[strongSwan] Traffic shaping for multiple ipsec clients with Linux tc

Fri Jul 31 15:16:50 CEST 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Vitaly,

Assuming the shaping part of the network stack
sees incoming ESP/AH packets twice (one time as ESP/AH packets
and then one time as their payload , which happens with tcpdump,
you don't need to mark the packets at all to shape them. You can
just access their proterties (IP source/destination, protocol, TOS, ...)
using u32 matches in tc and shape on those properties.

If you still want to use iptables to mark packets, then be aware
that MARK is _not_ a terminating target.

Because SSH and SCP both work on tcp port 22 and use SSH
(no surprise) as session protocol, you can't distinguish them
from another. You need to make the scp client set the TOS
field on the packets it sends, so you can tell them
apart from SSH packets.

>  iptables -t mangle -A INPUT -i $DEV -s $IP -p tcp --tcp-flags ALL ACK -j CONNMARK --set-mark ${MARKFW_ONE}
That rule is completely useless, because the CONNMARK applies to
the /whole/ connection. So you'd prioritize the connection, not the packet.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 31.07.2015 um 13:16 schrieb Vitaly Repin:
> Hello,
>
> (I've sent the same question to LARTC and serverfault but there are no
> answers for more than a week.  Looks strange as I thought that my task
> is pretty common. Want to make sure that there is no ready-made
> solution/howto before going to implement my idea)
>
> I need to divide bandwidth between several clients connected through IPSEC.
>
> I found this article:
> https://jve.linuxwall.info/blog/index.php?post/2010/10/16/How-can-I-do-traffic-shaping-in-Linux-by-IP
>
> But my requirements are a little bit more complicated and I need some
> additional advices.
>
> == How to assign MARK to a new client ==
>
> 1) I have not the only one, but several clients who are dynamically
> connecting and receiving IPs. How can I assign firewall mark/class
> ids? My current idea is to store mark in the shared memory and
> increment it with every new client.
>
> Sounds relatively complicated. I can do it, but may be there is a
> simpler solution? Any other ideas are welcome.
>
> Other approach I am aware of is to make a hash from IP address. In
> this case hash will be 16 bits (range for tc class id)  while IP
> contains 32 bit. Does not look that good.
>
> == Filters / Classificators ==
>
> 2) I want to have two classes per VPN client. One for priority traffic
> and another for everything else. I use two marks to achieve this -
> MARKFW_ONE and MARKFW_TWO
>
> 2.1 SSH traffic: put into priority queue (ssh but NOT scp):
>
> iptables -t mangle -A INPUT -i $DEV -s $IP -p tcp -m tos --tos 0x10 -j
> CONNMARK --set-mark ${MARKFW_ONE}
>
> 2.2 ICMP: put into priority queue:
>
> iptables -t mangle -A INPUT -i $DEV -s $IP -p icmp -j CONNMARK
> --set-mark ${MARKFW_ONE}
>
> 2.3 To speed up downloads while an upload is going on, put ACK packets
> in priority class:
>
> iptables -t mangle -A INPUT -i $DEV -s $IP -p tcp --tcp-flags ALL ACK
> -j CONNMARK --set-mark ${MARKFW_ONE}
>
> 2.4 Everything else:
>
> iptables -t mangle -A INPUT -i $DEV -s ${IP} -j CONNMARK --set-mark
> ${MARKFW_TWO}
>
>
> And at the end:
>
> # Propagate netfilter marks on connections
> iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
>
> Questions are :
>
> - 2.3: It looks like I am wrong here because this rule shall mark the
> whole connection, not the packet.
>   Shall I simply use -j MARK in this case?
> - 2.2: Shall I replace -j CONNMARK with -j MARK for ICMP case?
> - 2.1 - 2.4. Can I use -j CLASSIFY target instead of marking the
> packets and connections?  I am under impression that I can use it for
> the case 2.2 and   may be 2.3 but NOT in other cases when connection
> shall be marked.
> - 2.1: Is it a proper way to identify ssh traffic (and not scp)?
>
> Thanks in advance!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVu3U/AAoJEDg5KY9j7GZYSsQP/iddDlDOzxrBuJ3tFFxfhw2y
FY9OXc9EP5avbA2Sx2iW8xIiX1Of3bMZ7RQxVXBWtED1/vKt36dg5LlaaK+iyTEe
urN6WlO5a0YpEkPKhDhaWFR+TsSFLr60csNhg+/fp04wDp/AYGFBE4Ih1ASz8DNN
7Uem1teYzjl29n5uAB7xpa9KjlUxz3iEIoOxWHp3x1F4Z9aXI3RQH0TPY6q/mJUD
+HUPuABd92CxJ6QCcxeH0DwQfGlQUDmb2tkdSEFVf8zXetoFRLm2e2QCaqMVYQwG
um2dEvC09CdMjC/JJKBqH5/bRvnd+H5x4O9IyS2/Aaq76G0FHRrgtyyFMYqdonvJ
EeEOWu9iNZhw+4Oah1DqXrwxPgE/l+P8Ajpt51mKO0EyaY+6Lcrk4dw/nB4q5qEs
cx4jmMlQYHQvyUV2A90VNve+7ObsNue0Yd4gIil/mHC/HldHApqTB9Y50up9vzAL
NWnL57jgzKl7QfzJcJ0DDntnswtL+5WRyei65JeceqsLFBu0czb8pKoMXOPcxb4X
W8jJ1uzvQy/Rh0FAHnEBZ7VqpQp3oD5m6XW90tD9WHWXj+dE39U/2ov47KMq8jGE
JaVB6ERDXUz/FXoggNvbpRp1fIISLwtaP2VRE4TZ5KgmXA1yrapOr4L9x0V32lCr
x7emAdrTPca2tSy/UPNO
=AbMv
-----END PGP SIGNATURE-----