
[Question] Prefer local subnets #16

Open
DoM1niC opened this issue Nov 10, 2021 · 1 comment

DoM1niC commented Nov 10, 2021

Anybody got an idea?
I don't want to limit local subnets, only external source IPs, like in my iptables example:

TC=/sbin/tc
IFETH=ens3             # Interface

# One htb class at 5mbit; the "fw" filter selects packets by their firewall mark (the handle value)
$TC qdisc add dev $IFETH root handle 1: htb
$TC class add dev $IFETH parent 1:0 classid 1:5 htb rate 5mbit
$TC filter add dev $IFETH parent 1:0 protocol ip handle 5 fw flowid 1:5

# MARK is non-terminating: all outbound TCP gets mark 6, then private destinations are overwritten with mark 2
/usr/sbin/iptables-legacy -A OUTPUT -t mangle -p tcp -d 0.0.0.0/0 -j MARK --set-mark 6
/usr/sbin/iptables-legacy -A OUTPUT -t mangle -p tcp -d 10.0.0.0/8 -j MARK --set-mark 2
/usr/sbin/iptables-legacy -A OUTPUT -t mangle -p tcp -d 192.168.0.0/16 -j MARK --set-mark 2

I want some kind of mark or priority that exempts my local clients from the world, to limit only the outbound traffic.

I found this table .... it works to limit all uploaded traffic...

table inet nft-qos-static {
	define PRIVATE = {
		192.168.0.0/16,
		127.0.0.1,
		10.0.0.0/8
	}

	chain local {
		type filter hook prerouting priority 0; policy accept;
		#ip protocol tcp ip saddr $PRIVATE limit rate over 10100 kbytes/second drop
	}

	chain upload {
		type filter hook prerouting priority 1; policy accept;
		ip protocol tcp ip saddr $PRIVATE limit rate over 51100 kbytes/second drop
		ip protocol tcp limit rate over 2100 kbytes/second drop
	}

	chain download {
		type filter hook postrouting priority 0; policy accept;
	}
}

table netdev nft-qos-priority {
	chain filter {
		type filter hook ingress device ens3 priority 0; policy accept;
	}
}

DoM1niC commented Nov 10, 2021

OK, I found a way to use the tc marks with nftables:

table ip mangle {
	define PRIVATE = {
		192.168.0.0/16,
		127.0.0.1,
		10.0.0.0/8,
	}

	chain PREROUTING {
		type filter hook prerouting priority 0; policy accept;
	}

	chain INPUT {
		type filter hook input priority 0; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
	}

	chain OUTPUT {
		type route hook output priority 0; policy accept;
		ip protocol tcp ip daddr != $PRIVATE mark set 2
	}

	chain POSTROUTING {
		type filter hook postrouting priority -150; policy accept;
	}
}

table ip6 mangle {
	define PRIVATE6 = {
		2a02:8106:229:6100::/64
	}

	chain PREROUTING {
		type filter hook prerouting priority 0; policy accept;
	}

	chain INPUT {
		type filter hook input priority 0; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
	}

	chain OUTPUT {
		type route hook output priority 0; policy accept;
		ip6 daddr != $PRIVATE6 mark set 6
	}

	chain POSTROUTING {
		type filter hook postrouting priority -150; policy accept;
	}
}

Works now fully without iptables... 👍🏻

@DoM1niC DoM1niC closed this as completed Nov 10, 2021
@DoM1niC DoM1niC reopened this Nov 10, 2021
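The two posts above show the nftables half (setting the mark on packets that leave for non-private destinations) and, in the first post, a tc `fw` filter whose handle does not match the marks being set. The `fw` classifier matches packets whose firewall mark equals the filter's `handle`, so the mark value written by nft and the handle used by tc must be the same number or the htb class never sees any traffic. The script below is an added example, not code from the issue or from any project: it generates both halves from one pair of mark variables and, by default, only prints what it would run. The interface name `ens3`, the 5mbit rate, the mark values 2 and 6, and the private ranges are constructed assumptions; change them for your own network.

```shell
#!/bin/sh
# Added example (not from the issue): keep the nft mark values and the tc "fw"
# filter handles in one place so the two halves cannot drift apart.
# Constructed assumptions: interface ens3, rate 5mbit, marks 2 (IPv4) and
# 6 (IPv6), and the RFC 1918 / link-local ranges used as "private".
set -eu

IFETH="${IFETH:-ens3}"
RATE="${RATE:-5mbit}"
MARK_V4=2
MARK_V6=6

# Emit the tc commands: one htb class per mark, plus a "fw" filter whose
# handle is the mark value. The fw classifier matches packets whose mark
# equals the handle, so this is the join point between nft and tc.
# "protocol all" lets one filter see both IPv4 and IPv6 frames.
tc_commands() {
	dev=$1; rate=$2; shift 2
	echo "tc qdisc add dev $dev root handle 1: htb"
	for mark in "$@"; do
		echo "tc class add dev $dev parent 1: classid 1:$mark htb rate $rate"
		echo "tc filter add dev $dev parent 1: protocol all handle $mark fw flowid 1:$mark"
	done
}

# Emit an nft ruleset that marks only TCP leaving for non-private destinations.
# "type route" on the output hook is what the issue uses; the named priority
# "mangle" is the same as the bare -150 seen in the issue.
nft_ruleset() {
	cat <<EOF
table ip mangle {
	define PRIVATE = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }
	chain OUTPUT {
		type route hook output priority mangle; policy accept;
		ip daddr != \$PRIVATE meta l4proto tcp mark set $MARK_V4
	}
}
table ip6 mangle {
	define PRIVATE6 = { fc00::/7, fe80::/10, ::1 }
	chain OUTPUT {
		type route hook output priority mangle; policy accept;
		ip6 daddr != \$PRIVATE6 meta l4proto tcp mark set $MARK_V6
	}
}
EOF
}

# DRY_RUN=1 (the default) prints the generated commands and ruleset.
# DRY_RUN=0 applies them; this needs root and the iproute2 / nft binaries.
apply() {
	if [ "${DRY_RUN:-1}" = 1 ]; then
		tc_commands "$IFETH" "$RATE" "$MARK_V4" "$MARK_V6"
		nft_ruleset
	else
		tc qdisc del dev "$IFETH" root 2>/dev/null || true
		tc_commands "$IFETH" "$RATE" "$MARK_V4" "$MARK_V6" | sh -e
		nft_ruleset | nft -f -
	fi
}

apply
```

After applying with `DRY_RUN=0`, `tc -s class show dev ens3` shows per-class byte counters; bytes accumulating in class `1:2` (or `1:6`) while you send to an external host, and not while you talk to a private address, confirms that the mark set by nft is reaching the intended htb class. Note that `nft -f` appends to an existing `mangle` table, so re-running the apply step without deleting the table first duplicates the rules.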