> Mike Lander wrote:
>
> >
> > Does this look better?
>
> It did what I expected
>
> -Tom

The fwmark classifiers are now lower than the u32. Also I put a persistent
ping through the tunnel which went to the expected class2.
And behold, the hit count went up on the u32 class in eth1 and tun1 but
it did not match class1.

Then I did a VoIP call and the ping was not in class1 as before with the tc
rules were allowing. Also before the patch when I tried the same
test, ping latency went way up with lost packets.
After the patch latency hardly fluctuated at all with a response average
of 40ms. This should work great, Tom.

I had asked in my last post about using a tos mark on a packet that had already
made it through the tunnel, such as below. Would this be "silly" as you sometimes
describe? As in, on this firewall should I remove the tos=0x14/0xfc since
it does not match, it seems. Below is tun2, which has the same results as eth1.
Also see that exactly as expected the other traffic through the tunnel
does not get the fast lane using passtoss. However I wonder if passtoss
is even needed here since there seems to be no match after getting through.
But it will make it nice for downstream layer two stuff, i.e. wireless bridges.
Is there a way to convert the tos bit to make it friendly with
dscp, like if tos was set to 14 like on one of my firewalls? CoS in my layer
two stuff reads the first 6 bits I believe. Would not that equate
to the 0x2E 46 ef decimal 5 I believe. Then my layer two bridges would
read the first 6 bits as ef46? And be a good traffic cop as well across
to other buildings wirelessly?

eth1   1   full     full        1   tos=0x14/0xfc,tos=0x1c/0xfc
eth1   2   full/2   full        2   tcp-ack,tos-minimize-delay
eth1   3   full/4   full        3   default
eth1   4   full/8   full*8/10   4
#
tun0   1   full     full        1
tun0   2   full/4   full        2   tcp-ack,tos-minimize-delay
tun0   3   full/4   full        3   default
tun0   4   full/8   full*8/10   4

Device tun2:
filter parent 5: protocol ip pref 10 u32
filter parent 5: protocol ip pref 10 u32 fh 800: ht divisor 1
filter parent 5: protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0
  flowid 5:11 (rule hit 1803 success 0)
  match 00140000/00fc0000 at 0 (success 0 )
filter parent 5: protocol ip pref 10 u32 fh 800::801 order 2049 key ht 800 bkt 0
  flowid 5:11 (rule hit 1803 success 568)
  match 001c0000/00fc0000 at 0 (success 568 )
filter parent 5: protocol ip pref 10 u32 fh 800::802 order 2050 key ht 800 bkt 0
  flowid 5:12 (rule hit 1235 success 0)
  match 00060000/00ff0000 at 8 (success 0 )
  match 05000000/0f00ffc0 at 0 (success 0 )
  match 00100000/00ff0000 at 32 (success 0 )
filter parent 5: protocol ip pref 10 u32 fh 800::803 order 2051 key ht 800 bkt 0
  flowid 5:12 (rule hit 1235 success 0)
  match 00100000/00100000 at 0 (success 0 )
filter parent 5: protocol all pref 20 fw
filter parent 5: protocol all pref 20 fw handle 0x1 classid 5:11
filter parent 5: protocol all pref 20 fw handle 0x2 classid 5:12
filter parent 5: protocol all pref 20 fw handle 0x3 classid 5:13
filter parent 5: protocol all pref 20 fw handle 0x4 classid 5:14

Thank you,
Mike
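
The u32 lines in the tun2 listing compare one masked 32-bit word of the IPv4 header; the TOS byte is the second byte of word 0, and DSCP is its top six bits. The Python below is an added example, not part of the message above or of Shorewall: the match strings are copied from the listing, while the helper names and the constructed 20-byte headers are assumptions made for illustration.

```python
import re
import struct

# u32 match lines copied from the tun2 listing in the message above.
TC_MATCHES = [
    "match 00140000/00fc0000 at 0",   # tos=0x14/0xfc
    "match 001c0000/00fc0000 at 0",   # tos=0x1c/0xfc
    "match 00100000/00100000 at 0",   # tos-minimize-delay
]

def parse_match(line):
    """Return (value, mask, offset) from a 'match VALUE/MASK at OFFSET' line."""
    m = re.search(r"match ([0-9a-f]{8})/([0-9a-f]{8}) at (\d+)", line)
    if m is None:
        raise ValueError(f"not a u32 match line: {line!r}")
    return int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))

def u32_hits(packet, value, mask, offset):
    """u32 compares the big-endian 32-bit word at offset, under mask, to value."""
    if offset + 4 > len(packet):
        return False  # word lies outside the packet: no match
    (word,) = struct.unpack_from("!I", packet, offset)
    return (word & mask) == value

def ipv4_header(tos):
    """Constructed 20-byte IPv4 header (ICMP, 10.0.0.1 -> 10.0.0.2), checksum 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 1, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def dscp_of(tos):
    """DSCP is the top six bits of the TOS byte; the low two bits are ECN."""
    return tos >> 2

def tos_of(dscp):
    """TOS byte that carries a given DSCP code point with ECN bits clear."""
    return (dscp & 0x3F) << 2

def classify(tos):
    """Match lines from TC_MATCHES that hit a packet with this TOS byte."""
    pkt = ipv4_header(tos)
    return [m for m in TC_MATCHES if u32_hits(pkt, *parse_match(m))]

if __name__ == "__main__":
    for tos in (0x14, 0x1C, tos_of(46), 0x00):   # tos_of(46) is EF, 0xb8
        print(f"tos=0x{tos:02x} dscp={dscp_of(tos):2d} hits={classify(tos)}")
```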