[LARTC] Problem with iptables and CONNTRACK

Linux Advanced Routing and Traffic Control


 



I know this is not the right place to ask this question, but I have a stateful firewall and I am doing CONNTRACKING to mark the TCP connections, and then with filters based on fw marks put them in the right qdisc.

The problem is that I have an uplink bandwidth of 300kbit restricted to 250kbit by the htb class. Here is my script to mark my traffic with qdiscs:

DEV=eth0
tc qdisc add dev ${DEV} handle 1: root htb default 20
tc class add dev ${DEV} parent 1:1 classid 1:1 htb rate 250kbit

## Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 200kbit
tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10


## Non Interactive
tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 100kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20



## ICMP
tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40

## Web-Server
tc class add dev ${DEV} parent 1:1 classid 1:50 htb rate 50kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:50 handle 50: esfq hash dst perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 5 fw flowid 1:50


And here is my mangle setup:

 iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
 iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
 iptables -t mangle -A POSTROUTING -m mark --mark 0 -j kazaa
 iptables -t mangle -A POSTROUTING -m mark --mark 0 -j marks
 iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

marks and kazaa are just -j MARK according to the traffic.

I am monitoring at which speed each class is sending data, and it only goes up to 10KB altogether.

Does anybody know why it is not going up to at least 20-23 KB? I am going crazy! :)
Interactive traffic goes quite well actually, but since I am getting such a low uplink speed, I suppose I am not getting good usage of the downlink traffic, maybe because it does not send ACK packets quickly enough.


Anybody willing to help? :)
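The poster measures each class's send rate by watching the counters. As an added example, not code from the original post or from the LARTC project, the following Python script computes per-class throughput from two snapshots of `tc -s class show dev eth0` taken a known interval apart, and also applies the usual HTB check that a parent's children should not guarantee more rate than the parent itself (the tree above guarantees 100 + 100 + 5 + 50 = 255kbit under a 250kbit parent). The snapshot text is constructed to mirror the class tree in the post; the byte and packet counters are invented.

```python
import re

# Constructed sample of `tc -s class show dev eth0` output, modelled on the
# class tree in the post (1:1 with leaves 1:10, 1:20, 1:40, 1:50). Counters
# are invented; the two snapshots are meant to be 10 seconds apart.
_TEMPLATE = """\
class htb 1:1 root rate 250Kbit ceil 250Kbit burst 1600b cburst 1600b
 Sent {b11} bytes 9000 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 100Kbit ceil 200Kbit burst 1600b cburst 1600b
 Sent {b10} bytes 3000 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 100Kbit ceil 200Kbit burst 1600b cburst 1600b
 Sent {b20} bytes 4200 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:40 parent 1:1 leaf 40: prio 0 rate 5Kbit ceil 5Kbit burst 1600b cburst 1600b
 Sent {b40} bytes 100 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:50 parent 1:1 leaf 50: prio 0 rate 50Kbit ceil 200Kbit burst 1600b cburst 1600b
 Sent {b50} bytes 1700 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
"""
SNAPSHOT_T0 = _TEMPLATE.format(b11=1250000, b10=400000, b20=600000, b40=10000, b50=240000)
SNAPSHOT_T1 = _TEMPLATE.format(b11=1475000, b10=525000, b20=650000, b40=10000, b50=290000)

# Class header: classid, parent (absent for the root class) and guaranteed rate.
_CLASS_RE = re.compile(
    r"^class htb (?P<id>[0-9a-f]+:[0-9a-f]+) "
    r"(?:root|parent (?P<parent>[0-9a-f]+:[0-9a-f]+))\b.*?"
    r"\brate (?P<rate>\d+(?:\.\d+)?)(?P<unit>[KMG]?)bit"
)
_SENT_RE = re.compile(r"^\s*Sent (?P<bytes>\d+) bytes")
_UNIT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}  # tc rates use K = 1000


def parse_tc_classes(text):
    """Return {classid: {"parent": classid-or-None, "rate_bps": int, "sent": bytes}}."""
    classes = {}
    current = None
    for line in text.splitlines():
        m = _CLASS_RE.match(line)
        if m:
            current = m.group("id")
            classes[current] = {
                "parent": m.group("parent"),
                "rate_bps": int(float(m.group("rate")) * _UNIT[m.group("unit")]),
                "sent": 0,
            }
            continue
        m = _SENT_RE.match(line)
        if m and current is not None:
            classes[current]["sent"] = int(m.group("bytes"))
    return classes


def throughput_kbit(text_t0, text_t1, interval_s):
    """Per-class send rate in kbit/s between two snapshots taken interval_s apart."""
    before = parse_tc_classes(text_t0)
    after = parse_tc_classes(text_t1)
    rates = {}
    for classid, info in after.items():
        delta = info["sent"] - before.get(classid, {"sent": 0})["sent"]
        if delta < 0:  # counter went backwards: qdisc was re-created, treat as no data
            delta = 0
        rates[classid] = delta * 8 / interval_s / 1000
    return rates


def oversubscribed_parents(classes):
    """Parents whose children's guaranteed rates add up to more than their own rate."""
    sums = {}
    for info in classes.values():
        if info["parent"] is not None:
            sums[info["parent"]] = sums.get(info["parent"], 0) + info["rate_bps"]
    return [
        (parent, total, classes[parent]["rate_bps"])
        for parent, total in sorted(sums.items())
        if parent in classes and total > classes[parent]["rate_bps"]
    ]


if __name__ == "__main__":
    for classid, kbit in sorted(throughput_kbit(SNAPSHOT_T0, SNAPSHOT_T1, 10.0).items()):
        print(f"{classid:>6} {kbit:7.1f} kbit/s ({kbit / 8:6.1f} KB/s)")
    for parent, total, own in oversubscribed_parents(parse_tc_classes(SNAPSHOT_T1)):
        print(f"warning: children of {parent} guarantee {total} bit/s, parent rate is {own} bit/s")
```

To use it on a live box, capture `tc -s class show dev eth0` twice with `sleep 10` in between and feed the two captures to throughput_kbit; the per-class figures in KB/s are directly comparable to the 10KB total the post reports, and the root class (1:1) shows the aggregate that actually left the interface.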




