diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 97ca51d73..562fec83f 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -6,6 +6,8 @@ Changes in 3.3.6
 3) Use export directory's modules file with -e.
+4) Use fwmark tc filter with unknown interfaces.
+
 Changes in 3.3.5
 1) Restore default route when there are no 'balance' providers.
diff --git a/Shorewall/lib.tc b/Shorewall/lib.tc
index 47f40b7cd..32986a541 100644
--- a/Shorewall/lib.tc
+++ b/Shorewall/lib.tc
@@ -254,12 +254,18 @@ setup_traffic_shaping()
 run_tc "class add dev $device parent $devnum:1 classid $classid htb rate $rate ceil $ceil prio $prio mtu \$${dev}_mtu quantum \$quantum"
 run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10
+ # add filters
 if [ -n "$CLASSIFY_TARGET" ]; then
- run_iptables -t mangle -A tcpost $(match_dest_dev $device) -m mark --mark $mark/0xFF -j CLASSIFY --set-class $classid
+ if known_interface $device; then
+ run_iptables -t mangle -A tcpost -o $device -m mark --mark $mark/0xFF -j CLASSIFY --set-class $classid
+ else
+ run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid
+ fi
 else
 run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid
 fi
+ #options
 list_search "tcp-ack" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid
 list_search "tos-minimize-delay" $options && options="$options tos=0x10/0x10"
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index e3ff0f7bb..84069ffbb 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
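Review bot: The two classification paths look at different views of the mark: the iptables branch matches `--mark $mark/0xFF` (low byte only), while the new tc fallback for unknown interfaces uses `handle $mark fw`, which matches the whole fwmark, so a packet on such a device that carries mark bits above 0xFF — which the /0xFF mask on the iptables path implies can occur — is not classified at all. If that is an accepted limitation of the fw classifier on the supported kernels, it deserves a comment at the inner `else`, e.g. `# fw filter matches the full mark: bits above 0xFF must be clear on this device`; otherwise check whether the tc/kernel in use accepts a masked handle (`handle $mark/0xFF fw`) and use it here. The same `run_tc filter add ... fw classid $classid` line now appears in both the inner and the outer `else`; folding the conditions into `if [ -n "$CLASSIFY_TARGET" ] && known_interface $device; then` with the single tc filter in the outer `else` removes the duplication without changing which path each device takes. setup_traffic_shaping() starts and ends outside this hunk.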
@@ -54,6 +54,11 @@ Other Changes in 3.3.6
 compiled, then that file will be copied into the compiled script and used on the firewall system.
+3) Shorewall now uses tc fwmark filters to classify packets for
+ traffic shaping when the DEVICE isn't an interface described in
+ /etc/shorewall/interfaces. This is in preparation for the upcoming
+ change to the way that --physdev-out works in iptables/Netfilter.
+
 Migration Considerations:
 1) Shorewall supports the notion of "default actions". A default