Re: CBQ + Layer7 x Emule

Linux Advanced Routing and Traffic Control


 



l7's edonkey filter does not match all edonkey traffic; it does not
match data packets (which you want to shape). It does, however, match the
signaling packets that can be related to data connections.

I never tried L7, but I think these may help you:

iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -mlayer7 --l7proto edonkey -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 2 -j CONNMARK --save-mark


On 6/8/07, Saulo Silva <sauloaugustosilva@xxxxxxxxx> wrote:
Hi All,

This is my first message, and I have a little problem with my FC6 box, trying
to block emule traffic using layer7.

Here is my network:

Internet --------- ADSL Router ------------------- FC6 Box -------------------- Emule Box

external ADSL : Dynamic
Internal ADSL  : 192.168.254.1

external FC6  : 192.168.254.3
internal FC6 : 192.168.253.1

Emule Box : 192.168.253.3

I guess that everything is ok with layer7. Here are my mangle rules:

# iptables -t mangle -A PREROUTING -mlayer7 --l7proto edonkey -j MARK --set-mark 2
# iptables -t mangle -A PREROUTING -m mark --mark 2 -j LOG --log-prefix "PREROUTING MARK : "


iptables -t mangle -A FORWARD -mlayer7 --l7proto edonkey -j MARK --set-mark 2
iptables -t mangle -A FORWARD -m mark --mark 2 -j LOG --log-prefix "FORWARD MARK : "

The output from the log is:

Jun  8 14:18:46 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=203.91.83.127 DST=192.168.253.3 LEN=180 TOS=0x00 PREC=0x00 TTL=105 ID=18725 PROTO=TCP SPT=51674 DPT=4662 WINDOW=16944 RES=0x00 ACK PSH URGP=0

Jun  8 14:18:48 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.209.170.138 DST=192.168.254.3 LEN=139 TOS=0x00 PREC=0x00 TTL=115 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jun  8 14:18:48 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=200.209.170.138 DST=192.168.253.3 LEN=139 TOS=0x00 PREC=0x00 TTL=114 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0

Jun  8 14:18:51 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.244.104.10 DST=192.168.254.3 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0

Jun  8 14:18:51 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=200.244.104.10 DST=192.168.253.3 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0

So it looks like the mark is working.

So now I use the cbq.init script with that configuration:

cat /etc/sysconfig/cbq/cbq-0002.emule_in

DEVICE=eth0,100Mbit,10Mbit
RATE=3Kbit
WEIGHT=1Kbit
PRIO=5
BOUNDED=yes
ISOLATED=yes
MARK=2

cat /etc/sysconfig/cbq/cbq-0002.emule_out
DEVICE=eth1,100Mbit,10Mbit
RATE=3Kbit
WEIGHT=1Kbit
PRIO=5
BOUNDED=yes
ISOLATED=yes
MARK=2

That generates this tc code:

/sbin/tc qdisc add dev eth0 root handle 1 cbq bandwidth 100Mbit avpkt 3000 cell 8
/sbin/tc class change dev eth0 root cbq weight 10Mbit allot 1514

/sbin/tc qdisc del dev eth1 root
/sbin/tc qdisc add dev eth1 root handle 1 cbq bandwidth 100Mbit avpkt 3000 cell 8
/sbin/tc class change dev eth1 root cbq weight 10Mbit allot 1514

/sbin/tc class add dev eth0 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 3Kbit weight 1Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 3000 bounded isolated
/sbin/tc qdisc add dev eth0 parent 1:2 handle 2 tbf rate 3Kbit buffer 10Kb/8 limit 15Kb mtu 1500
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:2

/sbin/tc class add dev eth1 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 3Kbit weight 1Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 3000 bounded isolated
/sbin/tc qdisc add dev eth1 parent 1:2 handle 2 tbf rate 3Kbit buffer 10Kb/8 limit 15Kb mtu 1500
/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:2

Can anyone explain to me what is wrong? Why can I not shape this traffic?

Any help will be appreciated.

Best Regards,

Saulo Silva

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc




--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext 5
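
The difference between the two rule sets in this thread, as an added example that is not part of either message: a toy Python model of the mangle PREROUTING chain, not netfilter code. It assumes, as the reply states, that the layer7 match fires only on eDonkey signalling packets; the addresses, ports and packet kinds are constructed sample data.

```python
# Added illustration: a toy model of the mangle PREROUTING chain, not netfilter code.
# Assumption (taken from the reply): the layer7 match hits signalling packets only.
MARK_EDONKEY = 2

def l7_matches(pkt):
    """Stand-in for '-m layer7 --l7proto edonkey' under the assumption above."""
    return pkt["kind"] == "signalling"

def per_packet_chain(packets):
    """Original rules: MARK --set-mark 2 only on packets the layer7 match hits."""
    return [MARK_EDONKEY if l7_matches(p) else 0 for p in packets]

def connmark_chain(packets):
    """Reply's rules: restore-mark, ACCEPT if marked, layer7 MARK, save-mark."""
    conntrack = {}  # flow -> connection mark
    marks = []
    for p in packets:
        # Both directions of a connection share one conntrack entry.
        flow = frozenset([p["src"], p["dst"]])
        mark = conntrack.get(flow, 0)      # rule 1: CONNMARK --restore-mark
        if mark == 0:                      # rule 2: marked packets ACCEPT and stop here
            if l7_matches(p):              # rule 3: layer7 -> MARK --set-mark 2
                mark = MARK_EDONKEY
            if mark == MARK_EDONKEY:       # rule 4: mark 2 -> CONNMARK --save-mark
                conntrack[flow] = mark
        marks.append(mark)
    return marks

# Constructed sample: one eDonkey connection seen in both directions, plus an
# unrelated web flow to the same LAN host.
PEER, EMULE = ("198.51.100.7", 51674), ("192.168.253.3", 4662)
WEB, LAN = ("198.51.100.9", 80), ("192.168.253.3", 40000)
SAMPLE = [
    {"src": PEER, "dst": EMULE, "kind": "handshake"},
    {"src": PEER, "dst": EMULE, "kind": "signalling"},
    {"src": EMULE, "dst": PEER, "kind": "data"},
    {"src": PEER, "dst": EMULE, "kind": "data"},
    {"src": WEB, "dst": LAN, "kind": "data"},
]

if __name__ == "__main__":
    print("per-packet MARK :", per_packet_chain(SAMPLE))
    print("with CONNMARK   :", connmark_chain(SAMPLE))
```

In this model the per-packet rules leave the data packets at mark 0, so the `fw` filter for `handle 2` never sees them, while the CONNMARK rules carry mark 2 onto every later packet of the same connection and leave the web flow unmarked.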