diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index ee085886c..9e56231e4 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -967,12 +967,15 @@ sub setup_traffic_shaping() {
 if ( $devref->{occurs} ) {
 #
- # The following command succeeds yet generates an error message and non-zero exit status :-(. We thus run it silently and check
- # the result. Note that since this is normally the first filter added after the root qdisc was added, the 'ls|grep' test is fairly robust
+ # The following command may succeed yet generate an error message and non-zero exit status :-(. We thus run it silently
+ # and check the result. Note that since this is the first filter added after the root qdisc was added, the 'ls | grep' test
+ # is fairly robust
 #
- emit( qq(if ! qt \$TC filter add dev $device parent $devnum:0 prio 65535 protocol ip fw; then) ,
+ my $command = "\$TC filter add dev $device parent $devnum:0 prio 65535 protocol all fw";
+
+ emit( qq(if ! qt $command ; then) ,
 qq( if ! \$TC filter list dev $device | grep -q 65535; then) ,
- qq( error_message "ERROR: Command '\$TC add dev $device parent $devnum:0 prio 65535 protocol ip fw' failed"),
+ qq( error_message "ERROR: Command '$command' failed"),
 qq( stop_firewall),
 qq( exit 1),
 qq( fi),
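Review bot: The new `$command` string is emitted into the generated script twice, once as the unquoted argument list of `qt` and once inside the single-quoted `error_message` argument, so both forms rely on `$device` having been validated upstream as a bare interface name with no whitespace, quotes or shell metacharacters; that validation is not visible in this hunk. A short comment above `my $command`, e.g. `# $device is an already-validated interface name, so $command is safe to emit unquoted and to re-quote in the error message`, would record the assumption where the string is built. The `grep -q 65535` fallback matches any filter-list line containing that number, which the comment justifies only by this being the first filter on the root qdisc; if a later filter could carry that value in a handle or mask the test would need tightening. setup_traffic_shaping() continues outside this hunk.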
@@ -983,13 +986,13 @@ sub setup_traffic_shaping() {
 if ( $inband ) {
 emit ( "run_tc qdisc add dev $device handle ffff: ingress",
- "run_tc filter add dev $device parent ffff: protocol ip prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
+ "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
 );
 }
 for my $rdev ( @{$devref->{redirected}} ) {
 emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
- emit( "run_tc filter add dev $rdev parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
+ emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 }
 save_progress_message_short " TC Device $device defined.";
@@ -1051,11 +1054,11 @@ sub setup_traffic_shaping() {
 #
 unless ( $devref->{classify} ) {
 if ( $tcref->{occurs} == 1 ) {
- emit "run_tc filter add dev $device protocol ip parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid";
+ emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid";
 }
 }
- emit "run_tc filter add dev $device protocol ip prio 1 parent $classnum: protocol ip handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
+ emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 #
 # options
 #
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index f4f309e5a..b3450ee65 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
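Review bot: With `protocol all` on the ingress policer, the `u32 match ip src 0.0.0.0/0` selector is effectively a zero-mask match, so the police action now applies to every frame arriving on the interface rather than only IPv4 and IPv6; if that is the intent, keeping an IPv4-flavoured selector is misleading next to the `match u32 0 0` the redirect filter uses a few lines below. I would make the two consistent: `"run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match u32 0 0 police rate ${inband}kbit burst 10k drop flowid :1"`. If instead only IP traffic should be rate-limited, separate `protocol ip` and `protocol ipv6` filters would state that precisely. setup_traffic_shaping() continues outside this hunk.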
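Review bot: `$tcref->{flow}` is interpolated straight into the emitted `run_tc filter ... flow hash keys ...` line, and nothing in this hunk validates it, so a malformed OPTIONS value (spaces, quotes or other shell metacharacters) would either break the generated script or reach tc as extra words; the tcclasses parser should reject anything but a comma-separated list of key names before the value gets here, e.g. an anchored check such as `$tcref->{flow} =~ m{\A[a-z0-9-]+(?:,[a-z0-9-]+)*\z}` at parse time, with the exact alphabet taken from what the flow classifier accepts. If that check already exists where the OPTIONS column is parsed, a one-line comment on the `emit ... if $tcref->{flow};` line saying so would stop the next reader from re-auditing it. Dropping the duplicated `protocol ip` from the flow filter line is fine. setup_traffic_shaping() continues outside this hunk.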
@@ -25,7 +25,13 @@ Changes in Shorewall 4.3.10
 9) Implement nested HTB classes.
-10) Fix 'start' with AUTOMAKE=Yes
+10) Fix 'iprange' command.
+
+11) Make traffic shaping work better with IPv6.
+
+12) Externalize 'flow'.
+
+13) Fix 'start' with AUTOMAKE=Yes
 Changes in Shorewall 4.3.9
diff --git a/Shorewall/lib.base b/Shorewall/lib.base
index ac07b223a..43e0af5bf 100644
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -469,7 +469,7 @@ ip_range() {
 y=2
 z=1
- while [ $(( $first % $y )) -eq 0 ] && addr_comp $l $(( $first + $y )) ; do
+ while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
 vlsm=/$x
 x=$(( $x - 1 ))
 z=$y
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index f3a281e6f..687f7b468 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -87,7 +87,10 @@ released late in 2009.
 /etc/shorewall/tcfilters would cause an invalid rule to be generated.
-2. When AUTOMAKE=Yes, the 'shorewall start' ('shorewall6 start')
+2. The list of networks returned by the 'shorewall iprange' command
+ was not minimal.
+
+3. When AUTOMAKE=Yes, the 'shorewall start' ('shorewall6 start')
 command used the wrong compiled script to start the firewall.
 ----------------------------------------------------------------------------
 K N O W N P R O B L E M S R E M A I N I N G
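Review bot: The rewritten loop condition in ip_range() now hinges on which operand `addr_comp` treats as the larger one and on the added negation, and nothing in the hunk records the intended invariant, so the next reader has to reverse-engineer it from `addr_comp` just as this fix presumably did. If `addr_comp` is a strict comparison, the old and new forms differ only in how the case where `$first + $y` equals `$l` falls, which looks like the non-minimal range bug the release notes describe; a comment above the `while`, e.g. `# extend the block while $first stays aligned to $y and the block does not run past $l (see addr_comp for the operand order)`, would pin that boundary down. ip_range() starts and ends outside this hunk.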
@@ -99,7 +102,30 @@ None.
 N E W F E A T U R E S I N 4 . 3 . 11
 ----------------------------------------------------------------------------
-None.
+1) Shorewall attaches an SFQ queuing discipline to each leaf HTB
+ class. SFQ ensures that each 'flow' gets equal access to the
+ interface.
+
+ The default definition of a 'flow' corresponds to a TCP
+ connection. So if one internal system is running BitTorrent, for
+ example, it can have lots of 'flows' and can thus take up a larger
+ share of the bandwidth than a system having only a single active
+ connection.
+
+ The 'flow' classifier (module cls_flow) works around this by
+ letting you define what a 'flow' is. The clasifier must be used
+ carefully or it can block off all traffic on an interface!
+
+ To use the 'flow' classifier, you specify 'flow=' in
+ the OPTIONS column of an HTB leaf class (one that has no
+ sub-classes). I recommend that you use the following:
+
+ Shaping internet-bound traffic flow=nfct-src
+ Shaping traffic bound for your
+ local net flow=dst
+
+ These will cause a 'flow' to consists of the traffic to/from each
+ internal system.
 ----------------------------------------------------------------------------
 N E W F E A T U R E S IN 4 . 3