QoS app. detection ordering problems
Posted: Thu Jan 23, 2014 4:55 pm
I reported this in the bugtracker but it doesn't seem to be used a lot, so I'll repost it here (http://www.gargoyle-router.com/gargoyle/issues/68)
Basically l7protocol rules that are subset of others (e.g. httpvideo vs. http) won't ever work because the checks are done in alphabetical order. I wrote a patch to the iptables generation script so protocols marked as subsets of others are tested first. It is attached in the bug report.
---
After trying to use the 'httpvideo' protocol in QoS in conjunction with lower priority 'http' rules, I noticed no ordering of QoS rules ever allowed httpvideo to match anything: http always matched first. Looking at the iptables rules I then found out the l7-filter protocol matching rules are created in alphabetical order (actually whatever order ls returns, but I digress), which means http is always tested first, and wins by being a superset of httpvideo.
Fortunately protocol files have metadata that helps identify which ones are subset of others. Altering the qos_gargoyle init script to prioritize subset protocols in the rule chain makes httpvideo match properly even when http rules are present.
I included a patch to the latest master. I actually only tested it in 1.5.9 but nothing else seems to have been changed in the firewall utils script relating to l7 between those versions.
Basically l7protocol rules that are subset of others (e.g. httpvideo vs. http) won't ever work because the checks are done in alphabetical order. I wrote a patch to the iptables generation script so protocols marked as subsets of others are tested first. It is attached in the bug report.
---
After trying to use the 'httpvideo' protocol in QoS in conjunction with lower priority 'http' rules, I noticed no ordering of QoS rules ever allowed httpvideo to match anything: http always matched first. Looking at the iptables rules I then found out the l7-filter protocol matching rules are created in alphabetical order (actually whatever order ls returns, but I digress), which means http is always tested first, and wins by being a superset of httpvideo.
Fortunately protocol files have metadata that helps identify which ones are subset of others. Altering the qos_gargoyle init script to prioritize subset protocols in the rule chain makes httpvideo match properly even when http rules are present.
I included a patch to the latest master. I actually only tested it in 1.5.9 but nothing else seems to have been changed in the firewall utils script relating to l7 between those versions.