When classifying data in tc rules does it matter if you enter
data in these two methods? With high marks yes, Mark in Forward Yes
The first way seems more efficient but I was curious which way
is the best?

(1)
If you want to route through a certain Isp and use class 3. This way I
noticed the packets are marked in the postrouting chain only.
(does tcpost chain shape as well?)

tc rules entry
    256:103    $FW          0.0.0.0/0          tcp   80,443,3128
    512:203    $FW          66.224.62.96/27    all
    512:203    0.0.0.0/0    66.224.62.96/27    all

mangle table results------------------------------------------
Chain tcpost (1 references)
 pkts bytes target    prot opt in  out  source      destination
 535K   75M CLASSIFY  tcp  --  *   *    0.0.0.0/0   0.0.0.0/0         multiport dports 80,443,3128 CLASSIFY set 256:103
36209   12M CLASSIFY  all  --  *   *    0.0.0.0/0   66.224.62.96/27   CLASSIFY set 512:203

(2)
Or you can enter this way in tc rules, which then marks route in the
Pre routing chain and the shaping in the Forward Chain

tc rules entry
    512:P    eth3:10.19.227.0/24    64.42.53.203    all
    3        eth3:10.19.227.0/24    64.42.53.203    all

mangle table results------------------------------------------
Chain tcfor (1 references)
 pkts bytes target  prot opt in    out  source           destination
  588 40397 MARK    all  --  eth3  *    10.19.227.0/24   64.42.53.203   MARK set 0x3
Chain tcpre (3 references)
 pkts bytes target  prot opt in    out  source           destination
  598 42399 MARK    all  --  eth3  *    10.19.227.0/24   64.42.53.203   MARK or 0x200

Where with this one you could have entered ?
    512:203    eth3:10.19.227.0/24    64.42.53.203    all

Thanks,
Mike

Mike Lander wrote:
> When classifying data in tc rules does it matter if you enter
> data in these two methods? With high marks yes, Mark in Forward Yes
> The first way seems more efficient but I was curious which way
> is the best?
>
> (1)
> If you want to route through a certain Isp and use class 3. This way I
> noticed the packets are marked in the postrouting chain only.
> (does tcpost chain shape as well?)
> tc rules entry
>     256:103    $FW          0.0.0.0/0          tcp   80,443,3128
>     512:203    $FW          66.224.62.96/27    all
>     512:203    0.0.0.0/0    66.224.62.96/27    all
> mangle table results------------------------------------------
> Chain tcpost (1 references)
>  pkts bytes target    prot opt in  out  source      destination
>  535K   75M CLASSIFY  tcp  --  *   *    0.0.0.0/0   0.0.0.0/0         multiport dports 80,443,3128 CLASSIFY set 256:103
> 36209   12M CLASSIFY  all  --  *   *    0.0.0.0/0   66.224.62.96/27   CLASSIFY set 512:203

That whole thing is nonsense.

a) You can't influence routing in the POSTROUTING chain -- "POST" means
"after".

b) 256:103 indicates that you have 256 interfaces under traffic shaping
and you want to classify the traffic for interface 256 with mark value
03 (which isn't possible since leading zeros are dropped). Of course, it
is clearly documented that Shorewall doesn't support more than 10
interfaces being traffic shaped.

>
> (2)
> Or you can enter this way in tc rules, which then marks route in the
> Pre routing chain and the shaping in the Forward Chain
> tc rules entry
>     512:P    eth3:10.19.227.0/24    64.42.53.203    all
>     3        eth3:10.19.227.0/24    64.42.53.203    all
> mangle table results------------------------------------------
> Chain tcfor (1 references)
>  pkts bytes target  prot opt in    out  source           destination
>   588 40397 MARK    all  --  eth3  *    10.19.227.0/24   64.42.53.203   MARK set 0x3
> Chain tcpre (3 references)
>  pkts bytes target  prot opt in    out  source           destination
>   598 42399 MARK    all  --  eth3  *    10.19.227.0/24   64.42.53.203   MARK or 0x200
> Where with this one you could have entered ?
>     512:203    eth3:10.19.227.0/24    64.42.53.203    all

Mike, you need to read the documentation about CLASSIDs again -- you
clearly don't understand them.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom wrote:
> Mike, you need to read the documentation about CLASSIDs again -- you
> clearly don't understand them.

Thanks Tom,

That's fair to say that. And I have planned to study this over and over
until I get a solid understanding. I have been using a config I sent to
the list a ways back that you stated "Looks good to me". I tried these
rules to see if they would be marked and they were marked. Now reading
this post made me realize if they are marked correctly does not mean it
is correct. And that I need to go to the docs again. I read all this back
in October and need to go through it again.

I would like to ask this. From what I have understood is this:
with high marks there is a limitation with this works and
you developed a way to shape with high marks.

My understanding is and correct me if I am wrong.
I understand hex, binary more than decimal.
I have had this config as follows
If you want to route all traffic from dmz through

ISP 2 with ISP=512 dmz=64.42.53.240---------------------
This section between I assume to be correct entries in tc rules?
    0x200:P    0.0.0.0/0       64.42.53.240    all
    0x200:P    64.42.53.240    0.0.0.0/0       all
and you want it in class 3 on ISP2
    3    0.0.0.0/0       64.42.53.240    all
    3    64.42.53.240    0.0.0.0/0       all
---------------------------------------------------------------------

So then with my understanding now would this work to combine the
entries above. This seems easier to follow in shorewall docs with a
single ISP
You warn left the low order byte 0 So maybe the only way to enter this is
above?
I realize in the last post I was entering 512 instead of 2 below
I assumed that I could enter
    2:203    0.0.0.0/0       64.42.53.240    all
    2:203    64.42.53.240    0.0.0.0/0       all
which would go out the second isp marked for class 3
Is this wrong? And this above rule would work if it was a single
ISP? Maybe to keep this simple I do better with an example
given the same task to you how would you enter this?

Mike Lander wrote:
>
> I would like to ask this. From what I have understood is this:
> with high marks there is a limitation with this works and
> you developed a way to shape with high marks.

Yes -- The basic idea is that you use High marks in the PREROUTING and
OUTPUT mangle chains to specify which ISP you want traffic to go to. You
use low marks in the FORWARD and/or POSTROUTING chains to mark traffic
for traffic shaping.

Regardless of how you set HIGH_ROUTE_MARKS, you can always use CLASSIFY
rules in the POSTROUTING chain. Classify rules are distinguished by
having <number1>:<number2> in the MARK column where:

    <number1> is the interface number (the first interface in tcdevices
    has number 1, the second has number 2, and so forth).

    <number2> is the mark value for the class with "1" added in front of
    it. So if the mark value is 30, then <number2> is 130.

> My understanding is and correct me if I am wrong.
> I understand hex, binary more than decimal.
> I have had this config as follows
> If you want to route all traffic from dmz through
>
> ISP 2 with ISP=512 dmz=64.42.53.240---------------------
> This section between I assume to be correct entries in tc rules?
>     0x200:P    0.0.0.0/0       64.42.53.240    all
>     0x200:P    64.42.53.240    0.0.0.0/0       all

Correct.

> and you want it in class 3 on ISP2
>     3    0.0.0.0/0       64.42.53.240    all
>     3    64.42.53.240    0.0.0.0/0       all

Yes -- assuming that you have MARK_IN_FORWARD=Yes. Otherwise, you need
"3:F" in the first column. But you can only make use of one of those
rules -- see below.

> ---------------------------------------------------------------------
>
> So then with my understanding now would this work to combine the
> entries above. This seems easier to follow in shorewall docs with a
> single ISP
> You warn left the low order byte 0 So maybe the only way to enter this is
> above?
> I realize in the last post I was entering 512 instead of 2 below
> I assumed that I could enter
>     2:203    0.0.0.0/0       64.42.53.240    all
>     2:203    64.42.53.240    0.0.0.0/0       all
> which would go out the second isp marked for class 3
> Is this wrong?

Yes -- You want:

    2:13    0.0.0.0/0       64.42.53.240    all
    2:13    64.42.53.240    0.0.0.0/0       all

But of course you really only can use one of those rules since you can
only shape output traffic and only one of those two rules will apply to
that traffic.

> And this above rule would work if it was a single
> ISP? Maybe to keep this simple I do better with an example
> given the same task to you how would you enter this?

Traffic shaping rules are exactly the same whether you have 1 ISP or 412
ISPs. They are independent of the number of ISPs and/or the setting of
HIGH_ROUTE_MARKS.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
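
Added example (not part of the thread and not Shorewall code): a small linter for the MARK column of tcrules that applies the CLASSID rule given in the reply above (interface number, then the class mark with "1" in front) and the high/low mark split. The function name, the two shaped devices and the class-mark set {3} are assumptions; the sample values are the entries quoted in this thread.

```python
import re

MAX_SHAPED_INTERFACES = 10  # limit stated in the thread
CLASSID = re.compile(r"(\d+):(\d+)")                    # <number1>:<number2>
MARK = re.compile(r"(0x[0-9a-fA-F]+|\d+)(?::([PF]))?")  # mark[:P|:F]

def check_mark_column(value, num_tcdevices, class_marks):
    """Lint one MARK-column value; returns (kind, problems)."""
    problems = []
    m = CLASSID.fullmatch(value)
    if m:
        iface, minor = int(m.group(1)), m.group(2)
        limit = min(num_tcdevices, MAX_SHAPED_INTERFACES)
        if not 1 <= iface <= limit:
            problems.append(f"interface number {iface} not in 1..{limit}")
        if len(minor) < 2 or minor[0] != "1":
            problems.append(f"class number {minor} is not '1' + mark value")
        elif minor[1] == "0":
            problems.append(f"mark value {minor[1:]} has a leading zero")
        elif int(minor[1:]) not in class_marks:
            problems.append(f"no class defined with mark {int(minor[1:])}")
        return "classify", problems
    m = MARK.fullmatch(value)
    if not m:
        return "unknown", [f"cannot parse {value!r}"]
    text = m.group(1)
    mark = int(text, 16) if text.lower().startswith("0x") else int(text)
    if mark > 0xFF:
        # High mark: selects the ISP. Assumption taken from the thread:
        # the low-order byte stays 0 so a shaping mark can share the field.
        if mark & 0xFF:
            problems.append("high mark must leave the low-order byte 0")
        return "route-mark", problems
    if mark not in class_marks:
        problems.append(f"no class defined with mark {mark}")
    return "shaping-mark", problems

if __name__ == "__main__":
    # Values quoted in the thread; 2 shaped devices and class mark 3 are assumed.
    for v in ["256:103", "512:203", "2:203", "2:13", "0x200:P", "512:P", "3", "3:F"]:
        kind, problems = check_mark_column(v, 2, {3})
        print(f"{v:8} {kind:13} {'; '.join(problems) or 'ok'}")
```

Only the MARK column is examined; which mangle chain a rule finally lands in also depends on the SOURCE column and on MARK_IN_FORWARD, which this sketch does not model.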