* HTB and src/dst filters
@ 2015-02-28 19:01 Alex Regan
From: Alex Regan @ 2015-02-28 19:01 UTC (permalink / raw)
To: lartc
Hi,
I posted a message a few days ago and haven't received any responses, so
thought I would try and simplify my post and ask a few more specific
questions.
I'm using tc on Fedora 20 and can't figure out why I can't get it to
filter ssh traffic originating from the backup server to port 22 on the
mail server.
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb default 20
tc class add dev eth0 parent 1: classid 1:1 htb rate 1000mbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 900mbit ceil 1000mbit burst 15k prio 1
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 2mbit ceil 3mbit burst 15k prio 1
tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip src \
    1.2.3.4/32 match ip dport 22 0xffff flowid 1:10
I'm expecting ssh traffic from 1.2.3.4 to be filtered through 1:10 while
everything else is sent through 1:20.
I'm aware of how to display the traffic counts with 'tc ls' but is there
a way to monitor the actual packets on a specific filter?
Can I assume that if I have two filters set up that the traffic is going
through either one or the other?
I was also confused by some of the examples that used port 80 (or 22 in
my case) as the SOURCE port:
On source/destination port, all IP protocols
Source: 'match ip sport 80 0xffff', destination: 'match ip dport 80
0xffff'
How would you ever have port 80 as a SOURCE? Any connection to a web
server is going to use an unprivileged high port to DESTINATION port 80,
correct?
Thanks,
Alex
* Re: HTB and src/dst filters
@ 2015-03-02 15:39 Mike Schmidt
From: Mike Schmidt @ 2015-03-02 15:39 UTC (permalink / raw)
To: lartc
Where is 1.2.3.4 wrt eth0? Remember that you are managing egress
traffic (traffic going out via eth0) and not ingress traffic. If your
ssh server is on eth0, you are on the wrong end. For ingress traffic
you need to either use policing or intermediate devices (like ifb or
imq). (See section 8.1 of
http://tldp.org/HOWTO/Traffic-Control-HOWTO/rules.html.)
On Sat, Feb 28, 2015 at 2:01 PM, Alex Regan <mysqlstudent@gmail.com> wrote:
> Hi,
> I posted a message a few days ago and haven't received any responses, so
> thought I would try and simplify my post and ask a few more specific
> questions.
>
> I'm using tc on Fedora 20 and can't figure out why I can't get it to filter
> ssh traffic originating from the backup server to port 22 on the mail
> server.
>
> tc qdisc del dev eth0 root
> tc qdisc add dev eth0 root handle 1: htb default 20
> tc class add dev eth0 parent 1: classid 1:1 htb rate 1000mbit burst 15k
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 900mbit ceil 1000mbit burst 15k prio 1
> tc class add dev eth0 parent 1:1 classid 1:20 htb rate 2mbit ceil 3mbit burst 15k prio 1
> tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
> tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip src \
> 1.2.3.4/32 match ip dport 22 0xffff flowid 1:10
>
> I'm expecting ssh traffic from 1.2.3.4 to be filtered through 1:10 while
> everything else is sent through 1:20.
>
> I'm aware of how to display the traffic counts with 'tc ls' but is there a
> way to monitor the actual packets on a specific filter?
>
> Can I assume that if I have two filters set up that the traffic is going
> through either one or the other?
>
> I was also confused by some of the examples that used port 80 (or 22 in my
> case) as the SOURCE port:
>
> On source/destination port, all IP protocols
> Source: 'match ip sport 80 0xffff', destination: 'match ip dport 80
> 0xffff'
>
> How would you ever have port 80 as a SOURCE? Any connection to a web server
> is going to use an unprivileged high port to DESTINATION port 80, correct?
>
> Thanks,
> Alex
--
Mike SCHMIDT
CTO
Intello Technologies Inc.
mike.schmidt@intello.com
Canada: 1-888-404-6261 x320
USA: 1-888-404-6268 x320
Mobile: 514-409-6898
www.intello.com
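Added example for this thread, not code from either poster. It takes the HTB tree from the first post and applies Mike's point about direction: read on the mail server, a filter for src 1.2.3.4 / dport 22 describes packets that arrive on eth0, which a root qdisc never sees, so that filter goes on an ifb device fed by an ingress redirect, and the mirror image (dst 1.2.3.4 / sport 22, the server's own replies, which is where a server-side "sport 22" match comes from) goes on eth0. It also answers the monitoring question with an awk helper that reads the per-class packet counter out of `tc -s class show` output. The names eth0, ifb0 and 1.2.3.4 are the thread's placeholders; `ifb0` being free and the ifb module being available are assumptions. Run as root to apply, or with `plan` to print the commands instead.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster. Assumes the
# thread's names: eth0 is the interface the mail server shapes on, 1.2.3.4
# is the backup server, ifb0 is a free ifb device (assumption). Run as root
# with 'apply'; 'plan' prints the commands instead of applying them.
set -eu

TC="${TC:-tc}"
IP="${IP:-ip}"
DEV="${DEV:-eth0}"
IFB="${IFB:-ifb0}"
BACKUP="${BACKUP:-1.2.3.4}"

# The HTB tree from the first post, built on whichever device is passed in.
# Filters are tried in prio order and the first match wins; anything that
# matches no filter lands in the 'default 20' class.
htb_tree() {
    dev="$1"
    $TC qdisc del dev "$dev" root 2>/dev/null || true
    $TC qdisc add dev "$dev" root handle 1: htb default 20
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate 1000mbit burst 15k
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate 900mbit ceil 1000mbit burst 15k prio 1
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate 2mbit ceil 3mbit burst 15k prio 1
    $TC qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    $TC qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10
}

# Egress on eth0 is what the mail server *sends*: the replies of the ssh
# session, which carry source port 22 and go to the backup host.
# 'match ip protocol 6 0xff' pins the match to TCP, because 'match ip sport'
# only reads bytes 20-21 of the packet and does not know the protocol.
setup_egress() {
    htb_tree "$DEV"
    $TC filter add dev "$DEV" protocol ip parent 1: prio 1 u32 \
        match ip protocol 6 0xff \
        match ip dst "$BACKUP"/32 match ip sport 22 0xffff flowid 1:10
}

# Ingress on eth0 is what arrives from the backup host (src 1.2.3.4,
# dport 22). A root qdisc never sees it, so redirect it through ifb0 and
# hang the same tree, with the thread's original filter, on the ifb.
setup_ingress() {
    $IP link add "$IFB" type ifb 2>/dev/null || true
    $IP link set "$IFB" up
    $TC qdisc del dev "$DEV" ingress 2>/dev/null || true
    $TC qdisc add dev "$DEV" handle ffff: ingress
    $TC filter add dev "$DEV" parent ffff: protocol ip u32 match u32 0 0 \
        action mirred egress redirect dev "$IFB"
    htb_tree "$IFB"
    $TC filter add dev "$IFB" protocol ip parent 1: prio 1 u32 \
        match ip protocol 6 0xff \
        match ip src "$BACKUP"/32 match ip dport 22 0xffff flowid 1:10
}

# Read 'tc -s class show dev DEV' output on stdin and print the packet
# count of the class whose id is $1 (e.g. 1:10). Prints nothing if the
# class is not in the output.
class_packets() {
    awk -v want="$1" '
        $1 == "class" && $3 == want { grab = 1; next }
        grab && $1 == "Sent"        { print $4; exit }
    '
}

# Per-class counters are always there. Per-filter hit counters
# ('rule hit N success M') only appear in 'tc -s filter show' on kernels
# built with CONFIG_CLS_U32_PERF.
show_stats() {
    for d in "$DEV" "$IFB"; do
        $TC -s class show dev "$d"
        $TC -s filter show dev "$d"
    done
}

case "${1:-}" in
    apply) setup_egress; setup_ingress ;;
    plan)  TC="echo tc"; IP="echo ip"; setup_egress; setup_ingress ;;
    stats) show_stats ;;
    *)     echo "usage: $0 apply|plan|stats" >&2 ;;
esac
```

To check which class a given session is taking, run `./htb-ssh.sh stats` (or `tc -s class show dev eth0 | ./htb-ssh.sh`-style piping into `class_packets 1:10`) before and after a transfer and compare the packet counters of 1:10 and 1:20; a counter that only moves on 1:20 while the ssh session is busy means the filter is on the wrong device or direction.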