Displaying 20 results from an estimated 4000 matches similar to: "Ingress and Classifier & netfilter"
2005 Jun 01
3
filter ingress policy based on nfmark
Hi all.
Since I moved on to the 2.6 kernel, filter ingress policy based on nfmark won't
work.
Sorry for my English.
Simple example:
iptables -t mangle -I PREROUTING -j MARK --set-mark 1
${QDISC_ADD} handle ffff: ingress
${FILTER_ADD} parent ffff: protocol ip prio 100 handle 1 fw \
police rate 128Kbit burst 10k drop flowid 2:11
# tc -s -d qdisc ls dev eth0
qdisc ingress ffff: ----------------
2006 Jun 20
2
about fw classifier
Hi all!
On http://lartc.org/howto/lartc.adv-filter.html I read that one of the classifiers
available bases its decision on how the firewall has marked the packet, and on
http://lartc.org/howto/lartc.qdisc.filters.html I found the following example:
"tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 6 fw flowid 1:1"
"iptables -A PREROUTING -t mangle -i eth0 -j MARK --set-mark 6"
My
2005 Mar 11
6
P2P
I'm getting into tc. How can I control P2P (peer to peer) traffic?
Which filters? Any ideas?
Hugonik
2004 Nov 05
3
[PATCH] Use nfmark as a key for u32 classifier
Hello!
I am glad to announce a patch for u32 to allow matches on nfmark.
The patch is non-intrusive (a few lines).
Why did I do this? Because the fw classifier cannot be used together with u32.
For example, now, you cannot match a mark of 0x90 and a destination
port of 80. I know you can do it with iptables to do the marking, but if
you use Jamal actions to apply mark to policed packets, you need
2005 Dec 27
3
Ingress policing (matching netfilter marks)
Hi,
I'm having issues with policing my incoming traffic by matching packet marks
made by iptables. I've checked as many sites and guides as I can find, and I
seem to be doing the exact same thing as they all are, but there's still no
success. As such, I was wondering if anyone can have a quick look to see if
I've done anything obviously stupid?
Essentially, I
2004 Nov 09
4
[PATCH] [TRY2] Use nfmark as a key in u32 classifier
Hello!
This is the try number two.
What was changed:
- Added selectable choice in Kconfig file (thanks Jamal!)
- Don't abuse tc_u32_sel to not break backward compatibility (thanks
Patrick!).
Stephen, do you have any comments on iproute2 part? I know it's not
perfect but this is the best way, I think. "u32 match mark vvvv mmmm" it's
intuitive but breaks a
2003 Mar 04
1
[Bug 33] Connection tracking code doesn't track the interface of the connection
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=33
laforge@netfilter.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |INVALID
------- Additional Comments From
2006 Nov 06
3
Ingress qdisc bypassed on SNAT'ed traffic?
Hello,
I am using the following iptables POSTROUTING rule to NAT some RFC
1918 addresses:
iptables -t nat -A POSTROUTING -s 192.168.19.23 ! 192.168.0.0/255.255.0.0 -p tcp --dport 80 -j SNAT --to-source 10.32.4.2
(I am using SNAT instead of MASQUERADE for performance reasons).
I have several addresses on the 192.168.0.0/16 subnet that I am
SNAT'ing similarly.
Problem is, 'tc
2007 May 14
13
Multihome load balancing - kernel vs netfilter
Hi,
I have searched the archives on the topic, and it seems that the list
gurus favor load balancing to be done in the kernel as opposed to other
means. I have been using a home-grown approach, which splits traffic
based on `-m statistic --mode random --probability X`, then CONNMARKs
the individual connections and the kernel happily routes them. I
understand that for > 2 links it will become
2006 Apr 08
4
source routing does not work with extra ip addresses
I set up this config:
      +------+
   ---+ ISP1 +--+
      +------+  |   +-------+
                +---+ linux |
      +------+  |   +-------+
   ---+ ISP2 +--+
      +------+
No problem. Standard setup with two ISPs. Both routed subnets. Default
gateway is ISP1. No magic here.
Now I put a server behind the Linux box. I want the server to be
reachable on an /extra/ IP in the routed subnet of ISP2.
+------+
-+ ISP1
2018 Jul 25
1
[Bug 1272] New: netdev-ingress.nft is missing from files/netfilter/
https://bugzilla.netfilter.org/show_bug.cgi?id=1272
Bug ID: 1272
Summary: netdev-ingress.nft is missing from files/netfilter/
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at
2005 Apr 08
3
fw as filter broken?
Can someone verify that using fw as a filter in iproute2-2.6.11-050330 is
broken? Doesn't seem to work in any case and I saw an earlier post that
would lead me to believe this is the case. If so does anyone have a
temporary fix?
Thanks,
Troy
2007 Apr 18
1
[Bridge] Multilink + bridge + nat problem
Hi, I have a suspicious problem with multiple uplinks configuration.
First of all my configuration:
1) kernel 2.6.20.3
2) iptables 1.3.7
3) last iproute (for masked marks)
All wan interfaces are bridged (stp disabled) in only one interface
(wan0), all lan interfaces are bridged (stp enabled) in only one interface
(zlan0).
The wan0 bridge is to allow UPnP to work.
To allow related
2003 Apr 23
2
I want to shape FTP traffic.
Dear folks,
I want to shape FTP traffic.
I can get the following information from Stef Coene's homepage, www.docom.org:
"Ftp uses random ports, so matching the data traffic is not easy. However it can be done if you use iptables to mark ftp-data packets and use that mark with the fw filter. For more info see http://home.regit.org/connmark.html."
General information about the conntrack
2005 Dec 27
5
class exceeds its ceil
Hi,
I have a setup like this:
class 1:1 rate 7600kbit (on an imq device)
|
|\class 1:10 rate 100kbit ceil 5600kbit prio 7 (here goes p2p traffic)
 \class 1:12 rate 7500kbit ceil 7600kbit
   |
   |\class 1:121 rate 3100 ceil 7500kbit prio 0
   |\class 1:122 rate 2200 ceil 7500kbit prio 2
    \class 1:123 rate 2200 ceil 7500kbit prio
2004 Jan 13
1
ingress policing
Hi,
I'm trying to police the incoming traffic by using the ingress qdisc. This is what I have in my script:
tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 4 \
handle 1: u32 divisor 1
tc filter add dev eth0 parent ffff: protocol ip prio 4 u32 \
match ip dport 4001 0xffff \
police rate 2000kbit burst 50k drop \
flowid
2007 Feb 21
10
Split access, load balancing AND forwarding: HOW?
The LARTC howto correctly describes load balancing and split
access for traffic from a machine with multiple ISP connections
(http://www.lartc.org/lartc.html#LARTC.RPDB.MULTIPLE-LINKS) --
*provided* the traffic originates from the machine itself (i.e.
traffic regularly handled by the INPUT and OUTPUT chains of
iptables).
When forwarding traffic from an attached local network, the
following
2004 Mar 29
6
bridging shaper
Hello,
I have a transparent bridge/firewall setup using linux-2.6.3. My iptables
commands for the firewall seem to work fine, but my tc traffic shaper
rules don't. The tc rules seem to apply ok, but have no effect.
Here are my tc rules. Basically I'm just trying to limit each IP in my
internal /24 to 512k of bandwidth in and out.
DEV=eth0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV
2005 Apr 06
2
MARK vs CLASSIFY with tc
Hello list,
I just wonder if someone did any performance tests (speed of processing the
packets) or maybe could advise about these two scenarios:
1. packets are marked with iptables and processed by tc using filters
2. packets are sent by iptables directly to tc using CLASSIFY chain, thus
avoiding the tc filters
I had some thinking about these two ways of dealing with egress traffic and my
2005 Aug 09
4
Too slow computer?
Hello! I've put some questions on this list some weeks
ago and I've got good answers. Thank you!
Now I've finished my (beautiful) script and I ran it
on my router...
About my script:
It routes packages based on their destination on the
Internet. I have about 1650 preferred destination
networks listed in some file. The script reads this
file and marks every package for