Tos, Mark and tunnels

Tos, Mark and tunnels

[David Rye of Roadtech]

I was thinking on a set-up involving Filtering, Traffic Shaping and
Tunnels.

This trough up a couple of questions that I hope someone can give a 
definitive answer to.

If some or all of my traffic is tunnelled I see a potential problem
when trying to shape traffic leaving the network.
As far as I can see with ESP packets Route2 filters can only 
differentiate on the destination IP as they can not see the encrypted
traffic.

I have seen a reference to the 2.6 kernels IPsec implementation that 
implying that if you use a netfilter rule to set a mark on the incoming 
packets before they enter the tunnel, that the mark is replicated to 
the ESP Packets created.

Is this correct?

If so it would allow shaping providing the shaping is done on the same
box
as the tunnelling.

Does the TOS field also get replicated?

This would allow for TOS based traffic shaping on a downstream box.

Are the tos field or Marks replicated to the ESP packets for 
freeswan/openswan and the 2.4 Kernel.

Are the IP headers TOS value, or netfilter Marks replicated to the new
packet for the other tunnel protocols, IPIP, GRE, and so on.

while on the subject of MARKs and TOS values.

Is there any way of setting a MARK or the TOS on ftp data connections
that 
match as related using the ip_conntrack_ftp module?
Without setting the same mark on packets relating to other connections?

-- 
J. David Rye
http://www.roadrunner.uk.com
http://www.rha.org.uk
mailto://hostman@road-runner.net

Re: Tos, Mark and tunnels

[Jason Opperisano]

On Mon, 2004-10-04 at 16:25, David Rye of Roadtech wrote:
> I was thinking on a set-up involving Filtering, Traffic Shaping and
> Tunnels.
> 
> This trough up a couple of questions that I hope someone can give a 
> definitive answer to.
> 
> If some or all of my traffic is tunnelled I see a potential problem
> when trying to shape traffic leaving the network.
> As far as I can see with ESP packets Route2 filters can only 
> differentiate on the destination IP as they can not see the encrypted
> traffic.
> 
> I have seen a reference to the 2.6 kernels IPsec implementation that 
> implying that if you use a netfilter rule to set a mark on the incoming 
> packets before they enter the tunnel, that the mark is replicated to 
> the ESP Packets created.
> 
> Is this correct?

yes.  marks follow packets through the stack regardless what other
processing takes place on the packet.  a packet MARK-ed in PREROUTING
will still have that mark in place in POSTROUTING and every point
between.

> If so it would allow shaping providing the shaping is done on the same
> box
> as the tunnelling.
> 
> Does the TOS field also get replicated?

i do not believe so.  however, you can use a combination of MARK-ing and
matching on "-m tos --tos X" and the resetting the TOS on the
encrypted/decrypted packet based on the mark with "-j TOS --set-tos"

> This would allow for TOS based traffic shaping on a downstream box.
> 
> Are the tos field or Marks replicated to the ESP packets for 
> freeswan/openswan and the 2.4 Kernel.
> 
> Are the IP headers TOS value, or netfilter Marks replicated to the new
> packet for the other tunnel protocols, IPIP, GRE, and so on.
> 
> while on the subject of MARKs and TOS values.
> 
> Is there any way of setting a MARK or the TOS on ftp data connections
> that 
> match as related using the ip_conntrack_ftp module?
> Without setting the same mark on packets relating to other connections?

  iptables [...] -m helper --helper ftp [...]

-j

-- 
Jason Opperisano <opie@817west.com>

Re: Tos, Mark and tunnels

[Jason Opperisano]

On Mon, 2004-10-04 at 16:25, David Rye of Roadtech wrote:
> Are the tos field or Marks replicated to the ESP packets for 
> freeswan/openswan and the 2.4 Kernel.

clicked 'send' too soon...  for this piece, you can use "hidetos=no" in
the "config-setup" of your free/openswan config.

check out http://wiki.openswan.org/index.php/FAQ for more details.

-j

-- 
Jason Opperisano <opie@817west.com>