Hi all,

I'm running a Linux ethernet bridge with HTB and netfilter support. For the firewalling part I mark some special packets with -j MARK --set-mark 12 or --set-mark 22. After that I use

tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 12 fw classid 1:12
and
tc filter add dev eth1 parent 2:0 protocol ip prio 4 handle 22 fw classid 2:22

That works very well, but at some point of my project I need to switch over to just using one mark (or, more exactly, using just one firewall rule) for both filters. So I tried to change the second filter:

tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 12 fw classid 1:12
tc filter add dev eth1 parent 2:0 protocol ip prio 4 handle 12 fw classid 2:22

That did not work: just the first filter was used, but the other never caught a packet. My question: is there a way to handle this by a mask for the handle, for example? Any hints are very much appreciated!

Thanks in advance,
Mike.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
On Monday 05 May 2003 20:10, miller69@gmx.net wrote:
> Hi all,
>
> I'm running a Linux ethernet bridge with HTB and netfilter support. For
> the firewalling part I mark some special packets with -j MARK --set-mark 12
> or --set-mark 22. After that I use
>
> tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 12 fw classid 1:12
> and
> tc filter add dev eth1 parent 2:0 protocol ip prio 4 handle 22 fw classid 2:22
>
> That works very well, but at some point of my project I need to switch over
> to just using one mark (or, more exactly, using just one firewall rule) for both
> filters. So I tried to change the second filter:
>
> tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 12 fw classid 1:12
> tc filter add dev eth1 parent 2:0 protocol ip prio 4 handle 12 fw classid 2:22
>
> That did not work: just the first filter was used, but the other never
> caught a packet. My question: is there a way to handle this by a mask for
> the handle, for example? Any hints are very much appreciated!

Why not do

tc filter add dev eth1 parent 1:0 protocol ip prio 4 handle 12 fw classid 2:22

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
> On Monday 05 May 2003 20:10, miller69@gmx.net wrote:
> > That works very well, but at some point of my project I need to switch over
> > to just using one mark (or, more exactly, using just one firewall rule) for both
> > filters. So I tried to change the second filter:
> >
> > tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 12 fw classid 1:12
> > tc filter add dev eth1 parent 2:0 protocol ip prio 4 handle 12 fw classid 2:22
> >
> > That did not work: just the first filter was used, but the other never
> > caught a packet. My question: is there a way to handle this by a mask for
> > the handle, for example? Any hints are very much appreciated!
> Why not do
> tc filter add dev eth1 parent 1:0 protocol ip prio 4 handle 12 fw classid 2:22

I've tried it and the answer was:
RTNETLINK answers: Invalid argument

So that did not work. Any other ideas? I really need this going!

Thanks,
Mike.
On Monday 05 May 2003 21:15, miller69@gmx.net wrote:
> > On Monday 05 May 2003 20:10, miller69@gmx.net wrote:
> > > That works very well, but at some point of my project I need to switch over
> > > to just using one mark (or, more exactly, using just one firewall rule) for both
> > > filters. So I tried to change the second filter:
> > >
> > > tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 12 fw classid 1:12
> > > tc filter add dev eth1 parent 2:0 protocol ip prio 4 handle 12 fw classid 2:22
> > >
> > > That did not work: just the first filter was used, but the other never
> > > caught a packet. My question: is there a way to handle this by a mask for
> > > the handle, for example? Any hints are very much appreciated!
> >
> > Why not do
> > tc filter add dev eth1 parent 1:0 protocol ip prio 4 handle 12 fw classid 2:22
>
> I've tried it and the answer was:
> RTNETLINK answers: Invalid argument
>
> So that did not work. Any other ideas? I really need this going!

Something else. Qdisc 2:0 is attached to 1:12 I suppose. But why? This is not needed if 1: and 2: are htb qdiscs.

Stef
> Something else. Qdisc 2:0 is attached to 1:12 I suppose. But why? This is
> not needed if 1: and 2: are htb qdiscs.

I think the best thing is that I'll post my whole setup; maybe the problem comes out more clearly then.
My bridge uses two ports (eth0 and eth1). I've got one qdisc for each ethernet card.

tc qdisc add dev eth0 root handle 1:0 htb default 10
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 100mbit ceil 100mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 9mbit ceil 9mbit prio 4
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 89mbit ceil 100mbit prio 1
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 10kbit ceil 20kbit prio 5

tc qdisc add dev eth1 root handle 2:0 htb default 20
tc class add dev eth1 parent 2:0 classid 2:2 htb rate 10mbit ceil 10mbit
tc class add dev eth1 parent 2:2 classid 2:20 htb rate 9mbit ceil 9mbit prio 1
tc class add dev eth1 parent 2:2 classid 2:22 htb rate 10kbit ceil 20kbit prio 5

The main goal is to do bridging between
1:10 <-> 2:20 and
1:12 <-> 2:22

The 1:11 class is for the local traffic to/from the bridge; an iptables rule covers this part. What I want now is to mark a bridged packet and put it in both classes, 1:12 AND 2:22 for example. But at the moment a packet that is marked with handle 12 always runs through 1:12, but the response (an ACK packet for example) doesn't touch 2:22 as I want it to but uses the default and goes through 2:20.
At the netfilter side I use connmark, which puts a mark on a whole connection (it's an extension to conntrack), so after marking one packet of a connection every following packet gets the same mark.
That's why I need a way to use the same mark twice (once for each qdisc).
Sorry for my bad English, I hope you know what I'm up to.

Thanks for any help!
Mike.
On Monday 05 May 2003 23:04, miller69@gmx.net wrote:
> > Something else. Qdisc 2:0 is attached to 1:12 I suppose. But why? This is
> > not needed if 1: and 2: are htb qdiscs.
>
> I think the best thing is that I'll post my whole setup; maybe the problem
> comes out more clearly then.
> My bridge uses two ports (eth0 and eth1). I've got one qdisc for each
> ethernet card.
>
> tc qdisc add dev eth0 root handle 1:0 htb default 10
> tc class add dev eth0 parent 1:0 classid 1:1 htb rate 100mbit ceil 100mbit
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 9mbit ceil 9mbit prio 4
> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 89mbit ceil 100mbit prio 1
> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 10kbit ceil 20kbit prio 5
>
> tc qdisc add dev eth1 root handle 2:0 htb default 20
> tc class add dev eth1 parent 2:0 classid 2:2 htb rate 10mbit ceil 10mbit
> tc class add dev eth1 parent 2:2 classid 2:20 htb rate 9mbit ceil 9mbit prio 1
> tc class add dev eth1 parent 2:2 classid 2:22 htb rate 10kbit ceil 20kbit prio 5
>
> The main goal is to do bridging between
> 1:10 <-> 2:20 and
> 1:12 <-> 2:22
>
> The 1:11 class is for the local traffic to/from the bridge; an iptables
> rule covers this part. What I want now is to mark a bridged packet and put it
> in both classes, 1:12 AND 2:22 for example. But at the moment a packet that
> is marked with handle 12 always runs through 1:12, but the response (an ACK
> packet for example) doesn't touch 2:22 as I want it to but uses the default and
> goes through 2:20.
> At the netfilter side I use connmark, which puts a mark on a whole connection
> (it's an extension to conntrack), so after marking one packet of a connection
> every following packet gets the same mark.

I'm just wondering. You use connmark to mark the whole connection, but isn't that only working in 1 direction? You want to mark on eth0 and use that mark also to shape on eth1. But I don't think conntrack can mark the packets in both directions.

> That's why I need a way to use the same mark twice (once for each qdisc).
> Sorry for my bad English, I hope you know what I'm up to.

No problem.

Stef
Hi,

> I'm just wondering. You use connmark to mark the whole connection, but isn't
> that only working in 1 direction?

Ok, first I was not sure about this question, but I took a look at /proc/net/ip_conntrack:

tcp 6 379813 ESTABLISHED src=153.19.72.215 dst=139.18.38.96 sport=1240 dport=1214 src=139.18.38.96 dst=153.19.72.215 sport=1214 dport=1240 [ASSURED] use=1 mark=22

This is a single entry, so I believe it puts a mark on the whole connection in both directions. And a quick test approved this. I used the following commands to count marked packets in the POSTROUTING chain.

iptables -A POSTROUTING -t mangle -o eth0 -m mark --mark 12 -j ACCEPT
iptables -A POSTROUTING -t mangle -o eth1 -m mark --mark 12 -j ACCEPT

That gave the following output:

648K 703M ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0xc
520K 103M ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0 MARK match 0xc

As you can see there are packets leaving the bridge at eth0 and at eth1 as well, marked with the same handle.

> You want to mark on eth0 and use that mark also to shape on eth1.

Exactly, so as the connmark part seems to be working, is there a chance to get tc filter working in the same way too? Any comments would be very much appreciated!

Thanks,
Mike.
On Wednesday 07 May 2003 11:39, miller69@gmx.net wrote:
> Hi,
>
> > I'm just wondering. You use connmark to mark the whole connection, but isn't
> > that only working in 1 direction?
>
> Ok, first I was not sure about this question, but I took a look at
> /proc/net/ip_conntrack:
>
> tcp 6 379813 ESTABLISHED src=153.19.72.215 dst=139.18.38.96 sport=1240
> dport=1214 src=139.18.38.96 dst=153.19.72.215 sport=1214 dport=1240
> [ASSURED] use=1 mark=22
>
> This is a single entry, so I believe it puts a mark on the whole connection
> in both directions. And a quick test approved this. I used the following
> commands to count marked packets in the POSTROUTING chain.
> iptables -A POSTROUTING -t mangle -o eth0 -m mark --mark 12 -j ACCEPT
> iptables -A POSTROUTING -t mangle -o eth1 -m mark --mark 12 -j ACCEPT
>
> That gave the following output:
>
> 648K 703M ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0xc
> 520K 103M ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0 MARK match 0xc
>
> As you can see there are packets leaving the bridge at eth0 and at eth1 as
> well, marked with the same handle.

Ok. So the mark is in both directions.

> > You want to mark on eth0 and use that mark also to shape on eth1.
>
> Exactly, so as the connmark part seems to be working, is there a chance to
> get tc filter working in the same way too? Any comments would be very much
> appreciated!

I have no idea. It should work. If iptables can see the mark, the fw filter can. So the fw filter should be able to use the mark.

Stef
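As an added example (not from the thread or from either poster), a small Python checker for the two pieces of evidence Mike collected: a /proc/net/ip_conntrack entry, which shows that the connmark lives on the connection and so applies to the reply direction, and the iptables -v counters per output interface. It works out which (device, mark) pairs actually carry marked egress traffic and therefore which root qdiscs need an fw filter for that handle, following Stef's point that a mark iptables can see is one the fw filter can match; it also converts iptables' hex mark display (0xc) to the decimal handle tc takes (12) and expands the K/M counter suffixes. The sample input is constructed, and the device-to-qdisc mapping (eth0 -> 1:0, eth1 -> 2:0) is taken from the setup posted above.

```python
import re
from collections import defaultdict
# Constructed sample in the /proc/net/ip_conntrack layout quoted in the thread (RFC 5737 addresses).
CONNTRACK = """\
tcp 6 379813 ESTABLISHED src=192.0.2.15 dst=198.51.100.96 sport=1240 dport=1214 src=198.51.100.96 dst=192.0.2.15 sport=1214 dport=1240 [ASSURED] use=1 mark=22
udp 17 29 src=192.0.2.20 dst=198.51.100.53 sport=4000 dport=53 src=198.51.100.53 dst=192.0.2.20 sport=53 dport=4000 use=1 mark=12
"""
# Constructed `iptables -t mangle -L POSTROUTING -v -n` lines: pkts bytes target prot opt in out src dst match
IPTABLES = """\
 648K  703M ACCEPT  all  --  *  eth0  0.0.0.0/0  0.0.0.0/0  MARK match 0xc
 520K  103M ACCEPT  all  --  *  eth1  0.0.0.0/0  0.0.0.0/0  MARK match 0xc
  12K 9000K ACCEPT  all  --  *  eth1  0.0.0.0/0  0.0.0.0/0  MARK match 0x16
"""
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_conntrack(text):
    """Return [(mark, original_tuple, reply_tuple)]; both tuples sit in one entry, so the connmark covers the reply direction too."""
    flows = []
    for line in text.splitlines():
        tuples, mark = TUPLE_RE.findall(line), re.search(r"\bmark=(\d+)", line)
        if len(tuples) == 2 and mark:
            flows.append((int(mark.group(1)), tuples[0], tuples[1]))
    return flows

def parse_count(tok):
    """Expand iptables' abbreviated counters (648K, 703M) to integers; plain numbers pass through."""
    unit = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(tok[:-1]) * unit[tok[-1]] if tok[-1] in unit else int(tok)

def parse_mark_counters(text):
    """Return {mark: {out_iface: pkts}}; iptables prints the mark in hex (0xc), tc's fw handle takes decimal (12)."""
    seen = defaultdict(dict)
    for line in text.splitlines():
        f, m = line.split(), re.search(r"MARK match (0x[0-9a-f]+)", line)
        if m and len(f) >= 7:           # f[6] is the 'out' column
            seen[int(m.group(1), 16)][f[6]] = parse_count(f[0])
    return seen

def required_fw_filters(counters, qdisc_of):
    """One fw filter per (device, mark) pair with marked egress; qdisc_of maps device -> root qdisc handle."""
    return sorted((dev, mark, qdisc_of[dev]) for mark, per_dev in counters.items()
                  for dev, pkts in per_dev.items() if pkts and dev in qdisc_of)

if __name__ == "__main__":
    for dev, mark, parent in required_fw_filters(parse_mark_counters(IPTABLES), {"eth0": "1:0", "eth1": "2:0"}):
        print("need: tc filter add dev %s parent %s protocol ip prio 4 handle %d fw classid <class under %s>" % (dev, parent, mark, parent))
```

Run against the real box, the same functions can be fed the output of cat /proc/net/ip_conntrack and iptables -t mangle -L POSTROUTING -v -n instead of the constructed strings.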