LARTC - Apr 2005 - tc filter - based on iptables - MAC - MARK not working - altough marking on ip src, dst address works

=== tc filter - based on iptables - MAC fw marking not
working =

DEV="eth1"
tc qdisc add dev $DEV root handle 1: htb default 20
tc class add dev $DEV parent 1: classid 1:1 htb rate
600kbps ceil 3276800kbit
tc class add dev $DEV parent 1:1 classid 1:15 htb rate
3kbps prio 4
tc class add dev $DEV parent 1:1 classid 1:20 htb rate
500kbps prio 3
tc qdisc add dev $DEV parent 1:15 handle 150: sfq
perturb 10
tc qdisc add dev $DEV parent 1:20 handle 200: sfq
perturb 10

tc filter add dev $DEV parent 1:0 protocol ip prio 3
handle 2 fw classid 1:15
tc filter add dev $DEV parent 1:0 protocol ip prio 2
handle 3 fw classid 1:20
iptables -t mangle -A FORWARD  -m mac --mac-source
00:0D:87:60:61:37 -j MARK --set-mark 2
iptables -t mangle -A INPUT   -m mac --mac-source
00:0D:87:60:61:37 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING   -m mac --mac-source
00:0D:87:60:61:37 -j MARK --set-mark 2
#iptables -t mangle -A FORWARD  -s 192.168.0.33 -j
MARK --set-mark 0x2
#iptables -t mangle -A FORWARD -d 192.168.0.33 -j MARK
--set-mark 0x2

Tried several times:
tc qdisc del dev eth0 root
iptables -F -t mangle
and run the above script in every possible way 
but the damn thing does not take into account my MAC
===== I tried to mark on INPUT, FORWARD AND PREROUTING
-- none of them seems to work
If i uncomment and try on -s, -d ip works great but I
really need to match  MAC addresses

I looked at my kernel MAC -- related config:
I have kernel 2.6.10 with:
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_MARK=y
and other settings ( I took almost all options 
related)
.............
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
CONFIG_IP_ROUTE_FWMARK=y


etc..

What I''m missing here ?

Best regards


		
__________________________________ 
Do you Yahoo!? 
Read only the mail you want - Yahoo! Mail SpamGuard. 
http://promotions.yahoo.com/new_mail

Daniel Dafoe wrote:
> === tc filter - based on iptables - MAC fw marking not
> working => 
> 
> DEV="eth1"
<snip>

> Tried several times:
> tc qdisc del dev eth0 root
eth0?

iptables src MAC works for me with 1.3.1 - can you see the rule and 
counters matching with iptables -L -vnt mangle?

Andy.

--- Andy Furniss <andy.furniss@dsl.pipex.com> wrote:

Thanks for your input: 
modified  DEV="eth0"
indeed was a typo -- but still no luck with shaping



iptables -L -vnt mangle

Chain PREROUTING (policy ACCEPT 5172K packets, 2786M
bytes)
 pkts bytes target     prot opt in     out     source 
             destination
20470 3127K MARK       all  --  *      *      
0.0.0.0/0            0.0.0.0/0           MAC
00:0D:87:60:61:37 MARK set 0x2

Chain INPUT (policy ACCEPT 1772K packets, 594M bytes)
 pkts bytes target     prot opt in     out     source 
             destination
  849  114K MARK       all  --  *      *      
0.0.0.0/0            0.0.0.0/0           MAC
00:0D:87:60:61:37 MARK set 0x2

Chain FORWARD (policy ACCEPT 3389K packets, 2191M
bytes)
 pkts bytes target     prot opt in     out     source 
             destination
19621 3013K MARK       all  --  *      *      
0.0.0.0/0            0.0.0.0/0           MAC
00:0D:87:60:61:37 MARK set 0x2

Chain OUTPUT (policy ACCEPT 1937K packets, 1567M
bytes)
 pkts bytes target     prot opt in     out     source 
             destination

Chain POSTROUTING (policy ACCEPT 5306K packets, 3756M
bytes)
 pkts bytes target     prot opt in     out     source 
             destination


Best regards,

Daniel

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Daniel Dafoe wrote:
> --- Andy Furniss <andy.furniss@dsl.pipex.com> wrote:
> 
> Thanks for your input: 
> modified  DEV="eth0"
> indeed was a typo -- but still no luck with shaping
> 
> 
> 
> iptables -L -vnt mangle
> 
> Chain PREROUTING (policy ACCEPT 5172K packets, 2786M
> bytes)
>  pkts bytes target     prot opt in     out     source 
>              destination
> 20470 3127K MARK       all  --  *      *      
> 0.0.0.0/0            0.0.0.0/0           MAC
> 00:0D:87:60:61:37 MARK set 0x2
> 
> Chain INPUT (policy ACCEPT 1772K packets, 594M bytes)
>  pkts bytes target     prot opt in     out     source 
>              destination
>   849  114K MARK       all  --  *      *      
> 0.0.0.0/0            0.0.0.0/0           MAC
> 00:0D:87:60:61:37 MARK set 0x2
> 
> Chain FORWARD (policy ACCEPT 3389K packets, 2191M
> bytes)
>  pkts bytes target     prot opt in     out     source 
>              destination
> 19621 3013K MARK       all  --  *      *      
> 0.0.0.0/0            0.0.0.0/0           MAC
> 00:0D:87:60:61:37 MARK set 0x2
Well that bit looks OK can you see these packets going to the sfqs if 
you do

tc -s qdisc ls dev eth0 ?

I notice from the first post you have a really high ceil and mix kbps 
and kbit. bps = bytes per sec -

 > tc class add dev $DEV parent 1: classid 1:1 htb rate
 > 600kbps ceil 3276800kbit

Andy.

Thanks again for your response

tc -s qdisc ls dev eth0
qdisc htb 1: r2q 10 default 20 direct_packets_stat 0
 Sent 12664555 bytes 9717 pkts (dropped 0, overlimits
374)
qdisc sfq 150: parent 1:15 limit 128p quantum 1514b
perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 200: parent 1:20 limit 128p quantum 1514b
perturb 10sec
 Sent 12664555 bytes 9717 pkts (dropped 0, overlimits
0)

Strange ----> overlimits but not dropped

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

I really don''t get it :

Recompiled my kernel dozen times now is
2.6.11-gentoo-r5 but still packets are marked by
iptables but not shaped by tc. It only works when I
mark packets on source/destination ip

As soon as I comment last two lines and uncomment the
first one shaping is gone .... 

iptables -t mangle -A FORWARD  -m mac --mac-source
00-0d-87-60-61-37 -j MARK --set-mark 0x2

#iptables -t mangle -A PREROUTING -s 192.168.0.22 -j
MARK --set-mark 0x2
#iptables -t mangle -A PREROUTING -d 192.168.0.22 -j
MARK --set-mark 0x2

Best regards

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Daniel Dafoe wrote:
> 
> I really don''t get it :
> 
> Recompiled my kernel dozen times now is
> 2.6.11-gentoo-r5 but still packets are marked by
> iptables but not shaped by tc. It only works when I
> mark packets on source/destination ip
> 
> As soon as I comment last two lines and uncomment the
> first one shaping is gone ....
> 
> iptables -t mangle -A FORWARD  -m mac --mac-source
> 00-0d-87-60-61-37 -j MARK --set-mark 0x2
> 
> #iptables -t mangle -A PREROUTING -s 192.168.0.22 -j
> MARK --set-mark 0x2
> #iptables -t mangle -A PREROUTING -d 192.168.0.22 -j
> MARK --set-mark 0x2
> 
> Best regards
See http://kernel.umbrella.ro/net/

and 

http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking

Maybe something there will help.
--
gypsy
http://yesican.chsoft.biz/lartc

Daniel Dafoe wrote:
> I really don''t get it :
> 
> Recompiled my kernel dozen times now is
> 2.6.11-gentoo-r5 but still packets are marked by
> iptables but not shaped by tc. It only works when I
> mark packets on source/destination ip
> 
> As soon as I comment last two lines and uncomment the
> first one shaping is gone .... 
So you may need to match on MAC dst rather than src or did you try with 
just -s 192.168.0.22 alone?

Andy.

> 
> iptables -t mangle -A FORWARD  -m mac --mac-source
> 00-0d-87-60-61-37 -j MARK --set-mark 0x2
> 
> #iptables -t mangle -A PREROUTING -s 192.168.0.22 -j
> MARK --set-mark 0x2
> #iptables -t mangle -A PREROUTING -d 192.168.0.22 -j
> MARK --set-mark 0x2