All of lore.kernel.org
 help / color / mirror / Atom feed
* [LARTC] Ingress policing (matching netfilter marks)
@ 2005-12-27  4:17 Michael
  2005-12-30  5:24 ` Michael
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Michael @ 2005-12-27  4:17 UTC (permalink / raw)
  To: lartc

Hi,

I'm having issues with policing my incoming traffic by matching packet marks
made by iptables. I've checked as many sites and guides as I can find, and I
seem to be doing the exact same thing as they all are, but there's still no
success. As such, I was wondering if anyone can have a quick look to see if
I've done anything obviously stupid?

Essentially, I can get the egress working fine, matching packets based on
criteria in iptables. However, doing the same for ingress using:
`tc qdisc add dev $DEV handle ffff: ingress`
`tc filter add dev $DEV parent ffff: protocol ip prio 1 handle $MARK_BULK fw
police rate ${DOWNSTREAM}kbit burst ${BURST}kbit drop flowid :1`

does nothing: packets go through the qdisc fine, but nothing matches the
filter:

michael@bob:~$ sudo tc -s -d qdisc show dev ppp0
qdisc ingress ffff: ----------------
 Sent 47169399 bytes 46532 pkts (dropped 0, overlimits 0)

michael@bob:~$ sudo tc -s -d filter show dev ppp0 root
filter parent ffff: protocol ip pref 1 fw
filter parent ffff: protocol ip pref 1 fw handle 0x1e classid :1  police
0x28 rate 600000bit burst 8Kb mtu 2Kb action drop
ref 1 bind 1

 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

I suspected I just might not be marking things correctly, so I tried u32
matching 0.0.0.0/0 - that worked fine, but for _all_ traffic (as it should).
So I tried marking *every* packet with $MARK_BULK (and verified that the
mark was correct using a log match, and watching the syslog file) in both
prerouting and postrouting chains, yet this didn't help either.

Regardless of what I do, I can't get the above filter to match anything at
all - I'm sure the packets are marked correctly, I just can't match them.
Any ideas?

(I'll copy my entire configs below for reference if needed.)

Cheers!
Michael



####################### CONFIG FILES - firewall #######################

#!/bin/bash

###########################################################################
#
# Custom functions and configuration
#

RetrieveIP() {
	nic="$1"
	TEMP=""

	if ! /sbin/ifconfig | grep $nic > /dev/null; then
		echo -e "\n\n interface $nic does not exist...  Aborting!"
		exit 1;
	fi

	TEMP=`ifconfig $nic | awk '/inet addr/ { gsub(".*:", "", $2) ; print
$2 }'`

	if [ "$TEMP" = '' ]; then
		echo "Aborting: Unable to determine the IP of $nic ... DHCP
problem?"
		exit 1
	else
		echo "$TEMP"
	fi
}


#### 1.1 Internet Configuration.
INET_IFACE="ppp0"
INET_IP=`RetrieveIP $INET_IFACE`

#### 1.2 Local Area Network configuration.
LAN_IFACE="eth0"
LAN_IP=`RetrieveIP $LAN_IFACE`
LAN_IP_RANGE="192.168.0.0/24"

#### 1.4 Localhost Configuration.
LO_IFACE="lo"
LO_IP="127.0.0.1"

#### 1.5 IPTables Configuration.
IPTABLES="/sbin/iptables"

#### 1.6 Misc Configuration.
#MARK_FORWARD=$[2#00000001]
#MARK_PRIORITY=$[2#00000010]
#MARK_GENERAL=$[2#00000100]
#MARK_BULK=$[2#00001000]

MARK_FORWARD=1
MARK_PRIORITY\x10
MARK_GENERAL 
MARK_BULK0

DUMPER_IP="192.168.0.6"


###########################################################################
#
# Firewall START function
#

firewall_start ()
{
	######## 3.1 Required proc configuration

	# Enable forwarding
	echo 1 > /proc/sys/net/ipv4/ip_forward

	# no IP spoofing
	if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
	then
		for i in /proc/sys/net/ipv4/conf/*/rp_filter
		do
			echo 1 > $i
		done
	fi

	# Disable Source Routed Packets
	for i in /proc/sys/net/ipv4/conf/*/accept_source_route
	do
		echo 0 > $i
	done


	######## 
	######## 4. rules set up.
	######## 

	######## 4.1 Filter table


	#### 4.1.1 Set policies

	$IPTABLES -P INPUT DROP
	$IPTABLES -P OUTPUT DROP
	$IPTABLES -P FORWARD DROP


	#### 4.1.2 Create userspecified chains

	# Create chain for bad tcp packets
	$IPTABLES -N bad_tcp

	# Create separate chains for ICMP, TCP and UDP to traverse
	$IPTABLES -N tcp_packets
	$IPTABLES -N udp_packets
	$IPTABLES -N icmp_packets
	$IPTABLES -N common


	#### 4.1.3 Create content in userspecified chains

	# bad_tcp chain
	$IPTABLES -A bad_tcp -p tcp --tcp-flags SYN,ACK SYN,ACK -m state
--state NEW -j REJECT --reject-with tcp-reset
	$IPTABLES -A bad_tcp -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn:"
	$IPTABLES -A bad_tcp -p tcp ! --syn -m state --state NEW -j DROP

	# TCP rules
	$IPTABLES -A tcp_packets -p tcp --dport 20 -j common
	$IPTABLES -A tcp_packets -p tcp --dport 21 -j common
	$IPTABLES -A tcp_packets -p tcp --dport 22 -j common
	$IPTABLES -A tcp_packets -p tcp --dport 80 -j common
	$IPTABLES -A tcp_packets -p tcp --dport 443 -j common

	# UDP ports
	#$IPTABLES -A udp_packets -p udp --destination-port 53 -j common

	# ICMP rules
	$IPTABLES -A icmp_packets -p icmp --icmp-type 8 -j common
	$IPTABLES -A icmp_packets -p icmp --icmp-type 11 -j common

	# common chain
	$IPTABLES -A common -p tcp --syn -j ACCEPT
	$IPTABLES -A common -p tcp -m state --state ESTABLISHED,RELATED -j
ACCEPT
	$IPTABLES -A common -p tcp -j DROP
	$IPTABLES -A common -p ! tcp -j ACCEPT


	#### 4.1.4 INPUT chain

	# Bad TCP packets we don't want.
	$IPTABLES -A INPUT -p tcp -j bad_tcp

	# Rules for special networks not part of the Internet
	$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -j ACCEPT
	$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

	# Rules for incoming packets from the internet.
	$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state
ESTABLISHED,RELATED -j ACCEPT
	$IPTABLES -A INPUT -p tcp -i $INET_IFACE -j tcp_packets
	$IPTABLES -A INPUT -p udp -i $INET_IFACE -j udp_packets
	$IPTABLES -A INPUT -p icmp -i $INET_IFACE -j icmp_packets

	# Log weird packets that don't match the above.
	$IPTABLES -A INPUT -m limit --limit 6/minute --limit-burst 6 -j LOG
--log-level DEBUG --log-prefix "iptables INPUT: "


	#### 4.1.5 FORWARD chain

	# Bad TCP packets we don't want
	$IPTABLES -A FORWARD -p tcp -j bad_tcp

	# Accept the packets we actually want to forward
	$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
	$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
	$IPTABLES -A FORWARD -m connmark --mark $MARK_FORWARD/$MARK_FORWARD
-j ACCEPT
#	$IPTABLES -A FORWARD -j ACCEPT

	# Log weird packets that don't match the above.
	$IPTABLES -A FORWARD -m limit --limit 6/minute --limit-burst 6 -j
LOG --log-level DEBUG --log-prefix "iptables FORWARD: "


	#### 4.1.6 OUTPUT chain

	# Bad TCP packets we don't want.
	$IPTABLES -A OUTPUT -p tcp -j bad_tcp

	# Special OUTPUT rules to decide which IP's to allow.
	$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
	$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
	$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

	# Log weird packets that don't match the above.
	$IPTABLES -A OUTPUT -m limit --limit 6/minute --limit-burst 6 -j LOG
--log-level DEBUG --log-prefix "iptables OUTPUT: "




	######## 4.2 nat table

	#### 4.2.1 Set policies

	#### 4.2.2 Create user specified chains

	#### 4.2.3 Create content in user specified chains

	#### 4.2.4 PREROUTING chain

	# Emule stuff - forward to DUMPER
	$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 4662 -d
$INET_IP -j DNAT --to-destination $DUMPER_IP
	$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p udp --dport 4672 -d
$INET_IP -j DNAT --to-destination $DUMPER_IP
	$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 34567
-d $INET_IP -j DNAT --to-destination $DUMPER_IP

	#### 4.2.5 POSTROUTING chain

	# Enable simple IP Forwarding and Network Address Translation
	$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source
$INET_IP

	#### 4.2.6 OUTPUT chain




	######## 4.3 mangle table

	#### 4.3.1 Set policies

	#### 4.3.2 Create user specified chains

	#### 4.3.3 Create content in user specified chains

	#### 4.3.4 PREROUTING chain
	
	# Forwarding marks for packets that have to go to the internal
network
	# Emule
	# Debugging - set EVERYTHING to BULK
#	$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark $MARK_BULK

	$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p tcp --dport 4662
-d $INET_IP -j CONNMARK --set-mark $MARK_FORWARD/$MARK_FORWARD
	$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p udp --dport 4672
-d $INET_IP -j CONNMARK --set-mark $MARK_FORWARD/$MARK_FORWARD
	$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p tcp --dport
34567 -d $INET_IP -j CONNMARK --set-mark $MARK_FORWARD/$MARK_FORWARD
	
	# Shaping and throttling marks for the shaper script (downstream)
	# Priority traffic: All UDP, ICMP, and SSH 
	$IPTABLES -t mangle -A PREROUTING -p udp -j MARK --or-mark
$MARK_PRIORITY
	$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --or-mark
$MARK_PRIORITY
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 22 -j MARK
--or-mark $MARK_PRIORITY
	$IPTABLES -t mangle -A PREROUTING -p tcp --dport 22 -j MARK
--or-mark $MARK_PRIORITY
	
	# General traffic: Web stuff
	$IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j MARK
--or-mark $MARK_GENERAL
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 80 -j MARK
--or-mark $MARK_GENERAL
	$IPTABLES -t mangle -A PREROUTING -p tcp --dport 443 -j MARK
--or-mark $MARK_GENERAL
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 443 -j MARK
--or-mark $MARK_GENERAL
	
	# Everything else - put it on BULK traffic
	$IPTABLES -t mangle -A PREROUTING -m mark --mark 0/$[$MARK_BULK |
$MARK_GENERAL | $MARK_PRIORITY] -j MARK --or-mark $MARK_BULK

	# Detection logs. Used for debugging to ensure markings are correct.
#	$IPTABLES -t mangle -A PREROUTING -m mark --mark
$MARK_FORWARD/$MARK_FORWARD -j LOG --log-level DEBUG --log-prefix "IPT -
MARK det FWD"
#	$IPTABLES -t mangle -A PREROUTING -m connmark --mark
$MARK_PRIORITY/$MARK_PRIORITY -j LOG --log-level DEBUG --log-prefix "IPT -
CONN det PRIO"
#	$IPTABLES -t mangle -A PREROUTING -m connmark --mark
$MARK_GENERAL/$MARK_GENERAL -j LOG --log-level DEBUG --log-prefix "IPT -
CONN det GEN"
#	$IPTABLES -t mangle -A PREROUTING -m connmark --mark
$MARK_BULK/$MARK_BULK -j LOG --log-level DEBUG --log-prefix "IPT - CONN det
BULK"

#	$IPTABLES -t mangle -A PREROUTING -m mark --mark
$MARK_PRIORITY/$MARK_PRIORITY -j LOG --log-level DEBUG --log-prefix
"MARK_PRIORITY    "
#	$IPTABLES -t mangle -A PREROUTING -m mark --mark $MARK_PRIORITY -j
LOG --log-level DEBUG --log-prefix "MARK_PRIORITY EX "
#	$IPTABLES -t mangle -A PREROUTING -m mark --mark
$MARK_GENERAL/$MARK_GENERAL -j LOG --log-level DEBUG --log-prefix
"MARK_GENERAL     "
#	$IPTABLES -t mangle -A PREROUTING -m mark --mark $MARK_GENERAL -j
LOG --log-level DEBUG --log-prefix "MARK_GENERAL EX  "
#	$IPTABLES -t mangle -A PREROUTING -m mark --mark
$MARK_BULK/$MARK_BULK -j LOG --log-level DEBUG --log-prefix "MARK_BULK
"
#	$IPTABLES -t mangle -A PREROUTING -m mark --mark $MARK_BULK -j LOG
--log-level DEBUG --log-prefix "MARK_BULK EX     "

#	$IPTABLES -t mangle -A PREROUTING -m connmark --mark
$MARK_FORWARD/$MARK_FORWARD -j LOG --log-level DEBUG --log-prefix
"FORWARDING...  "

	# Debugging - set EVERYTHING to BULK
#	$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark $MARK_BULK


	#### 4.3.5 INPUT chain

	#### 4.3.6 FORWARD chain

	#### 4.3.7 OUTPUT chain

	#### 4.3.8 POSTROUTING chain

	# Shaping and throttling marks for the shaper script (upstream)
	# Priority traffic: TOS packets, all UDP, ICMP, SSH
	$IPTABLES -t mangle -A POSTROUTING -m tos --tos Minimize-Delay -j
MARK --or-mark $MARK_PRIORITY
	$IPTABLES -t mangle -A POSTROUTING -p udp -j MARK --or-mark
$MARK_PRIORITY
	$IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --or-mark
$MARK_PRIORITY
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK
--or-mark $MARK_PRIORITY
	$IPTABLES -t mangle -A POSTROUTING -p tcp --sport 22 -j MARK
--or-mark $MARK_PRIORITY
    
	# Normal traffic: Web, SSL, ACKs
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 80 -j MARK
--or-mark $MARK_GENERAL
	$IPTABLES -t mangle -A POSTROUTING -p tcp --sport 80 -j MARK
--or-mark $MARK_GENERAL
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK
--or-mark $MARK_GENERAL
	$IPTABLES -t mangle -A POSTROUTING -p tcp --sport 443 -j MARK
--or-mark $MARK_GENERAL
	$IPTABLES -t mangle -A POSTROUTING -p tcp -m length --length :64 -j
MARK --or-mark $MARK_GENERAL

	# Bulk traffic: everything else by default
	$IPTABLES -t mangle -A POSTROUTING -m tos --tos Maximize-Throughput
-j MARK --or-mark $MARK_BULK

	# Debugging - set EVERYTHING to BULK
#	$IPTABLES -t mangle -A POSTROUTING -j MARK --set-mark $MARK_BULK
}



firewall_stop ()
{
	# proc configuration

	# Disable forwarding
	echo 0 > /proc/sys/net/ipv4/ip_forward

	# IP spoofing
	if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
	then
		for i in /proc/sys/net/ipv4/conf/*/rp_filter
		do
			echo 0 > $i
		done
	fi


	# reset the default policies in the filter table.
	$IPTABLES -P INPUT ACCEPT
	$IPTABLES -P FORWARD ACCEPT
	$IPTABLES -P OUTPUT ACCEPT

	# reset the default policies in the nat table.
	$IPTABLES -t nat -P PREROUTING ACCEPT
	$IPTABLES -t nat -P POSTROUTING ACCEPT
	$IPTABLES -t nat -P OUTPUT ACCEPT

	# reset the default policies in the mangle table.
	$IPTABLES -t mangle -P PREROUTING ACCEPT
	$IPTABLES -t mangle -P POSTROUTING ACCEPT
	$IPTABLES -t mangle -P INPUT ACCEPT
	$IPTABLES -t mangle -P OUTPUT ACCEPT
	$IPTABLES -t mangle -P FORWARD ACCEPT

	# flush all the rules in the tables.
	$IPTABLES -F
	$IPTABLES -t nat -F
	$IPTABLES -t mangle -F

	# erase all chains that's not default in the tables.
	$IPTABLES -X
	$IPTABLES -t nat -X
	$IPTABLES -t mangle -X
}



case "$1" in
  start)
        firewall_start
        ;;
  stop)
        firewall_stop
        ;;
  restart|force-reload)
        firewall_stop
        sleep 1
        firewall_start
        ;;
  *)
        echo "Usage: firewall {start|stop|restart}" >&2
        exit 3
        ;;
esac







####################### CONFIG FILES - shaper #######################

#!/bin/bash

###########################################################################
#
# Environment variables
#

DEV=ppp0
UPSTREAM\x192
DOWNSTREAM`0
BURSTd

#MARK_FORWARD=$[2#00000001]
#MARK_PRIORITY=$[2#00000010]
#MARK_GENERAL=$[2#00000100]
#MARK_BULK=$[2#00001000]

MARK_FORWARD=1
MARK_PRIORITY\x10
MARK_GENERAL 
MARK_BULK0



###########################################################################
#
# Script functions
#

#### Status report
shaper_status ()
{
	tc -s class ls dev $DEV
	tc -s qdisc ls dev $DEV
}


#### Stop function
shaper_stop ()
{
	tc qdisc del dev $DEV root 2> /dev/null
	tc qdisc del dev $DEV ingress 2> /dev/null
}


###########################################################################
#
# Start function
#

shaper_start ()
{
	#### Upstream

	# Install HTB qdisc with three classes and rate limting
	tc qdisc add dev $DEV root handle 1: htb default 30 r2q 2
	tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPSTREAM}kbit
ceil ${UPSTREAM}kbit burst 8k cburst 2k
	tc class add dev $DEV parent 1:1 classid 1:10 htb rate
$[4*$UPSTREAM/10]kbit ceil ${UPSTREAM}kbit prio 1
	tc class add dev $DEV parent 1:1 classid 1:20 htb rate
$[3*$UPSTREAM/10]kbit ceil ${UPSTREAM}kbit prio 2
	tc class add dev $DEV parent 1:1 classid 1:30 htb rate
$[3*$UPSTREAM/10]kbit ceil $[6*$UPSTREAM/10]kbit prio 3 burst 1024 cburst
1024

	# Install qdiscs to maximise the efficiency of each class
	tc qdisc add dev $DEV parent 1:10 handle 10: pfifo limit 25
	tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
	tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10

	# Apply filtering based on packets matched in the firewall
	tc filter add dev $DEV parent 1: prio 1 protocol ip handle
$MARK_PRIORITY fw flowid 1:10
	tc filter add dev $DEV parent 1: prio 2 protocol ip handle
$MARK_GENERAL fw flowid 1:20
	tc filter add dev $DEV parent 1: prio 3 protocol ip handle
$MARK_BULK fw flowid 1:30

	#### Downstream

	# Attach ingress qdisc
	tc qdisc add dev $DEV handle ffff: ingress

	# Police everything but high priority traffic
#	tc filter add dev $DEV parent ffff: protocol ip prio 1 handle
$MARK_BULK fw police rate ${DOWNSTREAM}kbit burst ${BURST}kbit drop flowid
:1

tc filter add dev $DEV parent ffff: protocol ip prio 1 handle $MARK_BULK fw
police rate ${DOWNSTREAM}kbit burst ${BURST}kbit drop flowid :1

#tc filter add dev $DEV parent ffff: protocol ip prio 1 u32 match ip src
0.0.0.0/0 police rate ${DOWNSTREAM}kbit burst ${BURST}kbit drop flowid :1

#tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src
0.0.0.0/0 police rate ${DOWNSTREAM}kbit burst ${BURST}kbit drop flowid :1

#	tc filter add dev $DEV parent ffff: protocol ip handle $MARK_BULK \
#		fw flowid :1 police rate ${DOWNSTREAM}kbit burst ${BURST}
action drop
}


case "$1" in
	start)
		shaper_start
		;;
	stop)
		shaper_stop
		;;
	restart|force-reload)
		shaper_stop
		sleep 1
		shaper_start
		;;
	status)
		shaper_status
		;;
	*)
		echo "Usage: adsl-shaper {start|stop|restart|status}" >&2
		exit 3
		;;
esac

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

^ permalink raw reply	[flat|nested] 4+ messages in thread
* RE: [LARTC] Ingress policing (matching netfilter marks)
  2005-12-27  4:17 [LARTC] Ingress policing (matching netfilter marks) Michael
@ 2005-12-30  5:24 ` Michael
  2005-12-30 11:57 ` Andy Furniss
  2005-12-30 14:55 ` Michael
  2 siblings, 0 replies; 4+ messages in thread
From: Michael @ 2005-12-30  5:24 UTC (permalink / raw)
  To: lartc

Hi Everyone,

I've played around with this some more, and it would appear that the
policing works fine, it's just getting the marks detected that's a problem.

That is, I've changed to a u32 match (as opposed to the fw one that I was
using), with a filter that is 'u32 match mark $MARK_BULK 0xffffffff'. This
doesn't get matched at all (ie. I get '(rule hit 2996312 success 0)' from a
`filter show`), however a 'u32 match mark 0 0xffffffff' works perfectly -
matches every single packet. As far as I understand, that means that that
filter is perceiving every single packet to have a mark of exactly 0,
correct?

I'm curious as to how I can detect the packets properly: at the moment, my
mangle table is something like this:

$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark $MARK_BULK
$IPTABLES -t mangle -A PREROUTING -j RETURN
$IPTABLES -t mangle -A INPUT -j MARK --set-mark $MARK_BULK
$IPTABLES -t mangle -A INPUT -j RETURN
$IPTABLES -t mangle -A FORWARD -j MARK --set-mark $MARK_BULK
$IPTABLES -t mangle -A FORWARD -j RETURN
$IPTABLES -t mangle -A OUTPUT -j MARK --set-mark $MARK_BULK
$IPTABLES -t mangle -A OUTPUT -j RETURN
$IPTABLES -t mangle -A POSTROUTING -j MARK --set-mark $MARK_BULK
$IPTABLES -t mangle -A POSTROUTING -j RETURN

so I'm pretty sure there's *no* chance of packets not getting marked. :-)
however, they simply arn't detected. :~( Any ideas?

As a followup, where exactly does the ingress and egress shaping and
policing get applied in relation to the iptables rules? Specifically, where
do the filters get applied in context of this picture:
http://foldoc.thexdershome.com/iptables/images/tables_traverse.jpg (sorry
for the hotlinking). At a guess, I'd speculate that ingress is where the
"routing decision" is (near the top), and egress is right at the end, down
the bottom?

The reason I'm asking that is because I'm curious as to which tables should
have the marking rules to ensure they get detected properly. Also, I'm
curious as to if NAT and other modifications would have been applied to
packets before they're worked on by tc rules.

Thanks for your help, and apologies for the long post. :-)

Cheers! Happy New Year! :-)

Michael Sallaway


> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl 
> [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Michael
> Sent: Tuesday, 27 December 2005 2:18 PM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] Ingress policing (matching netfilter marks)
> 
> Hi,
> 
> I'm having issues with policing my incoming traffic by 
> matching packet marks
> made by iptables. I've checked as many sites and guides as I 
> can find, and I
> seem to be doing the exact same thing as they all are, but 
> there's still no
> success. As such, I was wondering if anyone can have a quick 
> look to see if
> I've done anything obviously stupid?
> 
> Essentially, I can get the egress working fine, matching 
> packets based on
> criteria in iptables. However, doing the same for ingress using:
> `tc qdisc add dev $DEV handle ffff: ingress`
> `tc filter add dev $DEV parent ffff: protocol ip prio 1 
> handle $MARK_BULK fw
> police rate ${DOWNSTREAM}kbit burst ${BURST}kbit drop flowid :1`
> 
> does nothing: packets go through the qdisc fine, but nothing 
> matches the
> filter:
> 
> michael@bob:~$ sudo tc -s -d qdisc show dev ppp0
> qdisc ingress ffff: ----------------
>  Sent 47169399 bytes 46532 pkts (dropped 0, overlimits 0)
> 
> michael@bob:~$ sudo tc -s -d filter show dev ppp0 root
> filter parent ffff: protocol ip pref 1 fw
> filter parent ffff: protocol ip pref 1 fw handle 0x1e classid 
> :1  police
> 0x28 rate 600000bit burst 8Kb mtu 2Kb action drop
> ref 1 bind 1
> 
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> 
> I suspected I just might not be marking things correctly, so 
> I tried u32
> matching 0.0.0.0/0 - that worked fine, but for _all_ traffic 
> (as it should).
> So I tried marking *every* packet with $MARK_BULK (and 
> verified that the
> mark was correct using a log match, and watching the syslog 
> file) in both
> prerouting and postrouting chains, yet this didn't help either.
> 
> Regardless of what I do, I can't get the above filter to 
> match anything at
> all - I'm sure the packets are marked correctly, I just can't 
> match them.
> Any ideas?
> 
> (I'll copy my entire configs below for reference if needed.)
> 
> Cheers!
> Michael
> 
> 
> 
> ####################### CONFIG FILES - firewall 
> #######################
> 
> #!/bin/bash
> 
> ##############################################################
> #############
> #
> # Custom functions and configuration
> #
> 
> RetrieveIP() {
> 	nic="$1"
> 	TEMP=""
> 
> 	if ! /sbin/ifconfig | grep $nic > /dev/null; then
> 		echo -e "\n\n interface $nic does not exist...  
> Aborting!"
> 		exit 1;
> 	fi
> 
> 	TEMP=`ifconfig $nic | awk '/inet addr/ { gsub(".*:", 
> "", $2) ; print
> $2 }'`
> 
> 	if [ "$TEMP" = '' ]; then
> 		echo "Aborting: Unable to determine the IP of 
> $nic ... DHCP
> problem?"
> 		exit 1
> 	else
> 		echo "$TEMP"
> 	fi
> }
> 
> 
> #### 1.1 Internet Configuration.
> INET_IFACE="ppp0"
> INET_IP=`RetrieveIP $INET_IFACE`
> 
> #### 1.2 Local Area Network configuration.
> LAN_IFACE="eth0"
> LAN_IP=`RetrieveIP $LAN_IFACE`
> LAN_IP_RANGE="192.168.0.0/24"
> 
> #### 1.4 Localhost Configuration.
> LO_IFACE="lo"
> LO_IP="127.0.0.1"
> 
> #### 1.5 IPTables Configuration.
> IPTABLES="/sbin/iptables"
> 
> #### 1.6 Misc Configuration.
> #MARK_FORWARD=$[2#00000001]
> #MARK_PRIORITY=$[2#00000010]
> #MARK_GENERAL=$[2#00000100]
> #MARK_BULK=$[2#00001000]
> 
> MARK_FORWARD=1
> MARK_PRIORITY\x10
> MARK_GENERAL 
> MARK_BULK0
> 
> DUMPER_IP="192.168.0.6"
> 
> 
> ##############################################################
> #############
> #
> # Firewall START function
> #
> 
> firewall_start ()
> {
> 	######## 3.1 Required proc configuration
> 
> 	# Enable forwarding
> 	echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> 	# no IP spoofing
> 	if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
> 	then
> 		for i in /proc/sys/net/ipv4/conf/*/rp_filter
> 		do
> 			echo 1 > $i
> 		done
> 	fi
> 
> 	# Disable Source Routed Packets
> 	for i in /proc/sys/net/ipv4/conf/*/accept_source_route
> 	do
> 		echo 0 > $i
> 	done
> 
> 
> 	######## 
> 	######## 4. rules set up.
> 	######## 
> 
> 	######## 4.1 Filter table
> 
> 
> 	#### 4.1.1 Set policies
> 
> 	$IPTABLES -P INPUT DROP
> 	$IPTABLES -P OUTPUT DROP
> 	$IPTABLES -P FORWARD DROP
> 
> 
> 	#### 4.1.2 Create userspecified chains
> 
> 	# Create chain for bad tcp packets
> 	$IPTABLES -N bad_tcp
> 
> 	# Create separate chains for ICMP, TCP and UDP to traverse
> 	$IPTABLES -N tcp_packets
> 	$IPTABLES -N udp_packets
> 	$IPTABLES -N icmp_packets
> 	$IPTABLES -N common
> 
> 
> 	#### 4.1.3 Create content in userspecified chains
> 
> 	# bad_tcp chain
> 	$IPTABLES -A bad_tcp -p tcp --tcp-flags SYN,ACK SYN,ACK -m state
> --state NEW -j REJECT --reject-with tcp-reset
> 	$IPTABLES -A bad_tcp -p tcp ! --syn -m state --state NEW -j LOG
> --log-prefix "New not syn:"
> 	$IPTABLES -A bad_tcp -p tcp ! --syn -m state --state NEW -j DROP
> 
> 	# TCP rules
> 	$IPTABLES -A tcp_packets -p tcp --dport 20 -j common
> 	$IPTABLES -A tcp_packets -p tcp --dport 21 -j common
> 	$IPTABLES -A tcp_packets -p tcp --dport 22 -j common
> 	$IPTABLES -A tcp_packets -p tcp --dport 80 -j common
> 	$IPTABLES -A tcp_packets -p tcp --dport 443 -j common
> 
> 	# UDP ports
> 	#$IPTABLES -A udp_packets -p udp --destination-port 53 -j common
> 
> 	# ICMP rules
> 	$IPTABLES -A icmp_packets -p icmp --icmp-type 8 -j common
> 	$IPTABLES -A icmp_packets -p icmp --icmp-type 11 -j common
> 
> 	# common chain
> 	$IPTABLES -A common -p tcp --syn -j ACCEPT
> 	$IPTABLES -A common -p tcp -m state --state 
> ESTABLISHED,RELATED -j
> ACCEPT
> 	$IPTABLES -A common -p tcp -j DROP
> 	$IPTABLES -A common -p ! tcp -j ACCEPT
> 
> 
> 	#### 4.1.4 INPUT chain
> 
> 	# Bad TCP packets we don't want.
> 	$IPTABLES -A INPUT -p tcp -j bad_tcp
> 
> 	# Rules for special networks not part of the Internet
> 	$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -j ACCEPT
> 	$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
> 
> 	# Rules for incoming packets from the internet.
> 	$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> 	$IPTABLES -A INPUT -p tcp -i $INET_IFACE -j tcp_packets
> 	$IPTABLES -A INPUT -p udp -i $INET_IFACE -j udp_packets
> 	$IPTABLES -A INPUT -p icmp -i $INET_IFACE -j icmp_packets
> 
> 	# Log weird packets that don't match the above.
> 	$IPTABLES -A INPUT -m limit --limit 6/minute 
> --limit-burst 6 -j LOG
> --log-level DEBUG --log-prefix "iptables INPUT: "
> 
> 
> 	#### 4.1.5 FORWARD chain
> 
> 	# Bad TCP packets we don't want
> 	$IPTABLES -A FORWARD -p tcp -j bad_tcp
> 
> 	# Accept the packets we actually want to forward
> 	$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> 	$IPTABLES -A FORWARD -m state --state 
> ESTABLISHED,RELATED -j ACCEPT
> 	$IPTABLES -A FORWARD -m connmark --mark 
> $MARK_FORWARD/$MARK_FORWARD
> -j ACCEPT
> #	$IPTABLES -A FORWARD -j ACCEPT
> 
> 	# Log weird packets that don't match the above.
> 	$IPTABLES -A FORWARD -m limit --limit 6/minute 
> --limit-burst 6 -j
> LOG --log-level DEBUG --log-prefix "iptables FORWARD: "
> 
> 
> 	#### 4.1.6 OUTPUT chain
> 
> 	# Bad TCP packets we don't want.
> 	$IPTABLES -A OUTPUT -p tcp -j bad_tcp
> 
> 	# Special OUTPUT rules to decide which IP's to allow.
> 	$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
> 	$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
> 	$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
> 
> 	# Log weird packets that don't match the above.
> 	$IPTABLES -A OUTPUT -m limit --limit 6/minute 
> --limit-burst 6 -j LOG
> --log-level DEBUG --log-prefix "iptables OUTPUT: "
> 
> 
> 
> 
> 	######## 4.2 nat table
> 
> 	#### 4.2.1 Set policies
> 
> 	#### 4.2.2 Create user specified chains
> 
> 	#### 4.2.3 Create content in user specified chains
> 
> 	#### 4.2.4 PREROUTING chain
> 
> 	# Emule stuff - forward to DUMPER
> 	$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp 
> --dport 4662 -d
> $INET_IP -j DNAT --to-destination $DUMPER_IP
> 	$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p udp 
> --dport 4672 -d
> $INET_IP -j DNAT --to-destination $DUMPER_IP
> 	$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp 
> --dport 34567
> -d $INET_IP -j DNAT --to-destination $DUMPER_IP
> 
> 	#### 4.2.5 POSTROUTING chain
> 
> 	# Enable simple IP Forwarding and Network Address Translation
> 	$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT 
> --to-source
> $INET_IP
> 
> 	#### 4.2.6 OUTPUT chain
> 
> 
> 
> 
> 	######## 4.3 mangle table
> 
> 	#### 4.3.1 Set policies
> 
> 	#### 4.3.2 Create user specified chains
> 
> 	#### 4.3.3 Create content in user specified chains
> 
> 	#### 4.3.4 PREROUTING chain
> 	
> 	# Forwarding marks for packets that have to go to the internal
> network
> 	# Emule
> 	# Debugging - set EVERYTHING to BULK
> #	$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark $MARK_BULK
> 
> 	$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p tcp 
> --dport 4662
> -d $INET_IP -j CONNMARK --set-mark $MARK_FORWARD/$MARK_FORWARD
> 	$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p udp 
> --dport 4672
> -d $INET_IP -j CONNMARK --set-mark $MARK_FORWARD/$MARK_FORWARD
> 	$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -p tcp --dport
> 34567 -d $INET_IP -j CONNMARK --set-mark $MARK_FORWARD/$MARK_FORWARD
> 	
> 	# Shaping and throttling marks for the shaper script 
> (downstream)
> 	# Priority traffic: All UDP, ICMP, and SSH 
> 	$IPTABLES -t mangle -A PREROUTING -p udp -j MARK --or-mark
> $MARK_PRIORITY
> 	$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --or-mark
> $MARK_PRIORITY
> 	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 22 -j MARK
> --or-mark $MARK_PRIORITY
> 	$IPTABLES -t mangle -A PREROUTING -p tcp --dport 22 -j MARK
> --or-mark $MARK_PRIORITY
> 	
> 	# General traffic: Web stuff
> 	$IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j MARK
> --or-mark $MARK_GENERAL
> 	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 80 -j MARK
> --or-mark $MARK_GENERAL
> 	$IPTABLES -t mangle -A PREROUTING -p tcp --dport 443 -j MARK
> --or-mark $MARK_GENERAL
> 	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 443 -j MARK
> --or-mark $MARK_GENERAL
> 	
> 	# Everything else - put it on BULK traffic
> 	$IPTABLES -t mangle -A PREROUTING -m mark --mark 
> 0/$[$MARK_BULK |
> $MARK_GENERAL | $MARK_PRIORITY] -j MARK --or-mark $MARK_BULK
> 
> 	# Detection logs. Used for debugging to ensure markings 
> are correct.
> #	$IPTABLES -t mangle -A PREROUTING -m mark --mark
> $MARK_FORWARD/$MARK_FORWARD -j LOG --log-level DEBUG 
> --log-prefix "IPT -
> MARK det FWD"
> #	$IPTABLES -t mangle -A PREROUTING -m connmark --mark
> $MARK_PRIORITY/$MARK_PRIORITY -j LOG --log-level DEBUG 
> --log-prefix "IPT -
> CONN det PRIO"
> #	$IPTABLES -t mangle -A PREROUTING -m connmark --mark
> $MARK_GENERAL/$MARK_GENERAL -j LOG --log-level DEBUG 
> --log-prefix "IPT -
> CONN det GEN"
> #	$IPTABLES -t mangle -A PREROUTING -m connmark --mark
> $MARK_BULK/$MARK_BULK -j LOG --log-level DEBUG --log-prefix 
> "IPT - CONN det
> BULK"
> 
> #	$IPTABLES -t mangle -A PREROUTING -m mark --mark
> $MARK_PRIORITY/$MARK_PRIORITY -j LOG --log-level DEBUG --log-prefix
> "MARK_PRIORITY    "
> #	$IPTABLES -t mangle -A PREROUTING -m mark --mark 
> $MARK_PRIORITY -j
> LOG --log-level DEBUG --log-prefix "MARK_PRIORITY EX "
> #	$IPTABLES -t mangle -A PREROUTING -m mark --mark
> $MARK_GENERAL/$MARK_GENERAL -j LOG --log-level DEBUG --log-prefix
> "MARK_GENERAL     "
> #	$IPTABLES -t mangle -A PREROUTING -m mark --mark 
> $MARK_GENERAL -j
> LOG --log-level DEBUG --log-prefix "MARK_GENERAL EX  "
> #	$IPTABLES -t mangle -A PREROUTING -m mark --mark
> $MARK_BULK/$MARK_BULK -j LOG --log-level DEBUG --log-prefix "MARK_BULK
> "
> #	$IPTABLES -t mangle -A PREROUTING -m mark --mark 
> $MARK_BULK -j LOG
> --log-level DEBUG --log-prefix "MARK_BULK EX     "
> 
> #	$IPTABLES -t mangle -A PREROUTING -m connmark --mark
> $MARK_FORWARD/$MARK_FORWARD -j LOG --log-level DEBUG --log-prefix
> "FORWARDING...  "
> 
> 	# Debugging - set EVERYTHING to BULK
> #	$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark $MARK_BULK
> 
> 
> 	#### 4.3.5 INPUT chain
> 
> 	#### 4.3.6 FORWARD chain
> 
> 	#### 4.3.7 OUTPUT chain
> 
> 	#### 4.3.8 POSTROUTING chain
> 
> 	# Shaping and throttling marks for the shaper script (upstream)
> 	# Priority traffic: TOS packets, all UDP, ICMP, SSH
> 	$IPTABLES -t mangle -A POSTROUTING -m tos --tos 
> Minimize-Delay -j
> MARK --or-mark $MARK_PRIORITY
> 	$IPTABLES -t mangle -A POSTROUTING -p udp -j MARK --or-mark
> $MARK_PRIORITY
> 	$IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --or-mark
> $MARK_PRIORITY
> 	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK
> --or-mark $MARK_PRIORITY
> 	$IPTABLES -t mangle -A POSTROUTING -p tcp --sport 22 -j MARK
> --or-mark $MARK_PRIORITY
>     
> 	# Normal traffic: Web, SSL, ACKs
> 	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 80 -j MARK
> --or-mark $MARK_GENERAL
> 	$IPTABLES -t mangle -A POSTROUTING -p tcp --sport 80 -j MARK
> --or-mark $MARK_GENERAL
> 	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK
> --or-mark $MARK_GENERAL
> 	$IPTABLES -t mangle -A POSTROUTING -p tcp --sport 443 -j MARK
> --or-mark $MARK_GENERAL
> 	$IPTABLES -t mangle -A POSTROUTING -p tcp -m length 
> --length :64 -j
> MARK --or-mark $MARK_GENERAL
> 
> 	# Bulk traffic: everything else by default
> 	$IPTABLES -t mangle -A POSTROUTING -m tos --tos 
> Maximize-Throughput
> -j MARK --or-mark $MARK_BULK
> 
> 	# Debugging - set EVERYTHING to BULK
> #	$IPTABLES -t mangle -A POSTROUTING -j MARK --set-mark $MARK_BULK
> }
> 
> 
> 
> firewall_stop ()
> {
> 	# proc configuration
> 
> 	# Disable forwarding
> 	echo 0 > /proc/sys/net/ipv4/ip_forward
> 
> 	# IP spoofing
> 	if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
> 	then
> 		for i in /proc/sys/net/ipv4/conf/*/rp_filter
> 		do
> 			echo 0 > $i
> 		done
> 	fi
> 
> 
> 	# reset the default policies in the filter table.
> 	$IPTABLES -P INPUT ACCEPT
> 	$IPTABLES -P FORWARD ACCEPT
> 	$IPTABLES -P OUTPUT ACCEPT
> 
> 	# reset the default policies in the nat table.
> 	$IPTABLES -t nat -P PREROUTING ACCEPT
> 	$IPTABLES -t nat -P POSTROUTING ACCEPT
> 	$IPTABLES -t nat -P OUTPUT ACCEPT
> 
> 	# reset the default policies in the mangle table.
> 	$IPTABLES -t mangle -P PREROUTING ACCEPT
> 	$IPTABLES -t mangle -P POSTROUTING ACCEPT
> 	$IPTABLES -t mangle -P INPUT ACCEPT
> 	$IPTABLES -t mangle -P OUTPUT ACCEPT
> 	$IPTABLES -t mangle -P FORWARD ACCEPT
> 
> 	# flush all the rules in the tables.
> 	$IPTABLES -F
> 	$IPTABLES -t nat -F
> 	$IPTABLES -t mangle -F
> 
> 	# erase all chains that's not default in the tables.
> 	$IPTABLES -X
> 	$IPTABLES -t nat -X
> 	$IPTABLES -t mangle -X
> }
> 
> 
> 
> case "$1" in
>   start)
>         firewall_start
>         ;;
>   stop)
>         firewall_stop
>         ;;
>   restart|force-reload)
>         firewall_stop
>         sleep 1
>         firewall_start
>         ;;
>   *)
>         echo "Usage: firewall {start|stop|restart}" >&2
>         exit 3
>         ;;
> esac
> 
> 
> 
> 
> 
> 
> 
> ####################### CONFIG FILES - shaper #######################
> 
> #!/bin/bash
> 
> ##############################################################
> #############
> #
> # Environment variables
> #
> 
> DEV=ppp0
> UPSTREAM\x192
> DOWNSTREAM`0
> BURSTd
> 
> #MARK_FORWARD=$[2#00000001]
> #MARK_PRIORITY=$[2#00000010]
> #MARK_GENERAL=$[2#00000100]
> #MARK_BULK=$[2#00001000]
> 
> MARK_FORWARD=1
> MARK_PRIORITY\x10
> MARK_GENERAL 
> MARK_BULK0
> 
> 
> 
> ##############################################################
> #############
> #
> # Script functions
> #
> 
> #### Status report
> shaper_status ()
> {
> 	tc -s class ls dev $DEV
> 	tc -s qdisc ls dev $DEV
> }
> 
> 
> #### Stop function
> shaper_stop ()
> {
> 	tc qdisc del dev $DEV root 2> /dev/null
> 	tc qdisc del dev $DEV ingress 2> /dev/null
> }
> 
> 
> ##############################################################
> #############
> #
> # Start function
> #
> 
> shaper_start ()
> {
> 	#### Upstream
> 
> 	# Install HTB qdisc with three classes and rate limting
> 	tc qdisc add dev $DEV root handle 1: htb default 30 r2q 2
> 	tc class add dev $DEV parent 1: classid 1:1 htb rate 
> ${UPSTREAM}kbit
> ceil ${UPSTREAM}kbit burst 8k cburst 2k
> 	tc class add dev $DEV parent 1:1 classid 1:10 htb rate
> $[4*$UPSTREAM/10]kbit ceil ${UPSTREAM}kbit prio 1
> 	tc class add dev $DEV parent 1:1 classid 1:20 htb rate
> $[3*$UPSTREAM/10]kbit ceil ${UPSTREAM}kbit prio 2
> 	tc class add dev $DEV parent 1:1 classid 1:30 htb rate
> $[3*$UPSTREAM/10]kbit ceil $[6*$UPSTREAM/10]kbit prio 3 burst 
> 1024 cburst
> 1024
> 
> 	# Install qdiscs to maximise the efficiency of each class
> 	tc qdisc add dev $DEV parent 1:10 handle 10: pfifo limit 25
> 	tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
> 	tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10
> 
> 	# Apply filtering based on packets matched in the firewall
> 	tc filter add dev $DEV parent 1: prio 1 protocol ip handle
> $MARK_PRIORITY fw flowid 1:10
> 	tc filter add dev $DEV parent 1: prio 2 protocol ip handle
> $MARK_GENERAL fw flowid 1:20
> 	tc filter add dev $DEV parent 1: prio 3 protocol ip handle
> $MARK_BULK fw flowid 1:30
> 
> 	#### Downstream
> 
> 	# Attach ingress qdisc
> 	tc qdisc add dev $DEV handle ffff: ingress
> 
> 	# Police everything but high priority traffic
> #	tc filter add dev $DEV parent ffff: protocol ip prio 1 handle
> $MARK_BULK fw police rate ${DOWNSTREAM}kbit burst 
> ${BURST}kbit drop flowid
> :1
> 
> tc filter add dev $DEV parent ffff: protocol ip prio 1 handle 
> $MARK_BULK fw
> police rate ${DOWNSTREAM}kbit burst ${BURST}kbit drop flowid :1
> 
> #tc filter add dev $DEV parent ffff: protocol ip prio 1 u32 
> match ip src
> 0.0.0.0/0 police rate ${DOWNSTREAM}kbit burst ${BURST}kbit 
> drop flowid :1
> 
> #tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 
> match ip src
> 0.0.0.0/0 police rate ${DOWNSTREAM}kbit burst ${BURST}kbit 
> drop flowid :1
> 
> #	tc filter add dev $DEV parent ffff: protocol ip handle 
> $MARK_BULK \
> #		fw flowid :1 police rate ${DOWNSTREAM}kbit 
> burst ${BURST}
> action drop
> }
> 
> 
> case "$1" in
> 	start)
> 		shaper_start
> 		;;
> 	stop)
> 		shaper_stop
> 		;;
> 	restart|force-reload)
> 		shaper_stop
> 		sleep 1
> 		shaper_start
> 		;;
> 	status)
> 		shaper_status
> 		;;
> 	*)
> 		echo "Usage: adsl-shaper 
> {start|stop|restart|status}" >&2
> 		exit 3
> 		;;
> esac
> 
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> 

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [LARTC] Ingress policing (matching netfilter marks)
  2005-12-27  4:17 [LARTC] Ingress policing (matching netfilter marks) Michael
  2005-12-30  5:24 ` Michael
@ 2005-12-30 11:57 ` Andy Furniss
  2005-12-30 14:55 ` Michael
  2 siblings, 0 replies; 4+ messages in thread
From: Andy Furniss @ 2005-12-30 11:57 UTC (permalink / raw)
  To: lartc

Michael wrote:
> Hi Everyone,
> 
> I've played around with this some more, and it would appear that the
> policing works fine, it's just getting the marks detected that's a problem.

There is a Kernel config option near policer called packet action if you 
select it, policer will be before PREROUTING if it is unselected then 
you will be able to select the old policer, which is after PREROUTING.

Andy.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

^ permalink raw reply	[flat|nested] 4+ messages in thread
* RE: [LARTC] Ingress policing (matching netfilter marks)
  2005-12-27  4:17 [LARTC] Ingress policing (matching netfilter marks) Michael
  2005-12-30  5:24 ` Michael
  2005-12-30 11:57 ` Andy Furniss
@ 2005-12-30 14:55 ` Michael
  2 siblings, 0 replies; 4+ messages in thread
From: Michael @ 2005-12-30 14:55 UTC (permalink / raw)
  To: lartc


> > I've played around with this some more, and it would appear that the
> > policing works fine, it's just getting the marks detected 
> that's a problem.
> 
> There is a Kernel config option near policer called packet 
> action if you 
> select it, policer will be before PREROUTING if it is unselected then 
> you will be able to select the old policer, which is after PREROUTING.

*thankyou*! it works brilliantly, now. (Well, the marks are getting matched,
at least - I'm still tweaking the settings.)

Never realized that was an issue: I suspected it might be a kernel config
issue, so I went through and simply enabled everything related to these
network-ish functions. Obviously, brute force and ignorance isn't the best
option all the time. ;-)

Thanks heaps for your help.

Cheers,
Michael

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2005-12-30 14:55 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-12-27  4:17 [LARTC] Ingress policing (matching netfilter marks) Michael
2005-12-30  5:24 ` Michael
2005-12-30 11:57 ` Andy Furniss
2005-12-30 14:55 ` Michael

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.