Merge branch 'master' of ssh://teastep@shorewall.git.sourceforge.net/gitroot/shorewall

Conflicts:

	Shorewall/changelog.txt
	Shorewall/releasenotes.txt
Tom Eastep 2009-05-09 10:03:33 -07:00
commit 887fee7618
4 changed files with 47 additions and 12 deletions


@ -967,12 +967,15 @@ sub setup_traffic_shaping() {
if ( $devref->{occurs} ) {
#
# The following command succeeds yet generates an error message and non-zero exit status :-(. We thus run it silently and check
# the result. Note that since this is normally the first filter added after the root qdisc was added, the 'ls|grep' test is fairly robust
# The following command may succeed yet generate an error message and non-zero exit status :-(. We thus run it silently
# and check the result. Note that since this is the first filter added after the root qdisc was added, the 'ls | grep' test
# is fairly robust
#
emit( qq(if ! qt \$TC filter add dev $device parent $devnum:0 prio 65535 protocol ip fw; then) ,
my $command = "\$TC filter add dev $device parent $devnum:0 prio 65535 protocol all fw";
emit( qq(if ! qt $command ; then) ,
qq( if ! \$TC filter list dev $device | grep -q 65535; then) ,
qq( error_message "ERROR: Command '\$TC add dev $device parent $devnum:0 prio 65535 protocol ip fw' failed"),
qq( error_message "ERROR: Command '$command' failed"),
qq( stop_firewall),
qq( exit 1),
qq( fi),
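Review bot: the fallback check `grep -q 65535` on the `\$TC filter list` output is looser than the comment above it suggests: any line of the listing that contains 65535 (a handle or mark value on an unrelated filter, for instance) satisfies it, so a failed add can be reported as success. Matching the priority field as tc prints it, rather than the bare number, would tie the test to the filter this command actually adds. Hoisting the command into `$command` is a good change on its own: the previous message quoted `\$TC add dev ...` without the `filter` keyword, so it never showed the command that was really run.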
@ -983,13 +986,13 @@ sub setup_traffic_shaping() {
if ( $inband ) {
emit ( "run_tc qdisc add dev $device handle ffff: ingress",
"run_tc filter add dev $device parent ffff: protocol ip prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
"run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
);
}
for my $rdev ( @{$devref->{redirected}} ) {
emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
emit( "run_tc filter add dev $rdev parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
}
save_progress_message_short " TC Device $device defined.";
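Review bot: the ingress policer line keeps `u32 match ip src 0.0.0.0/0` after switching to `protocol all`, while the mirred redirect line in the same hunk uses `match u32 0 0`. Both selectors match every packet (a /0 mask compares nothing), but the `ip src` form reads as an IPv4-only match now that the filter is attached for all protocols; using `match u32 0 0` in both places would make the intent, and the IPv6 motivation given in the changelog, obvious to the next reader.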
@ -1051,11 +1054,11 @@ sub setup_traffic_shaping() {
#
unless ( $devref->{classify} ) {
if ( $tcref->{occurs} == 1 ) {
emit "run_tc filter add dev $device protocol ip parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid";
emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid";
}
}
emit "run_tc filter add dev $device protocol ip prio 1 parent $classnum: protocol ip handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
#
# options
#
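Review bot: the new flow filter line passes `$tcref->{flow}` straight into the tc command as the `keys` list, and nothing in this hunk shows it being validated. The release notes in this same commit warn that a wrong flow definition can block all traffic on an interface, so the config parser that fills `$tcref->{flow}` should check the keys against the names cls_flow accepts and fail the compile with a clear message rather than leave it to tc to reject (or silently accept) a bad spec at start time. Dropping the duplicated `protocol ip` that the old line carried after `parent $classnum:` is the right cleanup.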


@ -25,7 +25,13 @@ Changes in Shorewall 4.3.10
9) Implement nested HTB classes.
10) Fix 'start' with AUTOMAKE=Yes
10) Fix 'iprange' command.
11) Make traffic shaping work better with IPv6.
12) Externalize 'flow'.
13) Fix 'start' with AUTOMAKE=Yes
Changes in Shorewall 4.3.9
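Review bot: the list does not mention the corrected error message in setup_traffic_shaping() (the old message quoted the command without the `filter` keyword), and item 12 "Externalize 'flow'" would be easier to find later if it named the OPTIONS column syntax (`flow=<keys>`) that the release notes describe. Also, this heading says 4.3.10 while the release notes hunk in the same commit is headed 4.3.11; confirm both files refer to the same release.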


@ -469,7 +469,7 @@ ip_range() {
y=2
z=1
while [ $(( $first % $y )) -eq 0 ] && addr_comp $l $(( $first + $y )) ; do
while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
vlsm=/$x
x=$(( $x - 1 ))
z=$y
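Review bot: the new loop condition `! addr_comp $(( $first + $y )) $l` both swaps the argument order and negates the result of the old `addr_comp $l $(( $first + $y ))`, and the hunk carries no comment saying what addr_comp returns for which ordering. A one-line comment above the `while` stating the invariant the condition enforces would let a reader check the fix without opening addr_comp, and a test case with a range that ends exactly on a block boundary would guard the off-by-one this corrects, given that the release notes say the previous output was not minimal.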


@ -87,7 +87,10 @@ released late in 2009.
/etc/shorewall/tcfilters would cause an invalid rule to be
generated.
2. When AUTOMAKE=Yes, the 'shorewall start' ('shorewall6 start')
2. The list of networks returned by the 'shorewall iprange' command
was not minimal.
3. When AUTOMAKE=Yes, the 'shorewall start' ('shorewall6 start')
command used the wrong compiled script to start the firewall.
----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G
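Review bot: inserting the new iprange item as 2. renumbers the existing AUTOMAKE item to 3., so any earlier reference to "problem 2" now points at a different fix; appending new entries at the end keeps existing numbers stable. The item itself could also say where the fix landed (the ip_range() shell function changed in this commit) so users can tell whether they need to recheck generated network lists.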
@ -99,7 +102,30 @@ None.
N E W F E A T U R E S I N 4 . 3 . 11
----------------------------------------------------------------------------
None.
1) Shorewall attaches an SFQ queuing discipline to each leaf HTB
class. SFQ ensures that each 'flow' gets equal access to the
interface.
The default definition of a 'flow' corresponds to a TCP
connection. So if one internal system is running BitTorrent, for
example, it can have lots of 'flows' and can thus take up a larger
share of the bandwidth than a system having only a single active
connection.
The 'flow' classifier (module cls_flow) works around this by
letting you define what a 'flow' is. The clasifier must be used
carefully or it can block off all traffic on an interface!
To use the 'flow' classifier, you specify 'flow=<keys>' in the
OPTIONS column of an HTB leaf class (one that has no
sub-classes). I recommend that you use the following:
Shaping internet-bound traffic flow=nfct-src
Shaping traffic bound for your
local net flow=dst
These will cause a 'flow' to consists of the traffic to/from each
internal system.
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 3
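Review bot: two slips in the new text: "clasifier" should be "classifier", and "a 'flow' to consists of" should be "to consist of". The warning that the classifier "can block off all traffic on an interface" would be more useful with a sentence on how to verify the result after start (that the cls_flow module loaded and the filter appears on the leaf class), and the recommended keys (flow=nfct-src for internet-bound traffic, flow=dst for the local net) should note that nfct-src is taken from the connection-tracking entry, so it only does what is described for traffic that is being tracked.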