Shorewall devel - Sep 2012 - tc question

I have a very straight-forward query. Suppose I have the following setup:

tcclasses
~~~~~~~~~
be:21 - 300kbps 1mbit 2
be:21:22 - 10kbps:50ms:1500b full 2
[...]
be:26 - 50kbps:30ms:1500b 150kbps 2

tcfilters
~~~~~~~~~
be:22 1.1.1.22 - tcp 22 1111
be:26 1.1.1.0/24

When the filrewall file is compiled, this results in the following
snippet of code for tc to execute:

firewall
~~~~~~~~
tc filter add dev ifb0 protocol ip parent be:0 prio 10 u32\
   match ip src 1.1.1.22/32\
   match ip protocol 6 0xff\
   link 0x001:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat

tc filter add dev ifb0 protocol ip parent be:0 prio 10 u32 ht 0x001:0\
   match tcp dst 22 0xffff\
   match tcp src 1111 0xffff\
   flowid be:22

tc filter add dev ifb0 protocol ip parent be:0 prio 10 u32\
   match ip src 1.1.1.0/24\
   flowid be:26


The question I have is this: what entry would get a priority if I
connect from 1.1.1.22, dest port 22 and src port 1111? This will match
both entries above and since the priority seems to be the same I don''t
know what would be matched first. Thanks.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 9/9/12 11:30 AM, Mr Dash Four wrote:
> 
> The question I have is this: what entry would get a priority if I
> connect from 1.1.1.22, dest port 22 and src port 1111? This will match
> both entries above and since the priority seems to be the same I
don''t
> know what would be matched first. Thanks.
I don''t know.

Sorry,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

>> The question I have is this: what entry would get a priority if I
>> connect from 1.1.1.22, dest port 22 and src port 1111? This will match
>> both entries above and since the priority seems to be the same I
don''t
>> know what would be matched first. Thanks.
>>     
>
> I don''t know.
>   
OK, that is the problem I am having at present - I was under the 
impression that the first match wins, but that seems not to be the case 
at all - I get a match on the second class (26), but no the first.

Another query then - if I set the priority of, say, class 22 to be 2, 
and the priority of 26 to be 3 would that help - would I get a match on 
22 first and then 26? How is this priority interpreted in the tc 
statements? Is this priority accounted for in ifbX devices?


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 9/9/12 1:30 PM, Mr Dash Four wrote:
> 
>>> The question I have is this: what entry would get a priority if I
>>> connect from 1.1.1.22, dest port 22 and src port 1111? This will
match
>>> both entries above and since the priority seems to be the same I
don''t
>>> know what would be matched first. Thanks.
>>>     
>>
>> I don''t know.
>>   
> OK, that is the problem I am having at present - I was under the 
> impression that the first match wins, but that seems not to be the case 
> at all - I get a match on the second class (26), but no the first.
> 
> Another query then - if I set the priority of, say, class 22 to be 2, 
> and the priority of 26 to be 3 would that help - would I get a match on 
> 22 first and then 26? How is this priority interpreted in the tc 
> statements? Is this priority accounted for in ifbX devices?
Some examples in the LARTC HOWTO suggest that only unclassified packets
are passed to the next priority. So it sounds like using different
priority classes would help in your case.

TC filters are independent of the type of interface.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> Some examples in the LARTC HOWTO suggest that only unclassified packets
> are passed to the next priority. So it sounds like using different
> priority classes would help in your case.
>   
In the meantime I performed this experiment and it doesn''t seem to be 
working as expected.

How is shorewall setting this priority (the "priority" column value in
tcclasses) and where can I find it in the "raw" tc statements, because
the only thing I am seeing is statement upon statement with "prio 10"
set?


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 9/9/12 2:04 PM, Mr Dash Four wrote:
> 
>> Some examples in the LARTC HOWTO suggest that only unclassified packets
>> are passed to the next priority. So it sounds like using different
>> priority classes would help in your case.
>>   
> In the meantime I performed this experiment and it doesn''t seem to
be
> working as expected.
> 
> How is shorewall setting this priority (the "priority" column
value in
> tcclasses) and where can I find it in the "raw" tc statements,
because
> the only thing I am seeing is statement upon statement with "prio
10" set?
Yes -- the priority for rules generated by tcfilters is 10 for IPv4 and
11 for IPv6.

Attached is a patch that adds a PRIORITY column to the tcfilters file.
The minimum priority that can be specified in the column is 12.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> Yes -- the priority for rules generated by tcfilters is 10 for IPv4 and
> 11 for IPv6.
>
> Attached is a patch that adds a PRIORITY column to the tcfilters file.
> The minimum priority that can be specified in the column is 12.
>   
Hmm, there is something I am not completely clear about - is the 
"priority" column specified in tcclasses the one which should be taken
into account, but it isn''t (is this what your patch addresses)? I 
presume the same question is going to arise with tcrules as well - is 
the tcclasses'' priority column value ignored there as well (I
can''t see
any priority specified for outgoing traffic in tc statements as well)?


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 9/9/12 2:43 PM, Mr Dash Four wrote:
> 
>> Yes -- the priority for rules generated by tcfilters is 10 for IPv4 and
>> 11 for IPv6.
>>
>> Attached is a patch that adds a PRIORITY column to the tcfilters file.
>> The minimum priority that can be specified in the column is 12.
>>   
> Hmm, there is something I am not completely clear about - is the 
> "priority" column specified in tcclasses the one which should be
taken
> into account, but it isn''t (is this what your patch addresses)? I 
> presume the same question is going to arise with tcrules as well - is 
> the tcclasses'' priority column value ignored there as well (I
can''t see
> any priority specified for outgoing traffic in tc statements as well)?
The two priorities are unrelated. The new PRIORITY column governs the
order in which filters are evaluated.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> The two priorities are unrelated. The new PRIORITY column governs the
> order in which filters are evaluated.
Could you elaborate on this a bit please? I always thought that the
"PRIORITY" column in tcclasses defines the priority with which a
certain packet is served. From man shorewall-tcclasses:

PRIORITY - priority: The priority in which classes will be serviced by the
packet shaping scheduler and also the priority in which bandwidth in excess of
the rate will be given to each class. Higher priority classes will experience
less delay since they are serviced first. Priority values are serviced in
ascending order (e.g. 0 is higher priority than 1). Classes may be set to the
same priority, in which case they will be serviced as equals.

What is the difference between the priority you introduce with your patch and
the PRIORITY column in tcclasses? How is the priority of classes described in
tcrules determined then, if it is not the one defined in the PRIORITY column in
tclcasses?

Where is this priority specified (for outgoing packets) in tc statements
currently? For incoming packets I understand this is the "prio XX"
value, but for outgoing packets where is this defined?

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 9/9/12 4:35 PM, Mr Dash Four wrote:
>> The two priorities are unrelated. The new PRIORITY column governs
>> the order in which filters are evaluated.
> Could you elaborate on this a bit please? I always thought that the
> "PRIORITY" column in tcclasses defines the priority with which a
> certain packet is served. From man shorewall-tcclasses:
> 
> PRIORITY - priority: The priority in which classes will be serviced
> by the packet shaping scheduler and also the priority in which
> bandwidth in excess of the rate will be given to each class. Higher
> priority classes will experience less delay since they are serviced
> first. Priority values are serviced in ascending order (e.g. 0 is
> higher priority than 1). Classes may be set to the same priority, in
> which case they will be serviced as equals.
> 
> What is the difference between the priority you introduce with your
> patch and the PRIORITY column in tcclasses? How is the priority of
> classes described in tcrules determined then, if it is not the one
> defined in the PRIORITY column in tclcasses?
The priority of filter rules determines the order in which they are
evaluated. This priority is involved in classifying packets. If no rule
of priority 1 classifies the packet then the rule(s) at priority 2 (if
any) are evaluated. If the packet is still not classified then the rules
at priority 3 (if any) are evaluated.

Once the packet is classified and assigned to a class, then the class''s
priority determines the service given to the packet.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

>> What is the difference between the priority you introduce with your
>> patch and the PRIORITY column in tcclasses? How is the priority of
>> classes described in tcrules determined then, if it is not the one
>> defined in the PRIORITY column in tclcasses?
> 
> The priority of filter rules determines the order in which they are
> evaluated. This priority is involved in classifying packets. If no rule
> of priority 1 classifies the packet then the rule(s) at priority 2 (if
> any) are evaluated. If the packet is still not classified then the rules
> at priority 3 (if any) are evaluated.
> 
> Once the packet is classified and assigned to a class, then the
class''s
> priority determines the service given to the packet.
Call me thick, but I still don''t get it!


Where do you currently use the priority specified in the PRIORITY column in
tcclasses?

Am I right in assuming that this is a different "priority" which is
present in the tc statements, which you just added in your patch (to be
specified in tcfilters)?

Also, how is the priority for outgoing packets determined (those that are
defined in tcrules)? The reason I am asking this is because there will be the
same scenario for possible multiple matches as I described in my initial post,
so how is this dealt with currently in shorewall?

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/09/2012 05:08 PM, Mr Dash Four wrote:
> Call me thick, but I still don''t get it!
>
> Where do you currently use the priority specified in the PRIORITY
> column in tcclasses?
In ''tc class add'' commands.
>
> Am I right in assuming that this is a different "priority" which
is
> present in the tc statements, which you just added in your patch (to
> be specified in tcfilters)?
Yes -- the new PRIORITY is used in ''tc filter add'' commands
generated by
entries in /etc/shorewall/tcfilters.
>
> Also, how is the priority for outgoing packets determined (those that
> are defined in tcrules)?
In the current code, the priority of that filter is <priority of the 
corresponding class> LAND 20. This allows entries in 
/etc/shorewall/tcfilters to override firewall marks.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 9/10/12 6:34 AM, "Tom Eastep" <teastep@shorewall.net> wrote:
>On 09/09/2012 05:08 PM, Mr Dash Four wrote:
>
>> Call me thick, but I still don''t get it!
>>
>> Where do you currently use the priority specified in the PRIORITY
>> column in tcclasses?
>
>In ''tc class add'' commands.
>>
>> Am I right in assuming that this is a different "priority"
which is
>> present in the tc statements, which you just added in your patch (to
>> be specified in tcfilters)?
>
>Yes -- the new PRIORITY is used in ''tc filter add''
commands generated by
>entries in /etc/shorewall/tcfilters.
>
>>
>> Also, how is the priority for outgoing packets determined (those that
>> are defined in tcrules)?
>
>In the current code, the priority of that filter is <priority of the
>corresponding class> LAND 20. This allows entries in
>/etc/shorewall/tcfilters to override firewall marks.
Correction: it is ( <priority of the corresponding class> << 8 ) |
20.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

>>> Where do you currently use the priority specified in the PRIORITY
>>> column in tcclasses?
>> In ''tc class add'' commands.
>>> Am I right in assuming that this is a different
"priority" which is
>>> present in the tc statements, which you just added in your patch
(to
>>> be specified in tcfilters)?
>> Yes -- the new PRIORITY is used in ''tc filter add''
commands generated by
>> entries in /etc/shorewall/tcfilters.
>>
>>> Also, how is the priority for outgoing packets determined (those
that
>>> are defined in tcrules)?
>> In the current code, the priority of that filter is <priority of the
>> corresponding class> LAND 20. This allows entries in
>> /etc/shorewall/tcfilters to override firewall marks.
> 
> Correction: it is ( <priority of the corresponding class> << 8
) | 20.
I am sorry, but I can''t see *any* of it. 

OK, I prepared a (rather rudimentary) test case and I am attaching the relevant
files in this email - I hope the mailing list daemon would accept the
attachments, if not will send them privately.

In tcclasses I defined various classes for a single interface for both ingress
and egress (eth0->ifb0) with different priorities ranging from 1 to 7. In the
resulting compilation (shorewall compile -T -p -e) file (see firewall_tc) I can
see all of these classes and flows defined, though I cannot see any of the
priorities I have specified in my tclcasses file.

Ignoring the fact that the flow priorities (used in "tc filter"
statements) are always set at 10, I can''t see the value of the
priorities I specified in tclasses (1-7) - either as raw values or as
"<priority of corresponding class> << 8 | 20". Am I
missing something? Where are these priorities defined?






------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/11/2012 05:14 PM, Mr Dash Four wrote:
> I am sorry, but I can''t see *any* of it.
>
> OK, I prepared a (rather rudimentary) test case and I am attaching
> the relevant files in this email - I hope the mailing list daemon
> would accept the attachments, if not will send them privately.
>
> In tcclasses I defined various classes for a single interface for
> both ingress and egress (eth0->ifb0) with different priorities
> ranging from 1 to 7. In the resulting compilation (shorewall compile
> -T -p -e) file (see firewall_tc) I can see all of these classes and
> flows defined, though I cannot see any of the priorities I have
> specified in my tclcasses file.
That''s because the code is neglecting to set the priority on hsfc 
classes :-( Patch attached.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/12/2012 07:35 AM, Tom Eastep wrote:
> On 09/11/2012 05:14 PM, Mr Dash Four wrote:
>
>> I am sorry, but I can''t see *any* of it.
>>
>> OK, I prepared a (rather rudimentary) test case and I am attaching
>> the relevant files in this email - I hope the mailing list daemon
>> would accept the attachments, if not will send them privately.
>>
>> In tcclasses I defined various classes for a single interface for
>> both ingress and egress (eth0->ifb0) with different priorities
>> ranging from 1 to 7. In the resulting compilation (shorewall compile
>> -T -p -e) file (see firewall_tc) I can see all of these classes and
>> flows defined, though I cannot see any of the priorities I have
>> specified in my tclcasses file.
>
> That''s because the code is neglecting to set the priority on hsfc
> classes :-( Patch attached.
Disregard the earlier patch -- hfsc doesn''t support priority on its 
classes. I''ll have to work on a patch that allows PRIORITY to be
omitted
on those classes.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

>> That''s because the code is neglecting to set the priority on
hsfc
>> classes :-( Patch attached.
> 
> Disregard the earlier patch -- hfsc doesn''t support priority on
its
> classes. I''ll have to work on a patch that allows PRIORITY to be
omitted
> on those classes.
Damn! How is traffic prioritised then? By setting the dmax values? If priority
is indeed not supported (and can''t be supported!) for hfsc, then the
right course of action would be to issue an error when something (anything!) is
specified in the PRIORITY column, not simply ignore it, otherwise there will be
others like me asking why is this value not honoured.

As far as hfsc goes, If I can''t prioritise traffic I may have to change
the discipline used. I used hsfc primarily because of the ability to specify
dmax values. Apart from HTB (which I am not very keen on) and HSFC, is there
another discipline I could use for traffic shaping? CBQ?

Another question - you use "tc filter" for ifbX type devices, but not
for others. Why? Can you not use hfsc for definition of classes and then create
separate "tc filter" statements when you can define priorities. The
man pages inform me that "tc filter" statements are
"consulted" before a class is used, so, potentially, even if a
priority is not defined (or can''t be defined) in hfsc classes, that
could be done in "tc filter" statements. Would that work?

One other thing I spotted in the meantime: in the firewall_tc file I attached
yesterday, the "quantum" variable defined in those 2 functions is not
used anywhere, so you might consider removing it altogether.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/12/2012 03:35 PM, Mr Dash Four wrote:
> Damn! How is traffic prioritised then? By setting the dmax values?
Once you have read this article:

	http://www.shorewall.net/traffic_shaping.htm#HFSC

and the article linked from it:

	http://linux-ip.net/articles/hfsc.en/

then you will know everything about HFSC as I do (although there is some 
of my analysis available at
> If priority is indeed not supported (and can''t be supported!) for
> hfsc, then the right course of action would be to issue an error
> when something (anything!) is specified in the PRIORITY column, not
> simply ignore it, otherwise there will be others like me asking why
> is this value not honoured.
The PRIORITY value is still used for generating the priority of the 
Shorewall-generated filters that classify traffic by MARK and by the 
tcp-ack and tos options. It just isn''t used for by the queuing 
discipline. So I prefer to handle this via a documentation change. I 
have made the PRIORITY optional for HFSC classes and allowed an explicit 
prority to be specified for MARK and the two options.
>
> As far as hfsc goes, If I can''t prioritise traffic I may have to
> change the discipline used. I used hsfc primarily because of the
> ability to specify dmax values. Apart from HTB (which I am not very
> keen on) and HSFC, is there another discipline I could use for
> traffic shaping? CBQ?
You can use CBQ but Shorewall has no support for it. So you would need 
to script the rules in /etc/shorewall/tcscript and set TC_ENABLED=Yes in 
shorewall.conf.
>
> Another question - you use "tc filter" for ifbX type devices, but
not
> for others. Why?
''tc filter'' is the only way to classify ifbX traffic. So the 
documentation stresses that application.
> Can you not use hfsc for definition of classes and
> then create separate "tc filter" statements when you can define
> priorities.
Sure.
> The man pages inform me that "tc filter" statements are
> "consulted" before a class is used, so, potentially, even if a
> priority is not defined (or can''t be defined) in hfsc classes,
that
> could be done in "tc filter" statements. Would that work?
That will determine the order in which the filters are evaluation.
>
> One other thing I spotted in the meantime: in the firewall_tc file I
> attached yesterday, the "quantum" variable defined in those 2
> functions is not used anywhere, so you might consider removing it
> altogether.
I''ll put that on my todo list; ''quantum'' is used for
HTB...

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> then you will know everything about HFSC as I do (although there is some 
> of my analysis available at
At?
> The PRIORITY value is still used for generating the priority of the 
> Shorewall-generated filters that classify traffic by MARK and by the 
> tcp-ack and tos options. It just isn''t used for by the queuing 
> discipline. So I prefer to handle this via a documentation change. I 
> have made the PRIORITY optional for HFSC classes and allowed an explicit 
> prority to be specified for MARK and the two options.
In other words, for any other classes (i.e. HTB in this case as HFSC has no use
for it), you use this value << 8 | 20 to determine the class priority,
right?

If so, can you not do the same with the "tc filter" priorities instead
of having two separate values specified in 2 separate files? In other words,
what I am asking is this - why have a separate column in tcfilters when you can
use the value in this one (PRIORITY column in tcclasses) and then calculate the
<< 8 | 20 magic from it and then use that in the "tc filter"
statements? Reduces complexity and everything is in one place.

Also, a side question - is there any reason why the priority should be
calculated in this way - value << 8 | 20?
> You can use CBQ but Shorewall has no support for it. So you would need 
> to script the rules in /etc/shorewall/tcscript and set TC_ENABLED=Yes in 
> shorewall.conf.
CBQ seems to be a bit more comprehensive, though I haven''t looked in
details about this discipline. I may consider it.
>> Another question - you use "tc filter" for ifbX type devices,
but not
>> for others. Why?
> 
> ''tc filter'' is the only way to classify ifbX traffic. So
the
> documentation stresses that application.
I understand that, but my question was more towards if you use it for ifbX
device why not use it for "normal" ones - like eth0 for example? That
way, priorities can be specified regardless of the queuing discipline used,
right?
>> Can you not use hfsc for definition of classes and
>> then create separate "tc filter" statements when you can
define
>> priorities.
> 
> Sure.
Again, I meant for "normal" devices. Would that work?


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 9/12/12 4:26 PM, Mr Dash Four wrote:
>> then you will know everything about HFSC as I do (although there is
>> some of my analysis available at
> At?
Disregard -- I reworded that part and neglected to clean it
up.
> 
>> The PRIORITY value is still used for generating the priority of the
>>  Shorewall-generated filters that classify traffic by MARK and by
>> the tcp-ack and tos options. It just isn''t used for by the
queuing
>>  discipline. So I prefer to handle this via a documentation change.
>> I have made the PRIORITY optional for HFSC classes and allowed an
>> explicit prority to be specified for MARK and the two options.
>
> In other words, for any other classes (i.e. HTB in this case as HFSC
> has no use for it), you use this value << 8 | 20 to determine the
> class priority, right?
Also for HFSC. These are *filters* that associate individuals with
classes; they are queuing-discipline independent.
> 
> If so, can you not do the same with the "tc filter" priorities
> instead of having two separate values specified in 2 separate files?
> In other words, what I am asking is this - why have a separate column
> in tcfilters when you can use the value in this one (PRIORITY column
> in tcclasses) and then calculate the << 8 | 20 magic from it and then
> use that in the "tc filter" statements? Reduces complexity and
> everything is in one place.
Because I don''t have the energy for all of the testing that would take.
My enthusiasm for traffic shaping rivals my love of undergoing oral
surgery (I didn''t implement the original TC -- after the TC developer
created it, he promptly disappeared).
> 
> Also, a side question - is there any reason why the priority should
> be calculated in this way - value << 8 | 20?
Only to make it be evaluated after value << 8 | 10 and to ensure
uniqueness between class priorities.
> 
>> You can use CBQ but Shorewall has no support for it. So you would
>> need to script the rules in /etc/shorewall/tcscript and set
>> TC_ENABLED=Yes in shorewall.conf.
>
> CBQ seems to be a bit more comprehensive, though I haven''t looked
in
> details about this discipline. I may consider it.
> 
>>> Another question - you use "tc filter" for ifbX type
devices, but
>>> not for others. Why?
>> 
>> ''tc filter'' is the only way to classify ifbX traffic.
So the
>> documentation stresses that application.
> I understand that, but my question was more towards if you use it for
> ifbX device why not use it for "normal" ones - like eth0 for
example?
> That way, priorities can be specified regardless of the queuing
> discipline used, right?
If you like them, use them.
> 
>>> Can you not use hfsc for definition of classes and then create
>>> separate "tc filter" statements when you can define
priorities.
>> 
>> Sure.
> Again, I meant for "normal" devices. Would that work?
Yes

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

>> In other words, for any other classes (i.e. HTB in this case as HFSC
>> has no use for it), you use this value << 8 | 20 to determine the
>> class priority, right?
> 
> Also for HFSC.
My understanding was that you ignore the PRIORITY column in tcclasses for HFSC
as it doesn''t support it.
> These are *filters* that associate individuals with
> classes; they are queuing-discipline independent.
Yes, I am aware of that, though I thought that you use the value specified in
PRIORITY << 8 | 20 and use the result in the "prio" option when
defining the class, is that not the case or have I got this wrong?
>> If so, can you not do the same with the "tc filter"
priorities
>> instead of having two separate values specified in 2 separate files?
>> In other words, what I am asking is this - why have a separate column
>> in tcfilters when you can use the value in this one (PRIORITY column
>> in tcclasses) and then calculate the << 8 | 20 magic from it and
then
>> use that in the "tc filter" statements? Reduces complexity
and
>> everything is in one place.
> 
> Because I don''t have the energy for all of the testing that would
take.
Well, I am able to help with the testing part, if needed - you know that.

The idea is to use a single value (PRIORITY in tcclasses) for class as well as
filter "prio" options, instead of using PRIORITY in tcclasses for
class priorities and have a separate PRIORITY value in tcfilters for the filter
"prio" options, simply because in most cases these priorities will be
the same.
> Only to make it be evaluated after value << 8 | 10 and to ensure
> uniqueness between class priorities.
"Be evaluated"? Are there any restrictions on these values? I know of
one - in filters - that needs to be > 12. Are there any other such
restrictions?
>> I understand that, but my question was more towards if you use it for
>> ifbX device why not use it for "normal" ones - like eth0 for
example?
>> That way, priorities can be specified regardless of the queuing
>> discipline used, right?
> 
> If you like them, use them.
Currently, for outgoing traffic, CLASSIFY target is used, which derives its
constraints from tcrules. If HFSC is not used, then the priority specified in
tclasses is applied - in one form or another - in "prio" option when
the class is defined. That''s of no use if HFSC discipline is defined.
Can you not, in such a case, define a "dummy" "tc filter"
statement corresponding to that class, setting the priority specified? Something
like:

run_tc filter add dev eth0 protocol ip parent e:0 prio <PRIORITY in tclasses
<< 8 | 20> flowid <classid from tcclasses>? Would that work? If
so, this is how you can always use priorities regardless of the queuing
discipline defined. Would that work, is this doable?



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

>> Only to make it be evaluated after value << 8 | 10 and to ensure
>> uniqueness between class priorities.
> "Be evaluated"? Are there any restrictions on these values? I
know of one - in filters - that needs to be > 12. Are there any other such
restrictions?
Further point on this - I did a bit of testing and changed my discipline to htb
just to see what has been produced. It turns out that the value in the PRIORITY
column in tcclasses is passed onto the class definitions as-is - none of this
<< 8 | 20 malarkey! All my class "prio" values are 1 to 7 -
without exception (I could attach my firewall_tc file produced, if needed - just
let me know).

Also, I tried using the same priority values (1-7) when defining filter classes
as well. It turns out that not only is this value accepted by tc, but it also
works, so I don''t know where you get that the "prio" value in
the "tc filter" statements must be > 12 from?

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/12/2012 05:21 PM, Mr Dash Four wrote:
>>> In other words, for any other classes (i.e. HTB in this case as
>>> HFSC has no use for it), you use this value << 8 | 20 to
>>> determine the class priority, right?
>>
>> Also for HFSC.
> My understanding was that you ignore the PRIORITY column in tcclasses
> for HFSC as it doesn''t support it.
No, I don''t ignore it. It is still used for prioritizing the filters.

Attached are the tcdevices and tcclasses files from one of my test hfsc 
configurations. Also attached is the output of ''shorewall show 
classifiers'' with that configuration running. In that output, the
''pref''
setting is the filter priority.

Note that the firewall mark classifiers all have their priority set to ( 
<class priority> << 8 ) | 20 and that the tcp-ack and
tos-minimize-delay
rules have priority ( <class priority> << 8 ) | 10.

The classifiers would look exactly the same if HTB were used.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 09/12/2012 06:21 PM, Mr Dash Four wrote:
>>> Only to make it be evaluated after value << 8 | 10 and to
ensure
>>> uniqueness between class priorities.
>> "Be evaluated"? Are there any restrictions on these values? I
know
>> of one - in filters - that needs to be > 12. Are there any other
>> such restrictions?
> Further point on this - I did a bit of testing and changed my
> discipline to htb just to see what has been produced. It turns out
> that the value in the PRIORITY column in tcclasses is passed onto the
> class definitions as-is - none of this << 8 | 20 malarkey! All my
> class "prio" values are 1 to 7 - without exception (I could
attach my
> firewall_tc file produced, if needed - just let me know).
No need -- I''m prefectly aware of how it works. But as I pointed out in
my previous post the ''malarkey'' is used to order the filters,
regardless
of the queuing discipline.
>
> Also, I tried using the same priority values (1-7) when defining
> filter classes as well. It turns out that not only is this value
> accepted by tc, but it also works, so I don''t know where you get
that
> the "prio" value in the "tc filter" statements must be
> 12 from?
I removed that restriction shortly after I posted the patch.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

>>> Also for HFSC.
>> My understanding was that you ignore the PRIORITY column in tcclasses
>> for HFSC as it doesn''t support it.
> 
> No, I don''t ignore it. It is still used for prioritizing the
filters.
> 
> Attached are the tcdevices and tcclasses files from one of my test hfsc
> configurations. Also attached is the output of ''shorewall show
> classifiers'' with that configuration running. In that output, the
''pref''
> setting is the filter priority.
A couple of things:

You introduced this <class priority> << 8 | XX malarkey with RC1,
which was released a couple of hours ago. Your test results and the files you
have attached in your previous post have used this not-yet-released RC1 version
of shorewall!

My name is not Mystic Meg and I don''t have a crystal ball to see
whether you are going to release a new version of shorewall in which to include
this << 8 | XX calculation. My testing and subsequent results were based
on the latest released version of shorewall at the time (Beta3), with the
exception of the patches you have provided me with.
> Note that the firewall mark classifiers all have their priority set to (
> <class priority> << 8 ) | 20 and that the tcp-ack and
tos-minimize-delay
> rules have priority ( <class priority> << 8 ) | 10.
Care to explain the reason behind this priority calculation - why ( <class
priority> << 8 ) | 10?

Also, you have used MARK - I don''t use that. May be that is why I am
not getting any priorities set at all when I use HFSC? When I use HTB (again,
without MARK being specified!) all class priority values are set *exactly* as
specified in tclasses, which is what I wanted in the first place.
> The classifiers would look exactly the same if HTB were used.
See above - when I do *not* use MARK and with HFSC specified, I don''t
have any priorities set.

When I employ HTB (again, with *no* MARK specified), I see the priorities values
set *exactly* as specified in tcclassess/tcfilters - this has all being tested
with Beta3, as well as the newly-released RC1 - the end result is the same as
far as priorities go, with the exception of automatic priority numbering (1-X)
in RC1 in all "tc filter add" statements if I do not specify any
priority value in tcfilters, which is to be expected really.

So, for avoidance of any doubt and to stop us going round circles I am attaching
a couple of files:

1. tcrules, tcclasses & tcdevices - these are exactly the same as I attached
to you previously, with the only exception being that in tcdevices
"hfsc" and "htb" can be interchanged for testing different
disciplines.
2. tcfilters - the new PRIORITY column has been used which mirrors its counter
part in tcclasses. Please note that in two of the tests (see
firewall_tc_*_rc1_no_prio attached) I did not have anything in PRIORITY
(tcfilters) to see how this is going to translate in the resulting file.
3. firewall_tc_hfsc_rc1_no_prio - HFSC discipline used and no PRIORITY in
tcfilters is specified. Please note the absence of any class priorities (which
you, apparently, have when hfsc & mark is used).
4. firewall_tc_hfsc_rc1 - same as 3 above, but this time with PRIORITY in
tcfilters specified. Again, even though there are "filter" priorities
set, there are no class priorities specified of any kind.
5. firewall_tc_htb_rc1_no_prio - HTB discipline used, with no priorities
specified in tcfilters. Please note that the value of all class priorities is
set exactly as specified in tcclasses - none of this << 8 | XX malarkey,
which is what I wanted really. Also, the filter priorities are 1-X (in that
order) which is normal as I did not specify any in tcfilters.
6. firewall_tc_htb_rc1 - same as 5 above, but with priorities specified in
tcfilters - all "prio" values are set *exactly* as specified in
tcclasses/tcfilters in the resulting compilation - none of this << 8 | XX
malarkey, which is what I wanted really.

The results of the Beta3 testing I did yesterday are very similar and I can
attach these files, if needed - let me know if that is the case.









------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://ad.doubleclick.net/clk;258768047;13503038;j?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html

> No need -- I''m prefectly aware of how it works. But as I pointed
out in
> my previous post the ''malarkey'' is used to order the
filters, regardless
> of the queuing discipline.
Maybe not so - the "malarkey" doesn''t seem to be used if I
have *no* MARK specified, which is fine with me (see my previous post on the
subject)!


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://ad.doubleclick.net/clk;258768047;13503038;j?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html

On 09/13/2012 04:56 PM, Mr Dash Four wrote:
> A couple of things:
>
> You introduced this <class priority> << 8 | XX malarkey with
RC1,
> which was released a couple of hours ago. Your test results and the
> files you have attached in your previous post have used this
> not-yet-released RC1 version of shorewall!
As I stated in my previous post, the ''malarkey'' has been in
the
Shorewall code for almost 3 years.
>
> My name is not Mystic Meg and I don''t have a crystal ball to see
> whether you are going to release a new version of shorewall in which
> to include this << 8 | XX calculation. My testing and subsequent
> results were based on the latest released version of shorewall at the
> time (Beta3), with the exception of the patches you have provided me
> with.
No your''re not -- but you are prone to making strong statements about 
things that you really know nothing about.
>
>> Note that the firewall mark classifiers all have their priority set
>> to ( <class priority> << 8 ) | 20 and that the tcp-ack and
>> tos-minimize-delay rules have priority ( <class priority>
<< 8 ) |
>> 10.
> Care to explain the reason behind this priority calculation - why (
> <class priority> << 8 ) | 10?
It orders the MARK, tcp-ack and tos* filters in the order that makes 
them work as intended.
>
> Also, you have used MARK - I don''t use that. May be that is why I
am
> not getting any priorities set at all when I use HFSC?
That''s correct (and you don''t use ''tcp-ack''
or ''tos*'' options either).
> When I use HTB
> (again, without MARK being specified!) all class priority values are
> set *exactly* as specified in tclasses, which is what I wanted in the
> first place.
And which has been the behavior since day 1.
>
>> The classifiers would look exactly the same if HTB were used.
> See above - when I do *not* use MARK and with HFSC specified, I
don''t
> have any priorities set.
>
> When I employ HTB (again, with *no* MARK specified), I see the
> priorities values set *exactly* as specified in tcclassess/tcfilters
> - this has all being tested with Beta3, as well as the newly-released
> RC1 - the end result is the same as far as priorities go, with the
> exception of automatic priority numbering (1-X) in RC1 in all "tc
> filter add" statements if I do not specify any priority value in
> tcfilters, which is to be expected really.
>
> So, for avoidance of any doubt and to stop us going round circles I
> am attaching a couple of files:
I understand how the product works; I may be old but I''m not senile.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Got visibility?
Most devs has no idea what their production app looks like.
Find out how fast your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219671;13503038;y?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html

>> You introduced this <class priority> << 8 | XX malarkey
with RC1,
>> which was released a couple of hours ago. Your test results and the
>> files you have attached in your previous post have used this
>> not-yet-released RC1 version of shorewall!
> 
> As I stated in my previous post, the ''malarkey'' has been
in the
> Shorewall code for almost 3 years.
Oh yeah?

--- shorewall-4.5.8-Beta3/shorewall/Perl/Shorewall/Tc.pm	2012-09-09
21:20:41.000000000 +0100
+++ shorewall-4.5.8-RC1/shorewall/Perl/Shorewall/Tc.pm	2012-09-13
18:00:24.000000000 +0100
@@ -1109,11 +1121,25 @@
 
     my $tcref = $tcclasses{$device};
 
+    if ( $devref->{qdisc} eq ''htb'' ) {
+	fatal_error "Invalid PRIO ($prio)" unless defined numeric_value
$prio;
+    }
+
     my $markval = 0;
+    my $markprio;
 
     if ( $mark ne ''-'' ) {
 	fatal_error "MARK may not be specified when TC_BITS=0" unless
$config{TC_BITS};
 
+	( $mark, my $priority ) = split/:/, $mark, 2;
+
+	if ( supplied $priority ) {
+	    $markprio = validate_filter_priority( $priority, ''mark''
);
+	} else {
+	    fatal_error "Missing mark priority" if $prio eq
''-'';
+	    $markprio =  ( $prio << 8 ) | 20; 
+	}
+
 	$markval = numeric_value( $mark );
 	fatal_error "Invalid MARK ($markval)" unless defined $markval;
 
@@ -1209,25 +1234,45 @@
 
     unless ( $options eq ''-'' ) {
 	for my $option ( split_list1 "\L$options",
''option'' ) {
-	    my $optval = $tosoptions{$option};
+	    my $priority;
+	    my $optval;
+
+	    ( $option, my $pri ) =  split /:/, $option, 2;
+
+	    if ( $option =~ /^tos=(.+)/ || ( $optval = $tosoptions{$option} ) ) {
+
+		if ( supplied $pri ) {
+		    $priority = validate_filter_priority( $pri, ''mark'' );
+		} else {
+		    fatal_error "Missing TOS priority" if $prio eq
''-'';
+		    $priority = ( $prio << 8 ) | 15;
+		}
 
 	    $option = "tos=$optval" if $optval;
+	    } elsif ( supplied $pri ) {
+		$option = join '':'', $option, $pri;
+	    }
 
 	    if ( $option eq ''default'' ) {
 		fatal_error "Only one default class may be specified for device
$device" if $devref->{default};
 		fatal_error "The $option option is not valid with ''occurs"
if $tcref->{occurs} > 1;
 		$devref->{default} = $classnumber;
-	    } elsif ( $option eq ''tcp-ack'' ) {
+	    } elsif ( $option =~ /tcp-ack(:(\d+|0x[0-0a-fA-F]))?$/ ) {
 		fatal_error "The $option option is not valid with ''occurs"
if $tcref->{occurs} > 1;
-		$tcref->{tcp_ack} = 1;
+		if ( $1 ) {
+		    $tcref->{tcp_ack} = validate_filter_priority( $2,
''tcp-ack'' );
+		} else {
+		    fatal_error "Missing tcp-ack priority" if $prio eq
''-'';
+		    $tcref->{tcp_ack} =  ( $prio << 8 ) | 10;
+		}
 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}$/ ) {
 		fatal_error "The $option option is not valid with ''occurs"
if $tcref->{occurs} > 1;
 		( undef, $option ) = split /=/, $option;
-		push @{$tcref->{tos}}, "$option/0xff";
+		push @{$tcref->{tos}}, "$option/0xff:$priority";
 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) {
 		fatal_error "The $option option is not valid with ''occurs"
if $tcref->{occurs} > 1;
 		( undef, $option ) = split /=/, $option;
-		push @{$tcref->{tos}}, $option;
+		push @{$tcref->{tos}}, "$option:$priority";
 	    } elsif ( $option =~ /^flow=(.*)$/ ) {
 		fatal_error "The ''flow'' option is not allowed with
''pfifo''" if $tcref->{pfifo};
 		fatal_error "The ''flow'' option is not allowed with
''red''"   if $tcref->{red};

I may be older than you, but I am not as stupid.
> No your''re not -- but you are prone to making strong statements
about
> things that you really know nothing about.
A bit like you then.
>> Also, you have used MARK - I don''t use that. May be that is
why I am
>> not getting any priorities set at all when I use HFSC?
> 
> That''s correct (and you don''t use
''tcp-ack'' or ''tos*'' options either).
Yes, I do.

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://ad.doubleclick.net/clk;258768047;13503038;j?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html

> You can use CBQ but Shorewall has no support for it. So you would need 
> to script the rules in /etc/shorewall/tcscript and set TC_ENABLED=Yes in 
> shorewall.conf.
''tcscript'' isn''t defined anywhere and there are no
man pages describing its function(s).

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://ad.doubleclick.net/clk;258768047;13503038;j?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html

On 9/20/12 3:32 PM, "Mr Dash Four" <mr.dash.four@googlemail.com>
wrote:
>>> You introduced this <class priority> << 8 | XX malarkey
with RC1,
>>> which was released a couple of hours ago. Your test results and the
>>> files you have attached in your previous post have used this
>>> not-yet-released RC1 version of shorewall!
>> 
>> As I stated in my previous post, the ''malarkey'' has
been in the
>> Shorewall code for almost 3 years.
>Oh yeah?
>
>--- shorewall-4.5.8-Beta3/shorewall/Perl/Shorewall/Tc.pm	2012-09-09
>21:20:41.000000000 +0100
>+++ shorewall-4.5.8-RC1/shorewall/Perl/Shorewall/Tc.pm	2012-09-13
>18:00:24.000000000 +0100
>@@ -1109,11 +1121,25 @@
> 
>     my $tcref = $tcclasses{$device};
> 
>+    if ( $devref->{qdisc} eq ''htb'' ) {
>+	fatal_error "Invalid PRIO ($prio)" unless defined numeric_value
$prio;
>+    }
>+
>     my $markval = 0;
>+    my $markprio;
> 
>     if ( $mark ne ''-'' ) {
> 	fatal_error "MARK may not be specified when TC_BITS=0" unless
>$config{TC_BITS};
> 
>+	( $mark, my $priority ) = split/:/, $mark, 2;
>+
>+	if ( supplied $priority ) {
>+	    $markprio = validate_filter_priority( $priority,
''mark'' );
>+	} else {
>+	    fatal_error "Missing mark priority" if $prio eq
''-'';
>+	    $markprio =  ( $prio << 8 ) | 20;
>+	}
>+
> 	$markval = numeric_value( $mark );
> 	fatal_error "Invalid MARK ($markval)" unless defined $markval;
> 
>@@ -1209,25 +1234,45 @@
> 
>     unless ( $options eq ''-'' ) {
> 	for my $option ( split_list1 "\L$options",
''option'' ) {
>-	    my $optval = $tosoptions{$option};
>+	    my $priority;
>+	    my $optval;
>+
>+	    ( $option, my $pri ) =  split /:/, $option, 2;
>+
>+	    if ( $option =~ /^tos=(.+)/ || ( $optval = $tosoptions{$option} ) )
>{
>+
>+		if ( supplied $pri ) {
>+		    $priority = validate_filter_priority( $pri, ''mark''
);
>+		} else {
>+		    fatal_error "Missing TOS priority" if $prio eq
''-'';
>+		    $priority = ( $prio << 8 ) | 15;
>+		}
> 
> 	    $option = "tos=$optval" if $optval;
>+	    } elsif ( supplied $pri ) {
>+		$option = join '':'', $option, $pri;
>+	    }
> 
> 	    if ( $option eq ''default'' ) {
> 		fatal_error "Only one default class may be specified for device
>$device" if $devref->{default};
> 		fatal_error "The $option option is not valid with
''occurs" if
>$tcref->{occurs} > 1;
> 		$devref->{default} = $classnumber;
>-	    } elsif ( $option eq ''tcp-ack'' ) {
>+	    } elsif ( $option =~ /tcp-ack(:(\d+|0x[0-0a-fA-F]))?$/ ) {
> 		fatal_error "The $option option is not valid with
''occurs" if
>$tcref->{occurs} > 1;
>-		$tcref->{tcp_ack} = 1;
>+		if ( $1 ) {
>+		    $tcref->{tcp_ack} = validate_filter_priority( $2,
''tcp-ack'' );
>+		} else {
>+		    fatal_error "Missing tcp-ack priority" if $prio eq
''-'';
>+		    $tcref->{tcp_ack} =  ( $prio << 8 ) | 10;
>+		}
> 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}$/ ) {
> 		fatal_error "The $option option is not valid with
''occurs" if
>$tcref->{occurs} > 1;
> 		( undef, $option ) = split /=/, $option;
>-		push @{$tcref->{tos}}, "$option/0xff";
>+		push @{$tcref->{tos}}, "$option/0xff:$priority";
> 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) {
> 		fatal_error "The $option option is not valid with
''occurs" if
>$tcref->{occurs} > 1;
> 		( undef, $option ) = split /=/, $option;
>-		push @{$tcref->{tos}}, $option;
>+		push @{$tcref->{tos}}, "$option:$priority";
> 	    } elsif ( $option =~ /^flow=(.*)$/ ) {
> 		fatal_error "The ''flow'' option is not allowed with
''pfifo''" if
>$tcref->{pfifo};
> 		fatal_error "The ''flow'' option is not allowed with
''red''"   if
>$tcref->{red};
>
>I may be older than you, but I am not as stupid.
My God, you are an arrogant jackass! You totally overlooked this bit and
then you call me stupid!

@ -1886,7 +1957,6 @@
 
                $classids{$classid}=$devname;
 
-               my $priority = $tcref->{priority} << 8;
                my $parent   = in_hexp $tcref->{parent};
 
                emit ( "[ \$${dev}_mtu -gt $quantum ] &&
quantum=\$${dev}_mtu || quantum=$quantum" );
@@ -1945,22 +2015,23 @@
                # add filters
                #
                unless ( $mark eq ''-'' ) {
-                   emit "run_tc filter add dev $device protocol all
parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw
classid $classid" if $tcref->{occurs} == 1;
+                   emit "run_tc filter add dev $device protocol all
parent $devicenumber:0 prio $tcref->{markprio} handle $mark fw classid
$classid" if $tcref->{occurs} == 1;
                }
 
                emit "run_tc filter add dev $device protocol all prio 1
parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor
1024" if $tcref->{flow};
                #
                # options
                #
-               emit( "run_tc filter add dev $device parent
$devicenumber:0 protocol ip prio " . ( $priority | 10 ) . ''
u32'' .
+               emit( "run_tc filter add dev $device parent
$devicenumber:0 protocol ip prio $tcref->{tcp_ack} u32" .
                      "\\\n    match ip protocol 6 0xff" .
                      "\\\n    match u8 0x05 0x0f at 0" .
                      "\\\n    match u16 0x0000 0xffc0 at 2" .
                      "\\\n    match u8 0x10 0xff at 33 flowid
$classid" )
if $tcref->{tcp_ack};
 
                for my $tospair ( @{$tcref->{tos}} ) {
+                   ( $tospair, my $priority ) = split /:/, $tospair;
                    my ( $tos, $mask ) = split q(/), $tospair;
-                   emit "run_tc filter add dev $device parent
$devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match
ip
tos $tos $mask flowid $classid";
+                   emit "run_tc filter add dev $device parent
$devicenumber:0 protocol ip prio $priority u32 match ip tos $tos $mask
flowid $classid";
                }
 
                save_progress_message_short qq("   TC Class $classid
defined.");


Take your business somewhere else. I''m finished listening to you.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://ad.doubleclick.net/clk;258768047;13503038;j?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html

>> I may be older than you, but I am not as stupid.
> 
> My God, you are an arrogant jackass! You totally overlooked this bit and
> then you call me stupid!
Fair enough - I must have missed it and I am a man enough to admit it and
apologise. That doesn''t excuse the above comment, though I am not the
one with anger management issues.
> Take your business somewhere else. I''m finished listening to you.
You are in no position to dictate where I should "take my business".
In case you haven''t noticed, shorewall isn''t my
"business". Fixing bugs, testing or otherwise making contribution to
your shorewall "products" isn''t what I do for living either,
not least because this activity is voluntary and I dedicate my free time to do
it, while I am not charging you, or anyone else, for these efforts.


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://ad.doubleclick.net/clk;258768047;13503038;j?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html

Hi "Mr Dash Four" and Shorewall,

I''ve been following this thread and I follow parts of shorewall-users
and shorewall-devel and as long as it''s okay with everyone,
I''d like to
voice some thoughts... I''m top posting this, because it
doesn''t really
belong in line anywhere...

Personally, I think shorewall is a brilliant product which I have been
using for well over 10 years I think, and my job as a sysadmin would be
infinitely harder without it. I know that Tom works on this as a
volunteer project in his spare time, so he deserves a lot of respect for
this, and all he asks is that you donate to the Alzheimer association.

So: "Mr Dash Four", I think you''re out of line here, and you
should
definitely show a lot more respect. Also, if you''re going to call out
Tom like this, then man up and do so using your real name. Personally,
I''d like to continue seeing you post on the mailing lists because I
assume that it is helping the progression of shorewall and hopefully it
will help it become an even better product, but not if you''re going to
be taking shots at our benevolent leader.

In life, I''m not always as diplomatic as I should be, but my rule of
thumb when talking on the internets is that I''m on someone elses turf
then I should try to be as nice as possible even when (if) the other guy
is at fault, and I don''t think in this scenario that this is on Tom,
I''ve seen you be a bit more rude than I would expect, especially when
you get a lot of of free support from Tom. If Tom tells you to take your
business elsewhere, you better either do it, or find a way to make
amends to him.

So, in other words to Mr Dash Four:
* thanks for reading
* chill the f*** out
* start posting with your real full name
* apologize to Tom
* and maybe donate some cash in his name to support Alzheimers:
http://www.shorewall.net/shorewall_index.htm#Donations

Sincerely,
James Shubin

On Mon, 2012-09-24 at 00:23 +0100, Mr Dash Four wrote:
> >> I may be older than you, but I am not as stupid.
> > 
> > My God, you are an arrogant jackass! You totally overlooked this bit
and
> > then you call me stupid!
> Fair enough - I must have missed it and I am a man enough to admit it and
apologise. That doesn''t excuse the above comment, though I am not the
one with anger management issues.
> 
> > Take your business somewhere else. I''m finished listening to
you.
> You are in no position to dictate where I should "take my
business". In case you haven''t noticed, shorewall isn''t
my "business". Fixing bugs, testing or otherwise making contribution
to your shorewall "products" isn''t what I do for living
either, not least because this activity is voluntary and I dedicate my free time
to do it, while I am not charging you, or anyone else, for these efforts.
> 
> 
>
------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://ad.doubleclick.net/clk;258768047;13503038;j?
> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-devel


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

I''d like to second James'' words. Mr Dash Four''s
behaviour on this towards
Tom is simply inexcusable.
On Sep 24, 2012 4:15 AM, "James" <purpleidea@gmail.com> wrote:
> Hi "Mr Dash Four" and Shorewall,
>
> I''ve been following this thread and I follow parts of
shorewall-users
> and shorewall-devel and as long as it''s okay with everyone,
I''d like to
> voice some thoughts... I''m top posting this, because it
doesn''t really
> belong in line anywhere...
>
> Personally, I think shorewall is a brilliant product which I have been
> using for well over 10 years I think, and my job as a sysadmin would be
> infinitely harder without it. I know that Tom works on this as a
> volunteer project in his spare time, so he deserves a lot of respect for
> this, and all he asks is that you donate to the Alzheimer association.
>
> So: "Mr Dash Four", I think you''re out of line here, and
you should
> definitely show a lot more respect. Also, if you''re going to call
out
> Tom like this, then man up and do so using your real name. Personally,
> I''d like to continue seeing you post on the mailing lists because
I
> assume that it is helping the progression of shorewall and hopefully it
> will help it become an even better product, but not if you''re
going to
> be taking shots at our benevolent leader.
>
> In life, I''m not always as diplomatic as I should be, but my rule
of
> thumb when talking on the internets is that I''m on someone elses
turf
> then I should try to be as nice as possible even when (if) the other guy
> is at fault, and I don''t think in this scenario that this is on
Tom,
> I''ve seen you be a bit more rude than I would expect, especially
when
> you get a lot of of free support from Tom. If Tom tells you to take your
> business elsewhere, you better either do it, or find a way to make
> amends to him.
>
> So, in other words to Mr Dash Four:
> * thanks for reading
> * chill the f*** out
> * start posting with your real full name
> * apologize to Tom
> * and maybe donate some cash in his name to support Alzheimers:
> http://www.shorewall.net/shorewall_index.htm#Donations
>
> Sincerely,
> James Shubin
>
> On Mon, 2012-09-24 at 00:23 +0100, Mr Dash Four wrote:
> > >> I may be older than you, but I am not as stupid.
> > >
> > > My God, you are an arrogant jackass! You totally overlooked this
bit
> and
> > > then you call me stupid!
> > Fair enough - I must have missed it and I am a man enough to admit it
> and apologise. That doesn''t excuse the above comment, though I am
not the
> one with anger management issues.
>
> >
> > > Take your business somewhere else. I''m finished
listening to you.
> > You are in no position to dictate where I should "take my
business". In
> case you haven''t noticed, shorewall isn''t my
"business". Fixing bugs,
> testing or otherwise making contribution to your shorewall
"products" isn''t
> what I do for living either, not least because this activity is voluntary
> and I dedicate my free time to do it, while I am not charging you, or
> anyone else, for these efforts.
> >
> >
> >
>
------------------------------------------------------------------------------
> > Everyone hates slow websites. So do we.
> > Make your web apps faster with AppDynamics
> > Download AppDynamics Lite for free today:
> > http://ad.doubleclick.net/clk;258768047;13503038;j?
> > http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> > _______________________________________________
> > Shorewall-devel mailing list
> > Shorewall-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/shorewall-devel
>
>
>
>
------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today''s security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-devel
>
>

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/