
Toggle QOS without disrupting custom IPTables rules.

Discussion in 'Tomato Firmware' started by StickMonster, Aug 29, 2012.

  1. StickMonster

    StickMonster Networkin' Nut Member

    In my experience, I've been able to toggle QOS on or off without breaking any existing "normal" connections. That's great.

    In my case, I have a custom iptables rule to change the port number on a specific outgoing connection, so I can treat a service running on a non-standard port as if it is running on the standard port. So I have something like this in my firewall script tab.

    Code:
    # Rewrite traffic to 123.123.123.123:445 (tcp and udp) to port 9445 before routing
    iptables -t nat -A PREROUTING -d 123.123.123.123 -p tcp --dport 445 -j DNAT --to-destination 123.123.123.123:9445
    iptables -t nat -A PREROUTING -d 123.123.123.123 -p udp --dport 445 -j DNAT --to-destination 123.123.123.123:9445
    However, toggling QOS seems to break existing connections that rely on this rule. (New ones can be established, of course, but it disrupts anything in progress).

    Can I save these rules somewhere else so that they are treated more like the other rules, and stay intact through a QOS toggle? For example, in /etc/iptables or a shell script somewhere that modifies that config file before the service is restarted?

    I'm running Shibby's build.
     
  2. Porter

    Porter LI Guru Member

    Why isn't QoS on or off all the time? Why do you toggle it?
     
  3. StickMonster

    StickMonster Networkin' Nut Member

    It's on during the day, so I can dial back bandwidth sucking low priorities, like backups, in favor of VOIP, web, etc. At night, I turn it off to maximize bandwidth for those low priorities while there's no competition.
     
  4. Porter

    Porter LI Guru Member

    I've just checked whether anything in the firewall script section ends up in /etc/iptables anyway. Apparently it doesn't. But getting your commands into /etc/iptables probably won't help you either because what seems to happen is that each time you toggle QoS the whole firewall gets shut down and then started again. So there is no way for your commands to survive this. I'm just guessing, but this is what probably happens in my opinion.

    Your only option seems to be to have a well configured QoS-system. Is your low priority traffic really interfering with anything else during the day? How bad is it?
     
  5. StickMonster

    StickMonster Networkin' Nut Member

    Thanks for your help Porter.

    What's interesting is that other connections survive the toggle, and obviously those connections are dependent on NAT, the firewall etc, so even though I suspect that you are correct in that the whole firewall gets shut down and restarted, it seems to be able to do this gracefully for the rules that are managed by the GUI.

    The fact that mine don't makes me suspect that the firewall restarts with its own generated rules, and then applies the firewall script as a separate step, and it's that brief step in between that is doing me in. So maybe if I could inject my rules into the right place, I'd be okay.

    In the short term, I am able to call /etc/qos stop and /etc/qos start without breaking my connections, but that's not ideal, as then the state is out of sync with the GUI, and I still can't make adjustments to QOS without breaking the connections.
     
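Added example (not code from the thread, and not part of Tomato itself) for the two DNAT rules in the first post and the "inject my rules into the right place" idea in the last one. It keeps the custom rules in their own nat chain, adds the PREROUTING jump only when it is missing, and refills the chain each time it runs, so the script is safe to run from the Firewall script tab and again by hand after `/etc/qos start` without ever stacking duplicate rules. It also gives a `check` verb to confirm the mapping came back after a QoS toggle. It does not keep in-flight connections alive across a full firewall restart; note that the NAT decision for an established flow lives in the connection-tracking entry, not in the nat chains, so `check` tells you whether the rules returned, and `cat /proc/net/ip_conntrack` (or `/proc/net/nf_conntrack`, depending on the kernel) tells you whether the tracked flows survived. The chain name `custom_nat`, the `IPT`/`IPT_SAVE`/`CHAIN` variables and the `apply`/`check` verbs are choices made here, not anything the thread establishes; it is written for BusyBox ash.

```shell
#!/bin/sh
# Added example for Tomato's Firewall script tab (not from the thread).
# Keeps StickMonster's two DNAT rules (123.123.123.123:445 -> :9445, tcp and
# udp) in a dedicated nat chain so the script is idempotent.
#
# Assumptions (not from the thread): the chain name "custom_nat" and the
# apply/check verbs are choices made here. IPT/IPT_SAVE are variables so the
# logic can be exercised with stand-in commands where iptables is unavailable.

IPT="${IPT:-iptables}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
CHAIN="${CHAIN:-custom_nat}"

# Address and ports from the original post.
TARGET_HOST="123.123.123.123"
PUBLIC_PORT="445"
REAL_PORT="9445"

# Print the current nat table in iptables-save format.
nat_rules() {
    "$IPT_SAVE" -t nat
}

# Return 0 when PREROUTING already jumps to our chain, 1 otherwise.
has_jump() {
    nat_rules | grep -q -- "^-A PREROUTING -j $CHAIN\$"
}

# Return 0 when the DNAT rule for the given protocol (tcp/udp) is present
# in our chain. The pattern tolerates the "-m tcp"/"-m udp" and "/32" that
# iptables-save adds to a rule entered without them.
has_dnat() {
    proto="$1"
    nat_rules | grep -q -- \
        "^-A $CHAIN .*-d $TARGET_HOST.*-p $proto .*--dport $PUBLIC_PORT .*-j DNAT --to-destination $TARGET_HOST:$REAL_PORT"
}

# (Re)create the chain and its rules. Safe to run repeatedly: creating an
# existing chain is ignored, the chain is flushed before it is refilled,
# and the PREROUTING jump is added only when it is missing.
ensure_custom_nat() {
    "$IPT" -t nat -N "$CHAIN" 2>/dev/null || true
    "$IPT" -t nat -F "$CHAIN"
    for proto in tcp udp; do
        "$IPT" -t nat -A "$CHAIN" -d "$TARGET_HOST" -p "$proto" \
            --dport "$PUBLIC_PORT" -j DNAT --to-destination "$TARGET_HOST:$REAL_PORT"
    done
    if ! has_jump; then
        # -I puts the jump first, so the rewrite runs before the
        # GUI-generated PREROUTING rules.
        "$IPT" -t nat -I PREROUTING -j "$CHAIN"
    fi
}

# Report whether the mapping is in place: prints "ok" (exit 0) or
# "missing" (exit 1). Run after a QoS toggle to verify the rules returned.
check_custom_nat() {
    if has_jump && has_dnat tcp && has_dnat udp; then
        echo "ok"
        return 0
    fi
    echo "missing"
    return 1
}

case "${1:-}" in
    apply) ensure_custom_nat ;;
    check) check_custom_nat ;;
esac
```

Paste the body into the Firewall script tab (it is run as `sh script apply` there, or simply end the script with `ensure_custom_nat` instead of the `case`), and keep a copy in /jffs or /opt so that `sh /jffs/custom_nat.sh check` can be run from a shell after toggling QoS.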