[PATCH] pom-ng version of IMQ target (file is attached this time)

[PATCH] pom-ng version of IMQ target (file is attached this time)

[Brad Fisher]

[-- Attachment #1: Type: text/plain, Size: 694 bytes --]

(Sorry for the duplicate post, forgot to attach the file... doh)

Attached is a pom-ng version of the IMQ target available from
linuximq.org.  It's based off the 2.4.26 patch, and includes all of the
kernel (linux-2.4.26-imq.diff) and userspace patches (IMQ.pom-ng.patch).

Seems to apply and compile ok for me to the 2.4.26 kernel and iptables
cvs.  You must apply the patch I sent earlier today for pom-ng cvs
before this will work properly, or you will probably end up with a
half-patched kernel or userspace. (see:
http://marc.theaimsgroup.com/?l=netfilter-devel&m=108438884109560&w=2)

Hopefully someone else will find this patch useful.  You are free to use
it as you wish.

-Brad Fisher

[-- Attachment #2: IMQ-pom-ng.tgz --]
[-- Type: application/x-unknown-content-type-WinRAR, Size: 7134 bytes --]

Re: [PATCH] pom-ng version of IMQ target (file is attached this time)

[Patrick McHardy]

Hi Brad,

Brad Fisher wrote:

>(Sorry for the duplicate post, forgot to attach the file... doh)
>
>Attached is a pom-ng version of the IMQ target available from
>linuximq.org.  It's based off the 2.4.26 patch, and includes all of the
>kernel (linux-2.4.26-imq.diff) and userspace patches (IMQ.pom-ng.patch).
>  
>

Andre Correa already asked me about inclusion of the IMQ target. I would
rather not include at this time it for two reasons:

- IMQ still has stability problems
- Jamal is working on a netfilter-independant replacement, I would like to
see how it works out first. See 
http://marc.theaimsgroup.com/?t=108202471500003&r=1&w=2

Regards
Patrick

Re: [PATCH] pom-ng version of IMQ target (file is attached this time)

[Brad Fisher]

Patrick McHardy wrote:

> Andre Correa already asked me about inclusion of the IMQ target. I would
> rather not include at this time it for two reasons:
>
> - IMQ still has stability problems
> - Jamal is working on a netfilter-independant replacement, I would like to
> see how it works out first. See
> http://marc.theaimsgroup.com/?t=108202471500003&r=1&w=2
>
> Regards
> Patrick

That's fine, I wasn't really asking for inclusion quite yet (though I would
like to see it happen someday :).  I just wanted to let people who may be
interested know that a pom-ng version of the patch existed.

-Brad

Re: [linuximq] Re: [PATCH] pom-ng version of IMQ target (file is attached this time)

[Andy Furniss]

Brad Fisher wrote:
> Patrick McHardy wrote:
> 
> 
>>Andre Correa already asked me about inclusion of the IMQ target. I would
>>rather not include at this time it for two reasons:
>>
>>- IMQ still has stability problems
>>- Jamal is working on a netfilter-independant replacement, I would like to
>>see how it works out first. See
>>http://marc.theaimsgroup.com/?t=108202471500003&r=1&w=2
>>
>>Regards
>>Patrick
> 
> 
> That's fine, I wasn't really asking for inclusion quite yet (though I would
> like to see it happen someday :).  I just wanted to let people who may be
> interested know that a pom-ng version of the patch existed.
> 
> -Brad

I am still not sure whether using Dummy will satisfy other IMQ users 
though, the thread above just deals with my setup - using ingress IMQ. 
There must be people on here using IMQ for egress/ multiple IMQs to 
solve their own problems. I changed IMQ to hook before NAT for egress, 
just to see if it worked, as someone on the LARTC list wanted to use 
ESFQ for a large NATed LAN - it appears to be OK - but will a netfilter 
independent replacement allow this sort of flexability?

Andy.

Re: [linuximq] Re: [PATCH] pom-ng version of IMQ target (file is attached this time)

[Patrick McHardy]

Andy Furniss wrote:
> I am still not sure whether using Dummy will satisfy other IMQ users 
> though, the thread above just deals with my setup - using ingress IMQ. 
> There must be people on here using IMQ for egress/ multiple IMQs to 
> solve their own problems. I changed IMQ to hook before NAT for egress, 
> just to see if it worked, as someone on the LARTC list wanted to use 
> ESFQ for a large NATed LAN - it appears to be OK - but will a netfilter 
> independent replacement allow this sort of flexability?

It probably could, but I don't know how the dummy device receives it's
packets, so I don't know if you can make it see the real source IP.

Your mail made me realize I need patch for exactly the same issue
with ESFQ for work, so if you need it I can send it to you.

Regards
Patrick

> 
> Andy.
> 

Re: [linuximq] Re: [PATCH] pom-ng version of IMQ target (file is attached this time)

[Andy Furniss]

Patrick McHardy wrote:
> Andy Furniss wrote:
> 
>> I am still not sure whether using Dummy will satisfy other IMQ users 
>> though, the thread above just deals with my setup - using ingress IMQ. 
>> There must be people on here using IMQ for egress/ multiple IMQs to 
>> solve their own problems. I changed IMQ to hook before NAT for egress, 
>> just to see if it worked, as someone on the LARTC list wanted to use 
>> ESFQ for a large NATed LAN - it appears to be OK - but will a 
>> netfilter independent replacement allow this sort of flexability?
> 
> 
> It probably could, but I don't know how the dummy device receives it's
> packets, so I don't know if you can make it see the real source IP.
> 
> Your mail made me realize I need patch for exactly the same issue
> with ESFQ for work, so if you need it I can send it to you.

Yea - it would be nice to see the right way to do it :-)

I guessed using the example of the ingress NAT patch and changed egress 
postrouting hook to NF_IP_PRI_NAT_SRC - 1.

It seems to be OK for me - are there other safe places where IMQ is OK 
or any to be avoided?

Andy.

Re: [linuximq] Re: [PATCH] pom-ng version of IMQ target (file is attached this time)

[Andre Correa]

Hi Andy, I cannot tell about netfilter, but I would like to see you 
patch anyway for testing and maybe include it on IMQ.

Some patchs sent by people are queued and I hope to review and publish 
then soon. Does your patch changes iptables too? Please send it on pvt.

To be honest I'm not willing to get in a "fight" for putting IMQ patch 
into p-o-m. I think it should be there the way IMQ is right now, but we 
better give it some time. I'm not sure too that dummy will satisfy all 
needs. I'm more to the good-old IMQ implementation.

tks

Andre

Andy Furniss wrote:
> Brad Fisher wrote:
> 
>>Patrick McHardy wrote:
>>
>>
>>
>>>Andre Correa already asked me about inclusion of the IMQ target. I would
>>>rather not include at this time it for two reasons:
>>>
>>>- IMQ still has stability problems
>>>- Jamal is working on a netfilter-independant replacement, I would like to
>>>see how it works out first. See
>>>http://marc.theaimsgroup.com/?t=108202471500003&r=1&w=2
>>>
>>>Regards
>>>Patrick
>>
>>
>>That's fine, I wasn't really asking for inclusion quite yet (though I would
>>like to see it happen someday :).  I just wanted to let people who may be
>>interested know that a pom-ng version of the patch existed.
>>
>>-Brad
> 
> 
> I am still not sure whether using Dummy will satisfy other IMQ users 
> though, the thread above just deals with my setup - using ingress IMQ. 
> There must be people on here using IMQ for egress/ multiple IMQs to 
> solve their own problems. I changed IMQ to hook before NAT for egress, 
> just to see if it worked, as someone on the LARTC list wanted to use 
> ESFQ for a large NATed LAN - it appears to be OK - but will a netfilter 
> independent replacement allow this sort of flexability?
> 
> Andy.
> 
> 
> 
> 
> ------------------------ Yahoo! Groups Sponsor --------------------~--> 
> Yahoo! Domains - Claim yours for only $14.70
> http://us.click.yahoo.com/Z1wmxD/DREIAA/yQLSAA/dkFolB/TM
> --------------------------------------------------------------------~-> 
> 
>  
> Yahoo! Groups Links
> 
> <*> To visit your group on the web, go to:
>      http://groups.yahoo.com/group/linuximq/
> 
> <*> To unsubscribe from this group, send an email to:
>      linuximq-unsubscribe@yahoogroups.com
> 
> <*> Your use of Yahoo! Groups is subject to:
>      http://docs.yahoo.com/info/terms/
>  
> 
> 
> 

Re: [linuximq] Re: [PATCH] pom-ng version of IMQ target (file is attached this time)

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 725 bytes --]

Andy Furniss wrote:
> Patrick McHardy wrote:
>
>> Your mail made me realize I need patch for exactly the same issue
>> with ESFQ for work, so if you need it I can send it to you.
> 
> 
> Yea - it would be nice to see the right way to do it :-)

With this patch esfq uses the original source address if the packet has
been SNATed. It's a hack, but it solves the problem without IMQ.

> 
> I guessed using the example of the ingress NAT patch and changed egress 
> postrouting hook to NF_IP_PRI_NAT_SRC - 1.
> 
> It seems to be OK for me - are there other safe places where IMQ is OK 
> or any to be avoided?

I don't know about the current patches, you better ask the people
maintaining them.

Regards
Patrick

> 
> Andy.
> 


[-- Attachment #2: esfq-source.diff --]
[-- Type: text/x-patch, Size: 1093 bytes --]

diff -urN a/net/sched/sch_esfq.c b/net/sched/sch_esfq.c
--- a/net/sched/sch_esfq.c	2004-06-05 15:45:19.000000000 +0200
+++ b/net/sched/sch_esfq.c	2004-06-05 15:47:21.000000000 +0200
@@ -34,6 +34,7 @@
 #include <linux/etherdevice.h>
 #include <linux/notifier.h>
 #include <linux/init.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
 #include <net/ip.h>
 #include <linux/ipv6.h>
 #include <net/route.h>
@@ -109,6 +110,18 @@
 	return h & (q->hash_divisor-1);
 }
 
+static inline u32 esfq_get_source(struct sk_buff *skb)
+{
+	struct ip_conntrack *ct;
+	int dir;
+
+	if (skb->nfct == NULL)
+		return skb->nh.iph->saddr;
+	ct = (struct ip_conntrack *)skb->nfct->master;
+	dir = CTINFO2DIR(skb->nfct - ct->infos);
+	return ct->tuplehash[dir].tuple.src.ip;
+}
+
 static unsigned esfq_hash(struct esfq_sched_data *q, struct sk_buff *skb)
 {
 	u32 h, h2;
@@ -119,7 +132,7 @@
 	{
 		struct iphdr *iph = skb->nh.iph;
 		h = iph->daddr;
-		hs = iph->saddr;
+		hs = esfq_get_source(skb);
 		h2 = hs^iph->protocol;
 		if (!(iph->frag_off&htons(IP_MF|IP_OFFSET)) &&
 		    (iph->protocol == IPPROTO_TCP ||