* bug report and future request
@ 2022-03-21 20:44 Martin Zaharinov
From: Martin Zaharinov @ 2022-03-21 20:44 UTC (permalink / raw)
To: Florian Westphal, netfilter, netfilter-devel, pablo
Hi Netfilter team
First, is it possible to fix this:
You can delete the rule whose handle is 5 with the following command:
% nft delete rule filter output handle 5
Note: There are plans to support rule deletion by passing:
% nft delete rule filter output ip saddr 192.168.1.1 counter
but this is not yet implemented. So you'll have to use the handle to delete rules until that feature is implemented
This is from the docs:
https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management#Removing_rules
If I have 1k rules
table inet nft-qos-static {
chain upload {
type filter hook postrouting priority filter; policy accept;
ip saddr 10.0.0.9 limit rate over 12 mbytes/second burst 50000 kbytes drop
.........
ip saddr 10.0.0.254 limit rate over 12 mbytes/second burst 50000 kbytes drop
}
chain download {
type filter hook prerouting priority filter; policy accept;
ip daddr 10.0.0.9 limit rate over 12 mbytes/second burst 50000 kbytes drop
........
ip saddr 10.0.0.254 limit rate over 12 mbytes/second burst 50000 kbytes drop
}
}
and the problem is that it is not easy to delete the rule for IP 10.0.0.100 or another one in the list.
If I use the handle and list all rules (for example 4k) and parse the handle every 10-15 sec, this will load the CPU.
And second:
is it possible in this rule to use ppp*
table inet filter {
flowtable fastnat {
hook ingress priority 0; devices = { eth0, ppp* };
}
chain forward {
type filter hook forward priority 0; policy accept;
ip protocol { tcp , udp } flow offload @fastnat;
}
}
or vlan*? The problem is that on the system vlan or ppp interfaces come up dynamically; they are brought up automatically when a user connects.
If there are options to fix this and add these options, it will be great,
thanks in advance
Martin.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: bug report and future request
From: Florian Westphal @ 2022-03-21 21:27 UTC (permalink / raw)
To: Martin Zaharinov; +Cc: Florian Westphal, netfilter, netfilter-devel, pablo
Martin Zaharinov <micron10@gmail.com> wrote:
> If I have 1k rules
>
> table inet nft-qos-static {
> chain upload {
> type filter hook postrouting priority filter; policy accept;
> ip saddr 10.0.0.9 limit rate over 12 mbytes/second burst 50000 kbytes drop
> .........
> ip saddr 10.0.0.254 limit rate over 12 mbytes/second burst 50000 kbytes drop
> }
1k rules? That's insane. Don't do that.
There is no need for that many rules; it's also super slow.
Use a static/immutable ruleset with a named set and then add/remove elements from the set.
table inet nft-qos-static {
set limit_ul {
typeof ip saddr
flags dynamic
elements = { 10.0.0.9 limit rate over 12 mbytes/second burst 50000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 50000 kbytes }
}
chain upload {
type filter hook postrouting priority filter; policy accept;
ip saddr @limit_ul drop
}
}
static ruleset: no need to add/delete a rule:
nft add element inet nft-qos-static limit_ul "{ 10.1.2.4 limit rate over 1 mbytes/second burst 1234 kbytes }"
nft delete element inet nft-qos-static limit_ul "{ 10.1.2.4 limit rate over 1 mbytes/second burst 1234 kbytes }"
You can add/delete multiple elements in { }, separated by ",".
* Re: bug report and future request
From: Martin Zaharinov @ 2022-03-22 7:14 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter, netfilter-devel, pablo
Hi Florian
This config looks good, but it does not work: after setting it, the user is not limited by speed.
table inet nft-qos-static {
set limit_ul {
typeof ip saddr
flags dynamic
elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
}
set limit_dl {
typeof ip saddr
flags dynamic
elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
}
chain upload {
type filter hook postrouting priority filter; policy accept;
ip saddr @limit_ul drop
}
chain download {
type filter hook prerouting priority filter; policy accept;
ip saddr @limit_dl drop
}
}
With this config the user with IP 10.0.0.1 is not limited to 5 mbytes,
When I go back to this config:
table inet nft-qos-static {
chain upload {
type filter hook postrouting priority filter; policy accept;
ip saddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
}
chain download {
type filter hook prerouting priority filter; policy accept;
ip daddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
}
}
The user is limited perfectly.
Maybe I missed something?
Martin
> On 21 Mar 2022, at 23:27, Florian Westphal <fw@strlen.de> wrote:
>
> Martin Zaharinov <micron10@gmail.com> wrote:
>> If I have 1k rules
>>
>> table inet nft-qos-static {
>> chain upload {
>> type filter hook postrouting priority filter; policy accept;
>> ip saddr 10.0.0.9 limit rate over 12 mbytes/second burst 50000 kbytes drop
>> .........
>> ip saddr 10.0.0.254 limit rate over 12 mbytes/second burst 50000 kbytes drop
>> }
>
> 1k rules? That's insane. Don't do that.
> There is no need for that many rules; it's also super slow.
>
> Use a static/immutable ruleset with a named set and then add/remove elements from the set.
>
> table inet nft-qos-static {
> set limit_ul {
> typeof ip saddr
> flags dynamic
> elements = { 10.0.0.9 limit rate over 12 mbytes/second burst 50000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 50000 kbytes }
> }
>
> chain upload {
> type filter hook postrouting priority filter; policy accept;
> ip saddr @limit_ul drop
> }
> }
>
> static ruleset: no need to add/delete a rule:
>
> nft add element inet nft-qos-static limit_ul "{ 10.1.2.4 limit rate over 1 mbytes/second burst 1234 kbytes }"
> nft delete element inet nft-qos-static limit_ul "{ 10.1.2.4 limit rate over 1 mbytes/second burst 1234 kbytes }"
>
> You can add/delete multiple elements in { }, separated by ",".
>
* Re: bug report and future request
From: Florian Westphal @ 2022-03-22 10:32 UTC (permalink / raw)
To: Martin Zaharinov; +Cc: Florian Westphal, netfilter, netfilter-devel, pablo
Martin Zaharinov <micron10@gmail.com> wrote:
> Hi Florian
>
> This config looks good, but it does not work: after setting it, the user is not limited by speed.
Works for me. Before:
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 5.09 GBytes 4.37 Gbits/sec 0 sender
[ 5] 0.00-10.00 sec 5.08 GBytes 4.36 Gbits/sec receiver
After:
[ 5] 0.00-10.00 sec 62.9 MBytes 52.7 Mbits/sec 0 sender
[ 5] 0.00-10.00 sec 59.8 MBytes 50.1 Mbits/sec receiver
> table inet nft-qos-static {
> set limit_ul {
> typeof ip saddr
> flags dynamic
> elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
> }
> set limit_dl {
> typeof ip saddr
> flags dynamic
> elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
> }
>
> chain upload {
> type filter hook postrouting priority filter; policy accept;
> ip saddr @limit_ul drop
> }
> chain download {
> type filter hook prerouting priority filter; policy accept;
> ip saddr @limit_dl drop
> }
daddr?
> With this config the user with IP 10.0.0.1 is not limited to 5 mbytes,
> When I go back to this config:
>
> table inet nft-qos-static {
> chain upload {
> type filter hook postrouting priority filter; policy accept;
> ip saddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
> }
>
> chain download {
> type filter hook prerouting priority filter; policy accept;
> ip daddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
~~~~~
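The set-based layout Florian describes above (one static rule per direction, per-IP limits carried as set elements) together with the saddr/daddr distinction he points to in the download chain, as an added example that is not part of the thread: a small Python generator that renders the static ruleset and emits the element-only changes needed when subscribers join, leave or get a new cap. The Limit record, the function names and the 6000 kbytes default burst are this example's own choices, not anything from nftables or the thread.

```python
"""Per-subscriber rate limiting with nftables dynamic sets.

One static rule per direction looks up a set whose elements carry their own
``limit rate`` stateful expression, so subscribers are added, removed or
re-capped by editing set elements, never by adding or deleting rules.
Assumed: IPv4 subscribers, caps in mbytes/second, burst in kbytes.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

TABLE = "inet nft-qos-static"  # table name used in the thread

# Set name, key expression and the direction-specific attribute of Limit.
SETS = (
    ("limit_ul", "ip saddr", "up_mbytes"),    # upload: subscriber is the source
    ("limit_dl", "ip daddr", "down_mbytes"),  # download: subscriber is the destination
)


@dataclass(frozen=True)
class Limit:
    """Caps for one subscriber address (hypothetical record type for this example)."""
    ip: str
    up_mbytes: int
    down_mbytes: int
    burst_kbytes: int = 6000

    def __post_init__(self) -> None:
        ipaddress.IPv4Address(self.ip)  # reject anything that is not a plain IPv4 address
        if min(self.up_mbytes, self.down_mbytes, self.burst_kbytes) <= 0:
            raise ValueError(f"caps must be positive: {self}")

    def element(self, attr: str) -> str:
        """Set element text: the key plus its per-element limit expression."""
        return (f"{self.ip} limit rate over {getattr(self, attr)} mbytes/second "
                f"burst {self.burst_kbytes} kbytes")


def render_ruleset(limits: list[Limit]) -> str:
    """Full static ruleset for ``nft -f``; the rules never change afterwards."""
    out = [f"table {TABLE} {{"]
    for name, key, attr in SETS:
        out += [f"\tset {name} {{", f"\t\ttypeof {key}", "\t\tflags dynamic"]
        if limits:  # an empty 'elements = { }' clause is not valid syntax, so omit it
            out.append("\t\telements = { " + ", ".join(l.element(attr) for l in limits) + " }")
        out.append("\t}")
    out += [
        "\tchain upload {",
        "\t\ttype filter hook postrouting priority filter; policy accept;",
        "\t\tip saddr @limit_ul drop",
        "\t}",
        "\tchain download {",
        "\t\ttype filter hook prerouting priority filter; policy accept;",
        "\t\tip daddr @limit_dl drop",  # daddr here: the subscriber receives the packet
        "\t}",
        "}",
    ]
    return "\n".join(out) + "\n"


def diff_commands(old: list[Limit], new: list[Limit]) -> list[str]:
    """nft script lines that move the live sets from ``old`` to ``new``.

    Feed the joined lines to ``nft -f -`` so the whole change is applied as one
    transaction; no rule is touched, only set elements.
    """
    old_by = {l.ip: l for l in old}
    new_by = {l.ip: l for l in new}
    lines: list[str] = []
    for ip in sorted(old_by.keys() | new_by.keys(), key=ipaddress.IPv4Address):
        o, n = old_by.get(ip), new_by.get(ip)
        for name, _key, attr in SETS:
            before = o.element(attr) if o else None
            after = n.element(attr) if n else None
            if before == after:
                continue  # this direction is unchanged for this subscriber
            if before is not None:
                lines.append(f"delete element {TABLE} {name} {{ {before} }}")
            if after is not None:
                lines.append(f"add element {TABLE} {name} {{ {after} }}")
    return lines


if __name__ == "__main__":
    # Constructed sample data: 10.0.0.1 gets a higher download cap, 10.0.0.254 leaves,
    # 10.0.0.100 joins.
    current = [Limit("10.0.0.1", 5, 5), Limit("10.0.0.254", 12, 12)]
    wanted = [Limit("10.0.0.1", 5, 8), Limit("10.0.0.100", 12, 12)]
    print(render_ruleset(current))
    print("\n".join(diff_commands(current, wanted)))
```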
* Re: bug report and future request
From: Martin Zaharinov @ 2022-03-22 22:55 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter, netfilter-devel, pablo
Hi Florian
Yes, now it works perfectly.
I will test with 1-4k IPs to see the performance vs qdisc or iptables.
For the second, offload question:
Is it possible to make the limiter work in offload mode, and is it possible to add a dynamic interface like ppp* or vlan* or another type?
P.S.
Thanks for the fast reply on the first part!
P.S.2
Resending the mail to the netfilter group
Martin
> On 22 Mar 2022, at 12:32, Florian Westphal <fw@strlen.de> wrote:
>
> Martin Zaharinov <micron10@gmail.com> wrote:
>> Hi Florian
>>
>> This config looks good, but it does not work: after setting it, the user is not limited by speed.
>
> Works for me. Before:
> [ ID] Interval Transfer Bitrate Retr
> [ 5] 0.00-10.00 sec 5.09 GBytes 4.37 Gbits/sec 0 sender
> [ 5] 0.00-10.00 sec 5.08 GBytes 4.36 Gbits/sec receiver
>
> After:
> [ 5] 0.00-10.00 sec 62.9 MBytes 52.7 Mbits/sec 0 sender
> [ 5] 0.00-10.00 sec 59.8 MBytes 50.1 Mbits/sec receiver
>
>> table inet nft-qos-static {
>> set limit_ul {
>> typeof ip saddr
>> flags dynamic
>> elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
>> }
>> set limit_dl {
>> typeof ip saddr
>> flags dynamic
>> elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
>> }
>>
>> chain upload {
>> type filter hook postrouting priority filter; policy accept;
>> ip saddr @limit_ul drop
>> }
>> chain download {
>> type filter hook prerouting priority filter; policy accept;
>> ip saddr @limit_dl drop
>> }
>
> daddr?
>
>> With this config the user with IP 10.0.0.1 is not limited to 5 mbytes,
>
>> When I go back to this config:
>>
>> table inet nft-qos-static {
>> chain upload {
>> type filter hook postrouting priority filter; policy accept;
>> ip saddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
>> }
>>
>> chain download {
>> type filter hook prerouting priority filter; policy accept;
>> ip daddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
> ~~~~~
* Re: bug report and future request
From: Martin Zaharinov @ 2022-03-24 7:52 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter, netfilter-devel, pablo
Hi all
One more thing: after switching all rules to use only nft (removed qdisc from the kernel config, and removed all iptables tables), in perf top I see nft_do_chain is up to 3-4% on all cores, and if I isolate with perf top -C X I see that on one core it is up to 10-15%:
31.26% [pppoe] [k] pppoe_rcv
3.19% [nf_tables] [k] nft_do_chain
2.46% [kernel] [k] __netif_receive_skb_core.constprop.0
2.18% [kernel] [k] fib_table_lookup
2.07% [i40e] [k] i40e_clean_rx_irq
1.51% [kernel] [k] __dev_queue_xmit
1.23% [kernel] [k] dev_queue_xmit_nit
1.23% [nf_conntrack] [k] __nf_conntrack_find_get.isra.0
1.20% [kernel] [k] __copy_skb_header
1.19% [kernel] [k] kmem_cache_free
1.17% [kernel] [k] skb_release_data
1.06% [nf_tables] [k] nft_rhash_lookup
Are there options to optimize the work of the nft rule set?
And for the second question, is it possible to make this limiter work in a flow table rule set:
#table inet filter {
# flowtable fastnat {
# hook ingress priority 0; devices = { eth0, eth1 };
# }
#
# chain forward {
# type filter hook forward priority 0; policy accept;
# ip protocol { tcp , udp } flow offload @fastnat;
# }
#}
Like this, and if there are options to make the devices list dynamic, to add devices automatically or to add devices with *.
If the limiter works in the flow table, it will offload traffic and reduce CPU load.
Martin
> On 23 Mar 2022, at 0:55, Martin Zaharinov <micron10@gmail.com> wrote:
>
> Hi Florian
>
> Yes, now it works perfectly.
> I will test with 1-4k IPs to see the performance vs qdisc or iptables.
>
> For the second, offload question:
>
> Is it possible to make the limiter work in offload mode, and is it possible to add a dynamic interface like ppp* or vlan* or another type?
>
>
>
> P.S.
>
> Thanks for the fast reply on the first part!
>
> P.S.2
>
> Resending the mail to the netfilter group
>
> Martin
>
>> On 22 Mar 2022, at 12:32, Florian Westphal <fw@strlen.de> wrote:
>>
>> Martin Zaharinov <micron10@gmail.com> wrote:
>>> Hi Florian
>>>
>>> This config looks good, but it does not work: after setting it, the user is not limited by speed.
>>
>> Works for me. Before:
>> [ ID] Interval Transfer Bitrate Retr
>> [ 5] 0.00-10.00 sec 5.09 GBytes 4.37 Gbits/sec 0 sender
>> [ 5] 0.00-10.00 sec 5.08 GBytes 4.36 Gbits/sec receiver
>>
>> After:
>> [ 5] 0.00-10.00 sec 62.9 MBytes 52.7 Mbits/sec 0 sender
>> [ 5] 0.00-10.00 sec 59.8 MBytes 50.1 Mbits/sec receiver
>>
>>> table inet nft-qos-static {
>>> set limit_ul {
>>> typeof ip saddr
>>> flags dynamic
>>> elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
>>> }
>>> set limit_dl {
>>> typeof ip saddr
>>> flags dynamic
>>> elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
>>> }
>>>
>>> chain upload {
>>> type filter hook postrouting priority filter; policy accept;
>>> ip saddr @limit_ul drop
>>> }
>>> chain download {
>>> type filter hook prerouting priority filter; policy accept;
>>> ip saddr @limit_dl drop
>>> }
>>
>> daddr?
>>
>>> With this config the user with IP 10.0.0.1 is not limited to 5 mbytes,
>>
>>> When I go back to this config:
>>>
>>> table inet nft-qos-static {
>>> chain upload {
>>> type filter hook postrouting priority filter; policy accept;
>>> ip saddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
>>> }
>>>
>>> chain download {
>>> type filter hook prerouting priority filter; policy accept;
>>> ip daddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
>> ~~~~~
>
* Re: bug report and future request
From: Martin Zaharinov @ 2022-03-24 12:09 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter, netfilter-devel, pablo
One more update
I tried to make a rule for the limiter in offload mode:
table inet nft-qos-static {
set limit_ul {
typeof ip saddr
flags dynamic
}
set limit_dl {
typeof ip daddr
flags dynamic
}
chain upload {
type filter hook prerouting priority filter ; policy accept;
ip saddr @limit_ul drop;
}
chain download {
type filter hook postrouting priority filter; policy accept;
ip daddr @limit_dl drop;
}
flowtable fastnat {
hook ingress priority filter; devices = { eth0, eth1 };
}
chain forward {
type filter hook forward priority filter; policy accept;
ip protocol { tcp , udp } flow offload @fastnat;
}
}
It does not work perfectly: only the upload limit works, download gets the full channel.
In the test I set 100mbit up/down; upload stays at ~100mbit, but download goes up to 250-300mbit (I have this limit from my ISP).
The problem is the limiter works only for upload; is it possible to make it work on the download rule?
Martin
> On 24 Mar 2022, at 9:52, Martin Zaharinov <micron10@gmail.com> wrote:
>
> Hi all
>
> One more thing: after switching all rules to use only nft (removed qdisc from the kernel config, and removed all iptables tables), in perf top I see nft_do_chain is up to 3-4% on all cores, and if I isolate with perf top -C X I see that on one core it is up to 10-15%:
>
> 31.26% [pppoe] [k] pppoe_rcv
> 3.19% [nf_tables] [k] nft_do_chain
> 2.46% [kernel] [k] __netif_receive_skb_core.constprop.0
> 2.18% [kernel] [k] fib_table_lookup
> 2.07% [i40e] [k] i40e_clean_rx_irq
> 1.51% [kernel] [k] __dev_queue_xmit
> 1.23% [kernel] [k] dev_queue_xmit_nit
> 1.23% [nf_conntrack] [k] __nf_conntrack_find_get.isra.0
> 1.20% [kernel] [k] __copy_skb_header
> 1.19% [kernel] [k] kmem_cache_free
> 1.17% [kernel] [k] skb_release_data
> 1.06% [nf_tables] [k] nft_rhash_lookup
>
>
> Are there options to optimize the work of the nft rule set?
>
> And for the second question, is it possible to make this limiter work in a flow table rule set:
>
> #table inet filter {
> # flowtable fastnat {
> # hook ingress priority 0; devices = { eth0, eth1 };
> # }
> #
> # chain forward {
> # type filter hook forward priority 0; policy accept;
> # ip protocol { tcp , udp } flow offload @fastnat;
> # }
> #}
>
> Like this, and if there are options to make the devices list dynamic, to add devices automatically or to add devices with *.
> If the limiter works in the flow table, it will offload traffic and reduce CPU load.
>
> Martin
>
>> On 23 Mar 2022, at 0:55, Martin Zaharinov <micron10@gmail.com> wrote:
>>
>> Hi Florian
>>
>> Yes, now it works perfectly.
>> I will test with 1-4k IPs to see the performance vs qdisc or iptables.
>>
>> For the second, offload question:
>>
>> Is it possible to make the limiter work in offload mode, and is it possible to add a dynamic interface like ppp* or vlan* or another type?
>>
>>
>>
>> P.S.
>>
>> Thanks for the fast reply on the first part!
>>
>> P.S.2
>>
>> Resending the mail to the netfilter group
>>
>> Martin
>>
>>> On 22 Mar 2022, at 12:32, Florian Westphal <fw@strlen.de> wrote:
>>>
>>> Martin Zaharinov <micron10@gmail.com> wrote:
>>>> Hi Florian
>>>>
>>>> This config looks good, but it does not work: after setting it, the user is not limited by speed.
>>>
>>> Works for me. Before:
>>> [ ID] Interval Transfer Bitrate Retr
>>> [ 5] 0.00-10.00 sec 5.09 GBytes 4.37 Gbits/sec 0 sender
>>> [ 5] 0.00-10.00 sec 5.08 GBytes 4.36 Gbits/sec receiver
>>>
>>> After:
>>> [ 5] 0.00-10.00 sec 62.9 MBytes 52.7 Mbits/sec 0 sender
>>> [ 5] 0.00-10.00 sec 59.8 MBytes 50.1 Mbits/sec receiver
>>>
>>>> table inet nft-qos-static {
>>>> set limit_ul {
>>>> typeof ip saddr
>>>> flags dynamic
>>>> elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
>>>> }
>>>> set limit_dl {
>>>> typeof ip saddr
>>>> flags dynamic
>>>> elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
>>>> }
>>>>
>>>> chain upload {
>>>> type filter hook postrouting priority filter; policy accept;
>>>> ip saddr @limit_ul drop
>>>> }
>>>> chain download {
>>>> type filter hook prerouting priority filter; policy accept;
>>>> ip saddr @limit_dl drop
>>>> }
>>>
>>> daddr?
>>>
>>>> With this config the user with IP 10.0.0.1 is not limited to 5 mbytes,
>>>
>>>> When I go back to this config:
>>>>
>>>> table inet nft-qos-static {
>>>> chain upload {
>>>> type filter hook postrouting priority filter; policy accept;
>>>> ip saddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
>>>> }
>>>>
>>>> chain download {
>>>> type filter hook prerouting priority filter; policy accept;
>>>> ip daddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
>>> ~~~~~
>>
>
* Re: bug report and future request
From: Pablo Neira Ayuso @ 2022-03-24 12:20 UTC (permalink / raw)
To: Martin Zaharinov; +Cc: Florian Westphal, netfilter, netfilter-devel
On Thu, Mar 24, 2022 at 02:09:25PM +0200, Martin Zaharinov wrote:
> One more update
>
> I tried to make a rule for the limiter in offload mode:
>
> table inet nft-qos-static {
> set limit_ul {
> typeof ip saddr
> flags dynamic
> }
> set limit_dl {
> typeof ip daddr
> flags dynamic
> }
>
> chain upload {
> type filter hook prerouting priority filter ; policy accept;
> ip saddr @limit_ul drop;
> }
>
> chain download {
> type filter hook postrouting priority filter; policy accept;
> ip daddr @limit_dl drop;
>
> }
> flowtable fastnat {
> hook ingress priority filter; devices = { eth0, eth1 };
> }
> chain forward {
> type filter hook forward priority filter; policy accept;
> ip protocol { tcp , udp } flow offload @fastnat;
> }
> }
>
> It does not work perfectly: only the upload limit works, download gets the full channel.
>
> In the test I set 100mbit up/down; upload stays at ~100mbit, but download goes up to 250-300mbit (I have this limit from my ISP).
>
> The problem is the limiter works only for upload; is it possible to make it work on the download rule?
If you want to combine ratelimit/policing with flowtable, then you
have to use the ingress and egress hooks, not prerouting and
postrouting.
Make sure you place the flowtable in a priority that comes after the
priority of your ingress hook.
* Re: bug report and future request
From: Martin Zaharinov @ 2022-03-24 12:23 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter, netfilter-devel
Hi Pablo
Based on this rule:
table inet nft-qos-static {
set limit_ul {
typeof ip saddr
flags dynamic
}
set limit_dl {
typeof ip daddr
flags dynamic
}
chain download {
type filter hook postrouting priority filter; policy accept;
ip daddr @limit_dl drop
}
chain upload {
type filter hook prerouting priority filter ; policy accept;
ip saddr @limit_ul drop;
}
flowtable fastnat {
hook ingress priority filter; devices = { eth0, eth1 };
}
chain forward {
type filter hook forward priority filter; policy accept;
ip protocol { tcp , udp } flow offload @fastnat;
}
}
Where do I set this? Please help.
> On 24 Mar 2022, at 14:20, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Thu, Mar 24, 2022 at 02:09:25PM +0200, Martin Zaharinov wrote:
>> One more update
>>
>> I tried to make a rule for the limiter in offload mode:
>>
>> table inet nft-qos-static {
>> set limit_ul {
>> typeof ip saddr
>> flags dynamic
>> }
>> set limit_dl {
>> typeof ip daddr
>> flags dynamic
>> }
>>
>> chain upload {
>> type filter hook prerouting priority filter ; policy accept;
>> ip saddr @limit_ul drop;
>> }
>>
>> chain download {
>> type filter hook postrouting priority filter; policy accept;
>> ip daddr @limit_dl drop;
>>
>> }
>> flowtable fastnat {
>> hook ingress priority filter; devices = { eth0, eth1 };
>> }
>> chain forward {
>> type filter hook forward priority filter; policy accept;
>> ip protocol { tcp , udp } flow offload @fastnat;
>> }
>> }
>>
>> It does not work perfectly: only the upload limit works, download gets the full channel.
>>
>> In the test I set 100mbit up/down; upload stays at ~100mbit, but download goes up to 250-300mbit (I have this limit from my ISP).
>>
>> The problem is the limiter works only for upload; is it possible to make it work on the download rule?
>
> If you want to combine ratelimit/policing with flowtable, then you
> have to use the ingress and egress hooks, not prerouting and
> postrouting.
>
> Make sure you place the flowtable in a priority that comes after the
> priority of your ingress hook.
* Re: bug report and future request
From: Martin Zaharinov @ 2022-03-24 21:43 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter, netfilter-devel
Hi Pablo
Unfortunately I can't find any documentation on how to do it :(
Martin
> On 24 Mar 2022, at 14:23, Martin Zaharinov <micron10@gmail.com> wrote:
>
> Hi Pablo
>
> Based on this rule:
>
> table inet nft-qos-static {
> set limit_ul {
> typeof ip saddr
> flags dynamic
> }
> set limit_dl {
> typeof ip daddr
> flags dynamic
> }
>
> chain download {
> type filter hook postrouting priority filter; policy accept;
> ip daddr @limit_dl drop
>
> }
> chain upload {
> type filter hook prerouting priority filter ; policy accept;
> ip saddr @limit_ul drop;
> }
> flowtable fastnat {
> hook ingress priority filter; devices = { eth0, eth1 };
> }
> chain forward {
> type filter hook forward priority filter; policy accept;
> ip protocol { tcp , udp } flow offload @fastnat;
> }
> }
>
>
> Where do I set this? Please help.
>
>
>> On 24 Mar 2022, at 14:20, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>>
>> On Thu, Mar 24, 2022 at 02:09:25PM +0200, Martin Zaharinov wrote:
>>> One more update
>>>
>>> I tried to make a rule for the limiter in offload mode:
>>>
>>> table inet nft-qos-static {
>>> set limit_ul {
>>> typeof ip saddr
>>> flags dynamic
>>> }
>>> set limit_dl {
>>> typeof ip daddr
>>> flags dynamic
>>> }
>>>
>>> chain upload {
>>> type filter hook prerouting priority filter ; policy accept;
>>> ip saddr @limit_ul drop;
>>> }
>>>
>>> chain download {
>>> type filter hook postrouting priority filter; policy accept;
>>> ip daddr @limit_dl drop;
>>>
>>> }
>>> flowtable fastnat {
>>> hook ingress priority filter; devices = { eth0, eth1 };
>>> }
>>> chain forward {
>>> type filter hook forward priority filter; policy accept;
>>> ip protocol { tcp , udp } flow offload @fastnat;
>>> }
>>> }
>>>
>>> It does not work perfectly: only the upload limit works, download gets the full channel.
>>>
>>> In the test I set 100mbit up/down; upload stays at ~100mbit, but download goes up to 250-300mbit (I have this limit from my ISP).
>>>
>>> The problem is the limiter works only for upload; is it possible to make it work on the download rule?
>>
>> If you want to combine ratelimit/policing with flowtable, then you
>> have to use the ingress and egress hooks, not prerouting and
>> postrouting.
>>
>> Make sure you place the flowtable in a priority that comes after the
>> priority of your ingress hook.
>
* Re: bug report and future request
From: Martin Zaharinov @ 2022-04-05 14:12 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Florian Westphal, netfilter, netfilter-devel
Hello Pablo and Florian
I tried to make this work on egress or ingress, but the limiter does not work.
Setup is:
eth0 uplink - WAN
ppp0, ppp1, pppX users
table netdev nft-qos-ingress {
set limit_ul {
typeof ip saddr
flags dynamic
elements = { 10.0.0.11 limit rate over 12800 kbytes/second burst 600 kbytes }
}
chain upload {
type filter hook ingress device "ppp0" priority -450; policy accept;
ip saddr @limit_ul drop
}
}
Here the problem is that when the ppp user disconnects, the rule for ppp0 is removed from nftables (are there options to set ppp* here to list all ppp interfaces?)
For egress I tried this setup, but it does not work on egress:
table netdev nft-qos-egress {
set limit_dl {
typeof ip daddr
flags dynamic
elements = { 10.0.0.11 limit rate over 12800 kbytes/second burst 600 kbytes }
}
chain download {
type filter hook egress device "eth0" priority -450; policy accept;
ip daddr @limit_dl drop
}
}
The idea is to move the limiter to egress and ingress,
which should reduce the CPU load, perhaps.
Best regards,
Martin
> On 24 Mar 2022, at 14:23, Martin Zaharinov <micron10@gmail.com> wrote:
>
> Hi Pablo
>
> Based on this rule:
>
> table inet nft-qos-static {
> set limit_ul {
> typeof ip saddr
> flags dynamic
> }
> set limit_dl {
> typeof ip daddr
> flags dynamic
> }
>
> chain download {
> type filter hook postrouting priority filter; policy accept;
> ip daddr @limit_dl drop
>
> }
> chain upload {
> type filter hook prerouting priority filter ; policy accept;
> ip saddr @limit_ul drop;
> }
> flowtable fastnat {
> hook ingress priority filter; devices = { eth0, eth1 };
> }
> chain forward {
> type filter hook forward priority filter; policy accept;
> ip protocol { tcp , udp } flow offload @fastnat;
> }
> }
>
>
> Where do I set this? Please help.
>
>
>> On 24 Mar 2022, at 14:20, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>>
>> On Thu, Mar 24, 2022 at 02:09:25PM +0200, Martin Zaharinov wrote:
>>> One more update
>>>
>>> I tried to make a rule for the limiter in offload mode:
>>>
>>> table inet nft-qos-static {
>>> set limit_ul {
>>> typeof ip saddr
>>> flags dynamic
>>> }
>>> set limit_dl {
>>> typeof ip daddr
>>> flags dynamic
>>> }
>>>
>>> chain upload {
>>> type filter hook prerouting priority filter ; policy accept;
>>> ip saddr @limit_ul drop;
>>> }
>>>
>>> chain download {
>>> type filter hook postrouting priority filter; policy accept;
>>> ip daddr @limit_dl drop;
>>>
>>> }
>>> flowtable fastnat {
>>> hook ingress priority filter; devices = { eth0, eth1 };
>>> }
>>> chain forward {
>>> type filter hook forward priority filter; policy accept;
>>> ip protocol { tcp , udp } flow offload @fastnat;
>>> }
>>> }
>>>
>>> It does not work perfectly: only the upload limit works, download gets the full channel.
>>>
>>> In the test I set 100mbit up/down; upload stays at ~100mbit, but download goes up to 250-300mbit (I have this limit from my ISP).
>>>
>>> The problem is the limiter works only for upload; is it possible to make it work on the download rule?
>>
>> If you want to combine ratelimit/policing with flowtable, then you
>> have to use the ingress and egress hooks, not prerouting and
>> postrouting.
>>
>> Make sure you place the flowtable in a priority that comes after the
>> priority of your ingress hook.
>