Hello,

I'm currently trying to set up Traffic Shaping with Shorewall and I have strong feelings that I found a bug. I may be mistaken, but I tried everything and can't get it to work.

I've turned on TC_ENABLED=Yes and CLEAR_TC=Yes. When I start Shorewall (shorewall start), I get this message:
Setting up Traffic Control Rules...
TC Rule "2 eth1 0.0.0.0/0 tcp 80 " added
iptables v1.2.9: unknown protocol `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
Processing /etc/shorewall/stop .
My tcrules file is as simple as:

#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
2 eth1 0.0.0.0/0 tcp 80
As a result, I tried to get more information using the "shorewall start debug 2> file" command. Here's what I got:
+ run_iptables2 -t mangle -A tcfor -p -j MARK --set-mark 'PORT(S)'
+ '[' 'x-t mangle -A tcfor -p -j MARK --set-mark PORT(S)' = 'x-t mangle -A tcfor -p -j MARK --set-mark PORT(S)' ']'
+ run_iptables -t mangle -A tcfor -p -j MARK --set-mark 'PORT(S)'
+ '[' -n '' ']'
+ iptables -t mangle -A tcfor -p -j MARK --set-mark 'PORT(S)'
iptables v1.2.9: unknown protocol `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
+ '[' -z '' ']'
+ stop_firewall
What I understand here is that Shorewall doesn't write the "tcp" protocol after the -p option. Am I right? Is there a quick fix for that?
Here is some information about my system:
shorewall version
2.0.8
ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: shaper0: <> mtu 1500 qdisc noop qlen 10
link/ether
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:fc:6c:fb:84 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
inet6 fe80::250:fcff:fe6c:fb84/64 scope link
valid_lft forever preferred_lft forever
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:fc:4d:68:ad brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
inet6 fe80::250:fcff:fe4d:68ad/64 scope link
valid_lft forever preferred_lft forever
5: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
link/void
6: tunl0: <NOARP> mtu 1480 qdisc noop
link/ipip 0.0.0.0 brd 0.0.0.0
7: gre0: <NOARP> mtu 1476 qdisc noop
link/gre 0.0.0.0 brd 0.0.0.0
8: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
9: ip6tnl0: <NOARP> mtu 1460 qdisc noop
link/tunnel6 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
23: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
link/ppp
inet 81.56.195.25 peer 192.168.254.254/32 scope global ppp0
ip route show
192.168.254.254 dev ppp0 proto kernel scope link src 81.56.195.25
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
default via 192.168.254.254 dev ppp0
tc -V
tc utility, iproute2-ss010824
iptables -V
iptables v1.2.9
uname -a
Linux zaibe 2.6.8 #4 Wed Sep 1 15:41:29 CEST 2004 i686 GNU/Linux
On Thursday 02 September 2004 08:42, Florent wrote:

> What I understand here is that shorewall doesn't write the "tcp" protocol
> after the -p option. Am I right ? Is there a quick-fix for that ?

I'm sorry -- I can't reproduce the problem here. Please send me the full trace.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Okay, thanks for your answer. Here is the full trace from the debug file, from tc_rule to END; I think the first lines are not useful.

process_tc_rule
+ chain=tcfor
+ '[' 2 '!=' 2 ']'
++ separate_list eth1
++ local list
++ local part
++ local newlist
++ list=eth1
++ part=eth1
++ newlist=eth1
++ '[' xeth1 '!=' xeth1 ']'
++ echo eth1
++ separate_list 0.0.0.0/0
++ local list
++ local part
++ local newlist
++ list=0.0.0.0/0
++ part=0.0.0.0/0
++ newlist=0.0.0.0/0
++ '[' x0.0.0.0/0 '!=' x0.0.0.0/0 ']'
++ echo 0.0.0.0/0
++ separate_list 80
++ local list
++ local part
++ local newlist
++ list=80
++ part=80
++ newlist=80
++ '[' x80 '!=' x80 ']'
++ echo 80
++ separate_list -
++ local list
++ local part
++ local newlist
++ list=-
++ part=-
++ newlist=-
++ '[' x- '!=' x- ']'
++ echo -
+ add_a_tc_rule
+ r=
+ '[' xeth1 '!=' x- ']'
+ verify_interface eth1
+ known_interface eth1
+ local iface
+ if_match ppp0 eth1
+ local pattern=ppp0
+ test xppp0 = xeth1
+ if_match eth1 eth1
+ local pattern=eth1
+ test xeth1 = xeth1
+ return 0
++ match_source_dev
++ '[' -n '' ']'
++ echo -i
+ r=-i eth1
+ '[' x- '!=' x- ']'
+ '[' x0.0.0.0/0 = x- ']'
+ r=-i eth1 -d 0.0.0.0/0
+ '[' tcp = all ']'
+ r=-i eth1 -d 0.0.0.0/0 -p tcp
+ '[' x80 = x- ']'
+ r=-i eth1 -d 0.0.0.0/0 -p tcp --dport 80
+ '[' x- = x- ']'
+ run_iptables2 -t mangle -A tcfor -i eth1 -d 0.0.0.0/0 -p tcp --dport 80 -j MARK --set-mark 2
+ '[' 'x-t mangle -A tcfor -i eth1 -d 0.0.0.0/0 -p tcp --dport 80 -j MARK --set-mark 2' = 'x-t mangle -A tcfor -i eth1 -d 0.0.0.0/0 -p tcp --dport 80 -j MARK --set-mark 2' ']'
+ run_iptables -t mangle -A tcfor -i eth1 -d 0.0.0.0/0 -p tcp --dport 80 -j MARK --set-mark 2
+ '[' -n '' ']'
+ iptables -t mangle -A tcfor -i eth1 -d 0.0.0.0/0 -p tcp --dport 80 -j MARK --set-mark 2
+ return
+ progress_message ' TC Rule "2 eth1 0.0.0.0/0 tcp 80 " added'
+ '[' -n '' ']'
+ echo ' TC Rule "2 eth1 0.0.0.0/0 tcp 80 " added'
+ read mark sources dests proto ports sports user
+ expandv mark sources dests proto ports sports user
+ local varval
+ '[' 7 -gt 0 ']'
+ eval 'varval=$mark'
++ varval=PORT(S)
+ eval 'mark="PORT(S)"'
++ mark=PORT(S)
+ shift
+ '[' 6 -gt 0 ']'
+ eval 'varval=$sources'
++ varval=
+ eval 'sources=""'
++ sources=
+ shift
+ '[' 5 -gt 0 ']'
+ eval 'varval=$dests'
++ varval=
+ eval 'dests=""'
++ dests=
+ shift
+ '[' 4 -gt 0 ']'
+ eval 'varval=$proto'
++ varval=
+ eval 'proto=""'
++ proto=
+ shift
+ '[' 3 -gt 0 ']'
+ eval 'varval=$ports'
++ varval=
+ eval 'ports=""'
++ ports=
+ shift
+ '[' 2 -gt 0 ']'
+ eval 'varval=$sports'
++ varval=
+ eval 'sports=""'
++ sports=
+ shift
+ '[' 1 -gt 0 ']'
+ eval 'varval=$user'
++ varval=
+ eval 'user=""'
++ user=
+ shift
+ '[' 0 -gt 0 ']'
++ echo 'PORT(S) '
+ rule=PORT(S)
+ process_tc_rule
+ chain=tcfor
+ '[' 'PORT(S)' '!=' 'PORT(S)' ']'
++ separate_list -
++ local list
++ local part
++ local newlist
++ list=-
++ part=-
++ newlist=-
++ '[' x- '!=' x- ']'
++ echo -
++ separate_list -
++ local list
++ local part
++ local newlist
++ list=-
++ part=-
++ newlist=-
++ '[' x- '!=' x- ']'
++ echo -
++ separate_list -
++ local list
++ local part
++ local newlist
++ list=-
++ part=-
++ newlist=-
++ '[' x- '!=' x- ']'
++ echo -
++ separate_list -
++ local list
++ local part
++ local newlist
++ list=-
++ part=-
++ newlist=-
++ '[' x- '!=' x- ']'
++ echo -
+ add_a_tc_rule
+ r=
+ '[' x- '!=' x- ']'
+ '[' x- '!=' x- ']'
+ '[' x- = x- ']'
+ '[' '' = all ']'
+ r=-p
+ '[' x- = x- ']'
+ '[' x- = x- ']'
+ run_iptables2 -t mangle -A tcfor -p -j MARK --set-mark 'PORT(S)'
+ '[' 'x-t mangle -A tcfor -p -j MARK --set-mark PORT(S)' = 'x-t mangle -A tcfor -p -j MARK --set-mark PORT(S)' ']'
+ run_iptables -t mangle -A tcfor -p -j MARK --set-mark 'PORT(S)'
+ '[' -n '' ']'
+ iptables -t mangle -A tcfor -p -j MARK --set-mark 'PORT(S)'
iptables v1.2.9: unknown protocol `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
+ '[' -z '' ']'
+ stop_firewall
+ '[' -n /var/lib/shorewall/shorewall.Kw9tYf ']'
+ rm -f /var/lib/shorewall/shorewall.Kw9tYf
+ set +x

My tcrules:

##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
2 eth1 0.0.0.0/0 tcp 80
PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
On Thursday 02 September 2004 09:43, Florent wrote:

> my tcrules
>
> PORT(S)

Get rid of the above line in your file:

> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

It turns out that there *is* a bug in the code as well -- if the PROTO column isn't specified or is specified as "all" then an error occurs. I've attached a patch against 2.0.8.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
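The rule-building step visible in the trace, rewritten here as an added example (not Shorewall's own code or Tom's patch) so that both failure modes in this thread are handled: "-p" is emitted only when PROTO is a real protocol, not "-", "all" or empty, and a non-numeric MARK such as the stray "PORT(S)" line is rejected before it reaches iptables. The function names, the simplified SOURCE handling and the sample tcrules file are assumptions constructed for the example.

```shell
# Example for this thread, not Shorewall code: builds the iptables argument list
# for one tcrules line (MARK SOURCE DEST PROTO PORT(S)) with the PROTO bug fixed.
build_tc_rule() {
    mark=$1 source=$2 dest=$3 proto=$4 ports=$5
    r="-t mangle -A tcfor"
    # MARK must be a number; the stray "PORT(S)" line from the thread is rejected
    # here instead of being passed to iptables as --set-mark 'PORT(S)'.
    case $mark in
        ''|*[!0-9]*) echo "tcrules: invalid MARK '$mark'" >&2; return 1 ;;
    esac
    # Simplified SOURCE handling (assumption): an address gets -s, else -i <interface>.
    case $source in
        -|'') ;;
        *.*) r="$r -s $source" ;;
        *) r="$r -i $source" ;;
    esac
    [ "$dest" = - ] || [ -z "$dest" ] || r="$r -d $dest"
    # The fix: "-", "all" or an empty PROTO means no -p at all. The 2.0.8 trace shows
    # "-p" appended with nothing after it, so iptables read "-j" as the protocol name.
    case $proto in
        -|all|'') proto= ;;
        *) r="$r -p $proto" ;;
    esac
    if [ "$ports" != - ] && [ -n "$ports" ]; then
        [ -n "$proto" ] || { echo "tcrules: PORT(S) '$ports' given without PROTO" >&2; return 1; }
        r="$r --dport $ports"
    fi
    echo "$r -j MARK --set-mark $mark"
}

# Reads a tcrules file on stdin, skipping comments and blank lines, and prints one
# iptables argument list per valid entry; bad entries are reported on stderr and skipped.
process_tcrules() {
    grep -v '^[[:space:]]*#' | while read -r mark source dest proto ports rest; do
        [ -n "$mark" ] || continue
        build_tc_rule "$mark" "$source" "$dest" "$proto" "$ports" || true
    done
}

# Constructed sample reproducing the file from the thread, including the stray PORT(S) line.
sample_tcrules() {
    cat <<'EOF'
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
2 eth1 0.0.0.0/0 tcp 80
3 eth1 0.0.0.0/0 - -
PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
}
```

Running "sample_tcrules | process_tcrules" prints the argument lists for marks 2 and 3 and reports the PORT(S) line instead of aborting the whole start.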