Re: [bwm-tools-tech] nfmark or user problem? - replace user?
From: go0ogl3 <go...@gm...> - 2005-06-15 10:38:20
Hello, some of the output of iptables follows:

---cut here---
# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 83 packets, 6106 bytes)
 pkts bytes target  prot opt in  out  source          destination

Chain INPUT (policy ACCEPT 83 packets, 6106 bytes)
 pkts bytes target  prot opt in  out  source          destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source          destination
    0     0 MARK    udp  --  *   *    10.0.12.0/24    0.0.0.0/0     udp dpt:53 MARK set 0x69
    0     0 MARK    tcp  --  *   *    10.0.12.0/24    0.0.0.0/0     tcp dpt:53 MARK set 0x69
    0     0 MARK    udp  --  *   *    0.0.0.0/0       10.0.12.0/24  udp spt:53 MARK set 0xcd
    0     0 MARK    tcp  --  *   *    0.0.0.0/0       10.0.12.0/24  tcp spt:53 MARK set 0xcd
    0     0 MARK    tcp  --  *   *    10.0.12.0/24    0.0.0.0/0     length 0:100 MARK set 0x6e
    0     0 MARK    udp  --  *   *    10.0.12.0/24    0.0.0.0/0     length 0:100 MARK set 0x6e
    0     0 MARK    tcp  --  *   *    0.0.0.0/0       10.0.12.0/24  length 0:100 MARK set 0xd2
    0     0 MARK    udp  --  *   *    0.0.0.0/0       10.0.12.0/24  length 0:100 MARK set 0xd2
    0     0 MARK    icmp --  *   *    10.0.12.0/24    0.0.0.0/0     MARK set 0x73
    0     0 MARK    icmp --  *   *    0.0.0.0/0       10.0.12.0/24  MARK set 0xd7
    0     0 MARK    tcp  --  *   *    10.0.12.0/24    0.0.0.0/0     multiport ports 80,81,82,443,3128,8080 MARK set 0x78
    0     0 MARK    tcp  --  *   *    0.0.0.0/0       10.0.12.0/24  multiport ports 80,81,82,443,3128,8080 MARK set 0xdc
---and here---

All the counters are zero because I've re-applied the rules just before the listing. The counters are increasing for the specified rule if I make traffic of that type.
In the bwmd chain I have something like:

---cut here---
Chain bwmd (34 references)
target prot opt source     destination
QUEUE  all  --  0.0.0.0/0  0.0.0.0/0    MARK match !0x0
ACCEPT all  --  0.0.0.0/0  0.0.0.0/0
---and here---

If it's necessary I can give you the scripts I'm using for generating the rules.

I guess I should make some rule after marking to jump in the bwmd chain, because the target is MARK, but I'll try that later when I have some time.

Thank you for opening my eyes. :)

go0ogl3

On 6/15/05, Kobe Lenjou <ko...@mo...> wrote:
> Hello,
>
> Please list the output of 'iptables -L -n -v -t mangle' with your
> question. That's much better to read than your raw script.
>
> Your packets are probably wrongly marked. Please note that one
> matching mark ('-j MARK') does NOT end processing of the chain, so if the
> packet matches another rule the mark will be overwritten. I wrote on my
> site: always list your marks from generic to specific (the lower the
> mark, the less specific the rule should be).
>
> Greetz
> Kobe
>
> go0ogl3 wrote:
>
> >Hello list,
> >
> >I am trying to use the nfmark feature to "help" use my 256kbit
> >bandwidth wisely. I came up with a setup like this:
> >
> >The iptables part:
> >
> >---cut here---
> >IPT=`which iptables`
> >mark="-j MARK --set-mark"
> >mf="-t mangle -A FORWARD"
> >
> >iptables -N bwmd
> >iptables -A bwmd -m mark ! --mark 0x0 -j QUEUE
> >iptables -A bwmd -j ACCEPT
> >
> >echo " DNS"
> >$IPT $mf -p udp -s $lan --dport 53 $mark 105
> >$IPT $mf -p tcp -s $lan --dport 53 $mark 105
> >$IPT $mf -p udp -d $lan --sport 53 $mark 205
> >$IPT $mf -p tcp -d $lan --sport 53 $mark 205
> >
> >echo " ICMP"
> >$IPT $mf -p icmp -s $lan $mark 115
> >$IPT $mf -p icmp -d $lan $mark 215
> >..............
> >---and here---
> >
> >The download part of my firewall.xml file is:
> >
> >---cut here---
> >  # traffic shape DOWNLOAD
> >
> >  <flow name="Main_in" max-rate="30720" burst-rate="30720"
> >        queue-len="30" queue-size="30720" stats-len="5" report-timeout="60">
> >
> >    <flow name="Normal_in" max-rate="30720" burst-rate="30720"
> >          queue-len="30" queue-size="30720" stats-len="5" report-timeout="60">
> >      <flow name="DNS_in" max-rate="3072" burst-rate="30720"
> >            queue-len="1" queue-size="1" stats-len="5" report-timeout="60">
> >        <queue prio="5" nfmark="105">
> >          DNS_in;
> >        </queue>
> >      </flow>
> >      <flow name="ICMP_in" max-rate="3072" burst-rate="30720"
> >            queue-len="15" queue-size="960" stats-len="5" report-timeout="60">
> >        <queue prio="15" nfmark="115">
> >          ICMP_in;
> >        </queue>
> >      </flow>
> >      <flow name="HTTP_in" max-rate="30720" burst-rate="30720"
> >            queue-len="10" queue-size="10240" stats-len="5" report-timeout="60">
> >        <queue prio="20" nfmark="120">
> >          HTTP_in;
> >        </queue>
> >      </flow>
> >    </flow>
> >
> >    <flow name="Bulk_in" max-rate="30720" burst-rate="30720"
> >          queue-len="90" queue-size="92120" stats-len="5" report-timeout="60">
> >      <flow name="Other_in" max-rate="15360" burst-rate="30720"
> >            queue-len="60" queue-size="61440" stats-len="5" report-timeout="60">
> >        <queue prio="50" nfmark="150">
> >          Other_in;
> >        </queue>
> >      </flow>
> >      <flow name="P2P_in" max-rate="15360" burst-rate="30720"
> >            queue-len="90" queue-size="92120" stats-len="5" report-timeout="60">
> >        <queue prio="90" nfmark="190">
> >          P2P_in;
> >        </queue>
> >      </flow>
> >    </flow>
> >
> >  </flow>
> >
> >  # ---end--- traffic shape DOWNLOAD
> >---and here---
> >
> >The Problem (tested with icmp-ping type 8 packets):
> >- the packets get marked, then they reach the QUEUE target, I can see
> >the packets in the "Main_in" flow using bwm_monitor, but they are not
> >"classified" in the "ICMP_in" flow. Any other packet types (like http,
> >p2p, etc) are getting in the "Main" flow but they are not classified
> >in the corresponding flow according to the nfmark.
> >
> >In the bwm_tools manual there is something like: "nfmark="..." -
> >Mandatory/Optional parameter to specify the NFMARK of the traffic that
> >applies to this flow. This must be used at the deepest level of flow
> >embedding to match traffic. Each nfmark value MUST be unique!" but
> >there is an example here:
> >"http://bwm-tools.pr.linuxrulz.org/doc/Integration.html#index-nfmark-55"
> >
> >I am using bwm-tools 0.2.1, kernel 2.6.11.11, iptables v1.2.11
> >
> >Where is the mistake?
> >
> >P.S.:
> >- I'm not very sure of the 'correct' usage of "queue-len" and
> >"queue-size" (in my config they are --testing-- values)
> >- I'm not very sure if bwm-tools "understands" what I want to
> >accomplish with my hierarchical setup (I want dns, icmp and http
> >traffic to have priority and to be interactive-like, and p2p and other
> >traffic to have last priority even if it will have a huge delay)
> >- I'm willing to write some sort of a manual (in about 2 weeks I hope
> >I'll have more free time) with examples if I will be able to fully
> >understand the "inner game" of bwm-tools
> >- Please excuse my English and my long email but I'm sleepy now...
> >
> >go0ogl3
> >
> >_______________________________________________
> >bwm-tools-tech mailing list
> >bwm...@li...
> >https://lists.sourceforge.net/lists/listinfo/bwm-tools-tech
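As an added illustration of the ordering point Kobe makes above (this is not code from the thread or from bwm-tools): a small Python emulation of the mangle FORWARD chain exactly as listed at the top of this message. Because MARK is non-terminating, the later generic "length 0:100" rule overwrites the earlier DNS mark on a small DNS query; moving the generic rules first lets the specific DNS mark survive. Only the matches used in that listing are emulated, and the sample packet is constructed.

```python
import ipaddress

LAN = ipaddress.ip_network("10.0.12.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

def rule(proto, src, dst, mark, **m):
    """One 'iptables -t mangle -A FORWARD ... -j MARK --set-mark' rule.
    m may hold: dport, sport, ports (-m multiport), max_len (-m length 0:N)."""
    return dict(proto=proto, src=src, dst=dst, mark=mark, **m)

def matches(r, p):
    """Only the matches that appear in the listing above are emulated."""
    return (r["proto"] == p["proto"]
            and ipaddress.ip_address(p["src"]) in r["src"]
            and ipaddress.ip_address(p["dst"]) in r["dst"]
            and r.get("dport", p["dport"]) == p["dport"]
            and r.get("sport", p["sport"]) == p["sport"]
            and ("ports" not in r or {p["sport"], p["dport"]} & r["ports"])
            and p["length"] <= r.get("max_len", 65535))

def final_mark(chain, p):
    """MARK does not terminate chain traversal: every matching rule
    overwrites the mark, so the last matching rule decides."""
    mark = 0
    for r in chain:
        if matches(r, p):
            mark = r["mark"]
    return mark

# The mangle FORWARD chain exactly as listed above, in load order.
AS_POSTED = [
    rule("udp", LAN, ANY, 0x69, dport=53),
    rule("tcp", LAN, ANY, 0x69, dport=53),
    rule("udp", ANY, LAN, 0xcd, sport=53),
    rule("tcp", ANY, LAN, 0xcd, sport=53),
    rule("tcp", LAN, ANY, 0x6e, max_len=100),
    rule("udp", LAN, ANY, 0x6e, max_len=100),
    rule("tcp", ANY, LAN, 0xd2, max_len=100),
    rule("udp", ANY, LAN, 0xd2, max_len=100),
    rule("icmp", LAN, ANY, 0x73),
    rule("icmp", ANY, LAN, 0xd7),
    rule("tcp", LAN, ANY, 0x78, ports={80, 81, 82, 443, 3128, 8080}),
    rule("tcp", ANY, LAN, 0xdc, ports={80, 81, 82, 443, 3128, 8080}),
]
# Same rules, generic small-packet rules first and port-specific rules after.
REORDERED = AS_POSTED[4:8] + AS_POSTED[:4] + AS_POSTED[8:]

# Constructed sample: a 60-byte DNS query leaving the LAN for a documentation address.
DNS_QUERY = dict(proto="udp", src="10.0.12.5", dst="192.0.2.53",
                 sport=40000, dport=53, length=60)
```

With the chain as posted the query ends up with 0x6e (the small-packet mark) instead of the DNS mark 0x69, which is why the bwm-tools queue keyed on the DNS nfmark never sees it; the reordered chain returns 0x69.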