From: Vadtec <vadtec@vadtec.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Question about how TC enforces bandwidth limiting
Date: Thu, 06 Sep 2007 17:43:03 +0000
Message-ID: <46E03C27.3010104@vadtec.net>
In-Reply-To: <46D758ED.2030705@vadtec.net>

Ok, I messed around with 6 different setups over 10 hours yesterday. The 
only one I can get to work properly is my original one.

So, now I'm to the theory stage of trying to figure this out. I got a 
reply from a mailing list user saying I need to do egress filtering in 
two places.

While I could not understand what they were saying very well, it did 
leave me to ponder this theory. It seems to me the whole problem has 
been how I am handling ingress traffic on eth0 (WAN interface). As it 
stands, I do rate limit it and will drop if it's coming in too fast. But 
is there anything that's stopping me from routing ingress traffic through 
the egress queues on its way to the LAN? Or will that seriously break 
traffic shaping?

What I'm thinking is, the ingress qdisc doesn't really control 
anything. So, if I were to route it (say with an iptables rule) to an 
egress qdisc on eth1, I could truly control ingress traffic.

I really don't think this will work as it seems like I am quashing all 
the traffic down one side of what should be a two-sided link. While I 
cannot think of a way to visualize this with ASCII art, I can summarize 
the ingress and egress pathways in linear format, as such:

   Egress (LAN to Internet)
--------> LAN traffic ---> eth1 (egress) ---> eth0 (egress) ---> WAN ------------------------------------------
|                                                                                                             |
|                                                                                                             |
|                                                                                                             |
|  Ingress (Internet to LAN)                                                                                  |
--------LAN <--- eth1 (ingress) <--- eth0 (egress to eth1 ingress) <--- eth0 (ingress) <--- WAN traffic <--------

or

   Egress (LAN to Internet)
--------> LAN traffic ---> eth1 (egress) ---> eth0 (egress) ---> WAN ------------------------------------------
|                                                                                                             |
|                                                                                                             |
|                                                                                                             |
|  Ingress (Internet to LAN)                                                                                  |
--------LAN <--- eth1 (egress) <--- eth0 (ingress to eth1 ingress) <--- eth0 (ingress) <--- WAN traffic <--------

I hate to be so pessimistic. But so far all I've gotten is everyone 
saying "You need to filter ingress traffic" with no real or concrete 
examples of how to do such a thing. And the LARTC How To doesn't 
describe it very well either. It's like ingress filtering is just not 
done, and those that do it are using such complicated methods that it's 
not worth sharing them.

So, unless someone can provide me with a concrete example of true 
ingress filtering, or how to filter ingress on the LAN side or WAN side 
or whichever side I need to filter it on, I am completely stuck.

Vadtec
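
The idea raised in this message (controlling download traffic by queuing it on eth1's egress, with a policer on eth0 ingress as a backstop), sketched as an added example that is not part of the original post or thread. The rates, the two-class split and the TOS match are assumptions; only the interface names come from the message.

```shell
#!/bin/sh
# Added example: emit tc commands that shape download traffic on the LAN egress
# queue (eth1) and keep a coarse policer on WAN ingress (eth0) as a backstop.
# Interface names follow the post; rates and class split are assumed values.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
DOWN_KBIT=${DOWN_KBIT:-8000}    # assumed downstream link rate in kbit/s

pct() { echo $(( $1 * $2 / 100 )); }    # integer percentage of a rate

emit_download_shaper() {
    shaped=$(pct "$DOWN_KBIT" 90)    # below link rate, so the queue forms here
    policed=$(pct "$DOWN_KBIT" 95)   # hard ceiling for anything arriving on WAN
    bulk=$(pct "$shaped" 20)         # guaranteed share of the default class
    inter=$(( shaped - bulk ))       # guaranteed share of the interactive class
    cat <<EOF
tc qdisc del dev $LAN_IF root 2>/dev/null || true
tc qdisc add dev $LAN_IF root handle 1: htb default 20
tc class add dev $LAN_IF parent 1: classid 1:1 htb rate ${shaped}kbit ceil ${shaped}kbit
tc class add dev $LAN_IF parent 1:1 classid 1:10 htb rate ${inter}kbit ceil ${shaped}kbit prio 0
tc class add dev $LAN_IF parent 1:1 classid 1:20 htb rate ${bulk}kbit ceil ${shaped}kbit prio 1
tc qdisc add dev $LAN_IF parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $LAN_IF parent 1:20 handle 20: sfq perturb 10
tc filter add dev $LAN_IF parent 1: protocol ip prio 1 u32 match ip tos 0x10 0xff flowid 1:10
tc qdisc add dev $WAN_IF handle ffff: ingress
tc filter add dev $WAN_IF parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${policed}kbit burst 10k drop flowid :1
EOF
}

# Print by default; set APPLY=1 (as root) to execute the commands.
if [ "${APPLY:-0}" = 1 ]; then
    emit_download_shaper | sh -x
else
    emit_download_shaper
fi
```

Traffic addressed to the router itself never leaves through eth1, so only forwarded traffic is shaped there; for the router's own downloads the eth0 policer is the only limit.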