From: Andy Furniss <andy.furniss@dsl.pipex.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Help!!! Bandwith Control with a NAT machine
Date: Fri, 11 Feb 2005 21:42:59 +0000
Message-ID: <420D26E3.8010705@dsl.pipex.com>
In-Reply-To: <000e01c51039$23d37c90$0eea090a@PORTATILTEC>
Miguel Ángel Domínguez Durán wrote:
> Hello everyone,
> First of all, sorry for my poor English.
> I've been working on this for a few weeks and I'm getting sick of it...
> I'm trying to control the bandwidth in my network using the following script. The machine where the script is running does NAT; eth0 is connected to the router and eth1 is connected to the LAN. When I run the script no errors appear. I have recompiled a Red Hat kernel 2.4.20, checked that all the options are right and installed iproute2-2.6.9. The result is that every packet is sent to the default queue and I can't understand why. It seems that iptables is not marking any of the packets; all the queues and classes are empty, and traffic always goes through the default queues on the uplink and downlink.
> Here is the script, which is a modification of some things I've found on the net:
>
> #!/bin/bash
> #
> #
>
> DEV1=eth1 # interface to the local network
> DEV0=eth0 # interface to the Internet
>
>
> #
>
> TC=/usr/sbin/tc
>
> if [ "$1" = "status" ]
> then
> echo "Enlace descendente"
> echo "[qdisc]"
> $TC -s qdisc show dev $DEV1
> echo "[class]"
> $TC -s class show dev $DEV1
> echo "[filter]"
> $TC -s filter show dev $DEV1
>
>
> echo "Enlace ascendente"
> echo "[qdisc]"
> $TC -s qdisc show dev $DEV0
> echo "[class]"
> $TC -s class show dev $DEV0
> echo "[filter]"
> $TC -s filter show dev $DEV0
>
> # echo "[iptables]"
> # iptables -t mangle -L MYSHAPER-OUT -v -x 2> /dev/null
> # iptables -t mangle -L MYSHAPER-IN -v -x 2> /dev/null
>
>
> exit
> fi
>
> # Reset everything to a known state (cleared)
> $TC qdisc del dev $DEV0 root 2> /dev/null > /dev/null
> $TC qdisc del dev $DEV1 root 2> /dev/null > /dev/null
> iptables -t mangle -D PREROUTING -i $DEV0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -D PREROUTING -i $DEV1 -j MYSHAPER-IN 2> /dev/null > /dev/null
> iptables -t mangle -F MYSHAPER-IN 2> /dev/null > /dev/null
> iptables -t mangle -X MYSHAPER-IN 2> /dev/null > /dev/null
>
> #iptables -t mangle -D PREROUTING -i $DEV0 -j MYSHAPER-IN 2> /dev/null > /dev/null
>
>
> if [ "$1" = "stop" ]
> then
> echo "Shaping removed on $DEV1."
> echo "Shaping removed on $DEV0."
> exit
> fi
>
> ###########################################################
> #
> # Inbound Shaping (limits total bandwidth to 1000Kbps)
If you have 1mbit up and down you need to back off a bit from this
(ceils) - upstream to allow for link overheads - how much depending on
type of link. Downstream depends on how much you care about latency, as
a start say 15-20%, you need to do this to have a queue at all.
> # This is the downlink, from the Internet to Cherrytel's internal network
>
> # set queue size to give latency of about 2 seconds on low-prio packets
> ip link set dev $DEV1 qlen 30
Makes no difference - if you use sfq you can change a define in the
source or use esfq and specify.
>
> # changes mtu on the outbound device. Lowering the mtu will result
> # in lower latency but will also cause slightly lower throughput due
> # to IP and TCP protocol overhead.
> ip link set dev $DEV1 mtu 1000
If I had 1meg symmetrical I doubt I would bother - If you really care
that much about latency there are other things to do first. If you do
run low MTU I would specify it as quantum for htb and sfq as well.
>
> # add HTB root qdisc
> $TC qdisc add dev $DEV1 root handle 1: htb default 37
>
> # add main rate limit classes
> $TC class add dev $DEV1 parent 1: classid 1:1 htb rate 1000kbit
>
> # add leaf classes - We grant each class at LEAST its "fair share" of bandwidth.
> # this way no class will ever be starved by another class. Each
> # class is also permitted to consume all of the available bandwidth
> # if no other classes are in use.
> $TC class add dev $DEV1 parent 1:1 classid 1:20 htb rate 64kbit ceil 1000kbit
> $TC class add dev $DEV1 parent 1:1 classid 1:21 htb rate 64kbit ceil 1000kbit
> $TC class add dev $DEV1 parent 1:1 classid 1:22 htb rate 64kbit ceil 1000kbit
> $TC class add dev $DEV1 parent 1:1 classid 1:37 htb rate 832kbit ceil 1000kbit # default
>
> $TC class add dev $DEV1 parent 1:1 classid 1:23 htb rate 64kbit ceil 64kbit # test, WiFi machine
>
> # attach qdisc to leaf classes - here we attach SFQ to each priority class. SFQ ensures that
> # within each class connections will be treated (almost) fairly.
> $TC qdisc add dev $DEV1 parent 1:20 handle 20: sfq perturb 10
> $TC qdisc add dev $DEV1 parent 1:21 handle 21: sfq perturb 10
> $TC qdisc add dev $DEV1 parent 1:22 handle 22: sfq perturb 10
> $TC qdisc add dev $DEV1 parent 1:37 handle 37: sfq perturb 10
>
> $TC qdisc add dev $DEV1 parent 1:23 handle 23: sfq perturb 10
>
> # filter traffic into classes by fwmark - here we direct traffic into priority class according to
> # the fwmark set on the packet (we set fwmark with iptables
> # later). Note that above we've set the default priority
> # class to 1:37 so unmarked packets (or packets marked with
> # unfamiliar IDs) will be defaulted to the lowest priority
> # class.
> $TC filter add dev $DEV1 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
> $TC filter add dev $DEV1 parent 1:0 prio 0 protocol ip handle 21 fw flowid 1:21
> $TC filter add dev $DEV1 parent 1:0 prio 0 protocol ip handle 22 fw flowid 1:22
> $TC filter add dev $DEV1 parent 1:0 prio 0 protocol ip handle 23 fw flowid 1:23
>
> # Marking the packets. Packets are marked on the opposite interface so that they are not
> # affected by the NAT done by the firewall rules
>
> iptables -t mangle -N MYSHAPER-OUT
> iptables -t mangle -I PREROUTING -i $DEV0 -j MYSHAPER-OUT
>
> #iptables -t mangle -A MYSHAPER-IN -p tcp --sport ssh -j MARK --set-mark 20
>
>
> iptables -A MYSHAPER-OUT -d 172.9.264.30 -t mangle -j MARK --set-mark 20
> iptables -A MYSHAPER-OUT -d 172.9.264.31 -t mangle -j MARK --set-mark 20
> iptables -A MYSHAPER-OUT -d 172.9.264.32 -t mangle -j MARK --set-mark 20
>
> iptables -A MYSHAPER-OUT -d 172.9.234.22 -t mangle -j MARK --set-mark 21
> iptables -A MYSHAPER-OUT -d 172.9.234.71 -t mangle -j MARK --set-mark 21
>
> iptables -A MYSHAPER-OUT -d 172.9.234.25 -t mangle -j MARK --set-mark 22
>
> iptables -A MYSHAPER-OUT -d 172.9.234.14 -t mangle -j MARK --set-mark 23
>
> # redundant- mark any unmarked packets as 26 (low prio)
This won't mark local addresses as the mangle table in PREROUTING is
before de-nat happens. Also I thought 172.x.x.x private range started at
172.16.x.x .
You could move MYSHAPER-OUT (though I would call it IN) to FORWARD or
use tc filters to match the addresses directly rather than match marks.
>
> # The rest of the traffic goes to the default flow, 2:37.
>
> # Done with inbound shaping
> #
> ####################################################
>
> echo "Control del enlace descendente activado."
>
> # If you only want to control the downlink, uncomment the following exit instruction
> #exit
>
> ###########################################################
> #
> # Outbound Shaping (limits total bandwidth to 1000Kbps)
> # This is the uplink, from Cherrytel's internal network to the Internet
>
> # set queue size to give latency of about 2 seconds on low-prio packets
> ip link set dev $DEV0 qlen 30
>
> # changes mtu on the outbound device. Lowering the mtu will result
> # in lower latency but will also cause slightly lower throughput due
> # to IP and TCP protocol overhead.
> ip link set dev $DEV0 mtu 1000
>
> # add HTB root qdisc
> $TC qdisc add dev $DEV0 root handle 2: htb default 73
>
> # add main rate limit classes
> $TC class add dev $DEV0 parent 2: classid 2:1 htb rate 1000kbit
>
> # add leaf classes - We grant each class at LEAST its "fair share" of bandwidth.
> # this way no class will ever be starved by another class. Each
> # class is also permitted to consume all of the available bandwidth
> # if no other classes are in use.
> $TC class add dev $DEV0 parent 2:1 classid 2:70 htb rate 64kbit ceil 1000kbit
> $TC class add dev $DEV0 parent 2:1 classid 2:71 htb rate 64kbit ceil 1000kbit
> $TC class add dev $DEV0 parent 2:1 classid 2:72 htb rate 64kbit ceil 1000kbit
> $TC class add dev $DEV0 parent 2:1 classid 2:87 htb rate 744kbit ceil 1000kbit
>
> $TC class add dev $DEV0 parent 2:1 classid 2:73 htb rate 64kbit ceil 64kbit # test
>
> # attach qdisc to leaf classes - here we attach SFQ to each priority class. SFQ ensures that
> # within each class connections will be treated (almost) fairly.
> $TC qdisc add dev $DEV0 parent 2:70 handle 70: sfq perturb 10
> $TC qdisc add dev $DEV0 parent 2:71 handle 71: sfq perturb 10
> $TC qdisc add dev $DEV0 parent 2:72 handle 72: sfq perturb 10
> $TC qdisc add dev $DEV0 parent 2:87 handle 87: sfq perturb 10
>
> $TC qdisc add dev $DEV0 parent 2:73 handle 73: sfq perturb 10
>
> # filter traffic into classes by fwmark - here we direct traffic into priority class according to
> # the fwmark set on the packet (we set fwmark with iptables
> # later). Note that above we've set the default priority
> # class to 1:87 so unmarked packets (or packets marked with
> # unfamiliar IDs) will be defaulted to the lowest priority
> # class.
> $TC filter add dev $DEV0 parent 2:0 prio 1 protocol ip handle 70 fw flowid 1:70
> $TC filter add dev $DEV0 parent 2:0 prio 2 protocol ip handle 71 fw flowid 1:71
> $TC filter add dev $DEV0 parent 2:0 prio 3 protocol ip handle 72 fw flowid 1:72
> $TC filter add dev $DEV0 parent 2:0 prio 4 protocol ip handle 73 fw flowid 1:73
These should be flowid 2:70 not 1:70 etc.
Andy.
>
> # Marking the packets. Packets are marked on the opposite interface so that they are not
> # affected by the NAT done by the firewall rules
>
> iptables -t mangle -N MYSHAPER-IN
> iptables -t mangle -I PREROUTING -i $DEV1 -j MYSHAPER-IN
>
> #iptables -t mangle -A MYSHAPER-IN -p ! tcp -j MARK --set-mark 20
>
>
> iptables -A MYSHAPER-IN -s 172.9.234.30 -t mangle -j MARK --set-mark 70
> iptables -A MYSHAPER-IN -s 172.9.234.31 -t mangle -j MARK --set-mark 70
> iptables -A MYSHAPER-IN -s 172.9.234.32 -t mangle -j MARK --set-mark 70
>
> iptables -A MYSHAPER-IN -s 172.9.234.22 -t mangle -j MARK --set-mark 71
> iptables -A MYSHAPER-IN -s 172.9.234.71 -t mangle -j MARK --set-mark 71
>
> iptables -A MYSHAPER-IN -s 172.9.234.25 -t mangle -j MARK --set-mark 72
>
> # Test WiFi machine
> iptables -A MYSHAPER-IN -s 172.9.234.14 -t mangle -j MARK --set-mark 73
>
> # The rest of the traffic goes to the default flow, 2:87.
>
>
> # Done with outbound shaping
>
> ####################################################
>
> echo "Control del enlace ascendente activado."
>
> exit
>
> Thanks for your help!
>
>
>
> Best regards
>
> Miguel Ángel Domínguez Durán.
> Technical Department.
> Cherrytel Comunicaciones, S.L.
> mdominguez@cherrytel.com
> http://www.cherrytel.com/
> Tlf. 902 115 673
> Fax 952218170
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
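The two corrections in Andy's reply, written out as an added example (this is not the poster's script or Andy's code): the uplink fw filters derive their flowid major number from the root handle of the same device, and the downlink classification either marks in mangle FORWARD (after de-NAT) or matches the LAN address directly with a tc u32 filter. Device names, handles, class numbers and the 172.9.234.x hosts come from the post; the helper names and the DRY_RUN convention are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: applies the two corrections
# from the reply. Device names, root handles (1: on eth1, 2: on eth0),
# class/mark numbers and the 172.9.234.x hosts are the poster's; helper
# names are assumptions. Commands are printed unless DRY_RUN=0 (run as root).
DRY_RUN=${DRY_RUN:-1}
TC=${TC:-/usr/sbin/tc}

run() { if [ "$DRY_RUN" = "0" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Fix 1: a flowid's major number must match the root qdisc handle of the
# same device, so derive it from the handle (2:70 on eth0, never 1:70).
fw_filter() {  # fw_filter DEV ROOTMAJOR MARK  -> class ROOTMAJOR:MARK
    run $TC filter add dev "$1" parent "$2:0" protocol ip prio 1 \
        handle "$3" fw flowid "$2:$3"
}

# Fix 2a: mangle PREROUTING on eth0 sees the public address of inbound
# packets because DNAT has not been undone yet. mangle FORWARD runs after
# routing, so the private LAN destination is visible there.
mark_dst() {  # mark_dst CHAIN LANIP MARK
    run iptables -t mangle -A "$1" -d "$2" -j MARK --set-mark "$3"
}

# Fix 2b: skip marks entirely and match the LAN address with a u32 filter
# on the LAN-facing device, where the packet already carries its real
# destination address.
u32_dst_filter() {  # u32_dst_filter DEV ROOTMAJOR CLASSMINOR LANIP
    run $TC filter add dev "$1" parent "$2:0" protocol ip prio 2 \
        u32 match ip dst "$4/32" flowid "$2:$3"
}

# Uplink (eth0, root handle 2:): fw filters with the correct major number.
for m in 70 71 72 73; do fw_filter eth0 2 "$m"; done

# Downlink (eth1, root handle 1:), option a: mark in FORWARD, not PREROUTING.
run iptables -t mangle -N MYSHAPER-OUT
run iptables -t mangle -I FORWARD -i eth0 -o eth1 -j MYSHAPER-OUT
mark_dst MYSHAPER-OUT 172.9.234.30 20
mark_dst MYSHAPER-OUT 172.9.234.14 23

# Downlink, option b: direct u32 matches, no iptables involved.
u32_dst_filter eth1 1 20 172.9.234.30
u32_dst_filter eth1 1 23 172.9.234.14
```

Running the file as-is prints the commands so they can be checked against `tc -s class show` output before applying them with DRY_RUN=0.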