[strongSwan] Traffic shaping for multiple ipsec clients with Linux tc

Noel Kuntze noel at familie-kuntze.de
Fri Jul 31 15:16:50 CEST 2015


Hello Vitaly,

Assuming the shaping part of the network stack
sees incoming ESP/AH packets twice (one time as ESP/AH packets
and then one time as their payload, which happens with tcpdump),
you don't need to mark the packets at all to shape them. You can
just access their properties (IP source/destination, protocol, TOS, ...)
using u32 matches in tc and shape on those properties.

If you still want to use iptables to mark packets, then be aware
that MARK is _not_ a terminating target.

Because SSH and SCP both work on TCP port 22 and use SSH
(no surprise) as session protocol, you can't distinguish them
from one another. You need to make the scp client set the TOS
field on the packets it sends, so you can tell them
apart from SSH packets.

>  iptables -t mangle -A INPUT -i $DEV -s $IP -p tcp --tcp-flags ALL ACK -j CONNMARK --set-mark ${MARKFW_ONE}
That rule is completely useless, because the CONNMARK applies to
the /whole/ connection. So you'd prioritize the connection, not the packet.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 31.07.2015 at 13:16, Vitaly Repin wrote:
> Hello,
> (I've sent the same question to LARTC and serverfault but there have been no
> answers for more than a week. Looks strange, as I thought that my task
> is pretty common. I want to make sure that there is no ready-made
> solution/howto before going on to implement my idea.)
> I need to divide bandwidth between several clients connected through IPSEC.
> I found this article:
> https://jve.linuxwall.info/blog/index.php?post/2010/10/16/How-can-I-do-traffic-shaping-in-Linux-by-IP
> But my requirements are a little bit more complicated and I need some
> additional advice.
> == How to assign MARK to a new client ==
> 1) I don't have only one, but several clients who are dynamically
> connecting and receiving IPs. How can I assign firewall marks/class
> ids? My current idea is to store the mark in shared memory and
> increment it with every new client.
> Sounds relatively complicated. I can do it, but maybe there is a
> simpler solution? Any other ideas are welcome.
> Another approach I am aware of is to make a hash from the IP address. In
> this case the hash will be 16 bits (the range for a tc class id) while an IP
> contains 32 bits. Does not look that good.
> == Filters / Classificators ==
> 2) I want to have two classes per VPN client. One for priority traffic
> and another for everything else. I use two marks to achieve this -
> 2.1 SSH traffic: put into priority queue (ssh but NOT scp):
> iptables -t mangle -A INPUT -i $DEV -s $IP -p tcp -m tos --tos 0x10 -j CONNMARK --set-mark ${MARKFW_ONE}
> 2.2 ICMP: put into priority queue:
> iptables -t mangle -A INPUT -i $DEV -s $IP -p icmp -j CONNMARK --set-mark ${MARKFW_ONE}
> 2.3 To speed up downloads while an upload is going on, put ACK packets in priority class:
> iptables -t mangle -A INPUT -i $DEV -s $IP -p tcp --tcp-flags ALL ACK -j CONNMARK --set-mark ${MARKFW_ONE}
> 2.4 Everything else:
> iptables -t mangle -A INPUT -i $DEV -s ${IP} -j CONNMARK --set-mark
> And at the end:
> # Propagate netfilter marks on connections
> iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
> Questions are:
> - 2.3: It looks like I am wrong here because this rule shall mark the
> whole connection, not the packet.
>   Shall I simply use -j MARK in this case?
> - 2.2: Shall I replace -j CONNMARK with -j MARK for the ICMP case?
> - 2.1 - 2.4. Can I use the -j CLASSIFY target instead of marking the
> packets and connections? I am under the impression that I can use it for
> case 2.2 and maybe 2.3 but NOT in the other cases when the connection
> shall be marked.
> - 2.1: Is this a proper way to identify ssh traffic (and not scp)?
> Thanks in advance!

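Shaping on the decapsulated packets' own properties with u32 (Noel's suggestion) together with two classes per dynamically connecting client (Vitaly's question), as an added example that is not code from either poster. It assumes Linux with ifb and HTB, shapes the direction the quoted rules select (traffic from the client, -s $IP) by redirecting ingress to an IFB device, and hands out class ids from a per-client slot number; interface names, addresses and rates are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): shape traffic *from* each IPsec client
# without MARK/CONNMARK. Inbound ESP is decapsulated by XFRM and the inner
# packet is re-injected on $DEV, so an ingress redirect to an IFB device sees
# both copies; the u32 filters below only match the decapsulated inner header.
# Assumes Linux with ifb and sch_htb; with TC unset it just prints commands.
TC="${TC:-echo tc}"
DEV="${DEV:-eth0}"
IFB="${IFB:-ifb0}"
TOTAL="${TOTAL:-100mbit}"

setup_root() {
    $TC qdisc add dev "$DEV" handle ffff: ingress
    # push everything arriving on $DEV through $IFB, where a real qdisc can shape
    $TC filter add dev "$DEV" parent ffff: protocol all u32 match u32 0 0 \
        action mirred egress redirect dev "$IFB"
    $TC qdisc add dev "$IFB" root handle 1: htb default 1ff
    $TC class add dev "$IFB" parent 1: classid 1:1 htb rate "$TOTAL"
    $TC class add dev "$IFB" parent 1:1 classid 1:1ff htb rate 1mbit ceil "$TOTAL"
}

# Class ids come from a per-client slot number (1..254) handed out when the
# client connects, not from a hash of its address:
# slot n -> priority class 1:<2n>, bulk class 1:<2n+1> (hex).
prio_classid() { printf '1:%x' $(( $1 * 2 )); }
bulk_classid() { printf '1:%x' $(( $1 * 2 + 1 )); }

add_client() {  # add_client <slot> <client ip> <rate>
    prio=$(prio_classid "$1"); bulk=$(bulk_classid "$1")
    $TC class add dev "$IFB" parent 1:1 classid "$prio" htb rate "$3" ceil "$3" prio 0
    $TC class add dev "$IFB" parent 1:1 classid "$bulk" htb rate "$3" ceil "$3" prio 1
    # interactive ssh marked TOS 0x10 (lowdelay), as in the quoted rule 2.1
    $TC filter add dev "$IFB" parent 1: prio 1 protocol ip u32 \
        match ip src "$2"/32 match ip tos 0x10 0xff flowid "$prio"
    # icmp
    $TC filter add dev "$IFB" parent 1: prio 1 protocol ip u32 \
        match ip src "$2"/32 match ip protocol 1 0xff flowid "$prio"
    # bare tcp acks: 20-byte ip header, total length < 64, tcp flags == ACK
    $TC filter add dev "$IFB" parent 1: prio 1 protocol ip u32 \
        match ip src "$2"/32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 \
        match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid "$prio"
    # everything else from this client, decided per packet, not per connection
    $TC filter add dev "$IFB" parent 1: prio 2 protocol ip u32 \
        match ip src "$2"/32 flowid "$bulk"
}

setup_root  # constructed sample: two clients in slots 1 and 2
add_client 1 10.8.0.10 10mbit
add_client 2 10.8.0.11 5mbit
```

The outer ESP/AH copies of the same packets also traverse the IFB and fall into the default class 1:1ff, so that class needs enough ceil. Run with TC=tc as root; left unset, the script only prints the tc commands.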