Re: Ingress filtering

[GGounot <g.gounot@laposte.net>]

Le 25/09/2014 21:32, Andrew Beverley a écrit :
> On Thu, 2014-09-25 at 18:44 +0200, GGounot wrote:
>> Le 25/09/2014 12:19, marco@nucleus.it a écrit :
>>> Hi to all,
>>> i read some stuff about ingress filtering with ifb module.
>>>
>>> According to someone it is impossible but for someone not.
>>>
>>> possible:
>>>    https://wiki.archlinux.org/index.php/Advanced_traffic_control
>>>
>>> no possible:
>>>    http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg15545.html
>>>    http://www.spinics.net/lists/netfilter/msg53729.html
>>>    http://www.spinics.net/lists/lartc/msg22358.html
>>>
>>> It is  possible to use connection mark (ctmark) or packet mark (nfmark)
>>> with the tc filter on ifb or the only possibility is with the patch
>>> provided by these links ?
>>> https://aur.archlinux.org/packages/act_connmark/
>>> https://aur.archlinux.org/packages/iproute2-connmark/
>>>
>>> or im missing something ?
>>>
>>> Thanks
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe lartc" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>> Hi Marco.
>>
>> Ingress shaping is possible :
>>
>> #!/bin/bash
>> ## Paths and definitions
>> tc=/sbin/tc
>> EHT=eth0        # Change for your device!
>> IFB=ifb0    # Use a unique ifb per rate limiter!
>> modprobe ifb
>> modprobe act_mirred
>> # Clear old queuing disciplines (qdisc) on the interfaces
>> $tc qdisc del dev $EHT root 2>/dev/null
>> $tc qdisc del dev $EHT ingress 2>/dev/null
>> $tc qdisc del dev $IFB root 2>/dev/null
>> $tc qdisc del dev $IFB ingress 2>/dev/null
>> # Create ingress on external interface
>> $tc qdisc add dev $EHT handle ffff: ingress
>> ifconfig $IFB up # if the interace is not up bad things happen
>> # Forward all ingress traffic to the IFB device
>> $tc filter add dev $EHT parent ffff: protocol all u32 match u32 0 0
>> action mirred egress redirect dev $IFB
>> # (Example !) Create an EGRESS filter on the IFB device
>> $tc qdisc add dev $IFB root handle 1: htb default 0
>> $tc class add dev $ETH parent 1:0 classid 1:1 htb rate 1000kbps ceil
>> 1000kbps prio 0
>> $tc class add dev $ETH parent 1:1 classid 1:300 htb rate 300kbps ceil
>> 300kbps prio 0
>> $tc qdisc add dev $ETH parent 1:300 handle 300: sfq perturb 10
>> $tc filter add dev $ETH parent 1:0 prio 0 protocol ip handle 300 fw
>> flowid 1:300
>>
>> iptables -t mangle -I FORWARD -i eth0 -j MARK --set-mark 300
>>
>> (not tested)
> Again, not tested, but I don't think that will work. The marks get added
> after the traffic has been through the IFB device.

You're right, iptables cannot be used on ingress traffic, sorry for this 
mistake.

You must use tc's internal filters.
http://lartc.org/howto/lartc.qdisc.filters.html

>
> I'm a long time out of the loop on this, but IIRC, you can ineed do
> ingress shaping using the IFB device, but you won't have the full range
> of netfilter functionality such as packet marking. The IFB device sits
> before the entire netfilter stack.
>
> You can't attach an IFB device any later in the traffic flow, but you
> could look at IMQ, which allow you to hook into other areas. It's not
> part of the vanilla kernel though.
>
> Andy
>
>
>