From d66fc7a7e1c8dd4c1b582f4233745005453fedd3 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 7 May 2009 07:19:25 -0700
Subject: [PATCH 1/6] Add warning when successful tc command returns non-zero exit status

---
 Shorewall/Perl/Shorewall/Tc.pm | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index ee085886c..4923bb2fe 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -970,9 +970,13 @@ sub setup_traffic_shaping() {
 # The following command succeeds yet generates an error message and non-zero exit status :-(. We thus run it silently and check
 # the result. Note that since this is normally the first filter added after the root qdisc was added, the 'ls|grep' test is fairly robust
 #
- emit( qq(if ! qt \$TC filter add dev $device parent $devnum:0 prio 65535 protocol ip fw; then) ,
- qq( if ! \$TC filter list dev $device | grep -q 65535; then) ,
- qq( error_message "ERROR: Command '\$TC add dev $device parent $devnum:0 prio 65535 protocol ip fw' failed"),
+ my $command = "\$TC filter add dev $device parent $devnum:0 prio 65535 protocol ip fw";
+
+ emit( qq(if ! qt $command ; then) ,
+ qq( if \$TC filter list dev $device | grep -q 65535; then) ,
+ qq( error_message "WARNING: Command '$command' succeeded but returned non-zero exit status") ,
+ qq( else),
+ qq( error_message "ERROR: Command '$command' failed"),
 qq( stop_firewall),
 qq( exit 1),
 qq( fi),
From ff26ff46975ed57440ee58837f4150dbac747545 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 7 May 2009 07:21:46 -0700
Subject: [PATCH 2/6] Fix 'iprange' command

---
 Shorewall/changelog.txt | 2 ++
 Shorewall/lib.base | 2 +-
 Shorewall/releasenotes.txt | 7 ++++++-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index e0087b580..0961f143d 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
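Review bot: The success test `\$TC filter list dev $device | grep -q 65535` accepts that number anywhere in the listing — a classid, a mark or another filter's field — so the generated script can take the WARNING branch and skip `stop_firewall` when this particular filter was not installed at all; the comment above it rates the test only "fairly robust". Matching the field tc prints for the priority, e.g. `grep -q 'pref 65535'`, narrows it (the exact listing format depends on the iproute2 version, so check it on the target systems). Because `qt` runs the command silently, the real-failure branch also discards tc's own diagnostic; capturing the output and appending it to the ERROR message would make the failure actionable. The same listing check is kept by the Tc.pm hunk in patch 4/6 of this series, so the fix applies there too. setup_traffic_shaping() continues outside the hunk.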
@@ -25,6 +25,8 @@ Changes in Shorewall 4.3.10 9) Implement nested HTB classes. +10) Fix 'iprange' command. + Changes in Shorewall 4.3.9 1) Logging rules now create separate chain. diff --git a/Shorewall/lib.base b/Shorewall/lib.base index ac07b223a..43e0af5bf 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base @@ -469,7 +469,7 @@ ip_range() { y=2 z=1 - while [ $(( $first % $y )) -eq 0 ] && addr_comp $l $(( $first + $y )) ; do + while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do vlsm=/$x x=$(( $x - 1 )) z=$y diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 62e12dbb9..2dd2eb7f5 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -84,7 +84,12 @@ released late in 2009. ---------------------------------------------------------------------------- 1. Previously, specifying a source port for SCTP in - /etc/shorewall/tcfilters would cause an invalid rule to be generated. + /etc/shorewall/tcfilters would cause an invalid rule to be + generated. + +2. The list of networks returned by the 'shorewall iprange' command + was not minimal. + ---------------------------------------------------------------------------- K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- From 7766855e98f1538d9d2b310f04b102198bd14165 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 8 May 2009 08:12:54 -0700 Subject: [PATCH 3/6] More comments about failing 'tc filter add' command --- Shorewall/Perl/Shorewall/Tc.pm | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 4923bb2fe..3451bf81e 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm 
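Review bot: The corrected test `! addr_comp $(( $first + $y )) $l` in the lib.base hunk is only readable if one already knows addr_comp's argument order and the sense of its exit status, and neither is stated in the hunk; since the old form got exactly that wrong, a comment on the `while` line would keep it from being inverted again, e.g. `# addr_comp A B succeeds when A is above B: grow the block while $first + $y stays within $l`. That reading of addr_comp is inferred from the old and new forms and from the "was not minimal" release note, not from its definition, so confirm it against the function before wording the comment. ip_range() starts and continues outside the hunk.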
@@ -967,8 +967,14 @@ sub setup_traffic_shaping() {
 
 if ( $devref->{occurs} ) {
 #
- # The following command succeeds yet generates an error message and non-zero exit status :-(. We thus run it silently and check
- # the result. Note that since this is normally the first filter added after the root qdisc was added, the 'ls|grep' test is fairly robust
+ # Depending on the installed networking kit, the following command may succeed yet generate an error message and non-zero exit
+ # status :-(. We thus run it silently and check the result. Note that since this is the first filter added after the root
+ # qdisc was added, the 'ls | grep' test is fairly robust
+ #
+ # Additional notes:
+ #
+ # - The command returns non-zero exit status on OpenSuSE 11.0 and 11.1 and on Debian Lenny
+ # - The command returns zero exit status on Ubuntu Jaunty
 #
 my $command = "\$TC filter add dev $device parent $devnum:0 prio 65535 protocol ip fw";
 
From 0e94016462f16ed88f7a6b7c310f35fa6322cebb Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 8 May 2009 13:19:48 -0700
Subject: [PATCH 4/6] Delete error message -- it's also occurring on 2.6.28

---
 Shorewall/Perl/Shorewall/Tc.pm | 15 ++++----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 3451bf81e..ba080a284 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -967,21 +967,14 @@ sub setup_traffic_shaping() {
 
 if ( $devref->{occurs} ) {
 #
- # Depending on the installed networking kit, the following command may succeed yet generate an error message and non-zero exit
- # status :-(. We thus run it silently and check the result. Note that since this is the first filter added after the root
- # qdisc was added, the 'ls | grep' test is fairly robust
- #
- # Additional notes:
- #
- # - The command returns non-zero exit status on OpenSuSE 11.0 and 11.1 and on Debian Lenny
- # - The command returns zero exit status on Ubuntu Jaunty
+ # The following command may succeed yet generate an error message and non-zero exit status :-(. We thus run it silently
+ # and check the result. Note that since this is the first filter added after the root qdisc was added, the 'ls | grep' test
+ # is fairly robust
 #
 my $command = "\$TC filter add dev $device parent $devnum:0 prio 65535 protocol ip fw";
 
 emit( qq(if ! qt $command ; then) ,
- qq( if \$TC filter list dev $device | grep -q 65535; then) ,
- qq( error_message "WARNING: Command '$command' succeeded but returned non-zero exit status") ,
- qq( else),
+ qq( if ! \$TC filter list dev $device | grep -q 65535; then) ,
 qq( error_message "ERROR: Command '$command' failed"),
 qq( stop_firewall),
 qq( exit 1),
From 8f1ea63711b6beb15d6f763b8e2551fe6e2d4cb2 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 8 May 2009 13:30:47 -0700
Subject: [PATCH 5/6] Make traffic shaping work better with IPv6

---
 Shorewall/Perl/Shorewall/Tc.pm | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index ba080a284..d4f9193fb 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -971,7 +971,7 @@ sub setup_traffic_shaping() {
 # and check the result. Note that since this is the first filter added after the root qdisc was added, the 'ls | grep' test
 # is fairly robust
 #
- my $command = "\$TC filter add dev $device parent $devnum:0 prio 65535 protocol ip fw";
+ my $command = "\$TC filter add dev $device parent $devnum:0 prio 65535 protocol all fw";
 
 emit( qq(if ! qt $command ; then) ,
 qq( if ! \$TC filter list dev $device | grep -q 65535; then) ,
@@ -986,13 +986,13 @@ sub setup_traffic_shaping() {
 if ( $inband ) {
 emit ( "run_tc qdisc add dev $device handle ffff: ingress",
- "run_tc filter add dev $device parent ffff: protocol ip prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
+ "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
 );
 }
 
 for my $rdev ( @{$devref->{redirected}} ) {
 emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
- emit( "run_tc filter add dev $rdev parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
+ emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 }
 
 save_progress_message_short " TC Device $device defined.";
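Review bot: After the switch to `protocol all`, the ingress policing filter in the second hunk still spells its catch-all selector as `match ip src 0.0.0.0/0`, while the redirect filter a few lines below uses `match u32 0 0` for the same purpose; a zero-length prefix becomes a zero-mask u32 key, so both should match every packet, but the IPv4-flavoured spelling now reads as if the policer were IPv4-only. Using the same form in both places makes the intent explicit: `"run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match u32 0 0 police rate ${inband}kbit burst 10k drop flowid :1"`. The equivalence is inferred from the u32 matching rules rather than from anything in the hunk, so verify on a live system (with IPv6 traffic present) before changing it. setup_traffic_shaping() continues outside both hunks.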
@@ -1054,11 +1054,11 @@ sub setup_traffic_shaping() {
 #
 unless ( $devref->{classify} ) {
 if ( $tcref->{occurs} == 1 ) {
- emit "run_tc filter add dev $device protocol ip parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid";
+ emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid";
 }
 }
 
- emit "run_tc filter add dev $device protocol ip prio 1 parent $classnum: protocol ip handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
+ emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: protocol ip handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 #
 # options
 #
From e1771ebeadd0ab143ad551d5608dbbd63cc21df9 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 8 May 2009 14:05:27 -0700
Subject: [PATCH 6/6] Externalize the 'flow' classifier

---
 Shorewall/Perl/Shorewall/Tc.pm | 2 +-
 Shorewall/changelog.txt | 4 ++++
 Shorewall/releasenotes.txt | 25 ++++++++++++++++++++++++-
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index d4f9193fb..9e56231e4 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1058,7 +1058,7 @@ sub setup_traffic_shaping() {
 }
 }
 
- emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: protocol ip handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
+ emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 #
 # options
 #
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 0961f143d..4c07882ce 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
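Review bot: In the patch 6/6 hunk, `$tcref->{flow}` is spliced verbatim into the generated `run_tc filter add ... flow hash keys ... divisor 1024` command, and nothing in the hunk shows the flow= value being checked against the key names the flow classifier accepts or against characters the shell would interpret; the release notes in the same patch warn that the classifier "must be used carefully or it can block off all traffic". If the tcclasses parser does not already validate it (not visible here), a parse-time check — a whitelist of the comma-separated key names, fatal on anything else — would turn a typo into a compile-time message rather than a runtime tc failure or a filter that classifies nothing as intended. At minimum the line deserves a comment stating the pass-through, e.g. `# $tcref->{flow} is the user's flow= key list and is handed to tc as written`. setup_traffic_shaping() continues outside both hunks.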
@@ -27,6 +27,10 @@ Changes in Shorewall 4.3.10 10) Fix 'iprange' command. +11) Make traffic shaping work better with IPv6. + +12) Externalize 'flow'. + Changes in Shorewall 4.3.9 1) Logging rules now create separate chain. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 2dd2eb7f5..a0353fa99 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -100,7 +100,30 @@ None. N E W F E A T U R E S I N 4 . 3 . 11 ---------------------------------------------------------------------------- -None. +1) Shorewall attaches an SFQ queuing discipline to each leaf HTB + class. SFQ ensures that each 'flow' gets equal access to the + interface. + + The default definition of a 'flow' corresponds to a TCP + connection. So if one internal system is running BitTorrent, for + example, it can have lots of 'flows' and can thus take up a larger + share of the bandwidth than a system having only a single active + connection. + + The 'flow' classifier (module cls_flow) works around this by + letting you define what a 'flow' is. The clasifier must be used + carefully or it can block off all traffic on an interface! + + To use the 'flow' classifier, you specify 'flow=' in the + OPTIONS column of an HTB leaf class (one that has no + sub-classes). I recommend that you use the following: + + Shaping internet-bound traffic flow=nfct-src + Shaping traffic bound for your + local net flow=dst + + These will cause a 'flow' to consists of the traffic to/from each + internal system. ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 3