From: Martin Zaharinov <micron10@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>,
	netfilter <netfilter@vger.kernel.org>,
	netfilter-devel@vger.kernel.org
Subject: Re: bug report and future request
Date: Thu, 24 Mar 2022 23:43:47 +0200
Message-ID: <59BE8A6C-B066-48C9-AD66-7EDBE2C7482E@gmail.com>
In-Reply-To: <9ED435A1-F1B8-4220-9466-FA3E9D100B1D@gmail.com>

Hi Pablo

Unfortunately I can't find any documentation on how to do it :(


Martin

> On 24 Mar 2022, at 14:23, Martin Zaharinov <micron10@gmail.com> wrote:
> 
> Hi Pablo
> 
> Based on this rule:
> 
> table inet nft-qos-static {
>        set limit_ul {
>                typeof ip saddr
>                flags dynamic
>        }
>        set limit_dl {
>                typeof ip daddr
>                flags dynamic
>        }
> 
>        chain download {
>                type filter hook postrouting priority filter; policy accept;
>                ip daddr @limit_dl drop
> 
>        }
>        chain upload {
>                type filter hook prerouting priority filter ; policy accept;
>                ip saddr @limit_ul drop;
>        }
>        flowtable fastnat {
>                hook ingress priority filter; devices = { eth0, eth1 };
>        }
>        chain forward {
>                type filter hook forward priority filter; policy accept;
>                ip protocol { tcp , udp } flow offload @fastnat;
>        }
> }
> 
> 
> Where to set this? Please help.
> 
> 
>> On 24 Mar 2022, at 14:20, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> 
>> On Thu, Mar 24, 2022 at 02:09:25PM +0200, Martin Zaharinov wrote:
>>> One more update 
>>> 
>>> I try to make a rule for the limiter in offload mode:
>>> 
>>> table inet nft-qos-static {
>>>       set limit_ul {
>>>               typeof ip saddr
>>>               flags dynamic
>>>       }
>>>       set limit_dl {
>>>               typeof ip daddr
>>>               flags dynamic
>>>       }
>>> 
>>>       chain upload {
>>>               type filter hook prerouting priority filter ; policy accept;
>>>               ip saddr @limit_ul drop;
>>>       }
>>> 
>>>       chain download {
>>>               type filter hook postrouting priority filter; policy accept;
>>>               ip daddr @limit_dl drop;
>>> 
>>>       }
>>>       flowtable fastnat {
>>>               hook ingress priority filter; devices = { eth0, eth1 };
>>>       }
>>>       chain forward {
>>>               type filter hook forward priority filter; policy accept;
>>>               ip protocol { tcp , udp } flow offload @fastnat;
>>>       }
>>> }
>>> 
>>> It does not work perfectly: only the upload limit works, download gets the full channel.
>>> 
>>> In the test I set 100mbit up/down; upload stays at ~100mbit, but download goes up to 250-300mbit (I have this limit by my ISP).
>>> 
>>> The problem is the limiter works only for upload. Is it possible to make it work on the download rule?
>> 
>> If you want to combine ratelimit/policing with flowtable, then you
>> have to use the ingress and egress hooks, not prerouting and
>> postrouting.
>> 
>> Make sure you place the flowtable in a priority that comes after the
>> priority of your ingress hook.
> 

