Re: Ingress filtering

Linux Advanced Routing and Traffic Control

On 25/09/2014 12:19, marco@xxxxxxxxxx wrote:
Hi to all,
I read some stuff about ingress filtering with the ifb module.

According to some it is impossible, but according to others it is not.

possible:
  https://wiki.archlinux.org/index.php/Advanced_traffic_control

not possible:
  http://www.mail-archive.com/lartc@xxxxxxxxxxxxxxx/msg15545.html
  http://www.spinics.net/lists/netfilter/msg53729.html
  http://www.spinics.net/lists/lartc/msg22358.html

Is it possible to use connection mark (ctmark) or packet mark (nfmark)
with the tc filter on ifb, or is the only possibility the patch
provided by these links?
https://aur.archlinux.org/packages/act_connmark/
https://aur.archlinux.org/packages/iproute2-connmark/

Or am I missing something?

Thanks
--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Hi Marco.

Ingress shaping is possible:

#!/bin/bash
## Paths and definitions
tc=/sbin/tc
ETH=eth0        # Change for your device!
IFB=ifb0        # Use a unique ifb per rate limiter!
modprobe ifb
modprobe act_mirred
# Clear old queuing disciplines (qdisc) on the interfaces
$tc qdisc del dev $ETH root 2>/dev/null
$tc qdisc del dev $ETH ingress 2>/dev/null
$tc qdisc del dev $IFB root 2>/dev/null
$tc qdisc del dev $IFB ingress 2>/dev/null
# Create ingress on external interface
$tc qdisc add dev $ETH handle ffff: ingress
ip link set dev $IFB up   # if the interface is not up bad things happen
# Forward all ingress traffic to the IFB device
$tc filter add dev $ETH parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $IFB
# (Example!) Create an EGRESS shaper on the IFB device: the redirected
# ingress traffic is shaped here, so the classes and filters go on $IFB,
# not on $ETH. "default 0" leaves unclassified traffic unshaped.
$tc qdisc add dev $IFB root handle 1: htb default 0
# Note: in tc, "kbps" means kilobytes per second; "kbit" is kilobits.
$tc class add dev $IFB parent 1:0 classid 1:1 htb rate 1000kbps ceil 1000kbps prio 0
$tc class add dev $IFB parent 1:1 classid 1:300 htb rate 300kbps ceil 300kbps prio 0
$tc qdisc add dev $IFB parent 1:300 handle 300: sfq perturb 10
# Classify packets carrying nfmark 300 into class 1:300.
# Caveat: the ingress hook runs before netfilter, so a MARK that iptables
# sets on this same packet is not yet on it when this filter runs on $IFB.
$tc filter add dev $IFB parent 1:0 prio 1 protocol ip handle 300 fw flowid 1:300

iptables -t mangle -I FORWARD -i eth0 -j MARK --set-mark 300

(not tested)


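As an added example (not code from the thread or from either poster), here is a more complete version of the same ifb setup that classifies the redirected ingress traffic in two ways: by packet header with a u32 match, which works on the ifb because it reads the packet itself, and by connection mark using the connmark tc action (act_connmark, the module the AUR packages in the question patch in; it is in mainline since Linux 4.0). The interface names eth0 and ifb0, port 22, the rates and mark 300 are assumptions. It needs root and the ifb, act_mirred and act_connmark modules to apply for real; run it with TC="echo tc" IP="echo ip" to only print the commands.

```sh
#!/bin/sh
# Added example, not from the thread. Ingress shaping through an ifb device
# with two classification methods on the redirected traffic:
#   1. header-based (u32), which works on the ifb because it reads the packet;
#   2. mark-based, via the connmark tc action (act_connmark, mainline since
#      Linux 4.0) followed by a fw filter.
# Run with TC="echo tc" IP="echo ip" to print the commands instead of
# applying them.
set -eu

TC=${TC:-tc}
IP=${IP:-ip}

# usage: setup_ingress_shaping WAN IFB [TOTAL] [INTERACTIVE_RATE] [BULK_RATE]
# Rates use tc units: "mbit" is megabits per second ("mbps" would be megabytes).
setup_ingress_shaping() {
    wan=$1 ifb=$2
    total=${3:-10mbit} int_rate=${4:-1mbit} bulk_rate=${5:-9mbit}

    # Drop old state; "del" fails when nothing is there, so ignore that.
    $TC qdisc del dev "$wan" ingress 2>/dev/null || true
    $TC qdisc del dev "$ifb" root 2>/dev/null || true
    $IP link set dev "$ifb" up

    # Ingress qdisc on the WAN side; every packet is redirected to the ifb,
    # whose egress qdisc is where the shaping happens.
    $TC qdisc add dev "$wan" handle ffff: ingress
    $TC filter add dev "$wan" parent ffff: protocol all u32 match u32 0 0 \
        action mirred egress redirect dev "$ifb"

    # HTB tree on the ifb. "default 20" sends unclassified traffic to 1:20;
    # "default 0" would let it bypass the tree unshaped.
    $TC qdisc add dev "$ifb" root handle 1: htb default 20
    $TC class add dev "$ifb" parent 1: classid 1:1 htb rate "$total" ceil "$total"
    $TC class add dev "$ifb" parent 1:1 classid 1:10 htb rate "$int_rate" ceil "$total" prio 0
    $TC class add dev "$ifb" parent 1:1 classid 1:20 htb rate "$bulk_rate" ceil "$total" prio 1
    $TC qdisc add dev "$ifb" parent 1:10 handle 10: sfq perturb 10
    $TC qdisc add dev "$ifb" parent 1:20 handle 20: sfq perturb 10

    # 1. Header-based: inbound TCP to port 22 (assumed) goes to the
    #    interactive class 1:10.
    $TC filter add dev "$ifb" parent 1: protocol ip prio 1 u32 \
        match ip protocol 6 0xff match ip dport 22 0xffff flowid 1:10

    # 2. Mark-based: copy the conntrack mark onto the packet, then continue
    #    to the next filter so a fw filter can match it. The mark (300 here,
    #    assumed) is set on the connection by netfilter, e.g.
    #      iptables -t mangle -A FORWARD -i "$wan" -j CONNMARK --set-mark 300
    #    The first packet of a flow has no conntrack entry yet and falls
    #    through to the default class.
    $TC filter add dev "$ifb" parent 1: protocol ip prio 2 u32 match u32 0 0 \
        action connmark continue
    $TC filter add dev "$ifb" parent 1: protocol ip prio 3 handle 300 fw flowid 1:10
}

# Apply when called with interface arguments, e.g.: ./shape.sh eth0 ifb0
if [ $# -ge 2 ]; then
    setup_ingress_shaping "$@"
fi
```

After applying it, check with `tc -s class show dev ifb0` and `tc filter show dev ifb0`: the byte counters on class 1:10 should grow while inbound traffic to port 22 or to a connection marked 300 is flowing, and everything else should land in 1:20.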
