You got it the wrong way.
Let me explain.
Tc shapes outgoing packets, not incoming.
So .. if you want to shape download, you have to shape it using eth0
interface.
Add rules to match packets from source port 80 or destination lan/firewalled
ip. ( this is why your download shaping works )
If you want to shape upload, you have to shape it using eth1 int. (this is
where you should change some things ).
Add rules to match packets to destination port 80 or source lan/firewalled
ip using eht1. ( note that since shaping is done after the routing, the SNAT
rules in iptables will be applied before shaping occurs.. so .. you
can''t
shape outgoing packets by source using nat in the same time).
Anyway .. if you don''t like how tc works there is a kernel patch IMQ.
Google for it... using it you can shape incoming packets, as they arrive on
the interface. :D
Iosif Peterfi
Forte Systems S.R.L.
http://www.fortesys.ro/
-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
On Behalf Of Christian Bauer
Sent: Wednesday, June 01, 2005 3:51 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] TC Filtering Problems
Dear Admins and Hackers,
maybe i am to stupid to use ''tc''. But i having logical
Problems to
understand the Filter Rules in tc.
Common Config:
There is a Linux Engine (Debian) with a 2.6.11.11 Kernel which act as
Packetshaper.
Two Interfaces eth0 and eth1 are installed. Interface ''eth0''
is the Firewall
Side Net
195.185.185.0/24. Interface ''eth1'' goes to the Internet
(switch and Routers
to the isps).
Both Interfaces are bridged. The TEST Client is located on the eth0 Device
of the Packetshaper.
Kernel Module: (lsmod)
Module Size Used by
mirred 7744 0
sch_dsmark 7424 0
police 10976 0
pedit 7648 0
gact 7008 0
cls_rsvp 7424 0
cls_route 7808 0
sch_prio 5888 0
ipt_state 2048 0
ipt 8288 0
sch_htb 18816 0
cls_tcindex 8192 0
cls_u32 9220 0
cls_fw 5504 0
TC Config (a htb Qdisc):
for d in eth0 eth1;
do
tc qdisc add dev $d root handle 1:0 htb default 12
tc class add dev $d parent 1:2 classid 1:2 htb rate 8096mbit
tc class add dev $d parent 1:2 classid 1:10 htb rate 64kbit ceil 64kbit prio
0
tc class add dev $d parent 1:2 classid 1:12 htb rate 1024mbit ceil 1024mbit
prio 0
done
Http Filter ( looks for (Source)Port 80 on Offset 20 in the Ip Packet
(Httpserver Answer) ):
tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match u32
0x500000
0xffff0000 at 20 classid 1:10
This Filter is working and the http download on the Firewall Side is
resticted to 64 kbit
as you can see below.
tc -s filter show dev eth0 :
filter parent 1: protocol ip pref 100 u32
filter parent 1: protocol ip pref 100 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 100 u32 fh 800::800 order 2048 key ht 800
bkt 0 flowid 1:10 (rule hit 151 success 129)
match 00500000/ffff0000 at 20 (success 129 )
But why i !cant! filter Packets with dstPort 80 or Src Ip on eth0:
Dstport 80:
tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 match u32 0x50
0xffff at nexthdr+0 classid 1:10
or
Source Ipaddress:
tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 match ip src
195.185.185.2/32 classid 1:10
On these Filters are no success Counters. Our Firewall cant it be. I connect
our Testlaptop directly to
the eth0 Packetshaper Device. When i run a "tcpdump -i eth0" on the
Packetshaper i saw the Src
Ipaddress 195.185.185.2 and dstport 80 Packets. I cant understand why tc not
able to find the
SRC IP Fields in the Packets on eth0 of the Packetshaper. At first i thought
the problem will be
the br_fw (bridgerouter) Option in the Kernel. Without these Option the
Problem is still alive.
In my Eyes it´s not logical! Please can anyone help me? Have no Idea left.
I hope there is a Hacker or Admin which can me tell the Filterlogic.
thanks in advance
Christian
______________________________________________________________
Verschicken Sie romantische, coole und witzige Bilder per SMS!
Jetzt bei WEB.DE FreeMail: http://f.web.de/?mc=021193
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
--
This message was scanned for spam and viruses by BitDefender.
For more information please visit http://linux.bitdefender.com/
--
This message was scanned for spam and viruses by BitDefender.
For more information please visit http://linux.bitdefender.com/
--
This message was scanned for spam and viruses by BitDefender.
For more information please visit http://linux.bitdefender.com/