Hi, this is the situation: I am using a Linux gateway to shape the outbound traffic coming from a LAN, configured (for example) as follows (using htb):

ETH0 (public interface)

  1 ROOT class rate 10240 kbit, ceil 10240
  2 LEAF class rate 8192, ceil 8192
  3 LEAF class rate 2048, ceil 2048

ETH1 (LAN)

Then I define the following rules:

tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 0x10 fw flowid 1:2
tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 0x20 fw flowid 1:3

And set the iptables rules to assign the fwmarks:

/sbin/iptables -t mangle -F mygroup
/sbin/iptables -t mangle -X mygroup
/sbin/iptables -t mangle -N mygroup

/sbin/iptables -t mangle -A FORWARD -i eth1 -o eth0 -j mygroup

/sbin/iptables -t mangle -A mygroup -p tcp -m tcp --dport 80 -j MARK --set-mark 0x20
/sbin/iptables -t mangle -A mygroup -p tcp -m tcp --dport 80 -j RETURN

/sbin/iptables -t mangle -A mygroup -j MARK --set-mark 0x10
/sbin/iptables -t mangle -A mygroup -j RETURN

In theory, this should assign all packets with dest port 80 forwarded from eth1 to eth0 to the 0x20 class, and the rest to the 0x10 class.

And it works, until I do something like this:

iptables -t nat -A PREROUTING -p tcp --source 10.1.0.0/24 --dport 80 -j REDIRECT --to-ports 3128

to set up transparent proxy redirection to the local squid (10.1.0.0/24 is the subnet of eth1).

The redirection works but no packets end up in the 0x20 class.

Any way to shape even transparent-proxied traffic?

thanks,
Enrico

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
First, you should mark packets in the POSTROUTING chain for what you need; the FORWARD chain doesn't touch local traffic, which is your proxy.

Next, since you redirect packets to port 3128, you should match on this port, not on 80. But then you will mark all packets from port 3128 no matter whether they are redirected or not (all proxy traffic will be marked).

Also, you can simply match with tc on port 80, since tc is after NAT and it will see the same port the user will see. For such a simple setup no marking is necessary.

----- Original Message -----
From: "Enrico Demarin" <enricod@videotron.ca>
To: <lartc@mailman.ds9a.nl>
Sent: Monday, March 22, 2004 4:35 PM
Subject: [LARTC] Fwmark and REDIRECT rules

> [...]
Ok. I am marking because I will also add rules for a second ethernet interface, eth2, which serves a 10.2.0.0/24 segment, and I want to split the internet feed (10 megabits) into 2 5-megabit links: I need marking to mark all the traffic coming to eth1 to its 5-megabit classes and the traffic coming from eth2 to the other tree (I would define 2 root classes of 5 megabits, with separate leaves).

- Enrico

On Mon, 2004-03-22 at 12:18, Roy wrote:
> [...]
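Added example, not code posted by either Enrico or Roy: the HTB tree and fw filters from the original post, with the fwmark rules moved from mangle FORWARD to mangle POSTROUTING as Roy suggests, so that Squid's own upstream connections are marked as well as forwarded LAN traffic. The interface names, rates, marks and the mygroup chain are the thread's; the DRY=1 dry-run wrapper, the `-i eth1` restriction on the REDIRECT rule and the `apply` argument are my additions.

```shell
#!/bin/sh
# Added example (not from the thread). DRY=1 prints the iptables/tc commands
# instead of running them; "sh shape.sh apply" as root applies them.
set -e

IPT=${IPT:-/sbin/iptables}
TC=${TC:-/sbin/tc}
WAN=eth0          # public interface, where the HTB qdisc lives
LAN=eth1          # LAN interface (assumed name, as in the thread)
LAN_NET=10.1.0.0/24
PROXY_PORT=3128   # local Squid

# Print the command under DRY=1, otherwise execute it.
run() {
    if [ "${DRY:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Root 10240 kbit; leaf 1:2 at 8192 kbit (mark 0x10), leaf 1:3 at 2048 kbit (mark 0x20).
setup_htb() {
    run $TC qdisc del dev "$WAN" root 2>/dev/null || true
    run $TC qdisc add dev "$WAN" root handle 1: htb default 2
    run $TC class add dev "$WAN" parent 1: classid 1:1 htb rate 10240kbit ceil 10240kbit
    run $TC class add dev "$WAN" parent 1:1 classid 1:2 htb rate 8192kbit ceil 8192kbit
    run $TC class add dev "$WAN" parent 1:1 classid 1:3 htb rate 2048kbit ceil 2048kbit
    # fw classifier: same two filters as the original post
    run $TC filter add dev "$WAN" parent 1:0 protocol ip prio 0 handle 0x10 fw flowid 1:2
    run $TC filter add dev "$WAN" parent 1:0 protocol ip prio 0 handle 0x20 fw flowid 1:3
}

# Mark in mangle POSTROUTING instead of FORWARD. POSTROUTING sees every packet
# leaving eth0: forwarded ones from the LAN *and* locally generated ones, i.e.
# Squid's connections to the origin servers. FORWARD never sees the latter,
# which is why class 1:3 stayed empty once REDIRECT was in place. The hook
# runs after nat PREROUTING, so the destination port here is the real one
# (80 for Squid's upstream flows and for non-redirected HTTP).
setup_marks() {
    run $IPT -t mangle -F mygroup 2>/dev/null || true
    run $IPT -t mangle -X mygroup 2>/dev/null || true
    run $IPT -t mangle -N mygroup
    run $IPT -t mangle -A POSTROUTING -o "$WAN" -j mygroup
    run $IPT -t mangle -A mygroup -p tcp --dport 80 -j MARK --set-mark 0x20
    run $IPT -t mangle -A mygroup -p tcp --dport 80 -j RETURN
    run $IPT -t mangle -A mygroup -j MARK --set-mark 0x10
    run $IPT -t mangle -A mygroup -j RETURN
}

# Transparent proxy redirect. Binding it to -i $LAN (my addition) keeps a packet
# arriving on the public side with a forged 10.1.0.0/24 source from being
# handed to Squid.
setup_redirect() {
    run $IPT -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Check where the bytes ended up after some browsing from the LAN: with the
# redirect active, the 1:3 counters should now move.
show_classes() {
    run $TC -s class show dev "$WAN"
}

if [ "${1:-}" = apply ]; then
    setup_htb
    setup_marks
    setup_redirect
fi
```

On Enrico's follow-up (one 5-megabit tree per LAN): for forwarded traffic the ingress interface is only matchable before routing, so mark it in mangle PREROUTING with `-i eth1` / `-i eth2` (the mark survives to the egress qdisc on eth0; `-i` is not accepted in POSTROUTING). Squid's upstream connections, however, carry no netfilter-visible trace of which LAN the client sits on, so that split has to be expressed on the Squid side, for instance by giving each client subnet its own `tcp_outgoing_address` and then matching that source address in mangle OUTPUT or POSTROUTING; that is a suggestion of mine, not something the thread confirms.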