Hi all,

I am trying to prioritise outgoing traffic based on UID of the sender.
Script follows:

# First mark packets with their respective priority

iptables -t mangle -F OUTPUT

iptables -t mangle -A OUTPUT -m owner --uid-owner root -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -m owner --uid-owner aigarius -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -m owner --uid-owner bind -j MARK --set-mark 3
iptables -t mangle -A OUTPUT -m owner --uid-owner proxy -j MARK --set-mark 4
iptables -t mangle -A OUTPUT -m owner --uid-owner nobody -j MARK --set-mark 5
iptables -t mangle -A OUTPUT -m owner --uid-owner www-data -j MARK --set-mark 6
iptables -t mangle -A OUTPUT -m owner --uid-owner ftp -j MARK --set-mark 7
iptables -t mangle -A OUTPUT -m owner --uid-owner ivarix -j MARK --set-mark 8
iptables -t mangle -A OUTPUT -m owner --uid-owner blacky -j MARK --set-mark 9
iptables -t mangle -A OUTPUT -j MARK --set-mark 666

# now make outgoing traffic classes
# clean existing qdiscs, hide errors
/home/aigarius/bin/tc qdisc del dev eth0 root 2> /dev/null > /dev/null

/home/aigarius/bin/tc qdisc add dev eth0 root handle 1: htb
/home/aigarius/bin/tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit burst 64k
/home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:10 htb rate 100mbit burst 64k prio 1
/home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:20 htb rate 100mbit burst 64k prio 2
/home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:30 htb rate 100mbit burst 64k prio 3
/home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:40 htb rate 100mbit burst 64k prio 4
/home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:50 htb rate 100mbit burst 64k prio 5
/home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:60 htb rate 100mbit burst 64k prio 6
/home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:70 htb rate 100mbit burst 64k prio 7
/home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:80 htb rate 100mbit burst 64k prio 8
/home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:90 htb rate 100mbit burst 64k prio 9
/home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:666 htb rate 10mbit burst 64k prio 20
# all get Stochastic Fairness:
/home/aigarius/bin/tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
/home/aigarius/bin/tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
/home/aigarius/bin/tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
/home/aigarius/bin/tc qdisc add dev eth0 parent 1:40 handle 40: sfq perturb 10
/home/aigarius/bin/tc qdisc add dev eth0 parent 1:50 handle 50: sfq perturb 10
/home/aigarius/bin/tc qdisc add dev eth0 parent 1:60 handle 60: sfq perturb 10
/home/aigarius/bin/tc qdisc add dev eth0 parent 1:70 handle 70: sfq perturb 10
/home/aigarius/bin/tc qdisc add dev eth0 parent 1:80 handle 80: sfq perturb 10
/home/aigarius/bin/tc qdisc add dev eth0 parent 1:90 handle 90: sfq perturb 10
/home/aigarius/bin/tc qdisc add dev eth0 parent 1:666 handle 666: sfq perturb 10
# Filter traffic into classes
/home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 1 fw flowid 1:10
/home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 2 fw flowid 1:20
/home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 3 fw flowid 1:30
/home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 4 fw flowid 1:40
/home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 5 fw flowid 1:50
/home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 6 fw flowid 1:60
/home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 7 fw flowid 1:70
/home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 8 fw flowid 1:80
/home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 9 fw flowid 1:90
/home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 666 fw flowid 1:666

--- END OF SCRIPT ---

Problem:
no shaping is done

# tc -s qdisc show
qdisc sfq 666: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 679086470 bytes 985634 pkts (dropped 0, overlimits 0)

qdisc sfq 90: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 80: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 70: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 60: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 50: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 40: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 30: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 20: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 10: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc htb 1: dev eth0 r2q 10 default 0 direct_packets_stat 778 ver 3.6
 Sent 679175569 bytes 986412 pkts (dropped 0, overlimits 9647)

#iptables -v -t mangle -L OUTPUT
Chain OUTPUT (policy ACCEPT 25M packets, 16G bytes)
 pkts bytes target  prot opt in   out  source    destination
 6782  802K MARK    all  --  any  any  anywhere  anywhere     OWNER UID match root MARK set 0x1
 7439  393K MARK    all  --  any  any  anywhere  anywhere     OWNER UID match aigarius MARK set 0x2
 7878 2018K MARK    all  --  any  any  anywhere  anywhere     OWNER UID match bind MARK set 0x3
65687   49M MARK    all  --  any  any  anywhere  anywhere     OWNER UID match proxy MARK set 0x4
 752K  524M MARK    all  --  any  any  anywhere  anywhere     OWNER UID match nobody MARK set 0x5
24388   35M MARK    all  --  any  any  anywhere  anywhere     OWNER UID match www-data MARK set 0x6
44401   62M MARK    all  --  any  any  anywhere  anywhere     OWNER UID match ftp MARK set 0x7
    7   600 MARK    all  --  any  any  anywhere  anywhere     OWNER UID match ivarix MARK set 0x8
    0     0 MARK    all  --  any  any  anywhere  anywhere     OWNER UID match blacky MARK set 0x9
1019K  680M MARK    all  --  any  any  anywhere  anywhere     MARK set 0x29a

As I see there is no shaping done -- the filters do not work.
I also do routing based on firewall key -> it doesn't work either, but nothing shows any errors.

Please help. Thanks.

PS. I am using kernel 2.4.19 patched with htb3 and gr-security patch and htb3 precompiled tc on Debian unstable system.

--
Best regards,
    Aigars Mahinovs        mailto:aigarius@debian.org
#--------------------------------------------------#
|     .''`.                                        |
|    : :' :   Debian GNU/Linux                     |
|    `. `'    http://www.debian.org                |
|      `-                                          |
#--------------------------------------------------#

Hi,

Prio is a number between 0 and 7. prio 10 is actually prio 7.

It's been reported before that using the uid in routing keys is not working. Maybe it's the same problem. The marking is working, but I'm wondering why the fw filter is not picking up the packets. Don't know.

Stef

On Saturday 26 October 2002 15:44, Aigars Mahinovs wrote:
> Hi all,
>
> I am trying to prioritise outgoing traffic based on UID of the sender.
> Script follows:
>
> # First mark packets with their respective priority
>
> iptables -t mangle -F OUTPUT
>
> iptables -t mangle -A OUTPUT -m owner --uid-owner root -j MARK --set-mark 1
> iptables -t mangle -A OUTPUT -m owner --uid-owner aigarius -j MARK --set-mark 2
> iptables -t mangle -A OUTPUT -m owner --uid-owner bind -j MARK --set-mark 3
> iptables -t mangle -A OUTPUT -m owner --uid-owner proxy -j MARK --set-mark 4
> iptables -t mangle -A OUTPUT -m owner --uid-owner nobody -j MARK --set-mark 5
> iptables -t mangle -A OUTPUT -m owner --uid-owner www-data -j MARK --set-mark 6
> iptables -t mangle -A OUTPUT -m owner --uid-owner ftp -j MARK --set-mark 7
> iptables -t mangle -A OUTPUT -m owner --uid-owner ivarix -j MARK --set-mark 8
> iptables -t mangle -A OUTPUT -m owner --uid-owner blacky -j MARK --set-mark 9
> iptables -t mangle -A OUTPUT -j MARK --set-mark 666
>
> # now make outgoing traffic classes
> # clean existing qdiscs, hide errors
> /home/aigarius/bin/tc qdisc del dev eth0 root 2> /dev/null > /dev/null
>
> /home/aigarius/bin/tc qdisc add dev eth0 root handle 1: htb
> /home/aigarius/bin/tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit burst 64k
> /home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:10 htb rate 100mbit burst 64k prio 1
> /home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:20 htb rate 100mbit burst 64k prio 2
> /home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:30 htb rate 100mbit burst 64k prio 3
> /home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:40 htb rate 100mbit burst 64k prio 4
> /home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:50 htb rate 100mbit burst 64k prio 5
> /home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:60 htb rate 100mbit burst 64k prio 6
> /home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:70 htb rate 100mbit burst 64k prio 7
> /home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:80 htb rate 100mbit burst 64k prio 8
> /home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:90 htb rate 100mbit burst 64k prio 9
> /home/aigarius/bin/tc class add dev eth0 parent 1:1 classid 1:666 htb rate 10mbit burst 64k prio 20
> # all get Stochastic Fairness:
> /home/aigarius/bin/tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
> /home/aigarius/bin/tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
> /home/aigarius/bin/tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
> /home/aigarius/bin/tc qdisc add dev eth0 parent 1:40 handle 40: sfq perturb 10
> /home/aigarius/bin/tc qdisc add dev eth0 parent 1:50 handle 50: sfq perturb 10
> /home/aigarius/bin/tc qdisc add dev eth0 parent 1:60 handle 60: sfq perturb 10
> /home/aigarius/bin/tc qdisc add dev eth0 parent 1:70 handle 70: sfq perturb 10
> /home/aigarius/bin/tc qdisc add dev eth0 parent 1:80 handle 80: sfq perturb 10
> /home/aigarius/bin/tc qdisc add dev eth0 parent 1:90 handle 90: sfq perturb 10
> /home/aigarius/bin/tc qdisc add dev eth0 parent 1:666 handle 666: sfq perturb 10
> # Filter traffic into classes
> /home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 1 fw flowid 1:10
> /home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 2 fw flowid 1:20
> /home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 3 fw flowid 1:30
> /home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 4 fw flowid 1:40
> /home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 5 fw flowid 1:50
> /home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 6 fw flowid 1:60
> /home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 7 fw flowid 1:70
> /home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 8 fw flowid 1:80
> /home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 9 fw flowid 1:90
> /home/aigarius/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 handle 666 fw flowid 1:666
>
> --- END OF SCRIPT ---
>
> Problem:
> no shaping is done
>
> # tc -s qdisc show
> qdisc sfq 666: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
>  Sent 679086470 bytes 985634 pkts (dropped 0, overlimits 0)
>
> qdisc sfq 90: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>
> qdisc sfq 80: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>
> qdisc sfq 70: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>
> qdisc sfq 60: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>
> qdisc sfq 50: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>
> qdisc sfq 40: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>
> qdisc sfq 30: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>
> qdisc sfq 20: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>
> qdisc sfq 10: dev eth0 quantum 1514b limit 128p flows 128/1024 perturb 10sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>
> qdisc htb 1: dev eth0 r2q 10 default 0 direct_packets_stat 778 ver 3.6
>  Sent 679175569 bytes 986412 pkts (dropped 0, overlimits 9647)
>
> #iptables -v -t mangle -L OUTPUT
> Chain OUTPUT (policy ACCEPT 25M packets, 16G bytes)
>  pkts bytes target  prot opt in   out  source    destination
>  6782  802K MARK    all  --  any  any  anywhere  anywhere     OWNER UID match root MARK set 0x1
>  7439  393K MARK    all  --  any  any  anywhere  anywhere     OWNER UID match aigarius MARK set 0x2
>  7878 2018K MARK    all  --  any  any  anywhere  anywhere     OWNER UID match bind MARK set 0x3
> 65687   49M MARK    all  --  any  any  anywhere  anywhere     OWNER UID match proxy MARK set 0x4
>  752K  524M MARK    all  --  any  any  anywhere  anywhere     OWNER UID match nobody MARK set 0x5
> 24388   35M MARK    all  --  any  any  anywhere  anywhere     OWNER UID match www-data MARK set 0x6
> 44401   62M MARK    all  --  any  any  anywhere  anywhere     OWNER UID match ftp MARK set 0x7
>     7   600 MARK    all  --  any  any  anywhere  anywhere     OWNER UID match ivarix MARK set 0x8
>     0     0 MARK    all  --  any  any  anywhere  anywhere     OWNER UID match blacky MARK set 0x9
> 1019K  680M MARK    all  --  any  any  anywhere  anywhere     MARK set 0x29a
>
> As I see there is no shaping done -- the filters do not work.
> I also do routing based on firewall key -> it doesn't work either, but nothing shows any errors.
>
> Please help. Thanks.
>
> PS. I am using kernel 2.4.19 patched with htb3 and gr-security patch and htb3 precompiled tc on Debian unstable system.

--
stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

On Sat, 2002-10-26 at 15:44, Aigars Mahinovs wrote:
> Hi all,
>
> I am trying to prioritise outgoing traffic based on UID of the sender.
> Script follows:
>
> # First mark packets with their respective priority
>
> iptables -t mangle -F OUTPUT
>
> iptables -t mangle -A OUTPUT -m owner --uid-owner root -j MARK --set-mark 1
> iptables -t mangle -A OUTPUT -m owner --uid-owner aigarius -j MARK --set-mark 2
> iptables -t mangle -A OUTPUT -m owner --uid-owner bind -j MARK --set-mark 3
> iptables -t mangle -A OUTPUT -m owner --uid-owner proxy -j MARK --set-mark 4
> iptables -t mangle -A OUTPUT -m owner --uid-owner nobody -j MARK --set-mark 5
> iptables -t mangle -A OUTPUT -m owner --uid-owner www-data -j MARK --set-mark 6
> iptables -t mangle -A OUTPUT -m owner --uid-owner ftp -j MARK --set-mark 7
> iptables -t mangle -A OUTPUT -m owner --uid-owner ivarix -j MARK --set-mark 8
> iptables -t mangle -A OUTPUT -m owner --uid-owner blacky -j MARK --set-mark 9
> iptables -t mangle -A OUTPUT -j MARK --set-mark 666

This won't work the way you want it to.
MARK doesn't terminate the rule-traversal... so all packets will be marked as 666 in the end.

--
/Martin

Never argue with an idiot. They drag you down to their level, then beat you with experience.

Hello,

On 26 Oct 2002 18:06:17 +0200, Martin Josefsson <gandalf@wlug.westbo.se> wrote:
> > iptables -t mangle -A OUTPUT -j MARK --set-mark 666
>
> This won't work the way you want it to.
> MARK doesn't terminate the rule-traversal... so all packets will be
> marked as 666 in the end.

Thanks, that worked.

--
Best regards,
    Aigars Mahinovs        mailto:aigarius@debian.org
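
Martin's point that MARK does not stop rule traversal, shown as an added example that is not part of the original thread: it simulates the posted ordering against one with the catch-all mark first, so the per-UID rules override it. Putting the catch-all first is an assumption here (the thread does not show the corrected script), and `gen_rules`, `final_mark` and `apply_fixed` are hypothetical helper names.

```sh
#!/bin/sh
# UID:mark pairs and the default mark, copied from the rules posted in the thread.
USERS="root:1 aigarius:2 bind:3 proxy:4 nobody:5 www-data:6 ftp:7 ivarix:8 blacky:9"
DEFAULT_MARK=666

# Print the mangle/OUTPUT rules, one per line.
#   broken: catch-all last, as posted; fixed: catch-all first (assumed fix).
gen_rules() {
    if [ "$1" = fixed ]; then
        printf '%s\n' "-A OUTPUT -j MARK --set-mark $DEFAULT_MARK"
    fi
    for entry in $USERS; do
        printf '%s\n' "-A OUTPUT -m owner --uid-owner ${entry%%:*} -j MARK --set-mark ${entry##*:}"
    done
    if [ "$1" = broken ]; then
        printf '%s\n' "-A OUTPUT -j MARK --set-mark $DEFAULT_MARK"
    fi
}

# Simulate chain traversal for a packet owned by user $2 under ordering $1.
# MARK is non-terminating: every matching rule rewrites the mark, last one wins.
final_mark() {
    mark=0
    while read -r _flag _chain rest; do
        case $rest in
            "-m owner --uid-owner $2 -j MARK --set-mark "*) mark=${rest##* } ;;
            "-j MARK --set-mark "*) mark=${rest##* } ;;
        esac
    done <<EOF
$(gen_rules "$1")
EOF
    printf '%s\n' "$mark"
}

# Load the fixed ordering into the kernel (needs root); only runs on request.
apply_fixed() {
    iptables -t mangle -F OUTPUT
    gen_rules fixed | while read -r rule; do
        iptables -t mangle $rule   # unquoted on purpose: one argument per word
    done
}

if [ "${1:-}" = apply ]; then
    apply_fixed
else
    for u in root ftp daemon; do   # daemon: a user with no rule of its own
        echo "$u: as posted=$(final_mark broken "$u") catch-all first=$(final_mark fixed "$u")"
    done
fi
```

Run without arguments it only prints the simulated marks; `apply` as the first argument loads the reordered rules.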