In order to use the highest two bits for Suricata bypass, we need to make sure that whenever we compare any other marks, we mask out the bits that do not belong to that consumer.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/firewall/rules.pl | 11 +++++++---- src/initscripts/system/firewall | 8 +++++--- 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 0dd1c9024..9d280045a 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -55,6 +55,9 @@ my @PRIVATE_NETWORKS = ( "100.64.0.0/10", );
+# MARK masks
+my $NAT_MASK = 0x0f000000;
+
 my %fwdfwsettings=();
 my %fwoptions = ();
 my %defaultNetworks=();
@@ -829,10 +832,8 @@ sub add_dnat_mangle_rules { my $interface = shift; my @options = @_;
- my $mark = 0; + my $mark = 0x01000000; foreach my $zone ("GREEN", "BLUE", "ORANGE") { - $mark++; - # Skip rule if not all required information exists. next unless (exists $defaultNetworks{$zone . "_NETADDRESS"}); next unless (exists $defaultNetworks{$zone . "_NETMASK"}); @@ -845,9 +846,11 @@ sub add_dnat_mangle_rules { $netaddress .= "/" . $defaultNetworks{$zone . "_NETMASK"};
push(@mangle_options, ("-s", $netaddress, "-d", $nat_address)); - push(@mangle_options, ("-j", "MARK", "--set-mark", $mark)); + push(@mangle_options, ("-j", "MARK", "--set-xmark", "$mark/$NAT_MASK"));
run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options"); + + $mark <<= 1; } }
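Review bot: `$mark <<= 1;` at the end of the loop only runs for zones that pass the two `next unless` checks in the preceding hunk, so the value a zone receives now depends on which earlier zones are configured: with no BLUE network, ORANGE is marked 0x02000000 while the firewall initscript SNATs ORANGE on 0x04000000 and BLUE on 0x02000000. The old code incremented before the checks, so the numbering was fixed per zone. Bind the value to the zone instead, e.g. `my %zone_mark = (GREEN => 0x01000000, BLUE => 0x02000000, ORANGE => 0x04000000);` before the loop and `my $mark = $zone_mark{$zone};` as its first statement, and drop the shift. add_dnat_mangle_rules starts outside this hunk.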
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index baa39abe1..9d023a349 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -12,6 +12,8 @@ if [ -f /var/ipfire/red/device ]; then DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'` fi
+NAT_MASK="0x0f000000"
+
 function iptables() { /sbin/iptables --wait "$@" }
@@ -282,17 +284,17 @@ iptables_init() {
if [ -n "${GREEN_ADDRESS}" ]; then iptables -t nat -A NAT_DESTINATION_FIX \ - -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}" + -m mark --mark "0x01000000/${NAT_MASK}" -j SNAT --to-source "${GREEN_ADDRESS}" fi
if [ -n "${BLUE_ADDRESS}" ]; then iptables -t nat -A NAT_DESTINATION_FIX \ - -m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}" + -m mark --mark "0x02000000/${NAT_MASK}" -j SNAT --to-source "${BLUE_ADDRESS}" fi
if [ -n "${ORANGE_ADDRESS}" ]; then iptables -t nat -A NAT_DESTINATION_FIX \ - -m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}" + -m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}" fi
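Review bot: The three mark values in these rules must agree bit-for-bit with what add_dnat_mangle_rules in config/firewall/rules.pl assigns per zone, and nothing in either file points at the other, so a later change to one side will not find the other. Add a comment above the GREEN rule such as `# 0x01/0x02/0x04 << 24 are assigned per zone by add_dnat_mangle_rules in rules.pl; keep in sync`, or define them next to NAT_MASK as `NAT_MARK_GREEN="0x01000000"` and friends so the rules use named values rather than literals. The enclosing iptables_init function starts before this hunk.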
# RED chain, used for the red interface
In order to not deal with any marks from NAT and the IPS, this patch adds masks to all places where packets are being marked for individual QoS classes.
Instead of the "fw" classifier in tc, we have to use the u32 classifier so that the mask can be applied when matching the mark.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/qos/makeqosscripts.pl | 57 ++++++++++++++++++++++-------------- 1 file changed, 35 insertions(+), 22 deletions(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index cbbbf70f8..3af046ac3 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -56,6 +56,12 @@ my $portfile = "/var/ipfire/qos/portconfig";
 my $tosfile = "/var/ipfire/qos/tosconfig";
 my $fqcodel_options = "limit 10240 quantum 1514";
+# Define iptables MARKs
+my $QOS_INC_MASK = 0x0000ff00;
+my $QOS_INC_SHIFT = 8;
+my $QOS_OUT_MASK = 0x000000ff;
+my $QOS_OUT_SHIFT = 0;
+
 &General::readhash("${General::swroot}/ethernet/settings", %netsettings);
$qossettings{'ENABLED'} = 'off'; @@ -74,6 +80,10 @@ $qossettings{'VALID'} = 'yes';
&General::readhash("${General::swroot}/qos/settings", %qossettings);
+my $ACK_MARK = ($qossettings{'ACK'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK"; +my $DEF_OUT_MARK = ($qossettings{'DEFCLASS_OUT'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK"; +my $DEF_INC_MARK = ($qossettings{'DEFCLASS_INC'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK"; + open( FILE, "< $classfile" ) or die "Unable to read $classfile"; @classes = <FILE>; close FILE; @@ -200,9 +210,11 @@ foreach $classentry (sort @classes) if ($qossettings{'RED_DEV'} eq $classline[0]) { $qossettings{'DEVICE'} = $classline[0]; $qossettings{'CLASS'} = $classline[1]; - print "\ttc filter add dev $qossettings{'DEVICE'} parent 1:0 prio 0 protocol ip handle $qossettings{'CLASS'} fw flowid 1:$qossettings{'CLASS'}\n"; + print "\ttc filter add dev $qossettings{'DEVICE'} parent 1:0 prio 0 protocol ip"; + printf(" u32 match mark 0x%x 0x%x flowid 1:%d\n", ($qossettings{'CLASS'} << $QOS_OUT_SHIFT), $QOS_OUT_MASK, $qossettings{'CLASS'}); } } + print <<END
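Review bot: `$qossettings{'ACK'}`, `DEFCLASS_OUT` and `DEFCLASS_INC` are shifted into an 8-bit field without any check that they fit: a value above 255 is silently truncated by the `/$QOS_OUT_MASK` or `/$QOS_INC_MASK` mask and lands in a wrong class or in the "unmarked" bucket, and an empty string becomes 0 with only a warning. The same applies to every `$qossettings{'CLASS'} << ...` derived from the classes file further down. Guard the values where they are read, e.g. `die "QoS class '$_' does not fit the mark field" for grep { $_ !~ /^\d+$/ || $_ > 0xff } @qossettings{qw(ACK DEFCLASS_OUT DEFCLASS_INC)};`, so a bad settings file fails loudly instead of producing a wrong but valid-looking ruleset.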
### ADD QOS-OUT CHAIN TO THE MANGLE TABLE IN IPTABLES @@ -213,28 +225,28 @@ print <<END iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN
### MARK ACKs - iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j MARK --set-mark $qossettings{'ACK'} + iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j MARK --set-xmark $ACK_MARK iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j RETURN
- iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j MARK --set-mark $qossettings{'ACK'} + iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j MARK --set-xmark $ACK_MARK iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j MARK --set-mark $qossettings{'ACK'} + iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j MARK --set-xmark $ACK_MARK iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j MARK --set-mark $qossettings{'ACK'} + iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j MARK --set-xmark $ACK_MARK iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j MARK --set-mark $qossettings{'ACK'} + iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j MARK --set-xmark $ACK_MARK iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j MARK --set-mark $qossettings{'ACK'} + iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j MARK --set-xmark $ACK_MARK iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j MARK --set-mark $qossettings{'ACK'} + iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j MARK --set-xmark $ACK_MARK iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j RETURN
- iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j MARK --set-mark $qossettings{'ACK'} + iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j MARK --set-xmark $ACK_MARK iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j RETURN
### SET TOS @@ -247,7 +259,7 @@ END $qossettings{'TOS'} = abs $tosruleline[2] * 2; if ( $tosruleline[1] eq $qossettings{'RED_DEV'} ) { - print "\tiptables -t mangle -A QOS-OUT -m tos --tos $qossettings{'TOS'} -j MARK --set-mark $qossettings{'CLASS'}\n"; + print "\tiptables -t mangle -A QOS-OUT -m tos --tos $qossettings{'TOS'} -j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK\n"; print "\tiptables -t mangle -A QOS-OUT -m tos --tos $qossettings{'TOS'} -j RETURN\n"; } } @@ -282,7 +294,7 @@ print "\n\t### SET PORT-RULES\n"; if ($qossettings{'DPORT'} ne ''){ print "--dport $qossettings{'DPORT'} "; } - print "-j MARK --set-mark $qossettings{'CLASS'}\n"; + print "-j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK\n"; print "\tiptables -t mangle -A QOS-OUT "; if ($qossettings{'QIP'} ne ''){ print "-s $qossettings{'QIP'} "; @@ -326,7 +338,7 @@ END if ($qossettings{'DIP'} ne ''){ print "-d $qossettings{'DIP'} "; } - print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettings{'L7PROT'} -j MARK --set-mark $qossettings{'CLASS'}\n"; + print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettings{'L7PROT'} -j MARK --set-xmark " . $qossettings{'CLASS'} << $QOS_OUT_SHIFT . "/$QOS_OUT_MASK\n"; print "\tiptables -t mangle -A QOS-OUT "; if ($qossettings{'QIP'} ne ''){ print "-s $qossettings{'QIP'} "; @@ -341,7 +353,7 @@ END print <<END
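Review bot: In the layer7 rule of the @@ -326 hunk the new expression `"... -j MARK --set-xmark " . $qossettings{'CLASS'} << $QOS_OUT_SHIFT . "/$QOS_OUT_MASK\n"` is missing the parentheses every other hunk uses; in Perl `.` binds tighter than `<<`, so it evaluates as `("..." . CLASS) << ("0/255\n")`, a numified string shifted by zero, and the print emits a bare `0` with no newline, dropping the layer7 options and gluing the following `iptables` command onto the same line. The generated outbound layer7 rules are therefore broken and that traffic falls through to the default class. Use the same form as the TOS and port rules: `print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettings{'L7PROT'} -j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK\n";`.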
### REDUNDANT: SET ALL NONMARKED PACKETS TO DEFAULT CLASS - iptables -t mangle -A QOS-OUT -m mark --mark 0 -j MARK --set-mark $qossettings{'DEFCLASS_OUT'} + iptables -t mangle -A QOS-OUT -m mark --mark 0/$QOS_OUT_MASK -j MARK --set-xmark $DEF_OUT_MARK
### ### $qossettings{'IMQ_DEV'} @@ -410,7 +422,8 @@ foreach $classentry (sort @classes) if ($qossettings{'IMQ_DEV'} eq $classline[0]) { $qossettings{'DEVICE'} = $classline[0]; $qossettings{'CLASS'} = $classline[1]; - print "\ttc filter add dev $qossettings{'DEVICE'} parent 2:0 prio 0 protocol ip handle $qossettings{'CLASS'} fw flowid 2:$qossettings{'CLASS'}\n"; + print "\ttc filter add dev $qossettings{'DEVICE'} parent 2:0 prio 0 protocol ip"; + printf(" u32 match mark 0x%x 0x%x flowid 2:%d\n", ($qossettings{'CLASS'} << $QOS_INC_SHIFT), $QOS_INC_MASK, $qossettings{'CLASS'}); } } print <<END @@ -420,7 +433,7 @@ print <<END iptables -t mangle -A PREROUTING -i $qossettings{'RED_DEV'} -j QOS-INC
# If the packet is already marked, then skip the processing - iptables -t mangle -A QOS-INC -m mark ! --mark 0 -j RETURN + iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_MASK -j RETURN
### SET TOS END @@ -432,7 +445,7 @@ END $qossettings{'TOS'} = abs $tosruleline[2] * 2; if ( $tosruleline[1] eq $qossettings{'IMQ_DEV'} ) { - print "\tiptables -t mangle -A QOS-INC -m mark --mark 0 -m tos --tos $qossettings{'TOS'} -j MARK --set-mark $qossettings{'CLASS'}\n"; + print "\tiptables -t mangle -A QOS-INC -m tos --tos $qossettings{'TOS'} -j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK\n"; }
} @@ -450,7 +463,7 @@ print "\n\t### SET PORT-RULES\n"; $qossettings{'QPORT'} = $portruleline[4]; $qossettings{'DIP'} = $portruleline[5]; $qossettings{'DPORT'} = $portruleline[6]; - print "\tiptables -t mangle -A QOS-INC -m mark --mark 0 "; + print "\tiptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK "; if ($qossettings{'QIP'} ne ''){ print "-s $qossettings{'QIP'} "; } @@ -467,7 +480,7 @@ print "\n\t### SET PORT-RULES\n"; if ($qossettings{'DPORT'} ne ''){ print "--dport $qossettings{'DPORT'} "; } - print "-j MARK --set-mark $qossettings{'CLASS'}\n"; + print "-j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK\n"; } }
@@ -486,23 +499,23 @@ END $qossettings{'L7PROT'} = $l7ruleline[2]; $qossettings{'QIP'} = $l7ruleline[3]; $qossettings{'DIP'} = $l7ruleline[4]; - print "\tiptables -t mangle -A QOS-INC -m mark --mark 0 "; + print "\tiptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK "; if ($qossettings{'QIP'} ne ''){ print "-s $qossettings{'QIP'} "; } if ($qossettings{'DIP'} ne ''){ print "-d $qossettings{'DIP'} "; } - print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettings{'L7PROT'} -j MARK --set-mark $qossettings{'CLASS'}\n"; + print "-m layer7 --l7dir /etc/l7-protocols/protocols --l7proto $qossettings{'L7PROT'} -j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK\n"; } }
print <<END ### REDUNDANT: SET ALL NONMARKED PACKETS TO DEFAULT CLASS - iptables -t mangle -A QOS-INC -m mark --mark 0 -m layer7 ! --l7proto unset -j MARK --set-mark $qossettings{'DEFCLASS_INC'} + iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -m layer7 ! --l7proto unset -j MARK --set-xmark $DEF_INC_MARK
# Save mark in connection tracking - iptables -t mangle -A QOS-INC -j CONNMARK --save-mark + iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark
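Review bot: `CONNMARK --save-mark` without a mask copies the entire 32-bit packet mark into the connection, not just the QoS field this series has carved out, so whatever the NAT bits (0x0f000000) or the bits reserved for the IPS carry on that packet are persisted as well and will be replayed onto every later packet of the flow by a `--restore-mark`. Limit the copy to the QoS bits: `iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark --nfmask $QOS_INC_MASK --ctmask $QOS_INC_MASK` (older iptables: `--mask $QOS_INC_MASK`). Note also that the match in this hunk, `--mark 0/$QOS_INC_MASK`, saves only packets whose QoS field is still zero, which is the opposite of what the comment above it describes.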
## STARTING COLLECTOR /usr/local/bin/qosd $qossettings{'RED_DEV'} >/dev/null 2>&1
Previously this was done by tc, and only when QoS was enabled.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/qos/makeqosscripts.pl | 1 - src/initscripts/system/firewall | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index 3af046ac3..5bdd5b811 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -370,7 +370,6 @@ print <<END ip link set $qossettings{'IMQ_DEV'} up
tc filter add dev $qossettings{'RED_DEV'} parent ffff: protocol all u32 match u32 0 0 \ - action connmark \ action mirred egress redirect dev $qossettings{'IMQ_DEV'}
### ADD HTB QDISC FOR $qossettings{'IMQ_DEV'}
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 9d023a349..7a7d52d57 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -100,6 +100,9 @@ iptables_init() { iptables -t raw -N CONNTRACK iptables -t raw -A PREROUTING -j CONNTRACK
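Review bot: Dropping `action connmark` from the ingress filter on $qossettings{'RED_DEV'} looks unsafe for inbound classification: the ingress qdisc and the mirred redirect to $qossettings{'IMQ_DEV'} run as the frame is received, before netfilter's PREROUTING hook, so the `CONNMARK --restore-mark` rule the companion initscript change adds has not run yet and the u32 mark match on the IMQ device sees an unrestored mark. Unless IPFire's IMQ setup defers the redirect until after mangle PREROUTING, which I cannot tell from this hunk, the line should stay, i.e. keep `action connmark \` between the `u32 match u32 0 0 \` and `action mirred` lines, with the iptables restore covering only the forwarding path.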
+ # Restore any connection marks + iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark + # Fix for braindead ISPs iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
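Review bot: The restore is appended only to mangle PREROUTING, so it covers forwarded and inbound flows but nothing the firewall itself originates; locally generated connections never get their mark back, and once the QoS chains skip already-marked packets every packet of such a flow is re-classified. Add the mirror rule `iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark` next to this one. Because the rule is unconditional it also writes the whole connmark back into the packet mark, so any bits persisted by an unmasked `--save-mark` come back with it; if only the QoS field is meant to survive across packets, restore with `--nfmask`/`--ctmask` limited to that field (the layout is defined in makeqosscripts.pl, outside this hunk). iptables_init begins before this hunk.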
This feature has to go in order to take advantage of CONNMARK which will drastically decrease CPU load when passing packets.
We will no longer see every packet in the QOS-INC chain, so we cannot change the classification of individual packets. It is also partly counter-intuitive to have parts of one connection in one class and the corresponding ACK packets in another.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/qos/makeqosscripts.pl | 27 --------------------------- html/cgi-bin/qos.cgi | 22 ++-------------------- 2 files changed, 2 insertions(+), 47 deletions(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index 5bdd5b811..230dc3265 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -72,7 +72,6 @@ $qossettings{'DEF_OUT_SPD'} = '';
 $qossettings{'DEF_INC_SPD'} = '';
 $qossettings{'DEFCLASS_INC'} = '';
 $qossettings{'DEFCLASS_OUT'} = '';
-$qossettings{'ACK'} = '';
 $qossettings{'RED_DEV'} = `cat /var/ipfire/red/iface`;
 $qossettings{'IMQ_DEV'} = 'imq0';
 $qossettings{'TOS'} = '';
@@ -80,7 +79,6 @@ $qossettings{'VALID'} = 'yes';
&General::readhash("${General::swroot}/qos/settings", %qossettings);
-my $ACK_MARK = ($qossettings{'ACK'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK";
 my $DEF_OUT_MARK = ($qossettings{'DEFCLASS_OUT'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK";
 my $DEF_INC_MARK = ($qossettings{'DEFCLASS_INC'} << $QOS_INC_SHIFT) . "/$QOS_INC_MASK";
@@ -224,31 +222,6 @@ print <<END ### Don't change mark on traffic for the ipsec tunnel iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN
- ### MARK ACKs - iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j MARK --set-xmark $ACK_MARK - iptables -t mangle -A QOS-OUT -p tcp --tcp-flags SYN,RST SYN -j RETURN - - iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j MARK --set-xmark $ACK_MARK - iptables -t mangle -A QOS-OUT -p icmp -m length --length 40:100 -j RETURN - - iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j MARK --set-xmark $ACK_MARK - iptables -t mangle -A QOS-OUT -p tcp --syn -m length --length 40:68 -j RETURN - - iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j MARK --set-xmark $ACK_MARK - iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j RETURN - - iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j MARK --set-xmark $ACK_MARK - iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j RETURN - - iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j MARK --set-xmark $ACK_MARK - iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL RST -j RETURN - - iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j MARK --set-xmark $ACK_MARK - iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,RST -j RETURN - - iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j MARK --set-xmark $ACK_MARK - iptables -t mangle -A QOS-OUT -p tcp --tcp-flags ALL ACK,FIN -j RETURN - ### SET TOS END ; diff --git a/html/cgi-bin/qos.cgi b/html/cgi-bin/qos.cgi index ab427879e..c2ff4a08d 100644 --- a/html/cgi-bin/qos.cgi +++ b/html/cgi-bin/qos.cgi @@ -68,7 +68,6 @@ $qossettings{'DEF_OUT_SPD'} = ''; $qossettings{'DEF_INC_SPD'} = ''; $qossettings{'DEFCLASS_INC'} = ''; $qossettings{'DEFCLASS_OUT'} = ''; -$qossettings{'ACK'} = ''; $qossettings{'RED_DEV'} = 'ppp0'; $qossettings{'IMQ_DEV'} = 'imq0'; $qossettings{'VALID'} = 'yes'; 
@@ -518,7 +517,6 @@ END } $qossettings{'DEFCLASS_INC'} = "210"; $qossettings{'DEFCLASS_OUT'} = "110"; - $qossettings{'ACK'} ="101"; $qossettings{'ENABLED'} = 'on'; &General::writehash("${General::swroot}/qos/settings", %qossettings); &General::system("/usr/local/bin/qosctrl", "generate"); @@ -660,7 +658,7 @@ END END ; } - if (($qossettings{'DEFCLASS_OUT'} ne '') && ($qossettings{'DEFCLASS_INC'} ne '')&& ($qossettings{'ACK'} ne '')) { + if (($qossettings{'DEFCLASS_OUT'} ne '') && ($qossettings{'DEFCLASS_INC'} ne '')) { print <<END <form method='post' action='$ENV{'SCRIPT_NAME'}'> <table width='66%'> @@ -668,7 +666,6 @@ END <tr><td width='50%' align='right'>$Lang::tr{'downlink std class'}: <td width='30%' align='left'>$qossettings{'DEFCLASS_INC'} <td width='20%' rowspan='3' align='center' valign='middle'><input type='submit' name='ACTIONDEF' value='$Lang::tr{'modify'}' /> <tr><td width='50%' align='right'>$Lang::tr{'uplink std class'}: <td width='30%' align='left'>$qossettings{'DEFCLASS_OUT'} - <tr><td width='50%' align='right'>ACKs: <td width='30%' align='left'>$qossettings{'ACK'} <tr><td colspan='3' width='100%'><hr /> <tr><td colspan='3' width='100%' align='center'> </table> @@ -692,7 +689,7 @@ if ( ($qossettings{'OUT_SPD'} eq '') || ($qossettings{'INC_SPD'} eq '') ) { exit }
-if ( ($qossettings{'DEFCLASS_INC'} eq '') || ($qossettings{'DEFCLASS_OUT'} eq '') || ($qossettings{'ACK'} eq '') ) { +if ( ($qossettings{'DEFCLASS_INC'} eq '') || ($qossettings{'DEFCLASS_OUT'} eq '') ) { &changedefclasses(); &Header::closebigbox(); &Header::closepage(); @@ -742,21 +739,6 @@ END else { print "<option selected value='$c'>$c</option>\n"; } } print <<END - </select><td width='33%' align='center'> - </table> - <hr /> - <table width='66%'> - <tr><td width='100%' colspan='3'>$Lang::tr{'enter ack class'} - <tr><td width='33%' align='right'>ACKs:<td width='33%' align='left'><select name='ACK'> -END -; - for ( $c = 100 ; $c <= 120 ; $c++ ) - { - if ( $qossettings{'ACK'} ne $c ) - { print "<option value='$c'>$c</option>\n"; } - else { print "<option selected value='$c'>$c</option>\n"; } - } - print <<END </select><td width='33%' align='center'><input type='submit' name='ACTION' value="$Lang::tr{'save'}" /> </table> </form>
This will significantly reduce the load when classifying outgoing traffic, as there is no further overhead once the connection has been classified. The classification is stored in the iptables MARK, which is copied to CONNMARK whenever it changes.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/qos/makeqosscripts.pl | 30 +++++++++--------------------- 1 file changed, 9 insertions(+), 21 deletions(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index 230dc3265..b1bb637b3 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -217,7 +217,10 @@ print <<END
### ADD QOS-OUT CHAIN TO THE MANGLE TABLE IN IPTABLES iptables -t mangle -N QOS-OUT - iptables -t mangle -I POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT + iptables -t mangle -A POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT + + # If the packet is already marked, then skip the processing + iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_MASK -j RETURN
### Don't change mark on traffic for the ipsec tunnel iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN @@ -250,7 +253,7 @@ print "\n\t### SET PORT-RULES\n"; $qossettings{'QPORT'} = $portruleline[4]; $qossettings{'DIP'} = $portruleline[5]; $qossettings{'DPORT'} = $portruleline[6]; - print "\tiptables -t mangle -A QOS-OUT "; + print "\tiptables -t mangle -A QOS-OUT -m mark --mark 0/$QOS_OUT_MASK "; if ($qossettings{'QIP'} ne ''){ print "-s $qossettings{'QIP'} "; } @@ -268,24 +271,6 @@ print "\n\t### SET PORT-RULES\n"; print "--dport $qossettings{'DPORT'} "; } print "-j MARK --set-xmark " . ($qossettings{'CLASS'} << $QOS_OUT_SHIFT) . "/$QOS_OUT_MASK\n"; - print "\tiptables -t mangle -A QOS-OUT "; - if ($qossettings{'QIP'} ne ''){ - print "-s $qossettings{'QIP'} "; - } - if ($qossettings{'DIP'} ne ''){ - print "-d $qossettings{'DIP'} "; - } - print "-p $qossettings{'PPROT'} "; -# if (($qossettings{'QPORT'} ne '') || ($qossettings{'DPORT'} ne '')){ -# print "-m multiport "; -# } - if ($qossettings{'QPORT'} ne ''){ - print "--sport $qossettings{'QPORT'} "; - } - if ($qossettings{'DPORT'} ne ''){ - print "--dport $qossettings{'DPORT'} "; - } - print "-j RETURN\n\n"; } }
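Review bot: Changing the POSTROUTING hook from `-I` to `-A` moves QOS-OUT from the head of mangle POSTROUTING to its tail, so any rule another component appended there earlier now runs first and may set or consume mark bits before classification; the commit message does not mention this and the hunk does not show what else lives in that chain. If the new position is intentional, record why in the comment above the rule, e.g. `# Appended deliberately: QOS-OUT must run after the other users of mangle POSTROUTING`; otherwise keep `-I`. The heredoc these rules belong to starts before this hunk.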
@@ -328,6 +313,9 @@ print <<END ### REDUNDANT: SET ALL NONMARKED PACKETS TO DEFAULT CLASS iptables -t mangle -A QOS-OUT -m mark --mark 0/$QOS_OUT_MASK -j MARK --set-xmark $DEF_OUT_MARK
+ # Save mark in connection tracking + iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_MASK -j CONNMARK --save-mark + ### ### $qossettings{'IMQ_DEV'} ### @@ -487,7 +475,7 @@ print <<END iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -m layer7 ! --l7proto unset -j MARK --set-xmark $DEF_INC_MARK
# Save mark in connection tracking - iptables -t mangle -A QOS-INC -m mark --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark + iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_MASK -j CONNMARK --save-mark
## STARTING COLLECTOR /usr/local/bin/qosd $qossettings{'RED_DEV'} >/dev/null 2>&1
This change is necessary because the QoS classes are now stored in the lowest two bytes of the mark.
All IPsec traffic will now be skipped and never classified by the QoS.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/qos/makeqosscripts.pl | 10 +++++----- src/initscripts/system/firewall | 7 +++++-- src/patches/strongswan-ipfire.patch | 12 ++++++------ 3 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl
index b1bb637b3..fc8b8b84f 100644
--- a/config/qos/makeqosscripts.pl
+++ b/config/qos/makeqosscripts.pl
@@ -61,6 +61,9 @@ my $QOS_INC_MASK = 0x0000ff00;
 my $QOS_INC_SHIFT = 8;
 my $QOS_OUT_MASK = 0x000000ff;
 my $QOS_OUT_SHIFT = 0;
+my $IPSEC_MASK = 0x00800000;
+my $QOS_INC_SKIP_MASK = $QOS_INC_MASK | $IPSEC_MASK;
+my $QOS_OUT_SKIP_MASK = $QOS_OUT_MASK | $IPSEC_MASK;
&General::readhash("${General::swroot}/ethernet/settings", %netsettings);
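Review bot: After this hunk the packet mark is partitioned across four files (NAT bits in rules.pl and the initscript, the IPsec bit here and in the strongswan patch, QoS here, and the top two bits reserved for the IPS), yet no single place states which bits belong to whom. Put the layout in the comment above these constants, along the lines of `# Packet mark layout: bits 0-7 QoS outbound class, bits 8-15 QoS inbound class, bit 23 IPsec, bits 24-27 NAT zone (rules.pl), bits 30-31 reserved for the IPS`, and treat it as the one authoritative description the other files refer to. `$IPSEC_MASK` is also used as the mark value itself; naming it `$IPSEC_MARK` as the initscript does would make the two files read alike.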
@@ -220,10 +223,7 @@ print <<END iptables -t mangle -A POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT
# If the packet is already marked, then skip the processing - iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_MASK -j RETURN - - ### Don't change mark on traffic for the ipsec tunnel - iptables -t mangle -A QOS-OUT -m mark --mark 50 -j RETURN + iptables -t mangle -A QOS-OUT -m mark ! --mark 0/$QOS_OUT_SKIP_MASK -j RETURN
### SET TOS END @@ -393,7 +393,7 @@ print <<END iptables -t mangle -A PREROUTING -i $qossettings{'RED_DEV'} -j QOS-INC
# If the packet is already marked, then skip the processing - iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_MASK -j RETURN + iptables -t mangle -A QOS-INC -m mark ! --mark 0/$QOS_INC_SKIP_MASK -j RETURN
### SET TOS END
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 7a7d52d57..ce428393d 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -14,6 +14,9 @@ fi
NAT_MASK="0x0f000000"
+IPSEC_MARK="0x00800000"
+IPSEC_MASK="${IPSEC_MARK}"
+
 function iptables() { /sbin/iptables --wait "$@" }
@@ -376,8 +379,8 @@ iptables_red_up() { iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT fi
- # Outgoing masquerading (don't masqerade IPsec (mark 50)) - iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN + # Outgoing masquerading (don't masqerade IPsec) + iptables -t nat -A REDNAT -m mark --mark "${IPSEC_MARK}/${IPSEC_MASK}" -o "${IFACE}" -j RETURN
if [ "${IFACE}" = "${GREEN_DEV}" ]; then iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch index 7071983b8..17c40b025 100644 --- a/src/patches/strongswan-ipfire.patch +++ b/src/patches/strongswan-ipfire.patch @@ -42,7 +42,7 @@ + iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-xmark 0x00800000/0x00800000 # # allow IPIP traffic because of the implicit SA created by the kernel if # IPComp is used (for small inbound packets that are not compressed) @@ -71,7 +71,7 @@ + iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-xmark 0x00800000/0x00800000 # # IPIP exception teardown if [ -n "$PLUTO_IPCOMP" ] @@ -97,7 +97,7 @@ -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000 + iptables --wait -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT 
@@ -117,7 +117,7 @@ + iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000 fi # # allow IPIP traffic because of the implicit SA created by the kernel if @@ -194,7 +194,7 @@ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -+ $IPSEC_POLICY_OUT -j MARK --set-mark 50 ++ $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000 + iptables --wait -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ @@ -217,7 +217,7 @@ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT -+ $IPSEC_POLICY_OUT -j MARK --set-mark 50 ++ $IPSEC_POLICY_OUT -j MARK --set-xmark 0x00800000/0x00800000 fi # # IPIP exception teardown
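Review bot: The literal `0x00800000/0x00800000` is now repeated six times across this patch while the initscript defines the same bit as IPSEC_MARK/IPSEC_MASK and makeqosscripts.pl as $IPSEC_MASK, so a future change of the bit has three independent places to miss. A .patch cannot read the initscript's variable, but the updown script it patches can define its own: add `IPSEC_MARK="0x00800000"  # must match IPSEC_MARK in src/initscripts/system/firewall` once near the top of the script and have the six `-j MARK --set-xmark` rules use `${IPSEC_MARK}/${IPSEC_MARK}`. Whatever form is chosen, the `-D` teardown rules must keep a rule specification identical to the `-I` rules, as they do now.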