Hi, I'm using OpenVPN and shorewall. Everything was up and running. I have added TC both inside the VPN (tun0) and to traffic going out (ppp0 - ADSL link). I checked it out using safe-restart and things were fine.

When the box rebooted due to a power outage, Shorewall did not come up; it seems to have stopped without adding the iptables rules. From the shorewall-init.log, I saw the following lines:

    Setting up Traffic Control Rules...
    TC Rule "1 10.33.33.0/24 10.10.1.1 udp " added
    TC Rule "1 fw w.x.y.z udp 1194 " added
    TC Rule "2 0.0.0.0/0 0.0.0.0/0 icmp echo-request " added
    TC Rule "2 0.0.0.0/0 0.0.0.0/0 icmp echo-reply " added
    Validating /etc/shorewall/tcdevices...
    Validating /etc/shorewall/tcclasses...
    Processing /etc/shorewall/tcdevices...
    TC Device ppp0 850kbit 110kbit Added.
    >>>>>>>>>>>>>>Cannot find device "tun0">>>>>>>>>>>>>>
    Loading /usr/share/shorewall/functions...
    Processing /etc/shorewall/params ...
    ...

Which seems to indicate that since tun0 was not present when shorewall was trying to set up TC, it restarted. This happened twice more, before it stopped trying, I think. I've attached the shorewall-init.log file.

I would like to know if this is expected behaviour, or I've screwed up the configuration somehow. Or is there something else I need to do to get TC on such interfaces.

If I cannot do TC on devices which are not present, is there any way to set up these devices before I start shorewall that would be sufficient?

In the file, the first three instances are when it did not detect tun0, ppp0 and tun0 respectively.

Because I was trying to get the box up ASAP (I was remote debugging) we do not have any shorewall status before we did shorewall restart.

Thanks!
Prasanna.
Prasanna Krishnamoorthy wrote:

> Which seems to indicate that since tun0 was not present when shorewall
> was trying to setup TC, it restarted.
>
> I would like to know if this is expected behaviour, or I've screwed up
> the configuration somehow. Or is there something else I need to do to
> get TC on such interfaces.

You cannot set up traffic shaping (using Shorewall or otherwise) on devices that do not exist.

> If I cannot do TC on devices which are not present, is there anyway to
> setup these devices before I start shorewall that would be sufficient?
>
> In the file, the first three instances are when it did not detect
> tun0, ppp0 and tun0 respectively.
>
> Because I was trying to get the box up ASAP (I was remote debugging)
> we do not have any shorewall status, before we did shorewall restart.

You can work around tun0 by running "openvpn --mktun dev tun0" before starting Shorewall and then specifying 'dev tun0' in your OpenVPN configuration rather than 'dev tun'.

I know of no way to create a ppp0 device ahead of time.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Thanks Tom.

I figured the best way to fix this issue was to check whether the interfaces exist *before* doing add_root_tc, and add_tc_class. This way I can do a refresh or restart when the interface comes up (ip_up or openvpn script) and the tc will get added.

I've attached the patch (from 3.0.7), but my shell scripting is not quite up to your standards. Please let me know if this is acceptable or whether I should do something else.

Thanks,
Prasanna.

On 5/19/06, Tom Eastep <teastep@shorewall.net> wrote:
> Prasanna Krishnamoorthy wrote:
>
> > Which seems to indicate that since tun0 was not present when shorewall
> > was trying to setup TC, it restarted.
> >
> > I would like to know if this is expected behaviour, or I've screwed up
> > the configuration somehow. Or is there something else I need to do to
> > get TC on such interfaces.
>
> You cannot set up traffic shaping (using Shorewall or otherwise) on
> devices that do not exist.
>
> > If I cannot do TC on devices which are not present, is there anyway to
> > setup these devices before I start shorewall that would be sufficient?
> >
> > In the file, the first three instances are when it did not detect
> > tun0, ppp0 and tun0 respectively.
> >
> > Because I was trying to get the box up ASAP (I was remote debugging)
> > we do not have any shorewall status, before we did shorewall restart.
>
> You can work around tun0 by running "openvpn --mktun dev tun0" before
> starting Shorewall and then specifying 'dev tun0' in your OpenVPN
> configuration rather than 'dev tun'.
>
> I know of no way to create a ppp0 device ahead of time.
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA     \ teastep@shorewall.net
> PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
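The two ideas in the thread so far, sketched as an added example (not code from the thread, from Prasanna's patch or from Shorewall itself): Tom's workaround of pre-creating the tun device before the firewall starts, and Prasanna's approach of checking that an interface exists before adding its tc root qdisc and class, so that a later refresh (from an ip-up hook or an OpenVPN up script) can add the shaping that was skipped at boot. The function names, the NET_SYSFS/TC/OPENVPN variables and the exit codes are assumptions made for this example; the /sys/class/net lookup and OpenVPN's --mktun/--dev options are real. A skipped device only prints a warning and is reported by count, so a missing tun0 no longer aborts the whole firewall start, which is the failure the original log shows.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: guard traffic-shaping setup on
# interfaces that may not exist yet (tun0 before OpenVPN starts, ppp0 before
# the ADSL link is up). NET_SYSFS, TC and OPENVPN are overridable so the
# logic can be exercised without root or real devices (assumption for this example).

: "${NET_SYSFS:=/sys/class/net}"   # the kernel exposes one directory per present interface
: "${TC:=tc}"                       # traffic-control binary
: "${OPENVPN:=openvpn}"             # OpenVPN binary

# device_present NAME -> 0 if the kernel currently knows NAME, 1 otherwise.
# /sys/class/net/<name> exists exactly for present interfaces, so this works
# for tun*, ppp* and physical devices alike without parsing ip/ifconfig output.
device_present() {
    [ -n "$1" ] && [ -d "$NET_SYSFS/$1" ]
}

# add_root_tc_guarded DEV OUT_BANDWIDTH -> add an HTB root qdisc and a class
# capped at OUT_BANDWIDTH, but only if DEV exists right now.
# Returns 0 on success, 1 if tc itself failed, 2 if DEV was absent and the
# setup was skipped, so a caller can tell "deferred" from "broken".
add_root_tc_guarded() {
    dev=$1
    out_bw=$2
    if ! device_present "$dev"; then
        echo "WARNING: device \"$dev\" not present; traffic shaping for it skipped" >&2
        return 2
    fi
    "$TC" qdisc add dev "$dev" root handle 1: htb default 10 || return 1
    "$TC" class add dev "$dev" parent 1: classid 1:1 htb rate "$out_bw" || return 1
}

# precreate_tun NAME -> make sure a persistent tun device exists before the
# firewall starts (Tom's workaround). The OpenVPN config must then use
# "dev NAME" rather than "dev tun" so OpenVPN attaches to this device
# instead of allocating a fresh one.
precreate_tun() {
    if device_present "$1"; then
        return 0
    fi
    "$OPENVPN" --mktun --dev "$1"
}

# tc_setup_all "DEV:OUT_BW ..." -> apply the guarded setup to each entry and
# print how many were skipped. Rerunning this (or "shorewall refresh") from an
# ip-up / OpenVPN up hook adds shaping for devices that appeared later.
tc_setup_all() {
    skipped=0
    for entry in $1; do
        dev=${entry%%:*}
        out_bw=${entry#*:}
        rc=0
        add_root_tc_guarded "$dev" "$out_bw" || rc=$?
        if [ "$rc" -eq 2 ]; then
            skipped=$((skipped + 1))
        fi
    done
    echo "$skipped"
}

# Demo with the thread's devices (needs root and real tc/openvpn):
#   TC_GUARD_DEMO=1 sh tc_guard.sh
if [ "${TC_GUARD_DEMO:-0}" = 1 ]; then
    precreate_tun tun0
    echo "devices skipped: $(tc_setup_all "ppp0:110kbit tun0:850kbit")"
fi
```

Because the check is done at the moment the tc commands run, the same functions behave correctly both in a script executed at boot and in one re-executed after the interface comes up, which is the property Prasanna wants from a refresh.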
Prasanna Krishnamoorthy wrote:

> I figured the best way to fix this issue was to check whether the
> interfaces exist *before* doing add_root_tc, and add_tc_class. This
> way I can do a refresh or restart when the interface comes up (ip_up
> or openvpn script) and the tc will get added.
>
> I've attached the patch (from 3.0.7), but my shell scripting is not
> quite up to your standards. Please let me know if this is acceptable
> or whether I should do something else.

The patch you sent is empty. Plus, I'll want to think about whether I want to take this approach or not; in 3.2, it's a very non-trivial change given that the traffic-shaping parser has to handle both 'shorewall compile' (which may be done on a computer other than where the script is to run) and 'shorewall refresh' (which always runs on the computer where Shorewall is being refreshed).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
On 5/22/06, Tom Eastep <teastep@shorewall.net> wrote:
> The patch you sent is empty. Plus, I'll want to think about whether I

Sorry, I've reattached it with this mail.

> want to take this approach or not; in 3.2, it's a very non-trivial
> change given that the traffic-shaping parser has to handle both
> 'shorewall compile' (which may be done on a computer other than where
> the script is to run) and 'shorewall refresh' (which always runs on the
> computer where Shorewall is being refreshed).

The compiled version is a script, right? So it should be pretty much the same approach: extra code is generated to ensure that the device is there before the 'tc' scripts are run, if I'm not much mistaken. On the refresh, if the device exists, it does the same function as before; if it doesn't, it is skipped again.

Thanks!
Prasanna.
Prasanna Krishnamoorthy wrote:
> On 5/22/06, Tom Eastep <teastep@shorewall.net> wrote:
>
>> The patch you sent is empty. Plus, I'll want to think about whether I
>
> Sorry, I've reattached it with this mail.
>
>> want to take this approach or not; in 3.2, it's a very non-trivial
>> change given that the traffic-shaping parser has to handle both
>> 'shorewall compile' (which may be done on a computer other than where
>> the script is to run) and 'shorewall refresh' (which always runs on the
>> computer where Shorewall is being refreshed).
>
> The compiled version is a script right? So it should be pretty much
> the same approach, extra code is generated to ensure that the device
> is there before the 'tc' scripts are run, if I'm not much mistaken. On
> the refresh, if the device exists, it does the same function as
> before, if it doesn't it is skipped again.

I'll expect a patch.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>>
>> The compiled version is a script right? So it should be pretty much
>> the same approach, extra code is generated to ensure that the device
>> is there before the 'tc' scripts are run, if I'm not much mistaken. On
>> the refresh, if the device exists, it does the same function as
>> before, if it doesn't it is skipped again.
>
> I'll expect a patch.

Actually, it wasn't too bad. I have it running here although the code generated by the compiler is not particularly optimal (it follows the same basic idea as your patch). So I'll clean up your patch and integrate it into the 3.0 thread.

Thanks,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Many thanks!
Prasanna.

On 5/22/06, Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
> >>
> >> The compiled version is a script right? So it should be pretty much
> >> the same approach, extra code is generated to ensure that the device
> >> is there before the 'tc' scripts are run, if I'm not much mistaken. On
> >> the refresh, if the device exists, it does the same function as
> >> before, if it doesn't it is skipped again.
> >
> > I'll expect a patch.
>
> Actually, it wasn't too bad. I have it running here although the code
> generated by the compiler is not particularly optimal (it follows the
> same basic idea as your patch). So I'll clean up your patch and
> integrate it into the 3.0 thread.
>
> Thanks,
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA     \ teastep@shorewall.net
> PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Prasanna Krishnamoorthy wrote:
> Many thanks!

Would you be willing to test the version in SVN?

    shorewall/branches/3.0/Shorewall

You will need to install both the 'firewall' and 'functions' files.

Thanks!
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tested with a couple of interfaces, one present, one not. Saw the warning, then did refresh after creating the device, and things went fine.

Thanks!
Prasanna.

On 5/22/06, Tom Eastep <teastep@shorewall.net> wrote:
> Prasanna Krishnamoorthy wrote:
> > Many thanks!
>
> Would you be willing to test the version in SVN?
> shorewall/branches/3.0/Shorewall
>
> You will need to install both the 'firewall' and 'functions' files.
>
> Thanks!
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA     \ teastep@shorewall.net
> PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Prasanna Krishnamoorthy wrote:
> Tested with couple of interfaces, one present, one not. Saw the
> warning, then did refresh after creating the device, and things went
> fine.

Good. Thanks!

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key