Re: [LARTC] Some questions concerning IPtables (& IMQ/SFQ)

From: Tobias Geiger <tobias.geiger@web.de>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Some questions concerning IPtables (& IMQ/SFQ)
Date: Fri, 03 May 2002 15:08:32 +0000	[thread overview]
Message-ID: <marc-lartc-102045237231073@msgid-missing> (raw)
In-Reply-To: <marc-lartc-102043736815080@msgid-missing>

On Fri, May 03, 2002 at 04:50:18PM +0200, Nils Lichtenfeld wrote:
> Hi there!
Hi Nils
> 
> Some questions I couldn't find an answer for:
> IPtables:
> - Is it possible to filter those ACK-packets (to eleminate problems
> with ADSL-connections) with IPtables? It wasn't possible with IPchains,
> so u32 had to be used. Now there is this nice little --tcp-flags
> option. But I just don't know if this is all I need. The u32 was
> checking for packetsize too. So if there is a eqivalent to the u32
> ACK-filterrule, what would it look like?
> 
> What I have found in the ML is this:
> ----
> # Set ACK as prioritized traffic (ACK's are less than 100 bytes)
> $IPTABLES -t mangle -A MANGLE_MARK -p tcp -m length --length :100 -j
> MARK --set-mark 1
> $IPTABLES -t mangle -A MANGLE_MARK -p tcp -m length --length :100 -j
> RETURN
> ----
> 
> Wouldn't that apply on a lot more packets than only the ACK ones? What
> is the exact specification of an ACK-packet?

I don't know the exact technical specification for ACK packets, but i
use the example below, and it work's (i mean as far as i can see, no
"other" packets get in my $ack-queue)

> 
> - With IPchains it was possible to mark and return in one rule. Looking
> at the example above this doesn't seem possible (two -j operators). Is
> that right?
>
sorry, don't know
 
> - Can I have for example one custom chain and have forward and output
> send its packets to it?
> 
well i think so. 
i use constructs like these:

start_ingress_iptables() {

        $iptables -t mangle -N IMQ_INGRESS
        $iptables -t mangle -A IMQ_INGRESS -m state --state ESTABLISHED -p tcp --sport ssh -j MARK --set-mark $high
        $iptables -t mangle -A IMQ_INGRESS -m state --state ESTABLISHED -p tcp --sport http -j MARK --set-mark $high
        $iptables -t mangle -A IMQ_INGRESS -m state --state ESTABLISHED -m length --length 40:100 -j MARK --set-mark $ack
        $iptables -t mangle -A IMQ_INGRESS -j IMQ --todev 0
        $iptables -t mangle -A PREROUTING -i ${SHAPEDEV} -j IMQ_INGRESS

}

and i see no reason why i couln't add something like:
	iptables -t mangle -A POSTROUTING -o somedevice -j IMQ_INGRESS


> - Is there a howto that explains -t mangel, -A PREROUTING/POSTROUTING
> etc.? The only IPtables HowTo I have found is
> http://www.telematik.informatik.uni-karlsruhe.de/lehre/seminare/LinuxSe
> m/downloads/netfilter/iptables-HOWTO.html
>
netfilter.org ?!
 
> - From Patricks' IMQ-page:
> ----
> SFQ is very useful as a leaf qdisc. But by default, its internal queue
> length is 128 which is too much for small classes or even for
> not-so-fast links. Changing SFQ_DEPTH in net/sched/ sch_sfq.c to about
> 10-20 results in flows responding much faster to bandwidth changes.
> ----
> 
> Is that ment for SFQ in general or only in conjunction with IMQ?
> 
I think it's meant for slower links in general. 
btw i made the experience that SFQ_DEPTH has to be a value dividable by 8
(i use 24 and in my subjective opinion i have better interactivity)

> 
> Thank you.
> Greetings, Nils
>

Greetings

Tobias 
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/