Hello,

I have a box running as a bridge and am trying to track the passive FTP sessions by marking them with iptables (CONNMARK option installed) and then trying to pick up the mark using tc filter fwmark. This is not working.

I have checked the marking of the packets and this is working fine because I can see the marks when I cat /proc/net/ip_conntrack.

Having set up my queues and using the following command:

tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid 1:2a

I do not get any traffic going into this queue. I am running kernel 2.4.21.

My question is whether the packet that I have marked is actually ever getting to the tc filter. As I am running a bridge, does the packet get marked in iptables PREROUTING, and then go straight to the FORWARD rule and then out?

What is the sequence in which iptables processes the packet and then the tc filter processes the packet?

Many thanks
Wayne
On Wed, 2003-08-20 at 10:48, Wayne wrote:
> I have a box running as a bridge and am trying to track the passive
> FTP sessions by marking them with iptables (CONNMARK option installed)
> and then trying to pick up the mark using tc filter fwmark. This is
> not working.

Are you setting the mark (std fw mark)? The connmark is not saved when leaving netfilter and reaching the QoS system. See http://home.regit.org/connmark.html for details.

BR,
-- 
Eric Leblond <eric@regit.org>
Regit.org
You must use the fwmark setting and not connmark.

Mohan

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Wayne
Sent: Wednesday, August 20, 2003 2:18 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] FTP Connection Tracking in a Bridge

> I have a box running as a bridge and am trying to track the passive FTP
> sessions by marking them with iptables (CONNMARK option installed) and then
> trying to pick up the mark using tc filter fwmark. This is not working.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
I believe I am using fwmark as below. Any input would be appreciated.

Here is part of the setup:

iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -A PREROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 21 -t mangle -j MARK --set-mark 14
iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 80 -t mangle -j MARK --set-mark 2
iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 3128 -t mangle -j MARK --set-mark 2
iptables -A PREROUTING -t mangle -j CONNMARK --save-mark

tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid 1:2a

Here is part of /proc/net/ip_conntrack showing the packet is getting marked:

tcp 6 431989 ESTABLISHED src=10.0.1.99 dst=196.34.2.188 sport=1838 dport=3128 src=196.34.2.188 dst=10.0.1.99 sport=3128 dport=1838 [ASSURED] use=1 mark=2

Here is part of the QoS class stats showing no packets being picked up by the filter command:

class htb 1:2 parent 1:1001 leaf 2a: prio 0 quantum 1500 rate 22Kbit ceil 120Kbit burst 1627b/8 mpu 0b cburst 1752b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 473600 ctokens: 93492

Thanks
Wayne

----- Original Message -----
From: "S Mohan" <smohan@vsnl.com>
To: "Wayne" <wayne@fengshuifont.com>; <lartc@mailman.ds9a.nl>
Sent: Wednesday, August 20, 2003 12:00 PM
Subject: RE: [LARTC] FTP Connection Tracking in a Bridge

> You must use fwmark setting and not connmark.
On Wednesday 20 August 2003 12:06, Wayne wrote:
> I believe I am using fwmark as below. Any input would be appreciated:
>
> iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
> iptables -A PREROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
> iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 21 -t mangle -j
> MARK --set-mark 14
> iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 80 -t mangle -j
> MARK --set-mark 2
> iptables -A PREROUTING -m mark --mark 0 -p tcp --sport 3128 -t mangle -j
> MARK --set-mark 2
> iptables -A PREROUTING -t mangle -j CONNMARK --save-mark
>
> tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid
> 1:2a
>
> Here is part of the QOS class stats show no packets being picked up by the
> filter command:
>
> class htb 1:2 parent 1:1001 leaf 2a: prio 0 quantum 1500 rate 22Kbit ceil
> 120Kbit burst 1627b/8 mpu 0b cburst 1752b/8 mpu 0b level 0
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

Can you also post your filter rules?

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
On Wednesday 20 August 2003 10:48, Wayne wrote:
> I have a box running as a bridge and am trying to track the passive FTP
> sessions by marking them with iptables (CONNMARK option installed) and then
> trying to pick up the mark using tc filter fwmark. This is not working.
>
> My question is whether the packet that I have marked is actually ever
> getting to the tc filter. As I am running a bridge, does the packet get
> marked in iptables PREROUTING, and then go straight to the FORWARD rule and
> then out.

Just wondering, can you really use iptables on a bridge? I thought you have to use ebtables: http://www.docum.org/stef.coene/qos/faq/cache/41.html

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
On Wed, 2003-08-20 at 14:26, Stef Coene wrote:
> Just wondering, can you really use iptables on a bridge? I thought you have
> to use ebtables : http://www.docum.org/stef.coene/qos/faq/cache/41.html

There's also a patch that brings a few changes and enables filtering with iptables.

BR,
-- 
Eric Leblond <eric@regit.org>
Regit.org
I have applied the patch to iptables which allows me to use it on a bridge. The iptables rules are working as I am using it for other things as well. If you do not have the patch applied, you get an error message when trying to run iptables.

The one filter rule I am using is as follows:

tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid 1:2a

I have the browsing match in the iptables rules as it is a simpler one to check if it is working before I try the FTP connection tracking portion.

Thanks
Wayne

----- Original Message -----
From: "Stef Coene" <stef.coene@docum.org>
To: "Wayne" <wayne@fengshuifont.com>; <lartc@mailman.ds9a.nl>
Sent: Wednesday, August 20, 2003 2:26 PM
Subject: Re: [LARTC] FTP Connection Tracking in a Bridge

> Just wondering, can you really use iptables on a bridge? I thought you have
> to use ebtables : http://www.docum.org/stef.coene/qos/faq/cache/41.html
Doh. So dumb of me. I have documented this but this skipped my attention. Thanks Stef.

AFAIK, in bridged mode, only the FORWARD table is processed. The packet does not traverse any other traditional netfilter table. This is the reason for the existence of ebtables. ebtables provides all these tables within its realm.

Mohan

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Stef Coene
Sent: Wednesday, August 20, 2003 5:57 PM
To: Wayne; lartc@mailman.ds9a.nl
Subject: Re: [LARTC] FTP Connection Tracking in a Bridge

> Just wondering, can you really use iptables on a bridge? I thought you have
> to use ebtables : http://www.docum.org/stef.coene/qos/faq/cache/41.html
On Wednesday 20 August 2003 14:39, Wayne wrote:
> I have applied the patch to IPTABLES which allows me to use it on a bridge.
> The iptables rules are working as I am using it for other things as well.
>
> The one filter rule I am using is as follows:
>
> tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid
> 1:2a

You need more filter statements. You have parent 1:2 but how is traffic redirected to this class???

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
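The following is an added example, not code posted by anyone in this thread. It puts together the two points made above: Eric's, that tc's fw filter only sees the packet mark, so the connection mark has to be copied onto each packet with CONNMARK --restore-mark before the qdisc runs; and Stef's, that a fw filter attached to parent 1:2 is never consulted unless something at the root first sends traffic to class 1:2, so the filters belong on "parent 1:". The marking rules and marks 2 and 14 are the poster's; the interface name eth1, the HTB tree under handle 1: (the poster only shows class 1:2 under 1:1001 with leaf 2a:), the rates of the other classes, the DRY_RUN switch and the marked_flows helper are all assumptions made for this example. The conntrack sample embeds the poster's real entry plus two constructed ones.

```shell
#!/bin/sh
# Added example (not from the thread): per-packet marking via CONNMARK plus an
# HTB tree whose fw filters hang off the root qdisc, where the mark-to-class
# lookup actually happens. Assumed: eth1 is the interface the shaped traffic
# leaves on, marks 2 (web/proxy) and 14 (FTP control) as in the poster's
# rules, and an HTB layout under handle 1: that the thread does not show.
# DRY_RUN=1 (default) prints every command; DRY_RUN=0 applies them as root.
set -e
DEV="${DEV:-eth1}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Per-packet mark: copy the connection mark onto the packet first (tc only
# sees the packet mark, never the conntrack mark), mark still-unmarked packets
# by source port, then store the result back on the connection.
mangle_rules() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -m mark --mark 0 -p tcp --sport 21 -j MARK --set-mark 14
    run iptables -t mangle -A PREROUTING -m mark --mark 0 -p tcp --sport 80 -j MARK --set-mark 2
    run iptables -t mangle -A PREROUTING -m mark --mark 0 -p tcp --sport 3128 -j MARK --set-mark 2
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
}

# Assumed tree: root HTB 1:, one inner class 1:1001, leaves for unmarked
# traffic (the default), mark 2 and mark 14, each with an sfq leaf qdisc.
qos_tree() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 1000
    run tc class add dev "$DEV" parent 1: classid 1:1001 htb rate 120kbit ceil 120kbit
    run tc class add dev "$DEV" parent 1:1001 classid 1:1000 htb rate 76kbit ceil 120kbit
    run tc class add dev "$DEV" parent 1:1001 classid 1:2 htb rate 22kbit ceil 120kbit
    run tc class add dev "$DEV" parent 1:1001 classid 1:14 htb rate 22kbit ceil 120kbit
    run tc qdisc add dev "$DEV" parent 1:1000 handle 1000: sfq perturb 10
    run tc qdisc add dev "$DEV" parent 1:2 handle 2a: sfq perturb 10
    run tc qdisc add dev "$DEV" parent 1:14 handle 14a: sfq perturb 10
}

# The fix for the thread's symptom: fw filters attached to "parent 1:" (the
# root qdisc). A filter attached to "parent 1:2" is only run for packets the
# root's filters have already steered into class 1:2, so with no root filter
# every packet falls through to the default class and 1:2 stays at 0 packets.
# Note that tc handles are hexadecimal: "classid 1:2a" names minor 0x2a, which
# is neither class 1:2 nor the leaf qdisc 2a:.
fw_filters() {
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle 2 fw classid 1:2
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle 14 fw classid 1:14
}

# Check the kernel's connection marks (what the poster did by reading
# /proc/net/ip_conntrack): print one line per flow with a non-zero mark,
# using the original-direction tuple. Reads the files given, or stdin.
marked_flows() {
    awk '/mark=[1-9]/ {
        src = ""; dst = ""; sp = ""; dp = ""; m = ""
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            else if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            else if (sp == "" && $i ~ /^sport=/) sp = substr($i, 7)
            else if (dp == "" && $i ~ /^dport=/) dp = substr($i, 7)
            else if ($i ~ /^mark=/) m = substr($i, 6)
        }
        printf "%s:%s -> %s:%s mark=%s\n", src, sp, dst, dp, m
    }' "$@"
}

# Constructed conntrack sample: the first entry is the one from the thread,
# the other two are made up to show an unmarked flow and an FTP control flow.
sample_conntrack() {
    cat <<'EOF'
tcp 6 431989 ESTABLISHED src=10.0.1.99 dst=196.34.2.188 sport=1838 dport=3128 src=196.34.2.188 dst=10.0.1.99 sport=3128 dport=1838 [ASSURED] use=1 mark=2
tcp 6 117 TIME_WAIT src=10.0.1.99 dst=196.34.2.188 sport=1840 dport=443 src=196.34.2.188 dst=10.0.1.99 sport=443 dport=1840 [ASSURED] use=1 mark=0
tcp 6 431200 ESTABLISHED src=10.0.1.50 dst=196.34.2.10 sport=2001 dport=21 src=196.34.2.10 dst=10.0.1.50 sport=21 dport=2001 [ASSURED] use=1 mark=14
EOF
}

# Stand-alone run: print (or, with DRY_RUN=0, apply) the whole configuration,
# then list the marked flows in the sample table.
mangle_rules
qos_tree
fw_filters
sample_conntrack | marked_flows
```

On a live box, `marked_flows /proc/net/ip_conntrack` shows which connections carry a mark, and `tc -s class show dev eth1` should then show the Sent counters of 1:2 and 1:14 moving; if the conntrack marks are there but the class counters stay at zero, the mark is not reaching the packet (no --restore-mark before the packet leaves netfilter) or the fw filter is not attached at the root.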
Sorted. The problem was related to one of the filter statements. Interesting how we always overlook the simple explanations as to why something does not work.

Thanks for all the help.
Wayne

----- Original Message -----
From: "Stef Coene" <stef.coene@docum.org>
To: "Wayne" <wayne@fengshuifont.com>; <lartc@mailman.ds9a.nl>
Sent: Wednesday, August 20, 2003 5:17 PM
Subject: Re: [LARTC] FTP Connection Tracking in a Bridge

> You need more filter statements. You have parent 1:2 but how is traffic
> redirected to this class ???
On Wednesday 20 August 2003 15:14, S Mohan wrote:
> AFAIK, in a bridged mode, only the FORWARD table is processed.
> The packet does not traverse any other traditional netfilter table. This is
> the reason for the existence of ebtables. ebtables provides all these
> tables within its realm.

Just for the record, as I'm the maintainer of ebtables and the bridge-nf code I can safely say that these statements above are not correct. ebtables is there to filter on non-IP stuff, more specifically the Ethernet header. In 2.6 or in a patched (with the bridge-nf patch) 2.4 kernel, the PREROUTING/FORWARD/POSTROUTING iptables chains see bridged traffic. This is therefore different from the behaviour with the old patch for 2.2 and ipchains. Anyone interested can go to ebtables.sourceforge.net; the working of iptables on a bridge is explained there in detail. Please update your documentation.

cheers,
Bart