
ClearOS Bug Tracker


ID: 0000155
Project: ClearOS
Category: app-bandwidth - Bandwidth Manager
View Status: public
Date Submitted: 2010-10-06 04:38
Last Update: 2018-10-30 18:30
Reporter: timb80
Assigned To: dsokoloski
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: open
Platform:
OS:
OS Version:
Product Version: 5.2
Target Version:
Fixed in Version:
Summary: 0000155: Bandwidth rules for download traffic destined to local IP address not effective
Description: Refer to forum post for more details
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,6/func,view/id,17546/limit,10/limitstart,10/#18489

This is related to iptables and the order in which traffic is passed through the mangle and nat tables.

Bandwidth filtering occurs at the mangle PRE/POST routing chains - via redirection to the virtual IMQ devices.

For upload traffic - traffic is passed through the mangle table before nat POSTROUTING so traffic still contains the local IP (source).

For download traffic - traffic is passed through the mangle table before nat PREROUTING, at the mangle PREROUTING chain so contains the destination IP of the WAN only.

This makes download rules that are meant to match LAN traffic ineffective (i.e. for throttling downloads). Matching by port only will still be ok.
Additional Information: Some iptables links that confirm this behaviour
http://www.faqs.org/docs/iptables/traversingoftables.html
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
Tags: No tags attached.
Attached Files
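
The traversal order described in this report, as a small model added here (not code from ClearOS or the reporter): it walks an upload and a download packet through the mangle and nat hooks of a masquerading gateway and records the addresses each hook sees on entry. The addresses and all helper names are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses (documentation ranges), not from the report.
LAN_HOST = "192.168.1.50"
WAN_IP = "203.0.113.10"
REMOTE = "198.51.100.7"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Netfilter hook order for forwarded IPv4 traffic; the routing decision
# sits between the PREROUTING pair and the POSTROUTING pair.
HOOKS = ["mangle PREROUTING", "nat PREROUTING",
         "mangle POSTROUTING", "nat POSTROUTING"]

def nat(hook, pkt):
    """Address rewriting a masquerading gateway performs for one LAN host."""
    if hook == "nat PREROUTING" and pkt.dst == WAN_IP:
        return replace(pkt, dst=LAN_HOST)  # reply is translated back to the LAN host
    if hook == "nat POSTROUTING" and pkt.src == LAN_HOST:
        return replace(pkt, src=WAN_IP)    # outgoing packet is masqueraded
    return pkt

def addresses_seen(pkt):
    """Return {hook: (src, dst)} as each hook sees the packet on entry."""
    seen = {}
    for hook in HOOKS:
        seen[hook] = (pkt.src, pkt.dst)
        pkt = nat(hook, pkt)
    return seen

def rule_matches(pkt, hook, lan_ip=LAN_HOST):
    """Would a rule keyed on the LAN IP, evaluated at `hook`, match this packet?"""
    return lan_ip in addresses_seen(pkt)[hook]

upload = Packet(src=LAN_HOST, dst=REMOTE)
download = Packet(src=REMOTE, dst=WAN_IP)

if __name__ == "__main__":
    for name, pkt in (("upload", upload), ("download", download)):
        for hook, (src, dst) in addresses_seen(pkt).items():
            print(f"{name:8} {hook:18} src={src:13} dst={dst}")
    print("upload rule at mangle POSTROUTING matches:",
          rule_matches(upload, "mangle POSTROUTING"))
    print("download rule at mangle PREROUTING matches:",
          rule_matches(download, "mangle PREROUTING"))
```
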

Relationships

Notes
(0000312)
timb80 (developer)
2010-12-07 06:54

After some more research, it appears you can hook the IMQ devices in after NAT but it requires a kernel patch.

See the following link, and section below
http://wiki.nix.hu/cgi-bin/twiki/view/IMQ/ImqFaq#When_does_IMQ_and_filters_attach

And the following ipv4 patch
http://www.linuximq.net/patchs/imq-nat.diff
(0000313)
timb80 (developer)
2010-12-07 07:13

EDIT: For 2.6 kernels it appears it can be adjusted at config by amending

Default config:-
CONFIG_IMQ_BEHAVIOR_AB=y
PREROUTING - After NAT
POSTROUTING - Before NAT

And change to:-
CONFIG_IMQ_BEHAVIOR_AA=y
PREROUTING - After NAT
POSTROUTING - After NAT

Not sure what effects this would have on download traffic destined for ClearOS, but this way you would be able to throttle traffic passing through the box...
(0000403)
timb80 (developer)
2012-01-04 16:44
edited on: 2012-01-04 16:45

Just a note that this is still present in the 2.6.32-220 config (ClearOS 6.2 Beta2)


Issue History
Date Modified Username Field Change
2010-10-06 04:38 timb80 New Issue
2010-10-06 15:33 user2 Status new => assigned
2010-10-06 15:33 user2 Assigned To => dsokoloski
2010-12-07 06:54 timb80 Note Added: 0000312
2010-12-07 07:13 timb80 Note Added: 0000313
2012-01-04 16:44 timb80 Note Added: 0000403
2012-01-04 16:45 timb80 Note Edited: 0000403
2012-10-02 10:15 user2 Target Version => 6.4.0 Alpha 1
2012-12-06 12:35 user2 Target Version 6.4.0 Alpha 1 => 6.4.0 Beta 1
2012-12-21 09:33 user2 Target Version 6.4.0 Beta 1 => 6.4.0 Beta 2
2013-02-21 20:00 user2 Target Version 6.4.0 Beta 2 => 6.4.0
2013-03-14 11:56 user2 Target Version 6.4.0 => 6.4.0 Updates
2013-07-29 13:58 user2 Target Version 6.4.0 Updates => 6 Future
2014-04-22 13:28 user2 Target Version 6 Future => Future
2015-05-25 05:10 user2 Target Version Future =>
2018-10-30 18:30 user2 Status assigned => resolved
2018-10-30 18:30 user2 Status resolved => closed
