Re: bug report and future request

Hello Pablo and Florian 

I try to make this work on egress or ingress, but the limiter does not work.


The setup is:

eth0 uplink - WAN

ppp0 ,ppp1,pppX users

table netdev nft-qos-ingress {
	set limit_ul {
		typeof ip saddr
		flags dynamic
		elements = { 10.0.0.11 limit rate over 12800 kbytes/second burst 600 kbytes }
	}

	chain upload {
		type filter hook ingress device "ppp0" priority -450; policy accept;
		ip saddr @limit_ul drop
	}
}


Here the problem is that when a ppp user disconnects, the rule for ppp0 is removed from nftables (is there an option to set ppp* here to list all ppp interfaces?).


For egress I tried this setup, but it does not work on egress:

table netdev nft-qos-egress {
	set limit_dl {
		typeof ip daddr
		flags dynamic
		elements = { 10.0.0.11 limit rate over 12800 kbytes/second burst 600 kbytes }
	}

	chain download {
		type filter hook egress device "eth0" priority -450; policy accept;
		ip daddr @limit_dl drop
	}
}


The idea is to move the limiter to egress and ingress,

which should perhaps reduce the CPU load.


Best regards,
Martin

> On 24 Mar 2022, at 14:23, Martin Zaharinov <micron10@xxxxxxxxx> wrote:
> 
> Hi Pablo
> 
> based on this rule:
> 
> table inet nft-qos-static {
>        set limit_ul {
>                typeof ip saddr
>                flags dynamic
>        }
>        set limit_dl {
>                typeof ip daddr
>                flags dynamic
>        }
> 
>        chain download {
>                type filter hook postrouting priority filter; policy accept;
>                ip daddr @limit_dl drop
> 
>        }
>        chain upload {
>                type filter hook prerouting priority filter ; policy accept;
>                ip saddr @limit_ul drop;
>        }
>        flowtable fastnat {
>                hook ingress priority filter; devices = { eth0, eth1 };
>        }
>        chain forward {
>                type filter hook forward priority filter; policy accept;
>                ip protocol { tcp , udp } flow offload @fastnat;
>        }
> }
> 
> 
> Where do I set this? Please help.
> 
> 
>> On 24 Mar 2022, at 14:20, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>> 
>> On Thu, Mar 24, 2022 at 02:09:25PM +0200, Martin Zaharinov wrote:
>>> One more update 
>>> 
>>> I tried to make a rule for the limiter in offload mode:
>>> 
>>> table inet nft-qos-static {
>>>       set limit_ul {
>>>               typeof ip saddr
>>>               flags dynamic
>>>       }
>>>       set limit_dl {
>>>               typeof ip daddr
>>>               flags dynamic
>>>       }
>>> 
>>>       chain upload {
>>>               type filter hook prerouting priority filter ; policy accept;
>>>               ip saddr @limit_ul drop;
>>>       }
>>> 
>>>       chain download {
>>>               type filter hook postrouting priority filter; policy accept;
>>>               ip daddr @limit_dl drop;
>>> 
>>>       }
>>>       flowtable fastnat {
>>>               hook ingress priority filter; devices = { eth0, eth1 };
>>>       }
>>>       chain forward {
>>>               type filter hook forward priority filter; policy accept;
>>>               ip protocol { tcp , udp } flow offload @fastnat;
>>>       }
>>> }
>>> 
>>> It does not work perfectly: only the upload limit works, download gets the full channel.
>>> 
>>> In the test I set 100 Mbit up/down; upload stays at ~100 Mbit, but download goes up to 250-300 Mbit (that is the limit I have from my ISP).
>>> 
>>> The problem is that the limiter works only for upload; is it possible to make it work on the download rule?
>> 
>> If you want to combine ratelimit/policing with flowtable, then you
>> have to use the ingress and egress hooks, not prerouting and
>> postrouting.
>> 
>> Make sure you place the flowtable in a priority that comes after the
>> priority of your ingress hook.
> 
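As an added example (not code from this thread or from the netfilter project), the following Python script generates the kind of ruleset discussed above: a netdev table with a dynamic `limit rate over` set and one ingress plus one egress policing chain per ppp device, followed by the flowtable, with a check that the policing hooks carry a lower priority value than the flowtable's ingress hook, as Pablo's reply requires. It assumes a kernel with the netdev egress hook (Linux 5.16 or later) and nft 1.0.1 or later for stateful set elements, and it polices both directions on the subscriber-facing ppp device, which is a design choice of the example rather than something the thread settles. The `ip -o link show` sample, the addresses and the rates are constructed; the table and chain names are the example's own.

```python
"""Generate an nftables ruleset that polices per-subscriber throughput at the
netdev ingress/egress hooks, where the policer still sees packets after the
flowtable has taken over a connection.

Added example for this thread, not code from the netfilter project or the
poster. Assumes Linux 5.16+ (netdev egress hook) and nft 1.0.1+ (stateful set
elements); interface names, addresses and rates are constructed samples.
"""
import re

# Hooks on one device run in ascending priority order, so the policing chains
# need a numerically lower priority than the flowtable's ingress hook (the -450
# value mirrors the thread).
POLICE_PRIO = -450
FLOWTABLE_PRIO = 0

# Constructed `ip -o link show` output, shortened after the state field.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN
6: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
7: ppp1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN
"""


def ppp_interfaces(ip_link_output):
    """Return the ppp interface names in `ip -o link show` output. A netdev
    chain is bound to one device and goes away with it, so the ruleset must be
    regenerated from the live interface list (e.g. from a pppd ip-up script)."""
    names = []
    for line in ip_link_output.splitlines():
        m = re.match(r"\d+:\s+(ppp\d+):", line)
        if m:
            names.append(m.group(1))
    return names


def priorities_ok(police_prio=POLICE_PRIO, flowtable_prio=FLOWTABLE_PRIO):
    """True when the policer runs before the flowtable on a shared device."""
    return police_prio < flowtable_prio


def policer_set(name, key, limits):
    """Dynamic set whose elements carry a per-address `limit rate over` policer;
    `limits` maps address -> (rate in kbytes/second, burst in kbytes)."""
    lines = [f"\tset {name} {{", f"\t\ttypeof {key}", "\t\tflags dynamic"]
    if limits:  # an empty `elements = { }` would not load, so omit the line
        elems = ", ".join(
            f"{addr} limit rate over {rate} kbytes/second burst {burst} kbytes"
            for addr, (rate, burst) in sorted(limits.items()))
        lines.append(f"\t\telements = {{ {elems} }}")
    lines.append("\t}")
    return "\n".join(lines)


def build_ruleset(ppp_ifaces, limits, flowtable_devs,
                  police_prio=POLICE_PRIO, flowtable_prio=FLOWTABLE_PRIO):
    """Emit an `nft -f`-loadable ruleset: one ingress (upload) and one egress
    (download) policing chain per ppp device, plus the flowtable."""
    if not priorities_ok(police_prio, flowtable_prio):
        raise ValueError("flowtable priority must come after the policing hooks")
    out = ["table netdev nft-qos {",
           policer_set("limit_ul", "ip saddr", limits),
           policer_set("limit_dl", "ip daddr", limits)]
    for dev in ppp_ifaces:
        # upload: packets from the subscriber arrive on pppX, match on source
        out.append(f"\tchain upload_{dev} {{\n"
                   f'\t\ttype filter hook ingress device "{dev}" priority {police_prio}; policy accept;\n'
                   "\t\tip saddr @limit_ul drop\n\t}")
        # download: packets to the subscriber leave via pppX, match on destination
        out.append(f"\tchain download_{dev} {{\n"
                   f'\t\ttype filter hook egress device "{dev}" priority {police_prio}; policy accept;\n'
                   "\t\tip daddr @limit_dl drop\n\t}")
    out.append("}")
    devs = ", ".join(flowtable_devs)
    out += ["table inet nft-fastpath {",
            "\tflowtable fastnat {",
            f"\t\thook ingress priority {flowtable_prio}; devices = {{ {devs} }};",
            "\t}",
            "\tchain forward {",
            "\t\ttype filter hook forward priority filter; policy accept;",
            "\t\tip protocol { tcp, udp } flow offload @fastnat",
            "\t}", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Regenerate from the current interface list; on a router, pipe into `nft -f -`.
    print(build_ruleset(ppp_interfaces(SAMPLE_IP_LINK),
                        {"10.0.0.11": (12800, 600)}, ["eth0", "eth1"]))
```

Because a netdev chain is tied to one device, the practical way to cope with ppp interfaces that come and go is to regenerate and reload the ruleset from the live interface list whenever a session starts or ends; the priority check only matters for a device that is both policed and listed in the flowtable, since that is where hook ordering decides whether the policer sees the offloaded packets.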