From: Lawrence MacIntyre
Date: Fri, 17 Oct 2003 13:31:55 +0000
Subject: Re: [LARTC] Forwarded traffic bypassing filter
To: lartc@vger.kernel.org

I haven't looked at the code, but the path these packets take through the
IP stack may be "unusual". You have configured your network in a very
strange manner. Generally, for Ethernet networks, you want all
interfaces in the same subnet to be on the same broadcast network. You
might have better luck if you make Machine1 a bridge or a normal IP
router. Is there a reason why you have configured your network in this
way?

On Fri, 2003-10-17 at 09:25, Amit Gandhi wrote:
> The netmask is /8 in my config, but it can be /24 (doesn't matter a
> whole lot). The traffic is not being bridged at Machine1, it's simple
> routing coz I've set up a route & ARP entry for Machine2 on Machine1 and
> IP Forwarding, Proxy ARP is enabled on Machine1.
>
> Thanks
>
> --- Lawrence MacIntyre wrote:
> > Is the netmask actually /24 instead of /8 or are you bridging the
> > traffic with Machine1?
> >
> > On Thu, 2003-10-16 at 17:26, Amit Gandhi wrote:
> > > Please consider the following scenario & corresponding question.....
> > >
> > >                     Machine1                           Machine2
> > >                 _________________                  _________________
> > > MachineX        |               |                  |               |
> > > HTTP(1)         |               |                  |  HTTP Server  |
> > > ------>-------->|          -----|------------------|               |
> > >             eth0|         /     |eth1              |eth0           |
> > >  10.20.253.242/8|        /      |10.20.255.238/8   |10.20.246.247/8|
> > >                 |    HTTP(2)    |                  |               |
> > >                 |_______________|                  |_______________|
> > >
> > > 10.20.246.247 dev eth1
> > > 10.20.246.247 dev eth1 lladdr xx:xx:xx:xx:xx:xx
> > > proxy_arp =1
> > > ip_forward=1
> > >
> > > Here are my shaping rules (primary goal is to send the web traffic
> > > through a separate queue)
> > >
> > > tc qdisc add dev eth1 root handle 1: htb default 20
> > >
> > > tc class add dev eth1 parent 1: classid 1:1 htb rate 2mbit burst 15k
> > >
> > > tc class add dev eth1 parent 1:1 classid 1:10 htb rate 1mbit ceil 2mbit burst 15k
> > > tc class add dev eth1 parent 1:1 classid 1:20 htb rate 1mbit burst 15k
> > >
> > > tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
> > > tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
> > >
> > > tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip dport 0x50 0xffff flowid 1:10
> > >
> > >
> > > Now, after all of this configuration I've observed that:
> > >
> > > a) All the web requests coming from "MachineX" go thru the default
> > > queue 20
> > > b) Web traffic generated from "Machine1" does get sent thru queue 10
> > >
> > >
> > > Why is the forwarded traffic bypassing the filter?
> > >
> > > I inserted debug messages in the 'u32_classify' function
> > > inside the kernel, just to make sure that the filter is not
> > > failing, but the function never gets called for HTTP(1)
> > > traffic!!!
> > >
> > >
> > > Regards,
> > > +Amit
> > > email: subscribeamit@yahoo.com
> > >
> > > _______________________________________________
> > > LARTC mailing list / LARTC@mailman.ds9a.nl
> > > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> > --
> > Lawrence MacIntyre 865.574.8696 lpz@ornl.gov
> > Oak Ridge National Laboratory
> > High Performance Information Infrastructure Technology Group

--
Lawrence MacIntyre 865.574.8696 lpz@ornl.gov
Oak Ridge National Laboratory
High Performance Information Infrastructure Technology Group