Tom Eastep | 3 Apr 02:28 2011

Shorewall 4.4.19 Beta 4

Beta 4 is now available for testing.

This beta includes improved handling of bridges with ports (defined in
/etc/shorewall/interfaces). It also supports protocol name/number lists
in the PROTO column of the rules file.

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
Johannes Graumann | 3 Apr 07:48 2011

shorewall-init, network-manager and (occasional) vpn

Hello,

I'm running Debian testing including shorewall and shorewall-init 4.4.18.1 
in conjunction with network manager according to 
http://www.shorewall.net/Shorewall-init.html . Works perfectly.

I have, however, the need coming up to occasionally VPN into work. Network-
manager nicely integrates that, yet I am at a loss how to configure 
shorewall/-init to dynamically (as in the case of my wired/wireless 
interfaces) figure out whether the vpn has come up/down and react to it.

How might this and can this be achieved?

Thanks for any pointers.

Sincerely, Joh

Tom Eastep | 3 Apr 19:43 2011

Shorewall 4.4.19 Beta 5

What I uploaded as Beta 4 was missing some intended content. So I've
just uploaded Beta 5 which includes that content.

I apologize for the noise.

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Bob Smith | 4 Apr 05:37 2011

Re: tcclasses

OK, I have searched Google and the FAQ to the best of my ability; I apologize in advance if I missed this somewhere.
I am following an example from the web, and in my tcclasses file in the RATE column there is this: '60*full/100'. Please help me understand this because I cannot make sense of it!

Other examples just have the mbit or kbit specified here, but tc does not seem to follow it?

Basically I have a 30mbit connection to the internet: 30 down, 6 up.
I am trying to use tcdevices/tcrules/tcclasses in Shorewall to prioritize bandwidth. With what I have enabled I can do a bandwidth test of 15/4.8 from http://speakeasy.net/speedtest; if I take the files out I get 27/6. So here is tcdevices:

eth0            -          6mbit
eth1            -          100mbit

And here is the tcclasses file:

eth1             1      10*full/100      full    1 tcp-ack,tos-minimize-delay
eth1             2      5*full/100     full    2
eth1            3      5*full/100     full    3
eth1            4      30*full/100     full    4
eth1            5      50*full/100      full    5               default

And last, the tcrules file:

2       0.0.0.0/0       0.0.0.0/0       tcp     20,21,22,3389,1723
1       0.0.0.0/0       0.0.0.0/0       udp     5160
3       0.0.0.0/0       0.0.0.0/0       udp     53
4       0.0.0.0/0       0.0.0.0/0       tcp     110,80,443

eth0 is the WAN interface and eth1 is the LAN.

Any input would be greatly appreciated, especially if it helps me!
I know that rule 4 covers HTTP (and I think my speedtest). If I understand correctly, 30*full/100 basically means 30% of the connection, which is 30mbit, but if that is right then why do I only get 15mbit on my speedtest?

Thanks for your time.

BJ
Tom Eastep | 4 Apr 16:36 2011

Re: tcclasses

On 4/3/11 8:37 PM, Bob Smith wrote:
> ok i have searched google and the FAQ to the best of my ability i
> apologize in advance if i missed this somewhere.

> i am following an example from the web and in my tcclasses file on the
> rate column there is this '60*full/100' please help me understand this
> because i cannot make sense of it!

In your Google search, you apparently failed to find the Shorewall
"Complex Traffic Shaping" documentation at
http://www.shorewall.net/traffic_shaping.htm and did not look at the
output of 'man shorewall-tcclasses'. Both indicate that this means 60%
of the bandwidth defined for the interface.

>  
> other examples just have the mbit or kbit specified here but tc does not
> seem to follow it?

That is because you tune your configuration by adjusting the rates in
tcdevices and the amount allowed for each class then gets changed
automatically.

>  
> basically i have a 30mbit connection to the internet 30 down that is 6 up.
> and i am trying to use tcdevices/tcrules/tcclasses in shorewall to
> prioritize bandwidth, so with what i have enabled i can do a bandwidth
> test of 15/4.8 from http://speakeasy.net/speedtest if i take the files
> out i get 27/6 so here is tcdevices :

> eth0            -          6mbit
> eth1            -          100mbit
> and here is the tcclasses file :
> eth1             1      10*full/100      full    1 tcp-ack,tos-minimize-delay
> eth1             2      5*full/100     full    2
> eth1            3      5*full/100     full    3
> eth1            4      30*full/100     full    4
> eth1            5      50*full/100      full    5               default

Very bizarre configuration.

- You have defined both eth0 and eth1 in the tcdevices file yet you have
no classes defined for eth0. Why don't you start with one of the
configurations in the above article that only deal with the WAN
interface and get that working first. Besides, given that you have
defined the bandwidth of eth1 to be 100mb (and your downlink is only
30mb), there will never be any queuing on eth1 and hence traffic shaping
on that interface does little if anything.

- The sum of the *guaranteed* rates is .1 + .5 + .5 + .3 + .3 = 170% of
the full bandwidth of eth1. The URL above clearly warns that the sum of
the guaranteed rates must not exceed the full rate or the thing doesn't
work at all. In fact, current versions of Shorewall would fail to start
with that configuration.

> and last the tcrules file:
> 2       0.0.0.0/0       0.0.0.0/0       tcp     20,21,22,3389,1723
> 1       0.0.0.0/0       0.0.0.0/0       udp     5160
> 3       0.0.0.0/0       0.0.0.0/0       udp     53
> 4       0.0.0.0/0       0.0.0.0/0       tcp     110,80,443
> eth0 is the wan interface and eth1 is the lan.

Again, referring to http://www.shorewall.net/traffic_shaping.htm, you
must pay close attention to the direction of traffic flow. You have
specified all of the ports as DEST PORTS so that means that the clients
are out on the web and the servers are on your LAN. That is likely to be
backwards from reality.

>  
> any input would be greatly appreciated especially if it helps me!
> i know that rule 4 covers http (and i think my speedtest) if i
> understand correctly the 30*full/100 basically means 30% of the
> connection which is 30mbit, but if that is right then why do i only get
> 15mbit on my speedtest?

I'm surprised that your configuration does anything to slow down traffic.

Are you sure that you wouldn't be better off using Simple Traffic
shaping? I designed and wrote Shorewall and that's what I use on an
internet link similar to yours. It meets my needs perfectly (and tests
at speedtest.net closely track my configuration).

If you have another occasion to post regarding traffic shaping issues,
we really ask that you include the output of 'shorewall dump' with your
report. The dump should be collected while the configuration is under
load so that we can see the behavior of each of your classes. See
http://www.shorewall.net/support.htm#guidelines

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
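Added example, not Shorewall's own code: a small Python checker that resolves the 'full', 'full/N' and 'M*full/N' RATE/CEIL expressions Tom points to against the interface's OUT bandwidth from tcdevices, and reports when the guaranteed rates over-commit the link. It assumes that 'full' means the OUT bandwidth of the interface and that tcdevices rows are INTERFACE/IN/OUT; the sample rows are constructed from the "4.4.11.6" post further down, where the resolved ceiling for mark 20 comes out at the 1052Kbit shown in that post's tc output.

```python
import re
from fractions import Fraction
# Constructed tcdevices/tcclasses input (same rows as the "4.4.11.6" post further down).
TCDEVICES = """\
eth1        100mbit  100mbit
eth2        100mbit  100mbit
"""
TCCLASSES = """\
#INTERFACE  MARK  RATE         CEIL        PRIORITY  OPTIONS
eth2        1     full/2       full        1         default
eth2        10    full/100000  full/90000  10
eth2        20    full/100     full/95     20
"""
UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000}
FULL_RE = re.compile(r"^(?:(\d+)\*)?full(?:/(\d+))?$")  # full, full/N, M*full/N
ABS_RE = re.compile(r"^(\d+)(bit|kbit|mbit)$")          # e.g. 6mbit, 500kbit

def rate_bits(expr, full):
    """Resolve a RATE/CEIL expression to bit/s; 'full' is the device's OUT bandwidth (assumed)."""
    m = FULL_RE.match(expr)
    if m:
        mul, div = int(m.group(1) or 1), int(m.group(2) or 1)
        return Fraction(full * mul, div)  # so 60*full/100 is 60% of full
    m = ABS_RE.match(expr)
    if m:
        return Fraction(int(m.group(1)) * UNITS[m.group(2)])
    raise ValueError(f"unrecognised rate expression {expr!r}")

def fields(text):
    """Whitespace-split columns of every non-blank, non-comment line."""
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            yield cols

def check_tc(tcdevices, tcclasses):
    """Resolve each class against tcdevices and flag the mistakes the thread warns about."""
    full = {}
    for cols in fields(tcdevices):
        iface, out = cols[0].split(":")[-1], cols[2]  # accept the "number:interface" form
        if out != "-":
            full[iface] = rate_bits(out, 0)
    report = {}
    for cols in fields(tcclasses):
        iface, mark, rate_x, ceil_x = cols[:4]
        r = report.setdefault(iface, {"full": full.get(iface), "guaranteed": Fraction(0),
                                      "classes": {}, "warnings": []})
        if r["full"] is None:  # 'full' is undefined without an OUT bandwidth in tcdevices
            r["warnings"].append(f"{iface}: no OUT bandwidth in tcdevices")
            continue
        rate, ceil = rate_bits(rate_x, r["full"]), rate_bits(ceil_x, r["full"])
        r["classes"][mark] = (rate, ceil)
        r["guaranteed"] += rate
        if ceil > r["full"]:
            r["warnings"].append(f"{iface} mark {mark}: CEIL {ceil_x} exceeds device bandwidth")
    for iface, r in report.items():  # Tom's point: guaranteed rates must not exceed full
        if r["full"] is not None and r["guaranteed"] > r["full"]:
            pct = float(100 * r["guaranteed"] / r["full"])
            r["warnings"].append(f"{iface}: guaranteed rates sum to {pct:.0f}% of full")
    return report
```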

Tom Eastep | 4 Apr 16:51 2011

Shorewall 4.4.18.2

4.4.18.2 corrects the following issues:

1)  SAVE_IPSETS=Yes didn't work unless there is a dynamic zone defined.

2)  If a logical name was given to a bridge and the ports on the bridge
    were defined in /etc/shorewall/interfaces, then the compiler would
    generate matches that used the logical name rather than the
    physical name.

Note: The release notes in the uploaded packages failed to include the
corrected problems. The release notes at
http://www1.shorewall.net/pub/shorewall/4.4/shorewall-4.4.18/releasenotes.txt
are complete.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep | 4 Apr 17:18 2011

Re: tcclasses

On 4/4/11 7:36 AM, Tom Eastep wrote:

> 
> - The sum of the *guaranteed* rates is .1 + .5 + .5 + .3 + .3 = 170% of
> the full bandwidth of eth1. The URL above clearly warns that the sum of
> the guaranteed rates must not exceed the full rate or the thing doesn't
> work at all. In fact, current versions of Shorewall would fail to start
> with that configuration.

Correction: Only a WARNING message is issued in that case.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

lanas | 5 Apr 02:04 2011

4.4.11.6 not observing TC marks ?

Hello,

  I have installed 4.4.11.6 and configured some basic traffic
control on a router.  The problem is that I do not see any
traffic hitting the marks I have set.  All traffic is hitting the
default class and nothing else.

  The setup is as follows.  

  A laptop uses two instances of wget to retrieve two 348 MB files
from an HTTP server running two instances of lighttpd on ports 80
and 3000.  The idea is to restrict traffic at eth2 when the bulk
of it from the HTTP server is going to the laptop.

  laptop eth0  <->  eth2 router eth1 <-> eth1 HTTP server

  laptop: 192.168.2.2

tcdevices

#NUMBER	IN	OUT
eth1    100mbit 100mbit
eth2    100mbit 100mbit

tcclasses

#INTERFACE  MARK   RATE		CEIL	    PRIORITY	OPTIONS
eth2	    1	   full/2	full	    1           default
eth2	    10	   full/100000  full/90000  10
eth2        20     full/100     full/95     20

tcrules

#MARK	SOURCE		DEST		PROTO	DEST	SOURCE
10	0.0.0.0/0	192.168.2.2	tcp	-       80
20      0.0.0.0/0       192.168.2.2     tcp     -       3000

Using tc, we see that the traffic never hit marks 10 and 20.  All
traffic has hit the default class only.  This was also observed
by looking at iptables' mangle table.

This is quite puzzling. Has anyone experienced something like
this?

Thanks for any information.

# tc -s -d class show dev eth2

class htb 2:110 parent 2:1 leaf 4: prio 7 quantum 1500 rate 1000bit
ceil 1000bit burst 1600b/8 mpu 0 b overhead 0b cburst 1600b/8 mpu 0b
overhead 0b level 0

 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 12500000 ctokens: 12500000

class htb 2:11 parent 2:1 leaf 3: prio 1 quantum 12500 rate 50000Kbit
ceil 100000Kbit burst 7843b/8 mpu 0b overhead 0b cburst 14087b/8 mpu
0b overhead 0b level 0

 Sent 111133255 bytes 73425 pkt (dropped 0, overlimits 0 requeues 0)
 rate 32683Kbit 2699pps backlog 0b 0p requeues 0
 lended: 43972 borrowed: 29453 giants: 0
 tokens: -79 ctokens: 303  

class htb 2:1 root rate 100000Kbit ceil 100000Kbit burst 14087b/8 mpu
0b overhead 0b cburst 14087b/8 mpu 0b overhead 0b level 7

 Sent 111133255 bytes 73425 pkt (dropped 0, overlimits 0 requeues 0)
 rate 32683Kbit 2699pps backlog 0b 0p requeues 0
 lended: 29453 borrowed: 0 giants: 0
 tokens: 303 ctokens: 303  

class htb 2:120 parent 2:1 leaf 5: prio 7 quantum 1500 rate 1000Kbit
ceil 1052Kbit burst 1724b/8 mpu 0b overhead 0b cburst 1730b/8 mpu 0b
overhead 0b level 0

 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 13476 ctokens: 12854

------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev
Tom Eastep | 5 Apr 02:50 2011

Re: 4.4.11.6 not observing TC marks ?

On 4/4/11 5:04 PM, lanas wrote:
> Hello,
> 
>   I have installed 4.4.11.6 and configured some basic traffic
> control on a router.  The problem is that I do not see any
> traffic hitting the marks I have set.  All traffic is hitting the
> default class and nothing else.
> 
>   The setup is as follows.  
> 
>   A laptop uses two instances of wget to retrieve two 348 MB files
> from an HTTP server running two instances of lighttpd on ports 80
> and 3000.  The idea is to restrict traffic at eth2 when the bulk
> of it from the HTTP server is going to the laptop.
> 
>   laptop eth0  <->  eth2 router eth1 <-> eth1 HTTP server
> 
>   laptop: 192.168.2.2
> 
> tcdevices
> 
> #NUMBER	IN	OUT
> eth1    100mbit 100mbit
> eth2    100mbit 100mbit
> 
> tcclasses
> 
> #INTERFACE  MARK   RATE		CEIL	    PRIORITY	OPTIONS
> eth2	    1	   full/2	full	    1           default
> eth2	    10	   full/100000  full/90000  10
> eth2        20     full/100     full/95     20
> 

I'm concerned that there is a web site somewhere that is leading people
to mis-configure Shorewall's TC. This is the second very similar
configuration that I've seen today. Did you find this on some web site
other than shorewall.net?

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep | 5 Apr 04:22 2011

Re: 4.4.11.6 not observing TC marks ?

On 4/4/11 5:50 PM, Tom Eastep wrote:

> 
> I'm concerned that there is a web site somewhere that is leading people
> to mis-configure Shorewall's TC. This is the second very similar
> configuration that I've seen today. Did you find this on some web site
> other than shorewall.net?

And if you would like to pursue your current configuration further,
please include the output of 'shorewall dump' with your request. Collect
that output while stressing the configuration with whatever load you
feel isn't being handled properly.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
