[LARTC] tc filter - based on iptables - MAC - MARK not working -

[LARTC] tc filter - based on iptables - MAC - MARK not working -

[Daniel Dafoe]

== tc filter - based on iptables - MAC fw marking not
working =


DEV="eth1"
tc qdisc add dev $DEV root handle 1: htb default 20
tc class add dev $DEV parent 1: classid 1:1 htb rate
600kbps ceil 3276800kbit
tc class add dev $DEV parent 1:1 classid 1:15 htb rate
3kbps prio 4
tc class add dev $DEV parent 1:1 classid 1:20 htb rate
500kbps prio 3
tc qdisc add dev $DEV parent 1:15 handle 150: sfq
perturb 10
tc qdisc add dev $DEV parent 1:20 handle 200: sfq
perturb 10

tc filter add dev $DEV parent 1:0 protocol ip prio 3
handle 2 fw classid 1:15
tc filter add dev $DEV parent 1:0 protocol ip prio 2
handle 3 fw classid 1:20
iptables -t mangle -A FORWARD  -m mac --mac-source
00:0D:87:60:61:37 -j MARK --set-mark 2
iptables -t mangle -A INPUT   -m mac --mac-source
00:0D:87:60:61:37 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING   -m mac --mac-source
00:0D:87:60:61:37 -j MARK --set-mark 2
#iptables -t mangle -A FORWARD  -s 192.168.0.33 -j
MARK --set-mark 0x2
#iptables -t mangle -A FORWARD -d 192.168.0.33 -j MARK
--set-mark 0x2

Tried several times:
tc qdisc del dev eth0 root
iptables -F -t mangle
and run the above script in every possible way 
but the damn thing does not take into account my MAC
=== I tried to mark on INPUT, FORWARD AND PREROUTING
-- none of them seems to work
If i uncomment and try on -s, -d ip works great but I
really need to match  MAC addresses

I looked at my kernel MAC -- related config:
I have kernel 2.6.10 with:
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_MARK=y
and other settings ( I took almost all options 
related)
.............
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
CONFIG_IP_ROUTE_FWMARK=y


etc..

What I'm missing here ?

Best regards


		
__________________________________ 
Do you Yahoo!? 
Read only the mail you want - Yahoo! Mail SpamGuard. 
http://promotions.yahoo.com/new_mail 
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc filter - based on iptables - MAC - MARK not working

[Andy Furniss]

Daniel Dafoe wrote:
> == tc filter - based on iptables - MAC fw marking not
> working =
> 
> 
> DEV="eth1"

<snip>


> Tried several times:
> tc qdisc del dev eth0 root

eth0?

iptables src MAC works for me with 1.3.1 - can you see the rule and 
counters matching with iptables -L -vnt mangle?

Andy.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc filter - based on iptables - MAC - MARK not working -

[Daniel Dafoe]

--- Andy Furniss <andy.furniss@dsl.pipex.com> wrote:

Thanks for your input: 
modified  DEV="eth0"
indeed was a typo -- but still no luck with shaping



iptables -L -vnt mangle

Chain PREROUTING (policy ACCEPT 5172K packets, 2786M
bytes)
 pkts bytes target     prot opt in     out     source 
             destination
20470 3127K MARK       all  --  *      *      
0.0.0.0/0            0.0.0.0/0           MAC
00:0D:87:60:61:37 MARK set 0x2

Chain INPUT (policy ACCEPT 1772K packets, 594M bytes)
 pkts bytes target     prot opt in     out     source 
             destination
  849  114K MARK       all  --  *      *      
0.0.0.0/0            0.0.0.0/0           MAC
00:0D:87:60:61:37 MARK set 0x2

Chain FORWARD (policy ACCEPT 3389K packets, 2191M
bytes)
 pkts bytes target     prot opt in     out     source 
             destination
19621 3013K MARK       all  --  *      *      
0.0.0.0/0            0.0.0.0/0           MAC
00:0D:87:60:61:37 MARK set 0x2

Chain OUTPUT (policy ACCEPT 1937K packets, 1567M
bytes)
 pkts bytes target     prot opt in     out     source 
             destination

Chain POSTROUTING (policy ACCEPT 5306K packets, 3756M
bytes)
 pkts bytes target     prot opt in     out     source 
             destination


Best regards,

Daniel

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc filter - based on iptables - MAC - MARK not working

[Andy Furniss]

Daniel Dafoe wrote:
> --- Andy Furniss <andy.furniss@dsl.pipex.com> wrote:
> 
> Thanks for your input: 
> modified  DEV="eth0"
> indeed was a typo -- but still no luck with shaping
> 
> 
> 
> iptables -L -vnt mangle
> 
> Chain PREROUTING (policy ACCEPT 5172K packets, 2786M
> bytes)
>  pkts bytes target     prot opt in     out     source 
>              destination
> 20470 3127K MARK       all  --  *      *      
> 0.0.0.0/0            0.0.0.0/0           MAC
> 00:0D:87:60:61:37 MARK set 0x2
> 
> Chain INPUT (policy ACCEPT 1772K packets, 594M bytes)
>  pkts bytes target     prot opt in     out     source 
>              destination
>   849  114K MARK       all  --  *      *      
> 0.0.0.0/0            0.0.0.0/0           MAC
> 00:0D:87:60:61:37 MARK set 0x2
> 
> Chain FORWARD (policy ACCEPT 3389K packets, 2191M
> bytes)
>  pkts bytes target     prot opt in     out     source 
>              destination
> 19621 3013K MARK       all  --  *      *      
> 0.0.0.0/0            0.0.0.0/0           MAC
> 00:0D:87:60:61:37 MARK set 0x2

Well that bit looks OK can you see these packets going to the sfqs if 
you do

tc -s qdisc ls dev eth0 ?

I notice from the first post you have a really high ceil and mix kbps 
and kbit. bps = bytes per sec -

 > tc class add dev $DEV parent 1: classid 1:1 htb rate
 > 600kbps ceil 3276800kbit

Andy.


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc filter - based on iptables - MAC - MARK not working -

[Daniel Dafoe]

Thanks again for your response

tc -s qdisc ls dev eth0
qdisc htb 1: r2q 10 default 20 direct_packets_stat 0
 Sent 12664555 bytes 9717 pkts (dropped 0, overlimits
374)
qdisc sfq 150: parent 1:15 limit 128p quantum 1514b
perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 200: parent 1:20 limit 128p quantum 1514b
perturb 10sec
 Sent 12664555 bytes 9717 pkts (dropped 0, overlimits
0)

Strange ----> overlimits but not dropped

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc filter - based on iptables - MAC - MARK not working -

[Daniel Dafoe]

I really don't get it :

Recompiled my kernel dozen times now is
2.6.11-gentoo-r5 but still packets are marked by
iptables but not shaped by tc. It only works when I
mark packets on source/destination ip

As soon as I comment last two lines and uncomment the
first one shaping is gone .... 

iptables -t mangle -A FORWARD  -m mac --mac-source
00-0d-87-60-61-37 -j MARK --set-mark 0x2

#iptables -t mangle -A PREROUTING -s 192.168.0.22 -j
MARK --set-mark 0x2
#iptables -t mangle -A PREROUTING -d 192.168.0.22 -j
MARK --set-mark 0x2

Best regards

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc filter - based on iptables - MAC - MARK not working

[gypsy]

Daniel Dafoe wrote:
> 
> I really don't get it :
> 
> Recompiled my kernel dozen times now is
> 2.6.11-gentoo-r5 but still packets are marked by
> iptables but not shaped by tc. It only works when I
> mark packets on source/destination ip
> 
> As soon as I comment last two lines and uncomment the
> first one shaping is gone ....
> 
> iptables -t mangle -A FORWARD  -m mac --mac-source
> 00-0d-87-60-61-37 -j MARK --set-mark 0x2
> 
> #iptables -t mangle -A PREROUTING -s 192.168.0.22 -j
> MARK --set-mark 0x2
> #iptables -t mangle -A PREROUTING -d 192.168.0.22 -j
> MARK --set-mark 0x2
> 
> Best regards

See http://kernel.umbrella.ro/net/

and 

http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking

Maybe something there will help.
--
gypsy
http://yesican.chsoft.biz/lartc
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc filter - based on iptables - MAC - MARK not working

[Daniel Dafoe]

Reading along the Net it seems that MAC marking is not
working with egress HTB (because ipables marks
packages based on --mac-source ). So my only choice is
using ingress or u32.

So this is how I did it:

I called bellow script add_shaping

DEV="eth0"
tc qdisc add dev $DEV root handle 1: htb default 20
tc class add dev $DEV parent 1: classid 1:1 htb rate
200kbps ceil 200kbps
tc class add dev $DEV parent 1:1 classid 1:15 htb rate
10kbps ceil 13kbps prio 3
tc class add dev $DEV parent 1:1 classid 1:20 htb rate
150kbps ceil 187kbps prio 2
tc qdisc add dev $DEV parent 1:15 handle 150: sfq
perturb 10
tc qdisc add dev $DEV parent 1:20 handle 200: sfq
perturb 10



U32="tc filter add dev $DEV parent 1:0 protocol ip
u32"

for computers in `cat /sistem/class15 | awk '{ print
$1 }'`
do
in="`echo $computers | awk '{split($1,a,":"); print
a[1]a[2] }'`"
fin="`echo $computers | awk '{split($1,a,":"); print
a[3]a[4]a[5]a[6] }'`"
$U32 match u16 0x0800 0xffff at -2 match u32 0x$fin
0xFFFFFFFF at -12 match u16 0x$in 0xFFFF at -14
classid 1:15
done


Explanation:  On a file called /sistem/class15 I have
MAC list

00:0D:87:60:61:37 JOHNNY
00:0E:A6:69:2B:74 HORY
00:50:8D:F9:E3:51 GIMMY

The script above (not so elegant I think but is my
first attempt on awk) parse /sistem/class15 and add
filter rules to match classid 1:15

I'll make scripts for files like /sistem/classxx to
match class xx and classid 1:xx and so on -- after
this I only modify files:

/sistem/class15
/sistem/class20
/sistem/classxx

and run:
tc qdisc del dev eth0 root (actually made a new script
rm_shaping)
and of course run the awk script again (./add_shaping)

So finally all I have to do is rm_shaping, add_shaping
and my modifications of /sistem/classxx files are
loaded   --- 

And shaping works like a charm ...:)


Best regards





__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc filter - based on iptables - MAC - MARK not working

[Andy Furniss]

Daniel Dafoe wrote:
> I really don't get it :
> 
> Recompiled my kernel dozen times now is
> 2.6.11-gentoo-r5 but still packets are marked by
> iptables but not shaped by tc. It only works when I
> mark packets on source/destination ip
> 
> As soon as I comment last two lines and uncomment the
> first one shaping is gone .... 

So you may need to match on MAC dst rather than src or did you try with 
just -s 192.168.0.22 alone?

Andy.


> 
> iptables -t mangle -A FORWARD  -m mac --mac-source
> 00-0d-87-60-61-37 -j MARK --set-mark 0x2
> 
> #iptables -t mangle -A PREROUTING -s 192.168.0.22 -j
> MARK --set-mark 0x2
> #iptables -t mangle -A PREROUTING -d 192.168.0.22 -j
> MARK --set-mark 0x2
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] tc filter - based on iptables - MAC - MARK not working

[Andy Furniss]

Daniel Dafoe wrote:
> Reading along the Net it seems that MAC marking is not
> working with egress HTB (because ipables marks
> packages based on --mac-source ). So my only choice is
> using ingress or u32.
> 
> So this is how I did it:
> 
> I called bellow script add_shaping
> 
> DEV="eth0"
> tc qdisc add dev $DEV root handle 1: htb default 20
> tc class add dev $DEV parent 1: classid 1:1 htb rate
> 200kbps ceil 200kbps
> tc class add dev $DEV parent 1:1 classid 1:15 htb rate
> 10kbps ceil 13kbps prio 3
> tc class add dev $DEV parent 1:1 classid 1:20 htb rate
> 150kbps ceil 187kbps prio 2
> tc qdisc add dev $DEV parent 1:15 handle 150: sfq
> perturb 10
> tc qdisc add dev $DEV parent 1:20 handle 200: sfq
> perturb 10
> 
> 
> 
> U32="tc filter add dev $DEV parent 1:0 protocol ip
> u32"
> 
> for computers in `cat /sistem/class15 | awk '{ print
> $1 }'`
> do
> in="`echo $computers | awk '{split($1,a,":"); print
> a[1]a[2] }'`"
> fin="`echo $computers | awk '{split($1,a,":"); print
> a[3]a[4]a[5]a[6] }'`"
> $U32 match u16 0x0800 0xffff at -2 match u32 0x$fin
> 0xFFFFFFFF at -12 match u16 0x$in 0xFFFF at -14
> classid 1:15
> done
> 
> 
> Explanation:  On a file called /sistem/class15 I have
> MAC list
> 
> 00:0D:87:60:61:37 JOHNNY
> 00:0E:A6:69:2B:74 HORY
> 00:50:8D:F9:E3:51 GIMMY
> 
> The script above (not so elegant I think but is my
> first attempt on awk) parse /sistem/class15 and add
> filter rules to match classid 1:15
> 
> I'll make scripts for files like /sistem/classxx to
> match class xx and classid 1:xx and so on -- after
> this I only modify files:
> 
> /sistem/class15
> /sistem/class20
> /sistem/classxx
> 
> and run:
> tc qdisc del dev eth0 root (actually made a new script
> rm_shaping)
> and of course run the awk script again (./add_shaping)
> 
> So finally all I have to do is rm_shaping, add_shaping
> and my modifications of /sistem/classxx files are
> loaded   --- 
> 
> And shaping works like a charm ...:)

Glad you got it working - I didn't see this when I replied earlier 
mozilla didn't thread it with the rest.

Andy.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc