Bridge/htb problem (ebtables)

Mycado · 06-17-2006, 09:15 AM

Hello,

Im on debian sarge on my bridge (eth0 is the local, and eth1 is internet)

Code:

br0       Lien encap:Ethernet  HWaddr 00:01:03:12:XX:XX
          inet adr:193.yy.xx.163  Bcast:193.xx.yy.255  Masque:255.255.255.0
          adr inet6: fe80::201:3ff:fe12:d1ea/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:183841 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24106 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:9836308 (9.3 MiB)  TX bytes:3025615 (2.8 MiB)

eth0      Lien encap:Ethernet  HWaddr 00:E0:29:37:XX:XX
          adr inet6: fe80::2e0:29ff:fe37:2546/64 Scope:Lien
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:851270 errors:0 dropped:0 overruns:0 frame:3
          TX packets:468600 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:1000
          RX bytes:1236586006 (1.1 GiB)  TX bytes:75715661 (72.2 MiB)
          Interruption:9 Adresse de base:0x2000

eth1      Lien encap:Ethernet  HWaddr 00:01:03:12:XX:XX
          adr inet6: fe80::201:3ff:fe12:d1ea/64 Scope:Lien
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:500435 errors:0 dropped:0 overruns:0 frame:0
          TX packets:874990 errors:0 dropped:0 overruns:0 carrier:25
          collisions:0 lg file transmission:1000
          RX bytes:78520555 (74.8 MiB)  TX bytes:1239556825 (1.1 GiB)
          Interruption:5 Adresse de base:0x2400

I put htb rules:

Code:

/tc qdisc del dev eth0 root 2> /dev/null > /dev/null
./tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null
./tc qdisc del dev eth1 root 2> /dev/null > /dev/null

# eth0 (internal :D)
./tc qdisc add dev eth0 root handle 1: htb default 41
./tc class add dev eth0 parent 1: classid 1:1 htb rate 10240kbit ceil 10240kbit
./tc class add dev eth0 parent 1:1 classid 1:2 htb rate 2000kbit ceil 2000kbit prio 1
./tc class add dev eth0 parent 1:1 classid 1:3 htb rate 2000kbit ceil 2000kbit prio 1
./tc class add dev eth0 parent 1:1 classid 1:4 htb rate 10240kbit ceil 10240kbit prio 1
./tc class add dev eth0 parent 1:4 classid 1:41 htb rate 256kbit ceil 256kbit prio 2 burst 2kbit
./tc class add dev eth0 parent 1:4 classid 1:42 htb rate 512kbit ceil 512kbit prio 2 burst 2kbit
./tc class add dev eth0 parent 1:4 classid 1:43 htb rate 1024kbit ceil 1024kbit prio 2 burst 2kbit
./tc class add dev eth0 parent 1:4 classid 1:44 htb rate 2048kbit ceil 2048kbit prio 2 burst 2kbit
./tc class add dev eth0 parent 1:4 classid 1:45 htb rate 5120kbit ceil 5120kbit prio 2 burst 2kbit
./tc class add dev eth0 parent 1:4 classid 1:46 htb rate 10240kbit ceil 10240kbit prio 2 burst 2kbit

# eth1 (external :o)
./tc qdisc add dev eth1 root handle 2: htb default 41
./tc class add dev eth1 parent 2: classid 2:1 htb rate 10000kbit ceil 10000kbit
./tc class add dev eth1 parent 2:1 classid 2:2 htb rate 2000kbit ceil 2000kbit prio 1
./tc class add dev eth1 parent 2:1 classid 2:3 htb rate 2000kbit ceil 2000kbit prio 1
./tc class add dev eth1 parent 2:1 classid 2:4 htb rate 10240kbit ceil 10240kbit prio 1
./tc class add dev eth1 parent 2:4 classid 2:41 htb rate 256kbit ceil 256kbit prio 2 burst 2kbit
./tc class add dev eth1 parent 2:4 classid 2:42 htb rate 512kbit ceil 512kbit prio 2 burst 2kbit
./tc class add dev eth1 parent 2:4 classid 2:43 htb rate 1024kbit ceil 1024kbit prio 2 burst 2kbit
./tc class add dev eth1 parent 2:4 classid 2:44 htb rate 2048kbit ceil 2048kbit prio 2 burst 2kbit
./tc class add dev eth1 parent 2:4 classid 2:45 htb rate 5120kbit ceil 5120kbit prio 2 burst 2kbit
./tc class add dev eth1 parent 2:4 classid 2:46 htb rate 10240kbit ceil 10240kbit prio 2 burst 2kbit

# filters
./tc filter add dev eth0 parent 1: protocol ip prio 1 handle 0x12 fw classid 1:2
./tc filter add dev eth0 parent 1: protocol ip prio 1 handle 0x13 fw classid 1:3
./tc filter add dev eth0 parent 1: protocol ip prio 1 handle 0x141 fw classid 1:41
./tc filter add dev eth0 parent 1: protocol ip prio 1 handle 0x142 fw classid 1:42
./tc filter add dev eth0 parent 1: protocol ip prio 1 handle 0x143 fw classid 1:43
./tc filter add dev eth0 parent 1: protocol ip prio 1 handle 0x144 fw classid 1:44
./tc filter add dev eth0 parent 1: protocol ip prio 1 handle 0x145 fw classid 1:45
./tc filter add dev eth0 parent 1: protocol ip prio 1 handle 0x146 fw classid 1:46

./tc filter add dev eth1 parent 2: protocol ip prio 1 handle 0x22 fw classid 2:2
./tc filter add dev eth1 parent 2: protocol ip prio 1 handle 0x23 fw classid 2:3
./tc filter add dev eth1 parent 2: protocol ip prio 1 handle 0x241 fw classid 2:41
./tc filter add dev eth1 parent 2: protocol ip prio 1 handle 0x242 fw classid 2:42
./tc filter add dev eth1 parent 2: protocol ip prio 1 handle 0x243 fw classid 2:43
./tc filter add dev eth1 parent 2: protocol ip prio 1 handle 0x244 fw classid 2:44
./tc filter add dev eth1 parent 2: protocol ip prio 1 handle 0x245 fw classid 2:45
./tc filter add dev eth1 parent 2: protocol ip prio 1 handle 0x246 fw classid 2:46

I put ebtables rules:

Code:

# ebtables -A FORWARD -p ipv4 -o eth1 --ip-destination 193.xx.yy.107 -j mark --set-mark 0x143 --mark-target ACCEPT
# ebtables -A FORWARD -p ipv4 -i eth0 --ip-source 193.xx.yy.107 -j mark --set-mark 0x143 --mark-target ACCEPT

How can we limit the ip 193.xx.yy.107 ? All the packet traffic cross througt the defaut (default 41).
I think this is a problem of packet MARKing, but don't really found the problem

Anybody can help me ?

Mycado · 06-17-2006, 09:16 AM

Sorry for double post

An admin can suppress the other thread ?

Mycado · 06-18-2006, 01:43 PM

No idea ? :S

Mycado · 06-19-2006, 03:01 AM

Little help

Mycado · 06-20-2006, 03:31 AM

Waahw .. Nobody have any idea

Mycado · 06-21-2006, 03:19 AM

Thanks a lots,

I found the problem.

I put:

Code:

# ebtables local :)
ebtables -A INPUT -j mark --set-mark 0x12 --mark-target ACCEPT
ebtables -A OUTPUT -j mark --set-mark 0x22 --mark-target ACCEPT

# ebtables for 193.xx.yy.107
ebtables -A FORWARD -p ipv4 --ip-destination 193.xx.yy.107 -j mark --set-mark 0x146 --mark-target ACCEPT
ebtables -A FORWARD -p ipv4 --ip-source 193.xx.yy.107 -j mark --set-mark 0x245 --mark-target ACCEPT

And Its work without probem

V.

intel_ro · 06-21-2006, 04:58 AM

as the ebtables is same as iptables but ebtables is using on bridge machine u can use "-t mange -A PREROUTING" chain to mark packets no in forward because forward is in routing proces and htb will ingnore your marks !