Re: bug report and future request

Hi Pablo

Unfortunately I can't find any documentation on how to do it :(


Martin

> On 24 Mar 2022, at 14:23, Martin Zaharinov <micron10@xxxxxxxxx> wrote:
> 
> Hi Pablo
> 
> Based on this rule:
> 
> table inet nft-qos-static {
>        set limit_ul {
>                typeof ip saddr
>                flags dynamic
>        }
>        set limit_dl {
>                typeof ip daddr
>                flags dynamic
>        }
> 
>        chain download {
>                type filter hook postrouting priority filter; policy accept;
>                ip daddr @limit_dl drop
> 
>        }
>        chain upload {
>                type filter hook prerouting priority filter ; policy accept;
>                ip saddr @limit_ul drop;
>        }
>        flowtable fastnat {
>                hook ingress priority filter; devices = { eth0, eth1 };
>        }
>        chain forward {
>                type filter hook forward priority filter; policy accept;
>                ip protocol { tcp , udp } flow offload @fastnat;
>        }
> }
> 
> 
> Where do I set this? Please help.
> 
> 
>> On 24 Mar 2022, at 14:20, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>> 
>> On Thu, Mar 24, 2022 at 02:09:25PM +0200, Martin Zaharinov wrote:
>>> One more update
>>> 
>>> I tried to make a rule for the limiter in offload mode:
>>> 
>>> table inet nft-qos-static {
>>>       set limit_ul {
>>>               typeof ip saddr
>>>               flags dynamic
>>>       }
>>>       set limit_dl {
>>>               typeof ip daddr
>>>               flags dynamic
>>>       }
>>> 
>>>       chain upload {
>>>               type filter hook prerouting priority filter ; policy accept;
>>>               ip saddr @limit_ul drop;
>>>       }
>>> 
>>>       chain download {
>>>               type filter hook postrouting priority filter; policy accept;
>>>               ip daddr @limit_dl drop;
>>> 
>>>       }
>>>       flowtable fastnat {
>>>               hook ingress priority filter; devices = { eth0, eth1 };
>>>       }
>>>       chain forward {
>>>               type filter hook forward priority filter; policy accept;
>>>               ip protocol { tcp , udp } flow offload @fastnat;
>>>       }
>>> }
>>> 
>>> It does not work perfectly: only the upload limit works, download gets the full channel.
>>> 
>>> In the test I set 100mbit up/down. Upload stays at ~100mbit, but download goes up to 250-300mbit (I have this limit from my ISP).
>>> 
>>> The problem is that the limiter works only for upload. Is it possible to make it work on the download rule?
>> 
>> If you want to combine ratelimit/policing with flowtable, then you
>> have to use the ingress and egress hooks, not prerouting and
>> postrouting.
>> 
>> Make sure you place the flowtable in a priority that comes after the
>> priority of your ingress hook.
> 
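
A sketch of the layout Pablo describes, with the set lookups moved from prerouting/postrouting to netdev ingress/egress chains and the flowtable placed at a later priority than the ingress chain. This is an added example, not a configuration posted in the thread. Assumptions: eth1 is the client-facing interface, the sets are moved into the netdev table (sets are local to a table), the inet table name `nft-qos-offload` and the priority -10 are made up for illustration, and the kernel and nft build support the netdev egress hook (Linux 5.16 or later).

```nftables
# Added example: policing on netdev hooks so offloaded flows are still seen.
# Assumption: eth1 faces the clients, eth0 faces the ISP.
table netdev nft-qos-static {
        set limit_ul {
                typeof ip saddr
                flags dynamic
        }
        set limit_dl {
                typeof ip daddr
                flags dynamic
        }

        # Upload: client traffic arriving on eth1.
        # Priority -10 runs before the flowtable (priority 0) below, so the
        # lookup happens before the fast path can forward the packet.
        chain upload {
                type filter hook ingress device "eth1" priority -10; policy accept;
                ip saddr @limit_ul drop
        }

        # Download: traffic leaving towards the clients on eth1.
        # Offloaded packets bypass postrouting but still pass the egress hook.
        chain download {
                type filter hook egress device "eth1" priority 0; policy accept;
                ip daddr @limit_dl drop
        }
}

# Hypothetical table name; flowtable and forward chain as in the thread.
table inet nft-qos-offload {
        flowtable fastnat {
                # Priority 0 comes after the ingress chain at -10.
                hook ingress priority 0; devices = { eth0, eth1 };
        }
        chain forward {
                type filter hook forward priority filter; policy accept;
                ip protocol { tcp, udp } flow offload @fastnat
        }
}
```

After loading, `nft list ruleset` shows both tables; whatever populates `limit_ul` and `limit_dl` must now target the netdev table.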




