From: Andrew Beverley <andy@andybev.com>
To: "Ethy H. Brito" <ethy.brito@inexo.com.br>
Cc: netfilter@vger.kernel.org
Subject: Re: shaping vlans - revisited
Date: Fri, 04 Feb 2011 02:59:16 +0000
Message-ID: <1296788356.7587.70.camel@andybev>
In-Reply-To: <20110203180118.62970fb1@pulsar.inexo.com.br>

> > Are you sure you are marking packets correctly *both* ways? Just because
> > they are being marked in one direction, doesn't mean that they are being
> > marked in the other direction.
> 
> Andrew 
> 
> If you see my first post you will find the filter rule I use to insert the
> packet in each flowid according to its IPMARK. 
> 
> The marking is performed by these four lines:
> 
> /usr/sbin/iptables -t mangle -A POSTROUTING -o eth0 -m mark ! --mark 0 \
> 	-j IPMARK --addr dst --and-mask 0xffff --or-mask 0x20000
> /usr/sbin/iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 0 \
> 	-j IPMARK --addr dst --and-mask 0xffff --or-mask 0x0
> /usr/sbin/iptables -t mangle -A POSTROUTING -o eth1 -m mark ! --mark 2 \
> 	-j IPMARK --addr src --and-mask 0xffff --or-mask 0x0
> /usr/sbin/iptables -t mangle -A POSTROUTING -o eth1 -m mark --mark 2 \
> 	-j IPMARK --addr src --and-mask 0xffff --or-mask 0x40000
> 
> and since it is working for eth0 I assume they are correct for both
> interfaces.

Okay.

> 
> The script does the same thing to both eth0 and eth1 interfaces.
> 
> One extra detail is: this setup was working (just as it is for eth0) until
> two weeks ago, when we created the vlans and split the traffic among
> them.
> 
> > 
> > If you add an iptables rule to LOG your traffic on that interface, then
> > you will be able to see the mark value.
> 
> This is a problem! 
> 
> If I run: iptables -I FORWARD -o eth1 -j LOG
> I see NO traffic at all!! Nothing!!
> 
> But: iptables -I FORWARD -o vlan+ -j LOG
> gives me tons of logs!!
> 
> iptables only sees the traffic through vlans and not through eth1.
> 

I have to admit I've never played with vlans and iptables, so I was just
guessing based on non-vlan experience.

Stupid question - can you not just attach your qdisc to the vlan
interface and mark the traffic on the vlan interface as well, as if it
was eth1?

Alternatively, if the root qdisc is seeing all the packets but it's the
marking that's not working, then can you not just mark on the vlan
interface rather than eth1?

Andy
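
An added example, not part of the original message or the poster's script: a small Python model of the four quoted IPMARK rules, showing which rules fire and what mark results per output interface, and why nothing fires when the packet's output interface is a vlan rather than eth1 (as the LOG test in the quoted text reports). Assumptions: IPMARK computes `(addr & and-mask) | or-mask` and is non-terminating; `vlan10`, the packet addresses and the helper names are constructed for illustration.

```python
import ipaddress

# The four mangle/POSTROUTING rules quoted above, as
# (out-interface, mark compared, negated?, address used, and-mask, or-mask).
RULES = [
    ("eth0", 0, True,  "dst", 0xFFFF, 0x20000),
    ("eth0", 0, False, "dst", 0xFFFF, 0x0),
    ("eth1", 2, True,  "src", 0xFFFF, 0x0),
    ("eth1", 2, False, "src", 0xFFFF, 0x40000),
]

def iface_matches(pattern, name):
    """iptables -i/-o matching: a trailing '+' matches any name with that prefix."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name

def final_mark(out_if, mark, src, dst, rules=RULES):
    """Walk the rules in order; return (final mark, numbers of the rules that fired)."""
    addr = {"src": int(ipaddress.IPv4Address(src)),
            "dst": int(ipaddress.IPv4Address(dst))}
    fired = []
    for n, (oif, want, negated, which, and_mask, or_mask) in enumerate(rules, 1):
        if not iface_matches(oif, out_if):
            continue                      # -o does not match: rule is skipped
        if (mark == want) == negated:
            continue                      # -m mark [!] --mark does not match
        # Assumption: IPMARK sets mark = (addr & and-mask) | or-mask and
        # lets the packet continue to the next rule.
        mark = (addr[which] & and_mask) | or_mask
        fired.append(n)
    return mark, fired

def retarget(rules, old, new):
    """Copy of the rules with the -o match changed (e.g. eth1 -> vlan+)."""
    return [((new,) + r[1:]) if r[0] == old else r for r in rules]

if __name__ == "__main__":
    # Constructed packet: incoming mark 2, 10.1.2.3 -> 192.168.5.9.
    pkt = dict(mark=2, src="10.1.2.3", dst="192.168.5.9")
    for label, rules in (("as posted", RULES),
                         ("-o vlan+ ", retarget(RULES, "eth1", "vlan+"))):
        for oif in ("eth0", "eth1", "vlan10"):
            mark, fired = final_mark(oif, rules=rules, **pkt)
            print(f"{label} out={oif:6} mark={mark:#x} fired={fired}")
```

With the rules as posted, a packet leaving through `vlan10` keeps its incoming mark because no `-o eth1` rule matches it; with the match changed to `vlan+` it gets the same mark it would have received on eth1.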


