I tried to upgrade my shorewall{,-lite} firewall from 4.0.15 to 4.2.8 this morning. I seem to have run into a problem:

Setting up Traffic Control...
RTNETLINK answers: No such file or directory
We have an error talking to the kernel
ERROR: Command "tc filter add dev eth0.1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:11" Failed

Looking at the "firewall" scripts produced by both versions, it's entirely clear that the structure of the traffic control has been reworked. I'm guessing that perhaps my kernel, 2.6.25.20, is out of the support range for 4.2.8 maybe?

Anyone more knowledgeable than I on Traffic Control and tc have any thoughts?

b.

------------------------------------------------------------------------------
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled. http://p.sf.net/sfu/kodak-com
Brian J. Murrell wrote:
> I tried to upgrade my shorewall{,-lite} firewall from 4.0.15 to 4.2.8
> this morning. I seem to have run into a problem:
>
> Setting up Traffic Control...
> RTNETLINK answers: No such file or directory
> We have an error talking to the kernel
> ERROR: Command "tc filter add dev eth0.1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:11" Failed
>
> Looking at the "firewall" scripts produced by both versions, it's
> entirely clear that the structure of the traffic control has been
> reworked. I'm guessing that perhaps my kernel, 2.6.25.20, is out of the
> support range for 4.2.8 maybe?
>
> Anyone more knowledgeable than I on Traffic Control and tc have any
> thoughts?

Not without seeing the entire generated script.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wed, 2009-05-13 at 08:30 -0700, Tom Eastep wrote:
>
> Not without seeing the entire generated script.

Is that the firewall script you want to see?

b.
Brian J. Murrell wrote:
> On Wed, 2009-05-13 at 08:30 -0700, Tom Eastep wrote:
>> Not without seeing the entire generated script.
>
> Is that the firewall script you want to see?

Please.

-Tom
Tom Eastep wrote:
> Brian J. Murrell wrote:
>> On Wed, 2009-05-13 at 08:30 -0700, Tom Eastep wrote:
>>> Not without seeing the entire generated script.
>> Is that the firewall script you want to see?
>
> Please.

You can send it to upload@shorewall.net, if you like.

-Tom
On Wed, 2009-05-13 at 09:10 -0700, Tom Eastep wrote:
> Brian J. Murrell wrote:
> > On Wed, 2009-05-13 at 08:30 -0700, Tom Eastep wrote:
> >> Not without seeing the entire generated script.
> >
> > Is that the firewall script you want to see?
>
> Please.

For the benefit of the list, I sent them to Tom directly. No need to send large files like that to the list. I am sure he or I will summarize the issue(s) upon examination/resolution.

BTW Tom, I must say I never really appreciated the design element of storing the entire configuration in the "restore" shell script so much as I did when even after an upgrade to 4.2.8 failed to load my newly compiled ruleset, it didn't prevent the older version compiled ruleset from being restored -- even with the new version still installed.

Very nice!

b.
Brian J. Murrell wrote:
> On Wed, 2009-05-13 at 09:10 -0700, Tom Eastep wrote:
>> Brian J. Murrell wrote:
>>> On Wed, 2009-05-13 at 08:30 -0700, Tom Eastep wrote:
>>>> Not without seeing the entire generated script.
>>> Is that the firewall script you want to see?
>> Please.
>
> For the benefit of the list, I sent them to Tom directly. No need to
> send large files like that to the list. I am sure he or I will
> summarize the issue(s) upon examination/resolution.

Brian,

I see nothing wrong with the generated commands. I've performed this sequence of operations on two different systems ranging from Debian Etch (2.6.18) to Ubuntu Jaunty (2.6.28):

root@ursa:# tc qdisc add dev eth1 root handle 1: htb default 13
root@ursa:# tc class add dev eth1 parent 1:1 classid 1:11 htb rate 558kbit ceil 570kbit prio 1
root@ursa:# tc qdisc add dev eth1 parent 1:11 handle 11: sfq limit 127 perturb 10
root@ursa:# tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:11
root@ursa:#

That appears to be the sequence of operations that is failing on your box (I've omitted a couple of parameters that should have no effect on the failing command).

Is there a way that you can confirm that the above sequence fails? No copy of busybox that I have includes 'tc' support so I can't try this in that environment.

> BTW Tom, I must say I never really appreciated the design element of
> storing the entire configuration in the "restore" shell script so much
> as I did when even after an upgrade to 4.2.8 failed to load my newly
> compiled ruleset, it didn't prevent the older version compiled ruleset
> from being restored -- even with the new version still installed.
>
> Very nice!

Thanks,
-Tom
On Wed, 2009-05-13 at 10:19 -0700, Tom Eastep wrote:
>
> Brian,
>
> I see nothing wrong with the generated commands. I've performed this
> sequence of operations on two different systems ranging from Debian Etch
> (2.6.18) to Ubuntu Jaunty (2.6.28):

Hrm. I was about to say maybe it's my kernel/iproute2 version (which is 2.6.25.20 and 2.6.25, respectively) but your fairly wide version range seems to eliminate that possibility.

> root@ursa:# tc qdisc add dev eth1 root handle 1: htb default 13
> root@ursa:# tc class add dev eth1 parent 1:1 classid 1:11 htb rate
> 558kbit ceil 570kbit prio 1
> root@ursa:# tc qdisc add dev eth1 parent 1:11 handle 11: sfq limit 127
> perturb 10
> root@ursa:# tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle
> 1 fw classid 1:11
> root@ursa:#
>
> That appears to be the sequence of operations that is failing on your
> box (I've omitted a couple of parameters that should have no effect on
> the failing command).

Hrm. I will give that same sequence a try here. Hopefully I can do it without pooching things up the live router too much.

> Is there a way that you can confirm that the above sequence fails?

OK. So first 3 commands executed successfully. The last one is where I get the error:

# tc qdisc add dev eth1 root handle 1: htb default 13
# tc class add dev eth1 parent 1:1 classid 1:11 htb rate 558kbit ceil 570kbit prio 1
# tc qdisc add dev eth1 parent 1:11 handle 11: sfq limit 127 perturb 10
# tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:11
RTNETLINK answers: No such file or directory
We have an error talking to the kernel

> No copy of busybox that I have includes 'tc' support so I can't try this in
> that environment.

Yeah. My environment is using tc from iproute2, so no issues of busybox neutering should be at play here.

b.
Brian J. Murrell wrote:
> On Wed, 2009-05-13 at 10:19 -0700, Tom Eastep wrote:
>> Brian,
>>
>> I see nothing wrong with the generated commands. I've performed this
>> sequence of operations on two different systems ranging from Debian Etch
>> (2.6.18) to Ubuntu Jaunty (2.6.28):
>
> Hrm. I was about to say maybe it's my kernel/iproute2 version (which is
> 2.6.25.20 and 2.6.25, respectively) but your fairly wide version range
> seems to eliminate that possibility.
>
>> root@ursa:# tc qdisc add dev eth1 root handle 1: htb default 13
>> root@ursa:# tc class add dev eth1 parent 1:1 classid 1:11 htb rate
>> 558kbit ceil 570kbit prio 1
>> root@ursa:# tc qdisc add dev eth1 parent 1:11 handle 11: sfq limit 127
>> perturb 10
>> root@ursa:# tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle
>> 1 fw classid 1:11
>> root@ursa:#
>>
>> That appears to be the sequence of operations that is failing on your
>> box (I've omitted a couple of parameters that should have no effect on
>> the failing command).
>
> Hrm. I will give that same sequence a try here. Hopefully I can do it
> without pooching things up the live router too much.
>
>> Is there a way that you can confirm that the above sequence fails?
>
> OK. So first 3 commands executed successfully. The last one is where I
> get the error:
>
> # tc qdisc add dev eth1 root handle 1: htb default 13
> # tc class add dev eth1 parent 1:1 classid 1:11 htb rate 558kbit ceil 570kbit prio 1
> # tc qdisc add dev eth1 parent 1:11 handle 11: sfq limit 127 perturb 10
> # tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:11
> RTNETLINK answers: No such file or directory
> We have an error talking to the kernel
>
>> No copy of busybox that I have includes 'tc' support so I can't try this in
>> that environment.
>
> Yeah. My environment is using tc from iproute2, so no issues of busybox
> neutering should be at play here.

Try 'modprobe cls_fw'

-Tom
On Wed, 2009-05-13 at 14:07 -0400, Brian J. Murrell wrote:
>
> OK. So first 3 commands executed successfully. The last one is where I
> get the error:

To reproduce exactly what the firewall script is doing (albeit on a different interface given this is a live firewall):

# tc qdisc del dev eth1 root
# tc qdisc del dev eth1 ingress
# tc qdisc add dev eth1 root handle 1: htb default 13
# tc class add dev eth1 parent 1: classid 1:1 htb rate 570kbit mtu 1500
# tc qdisc add dev eth1 handle ffff: ingress
# tc filter add dev eth1 parent ffff: protocol ip pref 10 u32 match ip src 0.0.0.0/0 police rate 9000kbit burst 10k drop flowid :1
# tc class add dev eth1 parent 1:1 classid 1:11 htb rate 558kbit ceil 570kbit prio 1 mtu 1500 quantum 13950
# tc qdisc add dev eth1 parent 1:11 handle 11: sfq quantum 13950 limit 127 perturb 10
# tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:11
RTNETLINK answers: No such file or directory
We have an error talking to the kernel

And what got configured to this point:

# tc qdisc show dev eth1
qdisc htb 1: root r2q 10 default 13 direct_packets_stat 0
qdisc ingress ffff: parent ffff:fff1 ----------------
qdisc sfq 11: parent 1:11 limit 127p quantum 13950b perturb 10sec

b.
On Wed, 2009-05-13 at 11:24 -0700, Tom Eastep wrote:
>
> Try 'modprobe cls_fw'

Bingo! Added that one to my modules file.

Now to get on with getting shorewall6{,-lite} going as well.

Thanx again, Tom.

b.
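The failure in this thread was not a bad tc command but a classifier module (cls_fw) that the kernel could not find, and the only hint was RTNETLINK's "No such file or directory" (ENOENT). The same error comes back when a qdisc kind (sch_htb, sch_sfq, sch_ingress) or an action (act_police) is missing, so a pre-flight check of all three kinds is worth having on a custom kernel. The script below is an added example, not code from this thread or from Shorewall: it reads a sequence of tc commands (Brian's reproduction from above is embedded as sample input), derives the modules they depend on, and reports which ones are neither loaded nor built in. The mapping of a tc kind to a module name (sch_<qdisc>, cls_<filter>, act_<action>) is an assumption that follows the kernel's net/sched naming; the list of positional option keywords it skips over is likewise an assumption covering the commands shown here.

```shell
#!/bin/sh
# Added example, not part of this thread or of Shorewall: pre-flight check for
# the kernel modules a sequence of tc commands needs.  Assumption: a qdisc or
# class kind lives in sch_<kind>, a filter kind in cls_<kind> and an action in
# act_<name>, which is how the net/sched modules are named.

# Module that implements one tc object: tc_module_for filter fw -> cls_fw
tc_module_for() {
    case "$1" in
        qdisc|class) echo "sch_$2" ;;
        filter)      echo "cls_$2" ;;
        action)      echo "act_$2" ;;
    esac
}

# Read tc commands on stdin (one per line, with or without the leading "tc")
# and print the modules they depend on, one per line, de-duplicated.
# Only add/replace/change are inspected; "del" lines cannot need a module.
tc_required_modules() {
    while read -r line; do
        set -- $line
        [ "$1" = tc ] && shift
        obj=$1
        case "$obj" in qdisc|class|filter) ;; *) continue ;; esac
        shift
        case "$1" in add|replace|change) ;; *) continue ;; esac
        shift
        kind=
        # Step over the positional options; the first bare word is the kind
        # ("htb", "sfq", "ingress", "fw", "u32", ...).  Keyword list is an
        # assumption sized for the commands in this thread.
        while [ $# -gt 0 ] && [ -z "$kind" ]; do
            case "$1" in
                dev|parent|handle|classid|protocol|pref|prio|estimator)
                    shift; [ $# -gt 0 ] && shift ;;
                root) shift ;;
                *)    kind=$1; shift ;;
            esac
        done
        if [ -n "$kind" ]; then
            tc_module_for "$obj" "$kind"
        fi
        # A filter may also attach an action: "police ..." or "action <name> ...".
        if [ "$obj" = filter ]; then
            while [ $# -gt 0 ]; do
                case "$1" in
                    police) echo act_police ;;
                    action) [ $# -gt 1 ] && tc_module_for action "$2" ;;
                esac
                shift
            done
        fi
    done | LC_ALL=C sort -u
}

# For each module name on stdin report whether it is loaded, built into the
# running kernel, or absent (the state that produced the ENOENT in the thread).
tc_module_status() {
    builtin_list="/lib/modules/$(uname -r)/modules.builtin"
    while read -r mod; do
        if grep -q "^$mod " /proc/modules 2>/dev/null; then
            echo "$mod: loaded"
        elif [ -r "$builtin_list" ] && grep -q "/$mod\.ko" "$builtin_list"; then
            echo "$mod: builtin"
        else
            echo "$mod: MISSING (try: modprobe $mod)"
        fi
    done
}

# Constructed sample input: the reproduction sequence Brian posted above.
sample_tc_commands() {
    cat <<'EOF'
tc qdisc del dev eth1 root
tc qdisc del dev eth1 ingress
tc qdisc add dev eth1 root handle 1: htb default 13
tc class add dev eth1 parent 1: classid 1:1 htb rate 570kbit mtu 1500
tc qdisc add dev eth1 handle ffff: ingress
tc filter add dev eth1 parent ffff: protocol ip pref 10 u32 match ip src 0.0.0.0/0 police rate 9000kbit burst 10k drop flowid :1
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 558kbit ceil 570kbit prio 1 mtu 1500 quantum 13950
tc qdisc add dev eth1 parent 1:11 handle 11: sfq quantum 13950 limit 127 perturb 10
tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:11
EOF
}

# Check the sample; to check a real setup, pipe the tc lines grepped out of the
# generated firewall script into tc_required_modules instead.
sample_tc_commands | tc_required_modules | tc_module_status
```

On the sample the required set is act_police, cls_fw, cls_u32, sch_htb, sch_ingress and sch_sfq; a host like Brian's prints "cls_fw: MISSING" while everything else shows as loaded or builtin. Kernels with module autoloading normally request cls_fw themselves when a filter of that kind is added, so a MISSING line that actually breaks tc (rather than just being loaded on demand) points at a kernel or userland without that, which is when listing the module in the modules file, as Brian did, is the right fix.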