I have just installed shorewall 2.0.9, having spent a day and a half tracking down why my tcrules wasn't working properly in 2.0.8. I didn't see the announcement of 2.0.9 because it didn't go to -announce.

Anyway I have 2.0.9 now (the package from Debian incoming) and the problem is still there.

My tcrules file says:

    1   0.0.0.0/0       0.0.0.0/0   tcp    22
    1   0.0.0.0/0       0.0.0.0/0   tcp    53
    1   0.0.0.0/0       0.0.0.0/0   udp    53
    1   0.0.0.0/0       0.0.0.0/0   icmp
    # gpg keyservers
    1   192.168.1.0/24  0.0.0.0/0   tcp    11371
    # psi
    1   192.168.1.0/24  0.0.0.0/0   tcp    5223

    2   192.168.1.0/28  0.0.0.0/0   tcp    80,443
    2   $FW             0.0.0.0/0   tcp    80,443

    3   0.0.0.0/0       0.0.0.0/0   all

    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

With these tcrules, I don't get correct tc rules generated. Marks 2 and 3 seem to get applied but not mark 1. A trace of "shorewall restart debug" is at http://www.leverton.org/bad

If I change the "3 ..... all" line to be

    3   0.0.0.0/0       0.0.0.0/0   tcp
    3   0.0.0.0/0       0.0.0.0/0   udp

then all three marks get set and my buckets work fine. A trace of "shorewall restart debug" for this is at http://www.leverton.org/good

Hope you can find it, please ask for any more info I've missed

Nick Leverton
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nick Leverton wrote:

> I have just installed shorewall 2.0.9, having spent a day and a
> half tracking down why my tcrules wasn't working properly in 2.0.8.
> I didn't see the announcement of 2.0.9 because it didn't go to -announce.

Don't know what happened -- for some reason, the list server rejected the announcement but since a "Shorewall 2.0.9" message ended up in my Announcements folder, I didn't notice.

> Anyway I have 2.0.9 now (the package from Debian incoming) and the problem
> is still there.
>
> My tcrules file says:
>
> 1   0.0.0.0/0       0.0.0.0/0   tcp    22
> 1   0.0.0.0/0       0.0.0.0/0   tcp    53
> 1   0.0.0.0/0       0.0.0.0/0   udp    53
> 1   0.0.0.0/0       0.0.0.0/0   icmp
> # gpg keyservers
> 1   192.168.1.0/24  0.0.0.0/0   tcp    11371
> # psi
> 1   192.168.1.0/24  0.0.0.0/0   tcp    5223
>
> 2   192.168.1.0/28  0.0.0.0/0   tcp    80,443
> 2   $FW             0.0.0.0/0   tcp    80,443
>
> 3   0.0.0.0/0       0.0.0.0/0   all
>
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> With these tcrules, I don't get correct tc rules generated. Marks 2 and 3
> seem to get applied but not mark 1. A trace of "shorewall restart debug"
> is at http://www.leverton.org/bad

The output of "shorewall show mangle" would have been more useful but there is nothing wrong with the rules being generated. Unlike rules in /etc/shorewall/rules, evaluation of tcrules continues after a match. This means that your last rule is marking all of your traffic with a 3, regardless of the traffic type. You will solve your problem by moving that rule to the beginning of the file.
- -Tom
- --
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBXBYRO/MAbZfjDLIRAhk8AKCmAbwcWCNsVpyH9YcqKFvAJfnuvwCeKMgy
tch9svatEqmeQCv9G6Oe778=V5Ph
-----END PGP SIGNATURE-----
Nick Leverton
2004-Sep-30 15:18 UTC
Re: tcrules for proto "all" still not working in 2.0.9
On Thu, Sep 30, 2004 at 07:20:01AM -0700, Tom Eastep wrote:

> The output of "shorewall show mangle" would have been more useful but
> there is nothing wrong with the rules being generated.

Apologies, I was going by the evidence you'd requested on this list for a previous similar-looking problem.

> Unlike rules in /etc/shorewall/rules, evaluation of tcrules continues
> after a match. This means that your last rule is marking all of your
> traffic with a 3, regardless of the traffic type. You will solve your
> problem by moving that rule to the beginning of the file.

That's the hidden clue! And now it works, thank you.

It would be a really neat idea if it were documented that that file works the other way round from all other Shorewall files - at least the ones where order matters. I.e. that the final match is the one used, not the first match. Ideally in the file comments, where folk will see it, but just a mention of it anywhere would be helpful. Again my apologies if I've overlooked it, but I can't see it anywhere in the docs.

Nick
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nick Leverton wrote:

> On Thu, Sep 30, 2004 at 07:20:01AM -0700, Tom Eastep wrote:
>
>> The output of "shorewall show mangle" would have been more useful but
>> there is nothing wrong with the rules being generated.
>
> Apologies, I was going by the evidence you'd requested on this list for
> a previous similar-looking problem.
>
>> Unlike rules in /etc/shorewall/rules, evaluation of tcrules continues
>> after a match. This means that your last rule is marking all of your
>> traffic with a 3, regardless of the traffic type. You will solve your
>> problem by moving that rule to the beginning of the file.
>
> That's the hidden clue! And now it works, thank you.
>
> It would be a really neat idea if it were documented that that file works
> the other way round from all other Shorewall files - at least the ones
> where order matters. I.e. that the final match is the one used, not
> the first match. Ideally in the file comments, where folk will see it,
> but just a mention of it anywhere would be helpful. Again my apologies
> if I've overlooked it, but I can't see it anywhere in the docs.

If you look at CVS, you will see that I checked in an update to the tcrules file minutes after I responded to your post. I was remiss in not updating the documents until after I had my morning coffee but the copy at http://shorewall.net/ has been updated and that change will propagate to the other mirrors at their next rsync.

- -Tom
- --
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBXCV0O/MAbZfjDLIRAictAJsG2Lz/1qLIj+SEWCDmlavH9nXn0ACgq8CB
QuOWdfgHxKnQqEiDOKvEC1E=99Db
-----END PGP SIGNATURE-----
Nick Leverton
2004-Sep-30 15:32 UTC
Re: tcrules for proto "all" still not working in 2.0.9
On Thu, Sep 30, 2004 at 08:25:40AM -0700, Tom Eastep wrote:

> If you look at CVS, you will see that I checked in an update to the
> tcrules file minutes after I responded to your post. I was remiss in not
> updating the documents until after I had my morning coffee but the copy
> at http://shorewall.net/ has been updated and that change will propagate
> to the other mirrors at their next rsync.

Thank you Tom. I didn't mean to hassle you, I just didn't know you were doing it!

Nick
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nick Leverton wrote:

> On Thu, Sep 30, 2004 at 08:25:40AM -0700, Tom Eastep wrote:
>
>> If you look at CVS, you will see that I checked in an update to the
>> tcrules file minutes after I responded to your post. I was remiss in not
>> updating the documents until after I had my morning coffee but the copy
>> at http://shorewall.net/ has been updated and that change will propagate
>> to the other mirrors at their next rsync.
>
> Thank you Tom. I didn't mean to hassle you, I just didn't know you were
> doing it!
>

No problem -- as a general rule, when I discover an obvious hole in the documentation, I try to correct it promptly so that others don't fall into it.

- -Tom
- --
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBXCryO/MAbZfjDLIRAjeEAJwOTKKLp4i/MHlRAIhAS+36jiV6QgCfSoKk
YbRXlZv0qju3Cgu2W/MdOAo=Lehv
-----END PGP SIGNATURE-----