I'm attempting to set up a hierarchy of tc qdiscs with filters, but the
filters don't seem to be working correctly. I'm running iptables 1.3.5
with iproute 2.6.16.20060323 on a Gentoo 2.6.18 kernel. The system
takes all my tc setup, but does not filter packets as I am expecting it
to based on my ruleset. My tc qdiscs and classes are added correctly and report as I'd expect with "tc -s -d qdisc show dev eth1", and the filters seem to report what I want. The iptables script is set correctly, which I verified by testing for the NF_MARK that was expected on the packets. Pay particular attention to NF_MARK 0xFF, which I want to end up in tc class 20:1. However, when I run "tc -s -d class show dev eth1" I see nothing going into 20:1, and lots going into 20:2. Full output of these commands appears near the bottom of this message. Please also see attached for a pdf representation of my tc setup that may make understanding what I'm trying to do a bit easier. First, I mark my packets using NF_MARK in iptables like this: I know the above works because the hit counters in iptables act as I expect (see also the result of the iptables -L output below.)# mangle/POSTROUTING chain # Catch-all mark: iptables -t mangle -A POSTROUTING -o $WAN_NIC -j MARK --set-mark 0xFF # Skype & SSH traffic: iptables -t mangle -A POSTROUTING -p UDP -s ${LAN}.13 --sport 56168 -o $WAN_NIC -j MARK --set-mark 0x100 iptables -t mangle -A POSTROUTING -p ICMP -o $WAN_NIC -j MARK --set-mark 0x100 iptables -t mangle -A POSTROUTING -p TCP -m multiport --sports 22200:22201 -j MARK --set-mark 0x101 # Streaming media: iptables -t mangle -A POSTROUTING -p UDP --sport 1234 -o $WAN_NIC -j MARK --set-mark 0x105 # BitTorrent - presently defined via connmark match on torrent user locally: iptables -t mangle -A POSTROUTING -m connmark --mark 0x1000 -j MARK --set-mark 0x1F0 #testing to verify that the 0xFF mark is working as expected: iptables -t mangle -A POSTROUTING -m mark ! --mark 0xFF -j RETURN iptables -t mangle -A POSTROUTING -m mark --mark 0xFF iptables -t mangle -A POSTROUTING -m mark ! --mark 0xFF Then, I enable my tc qdiscs, classes, and filters like this: My qdiscs and classes report to be set up how I asked, and they function. However, 20:1 never sees any traffic despite many packets hitting the 0xFF mark in iptables (I tested for 0xFF at the end of the POSTROUTING chain, so I know packets are leaving this chain with this mark.) It seems they get put into 20:2 per the default rule on 20:. The same holds true for the 10:2 class, as nothing ever goes into 10:1 or 10:3, even when these marks are set at the end of the POSTROUTING chain traversal.MAX="45056bps" tc qdisc add dev eth1 root handle 1: htb default 1 tc class add dev eth1 parent 1: classid 1:1 htb rate ${MAX} tc qdisc add dev eth1 parent 1:1 handle 2: prio tc qdisc add dev eth1 parent 2:1 handle 10: htb default 2 # put mark 0x100 into 10:1 tc class add dev eth1 parent 10: classid 10:1 htb rate 8192bps ceil ${MAX} tc filter add dev eth1 pref 1 protocol ip parent 1: handle 0x100 fw classid 10:1 # put mark 0x101 into 10:2 tc class add dev eth1 parent 10: classid 10:2 htb rate 15360bps ceil ${MAX} tc filter add dev eth1 pref 2 protocol ip parent 1: handle 0x101 fw classid 10:2 # put mark 0x105 into 10:3 tc class add dev eth1 parent 10: classid 10:3 htb rate 30720bps ceil ${MAX} tc filter add dev eth1 pref 3 protocol ip parent 1: handle 0x105 fw classid 10:3 tc qdisc add dev eth1 parent 2:2 handle 20: htb default 2 # put mark 0xFF into 20:1 tc class add dev eth1 parent 20: classid 20:1 htb rate 10240bps ceil ${MAX} tc filter add dev eth1 pref 5 protocol ip parent 1: handle 0xFF fw classid 20:1 # stuff without a mark goes here per the default - shouldn't happen tc class add dev eth1 parent 20: classid 20:2 htb rate 15360bps ceil ${MAX} # put mark 0x1F0 into 2:3 tc qdisc add dev eth1 parent 2:3 handle 30: bfifo limit 64k tc filter add dev eth1 pref 4 protocol ip parent 1: handle 0x1F0 fw classid 2:3 Finally, I also tried the same setup except commenting out all my filter commands in the tc script. I then added the "-j CLASSIFY #:#" syntax to my iptables rules to directly classify to the classes I want. The same effects were visible in this case as I described above. It's as if the packets get sorted into the tc tree without any filtering of any kind, despite filters showing up with "tc -s -d filter show dev eth1". Any ideas as to what I am doing wrong are appreciated as I'm don't know what I'm missing. For completeness, below is the result of my tc and relevant iptables listings after my scripts are run (and with a number of packets sent on my interface): tc -s -d qdisc show dev eth1: tc -s -d class show dev eth1:qdisc htb 1: r2q 10 default 1 direct_packets_stat 0 ver 3.17 Sent 129462870 bytes 135363 pkt (dropped 46, overlimits 87892 requeues 0) backlog 0b 5p requeues 0 qdisc prio 2: parent 1:1 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 Sent 129462870 bytes 135363 pkt (dropped 46, overlimits 0 requeues 0) backlog 0b 5p requeues 0 qdisc htb 10: parent 2:1 r2q 10 default 2 direct_packets_stat 0 ver 3.17 Sent 8370 bytes 93 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0 qdisc htb 20: parent 2:2 r2q 10 default 2 direct_packets_stat 0 ver 3.17 Sent 947507 bytes 8007 pkt (dropped 0, overlimits 1030 requeues 0) backlog 0b 0p requeues 0 qdisc bfifo 30: parent 2:3 limit 64Kb Sent 128506939 bytes 127262 pkt (dropped 46, overlimits 0 requeues 0) backlog 4225b 5p requeues 0 tc -s -d filter show dev eth1:class htb 1:1 root leaf 2: prio 0 quantum 4505 rate 360448bit ceil 360448bit burst 2Kb/8 mpu 0b overhead 0b cburst 2Kb/8 mpu 0b overhead 0b level 0 Sent 129335552 bytes 135231 pkt (dropped 46, overlimits 0 requeues 0) rate 338568bit 47pps backlog 0b 0p requeues 0 lended: 135231 borrowed: 0 giants: 0 tokens: 11940 ctokens: 11940 class prio 2:1 parent 2: leaf 10: class prio 2:2 parent 2: leaf 20: class prio 2:3 parent 2: leaf 30: class htb 10:1 root prio 0 quantum 1000 rate 65536bit ceil 360448bit burst 1680b/8 mpu 0b overhead 0b cburst 2Kb/8 mpu 0b overhead 0b level 0 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 lended: 0 borrowed: 0 giants: 0 tokens: 205200 ctokens: 45498 class htb 10:2 root prio 0 quantum 1536 rate 122880bit ceil 360448bit burst 1752b/8 mpu 0b overhead 0b cburst 2Kb/8 mpu 0b overhead 0b level 0 Sent 8370 bytes 93 pkt (dropped 0, overlimits 0 requeues 0) rate 24bit 0pps backlog 0b 0p requeues 0 lended: 93 borrowed: 0 giants: 0 tokens: 108398 ctokens: 43545 class htb 10:3 root prio 0 quantum 3072 rate 245760bit ceil 360448bit burst 1906b/8 mpu 0b overhead 0b cburst 2Kb/8 mpu 0b overhead 0b level 0 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 lended: 0 borrowed: 0 giants: 0 tokens: 62076 ctokens: 45498 class htb 20:1 root prio 0 quantum 1024 rate 81920bit ceil 360448bit burst 1701b/8 mpu 0b overhead 0b cburst 2Kb/8 mpu 0b overhead 0b level 0 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 lended: 0 borrowed: 0 giants: 0 tokens: 166210 ctokens: 45498 class htb 20:2 root prio 0 quantum 1536 rate 122880bit ceil 360448bit burst 1752b/8 mpu 0b overhead 0b cburst 2Kb/8 mpu 0b overhead 0b level 0 Sent 941657 bytes 7983 pkt (dropped 0, overlimits 0 requeues 0) rate 1256bit 2pps backlog 0b 0p requeues 0 lended: 7983 borrowed: 0 giants: 0 tokens: 92799 ctokens: 38245 iptables --line-numbers -xnvL POSTROUTING -t mangle:filter parent 1: protocol ip pref 1 fw filter parent 1: protocol ip pref 1 fw handle 0x100 classid 10:1 filter parent 1: protocol ip pref 2 fw filter parent 1: protocol ip pref 2 fw handle 0x101 classid 10:2 filter parent 1: protocol ip pref 3 fw filter parent 1: protocol ip pref 3 fw handle 0x105 classid 10:3 filter parent 1: protocol ip pref 4 fw filter parent 1: protocol ip pref 4 fw handle 0x1f0 classid 2:3 filter parent 1: protocol ip pref 5 fw filter parent 1: protocol ip pref 5 fw handle 0xff classid 20:1 Chain POSTROUTING (policy ACCEPT 270084736 packets, 194631738808 bytes) num pkts bytes target prot opt in out source destination 1 144850 137138305 MARK all -- * eth1 0.0.0.0/0 0.0.0.0/0 MARK set 0xff 2 22 1366 MARK udp -- * eth1 192.168.42.13 0.0.0.0/0 udp spt:56168 MARK set 0x100 3 41 1342 MARK icmp -- * eth1 0.0.0.0/0 0.0.0.0/0 MARK set 0x100 4 0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 22200:22201 MARK set 0x101 5 0 0 MARK udp -- * eth1 0.0.0.0/0 0.0.0.0/0 udp spt:1234 MARK set 0x105 6 139456 136418911 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK match 0x1000 MARK set 0x1f0 7 154381 140258853 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0xff 8 5351 717886 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0xff 9 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0xff -- Josh |
Attachment:
tc_diagram.pdf
Description: Adobe PDF document
_______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc