Re: bug report and future request

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Pablo

base on this rule : 

table inet nft-qos-static {
        set limit_ul {
                typeof ip saddr
                flags dynamic
        }
        set limit_dl {
                typeof ip daddr
                flags dynamic
        }

        chain download {
                type filter hook postrouting priority filter; policy accept;
                ip daddr @limit_dl drop

        }
        chain upload {
                type filter hook prerouting priority filter ; policy accept;
                ip saddr @limit_ul drop;
        }
        flowtable fastnat {
                hook ingress priority filter; devices = { eth0, eth1 };
        }
        chain forward {
                type filter hook forward priority filter; policy accept;
                ip protocol { tcp , udp } flow offload @fastnat;
        }
}


where to set this , please help.


> On 24 Mar 2022, at 14:20, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> 
> On Thu, Mar 24, 2022 at 02:09:25PM +0200, Martin Zaharinov wrote:
>> One more update 
>> 
>> I try to make rule for limiter in offload mode :
>> 
>> table inet nft-qos-static {
>>        set limit_ul {
>>                typeof ip saddr
>>                flags dynamic
>>        }
>>        set limit_dl {
>>                typeof ip daddr
>>                flags dynamic
>>        }
>> 
>>        chain upload {
>>                type filter hook prerouting priority filter ; policy accept;
>>                ip saddr @limit_ul drop;
>>        }
>> 
>>        chain download {
>>                type filter hook postrouting priority filter; policy accept;
>>                ip daddr @limit_dl drop;
>> 
>>        }
>>        flowtable fastnat {
>>                hook ingress priority filter; devices = { eth0, eth1 };
>>        }
>>        chain forward {
>>                type filter hook forward priority filter; policy accept;
>>                ip protocol { tcp , udp } flow offload @fastnat;
>>        }
>> }
>> 
>> its not work perfect only upload limit work , download get full channel 
>> 
>> in test i set 100mbit up/down  upload is stay on ~100mbit , but download up to 250-300mbit (i have this limit be my isp).
>> 
>> the problem is limiter work only for Upload , is it posible to make work on download rule ?
> 
> If you want to combine ratelimit/policing with flowtable, then you
> have to use the ingress and egress hooks, not prerouting and
> postrouting.
> 
> Make sure you place the flowtable in a priority that comes after the
> priority of your ingress hook.





[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux