[Swan] qos

Paul Wouters paul at nohats.ca
Fri Mar 6 00:31:38 EET 2015

On Wed, 4 Mar 2015, Bob Miller wrote:

> I have been investigating the last few days about getting qos to work on a 
> libreswan firewall.  it has a limited upload speed, and two subnets behind it 
> in addition to the vpn subnet, and all 3 groups are getting shutdown from 
> time to time due to activity of the others.

What do you mean with "shutdown"? Do you mean the dpd/liveness probes
are restarting tunnels? Or you just mean "flooded and locked out" ?

> I read in several places that one can mark packets in iptables and tc will 
> recognize them after encapsulation.  However, after quite a bit of 
> experimentation, such as placing the mark at various locations in the 
> tables/chains of iptables, matching esp/udp protocol, or the ip of the 
> internal server or the vpn users, or matching the encrypted packets with dst 
> port 4500, etc., I am finding that the mark either doesn't stay put, or tc 
> matches very little of the marked traffic.

In theory that should work, but any hop can remove any qos bits, so it
all depends on the network path too.

> So since iptables isn't really working out for me, I am wondering if there 
> are other options or methods.  I note xl2tpd has an rx/tx bps, but it sets a 
> maximum and not a minimum, so not quite what I am looking for.  I also note 
> mention of qos in klips patches in the source code for libreswan, but seems 
> for older kernels and I am not sure I want to convert to klips.  Is there 
> some cool tool built into libreswan that I am not finding, or a recommended 
> method documented somewhere to use tc in conjunction with libreswan?

I'd stay away from xl2tpd/pppd. That's just adding another layer and
adding mtu issues.


More information about the Swan mailing list