* QoS with netfilter
From: Erik @ 2005-12-10 12:53 UTC
To: netfilter
Am trying to add QoS to some web cam traffic on a network. Also a
newbie to netfilter.
Packet forwarding and NAT works fine. I can browse the web just fine
from 10.0.0.5.
Gateway <---------->Linux router<------------------>webcam
192.168.1.254<-->eth1 eth0 10.0.0.1<------->10.0.0.2
Tried netfilter commands like:
>iptables -t mangle -A FORWARD -s 10.0.0.0/8 -j DSCP --set-dscp 1
This does not work (Using Ethereal to inspect traffic)
Furthermore, a command like
>iptables -L FORWARD
lists a set of rules etc. but this QoS is not one of them apparently...
Please:
a) Suggest a solution to my problem.
b) Suggest a QoS HOWTO. (Other than http://iptables-tutorial.frozentux.net )
Thanks
* Re: QoS with netfilter
From: Thilo Schulz @ 2005-12-10 12:57 UTC
To: netfilter
On Saturday 10 December 2005 13:53, Erik wrote:
> Am trying to add QoS to some web cam traffic on a network. Also a
> newbie to netfilter.
Netfilter is not really meant to do QoS stuff, only to support it. You should
visit http://www.lartc.org/ for QoS stuff in Linux.
--
Thilo Schulz
* Re: QoS with netfilter
From: Erik @ 2005-12-10 13:28 UTC
To: Thilo Schulz; +Cc: netfilter
The entire http://www.lartc.org/lartc.html has not a single reference
to setting DSCP.
Can you be more specific?
On 12/10/05, Thilo Schulz <arny@ats.s.bawue.de> wrote:
> On Saturday 10 December 2005 13:53, Erik wrote:
> > Am trying to add QoS to some web cam traffic on a network. Also a
> > newbie to netfilter.
>
> Netfilter is not really meant to do QoS stuff, only to support it. You should
> visit http://www.lartc.org/ for QoS stuff in Linux.
>
> --
> Thilo Schulz
>
>
>
* Re: QoS with netfilter (nfcan: addressed to exclusive sender for this address)
From: Jim Laurino @ 2005-12-10 15:08 UTC
To: netfilter
On 2005.12.10 07:53, Erik - erikev@gmail.com wrote:
> Am trying to add QoS to some web cam traffic on a network.
> Also a newbie to netfilter.
>
...
>
> Tried netfilter commands like:
> >iptables -t mangle -A FORWARD -s 10.0.0.0/8 -j DSCP --set-dscp 1
>
...
> Furthermore, a command like
> >iptables -L FORWARD
>
> list a set of rules etc but this QoS is not one of them apparently...
>
The -L command has a default table argument, filter.
If you want to see the contents of another table,
you have to specify the table explicitly. Try this:
iptables -t mangle -L -xnv
--
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
* Re: QoS with netfilter
From: Cedric Blancher @ 2005-12-10 16:34 UTC
To: Erik; +Cc: netfilter, Thilo Schulz
On Saturday 10 December 2005 at 05:28 -0800, Erik wrote:
> The entire http://www.lartc.org/lartc.html has not a single reference
> to setting DSCP.
Why is DSCP so important to you? Basically, you can use TOS to do exactly
the same thing (it's the same field, different version).
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: QoS with netfilter
From: Erik @ 2005-12-10 18:14 UTC
To: Cedric Blancher; +Cc: netfilter, Thilo Schulz
dscp is not important. You have a suggestion how to set TOS?
I would ideally like to control the whole byte. Either TOS or DSCP and ECN.
How can I change all these bits (i.e. the whole byte) with the
netfilter mangle table or other?
On 12/10/05, Cedric Blancher <blancher@cartel-securite.fr> wrote:
> On Saturday 10 December 2005 at 05:28 -0800, Erik wrote:
> > The entire http://www.lartc.org/lartc.html has not a single reference
> > to setting DSCP.
>
> Why is DSCP so important to you? Basically, you can use TOS to do exactly
> the same thing (it's the same field, different version).
>
>
> --
> http://sid.rstack.org/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread!
>
* Re: QoS with netfilter
From: Thilo Schulz @ 2005-12-10 18:40 UTC
To: netfilter
On Saturday 10 December 2005 19:14, Erik wrote:
> How can I change all these bits (i.e. the whole byte) with the
> netfilter mangle table or other?
Do you know "man"?
man iptables
/DSCP
--
Thilo Schulz
* Re: QoS with netfilter
From: Cedric Blancher @ 2005-12-10 19:45 UTC
To: Erik; +Cc: netfilter, Thilo Schulz
On Saturday 10 December 2005 at 10:14 -0800, Erik wrote:
> dscp is not important. You have a suggestion how to set TOS?
> I would ideally like to control the whole byte. Either TOS or DSCP and ECN.
> How can I change all these bits (i.e. the whole byte) with the
> netfilter mangle table or other?
I think you're taking the problem the wrong way. Altering DSCP/TOS won't
change the way packets are treated, because by default, there's no QoS
policy. So you'll have to set a QoS policy yourself that fits your
needs.
To do this, you have to read LARTC as advised before. Then, your QoS
policy can be built upon TOS/DSCP value, but you can use stuff like u32
classifier or MARK.
Have you tried stuff like cbq-init or htb-init (see Google)?
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: QoS with netfilter
From: Daniel Lopes @ 2005-12-11 0:56 UTC
Cc: netfilter
Cedric Blancher wrote:
> On Saturday 10 December 2005 at 10:14 -0800, Erik wrote:
>
>>dscp is not important. You have a suggestion how to set TOS?
>>I would ideally like to control the whole byte. Either TOS or DSCP and ECN.
>>How can I change all these bits (i.e. the whole byte) with the
>>netfilter mangle table or other?
>
>
> I think you're taking the problem the wrong way. Altering DSCP/TOS won't
> change the way packets are treated, because by default, there's no QoS
> policy. So you'll have to set a QoS policy yourself that fits your
> needs.
>
> To do this, you have to read LARTC as advised before. Then, your QoS
> policy can be built upon TOS/DSCP value, but you can use stuff like u32
> classifier or MARK.
>
> Have you tried stuff like cbq-init or htb-init (see Google) ?
>
>
Perhaps I'm wrong but the handling will be done by IP as soon as the
bits are set. That's the way the internet routers should work. With tc
you can do other schemes of handling. Correct me please if I'm wrong.
* Re: QoS with netfilter
From: Cedric Blancher @ 2005-12-11 8:07 UTC
To: Daniel Lopes; +Cc: netfilter
On Sunday 11 December 2005 at 01:56 +0100, Daniel Lopes wrote:
> Perhaps I'm wrong but the handling will be done by IP as soon as the
> bits are set. That's the way the internet routers should work. With tc
> you can do other schemes of handling. Correct me please if I'm wrong.
I haven't seen a public router reading TOS/DSCP values from foreign
packets. If so, what would be the point? Everybody would ask for higher
bandwidth, higher priority, and we would end just the same we were
before.
AFAIK, there's no requirement for an IP stack to apply QoS policy to
TOS/DSCP marked packets, unless the admin has decided so. You have to
use tc for that (at least for TOS I'm sure).
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: QoS with netfilter
From: Erik @ 2005-12-11 9:18 UTC
To: Cedric Blancher; +Cc: netfilter
I have a lot of answers to this but nobody has responded to what I
asked. Please bear with me and help me find out what my problem might
*actually* be.
Has anyone actually used this feature in iptables?
No, I do not need this router to handle these packages with *any* QoS.
Other routers handle QoS. In fact a lot of routers are updated to handle QoS.
What I need is *very* simple.
Please do not refer to man pages, lartc etc. that have no answer to my question.
I am only trying to get a feature to function as described in man iptables.
namely:
>iptables -t mangle -A FORWARD -s 10.0.0.0/8 -j DSCP --set-dscp 1
and then:
verify that the TOS/DSCP bits are set correctly
I was hoping for a discussion like:
a) confirmation that this feature actually is implemented and should
work with the 2.6.12 kernel (or that it is not!)
b) things to verify like patches etc
c) actual commands to test this
Thanks
* Re: QoS with netfilter (nfcan: addressed to exclusive sender for this address)
From: Erik @ 2005-12-11 9:40 UTC
To: nfcan.x.jimlaur; +Cc: netfilter
Thanks,
The packets are getting set properly. I am however still getting 0x00
on the wire. Quite strange.
Questions:
1) Can the stack force this to zero somewhere else?
2) (Sidebar) How can TOS be set? I see many packets with TOS
set (according to ipfilter -L, wire is still 0x00) but grep'ing the
'man iptables' gives no hits on TOS
This is on 2.6.12-12mdk and mandriva
On 12/10/05, Jim Laurino <nfcan.x.jimlaur@dfgh.net> wrote:
> On 2005.12.10 07:53, Erik - erikev@gmail.com wrote:
> > Am trying to add QoS to some web cam traffic on a network.
> > Also a newbie to netfilter.
> >
> ...
> >
> > Tried netfilter commands like:
> > >iptables -t mangle -A FORWARD -s 10.0.0.0/8 -j DSCP --set-dscp 1
> >
> ...
> > Furthermore, a command like
> > >iptables -L FORWARD
> >
> > list a set of rules etc but this QoS is not one of them apparently...
> >
>
> The -L command has a default table argument, filter.
> If you want to see the contents of another table,
> you have to specify the table explicitly. Try this:
>
> iptables -t mangle -L -xnv
>
> --
> Jim Laurino
> nfcan.x.jimlaur@dfgh.net
> Please reply to the list.
> Only mail from the listserver reaches this address.
>
>
* Re: QoS with netfilter (nfcan: addressed to exclusive sender for this address)
From: Cedric Blancher @ 2005-12-11 10:13 UTC
To: Erik; +Cc: nfcan.x.jimlaur, netfilter
On Sunday 11 December 2005 at 01:40 -0800, Erik wrote:
> 2) (Sidebar) How can TOS be set? I see many packets with TOS
> set (according to ipfilter -L, wire is still 0x00) but grep'ing the
> 'man iptables' gives no hits on TOS
iptables -j TOS --help
BTW, I know it may not be very useful for you, but:
iptables -t mangle -A OUTPUT -j DSCP --set-dscp 0x20
Has my DSCP field modified to 0x20 for packets sniffed on output. Same
for TOS target.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: QoS with netfilter
From: Thilo Schulz @ 2005-12-11 13:19 UTC
To: netfilter
On Sunday 11 December 2005 10:18, Erik wrote:
> I have a lot of answers to this but nobody has responded to what I
> asked. Please bear with me and help me find out what my problem might
> *actually* be.
Sorry you are right.
> Has anyone actually used this feature in iptables?
Yes.
> No, I do not need this router to handle these packages with *any* QoS.
> Other routers handle QoS. In fact a lot of routers are updated to handle QoS.
These bits should work nice in theory, but in my experience they offer little
to no improvement.
> a) confirmation that this feature actually is implemented and should
> work with the 2.6.12 kernel (or that it is not!)
It should work, yes.
> b) things to verify like patches etc
No clue.
> c) actual commands to test this
tcpdump -i eth0 -v
prints out the tos field on all packets traversing the interface eth0.
--
Thilo Schulz
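
Added example, not part of the thread: the thread sets DSCP with `--set-dscp` and checks the result with `tcpdump -v`, which prints the whole TOS byte. This Python sketch shows how a 6-bit DSCP value lands in that byte (upper six bits, ECN in the lower two) and why the header checksum must be refreshed after the rewrite. The function names and the sample header are constructed for illustration; this models the field arithmetic, not the kernel's code.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for an intact header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def split_tos(header: bytes) -> tuple[int, int, int]:
    """Return (tos_byte, dscp, ecn) from byte 1 of an IPv4 header."""
    tos = header[1]
    return tos, tos >> 2, tos & 0x03

def set_dscp(header: bytes, dscp: int) -> bytes:
    """Rewrite the upper six bits of byte 1, keep ECN, refresh the checksum."""
    if not 0 <= dscp <= 0x3F:
        raise ValueError("DSCP is a 6-bit value (0..63)")
    if not header or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    hdr = bytearray(header[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"  # checksum is computed with its own field zeroed
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + header[ihl:]

def build_sample_header(tos: int = 0x00) -> bytes:
    """Constructed 20-byte header: 10.0.0.2 -> 192.168.1.254, TCP, TTL 64."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, 0x4000,
                                64, 6, 0, bytes([10, 0, 0, 2]),
                                bytes([192, 168, 1, 254])))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    # The two values used in the thread: --set-dscp 1 and --set-dscp 0x20.
    for dscp in (1, 0x20):
        tos, d, ecn = split_tos(set_dscp(build_sample_header(), dscp))
        print(f"--set-dscp {dscp:#04x} -> tos {tos:#04x} (dscp {d}, ecn {ecn})")
```

A capture that shows `tos 0x0` after the rule has matched therefore means the byte was not rewritten on that path, not that the value is being displayed in a different form.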
* Re: QoS with netfilter
From: Vinod Chandran @ 2005-12-12 5:36 UTC
To: netfilter
Hi,
If you want to know how DSMARK and DSCP are used for QoS, check out the
following link
http://opalsoft.net/qos/DS-29.htm
However, this doesn't use netfilter.
If you want to use netfilter, I think the best way is to have
iptables rules in FORWARD, to set mark values on the basis of specific
conditions,
like --src 192.168.1.0/24 -j MARK --set-mark 1.
This mark value can be further used in tc filter commands.
If this will suffice you, I can elaborate more on this process.
Regards,
Vinod C
Thilo Schulz wrote:
> On Sunday 11 December 2005 10:18, Erik wrote:
>> I have a lot of answers to this but nobody has responded to what I
>> asked. Please bear with me and help me find out what my problem might
>> *actually* be.
>
> Sorry you are right.
>
>> Has anyone actually used this feature in iptables?
>
> Yes.
>
>> No, I do not need this router to handle these packages with *any* QoS.
>> Other routers handle QoS. In fact a lot of routers are updated to handle QoS.
>
> These bits should work nice in theory, but in my experience they offer little
> to no improvement.
>
>> a) confirmation that this feature actually is implemented and should
>> work with the 2.6.12 kernel (or that it is not!)
>
> It should work, yes.
>
>> b) things to verify like patches etc
>
> No clue.
>
>> c) actual commands to test this
>
> tcpdump -i eth0 -v
>
> prints out the tos field on all packets traversing the interface eth0.