Iptables connrate match extension?

tievolu · May 4, 2020, 9:21am

I'm trying to use the iptables connrate match extension, but I can't get it working:

root@XXXXXXXXX:/# iptables -t mangle -A TEST_CHAIN -m connrate --connrate 0:1000 -j ACCEPT
iptables v1.8.3 (legacy): Couldn't load match `connrate':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

I have the iptables-mod-conntrack-extra package installed, but it turns out the description of this package doesn't actually mention connrate. Is there some other package I need to install?

trendy · May 4, 2020, 10:49am

I could not find anything relevant in the available packages

tievolu · May 4, 2020, 11:15am

I'm not sure if this is a deliberate decision or an oversight. I've filed a bug report to find out:

https://bugs.openwrt.org/index.php?do=details&task_id=3065

tievolu · May 4, 2020, 7:40pm

Weirdly, I found an example script on the OpenWRT site which uses connrate, so I wonder if it used to be possible to use this extension somehow?

tievolu · May 7, 2020, 3:02pm

Just as a quick follow up, I've managed to achieve my goal using the hashlimit extension instead. I'll leave that bug report open though.

trendy · May 7, 2020, 3:14pm

Could you post here the rule you used and mark the post as solved?

tievolu · May 7, 2020, 3:33pm

Sure. My use case is for DSCP classification. I have a chain called SET_INTERACTIVE which sets the DSCP tag on the packet (to CS2/16 in this case) and stores the DSCP value in the connection mark, so it can be restored later on for other packets on the same connection. This same chain is used to restore the DSCP tag after matching against the connmark.

I put remote admin connections into this class (VNC, SSH, NAS interface etc.). However, my NAS uses the same port for its GUI as it does for file uploads/downloads, and I don't want the latter classified as CS2. So I need to limit the match to connections where the transfer rate is less than a threshold, say 1000KB/s.

The connrate extension is the obvious choice, but it can be done with hashlimit as well, as follows:

iptables -A SET_INTERACTIVE -m hashlimit --hashlimit-mode srcip,dstip,srcport,dstport --hashlimit-rate-match --hashlimit-above 1000kb/s --hashlimit-burst 1000kb --hashlimit-name limit-interactive -j RETURN

I add this rule to the SET_INTERACTIVE chain before the rule that tags packets as CS2. If the rate on a packet's flow exceeds 1000KB/s we RETURN out of the chain, which prevents the packet from being tagged as CS2. In my setup the packet will just fall through the rest of my chains and remain as the default, CS0. However, the connection retains the CS2 connmark so the "demotion" of its packets to CS0 will be lifted if the flow rate drops below 1000KB/s.

system · May 17, 2020, 3:33pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.