From mboxrd@z Thu Jan 1 00:00:00 1970
From: VladSun
Date: Wed, 06 Jun 2007 13:50:05 +0000
Subject: Re: [LARTC] u32 classifier
Message-Id: <4666BB8D.3080509@relef.net>
List-Id:
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
To: lartc@vger.kernel.org

Catalin Bucur wrote:
> VladSun wrote:
>
>> terraja-based wrote:
>>
>>> Hi folks...!!!
>>> I've a problem that I have not solved.
>>> I want to limit the DOWNLOAD to my hosts (upstream traffic for the
>>> firewall) using IMQ.
>>> If I classify by PORT (source or destination) all seems to be fine,
>>> but...BUT...if I want to restrict by IP address (internal IP address)
>>> I can't do it, because my hosts go to the Internet through the firewall
>>> using NAT, so after NAT my IP address on the Internet is not my internal
>>> address, because the NAT action changes my source and internal IP
>>> address.
>>> So...so...so...how can I limit the traffic by IP address using TC,
>>> IMQ, U32..etc...?????
>>> Can I modify some field in the TCP header with a u32 filter? I did read
>>> the TCP RFC and nothing, I can't guess how to solve it...
>>>
>>>
>> Use iptables MARK, and TC fw.
>>
>
> SCENARIO
> ====
>
> tc utility, iproute2-ss061214
> kernel 2.6.20-1.2952.fc6
>
> Mark packets:
> #iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 1
>
> Shape marked packets with tc fw:
> #tc class add dev eth1 parent 11:1 classid 11:2 htb rate 10Mbit ceil
> 90Mbit prio 6
> #tc qdisc add dev eth1 parent 11:2 sfq quantum 1500 perturb 5
> #tc filter add dev eth1 parent 11:0 protocol ip handle 1 fw classid 11:2
>
> Result in iptables seems ok:
> Chain OUTPUT (policy ACCEPT 8054768 packets, 8122202853 bytes)
> pkts bytes target prot opt in out source destination
> 3827080 4103809298 MARK all -- * eth1 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
>
> Result in tc:
> filter parent 11: protocol ip pref 49152 fw
> filter parent 11: protocol ip pref 49152 fw handle 0x1 classid 11:2
>
> So there are no matches in this filter, the other filters work fine (for
> example: rule hit 5846685 success 5846685). The class is empty too:
> class htb 11:2 parent 11:1 leaf 8003: prio 6 rate 10000Kbit ceil
> 90000Kbit burst 2850b cburst 12847b
> Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> rate 0bit 0pps backlog 0b 0p requeues 0
>
> What could be the problem?
>
>
> Cheers,
>

11:1 is not your root class, right?
If so, try to apply the filter to the root class - i.e. something like

tc filter add dev eth1 parent 1:0 protocol ip handle 1 fw classid 11:2

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
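An added check, not part of the thread, that applies the diagnosis in the reply above to captured `tc` output: it finds the root qdisc in `tc qdisc show` output and reports every fw filter attached to some other qdisc, since such a filter is only consulted for packets that the root qdisc's own classification already steers into that child qdisc. The qdisc listing and the second fw filter are constructed sample output assumed for the example; the `parent 11:` lines are the ones quoted in the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample resembling `tc qdisc show dev eth1`: an htb root 1:
# with a child htb qdisc 11: hanging off class 1:2 (assumed layout).
QDISC_SHOW = """\
qdisc htb 1: root r2q 10 default 0 direct_packets_stat 0
qdisc htb 11: parent 1:2 r2q 10 default 0 direct_packets_stat 0
qdisc sfq 8003: parent 11:2 limit 128p quantum 1500b perturb 5sec
"""

# Constructed sample resembling `tc filter show dev eth1 parent <handle>`
# output for both qdiscs; the 11: lines are the ones quoted in the thread.
FILTER_SHOW = """\
filter parent 11: protocol ip pref 49152 fw
filter parent 11: protocol ip pref 49152 fw handle 0x1 classid 11:2
filter parent 1: protocol ip pref 49152 fw
filter parent 1: protocol ip pref 49152 fw handle 0x2 classid 1:3
"""

FW_LINE = re.compile(
    r"filter parent (\S+) protocol \S+ pref \d+ fw handle (0x[0-9a-f]+) classid (\S+)")


def root_qdisc_handle(qdisc_show: str) -> Optional[str]:
    """Return the handle (e.g. '1:') of the qdisc flagged 'root', if any."""
    for line in qdisc_show.splitlines():
        m = re.match(r"qdisc \S+ (\S+) root\b", line)
        if m:
            return m.group(1)
    return None


def fw_filters(filter_show: str) -> List[Dict]:
    """Parse fw filter lines that carry a mark (handle) and a target classid."""
    out = []
    for line in filter_show.splitlines():
        m = FW_LINE.match(line)
        if m:
            out.append({"parent": m.group(1), "mark": int(m.group(2), 16),
                        "classid": m.group(3)})
    return out


def misplaced_fw_filters(qdisc_show: str, filter_show: str) -> List[Dict]:
    """fw filters not attached to the root qdisc: they see only packets
    already classified into their qdisc, so a mark set in mangle never
    reaches them unless the root's own filters send traffic there."""
    root = root_qdisc_handle(qdisc_show)
    return [f for f in fw_filters(filter_show) if f["parent"] != root]


if __name__ == "__main__":
    for f in misplaced_fw_filters(QDISC_SHOW, FILTER_SHOW):
        print(f"mark {f['mark']} -> {f['classid']} is attached to qdisc "
              f"{f['parent']}, not the root; attach it with 'parent <root>'")
```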