VladSun wrote:
> terraja-based wrote:
>> Hi folks...!!!
>> I've a problem that I did not solve.
>> I want to limit the DOWNLOAD to my hosts (upstream traffic for the
>> firewall) using IMQ.
>> If I classify by PORT (source or destination) all seems to be fine,
>> but...BUT...if I want to restrict by IP address (internal IP address)
>> I can't do it, because my hosts go to Internet toward the firewall
>> using NAT, so after NAT my IP address in Internet is not my internal
>> address, because the NAT action changes my source and internal IP
>> address.
>> So...so...so...how can I limit the traffic by IP address using TC,
>> IMQ, U32..etc...?????
>> Can I modify some field in the TCP header with u32 filter? I did read
>> the TCP RFC and nothing, I can't guess how to solve it...
>>
> Use iptables MARK, and TC fw.

SCENARIO
========
tc utility, iproute2-ss061214
kernel 2.6.20-1.2952.fc6

Mark packets:
# iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 1

Shape marked packets with tc fw:
# tc class add dev eth1 parent 11:1 classid 11:2 htb rate 10Mbit ceil 90Mbit prio 6
# tc qdisc add dev eth1 parent 11:2 sfq quantum 1500 perturb 5
# tc filter add dev eth1 parent 11:0 protocol ip handle 1 fw classid 11:2

Result in iptables seems ok:
Chain OUTPUT (policy ACCEPT 8054768 packets, 8122202853 bytes)
   pkts      bytes target     prot opt in     out     source               destination
3827080 4103809298 MARK       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           MARK set 0x1

Result in tc:
filter parent 11: protocol ip pref 49152 fw
filter parent 11: protocol ip pref 49152 fw handle 0x1 classid 11:2

So there are no matches in this filter; the other filters work fine (for example: rule hit 5846685 success 5846685).

The class is empty too:
class htb 11:2 parent 11:1 leaf 8003: prio 6 rate 10000Kbit ceil 90000Kbit burst 2850b cburst 12847b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

What could be the problem?
Cheers,
--
Catalin Bucur
mailto:cata@xxxxxxxxxxxx
NOC @ Genius Network SRL - Galati - Romania

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
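As an added example (not from this thread, and not LARTC project code), here is the complete, ordered MARK + tc fw setup that the advice above describes, written so the whole dependency chain is visible in one place: root HTB qdisc, parent class, default class for unmarked traffic, the leaf class and sfq from the post, the fw filter, and finally the mangle rule that sets the mark. It assumes eth1 is the LAN-facing interface (the post does not say), root handle 11:, mark 1, and a constructed LAN range of 192.168.1.0/24. The mark is applied in the mangle FORWARD chain because forwarded packets traverse FORWARD and POSTROUTING but never OUTPUT, which only sees packets generated by the firewall itself; the skb mark is carried with the packet regardless of what NAT rewrote in the IP header, which is why the fw classifier can still select by internal host. DRY_RUN=1 (the default) prints the commands instead of executing them, so the script can be reviewed without root; run it with DRY_RUN=0 as root to apply.

```shell
#!/bin/sh
# Added example, not code from the LARTC thread.
# Assumptions (not stated in the post): eth1 faces the LAN, the
# constructed range 192.168.1.0/24 is the LAN, root handle is 11:.
# DRY_RUN=1 prints each command; DRY_RUN=0 executes it (needs root).

DEV="${DEV:-eth1}"
MARK="${MARK:-1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed sample value
: "${DRY_RUN:=1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_shaping: build the qdisc tree, attach the fw filter, then mark.
# Order matters: the filter's target class must exist before the
# filter is added, and the filter must exist before marked packets
# arrive, otherwise they fall into the default class.
setup_shaping() {
    # 1. Root HTB with a default class so unmarked traffic still flows.
    run tc qdisc add dev "$DEV" root handle 11: htb default 10
    # 2. Parent class bounding the whole link (link rate assumed 100Mbit).
    run tc class add dev "$DEV" parent 11: classid 11:1 htb rate 100Mbit ceil 100Mbit
    # 3. Default class for everything that carries no mark.
    run tc class add dev "$DEV" parent 11:1 classid 11:10 htb rate 80Mbit ceil 100Mbit prio 7
    # 4. Leaf class for marked traffic, values taken from the post.
    run tc class add dev "$DEV" parent 11:1 classid 11:2 htb rate 10Mbit ceil 90Mbit prio 6
    run tc qdisc add dev "$DEV" parent 11:2 sfq quantum 1500 perturb 5
    # 5. fw classifier: match on skb mark, which NAT never rewrites.
    run tc filter add dev "$DEV" parent 11:0 protocol ip handle "$MARK" fw classid 11:2
    # 6. Mark LAN-bound forwarded packets. By the time they reach mangle
    #    FORWARD, conntrack has already restored the internal destination,
    #    so -d can select by internal address.
    run iptables -t mangle -A FORWARD -o "$DEV" -d "$LAN_NET" -j MARK --set-mark "$MARK"
}

# show_stats: the counters to inspect afterwards. The class "Sent" line
# is the reliable indicator; fw filters print no per-rule hit counters.
show_stats() {
    run tc -s class show dev "$DEV"
    run tc -s filter show dev "$DEV"
    run iptables -t mangle -L FORWARD -v -n
}

setup_shaping
```

With DRY_RUN=1 the script prints the seven commands in dependency order; comparing that listing against `tc -s class show dev eth1` after a real run is the quickest way to confirm that the leaf class is actually receiving the marked packets.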