From: Andy Furniss
Date: Tue, 08 Feb 2005 12:15:59 +0000
Subject: Re: [LARTC] Shaping and forward
Message-Id: <4208AD7F.5090605@dsl.pipex.com>
To: lartc@vger.kernel.org

Kenneth Kalmer wrote:
> Lartc readers
>
> I have a peculiar problem with shaping and firewalling.
>
> My tc rules work great, below is a smaller version:
>
> #Root
> tc qdisc del dev eth0 root
> tc qdisc add dev eth0 root handle 1: htb default 100
>
> #Root Class
> tc class add dev eth0 parent 1: classid 1:1 htb rate 1024kbit quantum 20000 burst 15k
>
> #Class for each user
> tc class add dev eth0 parent 1:1 classid 1:2 htb rate 32kbit ceil 128kbit prio 0 quantum 20000 burst 15k
> tc class add dev eth0 parent 1:1 classid 1:3 htb rate 32kbit ceil 128kbit prio 0 quantum 20000 burst 15k
> ...
>
> # SFQ qdisc for each user class
> tc qdisc add dev eth0 parent 1:2 handle 12: sfq perturb 10
> tc qdisc add dev eth0 parent 1:3 handle 13: sfq perturb 10
> ...
>
> #Filters
> tc filter add dev eth0 protocol ip parent 1: prio 0 handle 2 fw classid 1:2
> tc filter add dev eth0 protocol ip parent 1: prio 0 handle 3 fw classid 1:3
> ...
>
> #iptables mangle rules
> iptables -t mangle -A POSTROUTING -o eth1 -d 192.168.0.1 -j MARK --set-mark 2
> iptables -t mangle -A POSTROUTING -o eth1 -d 192.168.0.2 -j MARK --set-mark 2

You are shaping on eth0 but marking -o eth1

> ...
>
> #iptables allow forwarding on MAC address
> iptables -A FORWARD -o ppp0 -m mac --mac-source 00:0D:61:30:10:75 -j ACCEPT
> iptables -A FORWARD -o eth1 -m mac --mac-source 00:10:B5:01:AA:D0 -j ACCEPT
> ...

You need a rule to accept -i ppp0.

Andy.

>
> Should note that the default policy of filter->forward is DROP. All
> other chains are defaulting on ACCEPT
>
> Now, no users can connect through the gateway. Our test traffic for
> the shaping works perfectly, but no internet traffic works. iptables
> -nvL output shows that the packets move through the forward chain in
> filter, but it doesn't reach the mangle table for marking the packets.
> It's as if the packets disappear...
>
> Anybody got some ideas? I still have to test the shaping using u32
> matching, using iptables to do forwarding.
>
> Thanks in advance

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
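The two mistakes Andy points out (MARK rules on an interface tc does not shape, and FORWARD accepting one direction only under a DROP policy) are easy to catch mechanically before loading a ruleset. The following script is an added example, not code from this thread or from LARTC; it lints a constructed ruleset in the same form as the post and assumes one command per line with `dev`, `-i` and `-o` given as separate words.

```shell
#!/bin/sh
# Lint a tc/iptables ruleset (one command per line) for the two problems
# raised in the thread. RULES is a constructed sample mirroring the post.
RULES=$(cat <<'EOF'
tc qdisc add dev eth0 root handle 1: htb default 100
tc filter add dev eth0 protocol ip parent 1: prio 0 handle 2 fw classid 1:2
iptables -t mangle -A POSTROUTING -o eth1 -d 192.168.0.1 -j MARK --set-mark 2
iptables -A FORWARD -o ppp0 -m mac --mac-source 00:0D:61:30:10:75 -j ACCEPT
iptables -A FORWARD -o eth1 -m mac --mac-source 00:10:B5:01:AA:D0 -j ACCEPT
EOF
)

# Devices that carry a root qdisc, i.e. where tc actually shapes.
shaped_devs() {
  printf '%s\n' "$1" | awk '/^tc qdisc add dev .* root/ {
    for (i = 1; i <= NF; i++) if ($i == "dev") print $(i+1) }' | sort -u
}

# Output interfaces named by -o on MARK rules; the fw filter only sees a
# mark if the packet leaves on a shaped device.
mark_devs() {
  printf '%s\n' "$1" | awk '/-j MARK/ {
    for (i = 1; i <= NF; i++) if ($i == "-o") print $(i+1) }' | sort -u
}

# Interfaces that FORWARD ACCEPT rules reference with the given flag (-i/-o).
fwd_devs() {
  printf '%s\n' "$1" | awk -v flag="$2" '/-A FORWARD/ && /-j ACCEPT/ {
    for (i = 1; i <= NF; i++) if ($i == flag) print $(i+1) }' | sort -u
}

# One line per MARK rule whose -o interface is not shaped by tc.
check_marks() {
  shaped=$(shaped_devs "$1")
  for d in $(mark_devs "$1"); do
    echo "$shaped" | grep -qx "$d" || echo "MARK on $d but tc shapes on $(echo $shaped)"
  done
}

# One line per interface FORWARD accepts with -o but never with -i: with a
# DROP policy the reply direction on that interface is silently dropped.
check_forward() {
  in_devs=$(fwd_devs "$1" -i)
  for d in $(fwd_devs "$1" -o); do
    echo "$in_devs" | grep -qx "$d" || echo "FORWARD accepts -o $d but has no -i $d rule"
  done
}

check_marks "$RULES"
check_forward "$RULES"
```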