Re: Ssh flow does not go into correct class. Help!

Linux Advanced Routing and Traffic Control

You're right. Thank you very much!

"Catalin(ux aka Dino) BOIE" <util@xxxxxxxxxxxxxxx> wrote:
> iptables -t mangle -A OUTPUT -d 10.190.6.16 -j MARK --set-mark 20
> iptables -t mangle -A OUTPUT -d 10.190.6.16 -j RETURN
>
> tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11
>
> I expect data from the ssh server to my client 10.190.6.16 should go into
> 1:11, and other data should go into the default 1:13. But when I use an ssh client
> on another machine (not 10.190.6.16), the data seems to also go into 1:11 (I
> got this from tc -s -d class show dev eth0). Why?

Because you didn't flush the mangle table. Your example works OK for me.
Add an iptables -t mangle -F before running the script.

>
> "Catalin(ux aka Dino) BOIE" wrote:
> On Thu, 27 Jan 2005, CcM wrote:
>
>> Now I want to control ports with IPs specified, like the following; it seems not to work, only --sport has an effect. Ftp-data to IPs besides 10.190.6.16 also goes into 1:12, while the default is 1:13. Why?
>>
>> tc qdisc add dev eth0 root handle 1: htb default 13
>> tc class add dev eth0 parent 1: classid 1:1 htb rate 80000kbit ceil 80000kbit prio 1
>> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 40kbit ceil 40kbit prio 1
>> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 800kbit ceil 1600kbit prio 1
>> tc class add dev eth0 parent 1:1 classid 1:13 htb rate 70000kbit ceil 80000kbit prio 1
>> tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 5
>> tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 5
>> tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 5
>>
>> iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j MARK --set-mark 20
>> iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j RETURN
>>
>> iptables -t mangle -A POSTROUTING -d 10.190.6.16 -p tcp --sport ftp-data -j MARK --set-mark 21
>> iptables -t mangle -A POSTROUTING -d 10.190.6.16 -p tcp --sport ftp-data -j RETURN
>
> I bet you use passive mode in ftp so you get a weird port, not ftp-data
> (20). ftp is tricky to match. You can use this:
> iptables -t mangle -A POSTROUTING -d x.x.x.x -m helper --helper ftp \
> -j MARK --set-mark 21
> This will mark with 21 all ftp control+data connections.
>
>>
>> tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11
>> tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 21 fw flowid 1:12
>>
>>
>> "Catalin(ux aka Dino) BOIE" wrote:
>> On Wed, 26 Jan 2005, CcM wrote:
>>
>>> It does work! Thanks!
>>> But many articles write it like what I did. What's the difference between POSTROUTING and PREROUTING? I mean, I know these are two hook points in the IP stack, but why should it be POSTROUTING here when doing mangle?
>>>
>>> "Catalin(ux aka Dino) BOIE" wrote:
>>> Use:
>>> iptables -t mangle -A POSTROUTING -p tcp -m tcp --sport 22 -j MARK \
>>> --set-mark 20
>>
>> Because locally generated packets don't go through PREROUTING.
>> But it's best to use OUTPUT.
>>
>>>
>>> ---
>>> Catalin(ux aka Dino) BOIE
>>> catab at deuroconsult.ro
>>> http://kernel.umbrella.ro/
>>> _______________________________________________
>>> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
>>> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>>>
>>>
>>>
>>> ---------------------------------
>>> Do You Yahoo!?
>>> Sign up for world-class Yahoo! free email

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

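The two fixes in this thread (mark in OUTPUT because locally generated packets never see PREROUTING, and tear the old rules down before re-running, since appending a second time is what put unrelated ssh traffic in 1:11) fit naturally into one idempotent script. The following is an added example written for this page, not code from the thread or from the LARTC HOWTO. It assumes the outgoing interface is eth0, the client is 10.190.6.16, and sshd and an ftp server run on this host; the mark-20 rule is narrowed to ssh replies to that client (the thread's last version matched everything sent to the client). The ftp rule uses the conntrack helper match as suggested above; on kernels from 4.7 on, automatic helper assignment is off by default (net.netfilter.nf_conntrack_helper=0), so the helper is bound explicitly with a raw-table CT rule. Rules live in a private mangle chain so re-runs flush only this script's rules rather than the whole table.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent HTB shaping setup for the
# case discussed above.  Assumptions: outgoing interface eth0, client
# 10.190.6.16, sshd and an ftp server on this host.  By default the script
# only prints the commands; run it as root with APPLY=1 to execute them.

DEV="${DEV:-eth0}"
CLIENT="${CLIENT:-10.190.6.16}"
CHAIN="SHAPE_OUT"          # private mangle chain: re-runs touch only our rules
APPLY="${APPLY:-0}"

run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Remove the previous run completely before adding anything.  Appending to a
# chain that still holds the old MARK rules is what sent unrelated ssh
# traffic into 1:11 in the thread above.
teardown() {
    run iptables -t mangle -D OUTPUT -j "$CHAIN" 2>/dev/null || true
    run iptables -t mangle -F "$CHAIN" 2>/dev/null || true
    run iptables -t mangle -X "$CHAIN" 2>/dev/null || true
    run iptables -t raw -D PREROUTING -p tcp --dport 21 -j CT --helper ftp 2>/dev/null || true
    run tc qdisc del dev "$DEV" root 2>/dev/null || true
}

mark_packets() {
    # Locally generated packets traverse OUTPUT (and POSTROUTING) but never
    # PREROUTING, so the marks go on OUTPUT.
    run iptables -t mangle -N "$CHAIN"
    run iptables -t mangle -A OUTPUT -j "$CHAIN"
    # Mark 20: ssh server replies to this client only, not every --sport 22 packet.
    run iptables -t mangle -A "$CHAIN" -d "$CLIENT" -p tcp --sport 22 \
        -j MARK --set-mark 20
    # Mark 21: ftp control and data (passive mode included) via the conntrack
    # helper.  Kernels since 4.7 default net.netfilter.nf_conntrack_helper=0,
    # so the helper is bound explicitly in the raw table.
    run modprobe nf_conntrack_ftp
    run iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    run iptables -t mangle -A "$CHAIN" -d "$CLIENT" -m helper --helper ftp \
        -j MARK --set-mark 21
}

shape() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 13
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate 80000kbit ceil 80000kbit
    run tc class add dev "$DEV" parent 1:1 classid 1:11 htb rate 40kbit ceil 40kbit prio 1
    run tc class add dev "$DEV" parent 1:1 classid 1:12 htb rate 800kbit ceil 1600kbit prio 1
    run tc class add dev "$DEV" parent 1:1 classid 1:13 htb rate 70000kbit ceil 80000kbit prio 1
    for c in 11 12 13; do
        run tc qdisc add dev "$DEV" parent "1:$c" handle "1$c:" sfq perturb 5
    done
    # fw filters select the class from the packet mark set above.
    run tc filter add dev "$DEV" parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11
    run tc filter add dev "$DEV" parent 1:0 prio 1 protocol ip handle 21 fw flowid 1:12
}

# Per-rule and per-class counters: only the expected flows should grow 1:11/1:12.
show() {
    run iptables -t mangle -L "$CHAIN" -v -n -x
    run tc -s -d class show dev "$DEV"
}

main() {
    teardown
    mark_packets
    shape
    show
}

main
```

Run it once without APPLY to review the command list, then as root with APPLY=1; after generating some ssh and ftp traffic from 10.190.6.16 and from another host, compare the rule counters in the SHAPE_OUT chain with the class counters from tc. If 1:11 still grows for the other host, the old rules are still present somewhere outside this chain.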
