4.5. User based Quality of Service

4.5.1. Setting up Kernel on non libnetfilter_queue system

Official Linux kernels released before 2.6.14 cannot mark packets through the ip_queue framework. On such a kernel it is therefore necessary to patch it with the ip_queue_vwmark patch available in patch-o-matic-ng from netfilter. This produces a modified version of both the ip_queue module and the libipq.a file.

Once the new libipq.a is installed, nufw can be compiled with user marking support:

./configure --with-user-mark ${EXTRA_OPTIONS_YOU_LIKE}
make
make install

4.5.2. Setting up nufw

nufw can now be run with -m to use userid marking. This option is compatible with -M.

4.5.3. Setting up Netfilter

As nufw only sees the packet that initiates a connection, it cannot set the userid mark on every packet of that connection. It is therefore necessary to use CONNMARK[1], a target able to propagate marks across a whole connection. A basic setup is the following:

iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark

The first line restores the connection's existing mark onto each arriving packet; the second saves the packet mark on the connection so it can be restored later.

4.5.4. Using marking modules

The nuauth variable nuauth_finalize_packet_module lists the modules that attach a hook called just before nuauth answers nufw about a packet. It is usually used to modify the mark of the packet according to a given strategy. By splitting the mark into several fields, it is possible to define complex marking policies that can later be used by the Linux routing and QoS systems.

Extensive documentation can be found in the file README.mark.

4.5.5. Using NuFW mark

The Netfilter mark can be used by both the Quality of Service system and the routing system of Linux.

It is thus possible to route different users differently with a command like:

ip rule add fwmark XXX lookup TABLE

The same applies to QoS: with a tc filter, a user's flows are put into a specific class:

tc filter add dev IFACE prio 5 protocol ip handle 102 fw flowid FLOWID
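
The mark-splitting idea above, worked through as an added example (this script is not part of the NuFW documentation or its code): the 32-bit mark is divided into a user field and a QoS class field, and the ip rule / tc filter commands match on one field at a time with a mask, so routing and QoS can be decided independently. The field layout, the table name and the flowid are assumptions chosen for the example.

```bash
#!/bin/bash
# Assumed layout: bits 0-15 carry the user id, bits 16-23 the QoS class.
USER_MASK=0x0000ffff
CLASS_MASK=0x00ff0000
CLASS_SHIFT=16

# compose_mark USERID CLASS -> combined mark as 0x-prefixed hex
compose_mark() {
    local uid=$1 class=$2
    printf '0x%08x\n' $(( (uid & USER_MASK) | ((class << CLASS_SHIFT) & CLASS_MASK) ))
}

# mark_uid MARK / mark_class MARK -> extract one field from a combined mark
mark_uid()   { printf '%d\n' $(( $1 & USER_MASK )); }
mark_class() { printf '%d\n' $(( ($1 & CLASS_MASK) >> CLASS_SHIFT )); }

# route_rule_cmd USERID TABLE -> ip rule that matches only the user field,
# so any QoS class assigned to that user still reaches the same table
route_rule_cmd() {
    local uid=$1 table=$2
    printf 'ip rule add fwmark 0x%08x/0x%08x lookup %s\n' \
        $(( uid & USER_MASK )) "$USER_MASK" "$table"
}

# qos_filter_cmd IFACE CLASS FLOWID -> tc fw filter that matches only the
# class field, so every user in that class shares the same flowid
qos_filter_cmd() {
    local iface=$1 class=$2 flowid=$3
    printf 'tc filter add dev %s parent 1: prio 5 protocol ip handle 0x%08x/0x%08x fw flowid %s\n' \
        "$iface" $(( (class << CLASS_SHIFT) & CLASS_MASK )) "$CLASS_MASK" "$flowid"
}

# Demonstration: user 1000 in class 3 (constructed values), routed via an
# assumed table "users_out" and shaped into an assumed flowid 1:30.
mark=$(compose_mark 1000 3)
echo "combined mark: $mark (uid $(mark_uid "$mark"), class $(mark_class "$mark"))"
route_rule_cmd 1000 users_out
qos_filter_cmd eth0 3 1:30
```

Only the commands are printed; run them on a router after the CONNMARK rules above are in place so the mark survives past the connection's first packet.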

For more information about routing and quality of service, see the LARTC (Linux Advanced Routing & Traffic Control) HOWTO.

Notes

[1] CONNMARK is only available in patch-o-matic before 2.6.11; it is included in 2.6.12+ kernels.