* How is nftables + IFB
@ 2019-09-23 11:08 John Mok
  2019-09-24  1:44 ` Trent W. Buck
  2019-09-25 14:37 ` Anton Danilov
  0 siblings, 2 replies; 4+ messages in thread
From: John Mok @ 2019-09-23 11:08 UTC (permalink / raw)
  To: netfilter

Hi all,

I have been using iptables + IFB (Intermediate Functional Block) for
traffic shaping. How is the status of nftables + IFB (or its
successor)?

Thanks a lot.

John Mok


* Re: How is nftables + IFB
From: Trent W. Buck @ 2019-09-24  1:44 UTC (permalink / raw)
  To: netfilter

John Mok <a9121431@gmail.com> writes:

> I have been using iptables + IFB (Intermediate Functional Block) for
> traffic shaping. How is the status of nftables + IFB (or its
> successor)?

For egress shaping I suggest you start with a CoDel variant.

    https://manpages.debian.org/tc-codel
    https://en.wikipedia.org/wiki/CoDel

I guess you are talking about ingress shaping.
I have not done this myself.
Here are some initial guesses.

This looks like a typical example;
you can see most of it happens in tc (not xtables/nftables).
The tc part should still Just Work.

    https://wiki.archlinux.org/index.php/Advanced_Traffic_Control#Example_of_ingress_traffic_shaping_with_SNAT

The iptables part is (paraphrasing)

    #!/usr/bin/iptables-apply
    *mangle
    :PREROUTING  ACCEPT
    :INPUT       ACCEPT
    :FORWARD     ACCEPT
    :OUTPUT      ACCEPT
    :POSTROUTING ACCEPT
    :QOS         -
    -A FORWARD -o ppp+ -j QOS
    -A OUTPUT  -o ppp+ -j QOS
    -A QOS -j CONNMARK --restore-mark
    -A QOS -s 192.168.1.50 -m mark --mark 0 -j MARK --set-mark 3 -m comment --comment "Traffic from Alice's laptop gets more bandwidth"
    -A QOS -j CONNMARK --save-mark

You can see all that's really doing is changing the connmark flag for
traffic going from 192.168.1.50 to the internet.

    https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables#connmark

Piping the previous code block into iptables-restore-translate, we see

    # Translated by iptables-restore-translate v1.8.3 on Tue Sep 24 11:41:35 2019
    add table ip mangle
    add chain ip mangle PREROUTING { type filter hook prerouting priority -150; policy accept; }
    add chain ip mangle INPUT { type filter hook input priority -150; policy accept; }
    add chain ip mangle FORWARD { type filter hook forward priority -150; policy accept; }
    add chain ip mangle OUTPUT { type route hook output priority -150; policy accept; }
    add chain ip mangle POSTROUTING { type filter hook postrouting priority -150; policy accept; }
    add chain ip mangle QOS
    add rule ip mangle FORWARD oifname "ppp*" counter jump QOS
    add rule ip mangle OUTPUT oifname "ppp*" counter jump QOS
    add rule ip mangle QOS counter meta mark set ct mark
    add rule ip mangle QOS ip saddr 192.168.1.50 mark 0x0 counter meta mark set 0x3  comment "Traffic from Alice's laptop gets more bandwidth"
    add rule ip mangle QOS counter ct mark set mark
    # Completed on Tue Sep 24 11:41:35 2019

The translations for "--restore-mark" and "--set-mark" hurt my brain,
but it looks to me like everything should Just Work.
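
A small model of what the three QOS rules do to the packet mark and the connection mark, added here as an illustration; it is not code from this thread or from netfilter. The flow names, the address 192.168.1.60 and the preset mark 5 are constructed sample values, and the flow key is a hypothetical stand-in for the conntrack tuple.

```python
# Simplified model of the QOS chain above (constructed example, not kernel code).
from dataclasses import dataclass

ALICE = "192.168.1.50"

@dataclass
class Packet:
    conn: str        # flow id, hypothetical stand-in for the conntrack tuple
    saddr: str
    oifname: str
    mark: int = 0    # packet mark: per packet, 0 on every new packet

def qos_chain(pkt, ct_marks):
    """Apply the three QOS rules; ct_marks maps flow id -> connection mark."""
    # -j CONNMARK --restore-mark   ==   meta mark set ct mark
    pkt.mark = ct_marks.get(pkt.conn, 0)
    # -s 192.168.1.50 -m mark --mark 0 -j MARK --set-mark 3
    # The "mark 0" guard means a mark already stored on the flow is kept.
    if pkt.saddr == ALICE and pkt.mark == 0:
        pkt.mark = 3
    # -j CONNMARK --save-mark   ==   ct mark set mark
    ct_marks[pkt.conn] = pkt.mark
    return pkt.mark

def traverse(pkt, ct_marks):
    """FORWARD and OUTPUT jump to QOS only for packets leaving via ppp*."""
    if pkt.oifname.startswith("ppp"):
        return qos_chain(pkt, ct_marks)
    return pkt.mark

def run_sample():
    # Constructed state: one flow already carries ct mark 5 from elsewhere.
    ct = {"alice-pre": 5}
    seen = {
        "first": traverse(Packet("alice-1", ALICE, "ppp0"), ct),
        "second": traverse(Packet("alice-1", ALICE, "ppp0"), ct),
        "bob": traverse(Packet("bob-1", "192.168.1.60", "ppp0"), ct),
        "preset": traverse(Packet("alice-pre", ALICE, "ppp0"), ct),
        "lan": traverse(Packet("alice-lan", ALICE, "eth0"), ct),
    }
    return seen, ct

if __name__ == "__main__":
    marks, table = run_sample()
    print(marks)
    print(table)
```
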



* Re: How is nftables + IFB
From: Anton Danilov @ 2019-09-25 14:37 UTC (permalink / raw)
  To: John Mok; +Cc: netfilter

Hi.
How exactly do you use the iptables + IFB for traffic shaping?

On Wed, 25 Sep 2019 at 13:29, John Mok <a9121431@gmail.com> wrote:
>
> Hi all,
>
> I have been using iptables + IFB (Intermediate Functional Block) for
> traffic shaping. How is the status of nftables + IFB (or its
> successor)?
>
> Thanks a lot.
>
> John Mok



-- 
Anton Danilov.


* Re: How is nftables + IFB
From: Mikhail Morfikov @ 2019-09-26 10:06 UTC (permalink / raw)
  To: Anton Danilov; +Cc: netfilter



On 25/09/2019 16:37, Anton Danilov wrote:
> Hi.
> How exactly do you use the iptables + IFB for traffic shaping?

I was using iptables + tc. I once described two working examples of
traffic shaping:
iptables + ifb[1]
iptables + imq[2]

The IMQ example needs a patched kernel, but it works way better
than the IFB one, especially in the case of ingress traffic. The
articles are in Polish, but you can look through the commands that were
used to get some basic idea of how the mechanism works.



[1]: https://morfikov.github.io/post/konfiguracja-interfejsow-ifb-w-linuxie/
[2]: https://morfikov.github.io/post/konfiguracja-interfejsow-imq-w-linuxie/

