From b8c694e86ff9223524f622ab09a6424b92c5f59d Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 28 Nov 2006 00:05:52 +0000 Subject: [PATCH] Use fwmark classifier for unknown interfaces git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5013 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 2 ++ Shorewall/lib.tc | 8 +++++++- Shorewall/releasenotes.txt | 5 +++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 97ca51d73..562fec83f 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -6,6 +6,8 @@ Changes in 3.3.6 3) Use export directory's modules file with -e. +4) Use fwmark tc filter with unknown interfaces. + Changes in 3.3.5 1) Restore default route when there are no 'balance' providers. diff --git a/Shorewall/lib.tc b/Shorewall/lib.tc index 47f40b7cd..32986a541 100644 --- a/Shorewall/lib.tc +++ b/Shorewall/lib.tc 
@@ -254,12 +254,18 @@ setup_traffic_shaping() run_tc "class add dev $device parent $devnum:1 classid $classid htb rate $rate ceil $ceil prio $prio mtu \$${dev}_mtu quantum \$quantum" run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10 + # add filters if [ -n "$CLASSIFY_TARGET" ]; then - run_iptables -t mangle -A tcpost $(match_dest_dev $device) -m mark --mark $mark/0xFF -j CLASSIFY --set-class $classid + if known_interface $device; then + run_iptables -t mangle -A tcpost -o $device -m mark --mark $mark/0xFF -j CLASSIFY --set-class $classid + else + run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid + fi else run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid fi + #options list_search "tcp-ack" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid list_search "tos-minimize-delay" $options && options="$options tos=0x10/0x10" diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index e3ff0f7bb..84069ffbb 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -54,6 +54,11 @@ Other Changes in 3.3.6 compiled, then that file will be copied into the compiled script and used on the firewall system. +3) Shorewall now uses tc fwmark filters to classify packets for + traffic shaping when the DEVICE isn't an interface described in + /etc/shorewall/interfaces. This is in preparation for the upcoming + change to the way that --physdev-out works in iptables/Netfilter. + Migration Considerations: 1) Shorewall supports the notion of "default actions". A default
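Review bot: In the lib.tc hunk, the new inner `else` branch for unknown interfaces matches with `handle $mark`, which compares the whole fwmark, while the CLASSIFY rule it stands in for matches `--mark $mark/0xFF`. If bits above the low byte can be set on a packet, as the mask suggests, traffic leaving an unknown interface would miss its class and be shaped as unclassified traffic. Where the installed tc accepts a mask on the fw handle, `handle $mark/0xFF fw classid $classid` would keep the two paths equivalent; the same applies to the pre-existing filter in the outer `else`. The two identical `run_tc filter add` lines could also be folded by testing `[ -n "$CLASSIFY_TARGET" ] && known_interface $device` once, with a comment such as `# DEVICE not in /etc/shorewall/interfaces: classify with an fw filter instead of -o` to record the reason. setup_traffic_shaping starts and ends outside the hunk.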