The IPMARK target makes it very efficient to assign packet marks based on IP address. Unfortunately, there is no efficient way to map the many mark values to HTB classes. As a result, the IPMARK feature introduced in Shorewall 4.3.9 is still very inefficient. There was once an IPCLASSIFY target in Netfilter which made the translation of IP address to CLASS ID very efficient. I'll see what I can do about resurrecting it.

In 4.3.10, IPMARK will be replaced with a different facility that is very efficient. Unfortunately, the new facility only works when shaping occurs on the firewall's internal interface(s) since it is based entirely on tc filters rather than on packet marking. Still, the new facility allows administrators to define separate classes for each internal system to control download bandwidth usage.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep wrote:
> The IPMARK target makes it very efficient to assign packet marks based
> on IP address. Unfortunately, there is no efficient way to map the many
> mark values to HTB classes. As a result, the IPMARK feature introduced
> in Shorewall 4.3.9 is still very inefficient. There was once an
> IPCLASSIFY target in Netfilter which made the translation of IP address
> to CLASS ID very efficient. I'll see what I can do about resurrecting it.
>
> In 4.3.10, IPMARK will be replaced with a different facility that is
> very efficient. Unfortunately, the new facility only works when shaping
> occurs on the firewall's internal interface(s) since it is based
> entirely on tc filters rather than on packet marking. Still, the new
> facility allows administrators to define separate classes for each
> internal system to control download bandwidth usage.

Please disregard this for now -- I have learned more and believe that I can provide both options.

-Tom