Closed ports and traffic shaping

First off, please excuse the cross post between lartc and netfilter;
the line between the two is very blurred here (at least for me)...

A thought just crossed my mind now while working on a new iptables/tc
collaboration for a project.

I use iptables to basically seal off a linux gateway, we're very
restrictive on what users can do on the connection. For now I'm using
destination port filtering, will bring in source port filtering for
replies and layer-7 for some help later.

Traffic shaping is done with tc using WRR. All traffic coming from the
server's OUTPUT chain is classified differently from internet traffic,
which passes through WRR (localhost is pfifo_fast).

Now here is the question...

If someone on the network attempts to use an aggressive file sharing
program, one that keeps on connecting to random peers on random ports,
and the server replies that the requested ports are unavailable
("REJECT --reject-with tcp-reset" for TCP, and "REJECT --reject-with
icmp-port-unreachable" for UDP) where applicable; do these packets get
classified as internet traffic or do they pass through the OUTPUT
chain and get classified as local traffic?

I know tcpdump hooks in before netfilter gets to work, but it looked
like the errors came from the internet hosts and not localhost. What
I'm getting at is if these error packets don't get classified
differently from normal internet traffic they can potentially saturate
your class doing shaping for internet traffic, right or wrong? I know
you need a pretty aggressive piece of P2P to get this done...

Any advice & insight would be appreciated.

--

Kenneth Kalmer
kenneth.kalmer@xxxxxxxxx

Folding@home stats
http://fah-web.stanford.edu/cgi-bin/main.py?qtype=userpage&username=kenneth%2Ekalmer
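One defensive arrangement for the situation the post describes, as an added example that is not code from the original post: the RST and port-unreachable packets that REJECT produces are built on the gateway itself and leave through the LOCAL_OUT hook, so they can be marked in the mangle OUTPUT chain and steered into a small, bounded tc class of their own instead of competing with the class that shapes ordinary internet traffic. Assumed here (none of it from the post): the LAN-facing device is eth1, an HTB tree with root 1: and parent class 1:1 stands in for the WRR setup, and fwmark 3 is otherwise unused.

```shell
#!/bin/sh
# Added example, not from the original post. Marks the packets the
# gateway emits in reply to REJECTed connections (TCP RST and ICMP
# port-unreachable) in the mangle OUTPUT chain and steers them into a
# small class of their own, so a flood of them cannot saturate the
# class that shapes ordinary internet traffic.
# Assumptions: LAN-facing device eth1, an HTB qdisc 1: with parent class
# 1:1 (standing in for the WRR tree), fwmark 3 unused. The script only
# prints the commands unless RUN=1 is set.

DEV="${DEV:-eth1}"
MARK="${MARK:-3}"
CLASS="${CLASS:-1:30}"

# Execute the command when RUN=1, otherwise print it (dry run).
run_or_print() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# REJECT-generated packets are built on the gateway itself and go
# through the LOCAL_OUT hook, so mangle OUTPUT is where to tag them.
# This also catches the gateway's own genuine RSTs and unreachables,
# which are small control packets and can share the class.
mark_reject_packets() {
    run_or_print iptables -t mangle -A OUTPUT -o "$DEV" -p tcp \
        --tcp-flags RST RST -j MARK --set-mark "$MARK"
    run_or_print iptables -t mangle -A OUTPUT -o "$DEV" -p icmp \
        --icmp-type port-unreachable -j MARK --set-mark "$MARK"
}

# A bounded class for the marked packets plus an fw filter at prio 1 so
# it is consulted before the filters that classify everything else.
shape_reject_class() {
    run_or_print tc class add dev "$DEV" parent 1:1 classid "$CLASS" \
        htb rate 64kbit ceil 128kbit
    run_or_print tc filter add dev "$DEV" parent 1: protocol ip prio 1 \
        handle "$MARK" fw flowid "$CLASS"
}

# Number of commands the two functions emit in dry-run mode.
reject_rule_count() {
    { mark_reject_packets; shape_reject_class; } | grep -c .
}

mark_reject_packets
shape_reject_class
```

Run it once without RUN=1 to review the four commands, then with RUN=1 as root on the gateway; the class rate is a starting point to tune against the link, not a recommendation.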


