
I recently made the switch from windows to linux (Manjaro).

To manage traffic I had been using a Windows feature that allowed me to specify the name of an application so that its network traffic would be tagged with a specific code (DSCP); my router (pfSense) would then check it and prioritize the traffic accordingly.

It's set up with these levels of priority:

  1. online games
  2. all unclassified traffic (mostly web traffic)
  3. steam/origin/windows updates
  4. torrents

This made it so that me and my brother could be playing online games, with torrents going, and my parents could open a youtube video at any time and the torrents/updates would be throttled down automatically by the router, all throughout we would at worst get 5ms jitter and an extra 10 to 20 ping.

When I was thinking about switching to Linux it didn't occur to me that replicating this configuration would be a problem. I was expecting this to be native functionality of iptables or some other Linux firewall, but as it turns out, while the functionality did exist around 2002/2003, it was dropped for being broken and deemed too much trouble to fix.

iptables does allow you to mark traffic based on the process PID, but this isn't great for me since I need to tag the first packet that the application sends out, due to how pfSense classifies traffic for prioritization.

So, over the course of a few weeks, trying different search terms before committing to a solution, I have progressed through these options:

SELinux/AppArmor - these do far more than I want/need them to

systemtap - (kernel debugging tool) I was getting ready to fumble my way into getting a script to make iptables rules while reading PID/process name from some kind of live kernel patch (not ideal)

anfd/lpfw - these are firewalls that block everything by default and allow you to set up rules to allow traffic based on the application command name

I'm posting this in the hopes that someone has this figured out, because if not I will have to start modifying lpfw or anfd to suit my needs.

TL;DR I want to make it so specific applications get their traffic tagged (ToS/DSCP) based on their command name, so that my router can prioritize them appropriately.

Any info on how to replicate this functionality in Linux is appreciated.

Depak
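As an added illustration (not code from the poster, lpfw or anfd), the script below shows the two pieces the question combines: the DSCP/ToS arithmetic pfSense will match on, and iptables `mangle` rules that stamp a DSCP on locally generated packets. Because the kernel's `owner` match today keys on uid/gid rather than process name or pid, the rules match on a cgroup v1 `net_cls` classid or on a dedicated uid instead; the classids (`0x00100001`, `0x00100002`), the uid `1001` and the DSCP names chosen per class are constructed assumptions. `pids_by_comm` does the one step iptables cannot do, resolving a command name to PIDs via `/proc`, which is what a user-space helper would then use to place those processes in the matching cgroup.

```python
"""Added example: build DSCP-marking iptables rules per traffic class (not from the post)."""
import os
import re

# DiffServ code points: CSx = 8x (RFC 2474), AFxy = 8x + 2y (RFC 2597), EF = 46 (RFC 3246).
_CS_RE = re.compile(r"^CS([0-7])$")
_AF_RE = re.compile(r"^AF([1-4])([1-3])$")


def dscp_value(name: str) -> int:
    """Resolve a DSCP class name ('EF', 'CS1', 'AF41') or a decimal string to its 6-bit value."""
    name = name.strip().upper()
    if name == "EF":
        return 46
    m = _CS_RE.match(name)
    if m:
        return int(m.group(1)) * 8
    m = _AF_RE.match(name)
    if m:
        return int(m.group(1)) * 8 + int(m.group(2)) * 2
    if name.isdigit() and int(name) <= 63:
        return int(name)
    raise ValueError(f"unknown DSCP class: {name!r}")


def tos_byte(dscp: int) -> int:
    """DSCP sits in the top six bits of the IPv4 ToS / IPv6 traffic-class byte (ECN uses the low two)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return dscp << 2


def net_cls_classid(major: int, minor: int) -> str:
    """cgroup v1 net_cls.classid in the form iptables -m cgroup expects: 0xAAAABBBB (16-bit major/minor)."""
    if not (0 <= major <= 0xFFFF and 0 <= minor <= 0xFFFF):
        raise ValueError("major and minor are 16-bit fields")
    return f"0x{major:04x}{minor:04x}"


def uid_match(uid: int) -> str:
    """Match packets from sockets owned by a uid (the owner match keys on uid/gid, not on command name)."""
    return f"-m owner --uid-owner {uid}"


def cgroup_match(classid: str) -> str:
    """Match packets from sockets whose cgroup carries the given net_cls classid."""
    return f"-m cgroup --cgroup {classid}"


def mangle_rule(match: str, dscp_name: str, chain: str = "OUTPUT") -> str:
    """iptables mangle rule that stamps the DSCP on locally generated packets selected by `match`."""
    return f"iptables -t mangle -A {chain} {match} -j DSCP --set-dscp {dscp_value(dscp_name)}"


# Constructed plan mirroring the question's order: games above default traffic, updates and torrents
# below it. The DSCP names, classids and uid are assumptions; pfSense must be set to match the same values.
CLASS_PLAN = {
    "games": ("EF", cgroup_match(net_cls_classid(0x10, 1))),
    "updates": ("AF11", cgroup_match(net_cls_classid(0x10, 2))),
    "torrents": ("CS1", uid_match(1001)),  # e.g. a dedicated account the torrent client runs as
}


def ruleset(plan=CLASS_PLAN) -> list[str]:
    """One mangle rule per class, each preceded by a comment stating the ToS byte the router will see."""
    lines = []
    for cls, (dscp_name, match) in plan.items():
        dscp = dscp_value(dscp_name)
        lines.append(f"# {cls}: DSCP {dscp_name}={dscp}, ToS byte 0x{tos_byte(dscp):02x}")
        lines.append(mangle_rule(match, dscp_name))
    return lines


def pids_by_comm(comm: str) -> list[int]:
    """PIDs whose /proc/<pid>/comm equals `comm`: the command-name lookup an lpfw-style helper
    performs in user space before assigning those processes to a cgroup the rules above match."""
    pids = []
    if not os.path.isdir("/proc"):
        return pids  # no procfs here; nothing to scan
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm", encoding="utf-8") as fh:
                if fh.read().strip() == comm:
                    pids.append(int(entry))
        except OSError:
            continue  # process already exited, or not readable from this uid
    return pids


if __name__ == "__main__":
    print("\n".join(ruleset()))
```

Running the script prints the rules; they are not applied, so the output can be reviewed before loading it with root privileges. The comment lines give the ToS byte (DSCP shifted left by two) because pfSense's shaper matching can be expressed either way, and mixing the two encodings is a common reason marked traffic lands in the wrong queue.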
    Have you tried adding a rule to the `mangle`table, in the `PreRouting` chain, using `--pid-owner`, and the `--set-tos` target? – Alex Stragies Aug 10 '19 at 15:35
  • 1
    One way is to start applications in a specific network namespace by "class", and then add iptables rules in this namespace to add the tag. This is also convenient if you want some applications to use a VPN, but others to directly use your ISP. – dirkt Aug 10 '19 at 19:28
  • I forgot to add that I had also seen network namespaces and cgroups; those aren't great because they might interfere with Steam home streaming, not sure on that, just a guess (I only skimmed the documentation on that). Even if that works, what I'm really looking for is something that replicates that command-name-based packet tagging functionality. – Depak Aug 11 '19 at 02:51
  • @AlexStragies for this to work I would have to get the PID and apply the rule before the app sends any packets; the script would have to be something similar to what anfd and lpfw already do, so that's why I am thinking about modifying one of them into fitting my use case. – Depak Aug 11 '19 at 04:00
  • I don't see how network namespaces would interfere with steam home streaming - everything running in the network namespace would just think they are another device on your LAN. Or, depending on how you set it up, behind a second router. But then I don't use steam home streaming. And there is no "command name based packet tagging functionality" in Linux. If you desperately want one, you can write one (lookup the command line of the process by PID, match on that by using your own tables), but maybe it's easier to use the functionality that's already there? – dirkt Aug 11 '19 at 07:28
  • @dirkt I went back to check why I decided against namespaces at the time. The main issue was that I had to change the startup script for the app to run in the namespace; since I plan to run games under Wine with startup scripts that I don't want to mess with, and if I had to mess with them I would probably misconfigure something, leading to issues that are hard to track, this is why I'm looking for something that just matches process name at the firewall level. As long as the implementation is done properly, it seems like it would be the most reliable and hassle-free option. – Depak Aug 12 '19 at 05:04
  • You don't have to write startup scripts to run an app in network namespaces. One way is to start an xterm in a namespace, and all apps started from that xterm will also run in that namespace. That includes the original startup scripts. You'll never have to change existing scripts. Of course, if you have integrated starting apps into your desktop environment, you'll need to adapt this. – dirkt Aug 12 '19 at 06:22
