Tristan DEFERT
2007-Jun-19 15:24 UTC
Internal TC: problem marking rules with a given tcp / udp port
Hi all,

I wonder why I can shape all TCP traffic from a particular host, but not from a particular TCP or UDP port. Let's see:

I've got the following setup:

* switch trunked to fw
* VLANs on fw/switch
* Shorewall (new)bridge between some VLANs
* internal Shorewall traffic shaping

Supposing:

vlan20 is the WAN interface, bridged with vlan30 (my DMZ).
I want to shape outgoing traffic toward vlan20.
My WAN bandwidth is symmetrical 50Mbits/s.

So my tcdevices:

  DEVICE   IN        OUT
  vlan20   49mbits   49mbits

I define two tcclasses:

  DEVICE   MARK   RATE      CEIL      PRIO   FLAGS
  vlan20   1      10kbits   40kbits   1      tcp-ack, tos-minimize-delay
  vlan20   2      1mbit     2mbits    2
  vlan20   3      full/2    full      3      default

What works in tcrules:

  MARK   SRC           DEST        PROTO   PORT
  1:12   0.0.0.0/0     0.0.0.0/0   tcp     -
  :-) => all my TCP traffic is limited to 2mbits
  1:12   $DMZ_server   0.0.0.0/0   tcp     -
  :-) => all my TCP traffic from my DMZ server is limited to 2mbits

What does not work in tcrules:

  1:12   0.0.0.0/0     0.0.0.0/0   tcp     www
  :-( => DOES NOT WORK
  1:12   $DMZ_server   0.0.0.0/0   tcp     www
  :-( => DOES NOT WORK

Why does it not work as soon as I specify a port (or a group of ports), either TCP or UDP?

More info:

* All possible netfilter kernel modules are available from kernel 2.6.18
* In shorewall.conf:
    TC_ENABLED=Internal
    TC_EXPERT=No
    CLEAR_TC=Yes
    MARK_IN_FORWARD_CHAIN=No
    BRIDGING=No (NewBridge !!!)

Any idea? Kernel systune? Newbridge problem? Forward vs prerouting marking?

Thanks a lot
Tom Eastep
2007-Jun-19 15:35 UTC
Re: Internal TC: problem marking rules with a given tcp / udp port
Tristan DEFERT wrote:
> I wonder why I can shape all TCP traffic from a particular host, but not
> from a particular TCP or UDP port.
[...]
> What does not work in tcrules:
> 1:12 0.0.0.0/0 0.0.0.0/0 tcp www
> :-( => DOES NOT WORK
> 1:12 $DMZ_server 0.0.0.0/0 tcp www
> :-( => DOES NOT WORK
>
> Why does it not work as soon as I specify a port (or a group of ports),
> either tcp or udp?

I assume that you have an HTTP server in your DMZ? If so, then on outgoing traffic the SOURCE PORT is 80 (www), not the DEST PORT.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
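An added example (not from the thread and not Shorewall's own code) that models how the tcrules SOURCE/DEST/PROTO/port columns are matched against outbound packets, to show why "tcp www" in the PORT (destination port) column never selects a DMZ web server's replies, while the same port in the source-port column does. The DMZ address, the client addresses and the name of the source-port column are constructed assumptions.

```python
# Constructed model of Shorewall tcrules matching on outbound (toward-WAN)
# packets. Not Shorewall's implementation; it only illustrates which column
# a server's port belongs in when the traffic leaves the server.
from dataclasses import dataclass
from typing import List, Optional

WWW = 80
DMZ_SERVER = "10.30.0.10"   # constructed stand-in for $DMZ_server

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class TcRule:
    mark: str
    source: str = "0.0.0.0/0"     # SOURCE column; 0.0.0.0/0 means any host
    proto: str = "-"              # PROTO column; "-" means any protocol
    dport: Optional[int] = None   # PORT(S) column: DESTINATION port
    sport: Optional[int] = None   # source-port column (assumed name: CLIENT PORT(S))

def matches(rule: TcRule, pkt: Packet) -> bool:
    return ((rule.source == "0.0.0.0/0" or rule.source == pkt.src)
            and (rule.proto == "-" or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.sport is None or rule.sport == pkt.sport))

def marked(rule: TcRule, packets: List[Packet]) -> List[Packet]:
    """Packets that would receive rule.mark on their way out toward vlan20."""
    return [p for p in packets if matches(rule, p)]

# Constructed outbound traffic from the DMZ host toward the WAN side.
OUTBOUND = [
    Packet(DMZ_SERVER, "203.0.113.5", "tcp", 80, 51234),    # HTTP reply to a client
    Packet(DMZ_SERVER, "203.0.113.7", "tcp", 80, 40010),    # another HTTP reply
    Packet(DMZ_SERVER, "198.51.100.9", "tcp", 44321, 80),   # the host itself browsing out
    Packet(DMZ_SERVER, "198.51.100.2", "udp", 5353, 53),    # DNS query
]

DEST_PORT_RULE = TcRule("1:12", DMZ_SERVER, "tcp", dport=WWW)  # the thread's failing rule
SRC_PORT_RULE = TcRule("1:12", DMZ_SERVER, "tcp", sport=WWW)   # port moved to the source-port column

if __name__ == "__main__":
    print(len(marked(DEST_PORT_RULE, OUTBOUND)), "packet(s) marked with www as DEST port")
    print(len(marked(SRC_PORT_RULE, OUTBOUND)), "packet(s) marked with www as SOURCE port")
```

With www in the destination column only the host's own outbound HTTP client connection is marked; the server's replies carry 80 as their source port and are selected only by the source-port rule.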
Tristan DEFERT
2007-Jun-20 08:25 UTC
Re: Internal TC: problem marking rules with a given tcp / udp port
On Tuesday 19 June 2007 at 08:35 -0700, Tom Eastep wrote:
> Tristan DEFERT wrote:
[...]
> > Why does it not work as soon as I specify a port (or a group of ports),
> > either tcp or udp?
>
> I assume that you have an HTTP server in your DMZ? If so, then on outgoing
> traffic the SOURCE PORT is 80 (www), not the DEST PORT.

Thx, it was obvious!

> -Tom

--
Tristan DEFERT
Société Alpha Mosa
__________________________________________________________________
Tél. (33) 03 26 48 17 56    Internet : http://www.alphamosa.fr
Fax. (33) 03 26 48 10 87    eMail : tristan.d@alphamosa.fr

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users