View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
0000155 | ClearOS | app-bandwidth - Bandwidth Manager | public | 2010-10-06 04:38 | 2018-10-30 18:30 | ||||
Reporter | timb80 | ||||||||
Assigned To | dsokoloski | ||||||||
Priority | normal | Severity | major | Reproducibility | always | ||||
Status | closed | Resolution | open | ||||||
Platform | OS | OS Version | |||||||
Product Version | 5.2 | ||||||||
Target Version | Fixed in Version | ||||||||
Summary | 0000155: Bandwidth rules for download traffic destined to local IP address not effective | ||||||||
Description | Refer to forum post for more details: http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,6/func,view/id,17546/limit,10/limitstart,10/#18489 This is related to iptables and the order in which traffic is passed through the mangle and nat tables. Bandwidth filtering occurs at the mangle PRE/POST routing chains - via redirection to the virtual IMQ devices. For upload traffic - traffic is passed through the mangle table before nat POSTROUTING so traffic still contains the local IP (source). For download traffic - traffic is passed through the mangle table before nat PREROUTING, at the mangle PREROUTING chain so contains the destination IP of the WAN only. This makes download rules that are meant to match LAN traffic ineffective (i.e. for throttling downloads). Matching by port only will still be ok. | ||||||||
Additional Information | Some iptables links that confirm this behaviour: http://www.faqs.org/docs/iptables/traversingoftables.html http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables | ||||||||
Tags | No tags attached. | ||||||||
Attached Files | |||||||||
Notes | |
(0000312) timb80 (developer) 2010-12-07 06:54 |
After some more research, it appears you can hook the IMQ devices in after NAT but it requires a kernel patch. See the following link, and section below: http://wiki.nix.hu/cgi-bin/twiki/view/IMQ/ImqFaq#When_does_IMQ_and_filters_attach And the following ipv4 patch: http://www.linuximq.net/patchs/imq-nat.diff |
(0000313) timb80 (developer) 2010-12-07 07:13 |
EDIT: For 2.6 kernels it appears it can be adjusted at config by amending

Default config:-
CONFIG_IMQ_BEHAVIOR_AB=y
PREROUTING - After NAT
POSTROUTING - Before NAT

And change to:-
CONFIG_IMQ_BEHAVIOR_AA=y
PREROUTING - After NAT
POSTROUTING - After NAT

Not sure what effects this would have on download traffic destined for ClearOS, but this way you would be able to throttle traffic passing through the box... |
(0000403) timb80 (developer) 2012-01-04 16:44 edited on: 2012-01-04 16:45 |
Just a note that this is still present in the 2.6.32-220 config (ClearOS 6.2 Beta2) |
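The hook-order problem described in this issue, modelled as an added example (not ClearOS or IMQ code, and not posted by anyone in this issue). The addresses, the port and all function names are constructed for illustration, and NAT is reduced to one masqueraded LAN host.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses (documentation ranges), not from the issue.
WAN_IP, LAN_HOST, REMOTE = "203.0.113.10", "192.168.1.50", "198.51.100.7"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def nat_prerouting(p):
    """Reverse the masquerade on an inbound reply: WAN dst -> LAN dst."""
    return replace(p, dst=LAN_HOST) if p.dst == WAN_IP else p

def nat_postrouting(p):
    """Masquerade an outbound packet: LAN src -> WAN src."""
    return replace(p, src=WAN_IP) if p.src == LAN_HOST else p

def seen_by_shaper(p, chain, after_nat):
    """Packet as the shaping hook sees it in `chain`, before or after NAT."""
    nat = {"PREROUTING": nat_prerouting, "POSTROUTING": nat_postrouting}[chain]
    return nat(p) if after_nat else p

def ip_rule_matches(p, chain, after_nat, ip=LAN_HOST):
    """Would a rule keyed on the LAN host's IP match at this hook?"""
    seen = seen_by_shaper(p, chain, after_nat)
    return ip in (seen.src, seen.dst)

def port_rule_matches(p, chain, after_nat, port=443):
    """Would a rule keyed only on the remote service port match?"""
    seen = seen_by_shaper(p, chain, after_nat)
    return port in (seen.sport, seen.dport)

download = Packet(REMOTE, WAN_IP, 443, 40000)   # reply arriving on the WAN
upload = Packet(LAN_HOST, REMOTE, 40000, 443)   # request leaving the LAN

if __name__ == "__main__":
    for name, pkt, chain in (("upload", upload, "POSTROUTING"),
                             ("download", download, "PREROUTING")):
        for after in (False, True):
            print(name, chain, "after NAT" if after else "before NAT",
                  "ip rule:", ip_rule_matches(pkt, chain, after),
                  "port rule:", port_rule_matches(pkt, chain, after))
```

In this model the download IP rule only matches once the PREROUTING hook sits after NAT, while moving the POSTROUTING hook after NAT hides the LAN source address from upload rules.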
Issue History | |||
Date Modified | Username | Field | Change |
2010-10-06 04:38 | timb80 | New Issue | |
2010-10-06 15:33 | user2 | Status | new => assigned |
2010-10-06 15:33 | user2 | Assigned To | => dsokoloski |
2010-12-07 06:54 | timb80 | Note Added: 0000312 | |
2010-12-07 07:13 | timb80 | Note Added: 0000313 | |
2012-01-04 16:44 | timb80 | Note Added: 0000403 | |
2012-01-04 16:45 | timb80 | Note Edited: 0000403 | |
2012-10-02 10:15 | user2 | Target Version | => 6.4.0 Alpha 1 |
2012-12-06 12:35 | user2 | Target Version | 6.4.0 Alpha 1 => 6.4.0 Beta 1 |
2012-12-21 09:33 | user2 | Target Version | 6.4.0 Beta 1 => 6.4.0 Beta 2 |
2013-02-21 20:00 | user2 | Target Version | 6.4.0 Beta 2 => 6.4.0 |
2013-03-14 11:56 | user2 | Target Version | 6.4.0 => 6.4.0 Updates |
2013-07-29 13:58 | user2 | Target Version | 6.4.0 Updates => 6 Future |
2014-04-22 13:28 | user2 | Target Version | 6 Future => Future |
2015-05-25 05:10 | user2 | Target Version | Future => |
2018-10-30 18:30 | user2 | Status | assigned => resolved |
2018-10-30 18:30 | user2 | Status | resolved => closed |