I was previously using multiple providers on my "real linux" gateway which had a kernel that supported high marks and I was policy routing in tcrules. I've now moved to openwrt where their kernel apparently does not have high marks.

I want to continue to be able to have multiple providers and a) policy route between them and b) be able to set marks for other things like traffic shaping.

I can see that iptables is quite capable of both setting and matching marks with masks, so I was thinking that I could just use, say, the two high order bits of the mark (technically I only need the one high order bit as I only have two providers, but provider marks seem to need to be 1-5). Or do I need to do any of this?

If I want to policy route in tcrules with:

64:P 0.0.0.0/0 64 $FW

And then I want to further use marking for say traffic shaping, if I write a mark in the FORWARD chain with something like:

# Ping (a silly rule to prove that shaping works)
1 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply

Does it matter that it will overwrite the "64" mark? The routing decision (i.e. ip rule) is done by then, isn't it?

If it does, I have to fall back to being able to write that one but with a mask of 0x3f:

# Ping (a silly rule to prove that shaping works)
1/0x3f 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1/0x3f 0.0.0.0/0 0.0.0.0/0 icmp echo-reply

But then the question becomes, can an ip rule be written to only look at the fwmark with a mask, and can shaping rules be done to do the same?

Thoughts?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Brian J. Murrell wrote:
> But then the question becomes, can an ip rule be written to only look at
> the fwmark with a mask, and can shaping rules be done to do the same?

No. That's the problem that the HIGH_ROUTE_MARKS option solves.

But you can still make it work by taking the approach that you suggested -- you just can't make 'track' work right.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Brian J. Murrell
2007-Apr-18 20:56 UTC
Re: multiple providers and tcrules without highmarks
On Wed, 2007-18-04 at 13:18 -0700, Tom Eastep wrote:
> Brian J. Murrell wrote:
> 
> > But then the question becomes, can an ip rule be written to only look at
> > the fwmark with a mask, and can shaping rules be done to do the same?
> 
> No. That's the problem that the HIGH_ROUTE_MARKS option solves.

Indeed, what I had suspected.

> But you can still make it work by taking the approach that you suggested --
> you just can't make 'track' work right.

But won't track still work completely as long as one avoids marking packets in PREROUTING (which is the default if MARK_IN_FORWARD_CHAIN=Yes, which seems to be the best choice for that setting) for anything except routing as per my example (which actually should be):

CONTINUE:P 0.0.0.0/0 0.0.0.0/0 all - - - !0/0xc0
64:P 0.0.0.0/0 64 $FW

So, (only) mark packets in PREROUTING for 'track' and then add additional (through masking) packets in FORWARD for things like traffic shaping (is there any other reason to mark packets?).

If I'm right, this seems like it could be a SOP (in absence of high marks) for using marking both for routing and shaping, complete with warnings/errors for marking packets in the wrong places, no?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
Brian J. Murrell wrote:
> 
> If I'm right, this seems like it could be a SOP (in absence of high
> marks) for using marking both for routing and shaping, complete with
> warnings/errors for marking packets in the wrong places, no?
> 

You're correct (It's been a while since I thought about why I did HIGH_ROUTE_MARKS). So long as you don't try to use SAVE/RESTORE rules, you should be ok. HIGH_ROUTE_MARKS provides a way to do SAVE/RESTORE safely while still using 'track' (which also does SAVE/RESTORE).

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Brian J. Murrell
2007-Apr-18 23:58 UTC
Re: multiple providers and tcrules without highmarks
On Wed, 2007-18-04 at 14:14 -0700, Tom Eastep wrote:
> 
> You're correct (It's been a while since I thought about why I did
> HIGH_ROUTE_MARKS). So long as you don't try to use SAVE/RESTORE rules, you
> should be ok. HIGH_ROUTE_MARKS provides a way to do SAVE/RESTORE safely
> while still using 'track' (which also does SAVE/RESTORE).

I think even SAVE/RESTORE could be used as long as they use masks and 'track'ing used netmasks as well, no?

Let's say we are marking providers with 0x40 and 0x80 (I'd prefer 0x00 and 0x80 with only two providers but working with what we have currently...). Let's say we default route (unless otherwise routed by some more specific rule) via 0x40 with:

CONTINUE:P 0.0.0.0/0 0.0.0.0/0 all - - - !0/0xc0
64:P 0.0.0.0/0 64 $FW

'track' does the work of SAVE/RESTORE (albeit not with the 0xc0 mask I am proposing), restoring the connection's mark, masked with 0xc0, before routing so that the ip rule fwmark works. Once a packet hits FORWARD it should be RESTORED from the connection again to restore the lower bits and then can be freely SAVEd.

Am I on crack?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
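The mark arithmetic behind the split scheme discussed above (high bits 0xc0 for the provider, low bits 0x3f for shaping), as an added example that is neither code from this thread nor Shorewall's own. It simulates the order of operations for one forwarded packet: PREROUTING restore, routing decision, then the FORWARD shaping rule. The mask semantics are standard iptables/iproute2 behaviour (MARK --set-mark value/mask replaces only the masked bits; an iptables mark match or ip rule fwmark value/mask compares only the masked bits); the masked CONNMARK restore in PREROUTING is Brian's proposal, which the replies note Shorewall does not generate as-is (it restores with mask 0xff). The table names provider1/provider2 are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): simulate packet-mark arithmetic
# for the masked-mark scheme. Bits 0xc0 are assumed to carry the provider
# (routing) mark; bits 0x3f are assumed free for shaping marks.
ROUTE_MASK=0xc0   # assumed: high two bits reserved for the provider mark
SHAPE_MASK=0x3f   # assumed: low six bits free for other marks

# set_mark CURRENT VALUE MASK -> new mark, as iptables MARK --set-mark
# VALUE/MASK computes it: bits in MASK are replaced by VALUE, the rest kept.
set_mark() {
    printf '%d\n' $(( ($1 & ~$3) | ($2 & $3) ))
}

# mark_matches MARK VALUE MASK -> succeeds if (MARK & MASK) == VALUE, the
# test done by the iptables "mark" match and by "ip rule ... fwmark VALUE/MASK".
mark_matches() {
    [ $(( $1 & $3 )) -eq $(( $2 )) ]
}

# route_table MARK -> the table a masked fwmark rule set would select
# (provider1/provider2 are assumed table names).
route_table() {
    if mark_matches "$1" 0x40 "$ROUTE_MASK"; then echo provider1
    elif mark_matches "$1" 0x80 "$ROUTE_MASK"; then echo provider2
    else echo main; fi
}

# walk_packet CONNMARK SHAPE_VALUE SHAPE_MASK
# Walks one forwarded packet through the chains in kernel order:
#   PREROUTING: restore only the routing bits from the connection mark
#               (Brian's proposed masked restore), then give connections
#               whose routing bits are clear the default provider 0x40,
#               i.e. the "!0/0xc0" CONTINUE rule followed by "64:P".
#   routing decision: the masked fwmark rule picks the table.
#   FORWARD:    the shaping rule writes SHAPE_VALUE with SHAPE_MASK.
# Prints "<table> <final mark in hex>".
walk_packet() {
    connmark=$1; shape_value=$2; shape_mask=$3
    mark=$(set_mark 0 "$connmark" "$ROUTE_MASK")          # masked restore
    if mark_matches "$mark" 0 "$ROUTE_MASK"; then           # routing bits clear?
        mark=$(set_mark "$mark" 0x40 "$ROUTE_MASK")       # default provider
    fi
    table=$(route_table "$mark")                            # decision happens here
    mark=$(set_mark "$mark" "$shape_value" "$shape_mask")   # FORWARD shaping mark
    printf '%s 0x%02x\n' "$table" "$mark"
}

# Demo: a ping packet on a new connection, shaping mark 1 written with the
# 0x3f mask. The provider bits survive (prints "provider1 0x41"); with an
# unmasked write (mask 0xffffffff) the routing decision is unchanged but
# the provider bits are gone from the packet mark.
walk_packet 0 1 "$SHAPE_MASK"
```

The third case in the test below is the situation from the first message: an unmasked shaping mark written in FORWARD does not alter the table already chosen, but it leaves the packet mark without the provider bits, which is exactly what a later SAVE would then copy into the connection.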
Brian J. Murrell wrote:
> On Wed, 2007-18-04 at 14:14 -0700, Tom Eastep wrote:
>> You're correct (It's been a while since I thought about why I did
>> HIGH_ROUTE_MARKS). So long as you don't try to use SAVE/RESTORE rules, you
>> should be ok. HIGH_ROUTE_MARKS provides a way to do SAVE/RESTORE safely
>> while still using 'track' (which also does SAVE/RESTORE).
> 
> I think even SAVE/RESTORE could be used as long as they use masks and
> 'track'ing used netmasks as well, no?

No Brian. Shorewall generates RESTORES with mask 0xff.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Brian J. Murrell
2007-Apr-19 05:40 UTC
Re: multiple providers and tcrules without highmarks
On Wed, 2007-18-04 at 17:40 -0700, Tom Eastep wrote:
> Brian J. Murrell wrote:
> > On Wed, 2007-18-04 at 14:14 -0700, Tom Eastep wrote:
> >> You're correct (It's been a while since I thought about why I did
> >> HIGH_ROUTE_MARKS). So long as you don't try to use SAVE/RESTORE rules, you
> >> should be ok. HIGH_ROUTE_MARKS provides a way to do SAVE/RESTORE safely
> >> while still using 'track' (which also does SAVE/RESTORE).
> > 
> > I think even SAVE/RESTORE could be used as long as they use masks and
> > 'track'ing used netmasks as well, no?
> 
> No Brian. Shorewall generates RESTORES with mask 0xff.

Yes, I realize it does currently. My proposition is to use a mask that masks off the high-order bits. Only 1 bit if two providers, 2 bits if 4 or less, 3 if 7 or less, etc. Of course the trade-off is the more providers, the less bits you have to do other marking. But really, how many providers can one person have? :-)

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
Brian J. Murrell wrote:
> On Wed, 2007-18-04 at 17:40 -0700, Tom Eastep wrote:
>> Brian J. Murrell wrote:
>>> On Wed, 2007-18-04 at 14:14 -0700, Tom Eastep wrote:
>>>> You're correct (It's been a while since I thought about why I did
>>>> HIGH_ROUTE_MARKS). So long as you don't try to use SAVE/RESTORE rules, you
>>>> should be ok. HIGH_ROUTE_MARKS provides a way to do SAVE/RESTORE safely
>>>> while still using 'track' (which also does SAVE/RESTORE).
>>> I think even SAVE/RESTORE could be used as long as they use masks and
>>> 'track'ing used netmasks as well, no?
>> No Brian. Shorewall generates RESTORES with mask 0xff.
> 
> Yes, I realize it does currently. My proposition is to use a mask that
> masks off the high-order bits. Only 1 bit if two providers, 2 bits if 4
> or less, 3 if 7 or less, etc. Of course the trade-off is the more
> providers, the less bits you have to do other marking. But really, how
> many providers can one person have? :-)

I'm lost. What is the difference between that and what HIGH_ROUTE_MARKS=Yes does already (except for the width of the fields)? I believe that to do what you are proposing requires the same capabilities.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Brian J. Murrell
2007-Apr-19 15:52 UTC
Re: multiple providers and tcrules without highmarks
On Thu, 2007-19-04 at 07:12 -0700, Tom Eastep wrote:
> I'm lost. What is the difference between that and what HIGH_ROUTE_MARKS=Yes
> does already (except for the width of the fields).

Nothing at all. What I am proposing is in fact an emulation of HIGH_ROUTE_MARKS=Yes without using HIGH_ROUTE_MARKS=Yes.

> I believe that to do what
> you are proposing requires the same capabilities.

But doesn't require that the kernel/iptables support "both the extended CONNMARK target and the extended connmark match capabilities" which my kernel does not unfortunately:

shorewall-lite show capabilities
...
   Extended CONNMARK Target: Available
...
   Extended MARK Target: Not available
...

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
Brian J. Murrell wrote:
> On Thu, 2007-19-04 at 07:12 -0700, Tom Eastep wrote:
>> I'm lost. What is the difference between that and what HIGH_ROUTE_MARKS=Yes
>> does already (except for the width of the fields).
> 
> Nothing at all. What I am proposing is in fact an emulation of
> HIGH_ROUTE_MARKS=Yes without using HIGH_ROUTE_MARKS=Yes.
> 
>> I believe that to do what
>> you are proposing requires the same capabilities.
> 
> But doesn't require that the kernel/iptables support "both the extended
> CONNMARK target and the extended connmark match capabilities" which my
> kernel does not unfortunately:
> 
> shorewall-lite show capabilities
> ...
>    Extended CONNMARK Target: Available
> ...
>    Extended MARK Target: Not available
> ...
> 

Then I would suggest that you just patch out the one place in the code that requires that capability with HIGH_ROUTE_MARKS=Yes. No sense re-inventing the wheel.

It will mean that in the INPUT, FORWARD and POSTROUTING chains, the current packet mark may still have the high-order bits left over from the routing decision. You could replace the '--and-mark 0xFF' with '-j MARK --mark 0'.

I haven't the time currently to worry about whether that change can be made in the released code. But it should get you going, at any rate.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Brian J. Murrell wrote:
>> On Thu, 2007-19-04 at 07:12 -0700, Tom Eastep wrote:
>>> I'm lost. What is the difference between that and what HIGH_ROUTE_MARKS=Yes
>>> does already (except for the width of the fields).
>> Nothing at all. What I am proposing is in fact an emulation of
>> HIGH_ROUTE_MARKS=Yes without using HIGH_ROUTE_MARKS=Yes.
> 
>>> I believe that to do what
>>> you are proposing requires the same capabilities.
>> But doesn't require that the kernel/iptables support "both the extended
>> CONNMARK target and the extended connmark match capabilities" which my
>> kernel does not unfortunately:
> 
>> shorewall-lite show capabilities
>> ...
>>    Extended CONNMARK Target: Available
>> ...
>>    Extended MARK Target: Not available
>> ...
> 
> 
> Then I would suggest that you just patch out the one place in the code
> that requires that capability with HIGH_ROUTE_MARKS=Yes.

Turns out that there are two places.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Brian J. Murrell
2007-Apr-19 17:36 UTC
Re: multiple providers and tcrules without highmarks
On Thu, 2007-19-04 at 10:23 -0700, Tom Eastep wrote:
> 
> Turns out that there are two places.

Yeah, I've had a brief look but been too busy today to do much more than that. As long as you're open to such a change in the form of a patch for shorewall and assuming I can find the time soon, I can look into hacking it up and contributing the patch.

On another note... well, let me start a new message thread.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
Brian J. Murrell wrote:
> On Thu, 2007-19-04 at 10:23 -0700, Tom Eastep wrote:
>> Turns out that there are two places.
> 
> Yeah, I've had a brief look but been too busy today to do much more than
> that. As long as you're open to such a change in the form of a patch
> for shorewall

I will consider patches to 3.4 -- those can usually be ported easily to the 3.9 (current development release) shell-based compiler. That means that I only have to do one real port -- to the 3.9 perl-based compiler.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key