[LARTC] can I use tos and fwmark at the same time?

[LARTC] can I use tos and fwmark at the same time?

[panca sorin]

[-- Attachment #1.1: Type: text/plain, Size: 3343 bytes --]

Hello lartc maintainers and users!
  I have a router with two NICs. One NIC is connected to the Internet and the other to my internal LAN. I made a script for priorizing interactive traffic. The script matches TOS Minimize-Delay for priorizing interactive trafic, and fwmark for metropolitan packets.
 I have two root classes (simulating two circuits) : 1:1 for internet and 1:3 for metropolitan.
 When I watch -n1 tc -s -d qdisc show, the classes that belong to metropolitan traffic (FE) on the two interfaces are not sending nor receiving any byte...
 Can someone help me out this situation? I list my tc and iptables scripts below (for some reason I could't attach them - "Invalid file").
 Thank you in advance!
 ---------------------------------------------------------------------------------------------------------------------
 my_script.sh:
       
#!/bin/bash  tc=/sbin/tc u=kbit U=Mbit RATE=256 metro=1  for eth in ` echo eth0 eth1 `; do     $tc qdisc del dev $eth root &>/dev/null     $tc qdisc add dev $eth root handle 1: htb default FF      # class default - non-priorized traffic     $tc class add dev $eth parent 1: classid 1:1 htb rate $RATE$u ceil $[$RATE-16]$u     $tc class add dev $eth parent 1:1 classid 1:FF htb rate 1$u ceil $[$RATE-16]$u prio 1     $tc qdisc add dev $eth parent 1:FF handle FF: sfq perturb 10      # priorized traffic - Internet (TOS = Minimize-Delay)     $tc class add dev $eth parent 1:1 classid 1:2 htb rate $[$RATE-16]$u ceil $[$RATE-16]$u burst 16k prio 0     $tc filter add dev $eth parent 1: protocol ip prio 1 u32 match ip tos 0x10 0xff flowid 1:2     $tc qdisc add dev $eth parent 1:2 handle 2: sfq perturb 10      # metropolitan (MARK = 1)     $tc class add dev $eth parent 1: classid 1:3 htb rate 100$U ceil 99$U     $tc class add dev $eth parent 1:3 classid 1:FE htb rate 99$U ceil 99$U     $tc qdisc
 add dev $eth parent 1:FE handle FE: sfq perturb 10     $tc filter add dev $eth parent 1: protocol ip prio 0 handle $metro fw flowid 1:FE done
----------------------------------------------------------------------------------------------------------------------
 output of iptables-save (mangle PREROUTING):
 
 -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --dport 443 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --sport 443 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --sport 5050 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --dport 5050 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --dport 6667 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --sport 6667 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --tcp-flags SYN ACK -j TOS --set-tos 0x10
 -A PREROUTING -s 82.77.124.128/255.255.255.224 -d 82.77.124.128/255.255.255.224 -j MARK --set-mark 0x1
 -A PREROUTING -s 82.77.124.128/255.255.255.224 -d 193.226.0.0/255.255.0.0 -j MARK --set-mark 0x1
 -A PREROUTING -s 193.226.0.0/255.255.0.0 -d 82.77.124.128/255.255.255.224 -j MARK --set-mark 0x1
 -A PREROUTING -s 192.129.0.0/255.255.0.0 -d 82.77.124.128/255.255.255.224 -j MARK --set-mark 0x1
 -A PREROUTING -s 82.77.124.128/255.255.255.224 -d 192.129.0.0/255.255.0.0 -j MARK --set-mark 0x1
 
 

		
---------------------------------
 Yahoo! FareChase - Search multiple travel sites in one click.  

[-- Attachment #1.2: Type: text/html, Size: 6270 bytes --]

[-- Attachment #2: Type: text/plain, Size: 143 bytes --]

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] can I use tos and fwmark at the same time?

[Andy Furniss]

panca sorin wrote:
> Hello lartc maintainers and users!
>   I have a router with two NICs. One NIC is connected to the Internet and the other to my internal LAN. I made a script for priorizing interactive traffic. The script matches TOS Minimize-Delay for priorizing interactive trafic, and fwmark for metropolitan packets.
>  I have two root classes (simulating two circuits) : 1:1 for internet and 1:3 for metropolitan.
>  When I watch -n1 tc -s -d qdisc show, the classes that belong to metropolitan traffic (FE) on the two interfaces are not sending nor receiving any byte...
>  Can someone help me out this situation? I list my tc and iptables scripts below (for some reason I could't attach them - "Invalid file").
>  Thank you in advance!
>  ---------------------------------------------------------------------------------------------------------------------
>  my_script.sh:

I only skimmed through - the lack of CRs make it a bit difficult to read.

One thing to note is that unlike htb, prio 1 is the top prio for filters 
- and you use prio 0 for the metro so this filter won't see traffic that 
has already been fclassified by the prio 1 tos filter.

Also when using tos be aware that some apps set it - so there could be 
other traffic than that set by the iptables rules.

Andy.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] can I use tos and fwmark at the same time?

[psihozefir]

Andy Furniss <andy.furniss@dsl.pipex.com> wrote:

    I only skimmed through - the lack of CRs make it a bit difficult to read.

    One thing to note is that unlike htb, prio 1 is the top prio for filters
    - and you use prio 0 for the metro so this filter won't see traffic that
    has already been fclassified by the prio 1 tos filter.

    Also when using tos be aware that some apps set it - so there could be
    other traffic than that set by the iptables rules.

    Andy.

I pasted the script from kwrite to Mozilla suite composer. I don't
know why there are no CRs. :(
I know that applications set the tos field (and I hope programmers
know if they are supposed to set it or not, and that they don't
cheat). I rely on this.
I will correct the prio error. My question still remains: is it
possible to use tos AND fwmark in the same rule (and the effect be an
AND - like in iptables, not an OR)?

My script:

#!/bin/bash
tc=/sbin/tc
u=kbit;U=Mbit
RATE%6
metro=1
for dev in ` echo eth0 eth1 `; do
    $tc qdisc del dev $dev root &>/dev/null
    $tc qdisc add dev $dev root handle 1: htb default FF

    # class default - non-priorized traffic
    $tc class add dev $dev parent 1: classid 1:1 \
         htb rate $RATE$u ceil $[$RATE-16]$u
    $tc class add dev $dev parent 1:1 classid 1:FF \
         htb rate 1$u ceil $[$RATE-16]$u prio 1
    $tc qdisc add dev $dev parent 1:FF handle FF: sfq perturb 10

    # priorized traffic - Internet (TOS = Minimize-Delay)
    $tc class add dev $dev parent 1:1 classid 1:2\
         htb rate $[$RATE-16]$u ceil $[$RATE-16]$u burst 16k prio 0
    $tc filter add dev $dev parent 1: protocol ip prio 1\
         u32 match ip tos 0x10 0xff flowid 1:2
    $tc qdisc add dev $dev parent 1:2 handle 2: sfq perturb 10

    # metropolitan (MARK = 1)
    $tc class add dev $dev parent 1: classid 1:3 htb rate 100$U ceil 99$U
    $tc class add dev $dev parent 1:3 classid 1:FE htb rate 99$U ceil 99$U
    $tc qdisc add dev $dev parent 1:FE handle FE: sfq perturb 10
    $tc filter add dev $dev parent 1: protocol ip prio 0\
         handle $metro fw flowid 1:FE
done
EOF

The output of iptables-save (mangle PREROUTING):
 -A PREROUTING -p tcp -m tcp --sport 21:22 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --dport 21:22 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --sport 80 -j TS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --dport 443 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --sport 443 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --sport 5050 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --dport 5050 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --dport 6667:7000 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --sport 6667:7000 -j TOS --set-tos 0x10
 -A PREROUTING -p tcp -m tcp --tcp-flags SYN ACK -j TOS --set-tos 0x10
 -A PREROUTING -s 82.77.124.128/255.255.255.224\
         -d 82.77.124.128/255.255.255.224 -j MARK --set-mark 0x1
 -A PREROUTING -s 82.77.124.128/255.255.255.224 -d 193.226.0.0/255.255.0.0\
         -j MARK --set-mark 0x1
 -A PREROUTING -s 193.226.0.0/255.255.0.0 -d 82.77.124.128/255.255.255.224\
         -j MARK --set-mark 0x1
 -A PREROUTING -s 192.129.0.0/255.255.0.0 -d 82.77.124.128/255.255.255.224\
         -j MARK --set-mark 0x1
 -A PREROUTING -s 82.77.124.128/255.255.255.224 -d 192.129.0.0/255.255.0.0\
         -j MARK --set-mark 0x1

Thank you!
Sorin.

P.S. I changed my registered e-mail address and I think I cannot post
from the old one, from which I received the message I now reply.
Please BCC my new address. Thank you!
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] can I use tos and fwmark at the same time?

[Andy Furniss]

psihozefir wrote:

> I pasted the script from kwrite to Mozilla suite composer. I don't
> know why there are no CRs. :(
> I know that applications set the tos field (and I hope programmers
> know if they are supposed to set it or not, and that they don't
> cheat). I rely on this.
> I will correct the prio error. My question still remains: is it
> possible to use tos AND fwmark in the same rule (and the effect be an
> AND - like in iptables, not an OR)?

Yes you just make it part of the same filter - though I couldn't get it 
to work with handle X fw. You can do it like this -

tc filter add dev $DEV parent $WHATEVER protocol ip prio 1 u32 match ip 
tos 0x10 0xff match mark 1 0xffffffff flowid $MYID.

Another way would be to setup a tree structure.

Andy.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc