From mboxrd@z Thu Jan 1 00:00:00 1970 From: GGounot Date: Thu, 25 Sep 2014 20:14:37 +0000 Subject: Re: Ingress filtering Message-Id: <542477AD.1080800@laposte.net> List-Id: References: <20140925121920.5bd32939@lobo.lobo.dom> In-Reply-To: <20140925121920.5bd32939@lobo.lobo.dom> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit To: lartc@vger.kernel.org Le 25/09/2014 21:32, Andrew Beverley a écrit : > On Thu, 2014-09-25 at 18:44 +0200, GGounot wrote: >> Le 25/09/2014 12:19, marco@nucleus.it a écrit : >>> Hi to all, >>> i read some stuff about ingress filtering with ifb module. >>> >>> According to someone it is impossible but for someone not. >>> >>> possible: >>> https://wiki.archlinux.org/index.php/Advanced_traffic_control >>> >>> no possible: >>> http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg15545.html >>> http://www.spinics.net/lists/netfilter/msg53729.html >>> http://www.spinics.net/lists/lartc/msg22358.html >>> >>> It is possible to use connection mark (ctmark) or packet mark (nfmark) >>> with the tc filter on ifb or the only possibility is with the patch >>> provided by these links ? >>> https://aur.archlinux.org/packages/act_connmark/ >>> https://aur.archlinux.org/packages/iproute2-connmark/ >>> >>> or im missing something ? >>> >>> Thanks >>> -- >>> To unsubscribe from this list: send the line "unsubscribe lartc" in >>> the body of a message to majordomo@vger.kernel.org >>> More majordomo info at http://vger.kernel.org/majordomo-info.html >>> >> Hi Marco. >> >> Ingress shaping is possible : >> >> #!/bin/bash >> ## Paths and definitions >> tc=/sbin/tc >> EHT=eth0 # Change for your device! >> IFB=ifb0 # Use a unique ifb per rate limiter! >> modprobe ifb >> modprobe act_mirred >> # Clear old queuing disciplines (qdisc) on the interfaces >> $tc qdisc del dev $EHT root 2>/dev/null >> $tc qdisc del dev $EHT ingress 2>/dev/null >> $tc qdisc del dev $IFB root 2>/dev/null >> $tc qdisc del dev $IFB ingress 2>/dev/null >> # Create ingress on external interface >> $tc qdisc add dev $EHT handle ffff: ingress >> ifconfig $IFB up # if the interace is not up bad things happen >> # Forward all ingress traffic to the IFB device >> $tc filter add dev $EHT parent ffff: protocol all u32 match u32 0 0 >> action mirred egress redirect dev $IFB >> # (Example !) Create an EGRESS filter on the IFB device >> $tc qdisc add dev $IFB root handle 1: htb default 0 >> $tc class add dev $ETH parent 1:0 classid 1:1 htb rate 1000kbps ceil >> 1000kbps prio 0 >> $tc class add dev $ETH parent 1:1 classid 1:300 htb rate 300kbps ceil >> 300kbps prio 0 >> $tc qdisc add dev $ETH parent 1:300 handle 300: sfq perturb 10 >> $tc filter add dev $ETH parent 1:0 prio 0 protocol ip handle 300 fw >> flowid 1:300 >> >> iptables -t mangle -I FORWARD -i eth0 -j MARK --set-mark 300 >> >> (not tested) > Again, not tested, but I don't think that will work. The marks get added > after the traffic has been through the IFB device. You're right, iptables cannot be used on ingress traffic, sorry for this mistake. You must use tc's internal filters. http://lartc.org/howto/lartc.qdisc.filters.html > > I'm a long time out of the loop on this, but IIRC, you can ineed do > ingress shaping using the IFB device, but you won't have the full range > of netfilter functionality such as packet marking. The IFB device sits > before the entire netfilter stack. > > You can't attach an IFB device any later in the traffic flow, but you > could look at IMQ, which allow you to hook into other areas. It's not > part of the vanilla kernel though. > > Andy > > >