Tom,

Would it be simple to convert this to mark the packet based on TOS value and convert it to the DSCP EF class in the TOS field, and put it in /etc/Shorewall/started or /etc/rc.d? I know the syntax is not correct, but this is just to get the idea across. This would help my layer 2 do downstream or userspace QoS. Any ideas?

Also I noticed in Shorewall when I entered, then I could also enter this in tcclasses: tos=0xb8/0xfc instead of tos=0x14/0xfc? Is this possible? Can iptables be manipulated this way?

Thanks
Mike

Sub()
if
iptables -A INPUT -p tcp -m tos --tos 0x14

sbin/iptables -A OUTPUT -t mangle -p udp -m udp -j DSCP --set-dscp-class ef
fi
end

------------------------------------------------------------------------------
Mike Lander wrote:
> Tom,
> Would it be simple to convert this to mark the packet based on TOS
> value and convert it to the DSCP EF class in the TOS field, and put it
> in /etc/Shorewall/started or /etc/rc.d? I know the syntax is not
> correct, but this is just to get the idea across.
[...]
> Sub()
> if
> iptables -A INPUT -p tcp -m tos --tos 0x14
>
> sbin/iptables -A OUTPUT -t mangle -p udp -m udp -j DSCP --set-dscp-class ef
> fi
> end

Unclear what you are trying to do, but if the idea is to set the DSCP class to EF when the TOS byte contains 0x14, then this in /etc/shorewall/start should do it:

run_iptables -t mangle -A tcfor -m tos --tos 0x14 \
    -j DSCP --set-dscp-class ef

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
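To make the byte arithmetic behind the pieces discussed in this thread concrete (the `-m tos --tos 0x14` match, what `-j DSCP --set-dscp-class ef` actually changes in the packet, and why the tcclasses entry is written `tos=0xb8/0xfc` rather than `tos=0xb8`), here is an added example; it is not part of the original thread and not Shorewall or netfilter code. It is a small Python model of an IPv4 header passing through the rule Tom gave: the addresses, lengths and identification field are constructed sample values, and the function names (`tcfor_rule`, `tcclasses_ef`, `set_dscp`) are my own.

```python
import socket
import struct

DSCP_EF = 46        # RFC 3246 Expedited Forwarding; 46 << 2 == 0xB8 as a TOS byte
DSCP_MASK = 0xFC    # upper six bits of the TOS byte; the low two bits are ECN (RFC 3168)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum of
    the header taken as 16-bit words.  Called on a header whose checksum field
    is already filled in, it returns 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header: bytes) -> bytes:
    """Return the header with bytes 10-11 replaced by a freshly computed checksum."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def build_ipv4_header(tos: int, src: str, dst: str, payload_len: int = 172,
                      proto: int = 17, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header (no options), e.g. for an RTP/UDP packet.
    Identification (0x1234) and the DF flag are arbitrary sample values."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, tos, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(hdr)


def tos_byte(header: bytes) -> int:
    return header[1]


def tos_matches(tos: int, value: int, mask: int = 0xFF) -> bool:
    """The comparison behind `-m tos --tos value[/mask]` and the tcclasses
    `tos=value/mask` option: (tos & mask) == (value & mask).  With no mask
    the whole byte has to match, ECN bits included."""
    return (tos & mask) == (value & mask)


def set_dscp(header: bytes, dscp: int) -> bytes:
    """What `-j DSCP --set-dscp N` does to the header: overwrite the six DSCP
    bits, leave the two ECN bits alone, and repair the header checksum so the
    next hop does not discard the packet."""
    new_tos = ((dscp & 0x3F) << 2) | (tos_byte(header) & ~DSCP_MASK & 0xFF)
    return with_checksum(header[:1] + bytes([new_tos]) + header[2:])


def tcfor_rule(header: bytes) -> bytes:
    """Model of the rule from this thread as a forwarded packet sees it in the
    mangle table's tcfor chain:
        run_iptables -t mangle -A tcfor -m tos --tos 0x14 -j DSCP --set-dscp-class ef
    A packet whose TOS byte is exactly 0x14 leaves with DSCP EF; anything else
    passes through untouched."""
    if tos_matches(tos_byte(header), 0x14):
        return set_dscp(header, DSCP_EF)
    return header


def tcclasses_ef(header: bytes) -> bool:
    """The tcclasses entry tos=0xb8/0xfc: select on DSCP EF whatever the ECN bits say."""
    return tos_matches(tos_byte(header), 0xB8, DSCP_MASK)


if __name__ == "__main__":
    # Constructed sample: a LAN phone (192.168.1.10) sending toward the far
    # site through the tunnel (10.8.0.2), marked TOS 0x14 by the phone system.
    pkt = build_ipv4_header(0x14, "192.168.1.10", "10.8.0.2")
    out = tcfor_rule(pkt)
    print("TOS before: 0x%02x  DSCP %d" % (tos_byte(pkt), tos_byte(pkt) >> 2))
    print("TOS after:  0x%02x  DSCP %d" % (tos_byte(out), tos_byte(out) >> 2))
    print("header checksum still valid:", ipv4_checksum(out) == 0)
    print("selected by tos=0xb8/0xfc:", tcclasses_ef(out))

    # Same packet with ECN ECT(0) set (TOS 0x16): the exact --tos 0x14 match no
    # longer fires, which is the case the /0xfc mask covers on the tcclasses side.
    ecn = build_ipv4_header(0x16, "192.168.1.10", "10.8.0.2")
    print("ECN-marked packet rewritten by exact match:", tcfor_rule(ecn) != ecn)
```

Two practical points the model makes visible: TOS 0x14 is DSCP 5 (0x14 >> 2), so a downstream `tos=0x14/0xfc` class and a `tos=0xb8/0xfc` class select different packets, and the rewrite only applies to what the match selects. `--tos 0x14` with no mask compares the whole byte, so a packet that also carries ECN bits (0x15, 0x16, 0x17) is skipped; if that matters on your network, `--tos 0x14/0xfc` is the iptables syntax to match on the DSCP bits alone. The `DSCP` target is only valid in the mangle table, which is why the rule goes in `-t mangle`.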
Mike Lander wrote:
> Tom,
> Would it be simple to convert this to mark the packet based on TOS
> value and convert it to the DSCP EF class in the TOS field, and put it
> in /etc/Shorewall/started or /etc/rc.d?
[...]

Tom Eastep wrote:
> Unclear what you are trying to do, but if the idea is to set the DSCP
> class to EF when the TOS byte contains 0x14, then this in
> /etc/shorewall/start should do it:
>
> run_iptables -t mangle -A tcfor -m tos --tos 0x14 \
>     -j DSCP --set-dscp-class ef
>
> -Tom

Thank you Tom.

What I am trying to do is like below:

Local network packets marked in TOS 14 by phone system.
Packet enters firewall, destination OpenVPN to other phone systems.
    |
    |
    V
iptables PREROUTING
PREROUTING/ingress
Then traverse INPUT chain, since this is local to the firewall.
POSTROUTING/OUTPUT: with the answer you provided, will we mark the 14 to EF here? TOS now = EF.
By the time we are in POSTROUTING, will egress/POSTROUTING have these packets in the right classes?
    |
    | through tunnel and internet
    V
Firewall B
Whole process over as above, with the exception TOS now = EF, so tcclasses will be set at 0xB8/0xfc in both firewall A and B.
Local network interface
    |
    V
Layer two devices now recognize the TOS bit EF, i.e. managed switches, especially layer two wireless bridging.
Finally packet arrives at either a VoIP phone or VoIP interface card in PBX, and at layer two on the destination site the VoIP packets have had EF DSCP treatment through the layer 2 network.

I may be shooting myself in the foot here, because I can set some of these switches to honor the deprecated TOS byte; it would take some investigation to see if the layer two bridges would be possible to use with tos=14.

Actually I don't think this will work anyway, because this phone system will just mark them again with 14 once they enter the destination network. But if you could think of something it would be appreciated. Otherwise I think I am on my own with this. I need to see if the layer 2 stuff can be rearranged to work with the old TOS.

Thank you,
Mike

------------------------------------------------------------------------------
Mike Lander wrote:
> Thank you Tom
>
> What I am trying to do is like below
>
> Local network packets marked in TOS 14 by phone system.
> Packet enters firewall, destination OpenVPN to other phone systems.
> |
> |
> V
> iptables PREROUTING
> PREROUTING/ingress
> Then traverse INPUT chain, since this is local to the firewall.
> POSTROUTING/OUTPUT: with the answer you provided, will we mark the 14 to EF here?
> TOS now = EF. By the time we are in POSTROUTING, will egress/POSTROUTING
> have these packets in the right classes?
[...]
> I need to see if the layer 2 stuff can be rearranged to work with the
> old TOS.
>
> Thank you,
> Mike

Mike -- the packets are forwarded through the two firewalls. They don't go near the INPUT or OUTPUT chains of any table.

-Tom

------------------------------------------------------------------------------
-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, June 24, 2009 2:01 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Packet Marking

Mike Lander wrote:
> What I am trying to do is like below
[...]
> iptables PREROUTING
> PREROUTING/ingress
> Then traverse INPUT chain, since this is local to the firewall.
> POSTROUTING/OUTPUT: with the answer you provided, will we mark the 14 to EF here?
[...]
> Thank you,
> Mike

Mike -- the packets are forwarded through the two firewalls. They don't go near the INPUT or OUTPUT chains of any table.

-Tom

I tried to follow what I thought would be the route on the Shorewall netfilter overview. After tcingress it states to go to the FORWARD chain, with a note "packet destination is not the firewall system". Since OpenVPN takes the packets over the outside interface, I thought it had to traverse through the firewall tables and chains. I remember now, looking at your ipchains entry, that it has the forward "iptables -t mangle -A tcfor -m", and I am rethinking this a bit. But 'my bad'. One thing about learning this way: when I am wrong I seem to remember better next time.

Thank you,
Mike

------------------------------------------------------------------------------