From: David K. <dmk...@gm...> - 2012-01-30 19:34:41
On Mon, Jan 30, 2012 at 12:19 PM, Tom Eastep <te...@sh...> wrote:
> On Mon, 2012-01-30 at 11:22 -0600, David Koscinski wrote:
>
> > Do I misunderstand the capabilities of the MARK column in the
> > accounting table? Or have I misconfigured something?
>
> It's not possible to say, given what you have told us.
>
> 1. Which chain(s) are you doing your TC marking in?
> 2. It appears that you are doing your accounting in the filter table, is
> that correct? (Shorewall also allows you to do accounting in the
> mangle).
>
> I suspect that you are marking packets after they have been through
> accounting; that would explain what you are seeing. You may wish to
> refer to the diagram at http://www.shorewall.net/NetfilterOverview.html.
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Sho...@li...
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Sorry for the top post last time.

I've been thinking some more about your reply and I've been studying the netfilter diagram you referenced and the shorewall-accounting documentation. From that I can definitely say that I am doing accounting in the netfilter table. According to the diagram the last chain that /etc/shorewall/accounting would see is FORWARD.

So my tcrules that apply mark 3 cannot be accounted for because they have not been applied yet.

3:T 0.0.0.0/0 0.0.0.0/0 udp 1194 # openvpn

So then to mark the openvpn traffic that is generated on the firewall (since it hosts openvpn) I would need a tcrule like this:

3 fw 0.0.0.0/0 udp 1194 # openvpn

As I understand it, this would mark in the OUTPUT chain, which is part of the filter table. Is that reasoning correct?

Thanks again.

david.
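Whether a mark set by a tcrules entry is visible to filter-table accounting comes down to traversal order, so here is an added Python model of that order (not code from the thread or from Shorewall) that encodes the tcrules MARK-column suffixes :P/:F/:T and the OUTPUT default for an fw source, then checks the two rules quoted above. The hook/table ordering follows the NetfilterOverview diagram referenced in the reply; treating an accounting rule as possibly sitting in any chain of its table is a simplifying assumption.

```python
# Constructed model of the Netfilter traversal order shown in the
# NetfilterOverview diagram: ordered (hook, table) stages per packet path.
PATHS = {
    "forward": [("PREROUTING", "raw"), ("PREROUTING", "mangle"), ("PREROUTING", "nat"),
                ("FORWARD", "mangle"), ("FORWARD", "filter"),
                ("POSTROUTING", "mangle"), ("POSTROUTING", "nat")],
    "input":   [("PREROUTING", "raw"), ("PREROUTING", "mangle"), ("PREROUTING", "nat"),
                ("INPUT", "mangle"), ("INPUT", "filter")],
    "output":  [("OUTPUT", "raw"), ("OUTPUT", "mangle"), ("OUTPUT", "nat"),
                ("OUTPUT", "filter"), ("POSTROUTING", "mangle"), ("POSTROUTING", "nat")],
}

# Shorewall tcrules MARK-column suffixes and the mangle chain each selects.
SUFFIX_CHAIN = {"P": "PREROUTING", "F": "FORWARD", "T": "POSTROUTING"}


def tcrule_chain(mark_field, source):
    """Chain in which a tcrules MARK entry such as '3:T' is applied.
    Without a suffix the default is PREROUTING, or OUTPUT when the
    SOURCE column is the firewall itself (fw / $FW)."""
    _, _, suffix = mark_field.partition(":")
    if suffix:
        return SUFFIX_CHAIN[suffix.upper()]
    return "OUTPUT" if source in ("fw", "$FW") else "PREROUTING"


def accounting_sees_mark(path, mark_chain, acct_table="filter"):
    """True when some stage of `acct_table` on `path` is traversed after the
    mangle stage that sets the mark, so an accounting rule there can match it.
    Simplifying assumption: accounting rules may sit in any chain of that table."""
    stages = PATHS[path]
    mark_stage = (mark_chain, "mangle")
    if mark_stage not in stages:
        return False  # the marking chain is never traversed on this path
    set_at = stages.index(mark_stage)
    return any(i > set_at for i, (_, table) in enumerate(stages) if table == acct_table)


if __name__ == "__main__":
    # The two rules from the thread (constructed from the message text).
    for mark, src, path in (("3:T", "0.0.0.0/0", "forward"), ("3", "fw", "output")):
        chain = tcrule_chain(mark, src)
        seen = accounting_sees_mark(path, chain)
        print(f"MARK {mark} SOURCE {src}: set in mangle {chain}; "
              f"visible to filter-table accounting on the {path} path: {seen}")
```

The forwarded OpenVPN rule marked with :T lands in mangle POSTROUTING, after filter FORWARD, so filter-table accounting never sees mark 3; the fw-sourced rule marks in mangle OUTPUT, which filter OUTPUT does traverse afterwards.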