Is there a flow diagram as to where tc actions take place with respect to NAT and other iptables functions on a multihomed box (private & public NICs)? Are tc filter rules consulted before or after NATing?

My real interest is in basic understanding first, and then solving a real problem second.

Example:
Firewall Public NIC 123.123.123.1
Firewall Private NIC 192.168.168.1
Dedicated Video Conferencing equipment @ 192.168.168.100

I'd like to write a rule that says any traffic emanating from the private .100 box gets 128kbit of bandwidth out of a T1's total 1.55mbit as the traffic heads out on to the Internet to find the other end of the Video Conference.

The shaping occurs on the Public NIC, but the only address I have to work with is a private address. By the time the traffic hits the public NIC and tc rules are applied, I suspect the packet no longer has a source IP of private .100, but has been NAT'd to the public NIC address. There's no way to distinguish private .100's traffic via IP address by the time the tc filters are queried. Is that correct?

What methods are available to do this? I can think of marking all the packets on the private side, then looking for the marks on the public side. Or, NAT private .100 to a specific Public IP and then write rules for that new Public IP. What other options are there?

--
Bill Gradwohl
bill@ycc.com
http://www.ycc.com
SPAMstomper Protected email

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Thursday 05 August 2004 18:47, Bill Gradwohl wrote:
> Is there a flow diagram as to where tc actions take place with respect
> to NAT and other iptables functions on a multihomed box (private &
> public NICs)? Are tc filter rules consulted before or after NATing?

See kptd on www.docum.org.

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
Bill,

: Is there a flow diagram as to where tc actions take place with
: respect to NAT and other iptables functions on a multihomed box
: (private & public NICs)? Are tc filter rules consulted before or
: after NATing?

For simplicity's sake, let's just talk about packets leaving the box (transmit only). All iptables functions have taken place by the time the traffic control functions are called.

There are a number of different diagrams which cover this in different ways. The KPTD [0], which Stef has already mentioned, the Packet Flow diagram [1], which deals with the bridging and brouting stuff as well, an older 2.4 packet traversal diagram [2], and my recent diagram of just the netfilter system [3].

: My real interest is in basic understanding first, and then
: solving a real problem second.

Well... further on the self-promotion front: if understanding is what you seek, then maybe also my Traffic Control HOWTO would be handy. It's available at TLDP [4].

: Example:
: Firewall Public NIC 123.123.123.1
: Firewall Private NIC 192.168.168.1
: Dedicated Video Conferencing equipment @ 192.168.168.100
:
: I'd like to write a rule that says any traffic emanating from the
: private .100 box gets 128kbit of bandwidth out of a T1's total 1.55mbit
: as the traffic heads out on to the Internet to find the other end of the
: Video Conference.
:
: The shaping occurs on the Public NIC, but the only address I have to
: work with is a private address. By the time the traffic hits the public NIC
: and tc rules are applied, I suspect the packet no longer has a source IP
: of private .100, but has been NAT'd to the public NIC address. There's
: no way to distinguish private .100's traffic via IP address by the time the
: tc filters are queried. Is that correct?

That is correct, but you can always use the fwmark.

: What methods are available to do this? I can think of marking all
: the packets on the private side then looking for the marks on the
: public side. Or, NAT private .100 to a specific Public IP and then
: write rules for that new Public IP. What other options are there?

As far as I know, these are the two best options. If you don't wish to mess around with marking, the NAT option seems a very good and sensible way to go.

If you haven't used tc much, I'd recommend tcng [5]. It's far simpler to use (and more intuitive) once you have it installed.

Though I haven't tested the below, I could see something like this as a starting point for your experimentation. If you wished to cap the video bandwidth at 128k, you could simply use the same parameter for the rate and ceil (videobw).

    #define private eth0
    #define public  eth1

    /* assume that the NAT for the video server is separate from
       the source IP of the remainder of the traffic */

    #define videobox 192.168.168.100
    #define videopub 123.123.123.100
    #define videobw  128000 bps
    #define halft1   772000 bps
    #define fullt1   1544000 bps

    /* this should take care of shaping download traffic;
       packets leaving the private NIC are headed to the LAN,
       so the video box is the destination here, not the source */

    dev private {
        egress {
            class ( <$video> ) if ip_dst == videobox ;
            class ( <$other> ) if 1 ;
            htb {
                class ( rate fullt1, ceil fullt1 ) {
                    /* guarantee videobw to $video, allow full usage */
                    $video = class ( rate videobw, ceil fullt1 ) ;
                    /* guarantee half the t1 to other traffic */
                    $other = class ( rate halft1, ceil fullt1 ) ;
                }
            }
        }
    }

    /* this should take care of shaping upload traffic;
       SNAT has already happened, so match the public address */

    dev public {
        egress {
            class ( <$video> ) if ip_src == videopub ;
            class ( <$other> ) if 1 ;
            htb {
                class ( rate fullt1, ceil fullt1 ) {
                    $video = class ( rate videobw, ceil fullt1 ) ;
                    $other = class ( rate halft1, ceil fullt1 ) ;
                }
            }
        }
    }

Good luck!

-Martin

[0] http://www.docum.org/docum.org/kptd/
[1] http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
[2] http://open-source.arkoon.net/kernel/kernel_net.png
[3] http://linux-ip.net/nf/nfk-traversal.png
[4] http://tldp.org/HOWTO/Traffic-Control-HOWTO/
[5] http://tcng.sourceforge.net/

--
Martin A. Brown --- Wonderfrog Enterprises --- martin@wonderfrog.net
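The two options Martin names (mark the packets before NAT, or give the video box its own public address) written out as plain iptables and tc commands rather than tcng. This is an added example, not code from the thread or from the tcng project. It assumes names the thread does not give: eth0 is the private NIC, eth1 the public NIC, 123.123.123.100 a spare public address routed to the firewall, and 0x64 an arbitrary fwmark value. TC and IPT default to the real binaries; set TC=echo IPT=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original thread): fwmark vs dedicated-IP
# classification of one LAN host's upload traffic on a NATing firewall.
# Assumed names: eth0 = private NIC, eth1 = public NIC, 123.123.123.100 =
# hypothetical spare public IP, 0x64 = arbitrary fwmark.
TC=${TC:-tc}
IPT=${IPT:-iptables}
PRIV_DEV=eth0
PUB_DEV=eth1
VIDEO_BOX=192.168.168.100
VIDEO_PUB=123.123.123.100   # hypothetical spare public IP for the video box
VIDEO_MARK=0x64             # arbitrary fwmark value
FULL_T1=1544kbit
HALF_T1=772kbit
VIDEO_BW=128kbit

# HTB tree on the public NIC's egress (upload direction): class 1:1 holds the
# whole T1; 1:10 guarantees VIDEO_BW to the video box and may borrow up to the
# full line; 1:20 is the default class for everything else.
htb_tree() {
  $TC qdisc del dev "$PUB_DEV" root 2>/dev/null || true
  $TC qdisc add dev "$PUB_DEV" root handle 1: htb default 20
  $TC class add dev "$PUB_DEV" parent 1: classid 1:1 htb rate "$FULL_T1" ceil "$FULL_T1"
  $TC class add dev "$PUB_DEV" parent 1:1 classid 1:10 htb rate "$VIDEO_BW" ceil "$FULL_T1"
  $TC class add dev "$PUB_DEV" parent 1:1 classid 1:20 htb rate "$HALF_T1" ceil "$FULL_T1"
}

# Option 1: fwmark.  Mark in mangle PREROUTING, which runs before NAT and
# routing, while the packet still carries the private source address.  The
# mark is stored in the skb rather than in the packet, so it survives SNAT
# and is still present when the egress qdisc on the public NIC classifies.
shape_by_fwmark() {
  htb_tree
  $IPT -t mangle -A PREROUTING -i "$PRIV_DEV" -s "$VIDEO_BOX" \
       -j MARK --set-mark "$VIDEO_MARK"
  $TC filter add dev "$PUB_DEV" parent 1: protocol ip prio 1 \
       handle "$VIDEO_MARK" fw flowid 1:10
}

# Option 2: dedicated public IP.  SNAT the video box to its own address so
# that, after NAT, its packets are the only ones with that source IP and a
# plain u32 match on the public NIC picks them out.  Any generic MASQUERADE
# or SNAT rule for the rest of the LAN (not shown) must come after this one.
shape_by_dedicated_ip() {
  htb_tree
  $IPT -t nat -A POSTROUTING -o "$PUB_DEV" -s "$VIDEO_BOX" \
       -j SNAT --to-source "$VIDEO_PUB"
  $TC filter add dev "$PUB_DEV" parent 1: protocol ip prio 1 \
       u32 match ip src "$VIDEO_PUB"/32 flowid 1:10
}

# Apply exactly one of:  shape_by_fwmark   or   shape_by_dedicated_ip
```

Either way, confirm the classification actually works before trusting the rates: start a call from the video box and watch `tc -s class show dev eth1`; the byte and packet counters on class 1:10 should climb while 1:20 stays flat for that host. If everything lands in 1:20, the filter is being consulted after the address it matches on has already been rewritten, which is exactly the problem Bill described. Both options only cover the upload side; the download side is shaped on the private NIC's egress, as in Martin's `dev private` block.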
Friends:

I have established a working tc filter as follows:

    tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 match ip src 129.10.10.3 flowid 1:10

where 1:10 is an HTB class with a certain rate and 1:0 is its parent qdisc.

But when I try to filter on a source port, 21 for instance, by typing:

    tc filter add dev eth0 parent 1:0 (protocol ip) prio 0 u32 match ip protocol 0x6 0xff match tcp sport 21 0xffff flowid 1:10

no filter can be added because of a match error. I have already tried both excluding and including the "(protocol ip)" in that position, and nothing.

I hope you will help me!

----- Original Message -----
From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: "Bill Gradwohl" <bill@ycc.com>
Cc: "lartc list" <lartc@mailman.ds9a.nl>
Sent: Friday, August 06, 2004 1:32 AM
Subject: Re: [LARTC] NAT & tc filter addresses
Friends:

Can someone tell me how this code would work?

    # tc filter add dev ppp0 parent 1:0 prio 10 u32 \
        match tcp dst 53 0xffff \
        match ip protocol 0x6 0xff \
        flowid 1:2