Hi all,

I'm trying to implement a mechanism to perform a management of the bandwidth for different services running over my network. For instance, Youtube and Netflix are some of those services involved in this process. In order to implement this procedure, my logical flow was the following:

At firewall level:
1 - Use a filter rule that automatically adds the dst-address to a list whenever a particular domain is matched (using the content field)
2 - With mangle, mark connections whose dst-address is in the list previously created
3 - Mark packets with a suitable label (e.g., PACKETX) whose connection label is the one defined at the above step

At queues level:
1 - Create a pcq queue in which download and upload are limited at a certain threshold for those packets with mark PACKETX

Using this configuration the overall system does not work and in order to have it working I have to add another Mangle rule in which the connection of all the packets whose src-address is lying within the list automatically created, is market with the same label as in point 2 above.

Personally I have a doubt about the concept of connection marking. Let consider for instance the Netflix service.
In my understanding, the connection between a device in the LAN and the netflix server is created as soon as the device makes a request to the server. There is no way that the netflix server will open a connection from the internet towards the device in the LAN out of nowhere.

This connection (when alive) provides two main benefits:
1 - will be already marked with a particular tag, and
2 - will take care of convoy all the packets going back and forth from the netflix server.

Assuming that the above statements are correct, then it makes me a lot of confusion the fact that I need to mark the connections based also on the src-address. Indeed, I would expect that once the connection is marked, no matter what is the direction of the packets flowing in that connection, they will automatically belong to it.


Am I missing something or making some huge mistake in my assumption?

Thanks

To me, the port opened by the router is the entering point for the responding server you called. As long the router seems it good to keep the port open (established) for the responding server the packets are accepted. When the router closes that port the packet sent later by the server just bounce off.

Your rules only apply up to the gateway and on the internet others take over the routing of your packets and packets back to you.

Hi, thanks for the reply!

Yes, I agree with you. As long as the connection is kept estabilished all the packets should be automatically marked irrispectively from the packet direction. Of course, if the connection is closed, then it will need to be re-estabilished in order to mark the packets again and recover the marking procedure.

However, it is strange the fact that I need to enforce also a mangling rule for connection-marking based on server-side IP src-address. If the connection is estabilished it can be done only from the LAN to the WAN, I do not expect Netflix to open random connections out of nowhere with a device inside a LAN (without considering the fact that is completely crazy as a statement the former one). Since the connection is always estabilished from the LAN to the WAN, I would expect the packets flowing into it to be marked accordingly without the need of re-marking using a src-address based rule.

I am doing this but with a statically created dst-address list. I don't have to create any additional mangling rules on the src-address. To me this suggests something is wrong with your config.

Many thanks for the reply.

I will try to investigate the reason behind this. I'll post here once I will have found the issue.

Thanks again

How did you implement "1 - Use a filter rule that automatically adds the dst-address to a list whenever a particular domain is matched (using the content field) ?"

Is iptable --restore-mark done automatically on return traffic? Under actions, I don't see option to do it manually.