thr3ads.net - LARTC - fw as filter broken? [Apr 2005]

If this information is useful, please help other people find it:
Share via:

Troy Caldwell

2005-Apr-08 21:06 UTC

fw as filter broken?

Can someone verify that using fw as a filter in iproute2-2.6.11-050330 is
broken.  Doesn''t seem to work in any case and I saw an earlier post
that
would lead me to believe this is the case.  If so does anyone have a
temporary fix?
Thanks,
Troy

Catalin(ux aka Dino) BOIE

2005-Apr-08 21:16 UTC

head link

Re: fw as filter broken?

On Fri, 8 Apr 2005, Troy Caldwell wrote:
> Can someone verify that using fw as a filter in iproute2-2.6.11-050330 is
> broken.  Doesn''t seem to work in any case and I saw an earlier
post that
> would lead me to believe this is the case.  If so does anyone have a
> temporary fix?
> Thanks,
> Troy
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
Can you post your script, please?

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

Troy Caldwell

2005-Apr-08 21:53 UTC

head link

RE: fw as filter broken?

I''m using the patch for dummy as an imq replacement that Jamal posted a
little while back.  
I''ve tried to do the same thing on an egress qdisc to try to limit
outbound
speed and still had no luck. My u32 filters work fine, but are not enough
for our setup here.

Here''s what I''ve got...

export TC="/usr/sbin/tc"

$TC qdisc add dev eth0 handle ffff: ingress
$TC filter add dev eth0 parent ffff: protocol ip prio 1 u32 match u32 0 0
flowid 1:1 action mirred egress redirect dev dummy0

modprobe dummy
ifconfig dummy0 up

iptables -t mangle -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j
TCPMSS --set-mss 1350 iptables -t mangle -I POSTROUTING -s xxx.xxx.xx.xx -o
eth1 -j MARK --set-mark 14 iptables -t mangle -I POSTROUTING -s
xxx.xxx.xx.xxx -o eth1 -j MARK --set-mark 14 iptables -t mangle -I
POSTROUTING -s 172.20.5.1 -o eth1 -j MARK --set-mark 14 iptables -t mangle
-A POSTROUTING -j CONNMARK --save-mark iptables -t mangle -I PREROUTING -j
CONNMARK --restore-mark iptables -t mangle -I PREROUTING 2 -m mark ! --mark
0x0 -j ACCEPT

$TC qdisc add dev dummy0 root handle 1: htb default 50
$TC class add dev dummy0 parent 1: classid 1:1 htb rate 100mbps ceil 100mbps
$TC class add dev dummy0 parent 1: classid 1:2 htb rate 1500kbit ceil
1500kbit $TC class add dev dummy0 parent 1:1 classid 1:14 htb rate 95mbps
ceil 100mbps #ECC $TC class add dev dummy0 parent 1:2 classid 1:15 htb rate
750kbit ceil 1500kbit prio 0 $TC class add dev dummy0 parent 1:15 classid
1:50 htb rate 730kbit ceil 1500kbit prio 0 $TC class add dev dummy0 parent
1:15 classid 1:51 htb rate 20kbit ceil 1500kbit prio 1 #VPN $TC class add
dev dummy0 parent 1:2 classid 1:16 htb rate 750kbit ceil 1500kbit prio 0

$TC filter add dev dummy0 parent 1: protocol ip prio 1 u32 match ip protocol
50 0xff flowid 1:16 $TC filter add dev dummy0 parent 1: protocol ip prio 1
u32 match ip src 172.20.5.1/31 flowid 1:14 $TC filter add dev dummy0 parent
1: protocol ip prio 1 handle 50 fw classid 1:50 $TC filter add dev dummy0
parent 1: protocol ip prio 1 handle 51 fw classid 1:51 $TC filter add dev
dummy0 parent 1: protocol ip prio 1 handle 9 fw classid 1:60 $TC filter add
dev dummy0 parent 1: protocol ip prio 1 handle 14 fw classid 1:14


Thanks,
Troy

-----Original Message-----
From: Catalin(ux aka Dino) BOIE 
Sent: Friday, April 08, 2005 4:16 PM
To: Troy Caldwell
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] fw as filter broken?


On Fri, 8 Apr 2005, Troy Caldwell wrote:
> Can someone verify that using fw as a filter in iproute2-2.6.11-050330 
> is broken.  Doesn''t seem to work in any case and I saw an earlier
post
> that would lead me to believe this is the case.  If so does anyone 
> have a temporary fix? Thanks,
> Troy
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl 
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
Can you post your script, please?

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

Andy Furniss

2005-Apr-09 19:52 UTC

head link

Re: fw as filter broken?

Troy Caldwell wrote:> I''m using the patch for dummy as an imq replacement that Jamal
posted a
> little while back.  
> I''ve tried to do the same thing on an egress qdisc to try to limit
outbound
> speed and still had no luck. My u32 filters work fine, but are not enough
> for our setup here.
> 
> Here''s what I''ve got...
> 
> export TC="/usr/sbin/tc"
> 
> $TC qdisc add dev eth0 handle ffff: ingress
> $TC filter add dev eth0 parent ffff: protocol ip prio 1 u32 match u32 0 0
> flowid 1:1 action mirred egress redirect dev dummy0
Ingress dummy is before conntrack so connmark won''t work.
There is going to be a way to do it but the match isn''t written yet.
I am suprised it doesn''t work on egress.
You could use IMQ as that hooks after PREROUTING mangle.

Andy.

Reasonably Related Threads

Search for more reasonably related threads

LARTC - Apr 2005 - fw as filter broken?

fw as filter broken?

Re: fw as filter broken?

RE: fw as filter broken?

Re: fw as filter broken?

Reasonably Related Threads