* [LARTC] Fwmark and REDIRECT rules
@ 2004-03-22 14:35 Enrico Demarin
From: Enrico Demarin @ 2004-03-22 14:35 UTC
To: lartc
Hi,
This is the situation: I am using a Linux gateway to shape the outbound
traffic coming from a LAN, configured (for example) as follows
(using htb):
ETH0 (public interface)
1 ROOT class rate 10240 kbit, ceil 10240
2 LEAF class rate 8192, ceil 8192
3 LEAF class rate 2048, ceil 2048
ETH1 (LAN)
Then I define the following rules:
tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 0x10 fw flowid 1:2
tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 0x20 fw flowid 1:3
And set the iptables rules to assign the fwmarks:
/sbin/iptables -t mangle -F mygroup
/sbin/iptables -t mangle -X mygroup
/sbin/iptables -t mangle -N mygroup
/sbin/iptables -t mangle -A FORWARD -i eth1 -o eth0 -j mygroup
/sbin/iptables -t mangle -A mygroup -p tcp -m tcp --dport 80 -j MARK --set-mark 0x20
/sbin/iptables -t mangle -A mygroup -p tcp -m tcp --dport 80 -j RETURN
/sbin/iptables -t mangle -A mygroup -j MARK --set-mark 0x10
/sbin/iptables -t mangle -A mygroup -j RETURN
In theory, this should assign all packets with dest port 80 forwarded
from eth1 to eth0 to the 0x20 class, and the rest to the 0x10 class.
And it works, until I do something like this:
iptables -t nat -A PREROUTING -p tcp --source 10.1.0.0/24 --dport 80 -j REDIRECT --to-ports 3128
to set up transparent proxy redirection to the local squid (10.1.0.0/24
is the subnet of eth1).
The redirection works but no packets end up in the 0x20 class.
Any way to shape even transparent-proxied traffic?
thanks,
Enrico
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] Fwmark and REDIRECT rules
From: Roy @ 2004-03-22 17:18 UTC
To: lartc
First, you should mark packets in the postrouting chain for what you need;
the forward chain doesn't touch local traffic, which is your proxy.
Next, since you redirect packets to port 3128 you should match on this port,
not on 80.
But then you will mark all packets from port 3128 no matter whether they are
redirected or not.
(All proxy traffic will be marked.)
Also, you can simply match with tc on port 80, since tc is after nat and it
will see the same port the user will see.
For such a simple setup no marking is necessary.
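Added example, not code from the thread: a small Python model of the netfilter hook order for Enrico's ruleset, showing why a packet that nat PREROUTING redirects to squid is routed to INPUT instead of FORWARD and therefore never receives the 0x20 mark (Roy's point that the forward chain does not see local traffic). The gateway address 10.1.0.1 and the server address 198.51.100.10 are constructed; the --source 10.1.0.0/24 match is approximated by the incoming interface.

```python
from dataclasses import dataclass, replace

GATEWAY_ETH1 = "10.1.0.1"        # constructed: the gateway's own eth1 address
LOCAL_ADDRS = {GATEWAY_ETH1}
REDIRECT_PORT = 3128             # squid port from the thread


@dataclass(frozen=True)
class Pkt:
    in_if: str
    dst: str
    dport: int
    mark: int = 0


def nat_prerouting(p: Pkt, redirect_on: bool) -> Pkt:
    """Thread's rule: -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128.
    REDIRECT rewrites the destination to the gateway's own address, so the
    routing decision that follows delivers the packet locally (INPUT)."""
    if redirect_on and p.in_if == "eth1" and p.dport == 80:
        return replace(p, dst=GATEWAY_ETH1, dport=REDIRECT_PORT)
    return p


def routing_decision(p: Pkt) -> str:
    return "INPUT" if p.dst in LOCAL_ADDRS else "FORWARD"


def mangle_forward(p: Pkt) -> Pkt:
    """Thread's mygroup chain, reached from mangle FORWARD -i eth1 -o eth0."""
    if p.in_if != "eth1":
        return p
    return replace(p, mark=0x20 if p.dport == 80 else 0x10)


def traverse(p: Pkt, redirect_on: bool) -> tuple:
    """Inbound hook order: nat PREROUTING -> routing -> INPUT or FORWARD.
    Packets delivered to INPUT never pass mangle FORWARD; squid's own
    upstream connection later starts in OUTPUT, which FORWARD never sees."""
    p = nat_prerouting(p, redirect_on)
    chain = routing_decision(p)
    if chain == "FORWARD":
        p = mangle_forward(p)
    return chain, p.mark


if __name__ == "__main__":
    web = Pkt("eth1", "198.51.100.10", 80)   # constructed LAN client -> web server
    print("no REDIRECT:", traverse(web, False))   # ('FORWARD', 32)
    print("with REDIRECT:", traverse(web, True))  # ('INPUT', 0)
```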
* Re: [LARTC] Fwmark and REDIRECT rules
From: Enrico Demarin @ 2004-03-22 17:38 UTC
To: lartc
Ok. I am marking because I will also add rules for a second ethernet
interface, eth2, which serves a 10.2.0.0/24 segment, and I want to split
the internet feed (10 megabits) into 2 5-megabit links: I need marking
to mark all the traffic coming to eth1 to its 5-megabit classes and
the traffic coming from eth2 to the other tree (I would define 2 root
classes of 5 megabits, with separate leaves).
- Enrico