-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 10/23/2016 12:09 AM, [email protected] wrote:
> Hi all
> 
> I am experimenting with traffic shaping. I use 5.0.13.1 on CentOS 7
> with added xtables-addons. I have BASIC_FILTERS=Yes . Currently I
> am trying to use ipsets in tcfilters, but I stumbled on 3 distinct
> errors which I think might be bugs in Tc.pm. I sort of solved 2 of
> these, and I would like to review them and possibly make them in
> the source. For the remaining one, I would like to ask if there is
> a solution.
> 
> Issue #1, if I put the following line in tcfilters: 1:140
> +wuhosts
> 
> I obtain the following error:
> 
> Setting up Traffic Control...
> Object "ipset(wuhosts" is unknown, try "tc help".
>    ERROR: Command "tc ipset(wuhosts src) flowid 1:140" Failed
> Restoring Shorewall...
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Accept Source Routing...
> Setting up Proxy ARP...
> Setting up Traffic Control...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/restored ...
> done.
> Shorewall restored from /var/lib/shorewall/.try
> /usr/share/shorewall/lib.common: line 93:  8663 Terminated  $SHOREWALL_SHELL $script $options $@
> 
> Spreading some print STDERR "\n$rule\n" in process_tc_filter2 in
> Tc.pm, it seems the problem is that the rule to be applied is reset
> when the parser encounters an ipset, where the new clause should be
> added. This results in a tc rule like this, which is clearly
> invalid:
> 
> '\ ipset\(wuhosts src\)'
> 
> The following patch seems to solve the issue:
> 
> --- /usr/share/perl5/vendor_perl/Shorewall/Tc.pm.orig   2016-10-23 
> 07:41:55.000000000 +0200 +++
> /usr/share/perl5/vendor_perl/Shorewall/Tc.pm        2016-10-23 
> 08:11:15.913612498 +0200 @@ -1518,7 +1518,7 @@ $rule .= ' and' if
> $have_rule;
> 
> if ( $source =~ /^\+/ ) { -           $rule = join( '', "\\\n   ",
> handle_ematch( $source, 'src' ) ); +           $rule .= join( '',
> "\\\n   ", handle_ematch( $source, 'src' ) ); } else { my @parts =
> decompose_net_u32( $source );
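Review bot: the switch from `$rule = join( '', ... )` to `$rule .= join( '', ... )` is the right fix; the plain assignment discarded everything already accumulated in `$rule`, including the `' and'` appended just above it when `$have_rule` is set, which is why the failing command at the top of the report reads `tc ipset(wuhosts src) flowid 1:140` with the whole `filter add dev ... basic match` prefix missing. Worth checking that the matching DEST branch (the one that emits `ipset(wuhosts dst)` in issue #2) already appends with `.=`, otherwise the same loss happens with a set in DEST.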
> 
> For reference, the tc command results like this:
> 
> 'filter add dev eth1 protocol ip parent 1:0 prio 1 basic match\ 
> ipset\(wuhosts src\)'
> 
> 

Looks good.

> 
> 
> Issue #2, another problem I encounter is that I have to manually
> pre-create the wuhosts set, otherwise I get another error:
> 
> Setting up Traffic Control...
> ipset: unknown set name 'wuhosts'
> ... ipset(wuhosts >>dst)<< ...
> ... ipset(>>wuhosts<< dst)...
> Usage: ipset(SETNAME FLAGS)
> where: SETNAME:= string
>        FLAGS  := { FLAG[,FLAGS] }
>        FLAG   := { src | dst }
> 
> Example: 'ipset(bulk src,dst)'
> Illegal "ematch"
>    ERROR: Command "tc filter add dev ifb0 protocol ip parent 2:0 prio 1 basic match ipset(wuhosts dst) flowid 2:140" Failed
> 
> 
> I am sure there is support in shorewall to automatically create
> ipsets when needed, because for example I use dynamic zones which
> are implemented with ipsets (and in fact it calls
> add_ipset($ipset); ). Inspired by that I tried to simply do
> something like this:
> 
> --- Tc.pm.orig  2016-10-23 07:41:55.000000000 +0200 +++ Tc.pm
> 2016-10-23 08:55:24.529013933 +0200 @@ -1517,8 +1517,9 @@ if (
> $source ne '-' ) { $rule .= ' and' if $have_rule;
> 
> -       if ( $source =~ /^\+/ ) { +       if ( $source =~
> /^\+(\S+)/ ) { $rule .= join( '', "\\\n   ", handle_ematch(
> $source, 'src' ) ); +           add_ipset($1); } else { my @parts =
> decompose_net_u32( $source );
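Review bot: calling `add_ipset($1)` from the SOURCE branch only covers `+set` in SOURCE; the DEST branch, which produced the `ipset(wuhosts dst)` command in the error above, would still reference a set that was never created, and the `(\S+)` capture re-does the `+` stripping that `handle_ematch` already performs. Registering the set inside `handle_ematch` itself, right after the name is cleaned, covers both columns with one call, which is what the attached patch does. Also check that `add_ipset` is imported into Tc.pm from the module that defines it, since the call will not resolve otherwise.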
> 
> but it gave me this weird error. Apparently I have to know
> something more about ipset handling in Shorewall. Could this be
> addressed?

Please see if the attached patch addresses your issue.

> 
> Issue #3, more like #1, if I put the following line in tcfilters: 
> 2:140           -               +wuhosts
> 
> I get the error:
> 
> Compiling /etc/shorewallConWinUpdSets/tcfilters...
>    WARNING: Degenerate filter ignored /etc/shorewallConWinUpdSets/tcfilters (line 11)
> 
> Without going too deep, it seems that in Tc.pm, when parsing a rule
> with a set in DEST, the rule is treated as if it was void
> (degenerate). A change like this seems to address the issue:
> 
> --- Tc.pm.orig  2016-10-23 07:41:55.000000000 +0200 +++ Tc.pm
> 2016-10-23 09:01:15.129492591 +0200 @@ -1558,8 +1558,9 @@ } }
> 
> -           $have_rule = 1; } + +       $have_rule = 1; }
> 
> if ( $have_rule ) {
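Review bot: moving `$have_rule = 1;` outside the closing brace it used to sit in changes which test guards it; as posted, the hunk does not show whether the surviving `}` belongs to the `$dest ne '-'` check or to an enclosing block, and if the assignment is now unconditional the `if ( $have_rule )` below is always true and the "Degenerate filter ignored" warning can never fire for a line with `-` in both SOURCE and DEST. Safer to set `$have_rule = 1;` inside each branch that actually appends a clause to `$rule` (the SOURCE `+set` branch from issue #1 and the DEST branch here) rather than relocating the single assignment.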
> 
> 

Thanks!

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 558ec73..a38ee94 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1308,6 +1308,8 @@ sub handle_ematch( $$ ) {
 
     $setname =~ s/\+//;
 
+    add_ipset($setname);
+
     return "ipset\\($setname $options\\)";
 }
 
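Review bot: `$setname =~ s/\+//;` removes the first `+` wherever it occurs, so anchoring it as `s/^\+//` keeps any `+` elsewhere in a set name intact before it reaches `add_ipset`; and since `handle_ematch` runs once per column, a set named in both SOURCE and DEST of one filter, or in several filters, reaches `add_ipset` more than once, so `add_ipset` must tolerate repeated registration of the same name.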
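To make the three reported cases concrete side by side, here is an added example (not Shorewall's Tc.pm and not the thread author's code) that rebuilds the tc "basic" filter a tcfilters line produces: it accumulates the ematch clauses the way the fixed code does (issue #1), records the ipsets that must exist before tc runs (issue #2), and treats only an all-`-` line as degenerate (issue #3). It assumes only the CLASS, SOURCE and DEST columns (PROTO and port columns are left out), a u32 ematch at IPv4 header offset 12 (source) or 16 (destination) for CIDR entries, and hash:ip as the set type for the pre-create commands; none of those assumptions come from the thread.

```python
"""Rebuild the tc 'basic' filter for a Shorewall tcfilters line.

Added example, not Shorewall's Tc.pm. Assumptions (not from the thread):
only CLASS, SOURCE and DEST are modelled; a CIDR becomes a u32 ematch at
IPv4 offset 12 (src) or 16 (dst); sets are pre-created as hash:ip.
"""
import ipaddress
import shlex
from typing import List, Optional, Tuple


def handle_ematch(entry: str, direction: str) -> Tuple[str, str]:
    """'+setname' -> ('ipset(setname src|dst)', 'setname').

    Like the thread's handle_ematch: strip the leading '+' and return the
    ematch clause. The set name is returned too so the caller can record it
    for pre-creation (issue #2).
    """
    if not entry.startswith("+") or len(entry) < 2:
        raise ValueError(f"not an ipset reference: {entry!r}")
    setname = entry[1:]
    return f"ipset({setname} {direction})", setname


def net_u32(entry: str, direction: str) -> str:
    """CIDR -> u32 ematch on the IPv4 source (offset 12) or destination (offset 16)."""
    net = ipaddress.IPv4Network(entry, strict=False)
    offset = 12 if direction == "src" else 16
    value, mask = int(net.network_address), int(net.netmask)
    return f"u32(u32 0x{value:08x} 0x{mask:08x} at {offset})"


def build_filter(dev: str, cls: str, source: str, dest: str
                 ) -> Tuple[Optional[List[str]], List[str]]:
    """Return (argv for tc, ipsets referenced) for one CLASS SOURCE DEST line.

    argv is None only for a degenerate filter (neither SOURCE nor DEST given),
    the one case that should trigger the 'Degenerate filter ignored' warning.
    """
    clauses: List[str] = []
    ipsets: List[str] = []
    for entry, direction in ((source, "src"), (dest, "dst")):
        if entry == "-":
            continue
        if entry.startswith("+"):
            clause, name = handle_ematch(entry, direction)
            if name not in ipsets:
                ipsets.append(name)
        else:
            clause = net_u32(entry, direction)
        # Append, never assign: assigning here is exactly the issue #1 bug,
        # which silently threw away the clauses (and the ' and') built so far.
        clauses.append(clause)
    if not clauses:
        return None, ipsets
    major = cls.split(":")[0]
    argv = ["tc", "filter", "add", "dev", dev, "protocol", "ip",
            "parent", f"{major}:0", "prio", "1", "basic", "match",
            " and ".join(clauses), "flowid", cls]
    return argv, ipsets


def shell_command(argv: List[str]) -> str:
    """Quote for a shell: the ematch text contains '(' and ' ' and must stay one word."""
    return shlex.join(argv)


def ipset_create_commands(names: List[str]) -> List[str]:
    """Pre-create each referenced set before tc runs (assumed type hash:ip);
    -exist keeps the create idempotent when a set is used by several filters."""
    return [f"ipset create -exist {n} hash:ip" for n in names]


if __name__ == "__main__":
    # Constructed inputs: the three lines from the thread plus a CIDR/ipset mix.
    for line in (("eth1", "1:140", "+wuhosts", "-"),
                 ("ifb0", "2:140", "-", "+wuhosts"),
                 ("eth1", "1:140", "10.0.0.0/8", "+wuhosts"),
                 ("eth1", "1:140", "-", "-")):
        argv, sets = build_filter(*line)
        for cmd in ipset_create_commands(sets):
            print(cmd)
        print("degenerate, ignored" if argv is None else shell_command(argv))
```

The `ipset create` commands are emitted before the `tc filter` command for the same line, which is the ordering the user had to reproduce by hand in issue #2.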
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users