ClearFoundation Tracker - ClearOS
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0000155ClearOSapp-bandwidth - Bandwidth Managerpublic2010-10-06 04:382018-10-30 18:30
Reportertimb80 
Assigned Todsokoloski 
PrioritynormalSeveritymajorReproducibilityalways
StatusclosedResolutionopen 
PlatformOSOS Version
Product Version5.2 
Target VersionFixed in Version 
Summary0000155: Bandwidth rules for download traffic destined to local IP address not effective
DescriptionRefer to forum post for more details
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,6/func,view/id,17546/limit,10/limitstart,10/#18489 [^]

This is related to itpables and the order in which traffic is passed through the mangle and nat tables.

Bandwidth filtering occurs at the mangle PRE/POST routing chains - via redirection to the virtual IMQ devices.

For upload traffic - traffic is passed through the mangle table before nat POSTROUTING so traffic still contains the local IP (source).

For downoad traffic - traffic is passed through the mangle table before nat PREROUTING, at the mangle PREROUTING chain so contains the desintation IP of the WAN only.

This makes download rules that are meant to match LAN traffic ineffective (i.e. for throttling downloads). Matching by port only will still be ok
Steps To Reproduce
Additional InformationSome iptables links that confirm this behaviour
http://www.faqs.org/docs/iptables/traversingoftables.html [^]
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables [^]
TagsNo tags attached.
Relationships
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2010-10-06 04:38timb80New Issue
2010-10-06 15:33user2Statusnew => assigned
2010-10-06 15:33user2Assigned To => dsokoloski
2010-12-07 06:54timb80Note Added: 0000312
2010-12-07 07:13timb80Note Added: 0000313
2012-01-04 16:44timb80Note Added: 0000403
2012-01-04 16:45timb80Note Edited: 0000403
2012-10-02 10:15user2Target Version => 6.4.0 Alpha 1
2012-12-06 12:35user2Target Version6.4.0 Alpha 1 => 6.4.0 Beta 1
2012-12-21 09:33user2Target Version6.4.0 Beta 1 => 6.4.0 Beta 2
2013-02-21 20:00user2Target Version6.4.0 Beta 2 => 6.4.0
2013-03-14 11:56user2Target Version6.4.0 => 6.4.0 Updates
2013-07-29 13:58user2Target Version6.4.0 Updates => 6 Future
2014-04-22 13:28user2Target Version6 Future => Future
2015-05-25 05:10user2Target VersionFuture =>
2018-10-30 18:30user2Statusassigned => resolved
2018-10-30 18:30user2Statusresolved => closed

Notes
(0000312)
timb80   
2010-12-07 06:54   
After some more research, it appears you can hook the IMQ devices in after NAT but it requires a kernel patch

See the following link, and section below
http://wiki.nix.hu/cgi-bin/twiki/view/IMQ/ImqFaq#When_does_IMQ_and_filters_attach [^]

And the following ipv4 patch
http://www.linuximq.net/patchs/imq-nat.diff [^]
(0000313)
timb80   
2010-12-07 07:13   
EDIT: For 2.6 kernels it appears it can be adjusted at config by amending

Default config:-
CONFIG_IMQ_BEHAVIOR_AB=y
PREROUTING - After NAT
POSTROUTING - Before NAT

And change to:-
CONFIG_IMQ_BEHAVIOR_AA=y
PREROUTING - After NAT
POSTROUTING - After NAT

Note sure what affects this would have on download traffic destined for ClearOS, but this way you would be able to throttle traffic passing through the box...
(0000403)
timb80   
2012-01-04 16:44   
(edited on: 2012-01-04 16:45)
Just a note that this is still present in the 2.6.32-220 config (ClearOS 6.2 Beta2)