Hi all!
Downloaded Shorewall 3.0.3 some days ago and used it to set up a
firewall for a shared DSL Inet connection by 25 users through a WiFi
wlan. The firewall stuff worked GREAT, thanks to the people who
develop/maintain Shorewall.
Next step was to set up QoS. I read some stuff about QoS some time
ago; right now I'm not good at it, but I think I have the basic
skills. Started to make some tests, but a strange thing occurs: packets
get marked but not classified.
Firewall runs Debian sarge, has 3 network devices. DSL is at eth0 and
WiFi network is at eth2. As I said before, I have no problem when
setting up the firewall, problems are with QoS.
The simplest test is to try to set the traffic coming from the web
server that is placed in the firewall itself (eth2, 172.16.0.1) to the
lowest priority:
tcdevices:
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
eth2 15000kbit 15000kbit
tcclasses:
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth2 10 100kbit full 1
eth2 20 100kbit full 2 tcp-ack
eth2 30 4000kbit full 3 default
eth2 50 full/3 full 4
tcrules:
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
50:P 172.16.0.0/24 172.16.0.1 tcp 80
50:P 172.16.0.1 172.16.0.0/24 tcp - 80
WiFi wlan has a maximum bandwidth of 16 Mbit/s. I set up more classes
than I really need for the example, but it should run ok.
So all traffic from users of the WiFi wlan (172.16.0.0/24) that access
the internal webserver (172.16.0.1) should go to class 50. If I set
this up and download fat files from the 172.16.0.1 webserver, I get:
root@SantaFe:~# iptables -L -v -t mangle
Chain PREROUTING (policy ACCEPT 147K packets, 42M bytes)
pkts bytes target prot opt in out source destination
147K 42M tcpre all -- any any anywhere anywhere
Chain INPUT (policy ACCEPT 123K packets, 28M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 23665 packets, 14M bytes)
pkts bytes target prot opt in out source destination
23653 14M tcfor all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 131M packets, 83G bytes)
pkts bytes target prot opt in out source destination
180K 144M tcout all -- any any anywhere anywhere
Chain POSTROUTING (policy ACCEPT 204K packets, 158M bytes)
pkts bytes target prot opt in out source destination
204K 158M tcpost all -- any any anywhere anywhere
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
0 0 CLASSIFY all -- any eth2 anywhere anywhere MARK match 0xa CLASSIFY set 1:110
0 0 CLASSIFY all -- any eth2 anywhere anywhere MARK match 0x14 CLASSIFY set 1:120
0 0 CLASSIFY all -- any eth2 anywhere anywhere MARK match 0x1e CLASSIFY set 1:130
0 0 CLASSIFY all -- any eth2 anywhere anywhere MARK match 0x32 CLASSIFY set 1:150
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK udp -- any any 172.16.0.0/24 0.0.0.0/24 udp dpts:27000:27015 MARK set 0xa
41800 1673K MARK tcp -- any any 172.16.0.0/24 172.16.0.1 tcp dpt:www MARK set 0x32
0 0 MARK tcp -- any any 172.16.0.1 172.16.0.0/24 tcp spt:www MARK set 0x32
root@SantaFe:~# tc -s qdisc show dev eth2
qdisc htb 1: r2q 10 default 130 direct_packets_stat 4
Sent 134913482 bytes 96961 pkts (dropped 0, overlimits 1794)
qdisc ingress ffff: ----------------
Sent 7485964 bytes 55854 pkts (dropped 0, overlimits 0)
qdisc sfq 110: limit 128p quantum 1514b perturb 10sec
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 120: limit 128p quantum 1514b perturb 10sec
Sent 142530 bytes 2619 pkts (dropped 0, overlimits 0)
qdisc sfq 130: limit 128p quantum 1514b perturb 10sec
Sent 134770352 bytes 94338 pkts (dropped 0, overlimits 0)
qdisc sfq 150: limit 128p quantum 1514b perturb 10sec
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
Packets are MARKed (0x32), but not classified:
Chain tcpre
41800 1673K MARK tcp -- any any 172.16.0.0/24 172.16.0.1 tcp dpt:www MARK set 0x32
Chain tcpost
0 0 CLASSIFY all -- any eth2 anywhere anywhere MARK match 0x32 CLASSIFY set 1:150
qdisc sfq 150: limit 128p quantum 1514b perturb 10sec
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
Dunno what's wrong, Google hasn't helped me this time :-( Can
you help me?
Thanks in advance!
a.
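A small diagnostic for the symptom described in the post above (a MARK rule firing while the CLASSIFY rule for the same mark never matches), added here as an example; it is not part of the original post and not Shorewall's own code. It parses the plain `iptables -L -v -t mangle` listing; the sample input is constructed from the post's tcpre/tcpost counters, rejoined into the single-line layout iptables prints on a wide terminal.

```shell
#!/bin/sh
# Constructed sample: mangle-table listing with the same counters as in
# the post (MARK 0x32 hit 41800 packets, CLASSIFY for 0x32 hit none).
MANGLE_SAMPLE='Chain tcpost (1 references)
 pkts bytes target   prot opt in  out  source        destination
    0     0 CLASSIFY all  --  any eth2 anywhere      anywhere      MARK match 0xa CLASSIFY set 1:110
    0     0 CLASSIFY all  --  any eth2 anywhere      anywhere      MARK match 0x32 CLASSIFY set 1:150
Chain tcpre (1 references)
 pkts bytes target   prot opt in  out  source        destination
    0     0 MARK     udp  --  any any  172.16.0.0/24 0.0.0.0/24    udp dpts:27000:27015 MARK set 0xa
41800 1673K MARK     tcp  --  any any  172.16.0.0/24 172.16.0.1    tcp dpt:www MARK set 0x32
    0     0 MARK     tcp  --  any any  172.16.0.1    172.16.0.0/24 tcp spt:www MARK set 0x32
'

# Reads an iptables mangle listing on stdin and prints "<mark> <class>"
# for every mark that some MARK rule set on live traffic (pkts > 0)
# while the CLASSIFY rule matching that mark saw zero packets.
marked_not_classified() {
    awk '
        # $1 is the packet counter; iptables prints it as 0 or a value
        # with an optional K/M/G suffix, so "not exactly 0" means hits.
        function hits(p) { return p != "0" }
        $3 == "MARK" && /MARK set 0x/ {
            for (i = 1; i <= NF; i++) if ($i == "set") m = $(i + 1)
            if (hits($1)) marked[m] = 1
        }
        $3 == "CLASSIFY" && /MARK match 0x/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "match") m = $(i + 1)
                if ($i == "set") cls = $(i + 1)
            }
            if (!hits($1)) idle[m] = cls
        }
        END { for (m in marked) if (m in idle) print m, idle[m] }
    ' | sort
}

# Usage on a live box:  iptables -L -v -t mangle | marked_not_classified
printf '%s\n' "$MANGLE_SAMPLE" | marked_not_classified
```

A non-empty line means the mark is applied somewhere but the packets carrying it never reach the CLASSIFY rule on that interface, which is where to start looking (which chain the traffic actually traverses, and on which interface it leaves).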