From: Martin Josefsson
Date: Sat, 19 Jan 2002 20:13:31 +0000
Subject: Re: [LARTC] newbie question - how to downgrade ftp-data traffic
To: lartc@vger.kernel.org

On Fri, 18 Jan 2002, Troy Rockwood wrote:

[snip]

> Actually, I checked it with tcpdump (ethereal) and nobody was using
> passive mode. I'm fine if some people that use ftp accidentally get
> higher priority (by using passive), it's just when the ftp traffic
> drowns out everything else that the problem is. At present that means
> ftp-data (port 20) traffic. Thanks for the reply though I may have to
> be more clever in the future if passive is used predominantly.

There is a new match in iptables that you could use. It is a match that's
capable of matching which conntrack helper a related connection belongs to.
So if you load ip_conntrack_ftp then you can do something like this:

    iptables -A FORWARD -m helper --helper ftp -j MARK --set-mark 2

Then all packets belonging to ftp connections (both the packets in the
ftp-command connection and all packets in the related data connections)
will have a fwmark of 2. This works for both passive and active ftp.

You'll find this helper match in the iptables patch-o-matic (either from
cvs or download iptables 1.2.5).

/Martin

Never argue with an idiot. They drag you down to their level, then beat
you with experience.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://ds9a.nl/lartc/
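An added example (not part of Martin's post or the iptables/LARTC projects) that carries the helper-match idea through to the tc side: the fwmark set by the rule is handed to a low-priority HTB class, which is what "downgrading" ftp-data traffic needs. Device name, rates, the mark value 2 and the use of the mangle PREROUTING chain are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: mark every packet of an ftp session with the helper
# match, then classify fwmark 2 into a low-priority HTB class with tc.
# DEV, the rates and the mark value are assumptions for illustration.
DEV="${DEV:-eth0}"
LINK="${LINK:-2mbit}"      # assumed total rate of $DEV
OTHER_RATE="${OTHER_RATE:-1500kbit}"   # guaranteed to everything else
FTP_RATE="${FTP_RATE:-500kbit}"        # guaranteed to ftp traffic
FTP_MARK=2                 # fwmark the helper-match rule sets

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Every packet that conntrack ties to the ftp helper (control connection
# plus active or passive data connections) gets fwmark $FTP_MARK.
# The MARK target only exists in the mangle table.
mark_ftp_traffic() {
    run modprobe ip_conntrack_ftp      # module name as on a 2.4 kernel
    run iptables -t mangle -A PREROUTING -m helper --helper ftp \
        -j MARK --set-mark "$FTP_MARK"
}

# Two HTB leaves under one parent: 1:10 (default, prio 0) for everything
# else, 1:20 (prio 1) for marked ftp traffic.  Both may borrow up to
# $LINK, so ftp still gets the whole link when nothing else is waiting.
shape_ftp_traffic() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 10
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK"
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb \
        rate "$OTHER_RATE" ceil "$LINK" prio 0
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb \
        rate "$FTP_RATE" ceil "$LINK" prio 1
    # fw classifier: packets carrying fwmark $FTP_MARK go to class 1:20
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 \
        handle "$FTP_MARK" fw flowid 1:20
}

ftp_shaping() {
    mark_ftp_traffic
    shape_ftp_traffic
}

# Only touch the kernel when explicitly asked: `sh shape-ftp.sh apply`
if [ "${1:-}" = "apply" ]; then
    ftp_shaping
fi
```

Run with `DRY_RUN=1 sh shape-ftp.sh apply` first to review the seven commands it would issue.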