Hello, Thanks for the answer!
Regarding marking/non-marking: I need to define two classes and two corresponding filters. It's not obvious to me how to define a TC filter which triggers if the packet is from/to a certain IP address and belongs to a certain type of connection (e.g., I need to distinguish ssh traffic from other types of traffic for the same IP). I have found that it is possible, but it looks like the iptables way is much clearer and more straightforward.

But the main problem for me is the need to assign unique ids to classes and marks. Even if I don't use iptables marks, this problem does not disappear: I still need to assign ids, two new class ids for every new connection.

One of the ideas I had on how to avoid this is to assign a VTI for every connection. In this case the TC rules will be applied to this specific VTI. But I do not have any idea how to do it. It looks like https://wiki.strongswan.org/projects/strongswan/wiki/Connmark is used for other purposes (?)

2015-07-31 16:16 GMT+03:00 Noel Kuntze <n...@familie-kuntze.de>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Vitaly,
>
> Assuming the shaping part of the network stack sees incoming ESP/AH packets twice (one time as ESP/AH packets and then one time as their payload, which happens with tcpdump), you don't need to mark the packets at all to shape them. You can just access their properties (IP source/destination, protocol, TOS, ...) using u32 matches in tc and shape on those properties.
>
> If you still want to use iptables to mark packets, then be aware that MARK is _not_ a terminating target.
>
> Because SSH and SCP both work on tcp port 22 and use SSH (no surprise) as session protocol, you can't distinguish them from one another. You need to make the scp client set the TOS field on the packets it sends, so you can tell them apart from SSH packets.
>
>> iptables -t mangle -A INPUT -i $DEV -s $IP -p tcp --tcp-flags ALL ACK -j
>> CONNMARK --set-mark ${MARKFW_ONE}
>
> That rule is completely useless, because the CONNMARK applies to the /whole/ connection. So you'd prioritize the connection, not the packet.

--
WBR & WBW,
Vitaly

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
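The two open questions in the thread are how to write a tc u32 filter that selects traffic for one IP address and one TCP port without iptables marks, and how to hand out unique class ids per connection. The script below is an added example written for this page, not code from the thread or from strongSwan. It only generates tc commands (printing them so they can be reviewed before being piped to `sh` as root); the interface name `eth0`, the root HTB handle `1:`, the starting minor id 10 and the sample IP/port list are all assumptions. Class minor ids are allocated from a counter kept in the main shell, so every (IP, port) pair gets its own `1:N` class without a mark table.

```shell
#!/bin/sh
# Added example (not from the thread): emit tc HTB class + u32 filter commands
# for "TCP port PORT from/to IP" without any iptables marking.
# Assumptions: interface eth0, root HTB qdisc already installed as handle 1:,
# minor class ids allocated upward from 10.

DEV="${DEV:-eth0}"   # assumed shaped interface
PARENT="1:"          # assumed root HTB qdisc handle

# class_rule DEV PARENT MINOR RATE CEIL
# Prints the tc command creating class PARENT+MINOR (e.g. 1:10) under the HTB root.
class_rule() {
    printf 'tc class add dev %s parent %s classid %s%s htb rate %s ceil %s\n' \
        "$1" "$2" "$2" "$3" "$4" "$5"
}

# u32_rule DEV PARENT MINOR IP PORT DIR
# DIR is "src" (packets from IP with source port PORT) or "dst" (packets to IP
# with destination port PORT). The u32 match restricts to TCP (protocol 6) and
# compares the full 16-bit port (mask 0xffff). These matches only work where the
# shaper sees the plaintext packet; an ESP packet carries no TCP ports to match.
u32_rule() {
    case "$6" in
        src) pmatch=sport ;;
        dst) pmatch=dport ;;
        *) echo "u32_rule: direction must be src or dst, got '$6'" >&2; return 1 ;;
    esac
    printf 'tc filter add dev %s parent %s protocol ip prio 1 u32 match ip %s %s/32 match ip protocol 6 0xff match ip %s %s 0xffff flowid %s%s\n' \
        "$1" "$2" "$6" "$4" "$pmatch" "$5" "$2" "$3"
}

# shape_conn DEV PARENT MINOR IP PORT RATE CEIL
# One class plus two filters (both directions) for a single IP/port pair.
shape_conn() {
    class_rule "$1" "$2" "$3" "$6" "$7"
    u32_rule "$1" "$2" "$3" "$4" "$5" src
    u32_rule "$1" "$2" "$3" "$4" "$5" dst
}

# Constructed sample input: peers whose SSH (port 22) traffic gets its own class.
# The counter lives in the main shell (not a subshell) so ids stay unique.
minor=10
for conn in "10.0.0.5 22" "10.0.0.7 22"; do
    set -- $conn
    shape_conn "$DEV" "$PARENT" "$minor" "$1" "$2" 512kbit 2mbit
    minor=$((minor + 1))
done
```

Run it as `./shape.sh | sh` once the root HTB qdisc exists (`tc qdisc add dev eth0 root handle 1: htb`); a class without traffic in either direction is still created, which is cheaper than tracking a mark per connection and keeps the id allocation in one place. Distinguishing scp from interactive ssh still needs the TOS/DSCP value Noel mentions, since both share port 22.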