
I have an OpenVPN server where I control traffic from clients to server subnets using iptables. Now, additionally, I want to control bandwidth of the network using tc.

Here are the class definitions:

tc qdisc add dev tun0 root handle 1:0 htb default 100
tc class add dev tun0 parent 1:0 classid 1:1 htb rate 1000mbit ceil 1000mbit
tc class add dev tun0 parent 1:1 classid 1:11 htb rate 4mbit ceil 10mbit
tc class add dev tun0 parent 1:1 classid 1:12 htb rate 4mbit ceil 10mbit
...
tc class add dev tun0 parent 1:1 classid 1:100 htb rate 4mbit ceil 10mbit

# Finally add the filter
tc filter add dev tun0 protocol all parent 1:0 prio 1 handle 11 fw flowid 1:11

The corresponding iptables rule:

iptables -I FORWARD -s 10.11.0.2 -d 10.20.69.0/25 -j MARK --set-mark 11

I can see the packets hitting the rule:

# iptables -vnL
Chain INPUT (policy ACCEPT 8967K packets, 12G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 322K  427M MARK       all  --  *      *       10.11.0.2            10.20.69.0/25        MARK set 0xb
1620K 2149M ACCEPT     all  --  *      *       10.11.0.2            10.20.69.0/25
 455K   24M ACCEPT     all  --  *      *       10.20.69.0/25        10.11.0.2
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.10.0.0/16
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.20.0.0/15

But they don't hit the correct tc rule (default 100 instead of 11):

# tc -s class show dev tun0
class htb 1:11 parent 1:1 prio 0 rate 4Mbit ceil 10Mbit burst 1600b cburst 1600b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 50000 ctokens: 20000

class htb 1:1 root rate 1Gbit ceil 1Gbit burst 1375b cburst 1375b
 Sent 9956908 bytes 191082 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
 lended: 11375 borrowed: 0 giants: 0
 tokens: 180 ctokens: 180

class htb 1:100 parent 1:1 prio 0 rate 4Mbit ceil 10Mbit burst 1600b cburst 1600b
 Sent 9956908 bytes 191082 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
 lended: 179707 borrowed: 11375 giants: 0
 tokens: 48375 ctokens: 19350

class htb 1:12 parent 1:1 prio 0 rate 4Mbit ceil 10Mbit burst 1600b cburst 1600b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 50000 ctokens: 20000

Thanks in advance!


I think you have an issue with the marking. You should be able to confirm the mark by running conntrack -L (or is it only the connection mark?).

Your marking command is using the filter table, although it should use the mangle table. Try using instead:

iptables -t mangle -I POSTROUTING -s 10.11.0.2 -d 10.20.69.0/25 -j MARK --set-mark 11

Also, once it works, you can use connmark and restore-mark to be able to match established connections.
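The mangle-table marking with CONNMARK that the answer describes, as an added example (not code from the question or the answer); it reuses the tun0, 10.20.69.0/25, rate and mark-11 values from the question, while the second client 10.11.0.3 with mark 12 is made up for illustration.

```shell
#!/bin/sh
# Added example (not code from the question or the answer): emit the tc
# classes plus mangle-table marking rules the answer recommends, using
# CONNMARK so the reply half of each connection carries the same fw mark.
# A qdisc on tun0 shapes only what leaves through tun0, i.e. subnet->client
# replies, so the saved mark must be restored onto those packets.
# Device, subnet, rates and the 10.11.0.2 -> mark 11 pairing come from the
# question; 10.11.0.3 -> mark 12 is a made-up second client. Functions only
# print commands: review the output, then pipe it to sh as root.

DEV="tun0"
SUBNET="10.20.69.0/25"

# One htb leaf plus the fw filter for it. Class id 1:<mark> keeps the
# question's convention (mark 11 -> class 1:11, shown as 0xb by iptables).
gen_tc_class() {
  mark="$1"
  echo "tc class add dev $DEV parent 1:1 classid 1:$mark htb rate 4mbit ceil 10mbit"
  echo "tc filter add dev $DEV protocol all parent 1:0 prio 1 handle $mark fw flowid 1:$mark"
}

# Whole ruleset for "client:mark" pairs, e.g. 10.11.0.2:11 10.11.0.3:12.
# Rule order matters: restore first so packets of a known flow get their
# saved mark, mark only still-unmarked client->subnet packets, save last.
gen_ruleset() {
  echo "tc qdisc add dev $DEV root handle 1:0 htb default 100"
  echo "tc class add dev $DEV parent 1:0 classid 1:1 htb rate 1000mbit ceil 1000mbit"
  echo "tc class add dev $DEV parent 1:1 classid 1:100 htb rate 4mbit ceil 10mbit"
  echo "iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark"
  for pair in "$@"; do
    client="${pair%%:*}"; mark="${pair##*:}"
    gen_tc_class "$mark"
    echo "iptables -t mangle -A POSTROUTING -m mark --mark 0 -s $client -d $SUBNET -j MARK --set-mark $mark"
  done
  echo "iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark"
}

# Checks to run afterwards: byte counters should grow under class 1:<mark>,
# the mangle counters should show hits, and conntrack should list the mark.
verify_cmds() {
  mark="$1"
  echo "tc -s class show dev $DEV"
  echo "iptables -t mangle -vnL POSTROUTING"
  echo "conntrack -L --mark $mark"
}

gen_ruleset 10.11.0.2:11 10.11.0.3:12
verify_cmds 11
```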
