Shorewall users - Oct 2003 - tcrules ignored? wondershaper integration?

Hi,

first of all, let me thank you for your great Shoreline Firewall. I use
it with great success at home (protecting my WiFi connection).

And now if I could have a question about traffic shaping. I did read
everything I could find but I still have two problems: first, the MARK
from tcrules is not working in HTB based simple tc filter line ("handle
$MARK fw classid 1:20"). If I switch this tcstart''s line to
"u32 match
ip dst $IPADDR flowid 1:20" suddenly the shaping starts working. I
cannot figure this one out, really. I''ll provide more details later and
now let me ask you the second question:

According to
http://lists.shorewall.net/pipermail/shorewall-users/2003-August/007791.html
Dario Lesca had the very same problem as I do have: I cannot see anything in the
stock wondershaper-1.1a/wshaper.htb that would mimic your older manually written
shaper published as the example at traffic_shaping.htm. I see what you answered
to Dario and I read the wshaper.htb many many times but frankly I can''t
see there anything that would be related to the tcrules MARK entries.
What''s even worse, I don''t see anything there that would allow
me to limit the download speed. It just limits uploads to 90% and 80% but
that''s it. I''d be grateful if you said a little bit more than
just "it''s there, read it". BTW, my current goal is to limit
one IP address to 64kbit - that''s all I need.

My configuration:
shorewall Version: 1.4.5-1 (debian unstable)

tcrules:
4:F             eth0,eth1       192.168.1.4     all

Please note that :F is there because of masquerading.

Everything else works, just the tcrules connection to tcstart is not.
shorewall.conf contains the required Yes settings, don''t worry.

Thanks for your answer.

Petr

P.S. Shorewall 1.4.7 got new RATE/RATE LIMIT option but I don''t think
they can be used as a replacement for tcrules/tcstart, right? Or am I
wrong and upgrading to 1.4.7 could save me from tuning up the HTB?
Remember that all I need is to limit certain IP addresses to certain
max. data transfer rates.

On Wed, 2003-10-15 at 13:54, Petr Stehlik wrote:
> first of all, let me thank you for your great Shoreline Firewall. I use
> it with great success at home (protecting my WiFi connection).
You''re welcome.
> 
> And now if I could have a question about traffic shaping. I did read
> everything I could find but I still have two problems: first, the MARK
> from tcrules is not working in HTB based simple tc filter line
("handle
> $MARK fw classid 1:20").

Where $MARK=4? And is the filter being defined on an interface that will
carry outbound traffic previously marked by your tcrule entry?
> If I switch this tcstart''s line to "u32 match
> ip dst $IPADDR flowid 1:20" suddenly the shaping starts working. I
> cannot figure this one out, really. I''ll provide more details
later and
> now let me ask you the second question:
If you do "shorewall show mangle", do you see the generated rule in
the
''tcfor'' chain? Is the packet count (first column) non-zero?
> 
> According to
>
http://lists.shorewall.net/pipermail/shorewall-users/2003-August/007791.html
> Dario Lesca had the very same problem as I do have: I cannot see anything
> in the stock wondershaper-1.1a/wshaper.htb that would mimic your older
> manually written shaper published as the example at traffic_shaping.htm.
> I see what you answered to Dario and I read the wshaper.htb many many
> times but frankly I can''t see there anything that would be related
> to the tcrules MARK entries.
There isn''t as far as I know. And I have made absolutely no claims that
my sample script does anything at all similar to WonderShaper (or vice
versa).

As I''ve said before and I will say again:

I use the tcrules file but I do so for Policy Routing (see
http://shorewall.net/Shorewall_Squid_Usage.html) -- there is nothing in
my tcrules file that has anything at all to do with traffic shaping and
WonderShaper.
>  What''s even worse, I don''t see anything there that would
allow me to
> limit the download speed. It just limits uploads to 90% and 80% but
> that''s it. I''d be grateful if you said a little bit more
than just
> "it''s there, read it".
I don''t know what else to say. I''m not in the business of
supporting
traffic shaping in general or WonderShaper in particular.

a) I use WonderShaper.
b) It does what I need (although it does something different from my
sample htb script in the docs).
c) I don''t have the time or interest to understand traffic shaping in
any detail. I fooled around with it enough to convince myself that the
Shorewall interface to traffic shaping works and that''s all
I''ve done
(besides install and configure WonderShaper).

In other words, WonderShaper does for me in the area of Traffic Shaping
what Shorewall does for you in the area of firewalling. I use it but
I''m
not an expert nor am I willing to spend any time supporting it.

After I retire (currently scheduled for 2008 or so), I may have the time
to dig deeper into Traffic Shaping but until then it''s not something
that I''m going to spend my evenings and weekends studying so that I can
then spend more evenings and weekends answering people''s questions
about
how to use it.
>  BTW, my current goal is to limit one IP address to 64kbit -
that''s all I need.
> 
> My configuration:
> shorewall Version: 1.4.5-1 (debian unstable)
> 
> tcrules:
> 4:F             eth0,eth1       192.168.1.4     all
> 
> Please note that :F is there because of masquerading.
> 
> Everything else works, just the tcrules connection to tcstart is not.
> shorewall.conf contains the required Yes settings, don''t worry.
> 
> Thanks for your answer.
> 
> Petr
> 
> P.S. Shorewall 1.4.7 got new RATE/RATE LIMIT option but I don''t
think
> they can be used as a replacement for tcrules/tcstart, right? Or am I
> wrong and upgrading to 1.4.7 could save me from tuning up the HTB?
> Remember that all I need is to limit certain IP addresses to certain
> max. data transfer rates.
The Shorewall rate limits apply to the rate of *connections*, not to the
byte rate.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Wednesday 15 October 2003 23:50, Tom Eastep wrote:
> I use the tcrules file but I do so for Policy Routing (see
> http://shorewall.net/Shorewall_Squid_Usage.html) -- there is nothing in
> my tcrules file that has anything at all to do with traffic shaping and
> WonderShaper.
> 
there is a rule error in the in running squid on the firewall, where you write
3128 i belive there should be interface or have you a zone with the name 3128 ?

On Thu, 2003-10-16 at 08:14, Benny Pedersen wrote:
> On Wednesday 15 October 2003 23:50, Tom Eastep wrote:
> > I use the tcrules file but I do so for Policy Routing (see
> > http://shorewall.net/Shorewall_Squid_Usage.html) -- there is nothing
in
> > my tcrules file that has anything at all to do with traffic shaping
and
> > WonderShaper.
> > 
> there is a rule error in the in running squid on the firewall,
> where you write 3128 i belive there should be interface or have
> you a zone with the name 3128 ?
The rule is correct as printed. For REDIRECT rules, the destination zone
MUST BE $FW so there is no point is requiring it to be entered.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Wed, 2003-10-15 at 23:50, Tom Eastep wrote:
> > And now if I could have a question about traffic shaping. I did read
> > everything I could find but I still have two problems: first, the MARK
> > from tcrules is not working in HTB based simple tc filter line
("handle
> > $MARK fw classid 1:20").
> 
> 
> Where $MARK=4? And is the filter being defined on an interface that will
> carry outbound traffic previously marked by your tcrule entry?
tcrules:
4:F		eth0	192.168.1.4	all

tcstart (last line):
tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 4 fw classid
1:20

So I believe the "4:F" marks it for the "handle 4". At least
this is
what I got from the shorewall doc.
> > If I switch this tcstart''s line to "u32 match
> > ip dst 192.168.1.4 flowid 1:20" suddenly the shaping starts
working.
> If you do "shorewall show mangle", do you see the generated rule
yes, it looks as follows:

    0     0 MARK       all  --  eth0   *       0.0.0.0/0           
192.168.1.4        MARK set 0x4 
> Is the packet count (first column) non-zero?
no. It''s always zero.
> There isn''t as far as I know. And I have made absolutely no claims
that
> my sample script does anything at all similar to WonderShaper (or vice
> versa).
true. I somehow thought it would do the same and that you just switched
your hand made script to WonderShaper. I was wrong, sorry.
> In other words, WonderShaper does for me in the area of Traffic Shaping
> what Shorewall does for you in the area of firewalling. I use it but
I''m
> not an expert nor am I willing to spend any time supporting it.
That''s perfectly understandable. I haven''t been asking for
anything but
more information about *your* current setup because I thought I would
understand from that how it works in general. But the answer "I
don''t
use tcrules for WonderShaper" makes it perfectly clear. Once I stopped
using tcrules the shaping started working perfectly so now I am OK. I
just wanted to make the documentation on the shorewall web clear for
myself.
> After I retire (currently scheduled for 2008 or so), I may have the time
> to dig deeper into Traffic Shaping
sounds good. I may retire some 30 years later :)
> The Shorewall rate limits apply to the rate of *connections*, not to the
> byte rate.
OK, thanks for explanation.

Petr