RE: [LARTC] Bridge + TC
> I posted out on this problem some time ago and could never get 2.4.25 or > any 2.6 kernel to work with TC + Bridging. If anyone has this working > and has actually tested it (I am actually just doing IP based iptables > filtering from my bridge interface) please let us know what version of > iproute you used and what patches you applied and with which version of > the kernel. -Vanilla kernel 2.6.3 form kernel.org - no patches applied just ethernet bridging and Bridged IP/ARP packets filtering enabled in kernel config. -iptables snapshot v1.2.9-20040302 -as far as I remember tc is from the htb homepage http://luxik.cdi.cz/~devik/qos/htb/ Regards, -- +++ NEU bei GMX und erstmalig in Deutschland: TÜV-geprüfter Virenschutz +++ 100% Virenerkennung nach Wildlist. Infos: http://www.gmx.net/virenschutz ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] Bridge + TC
Roy Walker wrote: I posted out on this problem some time ago and could never get 2.4.25 or any 2.6 kernel to work with TC + Bridging. If anyone has this working and has actually tested it (I am actually just doing IP based iptables filtering from my bridge interface) please let us know what version of iproute you used and what patches you applied and with which version of the kernel. The older 2.4.2x kernel's seem to work fine for this (I am currently running 2.4.22). I just got this working under 2.4.25 on a different test rig (with only 2 interfaces) - installed Debian Testing, patched and compiled a kernel with relevant stuff, start the bridge, apply tc rules, and *poof* packets get filtered/classified properly. All within 1.5 hrs. `tc -s class show dev eth0` shows the right stuff going through the right filters at the right rate. Versions/patches: iproute-20010824-13, from Debian testing iptables-1.2.9, from Debian testing (Used: iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 0x4 --> no ebtables needed) ebtables-brnf-5-vs-2.4.25 patch from ebtables.sourceforge.net kernel-2.4.25, with above ebtables patch Hopefully it'll still work with 3 interfaces when I get 2.4.25 on the original test rig! Cheers, jon ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
RE: [LARTC] Bridge + TC
I posted out on this problem some time ago and could never get 2.4.25 or any 2.6 kernel to work with TC + Bridging. If anyone has this working and has actually tested it (I am actually just doing IP based iptables filtering from my bridge interface) please let us know what version of iproute you used and what patches you applied and with which version of the kernel. The older 2.4.2x kernel's seem to work fine for this (I am currently running 2.4.22). Roy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, March 15, 2004 3:03 PM To: [EMAIL PROTECTED] Subject: Re: [LARTC] Bridge + TC Hi, > I have also tried that. I'm using 2.6.3-mm3 -> packets don't seem to > Perhaps the key here is 2.4. I might have to revert... There was a change with kernel 2.6.0 for incoming and outgoing interfaces of a bridge device (at least for iptables - that's why I'm guessing it also affects ebtables): > ebtables -A FORWARD -i eth1 -j mark --set-mark 0x1 > ebtables -A FORWARD -i eth2 -j mark --set-mark 0x2 Well for iptables a similar rule would look like: iptables -A FORWARD -i eth1 -j MARK --set-mark 0x1 If eth1 is a port of a bridge you have to use with 2.6.x this: iptables -A FORWARD -m physdev --physdev-in eth1 -j MARK --set-mark 0x1 Having a closer look at this may help solving your problem? Regards, -- +++ NEU bei GMX und erstmalig in Deutschland: TÜV-geprüfter Virenschutz +++ 100% Virenerkennung nach Wildlist. Infos: http://www.gmx.net/virenschutz ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] Bridge + TC
Hi, > I have also tried that. I'm using 2.6.3-mm3 -> packets don't seem to > Perhaps the key here is 2.4. I might have to revert... There was a change with kernel 2.6.0 for incoming and outgoing interfaces of a bridge device (at least for iptables - that's why I'm guessing it also affects ebtables): > ebtables -A FORWARD -i eth1 -j mark --set-mark 0x1 > ebtables -A FORWARD -i eth2 -j mark --set-mark 0x2 Well for iptables a similar rule would look like: iptables -A FORWARD -i eth1 -j MARK --set-mark 0x1 If eth1 is a port of a bridge you have to use with 2.6.x this: iptables -A FORWARD -m physdev --physdev-in eth1 -j MARK --set-mark 0x1 Having a closer look at this may help solving your problem? Regards, -- +++ NEU bei GMX und erstmalig in Deutschland: TÜV-geprüfter Virenschutz +++ 100% Virenerkennung nach Wildlist. Infos: http://www.gmx.net/virenschutz ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] Bridge + TC
Jeroen Vriesman wrote: So I would suggest testing: 1) no filter rule for 1:10 which is default This shouldn't affect things in the end though, correct? (I.e. it's overkill, but it won't hurt anything, right?) (I've also had it pass by default through the 1:1, in which case nothing passed through 1:10, nor 1:20 - everything went through 1:1.) 2) no filters with handle 1, (I start at 101 for the filters) tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10 "handle 1" - is that not how it picks up on nfmark? If nfmark is set to 1, is this not the part that picks up that nfmark? 3) marking with iptables in mangle PREROUTING I have also tried that. I'm using 2.6.3-mm3 -> packets don't seem to pass through iptables anymore unless they're specifically routed rather than bridged (can anyone confirm this?). I have another (2-if, no QoS) bridge running 2.4, and iptables commands filter fine. With this new bridge running 2.6, dropping everything with iptables doesn't work 'iptables -A FORWARD -j DROP' doesn't affect the bridge in the least - hosts continue to talk through the bridge. (Same in ebtables works as expected though.) should work, it's working fine here on 2.4.24+ebtables Perhaps the key here is 2.4. I might have to revert... Thanks for the input. Now I have something else to try! Cheers, jon ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] Bridge + TC
Hi, I've got an almost simular setup, which is working fine. something I noticed: You say everything is going into class 1:10, which is both your default AND you got a filter for it <-?? I also see that your "default filter" has handle 1, in my setup the handles of the filters are unique. For the rest, the only real difference is that I mark in the iptables mangle PREROUTING table, maybe an idea to test that. So I would suggest testing: 1) no filter rule for 1:10 which is default 2) no filters with handle 1, (I start at 101 for the filters) 3) marking with iptables in mangle PREROUTING should work, it's working fine here on 2.4.24+ebtables Cheers, Jeroen. On Mon, 15 Mar 2004 11:15:48 + Jon Anderson <[EMAIL PROTECTED]> wrote: > I'm hoping someone can provide a little input that might help me out a > little... > > I've recently tried to setup a 3-interface transparent bridge, where 2 > internal interfaces (eth1,eth2) funnel into 1 outgoing interface (eth0). > The idea was to be that eth1 gets priority over eth2 in all cases. > > The bridge works flawlessly - it passes all layer2 traffic through > properly. The traffic control however, does not work at all. (The LARTC > Howto says bridging + tc should "work as advertised", but no examples or > instructions are given...) > > The conclusion I came to was that bridging is done in layer2, and so > traffic control code (typically layer3) never gets to touch it. Am I wrong? > > Setup was: mark packets with ebtables, then filter into 2 qdiscs based > on those marks. > > Ebtables bit: > ebtables -A FORWARD -i eth1 -j mark --set-mark 0x1 > ebtables -A FORWARD -i eth2 -j mark --set-mark 0x2 > - This works, as ebtables' counters do count matching packets correctly > (connecting a machine to and interface, and starting . (I assume that > they set sk_buff->nfmark properly.) > > . > > Classes: > tc qdisc add dev eth0 root handle 1: htb default 10 > tc class add dev eth0 parent 1: classid 1:1 htb rate 500kbit ceil 500kbit > tc class add dev eth0 parent 1:1 classid 1:10 htb rate 450kbit ceil 500kbit prio 0 > tc class add dev eth0 parent 1:1 classid 1:20 htb rate 50kbit ceil 500kbit prio 1 > > tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10 > > tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:20 > > As I understand it, the second last line should put packets with nfmark 1 into class > 1:10 (450-500 kbit), and the last line should put packets with nfmark 2 into class > 1:20 (50-500kbit). > > With an active host plugged into eth2, all I get is traffic going through the > default class (1:10) according to 'tc -s show class dev eth0' > > If anyone could offer any suggestions, I'd be glad to hear 'em. > > Cheers, > > jon anderson > > > ___ > LARTC mailing list / [EMAIL PROTECTED] > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
[LARTC] Bridge + TC
I'm hoping someone can provide a little input that might help me out a little... I've recently tried to setup a 3-interface transparent bridge, where 2 internal interfaces (eth1,eth2) funnel into 1 outgoing interface (eth0). The idea was to be that eth1 gets priority over eth2 in all cases. The bridge works flawlessly - it passes all layer2 traffic through properly. The traffic control however, does not work at all. (The LARTC Howto says bridging + tc should "work as advertised", but no examples or instructions are given...) The conclusion I came to was that bridging is done in layer2, and so traffic control code (typically layer3) never gets to touch it. Am I wrong? Setup was: mark packets with ebtables, then filter into 2 qdiscs based on those marks. Ebtables bit: ebtables -A FORWARD -i eth1 -j mark --set-mark 0x1 ebtables -A FORWARD -i eth2 -j mark --set-mark 0x2 - This works, as ebtables' counters do count matching packets correctly (connecting a machine to and interface, and starting . (I assume that they set sk_buff->nfmark properly.) . Classes: tc qdisc add dev eth0 root handle 1: htb default 10 tc class add dev eth0 parent 1: classid 1:1 htb rate 500kbit ceil 500kbit tc class add dev eth0 parent 1:1 classid 1:10 htb rate 450kbit ceil 500kbit prio 0 tc class add dev eth0 parent 1:1 classid 1:20 htb rate 50kbit ceil 500kbit prio 1 tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10 tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:20 As I understand it, the second last line should put packets with nfmark 1 into class 1:10 (450-500 kbit), and the last line should put packets with nfmark 2 into class 1:20 (50-500kbit). With an active host plugged into eth2, all I get is traffic going through the default class (1:10) according to 'tc -s show class dev eth0' If anyone could offer any suggestions, I'd be glad to hear 'em. Cheers, jon anderson ___ LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
