Hello.
I am trying to do incoming traffic shaping with Squid-Tproxy-imq:

local net -> Tproxy (Squid) -> output connmark 0x81 -> i-net prerouting restore -> imq -> filter

DIVERT rule add MARK > 0xff, let OR 0x200, MARK become 0x281

But in tcclasses I must use mark 1..255 and can't use MASK.
Is it possible to make such a config work? Maybe I was inattentive and missed options in the doc.

Thank you...

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat
landscape has changed and how IT managers can respond. Discussions will
include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Slava wrote:
> Hello.
> I am trying to do incoming traffic shaping with Squid-Tproxy-imq:
>
> local net -> Tproxy (Squid) -> output connmark 0x81 -> i-net prerouting
> restore -> imq -> filter
>
> DIVERT rule add MARK > 0xff, let OR 0x200, MARK become 0x281
>
> But in tcclasses I must use mark 1..255 and can't use MASK.
> Is it possible to make such a config work? Maybe I was inattentive
> and missed options in the doc.

Take a look at http://www.shorewall.net/PacketMarking.html#Values. It explains the layout of packet marks in Shorewall.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
TE> Slava wrote:
>> Hello.
>> I am trying to do incoming traffic shaping with Squid-Tproxy-imq:
>>
>> local net -> Tproxy (Squid) -> output connmark 0x81 -> i-net prerouting
>> restore -> imq -> filter
>>
>> DIVERT rule add MARK > 0xff, let OR 0x200, MARK become 0x281
>>
>> But in tcclasses I must use mark 1..255 and can't use MASK.
>> Is it possible to make such a config work? Maybe I was inattentive
>> and missed options in the doc.

TE> Take a look at
TE> http://www.shorewall.net/PacketMarking.html#Values. It explains
TE> the layout of packet marks in Shorewall.

TE> -Tom

Yes, I read it and tried various combinations, but DIVERT selects higher bits. Or must I write my own divert?

Thank you
On 06/19/2012 11:41 PM, Slava wrote:
>
> TE> Slava wrote:
>>> Hello.
>>> I am trying to do incoming traffic shaping with Squid-Tproxy-imq:
>>>
>>> local net -> Tproxy (Squid) -> output connmark 0x81 -> i-net prerouting
>>> restore -> imq -> filter
>>>
>>> DIVERT rule add MARK > 0xff, let OR 0x200, MARK become 0x281
>>>
>>> But in tcclasses I must use mark 1..255 and can't use MASK.
>>> Is it possible to make such a config work? Maybe I was inattentive
>>> and missed options in the doc.
>
> TE> Take a look at
> TE> http://www.shorewall.net/PacketMarking.html#Values. It explains
> TE> the layout of packet marks in Shorewall.
>
> TE> -Tom
>
> Yes, I read it and tried various combinations, but DIVERT selects higher
> bits. Or must I write my own divert?

Sorry -- I don't understand what problem you are trying to solve. What is the purpose of the connmark 0x81? How are you diverting traffic from the local net to Squid? With an entry in /etc/shorewall/providers? If so, then the builtin DIVERT target will redirect the replies back to Squid automatically.

-Tom
TE> On 06/19/2012 11:41 PM, Slava wrote:
>>
>> TE> Slava wrote:
>>>> Hello.
>>>> I am trying to do incoming traffic shaping with Squid-Tproxy-imq:
>>>>
>>>> local net -> Tproxy (Squid) -> output connmark 0x81 -> i-net prerouting
>>>> restore -> imq -> filter
>>>>
>>>> DIVERT rule add MARK > 0xff, let OR 0x200, MARK become 0x281
>>>>
>>>> But in tcclasses I must use mark 1..255 and can't use MASK.
>>>> Is it possible to make such a config work? Maybe I was inattentive
>>>> and missed options in the doc.
>>
>> TE> Take a look at
>> TE> http://www.shorewall.net/PacketMarking.html#Values. It explains
>> TE> the layout of packet marks in Shorewall.
>>
>> TE> -Tom
>>
>> Yes, I read it and tried various combinations, but DIVERT selects higher
>> bits. Or must I write my own divert?

TE> Sorry -- I don't understand what problem you are trying to solve. What
TE> is the purpose of the connmark 0x81? How are you diverting traffic from
TE> the local net to Squid? With an entry in /etc/shorewall/providers? If
TE> so, then the builtin DIVERT target will redirect the replies back to
TE> Squid automatically.

TE> -Tom

Sorry, more details.

We divide web traffic into several groups, each with a CONNMARK, for example 0x1...0xN, assigned in the output chain after Tproxy-Squid. For packets incoming from the i-net this MARK is restored in PREROUTING and the traffic goes to IMQ for shaping. DIVERT sets its own bit in the MARK, in the default config OR 0x200 (for TC_BITS=16 it is 0x20000). So (question) on IMQ we have MARK 0x201...0x20N, and I can't define classes with such numbers in TCCLASSES.

(I returned TCRULES to FORMAT 1 and created a divert table and jump to it in the START config file, and all works well.)

Thank you
Slava wrote:
>
> Sorry, more details.
>
> We divide web traffic into several groups, each with a CONNMARK, for example
> 0x1...0xN, assigned in the output chain after Tproxy-Squid. For packets incoming
> from the i-net this MARK is restored in PREROUTING and the traffic goes to
> IMQ for shaping. DIVERT sets its own bit in the MARK, in the default config
> OR 0x200 (for TC_BITS=16 it is 0x20000). So (question) on IMQ we have
> MARK 0x201...0x20N, and I can't define classes with such numbers in
> TCCLASSES.
>
> (I returned TCRULES to FORMAT 1 and created a divert table and jump to it
> in the START config file, and all works well.)

Okay -- You will have to continue to use that method. The problem is that Shorewall wants to reserve the PREROUTING mangle chain for policy routing whereas IMQ requires setting TC marks in PREROUTING.

-Tom
TE> Slava wrote:
>>
>> Sorry, more details.
>>
>> We divide web traffic into several groups, each with a CONNMARK, for example
>> 0x1...0xN, assigned in the output chain after Tproxy-Squid. For packets incoming
>> from the i-net this MARK is restored in PREROUTING and the traffic goes to
>> IMQ for shaping. DIVERT sets its own bit in the MARK, in the default config
>> OR 0x200 (for TC_BITS=16 it is 0x20000). So (question) on IMQ we have
>> MARK 0x201...0x20N, and I can't define classes with such numbers in
>> TCCLASSES.
>>
>> (I returned TCRULES to FORMAT 1 and created a divert table and jump to it
>> in the START config file, and all works well.)

TE> Okay -- You will have to continue to use that method. The problem
TE> is that Shorewall wants to reserve the PREROUTING mangle chain for
TE> policy routing whereas IMQ requires setting TC marks in PREROUTING.

TE> -Tom

Off topic. Maybe adding MARK/MASK in tcclasses is not a bad idea; tc filter supports that.

I will continue to use my config.

Thank you

--
Best regards,
Карпущенко Вячеслав

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
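The mark arithmetic behind the thread, as an added illustration that is not from the thread or from Shorewall itself: it models the CONNMARK restore plus the DIVERT bit that Slava describes, then compares an unmasked class match (tcclasses numbers 1..255) with the masked `handle MARK/MASK fw` match that Slava's last message refers to. The divert bit is assumed to be 1 << (TC_BITS + 1), which reproduces the two values quoted in the thread (0x200 for TC_BITS=8, 0x20000 for TC_BITS=16); class ids and the IMQ device name are constructed sample values.

```python
# Added example (not part of the thread or of Shorewall): why marks of the form
# 0x2NN never hit tcclasses 1..255, and how a masked fw filter would still match.
# Assumption: DIVERT ORs in bit 1 << (TC_BITS + 1); this yields 0x200 for the
# default TC_BITS=8 and 0x20000 for TC_BITS=16, the values quoted in the thread.

def tc_mask(tc_bits=8):
    """Mask covering the low TC_BITS bits where Shorewall keeps the TC mark."""
    return (1 << tc_bits) - 1

def divert_bit(tc_bits=8):
    """Bit that DIVERT ORs into the packet mark (assumed position, see above)."""
    return 1 << (tc_bits + 1)

def mark_on_imq(connmark, tc_bits=8):
    """Mark seen on the IMQ device: CONNMARK restored in PREROUTING, then DIVERT."""
    return connmark | divert_bit(tc_bits)

def classify_unmasked(mark, classes):
    """tcclasses-style match: the whole fwmark must equal a class number."""
    return mark if mark in classes else None

def classify_masked(mark, classes, tc_bits=8):
    """'tc filter ... handle MARK/MASK fw'-style match: only the TC bits count."""
    tc_part = mark & tc_mask(tc_bits)
    return tc_part if tc_part in classes else None

def masked_fw_filter(dev, class_id, tc_bits=8, parent="1:"):
    """Build the iproute2 command that matches a class by its TC bits only
    (constructed sample values; dev and parent handle are assumptions)."""
    mask = tc_mask(tc_bits)
    return (f"tc filter add dev {dev} parent {parent} protocol ip prio 1 "
            f"handle 0x{class_id:x}/0x{mask:x} fw classid {parent}{class_id:x}")

CLASSES = set(range(1, 256))  # tcclasses numbers 1..255, as stated in the thread

def walk(connmark=0x81, tc_bits=8):
    """Follow one reply packet from its restored CONNMARK to the IMQ classifier."""
    mark = mark_on_imq(connmark, tc_bits)
    return {
        "on_imq": mark,
        "unmasked_class": classify_unmasked(mark, CLASSES),
        "masked_class": classify_masked(mark, CLASSES, tc_bits),
    }

if __name__ == "__main__":
    for bits in (8, 16):
        r = walk(0x81, bits)
        print(f"TC_BITS={bits}: mark on IMQ 0x{r['on_imq']:x}, unmasked match "
              f"{r['unmasked_class']}, masked match {r['masked_class']}")
    print(masked_fw_filter("imq0", 0x81))
```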