problem s htb a virtualnima sitema

Zdravim, mam nakonfigurovani asi 15 vlan siti na eth1, a resim problem ze mi nefunguje omezovani
skript pro omezovani pro jednu ip je
tc class add dev eth0 parent 1: classid 1:2 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc class add dev eth1 parent 1: classid 1:2 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc class add dev eth1.2 parent 1: classid 1:2 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc class add dev eth1.3 parent 1: classid 1:2 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc class add dev eth1.4 parent 1: classid 1:2 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc class add dev eth1.5 parent 1: classid 1:2 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc class add dev eth1.6 parent 1: classid 1:2 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc class add dev eth1.7 parent 1: classid 1:2 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1

tc class add dev eth0 parent 1:2 classid 1:1002 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc class add dev eth1 parent 1:2 classid 1:1002 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc class add dev eth1.2 parent 1:2 classid 1:1002 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc class add dev eth1.3 parent 1:2 classid 1:1002 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc class add dev eth1.4 parent 1:2 classid 1:1002 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc class add dev eth1.5 parent 1:2 classid 1:1002 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc class add dev eth1.6 parent 1:2 classid 1:1002 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc class add dev eth1.7 parent 1:2 classid 1:1002 htb rate 2000kbit ceil 4000kbit burst 5k quantum 1500 prio 1
tc filter add dev eth0 parent 1: protocol ip handle 1002 fw flowid 1:1002

iptables -t mangle -I in -d 172.26.244.14 -j MARK --set-mark 1002
iptables -t mangle -I out -s 172.26.244.14 -j MARK --set-mark 1002

tc filter add dev eth1 parent 1: protocol ip handle 1002 fw flowid 1:1002
tc filter add dev eth1.2 parent 1: protocol ip handle 1002 fw flowid 1:1002
tc filter add dev eth1.3 parent 1: protocol ip handle 1002 fw flowid 1:1002
tc filter add dev eth1.4 parent 1: protocol ip handle 1002 fw flowid 1:1002
tc filter add dev eth1.5 parent 1: protocol ip handle 1002 fw flowid 1:1002
tc filter add dev eth1.6 parent 1: protocol ip handle 1002 fw flowid 1:1002
tc filter add dev eth1.7 parent 1: protocol ip handle 1002 fw flowid 1:1002

a mam podezreni ze iptables nejsou schopni oznacit traffic prichazejici z vlany, oznaci mi pouze ten co prijde z eth0, nebo eth1, ale zadny z virtualni site

Nejake napady co s tim? :)

no ja bych rekl, ze tak jak chapes ty pravidla co je ted mas, tak jedine s IMQ. protoze dev eth1.X je proste pro ruzny X interne v kernelu ruzny zarizeni, takze to sdileni a pujcovani nebude fungovat.

bez IMQ by to slo tak, ze budes markovat vlany - staci i iptables, kdyz das do FORWARD -i eth1.X -j MARK --set-mark 1X tak by to mohlo delat to co chces, ale jeste to radsi testni s -j LOG...

jinak potom ty class povesit vsechny na dev eth0 nebo eth1 a filterm podle flowid rozhodit. Pokud mas jeste dalsi pravidla pro flowid, tak budes muset hold zakombinovat a pouzit treba marky XY kde X bude to vlan pravidlo a Y bude to druhy pravidlo a iptables se trosku zkomplikuji, ale nebude to az tak strasny.

Dotaz: problem s htb a virtualnima sitema

Odpovědi