* [LARTC] traffic not getting into class
From: richard lucassen @ 2007-12-17 11:09 UTC
  To: lartc

Hello list,

I have these sorts of filters, putting traffic into the appropriate
classid (1:15 is the default class):

  ${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip sport 22 0xffff \
    classid 1:11 # ssh

  ${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 22 0xffff \
    classid 1:11 # ssh

[and a few more 1:11 filters]

  ${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x11 0xff \
    match ip sport 123 0xffff \
    classid 1:11 # return packets NTP

  ${TC} filter add dev ${DEV_IFB} parent 1:0 prio 1 protocol ip u32 \
    match ip protocol 0x06 0xff \
    match u8 0x05 0x0f at 0 \
    match u8 0x10 0xff at 33 \
    match u16 0x000 0xffc0 at 2 \
    classid 1:11 # ACK's

  ${TC} filter add dev ${DEV_IFB} parent 1:0 prio 2 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 80 0xffff \
    classid 1:12 # Webserver

  ${TC} filter add dev ${DEV_IFB} parent 1:0 prio 3 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip sport 443 0xffff \
    classid 1:13 # webmail server
    
  ${TC} filter add dev ${DEV_IFB} parent 1:0 prio 4 protocol ip u32 \
    match ip protocol 0x6 0xff \
    match ip dport 21 0xffff \
    classid 1:14 # ftp-server

This works fine, but traffic for 1:14 (ftp) never gets into 1:14.

Is there a certain rule order in which filters must be written? As far
as I can see I haven't made any mistakes in these filters...

Anyone a hint?

R.

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* RE: [LARTC] traffic not getting into class
From: Shane McKinley @ 2007-12-18 14:38 UTC
  To: lartc

Wouldn't it depend on if you are using passive FTP or not?

http://www.slacksite.com/other/ftp.html 


Shane McKinley
Habersham EMC



* Re: [LARTC] traffic not getting into class
From: Andrei Kovacs @ 2007-12-20 13:00 UTC
  To: lartc

>   ${TC} filter add dev ${DEV_IFB} parent 1:0 prio 4 protocol ip u32 \
>     match ip protocol 0x6 0xff \
>     match ip dport 21 0xffff \
>     classid 1:14 # ftp-server
>
> This works fine, but traffic for 1:14 (ftp) never gets into 1:14.
>
> Is there a certain rule order in which filters must be written? As far
> as I can see I haven't made any mistakes in these filters...
>
> Anyone a hint?
>

Port 21 is used only by the control connection of FTP. Active mode FTP
uses port 20 to do the actual downloading and Passive mode uses random
ports. I think you need to mark packets in iptables using
ip_conntrack_ftp helper to identify ftp packets.
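Added example, not code from the thread: a small Python model of how the kernel's u32 classifier evaluates the poster's selectors, run over constructed IPv4/TCP headers (sample addresses and ports are made up). It shows that only the port-21 control connection lands in 1:14, that active-mode data from port 20 and passive-mode data on random ports fall through to the default 1:15, and that a pure ACK on the control connection is already claimed by the prio 1 ACK filter. Like the poster's `at 33` match, it assumes a 20-byte IP header.

```python
import struct

# Constructed sample traffic (not captured from the poster's box): a bare IPv4
# header with IHL=5 followed by a 20-byte TCP header and an optional payload.
def ipv4_tcp(sport, dport, flags, payload_len=0, proto=6):
    total = 40 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0xffff, 0, 0)
    return ip + tcp + bytes(payload_len)

def u32_match(pkt, width, value, mask, offset):
    """One 'match uN VALUE MASK at OFFSET' selector: mask the field, then compare."""
    size = width // 8
    field = int.from_bytes(pkt[offset:offset + size], "big")
    return (field & mask) == (value & mask)

# The poster's filters, in prio order, as (selectors, classid). tc expands
# 'ip protocol' to u8 at 9 and 'ip sport'/'ip dport' to u16 at 20/22, i.e. it
# assumes a 20-byte IP header exactly as the poster's 'at 33' ACK match does.
FILTERS = [
    ([(8, 6, 0xff, 9), (16, 22, 0xffff, 20)], "1:11"),            # ssh replies
    ([(8, 6, 0xff, 9), (16, 22, 0xffff, 22)], "1:11"),            # ssh requests
    ([(8, 17, 0xff, 9), (16, 123, 0xffff, 20)], "1:11"),          # NTP replies
    ([(8, 6, 0xff, 9), (8, 0x05, 0x0f, 0), (8, 0x10, 0xff, 33),
      (16, 0, 0xffc0, 2)], "1:11"),                               # pure ACKs under 64 bytes
    ([(8, 6, 0xff, 9), (16, 80, 0xffff, 22)], "1:12"),            # webserver
    ([(8, 6, 0xff, 9), (16, 443, 0xffff, 20)], "1:13"),           # webmail server
    ([(8, 6, 0xff, 9), (16, 21, 0xffff, 22)], "1:14"),            # ftp control connection only
]

def classify(pkt, default="1:15"):
    """First filter whose selectors all match wins; otherwise the default class."""
    for selectors, classid in FILTERS:
        if all(u32_match(pkt, *sel) for sel in selectors):
            return classid
    return default

if __name__ == "__main__":
    samples = {
        "ftp control SYN to port 21":         ipv4_tcp(40001, 21, 0x02),
        "pure ACK on the control connection": ipv4_tcp(40001, 21, 0x10),
        "active-mode data from port 20":      ipv4_tcp(20, 40002, 0x18, 1000),
        "passive-mode data, random ports":    ipv4_tcp(50123, 49222, 0x18, 1000),
    }
    for name, pkt in samples.items():
        print(f"{name:36} -> {classify(pkt)}")
```

The data connections carry nothing a stateless u32 match can key on, which is why the conntrack FTP helper plus a firewall mark is the usual way to get them into the right class.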


* Re: [LARTC] traffic not getting into class
From: Gustin Johnson @ 2007-12-23 22:51 UTC
  To: lartc

<snip>
> 
>   ${TC} filter add dev ${DEV_IFB} parent 1:0 prio 4 protocol ip u32 \
>     match ip protocol 0x6 0xff \
>     match ip dport 21 0xffff \
>     classid 1:14 # ftp-server
> 
> This works fine, but traffic for 1:14 (ftp) never gets into 1:14.
> 
> Is there a certain rule order in which filters must be written? As
> far as I can see I haven't made any mistakes in these filters...

FTP is more complicated to filter than ssh.  There is a control
connection and a data connection.

> Anyone a hint?

The following sites give some info on the ftp protocol, though there is
a ton more info if you use google.

http://www.slacksite.com/other/ftp.html
http://www.troubleshootingnetworks.com/ftpinfo.html

As an aside, ftp services really should be replaced with one of the
better alternatives.

