From: bert hubert <ahu@ds9a.nl>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] How to MARK NATtted packets coming from external interface to an internal host ?
Date: Sun, 16 Dec 2001 13:52:13 +0000	[thread overview]
Message-ID: <marc-lartc-100851082029705@msgid-missing> (raw)
In-Reply-To: <marc-lartc-100824638812421@msgid-missing>

On Thu, Dec 13, 2001 at 02:42:59PM -0200, Claudio L. Salvadori wrote:

> I have considered using 'tc filter' with the u32 classifier
> but I couldn't find a way to differentiate between traffic coming
> from the Internet (source ip = any) from traffic originating
> in the gateway (source ip = ip of eth0). I need this because
> I would like to shape only traffic coming from the Internet.
> Internal clients should be able to download data from the gateway 
> without any bandwidth restriction.

That basically means that you should use iptables. My own version of
iptables can do this:

# iptables -t mangle -A OUTPUT -d 1.2.3.4 -j PRIO --classid 10:2

To match only locally generated packets. Change OUTPUT to PREROUTING to
process all non-local packets. 

I'm trying to push this into the kernel, but it will take a while.

> If at least there was a NOT (! like in iptables) operator
> in the match syntax I could assume that traffic not coming from the 
> source ip of eth0 is coming from the Internet. Something like this:
> 
> tc filter add dev eth0 parent 10:1\
>                         protocol ip\
>                         prio 1\
>                         u32\
>   NOT operator -->      match ip src ! (eth0 IP)\
>                         match ip dst (client IP)\
>                         classid 10:2
> 
> Any ideas on how to differentiate these two kinds of traffic
> using 'tc filter' ?

Yes, make two rules. One that first exempts anything from your eth0 IP. Give
it prio 0, and the next rule prio 1, which will never see packets from your
local IP.

Regards,

bert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
Trilab                                 The Technology People
Netherlabs BV / Rent-a-Nerd.nl           - Nerd Available -
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/
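The two-filter ordering Bert describes, written out as an added example (not code from the thread). It assumes eth0 is the gateway's internal interface with the constructed address 192.168.1.1, that the root qdisc has handle 10: with class 10:1 unrestricted and 10:2 shaped (the classes from the original post), and that 192.168.1.50 is the internal client; prio 1 and prio 2 are used here because the lower value is evaluated first.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Filters are walked in ascending prio; the first u32 filter that matches
# and yields a flowid ends classification. So an exemption for packets
# sourced from the gateway's own address at prio 1 means the shaping
# filter at prio 2 only ever sees traffic that came from elsewhere
# (i.e. forwarded from the Internet), which is what the poster wanted.
#
# Assumed values (constructed): DEV, GW_IP, CLIENT_IP below.
# TC defaults to "echo" so the script prints the commands; run as root
# with TC=tc to actually install the filters.
DEV="${DEV:-eth0}"
GW_IP="${GW_IP:-192.168.1.1}"
CLIENT_IP="${CLIENT_IP:-192.168.1.50}"
TC="${TC:-echo}"

add_filters() {
    # prio 1: anything the gateway itself sends to the LAN goes to the
    # unrestricted class 10:1 and is never examined by later filters.
    $TC filter add dev "$DEV" parent 10: protocol ip prio 1 u32 \
        match ip src "$GW_IP"/32 \
        flowid 10:1
    # prio 2: everything else bound for the client is shaped in 10:2.
    # Packets from GW_IP cannot reach this rule, so no NOT operator is needed.
    $TC filter add dev "$DEV" parent 10: protocol ip prio 2 u32 \
        match ip dst "$CLIENT_IP"/32 \
        flowid 10:2
}

# Confirm the installed order (only meaningful with TC=tc):
# lower pref values are listed and evaluated first.
show_filters() {
    $TC filter show dev "$DEV" parent 10:
}

add_filters
```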

Thread overview: 4+ messages
2001-12-13 12:27 [LARTC] How to MARK NATtted packets coming from external interface to an internal host ? Claudio L. Salvadori
2001-12-13 13:39 ` bert hubert
2001-12-13 16:42 ` Claudio L. Salvadori
2001-12-16 13:52 ` bert hubert [this message]
