Hello,
I read a few posts that it is possible to mark a packet with iptables,
and then shape it as it leaves on an ipsec tunnel. So far I am having
limited success with the idea.
I am using libreswan with netkey. I tried marking the packets in
mangle/PREROUTING, but I had zero joy with that; I suspect that when the
kernel does its netkey magic the mark is lost. I tried marking at a
number of other spots in the nfpacket flow, I only got results at
mangle/POSTROUTING. But it doesn't seem to grab all the packets.
I have 6 remote users on the vpn, I give each of them a mark based on
the IP address they get, and I mark all non-vpn packets with a 7th mark.
I set up 7 classes to match each mark. I determine by the command
`watch -n 1 -d tc -s class show dev eth0` that some packets do go
through each class, but it is only a very small percentage of them
(after watching it for a while now I suspect it is initial syn packets).
The rest all go into the 7th non-vpn class, even though I can log the
packets marked to go to one of the vpn users.
So I am wondering if I have missed a piece of the theory, or if what I
am trying to accomplish just isn't possible. Perhaps it would be better
to set up a class based on src/dst port 500, but I would like to
guarantee each vpn user a fair share of the limited bandwidth (which I
think pretty much requires a separate class for each user), and I am not
sure how that can be accomplished with dynamic remote addresses.
Comments or suggestions would be highly appreciated...
--
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
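An added, self-contained example of the scheme the post describes (per-user fw marks set in mangle/POSTROUTING, one HTB class per mark, fw filters to steer each mark into its class). It is not code from the post or from libreswan; the interface name, the 1000 kbit uplink, the tunnel addresses 10.8.0.1..10.8.0.6 and the use of mark 7 as the catch-all are assumptions made for illustration. Two design choices go beyond what the post tries: every MARK rule is guarded with `-m mark --mark 0`, because with netkey the same packet passes mangle/POSTROUTING twice (once as plaintext to the user's tunnel address, once as ESP to the peer's public address) and an unguarded catch-all rule on the second pass would overwrite the user's mark; and CONNMARK save/restore is used so that a flow whose first packet was marked keeps its mark on every later packet instead of only on the initial SYN. By default the script only prints the iptables and tc commands (DRY_RUN=1); with DRY_RUN=0 it executes them and needs root.

```shell
#!/bin/sh
# Added example, not from the original post. Per-VPN-user shaping on the
# upstream interface with iptables fw marks and HTB classes.
# Assumptions (not from the post): DEV is the interface tunnel traffic leaves
# on, TOTAL_KBIT is the uplink budget, the user addresses are constructed,
# and mark N+1 (7 for six users) is the catch-all class for everything else.
set -u
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# emit_rules DEV TOTAL_KBIT MARK:IP [MARK:IP ...]
# Marks 1..N are one per VPN user; mark N+1 is the catch-all class.
emit_rules() {
    dev=$1; total=$2; shift 2
    nusers=$#
    catchall=$((nusers + 1))
    share=$((total / catchall))   # guaranteed rate per class, in kbit

    # Restore a mark remembered on the conntrack entry, so later packets of
    # a flow get the same class as its first packet did.
    run iptables -t mangle -A POSTROUTING -o "$dev" -j CONNMARK --restore-mark

    # Mark only packets that carry no mark yet. With netkey the plaintext
    # packet and, after encapsulation, the ESP packet both traverse this
    # hook; the guard keeps the second pass from overwriting the mark.
    for pair in "$@"; do
        mark=${pair%%:*}; ip=${pair#*:}
        run iptables -t mangle -A POSTROUTING -o "$dev" -m mark --mark 0 \
            -d "$ip" -j MARK --set-mark "$mark"
    done
    run iptables -t mangle -A POSTROUTING -o "$dev" -m mark --mark 0 \
        -j MARK --set-mark "$catchall"

    # Save the final mark on the conntrack entry for the restore above.
    run iptables -t mangle -A POSTROUTING -o "$dev" -j CONNMARK --save-mark

    # One HTB class per mark: equal guaranteed share, may borrow up to the
    # full link. Packets without a matching fw filter land in the catch-all.
    run tc qdisc add dev "$dev" root handle 1: htb default "1$catchall"
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${total}kbit"
    m=1
    while [ "$m" -le "$catchall" ]; do
        run tc class add dev "$dev" parent 1:1 classid "1:1$m" htb \
            rate "${share}kbit" ceil "${total}kbit"
        run tc filter add dev "$dev" parent 1: protocol ip prio 1 \
            handle "$m" fw flowid "1:1$m"
        m=$((m + 1))
    done
}

# Constructed example: six tunnel users on 10.8.0.0/24, 1000 kbit/s uplink.
emit_rules "${DEV:-eth0}" "${TOTAL_KBIT:-1000}" \
    1:10.8.0.1 2:10.8.0.2 3:10.8.0.3 4:10.8.0.4 5:10.8.0.5 6:10.8.0.6
```

Run it once as-is to review the generated rule set, then with `DRY_RUN=0` to apply it. `watch -n 1 -d tc -s class show dev eth0` (the command from the post) should then show each user's class accumulating bytes for the whole flow, not just its first packet; if the ESP packets still land in the catch-all class, compare `iptables -t mangle -L POSTROUTING -v` counters on the guarded rules against the CONNMARK rules to see which pass is losing the mark.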