From: David Rye of Roadtech <d.rye@roadtech.co.uk>
To: netfilter@lists.netfilter.org
Subject: Tos, Mark and tunnels
Date: Mon, 04 Oct 2004 21:25:49 +0100
Message-ID: <4161B1CD.EA14C2DB@roadtech.co.uk>

I was thinking on a set-up involving Filtering, Traffic Shaping and
Tunnels.

This threw up a couple of questions that I hope someone can give a
definitive answer to.

If some or all of my traffic is tunnelled I see a potential problem
when trying to shape traffic leaving the network.
As far as I can see with ESP packets Route2 filters can only 
differentiate on the destination IP as they can not see the encrypted
traffic.

I have seen a reference to the 2.6 kernel's IPsec implementation
implying that if you use a netfilter rule to set a mark on the incoming
packets before they enter the tunnel, the mark is replicated to
the ESP packets created.

Is this correct?

If so it would allow shaping providing the shaping is done on the same
box as the tunnelling.

Does the TOS field also get replicated?

This would allow for TOS based traffic shaping on a downstream box.

Are the TOS field or marks replicated to the ESP packets for
freeswan/openswan and the 2.4 kernel?

Are the IP header's TOS value, or netfilter marks, replicated to the new
packet for the other tunnel protocols, IPIP, GRE, and so on?

While on the subject of MARKs and TOS values:

Is there any way of setting a MARK or the TOS on ftp data connections
that match as related using the ip_conntrack_ftp module,
without setting the same mark on packets relating to other connections?

-- 
J. David Rye
http://www.roadrunner.uk.com
http://www.rha.org.uk
mailto://hostman@road-runner.net

