From mboxrd@z Thu Jan 1 00:00:00 1970
From: "GoMi ."
Date: Wed, 18 Jun 2003 11:20:47 +0000
Subject: [LARTC] Problem with iptables and CONNTRACK
Message-Id:
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: lartc@vger.kernel.org

I know this is not the right place to ask this question, but I have a
stateful firewall and I am doing CONNTRACKING to mark the TCP connections,
and then with filters based on fw marks put them in the right qdisc.

The problem is that I have an uplink bandwidth of 300kbit restricted to
250kbit by the htb class.

Here is my script to mark my traffic with qdiscs:

DEV=eth0

tc qdisc add dev ${DEV} handle 1: root htb default 20
tc class add dev ${DEV} parent 1:1 classid 1:1 htb rate 250kbit

## Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 200kbit
tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10

## Non Interactive
tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 100kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20

## ICMP
tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40

## Web-Server
tc class add dev ${DEV} parent 1:1 classid 1:50 htb rate 50kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:50 handle 50: esfq hash dst perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 5 fw flowid 1:50

and here is my mangle setup

iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -m mark --mark 0 -j kazaa
iptables -t mangle -A POSTROUTING -m mark --mark 0 -j marks
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

marks and kazaa are just -j MARK according to the traffic.

I am monitoring at which speed each class is sending data, and it only goes
up to 10KB altogether. Does anybody know why it is not going up to at least
20-23 KB? I am going crazy! :)

Interactive traffic goes quite well actually, but since I am getting such a
low uplink speed, I suppose I am not getting good usage of the downlink
traffic, maybe because it does not send ACK packets quickly enough.

Anybody willing to help? :)

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
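A sanity check worth running on an HTB hierarchy like the one in the post before loading it with tc, as an added example that is not from the original post or from the LARTC project: the `HTB_CLASSES` table and the `htb_check` function are constructed here from the post's numbers, and the check flags a class that names itself as its parent and children whose guaranteed rates add up to more than the parent's rate (here 100+100+5+50 = 255kbit against a 250kbit parent).

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an HTB class
# tree before loading it with tc. The table below is constructed from the
# post's script: "classid parent rate ceil" in kbit, with ceil = rate
# where the script gives no ceil (HTB's own default).
HTB_CLASSES='
1:1  1:1  250 250
1:10 1:1  100 200
1:20 1:1  100 200
1:40 1:1  5   5
1:50 1:1  50  200
'

# htb_check TABLE: print one line per violation, return 1 if any was found.
# Checks: a class must not name itself as parent (the top class hangs off
# the qdisc handle 1:), the guaranteed rates of a parent's children must not
# add up to more than the parent's own rate, and a child's ceil must not
# exceed the parent's ceil.
htb_check() {
    printf '%s\n' "$1" | awk '
    NF == 4 {
        parent[$1] = $2; rate[$1] = $3; ceil[$1] = $4
        if ($1 != $2) sum[$2] += $3
    }
    END {
        bad = 0
        for (c in parent) {
            p = parent[c]
            if (p == c) {
                printf "%s names itself as parent\n", c; bad = 1; continue
            }
            if (!(p in rate)) continue        # parent is the root qdisc
            if (sum[p] > rate[p] && !(p in reported)) {
                printf "children of %s guarantee %d kbit, parent rate is %d kbit\n", p, sum[p], rate[p]
                reported[p] = 1; bad = 1
            }
            if (ceil[c] > ceil[p]) {
                printf "%s ceil %d kbit exceeds parent ceil %d kbit\n", c, ceil[c], ceil[p]
                bad = 1
            }
        }
        exit bad
    }'
}

# Stand-alone run: list the violations in the post's hierarchy.
htb_check "$HTB_CLASSES" || echo "hierarchy needs fixing before tc will honour the guarantees"
```

Attaching the top class to `parent 1:` and trimming the children so their rates sum to at most 250kbit makes the check pass.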