Hello,

Can the test of tcrules be used to detect packets in POSTROUTING ?

Thanks,
Fred.

On 03/13/2012 12:07 PM, Fred Maillou wrote:
> Hello,
>
> Can the test of tcrules be used to detect packets in POSTROUTING ?
>

I don't understand the question.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

The use case is applying DNAT in firewall rules for a certain traffic. Traffic control is also wished for the same traffic, as well as DSCP marking. And so, there is a tcrule that will mark those packets to be routed to a class and, there will be another rule that will take effect on that very same mark whose purpose is to apply an egress DSCP mark. In this case, must the 100 mark absolutely be applied in the POSTROUTING chain ? In doing so the mark is certainly not observed, but feels natural for DNAT purposes.

rules
#ACTION  SOURCE              DEST               PROTO
DNAT     lan:172.59.11.0/24  net:172.59.10.102  all

tcclasses
#INTERFACE  MARK  RATE         CEIL  PRIORITY
fe-4-1      100   full*70/100  full  1

tcrules
#MARK     SOURCE         DEST           PROTO  DPORT  SPORT  USER  TEST
100:T     172.59.11.101  172.59.10.102  all    -      -      -
DSCP(EF)  0.0.0.0/0      0.0.0.0/0      all    -      -      -     100

Thanks.

________________________________
From: Tom Eastep <teastep@shorewall.net>
To: shorewall-users@lists.sourceforge.net
Sent: Tuesday, 13 March 2012 15:43
Subject: Re: [Shorewall-users] tcrules and test

On 03/13/2012 12:07 PM, Fred Maillou wrote:
> Hello,
>
> Can the test of tcrules be used to detect packets in POSTROUTING ?
>

I don't understand the question.

-Tom
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

On 03/13/2012 01:07 PM, Fred Maillou wrote:
> The use case is applying DNAT in firewall rules for a certain traffic.
> Traffic control is also wished for the same traffic, as well as DSCP
> marking. And so, there is a tcrule that will mark those packets to be
> routed to a class and, there will be another rule that will take
> effect on that very same mark whose purpose is to apply an egress DSCP
> mark. In this case, must the 100 mark absolutely be applied
> in the POSTROUTING chain ? In doing so the mark is certainly not
> observed, but feels natural for DNAT purposes.
>
> rules
> #ACTION  SOURCE              DEST               PROTO
> DNAT     lan:172.59.11.0/24  net:172.59.10.102  all
>
> tcclasses
> #INTERFACE  MARK  RATE         CEIL  PRIORITY
> fe-4-1      100   full*70/100  full  1
>
> tcrules
> #MARK     SOURCE         DEST           PROTO  DPORT  SPORT  USER  TEST
> 100:T     172.59.11.101  172.59.10.102  all    -      -      -
> DSCP(EF)  0.0.0.0/0      0.0.0.0/0      all    -      -      -     100

You want:

#MARK       SOURCE         DEST           PROTO  DPORT  SPORT  USER  TEST
100:T       172.59.11.101  172.59.10.102  all    -      -      -
DSCP(EF):T  0.0.0.0/0      0.0.0.0/0      all    -      -      -     100

-Tom

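Added example (not part of the thread and not Shorewall code): a small Python check for the ordering problem the answer above corrects, where a rule's TEST column looks for a mark that is only set in a later chain. It assumes rules without a designator run in PREROUTING (pass `default="F"` if MARK_IN_FORWARD_CHAIN=Yes), handles only the `:P`, `:F` and `:T` designators, and ignores mark masks; the function names are hypothetical.

```python
import re

# Order in which a forwarded packet crosses the mangle chains that the
# :P, :F and :T designators select (PREROUTING, FORWARD, POSTROUTING).
ORDER = {"P": 0, "F": 1, "T": 2}

def num(s):
    """Parse a decimal or 0x-prefixed mark value."""
    return int(s, 16) if s.lower().startswith("0x") else int(s)

def parse(text, default):
    """Yield (lineno, action, chain, tested_mark_or_None) per tcrules entry."""
    for n, line in enumerate(text.splitlines(), 1):
        cols = line.split("#", 1)[0].split()
        if not cols:
            continue
        m = re.fullmatch(r"(.+?)(?::([PFT]))?", cols[0])
        test = cols[7] if len(cols) > 7 and cols[7] != "-" else None
        if test:  # keep only the value; "!", "/mask" and ":C" are ignored here
            test = num(re.split(r"[/:]", test.lstrip("!"))[0])
        yield n, m.group(1), m.group(2) or default, test

def unreachable_tests(text, default="P"):
    """Return rules whose TEST mark is only set later in the packet's path."""
    rules = list(parse(text, default))
    setters = [(n, c, num(a)) for n, a, c, _ in rules
               if re.fullmatch(r"0[xX][0-9a-fA-F]+|\d+", a)]
    findings = []
    for n, action, chain, test in rules:
        mine = [(sn, sc) for sn, sc, v in setters if v == test]
        if test is None or not mine:
            continue
        if not any(ORDER[sc] < ORDER[chain] or (sc == chain and sn < n)
                   for sn, sc in mine):
            findings.append((n, action, chain, test))
    return findings

# The two tcrules versions from the thread: as first posted, and as corrected.
ASKED = """\
#MARK     SOURCE         DEST           PROTO DPORT SPORT USER TEST
100:T     172.59.11.101  172.59.10.102  all   -     -     -
DSCP(EF)  0.0.0.0/0      0.0.0.0/0      all   -     -     -    100
"""
FIXED = ASKED.replace("DSCP(EF) ", "DSCP(EF):T")

if __name__ == "__main__":
    print("as posted:", unreachable_tests(ASKED))
    print("corrected:", unreachable_tests(FIXED))
```
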
Thanks! It was not clear from the latest tcrules.annotated that the chain options were also available for DSCP marking.

________________________________
From: Tom Eastep <teastep@shorewall.net>
To: shorewall-users@lists.sourceforge.net
Sent: Tuesday, 13 March 2012 16:18
Subject: Re: [Shorewall-users] Re : tcrules and test

On 03/13/2012 01:07 PM, Fred Maillou wrote:
> The use case is applying DNAT in firewall rules for a certain traffic.
> Traffic control is also wished for the same traffic, as well as DSCP
> marking. And so, there is a tcrule that will mark those packets to be
> routed to a class and, there will be another rule that will take
> effect on that very same mark whose purpose is to apply an egress DSCP
> mark. In this case, must the 100 mark absolutely be applied
> in the POSTROUTING chain ? In doing so the mark is certainly not
> observed, but feels natural for DNAT purposes.
>
> rules
> #ACTION  SOURCE              DEST               PROTO
> DNAT     lan:172.59.11.0/24  net:172.59.10.102  all
>
> tcclasses
> #INTERFACE  MARK  RATE         CEIL  PRIORITY
> fe-4-1      100   full*70/100  full  1
>
> tcrules
> #MARK     SOURCE         DEST           PROTO  DPORT  SPORT  USER  TEST
> 100:T     172.59.11.101  172.59.10.102  all    -      -      -
> DSCP(EF)  0.0.0.0/0      0.0.0.0/0      all    -      -      -     100

You want:

#MARK       SOURCE         DEST           PROTO  DPORT  SPORT  USER  TEST
100:T       172.59.11.101  172.59.10.102  all    -      -      -
DSCP(EF):T  0.0.0.0/0      0.0.0.0/0      all    -      -      -     100

-Tom

On 03/13/2012 01:26 PM, Fred Maillou wrote:
> Thanks! It was not clear from the latest tcrules.annotated that the
> chain options were also available for DSCP marking.

I had already updated the manpages to make that clear :-)

-Tom