throwing away unmarked traffic

Linux Advanced Routing and Traffic Control

A Linux gateway has two interfaces: eth0, with a routable address on an
ISP's network, and eth1, which is 10.0.0.1 on a private network.

There are several hosts connected to eth1, and these are allowed to send
packets out of eth0 only after they log in via a form at http://10.0.0.1.
Once a host logs out, the gateway should no longer route packets for it.
Each host also has a specific bandwidth allocation.

I configured the gateway as follows (and it works fine):

    iptables -t nat -A POSTROUTING -s 10/8 -o eth0 -j SNAT --to ...

    ## Per-user rules, created upon login and deleted upon logout.
    #
    # One class per interface. N is some arbitrary number.
    tc class add dev eth1 parent 1: classid 1:N htb rate ... ceil ...
    tc class add dev eth0 parent 1: classid 1:N htb rate ... ceil ...

    # Mark traffic from host A.B.C.D with a unique mark 0xABCD.
    iptables -t mangle -I PREROUTING 1 -i eth1 -s A.B.C.D -j MARK --set-mark 0xABCD
    iptables -t mangle -I PREROUTING 2 -i eth1 -s A.B.C.D -j RETURN

    # Classify outgoing traffic by mark; incoming by private destination.
    tc filter add dev eth0 parent 1: protocol ip handle 0xABCD fw classid 1:N
    tc filter add dev eth1 parent 1: protocol ip u32 match ip dst A.B.C.D flowid 1:N

My problem is with efficiently discarding all unmarked traffic. I am now
doing this as follows:

    # This goes after all the per-user "good mark" rules:
    iptables -t mangle -A PREROUTING -j MARK --set-mark 0xfffffff

    # And this throws away "bad mark" packets.
    tc filter add dev eth0 parent 1: protocol ip handle 0xfffffff fw \
    police mpu 0 mtu 1 action drop/drop

This works fine, but I'd love to hear any suggestions about how to do it
in a better way. (I tried a few other approaches, such as having a rule
in filter/FORWARD that ACCEPTed only "-m mark \! --mark 0" packets, but
that and similar solutions that are O(1) in the number of hosts did not
work as I expected, due to the persistence of conntrack entries.)

Questions, comments, and suggestions are welcome.

-- ams
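One way to package the per-user setup above so that login and logout stay symmetric, as an added example that is not from the post or the LARTC project. It keeps the post's own catch-all mark plus police filter for unmarked traffic, and assumes (not stated in the post) that eth0 is the uplink, eth1 is the 10.0.0.0/16 LAN with the gateway at 10.0.0.1, both interfaces already have an HTB root qdisc "1:", and that the mark, class minor and filter prio can be derived from the client address as shown.

```shell
# Added example, not from the original post: login/logout helpers for the
# gateway above. Assumptions not stated on the list: eth0 is the uplink,
# eth1 the 10.0.0.0/16 LAN (gateway 10.0.0.1), both already have an HTB
# root qdisc "1:", and mark 0xffff is reserved for the catch-all rule.
# RUN=echo (the default) prints the commands for review; RUN= executes them.
RUN="${RUN-echo}"
LAN=eth1; WAN=eth0; BAD=0xffff

# ip_ids ADDR sets M (fwmark), N (HTB class minor) and P (filter prio).
# fwmark = 32-bit address value: unique, nonzero, never 0xffff. Minor and
# prio = last two octets, unique inside the /16; prio 1 would belong to
# 10.0.0.1, the gateway itself, so it is free for the catch-all filter.
ip_ids() {
    set -- $(printf '%s' "$1" | tr . ' ')
    M=$(printf '0x%02x%02x%02x%02x' "$1" "$2" "$3" "$4")
    N=$(printf '%02x%02x' "$3" "$4")
    P=$(($3 * 256 + $4))
}

# One-time setup: anything still unmarked at the end of mangle/PREROUTING
# gets the bad mark; the fw filter on the uplink drops it (the post's trick).
gw_init() {
    $RUN iptables -t mangle -A PREROUTING -i $LAN -j MARK --set-mark $BAD
    $RUN tc filter add dev $WAN parent 1: protocol ip prio 1 handle $BAD fw \
        police mpu 0 mtu 1 action drop/drop
}

# host_login ADDR RATE [CEIL]: per-user rules, inserted at the top of
# PREROUTING so they are always evaluated before the catch-all rule.
host_login() {
    ip=$1; rate=$2; ceil=${3:-$2}; ip_ids "$ip"
    $RUN tc class add dev $LAN parent 1: classid 1:$N htb rate $rate ceil $ceil
    $RUN tc class add dev $WAN parent 1: classid 1:$N htb rate $rate ceil $ceil
    $RUN iptables -t mangle -I PREROUTING 1 -i $LAN -s $ip -j MARK --set-mark $M
    $RUN iptables -t mangle -I PREROUTING 2 -i $LAN -s $ip -j RETURN
    $RUN tc filter add dev $WAN parent 1: protocol ip prio $P handle $M fw classid 1:$N
    $RUN tc filter add dev $LAN parent 1: protocol ip prio $P u32 match ip dst $ip flowid 1:$N
}

# host_logout ADDR: remove exactly what host_login added (filters first,
# so no class is deleted while a filter still points at it).
host_logout() {
    ip=$1; ip_ids "$ip"
    $RUN tc filter del dev $WAN parent 1: prio $P
    $RUN tc filter del dev $LAN parent 1: prio $P
    $RUN iptables -t mangle -D PREROUTING -i $LAN -s $ip -j MARK --set-mark $M
    $RUN iptables -t mangle -D PREROUTING -i $LAN -s $ip -j RETURN
    $RUN tc class del dev $WAN classid 1:$N
    $RUN tc class del dev $LAN classid 1:$N
}
```

Run `gw_init` once after the root qdiscs exist, then `host_login 10.0.0.23 512kbit` and `host_logout 10.0.0.23` from the login form's backend; with the default `RUN=echo` the script only prints what it would do.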
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/