* [LARTC] fw as filter broken?
@ 2005-04-08 21:06 Troy Caldwell
2005-04-08 21:16 ` Catalin(ux aka Dino) BOIE
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Troy Caldwell @ 2005-04-08 21:06 UTC (permalink / raw)
To: lartc
Can someone verify that using fw as a filter in iproute2-2.6.11-050330 is
broken. Doesn't seem to work in any case and I saw an earlier post that
would lead me to believe this is the case. If so does anyone have a
temporary fix?
Thanks,
Troy
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] fw as filter broken?
From: Catalin(ux aka Dino) BOIE @ 2005-04-08 21:16 UTC (permalink / raw)
To: lartc
On Fri, 8 Apr 2005, Troy Caldwell wrote:
> Can someone verify that using fw as a filter in iproute2-2.6.11-050330 is
> broken. Doesn't seem to work in any case and I saw an earlier post that
> would lead me to believe this is the case. If so does anyone have a
> temporary fix?
> Thanks,
> Troy
Can you post your script, please?
---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/
* RE: [LARTC] fw as filter broken?
From: Troy Caldwell @ 2005-04-08 21:53 UTC (permalink / raw)
To: lartc
I'm using the patch for dummy as an imq replacement that Jamal posted a
little while back.
I've tried to do the same thing on an egress qdisc to try to limit outbound
speed and still had no luck. My u32 filters work fine, but are not enough
for our setup here.
Here's what I've got...
export TC="/usr/sbin/tc"
$TC qdisc add dev eth0 handle ffff: ingress
$TC filter add dev eth0 parent ffff: protocol ip prio 1 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev dummy0
modprobe dummy
ifconfig dummy0 up
iptables -t mangle -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TCPMSS --set-mss 1350
iptables -t mangle -I POSTROUTING -s xxx.xxx.xx.xx -o eth1 -j MARK --set-mark 14
iptables -t mangle -I POSTROUTING -s xxx.xxx.xx.xxx -o eth1 -j MARK --set-mark 14
iptables -t mangle -I POSTROUTING -s 172.20.5.1 -o eth1 -j MARK --set-mark 14
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
iptables -t mangle -I PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -I PREROUTING 2 -m mark ! --mark 0x0 -j ACCEPT
$TC qdisc add dev dummy0 root handle 1: htb default 50
$TC class add dev dummy0 parent 1: classid 1:1 htb rate 100mbps ceil 100mbps
$TC class add dev dummy0 parent 1: classid 1:2 htb rate 1500kbit ceil 1500kbit
$TC class add dev dummy0 parent 1:1 classid 1:14 htb rate 95mbps ceil 100mbps
#ECC
$TC class add dev dummy0 parent 1:2 classid 1:15 htb rate 750kbit ceil 1500kbit prio 0
$TC class add dev dummy0 parent 1:15 classid 1:50 htb rate 730kbit ceil 1500kbit prio 0
$TC class add dev dummy0 parent 1:15 classid 1:51 htb rate 20kbit ceil 1500kbit prio 1
#VPN
$TC class add dev dummy0 parent 1:2 classid 1:16 htb rate 750kbit ceil 1500kbit prio 0
$TC filter add dev dummy0 parent 1: protocol ip prio 1 u32 match ip protocol 50 0xff flowid 1:16
$TC filter add dev dummy0 parent 1: protocol ip prio 1 u32 match ip src 172.20.5.1/31 flowid 1:14
$TC filter add dev dummy0 parent 1: protocol ip prio 1 handle 50 fw classid 1:50
$TC filter add dev dummy0 parent 1: protocol ip prio 1 handle 51 fw classid 1:51
$TC filter add dev dummy0 parent 1: protocol ip prio 1 handle 9 fw classid 1:60
$TC filter add dev dummy0 parent 1: protocol ip prio 1 handle 14 fw classid 1:14
Thanks,
Troy
* Re: [LARTC] fw as filter broken?
From: Andy Furniss @ 2005-04-09 19:52 UTC (permalink / raw)
To: lartc
Troy Caldwell wrote:
> I'm using the patch for dummy as an imq replacement that Jamal posted a
> little while back.
> I've tried to do the same thing on an egress qdisc to try to limit outbound
> speed and still had no luck. My u32 filters work fine, but are not enough
> for our setup here.
>
> Here's what I've got...
>
> export TC="/usr/sbin/tc"
>
> $TC qdisc add dev eth0 handle ffff: ingress
> $TC filter add dev eth0 parent ffff: protocol ip prio 1 u32 match u32 0 0
> flowid 1:1 action mirred egress redirect dev dummy0
Ingress dummy is before conntrack so connmark won't work.
There is going to be a way to do it but the match isn't written yet.
I am surprised it doesn't work on egress.
You could use IMQ as that hooks after PREROUTING mangle.
Andy.
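
The hook-order point made in the reply above, as an added example that is not part of the thread: a simplified Python model (an assumption for illustration, not kernel code) of where the firewall mark is visible to an fw filter under the posted iptables rules. The sample packet and its connection tuple are constructed.

```python
# Simplified model of a forwarded packet's path, reduced to the hooks this
# thread discusses. An illustration built on assumptions, not kernel code.
CONNTRACK = {}  # connection tuple -> connmark stored by CONNMARK --save-mark

# fw filters from the posted script: "handle N fw classid X"
FW_FILTERS = {50: "1:50", 51: "1:51", 9: "1:60", 14: "1:14"}
HTB_DEFAULT = "1:50"  # "htb default 50"

def fw_classify(mark):
    """Class an fw filter would select for this mark, else the HTB default."""
    return FW_FILTERS.get(mark, HTB_DEFAULT)

def mangle_prerouting(pkt):
    # iptables -t mangle -I PREROUTING -j CONNMARK --restore-mark
    pkt["mark"] = CONNTRACK.get(pkt["conn"], 0)

def mangle_postrouting(pkt):
    # -s 172.20.5.1 -o eth1 -j MARK --set-mark 14, then CONNMARK --save-mark
    if pkt["src"] == "172.20.5.1" and pkt["out"] == "eth1":
        pkt["mark"] = 14
    CONNTRACK[pkt["conn"]] = pkt["mark"]

def trace(pkt):
    """Return the class chosen if the shaper were attached at each point."""
    pkt = dict(pkt, mark=0)                       # a new packet carries mark 0
    seen = {"ingress": fw_classify(pkt["mark"])}  # eth0 ingress -> dummy0
    mangle_prerouting(pkt)                        # netfilter runs after ingress
    seen["imq"] = fw_classify(pkt["mark"])        # IMQ: after PREROUTING mangle
    mangle_postrouting(pkt)
    seen["egress"] = fw_classify(pkt["mark"])     # egress qdisc on eth1
    return seen

# Constructed sample packet (the connection tuple is made up for the example).
SAMPLE = {"src": "172.20.5.1", "out": "eth1",
          "conn": ("172.20.5.1", 40000, "192.0.2.10", 80, "tcp")}

if __name__ == "__main__":
    for n in (1, 2):
        print("packet", n, trace(SAMPLE))
```

In this model the ingress attach point never sees a non-zero mark, so every packet falls to the HTB default class. The IMQ attach point sees mark 14 only from the second packet of a connection, because the posted rules set the mark in POSTROUTING and restore it in PREROUTING.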