From: Barton Hodges <barton@gcmcomputers.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Marking returned MASQ'ed packets (ingress, TC, etc.)
Date: Tue, 12 Jun 2001 23:39:39 +0000
Message-ID: <marc-lartc-99238925629910@msgid-missing>
In-Reply-To: <marc-lartc-99238552718946@msgid-missing>
>
> Please describe your network topology.
>
Sure, it's a basic masq setup with 1 external (WAN) and 2
internal (LAN) interfaces

             |------------------------------------------|
             |                  <-> eth1/192.168.241.1  | <-> 192.168.241.0 LAN
Internet <-> | eth0/12.10.109.52                        |
             |                  <-> eth2/192.168.242.1  | <-> 192.168.242.0 LAN
             |------------------------------------------|
                      Gateway Computer w/ 2 NICs

I want to limit the upstream (to the internet) of both eth1 and eth2 to
128kbps.

I want to limit the downstream (from the internet) of eth1 to 128kbps
and 256kbps on eth2.

I can limit the upstream of both interfaces with this:

  tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 10Mbit avpkt 1000 cell 8
  tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 10Mbit rate \
     10Mbit weight 1Mbit prio 8 allot 1514 cell 8 maxburst 100 avpkt 1000
  tc class add dev eth0 parent 1:1 classid 1:10 cbq bandwidth 10Mbit rate \
     128Kbit weight 12Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
  tc qdisc add dev eth0 parent 1:10 tbf rate 128Kbit buffer 10Kb/8 limit 15Kb mtu 1500
  tc filter add dev eth0 parent 1:0 protocol ip prio 100 handle 1 fw classid 1:10

I can limit the downstream with this:

  tc qdisc add dev eth0 handle ffff:0 ingress
  tc filter add dev eth0 parent ffff:0 protocol ip prio 5 handle 1 fw \
     police rate 128kbit burst 128kbit mtu 1500 drop

What I think I need is a separate filter for eth1 and eth2 that looks
for different marks (handles?). Therefore, I need to mark packets
coming through eth0 to eth1 with a 0x1 and from eth0 to eth2 with a 0x2
and filter accordingly (I think).

> > Hi Folks,
> >
> > I'm using a 2.4.x kernel and TC from the iproute2 package
> > so that I can limit traffic through my gateway. I'm using this
> > to mark packets when they leave the LAN:
> >
> > /sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -m 1
> >
> > When the packets return, I need to have them marked again so that
> > the ingress filter will limit the bandwidth in the opposite direction.
> >
> > The only way I have found to do this, is to mark EVERY packet like this:
> >
> > /sbin/ipchains -A input -i eth0 -s 0.0.0.0/0 -d 12.10.109.52/32 -m 1
> >
> > This works, but what I would really like to do, is mark the
> > 192.168.1.0/24 packets instead (after they have been "un-masq'ed"),
> > so that I can limit bandwidth on each interface in the gateway box.
> >
> > Is this possible?
> >
> > Thanks,
> >
> > Barton
> >
> > _______________________________________________
> > LARTC mailing list / LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
> >