Hello, I try to use iptables rules to drop Skype traffic. The iptables rule is:

iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x01020304' -j ACCEPT

The problem I encounter is that I can't have the match u32 for iptables. Could someone help me?
On Thu, 2006-06-22 at 09:21 +0200, gerald HUET wrote:
> hello,
>
> I try to use iptables rules to drop skype trafic. The
> iptables rule is :
> iptables -I FORWARD -p udp -m length --length 39 -m
> u32 --u32 '27&0x8f=7' --u32 '31=0x01020304' -j ACCEPT

Interesting match... but doesn't Skype work on TCP, too, if UDP doesn't work? I've been told it even runs over an HTTP proxy when there's no direct internet connection available.

> the problem I encounter is that i can't have the match
> u32 for iptables. Could someone help me ?

Yes, the u32 match is in the netfilter patch-o-matic repository. You can get the new iptables and patch-o-matic code using subversion, like this:

svn co http://svn.netfilter.org/netfilter/trunk/iptables
svn co http://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng

After that, you need to prepare kernel sources and use the 'runme' script in patch-o-matic-ng to patch iptables and your kernel sources.

Hth,
Torsten
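The match half of the posted rule is easier to reason about once the u32 semantics are spelled out. The Python below is an added example, not code from the thread or from netfilter: it re-implements, for a packet held in memory, what xt_u32 does with the two expressions together with the -p udp -m length --length 39 part. Offsets count from the first byte of the IPv4 header, each load reads four bytes big-endian, a load that would run past the end of the packet fails the match, and only the OFF[&MASK]=VALUE[:VALUE][,...] form used by the rule is supported (no '@' or shift operators). The packets are constructed purely to exercise the rule; nothing here claims they resemble what Skype sends. Function names, addresses and ports are my own choices.

```python
import socket
import struct


def u32_load(pkt: bytes, offset: int):
    """Return the 32-bit big-endian word at IP-header offset 'offset',
    or None if the four bytes do not fit inside the packet (xt_u32 fails then)."""
    if offset < 0 or offset + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, offset)[0]


def u32_match(pkt: bytes, expr: str) -> bool:
    """Evaluate one --u32 expression of the form OFF[&MASK]=V1[:V2][,V3[:V4]...]."""
    lhs, rhs = expr.split("=", 1)
    if "&" in lhs:
        off_s, mask_s = lhs.split("&", 1)
        mask = int(mask_s, 0)
    else:
        off_s, mask = lhs, 0xFFFFFFFF
    word = u32_load(pkt, int(off_s, 0))
    if word is None:
        return False
    word &= mask
    for rng in rhs.split(","):          # value list: match if any range contains the word
        lo_s, _, hi_s = rng.partition(":")
        lo = int(lo_s, 0)
        hi = int(hi_s, 0) if hi_s else lo
        if lo <= word <= hi:
            return True
    return False


def posted_rule_matches(pkt: bytes) -> bool:
    """Match part of the posted rule:
    -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x01020304'"""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return False
    total_len = struct.unpack_from("!H", pkt, 2)[0]   # -m length compares the IP total length
    proto = pkt[9]
    if proto != 17 or total_len != 39:
        return False
    return all(u32_match(pkt, e) for e in ("27&0x8f=7", "31=0x01020304"))


def build_udp_packet(payload: bytes, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Constructed IPv4/UDP packet; checksums are left zero, the match never reads them."""
    total = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", 40000, 40001, 8 + len(payload), 0)
    return ip + udp + payload


# Constructed samples. The UDP payload starts at IP offset 28, so the word
# loaded at 27 is [udp csum low byte, payload[0], payload[1], payload[2]] and
# the mask 0x8f only looks at payload[2]: 0x77 & 0x8f == 0x07. The word at 31
# is payload[3..6], which must read 01 02 03 04. Eleven payload bytes give an
# IP total length of 20 + 8 + 11 = 39, which is what --length 39 requires.
SAMPLE_MATCH = build_udp_packet(bytes([0xAA, 0xBB, 0x77, 0x01, 0x02, 0x03, 0x04, 0, 0, 0, 0]))
SAMPLE_MISS = build_udp_packet(bytes([0xAA, 0xBB, 0x77, 0x01, 0x02, 0x03, 0x05, 0, 0, 0, 0]))
SAMPLE_SHORT = build_udp_packet(bytes([0xAA, 0xBB, 0x77, 0x01, 0x02, 0x03, 0x04, 0, 0, 0]))

if __name__ == "__main__":
    for name, pkt in (("match", SAMPLE_MATCH), ("miss", SAMPLE_MISS), ("short", SAMPLE_SHORT)):
        print(name, len(pkt), posted_rule_matches(pkt))
```

The same evaluator reproduces the example from the iptables man page: '6&0xff=1' loads bytes 6..9 and keeps the low byte, which is the IPv4 protocol field, so '6&0xff=17' is another way of writing -p udp. Note that a read at offset 36 on a 39-byte packet fails outright rather than matching zero padding; that is why the --length match and the u32 offsets have to agree.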
Hi all,

Is it possible to use TC (HTB) on VLAN interfaces? Where can I find more documentation?

Thanks a lot
On Thu, 2006-06-22 at 11:28 -0300, Luciano wrote:
> Hi all,
>
> Is it possible to use TC (HTB) in vlan interfaces ?
> Where can I find more documentation ?

Yes, that is possible. VLAN interfaces are really different from the physical interface they reside on, kernel-wise.

For example, if you put a 1 MBit HTB on eth0, but no qdisc on VLAN device eth0.1, traffic through eth0.1 won't be throttled at all. I suspect the same goes for iptables rules (but didn't try that yet).

For documentation, see the LARTC howto and the docs on the HTB home page. There are also some ready-made shaping scripts which can help you understand how all this works.

Regards,
Torsten
Torsten Luettgert wrote:
> On Thu, 2006-06-22 at 11:28 -0300, Luciano wrote:
>
>> Hi all,
>>
>> Is it possible to use TC (HTB) in vlan interfaces ?
>> Where can I find more documentation ?
>
> Yes, that is possible. VLAN interfaces are really
> different from the physical interface they reside
> on, kernel-wise.
>
> For example, if you put a 1 MBit HTB on eth0,
> but no qdisc on VLAN device eth0.1, traffic through
> eth0.1 won't be throttled at all. I suspect the same
> goes for iptables rules (but didn't try that yet).

Let me explain...

Due to the fact that VLAN IDs add some 4 bytes to the header of the packet, tc filter does not work properly unless you feed it with an offset and a hex match. I use 802.1q and TC with iptables and tc filter rules based on iptables mark with great success. I admit it is more complicated this way, but it works...

iptables -A FORWARD -t mangle -d xxx.xxx.xxx.xxx -j MARK --set-mark 12
iptables -A FORWARD -t mangle -d xxx.xxx.xxx.xxx -j RETURN

tc class add dev eth0 parent 10:1 classid 10:112 htb rate 20Mbit ceil 20Mbit
..............
tc filter add dev eth0 parent 10:0 protocol 802.1q prio 90 handle 12 fw flowid 10:112
tc qdisc add dev eth0 parent 10:112 handle 10112 sfq perturb 10

class htb 10:112 parent 10:1 leaf 112: prio 0 rate 20000Kbit ceil 20000Kbit burst 2Kb cburst 11597b
 Sent 9638423935 bytes 12057262 pkt (dropped 0, overlimits 0 requeues 0)
 rate 268048bit 37pps backlog 0b 0p requeues 0
 lended: 11929727 borrowed: 127535 giants: 0
 tokens: 806 ctokens: 4719

> For documentation, see the LARTC howto and the docs
> on the HTB home page. There are also some ready-made
> shaping scripts which can help you understanding how
> all this works.
>
> Regards,
> Torsten
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
On Fri, 2006-06-23 at 01:17 +0300, Radu Oprisan wrote:
> Torsten Luettgert wrote:
> > On Thu, 2006-06-22 at 11:28 -0300, Luciano wrote:
>
> Let me explain...
> Due to the fact that vlan id's add some 4 bytes to the header of the
> packet, tc filter does not work properly unless you feed it with an
> offset and a hex match. I use 802.1q and TC with iptables and tc filter
> rules based on iptables mark with great success. I admit it is more
> complicated this way, but it works...
>
> iptables -A FORWARD -t mangle -d xxx.xxx.xxx.xxx -j MARK --set-mark 12
> iptables -A FORWARD -t mangle -d xxx.xxx.xxx.xxx -j RETURN

Oh, I see. Didn't ever think of those problems, because I never use tc filters. My setup would look like

iptables -t mangle -A FORWARD -d x.y.z.t -j CLASSIFY --set-class 10:112

which removes a bit of the complexity.

Regards,
Torsten
How will it work for 150kpps? I think the solution is hashing filters, and this can't be done with iptables -j CLASSIFY ... I think!

PS: Does anyone use IFB instead of IMQ?

Torsten Luettgert <t.luettgert@pressestimmen.de> wrote:
> On Fri, 2006-06-23 at 01:17 +0300, Radu Oprisan wrote:
> > Torsten Luettgert wrote:
> > > On Thu, 2006-06-22 at 11:28 -0300, Luciano wrote:
> >
> > Let me explain...
> > Due to the fact that vlan id's add some 4 bytes to the header of the
> > packet, tc filter does not work properly unless you feed it with an
> > offset and a hex match. I use 802.1q and TC with iptables and tc filter
> > rules based on iptables mark with great success. I admit it is more
> > complicated this way, but it works...
> >
> > iptables -A FORWARD -t mangle -d xxx.xxx.xxx.xxx -j MARK --set-mark 12
> > iptables -A FORWARD -t mangle -d xxx.xxx.xxx.xxx -j RETURN
>
> Oh, I see. Didn't ever think of those problems, because I never
> use tc filters. My setup would look like
>
> iptables -t mangle -A FORWARD -d x.y.z.t -j CLASSIFY --set-class 10:112
>
> which removes a bit of the complexity.
>
> Regards,
> Torsten
Torsten Luettgert wrote:
> On Fri, 2006-06-23 at 01:17 +0300, Radu Oprisan wrote:
>
>> Torsten Luettgert wrote:
>>
>>> On Thu, 2006-06-22 at 11:28 -0300, Luciano wrote:
>>
>> Let me explain...
>> Due to the fact that vlan id's add some 4 bytes to the header of the
>> packet, tc filter does not work properly unless you feed it with an
>> offset and a hex match. I use 802.1q and TC with iptables and tc filter
>> rules based on iptables mark with great success. I admit it is more
>> complicated this way, but it works...
>>
>> iptables -A FORWARD -t mangle -d xxx.xxx.xxx.xxx -j MARK --set-mark 12
>> iptables -A FORWARD -t mangle -d xxx.xxx.xxx.xxx -j RETURN
>
> Oh, I see. Didn't ever think of those problems, because I never
> use tc filters. My setup would look like
>
> iptables -t mangle -A FORWARD -d x.y.z.t -j CLASSIFY --set-class 10:112

Ok, you can do it with -j CLASSIFY ... forgot about that. But anyway, the best solution for this if you want speed is to adapt, as in, use the offset trick in u32. I had an email once from somebody who was kind enough to assist me in this problem and if I find it, I will gladly post the translation.

Btw, all this marking and -j CLASSIFY uses quite a bit of processing power, which amounts to a bigger timespan from the time the packet enters the system until it finally leaves it.

> which removes a bit of the complexity.
>
> Regards,
> Torsten
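Radu's "offset trick" here, and his earlier point that the VLAN tag pushes every IP field four bytes further into the frame, as an added example that is not his filter and not code from the list. The assumptions, which the thread does not spell out and which should be checked against the kernel in use, are: tc u32 'at' offsets count from the start of the network-layer data that follows the 14-byte Ethernet header, and on a frame seen through 'protocol 802.1q' that data begins with the 4-byte tag (TCI plus encapsulated EtherType), so the IPv4 destination address that sits at offset 16 in an untagged frame sits at offset 20 in a tagged one. The frames, addresses and function names are constructed for the example.

```python
import socket
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
ETH_HDR_LEN = 14      # dst MAC, src MAC, EtherType
VLAN_TAG_LEN = 4      # TCI (2) + encapsulated EtherType (2)
IPV4_DST_OFF = 16     # destination address inside the IPv4 header


def build_frame(dst_ip: str, vlan_id=None) -> bytes:
    """Constructed Ethernet frame: optional 802.1Q tag, minimal IPv4 header, 4 payload bytes."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, 17, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton(dst_ip)) + b"\x00" * 4
    if vlan_id is None:
        return eth + struct.pack("!H", ETH_P_IP) + ip
    tci = vlan_id & 0x0FFF                     # priority 0, CFI 0, 12-bit VLAN ID
    return eth + struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_IP) + ip


def network_data(frame: bytes) -> bytes:
    """Bytes the u32 offsets are measured from (assumption stated in the lead-in)."""
    return frame[ETH_HDR_LEN:]


def u32_dst_match(dst_ip: str, tagged: bool):
    """(value, mask, offset) for 'match u32 VALUE MASK at OFFSET' selecting dst_ip."""
    offset = IPV4_DST_OFF + (VLAN_TAG_LEN if tagged else 0)
    value = struct.unpack("!I", socket.inet_aton(dst_ip))[0]
    return value, 0xFFFFFFFF, offset


def u32_selector_hits(frame: bytes, value: int, mask: int, offset: int) -> bool:
    """Apply one u32 selector to a frame the way the classifier would."""
    data = network_data(frame)
    if offset + 4 > len(data):
        return False
    return (struct.unpack_from("!I", data, offset)[0] & mask) == value


def tc_filter_line(dev: str, parent: str, dst_ip: str, vlan_id=None, flowid="10:112") -> str:
    """Render the tc command; 'protocol 802.1q' is what lets the filter see tagged frames."""
    value, mask, offset = u32_dst_match(dst_ip, vlan_id is not None)
    proto = "802.1q" if vlan_id is not None else "ip"
    return (f"tc filter add dev {dev} parent {parent} protocol {proto} prio 90 "
            f"u32 match u32 0x{value:08x} 0x{mask:08x} at {offset} flowid {flowid}")


if __name__ == "__main__":
    untagged = build_frame("192.0.2.10")
    tagged = build_frame("192.0.2.10", vlan_id=100)
    v, m, o = u32_dst_match("192.0.2.10", tagged=False)
    print("untagged filter on untagged frame:", u32_selector_hits(untagged, v, m, o))
    print("untagged filter on tagged frame:  ", u32_selector_hits(tagged, v, m, o))
    print(tc_filter_line("eth0", "10:0", "192.0.2.10", vlan_id=100))
```

The miss on the tagged frame is exactly the failure Radu describes: at offset 16 the old filter now reads the source address instead of the destination, so it silently classifies nothing. Unlike the MARK plus fw approach, the resulting filter does its lookup inside the classifier alone, which is the speed argument made above.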