* [LARTC] incoming traffic + iptable
From: mohican 542003 @ 2007-02-28 14:39 UTC (permalink / raw)
  To: lartc



Hello,

I try to use iptables to mark packets and then to filter them with tc. Here
is my script:
  iptables -t mangle -A PREROUTING -s 172.28.54.41/32 -p tcp -j MARK --set-mark 1
  tc qdisc add dev eth0 handle ffff: ingress
  tc filter add dev eth0 parent ffff: protocol ip prio 1 handle 1 fw police rate 10000kbit burst 10000kbit mtu 1500k drop flowid :1

I can not use u32 because I have several filters with more than one IP
address in each.

Packets seem to be well marked (command: iptables -t mangle -L -vnx)
but packets are not filtered with tc.

Can someone help me?

Thanks,

Olivier.


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] incoming traffic + iptable
From: Nikolay Kichukov @ 2007-03-01  7:21 UTC (permalink / raw)
  To: lartc

Hello there,
Why would you want to mark the packets with iptables in the first place for
ingress shaping?
Why don't you use the tc functionality to specify source and destination
addresses and protocol types?

I would suggest to leave iptables alone and get your hands on TC for doing
traffic control ;-)

So in your example:

  tc qdisc add dev eth0 handle ffff: ingress
  tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.28.54.41/32 police rate 10000kbit burst 10000kbit mtu 1500k drop flowid ffff:

That's an elegant way to achieve what you want.

HTH,
-nik

p.s. Mind the burst parameter, it seems a huge value to me.



* Re: [LARTC] incoming traffic + iptable
From: François Delawarde @ 2007-03-01 15:03 UTC (permalink / raw)
  To: lartc

Hello,
I would need to be able to do that, as I think that iptables is more
powerful for classifying traffic you want to police/shape. I don't
really know tc yet, so could you tell me if it has the possibility of
detecting:

- MAC addresses
- IP TOS/TTL values
- ICMP types
- TCP/UDP flags/ports or port ranges
- layer 7 protocols

Thanks for the help,
François.



* Re: [LARTC] incoming traffic + iptable
From: Nikolay Kichukov @ 2007-03-02  7:38 UTC (permalink / raw)
  To: lartc

Hello there,
Sure, tc can do those; I am not sure about layer 7 protocols. I am no tc
expert myself ;-(

-nik

* Re: [LARTC] incoming traffic + iptable
From: Nikolay Kichukov @ 2007-03-02 16:44 UTC (permalink / raw)
  To: lartc

Glad that helped.

You may want to share the knowledge with the others so I am CCing the list.
Just in case someone else is or will be having the same questions.

-nik


----- Original Message ----- 
From: mohican 542003
To: Nikolay Kichukov
Sent: Friday, March 02, 2007 4:47 PM
Subject: Re: [LARTC] incoming traffic + iptable


Hello,

Thank you very much. I tried it and it works very well.

My script is:
tc qdisc del dev eth0 ingress
tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.24.11.14 police index 1 rate 15000kbit burst 15000kbit drop flowid :5002
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.24.16.11 police index 1 rate 15000kbit burst 15000kbit drop flowid :5002
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.24.100.2 police index 2 rate 15000kbit burst 15000kbit drop flowid :5002

172.24.11.14 and 172.24.16.11 share 15000kbit for incoming traffic and
172.24.100.2 can receive at 15000kbit.

Regards.

Olivier.


2007/3/2, Nikolay Kichukov <hijacker@oldum.net>:
hello,
I was wondering the same thing some time ago and also asked the list
for help; the answer was that I could use the index option to achieve that.

tc filter add ... police index 1 ...
tc filter add ... police index 1 ...
tc filter add ... police index 1 ...
tc filter add ... police index 1 ...

So all your rules should have the index parameter and thus the consumed
bandwidth will be calculated for all the IPs.


However I could not verify that this is actually working. Currently I am not
using it, I just tried it once, but did not have time to do measurements and
calculations. So I cannot confirm if that actually solves the problem you
have. Maybe you can give it a try and let me and the list know if that works
as expected?

-nik

----- Original Message -----
From: mohican 542003
To: Nikolay Kichukov
Sent: Thursday, March 01, 2007 9:45 AM
Subject: Re: [LARTC] incoming traffic + iptable


Hello,
I would like something like:
tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 172.28.54.41/32 match ip src 172.28.54.45/32 match ip src 172.28.54.54/32 match ip src 172.28.54.80/32 police rate 10000kbit burst 10000kbit mtu 1500k drop flowid ffff:
with several IP addresses (not consecutive). The only way to do this seems to
be with iptables to mark packets?

Thanks,

Olivier.


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
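Editor's added example (not code posted in the thread): a small POSIX shell generator for the configuration Olivier ended up with. It turns a list of non-consecutive source addresses into one u32 filter per address and gives every filter of a group the same `police index`, so the whole group is metered by a single policer; that is exactly the role the `index` parameter plays in Nikolay's reply, and it is why a u32 filter with several `match ip src` clauses (which AND the matches) could not express the same thing. Two background facts worth knowing: the ingress qdisc hook runs before netfilter's PREROUTING hook, so a mark set by `iptables -t mangle -A PREROUTING ... -j MARK` is not yet on the packet when an ingress `fw` filter inspects it, which is consistent with the marked-but-not-policed behaviour in the opening post; and on the ingress qdisc the `flowid` value has no classful meaning, so a constant is used. The interface name, the `APPLY` switch and the helper names are this example's own assumptions; the addresses and rates are the ones from Olivier's script.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (and optionally applies) the
# ingress policing rules discussed above: one u32 filter per source address,
# with all filters of a group sharing one "police index" and therefore one
# token bucket. Interface name and the APPLY switch are assumptions.

# Print the tc commands that install a shared policer for a group of sources.
# Usage: gen_ingress_group DEV INDEX RATE BURST ADDR [ADDR...]
gen_ingress_group() {
    dev=$1; idx=$2; rate=$3; burst=$4
    shift 4
    for addr in "$@"; do
        # Same index on every filter of the group => all addresses in the
        # group draw from one rate limit. flowid is meaningless on ingress.
        printf 'tc filter add dev %s parent ffff: protocol ip prio 1 u32 match ip src %s police index %s rate %s burst %s drop flowid :1\n' \
            "$dev" "$addr" "$idx" "$rate" "$burst"
    done
}

# Print the full script: reset the ingress qdisc, then one group per call.
# Group membership and rates below are the values from Olivier's script.
gen_ingress_script() {
    dev=$1
    printf 'tc qdisc del dev %s ingress 2>/dev/null\n' "$dev"
    printf 'tc qdisc add dev %s handle ffff: ingress\n' "$dev"
    # group 1: two hosts share 15000kbit of inbound bandwidth
    gen_ingress_group "$dev" 1 15000kbit 15000kbit 172.24.11.14 172.24.16.11
    # group 2: one host gets its own 15000kbit
    gen_ingress_group "$dev" 2 15000kbit 15000kbit 172.24.100.2
}

# Number of filter rules the generated script installs (sanity check).
count_filters() {
    gen_ingress_script "$1" | grep -c '^tc filter add'
}

# Apply only when explicitly requested (needs root and a real interface):
#   APPLY=1 sh ingress-police.sh eth0
if [ "${APPLY:-0}" = 1 ]; then
    gen_ingress_script "${1:-eth0}" | sh -e
fi
```

Run without `APPLY=1` it only prints the rules, so the output can be reviewed or diffed before anything touches the interface. Policing untrusted sources at ingress this way is also a cheap containment control: one noisy or compromised host in a group cannot consume more than that group's share of inbound bandwidth, and the `drop` action makes the overflow visible in `tc -s filter show dev eth0 ingress` counters.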
