Merge branch 'master' of ssh://teastep@shorewall.git.sourceforge.net/gitroot/shorewall
Conflicts: Shorewall/changelog.txt Shorewall/releasenotes.txt
commit
887fee7618
@ -967,12 +967,15 @@ sub setup_traffic_shaping() {
if ( $devref->{occurs} ) {
#
# The following command succeeds yet generates an error message and non-zero exit status :-(. We thus run it silently and check
# the result. Note that since this is normally the first filter added after the root qdisc was added, the 'ls|grep' test is fairly robust
# The following command may succeed yet generate an error message and non-zero exit status :-(. We thus run it silently
# and check the result. Note that since this is the first filter added after the root qdisc was added, the 'ls | grep' test
# is fairly robust
#
emit( qq(if ! qt \$TC filter add dev $device parent $devnum:0 prio 65535 protocol ip fw; then) ,
my $command = "\$TC filter add dev $device parent $devnum:0 prio 65535 protocol all fw";
emit( qq(if ! qt $command ; then) ,
qq( if ! \$TC filter list dev $device | grep -q 65535; then) ,
qq( error_message "ERROR: Command '\$TC add dev $device parent $devnum:0 prio 65535 protocol ip fw' failed"),
qq( error_message "ERROR: Command '$command' failed"),
qq( stop_firewall),
qq( exit 1),
qq( fi),
@ -983,13 +986,13 @@ sub setup_traffic_shaping() {
if ( $inband ) {
emit ( "run_tc qdisc add dev $device handle ffff: ingress",
"run_tc filter add dev $device parent ffff: protocol ip prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
"run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
);
}
for my $rdev ( @{$devref->{redirected}} ) {
emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
emit( "run_tc filter add dev $rdev parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
}
save_progress_message_short " TC Device $device defined.";
@ -1051,11 +1054,11 @@ sub setup_traffic_shaping() {
#
unless ( $devref->{classify} ) {
if ( $tcref->{occurs} == 1 ) {
emit "run_tc filter add dev $device protocol ip parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid";
emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid";
}
}
emit "run_tc filter add dev $device protocol ip prio 1 parent $classnum: protocol ip handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
#
# options
#
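Review bot: The `flow` keys on the last changed line of the third hunk (`... flow hash keys $tcref->{flow} divisor 1024`) are interpolated straight from configuration into a generated shell command, so a value that is not a valid cls_flow key list only surfaces as a `run_tc` failure when the firewall starts, and any shell metacharacters in it are interpreted by the generated script rather than rejected. Unless the code that fills `$tcref->{flow}` already does so (it is outside these hunks), validate the value where it is parsed — an anchored match over the comma-separated cls_flow key names, failing with `fatal_error` on mismatch — so a bad `flow=` option is caught at compile time. A smaller consistency point in the second hunk: the ingress policing filter keeps `match ip src 0.0.0.0/0` after switching to `protocol all`, while the redirect filter beside it uses `match u32 0 0`; as far as I can tell both match every packet, but the `ip` selector now reads as IPv4-only on a protocol-neutral filter, so the `u32 0 0` form would state the intent. setup_traffic_shaping() starts and ends outside these hunks.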
@ -25,7 +25,13 @@ Changes in Shorewall 4.3.10
9) Implement nested HTB classes.
10) Fix 'start' with AUTOMAKE=Yes
10) Fix 'iprange' command.
11) Make traffic shaping work better with IPv6.
12) Externalize 'flow'.
13) Fix 'start' with AUTOMAKE=Yes
Changes in Shorewall 4.3.9
@ -469,7 +469,7 @@ ip_range() {
y=2
z=1
while [ $(( $first % $y )) -eq 0 ] && addr_comp $l $(( $first + $y )) ; do
while [ $(( $first % $y )) -eq 0 ] && ! addr_comp $(( $first + $y )) $l; do
vlsm=/$x
x=$(( $x - 1 ))
z=$y
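Review bot: The rewritten loop condition (`! addr_comp $(( $first + $y )) $l` replacing `addr_comp $l $(( $first + $y ))`) depends entirely on addr_comp's argument order and sense, and nothing in the hunk says which comparison it performs, so a reader cannot tell whether the two forms differ only at equality or more broadly. A one-line comment above the `while` stating the invariant the loop maintains — for example `# grow the block while it stays aligned and does not run past the end of the range`, adjusted to addr_comp's actual contract — would make the intent checkable against the fix it is meant to deliver. ip_range() starts and ends outside this hunk.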
@ -87,7 +87,10 @@ released late in 2009.
/etc/shorewall/tcfilters would cause an invalid rule to be
generated.
2. When AUTOMAKE=Yes, the 'shorewall start' ('shorewall6 start')
2. The list of networks returned by the 'shorewall iprange' command
was not minimal.
3. When AUTOMAKE=Yes, the 'shorewall start' ('shorewall6 start')
command used the wrong compiled script to start the firewall.
----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G
@ -99,7 +102,30 @@ None.
N E W F E A T U R E S I N 4 . 3 . 11
----------------------------------------------------------------------------
None.
1) Shorewall attaches an SFQ queuing discipline to each leaf HTB
class. SFQ ensures that each 'flow' gets equal access to the
interface.
The default definition of a 'flow' corresponds to a TCP
connection. So if one internal system is running BitTorrent, for
example, it can have lots of 'flows' and can thus take up a larger
share of the bandwidth than a system having only a single active
connection.
The 'flow' classifier (module cls_flow) works around this by
letting you define what a 'flow' is. The clasifier must be used
carefully or it can block off all traffic on an interface!
To use the 'flow' classifier, you specify 'flow=<keys>' in the
OPTIONS column of an HTB leaf class (one that has no
sub-classes). I recommend that you use the following:
Shaping internet-bound traffic flow=nfct-src
Shaping traffic bound for your
local net flow=dst
These will cause a 'flow' to consists of the traffic to/from each
internal system.
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 3