Re: [half_OT]Traffic shaping with tc and iptables

[Nikolay Kichukov <hijacker@oldum.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
#create engress htb shaper:
tc qdisc add dev $IF root handle 1: htb
#setup some iface limits
tc class add dev $IF parent 1: classid 1:1 htb rate ${MAXOUT}kbit ceil ${MAXOUT}kbit burst 50kb

#add subclass for your application attached to the root class 1:1 - 1:10, set proper ceil value!
tc class add dev $IF parent 1:1 classid 1:10 htb rate 128kbit ceil ${MAXOUT}kbit prio 1 burst 5kb

#then just add filters, in that case port 53 - DNS
tc filter add dev $IF parent 1:0 protocol ip prio 10 u32 match ip dport 53 0xffff flowid 1:10


you are good to go!
tc qdisc -s show dev $IF

will tell you what is going on.

HTH,
- -N

On 09/08/2011 05:00 PM, Marco Coda wrote:
> 2011/9/8 Gáspár Lajos <swifty@freemail.hu>:
> 
> 
>> - If you send an e-mail then you connect from your system (from a random
>> port) to a mail server (to 25)...
>> Would you try with my proposed settings???
> 
> I just tried it, with rare 1Mbit, bandwidth 2 Mbit and iptables with
> --dport 25 and, even if the iptables rule is matched (I can see the
> packet count measuring the right size of the mail), tc seems to ignore
> those packets. I know that my postfix open a connection to another mta
> from a pseudo-random port to 25, but with --dport option tc does not
> consider these packets. Instead, with --sport option, I don't know
> why, something is filtered...
> 
>> - If you set your upload limit to 10kbit then you can send 1,25KByte per
>> sec. (It is veeerrryy slooow.)
> 
> In this moment I set this speed so I can test the server with small
> attachments... When the script will be definitively complete,I'll set
> the real values..
> 
> 
> 2011/9/8 Nikolay Kichukov <hijacker@oldum.net>:
> 
>> tc does not require iptables to shape traffic at all. So why bothering?
> 
> I want to limit only one port, not the entire interface. I don't want
> other ports (such as pop3 or imap) limited
> So I used iptables for marking and then tc filter handle fw for filtering..
> How should i do?
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJOaNfCAAoJEDFLYVOGGjgXIcsIAKTB5Azc5860kSvNmyLjaDTH
WgZfmiPzoyuSK88WhXaIVBXcwLgpBVVqkZZRV3AyXKQ/ucTGax6daDZdmINw+i53
YIkKzQCknaEff/WdVCfVi404OERxz/tzUwHAqN4/DsS7/h55XPkpmBEgUahIYeWP
3RQZ9mNFkzpdYWnoLefFgtgBjxecShocQ2wyRAybl4KJQnl+5tv+tTQqiOQ0t6Cz
aPyX4w26qaluQiSTQ6SXeJ846HWASjvAt3KIXaS1xc9c000OeGT0vHCLBf+I5whE
sghiHVMBqcF8IVs+s+2vVn200d2MSzfhtz2llYAiEqxExXOhQ1y6nm8k1XSqfu8=
=ip57
-----END PGP SIGNATURE-----