Re: AW: [LARTC] qos inside ipsec tunnel

[Mohan Sundaram <mohan.tux@gmail.com>]

Martin Bene wrote:
> Hi Marco,
>
> > Hello everybody.
> > I would like to do some kind of shaping inside an
> > ipsec tunnel implemented by Openswan and linux
> > 2.6.18.x with xfrm (no KLIPS): for example, to
> > limit outbound smtp traffic inside the tunnel.
> > Question: where should I attach the qdisc to? Eth0?
> > I'm asking this, because tcpdump only see the ESP
> > packet on the eth0 and not the 'clear' packet.
> Heh  - just subscribed to LARC list because I'm working on a similar
> problem. 
>
> Yes, you'll have to attach your classes to eth0 device. However, by the
> time qos gets to see the packets, they'll be encrypted, so you won't be
> able to just use tc filter with u32 classifier to select on port 25.
>
> What should work is to mark the packets in PREROUTING in the mangle
> table and assign them to the classes you want based on the fwmark:
>
> iptables -t mangle -A PREROUTING -d <private ip vpn remote side>/24 -p
> tcp -m multiport --port 25 -j MARK --set-mark 102
> tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 102 fw
> flowid 1:20
>
> Hope this helps, Martin
Has anyone tested this? Does the mark get carried across encapsulations 
or is the packet context a new one on encapsulation? I know that IPSec 
RFC says inner packet headers have to be copied to the outer header. 
Does that include the TOS byte too? Do not know what OpenSWAN does. If 
that were the case, assigning TOS prior to encapsulation and classifying 
by TOS at the device will work.
Mohan
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc