Ok. I am marking because I will also add rules for a second ethernet interface, eth2, which serves a 10.2.0.0/24 segment, and I want to split the internet feed (10 megabits) into two 5 megabit links: I need marking to mark all the traffic coming to eth1 to its 5 megabit classes and the traffic coming from eth2 to the other tree (I would define 2 root classes of 5 megabits, with separate leafs).

- Enrico

On Mon, 2004-03-22 at 12:18, Roy wrote:
> first you should mark packets in postrouting chain for what you need
> forward chain doesn't touch local traffic, which is your proxy.
>
> next, since you redirect packets to port 3128 you should match on this port
> not on 80.
> but then you will mark all packets from port 3128 no matter whether they are
> redirected or not.
> (all proxy traffic will be marked)
>
> Also you can simply match with tc on port 80, since tc is after nat and it
> will see the same port the user will see.
> for such a simple setup no marking is necessary.
>
> ----- Original Message -----
> From: "Enrico Demarin" <enricod@xxxxxxxxxxxx>
> To: <lartc@xxxxxxxxxxxxxxx>
> Sent: Monday, March 22, 2004 4:35 PM
> Subject: Fwmark and REDIRECT rules
>
> > Hi,
> >
> > this is the situation: I am using a Linux gateway to shape the outbound
> > traffic coming from a LAN, configured (for example) as follows
> > (using htb):
> >
> > ETH0 ( public interface )
> >
> > 1 ROOT class rate 10240 kbit, ceil 10240
> >
> > 2 LEAF class rate 8192, ceil 8192
> >
> > 3 LEAF class rate 2048, ceil 2048
> >
> > ETH1 ( LAN )
> >
> > Then I define the following rules:
> >
> > tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 0x10 fw flowid 1:2
> >
> > tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 0x20 fw flowid 1:3
> >
> > And set the iptables rules to assign the fwmarks:
> >
> > /sbin/iptables -t mangle -F mygroup
> > /sbin/iptables -t mangle -X mygroup
> > /sbin/iptables -t mangle -N mygroup
> >
> > /sbin/iptables -t mangle -A FORWARD -i eth1 -o eth0 -j mygroup
> >
> > /sbin/iptables -t mangle -A mygroup -p tcp -m tcp --dport 80 -j MARK --set-mark 0x20
> > /sbin/iptables -t mangle -A mygroup -p tcp -m tcp --dport 80 -j RETURN
> >
> > /sbin/iptables -t mangle -A mygroup -j MARK --set-mark 0x10
> > /sbin/iptables -t mangle -A mygroup -j RETURN
> >
> > In theory, this should assign all packets with dest port 80 forwarded
> > from eth1 to eth0 to the 0x20 class, and the rest to the 0x10 class.
> >
> > And it works, until I do something like this:
> >
> > iptables -t nat -A PREROUTING -p tcp --source 10.1.0.0/24 --dport 80 -j REDIRECT --to-ports 3128
> >
> > to set up transparent proxy redirection to the local squid (10.1.0.0/24
> > is the subnet of eth1).
> >
> > The redirection works but no packets end up in the 0x20 class.
> >
> > Any way to shape even transparent-proxied traffic?
> >
> > thanks,
> > Enrico
> >
> > _______________________________________________
> > LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
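The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of which mangle chains a packet crosses on the gateway, showing why the FORWARD-only marks vanish once REDIRECT sends port-80 traffic to the local squid, and how marking in POSTROUTING restores them. The packet fields, the sample packets and the shape of the POSTROUTING rule are assumptions.

```python
# Simplified model of mangle-table traversal on the gateway (constructed example).
# Only the hooks relevant to the thread are modelled; packets are sample values.

FORWARDED = ["PREROUTING", "FORWARD", "POSTROUTING"]  # routed through the box
TO_LOCAL = ["PREROUTING", "INPUT"]                    # delivered to a local socket
FROM_LOCAL = ["OUTPUT", "POSTROUTING"]                # sent by a local process

def original_rules(chain, pkt):
    """Rules from the thread: mark only in FORWARD, eth1 -> eth0."""
    if chain == "FORWARD" and pkt["in"] == "eth1" and pkt["out"] == "eth0":
        pkt["mark"] = 0x20 if pkt["dport"] == 80 else 0x10

def postrouting_rules(chain, pkt):
    """Marking moved to POSTROUTING as the reply suggests (assumed rule shape)."""
    if chain == "POSTROUTING" and pkt["out"] == "eth0":
        pkt["mark"] = 0x20 if pkt["dport"] == 80 else 0x10

def egress_mark(client_pkt, rules, redirect=False):
    """Return the fwmark carried by the packet that finally leaves eth0."""
    pkt = dict(client_pkt, mark=0)
    if redirect and pkt["dport"] == 80:
        # nat PREROUTING REDIRECT: the destination becomes the local squid
        # port, so the packet is delivered locally and never reaches FORWARD.
        pkt.update(dport=3128, out=None)
        for chain in TO_LOCAL:
            rules(chain, pkt)
        # squid opens its own upstream connection: a new, locally generated
        # packet with no input interface and no mark.
        pkt = {"in": None, "out": "eth0", "dport": 80, "mark": 0}
        path = FROM_LOCAL
    else:
        path = FORWARDED
    for chain in path:
        rules(chain, pkt)
    return pkt["mark"]

WEB = {"in": "eth1", "out": "eth0", "dport": 80}  # constructed LAN client packets
SSH = {"in": "eth1", "out": "eth0", "dport": 22}

def summary():
    return {
        "forward rules, no proxy": egress_mark(WEB, original_rules),
        "forward rules, proxy": egress_mark(WEB, original_rules, redirect=True),
        "postrouting rules, proxy": egress_mark(WEB, postrouting_rules, redirect=True),
        "postrouting rules, ssh": egress_mark(SSH, postrouting_rules, redirect=True),
    }

if __name__ == "__main__":
    for case, mark in summary().items():
        print(f"{case:26} mark={mark:#x}")
```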