Friends:

I do establish a well tc filter as follows:

tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 match ip src 129.10.10.3 flowid 1:10

where 1:10 is a HTB class with certain rate and 1:0 its parent qdisc.

But when I pretend to filter a source port 21 (for instance), typing:

tc filter add dev eth0 parent 1:0 (protocol ip) prio 0 u32 match ip protocol 0x6 0xff match tcp sport 21 0xffff flowid 1:10

no filter can be added because of a match error. I have already excluded and included the "(protocol ip)" from that place and nothing.

I hope you will help me!

----- Original Message -----
From: "Martin A. Brown" <mabrown-lartc@xxxxxxxxxxxxxx>
To: "Bill Gradwohl" <bill@xxxxxxx>
Cc: "lartc list" <lartc@xxxxxxxxxxxxxxx>
Sent: Friday, August 06, 2004 1:32 AM
Subject: Re: NAT & tc filter addresses

> Bill,
>
> : Is there a flow diagram as to where tc actions take place with
> : respect to NAT and other iptables functions on a multihomed box
> : (private & public NICs)? Are tc filter rules consulted before or
> : after NATing?
>
> For simplicity's sake, let's just talk about packets leaving the box
> (transmit only). All iptables functions have taken place by the
> time the traffic control functions are called.
>
> There are a number of different diagrams which cover this in
> different ways. The KPTD [0], which Stef has already mentioned, the
> Packet Flow diagram [1], which deals with the bridging, brouting
> stuff as well, an older 2.4 packet traversal diagram [2], and my
> recent diagram of just the netfilter system [3].
>
> : My real interest is in basic understanding first, and then
> : solving a real problem second.
>
> Well...further on the self-promotion front--if understanding is what
> you seek, then maybe also my Traffic Control HOWTO would be handy.
> It's available at TLDP [4].
>
> : Example:
> : Firewall Public NIC 123.123.123.1
> : Firewall Private NIC 192.168.168.1
> : Dedicated Video Conferencing equipment @ 192.168.168.100
> :
> : I'd like to write a rule that says any traffic emanating from the
> : private .100 box gets 128kbit of bandwidth out of a T1's total 1.55mbit
> : as the traffic heads out on to the Internet to find the other end of the
> : Video Conference.
> :
> : The shaping occurs on the Public NIC, but the only address I have to
> : work with is a private address. By the time the traffic hits the public NIC
> : and tc rules are applied, I suspect the packet no longer has a source IP
> : of private .100, but has been NAT'd to the public NIC address. There's
> : no way to distinguish private .100's traffic via IP address by the time the
> : tc filters are queried. Is that correct?
>
> That is correct, but you can always use the fwmark.
>
> : What methods are available to do this? I can think of marking all
> : the packets on the private side then looking for the marks on the
> : public side. Or, NAT private.100 to a specific Public IP and then
> : write rules for that new Public IP. What other options are there?
>
> As far as I know, these are the two best options. If you don't wish
> to mess around with marking, the NAT option seems a very good and
> sensible way to go.
>
> If you haven't used tc much, I'd recommend tcng [5]. It's far
> simpler to use (and more intuitive) once you have it installed.
>
> Though I haven't tested the below, I could see something like this
> as a starting point for your experimentation. If you wished to cap
> the video bandwidth at 128k, you could simply use the same parameter
> for the rate and ceil (videobw).
>
> #define private eth0
> #define public eth1
>
> /* assume that the NAT for the video server is separate from
>    the source IP of the remainder of the traffic */
>
> #define videobox 192.168.168.100
> #define videopub 123.123.123.100
> #define videobw 128000 bps
> #define halft1 772000 bps
> #define fullt1 1544000 bps
>
>
> /* this should take care of shaping download traffic */
>
> dev private {
>     egress {
>         /* download: the video box is the destination of traffic
>            leaving the private NIC */
>         class ( <$video> ) if ip_dst == videobox ;
>         class ( <$other> ) if 1 ;
>         htb {
>             class ( rate fullt1, ceil fullt1 ) {
>                 /* guarantee videobw to $video, allow full usage */
>                 $video = class ( rate videobw, ceil fullt1 ) ;
>                 /* guarantee half the t1 to other traffic */
>                 $other = class ( rate halft1, ceil fullt1 ) ;
>             }
>         }
>     }
> }
>
> /* this should take care of shaping upload traffic */
>
> dev public {
>     egress {
>         /* upload: after SNAT the video box appears as videopub */
>         class ( <$video> ) if ip_src == videopub ;
>         class ( <$other> ) if 1 ;
>         htb {
>             class ( rate fullt1, ceil fullt1 ) {
>                 $video = class ( rate videobw, ceil fullt1 ) ;
>                 $other = class ( rate halft1, ceil fullt1 ) ;
>             }
>         }
>     }
> }
>
> Good luck!
>
> -Martin
>
> [0] http://www.docum.org/docum.org/kptd/
> [1] http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
> [2] http://open-source.arkoon.net/kernel/kernel_net.png
> [3] http://linux-ip.net/nf/nfk-traversal.png
> [4] http://tldp.org/HOWTO/Traffic-Control-HOWTO/
> [5] http://tcng.sourceforge.net/
>
> --
> Martin A. Brown --- Wonderfrog Enterprises --- martin@xxxxxxxxxxxxxx
> _______________________________________________
> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
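The source-port filter asked about at the top of this mail and the fwmark classification suggested in the quoted reply, as one added shell example that is not from either poster. It builds a small HTB tree with plain tc commands and then adds two filters: a u32 filter on TCP source port, and an fw filter that classifies on a netfilter mark set in the mangle PREROUTING chain (so the mark is assigned before SNAT rewrites the private address). Device name, class ids, rates, the port, the mark value and the script's APPLY switch are all assumptions; by default the script only prints the commands, and it executes them only when run as root with APPLY=1. In u32 the port keywords live under the `ip` selector (`ip sport`, `ip dport`, matched at a fixed offset of 20 bytes into the IP header, so an IP header without options is assumed); the `tcp` selector's own keywords are `src` and `dst`, which need a next-header offset to be set up separately.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an HTB tree and two filters:
# a u32 source-port match and an fwmark match. All names/values are assumed.

DEV="${DEV:-eth0}"          # assumed interface the qdisc is attached to
RATE="${RATE:-1544kbit}"    # assumed line rate (a T1)
VIDEOBW="${VIDEOBW:-128kbit}"  # assumed cap for the shaped class
APPLY="${APPLY:-0}"         # 1 = execute commands (needs root), 0 = print only

# run: print the command line, or execute it when APPLY=1
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# htb_tree: root qdisc 1:, parent class 1:1 at line rate,
# leaf 1:10 capped at VIDEOBW, leaf 1:20 as the default for everything else
htb_tree() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 20
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$RATE" ceil "$RATE"
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate "$VIDEOBW" ceil "$VIDEOBW"
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate "$RATE" ceil "$RATE"
}

# sport_filter PORT CLASSID: u32 match on TCP source port.
# "ip nofrag" excludes fragments: in a non-first fragment the bytes at the
# port offset are payload, not a TCP header, so they must not be classified.
sport_filter() {
    port="$1"; classid="$2"
    run tc filter add dev "$DEV" parent 1:0 protocol ip prio 1 u32 \
        match ip protocol 6 0xff \
        match ip nofrag \
        match ip sport "$port" 0xffff \
        flowid "$classid"
}

# mark_source SRC MARK: set a netfilter mark on packets from SRC in
# PREROUTING, i.e. before routing and before SNAT in POSTROUTING
mark_source() {
    src="$1"; mark="$2"
    run iptables -t mangle -A PREROUTING -s "$src" -j MARK --set-mark "$mark"
}

# fwmark_filter MARK CLASSID: classify on the mark instead of the address,
# which still identifies the flow on the public NIC after SNAT
fwmark_filter() {
    mark="$1"; classid="$2"
    run tc filter add dev "$DEV" parent 1:0 protocol ip prio 2 handle "$mark" fw flowid "$classid"
}

# setup: the full command set (assumed values: port 21, box .100, mark 1)
setup() {
    htb_tree
    sport_filter 21 1:10
    mark_source 192.168.168.100 1
    fwmark_filter 1 1:10
}

setup
```

Run it once without APPLY to review the seven commands it would issue; the fw filter is the piece that survives address translation, because the mark travels with the packet through the netfilter hooks and is still present when the egress qdisc on the public interface runs its filters.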