Jorge Daza García-Blanes
2006-Aug-15 00:38 UTC
Two balanced providers with traffic shaping issue.
Dear Shorewall Users,

please forgive me if this question is already answered in some document I missed to read. I've tried to find the right solution in the documentation, even looking at the source code... and ended up fixing up the rules manually, unable to solve it.

I have two balanced ADSL providers that need the "track" option to work flawlessly. Problem is I also use traffic shaping with the internal engine. Some of the rules in "tcrules" involve the "$FW" itself, and shorewall shows some error messages when I try to change those "tcout" rules from "MARK" to "CLASSIFY" in the lines where "fw" appears.

CLASSIFY is the way to go for those "tcout" firewall generated traffic rules. But the rules never got processed due to the rules:

    -A OUTPUT -m connmark ! --mark 0x0 -j CONNMARK --restore-mark
    -A OUTPUT -m mark --mark 0x0 -j tcout
    -A tcout -m owner --uid-owner userclass2 -j MARK --set-mark 0x2
    -A tcout -m owner --uid-owner userclass6 -j MARK --set-mark 0x6

So those "tcout" rules were never checked because once the connection was established and marked, firewall traffic never reached the tcout set of rules. And even if checked, the MARK set for shaping would screw the "track" mark for balancing. I needed to use CLASSIFY then so...

I dumped the rules and modified them manually to make them look like this:

    -A OUTPUT -m connmark ! --mark 0x0 -j CONNMARK --restore-mark
    -A OUTPUT -j tcout

Leaving the "track" marks unmodified, and then in "tcout" made the rules look like these:

    -A tcout -m owner -o eth0 --uid-owner userclass2 -j CLASSIFY --set-class 0001:0012
    -A tcout -m owner -o eth1 --uid-owner userclass2 -j CLASSIFY --set-class 0002:0012
    -A tcout -m owner -o eth0 --uid-owner userclass6 -j CLASSIFY --set-class 0001:0016
    -A tcout -m owner -o eth1 --uid-owner userclass6 -j CLASSIFY --set-class 0002:0016

That properly classifies output traffic from both "eth0" and "eth1" originated in the "fw" without having to mark the packages and thus allowing the balanced providers work.

This solution works great, but I had to manually edit the dumped config. And that's obviously not the right way to solve it.

I run shorewall version 3.0.7

And my question would be, how would I make shorewall produce such set of rules directly ? mixing traffic shaping (classifying output traffic by user) and two (connection marked) balanced providers ?

Again, please forgive me if it is solved somewhere else, but I was unable to find that solution or, if found, understand it properly.

Thanks in advance,
Jorge

--
Jorge Daza García-Blanes <jorge@drqueue.org>

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
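An added illustration, not part of the original post and not Shorewall code: a small Python model of the mangle OUTPUT traversal described in the message above, comparing the generated rules, an unguarded jump to tcout with MARK, and the hand-edited CLASSIFY rules. The "track" connection mark value 0x1 for eth0 is an assumption; the other values come from the quoted rules.

```python
from dataclasses import dataclass

# Values taken from the rules quoted in the post.
SHAPING_MARK = {"userclass2": 0x2, "userclass6": 0x6}    # MARK --set-mark
CLASS_MINOR = {"userclass2": 0x12, "userclass6": 0x16}   # CLASSIFY minor
CLASS_MAJOR = {"eth0": 0x1, "eth1": 0x2}                 # CLASSIFY major
# Assumption (not in the post): 'track' saves connmark 0x1 for eth0.
TRACK_ETH0 = 0x1


@dataclass
class Packet:
    uid: str
    out_if: str
    connmark: int = 0   # connection mark kept by conntrack ('track')
    mark: int = 0       # packet mark, consulted by policy routing
    tc_class: str = ""  # class set by CLASSIFY, read by the qdisc


def tcout_mark(pkt):
    # -A tcout -m owner --uid-owner <user> -j MARK --set-mark <n>
    if pkt.uid in SHAPING_MARK:
        pkt.mark = SHAPING_MARK[pkt.uid]


def tcout_classify(pkt):
    # -A tcout -m owner -o <if> --uid-owner <user> -j CLASSIFY --set-class M:m
    if pkt.uid in CLASS_MINOR and pkt.out_if in CLASS_MAJOR:
        pkt.tc_class = "%04x:%04x" % (CLASS_MAJOR[pkt.out_if], CLASS_MINOR[pkt.uid])


def traverse_output(pkt, tcout, guarded):
    # -A OUTPUT -m connmark ! --mark 0x0 -j CONNMARK --restore-mark
    if pkt.connmark != 0:
        pkt.mark = pkt.connmark
    # guarded:   -A OUTPUT -m mark --mark 0x0 -j tcout   (generated rules)
    # unguarded: -A OUTPUT -j tcout                       (hand-edited rules)
    if not guarded or pkt.mark == 0:
        tcout(pkt)
    return pkt.mark, pkt.tc_class


def tracked_packet():
    # Constructed sample: userclass6 traffic on a connection tracked to eth0.
    return Packet(uid="userclass6", out_if="eth0", connmark=TRACK_ETH0)


if __name__ == "__main__":
    print("generated :", traverse_output(tracked_packet(), tcout_mark, True))
    print("MARK, open:", traverse_output(tracked_packet(), tcout_mark, False))
    print("CLASSIFY  :", traverse_output(tracked_packet(), tcout_classify, False))
```

With the generated rules the packet keeps its routing mark but never reaches tcout; with an unguarded MARK rule the shaping mark replaces the routing mark; only the CLASSIFY variant leaves the routing mark intact and still selects a class.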
Jorge Daza García-Blanes wrote:
>
> I run shorewall version 3.0.7
>
> And my question would be, how would I make shorewall produce such set of
> rules directly ? mixing traffic shaping (classifying output traffic by
> user) and two (connection marked) balanced providers ?

You will need to upgrade to 3.2.2 and set HIGH_ROUTE_MARKS=Yes in shorewall.conf

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Mon, 2006-08-14 at 21:11 -0700, Tom Eastep wrote:
> Jorge Daza García-Blanes wrote:
> >
> > I run shorewall version 3.0.7
> >
> > And my question would be, how would I make shorewall produce such set of
> > rules directly ? mixing traffic shaping (classifying output traffic by
> > user) and two (connection marked) balanced providers ?
>
> You will need to upgrade to 3.2.2 and set HIGH_ROUTE_MARKS=Yes in
> shorewall.conf

Sorry -- I checked again this morning and that won't solve your problem either.

Currently there is no solution other than to modify the rules manually using an extension script.

Sorry,
-Tom
On Tue, 2006-08-15 at 07:33 -0700, Tom Eastep wrote:
> On Mon, 2006-08-14 at 21:11 -0700, Tom Eastep wrote:
> > Jorge Daza García-Blanes wrote:
> > >
> > > I run shorewall version 3.0.7
> > >
> > > And my question would be, how would I make shorewall produce such set of
> > > rules directly ? mixing traffic shaping (classifying output traffic by
> > > user) and two (connection marked) balanced providers ?
> >
> > You will need to upgrade to 3.2.2 and set HIGH_ROUTE_MARKS=Yes in
> > shorewall.conf
>
> Sorry -- I checked again this morning and that won't solve your problem
> either.
>
> Currently there is no solution other than to modify the rules manually
> using an extension script.

In SVN (shorewall/branches/3.0/Shorewall), there is code that allows TC_EXPERT=Yes in shorewall.conf. That setting will allow you to do what you want -- simply include your CLASSIFY rules in tcrules with SOURCE specified as $FW.

Let me know if that works -- I have tested the 3.2 version of the code.

-Tom

PS -- you will need to upgrade to 3.0.8 before copying the 'firewall' script from SVN to /usr/share/shorewall/
Jorge Daza García-Blanes
2006-Aug-15 19:04 UTC
Re: Two balanced providers with traffic shaping issue.
Thanks Tom,

I'm running Debian's prepackaged version.

Considering I'd have to install from sources, would you recommend me 3.0 or 3.2 branch ?

Thanks a lot,
Jorge

On Tue, 2006-08-15 at 11:12 -0700, Tom Eastep wrote:
> On Tue, 2006-08-15 at 07:33 -0700, Tom Eastep wrote:
> > On Mon, 2006-08-14 at 21:11 -0700, Tom Eastep wrote:
> > > Jorge Daza García-Blanes wrote:
> > > >
> > > > I run shorewall version 3.0.7
> > > >
> > > > And my question would be, how would I make shorewall produce such set of
> > > > rules directly ? mixing traffic shaping (classifying output traffic by
> > > > user) and two (connection marked) balanced providers ?
> > >
> > > You will need to upgrade to 3.2.2 and set HIGH_ROUTE_MARKS=Yes in
> > > shorewall.conf
> >
> > Sorry -- I checked again this morning and that won't solve your problem
> > either.
> >
> > Currently there is no solution other than to modify the rules manually
> > using an extension script.
>
> In SVN (shorewall/branches/3.0/Shorewall), there is code that allows
> TC_EXPERT=Yes in shorewall.conf. That setting will allow you to do what
> you want -- simply include your CLASSIFY rules in tcrules with SOURCE
> specified as $FW.
>
> Let me know if that works -- I have tested the 3.2 version of the code.
>
> -Tom
>
> PS -- you will need to upgrade to 3.0.8 before copying the 'firewall'
> script from SVN to /usr/share/shorewall/
Cristian Rodriguez R.
2006-Aug-15 21:26 UTC
Re: Two balanced providers with traffic shaping issue.
Jorge Daza García-Blanes wrote:
> Thanks Tom,
>
> I'm running Debian's prepackaged version.
>
> Considering I'd have to install from sources, would you recommend me 3.0
> or 3.2 branch ?
>

Please, use 3.2.
Hi

Please I would like to unsubscribe to this mailing list with this email address and switch to the following address.

Thanks

Roland Mfondoum
Cristian Rodriguez R.
2006-Aug-16 06:25 UTC
Re: Please Unsubscribtion request from this mailing list
roland wrote:
> Hi
> Please I would like to unsubscribe to this mailing list with this email address and switch to the following address.
> Thanks
>

you can do that by yourself -- see https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Tue, 2006-08-15 at 17:26 -0400, Cristian Rodriguez R. wrote:
> Jorge Daza García-Blanes wrote:
> > Thanks Tom,
> >
> > I'm running Debian's prepackaged version.
> >
> > Considering I'd have to install from sources, would you recommend me 3.0
> > or 3.2 branch ?
> >
>
> Please, use 3.2.

But if you do use 3.2.2, you will need to move 'compiler', 'firewall' and 'functions' from SVN to /usr/share/shorewall/

-Tom
Tom Eastep
2006-Aug-16 15:06 UTC
Re: How to Unsubscribe from a Mailman-managed Mailing List (was: Please Unsubscribtion request from this mailing list)
On Wed, 2006-08-16 at 02:25 -0400, Cristian Rodriguez R. wrote:
> roland wrote:
> > Hi
> > Please I would like to unsubscribe to this mailing list with this email address and switch to the following address.
> > Thanks
> >
>
> you can do that by yourself -- see
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

After you have entered your mail id at the bottom of the form, you will be presented with a second form. Enter your password and *click the Log in button*. After you have logged in, you will see an "Unsubscribe" button; click the check-box labeled "Yes, I really want to unsubscribe" then click "Unsubscribe"; you will be immediately unsubscribed.

The alternative is that when you come to the second page, *do not enter your password* but simply click "Unsubscribe" -- you will be sent a confirmation email that you can simply reply to to complete the unsubscription. This method only works if the mail id that you are currently subscribed under still works.

Also note that *every message forwarded by the list server* includes headers such as the following:

    List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/shorewall-users>,
        <mailto:shorewall-users-request@lists.sourceforge.net?subject=unsubscribe>
    List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum=shorewall-users>
    List-Post: <mailto:shorewall-users@lists.sourceforge.net>
    List-Help: <mailto:shorewall-users-request@lists.sourceforge.net?subject=help>
    List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/shorewall-users>,
        <mailto:shorewall-users-request@lists.sourceforge.net?subject=subscribe>

So, as you can see, another option is to send an email to:

    shorewall-users-request@lists.sourceforge.net

with the subject

    unsubscribe

-Tom