Shorewall users - Mar 2006 - Traffic shaping - prob during loading (RNETLINK Operation Not Supported)

The error message then continues to say: 

We have an error talking to the kernel

Information:
Gentoo Box
Shorewall 3.0.4 & 3.0.5(tested)
Network Cards tested - Broadcomm Gbit, Intel Ether 100, 3COM 3c90x
Kernel 2.6.15

tcdevices are as per the Example on shorewall''s site. Nothing Fancy.

tcdevices
eth1	300kbit		100kbit

tcclasses
eth1	10	full	full	1	tcp-ack,default

tcrules
1:P	0.0.0.0./0	0.0.0.0/0	icmp	icmp-request

Things work fine when i use the older wondershaper rules I was using
prior to trying this new one. Executing it did not leave any errors.

My old tcstart file

 # sh -x tcstart
+ DOWNLINK=250
+ UPLINK=250
+ DEV=eth2
+ ''['' '''' = status '']''
+ tc qdisc del dev eth2 root
+ tc qdisc del dev eth2 ingress
+ ''['' '''' = stop '']''
+ tc qdisc add dev eth2 root handle 1: htb default 30
+ tc class add dev eth2 parent 1: classid 1:1 htb rate 250kbit burst 30k
+ tc class add dev eth2 parent 1:1 classid 1:10 htb rate 250kbit burst
30k prio 0
+ tc class add dev eth2 parent 1:1 classid 1:20 htb rate 225kbit burst
30k prio 1
+ tc class add dev eth2 parent 1:1 classid 1:25 htb rate 150kbit ceil
225kbit burst 30k prio 2
+ tc class add dev eth2 parent 1:1 classid 1:30 htb rate 25kbit ceil
150kbit burst 30k prio 3
+ tc qdisc add dev eth2 parent 1:10 handle 10: sfq perturb 10
+ tc qdisc add dev eth2 parent 1:20 handle 20: sfq perturb 10
+ tc qdisc add dev eth2 parent 1:25 handle 25: sfq perturb 10
+ tc qdisc add dev eth2 parent 1:30 handle 30: sfq perturb 10
+ tc filter add dev eth2 parent 1:0 protocol ip prio 10 u32 match ip tos
0x10 0xff flowid 1:10
+ tc filter add dev eth2 parent 1:0 protocol ip prio 10 u32 match ip
protocol 1 0xff flowid 1:10
+ tc filter add dev eth2 parent 1: protocol ip prio 10 u32 match ip
protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2
match u8 0x10 0xff at 33 flowid 1:10
+ tc filter add dev eth2 parent 1: protocol ip prio 0 handle 2 fw
classid 1:20
+ tc filter add dev eth2 parent 1: protocol ip prio 0 handle 3 fw
classid 1:25
+ tc filter add dev eth2 parent 1: protocol ip prio 0 handle 4 fw
classid 1:25
+ tc filter add dev eth2 parent 1: protocol ip prio 3 handle 1 fw
classid 1:30


-- 
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
98% Microsoft(tm) Free!! 
Neuromancer 20:37:57 up 4 days, 22:40, 4 users, load average: 0.55,
0.65, 0.37 




-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Ow Mun Heng escribió:
> The error message then continues to say: 
> 
> We have an error talking to the kernel
> 
> Information:
> Gentoo Box
> Shorewall 3.0.4 & 3.0.5(tested)
> Network Cards tested - Broadcomm Gbit, Intel Ether 100, 3COM 3c90x
> Kernel 2.6.15
> 
> tcdevices are as per the Example on shorewall''s site. Nothing
Fancy.
> 
> tcdevices
> eth1	300kbit		100kbit
> 
> tcclasses
> eth1	10	full	full	1	tcp-ack,default
> 
> tcrules
> 1:P	0.0.0.0./0	0.0.0.0/0	icmp	icmp-request
> 
> Things work fine when i use the older wondershaper rules I was using
> prior to trying this new one. Executing it did not leave any errors.
> 
> My old tcstart file
> 
Come on folks, please alaborate your questions correctly, providing the
adecuate and necessary information.

There was 2 questions today, both totally annoying, with no relevant
information and no clue about the problem.

This kind of questions, only helps to filling people''s mailbox quota.

On Tue, 2006-03-21 at 22:35 -0400, Cristian Rodriguez
wrote:
> Ow Mun Heng escribió:
> > The error message then continues to say: 
> > 
> > We have an error talking to the kernel
> Come on folks, please alaborate your questions correctly, providing the
> adecuate and necessary information.
> 
I have provided all the information. That''s what''s spitted out
in the
both the error logs and the stdout error.

[stdout]
/etc/init.d/shorewall restart
 * Restarting firewall ...
RTNETLINK answers: Operation not supported
We have an error talking to the kernel
/etc/init.d/shorewall: line 26: 28136
Terminated              /sbin/shorewall restart >/dev/null        [ !! ]
[/stdout]

[logs]
Ingress scheduler: Classifier actions prefered over netfilter
u32 classifier
Perfomance counters on
logger: Shorewall Stopped
[/logs]

shorewall debug start 2>/tmp/trace

[...snip...]
+ ensure_and_save_command tc filter add dev eth0 parent ffff: protocol
ip prio 50 u32 match ip src 0.0.0.0/0 police rate 380kbit burst 10k drop
flowid :1
+ eval tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match
ip src 0.0.0.0/0 police rate 380kbit burst 10k drop flowid :1
++ tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip
src 0.0.0.0/0 police rate 380kbit burst 10k drop flowid :1
RTNETLINK answers: Operation not supported
We have an error talking to the kernel

[....]


u32 classifier prob?

My old tcstart script does not limit ingress.

#tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip
src 0.0.0.0/0 police rate 380kbit burst 10k drop flowid :1
RTNETLINK answers: Invalid argument
We have an error talking to the kernel

$ grep -i u32 /usr/src/linux/.config 
CONFIG_NET_CLS_U32=m
CONFIG_CLS_U32_PERF=y
# CONFIG_CLS_U32_MARK is not set

$grep -i ingres /usr/src/linux/.config
CONFIG_NET_SCH_INGRESS=m

$grep -i netfilter /usr/src/linux/.config
CONFIG_NETFILTER=y


$ lsmod | grep -i u32
cls_u32                 6020  0 



> There was 2 questions today, both totally annoying, with no relevant
> information and no clue about the problem.
The only clue was the error shorewall spitted out. Other than that it''s
fine. (although I admit that I didn''t find out it _might_ be u32
related
until just now because I kept looking at the "netfilter preferred"
line
and finding nothing on google)




-- 
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
98% Microsoft(tm) Free!! 
Neuromancer 10:54:31 up 2 days, 2:18, 6 users, load average: 3.11, 1.20,
0.80 




-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Ow Mun Heng escribió:
> I have provided all the information. That''s what''s
spitted out in the
> both the error logs and the stdout error.
> 
> [stdout]
> /etc/init.d/shorewall restart
>  * Restarting firewall ...
> RTNETLINK answers: Operation not supported
> We have an error talking to the kernel
> /etc/init.d/shorewall: line 26: 28136
> Terminated              /sbin/shorewall restart >/dev/null        [ !! ]
> [/stdout]
that tells me you haven''t read the manual ¡¡¡

we do not support, nor document the usage of distro init scripts. to get
a real clue what kind of problem is really happening, you must use the
documented way  /sbin/shorewall restart

and if it crashes , send the RELEVANT informating asked many times here :
http://www.shorewall.net/support.htm#id2498116

section "If your problem is that an error occurs when you try to
“shorewall start”"

Otherwise, Sorry to say, we will ingore your posts.

On Tuesday 21 March 2006 19:11, Cristian Rodriguez
wrote:
> Ow Mun Heng escribió:
> > I have provided all the information. That''s what''s
spitted out in the
> > both the error logs and the stdout error.
> >
> > [stdout]
> > /etc/init.d/shorewall restart
> >  * Restarting firewall ...
> > RTNETLINK answers: Operation not supported
> > We have an error talking to the kernel
> > /etc/init.d/shorewall: line 26: 28136
> > Terminated              /sbin/shorewall restart >/dev/null        [
!! ]
> > [/stdout]
>
> that tells me you haven''t read the manual ¡¡¡
>
> we do not support, nor document the usage of distro init scripts. to get
> a real clue what kind of problem is really happening, you must use the
> documented way  /sbin/shorewall restart
>
> and if it crashes , send the RELEVANT informating asked many times here :
> http://www.shorewall.net/support.htm#id2498116
>
> section "If your problem is that an error occurs when you try to
> “shorewall start”"
>
> Otherwise, Sorry to say, we will ingore your posts.
I''m afraid that I have to agree with Cristian. We document the
procedure for
gathering and reporting information about Shorewall problems. When people 
don''t follow that procedure, we have to spend more of our free time
trying to
understand what your problem really is -- after 6-7 years of doing that, it 
really does get annoying.

So -- please follow the instructions that Cristian has referred you to. We 
aren''t trying to be difficult -- but remember: there are thousands of
you
Shorewall users and only a few of us trying to help you. We really appreciate 
your cooperation.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On Tue, 2006-03-21 at 23:11 -0400, Cristian Rodriguez
wrote:
> Ow Mun Heng escribió:
> and if it crashes , send the RELEVANT informating asked many times here :
> http://www.shorewall.net/support.htm#id2498116
 Attached is a minimal one w/ traffic shaping rules only.

My guess is that it''s not a _really_ shorewall related, but U32 related
somehow.

even running the tc command for ingress filtering on the cli kills it.

Would appreciate some insight into this if possible.
My kernel config mimics that at ->
http://www.shorewall.net/traffic_shaping.htm


iproute2 version 2.6.11.20050310-r1
iptables version 1.3.4
> Tom Eastep wrote:
> there are thousands of you 
> Shorewall users and only a few of us trying to help you. We really
> appreciate your cooperation.
I understand completely and I truly appreciate it. I initially didn''t
want to send it for privacy concerns. But I''ve taken out nearly all the
non-traffic shaping rules since it seems (to me) that it''s the ingress
traffic shaping problem which is making shorewall bork.

So, in essense, I do really think it''s not shorewall related but
something else to do with the netfilter/u32 code.



-- 
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
98% Microsoft(tm) Free!! 
Neuromancer 11:36:35 up 2 days, 3:00, 7 users, load average: 1.22, 0.94,
0.68

On Tue, 2006-03-21 at 19:36 -0800, Tom Eastep wrote:
> So -- please follow the instructions that Cristian has referred you to. We 
> aren''t trying to be difficult -- but remember: there are thousands
of you
> Shorewall users and only a few of us trying to help you. We really
appreciate
> your cooperation.
I''ve sent the trace. but It''s too big it seems to get through
to the
mail list. (awaiting moderator approval)


-- 
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
98% Microsoft(tm) Free!! 
Neuromancer 16:33:57 up 2 days, 7:57, 7 users, load average: 1.33, 1.29,
0.99 




-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Ow Mun Heng wrote:
> On Tue, 2006-03-21 at 19:36 -0800, Tom Eastep wrote:
>
>   
>> So -- please follow the instructions that Cristian has referred you to.
We
>> aren''t trying to be difficult -- but remember: there are
thousands of you
>> Shorewall users and only a few of us trying to help you. We really
appreciate
>> your cooperation.
>>     
>
> I''ve sent the trace. but It''s too big it seems to get
through to the
> mail list. (awaiting moderator approval)
>
>
>   
gzip it.  More hand holding. ;)

-- 
Ray Booysen
rj_booysen@rjb.za.net




-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

On Wed, 2006-03-22 at 09:38 +0000, Ray Booysen wrote:
> Ow Mun Heng wrote:
> > On Tue, 2006-03-21 at 19:36 -0800, Tom Eastep wrote:
> >
> >   
> >> So -- please follow the instructions that Cristian has referred
you to. We
> >> aren''t trying to be difficult -- but remember: there are
thousands of you
> >> Shorewall users and only a few of us trying to help you. We really
appreciate
> >> your cooperation.
> >>     
> >
> > I''ve sent the trace. but It''s too big it seems to
get through to the
> > mail list. (awaiting moderator approval)
> >
> >
> >   
> gzip it.  More hand holding. ;)
It''s tar.bz2''ed already.
> 
-- 
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
98% Microsoft(tm) Free!! 
Neuromancer 17:41:32 up 2 days, 9:05, 5 users, load average: 0.48, 0.64,
0.50 




-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

On Wednesday 22 March 2006 01:41, Ow Mun Heng wrote:
>
> It''s tar.bz2''ed already.
You can send it to me directly if you like and I''ll take a look at it.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On Tuesday 21 March 2006 19:47, Ow Mun Heng wrote:
> On Tue, 2006-03-21 at 23:11 -0400, Cristian Rodriguez wrote:
> > Ow Mun Heng escribió:
> >
> > and if it crashes , send the RELEVANT informating asked many times
here :
> > http://www.shorewall.net/support.htm#id2498116
>
>  Attached is a minimal one w/ traffic shaping rules only.
>
The only thing shown in this trace is that you mis-typed
''default'' as
''DEfault''.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key