From: Martin Zaharinov <micron10@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>,
netfilter <netfilter@vger.kernel.org>,
netfilter-devel@vger.kernel.org
Subject: Re: bug report and future request
Date: Thu, 24 Mar 2022 23:43:47 +0200
Message-ID: <59BE8A6C-B066-48C9-AD66-7EDBE2C7482E@gmail.com>
In-Reply-To: <9ED435A1-F1B8-4220-9466-FA3E9D100B1D@gmail.com>
Hi Pablo
Unfortunately I can't find any documentation on how to do it :(
Martin
> On 24 Mar 2022, at 14:23, Martin Zaharinov <micron10@gmail.com> wrote:
>
> Hi Pablo
>
> based on this rule:
>
> table inet nft-qos-static {
>     set limit_ul {
>         typeof ip saddr
>         flags dynamic
>     }
>     set limit_dl {
>         typeof ip daddr
>         flags dynamic
>     }
>
>     chain download {
>         type filter hook postrouting priority filter; policy accept;
>         ip daddr @limit_dl drop
>
>     }
>     chain upload {
>         type filter hook prerouting priority filter ; policy accept;
>         ip saddr @limit_ul drop;
>     }
>     flowtable fastnat {
>         hook ingress priority filter; devices = { eth0, eth1 };
>     }
>     chain forward {
>         type filter hook forward priority filter; policy accept;
>         ip protocol { tcp , udp } flow offload @fastnat;
>     }
> }
>
>
> Where to set this, please help.
>
>
>> On 24 Mar 2022, at 14:20, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>>
>> On Thu, Mar 24, 2022 at 02:09:25PM +0200, Martin Zaharinov wrote:
>>> One more update
>>>
>>> I try to make a rule for the limiter in offload mode:
>>>
>>> table inet nft-qos-static {
>>>     set limit_ul {
>>>         typeof ip saddr
>>>         flags dynamic
>>>     }
>>>     set limit_dl {
>>>         typeof ip daddr
>>>         flags dynamic
>>>     }
>>>
>>>     chain upload {
>>>         type filter hook prerouting priority filter ; policy accept;
>>>         ip saddr @limit_ul drop;
>>>     }
>>>
>>>     chain download {
>>>         type filter hook postrouting priority filter; policy accept;
>>>         ip daddr @limit_dl drop;
>>>
>>>     }
>>>     flowtable fastnat {
>>>         hook ingress priority filter; devices = { eth0, eth1 };
>>>     }
>>>     chain forward {
>>>         type filter hook forward priority filter; policy accept;
>>>         ip protocol { tcp , udp } flow offload @fastnat;
>>>     }
>>> }
>>>
>>> It does not work perfectly: only the upload limit works, download gets the full channel.
>>>
>>> In a test I set 100mbit up/down; upload stays at ~100mbit, but download goes up to 250-300mbit (I have this limit by my ISP).
>>>
>>> The problem is the limiter works only for upload. Is it possible to make it work on the download rule?
>>
>> If you want to combine ratelimit/policing with flowtable, then you
>> have to use the ingress and egress hooks, not prerouting and
>> postrouting.
>>
>> Make sure you place the flowtable in a priority that comes after the
>> priority of your ingress hook.
>