> On Tuesday 30 May 2006 16:25, Eliot, Wireless and Server Administrator,
> Great Lakes Internet wrote:
> [snip]
> > You'll notice that the iptables rules show matches for class 5:510,
> > 5:511, and others; yet, the only class taking traffic here is 5:2.
>
> just to exhaust possibilities... 
>
> i think that 5:2 is working cause 
> 0x2==2(decimal), but 
> 0x510!=510(decimal)
> 0x1fe==510(decimal)
> 
> in my experience iptables output is in HEX while tc output is in DEC
> So give a try with 
> tc class==510
> iptables MARK==1fe 
> and so on...

Yes, iptables uses HEX:

int string_to_priority(const char *s, unsigned int *p)
{
  unsigned int i, j;

  if (sscanf(s, "%x:%x", &i, &j) != 2)
    return 1;

  *p = TC_H_MAKE(i<<16, j);
  return 0;
}


In fact, not only does iptables use HEX for input/output of these rules,
but so does TC (the strtoul explicitly states base 16):

int get_qdisc_handle(__u32 *h, const char *str)
{
  __u32 maj;
  char *p;

  maj = TC_H_UNSPEC;
  if (strcmp(str, "none") == 0)
    goto ok;
  maj = strtoul(str, &p, 16);
  if (p == str)
    return -1;
  maj <<= 16;
  if (*p != ':' && *p!=0)
    return -1;
ok:
  *h = maj;
  return 0;
}

int get_tc_classid(__u32 *h, const char *str)
{
  __u32 maj, min;
  char *p;

  maj = TC_H_ROOT;
  if (strcmp(str, "root") == 0)
    goto ok;
  maj = TC_H_UNSPEC;
  if (strcmp(str, "none") == 0)
    goto ok;
  maj = strtoul(str, &p, 16);
  if (p == str) {
    maj = 0;
    if (*p != ':')
      return -1;
  }
  if (*p == ':') {
    if (maj >= (1<<16))
      return -1;
    maj <<= 16;
    str = p+1;
    min = strtoul(str, &p, 16);
    if (*p != 0)
      return -1;
    if (min >= (1<<16))
      return -1;
    maj |= min;
  } else if (*p != 0)
    return -1;

ok:
  *h = maj;
  return 0;
}

So, I have updated all my rules to use HEX instead of DEC. Here are my
new rules:


- Creating qdiscs on interfaces
  - tc qdisc add dev br1 root handle 1: hfsc default 2
  - tc class add dev br1 parent 1:0 classid 1:1 hfsc sc umax 1500b dmax 3ms rate 30Mbit
  - tc class add dev br1 parent 1:0 classid 1:2 hfsc ls m1 60Mbit d 2s m2 60Mbit ul m1 60Mbit d 2s m2 60Mbit
  - tc class add dev br1 parent 1:0 classid 1:3 hfsc ls m1 10Mbit d 2s m2 10Mbit

  - tc qdisc add dev wivl4 root handle 5: hfsc default 2
  - tc class add dev wivl4 parent 5:0 classid 5:1 hfsc sc umax 1500b dmax 3ms rate 30Mbit
  - tc class add dev wivl4 parent 5:0 classid 5:2 hfsc ls m1 60Mbit d 2s m2 60Mbit ul m1 60Mbit d 2s m2 60Mbit
  - tc class add dev wivl4 parent 5:0 classid 5:3 hfsc ls m1 10Mbit d 2s m2 10Mbit

- Starting bandwidth shaping for user
  - tc class add dev br1 parent 0x1:0 classid 0x1:0x1FE hfsc sc umax 1500b dmax 30ms rate 128Kbit
  - tc class add dev br1 parent 0x1:0 classid 0x1:0x1FF hfsc ls m1 640Kbit d 2000ms m2 128Kbit rt m1 640Kbit d 2000ms m2 128Kbit ul m1 640Kbit d 2000ms m2 512Kbit
  - tc class add dev br1 parent 0x1:0 classid 0x1:0x200 hfsc ls m1 256Kbit d 2000ms m2 256Kbit

  - tc qdisc add dev br1 parent 0x1:0x1FE handle 0x1C7:0 sfq
  - tc qdisc add dev br1 parent 0x1:0x1FF handle 0x1C8:0 sfq
  - tc qdisc add dev br1 parent 0x1:0x200 handle 0x1C9:0 sfq

  - tc class add dev wivl4 parent 0x5:0 classid 0x5:0x1FE hfsc sc umax 1500b dmax 30ms rate 128Kbit
  - tc class add dev wivl4 parent 0x5:0 classid 0x5:0x1FF hfsc ls m1 2560Kbit d 2000ms m2 512Kbit rt m1 2560Kbit d 2000ms m2 512Kbit ul m1 2560Kbit d 2000ms m2 2048Kbit
  - tc class add dev wivl4 parent 0x5:0 classid 0x5:0x200 hfsc ls m1 1024Kbit d 2000ms m2 1024Kbit

  - tc qdisc add dev wivl4 parent 0x5:0x1FE handle 0x1DB:0 sfq
  - tc qdisc add dev wivl4 parent 0x5:0x1FF handle 0x1DC:0 sfq
  - tc qdisc add dev wivl4 parent 0x5:0x200 handle 0x1DD:0 sfq


 

- Adding rules to classify traffic for 00:05:9E:81:3D:07
  - iptables -A macfilter -m mac --mac-source 00:05:9E:81:3D:07
  - iptables -I macfilter_nat -t nat -m mac --mac-source 00:05:9E:81:3D:07 -j ACCEPT

- Adding rules to flag General traffic
  - iptables -A PREROUTING -t mangle -m mac --mac-source 00:05:9E:81:3D:07 -j MARK --set-mark 0x1FF
  - iptables -A PREROUTING -t mangle -m mark --mark 0x1FF -j CONNMARK --save-mark

- Adding rules to flag VoIP/Interactive traffic
  - iptables -A PREROUTING -t mangle -p udp -m mac --mac-source 00:05:9E:81:3D:07 -m multiport --ports 53,4569,5060,10000:20000 -j MARK --set-mark 510
  - iptables -A PREROUTING -t mangle -p tcp -m mac --mac-source 00:05:9E:81:3D:07 -m multiport --ports 22,23,53 -j MARK --set-mark 0x1FE
  - iptables -A PREROUTING -t mangle -p icmp -m mac --mac-source 00:05:9E:81:3D:07 -j MARK --set-mark 0x1FE
  - iptables -A PREROUTING -t mangle -p tcp --tcp-flags ACK,PSH ACK -m length --length 0:128 -m mac --mac-source 00:05:9E:81:3D:07 -j MARK --set-mark 0x1FE
  - iptables -A PREROUTING -t mangle -p udp --dport 53 -m mac --mac-source 00:05:9E:81:3D:07 -j MARK --set-mark 0x1FE
  - iptables -A PREROUTING -t mangle -p udp --sport 53 -m mac --mac-source 00:05:9E:81:3D:07 -j MARK --set-mark 0x1FE
  - iptables -A PREROUTING -t mangle -m mark --mark 0x1FE -j CONNMARK --save-mark

- Adding rules to flag P2P traffic
  - iptables -A PREROUTING -t mangle -m mac --mac-source 00:05:9E:81:3D:07 -m ipp2p --ipp2p -j MARK --set-mark 0x200
  - iptables -A PREROUTING -t mangle -m mark --mark 0x200 -j CONNMARK --save-mark
  - iptables -I FORWARD -t mangle -m mark --mark 0x1FE -j ACCEPT
  - iptables -I FORWARD -t mangle -m mark --mark 0x1FF -j ACCEPT
  - iptables -I FORWARD -t mangle -m mark --mark 0x200 -j ACCEPT

- Adding rules to classify traffic on br1
  - iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 0x1FE -j CLASSIFY --set-class 0x1C7:0
  - iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 0x1FF -j CLASSIFY --set-class 0x1C8:0
  - iptables -A POSTROUTING -t mangle -o br1 -m mark --mark 0x200 -j CLASSIFY --set-class 0x1C9:0

- Adding rules to classify traffic on wivl4
  - iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 0x1FE -j CLASSIFY --set-class 0x1DB:0
  - iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 0x1FF -j CLASSIFY --set-class 0x1DC:0
  - iptables -A POSTROUTING -t mangle -o wivl4 -m mark --mark 0x200 -j CLASSIFY --set-class 0x1DD:0





However, this still does not work:

Chain POSTROUTING (policy ACCEPT 812K packets, 441M bytes)
 pkts bytes target     prot opt in     out     source               destination
 2071  129K CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x1fe CLASSIFY set 1c7:0
    2   521 CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x1ff CLASSIFY set 1c8:0
    0     0 CLASSIFY   all  --  *      br1     0.0.0.0/0            0.0.0.0/0           MARK match 0x200 CLASSIFY set 1c9:0
 2760 4060K CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x1fe CLASSIFY set 1db:0
    3   500 CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x1ff CLASSIFY set 1dc:0
    0     0 CLASSIFY   all  --  *      wivl4   0.0.0.0/0            0.0.0.0/0           MARK match 0x200 CLASSIFY set 1dd:0


wireless-r1 bwlimit # tc -s qdisc show dev wivl4
qdisc hfsc 5: default 2
 Sent 8554815 bytes 7797 pkt (dropped 6, overlimits 13 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 1db: parent 5:1fe limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 1dc: parent 5:1ff limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 1dd: parent 5:200 limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0



I am really at a loss here. I am targeting a qdisc directly with the
classify command in iptables. I am using HEX throughout my rule base.
The numbers all line up correctly (iptables classify numbers match a
valid class/qdisc id in tc). Each classid is globally unique (it is used
only once). I am using the latest iptables, the latest tc, and the
latest kernel. I have even verified that both iptables and tc are
reading/writing to skb->priority in the code base.

Short of modifying the iptables and tc code in the kernel and in the
userspace programs to print out debugging information, I am not sure
what else to do. 

Can anyone at least verify that iptables CLASSIFY target actually works
on their system? That would at least be helpful. And if it works on your
system, can you try pasting my rules into your system and see if they
work? 

If anyone else has any more ideas, I would love to entertain them. 

 
Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324
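Editor's added example (not code from the thread or from the iptables/iproute2 projects): a small Python checker that mirrors the two number conventions discussed above and cross-checks the CLASSIFY targets in the quoted POSTROUTING chain against the quoted qdisc tree. It reproduces the hex-only "maj:min" parsing of tc's get_tc_classid and iptables' string_to_priority, the strtoul(..., 0) parsing of --set-mark/--mark (so 510 and 0x1FE are the same mark while 0x510 is not), and, as the check, the rule the kernel's hfsc classifier applies to skb->priority: the major must equal the root qdisc's own handle and the minor is looked up as one of its classes, otherwise the packet falls through to filters and the "default" class. The sample text is constructed from the outputs in the mail; the regexes and the function names are the example's own.

```python
import re

# Constructed sample input, modelled on the two command outputs quoted in the
# mail: the qdisc tree on wivl4 and the CLASSIFY rows of mangle POSTROUTING.
TC_QDISC_SHOW = """\
qdisc hfsc 5: default 2
 Sent 8554815 bytes 7797 pkt (dropped 6, overlimits 13 requeues 0)
qdisc sfq 1db: parent 5:1fe limit 128p quantum 1514b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
qdisc sfq 1dc: parent 5:1ff limit 128p quantum 1514b
qdisc sfq 1dd: parent 5:200 limit 128p quantum 1514b
"""

IPTABLES_POSTROUTING = """\
 2760 4060K CLASSIFY   all  --  *      wivl4   0.0.0.0/0  0.0.0.0/0  MARK match 0x1fe CLASSIFY set 1db:0
    3   500 CLASSIFY   all  --  *      wivl4   0.0.0.0/0  0.0.0.0/0  MARK match 0x1ff CLASSIFY set 1dc:0
    0     0 CLASSIFY   all  --  *      wivl4   0.0.0.0/0  0.0.0.0/0  MARK match 0x200 CLASSIFY set 1dd:0
"""


def tc_handle(text):
    """Parse 'maj:min' the way tc's get_tc_classid and iptables' string_to_priority
    do: both halves are hex whether or not they carry a 0x prefix. 'maj:' means
    minor 0 (a qdisc handle); ':min' means major 0."""
    maj_s, _, min_s = text.lower().partition(":")
    maj = int(maj_s, 16) if maj_s else 0
    mn = int(min_s, 16) if min_s else 0
    if maj >= 1 << 16 or mn >= 1 << 16:
        raise ValueError("handle out of range: %s" % text)
    return (maj << 16) | mn


def fmt_handle(h):
    """Render a 32-bit handle back in tc's 'maj:min' hex notation."""
    return "%x:%x" % (h >> 16, h & 0xFFFF)


def iptables_mark(text):
    """--set-mark / --mark are read with strtoul(..., 0): '510' is decimal and
    '0x1fe' is hex, so they name the same mark, while '0x510' does not."""
    return int(text, 0)


QDISC_RE = re.compile(r"^qdisc \S+ ([0-9a-fA-F]+):(?: parent ([0-9a-fA-F]+:[0-9a-fA-F]*))?")
CLASSIFY_RE = re.compile(r"MARK match (\S+) CLASSIFY set (\S+)")


def qdisc_tree(tc_output):
    """Return (root_handle, {classid: leaf qdisc handle}) from `tc qdisc show` text.
    A child qdisc's 'parent' is the hfsc class it hangs off, so those parents are
    exactly the class ids a CLASSIFY target may legitimately name."""
    root, leaves = None, {}
    for line in tc_output.splitlines():
        m = QDISC_RE.match(line)
        if not m:
            continue
        handle = tc_handle(m.group(1) + ":")
        if m.group(2) is None:
            root = handle
        else:
            leaves[tc_handle(m.group(2))] = handle
    return root, leaves


def check_classify(tc_output, iptables_output):
    """Cross-check every CLASSIFY target against the qdisc tree, applying the hfsc
    rule: major of skb->priority == root handle, minor == an existing class."""
    root, leaves = qdisc_tree(tc_output)
    report = []
    for line in iptables_output.splitlines():
        m = CLASSIFY_RE.search(line)
        if not m:
            continue
        mark, target = iptables_mark(m.group(1)), tc_handle(m.group(2))
        if target in leaves:
            status, fix = "ok", None
        elif target in leaves.values():
            # Names the child sfq qdisc instead of the hfsc class that owns it.
            classid = next(c for c, q in leaves.items() if q == target)
            status, fix = "leaf-qdisc-handle", fmt_handle(classid)
        elif root is None or (target >> 16) != (root >> 16):
            status, fix = "major-mismatch", None
        else:
            status, fix = "unknown-class", None
        report.append((mark, m.group(2), status, fix))
    return report


if __name__ == "__main__":
    for mark, target, status, fix in check_classify(TC_QDISC_SHOW, IPTABLES_POSTROUTING):
        extra = "" if fix is None else " (class is %s)" % fix
        print("mark 0x%x -> %s: %s%s" % (mark, target, status, extra))
```

Run against real output, feed it `tc qdisc show dev <if>` and `iptables -t mangle -L POSTROUTING -v -n` for the same interface; a "leaf-qdisc-handle" or "major-mismatch" finding means the hfsc root will never match the priority and will send the packet to its "default" class, which is also what the zero "Sent" counters on the leaf sfq qdiscs would show.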


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
