Hello !

I use shorewall 3.2.4 with multiple providers and I want to use packet marking for traffic shaping, so I use a kernel which supports everything needed.

I set HIGH_ROUTE_MARKS=yes in shorewall.conf.

I use marks like 0x0100 and 0x0200 for the different providers.

However if I want to set connection marks in tcrules to manually influence routing between the providers, shorewall throws an error because the compiler masks the values with 0xff. I edited the compiler script like this:

--- compiler.orig	2006-10-06 16:01:50.000000000 +0200
+++ compiler	2006-10-06 16:02:02.000000000 +0200
@@ -2190,7 +2190,7 @@
 do_connmark() {
 target="CONNMARK --set-mark"
- mark=$mark/0xff
+ mark=$mark
 did_connmark=Yes
 }

In your document http://www1.shorewall.net/PacketMarking.html you state the following:

For entries in tcrules, the default mask value is 0xffff except in these cases:
* RESTORE rules use a default mask value of 0xff.
* SAVE rules use a default mask value of 0xff.

So the above is a bug in my point of view...

-- 
__________________________________________________
Ralf Schenk
fon (02 41) 9 91 21-0
fax (02 41) 9 91 21-59
rs@databay.de
Databay AG
Hüttenstraße 7
D-52068 Aachen
www.databay.de
Databay - einfach machen.
_________________________________________________

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
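Review bot: the `- mark=$mark/0xff` / `+ mark=$mark` pair drops the mask from `CONNMARK --set-mark` unconditionally, so the target now rewrites the whole connection mark for every configuration, not only for HIGH_ROUTE_MARKS=Yes where the 0x0100/0x0200 provider marks need the high byte. A narrower fix is to keep `mark=$mark/0xff` for the existing behaviour and only omit (or widen) the mask when HIGH_ROUTE_MARKS is set, which is also the direction the maintainer proposes later in this thread; a one-line comment in `do_connmark()` saying why the mask is chosen would save the next reader from re-deriving it.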
Ralf Schenk wrote:
> Hello !
>
> I use shorewall 3.2.4 with multiple providers and I want to use packet
> marking for traffic shaping, so I use a kernel which supports everything
> needed.
>
> I set HIGH_ROUTE_MARKS=yes in shorewall.conf.
>
> I use marks like 0x0100 and 0x0200 for the different providers.
>
> However if I want to set connection marks in tcrules to manually
> influence routing between the providers, shorewall throws an error

You do NOT set connection marks in tcrules to manually influence routing. You set packet marks!

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Ralf Schenk wrote:
>
> For entries in tcrules, the default mask value is 0xffff except in these
> cases:
> * RESTORE rules use a default mask value of 0xff.
> * SAVE rules use a default mask value of 0xff.
>
> So the above is a bug in my point of view...
>

I've corrected the documentation to mention that connection marking rules also use a mask of 0xFF.

I will change the code, however, to only specify the mask when HIGH_ROUTE_MASK=Yes is used; that way, users who don't have Extended CONNMARK SUPPORT can still use connection marks with HIGH_ROUTE_MASK=No.

-Tom
Tom Eastep wrote:
> Ralf Schenk wrote:
>> Hello !
>>
>> I use shorewall 3.2.4 with multiple providers and I want to use packet
>> marking for traffic shaping, so I use a kernel which supports everything
>> needed.
>>
>> I set HIGH_ROUTE_MARKS=yes in shorewall.conf.
>>
>> I use marks like 0x0100 and 0x0200 for the different providers.
>>
>> However if I want to set connection marks in tcrules to manually
>> influence routing between the providers, shorewall throws an error
>
> You do NOT set connection marks in tcrules to manually influence routing. You
> set packet marks!

Perhaps I have to explain a bit more what I wanted to do. I don't want to balance providers but I want to route traffic depending on traffic types and destination or source addresses, i.e. route from my office PCs via an ADSL line. For that I use an ipset PPPROUTING that is filled with a handful of IP addresses of my private 192.X.X.X net and a few destinations like typical download mirrors we use.

/etc/shorewall/providers:

westend 1 0x0100 main eth2 XXX.XXX.XXX.XXX track          eth0,eth1
dsl     2 0x0200 main ppp0 -               track,optional eth0,eth1

Excerpt from /etc/shorewall/tcrules:

# Routing
0x0200:CP +PPPROUTING 0.0.0.0/0
0x0200:CP 0.0.0.0/0   +PPPROUTING

So I think I mark connections in the prerouting chain and the routing will take place depending on the packet mark that is derived from this connection mark. But I think you didn't intend to be able to use the high marks as a routing key in /etc/shorewall/tcrules because a line like this throws a compiler error.

0x0200 $FW 0.0.0.0/0 tcp http,https,8080

Why shouldn't we use the high marks for routing and connection-tracking if multiple providers are involved and the low marks for traffic shaping ?

-- 
Ralf Schenk
Ralf Schenk wrote:
>
> Why shouldn't we use the high marks for routing and connection-tracking
> if multiple providers are involved and the low marks for traffic
> shaping ?
>

Ralf,

You can, but you have to follow the rules.

a) You set PACKET marks in PREROUTING for selecting which provider to use:

0x0200:P +PPPROUTING 0.0.0.0/0
0x0200:P 0.0.0.0/0   +PPPROUTING

b) You use low marks in the FORWARD chains for traffic shaping:

1:F 0.0.0.0/0 0.0.0.0/0 tcp 22

-Tom
Tom Eastep wrote:
> Ralf Schenk wrote:
>
>> Why shouldn't we use the high marks for routing and connection-tracking
>> if multiple providers are involved and the low marks for traffic
>> shaping ?
>>
>
> Ralf,
>
> You can, but you have to follow the rules.
>
> a) You set PACKET marks in PREROUTING for selecting which provider to use:
>
> 0x0200:P +PPPROUTING 0.0.0.0/0
> 0x0200:P 0.0.0.0/0   +PPPROUTING
>
> b) You use low marks in the FORWARD chains for traffic shaping:
>
> 1:F 0.0.0.0/0 0.0.0.0/0 tcp 22
>

The reason that I don't allow setting low marks in PREROUTING or OUTPUT (with HIGH_ROUTE_MARKS) is because fwmark routing rules do not allow specification of a mask!

So if you had 4 non-zero tc mark values and 2 connection mark values, you would need (4 +1) * 2 = 10 routing rules to perform routing based on your 2 connection mark values.

-Tom
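The two points the thread turns on (the 0xff mask silently zeroing a high routing mark, and the rule-count explosion when fwmark routing rules cannot mask) are easy to check with a small model of the netfilter value/mask arithmetic. The following is an added example, not Shorewall's compiler code and not anything posted in the thread. It assumes the mark layout the thread uses (provider marks 0x0100/0x0200 in the high byte, tc marks such as 1 in the low byte); `set_mark` implements the documented semantics of `MARK`/`CONNMARK --set-mark value/mask`, and `mark_allowed` is a reconstruction of the rule Tom states for HIGH_ROUTE_MARKS=Yes, not the compiler's actual check.

```python
# Added example (not Shorewall code): netfilter mark/mask arithmetic as used in
# this thread. Layout assumption taken from the thread: routing (provider) marks
# occupy the high byte, traffic-shaping marks the low byte. Chain letters P, F
# and O follow the tcrules MARK column (PREROUTING, FORWARD, OUTPUT).

MARK_BITS = 0xFFFFFFFF
ROUTE_MASK = 0xFF00   # high byte: which provider the connection leaves through
TC_MASK = 0x00FF      # low byte: traffic-shaping class


def set_mark(current: int, value: int, mask: int = MARK_BITS) -> int:
    """'value/mask' semantics of MARK and CONNMARK --set-mark: the bits selected
    by mask are taken from value; every other bit of the current mark is kept."""
    return (current & (~mask & MARK_BITS)) | (value & mask)


def compiler_connmark(value: int, current: int = 0, masked: bool = True) -> int:
    """Effect of the do_connmark() code quoted in the thread: with masked=True the
    emitted target is 'CONNMARK --set-mark value/0xff'; masked=False models the
    posted patch, which drops the mask."""
    return set_mark(current, value, TC_MASK if masked else MARK_BITS)


def apply_tcrules(route_mark: int, tc_mark: int, tc_masked: bool = True) -> int:
    """A PREROUTING rule sets the high routing mark, then a FORWARD rule sets the
    low tc mark. A masked tc rule keeps the routing byte; an unmasked one would
    overwrite it and the packet would lose its provider selection."""
    mark = set_mark(0, route_mark, ROUTE_MASK)
    return set_mark(mark, tc_mark, TC_MASK if tc_masked else MARK_BITS)


def route_key(mark: int) -> int:
    """The provider byte of a combined mark (what a masked routing rule would use)."""
    return mark & ROUTE_MASK


def fwmark_rules_needed(route_marks, tc_marks):
    """fwmark routing rules, as described in the thread, match the whole mark
    exactly, so one rule per (routing mark, tc mark or no tc mark) combination
    is required. Returns the sorted list of exact mark values to cover."""
    return sorted({r | t for r in route_marks for t in [0, *tc_marks]})


def mark_allowed(mark: int, chain: str) -> bool:
    """Reconstruction of the rule stated for HIGH_ROUTE_MARKS=Yes: only high
    (routing) marks in PREROUTING/OUTPUT, only low (tc) marks in FORWARD."""
    if chain in ("P", "O"):
        return mark & TC_MASK == 0 and mark & ROUTE_MASK != 0
    if chain == "F":
        return mark & ROUTE_MASK == 0 and mark != 0
    raise ValueError(f"unknown tcrules chain {chain!r}")


if __name__ == "__main__":
    # The reported bug: 0x0200 masked with 0xff leaves the connection mark at 0.
    print(hex(compiler_connmark(0x0200)))                   # 0x0
    print(hex(compiler_connmark(0x0200, masked=False)))     # 0x200
    # Masked tc marks in FORWARD coexist with the routing byte ...
    print(hex(apply_tcrules(0x0200, 1)))                    # 0x201
    # ... an unmasked tc mark wipes it.
    print(hex(apply_tcrules(0x0200, 1, tc_masked=False)))   # 0x1
    # Tom's count: 4 tc marks and 2 routing marks -> (4 + 1) * 2 = 10 rules.
    print(len(fwmark_rules_needed([0x0100, 0x0200], [1, 2, 3, 4])))  # 10
```

Run it directly to see the five values printed; the first line is exactly why Ralf's 0x0200:CP rule could never take effect under a 0xff mask, and the last line is Tom's (4+1)*2 = 10 arithmetic carried out by enumeration.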
Tom Eastep wrote:
>>
>>> Why shouldn't we use the high marks for routing and connection-tracking
>>> if multiple providers are involved and the low marks for traffic
>>> shaping ?
>>>
>> Ralf,
>>
>> You can, but you have to follow the rules.
>>
>> a) You set PACKET marks in PREROUTING for selecting which provider to use:
>>
>> 0x0200:P +PPPROUTING 0.0.0.0/0
>> 0x0200:P 0.0.0.0/0   +PPPROUTING
>>
>> b) You use low marks in the FORWARD chains for traffic shaping:
>>
>> 1:F 0.0.0.0/0 0.0.0.0/0 tcp 22
>>
>
> The reason that I don't allow setting low marks in PREROUTING or OUTPUT (with
> HIGH_ROUTE_MARKS) is because fwmark routing rules do not allow specification of
> a mask!
>
> So if you had 4 non-zero tc mark values and 2 connection mark values, you would
> need (4 +1) * 2 = 10 routing rules to perform routing based on your 2 connection
> mark values.
>

Thanks a lot for your help. I modified my tcrules according to your suggestions. These rules work fine.

I have one last problem that stops me dumping completely my complex handcrafted years old script for policyrouting.

I wanted to set marks for traffic originating on the firewall so that i.e. packets from the local squid daemon are routed through my dsl line. Unfortunately I can't use a rule like this.

0x0200 $FW 0.0.0.0/0 tcp http,https,8080
0x0200 $FW +PPPROUTING

Shorewall stops with

"   ERROR: Invalid mark value (0x0200) in rule "0x0200:F fw 0.0.0.0/0 tcp http,https,8080 "
/sbin/shorewall: line 774: 24884 Terminated              $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.restart"

I checked that it is possible to (re)route packets originating on the firewall by mangling in the OUTPUT chains according to your image http://www1.shorewall.net/images/Netfilter.png. Packets should be rerouted if they changed in the OUTPUT chain.
-- 
Ralf Schenk

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify info@databay.de. If you are not the named recipient, you should return this message without reading further and delete it from your system.
Ralf Schenk wrote:
> Tom Eastep wrote:
>>>> Why shouldn't we use the high marks for routing and connection-tracking
>>>> if multiple providers are involved and the low marks for traffic
>>>> shaping ?
>>>>
>>> Ralf,
>>>
>>> You can, but you have to follow the rules.
>>>
>>> a) You set PACKET marks in PREROUTING for selecting which provider to use:
>>>
>>> 0x0200:P +PPPROUTING 0.0.0.0/0
>>> 0x0200:P 0.0.0.0/0   +PPPROUTING
>>>
>>> b) You use low marks in the FORWARD chains for traffic shaping:
>>>
>>> 1:F 0.0.0.0/0 0.0.0.0/0 tcp 22
>>>
>> The reason that I don't allow setting low marks in PREROUTING or OUTPUT (with
>> HIGH_ROUTE_MARKS) is because fwmark routing rules do not allow specification of
>> a mask!
>>
>> So if you had 4 non-zero tc mark values and 2 connection mark values, you would
>> need (4 +1) * 2 = 10 routing rules to perform routing based on your 2 connection
>> mark values.
>>
>
> Thanks a lot for your help. I modified my tcrules according to your
> suggestions. These rules work fine.
>
> I have one last problem that stops me dumping completely my complex
> handcrafted years old script for policyrouting.
>
> I wanted to set marks for traffic originating on the firewall so that
> i.e. packets from the local squid daemon are routed through my dsl line.
> Unfortunately I can't use a rule like this.
>
> 0x0200 $FW 0.0.0.0/0 tcp http,https,8080
> 0x0200 $FW +PPPROUTING
>
> Shorewall stops with
> "   ERROR: Invalid mark value (0x0200) in rule "0x0200:F fw 0.0.0.0/0 tcp
> http,https,8080 "
> /sbin/shorewall: line 774: 24884 Terminated
> $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile
> ${VARDIR}/.restart"
>

Which Shorewall version are you running currently?
-Tom
Tom Eastep wrote:
>
> Which Shorewall version are you running currently?
>

If you are running a 3.2 version, the attached patch to /usr/share/shorewall/compiler might apply cleanly (with offset).

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>
>> Which Shorewall version are you running currently?
>>
>
> If you are running a 3.2 version, the attached patch to
> /usr/share/shorewall/compiler might apply cleanly (with offset).

Thanks a lot. That solved it for me. :-)

-- 
Ralf Schenk

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Ralf Schenk wrote:
> Tom Eastep wrote:
>> Tom Eastep wrote:
>>
>>> Which Shorewall version are you running currently?
>>>
>> If you are running a 3.2 version, the attached patch to
>> /usr/share/shorewall/compiler might apply cleanly (with offset).
>
> Thanks a lot. That solved it for me. :-)
>

Thanks for checking it out, Ralf

-Tom