Describe checking for cls_flow support

This commit is contained in:
Tom Eastep 2009-12-05 09:34:39 -08:00
parent 01ed97ad94
commit 0e5293ffc5

View File

@ -645,6 +645,59 @@ ppp0 6000kbit 500kbit</programlisting>
tracking fields. As shown above, we recommend flow=nfct-src;
that means that we want to use the source IP address
<emphasis>before SNAT</emphasis> as the key.</para>
<note>
<para> Shorewall cannot determine ahead of time if the flow
classifier is available in your kernel (especially if it was
built into the kernel as opposed to being loaded as a module).
Consequently, you should check ahead of time to ensure that
both your kernel and 'tc' utility support the feature.</para>
<para>You can test the 'tc' utility by typing (as
root):</para>
<blockquote>
<para><command>tc filter add flow help</command></para>
</blockquote>
<para>If flow is supported, you will see:</para>
<programlisting> Usage: ... flow ...
[mapping mode]: map key KEY [ OPS ] ...
[hashing mode]: hash keys KEY-LIST ...
...</programlisting>
<para> If 'flow' is not supported, you will see:</para>
<programlisting> Unknown filter "flow", hence option "help" is unparsable</programlisting>
<para>If your kernel supports module autoloading, just type
(as root):</para>
<blockquote>
<para><command>modprobe cls_flow</command></para>
</blockquote>
<para>If 'flow' is supported, no output is produced;
otherwise, you will see:</para>
<programlisting> FATAL: Module cls_flow not found.</programlisting>
<para>If your kernel is not modularized or does not support
module autoloading, look at your kernel configuration (either
<filename>/proc/config.gz</filename> or the
<filename>.config</filename> file in <filename
class="directory">/lib/modules/&lt;kernel-version&gt;/build/</filename></para>
<para>If 'flow' is supported, you will see: NET_CLS_FLOW=m or
NET_CLS_FLOW=y.</para>
<para>For modularized kernels, Shorewall will attempt to load
<filename>/lib/modules/&lt;kernel-version&gt;/net/sched/cls_flow.ko</filename>
by default. </para>
</note>
</listitem>
<listitem>