Hi folks...!!!

I've a problem that I did not solve. I want to limit the DOWNLOAD to my hosts (upstream traffic for the firewall) using IMQ.

If I classify by PORT (source or destination) all seems to be fine, but...BUT...if I want to restrict by IP address (internal IP address) I can't do it, because my hosts go to Internet toward the firewall using NAT, so after NAT my IP address in Internet is not my internal address, because the NAT action changes my source and internal IP address.

So...so...so...how can I limit the traffic by IP address using TC, IMQ, U32..etc...?????

Can I modify some field in the TCP header with u32 filter? I did read the TCP RFC and nothing, I can't guess how to solve it...

Please, HELPPPPPPP ME...!!!

--
terraja-based
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Hi

Maybe you have to review your IMQ behavior and choose CONFIG_IMQ_BEHAVIOR_AA or CONFIG_IMQ_BEHAVIOR_AB during the kernel compilation (and not CONFIG_IMQ_BEHAVIOR_BA or CONFIG_IMQ_BEHAVIOR_BB).

Regards
Afshin

On Sat, 2007-06-02 at 06:19 -0300, terraja-based wrote:
> Hi folks...!!!
>
> I've a problem that I did not solve.
> I want to limit the DOWNLOAD to my hosts (upstream traffic for the
> firewall) using IMQ.
>
> If I classify by PORT (source or destination) all seems to be fine,
> but...BUT...if I want to restrict by IP address (internal IP address)
> I can't do it, because my hosts go to Internet toward the firewall
> using NAT, so after NAT my IP address in Internet is not my internal
> address, because the NAT action changes my source and internal IP
> address.
>
> So...so...so...how can I limit the traffic by IP address using TC,
> IMQ, U32..etc...?????
>
> Can I modify some field in the TCP header with u32 filter? I did read
> the TCP RFC and nothing, I can't guess how to solve it...
> Please, HELPPPPPPP ME...!!!

--
Afshin Tajvidi
IT Technical Architect
terraja-based wrote:
> Hi folks...!!!
> I've a problem that I did not solve.
> I want to limit the DOWNLOAD to my hosts (upstream traffic for the
> firewall) using IMQ.
> If I classify by PORT (source or destination) all seems to be fine,
> but...BUT...if I want to restrict by IP address (internal IP address)
> I can't do it, because my hosts go to Internet toward the firewall
> using NAT, so after NAT my IP address in Internet is not my internal
> address, because the NAT action changes my source and internal IP
> address.
> So...so...so...how can I limit the traffic by IP address using TC,
> IMQ, U32..etc...?????
> Can I modify some field in the TCP header with u32 filter? I did read
> the TCP RFC and nothing, I can't guess how to solve it...
> Please, HELPPPPPPP ME...!!!

Use iptables MARK, and TC fw.
VladSun wrote:
> terraja-based wrote:
>> Hi folks...!!!
>> I've a problem that I did not solve.
>> I want to limit the DOWNLOAD to my hosts (upstream traffic for the
>> firewall) using IMQ.
>> If I classify by PORT (source or destination) all seems to be fine,
>> but...BUT...if I want to restrict by IP address (internal IP address)
>> I can't do it, because my hosts go to Internet toward the firewall
>> using NAT, so after NAT my IP address in Internet is not my internal
>> address, because the NAT action changes my source and internal IP
>> address.
>> So...so...so...how can I limit the traffic by IP address using TC,
>> IMQ, U32..etc...?????
>> Can I modify some field in the TCP header with u32 filter? I did read
>> the TCP RFC and nothing, I can't guess how to solve it...
>
> Use iptables MARK, and TC fw.

SCENARIO
=======

tc utility, iproute2-ss061214
kernel 2.6.20-1.2952.fc6

Mark packets:
#iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 1

Shape marked packets with tc fw:
#tc class add dev eth1 parent 11:1 classid 11:2 htb rate 10Mbit ceil 90Mbit prio 6
#tc qdisc add dev eth1 parent 11:2 sfq quantum 1500 perturb 5
#tc filter add dev eth1 parent 11:0 protocol ip handle 1 fw classid 11:2

Result in iptables seems ok:
Chain OUTPUT (policy ACCEPT 8054768 packets, 8122202853 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 3827080 4103809298 MARK       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           MARK set 0x1

Result in tc:
filter parent 11: protocol ip pref 49152 fw
filter parent 11: protocol ip pref 49152 fw handle 0x1 classid 11:2

So there are no matches in this filter, the other filters work fine (for example: rule hit 5846685 success 5846685).

The class is empty too:
class htb 11:2 parent 11:1 leaf 8003: prio 6 rate 10000Kbit ceil 90000Kbit burst 2850b cburst 12847b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

What could be the problem?

Cheers,
--
Catalin Bucur
mailto:cata@geniusnet.ro
NOC @ Genius Network SRL - Galati - Romania
Catalin Bucur wrote:
> VladSun wrote:
>> terraja-based wrote:
>>> Hi folks...!!!
>>> I've a problem that I did not solve.
>>> I want to limit the DOWNLOAD to my hosts (upstream traffic for the
>>> firewall) using IMQ.
>>> If I classify by PORT (source or destination) all seems to be fine,
>>> but...BUT...if I want to restrict by IP address (internal IP address)
>>> I can't do it, because my hosts go to Internet toward the firewall
>>> using NAT, so after NAT my IP address in Internet is not my internal
>>> address, because the NAT action changes my source and internal IP
>>> address.
>>> So...so...so...how can I limit the traffic by IP address using TC,
>>> IMQ, U32..etc...?????
>>> Can I modify some field in the TCP header with u32 filter? I did read
>>> the TCP RFC and nothing, I can't guess how to solve it...
>>
>> Use iptables MARK, and TC fw.
>
> SCENARIO
> =======
>
> tc utility, iproute2-ss061214
> kernel 2.6.20-1.2952.fc6
>
> Mark packets:
> #iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 1
>
> Shape marked packets with tc fw:
> #tc class add dev eth1 parent 11:1 classid 11:2 htb rate 10Mbit ceil 90Mbit prio 6
> #tc qdisc add dev eth1 parent 11:2 sfq quantum 1500 perturb 5
> #tc filter add dev eth1 parent 11:0 protocol ip handle 1 fw classid 11:2
>
> Result in iptables seems ok:
> Chain OUTPUT (policy ACCEPT 8054768 packets, 8122202853 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>  3827080 4103809298 MARK       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           MARK set 0x1
>
> Result in tc:
> filter parent 11: protocol ip pref 49152 fw
> filter parent 11: protocol ip pref 49152 fw handle 0x1 classid 11:2
>
> So there are no matches in this filter, the other filters work fine (for
> example: rule hit 5846685 success 5846685).
>
> The class is empty too:
> class htb 11:2 parent 11:1 leaf 8003: prio 6 rate 10000Kbit ceil 90000Kbit burst 2850b cburst 12847b
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>
> What could be the problem?
>
> Cheers,

11:1 is not your root class, right?

If so, try to apply the filter to root class - i.e. something like

tc filter add dev eth1 parent 1:0 protocol ip handle 1 fw classid 11:2
VladSun wrote:
> 11:1 is not your root class, right?
>
> If so, try to apply the filter to root class - i.e. something like
>
> tc filter add dev eth1 parent 1:0 protocol ip handle 1 fw classid 11:2

11:0 is my root class, and the line is (as I write below):
#tc filter add dev eth1 parent 11:0 protocol ip handle 1 fw classid 11:2

--
Catalin Bucur
mailto:cata@geniusnet.ro
NOC @ Genius Network SRL - Galati - Romania
Hi,

> VladSun wrote:
>> 11:1 is not your root class, right?
>>
>> If so, try to apply the filter to root class - i.e. something like
>>
>> tc filter add dev eth1 parent 1:0 protocol ip handle 1 fw classid 11:2
>
> 11:0 is my root class, and the line is (as I write below):
> #tc filter add dev eth1 parent 11:0 protocol ip handle 1 fw classid 11:2

Do you mean to say that the handle of the root _qdisc_ is 11:0?
(I could not find that configuration command in your email)

Is the traffic that should match the filter going through the qdisc at all?
(you can check the qdisc counters)

If it is, then maybe there is another filter (with higher priority?) that catches the packets earlier. Can it be the case?

Regards
/Christian

[ http://benve.info ]
Christian Benvenuti wrote:
> Do you mean to say that the handle of the root _qdisc_ is 11:0?
> (I could not find that configuration command in your email)
>
> Is the traffic that should match the filter going through the qdisc at all?
> (you can check the qdisc counters)
>
> If it is, then maybe there is another filter (with higher priority?)
> that catches the packets earlier. Can it be the case?

No, none of this was the cause. I think that was the fw filter. I've changed to u32 and everything works fine:

Before:
#tc filter add dev eth1 parent 11:0 protocol ip handle 1 fw classid 11:2

After:
#tc filter add dev eth1 parent 11:0 protocol ip prio 1 u32 match ip dst 192.168.10.0/24 match mark 1 0xffff flowid 11:2

Cheers,
--
Catalin Bucur
mailto:cata@geniusnet.ro
NOC @ Genius Network SRL - Galati - Romania
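The MARK + fw approach VladSun suggested and Catalin's class layout, consolidated into one script with the fw filter on the root qdisc. This is an added example and not code from the thread; the interface, LAN subnet, root handle 11: and parent class 11:1 are assumptions, and the mark is set in mangle POSTROUTING rather than the OUTPUT chain so that forwarded (not only firewall-generated) traffic is marked.

```shell
#!/bin/sh
# Added example, not code from the thread: VladSun's MARK + fw approach in one
# script, with the fw filter attached to the root qdisc as discussed above.
# Assumptions: eth1 is the LAN-facing interface, 192.168.10.0/24 is the LAN,
# the root HTB qdisc is 11: with parent class 11:1 (none of this is stated in
# the thread). DRY_RUN=1 prints each command instead of executing it.

DEV="${DEV:-eth1}"
LAN="${LAN:-192.168.10.0/24}"
MARK="${MARK:-1}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_shaping() {
    # Root HTB qdisc (handle 11:), parent class 11:1, default leaf 11:10.
    run tc qdisc add dev "$DEV" root handle 11: htb default 10
    run tc class add dev "$DEV" parent 11: classid 11:1 htb rate 100Mbit
    run tc class add dev "$DEV" parent 11:1 classid 11:10 htb rate 90Mbit ceil 100Mbit
    # Leaf class for the marked download traffic (values from the thread).
    run tc class add dev "$DEV" parent 11:1 classid 11:2 htb rate 10Mbit ceil 90Mbit prio 6
    run tc qdisc add dev "$DEV" parent 11:2 sfq perturb 5
    # The fw filter hangs off the root qdisc (parent 11:0), not off class 11:1.
    run tc filter add dev "$DEV" parent 11:0 protocol ip handle "$MARK" fw classid 11:2
    # Mark in mangle POSTROUTING on the LAN-facing interface: by this hook
    # conntrack has already reversed the SNAT on reply packets, so -d "$LAN"
    # matches the internal address (mangle PREROUTING runs before nat
    # PREROUTING and would still see the public address). Unlike the OUTPUT
    # chain, POSTROUTING also sees forwarded traffic.
    run iptables -t mangle -A POSTROUTING -o "$DEV" -d "$LAN" -j MARK --set-mark "$MARK"
}

# After applying: the fw filter should report hits and the "Sent" counter of
# class 11:2 should grow while a host in $LAN downloads.
show_counters() {
    run tc -s filter show dev "$DEV" parent 11:0
    run tc -s class show dev "$DEV"
}
```

Run with DRY_RUN=1 first to review the exact tc and iptables commands, then as root to apply them and check show_counters.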