From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rene Gallati
Date: Mon, 09 Aug 2004 15:06:38 +0000
Subject: Re: [LARTC] Duplexing
Message-Id: <411792FE.7090508@draxinusom.ch>
References: <41178695.20908@ycc.com>
In-Reply-To: <41178695.20908@ycc.com>
To: lartc@vger.kernel.org

Hello,

> The recent thread titled:
> working ftp shaping, i think
> provided a script example where 100Mbps was specified as the rate for a
> typical NIC.
>
> If that NIC is connected to a switch, chances are that it runs at
> 100Mbps in each direction concurrently - duplexed. Writing a rule that
> specifies a 100Mbps rate and thereby a 100Mbps ceil, limits the
> connection to half the available bandwidth.
>
> I haven't seen anything in tc (not iptables) that addresses direction -
> inbound or outbound.
> Is there a way of writing rules that take duplexing into account so that
> you end up with 2 virtual devices, each capable of 100Mbps, but the
> traffic is direction specific?

Traffic shaping is generally only outgoing, that is why you need to pull
many tricks to be able to *shape* (means control speed) inbound and not
only *police* (only drop/allow through).

You cannot tell the senders on the internet how fast they should send to
you so you can only shape outgoing. With IMQ you can shape incoming,
however you already received the packets so delaying/dropping them may
not be useful.

If you have an internet gateway, you can of course shape both
directions, at least what is going through the box. What comes in on
eth0 is then outbound on eth1 for example and you can again shape outgoing.

Shaping makes most sense where the traffic originates. With that said, I
hope your question is answered: Even in full duplex you only have
100mbits going out which you can shape.

In iptables you can always specify direction.
The built-in chain INPUT
is only traversed when a packet is inbound *and terminates* on the
machine (local service receives packet). OUTPUT is only traversed when a
packet goes out of a machine and has been created on that machine (i.e.
service / program sent data on that machine) and FORWARD is all traffic
that comes in on one interface and goes out to another interface,
thereby passing through the machine/gateway.

Furthermore you can select the input and output interfaces in a given
FORWARD rule by the -i and -o matches giving you a direction in the
forward case. In OUTPUT or INPUT the direction is already known by the
chain name.

If you jump from both INPUT and OUTPUT into the same user-defined chain,
you can use -i and -o respectively.

tc always uses outgoing unless you're working on the INGRESS special
case. To shape incoming via IMQ, you need an IMQ dummy interface on
whose "outgoing" direction you can shape again.

So to answer your last question, yes using the IMQ device you can shape
inbound. Otherwise you can only shape outgoing or police incoming using
INGRESS.

-- 
C U

- -- ---- ----- -----/\/  René Gallati  \/\---- ----- --- -- -
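
Added example, not part of the original message or of any script from the list: the gateway case described above, as a shell script that prints the tc and iptables commands and, with RUN=1 as root, applies them. The interface names (eth0 = WAN, eth1 = LAN), the rates and the helper names are assumptions.

```sh
#!/bin/sh
# Added example. Assumed: eth0 faces the internet, eth1 faces the LAN,
# and the rates below. Dry run by default; RUN=1 (as root) executes.
WAN=${WAN:-eth0}; LAN=${LAN:-eth1}
UP=${UP:-100mbit}; DOWN=${DOWN:-100mbit}; POLICE=${POLICE:-90mbit}

run() {  # print the command, execute it only when RUN=1
    echo "$*"
    if [ "${RUN:-0}" = 1 ]; then "$@"; fi
}

# tc shapes egress: one HTB class per device, rate == ceil.
shape_egress() {  # $1 = device, $2 = rate
    run tc qdisc add dev "$1" root handle 1: htb default 10
    run tc class add dev "$1" parent 1: classid 1:10 htb rate "$2" ceil "$2"
}

# The ingress qdisc cannot queue; it can only police (drop above the rate).
police_ingress() {  # $1 = device, $2 = rate
    run tc qdisc add dev "$1" handle ffff: ingress
    run tc filter add dev "$1" parent ffff: protocol ip prio 1 u32 \
        match ip src 0.0.0.0/0 police rate "$2" burst 100k drop flowid :1
}

# In FORWARD the -i/-o pair gives the direction. Rules without a target
# only increment counters, so each direction can be measured separately.
count_forward() {
    run iptables -A FORWARD -i "$LAN" -o "$WAN"   # upload
    run iptables -A FORWARD -i "$WAN" -o "$LAN"   # download
}

gateway_plan() {
    shape_egress "$WAN" "$UP"        # LAN -> WAN traffic leaves on the WAN device
    shape_egress "$LAN" "$DOWN"      # WAN -> LAN traffic leaves on the LAN device
    police_ingress "$WAN" "$POLICE"  # traffic terminating on the box itself
    count_forward
}

gateway_plan
```

On a full-duplex link each device gets its own 100mbit egress class, so the two directions are shaped independently without any "virtual device"; only traffic that terminates on the gateway itself needs the ingress policer or IMQ.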