Endian Bugtracker
Endian Issue Tracker





Please see now our new Bugtracker system: JIRA








View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0002671Endian FirewallQoSpublic2010-02-11 14:002011-02-02 11:47
Reporteraender 
Assigned Topeter-endian 
PrioritynormalSeveritymajorReproducibilityalways
StatusconfirmedResolutionopen 
PlatformOSOS Version
Product Version2.3 
Target VersionfutureFixed in Version 
Summary0002671: Qos Devices and Classes VPN IPSec
DescriptionWhe can setup Devices and Classes for VPN IPSec.

But if i want see them at the console tc shows nothing.
I do this.

tc qdisc show dev ipsec0
shows
qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1

tc classes show dev ipsec0
shows nothing

if i setup a device and classes for OpenVPN Gw2Gw it shows like this

root@frue-fw:~ # tc qdisc show dev tap2
qdisc ingress ffff: ----------------
qdisc hfsc 180: default 6
qdisc sfq 8002: parent 180:2 limit 126p quantum 1514b perturb 10sec
qdisc sfq 8003: parent 180:3 limit 126p quantum 1514b perturb 10sec
qdisc sfq 8004: parent 180:4 limit 126p quantum 1514b perturb 10sec
qdisc sfq 8005: parent 180:5 limit 126p quantum 1514b perturb 10sec
qdisc sfq 8006: parent 180:6 limit 126p quantum 1514b perturb 10sec
root@frue-fw:~ # tc class show dev tap2
class hfsc 180: root
class hfsc 180:1 parent 180: sc m1 0bit d 0us m2 1966Kbit ul m1 0bit d 0us m2 1966Kbit
class hfsc 180:2 parent 180:1 leaf 8002: sc m1 0bit d 13.9ms m2 1081Kbit ul m1 0bit d 0us m2 1966Kbit
class hfsc 180:3 parent 180:1 leaf 8003: sc m1 0bit d 79.6ms m2 589000bit ul m1 0bit d 0us m2 1966Kbit
class hfsc 180:4 parent 180:1 leaf 8004: sc m1 0bit d 113.8ms m2 196000bit ul m1 0bit d 0us m2 1572Kbit
class hfsc 180:5 parent 180:1 leaf 8005: sc m1 0bit d 102.6ms m2 98000bit ul m1 0bit d 0us m2 1966Kbit
class hfsc 180:6 parent 180:1 leaf 8006: sc m1 68576bit d 175.0ms m2 0bit ul m1 0bit d 0us m2 786000bit
root@frue-fw:~ #


So in my opinion QoS for VPN IPSec could not work.
TagsNo tags attached.
Attached Files

- Relationships
related to 0000928assignedpeter-endian firewalls: add possibility to select the different ipsec interfaces, not only ipsec in general 
parent of 0002734confirmedpeter-endian SNAT: rules with IPSEC as source or destination device will be ignored 
child of 0003045confirmedpeter-endian TODO: QoS rework - QoS collecting ticket 
Not all the children of this issue are yet resolved or closed.

-  Notes
(0003911)
peter-endian (administrator)
2010-03-04 13:16

i see, thank you for the report

this happens because tc can't handle ipsec+ as an interface (as iptables does)

solution:
For now we need to explode IPSEC to all known ipsec interfaces and/or add selection for each ipsec interface
This does however not distinguish multiple ipsec tunnels, which need more work on ipsec itself.

- Issue History
Date Modified Username Field Change
2010-02-11 14:00 aender New Issue
2010-03-04 13:16 peter-endian Note Added: 0003911
2010-03-04 13:16 peter-endian Status new => confirmed
2010-03-04 13:16 peter-endian Relationship added related to 0000928
2010-03-04 13:16 peter-endian Relationship added parent of 0002734
2010-06-07 16:05 peter-endian Target Version => future
2010-07-05 18:40 peter-endian Relationship added child of 0003045
2010-09-20 19:24 peter-endian Category Firewall (iptables) => QoS
2011-02-02 11:47 lorenzo-endian Customer Occurencies => 0
2011-02-02 11:47 lorenzo-endian Assigned To => peter-endian

Copyright © 2005-2008 Endian, SRL. All rights reserved.


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker