From: Rene Gallati
Date: Thu, 05 Aug 2004 09:40:28 +0000
Subject: Re: [LARTC] iptables mark + openvpn will the mark survive ?
Message-Id: <4112008C.3040508@draxinusom.ch>
References: <200408041718.01844.etienne@unix.za.org>
In-Reply-To: <200408041718.01844.etienne@unix.za.org>
To: lartc@vger.kernel.org

Hello,

> I want to set up bandwidth restrictions for a few clients that use openvpn to
> connect to my server. I'm using iptables to mark the packets in the mangle
> table (PRE/POSTROUTING) on eth0 before they get sent via the tunnel. Will the
> mark survive even if the packets then get routed via an openvpn tunnel (tunX)
> out the box, or does openvpn change it, removing the mark?

openVPN is just a userspace process that - depending on configuration -
doesn't even need root access to run (provided the device nodes are set
up accordingly).

Depending on what you do, the mark should survive (never tested this),
or not.

If you are just forwarding to a tun/tap, the mark should survive like
usual. There is no difference between a tun/tap device and another
ethernet device with regard to this point.

However, once a packet reaches the tun/tap, it gets transferred to
openVPN, which encrypts it and sends it out using udp (or tcp, depending
on configuration) of a real interface. These outgoing packets do not
have the mark on them, primarily because they are completely different
packets that were generated by openVPN and not really directly related
to what went into the tun/tap device. I suspect that is however what
you'd like to achieve. Note that openVPN does have its own shaping
directive (--shaper n) which may help you in this case.
-- 
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
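The distinction drawn in the reply, as an added example that is not part of the original mail and not OpenVPN's or LARTC's own code: the mark set in the mangle table on eth0 is still on the skb when the packet is queued on the tun device, so shaping with a `fw` classifier on tunX works, while nothing is attached to eth0 because the encrypted UDP packets OpenVPN emits there are new packets without the mark. The interface name `eth0` comes from the question; `tun0`, the client address `10.8.0.10`, the mark value `10` and the rate `256kbit` are constructed values. Commands are printed instead of executed unless `RUN=1` is set, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the mail): per-client download shaping for an
# OpenVPN client by marking on the real interface and classifying on the
# tun device, where the mark is still present.
#
# Assumed/constructed values (not from the mail, except eth0):
WAN=${WAN:-eth0}                 # real interface named in the question
TUN=${TUN:-tun0}                 # OpenVPN tunnel device (hypothetical name)
CLIENT_HOST=${CLIENT_HOST:-10.8.0.10}   # VPN client to restrict (constructed)
RATE=${RATE:-256kbit}            # cap for that client (constructed)
MARK=${MARK:-10}                 # fwmark value (constructed)

# Execute the command when RUN=1, otherwise print it (dry run).
run() {
    if [ "${RUN:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Mark traffic arriving on the real interface for the VPN client. The skb
# mark survives routing and is visible when the packet is queued on the tun
# device, which the kernel treats like any other netdev.
mark_client_traffic() {
    run iptables -t mangle -A PREROUTING -i "$WAN" -d "$CLIENT_HOST" \
        -j MARK --set-mark "$MARK"
}

# HTB on the tun device: marked packets go into the rate-limited class 1:10,
# everything else into 1:30. No qdisc is attached to $WAN on purpose: the
# encrypted UDP packets OpenVPN sends there do not carry the mark.
shape_on_tun() {
    run tc qdisc add dev "$TUN" root handle 1: htb default 30
    run tc class add dev "$TUN" parent 1: classid 1:1 htb rate 100mbit
    run tc class add dev "$TUN" parent 1:1 classid 1:10 htb rate "$RATE" ceil "$RATE"
    run tc class add dev "$TUN" parent 1:1 classid 1:30 htb rate 10mbit ceil 100mbit
    run tc filter add dev "$TUN" parent 1: protocol ip handle "$MARK" fw flowid 1:10
}

setup_shaping() {
    mark_client_traffic
    shape_on_tun
}

# Undo both halves (qdisc removal also drops the classes and filter).
teardown_shaping() {
    run tc qdisc del dev "$TUN" root
    run iptables -t mangle -D PREROUTING -i "$WAN" -d "$CLIENT_HOST" \
        -j MARK --set-mark "$MARK"
}

case "${1:-}" in
    apply) RUN=1; setup_shaping ;;
    clear) RUN=1; teardown_shaping ;;
    *)     setup_shaping ;;      # default: dry run, print what would be done
esac
```

Run it without arguments to review the rules, `./shape.sh apply` as root to install them, and `./shape.sh clear` to remove them. For the real interface the reply's suggestion applies instead: OpenVPN's own `--shaper n` limits outgoing tunnel data, with n in bytes per second, inside the process that generates those packets.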