Discussion:
[Shorewall-users] Trouble with TC rules by host
Brian Foddy
2017-01-24 05:11:53 UTC
Shorewall version 5.0.14, Fedora 24 all recent patches, x86_64

Long time user of Shorewall, but recently have tried to incorporate some
old TC scripts into Shorewall directly. I believe most of the classes
and rules are being correctly created, at least

tc -g -s qdisc show dev ppp0

shows the classes, and a reasonable distribution of packets, except for
one... Read on...

I have a host that needs to send to SpiderOak cloud backup services,
this service seems to post to https 443 protocol.

Another host in my house will occasionally connect to company VPN
services and those use https 443 as well. One host I want as a high
priority queue, one very low. And from what I can glean from the packet
numbers in the tc command, both types are flowing through the same rule.

In tcclasses I have:

#INTERFACE MARK RATE CEIL PRIO OPTIONS
1:20 20 full/8 full 0
1:21 21 full/8 full 1
1:22 22 full/8 full 2
1:23 23 full/8 full 3
1:24 24 full/8 full 4
1:25 25 full/8 full 5 default
1:26 26 full/8 full 6
1:27 27 full/8 full 7

tcfilters contains:

######################################################################################
#CLASS SOURCE DEST PROTO DPORT SPORT TOS LENGTH PRIOR
IPV4
1:27 10.20.0.8/32 0.0.0.0/0 all - - - - #mammouth

where 10.20.0.8 is the IP address of the low priority host sending
SpiderOak packets.

I've tried this rule at the top of tcfilters, and bottom, no apparent
effect. It's not working.

TBH, I'm struggling with whether mangle needs to come into the picture,
so I also tried adding this line to mangle:

####################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
MARK(27) 10.20.0.8/32 0.0.0.0/0 all - - - - - - - - -

but still no apparent effect.

So specifically my question as described, and also still struggling a
little with when mangle is required. I've read most of the docs on
mangle, but still missing some of the concepts of when it's needed and
how to use it (I know the docs describe just this situation so I'm not
alone).

The full shorewall dump is attached. It's a rather complex firewall with
several interfaces, vpns, etc.

Any help greatly appreciated.

Thanks,

Brian
Tom Eastep
2017-01-25 01:38:21 UTC
Post by Brian Foddy
Shorewall version 5.0.14, Fedora 24 all recent patches, x86_64
Long time user of Shorewall, but recently have tried to incorporate
some old TC scripts into Shorewall directly. I believe most of the
classes and rules are being correctly created, at least
tc -g -s qdisc show dev ppp0
shows the classes, and a reasonable distribution of packets, except
for one... Read on...
I have a host that needs to send to SpiderOak cloud backup
services, this service seems to post to https 443 protocol.
Another host in my house will occasionally connect to company VPN
services and those use https 443 as well. One host I want as a
high priority queue, one very low. And from what I can glean from
the packet numbers in the tc command, both types are flowing
through the same rule.
#INTERFACE MARK RATE CEIL PRIO OPTIONS
1:20 20 full/8 full 0
1:21 21 full/8 full 1
1:22 22 full/8 full 2
1:23 23 full/8 full 3
1:24 24 full/8 full 4
1:25 25 full/8 full 5 default
1:26 26 full/8 full 6
1:27 27 full/8 full 7
######################################################################################
#CLASS SOURCE DEST PROTO DPORT SPORT TOS LENGTH PRIOR
IPV4
1:27 10.20.0.8/32 0.0.0.0/0 all - - - - #mammouth
where 10.20.0.8 is the IP address of the low priority host sending
SpiderOak packets.
I've tried this rule at the top of tcfilters, and bottom, no
apparent effect. It's not working.
TBH, I'm struggling with whether mangle needs to come into the
picture, so I also tried adding this line to mangle:
####################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
MARK(27) 10.20.0.8/32 0.0.0.0/0 all - - - - - - - - -
but still no apparent effect.
It should not be necessary.
Post by Brian Foddy
So specifically my question as described, and also still struggling
a little with when mangle is required. I've read most of the docs
on mangle, but still missing some of the concepts of when it's
needed and how to use it (I know the docs describe just this
situation so I'm not alone).
The full shorewall dump is attached. It's a rather complex firewall
with several interfaces, vpns, etc.
Any help greatly appreciated.
The generated filter looks correct to me.

filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht
800 bkt 0 flowid 1:27
match 0a140008/ffffffff at 12
match 00000000/00000000 at 16

The source IP address is at offset 12 in the IP header and 0x0a140008
is 10.20.0.8 (big-endian).

And note that this is the only filter targeting 1:27 and there
*are* packets going through that class:

class htb 1:27 parent 1:1 leaf 9: prio 7 quantum 3121 rate 231Kbit
ceil 1850Kbit linklayer ethernet burst 1591b/1 mpu 0b overhead 0b
cburst 1591b/1 mpu 0b overhead 0b level 0
Sent 156 bytes 3 pkt (dropped 0, overlimits 0 requeues 0) <============
rate 0bit 0pps backlog 0b 0p requeues 0
lended: 3 borrowed: 0 giants: 0
tokens: 833329 ctokens: 104048

- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
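As an added example (not part of the thread, not Shorewall code): a small Python decoder for the u32 match lines Tom quotes, which shows why `match 0a140008/ffffffff at 12` selects source 10.20.0.8 and checks constructed IPv4 headers against the filter. The filter text is copied from the reply; the packet headers and the 192.0.2.1 destination are constructed.

```python
import ipaddress
import re
import struct

# Copy of the u32 filter lines from the reply (flowid and its two match entries).
FILTER_OUTPUT = """\
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:27
  match 0a140008/ffffffff at 12
  match 00000000/00000000 at 16
"""

MATCH_RE = re.compile(r"match ([0-9a-f]{8})/([0-9a-f]{8}) at (\d+)")
FLOWID_RE = re.compile(r"flowid (\S+)")

# Offsets of the 32-bit words a u32 match reads in a plain IPv4 header (no options).
IPV4_FIELDS = {12: "src", 16: "dst"}

def parse_u32_filter(text):
    """Return (flowid, [(offset, value, mask), ...]) from tc filter output."""
    flowid = FLOWID_RE.search(text).group(1)
    matches = [(int(off), int(val, 16), int(mask, 16))
               for val, mask, off in MATCH_RE.findall(text)]
    return flowid, matches

def describe_match(offset, value, mask):
    """Explain one match the way the reply does: which field, and the dotted IP."""
    field = IPV4_FIELDS.get(offset, f"word@{offset}")
    if mask == 0:
        return f"{field}: any (mask 0)"
    return f"{field} == {ipaddress.IPv4Address(value)}/{ipaddress.IPv4Address(mask)}"

def build_ipv4_header(src, dst):
    """Constructed minimal 20-byte IPv4 header (TTL 64, proto TCP, zero checksum)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def filter_hits(header, matches):
    """Apply the u32 matches: each compares a big-endian 32-bit word at its offset."""
    for off, val, mask in matches:
        (word,) = struct.unpack_from("!I", header, off)
        if word & mask != val:
            return False
    return True

def classify(text, src, dst):
    """Flowid the filter would send a src->dst packet to, or None if it does not match."""
    flowid, matches = parse_u32_filter(text)
    return flowid if filter_hits(build_ipv4_header(src, dst), matches) else None
```

Running `classify(FILTER_OUTPUT, "10.20.0.8", "192.0.2.1")` yields "1:27", while any other source address yields None, which matches Tom's reading that only 10.20.0.8 traffic is steered into class 1:27.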