From: Bob Miller
Date: Mon, 02 Mar 2015 20:10:00 +0000
Subject: HTB, IPSec, fw mark
Message-Id: <54F4C398.7080409@computerisms.ca>
To: lartc@vger.kernel.org

Hello,

I read a few posts saying that it is possible to mark a packet with iptables and then shape it as it leaves on an IPsec tunnel. So far I am having limited success with the idea.

I am using libreswan with netkey. I tried marking the packets in mangle/PREROUTING, but I had zero joy with that; I suspect that when the kernel does its netkey magic the mark is lost. I tried marking at a number of other spots in the netfilter packet flow, but I only got results at mangle/POSTROUTING. Even there it doesn't seem to grab all the packets.

I have 6 remote users on the VPN. I give each of them a mark based on the IP address they get, and I mark all non-VPN packets with a 7th mark. I set up 7 classes to match each mark. I can see with `watch -n 1 -d tc -s class show dev eth0` that some packets do go through each class, but it is only a very small percentage of them (after watching it for a while now I suspect it is the initial SYN packets). The rest all go into the 7th non-VPN class, even though I can log the packets marked to go to one of the VPN users.

So I am wondering if I have missed a piece of the theory, or if what I am trying to accomplish just isn't possible. Perhaps it would be better to set up a class based on src/dst port 500, but I would like to guarantee each VPN user a fair share of the limited bandwidth (which I think pretty much requires a separate class for each user), and I am not sure how that can be accomplished with dynamic remote addresses.

Comments or suggestions would be highly appreciated...

--
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
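The HTB tree the post describes (one class per VPN user selected by fw mark, plus a catch-all class for everything else), written out as an added example that is not the poster's own configuration. It assumes eth0 as the outbound interface, a constructed 10000 kbit uplink, a constructed mark-to-address map for three users instead of six, and marking in mangle/POSTROUTING as the post reports. It generalizes to any number of users: the equal share is computed from the number of entries, and DRY_RUN=1 prints the tc/iptables commands so the tree can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the original post: build an HTB tree with one class
# per VPN user, selected by fw mark, plus a catch-all class for non-VPN traffic.
# Constructed assumptions: eth0 is the outbound interface, 10000 kbit uplink,
# marks 1..N for the users and N+1 for everything else. Class ids are offset
# by 10 so they never collide with the root class 1:1.
# DRY_RUN=1 prints the commands instead of executing them.

DEV="${DEV:-eth0}"
TOTAL_KBIT="${TOTAL_KBIT:-10000}"
# Constructed sample "mark:address" map for three VPN users; in practice the
# addresses are whatever the VPN hands out to each user.
USERS="${USERS:-1:10.10.0.11 2:10.10.0.12 3:10.10.0.13}"

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

count_users() {
  n=0
  for u in $USERS; do n=$((n + 1)); done
  echo "$n"
}

# Equal guaranteed share for every user class and the catch-all class.
per_class_kbit() {
  n=$(count_users)
  echo $(( TOTAL_KBIT / (n + 1) ))
}

# Class id used for a given mark (offset to avoid the root class 1:1).
class_for_mark() {
  echo $(( 10 + $1 ))
}

build_shaping() {
  n=$(count_users)
  rate=$(per_class_kbit)
  catchall=$(class_for_mark $((n + 1)))

  run tc qdisc del dev "$DEV" root || true
  # Packets with no matching mark fall into the catch-all class.
  run tc qdisc add dev "$DEV" root handle 1: htb default "$catchall"
  run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${TOTAL_KBIT}kbit"

  for entry in $USERS; do
    mark="${entry%%:*}"
    addr="${entry#*:}"
    cls=$(class_for_mark "$mark")
    # Guaranteed rate per user; may borrow up to the full link when idle.
    run tc class add dev "$DEV" parent 1:1 classid "1:$cls" htb \
        rate "${rate}kbit" ceil "${TOTAL_KBIT}kbit"
    # fw filter: packets carrying this mark go to the user's class.
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 \
        handle "$mark" fw classid "1:$cls"
    # Mark traffic for this user in mangle/POSTROUTING, the hook the post
    # found to work with netkey.
    run iptables -t mangle -A POSTROUTING -o "$DEV" -d "$addr" \
        -j MARK --set-mark "$mark"
  done

  # Catch-all class for non-VPN traffic (the post's 7th class).
  run tc class add dev "$DEV" parent 1:1 classid "1:$catchall" htb \
      rate "${rate}kbit" ceil "${TOTAL_KBIT}kbit"
}
```

Run it as `DRY_RUN=1 sh shape.sh` (after adding a call to build_shaping at the bottom) to inspect the generated tree, then `tc -s class show dev eth0` shows per-class counters, which is the same check the post uses to see which class traffic actually lands in.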