question on fwmark speed boost

question on fwmark speed boost

[Wolfgang Hennerbichler]

Hi,

following tc config:

tc qdisc add dev wan0 root handle 1: htb default 12
tc class add dev wan0 parent 1:0 classid 1:12 htb rate 9500mbit ceil
9500mbit
tc class add dev wan0 parent 1:0 classid 1:2001 htb rate 9500mbit ceil
9500mbit
tc class add dev wan0 parent 1:0 classid 1:2002 htb rate 100kbit ceil
100kbit

# add filter - all marked packets should be classified automatically
according to the fwmark - as far as I've read online

tc filter add dev wan0 parent 1:0 protocol ip fw

iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
iptables -A POSTROUTING -m physdev --physdev-out wan0 -p udp -s 1.2.3.4
-t mangle -j MARK --set-mark 2001
iptables -A POSTROUTING -m physdev --physdev-out wan0 -p tcp -s 1.2.3.4
-t mangle -j MARK --set-mark 2002
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark


my filter does not work as intended. I thought it would automatically
use the marks, and put the traffic into the right classes. It doesn't
seem to work. I have troubles finding documentation on this, so maybe
anybody can shed some light on this.

Wolfgang

-- 
http://www.wogri.com

Re: question on fwmark speed boost

[Wolfgang Hennerbichler]

Follow-Up: This is the only pice of information I have found on my problem:

http://marc.info/?l=lartc&m\x105421129231583&w=2

=> You can reduce the number of fw filters rules if you use the mark as
hash key.
So if you add
tc filter add dev eth0 parent 1:0 protocol ip handle 1 fw
and you have a packet with mark 39, it will placed in class 1:39.


Wolfgang

On 07/03/2013 02:39 PM, Wolfgang Hennerbichler wrote:
> Hi,
> 
> following tc config:
> 
> tc qdisc add dev wan0 root handle 1: htb default 12
> tc class add dev wan0 parent 1:0 classid 1:12 htb rate 9500mbit ceil
> 9500mbit
> tc class add dev wan0 parent 1:0 classid 1:2001 htb rate 9500mbit ceil
> 9500mbit
> tc class add dev wan0 parent 1:0 classid 1:2002 htb rate 100kbit ceil
> 100kbit
> 
> # add filter - all marked packets should be classified automatically
> according to the fwmark - as far as I've read online
> 
> tc filter add dev wan0 parent 1:0 protocol ip fw
> 
> iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
> iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
> iptables -A POSTROUTING -m physdev --physdev-out wan0 -p udp -s 1.2.3.4
> -t mangle -j MARK --set-mark 2001
> iptables -A POSTROUTING -m physdev --physdev-out wan0 -p tcp -s 1.2.3.4
> -t mangle -j MARK --set-mark 2002
> iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
> 
> 
> my filter does not work as intended. I thought it would automatically
> use the marks, and put the traffic into the right classes. It doesn't
> seem to work. I have troubles finding documentation on this, so maybe
> anybody can shed some light on this.
> 
> Wolfgang
> 


-- 
DI (FH) Wolfgang Hennerbichler
Software Development
Unit Advanced Computing Technologies
RISC Software GmbH
A company of the Johannes Kepler University Linz

IT-Center
Softwarepark 35
4232 Hagenberg
Austria

Phone: +43 7236 3343 245
Fax: +43 7236 3343 250
wolfgang.hennerbichler@risc-software.at
http://www.risc-software.at

Re: question on fwmark speed boost

[Andy Furniss]

Wolfgang Hennerbichler wrote:
> Follow-Up: This is the only pice of information I have found on my problem:
>
> http://marc.info/?l=lartc&m\x105421129231583&w=2
>
> => You can reduce the number of fw filters rules if you use the mark as
> hash key.
> So if you add
> tc filter add dev eth0 parent 1:0 protocol ip handle 1 fw
> and you have a packet with mark 39, it will placed in class 1:39.

I've never tried that, if it does work maybe you need to use 0x39 for 
the mark as classes are in hex.

iptables can do this

-j CLASSIFY --set-class 1:39

If you have a lot of marks and a complicated set up you could consider 
the u32 mark match which will let you use masks and I guess explicitly 
set up hashing - again be sure to work in hex.

Re: question on fwmark speed boost

[Wolfgang Hennerbichler]

-- 
http://www.wogri.at

On Jul 4, 2013, at 00:29 , Andy Furniss <adf.lists@gmail.com> wrote:

> Wolfgang Hennerbichler wrote:
>> Follow-Up: This is the only pice of information I have found on my problem:
>> 
>> http://marc.info/?l=lartc&m\x105421129231583&w=2
>> 
>> => You can reduce the number of fw filters rules if you use the mark as
>> hash key.
>> So if you add
>> tc filter add dev eth0 parent 1:0 protocol ip handle 1 fw
>> and you have a packet with mark 39, it will placed in class 1:39.
> 
> I've never tried that, if it does work maybe you need to use 0x39 for the mark as classes are in hex.

thanks, will try to do it in HEX. 

> iptables can do this
> 
> -j CLASSIFY --set-class 1:39

I know, but this doesn't support connection tracking, as far as I've read. And I really net a well-performing setup here - and this performs very well: 
iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark

> If you have a lot of marks and a complicated set up you could consider the u32 mark match which will let you use masks and I guess explicitly set up hashing - again be sure to work in hex.

yeah. but this is something I would love to work around, u32 hashing seems so complicated… 

> 
> --
> To unsubscribe from this list: send the line "unsubscribe lartc" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: question on fwmark speed boost

[Andy Furniss]

Wolfgang Hennerbichler wrote:
> Follow-Up: This is the only pice of information I have found on my problem:
>
> http://marc.info/?l=lartc&m\x105421129231583&w=2
>
> => You can reduce the number of fw filters rules if you use the mark as
> hash key.
> So if you add
> tc filter add dev eth0 parent 1:0 protocol ip handle 1 fw
> and you have a packet with mark 39, it will placed in class 1:39.

OK, so after saying I've never done this I remembered I had long ago and 
found a test :-)

Using "handle 1" seems to get the filter rejected - but the main thing 
is the way you have to mark to match the first part of your classid -

tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:a htb rate 1mbit
tc class add dev eth0 parent 1: classid 1:b htb rate 1mbit
tc class add dev eth0 parent 1: classid 1:c htb rate 1mbit
tc filter add dev eth0 parent 1:0 protocol ip fw

iptables -t mangle -I OUTPUT -o eth0 -p tcp -j MARK --set-mark 0x1000a
iptables -t mangle -I OUTPUT -o eth0 -p icmp -j MARK --set-mark 0x1000b
iptables -t mangle -I OUTPUT -o eth0 -p udp -j MARK --set-mark 0x1000c


ph4[/home/andy]# iptables -L OUTPUT -vnt mangle

Chain OUTPUT (policy ACCEPT 84 packets, 14747 bytes)
  pkts bytes target     prot opt in     out     source 
destination
     3   196 MARK       udp  --  *      eth0    0.0.0.0/0 
0.0.0.0/0            MARK set 0x1000c
     7   588 MARK       icmp --  *      eth0    0.0.0.0/0 
0.0.0.0/0            MARK set 0x1000b
    74 13963 MARK       tcp  --  *      eth0    0.0.0.0/0 
0.0.0.0/0            MARK set 0x1000a


ph4[/home/andy]# tc -s class ls dev eth0

class htb 1:c root prio 0 rate 1000Kbit ceil 1000Kbit burst 2850b cburst 
2850b
  Sent 238 bytes 3 pkt (dropped 0, overlimits 0 requeues 0)
  rate 0bit 0pps backlog 0b 0p requeues 0
  lended: 3 borrowed: 0 giants: 0
  tokens: 346750 ctokens: 346750

class htb 1:a root prio 0 rate 1000Kbit ceil 1000Kbit burst 2850b cburst 
2850b
  Sent 14999 bytes 74 pkt (dropped 0, overlimits 0 requeues 0)
  rate 32bit 0pps backlog 0b 0p requeues 0
  lended: 74 borrowed: 0 giants: 0
  tokens: 348000 ctokens: 348000

class htb 1:b root prio 0 rate 1000Kbit ceil 1000Kbit burst 2850b cburst 
2850b
  Sent 686 bytes 7 pkt (dropped 0, overlimits 0 requeues 0)
  rate 0bit 0pps backlog 0b 0p requeues 0
  lended: 7 borrowed: 0 giants: 0
  tokens: 344000 ctokens: 344000

Re: question on fwmark speed boost

[Wolfgang Hennerbichler]

Yay. Thanks. Will try in a couple of days. 

Wolfgang 

-- 
Sent from my mobile device

On 10.07.2013, at 12:00, "Andy Furniss" <adf.lists@gmail.com> wrote:

> Wolfgang Hennerbichler wrote:
>> Follow-Up: This is the only pice of information I have found on my problem:
>> 
>> http://marc.info/?l=lartc&m\x105421129231583&w=2
>> 
>> => You can reduce the number of fw filters rules if you use the mark as
>> hash key.
>> So if you add
>> tc filter add dev eth0 parent 1:0 protocol ip handle 1 fw
>> and you have a packet with mark 39, it will placed in class 1:39.
> 
> OK, so after saying I've never done this I remembered I had long ago and found a test :-)
> 
> Using "handle 1" seems to get the filter rejected - but the main thing is the way you have to mark to match the first part of your classid -
> 
> tc qdisc add dev eth0 root handle 1: htb
> tc class add dev eth0 parent 1: classid 1:a htb rate 1mbit
> tc class add dev eth0 parent 1: classid 1:b htb rate 1mbit
> tc class add dev eth0 parent 1: classid 1:c htb rate 1mbit
> tc filter add dev eth0 parent 1:0 protocol ip fw
> 
> iptables -t mangle -I OUTPUT -o eth0 -p tcp -j MARK --set-mark 0x1000a
> iptables -t mangle -I OUTPUT -o eth0 -p icmp -j MARK --set-mark 0x1000b
> iptables -t mangle -I OUTPUT -o eth0 -p udp -j MARK --set-mark 0x1000c
> 
> 
> ph4[/home/andy]# iptables -L OUTPUT -vnt mangle
> 
> Chain OUTPUT (policy ACCEPT 84 packets, 14747 bytes)
> pkts bytes target     prot opt in     out     source destination
>    3   196 MARK       udp  --  *      eth0    0.0.0.0/0 0.0.0.0/0            MARK set 0x1000c
>    7   588 MARK       icmp --  *      eth0    0.0.0.0/0 0.0.0.0/0            MARK set 0x1000b
>   74 13963 MARK       tcp  --  *      eth0    0.0.0.0/0 0.0.0.0/0            MARK set 0x1000a
> 
> 
> ph4[/home/andy]# tc -s class ls dev eth0
> 
> class htb 1:c root prio 0 rate 1000Kbit ceil 1000Kbit burst 2850b cburst 2850b
> Sent 238 bytes 3 pkt (dropped 0, overlimits 0 requeues 0)
> rate 0bit 0pps backlog 0b 0p requeues 0
> lended: 3 borrowed: 0 giants: 0
> tokens: 346750 ctokens: 346750
> 
> class htb 1:a root prio 0 rate 1000Kbit ceil 1000Kbit burst 2850b cburst 2850b
> Sent 14999 bytes 74 pkt (dropped 0, overlimits 0 requeues 0)
> rate 32bit 0pps backlog 0b 0p requeues 0
> lended: 74 borrowed: 0 giants: 0
> tokens: 348000 ctokens: 348000
> 
> class htb 1:b root prio 0 rate 1000Kbit ceil 1000Kbit burst 2850b cburst 2850b
> Sent 686 bytes 7 pkt (dropped 0, overlimits 0 requeues 0)
> rate 0bit 0pps backlog 0b 0p requeues 0
> lended: 7 borrowed: 0 giants: 0
> tokens: 344000 ctokens: 344000
> 
> 
> 

Re: question on fwmark speed boost

[Wolfgang Hennerbichler]

On Jul 10, 2013, at 12:00 , Andy Furniss <adf.lists@gmail.com> wrote:
> OK, so after saying I've never done this I remembered I had long ago and found a test :-)
> 
> Using "handle 1" seems to get the filter rejected - but the main thing is the way you have to mark to match the first part of your classid -
> 
> tc qdisc add dev eth0 root handle 1: htb
> tc class add dev eth0 parent 1: classid 1:a htb rate 1mbit
> tc class add dev eth0 parent 1: classid 1:b htb rate 1mbit
> tc class add dev eth0 parent 1: classid 1:c htb rate 1mbit
> tc filter add dev eth0 parent 1:0 protocol ip fw
> 
> iptables -t mangle -I OUTPUT -o eth0 -p tcp -j MARK --set-mark 0x1000a
> iptables -t mangle -I OUTPUT -o eth0 -p icmp -j MARK --set-mark 0x1000b
> iptables -t mangle -I OUTPUT -o eth0 -p udp -j MARK --set-mark 0x1000c

yay. that was it. it doesn't (yet) work with ip6tables. but ip[4]tables rocks now. Thank you so much for this information. 

Wolfgang