From: trentbuck@gmail.com (Trent W. Buck)
To: netfilter@vger.kernel.org
Subject: Re: How is nftables + IFB
Date: Tue, 24 Sep 2019 11:44:58 +1000
Message-ID: <87wodycvs5.fsf@goll.lan>
In-Reply-To: CALYzA8GZY1cJYsibQDOmA3DuUsV3d=KUdc6z04WgUxu-4Ya0jg@mail.gmail.com
John Mok <a9121431@gmail.com> writes:
> I have been using iptables + IFB (Intermediate Functional Block) for
> traffic shaping. How is the status of nftables + IFB (or its
> successor)?
For egress shaping I suggest you start with a CoDel variant.
https://manpages.debian.org/tc-codel
https://en.wikipedia.org/wiki/CoDel
I guess you are talking about ingress shaping.
I have not done this myself.
Here are some initial guesses.
This looks like a typical example;
you can see most of it happens in tc (not xtables/nftables).
The tc part should still Just Work.
https://wiki.archlinux.org/index.php/Advanced_Traffic_Control#Example_of_ingress_traffic_shaping_with_SNAT
The iptables part is (paraphrasing)
#!/usr/bin/iptables-apply
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
:QOS -
-A FORWARD -o ppp+ -j QOS
-A OUTPUT -o ppp+ -j QOS
-A QOS -j CONNMARK --restore-mark
-A QOS -s 192.168.1.50 -m mark --mark 0 -j MARK --set-mark 3 -m comment --comment "Traffic from Alice's laptop gets more bandwidth"
-A QOS -j CONNMARK --save-mark
COMMIT
You can see all that's really doing is changing the connmark flag for
traffic going from 192.168.1.50 to the internet.
https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables#connmark
Piping the previous code block into iptables-restore-translate, we see
# Translated by iptables-restore-translate v1.8.3 on Tue Sep 24 11:41:35 2019
add table ip mangle
add chain ip mangle PREROUTING { type filter hook prerouting priority -150; policy accept; }
add chain ip mangle INPUT { type filter hook input priority -150; policy accept; }
add chain ip mangle FORWARD { type filter hook forward priority -150; policy accept; }
add chain ip mangle OUTPUT { type route hook output priority -150; policy accept; }
add chain ip mangle POSTROUTING { type filter hook postrouting priority -150; policy accept; }
add chain ip mangle QOS
add rule ip mangle FORWARD oifname "ppp*" counter jump QOS
add rule ip mangle OUTPUT oifname "ppp*" counter jump QOS
add rule ip mangle QOS counter meta mark set ct mark
add rule ip mangle QOS ip saddr 192.168.1.50 mark 0x0 counter meta mark set 0x3 comment "Traffic from Alice's laptop gets more bandwidth"
add rule ip mangle QOS counter ct mark set mark
# Completed on Tue Sep 24 11:41:35 2019
The translations for "--restore-mark" and "--set-mark" hurt my brain,
but it looks to me like everything should Just Work.
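Added example, not part of this thread or the Arch wiki page: a native nft ruleset for the same connmark restore/mark/save pattern, plus the tc side that makes the saved mark usable on the IFB device for ingress (download) shaping. The WAN interface ppp0, the ifb0 device, the HTB rates and the 192.168.1.50 host are assumptions.

```shell
# Constructed example. Native nft equivalent of the posted mangle/QOS rules:
# copy the connection mark onto the packet, mark otherwise-unmarked traffic
# from Alice's laptop with 3, then write the packet mark back to the connection.
set -eu
qos_nft_ruleset() {
    cat <<'EOF'
table inet qos {
    chain forward {
        type filter hook forward priority mangle; policy accept;
        oifname "ppp*" jump qos
    }
    chain output {
        type route hook output priority mangle; policy accept;
        oifname "ppp*" jump qos
    }
    chain qos {
        meta mark set ct mark
        ip saddr 192.168.1.50 meta mark 0 meta mark set 0x3 comment "Traffic from Alice's laptop gets more bandwidth"
        ct mark set meta mark
    }
}
EOF
}
# tc side for ingress shaping. The ingress qdisc runs before netfilter, so
# packets arriving on $wan are run through act_connmark (copies the saved
# connmark onto the skb) and redirected to $ifb, where an HTB tree and an
# fw filter send mark 3 to the faster class. Rates are placeholders.
ifb_shaper_commands() {
    wan=$1 ifb=$2 rate=$3
    printf '%s\n' \
      "ip link add $ifb type ifb" \
      "ip link set $ifb up" \
      "tc qdisc add dev $ifb root handle 1: htb default 20" \
      "tc class add dev $ifb parent 1: classid 1:1 htb rate $rate" \
      "tc class add dev $ifb parent 1:1 classid 1:20 htb rate 1mbit ceil $rate prio 2" \
      "tc class add dev $ifb parent 1:1 classid 1:30 htb rate 1mbit ceil $rate prio 1" \
      "tc qdisc add dev $ifb parent 1:20 fq_codel" \
      "tc qdisc add dev $ifb parent 1:30 fq_codel" \
      "tc filter add dev $ifb parent 1: protocol ip handle 3 fw flowid 1:30" \
      "tc qdisc add dev $wan handle ffff: ingress" \
      "tc filter add dev $wan parent ffff: protocol ip u32 match u32 0 0 action connmark action mirred egress redirect dev $ifb"
}
# Apply both halves (needs root, nft and iproute2); DRY_RUN=1 only prints them.
apply_shaping() {
    if [ "${DRY_RUN:-0}" = 1 ]; then qos_nft_ruleset; ifb_shaper_commands "$@"; return; fi
    qos_nft_ruleset | nft -f -
    ifb_shaper_commands "$@" | sh -e
}
```

Run as `DRY_RUN=1 apply_shaping ppp0 ifb0 20mbit` to review the generated ruleset and tc commands before applying them on a router.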
Thread overview:
2019-09-23 11:08 How is nftables + IFB John Mok
2019-09-24 1:44 ` Trent W. Buck [this message]
2019-09-25 14:37 ` Anton Danilov
2019-09-26 10:06 ` Mikhail Morfikov