Re: [LARTC] tc filter - based on iptables - MAC - MARK not working - although marking on ip src, dst address works

Daniel Dafoe wrote:

> I really don't get it:
>
> Recompiled my kernel a dozen times, now it is 2.6.11-gentoo-r5, but still
> packets are marked by iptables but not shaped by tc. It only works when I
> mark packets on source/destination IP.
>
> As soon as I comment the last two lines and uncomment the first one,
> shaping is gone.

So you may need to match on MAC dst rather than src - or did you try with
just -s 192.168.0.22 alone?

Andy.

> iptables -t mangle -A FORWARD -m mac --mac-source 00-0d-87-60-61-37 -j MARK --set-mark 0x2
>
> #iptables -t mangle -A PREROUTING -s 192.168.0.22 -j MARK --set-mark 0x2
> #iptables -t mangle -A PREROUTING -d 192.168.0.22 -j MARK --set-mark 0x2

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] tc filter - based on iptables - MAC - MARK not working - although marking on ip src, dst address works

Daniel Dafoe wrote:

> Reading along the Net it seems that MAC marking is not working with egress
> HTB (because iptables marks packets based on --mac-source). So my only
> choice is using ingress or u32. So this is how I did it:
>
> I called the script below add_shaping
>
> DEV="eth0"
>
> tc qdisc add dev $DEV root handle 1: htb default 20
> tc class add dev $DEV parent 1: classid 1:1 htb rate 200kbps ceil 200kbps
> tc class add dev $DEV parent 1:1 classid 1:15 htb rate 10kbps ceil 13kbps prio 3
> tc class add dev $DEV parent 1:1 classid 1:20 htb rate 150kbps ceil 187kbps prio 2
> tc qdisc add dev $DEV parent 1:15 handle 150: sfq perturb 10
> tc qdisc add dev $DEV parent 1:20 handle 200: sfq perturb 10
>
> U32="tc filter add dev $DEV parent 1:0 protocol ip u32"
>
> for computers in `cat /sistem/class15 | awk '{ print $1 }'`
> do
>     in="`echo $computers | awk '{split($1,a,":"); print a[1]a[2] }'`"
>     fin="`echo $computers | awk '{split($1,a,":"); print a[3]a[4]a[5]a[6] }'`"
>     $U32 match u16 0x0800 0xffff at -2 match u32 0x$fin 0xffffffff at -12 match u16 0x$in 0xffff at -14 classid 1:15
> done
>
> Explanation:
>
> In a file called /sistem/class15 I have a MAC list:
>
> 00:0D:87:60:61:37 JOHNNY
> 00:0E:A6:69:2B:74 HORY
> 00:50:8D:F9:E3:51 GIMMY
>
> The script above (not so elegant I think, but it is my first attempt at awk)
> parses /sistem/class15 and adds filter rules to match classid 1:15.
>
> I'll make scripts for files like /sistem/classxx to match class xx and
> classid 1:xx and so on -- after this I only modify the files:
>
> /sistem/class15
> /sistem/class20
> /sistem/classxx
>
> and run:
>
> tc qdisc del dev eth0 root
>
> (actually I made a new script rm_shaping) and of course run the awk script
> again (./add_shaping).
>
> So finally all I have to do is rm_shaping, add_shaping and my modifications
> of the /sistem/classxx files are loaded --- and shaping works like a charm ...:)

Glad you got it working - I didn't see this when I replied earlier; Mozilla
didn't thread it with the rest.

Andy.
Re: [LARTC] tc filter - based on iptables - MAC - MARK not working - although marking on ip src, dst address works

Reading along the Net it seems that MAC marking is not working with egress
HTB (because iptables marks packets based on --mac-source). So my only
choice is using ingress or u32. So this is how I did it:

I called the script below add_shaping

DEV="eth0"

tc qdisc add dev $DEV root handle 1: htb default 20
tc class add dev $DEV parent 1: classid 1:1 htb rate 200kbps ceil 200kbps
tc class add dev $DEV parent 1:1 classid 1:15 htb rate 10kbps ceil 13kbps prio 3
tc class add dev $DEV parent 1:1 classid 1:20 htb rate 150kbps ceil 187kbps prio 2
tc qdisc add dev $DEV parent 1:15 handle 150: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 200: sfq perturb 10

U32="tc filter add dev $DEV parent 1:0 protocol ip u32"

for computers in `cat /sistem/class15 | awk '{ print $1 }'`
do
    in="`echo $computers | awk '{split($1,a,":"); print a[1]a[2] }'`"
    fin="`echo $computers | awk '{split($1,a,":"); print a[3]a[4]a[5]a[6] }'`"
    $U32 match u16 0x0800 0xffff at -2 match u32 0x$fin 0xffffffff at -12 match u16 0x$in 0xffff at -14 classid 1:15
done

Explanation:

In a file called /sistem/class15 I have a MAC list:

00:0D:87:60:61:37 JOHNNY
00:0E:A6:69:2B:74 HORY
00:50:8D:F9:E3:51 GIMMY

The script above (not so elegant I think, but it is my first attempt at awk)
parses /sistem/class15 and adds filter rules to match classid 1:15.

I'll make scripts for files like /sistem/classxx to match class xx and
classid 1:xx and so on -- after this I only modify the files:

/sistem/class15
/sistem/class20
/sistem/classxx

and run:

tc qdisc del dev eth0 root

(actually I made a new script rm_shaping) and of course run the awk script
again (./add_shaping).

So finally all I have to do is rm_shaping, add_shaping and my modifications
of the /sistem/classxx files are loaded --- and shaping works like a charm ...:)

Best regards
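Daniel's awk loop, rebuilt as an added example (not code from the thread or from any project): a POSIX sh function that turns one MAC address into the u32 match arguments, with input checking, and a generator that reads a class file in the /sistem/class15 format and prints the tc commands instead of running them. It goes one step beyond the thread by also offering the source MAC (u32 at -8, u16 at -4, derived from the Ethernet header layout dst/src/ethertype, which is an assumption not stated in the thread); the device, class id and sample MACs are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: Daniel's awk loop as a function
# with input checking and a dst/src switch.  Assumes an Ethernet device (the
# 14-byte link-layer header sits at negative offsets before the IP header)
# and the thread's class-file format: "<MAC> <hostname>", one per line.

# Print the u32 match arguments for one MAC.
#   $1 = MAC, colon separated, any case
#   $2 = "dst" (default; what the thread's egress script matches) or "src"
# Layout in front of the IP header: dst MAC at -14..-9, src MAC at -8..-3,
# ethertype at -2..-1 (0x0800 = IPv4).  u32 keys stay 4-byte aligned and a
# u16 key picks up the remaining two bytes of the address.
mac_u32_match() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        ??:??:??:??:??:??) ;;
        *) echo "mac_u32_match: bad MAC '$1'" >&2; return 1 ;;
    esac
    hex=$(printf '%s' "$mac" | tr -d ':')
    case "$hex" in
        *[!0-9a-f]*) echo "mac_u32_match: bad MAC '$1'" >&2; return 1 ;;
    esac
    case "${2:-dst}" in
        dst) k32="0x${hex#????} 0xffffffff at -12"; k16="0x${hex%????????} 0xffff at -14" ;;
        src) k32="0x${hex%????} 0xffffffff at -8";  k16="0x${hex#????????} 0xffff at -4" ;;
        *)   echo "mac_u32_match: direction must be dst or src" >&2; return 1 ;;
    esac
    printf 'match u16 0x0800 0xffff at -2 match u32 %s match u16 %s' "$k32" "$k16"
}

# Read a class file on stdin and print one "tc filter add" line per MAC.
#   $1 = minor class id (15 -> classid 1:15), $2 = device
# Blank and "#" lines are skipped; a malformed MAC is reported and skipped
# instead of aborting the whole reload.
gen_filters() {
    while read -r mac _rest; do
        case "$mac" in ''|'#'*) continue ;; esac
        args=$(mac_u32_match "$mac" dst) || continue
        printf 'tc filter add dev %s parent 1:0 protocol ip u32 %s classid 1:%s\n' \
            "$2" "$args" "$1"
    done
}

# Constructed sample in the thread's /sistem/class15 format.  Pipe the output
# into sh once the htb classes from the thread exist on the device.
printf '00:0D:87:60:61:37 JOHNNY\n00:0E:A6:69:2B:74 HORY\n' | gen_filters 15 eth0
```

Because the match keys read the link-layer header, the filter only selects frames on an interface that actually carries one (Ethernet); on ppp or tun devices the negative offsets point at nothing useful.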
Re: [LARTC] tc filter - based on iptables - MAC - MARK not working - although marking on ip src, dst address works

Daniel Dafoe wrote:
>
> I really don't get it:
>
> Recompiled my kernel a dozen times, now it is
> 2.6.11-gentoo-r5, but still packets are marked by
> iptables but not shaped by tc. It only works when I
> mark packets on source/destination IP.
>
> As soon as I comment the last two lines and uncomment the
> first one, shaping is gone.
>
> iptables -t mangle -A FORWARD -m mac --mac-source
> 00-0d-87-60-61-37 -j MARK --set-mark 0x2
>
> #iptables -t mangle -A PREROUTING -s 192.168.0.22 -j
> MARK --set-mark 0x2
> #iptables -t mangle -A PREROUTING -d 192.168.0.22 -j
> MARK --set-mark 0x2
>
> Best regards

See http://kernel.umbrella.ro/net/ and
http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking

Maybe something there will help.

--
gypsy
http://yesican.chsoft.biz/lartc
Re: [LARTC] tc filter - based on iptables - MAC - MARK not working - although marking on ip src, dst address works

I really don't get it:

Recompiled my kernel a dozen times, now it is 2.6.11-gentoo-r5, but still
packets are marked by iptables but not shaped by tc. It only works when I
mark packets on source/destination IP.

As soon as I comment the last two lines and uncomment the first one,
shaping is gone.

iptables -t mangle -A FORWARD -m mac --mac-source 00-0d-87-60-61-37 -j MARK --set-mark 0x2

#iptables -t mangle -A PREROUTING -s 192.168.0.22 -j MARK --set-mark 0x2
#iptables -t mangle -A PREROUTING -d 192.168.0.22 -j MARK --set-mark 0x2

Best regards
Re: [LARTC] tc filter - based on iptables - MAC - MARK not working - although marking on ip src, dst address works

Thanks again for your response.

tc -s qdisc ls dev eth0

qdisc htb 1: r2q 10 default 20 direct_packets_stat 0
 Sent 12664555 bytes 9717 pkts (dropped 0, overlimits 374)
qdisc sfq 150: parent 1:15 limit 128p quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 200: parent 1:20 limit 128p quantum 1514b perturb 10sec
 Sent 12664555 bytes 9717 pkts (dropped 0, overlimits 0)

Strange -> overlimits but not dropped
Re: [LARTC] tc filter - based on iptables - MAC - MARK not working - although marking on ip src, dst address works

Daniel Dafoe wrote:

> --- Andy Furniss <[EMAIL PROTECTED]> wrote:
>
> Thanks for your input: modified DEV="eth0" indeed was a typo -- but still
> no luck with shaping.
>
> iptables -L -vnt mangle
>
> Chain PREROUTING (policy ACCEPT 5172K packets, 2786M bytes)
>  pkts bytes target prot opt in  out source    destination
> 20470 3127K MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MAC 00:0D:87:60:61:37 MARK set 0x2
>
> Chain INPUT (policy ACCEPT 1772K packets, 594M bytes)
>  pkts bytes target prot opt in  out source    destination
>   849  114K MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MAC 00:0D:87:60:61:37 MARK set 0x2
>
> Chain FORWARD (policy ACCEPT 3389K packets, 2191M bytes)
>  pkts bytes target prot opt in  out source    destination
> 19621 3013K MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MAC 00:0D:87:60:61:37 MARK set 0x2

Well, that bit looks OK - can you see these packets going to the sfqs if
you do

tc -s qdisc ls dev eth0

?

I notice from the first post you have a really high ceil and mix kbps and
kbit. bps = bytes per sec -

> tc class add dev $DEV parent 1: classid 1:1 htb rate
> 600kbps ceil 3276800kbit

Andy.
Re: [LARTC] tc filter - based on iptables - MAC - MARK not working - although marking on ip src, dst address works

--- Andy Furniss <[EMAIL PROTECTED]> wrote:

Thanks for your input: modified DEV="eth0" indeed was a typo -- but still
no luck with shaping.

iptables -L -vnt mangle

Chain PREROUTING (policy ACCEPT 5172K packets, 2786M bytes)
 pkts bytes target prot opt in  out source    destination
20470 3127K MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MAC 00:0D:87:60:61:37 MARK set 0x2

Chain INPUT (policy ACCEPT 1772K packets, 594M bytes)
 pkts bytes target prot opt in  out source    destination
  849  114K MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MAC 00:0D:87:60:61:37 MARK set 0x2

Chain FORWARD (policy ACCEPT 3389K packets, 2191M bytes)
 pkts bytes target prot opt in  out source    destination
19621 3013K MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MAC 00:0D:87:60:61:37 MARK set 0x2

Chain OUTPUT (policy ACCEPT 1937K packets, 1567M bytes)
 pkts bytes target prot opt in  out source    destination

Chain POSTROUTING (policy ACCEPT 5306K packets, 3756M bytes)
 pkts bytes target prot opt in  out source    destination

Best regards,
Daniel
Re: [LARTC] tc filter - based on iptables - MAC - MARK not working - although marking on ip src, dst address works

Daniel Dafoe wrote:

> === tc filter - based on iptables - MAC fw marking not working ==
>
> DEV="eth1"

> Tried several times:
>
> tc qdisc del dev eth0 root

eth0?

iptables src MAC works for me with 1.3.1 - can you see the rule and
counters matching with

iptables -L -vnt mangle

?

Andy.
[LARTC] tc filter - based on iptables - MAC - MARK not working - although marking on ip src, dst address works

=== tc filter - based on iptables - MAC fw marking not working ==

DEV="eth1"

tc qdisc add dev $DEV root handle 1: htb default 20
tc class add dev $DEV parent 1: classid 1:1 htb rate 600kbps ceil 3276800kbit
tc class add dev $DEV parent 1:1 classid 1:15 htb rate 3kbps prio 4
tc class add dev $DEV parent 1:1 classid 1:20 htb rate 500kbps prio 3
tc qdisc add dev $DEV parent 1:15 handle 150: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 200: sfq perturb 10

tc filter add dev $DEV parent 1:0 protocol ip prio 3 handle 2 fw classid 1:15
tc filter add dev $DEV parent 1:0 protocol ip prio 2 handle 3 fw classid 1:20

iptables -t mangle -A FORWARD -m mac --mac-source 00:0D:87:60:61:37 -j MARK --set-mark 2
iptables -t mangle -A INPUT -m mac --mac-source 00:0D:87:60:61:37 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mac --mac-source 00:0D:87:60:61:37 -j MARK --set-mark 2

#iptables -t mangle -A FORWARD -s 192.168.0.33 -j MARK --set-mark 0x2
#iptables -t mangle -A FORWARD -d 192.168.0.33 -j MARK --set-mark 0x2

Tried several times:

tc qdisc del dev eth0 root
iptables -F -t mangle

and ran the above script in every possible way, but the damn thing does not
take my MAC into account = I tried to mark on INPUT, FORWARD and PREROUTING
-- none of them seems to work.

If I uncomment and try on -s, -d IP it works great, but I really need to
match MAC addresses.

I looked at my kernel MAC-related config: I have kernel 2.6.10 with:

CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_MARK=y

and other settings (I took almost all related options):

CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
CONFIG_IP_ROUTE_FWMARK=y
etc..

What am I missing here?

Best regards