Hi folks,

Basically I have this:

|Router A| ----- ethernet --- | SWITCH | --- ethernet ---- |ROUTER B|

What I need: to mark packets passing through "ROUTER A" in such a way that the marks remain until they reach "ROUTER B", so that the router can decide what to do with them based on the first router's mark.

The questions:

1. can that be done?
2. if the answer to the first q. is yes, can that be done w/o patching the kernel on the first router w/ experimental patches?

Thank you,
Cezar Atanasiu

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
On Mon 24/11/2003 at 16:16, Cezar Atanasiu wrote:
> Hi folks,
> The questions:
>
> 1. can that be done?

Not that way; fw marks are lost when you leave the computer.

> 2. if the answer to the first q. is yes, can that be done w/o patching
> the kernel on the first router w/ experimental patches?

You can do that in a "capillotracté" (far-fetched) way (such an idea) by using tunnels (GRE or IPIP) and doing some iproute2 on A to push packets into a tunnel corresponding to their mark, and have B route by interface.

BR,
--
Eric Leblond
NuFW, Now User Filtering Works (http://www.nufw.org)
On Mon, 24 Nov 2003 16:43:40 +0100
Eric Leblond <eric@regit.org> wrote:

> On Mon 24/11/2003 at 16:16, Cezar Atanasiu wrote:
> > Hi folks,
> > The questions:
> >
> > 1. can that be done?
>
> Not that way; fw marks are lost when you leave the computer.

I know, that is why I asked.

> > 2. if the answer to the first q. is yes, can that be done w/o
> > patching
> > the kernel on the first router w/ experimental patches?
>
> You can do that in a "capillotracté" (far-fetched) way (such an idea) by using
> tunnels (GRE or IPIP) and doing some iproute2 on A to push packets into a
> tunnel corresponding to their mark, and have B route by interface.

Hmm, that would become too complicated. There is no other way?

> BR,
> --
> Eric Leblond
> NuFW, Now User Filtering Works (http://www.nufw.org)

--
Cezar ATANASIU
GMB Computers
Internet Department
Tel/fax: +40 241 619222/673199
Hi Cezar,

Why not use the TOS mark -- it is carried in the packet's TCP header ... you can only have 8 types/marks however ...

Cheers,
Charles

On Mon, 2003-11-24 at 17:03, Cezar Atanasiu wrote:
> On Mon, 24 Nov 2003 16:43:40 +0100
> Eric Leblond <eric@regit.org> wrote:
>
> > On Mon 24/11/2003 at 16:16, Cezar Atanasiu wrote:
> > > Hi folks,
> > > The questions:
> > >
> > > 1. can that be done?
> >
> > Not that way; fw marks are lost when you leave the computer.
>
> I know, that is why I asked.
>
> > > 2. if the answer to the first q. is yes, can that be done w/o
> > > patching
> > > the kernel on the first router w/ experimental patches?
> >
> > You can do that in a "capillotracté" (far-fetched) way (such an idea) by using
> > tunnels (GRE or IPIP) and doing some iproute2 on A to push packets into a
> > tunnel corresponding to their mark, and have B route by interface.
>
> Hmm, that would become too complicated. There is no other way?
>
> > BR,
> > --
> > Eric Leblond
> > NuFW, Now User Filtering Works (http://www.nufw.org)
In answer to CA's question and EL's response,

Along the same lines, if you encapsulated the marked packet (IP in IP) and set (mangled) the TOS bits in the envelope packet, they could carry the mark without modifying the original packet. It would be a completely non-standard usage of the TOS bits (unless they happened to correspond to the reasons that you are marking packets ;>), but since they wouldn't get out of your area of responsibility, it might provide an easy-to-set-up-and-manage alternative. You would only need one "tunnel" that way, not one for each type of mark...

Of course, you could always filter the packet in user-land, encapsulating in an envelope with the mark data, and re-filter again at the second router (again in user-land), to de-cap and re-mark. No kernel patches needed...

Dick Shorter
dicks@jetsoft.com

----- Original Message <edited> -----
Subject: Re: [LARTC] howto mark packets

> 2. if the answer to the first q. is yes, can that be done w/o patching
> the kernel on the first router w/ experimental patches?

You can do that in a "capillotracté" (far-fetched) way (such an idea) by using tunnels (GRE or IPIP) and doing some iproute2 on A to push packets into a tunnel corresponding to their mark, and have B route by interface.
Hello Cezar,

CA> Hmm, that would become too complicated. There is no other way?

A quick and dirty solution would be to mark packets on Router A by changing the TOS to some known value (iptables -t mangle -j TOS --set-tos ..) and filtering by TOS value on Router B (tc filter u32 match ip tos .. 0xff).

P.Krumins
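The TOS scheme from P.Krumins's reply written out as a rule set, as an added example that is not code from the thread. It covers both halves of the problem: Router A sets the TOS byte on the traffic it has classified, and Router B turns the byte back into a local fwmark (so it can policy-route on it) or, alternatively, classifies it with the u32 filter suggested above. Dick Shorter's IP-in-IP variant is the same Router A rule applied to the tunnel interface instead of the Ethernet link. Every interface name, the 192.168.10.0/24 prefix being tagged, the TOS value 0x10, fwmark 1, table 100 and the 10.1.1.1 next hop are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the LARTC thread: carry a classification from
# Router A to Router B in the IP TOS byte and turn it back into an fwmark on B.
# All interface names, the tagged prefix, the table number and the next hop
# below are assumptions.
#
# DRY_RUN=1 (default) only prints the commands so the rule set can be
# reviewed offline; DRY_RUN=0 executes them (root on Linux, iptables with the
# TOS target/match, iproute2, tc).

DRY_RUN=${DRY_RUN:-1}
A_WAN=${A_WAN:-eth1}                        # Router A: interface toward the switch
B_IN=${B_IN:-eth0}                          # Router B: interface facing the switch
B_OUT=${B_OUT:-eth1}                        # Router B: interface tagged traffic leaves on
TAGGED_NET=${TAGGED_NET:-192.168.10.0/24}   # traffic A wants to flag (assumed)
TOS_VALUE=0x10      # the "mark" on the wire (Minimize-Delay in the old TOS names)
TOS_MASK=0xfc       # six DSCP bits only; the low two bits are ECN and stay untouched
FWMARK=1
TABLE=100
NEXT_HOP=${NEXT_HOP:-10.1.1.1}              # assumed alternative gateway on B

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Router A. First clear the byte on everything leaving toward B, so a host
# behind A cannot pre-set the value and claim the mark for itself; then set it
# only on the traffic A has classified.
router_a_rules() {
    run iptables -t mangle -A POSTROUTING -o "$A_WAN" \
        -j TOS --set-tos 0x00/"$TOS_MASK"
    run iptables -t mangle -A POSTROUTING -o "$A_WAN" -s "$TAGGED_NET" \
        -j TOS --set-tos "$TOS_VALUE"/"$TOS_MASK"
}

# Router B, netfilter variant: trust the byte only on the interface A sits
# behind, convert it to a local fwmark and route that mark via its own table.
router_b_rules() {
    run iptables -t mangle -A PREROUTING -i "$B_IN" \
        -m tos --tos "$TOS_VALUE"/"$TOS_MASK" -j MARK --set-mark "$FWMARK"
    run ip rule add fwmark "$FWMARK" table "$TABLE"
    run ip route add default via "$NEXT_HOP" table "$TABLE"
}

# Router B, tc variant as in the thread: classify by TOS with a u32 filter.
# Installs an HTB root qdisc on B_OUT; class 1:10 is what tagged traffic gets.
router_b_tc_rules() {
    run tc qdisc add dev "$B_OUT" root handle 1: htb default 20
    run tc class add dev "$B_OUT" parent 1: classid 1:10 htb rate 1mbit
    run tc class add dev "$B_OUT" parent 1: classid 1:20 htb rate 8mbit
    run tc filter add dev "$B_OUT" parent 1: protocol ip prio 1 \
        u32 match ip tos "$TOS_VALUE" "$TOS_MASK" flowid 1:10
}

echo "# Router A"
router_a_rules
echo "# Router B (fwmark + policy routing)"
router_b_rules
echo "# Router B (tc classification)"
router_b_tc_rules
```

The byte lives in the IP header, not the TCP header, so it survives exactly as far as nothing in between rewrites it: a plain switch leaves it alone, a DSCP-remarking device or an untrusted upstream hop would not, which is why B matches it only on the interface that A is directly behind. The value/mask form of `--set-tos` and `--tos` needs the newer xt_TOS/xt_tos modules; the original ipt_TOS target accepted only the five legacy values without a mask, so on such a kernel drop the `/0xfc`.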