I am trying to apply the new :T flag in tcrules. The man page for this
file [1] says that if SOURCE is $FW then rules are applied in OUTPUT.

This doesn't seem to work on my setup. I have in tcrules:
------------------------------------------------------------------------
RESTORE:T   0.0.0.0/0   0.0.0.0/0   all   -   -   -   0
CONTINUE:T  0.0.0.0/0   0.0.0.0/0   all   -   -   -   !0
2:T         $FW         0.0.0.0/0   ipp2p:all
SAVE:T      0.0.0.0/0   0.0.0.0/0   all   -   -   -   !0
------------------------------------------------------------------------

but shorewall show mangle gives:
------------------------------------------------------------------------
Shorewall 3.4.0-RC1 Mangle Table at droopy - Thu Jan 25 12:06:47 GMT 2007

Counters reset Thu Jan 25 11:41:20 GMT 2007

Chain PREROUTING (policy ACCEPT 21911 packets, 7207K bytes)
 pkts bytes target     prot opt in     out     source       destination
  215 36310 CONNMARK   0    --  *      *       0.0.0.0/0    0.0.0.0/0    CONNMARK match !0x0/0xff CONNMARK restore mask 0xff
  648 69251 routemark  0    --  ppp0   *       0.0.0.0/0    0.0.0.0/0    MARK match 0x0/0xff
  647 69125 tcpre      0    --  ppp0   *       0.0.0.0/0    0.0.0.0/0
21873 7205K tcpre      0    --  *      *       0.0.0.0/0    0.0.0.0/0    MARK match 0x0/0xff00

Chain INPUT (policy ACCEPT 20174 packets, 6867K bytes)
 pkts bytes target     prot opt in     out     source       destination

Chain FORWARD (policy ACCEPT 1737 packets, 340K bytes)
 pkts bytes target     prot opt in     out     source       destination
 1733  340K tcfor      0    --  *      *       0.0.0.0/0    0.0.0.0/0

Chain OUTPUT (policy ACCEPT 112K packets, 56M bytes)
 pkts bytes target     prot opt in     out     source       destination
  454 47166 CONNMARK   0    --  *      *       0.0.0.0/0    0.0.0.0/0    CONNMARK match !0x0/0xff CONNMARK restore mask 0xff
20313   10M tcout      0    --  *      *       0.0.0.0/0    0.0.0.0/0    MARK match 0x0/0xff00

Chain POSTROUTING (policy ACCEPT 22096 packets, 10M bytes)
 pkts bytes target     prot opt in     out     source       destination
22062   10M tcpost     0    --  *      *       0.0.0.0/0    0.0.0.0/0

Chain routemark (1 references)
 pkts bytes target     prot opt in     out     source       destination
  648 69251 MARK       0    --  ppp0   *       0.0.0.0/0    0.0.0.0/0    MARK set 0x2
  648 69251 CONNMARK   0    --  *      *       0.0.0.0/0    0.0.0.0/0    MARK match !0x0/0xff CONNMARK save mask 0xff

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source       destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source       destination

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source       destination
21608   10M CONNMARK   0    --  *      *       0.0.0.0/0    0.0.0.0/0    MARK match 0x0/0xffff CONNMARK restore mask 0xff
  454 47166 RETURN     0    --  *      *       0.0.0.0/0    0.0.0.0/0    MARK match !0x0/0xffff
   35  3888 MARK       0    --  *      *       0.0.0.0/0    0.0.0.0/0    ipp2p v0.8.2 --ipp2p MARK set 0x2
   35  3888 CONNMARK   0    --  *      *       0.0.0.0/0    0.0.0.0/0    MARK match !0x0/0xffff CONNMARK save mask 0xff

Chain tcpre (2 references)
 pkts bytes target     prot opt in     out     source       destination
------------------------------------------------------------------------

Do any of you know what I am doing wrong?

Thanks

[1] http://www.shorewall.net/manpages/shorewall-tcrules.html

T o M
--
http://tomdeb.org

Thomas Debost wrote:
> I am trying to apply the new :T flag in tcrules. The man page for this
> file [1] says that if SOURCE is $FW then rules are applied in OUTPUT.
>
> This doesn't seem to work on my setup. I have in tcrules:
> ------------------------------------------------------------------------
> RESTORE:T   0.0.0.0/0   0.0.0.0/0   all   -   -   -   0
> CONTINUE:T  0.0.0.0/0   0.0.0.0/0   all   -   -   -   !0
> 2:T         $FW         0.0.0.0/0   ipp2p:all
> SAVE:T      0.0.0.0/0   0.0.0.0/0   all   -   -   -   !0
> ------------------------------------------------------------------------

The man page says that if neither :F nor :P nor :T is specified, *then* if
the SOURCE is $FW then rules are applied in OUTPUT. In your case, all of
your rules specify :T so they are all applied in POSTROUTING.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

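The chain-selection rule from the reply above, as an added shell example (not part of the thread and not Shorewall's own code): tc_chain predicts the chain for a MARK/SOURCE pair, and chain_of reports where a rule actually sits in a mangle listing. The :F and :P mappings and the default without a designator follow shorewall-tcrules(5); the function names and the third parameter are assumptions made here.

```shell
#!/bin/sh
# Added example, not Shorewall code. Chain names are the ones in the listing above.

# tc_chain MARK SOURCE [MARK_IN_FORWARD]: mangle chain a tcrules entry lands in.
# The third argument is a hypothetical stand-in for MARK_IN_FORWARD_CHAIN.
tc_chain() {
    mark=$1; src=$2; in_forward=${3:-No}
    case $mark in
        *:T) echo tcpost ;;              # explicit :T wins, SOURCE is not consulted
        *:F) echo tcfor ;;
        *:P) echo tcpre ;;
        *)  case $src in                 # no designator: SOURCE decides
                '$FW'|'$FW:'*) echo tcout ;;
                *) if [ "$in_forward" = Yes ]; then echo tcfor; else echo tcpre; fi ;;
            esac ;;
    esac
}

# chain_of REGEX: read an iptables-style mangle listing on stdin and print
# each chain that holds a rule matching REGEX.
chain_of() {
    awk -v pat="$1" '
        $1 == "Chain" { chain = $2; next }
        $0 ~ pat && !seen[chain]++ { print chain }'
}

# Excerpt of the poster's listing (two chains, one rule), embedded for offline use.
MANGLE_EXCERPT='Chain tcout (1 references)
 pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
 pkts bytes target prot opt in out source destination
   35  3888 MARK 0 -- * * 0.0.0.0/0 0.0.0.0/0 ipp2p v0.8.2 --ipp2p MARK set 0x2'

# MARK and SOURCE columns of the four posted rules, then the ipp2p rule without :T.
for rule in 'RESTORE:T 0.0.0.0/0' 'CONTINUE:T 0.0.0.0/0' '2:T $FW' \
            'SAVE:T 0.0.0.0/0' '2 $FW'; do
    set -- $rule
    printf '%-11s %-10s -> %s\n' "$1" "$2" "$(tc_chain "$1" "$2")"
done
printf 'ipp2p rule found in: %s\n' "$(printf '%s\n' "$MANGLE_EXCERPT" | chain_of ipp2p)"
```

On a live system, pipe the output of shorewall show mangle into chain_of instead of the embedded excerpt.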
> Thomas Debost wrote:
>> I am trying to apply the new :T flag in tcrules. The man page for this
>> file [1] says that if SOURCE is $FW then rules are applied in OUTPUT.
>>
>> This doesn't seem to work on my setup. I have in tcrules:
>> ------------------------------------------------------------------------
>> RESTORE:T   0.0.0.0/0   0.0.0.0/0   all   -   -   -   0
>> CONTINUE:T  0.0.0.0/0   0.0.0.0/0   all   -   -   -   !0
>> 2:T         $FW         0.0.0.0/0   ipp2p:all
>> SAVE:T      0.0.0.0/0   0.0.0.0/0   all   -   -   -   !0
>> ------------------------------------------------------------------------
>
> The man page says that if neither :F nor :P nor :T is specified, *then* if
> the SOURCE is $FW then rules are applied in OUTPUT. In your case, all of
> your rules specify :T so they are all applied in POSTROUTING.

BTW, where can I get 3.4.0-RC1, did I miss something? The latest I see is
3.4.0-Beta3.

Simon

Simon Matter wrote:
>
> BTW, where can I get 3.4.0-RC1, did I miss something? The latest I see is
> 3.4.0-Beta3.

I assume that Thomas is running one of the Betas since I haven't yet
released RC1.

-Tom

Tom Eastep wrote:
> Simon Matter wrote:
>
>> BTW, where can I get 3.4.0-RC1, did I miss something? The latest I see is
>> 3.4.0-Beta3.
>
> I assume that Thomas is running one of the Betas since I haven't yet
> released RC1.
>

Although, he could have gotten it from SVN -- I updated the version numbers
in SVN yesterday.

-Tom