[strongSwan] Traffic shaping for multiple ipsec clients with Linux tc

Noel Kuntze noel at familie-kuntze.de
Thu Aug 6 05:40:12 CEST 2015


Hello Vitaly,

Why do you want to assign a unique mark to each IP?
You can simply create a filter for each type of traffic and then
apply QoS to that. There's no obvious need to track
each IP's connections separately. TCP ACKs should be prioritized anyway,
together with ICMP, independent of the connection.
TCP packets always have the destination and source ports in the headers,
so you can tell them apart, too, if needed.

Creating two classes and two filters should be quite easy. I never
used tc myself, so I can't help you with that, but lartc.org should.

connmark is used if there are IPsec peers behind the same IP
and they need to be distinguished.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 04.08.2015 at 11:55, Vitaly Repin wrote:
> Hello,
> Thanks for the answer!
> Regarding marking/nonmarking - I need to define two classes and two
> corresponding filters.  It's not obvious to me how to define a TC
> filter which triggers if the packet is from/to a certain IP address and
> belongs to a certain type of connection (e.g., I need to distinguish
> ssh traffic from other types of traffic for the same IP).  I have
> found that it is possible, but it looks like the iptables way is much clearer
> and more straightforward.
> But the main problem for me is the need to assign unique ids to classes and
> marks. Even if I don't use iptables marks, this problem does not
> disappear - I still need to assign ids. Two new class ids for every
> new connection.
> One of the ideas I had on how to avoid this is to assign a VTI for every
> connection. In this case the TC rules will be applied to this
> specific VTI.  But I do not have any idea how to do it.
> It looks like https://wiki.strongswan.org/projects/strongswan/wiki/Connmark
> is used for other purposes (?)
> 2015-07-31 16:16 GMT+03:00 Noel Kuntze <noel at familie-kuntze.de>:
>> Hello Vitaly,
>> Assuming the shaping part of the network stack
>> sees incoming ESP/AH packets twice (one time as ESP/AH packets
>> and then one time as their payload, which happens with tcpdump),
>> you don't need to mark the packets at all to shape them. You can
>> just access their properties (IP source/destination, protocol, TOS, ...)
>> using u32 matches in tc and shape on those properties.
>> If you still want to use iptables to mark packets, then be aware
>> that MARK is _not_ a terminating target.
>> Because SSH and SCP both work on tcp port 22 and use SSH
>> (no surprise) as the session protocol, you can't distinguish them
>> from one another. You need to make the scp client set the TOS
>> field on the packets it sends, so you can tell them
>> apart from SSH packets.
>>>  iptables -t mangle -A INPUT -i $DEV -s $IP -p tcp --tcp-flags ALL ACK -j CONNMARK --set-mark ${MARKFW_ONE}
>> That rule is completely useless, because the CONNMARK applies to
>> the /whole/ connection. So you'd prioritize the connection, not the packet.

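As an added example that is not part of the original thread and not strongSwan's own code, the script below implements the layout discussed above: one HTB class per client for its rate cap, with an "ssh" leaf and a "bulk" leaf underneath, classified by u32 matches on the decrypted (inner) headers as Noel suggests, so no iptables marks are needed. It also answers the class-ID question by deriving the IDs from the client's address instead of keeping a table, and includes a mark-based variant that shows why MARK being a non-terminating target dictates the rule order. The interface name, the rates, the 192.0.2.0/24 client pool and the two client addresses are constructed assumptions; the script defaults to a dry run (TC=echo, IPT=echo) and needs root with TC=tc IPT=iptables to apply anything.

```shell
#!/bin/sh
# Added example, not code from the strongSwan thread or project. It shapes
# the *decrypted* traffic of several IPsec clients with tc/HTB: one HTB class
# per client (its rate cap) and, below it, an "ssh" leaf (interactive, served
# first) and a "bulk" leaf (everything else). Classification uses plain u32
# matches on the inner IP/TCP header, so no iptables marks are needed.
# Assumptions (constructed for the example): the client pool is 192.0.2.0/24
# and DEV is the interface where the plaintext packets egress (a VTI in a
# route-based setup, otherwise the LAN-side interface). On the outer
# interface only ESP is visible and u32 cannot look inside it.
set -eu

DEV="${DEV:-eth0}"
TC="${TC:-echo}"       # dry-run by default; TC=tc as root applies the rules
IPT="${IPT:-echo}"     # same for iptables in the mark-based variant
TOTAL_RATE="${TOTAL_RATE:-50mbit}"
PER_CLIENT_RATE="${PER_CLIENT_RATE:-2mbit}"

tc_()  { "$TC" "$@"; }
ipt_() { "$IPT" "$@"; }

# Unique class IDs without a bookkeeping table: derive the 16-bit minor ID
# from the host part of the address. In a /24 pool the last octet is unique
# per client, and a role prefix separates that client's three classes:
#   parent 1:1xx   ssh leaf 1:2xx   bulk leaf 1:3xx   (xx = last octet, hex)
# The same number doubles as the fwmark in the mark-based variant below.
class_minor() {
    case "$2" in
        client) prefix=1 ;;
        ssh)    prefix=2 ;;
        bulk)   prefix=3 ;;
        *) echo "unknown role: $2" >&2; return 1 ;;
    esac
    printf '%d%02x\n' "$prefix" "${1##*.}"
}

setup_root() {
    tc_ qdisc del dev "$DEV" root 2>/dev/null || true
    tc_ qdisc add dev "$DEV" root handle 1: htb default 30
    tc_ class add dev "$DEV" parent 1: classid 1:1 htb rate "$TOTAL_RATE"
    # traffic from no known client lands here ("default 30")
    tc_ class add dev "$DEV" parent 1:1 classid 1:30 htb rate 1mbit ceil "$TOTAL_RATE"
}

setup_client() {
    ip="$1"
    parent="1:$(class_minor "$ip" client)"
    ssh="1:$(class_minor "$ip" ssh)"
    bulk="1:$(class_minor "$ip" bulk)"
    tc_ class add dev "$DEV" parent 1:1 classid "$parent" htb rate "$PER_CLIENT_RATE" ceil "$PER_CLIENT_RATE"
    # the lower prio number is served first when both leaves want to borrow
    tc_ class add dev "$DEV" parent "$parent" classid "$ssh"  htb rate 256kbit ceil "$PER_CLIENT_RATE" prio 0
    tc_ class add dev "$DEV" parent "$parent" classid "$bulk" htb rate 256kbit ceil "$PER_CLIENT_RATE" prio 1
    tc_ qdisc add dev "$DEV" parent "$ssh"  sfq perturb 10
    tc_ qdisc add dev "$DEV" parent "$bulk" sfq perturb 10
    # Filters are tried in ascending prio, so the specific matches come first.
    # SSH in either direction: client -> server on dport 22, replies on sport 22.
    tc_ filter add dev "$DEV" parent 1: protocol ip prio 10 u32 \
        match ip src "$ip/32" match ip protocol 6 0xff match ip dport 22 0xffff flowid "$ssh"
    tc_ filter add dev "$DEV" parent 1: protocol ip prio 10 u32 \
        match ip dst "$ip/32" match ip protocol 6 0xff match ip sport 22 0xffff flowid "$ssh"
    # Bare TCP ACKs (no IP options, total length < 64, flags == ACK) share the
    # interactive leaf; this is the well-known lartc.org small-ACK match.
    tc_ filter add dev "$DEV" parent 1: protocol ip prio 11 u32 \
        match ip src "$ip/32" match ip protocol 6 0xff match u8 0x05 0x0f at 0 \
        match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid "$ssh"
    # everything else from/to this client
    tc_ filter add dev "$DEV" parent 1: protocol ip prio 20 u32 match ip src "$ip/32" flowid "$bulk"
    tc_ filter add dev "$DEV" parent 1: protocol ip prio 20 u32 match ip dst "$ip/32" flowid "$bulk"
}

# Mark-based variant for the same two leaves. MARK is not a terminating
# target: the chain keeps being walked and a later MARK overwrites the
# value. So the generic rule goes first and the specific SSH rule after it;
# the last matching rule wins. The fw filter then maps mark -> class.
setup_client_marks() {
    ip="$1"; ssh=$(class_minor "$ip" ssh); bulk=$(class_minor "$ip" bulk)
    ipt_ -t mangle -A POSTROUTING -o "$DEV" -s "$ip" -j MARK --set-mark "0x$bulk"
    ipt_ -t mangle -A POSTROUTING -o "$DEV" -s "$ip" -p tcp --dport 22 -j MARK --set-mark "0x$ssh"
    tc_ filter add dev "$DEV" parent 1: protocol ip prio 30 handle "0x$ssh"  fw flowid "1:$ssh"
    tc_ filter add dev "$DEV" parent 1: protocol ip prio 30 handle "0x$bulk" fw flowid "1:$bulk"
}

# Dry run for two constructed clients; prints the tc commands it would issue.
setup_root
for client in 192.0.2.5 192.0.2.23; do
    setup_client "$client"
done
```

Run it as is to see the commands; run it with `TC=tc DEV=vti0` (or the LAN-side interface) as root to install them. Because the u32 matches look at the inner IP header, the rules only work on an interface that carries plaintext; for the direction towards the client that is normally the VTI, which is one reason a per-connection VTI, as considered in the thread, makes the tc side simpler.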

