Bug 490150 - multiport in fwmark example

Product: Red Hat Enterprise Linux 5
Component: Documentation-cluster
Version: 5.2
Reporter: Barry Brimer <lists>
Assignee: John Ha <jha>
QA Contact: ecs-bugs
CC: adstrong, lists
Status: CLOSED WONTFIX
Severity: low
Priority: low
Target Milestone: rc
Keywords: Documentation
Hardware: All
OS: Linux
Doc Type: Bug Fix
URL: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Virtual_Server_Administration/s2-lvs-fwm-VSA.html
Last Closed: 2014-06-02 13:09:00 UTC

Description Barry Brimer 2009-03-13 15:26:53 UTC
Description of problem:

The example of creating fwmarks for a multiport service could benefit from the use of a multiport iptables rule.


Version-Release number of selected component (if applicable):
Virtual_Server_Administration(EN)-5.2 (2008-05-15T16:07)


In section 3.4.1. Assigning Firewall Marks there is an example of creating firewall marks for use in a multiport service:


==================================================================================
/sbin/iptables -t mangle -A PREROUTING -p tcp -d n.n.n.n/32 --dport 80 -j MARK --set-mark 80

/sbin/iptables -t mangle-A PREROUTING -p tcp -d n.n.n.n/32 --dport 443 -j MARK --set-mark 80 
==================================================================================

The goal of this example is to mark packets with the same firewall mark, but it is being done in multiple commands, which gives a greater possibility of error or inconsistency. I recommend making use of the multiport directive so that the same firewall mark is made to all relevant ports at the same time in the same command. I would change this example to:

/sbin/iptables -t mangle -A PREROUTING -p tcp -d n.n.n.n/32 -m multiport --dports 80,443 -j MARK --set-mark 80

Also, in the second example in the current documentation, there should be a space between the trailing 'e' in 'mangle' and the '-' used to append this rule to the PREROUTING chain.
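As an added example, not part of the bug report or the RHEL documentation: a POSIX shell helper that emits the single multiport rule the reporter recommends, plus an audit over iptables-save style mangle rules that flags a VIP whose per-port rules carry different marks (the inconsistency the reporter warns about). The VIP 192.0.2.10 and the sample rule lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the bug report or the RHEL documentation.
# Assumes the fwmark convention in the report: one mark shared by every
# port of a multiport LVS service. 192.0.2.10 is a placeholder VIP.

# Emit the single-command multiport form the report recommends.
# Arguments: VIP, mark, comma-separated port list.
mark_rule() {
  printf '/sbin/iptables -t mangle -A PREROUTING -p tcp -d %s/32 -m multiport --dports %s -j MARK --set-mark %s\n' "$1" "$3" "$2"
}

# Audit mangle rules (iptables-save style, on stdin) for one VIP: collect the
# mark each destination port receives and require exactly one distinct mark.
# Exit 1 when ports of the VIP carry different marks or when no rule marks
# the VIP at all; prints "port mark" pairs either way.
check_marks() {
  awk -v vip="$1/32" '
    /^-A PREROUTING/ && index($0, "-d " vip " ") {
      ports = ""; mark = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
        if ($i == "--set-mark" || $i == "--set-xmark") mark = $(i + 1)
      }
      n = split(ports, p, ",")
      for (j = 1; j <= n; j++) marks[p[j]] = mark
    }
    END {
      for (port in marks) { printf "%s %s\n", port, marks[port]; distinct[marks[port]] = 1 }
      n = 0; for (m in distinct) n++
      exit (n != 1)
    }'
}

# Constructed samples in iptables-save form (not captured from a real host).
# GOOD: one multiport rule, one mark. BAD: two per-port rules that drifted apart.
GOOD_RULES='-A PREROUTING -d 192.0.2.10/32 -p tcp -m multiport --dports 80,443 -j MARK --set-xmark 0x50/0xffffffff'
BAD_RULES='-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x50/0xffffffff
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x1bb/0xffffffff'

mark_rule 192.0.2.10 80 80,443
printf '%s\n' "$BAD_RULES" | check_marks 192.0.2.10 || echo "192.0.2.10: ports carry different marks"
```

On a live host the audit reads real rules with `iptables-save -t mangle | check_marks <VIP>`.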

Comment 6 RHEL Program Management 2010-08-09 18:17:41 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 8 RHEL Program Management 2014-03-07 12:45:41 UTC
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.

Comment 9 RHEL Program Management 2014-06-02 13:09:00 UTC
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in the RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).