Setting traffic class on return packetsDefault mark for packets using iptablesManaging iptables for home lan...

Humans meet a distant alien species. How do they standardize? - Units of Measure

Accidentally cashed a check twice

Is it OK to bring delicacies from hometown as tokens of gratitude for an out-of-town interview?

Did thousands of women die every year due to illegal abortions before Roe v. Wade?

How is it possible for this NPC to be alive during the Curse of Strahd adventure?

The term for the person/group a political party aligns themselves with to appear concerned about the general public

Unconventional Opposites

Filling region bounded by multiple paths

Why were the Night's Watch required to be celibate?

How can I offer a test ride while selling a bike?

What is the best option to connect old computer to modern TV

How to make thick Asian sauces?

How to decline physical affection from a child whose parents are pressuring them?

Short story written from alien perspective with this line: "It's too bright to look at, so they don't"

Did Darth Vader wear the same suit for 20+ years?

Anyone teach web development? How do you assess it?

Credit card offering 0.5 miles for every cent rounded up. Too good to be true?

Are there practical reasons to NOT use a stepper motor with lead screw for the X and or Y axes?

Is the decompression of compressed and encrypted data without decryption also theoretically impossible?

How to provide realism without making readers think grimdark

Explain Ant-Man's "not it" scene from Avengers: Endgame

Pros and cons of writing a book review?

Why is Colorado so different politically from nearby states?

Is American Express widely accepted in France?



Setting traffic class on return packets


Default mark for packets using iptablesManaging iptables for home lan routingroute gateway proxy traffic through different interface with identical upstream gatewaysNAT box with multiple internal and external interfacesiptables/https: Router getting INPUT traffic originating on port 443IPTables redirect all UDP packets including ESTABLISHEDWhy am I unable to prioritize TCP traffic using ToS fields?How do packets traverse tc/netfilter physical, VLAN and bridge interfaces?How to route specific VPN traffic via specific VPN client?Routing packets to a container that has a destination that is an interface's IP, stopped working in recent kernels:






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







7















I have a network topology:



Server <-> router1 <-> router2 <-> router3 <-> edgeRouter <-> "internet"


All routers are linux based, and support iptables.



The server sets traffic classes with iptables (--set class X:Y), and routers do some "routing" based on the class that is set. (Class depends on the originating application).



The edge routers forwards the packets via our ISP to the internet, and recieves the return (reply) packets. The recieves replies ofcourse have no traffic class set.



Is it possible to use an iptables rule on the edge router (mangle, or something simmilar), to track the return packets (NAT-style, packets from "ESTABLISHED" connections) and to mark the returning packets with the same traffic class as the originating packet? Enabling NAT on the edge router is not a problem.



TLDR: How to use iptables to classify ingress packets with the same class as egress for the same connection.










share|improve this question














bumped to the homepage by Community 1 hour ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.






















    7















    I have a network topology:



    Server <-> router1 <-> router2 <-> router3 <-> edgeRouter <-> "internet"


    All routers are linux based, and support iptables.



    The server sets traffic classes with iptables (--set class X:Y), and routers do some "routing" based on the class that is set. (Class depends on the originating application).



    The edge routers forwards the packets via our ISP to the internet, and recieves the return (reply) packets. The recieves replies ofcourse have no traffic class set.



    Is it possible to use an iptables rule on the edge router (mangle, or something simmilar), to track the return packets (NAT-style, packets from "ESTABLISHED" connections) and to mark the returning packets with the same traffic class as the originating packet? Enabling NAT on the edge router is not a problem.



    TLDR: How to use iptables to classify ingress packets with the same class as egress for the same connection.










    share|improve this question














    bumped to the homepage by Community 1 hour ago


    This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.


















      7












      7








      7


      1






      I have a network topology:



      Server <-> router1 <-> router2 <-> router3 <-> edgeRouter <-> "internet"


      All routers are linux based, and support iptables.



      The server sets traffic classes with iptables (--set class X:Y), and routers do some "routing" based on the class that is set. (Class depends on the originating application).



      The edge routers forwards the packets via our ISP to the internet, and recieves the return (reply) packets. The recieves replies ofcourse have no traffic class set.



      Is it possible to use an iptables rule on the edge router (mangle, or something simmilar), to track the return packets (NAT-style, packets from "ESTABLISHED" connections) and to mark the returning packets with the same traffic class as the originating packet? Enabling NAT on the edge router is not a problem.



      TLDR: How to use iptables to classify ingress packets with the same class as egress for the same connection.










      share|improve this question














      I have a network topology:



      Server <-> router1 <-> router2 <-> router3 <-> edgeRouter <-> "internet"


      All routers are linux based, and support iptables.



      The server sets traffic classes with iptables (--set class X:Y), and routers do some "routing" based on the class that is set. (Class depends on the originating application).



      The edge routers forwards the packets via our ISP to the internet, and recieves the return (reply) packets. The recieves replies ofcourse have no traffic class set.



      Is it possible to use an iptables rule on the edge router (mangle, or something simmilar), to track the return packets (NAT-style, packets from "ESTABLISHED" connections) and to mark the returning packets with the same traffic class as the originating packet? Enabling NAT on the edge router is not a problem.



      TLDR: How to use iptables to classify ingress packets with the same class as egress for the same connection.







      iptables qos






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Sep 15 '14 at 18:50









      JuzerJuzer

      362




      362





      bumped to the homepage by Community 1 hour ago


      This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







      bumped to the homepage by Community 1 hour ago


      This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
























          3 Answers
          3






          active

          oldest

          votes


















          0














          Since your egress packets have the class set based on application (and I'm guessing that each application uses a certain set of TCP/UDP ports) you could re-classify incoming packets based on those ports.



          eg. to re-classify an established (outbound) HTTP session, on edgeRouter:



          iptables -t mangle -A INPUT -i [WANIF] -m state --state ESTABLISHED,RELATED -p tcp -m tcp --sport 80 -j DSCP --set-dscp-class cs3


          NB: May need to use the FORWARD table instead of INPUT...



          But - To track egress packets, determine what class they had on the way out then apply that same class to ingress packets of the same stream - still possible, but a mountain of work and possibly a custom net-filter module which interfaces with conntrack.






          share|improve this answer
























          • Classifying ingress flows with iptables won't work since all ingress qdisc processing is done before netfilter processing.

            – Niklas Holm
            Oct 2 '17 at 10:20



















          0














          What is it that you set with --set class X:Y? Class of what exactly? I've searched the man page of iptables but have not found similar to what you describe. I think that you may want to do something like this:




          1. Mark the TOS field of IP packets in "Server".

          2. Let the routers treat the packet specially.


          3. In "edgeRouter" do the following:



              # If a packet arrives from LAN, is marked and we know nothing about the
            #+ connection, then mark the connection
            iptables -t mangle -A PREROUTING -i $LAN_IF -m tos --tos $TOS_VAL -m
            connmark ! --mark $TOS_VAL -j CONNMARK --set-xmark $TOS_VAL

            # Reset the TOS value when going out to prevent strange interpretation
            iptables -t mangle -A POSTROUTING -o $WAN_IF -m tos --tos $TOS_VAL
            -j TOS --set-tos 0x00

            # If a packet arrives from WAN and the connection is marked, then mark
            #+ the packet so that the routers in LAN know how to deal with it
            iptables -t mangle -A PREROUTING -i $WAN_IF -m connmark --mark $TOS_VAL
            -j TOS --set-tos $TOS_VAL







          share|improve this answer































            0















            TLDR: How to use iptables to classify ingress packets with the same class as egress for the same connection.




            It's not entirely clear by your question what method of classification you're referring to, but in general if we're talking about traffic shaping using tc and queuing disciplines, the following applies.



            act_connmark



            As ingress qdisc processing is done before netfilter, you cannot directly classify ingress traffic using iptables (without recompiling your kernel with IMQ, see below). You can however indirectly classify it by using connection tracking. If available on your kernel you can use the act_connmark module, designed for this exact purpose, which adds a connmark action to tc filters that support it.



            # 0. Load modules and IFB device
            modprobe act_connmark
            modprobe ifb
            ip link set ifb0 up

            # 1. Classify packets by marking them
            iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 1

            # 2. Append rule to save the packet mark to the connection mark
            iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

            # 3. Restore the connection mark to the packet mark with 'action connmark'
            # before redirecting to the ifb-device
            tc qdisc add dev eth0 handle ffff: ingress
            tc qdisc add dev ifb0 handle 1: root
            tc filter add dev eth0 parent ffff: prio 1
            protocol ip u32 match u32 0 0 flowid ffff:1
            action connmark
            action mirred egress redirect dev ifb0

            # 4. Apply filters to classify packets based on their mark
            # ... setup qdiscs and classes as usual on ifb0... then
            tc filter add dev ifb0 parent 1: prio 1 protocol ip handle 1 fw classid 1:01



            • Example at the ArchLinux Wiki


            IMQ



            IMQ (Intermediate Queueing Device) circumvents the normal flow of traffic in the kernel by, as I understand it, looping it back through a virtual device after netfilter processing. It is not merged with the kernel tree, thus is not included in most distributions, and requires you the patch and compile the kernel yourself. If you do so, it would work something like this:



            # classify and save mark in POSTROUTING as before... then
            iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
            iptables -t mangle -A PREROUTING -j IMQ --todev 0

            # ... setup qdiscs and classes as usual on imq0 ... then
            tc filter add dev imq0 parent 1: prio 1 protocol ip handle 1 fw classid 1:01


            This would also enable you to do more advanced classifications on ingress using iptables, that might be very cumbersome using plain u32 filters, such as arbitrary port ranges. I cannot speak to the performance or elegance of this solution though, I'm guessing there's a reason it never got merged.




            • IMQ at GitHub






            share|improve this answer
























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "106"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: false,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f155751%2fsetting-traffic-class-on-return-packets%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              3 Answers
              3






              active

              oldest

              votes








              3 Answers
              3






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              0














              Since your egress packets have the class set based on application (and I'm guessing that each application uses a certain set of TCP/UDP ports) you could re-classify incoming packets based on those ports.



              eg. to re-classify an established (outbound) HTTP session, on edgeRouter:



              iptables -t mangle -A INPUT -i [WANIF] -m state --state ESTABLISHED,RELATED -p tcp -m tcp --sport 80 -j DSCP --set-dscp-class cs3


              NB: May need to use the FORWARD table instead of INPUT...



              But - To track egress packets, determine what class they had on the way out then apply that same class to ingress packets of the same stream - still possible, but a mountain of work and possibly a custom net-filter module which interfaces with conntrack.






              share|improve this answer
























              • Classifying ingress flows with iptables won't work since all ingress qdisc processing is done before netfilter processing.

                – Niklas Holm
                Oct 2 '17 at 10:20
















              0














              Since your egress packets have the class set based on application (and I'm guessing that each application uses a certain set of TCP/UDP ports) you could re-classify incoming packets based on those ports.



              eg. to re-classify an established (outbound) HTTP session, on edgeRouter:



              iptables -t mangle -A INPUT -i [WANIF] -m state --state ESTABLISHED,RELATED -p tcp -m tcp --sport 80 -j DSCP --set-dscp-class cs3


              NB: May need to use the FORWARD table instead of INPUT...



              But - To track egress packets, determine what class they had on the way out then apply that same class to ingress packets of the same stream - still possible, but a mountain of work and possibly a custom net-filter module which interfaces with conntrack.






              share|improve this answer
























              • Classifying ingress flows with iptables won't work since all ingress qdisc processing is done before netfilter processing.

                – Niklas Holm
                Oct 2 '17 at 10:20














              0












              0








              0







              Since your egress packets have the class set based on application (and I'm guessing that each application uses a certain set of TCP/UDP ports) you could re-classify incoming packets based on those ports.



              eg. to re-classify an established (outbound) HTTP session, on edgeRouter:



              iptables -t mangle -A INPUT -i [WANIF] -m state --state ESTABLISHED,RELATED -p tcp -m tcp --sport 80 -j DSCP --set-dscp-class cs3


              NB: May need to use the FORWARD table instead of INPUT...



              But - To track egress packets, determine what class they had on the way out then apply that same class to ingress packets of the same stream - still possible, but a mountain of work and possibly a custom net-filter module which interfaces with conntrack.






              share|improve this answer













              Since your egress packets have the class set based on application (and I'm guessing that each application uses a certain set of TCP/UDP ports) you could re-classify incoming packets based on those ports.



              eg. to re-classify an established (outbound) HTTP session, on edgeRouter:



              iptables -t mangle -A INPUT -i [WANIF] -m state --state ESTABLISHED,RELATED -p tcp -m tcp --sport 80 -j DSCP --set-dscp-class cs3


              NB: May need to use the FORWARD table instead of INPUT...



              But - To track egress packets, determine what class they had on the way out then apply that same class to ingress packets of the same stream - still possible, but a mountain of work and possibly a custom net-filter module which interfaces with conntrack.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered Feb 8 '15 at 1:43









              LitchLitch

              31817




              31817













              • Classifying ingress flows with iptables won't work since all ingress qdisc processing is done before netfilter processing.

                – Niklas Holm
                Oct 2 '17 at 10:20



















              • Classifying ingress flows with iptables won't work since all ingress qdisc processing is done before netfilter processing.

                – Niklas Holm
                Oct 2 '17 at 10:20

















              Classifying ingress flows with iptables won't work since all ingress qdisc processing is done before netfilter processing.

              – Niklas Holm
              Oct 2 '17 at 10:20





              Classifying ingress flows with iptables won't work since all ingress qdisc processing is done before netfilter processing.

              – Niklas Holm
              Oct 2 '17 at 10:20













              0














              What is it that you set with --set class X:Y? Class of what exactly? I've searched the man page of iptables but have not found similar to what you describe. I think that you may want to do something like this:




              1. Mark the TOS field of IP packets in "Server".

              2. Let the routers treat the packet specially.


              3. In "edgeRouter" do the following:



                  # If a packet arrives from LAN, is marked and we know nothing about the
                #+ connection, then mark the connection
                iptables -t mangle -A PREROUTING -i $LAN_IF -m tos --tos $TOS_VAL -m
                connmark ! --mark $TOS_VAL -j CONNMARK --set-xmark $TOS_VAL

                # Reset the TOS value when going out to prevent strange interpretation
                iptables -t mangle -A POSTROUTING -o $WAN_IF -m tos --tos $TOS_VAL
                -j TOS --set-tos 0x00

                # If a packet arrives from WAN and the connection is marked, then mark
                #+ the packet so that the routers in LAN know how to deal with it
                iptables -t mangle -A PREROUTING -i $WAN_IF -m connmark --mark $TOS_VAL
                -j TOS --set-tos $TOS_VAL







              share|improve this answer




























                0














                What is it that you set with --set class X:Y? Class of what exactly? I've searched the man page of iptables but have not found similar to what you describe. I think that you may want to do something like this:




                1. Mark the TOS field of IP packets in "Server".

                2. Let the routers treat the packet specially.


                3. In "edgeRouter" do the following:



                    # If a packet arrives from LAN, is marked and we know nothing about the
                  #+ connection, then mark the connection
                  iptables -t mangle -A PREROUTING -i $LAN_IF -m tos --tos $TOS_VAL -m
                  connmark ! --mark $TOS_VAL -j CONNMARK --set-xmark $TOS_VAL

                  # Reset the TOS value when going out to prevent strange interpretation
                  iptables -t mangle -A POSTROUTING -o $WAN_IF -m tos --tos $TOS_VAL
                  -j TOS --set-tos 0x00

                  # If a packet arrives from WAN and the connection is marked, then mark
                  #+ the packet so that the routers in LAN know how to deal with it
                  iptables -t mangle -A PREROUTING -i $WAN_IF -m connmark --mark $TOS_VAL
                  -j TOS --set-tos $TOS_VAL







                share|improve this answer


























                  0












                  0








                  0







                  What is it that you set with --set class X:Y? Class of what exactly? I've searched the man page of iptables but have not found similar to what you describe. I think that you may want to do something like this:




                  1. Mark the TOS field of IP packets in "Server".

                  2. Let the routers treat the packet specially.


                  3. In "edgeRouter" do the following:



                      # If a packet arrives from LAN, is marked and we know nothing about the
                    #+ connection, then mark the connection
                    iptables -t mangle -A PREROUTING -i $LAN_IF -m tos --tos $TOS_VAL -m
                    connmark ! --mark $TOS_VAL -j CONNMARK --set-xmark $TOS_VAL

                    # Reset the TOS value when going out to prevent strange interpretation
                    iptables -t mangle -A POSTROUTING -o $WAN_IF -m tos --tos $TOS_VAL
                    -j TOS --set-tos 0x00

                    # If a packet arrives from WAN and the connection is marked, then mark
                    #+ the packet so that the routers in LAN know how to deal with it
                    iptables -t mangle -A PREROUTING -i $WAN_IF -m connmark --mark $TOS_VAL
                    -j TOS --set-tos $TOS_VAL







                  share|improve this answer













                  What is it that you set with --set class X:Y? Class of what exactly? I've searched the man page of iptables but have not found similar to what you describe. I think that you may want to do something like this:




                  1. Mark the TOS field of IP packets in "Server".

                  2. Let the routers treat the packet specially.


                  3. In "edgeRouter" do the following:



                      # If a packet arrives from LAN, is marked and we know nothing about the
                    #+ connection, then mark the connection
                    iptables -t mangle -A PREROUTING -i $LAN_IF -m tos --tos $TOS_VAL -m
                    connmark ! --mark $TOS_VAL -j CONNMARK --set-xmark $TOS_VAL

                    # Reset the TOS value when going out to prevent strange interpretation
                    iptables -t mangle -A POSTROUTING -o $WAN_IF -m tos --tos $TOS_VAL
                    -j TOS --set-tos 0x00

                    # If a packet arrives from WAN and the connection is marked, then mark
                    #+ the packet so that the routers in LAN know how to deal with it
                    iptables -t mangle -A PREROUTING -i $WAN_IF -m connmark --mark $TOS_VAL
                    -j TOS --set-tos $TOS_VAL








                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Apr 15 '16 at 13:42









                  Diego Augusto MolinaDiego Augusto Molina

                  663




                  663























                      0















                      TLDR: How to use iptables to classify ingress packets with the same class as egress for the same connection.




                      It's not entirely clear by your question what method of classification you're referring to, but in general if we're talking about traffic shaping using tc and queuing disciplines, the following applies.



                      act_connmark



                      As ingress qdisc processing is done before netfilter, you cannot directly classify ingress traffic using iptables (without recompiling your kernel with IMQ, see below). You can however indirectly classify it by using connection tracking. If available on your kernel you can use the act_connmark module, designed for this exact purpose, which adds a connmark action to tc filters that support it.



                      # 0. Load modules and IFB device
                      modprobe act_connmark
                      modprobe ifb
                      ip link set ifb0 up

                      # 1. Classify packets by marking them
                      iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 1

                      # 2. Append rule to save the packet mark to the connection mark
                      iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

                      # 3. Restore the connection mark to the packet mark with 'action connmark'
                      # before redirecting to the ifb-device
                      tc qdisc add dev eth0 handle ffff: ingress
                      tc qdisc add dev ifb0 handle 1: root
                      tc filter add dev eth0 parent ffff: prio 1
                      protocol ip u32 match u32 0 0 flowid ffff:1
                      action connmark
                      action mirred egress redirect dev ifb0

                      # 4. Apply filters to classify packets based on their mark
                      # ... setup qdiscs and classes as usual on ifb0... then
                      tc filter add dev ifb0 parent 1: prio 1 protocol ip handle 1 fw classid 1:01



                      • Example at the ArchLinux Wiki


                      IMQ



                      IMQ (Intermediate Queueing Device) circumvents the normal flow of traffic in the kernel by, as I understand it, looping it back through a virtual device after netfilter processing. It is not merged with the kernel tree, thus is not included in most distributions, and requires you the patch and compile the kernel yourself. If you do so, it would work something like this:



                      # classify and save mark in POSTROUTING as before... then
                      iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
                      iptables -t mangle -A PREROUTING -j IMQ --todev 0

                      # ... setup qdiscs and classes as usual on imq0 ... then
                      tc filter add dev imq0 parent 1: prio 1 protocol ip handle 1 fw classid 1:01


                      This would also enable you to do more advanced classifications on ingress using iptables, that might be very cumbersome using plain u32 filters, such as arbitrary port ranges. I cannot speak to the performance or elegance of this solution though, I'm guessing there's a reason it never got merged.




                      • IMQ at GitHub






                      share|improve this answer




























                        0















                        TLDR: How to use iptables to classify ingress packets with the same class as egress for the same connection.




                        It's not entirely clear by your question what method of classification you're referring to, but in general if we're talking about traffic shaping using tc and queuing disciplines, the following applies.



                        act_connmark



                        As ingress qdisc processing is done before netfilter, you cannot directly classify ingress traffic using iptables (without recompiling your kernel with IMQ, see below). You can however indirectly classify it by using connection tracking. If available on your kernel you can use the act_connmark module, designed for this exact purpose, which adds a connmark action to tc filters that support it.



                        # 0. Load modules and IFB device
                        modprobe act_connmark
                        modprobe ifb
                        ip link set ifb0 up

                        # 1. Classify packets by marking them
                        iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 1

                        # 2. Append rule to save the packet mark to the connection mark
                        iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

                        # 3. Restore the connection mark to the packet mark with 'action connmark'
                        # before redirecting to the ifb-device
                        tc qdisc add dev eth0 handle ffff: ingress
                        tc qdisc add dev ifb0 handle 1: root
                        tc filter add dev eth0 parent ffff: prio 1
                        protocol ip u32 match u32 0 0 flowid ffff:1
                        action connmark
                        action mirred egress redirect dev ifb0

                        # 4. Apply filters to classify packets based on their mark
                        # ... setup qdiscs and classes as usual on ifb0... then
                        tc filter add dev ifb0 parent 1: prio 1 protocol ip handle 1 fw classid 1:01



                        • Example at the ArchLinux Wiki


                        IMQ



                        IMQ (Intermediate Queueing Device) circumvents the normal flow of traffic in the kernel by, as I understand it, looping it back through a virtual device after netfilter processing. It is not merged with the kernel tree, thus is not included in most distributions, and requires you the patch and compile the kernel yourself. If you do so, it would work something like this:



                        # classify and save mark in POSTROUTING as before... then
                        iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
                        iptables -t mangle -A PREROUTING -j IMQ --todev 0

                        # ... setup qdiscs and classes as usual on imq0 ... then
                        tc filter add dev imq0 parent 1: prio 1 protocol ip handle 1 fw classid 1:01


                        This would also enable you to do more advanced classifications on ingress using iptables, that might be very cumbersome using plain u32 filters, such as arbitrary port ranges. I cannot speak to the performance or elegance of this solution though, I'm guessing there's a reason it never got merged.




                        • IMQ at GitHub






                        share|improve this answer


























                          0












                          0








                          0








                          TLDR: How to use iptables to classify ingress packets with the same class as egress for the same connection.




                          It's not entirely clear by your question what method of classification you're referring to, but in general if we're talking about traffic shaping using tc and queuing disciplines, the following applies.



                          act_connmark



                          As ingress qdisc processing is done before netfilter, you cannot directly classify ingress traffic using iptables (without recompiling your kernel with IMQ, see below). You can however indirectly classify it by using connection tracking. If available on your kernel you can use the act_connmark module, designed for this exact purpose, which adds a connmark action to tc filters that support it.



                          # 0. Load modules and IFB device
                          modprobe act_connmark
                          modprobe ifb
                          ip link set ifb0 up

                          # 1. Classify packets by marking them
                          iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 1

                          # 2. Append rule to save the packet mark to the connection mark
                          iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

                          # 3. Restore the connection mark to the packet mark with 'action connmark'
                          # before redirecting to the ifb-device
                          tc qdisc add dev eth0 handle ffff: ingress
                          tc qdisc add dev ifb0 handle 1: root
                          tc filter add dev eth0 parent ffff: prio 1
                          protocol ip u32 match u32 0 0 flowid ffff:1
                          action connmark
                          action mirred egress redirect dev ifb0

                          # 4. Apply filters to classify packets based on their mark
                          # ... setup qdiscs and classes as usual on ifb0... then
                          tc filter add dev ifb0 parent 1: prio 1 protocol ip handle 1 fw classid 1:01



                          • Example at the ArchLinux Wiki


                          IMQ



                          IMQ (Intermediate Queueing Device) circumvents the normal flow of traffic in the kernel by, as I understand it, looping it back through a virtual device after netfilter processing. It is not merged with the kernel tree, thus is not included in most distributions, and requires you the patch and compile the kernel yourself. If you do so, it would work something like this:



                          # classify and save mark in POSTROUTING as before... then
                          iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
                          iptables -t mangle -A PREROUTING -j IMQ --todev 0

                          # ... setup qdiscs and classes as usual on imq0 ... then
                          tc filter add dev imq0 parent 1: prio 1 protocol ip handle 1 fw classid 1:01


                          This would also enable you to do more advanced classifications on ingress using iptables, that might be very cumbersome using plain u32 filters, such as arbitrary port ranges. I cannot speak to the performance or elegance of this solution though, I'm guessing there's a reason it never got merged.




                          • IMQ at GitHub






                          share|improve this answer














                          TLDR: How to use iptables to classify ingress packets with the same class as egress for the same connection.




                          It's not entirely clear by your question what method of classification you're referring to, but in general if we're talking about traffic shaping using tc and queuing disciplines, the following applies.



                          act_connmark



                          As ingress qdisc processing is done before netfilter, you cannot directly classify ingress traffic using iptables (without recompiling your kernel with IMQ, see below). You can however indirectly classify it by using connection tracking. If available on your kernel you can use the act_connmark module, designed for this exact purpose, which adds a connmark action to tc filters that support it.



                          # 0. Load modules and IFB device
                          modprobe act_connmark
                          modprobe ifb
                          ip link set ifb0 up

                          # 1. Classify packets by marking them
                          iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 1

                          # 2. Append rule to save the packet mark to the connection mark
                          iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

                          # 3. Restore the connection mark to the packet mark with 'action connmark'
                          # before redirecting to the ifb-device
                          tc qdisc add dev eth0 handle ffff: ingress
                          tc qdisc add dev ifb0 handle 1: root
                          tc filter add dev eth0 parent ffff: prio 1
                          protocol ip u32 match u32 0 0 flowid ffff:1
                          action connmark
                          action mirred egress redirect dev ifb0

                          # 4. Apply filters to classify packets based on their mark
                          # ... setup qdiscs and classes as usual on ifb0... then
                          tc filter add dev ifb0 parent 1: prio 1 protocol ip handle 1 fw classid 1:01



                          • Example at the ArchLinux Wiki


                          IMQ



                          IMQ (Intermediate Queueing Device) circumvents the normal flow of traffic in the kernel by, as I understand it, looping it back through a virtual device after netfilter processing. It is not merged with the kernel tree, thus is not included in most distributions, and requires you the patch and compile the kernel yourself. If you do so, it would work something like this:



                          # classify and save mark in POSTROUTING as before... then
                          iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
                          iptables -t mangle -A PREROUTING -j IMQ --todev 0

                          # ... setup qdiscs and classes as usual on imq0 ... then
                          tc filter add dev imq0 parent 1: prio 1 protocol ip handle 1 fw classid 1:01


                          This would also enable you to do more advanced classifications on ingress using iptables, that might be very cumbersome using plain u32 filters, such as arbitrary port ranges. I cannot speak to the performance or elegance of this solution though, I'm guessing there's a reason it never got merged.




                          • IMQ at GitHub







                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered Oct 2 '17 at 11:28









                          Niklas HolmNiklas Holm

                          32135




                          32135






























                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Unix & Linux Stack Exchange!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f155751%2fsetting-traffic-class-on-return-packets%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              Taj Mahal Inhaltsverzeichnis Aufbau | Geschichte | 350-Jahr-Feier | Heutige Bedeutung | Siehe auch |...

                              Baia Sprie Cuprins Etimologie | Istorie | Demografie | Politică și administrație | Arii naturale...

                              Nicolae Petrescu-Găină Cuprins Biografie | Opera | In memoriam | Varia | Controverse, incertitudini...