search for: ipmark

Displaying 20 results from an estimated 24 matches for "ipmark".

2007 Jun 11
7
shaping using source IP after NAT
Hi all I am using a pass thru router and I need to QoS some clients output by its IP address. The problem is that QoS is due after NATing. Is there some clever way of doing this besides MARKing every packet with some IP hashing in POSTROUTING NAT table? Regards Ethy
2007 Sep 24
3
trouble when using IPMARK module
Hello, I am trying to use iptables together with tc I need to use IPMARK module of iptables, but I got a strange error after I run 'iptables -t mangle -A POSTROUTING -o eth0 -j IPMARK --addr=dst --and-mask=0xffff --or-mask=0x1000' The command is copied from iptables manual itself (of course interface changed) I only got " iptables v1.3.5: Unknow...
2007 May 17
2
IPCLASSIFY - patch based on IPMARK
Hello everybody! Some time ago I've decided that using the MARK property of the Linux IP packet structure for the needs of traffic control is not very useful. So I wrote an iptables patch called IPCLASSIFY. It is fully based on IPMARK but it uses the PRIORITY field instead of MARK. The relation between IPCLASSIFY<->CLASSIFY is the same as IPMARK<->MARK. By using IPCLASSIFY not a single TC filter is needed any more! Additionally, the MARK field can be used for something else, more useful. You can find it here :...
2007 Apr 24
1
IPMark won't compile on a vanilla 2.6.20 kernel
Hello, IPMark won't compile on a vanilla 2.6.20 kernel I obtain this error during the compilation under debian sarge 3.1 CC [M] net/ipv4/netfilter/ipt_TTL.o CC [M] net/ipv4/netfilter/ipt_IPMARK.o net/ipv4/netfilter/ipt_IPMARK.c: In function `target': net/ipv4/netfilter/ipt_IPMARK.c:37: e...
2007 May 05
3
Massive filtering
...d a traffic control rule set for a huge NATed network, and I have it working for single known addresses but I need to scale it to 16M potential client addresses. I'm using iptables for NAT. Incoming traffic is simple because I can match destination address, outgoing traffic I use iptables IPMARK then tc match mark and it works perfectly if I build rules for each client individually. I am worried about performance as the client list increases. I need to place client IPs into classes like routers, freeloaders, lite-access, premium-access, etc. I have no problem with rewriting rules on the f...
2003 Jun 19
0
[Bug 100] New: NETFILTER_VERSION -> IPTABLES_VERSION in libipt_IPMARK.c
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=100 Summary: NETFILTER_VERSION -> IPTABLES_VERSION in libipt_IPMARK.c Product: iptables userspace Version: unspecified Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: iptables AssignedTo: laforge@netfilter.org ReportedBy: ofudd@speed-t...
2006 Jun 14
1
fwmark filter doesn't work as expected
Hello! Currently I am marking packets with IPMARK, and then using following rules: 1: class add dev eth0 parent 1:4 classid 1:100a htb rate $rate ceil $ceil quantum 1600 2: qdisc add dev eth0 parent 1:100a handle 100a:0 sfq perturb 10 3: filter add dev eth0 protocol ip parent 1:0 pref 30 handle 4106 fw classid 1:100a 4: class add dev eth1 pa...
2008 Apr 09
1
[announce] Xtables-addons 1.5.4
Hi everyone, Xtables-addons 1.5.4 has been released; highlights of this release are the import, cleanup/bugfixing the "condition" and "ipp2p" matches and additionally extending the "IPMARK" by IPv6. I hope people don't mind, but I have not heard back so far, so I take it it's ok. LOGMARK (for analyzing packet marks and connection states) now prints the invoking hook and the packet direction. There is now also a compiled manpage that lists all matches'...
2004 Feb 26
1
ESFQ Modification
...I realized that P2P users are smart enough to bypass limits as sfq doesn't give fair sharing in this case (thousands of connections from one user versus few from the other). I tried IMQ but its instability in my configuration was painful. So I made something like that: 1. i use IPMARK patch for the iptables to mark all the connections in P2P related class depending on source IP (i use SNAT), 2. modified ESFQ to create hash depending on FWMARK instead of src ip 3. and it worked. So I have uplink policy based on source ip in snat-ed environment without using IMQ. I'...
2006 Apr 12
7
ESFQ not so fair?
...which uses many connections, speed seems to be stable. I am using esfq that way: qdisc add dev eth0 parent 1:4 handle 4:0 esfq perturb 600 hash fwmark divisor 13 qdisc add dev eth1 parent 1:2 handle 2:0 esfq perturb 600 hash dst divisor 13 On eth0 every IP is marked with different value by IPMARK module. On eth1 it is not necessary so I use dst hash. I have more values than 2^13 so I can't use direct hash. Any ideas? Is it possible to use bigger divisor or algorithm is not designed to deal with bigger hash? Any ideas will be appreciated! -- Michał Margula, alchemyx@uznam.net....
2007 Aug 26
0
CONFIG_IP_ROUTE_FWMARK missing
Hi, Kernel option CONFIG_IP_ROUTE_FWMARK is missing in 2.6.20. Can you still route traffic based on marks as stated in chapter 11 of LARTC HOWTO? I read in the list that IPMark doesn't work either, so I thought it might be related. Thanks.
2006 Jun 09
0
tc don't working under SUSE 10.0 OSS
...almost the same. I can't figure out in what direction I need to dig to solve the problem. Anybody can help me? Is problem in SUSE distributive, or in my wry hands? In old (working) server was installed: iproute2 2.6.15-060110, iptables 1.3.5, patch-o-matic-ng 20060124 (only IPMARK patch) In new server I try from all counted above versions to latest ones: iproute2 2.6.16-060323, patch-o-matic-ng 20060606 -- Best regards, Igor mailto:ivb@is.ua
2011 Jul 15
2
Traffic shaping ipv6 configs example
Hello All, I've searched the documentation of shorewall, But I didn't find any document about traffic shaping in ipv6. I want to do a per-ip traffic shaping of ipv6. TIA -- -Budiwijaya-
2007 May 07
0
Strange problem with HTB
...y same htb configuration on both interfaces, only the filters are different. On eth1, packets are classified by their destination address, however this does not work on eth0, because packets are already natted when they reach scheduling subsystem -- so their source ip is copied into fwmark by "IPMARK" iptables rule and classified according to this mark. Every ip has its own htb class and for each ip something like this is run: tc class add dev eth0 parent 1:0011 classid 1:00ab htb rate 96kbit ceil 1000kbit prio 1 quantum 1500 tc qdisc add dev eth0 parent 1:00ab handle 00ab: es...
2003 Aug 12
1
htb qdiscs inside htb classes tree - possible side effects???
...source or destination port numbers etc. It is working very well. Anyway I have encountered some scalability issues, I have to solve before my shaping box collapses. # iptables -vnL FORWARD -t mangle | wc -l 2798 I have almost 3000 items in FORWARD chain in mangle table. Now I am switching to IPMARK target which can mangle packets automatically based on their src or dst address. IP address is converted to hex (ex. 10.11.12.13->0a0b0c0d), then 16 less important bits are left (by and operation with $ffff0000- so it is 0c0d) and then I can OR with some number. I use class 192.168.0.0/16 for cl...
2005 Jun 10
3
Lamer needs help for basic tc setup
Hi fellows, I'm just a newbie to use the cool tc and played around the last 2 weeks. I'm quite confident - in theory - what's possible and the basic difference between the queuing disciplines. We're using a Fedora Core 3 box as Gateway (iptables,tc,iproute2 with NAT). Clients are coming in via eth1 and outgoing traffic (2Mbit/s SDSL) through eth0. So we
2007 May 26
14
big problem with HTB/CBQ and CPU for more than 1.700 customers
2004 Sep 29
4
Scalability
Hello everyone, I want an opinion from people who tried different matching modules to match different types of traffic, especially p2p ones. I would like to hear which scales better as CPU usage and latency : ipp2p, iptables-p2p or l7-filter with the p2p patterns. I want to use one of them to block most of p2p (except maybe dc++ and emule which i want to shape). I would use the matching rules in
2004 May 22
6
MARK causes high CPU usage / using tc in conjunction with MASQ
...iently would be appreciated. The mangle table entry (indicated by ***) is sucking all the cpu. I am running RH7.3 kernel 2.4.18-3 and iptables 1.2.5 This setup has worked well for more than 1000 devices but as the network has grown to 3000+ devices the CPU is not keeping up. I have thought to use IPMARK instead of MARK. Or, to possibly use CLASSIFY. Since this is hard to recreate in the lab I was looking for some experienced advice on the matter. ### root ### tc qdisc add dev eth0 root handle 1: cbq bandwidth 100Mbit avpkt 1000 cell 8 tc qdisc add dev eth1 root handle 1: cbq bandwidth 100Mbit av...
2005 Jun 09
5
nesting htbs
Hello all, I am running a coop satellite link for my aviation company here in Iraq. (silly blog www.stardotstar.org). I am running tc with htb with good success so far. I am working on improving it though and need some help. Currently I have just 4 classes, syn/ack/ping, webchat, http, and then other. We are really happy with how this has improved our ability to call home from our rooms and