[Shorewall-users] Traffic shaping Bug?

Florent zebulon94 at wanadoo.fr
Thu Sep 2 08:42:01 PDT 2004


Hello,

I'm currently trying to set up traffic shaping with Shorewall and I have strong
feelings that I found a bug.
I may be mistaken, but I tried everything and can't get it to work.

I've turned ON TC_ENABLED=Yes and CLEAR_TC=Yes.
When I start shorewall ( shorewall start ), I get this message:


Setting up Traffic Control Rules...
TC Rule "2 eth1 0.0.0.0/0 tcp 80 " added
iptables v1.2.9: unknown protocol `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
Processing /etc/shorewall/stop .


My tcrules file is as simple as:

#MARK           SOURCE          DEST            PROTO   PORT(S) CLIENT  USER
2                       eth1                0.0.0.0/0       tcp         80


As a result, I tried to get more information using the shorewall start debug 2 >
file command.
Here's what I got:

+ run_iptables2 -t mangle -A tcfor -p -j MARK --set-mark 'PORT(S)'
+ '[' 'x-t mangle -A tcfor -p -j MARK --set-mark PORT(S)' = 'x-t mangle -A tcfor -p -j MARK --set-mark PORT(S)' ']'
+ run_iptables -t mangle -A tcfor -p -j MARK --set-mark 'PORT(S)'
+ '[' -n '' ']'
+ iptables -t mangle -A tcfor -p -j MARK --set-mark 'PORT(S)'
iptables v1.2.9: unknown protocol `-j' specified
Try `iptables -h' or 'iptables --help' for more information.
+ '[' -z '' ']'
+ stop_firewall


What I understand here is that shorewall doesn't write the "tcp" protocol after
the -p option. Am I right? Is there a quick fix for that?

Here is some information about my system:


shorewall version
2.0.8

ip addr show

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: shaper0: <> mtu 1500 qdisc noop qlen 10
    link/ether 
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:fc:6c:fb:84 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::250:fcff:fe6c:fb84/64 scope link 
       valid_lft forever preferred_lft forever
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:fc:4d:68:ad brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
    inet6 fe80::250:fcff:fe4d:68ad/64 scope link 
       valid_lft forever preferred_lft forever
5: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
    link/void 
6: tunl0: <NOARP> mtu 1480 qdisc noop 
    link/ipip 0.0.0.0 brd 0.0.0.0
7: gre0: <NOARP> mtu 1476 qdisc noop 
    link/gre 0.0.0.0 brd 0.0.0.0
8: sit0: <NOARP> mtu 1480 qdisc noop 
    link/sit 0.0.0.0 brd 0.0.0.0
9: ip6tnl0: <NOARP> mtu 1460 qdisc noop 
    link/tunnel6 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
23: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp 
    inet 81.56.195.25 peer 192.168.254.254/32 scope global ppp0


ip route show

ip route show
192.168.254.254 dev ppp0  proto kernel  scope link  src 81.56.195.25
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1 
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1 
default via 192.168.254.254 dev ppp0 


tc -V
tc utility, iproute2-ss010824

iptables -V
iptables v1.2.9

uname -a
Linux zaibe 2.6.8 #4 Wed Sep 1 15:41:29 CEST 2004 i686 GNU/Linux
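
The trace in the message above shows iptables receiving nothing after -p and the literal 'PORT(S)' as the mark value. A pre-flight check for those two symptoms in a tcrules file, as an added example that is not part of the original post and not Shorewall's own code; `check_tcrules` and `sample_tcrules` are hypothetical names, the sample rows are constructed, and treating MARK as a plain decimal number is an assumption of this example:

```shell
#!/bin/sh
# Added example, not Shorewall code: pre-flight lint for a tcrules file.
# Column order follows the header shown in the post: MARK SOURCE DEST PROTO ...

# Constructed sample, NOT the poster's file: line 2 is built to yield the
# same fields as the trace (mark 'PORT(S)', empty PROTO).
sample_tcrules() {
    cat <<'EOF'
#MARK  SOURCE  DEST       PROTO
PORT(S) CLIENT USER
2      eth1    0.0.0.0/0  tcp  80
EOF
}

# check_tcrules FILE: print one finding per line; return 1 if any were found.
check_tcrules() {
    file=$1 n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f       # split on whitespace, no globbing
        [ $# -eq 0 ] && continue           # blank line
        case $1 in '#'*) continue ;; esac  # comment line
        # Assumption of this example: MARK is a plain decimal number.
        case $1 in
            *[!0-9]*) echo "line $n: MARK '$1' is not a number"; bad=1 ;;
        esac
        # An empty fourth column is what turns into "-p -j" in the trace.
        if [ -z "${4:-}" ]; then
            echo "line $n: PROTO is empty (would become 'iptables ... -p -j')"
            bad=1
        fi
    done < "$file"
    return $bad
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_tcrules > "$tmp"
check_tcrules "$tmp" || echo "tcrules has problems; not starting shorewall"
rm -f "$tmp"
```
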




