ricky gutierrez | 4 Jun 20:55 2014

routing multiple network

Hi list, I'm migrating from SuSEfirewall2 to shorewall. Several
networks are routed to me, coming from a router into my LAN network, and
from my LAN network I can reach those networks,

something like:

Internet ====eth1 - LinuxBOX - eth0====LAN (192.168.1.254/24) ==switch-LAN
                                 =
                                 =
                                 =
                                ROUTER
                              Other networks
                               192.168.2.0/24
                               192.168.3.0/24

In SuSEfirewall2, I add these networks to a couple of options and it
works: FW_FORWARD="192.168.1.0/24,192.168.2.0/24
192.168.1.0/24,192.168.3.0/24 192.168.1.0/24,192.168.4.0/24
192.168.1.0/24,192.168.5.0/24 192.168.1.0/24,192.168.6.0/24 ,
FW_MASQ_NETS="192.168.1.0/24, 192.168.4.0/24, 192.168.2.0/24,
192.168.3.0/24, 192.168.5.0/24, , but with shorewall I've been testing this
tutorial http://shorewall.net/Multiple_Zones.html and it gives me an
error:


Howto define bandwidthd in shorewall (based rules in tc)

I have used shorewall for many years, but only in a simple LAN and WAN way. Now I'm in big trouble: excessive users crash the modem (which is not an ADSL bridge, but an ADSL router). I decided to use a script with tc rules; it works, but I would like to use shorewall for this.

How do I do it? I got confused with the policies tcclasses, tcdevices, tc** in shorewall. My WAN is ADSL 50Mbps, with only 40% download guaranteed.

CentOS release 6.5
Shorewall 4.5.4

### tcdevices (wan/internet)

###############################################################################
#NUMBER:        IN-BANDWITH     OUT-BANDWIDTH   OPTIONS         REDIRECTED
#INTERFACE                                                      INTERFACES
# adsl (is this correct? The config below)
em1             2500kbit        200kbit
# network (internal)
p2p1            1000mbit        1000mbit

I use this script to limit per user; it's bad, but it works.

#!/bin/bash
TC=/sbin/tc
IF=p2p1             # Interface
DNLD=1mbit          # DOWNLOAD Limit
UPLD=512kbit          # UPLOAD Limit
IP=192.168.1.95     # Host IP
U32="$TC filter add dev $IF protocol ip parent 1:0 prio 1 u32"

start() {

## what file config in shorewall?
## /etc/shorewall/tc???
    $TC qdisc add dev $IF root handle 1: htb default 30

## /etc/shorewall/tcclasses ???
    $TC class add dev $IF parent 1: classid 1:1 htb rate $DNLD
    $TC class add dev $IF parent 1: classid 1:2 htb rate $UPLD

## and this? /etc/shorewall/tcfilters ???
    $U32 match ip dst $IP/32 flowid 1:1
    $U32 match ip src $IP/32 flowid 1:2

}

...


Db Clinton | 2 Jun 17:00 2014

Running an FTP server via DNAT behind Shorewall

Hi,
I'm trying to accept FTP uploads (using VSFTP on Ubuntu 14.04) from within a Shorewall-managed LAN. nf_nat_ftp and nf_conntrack_ftp are both happily loaded on the Shorewall server and VSFTP is accepting clients from within the LAN. Here's the rule I've added to /etc/shorewall/rules:

DNAT            inet:eth1       lan:10.0.0.34:21        tcp     49034   -       xxx.xx.xx.xxx 

...where 10.0.0.34 is my internal DNAT address, 21, obviously, is the FTP port I want to open up, 49034 is the port I use for port-forwarding through the firewall to my PC, and xxx.xx.xx.xxx is my external IP. As you can no doubt guess, this isn't working. My external client is getting a
could not parse response code
error. 
Does anyone have any idea what I should be doing?
Thanks,

Göran Höglund | 2 Jun 14:26 2014

Instagram

Hi List!
Anyone who has any suggestion how to block users from using Instagram??

/Göran

Tom Eastep | 31 May 23:13 2014

Shorewall 4.6.0.3

4.6.0.3 is now available for download.

Problems Corrected:

1)  The Shorewall-init package now installs correctly on RHEL7.

2)  1:1 NAT is now enabled in IPv6.

3)  A subtle interaction between NAT and sub-zones is explained in
    shorewall-nat.

4)  The 'show filters' command now works with Simple TC.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep | 27 May 01:26 2014

Shorewall 4.5.21.10

For those who are reluctant to upgrade to the new major release, I've
corrected a couple of problems in 4.5.21.

1)  The tarball installers now install .service files with mode 644
    rather than mode 600.

2)  Previously, 1:1 NAT was disabled in Shorewall6, even if IPv6 NAT is
    supported.

3)  The 'show filters' command now works with Simple TC and shows
    ingress filters in both Simple and Complex TC.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Paolo | 26 May 13:54 2014

host


Hi list

I usually install shorewall on stand-alone servers or on servers
that act not only as servers, but also as a gateway for other boxes.
If I install a dedicated box as a firewall, I usually consider a dedicated
distro like IpCop, PFSense, ZeroShell, ... because they give me a distro
that is already hardened and some tools, like graphical reports, that are very
useful for monitoring activity.
Using Munin/Monitorix/... I can have the flexibility of Shorewall and the
comfort of a visual monitoring system. I like this combination, so
sometimes I ask myself, and now the list: If you are planning to
install a box whose primary activity is firewalling (usual
NET/LAN/DMZ/WLAN config), which distro do you consider/prefer?
Any particular packages and/or advice for configuration?

Thanks, P.

Lee Brown | 24 May 20:18 2014

Re: shorewall show filters not working

On Fri, May 23, 2014 at 9:19 AM, Tom Eastep <teastep <at> shorewall.net> wrote:
> On 5/22/2014 7:35 PM, Lee Brown wrote:
>> Hi list,
>>
>> I recently installed shorewall 4.5.21.9 on Centos6.5 (2.6.32) on metal
>> and another install of 4.6.0 on Slackware 14.1 (3.10.17) in a KVM under
>> it.  I notice that on both these systems shorewall show filters iterates
>> the devices but provides no output.  I believe the 'tc' tool may have
>> changed behaviour.
>>
>> I can see tc filters being added via 'tc monitor', but a 'tc show
>> filters dev eth0' produces no output.  'tc show filters dev eth0 root'
>> provides some output and if you know all the parent id's, 'tc show
>> filters dev eth0 parent xxx:' gets output.
>>
>> From the slack KVM, I've included a tar of the /etc/shorewall directory,
>> which includes a file called dump.txt which is the output from shorewall
>> dump, plus a file called console to illustrate the problem.  It's very
>> small.
>>
>> I used no filters on my previous systems which were Centos5.9 (2.6.18),
>> so I've no basis for when this may have been introduced.
>
> It looks to me as though 'tc filter ls' is broken. The manpage only
> shows 'tc filter show' as a valid command (where 'ls' is a synonym for
> 'show'). 'tc filter show [ parent ] root' works as you have observed,
> but 'tc filter show parent 1' does not, even though there are filters
> defined for qdisc 1. Similarly 'tc filter show parent ffff' doesn't
> work, even though 'ffff' is equivalent to 'root'.
>
> Attached is a hack that improves the output of 'shorewall show filters',
> but it's only a band-aid.

Thanks Tom,

I found this, right after the statement starting qt, line 256 or so
gets non-root filters for my particular example, but it feels pretty
distasteful.  The awk code can be improved not to assume field 7, but
this is a hack anyway...maybe introduces awk as a dependency as well?

tc class show dev $device | awk '{print "echo && echo Node ",$7," && tc -s filter show dev '$device' parent ",$7}'|sh

YMMV -- lee
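
The improvement suggested in the message above (not assuming field 7, and not feeding awk-generated text to `sh`), as an added example that is not part of the original post or of Shorewall: it assumes the value the hack wants is the qdisc handle that follows the `leaf` keyword in `tc class show` output. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not Shorewall code).

# Constructed sample of `tc class show dev <device>` output.
# Note the root class line: its 7th field is the word "ceil", so a
# field-7 based command would be built from the wrong token.
sample_tc_classes() {
    cat <<'EOF'
class htb 1:11 parent 1:1 leaf 11: prio 1 rate 100000bit ceil 1000Kbit burst 1600b cburst 1600b
class htb 1:1 root rate 1000Kbit ceil 1000Kbit burst 1600b cburst 1600b
class htb 1:12 parent 1:1 leaf 12: prio 2 rate 200000bit ceil 1000Kbit burst 1600b cburst 1600b
class htb 1:13 parent 1:1 leaf bogus prio 3 rate 1000bit ceil 1000Kbit
EOF
}

# Read `tc class show` output on stdin and print one leaf qdisc handle
# per line. The handle is located by the "leaf" keyword, wherever it
# appears, and must look like "<hex>:"; anything else is skipped.
leaf_handles() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "leaf" && $(i + 1) ~ /^[0-9a-fA-F]+:$/) {
                print $(i + 1)
                break
            }
    }'
}

# Show the filters attached to each leaf qdisc of a device. The handle
# is passed to tc as a quoted argument instead of being spliced into a
# command line that a second shell then interprets.
show_leaf_filters() {
    dev=$1
    tc class show dev "$dev" | leaf_handles | while read -r handle; do
        echo
        echo "Node $handle"
        tc -s filter show dev "$dev" parent "$handle"
    done
}

# Stand-alone run: parse the constructed sample only (no tc call).
sample_tc_classes | leaf_handles
```

On a live system the call would be `show_leaf_filters eth0`, run as root.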

Tom Eastep | 24 May 17:15 2014

Re: 6to4 with Charter.com

On 5/24/2014 2:36 AM, Louis Lagendijk wrote:
> On Fri, 2014-05-23 at 17:30 -0700, Tom Eastep wrote:
>> On 5/23/2014 3:59 PM, Tom Eastep wrote:
>>
>>> A couple of things:
>>>
>>> a) That script was written 6 years ago before the distributions had much
>>> support for IPv6. I certainly wouldn't use it today and will remove
>>> mention of it as soon as I have a moment. You really should be using
>>> your distribution's configuration tools to configure the tunnel.
>>>
>>> b) You need to give some thought to how you are going to use the /32.
>>> Your current configuration is totally unusable (the same /32 is defined
>>> on eth0 and eth1). Unless the two interfaces connect to the same
>>> network, you must subnet such that the networks on eth0 and eth1 are
>>> disjoint.
> Charter offers 6rd, where the V6 address is appended to the 6rd prefix,
> effectively giving the OP a single /64 address. I recommend the OP to
> read up on 6rd

Thanks, Louis.

Eric: Here's a Debian Howto:

   http://servernetworktech.com/2012/11/charter-ipv6/

But before you go there, in the material you sent previously, we see:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2602:100:6153:810d:1::1/32 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::250:bfff:feb5:368f/64 scope link
       valid_lft forever preferred_lft forever

and we see:

	auto eth0
	iface eth0 inet dhcp
	iface eth0 inet6 dhcp

Did you configure the IPv6 address yourself or did dhcpv6 configure it
for you?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Orion Poplawski | 19 May 21:00 2014

Support for RHEL7

I'm trying to build the shorewall EPEL package for RHEL7 and getting:

+ pushd shorewall-init-4.6.0
~/build/BUILD/shorewall-4.6.0/shorewall-init-4.6.0 ~/build/BUILD/shorewall-4.6.0
+ ./configure vendor=redhat SYSTEMD=/usr/lib/systemd/system SBINDIR=/usr/sbin
INFO: Creating a redhat-specific installation -  Mon May 19 18:24:23 UTC 2014
HOST=redhat
PREFIX=/usr
SHAREDIR=${PREFIX}/share
LIBEXECDIR=${PREFIX}/libexec
PERLLIBDIR=/usr/share/perl5/vendor_perl
CONFDIR=/etc
SBINDIR=/usr/sbin
MANDIR=${SHAREDIR}/man
INITDIR=/etc/rc.d/init.d
INITSOURCE=init.fedora.sh
INITFILE=$PRODUCT
AUXINITSOURCE=
AUXINITFILE=
SYSTEMD=/usr/lib/systemd/system
SERVICEFILE=                      	
SYSCONFFILE=sysconfig
SYSCONFDIR=/etc/sysconfig/
SPARSE=
ANNOTATED=
VARLIB=/var/lib
VARDIR=${VARLIB}/$PRODUCT
+ DESTDIR=/builddir/build/BUILDROOT/shorewall-4.6.0-1.el7.noarch
+ ./install.sh
ERROR: Unknown BUILD environment (rhel)

FYI - RHEL7 is much like Fedora at this point and uses systemd.

# cat /etc/os-release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.0 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="7.0"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.0 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.0:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.0
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION=7.0

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion <at> nwra.com
Boulder, CO 80301                   http://www.nwra.com

Victor Galino | 19 May 11:22 2014

Shorewall Asterisk SIP Calls Stop at 30 minutes


Hello

I configured shorewall for an Asterisk server.

I needed to add to /etc/shorewall/start:

rmmod nf_nat_sip &> /dev/null
rmmod nf_conntrack_sip &> /dev/null


And it works fine.

The only problem I detect is that when I have a call established, at the 30-minute mark the call goes down and I need to make another call.

The configuration is on CentOS 6.5 Final with kernel 2.6.32-431.17.1, Shorewall 4.5.4.

I am sending the parts of the shorewall dump related to the modules and nf_conntrack; I understand it is something generic with TCP connections or nf_conntrack (netfilter).

Thanks in advance
Regards
Victor



/proc

   /proc/version = Linux version 2.6.32-431.17.1.el6.x86_64 (mockbuild <at> c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Wed May 7 23:32:49 UTC 2014
   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/arp_ignore = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 0
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/arp_ignore = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 0
   /proc/sys/net/ipv4/conf/default/log_martians = 1
   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/log_martians = 1
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/log_martians = 1
   /proc/sys/net/ipv4/conf/tun3/proxy_arp = 0
   /proc/sys/net/ipv4/conf/tun3/arp_filter = 0
   /proc/sys/net/ipv4/conf/tun3/arp_ignore = 0
   /proc/sys/net/ipv4/conf/tun3/rp_filter = 0
   /proc/sys/net/ipv4/conf/tun3/log_martians = 1



Modules

ip_set                 30977  1 xt_set
iptable_filter          2793  1
iptable_mangle          3349  1
iptable_nat             6158  0
iptable_raw             2264  0
ip_tables              17831  4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_addrtype            2153  5
ipt_ah                  1247  0
ipt_CLUSTERIP           6796  0
ipt_ecn                 1507  0
ipt_ECN                 1955  0
ipt_LOG                 5845  9
ipt_MASQUERADE          2466  0
ipt_NETMAP              1832  0
ipt_REDIRECT            1840  0
ipt_REJECT              2351  4
ipt_ULOG               10765  0
nf_conntrack           79758  32 xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_conntrack_snmp,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_proto_udplite,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_broadcast,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda     2979  1 nf_nat_amanda
nf_conntrack_broadcast     1471  2 nf_conntrack_snmp,nf_conntrack_netbios_ns
nf_conntrack_ftp       12913  1 nf_nat_ftp
nf_conntrack_h323      67696  1 nf_nat_h323
nf_conntrack_ipv4       9506  16 iptable_nat,nf_nat
nf_conntrack_irc        5530  1 nf_nat_irc
nf_conntrack_netbios_ns     1323  0
nf_conntrack_netlink    17392  0
nf_conntrack_pptp      12166  1 nf_nat_pptp
nf_conntrack_proto_gre     7003  1 nf_conntrack_pptp
nf_conntrack_proto_sctp    12482  0
nf_conntrack_proto_udplite     3348  0
nf_conntrack_sane       5716  0
nf_conntrack_snmp       1651  1 nf_nat_snmp_basic
nf_conntrack_tftp       4878  1 nf_nat_tftp
nf_defrag_ipv4          1483  2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6         11156  1 xt_TPROXY
nf_nat                 22759  11 ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,iptable_nat
nf_nat_amanda           1277  0
nf_nat_ftp              3507  0
nf_nat_h323             8830  0
nf_nat_irc              1883  0
nf_nat_pptp             4653  0
nf_nat_proto_gre        3028  1 nf_nat_pptp
nf_nat_snmp_basic       8553  0
nf_nat_tftp              987  0
nf_tproxy_core          1332  1 xt_TPROXY,[permanent]
xt_AUDIT                3064  0
xt_CLASSIFY             1069  0
xt_comment              1034  9
xt_connlimit            3238  0
xt_connmark             1347  0
xt_CONNMARK             1507  0
xt_conntrack            2776  13
xt_dccp                 2215  0
xt_dscp                 1831  0
xt_DSCP                 2279  0
xt_hashlimit            9685  0
xt_helper               1497  0
xt_iprange              2312  0
xt_length               1322  0
xt_limit                2118  0
xt_mac                  1118  0
xt_mark                 1057  0
xt_MARK                 1057  1
xt_multiport            2700  2
xt_NFLOG                1195  0
xt_NFQUEUE              2213  0
xt_owner                1252  0
xt_physdev              1741  0
xt_pkttype              1194  0
xt_policy               2616  0
xt_realm                1060  0
xt_recent               7932  0
xt_set                  4032  0
xt_state                1492  0
xt_statistic            1524  0
xt_tcpmss               1607  0
xt_time                 2183  0
xt_TPROXY               9249  0



Shorewall has detected the following iptables/netfilter capabilities:
   NAT (NAT_ENABLED): Available
   Packet Mangling (MANGLE_ENABLED): Available
   Multi-port Match (MULTIPORT): Available
   Extended Multi-port Match (XMULIPORT): Available
   Connection Tracking Match (CONNTRACK_MATCH): Available
   Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
   Packet Type Match (USEPKTTYPE): Available
   Policy Match (POLICY_MATCH): Available
   Physdev Match (PHYSDEV_MATCH): Available
   Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
   Packet length Match (LENGTH_MATCH): Available
   IP range Match(IPRANGE_MATCH): Available
   Recent Match (RECENT_MATCH): Available
   Owner Match (OWNER_MATCH): Available
   Owner Name Match (OWNER_NAME_MATCH): Available
   CONNMARK Target (CONNMARK): Available
   Extended CONNMARK Target (XCONNMARK): Available
   Connmark Match (CONNMARK_MATCH): Available
   Extended Connmark Match (XCONNMARK_MATCH): Available
   Raw Table (RAW_TABLE): Available
   Rawpost Table (RAWPOST_TABLE): Not available
   IPP2P Match (IPP2P_MATCH): Not available
   CLASSIFY Target (CLASSIFY_TARGET): Available
   Extended REJECT (ENHANCED_REJECT): Available
   Repeat match (KLUDGEFREE): Available
   MARK Target (MARK): Available
   Extended MARK Target (XMARK): Available
   Extended MARK Target 2 (EXMARK): Available
   Mangle FORWARD Chain (MANGLE_FORWARD): Available
   Comments (COMMENTS): Available
   Address Type Match (ADDRTYPE): Available
   TCPMSS Match (TCPMSS_MATCH): Available
   Hashlimit Match (HASHLIMIT_MATCH): Available
   NFQUEUE Target (NFQUEUE_TARGET): Available
   Realm Match (REALM_MATCH): Available
   Helper Match (HELPER_MATCH): Available
   Connlimit Match (CONNLIMIT_MATCH): Available
   Time Match (TIME_MATCH): Available
   Goto Support (GOTO_TARGET): Available
   LOGMARK Target (LOGMARK_TARGET): Not available
   IPMARK Target (IPMARK_TARGET): Not available
   LOG Target (LOG_TARGET): Available
   ULOG Target (ULOG_TARGET): Available
   NFLOG Target (NFLOG_TARGET): Available
   Persistent SNAT (PERSISTENT_SNAT): Available
   TPROXY Target (TPROXY_TARGET): Available
   FLOW Classifier (FLOW_FILTER): Available
   fwmark route mask (FWMARK_RT_MASK): Available
   Mark in any table (MARK_ANYWHERE): Available
   Header Match (HEADER_MATCH): Not available
   ACCOUNT Target (ACCOUNT_TARGET): Not available
   AUDIT Target (AUDIT_TARGET): Available
   ipset V5 (IPSET_V5): Not available
   Condition Match (CONDITION_MATCH): Not available
   Statistic Match (STATISTIC_MATCH): Available
   IMQ Target (IMQ_TARGET): Not available
   DSCP Match (DSCP_MATCH): Available
   DSCP Target (DSCP_TARGET): Available
   Geo IP match: Not available
   iptables -S (IPTABLES_S): Available
   Basic Filter (BASIC_FILTER): Available
   CT Target (CT_TARGET): Not available



Traffic Control

Device eth0:
qdisc mq 0: root
 Sent 1346296381 bytes 11623838 pkt (dropped 0, overlimits 0 requeues 7)
 rate 0bit 0pps backlog 0b 0p requeues 7

class mq :1 root
 Sent 842127610 bytes 5697988 pkt (dropped 0, overlimits 0 requeues 1)
 backlog 0b 0p requeues 1
class mq :2 root
 Sent 504168771 bytes 5925850 pkt (dropped 0, overlimits 0 requeues 6)
 backlog 0b 0p requeues 6

Device tun3:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 38445759 bytes 443154 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0



TC Filters

Device eth0:

Device tun3:






 
