From: Chris Elston <celston@katalix.com>
To: lartc@vger.kernel.org
Subject: Ingress qdisc via fwmark
Date: Tue, 12 Nov 2013 14:29:00 +0000 [thread overview]
Message-ID: <1384266540.24209.41.camel@Desktop> (raw)
Hello,
I'm having a little trouble getting ingress policing working, filtering
based on an iptables fwmark. The iptables fwmark is being set with a new
L2TP packet classifier:
# iptables -A INPUT -t mangle -s 192.168.101.20 -m l2tp --tidR380 --sid4787 --typeÚta -j MARK --set-mark 1
(Note that I have also tried adding to the PREROUTING mangle table
too...)
I have confirmed that the classifier is marking packets:
# iptables -L INPUT -t mangle -v
Chain INPUT (policy ACCEPT 59641 packets, 44M bytes)
pkts bytes target prot opt in out source destination
172 7912 MARK all -- any any lns anywhere l2tp tid 52380 sid 34787 type data MARK set 0x1
I have set up an ingress qdisc with:
# tc qdisc add dev eth1 handle ffff: ingress
And a filter to police the marked packets:
# tc filter add dev eth1 protocol ip parent ffff: prio 1 handle 1 fw police rate 32768 burst 10k drop flowid :1
But none are getting dropped:
# tc -s qdisc show dev eth1
<snip>
qdisc ingress ffff: parent ffff:fff1 ----------------
Sent 15712712 bytes 186225 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
I believe from the HOWTO:
(http://www.linuxdocs.org/HOWTOs/Adv-Routing-HOWTO-14.html section 14.2)
that this should be possible, but I've also found mention
(http://www.spinics.net/lists/lartc/msg18021.html) that the new-style
policer happens before PREROUTING.
Also, this diagram suggests that queueing to the ingress qdisc happens
before classification takes place:
http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
I'm using kernel 3.2.x, with CONFIG_NET_ACT_POLICE=m.
A previous scheme I had DID manage to drop ingress L2TP packets matching
the specification using the tc u32 filter - but the tc commands were
becoming very complicated and would be difficult to manage dynamically,
hence the switch to an iptables classifier.
I'm hoping that someone on the list can let me know whether this is
actually possible with contemporary kernels, and if so, where I'm going
wrong.
Thanks,
Chris.
next reply other threads:[~2013-11-12 14:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-12 14:29 Chris Elston [this message]
2013-11-12 17:23 ` Ingress qdisc via fwmark Chris Elston
2013-11-12 18:31 ` Andrew Beverley
2013-11-27 17:31 ` Chris Elston
2013-11-27 17:39 ` Andrew Beverley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1384266540.24209.41.camel@Desktop \
--to=celston@katalix.com \
--cc=lartc@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.