Custom QoS & iptables rules

Starbloom

Occasional Visitor
Hi Everyone,

I am trying to create my own iptables rules that mark connections from 1 to 0xff. But I can't seem to mark any packet with anything above 6. Why is that? It seems asuswrt is changing the packet marking somehow. Please see my questions in the comments below.

Another problem is that I can't seem to use the iptables CLASSIFY target. As soon as I use it, the router crashes and reboots. Good thing I am testing over ssh, so it comes back OK without those rules.

Thanks.

Code:
#!/bin/sh

# Setup mangle table
DEV=$(nvram get wan0_gw_ifname)

# remove default rule with mask 0x7 and replace it with our own mask 0xff
iptables -t mangle -D PREROUTING -i ${DEV} -j CONNMARK --restore-mark --nfmask 0x7 --ctmask 0x7
iptables -t mangle -D PREROUTING -i ${DEV} -j CONNMARK --restore-mark --nfmask 0xff --ctmask 0xff
iptables -t mangle -I PREROUTING -i ${DEV} -j CONNMARK --restore-mark --nfmask 0xff --ctmask 0xff

# reinitialize QOSO chain
iptables -t mangle -N QOSO
iptables -t mangle -F QOSO

iptables -t mangle -D FORWARD -o ${DEV} -j QOSO
iptables -t mangle -D OUTPUT -o ${DEV} -j QOSO
iptables -t mangle -D POSTROUTING -o br0 -j QOSO

iptables -t mangle -A FORWARD -o ${DEV} -j QOSO
iptables -t mangle -A OUTPUT -o ${DEV} -j QOSO
iptables -t mangle -A POSTROUTING -o br0 -j QOSO

iptables -t mangle -A QOSO -m mark --mark 0xb400 -j RETURN
iptables -t mangle -A QOSO -j CONNMARK --restore-mark --nfmask 0xff --ctmask 0xff

### Question: why is this rule here? No packets are supposed to be marked within mask 0xff00.
### It does seem that some packets fall into this, but where are they coming from?
### Should it return for any packet that has already been marked?
iptables -t mangle -A QOSO -m connmark ! --mark 0x0/0xff00 -j RETURN

# DNS, Time, etc
iptables -t mangle -A QOSO -p tcp -m multiport --dports 53,37,123,3455 -m connbytes --connbytes 0:10239 --connbytes-mode bytes --connbytes-dir both -j CONNMARK --set-mark 0x2/0xff
iptables -t mangle -A QOSO -p tcp -m multiport --dports 53,37,123,3455 -m connbytes --connbytes 0:10239 --connbytes-mode bytes --connbytes-dir both -j RETURN
iptables -t mangle -A QOSO -p udp -m multiport --dports 53,37,123,3455 -m connbytes --connbytes 0:10239 --connbytes-mode bytes --connbytes-dir both -j CONNMARK --set-mark 0x2/0xff
iptables -t mangle -A QOSO -p udp -m multiport --dports 53,37,123,3455 -m connbytes --connbytes 0:10239 --connbytes-mode bytes --connbytes-dir both -j RETURN

### Question & problem: it seems I can mark the new connection with 0x7, but only that initial
### packet gets classified into the proper tc class. All the packets after that seem to be classified
### as the default, which is 0x4. Why?
# Limit speed for P2P
iptables -t mangle -A QOSO -p udp -m mac --mac-source <mac_address> -j CONNMARK --set-mark 0x7/0xff
iptables -t mangle -A QOSO -p udp -m mac --mac-source <mac_address> -j RETURN
iptables -t mangle -A QOSO -p tcp -m mac --mac-source <mac_address> -j CONNMARK --set-mark 0x7/0xff
iptables -t mangle -A QOSO -p tcp -m mac --mac-source <mac_address> -j RETURN

# Torrents from server, lowest priority
#iptables -t mangle -I QOSO 4 -p tcp -m mac --mac-source <mac_address> -m multiport --sports 51701:52397,63707 -j RETURN
#iptables -t mangle -I QOSO 4 -p tcp -m mac --mac-source <mac_address> -m multiport --sports 51701:52397,63707 -j CONNMARK --set-mark 0x5/0xff
#iptables -t mangle -I QOSO 4 -p udp -m mac --mac-source <mac_address> -m multiport --sports 51701:52397,63707 -j RETURN
#iptables -t mangle -I QOSO 4 -p udp -m mac --mac-source <mac_address> -m multiport --sports 51701:52397,63707 -j CONNMARK --set-mark 0x5/0xff

iptables -t mangle -A QOSO -d 224.0.0.0/4 -j CONNMARK --set-mark 0x6/0xff
iptables -t mangle -A QOSO -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A QOSO -d 192.168.1.0/24 -j CONNMARK --set-mark 0x6/0xff
iptables -t mangle -A QOSO -d 192.168.1.0/24 -j RETURN
iptables -t mangle -A QOSO -j CONNMARK --set-mark 0x4/0xff
iptables -t mangle -A QOSO -j RETURN
 
Another related question, if I disable the QoS from the WebUI, can you still use scripts in jffs to configure my QoS settings?
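As an added illustration (not code from the original post, nor from the asuswrt firmware), the Python model below implements the CONNMARK and mark arithmetic the script relies on, following the iptables-extensions man page, and walks a few constructed packets through the QOSO chain in the order the script defines it. It shows what the swap from a 0x7 to a 0xff restore mask changes (a restore with mask 0x7 keeps only the low three bits of the ctmark) and which connections the `! --mark 0x0/0xff00` rule returns on. `P2P_MAC`, the `Conn`/`Packet` records and the sample addresses are all constructed here; the real behaviour on the router also depends on rules the firmware adds elsewhere, which this model does not include.

```python
"""Model of the CONNMARK / mark arithmetic behind the QOSO script above.

Added example, not code from the original post or from the asuswrt firmware.
Semantics follow the iptables-extensions man page (CONNMARK target, connmark
and mark matches); packets and connection states are constructed for
illustration only.
"""
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
P2P_MAC = "aa:bb:cc:dd:ee:ff"          # constructed; stands in for the post's <mac_address>
QOS_PORTS = {53, 37, 123, 3455}        # the "DNS, Time, etc" ports from the script
LAN = ipaddress.ip_network("192.168.1.0/24")
MCAST = ipaddress.ip_network("224.0.0.0/4")


@dataclass
class Conn:
    """Conntrack entry: the ctmark persists across packets, the nfmark does not."""
    ctmark: int = 0
    bytes_both: int = 0                # what -m connbytes --connbytes-dir both sees


@dataclass
class Packet:
    conn: Conn
    proto: str
    dport: int
    dst: str
    src_mac: str = "00:00:00:00:00:00"
    nfmark: int = 0                    # packet mark, fresh for every packet


def set_mark(ctmark: int, value: int, mask: int = MASK32) -> int:
    """CONNMARK --set-mark value/mask: zero the mask bits, then OR value in."""
    return ((ctmark & ~(mask | value)) | value) & MASK32


def restore_mark(nfmark: int, ctmark: int, nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """CONNMARK --restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MASK32


def connmark_match(ctmark: int, value: int, mask: int = MASK32, invert: bool = False) -> bool:
    """-m connmark [!] --mark value/mask."""
    return ((ctmark & mask) == value) != invert


def prerouting_restore(pkt: Packet, mask: int) -> int:
    """The PREROUTING rule the script swaps: mask 0x7 (stock) vs 0xff (custom)."""
    pkt.nfmark = restore_mark(pkt.nfmark, pkt.conn.ctmark, mask, mask)
    return pkt.nfmark


def qoso(pkt: Packet) -> int:
    """Walk the QOSO chain in the script's order; returns the resulting ctmark."""
    c = pkt.conn
    if pkt.nfmark == 0xB400:                                # -m mark --mark 0xb400 -j RETURN
        return c.ctmark
    pkt.nfmark = restore_mark(pkt.nfmark, c.ctmark, 0xFF, 0xFF)
    if connmark_match(c.ctmark, 0x0, 0xFF00, invert=True):  # ! --mark 0x0/0xff00 -j RETURN
        return c.ctmark
    if pkt.proto in ("tcp", "udp") and pkt.dport in QOS_PORTS and c.bytes_both <= 10239:
        c.ctmark = set_mark(c.ctmark, 0x2, 0xFF)            # DNS, Time, etc
        return c.ctmark
    if pkt.proto in ("tcp", "udp") and pkt.src_mac == P2P_MAC:
        c.ctmark = set_mark(c.ctmark, 0x7, 0xFF)            # limit speed for the P2P host
        return c.ctmark
    dst = ipaddress.ip_address(pkt.dst)
    if dst in MCAST or dst in LAN:
        c.ctmark = set_mark(c.ctmark, 0x6, 0xFF)            # multicast / LAN traffic
        return c.ctmark
    c.ctmark = set_mark(c.ctmark, 0x4, 0xFF)                # default class
    return c.ctmark


if __name__ == "__main__":
    first = Packet(Conn(), "tcp", 443, "8.8.8.8", src_mac=P2P_MAC)
    print("P2P connection ctmark:", hex(qoso(first)))
    # Next packet on the same connection: the ctmark is restored into the nfmark
    # in PREROUTING, so the restore mask decides how many bits survive.
    for mask in (0x7, 0xFF):
        nxt = Packet(first.conn, "tcp", 443, "8.8.8.8", src_mac=P2P_MAC)
        print(f"restored nfmark with mask {mask:#x}:", hex(prerouting_restore(nxt, mask)))
    # A ctmark that needs more than three bits is truncated by a 0x7 restore.
    print("0x15 restored with 0x7 / 0xff:", hex(restore_mark(0, 0x15, 0x7, 0x7)),
          hex(restore_mark(0, 0x15, 0xFF, 0xFF)))
    # A connection already marked in the upper byte is left alone by the chain.
    print("0xb400 connection after QOSO:", hex(qoso(Packet(Conn(ctmark=0xB400), "tcp", 80, "8.8.8.8"))))
```

Running the block prints the ctmark each constructed connection ends up with; the two `restore_mark` calls on 0x15 are the direct answer to what a narrower restore mask does to a mark that uses more than three bits, independent of anything else the firmware does.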
 
The firmware source code will tell you what's going on.

SOURCE: https://github.com/RMerl/asuswrt-me...ad31921b1236d054b/release/src/router/rc/qos.c
KEYWORD: qos_rulelist
 
Yes, I went through the qos.c file. It is generating rules which I can see from "iptables -L -n -v -t mangle". My question is whether there are other places that modify the connmark/mark. Thanks.