From: Mohan Sundaram <mohan.tux@gmail.com>
To: lartc@vger.kernel.org
Subject: Re: AW: [LARTC] qos inside ipsec tunnel
Date: Sat, 04 Nov 2006 01:37:51 +0000	[thread overview]
Message-ID: <454BEC1F.40801@vsnl.com> (raw)
In-Reply-To: <BAY103-DAV169728E17ADAF116083771B2FE0@phx.gbl>

Martin Bene wrote:
> Hi Marco,
> 
>> Hello everybody.
>> I would like to do some kind of shaping inside an
>> ipsec tunnel implemented by Openswan and linux
>> 2.6.18.x with xfrm (no KLIPS): for example, to
>> limit outbound smtp traffic inside the tunnel.
>> Question: where should I attach the qdisc to? Eth0?
>> I'm asking this, because tcpdump only see the ESP
>> packet on the eth0 and not the 'clear' packet.
> 
> Heh - just subscribed to the LARTC list because I'm working on a similar
> problem.
> 
> Yes, you'll have to attach your classes to eth0 device. However, by the
> time qos gets to see the packets, they'll be encrypted, so you won't be
> able to just use tc filter with u32 classifier to select on port 25.
> 
> What should work is to mark the packets in PREROUTING in the mangle
> table and assign them to the classes you want based on the fwmark:
> 
> iptables -t mangle -A PREROUTING -d <private ip vpn remote side>/24 -p tcp -m multiport --port 25 -j MARK --set-mark 102
> tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 102 fw flowid 1:20
> 
> Hope this helps, Martin
Has anyone tested this? Does the mark get carried across encapsulations 
or is the packet context a new one on encapsulation? I know that IPSec 
RFC says inner packet headers have to be copied to the outer header. 
Does that include the TOS byte too? Do not know what OpenSWAN does. If 
that were the case, assigning TOS prior to encapsulation and classifying 
by TOS at the device will work.

Mohan
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
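A complete setup script, added here as an example and not taken from any message in the thread, that turns Martin's two commands into a full configuration: an HTB tree on eth0, the mangle rule in both PREROUTING (forwarded LAN traffic) and OUTPUT (traffic the gateway itself originates, which never passes PREROUTING), and the DSCP/TOS-based variant Mohan proposes as the alternative should the fwmark not survive encapsulation (the open question in the thread). The interface name, the rates, the remote subnet 10.1.2.0/24, the mark value 102 and the DSCP class are constructed placeholders; with DRY_RUN=1 (the default) the script only prints the commands, with DRY_RUN=0 it executes them and needs root.

```shell
#!/bin/sh
# Added example, not code from the thread. Caps SMTP (tcp/25) headed into an
# IPsec tunnel by marking the clear-text packet before xfrm encapsulates it
# and classifying the resulting ESP packet on the physical device.
# DEV, REMOTE_NET, MARK and the HTB rates are constructed placeholders.

DEV="${DEV:-eth0}"
REMOTE_NET="${REMOTE_NET:-10.1.2.0/24}"   # private subnet on the far side of the VPN
MARK="${MARK:-102}"
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands only, 0 = execute (needs root)

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fwmark approach (Martin's suggestion). The mangle rule sees the inner,
# still unencrypted packet. Forwarded LAN traffic enters through PREROUTING;
# traffic the gateway itself originates only traverses OUTPUT, so mark both.
mark_rules() {
    for chain in PREROUTING OUTPUT; do
        run iptables -t mangle -A "$chain" -d "$REMOTE_NET" -p tcp \
            -m multiport --ports 25 -j MARK --set-mark "$MARK"
    done
}

# HTB tree on the physical device: class 1:10 takes everything else,
# class 1:20 is the capped SMTP class selected by fwmark.
shaping_rules() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 10
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate 10mbit
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate 9mbit ceil 10mbit
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate 1mbit ceil 1mbit
    run tc filter add dev "$DEV" protocol ip parent 1:0 prio 1 handle "$MARK" fw flowid 1:20
}

# DSCP/TOS approach (Mohan's alternative): stamp the inner header's DSCP,
# which tunnel mode copies to the outer header by default (RFC 4301), and
# match the TOS byte of the outer ESP packet (IP protocol 50). CS1 is DSCP 8,
# i.e. TOS byte 0x20; the 0xfc mask ignores the two ECN bits.
dscp_rules() {
    for chain in PREROUTING OUTPUT; do
        run iptables -t mangle -A "$chain" -d "$REMOTE_NET" -p tcp \
            -m multiport --ports 25 -j DSCP --set-dscp-class CS1
    done
    run tc filter add dev "$DEV" protocol ip parent 1:0 prio 2 u32 \
        match ip protocol 50 0xff match ip tos 0x20 0xfc flowid 1:20
}

# Apply the HTB tree and fwmark classification; USE_DSCP=1 adds the TOS filter.
apply_all() {
    shaping_rules
    mark_rules
    if [ "${USE_DSCP:-0}" = "1" ]; then
        dscp_rules
    fi
}

apply_all
```

Run it once with DRY_RUN=1 to review the generated rules, then with DRY_RUN=0 on the gateway; `tc -s class show dev eth0` afterwards shows whether bytes are landing in class 1:20, which is the quickest way to settle Mohan's question about the mark surviving encapsulation on a given kernel.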

Thread overview: 6+ messages
2006-11-03 16:16 [LARTC] qos inside ipsec tunnel Marco Berizzi
2006-11-03 16:50 ` AW: " Martin Bene
2006-11-04  1:37 ` Mohan Sundaram [this message]
2006-11-04  6:09 ` AW: " Martin Bene
2006-11-05 22:33 ` John Serink
2006-11-06 10:15 ` Martin Bene
