<html><head><meta name="qrichtext" content="1" /></head><body style="font-size:10pt;font-family:Sans">
<p><span style="font-family:Courier 10 Pitch">Hello list members,</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">Finally I'm here after a week of trying to subscribe to this list... phew...</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">Anyway... I have a rather strange problem with tc. I am trying to police the ingress traffic into my network using the iptables MARK feature (in the mangle table, PREROUTING), but it seems that the tc filters ignore these marks and they don't work at all for me. Let me explain in a bit more detail:</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">I have a server behind my linux-firewall box (the firewall runs a custom-built 2.6.10 kernel, iproute2-2.6.11, iptables-1.3.1, gcc-3.4.3), for which I want to limit the incoming traffic to certain limits (for testing I chose 100kbit rate, 100kbit burst, mtu 1500). The server IP address behind the firewall is 192.168.1.218, attached to the eth0 interface. Interface eth1 on the firewall faces the incoming traffic from the outside world:</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">                         eth0 eth1</span></p>
<p><span style="font-family:Courier 10 Pitch">Server|----------|linux|----------|outside</span></p>
<p><span style="font-family:Courier 10 Pitch"> 192.168.1.0/24 192.168.2.0/24</span></p>
<p><span style="font-family:Courier 10 Pitch">.218 .99 .100</span></p>
<p></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">Now, I've created an iptables rule like this:</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">iptables -t mangle -I PREROUTING -i eth1 -p tcp -d 192.168.1.218 --dport 22 -j MARK --set-mark 1</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">After this, I added the ingress qdisc and then the filter with tc:</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">tc qdisc add dev eth1 handle ffff: ingress</span></p>
<p><span style="font-family:Courier 10 Pitch">tc filter add dev eth1 parent ffff: \</span></p>
<p><span style="font-family:Courier 10 Pitch">        protocol ip prio 50 handle 1 fw \</span></p>
<p><span style="font-family:Courier 10 Pitch">        police rate 100kbit burst 100kbit mtu 1500 drop \</span></p>
<p><span style="font-family:Courier 10 Pitch">        flowid :1</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">I was trying to simulate some traffic from outside towards the server using an sftp transfer (I try to limit port 22 access). The total available bandwidth without filters is around 1Mbit/sec. The file to transfer is quite large (11 MBytes). The results from</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">tc -d -s filter show dev eth1 parent ffff:</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">show that no packet was dropped (the output is below)</span></p>
<p></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">filter protocol ip pref 50 fw</span></p>
<p><span style="font-family:Courier 10 Pitch">filter protocol ip pref 50 fw handle 0x1 classid :1</span></p>
<p><span style="font-family:Courier 10 Pitch">police 0x6 rate 100000bit burst 12799b mtu 1500b action drop ref 1 bind 1</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch"> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">qdisc pfifo_fast 0: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1</span></p>
<p><span style="font-family:Courier 10 Pitch"> Sent 6823868 bytes 112558 pkt (dropped 0, overlimits 0 requeues 0)</span></p>
<p><span style="font-family:Courier 10 Pitch"> rate 0bit 0pps backlog 0b 0p requeues 0</span></p>
<p><span style="font-family:Courier 10 Pitch">qdisc ingress ffff: ----------------</span></p>
<p><span style="font-family:Courier 10 Pitch"> Sent 4451034 bytes 9297 pkt (dropped 0, overlimits 0 requeues 0)</span></p>
<p><span style="font-family:Courier 10 Pitch"> rate 0bit 0pps backlog 0b 0p requeues 0</span></p>
<p></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">although the packets are marked by iptables (the packet and traffic counters are incremented for that specific MARK rule).</span></p>
<p></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">What puzzled me is that using u32 classifiers with tc (match by IP, port, protocol) for the same kind of traffic everything works just perfectly: the available incoming bandwidth to the server is limited to what I want it to be and I can see that the filter is dropping the packets.</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">Obviously the logical thing is to use the u32 classifiers instead of iptables marks, but I want to keep the classification done by iptables, as I also make some decisions there about which traffic is allowed (what is more, I have customised a start-up script for iptables to match my needs using different switches and predefined variables for ports and IP addresses). I also have another reason not to use u32 classifiers: I cannot get the logic behind the pattern/mask for selecting a certain port range for tcp/udp traffic (I've tried to match my traffic using u32 pattern/mask rules for a port range after reading some documentation and I still can't make it work; I'm doing something wrong for sure - this is just me, so ignore it, I'll get it right after more reading).</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">Any chance I could get some help with my problem (iptables marking the packets and tc filtering by these marks)?</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">BTW, I have tried older versions of iproute2 with different versions of iptables and kernel 2.6.x and 2.4.x as well, but still no luck. I have also followed the thread at:</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">http://mailman.ds9a.nl/pipermail/lartc/2005q1/014673.html</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">posted by Catalin, which looks great but still no match by fwmark.</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">Should I suspect wrong iptables behavior? Or is it just my stupid brain that tricks me again?</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">Any help is much appreciated.</span></p>
<p></p>
<p><span style="font-family:Courier 10 Pitch">Kind regards,</span></p>
<p><span style="font-family:Courier 10 Pitch">Adrian</span></p>
<p></p>
<p></p>
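<p><span style="font-family:Courier 10 Pitch">As an added example (not part of Adrian's post): a small Python check that parses the two tc statistics listings quoted above and reports every filter whose counters stayed at zero while its parent qdisc did forward packets, which is exactly the "installed but never matching" symptom described. The sample text is constructed from the figures in the post, not captured live, and the parent name "ingress" is a parameter assumed here.</span></p>

```python
import re

# Constructed samples in the shape of the 'tc -d -s filter show dev eth1
# parent ffff:' and 'tc -s qdisc show dev eth1' output quoted in the post
# above; the numbers are the post's, the lines are not live output.
FILTER_OUTPUT = """\
filter protocol ip pref 50 fw
filter protocol ip pref 50 fw handle 0x1 classid :1
 police 0x6 rate 100000bit burst 12799b mtu 1500b action drop ref 1 bind 1
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
"""
QDISC_OUTPUT = """\
qdisc pfifo_fast 0: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 6823868 bytes 112558 pkt (dropped 0, overlimits 0 requeues 0)
qdisc ingress ffff: ----------------
 Sent 4451034 bytes 9297 pkt (dropped 0, overlimits 0 requeues 0)
"""

SENT_RE = re.compile(r"Sent (?P<bytes>\d+) bytes (?P<pkts>\d+) pkts? "
                     r"\(dropped (?P<dropped>\d+), overlimits (?P<overlimits>\d+)")

def parse_tc_stats(text):
    """Split 'tc -s ... show' output into entries with their counters.
    A 'filter'/'qdisc'/'class' line opens an entry; the next 'Sent ...'
    line supplies its statistics. Entries without a Sent line (such as
    the bare 'filter protocol ip pref 50 fw' list header) are dropped."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(("filter ", "qdisc ", "class ")):
            entries.append({"header": s, "stats": None})
        elif s.startswith("Sent ") and entries:
            m = SENT_RE.match(s)
            if m:
                entries[-1]["stats"] = {k: int(v) for k, v in m.groupdict().items()}
    return [e for e in entries if e["stats"] is not None]

def unmatched_filters(filter_text, qdisc_text, parent="ingress"):
    """Return the headers of filters that counted zero packets although
    their parent qdisc forwarded traffic: the symptom described above
    (the policer is installed but the fwmark never selects a packet)."""
    parent_pkts = sum(e["stats"]["pkts"] for e in parse_tc_stats(qdisc_text)
                      if e["header"].startswith("qdisc " + parent))
    if parent_pkts == 0:
        return []   # no traffic reached the qdisc, so nothing can be concluded
    return [e["header"] for e in parse_tc_stats(filter_text)
            if e["stats"]["pkts"] == 0]
```

Run it after the transfer with the live output of the two tc commands; an empty result means every filter on the parent saw traffic, so the remaining question is whether the policer's dropped/overlimits counters move.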
</body></html>