[strongSwan] Traffic shaping for multiple ipsec clients with Linux tc

Vitaly Repin vitaly_repin at fsfe.org
Tue Aug 4 11:55:44 CEST 2015


Thanks for the answer!

Regarding marking/nonmarking - I need to define two classes and two
corresponding filters.  It's not obvious to me how to define a TC
filter which triggers if the packet is from/to a certain IP address and
belongs to a certain type of connection (e.g., I need to distinguish
ssh traffic from other types of traffic for the same IP).  I have
found that it is possible, but it looks like the iptables way is much clearer
and more straightforward.

But the main problem for me is the need to assign unique ids to classes and
marks. Even if I don't use iptables marks, this problem does not
disappear - I still need to assign ids. Two new class ids for every
new connection.

One of the ideas I had on how to avoid this is to assign a VTI to every
connection. In this case the TC rules will be applied to this
specific VTI.  But I do not have any idea how to do it.
It looks like https://wiki.strongswan.org/projects/strongswan/wiki/Connmark
is used for other purposes (?)

2015-07-31 16:16 GMT+03:00 Noel Kuntze <noel at familie-kuntze.de>:
> Hello Vitaly,
> Assuming the shaping part of the network stack
> sees incoming ESP/AH packets twice (one time as ESP/AH packets
> and then one time as their payload, which happens with tcpdump),
> you don't need to mark the packets at all to shape them. You can
> just access their properties (IP source/destination, protocol, TOS, ...)
> using u32 matches in tc and shape on those properties.
> If you still want to use iptables to mark packets, then be aware
> that MARK is _not_ a terminating target.
> Because SSH and SCP both work on tcp port 22 and use SSH
> (no surprise) as session protocol, you can't distinguish them
> from one another. You need to make the scp client set the TOS
> field on the packets it sends, so you can tell them
> apart from SSH packets.
>>  iptables -t mangle -A INPUT -i $DEV -s $IP -p tcp --tcp-flags ALL ACK -j CONNMARK --set-mark ${MARKFW_ONE}
> That rule is completely useless, because the CONNMARK applies to
> the /whole/ connection. So you'd prioritize the connection, not the packet.

WBR & WBW, Vitaly
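One way to sidestep the unique-id bookkeeping discussed above is to derive each client's class ids and fwmarks from its virtual IP. The script below is an added example, not code from the thread or from strongSwan; it assumes clients get virtual IPs from one /24, that an HTB root qdisc "1:" already exists on $DEV, and that packets are shaped after decryption (plain IP), as in the quoted reply. By default it only prints the tc/iptables commands.

```shell
#!/bin/sh
# Added example (not from the thread). Per-client ids come from the last
# octet N of the client's virtual IP: bulk class 1:(2N), ssh class 1:(2N+1).
# The fwmark equals the class minor id, so no registry of ids is needed.
# Assumed: HTB root qdisc "1:" on $DEV exists; client IPs share one /24.

DEV="${DEV:-eth0}"
RUN="${RUN:-echo}"   # default prints the commands for review; RUN="" executes

# client_ids <ip> -> "<bulk-id> <ssh-id>"
client_ids() {
    octet=${1##*.}
    bulk=$((octet * 2))
    echo "$bulk $((bulk + 1))"
}

# shape_client <client-ip> <bulk-rate> <ssh-rate>
# Emits/executes the tc classes, fw filters and mangle marks for one client.
shape_client() {
    ip=$1; bulk_rate=$2; ssh_rate=$3
    set -- $(client_ids "$ip"); bulk=$1; ssh=$2
    # One HTB class per traffic type; ssh gets the better (lower) prio value.
    $RUN tc class add dev "$DEV" parent 1: classid "1:$bulk" htb rate "$bulk_rate" prio 2
    $RUN tc class add dev "$DEV" parent 1: classid "1:$ssh" htb rate "$ssh_rate" prio 1
    # fw classifier: a packet carrying mark M is steered to class 1:M.
    $RUN tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle "$bulk" fw flowid "1:$bulk"
    $RUN tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle "$ssh" fw flowid "1:$ssh"
    # Mark per packet (MARK, not CONNMARK) on egress toward the client.
    # MARK is not a terminating target, so the ssh rule is followed by RETURN;
    # otherwise the catch-all bulk rule would overwrite the ssh mark.
    # "--ports 22" matches port 22 as source or destination.
    $RUN iptables -t mangle -A POSTROUTING -o "$DEV" -d "$ip" -p tcp -m multiport --ports 22 -j MARK --set-mark "$ssh"
    $RUN iptables -t mangle -A POSTROUTING -o "$DEV" -d "$ip" -p tcp -m multiport --ports 22 -j RETURN
    $RUN iptables -t mangle -A POSTROUTING -o "$DEV" -d "$ip" -j MARK --set-mark "$bulk"
}
```

Run `shape_client 10.10.0.5 1mbit 256kbit` to review the generated rules; with an updown script the same function could be called with the client's virtual IP whenever a new connection comes up.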
