I have applied the patch to IPTABLES which allows me to use it on a bridge.
The iptables rules are working as I am using it for other things as well.
If you do not have the patch applied, you get an error message when trying
to run IPTABLES.
The one filter rule I am using is as follows:
tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid 1:2a
I have the browsing match into the IPTABLES as it is a simpler one to check
if it is working before I try the FTP connection tracking portion.
Thanks
Wayne
----- Original Message -----
From: "Stef Coene" <stef.coene@docum.org>
To: "Wayne" <wayne@fengshuifont.com>;
<lartc@mailman.ds9a.nl>
Sent: Wednesday, August 20, 2003 2:26 PM
Subject: Re: [LARTC] FTP Connection Tracking in a Bridge
> On Wednesday 20 August 2003 10:48, Wayne wrote:
> > Hello,
> >
> > I have a box running as a bridge and am trying to track the passive FTP
> > sessions by marking them with iptables (CONNMARK option installed) and then
> > trying to pick up the mark using tc filter fwmark. This is not working.
> >
> > I have checked the marking of the packets and this is working fine because
> > I can see the marks when I cat /proc/net/ip_conntrack.
> >
> > Having set up my queues and using the following command:
> >
> > tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid 1:2a
> >
> > I do not get any traffic going in to this queue. I am running kernel
> > 2.4.21.
> >
> > My question is whether the packet that I have marked is actually ever
> > getting to the tc filter. As I am running a bridge, does the packet get
> > marked in iptables PREROUTING, and then go straight to the FORWARD rule and
> > then out.
> >
> > What is the sequence in which iptables processes the packet and then the tc
> > filter processes the packet?
> >
> > Many thanks
> Just wondering, can you really use iptables on a bridge? I thought you have
> to use ebtables : http://www.docum.org/stef.coene/qos/faq/cache/41.html
>
> Stef
>
> --
>
> stef.coene@docum.org
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.oftc.net
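As an added example, not code from either message in this thread, the following script shows the complete marking and classification chain the original question describes: CONNMARK on the FTP control connection, the mark copied back onto each packet, and the same tc fw filter. The names eth1, mark 2 and class 1:2a come from the thread; everything else (the HTB qdisc already existing, ip_conntrack_ftp being loaded, the DRY_RUN switch, the function names) is assumed for the example. The point a practitioner should check first is that a mark shown in /proc/net/ip_conntrack is the connection mark, while the fw classifier matches the packet mark, so a CONNMARK --restore-mark rule is needed before tc can see anything.

```shell
#!/bin/sh
# Added example, not code from the list thread: mark FTP control traffic with
# CONNMARK, copy the connection mark back onto each packet, and classify the
# packets by fwmark with a tc "fw" filter on a bridge port.
# Assumptions (not stated in the thread): the iptables-on-bridge patch is in
# place, ip_conntrack_ftp is loaded, and an HTB qdisc 1: with class 1:2a
# already exists on eth1. Mark value 2 must equal the "handle 2" of the filter.
# Run with DRY_RUN=1 to print the commands instead of executing them.

DEV="${DEV:-eth1}"
MARK="${MARK:-2}"
CLASS="${CLASS:-1:2a}"

# run: execute the command, or print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mangle_rules: set the connection mark once, then restore it onto every packet.
# A mark visible in /proc/net/ip_conntrack is the connection mark; the tc fw
# classifier matches the packet mark (nfmark), which only gets set by
# --restore-mark. Without that rule the filter never matches.
mangle_rules() {
    # new FTP control connections (port 21) get the connection mark
    run iptables -t mangle -A PREROUTING -p tcp --dport 21 -m state --state NEW \
        -j CONNMARK --set-mark "$MARK"
    # the data connection is a separate conntrack entry that the ftp helper
    # reports as RELATED; mark it explicitly rather than relying on the
    # connection mark being inherited from the control connection
    run iptables -t mangle -A PREROUTING -p tcp -m state --state RELATED \
        -j CONNMARK --set-mark "$MARK"
    # copy the connection mark onto the packet so that tc can see it
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
}

# tc_filter: the same filter as in the message, built from the variables above
tc_filter() {
    run tc filter add dev "$DEV" parent 1:2 protocol ip prio 1 \
        handle "$MARK" fw classid "$CLASS"
}

# show_counters: the two places to look when checking whether marks arrive:
# per-rule packet counters in the mangle table and per-class statistics in tc
show_counters() {
    run iptables -t mangle -L PREROUTING -v -n
    run tc -s class show dev "$DEV"
}

# apply everything only when asked to, so that sourcing the file is harmless
if [ "${1:-}" = "apply" ]; then
    mangle_rules
    tc_filter
    show_counters
fi
```

Running the script with DRY_RUN=1 and the argument apply prints the rule set without touching the box; after applying it for real, a non-zero packet counter on the --restore-mark rule together with a rising packet count on class 1:2a in the tc output confirms that marked packets are reaching the filter.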