* [LARTC] do I need to iptables mark in this scenario?
From: Ron McKown @ 2005-04-27 14:36 UTC
To: lartc
Hello,
Really new to advanced Linux routing, but I have managed to set up
something that sort of works for my needs.
I have a linux box with this configuration:
Internet - eth0 - eth1 - many users
I'm using a NAT to allow my users Internet access.
On some users, I wish to shape their download speeds as to not overload
our outside connection.
Here is what I do to shape them at 64k down (only two users shown in
this example, but I have hundreds that will be shaped):
SIXFOUR=64
DEV=eth1
# clean up qdiscs
tc qdisc del dev $DEV root 2> /dev/null > /dev/null
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 50mbit

# DELL
tc class add dev $DEV parent 1: classid 1:1 cbq rate ${SIXFOUR}kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.0.199 flowid 1:1
tc qdisc add dev $DEV parent 1:1 sfq perturb 10

# TYR
tc class add dev $DEV parent 1: classid 1:2 cbq rate ${SIXFOUR}kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.0.133 flowid 1:2
tc qdisc add dev $DEV parent 1:2 sfq perturb 10
Each user gets their own section.
This works great for downspeed only, but I also want to shape them at
64k up as well. I can't shape them on eth0, because by the time their
packets get to that interface, they've already been NAT'd to a different
address.
After lots of reading on the mailing list archive, it appears the best
way to handle this is to mark packets from each user, then on eth0 have
HTB or CBQ (really unsure which to use) shape each marked packet
accordingly. Currently, I'm matching by IP (u32?), so should I match by
fwmark instead?
Any help is really appreciated or even a sample script concept would
make the operation more clear!
Ron
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] do I need to iptables mark in this scenario?
From: Sylvain BERTRAND @ 2005-04-27 14:49 UTC
To: lartc
On Wed 27 April 2005 16:36, Ron McKown wrote:
> Hello,
> really new to advanced linux routing, but I have managed to setup
> something that sort of works for my needs.
>
> I have a linux box with this configuration:
>
> Internet - eth0 - eth1 - many users
>
> I'm using a NAT to allow my users Internet access.
>
> On some users, I wish to shape their download speeds as to not overload
> our outside connection.
>
> Here is what I do to shape them at 64k down: (only two users shown in
> this example(but I have hundreds that will be shaped))
> SIXFOUR=64
> DEV=eth1
> # clean up qdiscs
> tc qdisc del dev $DEV root 2> /dev/null > /dev/null
> tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 50mbit
>
> # DELL
> tc class add dev $DEV parent 1: classid 1:1 cbq rate ${SIXFOUR}kbit allot 1500 prio 5 bounded isolated
> tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.0.199 flowid 1:1
> tc qdisc add dev $DEV parent 1:1 sfq perturb 10
>
> # TYR
> tc class add dev $DEV parent 1: classid 1:2 cbq rate ${SIXFOUR}kbit allot 1500 prio 5 bounded isolated
> tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.0.133 flowid 1:2
> tc qdisc add dev $DEV parent 1:2 sfq perturb 10
>
> each user gets their own section.
> This works great for downspeed only, but I also want to shape them at
> 64k up as well. I can't shape them on eth0, because by the time their
> packets get to that interface, they've already been NAT'd to a different
> address.
>
> After lots of reading on the mailing list archive, it appears the best
> way to handle this is to mark packets from each user, then on eth0 have
> HTB or CBQ (really unsure which to use) shape each marked packet
> accordingly. Currently, I'm matching by IP (u32?), so should I match by
> fwmark instead?
>
> Any help is really appreciated or even a sample script concept would
> make the operation more clear!
>
> Ron
http://lartc.org/howto/lartc.cookbook.ultimate-tc.html#AEN2241
tc qdisc add dev $DEV handle ffff: ingress
tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
This means you can limit bandwidth for incoming packets too.
I think you can shape your users' UL on eth1 with "ingress" without having
to mark packets...
Regards,
Sylvain
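A worked version of the ingress approach Sylvain points to, added here as an example; it is not part of his message or of the LARTC cookbook. It installs the ingress qdisc on the users' interface and adds one police filter per user, matching the user's private source address (the cookbook line matches 0.0.0.0/0, i.e. everything; the per-user match is a generalisation of it). The interface name, the rate and the two user addresses are constructed for the example; DRY_RUN=1 (the default here) prints the tc commands instead of executing them, since applying them needs root and the real interface.

```shell
#!/bin/sh
# Added example: per-user upload limiting with an ingress qdisc and police
# filters on the users' interface. Packets a user sends arrive on eth1 with
# their private source address still intact (SNAT happens later, on the way
# out of eth0), so policing eth1 ingress caps each user's upload without marks.
# DEV, UPLINK_KBIT and USERS are constructed values, not from the thread.

DEV="${DEV:-eth1}"
UPLINK_KBIT="${UPLINK_KBIT:-64}"
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands, 0 = run them (root)
USERS="192.168.0.199 192.168.0.133"   # constructed sample user list

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# (Re)install the ingress qdisc; the delete fails harmlessly if none exists.
setup_ingress() {
    run tc qdisc del dev "$DEV" ingress 2>/dev/null || true
    run tc qdisc add dev "$DEV" handle ffff: ingress
}

# Police one user's upload: packets from $1 above UPLINK_KBIT are dropped.
# Ingress has no queue, so excess is dropped rather than delayed; TCP backs
# off in response, which is why a modest burst is allowed.
police_user() {
    run tc filter add dev "$DEV" parent ffff: protocol ip prio 50 \
        u32 match ip src "$1/32" \
        police rate "${UPLINK_KBIT}kbit" burst 10k drop flowid :1
}

main() {
    setup_ingress
    for u in $USERS; do
        police_user "$u"
    done
}

main
```

Run it with DRY_RUN=0 as root to apply. The trade-off to keep in mind: a police filter drops, it does not queue, so a TCP stream held at the policed rate is choppier than it would be under egress CBQ or HTB shaping, and nothing here stops a user from hammering the drop path. Marking and shaping on the egress interface, as discussed later in the thread, queues instead of dropping, at the cost of the extra iptables rules.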
* Re: [LARTC] do I need to iptables mark in this scenario?
From: Andy Furniss @ 2005-04-27 20:24 UTC
To: lartc
Ron McKown wrote:
> After lots of reading on the mailing list archive, it appears the best
> way to handle this is to mark packets from each user, then on eth0 have
> HTB or CBQ (really unsure which to use) shape each marked packet
> accordingly. Currently, I'm matching by IP (u32?), so should I match by
> fwmark instead?
Yes, you could do that, or if you are using a recent kernel/iptables you can
classify directly.
http://www.netfilter.org/patch-o-matic/pom-submitted.html
If you need to use mark just do something like
$IPTABLES -t mangle -A POSTROUTING --src 192.168.0.4 -j MARK --set-mark 34
and then match it with a filter on eth0
$TC filter add dev eth0 parent 1:0 prio 6 protocol ip handle 34 fw flowid 1:34
Andy.
* Re: [LARTC] do I need to iptables mark in this scenario?
From: Ron McKown @ 2005-04-28 14:10 UTC
To: lartc
Hi Andy,
I've followed your advice and it works brilliantly. However, I did fail
to mention something else which is causing a problem:
Internet - eth0 - eth1 users (192.168.x.x)
local net- eth2 (10.0.x.x)
There is another interface in this router (eth2) that should not be
shaped at all (it goes to another local network).
My problem is, I can shape Internet traffic going to a user on eth1
(down), and user traffic going to the Internet on eth0 (up).
However, if the downspeed is being shaped on eth1, that means that
customers wanting something from eth2 will also be shaped.
I thought maybe I could only mark packets with a destination to eth0,
which means packets going to eth2 would be left untouched, but that
doesn't appear to work, or maybe I'm making a mistake.
Here's my marking rule:
iptables -t mangle -A POSTROUTING --src 192.168.0.84 -o eth0 -j MARK --set-mark 34
and here are the CBQ rules (should I be using HTB for this??)
SIXFOURu
VEGA
DEV=eth1
DEVTEST=eth0
tc class add dev $DEV parent 1: classid 1:30 cbq rate ${SIXFOUR}kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: prio 6 protocol ip handle 34 fw flowid 1:30
tc qdisc add dev $DEV parent 1:30 sfq perturb 10
tc class add dev $DEVTEST parent 1: classid 1:30 cbq rate ${SIXFOUR}kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEVTEST parent 1: prio 6 protocol ip handle 34 fw flowid 1:30
tc qdisc add dev $DEVTEST parent 1:30 sfq perturb 10
This current setup does not shape eth0 traffic going to eth1 (because
I'm not using u32, I'm trying to shape on the mark).
On $DEV, if I replace the mark handle with a u32 ip address match, then
shaping will work, but then users downloading from interface eth2 will
also be shaped, which I don't want.
Am I getting close or really going down the wrong path here?
Thanks so much,
Ron
On Wed, 2005-04-27 at 21:24 +0100, Andy Furniss wrote:
> Ron McKown wrote:
>
> > After lots of reading on the mailing list archive, it appears the best
> > way to handle this is to mark packets from each user, then on eth0 have
> > HTB or CBQ (really unsure which to use) shape each marked packet
> > accordingly. Currently, I'm matching by IP (u32?), so should I match by
> > fwmark instead?
>
> Yes you could do that or if you are using recent kernel/iptables you can
> classify directly.
>
> http://www.netfilter.org/patch-o-matic/pom-submitted.html
>
> If you need to use mark just do something like
>
> $IPTABLES -t mangle -A POSTROUTING --src 192.168.0.4 -j MARK --set-mark 34
>
> and then match it with a filter on eth0
>
> $TC filter add dev eth0 parent 1:0 prio 6 protocol ip handle 34 fw flowid 1:34
>
> Andy.
* Re: [LARTC] do I need to iptables mark in this scenario?
From: Andy Furniss @ 2005-04-28 19:25 UTC
To: lartc
Ron McKown wrote:
> Hi Andy,
> I've followed your advice and it works brilliant. However, I did fail
> to mention something else which is causing a problem:
>
> Internet - eth0 - eth1 users (192.168.x.x)
> local net- eth2 (10.0.x.x)
>
> There is another interface in this router (eth2) that should not be
> shaped at all (it goes to another local network).
>
> My problem is, I can shape Internet traffic going to user on eth1
> (down), and user traffic going to Internet on eth0 (up).
> However, if the downspeed is being shaped on the eth1, that means that
> customers wanting something from eth2 will also be shaped.
>
> I thought maybe I could only mark packets with a destination to eth0,
> which means packets going to eth2 would be left untouched, but that
> doesn't appear to work, or maybe I'm making a mistake.
>
> here's my marking rule:
> iptables -t mangle -A POSTROUTING --src 192.168.0.84 -o eth0 -j MARK --set-mark 34
I would change marking to FORWARD; you can use -i and -o then, so for
upload from eth1 to the internet:
iptables -t mangle -A FORWARD -i eth1 -o eth0 -j MARK --set-mark 34
and download:
iptables -t mangle -A FORWARD -i eth0 -o eth1 -j MARK --set-mark 34
>
> and here's the cbq rules (should I be using HTB for this??)
I always use htb because it's what I am used to - I never really played
around with CBQ so can't say it's better or worse.
When I first read LARTC it said HTB was easier - so that's what I used.
Andy.
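The thread's end state, written out as one complete script. This is an added example, not Ron's or Andy's code: marks are set in the mangle FORWARD chain with -i/-o as Andy suggests in this reply, extended with a per-user -s/-d match so that each user gets their own mark, and the fw filters from Andy's first reply feed per-user HTB classes on both eth0 (upload) and eth1 (download). Traffic between eth1 and eth2 never matches the -i/-o pair, so it is never marked and lands in the unshaped default class, which is what Ron's second message asks for. Interface names, rates, the user list, the mark numbering (100 + user index) and the class ids are all constructed; DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: per-user upload/download shaping with fwmarks set in the
# mangle FORWARD chain and HTB classes fed by fw filters on each interface.
# Constructed for this example: interface names, rates, user list, and the
# mark scheme (mark = 100 + user index, class minor id = that mark in hex).

WAN="${WAN:-eth0}"             # towards the Internet (shapes upload)
LAN="${LAN:-eth1}"             # towards the shaped users (shapes download)
RATE_KBIT="${RATE_KBIT:-64}"   # per-user rate in each direction
LINK_MBIT="${LINK_MBIT:-50}"   # ceiling for unshaped traffic
DRY_RUN="${DRY_RUN:-1}"        # 1 = print commands, 0 = run them (root)
USERS="192.168.0.199 192.168.0.133"   # constructed sample user list

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mark for the Nth user. iptables and the fw filter take the mark in
# decimal; tc class ids are hexadecimal, so the same number is rendered
# in hex to name the user's class.
user_mark() { echo $((100 + $1)); }
mark_hex() { printf '%x\n' "$1"; }

# Fresh HTB root on one interface. Unmarked packets (eth2 traffic, the
# router's own traffic, users that are not shaped) go to default class 1:1.
setup_root() {
    run tc qdisc del dev "$1" root 2>/dev/null || true
    run tc qdisc add dev "$1" root handle 1: htb default 1
    run tc class add dev "$1" parent 1: classid 1:1 htb rate "${LINK_MBIT}mbit"
}

# One user's class on interface $1, fed by a fw filter on mark $2.
add_user_class() {
    hex=$(mark_hex "$2")
    run tc class add dev "$1" parent 1: classid "1:$hex" htb \
        rate "${RATE_KBIT}kbit" ceil "${RATE_KBIT}kbit"
    run tc qdisc add dev "$1" parent "1:$hex" sfq perturb 10
    run tc filter add dev "$1" parent 1: protocol ip prio 6 \
        handle "$2" fw flowid "1:$hex"
}

# Mark user $1's traffic with $2 in both directions, but only when it
# crosses between LAN and WAN. FORWARD runs before SNAT on the way out and
# after the reverse NAT on the way back, so the private address is what
# -s and -d see.
mark_user() {
    run iptables -t mangle -A FORWARD -i "$LAN" -o "$WAN" -s "$1" \
        -j MARK --set-mark "$2"
    run iptables -t mangle -A FORWARD -i "$WAN" -o "$LAN" -d "$1" \
        -j MARK --set-mark "$2"
}

main() {
    setup_root "$WAN"
    setup_root "$LAN"
    run iptables -t mangle -F FORWARD    # start from a clean mangle FORWARD
    i=0
    for u in $USERS; do
        i=$((i + 1))
        m=$(user_mark "$i")
        mark_user "$u" "$m"
        add_user_class "$WAN" "$m"     # upload leaves via eth0
        add_user_class "$LAN" "$m"     # download leaves via eth1
    done
}

main
```

ceil equal to rate hard-caps each class, the HTB equivalent of Ron's "bounded isolated" CBQ classes; raise ceil to let a user borrow idle bandwidth. The `iptables -t mangle -F FORWARD` wipes everything else in that chain, so drop it (or use a dedicated chain) if FORWARD is shared with other rules. Check the result with `tc -s class show dev eth0` and `iptables -t mangle -L FORWARD -v`: a user's class counters should move only for traffic that crosses eth0, and the eth1/eth2 rule counters should stay at zero.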