Hello,

I realize my question isn't directly related to the shorewall features, but I'm hoping for an answer from more experienced iptables users:

I want to use the iptables-p2p kernel module on my shorewall-1.4.8-1 not to block p2p traffic, but to limit it to some value.

If I were to block it I would just add this line in my /etc/shorewall/start:

    iptables -I FORWARD -m p2p --p2p all -j REJECT

Is there any way to integrate the above module with tcrules? Would it be enough to just set something like -j MARK --set-mark 0x1 in the above rule?

10x,
Marius
Marius Stan wrote:
> Hello,
>
> I realize my question isn't directly related to the shorewall
> features, but I'm hoping for an answer from more experienced iptables
> users:
>
> I want to use the iptables-p2p kernel module on my shorewall-1.4.8-1 not
> to block p2p traffic, but to limit it to some value.
>
> If I were to block it I would just add this line in my
> /etc/shorewall/start:
> iptables -I FORWARD -m p2p --p2p all -j REJECT
>
> Is there any way to integrate the above module with tcrules? Would it
> be enough to just set something like -j MARK --set-mark 0x1 in the
> above rule?

You will need to include "-t mangle" -- you can only mark packets in the mangle table.

In addition to the "-j MARK...", you might want to add "-i <internal IF> -o <external IF>" so that you are only marking loc->net traffic.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
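The two points in Tom's reply (mark in the mangle table, and restrict the rule to internal-in / external-out so only loc->net traffic is marked) only do something once a tc filter on the external interface actually selects by that mark. The script below is an added example, not code from the thread or from Shorewall: it builds the mangle MARK rule plus an HTB class tree and an fw filter that throttles marked traffic. Interface names (eth1 internal, eth0 external), the link rates, the 0x1 mark and the availability of the iptables-p2p match (-m p2p --p2p all, as in the original question) are all assumptions. By default it only prints the commands; run it as root with RUN="" to execute them.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): mark loc->net P2P
# traffic in the mangle table and rate-limit it with HTB on the external IF.
# Assumptions (mine): eth1 = internal IF, eth0 = external IF, 1000 kbit uplink,
# P2P guaranteed 128 kbit and allowed to borrow up to 256 kbit, mark 0x1,
# and the iptables-p2p match module (-m p2p) loaded as in the question.
# RUN defaults to "echo" so the script is safe to run anywhere; set RUN="" to
# execute the commands for real (requires root, iptables and tc).
RUN="${RUN-echo}"

INT_IF="${INT_IF:-eth1}"
EXT_IF="${EXT_IF:-eth0}"
P2P_MARK="${P2P_MARK:-0x1}"
UPLINK_KBIT="${UPLINK_KBIT:-1000}"
P2P_KBIT="${P2P_KBIT:-128}"
P2P_CEIL_KBIT="${P2P_CEIL_KBIT:-256}"
# Whatever is not P2P gets the remainder of the uplink as its guaranteed rate.
DEFAULT_KBIT=$((UPLINK_KBIT - P2P_KBIT))

# The MARK target is only valid in the mangle table, so "-t mangle" is
# mandatory. "-i INT_IF -o EXT_IF" limits marking to forwarded loc->net
# packets; traffic coming in from the Internet towards the LAN is untouched.
p2p_mark_rule() {
    printf 'iptables -t mangle -A FORWARD -i %s -o %s -m p2p --p2p all -j MARK --set-mark %s\n' \
        "$INT_IF" "$EXT_IF" "$P2P_MARK"
}

# HTB tree on the external interface: class 1:10 carries marked P2P traffic,
# class 1:20 is the default for everything else. The "fw" filter matches on
# the firewall mark set by the mangle rule above; without it the mark is inert.
p2p_tc_rules() {
    cat <<EOF
tc qdisc add dev $EXT_IF root handle 1: htb default 20
tc class add dev $EXT_IF parent 1: classid 1:1 htb rate ${UPLINK_KBIT}kbit
tc class add dev $EXT_IF parent 1:1 classid 1:10 htb rate ${P2P_KBIT}kbit ceil ${P2P_CEIL_KBIT}kbit prio 2
tc class add dev $EXT_IF parent 1:1 classid 1:20 htb rate ${DEFAULT_KBIT}kbit ceil ${UPLINK_KBIT}kbit prio 1
tc filter add dev $EXT_IF parent 1: protocol ip prio 1 handle $P2P_MARK fw classid 1:10
EOF
}

# Apply (or, with RUN=echo, print) the whole set. The qdisc is deleted first
# so the script can be re-run; the delete fails harmlessly when none exists.
apply_p2p_shaping() {
    $RUN tc qdisc del dev "$EXT_IF" root 2>/dev/null || true
    { p2p_mark_rule; p2p_tc_rules; } | while IFS= read -r cmd; do
        $RUN $cmd
    done
}

apply_p2p_shaping
```

Two caveats a practitioner will want: the rule is appended (-A) to mangle FORWARD rather than inserted, so it does not jump ahead of anything Shorewall already put there, and the p2p match is a payload-pattern heuristic, so any false positive is throttled to the P2P class rather than dropped; that is the main reason to prefer shaping over REJECT here, and it is also why the class should keep a non-trivial ceil.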
On Thu, 2004-06-03 at 15:27, Marius Stan wrote:
> Hello,
>
> I realize my question isn't directly related to the shorewall
> features, but I'm hoping for an answer from more experienced iptables users:
>
> I want to use the iptables-p2p kernel module on my shorewall-1.4.8-1 not
> to block p2p traffic, but to limit it to some value.
>
> If I were to block it I would just add this line in my /etc/shorewall/start:
> iptables -I FORWARD -m p2p --p2p all -j REJECT
>
> Is there any way to integrate the above module with tcrules? Would it
> be enough to just set something like -j MARK --set-mark 0x1 in the
> above rule?

I don't know about using the iptables-p2p module, but if you're looking for integrating with tcrules and you only want to "limit" it, take a look at this:

http://my-opensource.org/howto/qostrafficshaping-shorewall-wondershaper-howto.html

--