Displaying 20 results from an estimated 24 matches for "nfmark".
2004 Nov 05
3
[PATCH] Use nfmark as a key for u32 classifier
Hello!
I am glad to announce a patch for u32 to allow matches on nfmark.
The patch is non-intrusive (few lines).
Why did I do this? Because fw classifier cannot be used together with u32.
For example, now, you cannot match a mark of 0x90 and a destination
port of 80. I know you can do it with iptables to do the marking, but if
you use Jamal actions to apply mark to po...
2005 Jun 01
3
filter ingress policy based on nfmark
Hi all.
Since I moved on to the 2.6 kernel, filter ingress policy based on nfmark won't
work.
Sorry for my English.
Simple example:
iptables -t mangle -I PREROUTING -j MARK --set-mark 1
${QDISC_ADD} handle ffff: ingress
${FILTER_ADD} parent ffff: protocol ip prio 100 handle 1 fw \
police rate 128Kbit burst 10k drop flowid 2:11
# tc -s -d qdisc ls dev eth0
qdisc ingress fff...
2004 Nov 09
4
[PATCH] [TRY2] Use nfmark as a key in u32 classifier
Hello!
This is the try number two.
What was changed:
- Added selectable choice in Kconfig file (thanks Jamal!)
- Don't abuse tc_u32_sel to not break backward compatibility (thanks
Patrick!).
Stephen, do you have any comments on iproute2 part? I know it's not
perfect but this is the best way, I think. "u32 match mark vvvv mmmm" it's
intuitive but breaks a
2004 Dec 24
4
Ingress and Classifier & netfilter
Hi all,
Whenever I start up TC and implement traffic policing using ingress, I
get logs that go something like this:
Classifier actions preferred over ingress.
What does that mean??
These are the relevant lines:
tc qdisc add dev $DEV handle ffff: ingress
tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src
0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
2004 Feb 26
1
ESFQ Modification
...u32 h, h2;
u32 hs;
+ u32 nfm;
switch (skb->protocol) {
case __constant_htons(ETH_P_IP):
@@ -124,6 +125,7 @@
struct iphdr *iph = skb->nh.iph;
h = iph->daddr;
hs = iph->saddr;
+ nfm = skb -> nfmark;
h2 = hs^iph->protocol;
if (!(iph->frag_off&htons(IP_MF|IP_OFFSET)) &&
(iph->protocol == IPPROTO_TCP ||
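Review bot: the added `nfm = skb -> nfmark;` in the IPv4 branch puts spaces around `->`, unlike the neighbouring `iph->daddr` and `skb->nh.iph`; write it as `nfm = skb->nfmark;`. The visible lines assign `nfm` but do not show it feeding the hash, so confirm it is consumed further down, otherwise it is a set-but-unused variable.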
@@ -137,6 +139,7 @@
struct ipv6hdr *iph = skb->nh.ipv6h;
h = iph->daddr.s6_addr32[3]...
2005 Dec 20
0
Question about tc class in skb
...->tc_verd (okay, that was reaching). If I ping with
different QoS bits which I'm assigning to different htb flows, I see
(these are my debugging messages in the driver):
~$ ping -Q 0x10 172.29.50.230
kernel: outpkt: priority:06 tclassid:0x0 tc_classid:0x0 tc_index:0x0
tc_verd:0x2000 nfmark:00
~$ ping -Q 0x08 172.29.50.230
kernel: outpkt: priority:02 tclassid:0x0 tc_classid:0x0 tc_index:0x0
tc_verd:0x2000 nfmark:00
Nada. 'pri' does change, but it seems to get set by the QoS value
directly (?), no change if I map them to different flows anyhow.
Now if I use iptab...
2005 Dec 21
0
CONNTRACK problem
...4: CONNMARK target: No operation specified
Try `iptables -h' or 'iptables --help' for more information.
root@prensa:~# strings /usr/lib/iptables/libipt_CONNMARK.so | grep restore
restore-mark
CONNMARK restore
--restore-mark
--restore-mark [--mask mask] Restore saved nfmark value
CONNMARK target: Can't specify --restore-mark twice
root@prensa:~# iptables -j CONNMARK -h
bla bla bla
CONNMARK target v1.3.4 options:
--set-mark value[/mask] Set conntrack mark value
--save-mark [--mask mask] Save the packet nfmark in the connection
--restore-mark...
2005 Oct 15
5
esfq ? or wrr ?
Hi
If I have a HTB class with 128kbit, and I want to
put "N" users in that class ( in order to share
bandwidth fairly ) ,
which is better for me ? esfq (hash dst) or wrr ?
I would attach esfq or wrr to HTB parent class.
Also I've read in Jim's script that over WRR put
a RED qdisc, but I don't understand it.
bests
andres
2007 Apr 24
1
IPMark won't compile on a vanilla 2.6.20 kernel
...2.6.20 kernel
I obtain this error during the compilation under debian sarge 3.1
CC [M] net/ipv4/netfilter/ipt_TTL.o
CC [M] net/ipv4/netfilter/ipt_IPMARK.o
net/ipv4/netfilter/ipt_IPMARK.c: In function `target':
net/ipv4/netfilter/ipt_IPMARK.c:37: error: structure has no member named
`nfmark'
net/ipv4/netfilter/ipt_IPMARK.c:38: error: structure has no member named
`nfmark'
net/ipv4/netfilter/ipt_IPMARK.c: At top level:
net/ipv4/netfilter/ipt_IPMARK.c:77: warning: initialization from
incompatible pointer type
net/ipv4/netfilter/ipt_IPMARK.c:81: warning: initialization...
2005 Jan 05
19
[PATCH] mark in u32
Hello, Stephen, List!
Attached is the patch for iproute2 to add the possibility to use fwmark in
u32 filters.
The kernel part was included in 2.6.10.
Please apply!
Thank you!
For more info:
- Kernel patch (not needed for 2.6.10):
http://kernel.umbrella.ro/net/mark_in_u32/net-match-nfmark-in-u32.patch
- Examples:
http://kernel.umbrella.ro/net/mark_in_u32/examples.txt
---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/
2003 Mar 04
1
[Bug 33] Connection tracking code doesn't track the interface of the connection
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=33
laforge@netfilter.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |INVALID
------- Additional Comments From
2009 Aug 09
2
[Bug 601] New: log messages with flags "ACK PSH FIN"
http://bugzilla.netfilter.org/show_bug.cgi?id=601
Summary: log messages with flags "ACK PSH FIN"
Product: netfilter/iptables
Version: unspecified
Platform: All
OS/Version: Debian GNU/Linux
Status: NEW
Severity: minor
Priority: P3
Component: ip_conntrack
AssignedTo: laforge at
2006 Apr 08
4
source routing does not work with extra ip addresses
I set up this config:
   +------+
  -+ ISP1 +--+
   +------+  |  +-------+
             +--+ linux |
   +------+  |  +-------+
  -+ ISP2 +--+
   +------+
No problem. Standard setup with two ISPs. Both routed subnets. Default
gateway is ISP1. No magic here.
Now I put a server behind the Linux box. I want the server to be
reachable on an /extra/ IP in the routed subnet of ISP2.
+------+
-+ ISP1
2002 Aug 26
0
[ANNOUNCE] Release of iptables-1.2.7a
...piler warning in userspace support for ipv6 REJECT target
[ Fabrice Marie ]
- check for invalid portranges in tcp+udp helper (e.g. 2000:100)
[ Thomas Poehnitz ]
- fix save save/restore functions of ip6tables tcp/udp extension
[ Harald Welte / Andras Kis-Szabo ]
- check for invalid (out of range) nfmark values in MARK target
[ Alexey ??? ]
- fix save function of MASQUERADE userspace support
[ A. van Schie ]
- compile fixes for userspace support of experimental POOL target
[ ? ]
- fix save function of userspace support for ah and esp match
[ ? ]
- fix static build (NO_SHARED_LIBS)
[ Roberto Nib...
2002 Mar 14
0
[ANNOUNCE] Release of iptables-1.2.6
...ntrack match, enables matching on more conntrack information
than state
[ Marc Boucher ]
- New DSCP match and target (DSCP header field obsoletes TOS)
[ Harald Welte ]
- New owner match extension: Match on process name
[ Marc Boucher ]
- Add support for bitwise AND / OR manipulation on nfmark
[ Fabrice Marie ]
- New experimental patch for disabling TCP connection tracking pickup
[ Harald Welte ]
- Add support for SACK in all NAT helpers
[ Harald Welte ]
- Make eggdrop botnet connection tracking support work with eggdrop
v1.6.x
[ Magnus Sandin ]
- Add support to REJEC...
2002 Mar 17
0
[ANNOUNCE] Release of iptables-1.2.6a
...ntrack match, enables matching on more conntrack information
than state
[ Marc Boucher ]
- New DSCP match and target (DSCP header field obsoletes TOS)
[ Harald Welte ]
- New owner match extension: Match on process name
[ Marc Boucher ]
- Add support for bitwise AND / OR manipulation on nfmark
[ Fabrice Marie ]
- New experimental patch for disabling TCP connection tracking pickup
[ Harald Welte ]
- Add support for SACK in all NAT helpers
[ Harald Welte ]
- Make eggdrop botnet connection tracking support work with eggdrop
v1.6.x
[ Magnus Sandin ]
- Add support to REJEC...
2004 Jan 08
14
Strange behavior deleting filters
Hi list, I'm playing with tc and found a strange behavior when I try to
delete filters. For example, this simple scenario:
tc qdisc add dev eth1 root handle 1: htb default 100
tc class add dev eth1 parent 1: classid 1:1 htb rate 128Kbit
tc class add dev eth1 parent 1: classid 1:2 htb rate 258Kbit
tc class add dev eth1 parent 1: classid 1:100 htb rate 32Kbit
tc filter add dev eth1 parent
2005 Mar 25
3
These tc commands used to work... what's broken them?
...<M> Firewall based classifier
<M> U32 classifier
[ ] U32 classifier performance counters
[ ] classify input device (slows things u32/fw)
[ ] Use nfmark as a key in U32 classifier
<M> Special RSVP classifier
<M> Special RSVP classifier for IPv6
[ ] Packet ACTION
[*] Traffic policing (needed f...
2007 Apr 18
5
[Bridge] RFC: [PATCH] bridge vlan integration
...+};
+
struct __fdb_entry
{
__u8 mac_addr[6];
Index: wireless-dev/include/linux/skbuff.h
===================================================================
--- wireless-dev.orig/include/linux/skbuff.h
+++ wireless-dev/include/linux/skbuff.h
@@ -296,6 +296,9 @@ struct sk_buff {
#endif
__u32 nfmark;
#endif /* CONFIG_NETFILTER */
+#ifdef CONFIG_BRIDGE_VLAN
+ unsigned int vlan;
+#endif
#ifdef CONFIG_NET_SCHED
__u16 tc_index; /* traffic control index */
#ifdef CONFIG_NET_CLS_ACT
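Review bot: the new `unsigned int vlan;` member added to struct sk_buff has no comment, while the neighbouring `tc_index` carries one; add a short comment saying what the field holds. A VLAN ID is 12 bits, so `__u16` would be enough and would limit how much every skb grows when CONFIG_BRIDGE_VLAN is set.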
Index: wireless-dev/net/bridge/br_forward.c
=================================================================...
2004 Mar 29
6
bridging shaper
Hello,
I have a transparent bridge/firewall setup using linux-2.6.3. My iptables
commands for the firewall seem to work fine, but my tc traffic shaper
rules don't. The tc rules seem to apply ok, but have no effect.
Here are my tc rules. Basically I'm just trying to limit each IP in my
internal /24 to 512k of bandwidth in and out.
DEV=eth0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV