--On Monday, December 16, 2002 11:29:49 AM -0800 James Bland <jbland@TheComputerNuts.Com> wrote:

> I'm trying to set up bandwidth controls using shorewall tcrules and tcstart
> for both outbound and inbound connections. Everything seems to work fine
> while I do a simple bridge but as soon as I masq the connection from eth0
> to eth1 the tcrules file ignores my entries on inbound connections. But
> when I use the external address (eth0) as the tcrules mark everything
> works fine; the down side is that everything on the internal network is
> clumped into the same queue.
>

Is this ingress filtering you are doing inbound or something else?

> eth0 - 66.122.2.14
> eth1 - 192.168.1.1 - Internal Network
>
> tcrules won't identify any addresses in private space and mark them
> correctly on inbound packets. My hunch is that the mark is placed before
> masq is completed, so entries like "0.0.0.0/24 192.168.1.2" don't get
> marked but "0.0.0.0/24 66.122.2.14" works fine. Basically I would like
> the private address space to work since I would like to control bandwidth
> downloads on a per-PC basis. At the same time I don't want to break the
> settings on outbound traffic since that seems to work.
>
> I'm queuing outbound traffic on eth0 and inbound traffic on eth1.

Do you mean that you have defined outbound traffic control rules on eth1 as well as on eth0? If so, what is the point? Is your internet connection so fast that you have to worry about incoming packet queues building up in your firewall/router?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
--On Monday, December 16, 2002 11:29:49 AM -0800 James Bland <jbland@TheComputerNuts.Com> wrote:

> Basically I would like
> the private address space to work since I would like to control bandwidth
> downloads on a per-PC basis.

Ah -- I see; missed that the first time. You will have to code your own packet marking rules in the FORWARD or OUTPUT mangle chains or use a different classifier such as u32 for incoming packets.

Originally, the 'mangle' table only supported the PREROUTING standard chain, so that is where Shorewall marks packets as specified in the tcrules file. As you guessed, the PREROUTING mangle chain is the first chain traversed when packets enter the system, before any address rewriting takes place.

Later versions of NetFilter implement all of the standard chains in the mangle table, but I haven't extended tcrules to take advantage of that enhancement and I probably won't; if I add any additional packet marking capability, it will probably be as an extension of the rules file syntax, something like:

MARK:2 loc:192.168.1.4 net ....

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
I'm trying to set up bandwidth controls using shorewall tcrules and tcstart for both outbound and inbound connections. Everything seems to work fine while I do a simple bridge, but as soon as I masq the connection from eth0 to eth1 the tcrules file ignores my entries on inbound connections. But when I use the external address (eth0) as the tcrules mark everything works fine; the down side is that everything on the internal network is clumped into the same queue.

eth0 - 66.122.2.14
eth1 - 192.168.1.1 - Internal Network

tcrules won't identify any addresses in private space and mark them correctly on inbound packets. My hunch is that the mark is placed before masq is completed, so entries like "0.0.0.0/24 192.168.1.2" don't get marked but "0.0.0.0/24 66.122.2.14" works fine. Basically I would like the private address space to work since I would like to control bandwidth downloads on a per-PC basis. At the same time I don't want to break the settings on outbound traffic since that seems to work.

I'm queuing outbound traffic on eth0 and inbound traffic on eth1.

-James
--On Monday, December 16, 2002 11:00:57 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>
> Later versions of NetFilter implement all of the standard chains in the
> mangle table but I haven't extended tcrules to take advantage of that
> enhancement and I probably won't; if I add any additional packet marking
> capability, it will probably be as an extension of the rules file syntax;
> something like:
>
> MARK:2 loc:192.168.1.4 net ....
>

As a stop-gap, I have implemented a MARK_IN_FORWARD_CHAIN option in shorewall.conf. I've tested it lightly and it seems to work ok. That code is in the 'Shorewall' (Development) CVS branch. You will need 1.3.11a installed, then install the 'firewall' and 'functions' files from CVS (they both go in /usr/lib/shorewall). Add MARK_IN_FORWARD_CHAIN=Yes to your shorewall.conf.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
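The hand-coded alternative Tom describes (marking in the mangle FORWARD chain, after the reply has been un-NATed, and queuing on eth1), written out as an added example that is not part of this thread or of Shorewall itself. The interface names, host table, marks and rates are assumed; the script only prints the iptables and tc commands so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Constructed example: per-PC inbound shaping on a masquerading router by
# marking in the mangle FORWARD chain instead of PREROUTING, as the thread
# describes.  Interface names, addresses, marks and rates are assumed.
# Usage: sh shape.sh | sh      (prints the commands; pipe to sh to apply)
EXT_IF=eth0        # internet side (66.122.2.14 in the thread)
INT_IF=eth1        # LAN side; inbound traffic is queued on its egress
CEIL=1500kbit      # assumed downstream link rate

# Inbound replies enter eth0 with dst = the external address.  mangle
# PREROUTING runs before conntrack un-NATs the reply, so "-d 192.168.1.2"
# can never match there.  mangle FORWARD runs after de-NAT and sees the
# private destination, so the mark is placed there instead.
mark_rule() {   # $1 = internal IP, $2 = fwmark
    printf 'iptables -t mangle -A FORWARD -i %s -o %s -d %s -j MARK --set-mark %s\n' \
        "$EXT_IF" "$INT_IF" "$1" "$2"
}

# HTB leaf class plus an fw filter that steers packets carrying mark $1
# into class 1:$1 on the LAN interface.
class_rules() { # $1 = fwmark (also the class minor id), $2 = guaranteed rate
    printf 'tc class add dev %s parent 1:1 classid 1:%s htb rate %s ceil %s\n' \
        "$INT_IF" "$1" "$2" "$CEIL"
    printf 'tc filter add dev %s parent 1: protocol ip prio 1 handle %s fw classid 1:%s\n' \
        "$INT_IF" "$1" "$1"
}

# Emit the whole configuration for a table of "ip mark rate" lines on stdin.
generate() {
    echo "iptables -t mangle -F FORWARD"
    echo "tc qdisc del dev $INT_IF root 2>/dev/null"
    echo "tc qdisc add dev $INT_IF root handle 1: htb default 99"
    echo "tc class add dev $INT_IF parent 1: classid 1:1 htb rate $CEIL"
    echo "tc class add dev $INT_IF parent 1:1 classid 1:99 htb rate 64kbit ceil $CEIL"
    while read -r ip mark rate; do
        mark_rule "$ip" "$mark"
        class_rules "$mark" "$rate"
    done
}

# Constructed host table: internal IP, fwmark, guaranteed downstream rate.
generate <<EOF
192.168.1.2 2 512kbit
192.168.1.3 3 256kbit
EOF
```

Hosts not listed in the table fall into the default class 1:99; outbound shaping on eth0 is untouched, so the existing tcrules entries keyed on the external address keep working.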