I have a very straightforward query. Suppose I have the following setup:

tcclasses
~~~~~~~~~
be:21      -    300kbps              1mbit      2
be:21:22   -    10kbps:50ms:1500b    full       2
[...]
be:26      -    50kbps:30ms:1500b    150kbps    2

tcfilters
~~~~~~~~~
be:22    1.1.1.22      -    tcp    22    1111
be:26    1.1.1.0/24

When the firewall file is compiled, this results in the following snippet of code for tc to execute:

firewall
~~~~~~~~
tc filter add dev ifb0 protocol ip parent be:0 prio 10 u32 \
    match ip src 1.1.1.22/32 \
    match ip protocol 6 0xff \
    link 0x001:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat
tc filter add dev ifb0 protocol ip parent be:0 prio 10 u32 ht 0x001:0 \
    match tcp dst 22 0xffff \
    match tcp src 1111 0xffff \
    flowid be:22
tc filter add dev ifb0 protocol ip parent be:0 prio 10 u32 \
    match ip src 1.1.1.0/24 \
    flowid be:26

The question I have is this: what entry would get a priority if I connect from 1.1.1.22, dest port 22 and src port 1111? This will match both entries above and since the priority seems to be the same I don't know what would be matched first. Thanks.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 9/9/12 11:30 AM, Mr Dash Four wrote:
> The question I have is this: what entry would get a priority if I
> connect from 1.1.1.22, dest port 22 and src port 1111? This will match
> both entries above and since the priority seems to be the same I don't
> know what would be matched first. Thanks.

I don't know.

Sorry,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
>> The question I have is this: what entry would get a priority if I
>> connect from 1.1.1.22, dest port 22 and src port 1111? This will match
>> both entries above and since the priority seems to be the same I don't
>> know what would be matched first. Thanks.
>
> I don't know.

OK, that is the problem I am having at present - I was under the impression that the first match wins, but that seems not to be the case at all - I get a match on the second class (26), but not the first.

Another query then - if I set the priority of, say, class 22 to be 2, and the priority of 26 to be 3 would that help - would I get a match on 22 first and then 26? How is this priority interpreted in the tc statements? Is this priority accounted for in ifbX devices?
On 9/9/12 1:30 PM, Mr Dash Four wrote:
>>> The question I have is this: what entry would get a priority if I
>>> connect from 1.1.1.22, dest port 22 and src port 1111? This will match
>>> both entries above and since the priority seems to be the same I don't
>>> know what would be matched first. Thanks.
>>
>> I don't know.
>
> OK, that is the problem I am having at present - I was under the
> impression that the first match wins, but that seems not to be the case
> at all - I get a match on the second class (26), but not the first.
>
> Another query then - if I set the priority of, say, class 22 to be 2,
> and the priority of 26 to be 3 would that help - would I get a match on
> 22 first and then 26? How is this priority interpreted in the tc
> statements? Is this priority accounted for in ifbX devices?

Some examples in the LARTC HOWTO suggest that only unclassified packets are passed to the next priority. So it sounds like using different priority classes would help in your case.

TC filters are independent of the type of interface.

-Tom
> Some examples in the LARTC HOWTO suggest that only unclassified packets
> are passed to the next priority. So it sounds like using different
> priority classes would help in your case.

In the meantime I performed this experiment and it doesn't seem to be working as expected.

How is shorewall setting this priority (the "priority" column value in tcclasses) and where can I find it in the "raw" tc statements, because the only thing I am seeing is statement upon statement with "prio 10" set?
On 9/9/12 2:04 PM, Mr Dash Four wrote:
>> Some examples in the LARTC HOWTO suggest that only unclassified packets
>> are passed to the next priority. So it sounds like using different
>> priority classes would help in your case.
>
> In the meantime I performed this experiment and it doesn't seem to be
> working as expected.
>
> How is shorewall setting this priority (the "priority" column value in
> tcclasses) and where can I find it in the "raw" tc statements, because
> the only thing I am seeing is statement upon statement with "prio 10" set?

Yes -- the priority for rules generated by tcfilters is 10 for IPv4 and 11 for IPv6.

Attached is a patch that adds a PRIORITY column to the tcfilters file. The minimum priority that can be specified in the column is 12.

-Tom
> Yes -- the priority for rules generated by tcfilters is 10 for IPv4 and
> 11 for IPv6.
>
> Attached is a patch that adds a PRIORITY column to the tcfilters file.
> The minimum priority that can be specified in the column is 12.

Hmm, there is something I am not completely clear about - is the "priority" column specified in tcclasses the one which should be taken into account, but it isn't (is this what your patch addresses)? I presume the same question is going to arise with tcrules as well - is the tcclasses' priority column value ignored there as well (I can't see any priority specified for outgoing traffic in tc statements as well)?
On 9/9/12 2:43 PM, Mr Dash Four wrote:
>> Yes -- the priority for rules generated by tcfilters is 10 for IPv4 and
>> 11 for IPv6.
>>
>> Attached is a patch that adds a PRIORITY column to the tcfilters file.
>> The minimum priority that can be specified in the column is 12.
>
> Hmm, there is something I am not completely clear about - is the
> "priority" column specified in tcclasses the one which should be taken
> into account, but it isn't (is this what your patch addresses)? I
> presume the same question is going to arise with tcrules as well - is
> the tcclasses' priority column value ignored there as well (I can't see
> any priority specified for outgoing traffic in tc statements as well)?

The two priorities are unrelated. The new PRIORITY column governs the order in which filters are evaluated.

-Tom
> The two priorities are unrelated. The new PRIORITY column governs the
> order in which filters are evaluated.

Could you elaborate on this a bit please? I always thought that the "PRIORITY" column in tcclasses defines the priority with which a certain packet is served. From man shorewall-tcclasses:

    PRIORITY - priority: The priority in which classes will be serviced by
    the packet shaping scheduler and also the priority in which bandwidth
    in excess of the rate will be given to each class. Higher priority
    classes will experience less delay since they are serviced first.
    Priority values are serviced in ascending order (e.g. 0 is higher
    priority than 1). Classes may be set to the same priority, in which
    case they will be serviced as equals.

What is the difference between the priority you introduce with your patch and the PRIORITY column in tcclasses? How is the priority of classes described in tcrules determined then, if it is not the one defined in the PRIORITY column in tcclasses? Where is this priority specified (for outgoing packets) in tc statements currently? For incoming packets I understand this is the "prio XX" value, but for outgoing packets where is this defined?
On 9/9/12 4:35 PM, Mr Dash Four wrote:
>> The two priorities are unrelated. The new PRIORITY column governs
>> the order in which filters are evaluated.
>
> Could you elaborate on this a bit please? I always thought that the
> "PRIORITY" column in tcclasses defines the priority with which a
> certain packet is served. From man shorewall-tcclasses:
>
>     PRIORITY - priority: The priority in which classes will be serviced
>     by the packet shaping scheduler and also the priority in which
>     bandwidth in excess of the rate will be given to each class. Higher
>     priority classes will experience less delay since they are serviced
>     first. Priority values are serviced in ascending order (e.g. 0 is
>     higher priority than 1). Classes may be set to the same priority, in
>     which case they will be serviced as equals.
>
> What is the difference between the priority you introduce with your
> patch and the PRIORITY column in tcclasses? How is the priority of
> classes described in tcrules determined then, if it is not the one
> defined in the PRIORITY column in tcclasses?

The priority of filter rules determines the order in which they are evaluated. This priority is involved in classifying packets. If no rule of priority 1 classifies the packet then the rule(s) at priority 2 (if any) are evaluated. If the packet is still not classified then the rules at priority 3 (if any) are evaluated.

Once the packet is classified and assigned to a class, then the class's priority determines the service given to the packet.

-Tom
>> What is the difference between the priority you introduce with your
>> patch and the PRIORITY column in tcclasses? How is the priority of
>> classes described in tcrules determined then, if it is not the one
>> defined in the PRIORITY column in tcclasses?
>
> The priority of filter rules determines the order in which they are
> evaluated. This priority is involved in classifying packets. If no rule
> of priority 1 classifies the packet then the rule(s) at priority 2 (if
> any) are evaluated. If the packet is still not classified then the rules
> at priority 3 (if any) are evaluated.
>
> Once the packet is classified and assigned to a class, then the class's
> priority determines the service given to the packet.

Call me thick, but I still don't get it!

Where do you currently use the priority specified in the PRIORITY column in tcclasses?

Am I right in assuming that this is a different "priority" which is present in the tc statements, which you just added in your patch (to be specified in tcfilters)?

Also, how is the priority for outgoing packets determined (those that are defined in tcrules)? The reason I am asking this is because there will be the same scenario for possible multiple matches as I described in my initial post, so how is this dealt with currently in shorewall?
On 09/09/2012 05:08 PM, Mr Dash Four wrote:
> Call me thick, but I still don't get it!
>
> Where do you currently use the priority specified in the PRIORITY
> column in tcclasses?

In 'tc class add' commands.

> Am I right in assuming that this is a different "priority" which is
> present in the tc statements, which you just added in your patch (to
> be specified in tcfilters)?

Yes -- the new PRIORITY is used in 'tc filter add' commands generated by entries in /etc/shorewall/tcfilters.

> Also, how is the priority for outgoing packets determined (those that
> are defined in tcrules)?

In the current code, the priority of that filter is <priority of the corresponding class> LAND 20. This allows entries in /etc/shorewall/tcfilters to override firewall marks.

-Tom
On 9/10/12 6:34 AM, "Tom Eastep" <teastep@shorewall.net> wrote:
> On 09/09/2012 05:08 PM, Mr Dash Four wrote:
>
>> Call me thick, but I still don't get it!
>>
>> Where do you currently use the priority specified in the PRIORITY
>> column in tcclasses?
>
> In 'tc class add' commands.
>
>> Am I right in assuming that this is a different "priority" which is
>> present in the tc statements, which you just added in your patch (to
>> be specified in tcfilters)?
>
> Yes -- the new PRIORITY is used in 'tc filter add' commands generated by
> entries in /etc/shorewall/tcfilters.
>
>> Also, how is the priority for outgoing packets determined (those that
>> are defined in tcrules)?
>
> In the current code, the priority of that filter is <priority of the
> corresponding class> LAND 20. This allows entries in
> /etc/shorewall/tcfilters to override firewall marks.

Correction: it is ( <priority of the corresponding class> << 8 ) | 20.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
>>> Where do you currently use the priority specified in the PRIORITY
>>> column in tcclasses?
>>
>> In 'tc class add' commands.
>>
>>> Am I right in assuming that this is a different "priority" which is
>>> present in the tc statements, which you just added in your patch (to
>>> be specified in tcfilters)?
>>
>> Yes -- the new PRIORITY is used in 'tc filter add' commands generated by
>> entries in /etc/shorewall/tcfilters.
>>
>>> Also, how is the priority for outgoing packets determined (those that
>>> are defined in tcrules)?
>>
>> In the current code, the priority of that filter is <priority of the
>> corresponding class> LAND 20. This allows entries in
>> /etc/shorewall/tcfilters to override firewall marks.
>
> Correction: it is ( <priority of the corresponding class> << 8 ) | 20.

I am sorry, but I can't see *any* of it.

OK, I prepared a (rather rudimentary) test case and I am attaching the relevant files in this email - I hope the mailing list daemon would accept the attachments; if not, I will send them privately.

In tcclasses I defined various classes for a single interface for both ingress and egress (eth0->ifb0) with different priorities ranging from 1 to 7. In the resulting compilation (shorewall compile -T -p -e) file (see firewall_tc) I can see all of these classes and flows defined, though I cannot see any of the priorities I have specified in my tcclasses file.

Ignoring the fact that the flow priorities (used in "tc filter" statements) are always set at 10, I can't see the value of the priorities I specified in tcclasses (1-7) - either as raw values or as "<priority of corresponding class> << 8 | 20". Am I missing something? Where are these priorities defined?
On 09/11/2012 05:14 PM, Mr Dash Four wrote:
> I am sorry, but I can't see *any* of it.
>
> OK, I prepared a (rather rudimentary) test case and I am attaching
> the relevant files in this email - I hope the mailing list daemon
> would accept the attachments; if not, I will send them privately.
>
> In tcclasses I defined various classes for a single interface for
> both ingress and egress (eth0->ifb0) with different priorities
> ranging from 1 to 7. In the resulting compilation (shorewall compile
> -T -p -e) file (see firewall_tc) I can see all of these classes and
> flows defined, though I cannot see any of the priorities I have
> specified in my tcclasses file.

That's because the code is neglecting to set the priority on hfsc classes :-( Patch attached.

-Tom
On 09/12/2012 07:35 AM, Tom Eastep wrote:
> On 09/11/2012 05:14 PM, Mr Dash Four wrote:
>
>> I am sorry, but I can't see *any* of it.
>>
>> OK, I prepared a (rather rudimentary) test case and I am attaching
>> the relevant files in this email - I hope the mailing list daemon
>> would accept the attachments; if not, I will send them privately.
>>
>> In tcclasses I defined various classes for a single interface for
>> both ingress and egress (eth0->ifb0) with different priorities
>> ranging from 1 to 7. In the resulting compilation (shorewall compile
>> -T -p -e) file (see firewall_tc) I can see all of these classes and
>> flows defined, though I cannot see any of the priorities I have
>> specified in my tcclasses file.
>
> That's because the code is neglecting to set the priority on hfsc
> classes :-( Patch attached.

Disregard the earlier patch -- hfsc doesn't support priority on its classes. I'll have to work on a patch that allows PRIORITY to be omitted on those classes.

-Tom
>> That's because the code is neglecting to set the priority on hfsc
>> classes :-( Patch attached.
>
> Disregard the earlier patch -- hfsc doesn't support priority on its
> classes. I'll have to work on a patch that allows PRIORITY to be omitted
> on those classes.

Damn! How is traffic prioritised then? By setting the dmax values?

If priority is indeed not supported (and can't be supported!) for hfsc, then the right course of action would be to issue an error when something (anything!) is specified in the PRIORITY column, not simply ignore it, otherwise there will be others like me asking why this value is not honoured.

As far as hfsc goes, if I can't prioritise traffic I may have to change the discipline used. I used hfsc primarily because of the ability to specify dmax values. Apart from HTB (which I am not very keen on) and HFSC, is there another discipline I could use for traffic shaping? CBQ?

Another question - you use "tc filter" for ifbX type devices, but not for others. Why? Can you not use hfsc for definition of classes and then create separate "tc filter" statements where you can define priorities? The man pages inform me that "tc filter" statements are "consulted" before a class is used, so, potentially, even if a priority is not defined (or can't be defined) in hfsc classes, that could be done in "tc filter" statements. Would that work?

One other thing I spotted in the meantime: in the firewall_tc file I attached yesterday, the "quantum" variable defined in those 2 functions is not used anywhere, so you might consider removing it altogether.
On 09/12/2012 03:35 PM, Mr Dash Four wrote:
> Damn! How is traffic prioritised then? By setting the dmax values?

Once you have read this article:

http://www.shorewall.net/traffic_shaping.htm#HFSC

and the article linked from it:

http://linux-ip.net/articles/hfsc.en/

then you will know everything about HFSC as I do (although there is some of my analysis available at

> If priority is indeed not supported (and can't be supported!) for
> hfsc, then the right course of action would be to issue an error
> when something (anything!) is specified in the PRIORITY column, not
> simply ignore it, otherwise there will be others like me asking why
> this value is not honoured.

The PRIORITY value is still used for generating the priority of the Shorewall-generated filters that classify traffic by MARK and by the tcp-ack and tos options. It just isn't used by the queuing discipline. So I prefer to handle this via a documentation change. I have made the PRIORITY optional for HFSC classes and allowed an explicit priority to be specified for MARK and the two options.

> As far as hfsc goes, if I can't prioritise traffic I may have to
> change the discipline used. I used hfsc primarily because of the
> ability to specify dmax values. Apart from HTB (which I am not very
> keen on) and HFSC, is there another discipline I could use for
> traffic shaping? CBQ?

You can use CBQ but Shorewall has no support for it. So you would need to script the rules in /etc/shorewall/tcscript and set TC_ENABLED=Yes in shorewall.conf.

> Another question - you use "tc filter" for ifbX type devices, but not
> for others. Why?

'tc filter' is the only way to classify ifbX traffic. So the documentation stresses that application.

> Can you not use hfsc for definition of classes and
> then create separate "tc filter" statements where you can define
> priorities?

Sure.

> The man pages inform me that "tc filter" statements are
> "consulted" before a class is used, so, potentially, even if a
> priority is not defined (or can't be defined) in hfsc classes, that
> could be done in "tc filter" statements. Would that work?

That will determine the order in which the filters are evaluated.

> One other thing I spotted in the meantime: in the firewall_tc file I
> attached yesterday, the "quantum" variable defined in those 2
> functions is not used anywhere, so you might consider removing it
> altogether.

I'll put that on my todo list; 'quantum' is used for HTB...

-Tom
> then you will know everything about HFSC as I do (although there is some
> of my analysis available at

At?

> The PRIORITY value is still used for generating the priority of the
> Shorewall-generated filters that classify traffic by MARK and by the
> tcp-ack and tos options. It just isn't used by the queuing
> discipline. So I prefer to handle this via a documentation change. I
> have made the PRIORITY optional for HFSC classes and allowed an explicit
> priority to be specified for MARK and the two options.

In other words, for any other classes (i.e. HTB in this case as HFSC has no use for it), you use this value << 8 | 20 to determine the class priority, right?

If so, can you not do the same with the "tc filter" priorities instead of having two separate values specified in 2 separate files? In other words, what I am asking is this - why have a separate column in tcfilters when you can use the value in this one (PRIORITY column in tcclasses) and then calculate the << 8 | 20 magic from it and then use that in the "tc filter" statements? Reduces complexity and everything is in one place.

Also, a side question - is there any reason why the priority should be calculated in this way - value << 8 | 20?

> You can use CBQ but Shorewall has no support for it. So you would need
> to script the rules in /etc/shorewall/tcscript and set TC_ENABLED=Yes in
> shorewall.conf.

CBQ seems to be a bit more comprehensive, though I haven't looked in detail at this discipline. I may consider it.

>> Another question - you use "tc filter" for ifbX type devices, but not
>> for others. Why?
>
> 'tc filter' is the only way to classify ifbX traffic. So the
> documentation stresses that application.

I understand that, but my question was more towards: if you use it for ifbX devices why not use it for "normal" ones - like eth0 for example? That way, priorities can be specified regardless of the queuing discipline used, right?

>> Can you not use hfsc for definition of classes and
>> then create separate "tc filter" statements where you can define
>> priorities?
>
> Sure.

Again, I meant for "normal" devices. Would that work?
On 9/12/12 4:26 PM, Mr Dash Four wrote:>> then you will know everything about HFSC as I do (although there is >> some of my analysis available at > At?Disregard -- I reworded that part and neglected to clean it up.> >> The PRIORITY value is still used for generating the priority of the >> Shorewall-generated filters that classify traffic by MARK and by >> the tcp-ack and tos options. It just isn''t used for by the queuing >> discipline. So I prefer to handle this via a documentation change. >> I have made the PRIORITY optional for HFSC classes and allowed an >> explicit prority to be specified for MARK and the two options. >> In other words, for any other classes (i.e. HTB in this case as HFSC > has no use for it), you use this value << 8 | 20 to determine the > class priority, right?Also for HFSC. These are *filters* that associate individuals with classes; they are queuing-discipline independent.> > If so, can you not do the same with the "tc filter" priorities > instead of having two separate values specified in 2 separate files? > In other words, what I am asking is this - why have a separate column > in tcfilters when you can use the value in this one (PRIORITY column > in tcclasses) and then calculate the << 8 | 20 magic from it and then > use that in the "tc filter" statements? Reduces complexity and > everything is in one place.Because I don''t have the energy for all of the testing that would take. My enthusiasm for traffic shaping rivals my love of undergoing oral surgery (I didn''t implement the original TC -- after the TC developer created it, he promptly disappeared).> > Also, a side question - is there any reason why the priority should > be calculated in this way - value << 8 | 20?Only to make it be evaluated after value << 8 | 10 and to ensure uniqueness between class priorities.> >> You can use CBQ but Shorewall has no support for it. So you would >> need to script the rules in /etc/shorewall/tcscript and set >> TC_ENABLED=Yes in shorewall.conf. 
> CBQ seems to be a bit more comprehensive, though I haven't looked in detail at this discipline. I may consider it.
>
>>> Another question - you use "tc filter" for ifbX type devices, but not for others. Why?
>>
>> 'tc filter' is the only way to classify ifbX traffic. So the documentation stresses that application.
>
> I understand that, but my question was more towards if you use it for ifbX devices why not use it for "normal" ones - like eth0 for example? That way, priorities can be specified regardless of the queuing discipline used, right?

If you like them, use them.

>>> Can you not use hfsc for definition of classes and then create separate "tc filter" statements when you can define priorities.
>>
>> Sure.
>
> Again, I meant for "normal" devices. Would that work?

Yes

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
>> In other words, for any other classes (i.e. HTB in this case as HFSC has no use for it), you use this value << 8 | 20 to determine the class priority, right?
>
> Also for HFSC.

My understanding was that you ignore the PRIORITY column in tcclasses for HFSC as it doesn't support it.

> These are *filters* that associate individuals with classes; they are queuing-discipline independent.

Yes, I am aware of that, though I thought that you use the value specified in PRIORITY << 8 | 20 and use the result in the "prio" option when defining the class. Is that not the case, or have I got this wrong?

>> If so, can you not do the same with the "tc filter" priorities instead of having two separate values specified in 2 separate files? In other words, what I am asking is this - why have a separate column in tcfilters when you can use the value in this one (PRIORITY column in tcclasses) and then calculate the << 8 | 20 magic from it and then use that in the "tc filter" statements? Reduces complexity and everything is in one place.
>
> Because I don't have the energy for all of the testing that would take.

Well, I am able to help with the testing part, if needed - you know that. The idea is to use a single value (PRIORITY in tcclasses) for class as well as filter "prio" options, instead of using PRIORITY in tcclasses for class priorities and having a separate PRIORITY value in tcfilters for the filter "prio" options, simply because in most cases these priorities will be the same.

> Only to make it be evaluated after value << 8 | 10 and to ensure uniqueness between class priorities.

"Be evaluated"? Are there any restrictions on these values? I know of one - in filters - that needs to be > 12. Are there any other such restrictions?

>> I understand that, but my question was more towards if you use it for ifbX devices why not use it for "normal" ones - like eth0 for example?
>> That way, priorities can be specified regardless of the queuing discipline used, right?
>
> If you like them, use them.

Currently, for outgoing traffic, the CLASSIFY target is used, which derives its constraints from tcrules. If HFSC is not used, then the priority specified in tcclasses is applied - in one form or another - in the "prio" option when the class is defined. That's of no use if the HFSC discipline is defined. Can you not, in such a case, define a "dummy" "tc filter" statement corresponding to that class, setting the priority specified? Something like:

run_tc filter add dev eth0 protocol ip parent e:0 prio <PRIORITY in tcclasses << 8 | 20> flowid <classid from tcclasses>

Would that work? If so, this is how you can always use priorities regardless of the queuing discipline defined. Would that work, is this doable?
>> Only to make it be evaluated after value << 8 | 10 and to ensure uniqueness between class priorities.
> "Be evaluated"? Are there any restrictions on these values? I know of one - in filters - that needs to be > 12. Are there any other such restrictions?

Further point on this - I did a bit of testing and changed my discipline to htb just to see what has been produced. It turns out that the value in the PRIORITY column in tcclasses is passed on to the class definitions as-is - none of this << 8 | 20 malarkey! All my class "prio" values are 1 to 7 - without exception (I could attach my firewall_tc file produced, if needed - just let me know).

Also, I tried using the same priority values (1-7) when defining filter classes as well. It turns out that not only is this value accepted by tc, but it also works, so I don't know where you get that the "prio" value in the "tc filter" statements must be > 12 from?
On 09/12/2012 05:21 PM, Mr Dash Four wrote:

>>> In other words, for any other classes (i.e. HTB in this case as HFSC has no use for it), you use this value << 8 | 20 to determine the class priority, right?
>>
>> Also for HFSC.
> My understanding was that you ignore the PRIORITY column in tcclasses for HFSC as it doesn't support it.

No, I don't ignore it. It is still used for prioritizing the filters.

Attached are the tcdevices and tcclasses files from one of my test hfsc configurations. Also attached is the output of 'shorewall show classifiers' with that configuration running. In that output, the 'pref' setting is the filter priority. Note that the firewall mark classifiers all have their priority set to ( <class priority> << 8 ) | 20 and that the tcp-ack and tos-minimize-delay rules have priority ( <class priority> << 8 ) | 10. The classifiers would look exactly the same if HTB were used.

-Tom
On 09/12/2012 06:21 PM, Mr Dash Four wrote:

>>> Only to make it be evaluated after value << 8 | 10 and to ensure uniqueness between class priorities.
>> "Be evaluated"? Are there any restrictions on these values? I know of one - in filters - that needs to be > 12. Are there any other such restrictions?
> Further point on this - I did a bit of testing and changed my discipline to htb just to see what has been produced. It turns out that the value in the PRIORITY column in tcclasses is passed on to the class definitions as-is - none of this << 8 | 20 malarkey! All my class "prio" values are 1 to 7 - without exception (I could attach my firewall_tc file produced, if needed - just let me know).

No need -- I'm perfectly aware of how it works. But as I pointed out in my previous post the 'malarkey' is used to order the filters, regardless of the queuing discipline.

> Also, I tried using the same priority values (1-7) when defining filter classes as well. It turns out that not only is this value accepted by tc, but it also works, so I don't know where you get that the "prio" value in the "tc filter" statements must be > 12 from?

I removed that restriction shortly after I posted the patch.

-Tom
>>> Also for HFSC.
>> My understanding was that you ignore the PRIORITY column in tcclasses for HFSC as it doesn't support it.
>
> No, I don't ignore it. It is still used for prioritizing the filters.
>
> Attached are the tcdevices and tcclasses files from one of my test hfsc configurations. Also attached is the output of 'shorewall show classifiers' with that configuration running. In that output, the 'pref' setting is the filter priority.

A couple of things:

You introduced this <class priority> << 8 | XX malarkey with RC1, which was released a couple of hours ago. Your test results and the files you have attached in your previous post have used this not-yet-released RC1 version of shorewall!

My name is not Mystic Meg and I don't have a crystal ball to see whether you are going to release a new version of shorewall in which to include this << 8 | XX calculation. My testing and subsequent results were based on the latest released version of shorewall at the time (Beta3), with the exception of the patches you have provided me with.

> Note that the firewall mark classifiers all have their priority set to ( <class priority> << 8 ) | 20 and that the tcp-ack and tos-minimize-delay rules have priority ( <class priority> << 8 ) | 10.

Care to explain the reason behind this priority calculation - why ( <class priority> << 8 ) | 10?

Also, you have used MARK - I don't use that. Maybe that is why I am not getting any priorities set at all when I use HFSC? When I use HTB (again, without MARK being specified!) all class priority values are set *exactly* as specified in tcclasses, which is what I wanted in the first place.

> The classifiers would look exactly the same if HTB were used.

See above - when I do *not* use MARK and with HFSC specified, I don't have any priorities set.
When I employ HTB (again, with *no* MARK specified), I see the priority values set *exactly* as specified in tcclasses/tcfilters - this has all been tested with Beta3, as well as the newly-released RC1 - the end result is the same as far as priorities go, with the exception of automatic priority numbering (1-X) in RC1 in all "tc filter add" statements if I do not specify any priority value in tcfilters, which is to be expected really.

So, for avoidance of any doubt and to stop us going round in circles I am attaching a couple of files:

1. tcrules, tcclasses & tcdevices - these are exactly the same as I attached to you previously, with the only exception being that in tcdevices "hfsc" and "htb" can be interchanged for testing different disciplines.

2. tcfilters - the new PRIORITY column has been used which mirrors its counterpart in tcclasses. Please note that in two of the tests (see firewall_tc_*_rc1_no_prio attached) I did not have anything in PRIORITY (tcfilters) to see how this is going to translate in the resulting file.

3. firewall_tc_hfsc_rc1_no_prio - HFSC discipline used and no PRIORITY in tcfilters is specified. Please note the absence of any class priorities (which you, apparently, have when hfsc & mark is used).

4. firewall_tc_hfsc_rc1 - same as 3 above, but this time with PRIORITY in tcfilters specified. Again, even though there are "filter" priorities set, there are no class priorities specified of any kind.

5. firewall_tc_htb_rc1_no_prio - HTB discipline used, with no priorities specified in tcfilters. Please note that the value of all class priorities is set exactly as specified in tcclasses - none of this << 8 | XX malarkey, which is what I wanted really. Also, the filter priorities are 1-X (in that order) which is normal as I did not specify any in tcfilters.

6. firewall_tc_htb_rc1 - same as 5 above, but with priorities specified in tcfilters - all "prio" values are set *exactly* as specified in tcclasses/tcfilters in the resulting compilation - none of this << 8 | XX malarkey, which is what I wanted really.

The results of the Beta3 testing I did yesterday are very similar and I can attach these files, if needed - let me know if that is the case.

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://ad.doubleclick.net/clk;258768047;13503038;j?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> No need -- I'm perfectly aware of how it works. But as I pointed out in my previous post the 'malarkey' is used to order the filters, regardless of the queuing discipline.

Maybe not so - the "malarkey" doesn't seem to be used if I have *no* MARK specified, which is fine with me (see my previous post on the subject)!
On 09/13/2012 04:56 PM, Mr Dash Four wrote:

> A couple of things:
>
> You introduced this <class priority> << 8 | XX malarkey with RC1, which was released a couple of hours ago. Your test results and the files you have attached in your previous post have used this not-yet-released RC1 version of shorewall!

As I stated in my previous post, the 'malarkey' has been in the Shorewall code for almost 3 years.

> My name is not Mystic Meg and I don't have a crystal ball to see whether you are going to release a new version of shorewall in which to include this << 8 | XX calculation. My testing and subsequent results were based on the latest released version of shorewall at the time (Beta3), with the exception of the patches you have provided me with.

No you're not -- but you are prone to making strong statements about things that you really know nothing about.

>> Note that the firewall mark classifiers all have their priority set to ( <class priority> << 8 ) | 20 and that the tcp-ack and tos-minimize-delay rules have priority ( <class priority> << 8 ) | 10.
> Care to explain the reason behind this priority calculation - why ( <class priority> << 8 ) | 10?

It orders the MARK, tcp-ack and tos* filters in the order that makes them work as intended.

> Also, you have used MARK - I don't use that. Maybe that is why I am not getting any priorities set at all when I use HFSC?

That's correct (and you don't use 'tcp-ack' or 'tos*' options either).

> When I use HTB (again, without MARK being specified!) all class priority values are set *exactly* as specified in tcclasses, which is what I wanted in the first place.

And which has been the behavior since day 1.

>> The classifiers would look exactly the same if HTB were used.
> See above - when I do *not* use MARK and with HFSC specified, I don't have any priorities set.
>
> When I employ HTB (again, with *no* MARK specified), I see the priority values set *exactly* as specified in tcclasses/tcfilters - this has all been tested with Beta3, as well as the newly-released RC1 - the end result is the same as far as priorities go, with the exception of automatic priority numbering (1-X) in RC1 in all "tc filter add" statements if I do not specify any priority value in tcfilters, which is to be expected really.
>
> So, for avoidance of any doubt and to stop us going round in circles I am attaching a couple of files:

I understand how the product works; I may be old but I'm not senile.

-Tom

------------------------------------------------------------------------------
Got visibility?
Most devs have no idea what their production app looks like.
Find out how fast your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219671;13503038;y?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
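Tom's explanation a few messages up (filter pref = (class PRIORITY << 8) | 20 for the MARK classifier and | 10 for tcp-ack and tos) and his confirmation here that a class with no MARK, tcp-ack or tos option gets no such filter at all can be checked without a live qdisc. The script below is an added example, not Shorewall code and not from this thread: it re-derives those prio values in POSIX shell, emits "tc filter add" lines in the shape the generated firewall script uses (the u32 tcp-ack match is the one visible in the RC1 diff further down), and sorts them lowest pref first, which is the order tc consults them in. It uses 15 for tos, which is the value the RC1 diff assigns. The interface name, parent handle, class ids, mark values and the hand-written prio 7 entry are made up for the illustration.

```shell
#!/bin/sh
# Added example, not part of Shorewall: model how the compiler derives the
# 'prio' of the classifier filters it generates for each tcclasses entry.
#
#   pref = (class PRIORITY << 8) | kind
#   kind = 10 for tcp-ack, 15 for tos, 20 for MARK   (RC1 values)
#
# Device name, parent handle, class ids and mark values below are made up.

# filter_pref CLASS_PRIORITY KIND  -> prints the derived prio
filter_pref() {
    case $2 in
        tcp-ack) _k=10 ;;
        tos)     _k=15 ;;
        mark)    _k=20 ;;
        *) echo "filter_pref: unknown kind '$2'" >&2; return 1 ;;
    esac
    echo $(( ($1 << 8) | _k ))
}

# class_filters DEV PARENT CLASSID CLASS_PRIORITY MARK TCPACK TOS
#   MARK   : fw mark, or mark:prio for an explicit priority, or '-'
#   TCPACK : 'tcp-ack' or '-'
#   TOS    : tos byte such as 0x10, or '-'
# Prints one 'tc filter add' line per option that is actually set. A class
# with '-' everywhere prints nothing: no filter, hence no prio to look at.
class_filters() {
    dev=$1 parent=$2 classid=$3 prio=$4 mark=$5 ack=$6 tos=$7

    if [ "$mark" != "-" ]; then
        case $mark in
            *:*) mpref=${mark#*:}; mark=${mark%%:*} ;;   # explicit MARK:prio
            *)   mpref=$(filter_pref "$prio" mark) ;;
        esac
        echo "tc filter add dev $dev protocol all parent $parent:0 prio $mpref handle $mark fw classid $classid"
    fi
    if [ "$ack" != "-" ]; then
        # pure ACK: IPv4, header length 5, total length < 64, ACK flag only
        echo "tc filter add dev $dev parent $parent:0 protocol ip prio $(filter_pref "$prio" tcp-ack) u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid"
    fi
    if [ "$tos" != "-" ]; then
        echo "tc filter add dev $dev parent $parent:0 protocol ip prio $(filter_pref "$prio" tos) u32 match ip tos $tos 0xff flowid $classid"
    fi
}

# by_pref: read 'tc filter add' lines on stdin and print them lowest prio
# first, i.e. the order in which tc consults them. Ties are left in input
# order; the kernel's own tie-breaking for equal prefs is not modelled here.
by_pref() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "prio") { print $(i+1) "\t" $0; break } }' |
        sort -n -k1,1 | cut -f2-
}

# Demonstration: three classes with PRIORITY 1, 2 and 3, plus one hand-written
# tcfilters-style entry with a raw prio of 7. The raw 7 sorts ahead of every
# derived value (the smallest derived one is (1 << 8) | 10 = 266), so tcfilters
# entries with small priorities are consulted before any class-derived filter.
demo() {
    {
        class_filters ifb0 1 1:11 1 0x1 tcp-ack 0x10
        class_filters ifb0 1 1:12 2 0x2:300 - -
        class_filters ifb0 1 1:13 3 - - -        # no options: nothing emitted
        echo "tc filter add dev ifb0 protocol ip parent 1:0 prio 7 u32 match ip src 1.1.1.0/24 flowid 1:26"
    } | by_pref
}

demo
```

Running it prints five lines in the order 7, 266, 271, 276, 300: the hand-written tcfilters entry first, then the three filters of the PRIORITY 1 class (tcp-ack, tos, MARK), then the MARK filter whose priority was given explicitly as 0x2:300. The PRIORITY 3 class contributes nothing, which is the "no MARK, no priorities" effect discussed above. The derived values are distinct for every class priority because the low byte only ever holds 10, 15 or 20 and the high byte holds the class priority.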
>> You introduced this <class priority> << 8 | XX malarkey with RC1, >> which was released a couple of hours ago. Your test results and the >> files you have attached in your previous post have used this >> not-yet-released RC1 version of shorewall! > > As I stated in my previous post, the ''malarkey'' has been in the > Shorewall code for almost 3 years.Oh yeah? --- shorewall-4.5.8-Beta3/shorewall/Perl/Shorewall/Tc.pm 2012-09-09 21:20:41.000000000 +0100 +++ shorewall-4.5.8-RC1/shorewall/Perl/Shorewall/Tc.pm 2012-09-13 18:00:24.000000000 +0100 @@ -1109,11 +1121,25 @@ my $tcref = $tcclasses{$device}; + if ( $devref->{qdisc} eq ''htb'' ) { + fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio; + } + my $markval = 0; + my $markprio; if ( $mark ne ''-'' ) { fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS}; + ( $mark, my $priority ) = split/:/, $mark, 2; + + if ( supplied $priority ) { + $markprio = validate_filter_priority( $priority, ''mark'' ); + } else { + fatal_error "Missing mark priority" if $prio eq ''-''; + $markprio = ( $prio << 8 ) | 20; + } + $markval = numeric_value( $mark ); fatal_error "Invalid MARK ($markval)" unless defined $markval; 
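Review bot: the new PRIO validation in this hunk (`fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;`) only runs when `$devref->{qdisc} eq 'htb'`, yet the mark branch a few lines down computes `( $prio << 8 ) | 20` for every qdisc; on an hfsc device a PRIORITY that is present but not numeric is never rejected, Perl's shift turns it into 0 (with at most a warning), and the generated filter silently gets prio 20. Suggest validating `$prio` with `numeric_value` whenever it is not '-', independent of the qdisc, and keeping only the "must be supplied" rule htb-specific. Two smaller points: the message says PRIO while the column is PRIORITY, and `( $mark, my $priority ) = split/:/, $mark, 2;` introduces a MARK:priority form that the tcclasses man page needs to document.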
@@ -1209,25 +1234,45 @@ unless ( $options eq ''-'' ) { for my $option ( split_list1 "\L$options", ''option'' ) { - my $optval = $tosoptions{$option}; + my $priority; + my $optval; + + ( $option, my $pri ) = split /:/, $option, 2; + + if ( $option =~ /^tos=(.+)/ || ( $optval = $tosoptions{$option} ) ) { + + if ( supplied $pri ) { + $priority = validate_filter_priority( $pri, ''mark'' ); + } else { + fatal_error "Missing TOS priority" if $prio eq ''-''; + $priority = ( $prio << 8 ) | 15; + } $option = "tos=$optval" if $optval; + } elsif ( supplied $pri ) { + $option = join '':'', $option, $pri; + } if ( $option eq ''default'' ) { fatal_error "Only one default class may be specified for device $device" if $devref->{default}; fatal_error "The $option option is not valid with ''occurs" if $tcref->{occurs} > 1; $devref->{default} = $classnumber; - } elsif ( $option eq ''tcp-ack'' ) { + } elsif ( $option =~ /tcp-ack(:(\d+|0x[0-0a-fA-F]))?$/ ) { fatal_error "The $option option is not valid with ''occurs" if $tcref->{occurs} > 1; - $tcref->{tcp_ack} = 1; + if ( $1 ) { + $tcref->{tcp_ack} = validate_filter_priority( $2, ''tcp-ack'' ); + } else { + fatal_error "Missing tcp-ack priority" if $prio eq ''-''; + $tcref->{tcp_ack} = ( $prio << 8 ) | 10; + } } elsif ( $option =~ /^tos=0x[0-9a-f]{2}$/ ) { fatal_error "The $option option is not valid with ''occurs" if $tcref->{occurs} > 1; ( undef, $option ) = split /=/, $option; - push @{$tcref->{tos}}, "$option/0xff"; + push @{$tcref->{tos}}, "$option/0xff:$priority"; } elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) { fatal_error "The $option option is not valid with ''occurs" if $tcref->{occurs} > 1; ( undef, $option ) = split /=/, $option; - push @{$tcref->{tos}}, $option; + push @{$tcref->{tos}}, "$option:$priority"; } elsif ( $option =~ /^flow=(.*)$/ ) { fatal_error "The ''flow'' option is not allowed with ''pfifo''" if $tcref->{pfifo}; fatal_error "The ''flow'' option is not allowed with ''red''" if $tcref->{red}; I 
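Review bot: the tcp-ack pattern `/tcp-ack(:(\d+|0x[0-0a-fA-F]))?$/` is wrong in two ways: the hex class `[0-0a-fA-F]` should be `[0-9a-fA-F]+` (as written it accepts only a single hex digit after 0x and rejects the digits 1-9), and the pattern is not anchored at the start, so an option such as `xtcp-ack` is treated as tcp-ack. Since `( $option, my $pri ) = split /:/, $option, 2;` has already separated the priority and the `elsif ( supplied $pri )` branch only re-joins it for this regex to split again, the simpler fix is to keep `$option eq 'tcp-ack'` and feed `$pri` to `validate_filter_priority` directly. Also, the TOS branch calls `validate_filter_priority( $pri, 'mark' )`, which will label a bad tos priority as a mark error; pass 'tos'. Worth a man page note that tcp-ack:N, tos=...:N and MARK:N now exist and that their defaults are (PRIORITY << 8) | 10, | 15 and | 20 respectively.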
I may be older than you, but I am not as stupid.

> No you're not -- but you are prone to making strong statements about things that you really know nothing about.

A bit like you then.

>> Also, you have used MARK - I don't use that. Maybe that is why I am not getting any priorities set at all when I use HFSC?
>
> That's correct (and you don't use 'tcp-ack' or 'tos*' options either).

Yes, I do.
> You can use CBQ but Shorewall has no support for it. So you would need to script the rules in /etc/shorewall/tcscript and set TC_ENABLED=Yes in shorewall.conf.

'tcscript' isn't defined anywhere and there are no man pages describing its function(s).
On 9/20/12 3:32 PM, "Mr Dash Four" <mr.dash.four@googlemail.com> wrote:>>> You introduced this <class priority> << 8 | XX malarkey with RC1, >>> which was released a couple of hours ago. Your test results and the >>> files you have attached in your previous post have used this >>> not-yet-released RC1 version of shorewall! >> >> As I stated in my previous post, the ''malarkey'' has been in the >> Shorewall code for almost 3 years. >Oh yeah? > >--- shorewall-4.5.8-Beta3/shorewall/Perl/Shorewall/Tc.pm 2012-09-09 >21:20:41.000000000 +0100 >+++ shorewall-4.5.8-RC1/shorewall/Perl/Shorewall/Tc.pm 2012-09-13 >18:00:24.000000000 +0100 >@@ -1109,11 +1121,25 @@ > > my $tcref = $tcclasses{$device}; > >+ if ( $devref->{qdisc} eq ''htb'' ) { >+ fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio; >+ } >+ > my $markval = 0; >+ my $markprio; > > if ( $mark ne ''-'' ) { > fatal_error "MARK may not be specified when TC_BITS=0" unless >$config{TC_BITS}; > >+ ( $mark, my $priority ) = split/:/, $mark, 2; >+ >+ if ( supplied $priority ) { >+ $markprio = validate_filter_priority( $priority, ''mark'' ); >+ } else { >+ fatal_error "Missing mark priority" if $prio eq ''-''; >+ $markprio = ( $prio << 8 ) | 20; >+ } >+ > $markval = numeric_value( $mark ); > fatal_error "Invalid MARK ($markval)" unless defined $markval; 
> >@@ -1209,25 +1234,45 @@ > > unless ( $options eq ''-'' ) { > for my $option ( split_list1 "\L$options", ''option'' ) { >- my $optval = $tosoptions{$option}; >+ my $priority; >+ my $optval; >+ >+ ( $option, my $pri ) = split /:/, $option, 2; >+ >+ if ( $option =~ /^tos=(.+)/ || ( $optval = $tosoptions{$option} ) ) >{ >+ >+ if ( supplied $pri ) { >+ $priority = validate_filter_priority( $pri, ''mark'' ); >+ } else { >+ fatal_error "Missing TOS priority" if $prio eq ''-''; >+ $priority = ( $prio << 8 ) | 15; >+ } > > $option = "tos=$optval" if $optval; >+ } elsif ( supplied $pri ) { >+ $option = join '':'', $option, $pri; >+ } > > if ( $option eq ''default'' ) { > fatal_error "Only one default class may be specified for device >$device" if $devref->{default}; > fatal_error "The $option option is not valid with ''occurs" if >$tcref->{occurs} > 1; > $devref->{default} = $classnumber; >- } elsif ( $option eq ''tcp-ack'' ) { >+ } elsif ( $option =~ /tcp-ack(:(\d+|0x[0-0a-fA-F]))?$/ ) { > fatal_error "The $option option is not valid with ''occurs" if >$tcref->{occurs} > 1; >- $tcref->{tcp_ack} = 1; >+ if ( $1 ) { >+ $tcref->{tcp_ack} = validate_filter_priority( $2, ''tcp-ack'' ); >+ } else { >+ fatal_error "Missing tcp-ack priority" if $prio eq ''-''; >+ $tcref->{tcp_ack} = ( $prio << 8 ) | 10; >+ } > } elsif ( $option =~ /^tos=0x[0-9a-f]{2}$/ ) { > fatal_error "The $option option is not valid with ''occurs" if >$tcref->{occurs} > 1; > ( undef, $option ) = split /=/, $option; >- push @{$tcref->{tos}}, "$option/0xff"; >+ push @{$tcref->{tos}}, "$option/0xff:$priority"; > } elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) { > fatal_error "The $option option is not valid with ''occurs" if >$tcref->{occurs} > 1; > ( undef, $option ) = split /=/, $option; >- push @{$tcref->{tos}}, $option; >+ push @{$tcref->{tos}}, "$option:$priority"; > } elsif ( $option =~ /^flow=(.*)$/ ) { > fatal_error "The ''flow'' option is not allowed with ''pfifo''" if >$tcref->{pfifo}; > 
fatal_error "The ''flow'' option is not allowed with ''red''" if >$tcref->{red};
>
> I may be older than you, but I am not as stupid.

My God, you are an arrogant jackass! You totally overlooked this bit and then you call me stupid!

@ -1886,7 +1957,6 @@ $classids{$classid}=$devname; - my $priority = $tcref->{priority} << 8; my $parent = in_hexp $tcref->{parent}; emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
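Review bot: removing `my $priority = $tcref->{priority} << 8;` in this hunk is only safe if no use of `$priority` survives in the routine; the next hunk replaces the three uses in the mark, tcp-ack and tos filter emits, but under `use strict` any use left elsewhere in the same scope would now fail to compile, or, if an enclosing scope declares its own `$priority`, silently bind to that one. A `perl -c` of Shorewall/Tc.pm plus a grep for `\$priority` in this routine would confirm nothing else referenced the removed lexical.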
@@ -1945,22 +2015,23 @@ # add filters # unless ( $mark eq ''-'' ) { - emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1; + emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio $tcref->{markprio} handle $mark fw classid $classid" if $tcref->{occurs} == 1; } emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow}; # # options # - emit( "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . '' u32'' . + emit( "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio $tcref->{tcp_ack} u32" . "\\\n match ip protocol 6 0xff" . "\\\n match u8 0x05 0x0f at 0" . "\\\n match u16 0x0000 0xffc0 at 2" . "\\\n match u8 0x10 0xff at 33 flowid $classid" ) if $tcref->{tcp_ack}; for my $tospair ( @{$tcref->{tos}} ) { + ( $tospair, my $priority ) = split /:/, $tospair; my ( $tos, $mask ) = split q(/), $tospair; - emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid"; + emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio $priority u32 match ip tos $tos $mask flowid $classid"; } save_progress_message_short qq(" TC Class $classid defined.");

Take your business somewhere else. I'm finished listening to you.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
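Review bot: the mark filter in this hunk reads `$tcref->{markprio}`, but the hunk at -1109 only assigns the lexical `$markprio`; the store into the class hash is in none of the visible hunks, so please confirm it exists where the class record is built, otherwise the emitted command has an empty `prio` and tc rejects it. Second, the tcp-ack filter keeps its guard `if $tcref->{tcp_ack}` while that slot now holds a priority instead of the flag 1; if `validate_filter_priority` accepts 0, a `tcp-ack:0` option makes the guard false and the filter is silently dropped, so guard on `defined $tcref->{tcp_ack}` instead. The tos loop's `( $tospair, my $priority ) = split /:/, $tospair;` matches the "$option/0xff:$priority" format pushed in the earlier hunk, so that part is consistent.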
>> I may be older than you, but I am not as stupid.
>
> My God, you are an arrogant jackass! You totally overlooked this bit and then you call me stupid!

Fair enough - I must have missed it and I am man enough to admit it and apologise. That doesn't excuse the above comment, though I am not the one with anger management issues.

> Take your business somewhere else. I'm finished listening to you.

You are in no position to dictate where I should "take my business". In case you haven't noticed, shorewall isn't my "business". Fixing bugs, testing or otherwise making contributions to your shorewall "products" isn't what I do for a living either, not least because this activity is voluntary and I dedicate my free time to it, while I am not charging you, or anyone else, for these efforts.
Hi "Mr Dash Four" and Shorewall,

I've been following this thread and I follow parts of shorewall-users and shorewall-devel and as long as it's okay with everyone, I'd like to voice some thoughts... I'm top posting this, because it doesn't really belong in line anywhere...

Personally, I think shorewall is a brilliant product which I have been using for well over 10 years I think, and my job as a sysadmin would be infinitely harder without it. I know that Tom works on this as a volunteer project in his spare time, so he deserves a lot of respect for this, and all he asks is that you donate to the Alzheimer association.

So: "Mr Dash Four", I think you're out of line here, and you should definitely show a lot more respect. Also, if you're going to call out Tom like this, then man up and do so using your real name. Personally, I'd like to continue seeing you post on the mailing lists because I assume that it is helping the progression of shorewall and hopefully it will help it become an even better product, but not if you're going to be taking shots at our benevolent leader.

In life, I'm not always as diplomatic as I should be, but my rule of thumb when talking on the internets is that if I'm on someone else's turf then I should try to be as nice as possible even when (if) the other guy is at fault, and I don't think in this scenario that this is on Tom. I've seen you be a bit more rude than I would expect, especially when you get a lot of free support from Tom. If Tom tells you to take your business elsewhere, you better either do it, or find a way to make amends to him.

So, in other words to Mr Dash Four:
* thanks for reading
* chill the f*** out
* start posting with your real full name
* apologize to Tom
* and maybe donate some cash in his name to support Alzheimers: http://www.shorewall.net/shorewall_index.htm#Donations

Sincerely,
James Shubin

On Mon, 2012-09-24 at 00:23 +0100, Mr Dash Four wrote:
> >> I may be older than you, but I am not as stupid.
> >
> > My God, you are an arrogant jackass! You totally overlooked this bit and then you call me stupid!
> Fair enough - I must have missed it and I am man enough to admit it and apologise. That doesn't excuse the above comment, though I am not the one with anger management issues.
>
> > Take your business somewhere else. I'm finished listening to you.
> You are in no position to dictate where I should "take my business". In case you haven't noticed, shorewall isn't my "business". Fixing bugs, testing or otherwise making contributions to your shorewall "products" isn't what I do for a living either, not least because this activity is voluntary and I dedicate my free time to it, while I am not charging you, or anyone else, for these efforts.
>
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-devel
I'd like to second James' words. Mr Dash Four's behaviour on this towards Tom is simply inexcusable.

On Sep 24, 2012 4:15 AM, "James" <purpleidea@gmail.com> wrote: