From: Chris Elston
Date: Tue, 12 Nov 2013 17:23:29 +0000
Subject: Re: Ingress qdisc via fwmark
Message-Id: <1384277009.8119.3.camel@Desktop>
References: <1384266540.24209.41.camel@Desktop>
In-Reply-To: <1384266540.24209.41.camel@Desktop>
To: lartc@vger.kernel.org

Hi Remy,

Thanks for the suggestion. I think I've implemented it as per your recommendation:

# iptables -L PREROUTING -t mangle -v
Chain PREROUTING (policy ACCEPT 455K packets, 33M bytes)
 pkts bytes target     prot opt in     out     source               destination
 227K   21M MARK       all  --  any    any     lns                  anywhere             l2tp tid 54356 sid 62245 type data MARK set 0x1
 227K   21M CONNMARK   all  --  any    any     lns                  anywhere             mark match 0x1 CONNMARK save

But nothing's hitting the tc filter:

# tc -s filter show dev eth1 parent ffff:
filter protocol ip pref 1 fw
filter protocol ip pref 1 fw handle 0x1 classid :1  police 0x7 rate 32768bit burst 10Kb mtu 2Kb action drop overhead 0b
ref 1 bind 1

 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

# tc -s qdisc show dev eth1
qdisc ingress ffff: parent ffff:fff1 ----------------
 Sent 21410620 bytes 236564 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0

Anything jump out at you as obviously incorrect?

Thanks,

Chris.

On Tue, 2013-11-12 at 16:37 +0100, Remy Mudingay wrote:
> Oops, I forgot to include the link.
>
> https://hydra.geht.net/tino/howto/linux/net/netfilter/
>
> On 12 November 2013 16:35, Remy Mudingay wrote:
> Hi Chris,
>
> What you are trying to achieve can only work on the PREROUTING
> table. Take a look at the following diagram to get a clearer
> picture of how a packet flows through Linux (Netfilter/Qos).
>
> The PREROUTING table is the only netfilter table which is
> processed before the ingress qdisc.
> You also need to apply the connmark target as in "-j CONNMARK
> --save-mark" following your iptables command as follows:
>
> Example:
>
> iptables -A PREROUTING -t mangle -s 192.168.101.20 -m l2tp --tidR380 --sid4787 --type=DAta -j MARK --set-mark 1
>
> iptables -A PREROUTING -t mangle -s 192.168.101.20 -m mark --mark 1 -j CONNMARK --save-mark
>
> I hope that helps.
>
> Remy
>
> On 12 November 2013 15:29, Chris Elston wrote:
> Hello,
>
> I'm having a little trouble getting ingress policing working, filtering
> based on an iptables fwmark. The iptables fwmark is being set with a new
> L2TP packet classifier:
>
> # iptables -A INPUT -t mangle -s 192.168.101.20 -m l2tp --tidR380 --sid4787 --type=DAta -j MARK --set-mark 1
>
> (Note that I have also tried adding to the PREROUTING mangle table too...)
>
> I have confirmed that the classifier is marking packets:
>
> # iptables -L INPUT -t mangle -v
> Chain INPUT (policy ACCEPT 59641 packets, 44M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   172  7912 MARK       all  --  any    any     lns                  anywhere             l2tp tid 52380 sid 34787 type data MARK set 0x1
>
> I have set up an ingress qdisc with:
>
> # tc qdisc add dev eth1 handle ffff: ingress
>
> And a filter to police the marked packets:
>
> # tc filter add dev eth1 protocol ip parent ffff: prio 1 handle 1 fw police rate 32768 burst 10k drop flowid :1
>
> But none are getting dropped:
>
> # tc -s qdisc show dev eth1
> qdisc ingress ffff: parent ffff:fff1 ----------------
>  Sent 15712712 bytes 186225 pkt (dropped 0, overlimits 0 requeues 0)
>  backlog 0b 0p requeues 0
>
> I believe from the HOWTO
> (http://www.linuxdocs.org/HOWTOs/Adv-Routing-HOWTO-14.html section 14.2)
> that this should be possible, but I've also found mention
> (http://www.spinics.net/lists/lartc/msg18021.html) that the new-style
> policer happens before PREROUTING.
>
> Also, this diagram suggests that queueing to the ingress qdisc happens
> before classification takes place:
> http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
>
> I'm using kernel 3.2.x, with CONFIG_NET_ACT_POLICE=m.
>
> A previous scheme I had DID manage to drop ingress L2TP packets matching
> the specification using the tc u32 filter - but the tc commands were
> becoming very complicated and would be difficult to manage dynamically,
> hence the switch to an iptables classifier.
>
> I'm hoping that someone on the list can let me know whether this is
> actually possible with contemporary kernels, and if so, where I'm going
> wrong.
>
> Thanks,
>
> Chris.
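The symptom Chris reports (MARK counters climbing in mangle while the ingress fw filter stays at zero) is easy to check mechanically. The script below is an added example, not code from this thread: it parses `iptables -L -v` and `tc -s filter show` listings reconstructed from the counters posted above, compares the two, and names the ordering problem the thread points at (ingress qdisc filters run before the netfilter PREROUTING hook); the listings, function names and messages are my own.

```python
import re

# Constructed sample listings using the counters reported in this thread.
IPTABLES_MANGLE = """\
Chain PREROUTING (policy ACCEPT 455K packets, 33M bytes)
 pkts bytes target   prot opt in  out source destination
 227K   21M MARK     all  --  any any lns    anywhere  l2tp tid 54356 sid 62245 type data MARK set 0x1
 227K   21M CONNMARK all  --  any any lns    anywhere  mark match 0x1 CONNMARK save
"""
TC_INGRESS_FILTER = """\
filter protocol ip pref 1 fw
filter protocol ip pref 1 fw handle 0x1 classid :1  police 0x7 rate 32768bit burst 10Kb mtu 2Kb action drop
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
"""
_SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

def parse_count(token):
    """'227K' -> 227000: iptables -v abbreviates counters with K/M/G (x1000)."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"not an iptables counter: {token!r}")
    return int(m.group(1)) * _SCALE[m.group(2)]

def mark_rule_packets(listing, mark):
    """Packets that hit MARK rules setting `mark` in an `iptables -L -v` listing."""
    total = 0
    for line in listing.splitlines():
        cols = line.split()
        if len(cols) > 2 and cols[2] == "MARK" and cols[-2:] == ["set", f"{mark:#x}"]:
            total += parse_count(cols[0])
    return total

def fw_filter_packets(listing, handle):
    """Packets matched by the `fw handle <handle>` filter in `tc -s filter show`."""
    current, counts = None, {}
    for line in listing.splitlines():
        h = re.search(r"\bfw handle (0x[0-9a-f]+)", line)
        if h:
            current = int(h.group(1), 16)   # the Sent line that follows belongs to this handle
        s = re.search(r"Sent (\d+) bytes (\d+) pkts?", line)
        if s and current is not None:
            counts[current] = int(s.group(2))
    return counts.get(handle, 0)

def diagnose(marked, policed):
    """Say whether the fw filter is seeing the mark that mangle sets."""
    if marked and not policed:
        return ("mark is set in mangle but never seen by the ingress fw filter: "
                "ingress qdisc filters run before the netfilter PREROUTING hook")
    return "ingress fw filter is matching marked packets" if policed else "no marked packets yet"
```

Feed it the live output of the two commands to confirm the mismatch before changing the tc or iptables configuration.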