* traffic shape per ip
From: binary @ 2013-09-19 18:43 UTC
To: netfilter

Hello everyone.

I am running a small server that everyone connects to through OpenVPN. Once connected, the server offers some services to the connected members (VoIP, PHP forms, company email).

I would like to limit the bandwidth of some users based on IPs:

- 10.10.0.10-19/24 gets only 1Mbps up/down
- 10.10.0.20-29/24 gets only 2Mbps up/down
- the rest of the subnet is free of traffic shaping

The server has an ethernet (eth0) connected to the outside world by public IP, and the VPN users connect through br0 (virtual interface).

I have seen the tc option on the iptables, but this is where I've lost it.

The server runs Debian Wheezy 7.1.
* Re: traffic shape per ip
From: Andrew Beverley @ 2013-09-19 20:34 UTC
To: binary; +Cc: netfilter

On Thu, 2013-09-19 at 21:43 +0300, binary wrote:
> I would like to limit the bandwidth of some users based on IPs:

[...]

This is not as simple as you might think. In order to shape per-IP, you'll need to set up a class for each individual IP address, and then filter to that class. I am not aware of a way to write one rule to say "limit each IP address to this amount".

Presumably the reason to filter per-IP is to stop single users hogging the bandwidth. If so, a better approach might be to classify the type of traffic and then shape on that, or alternatively share bandwidth evenly per-IP rather than per-connection (as is the default). There is some information on how to do this on this page at the end of the "downlink" section:

http://www.andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux

If you have any more questions you might want to use the LARTC mailing list instead of this mailing list.

Andy
* Re: traffic shape per ip
From: Ray Soucy @ 2013-09-20 13:17 UTC
To: Andrew Beverley; +Cc: binary, netfilter

Bounced for HTML. Re-sending as plaintext.

On Fri, Sep 20, 2013 at 9:15 AM, Ray Soucy <rps@maine.edu> wrote:

Try something like this.

It's not perfect, but it will work for a pool of up to 8000 IPs (TC limit is 9999 I believe). Sorry for it being in PHP, it was tossed on a box where everything else is already PHP.

Verified to work, and a modest Linux system doesn't have a problem keeping up with it.

#!/bin/php
<?php

$config['wan_if'] = 'eth0';
$config['lan_if'] = 'eth1';
$config['global_down'] = '300mbit';
$config['global_up'] = '300mbit';
$config['default_down'] = '1mbit';
$config['default_up'] = '1mbit';
$config['network_list'] = array('172.19.0.0/20');

// Return array(first usable host, last usable host) as longs for a CIDR block.
// $end works out to broadcast - 1, i.e. the last usable host address.
function cidrtorange($network) {
    list($ip, $bits) = explode('/', $network);
    $ip = ip2long($ip);
    $mask = ~((1 << (32 - $bits)) - 1);
    $start = ($ip & $mask) + 1;
    $end = ($start - 3) - $mask;
    $range = array($start, $end);
    return $range;
}

// Run a newline-separated list of commands one at a time, logging failures
// (with stderr merged in) instead of aborting, so one bad rule does not
// leave the rest of the setup unapplied.
function exec_cmds($cmd) {
    $log_data = "";
    $cmd = str_replace('iptables ', '/usr/local/sbin/iptables ', $cmd);
    $cmd = str_replace('tc ', '/usr/sbin/tc ', $cmd);
    $cmd_list = explode("\n", $cmd);
    foreach ($cmd_list as $c) {
        if (strlen($c) < 1) continue;
        $out = array();
        exec($c . ' 2>&1', $out, $status);
        if ($status == 0) $log_data .= $c . "\n";
        else {
            $log_data .= '# FAILED ' . $c . "\n";
            foreach ($out as $o) $log_data .= '# ' . $o . "\n";
        }
    }
    echo $log_data;
}

function do_start() {
    global $config;
    $host_list = array();
    foreach ($config['network_list'] as $network) {
        list($start_ip, $end_ip) = cidrtorange($network);
        // Skip the first and last usable addresses of each block.
        for ($i = $start_ip + 1; $i < $end_ip; $i++) {
            $host = long2ip($i);
            $host_list[$host]['down'] = $config['default_down'];
            $host_list[$host]['up'] = $config['default_up'];
        }
    }
    $cmd = "";
    // Mark packets arriving from the LAN side; the mark selects the upload class on the WAN side.
    $cmd .= 'iptables -t mangle -N Traffic_Control' . "\n";
    $cmd .= 'iptables -t mangle -A PREROUTING -i ' . $config['lan_if'] . ' -j Traffic_Control' . "\n";
    // Root HTB on each interface; unmatched traffic falls into default class 9999 with an SFQ leaf.
    $cmd .= 'tc qdisc add dev ' . $config['lan_if'] . ' root handle 1: htb default 9999' . "\n";
    $cmd .= 'tc class add dev ' . $config['lan_if'] . ' parent 1: classid 1:9999 htb rate ' . $config['global_down'] . "\n";
    $cmd .= 'tc qdisc add dev ' . $config['lan_if'] . ' parent 1:9999 handle 9999: sfq perturb 10' . "\n";
    $cmd .= 'tc qdisc add dev ' . $config['wan_if'] . ' root handle 1: htb default 9999' . "\n";
    $cmd .= 'tc class add dev ' . $config['wan_if'] . ' parent 1: classid 1:9999 htb rate ' . $config['global_up'] . "\n";
    $cmd .= 'tc qdisc add dev ' . $config['wan_if'] . ' parent 1:9999 handle 9999: sfq perturb 10' . "\n";
    // One class per host. tc reads class minor ids as hex and fw handles as decimal, but
    // because the same all-digit $tc_index string is used for classid, fw handle, mark and
    // flowid, each host's mark and class stay paired.
    $tc_index = 1;
    foreach ($host_list as $host => $lim) {
        $cmd .= 'iptables -t mangle -A Traffic_Control -s ' . $host . ' -j MARK --set-mark ' . $tc_index . "\n";
        $cmd .= 'tc class add dev ' . $config['wan_if'] . ' parent 1: classid 1:' . $tc_index . ' htb rate ' . $lim['up'] . "\n";
        $cmd .= 'tc filter add dev ' . $config['wan_if'] . ' protocol ip parent 1: prio 1 handle ' . $tc_index . ' fw flowid 1:' . $tc_index . "\n";
        $cmd .= 'tc class add dev ' . $config['lan_if'] . ' parent 1: classid 1:' . $tc_index . ' htb rate ' . $lim['down'] . "\n";
        $cmd .= 'tc filter add dev ' . $config['lan_if'] . ' protocol ip parent 1: prio 1 u32 match ip dst ' . $host . ' flowid 1:' . $tc_index . "\n";
        $tc_index++;
    }
    exec_cmds($cmd);
}

function do_stop() {
    global $config;
    $cmd = "";
    $cmd .= 'tc qdisc del dev ' . $config['lan_if'] . ' root' . "\n";
    $cmd .= 'tc qdisc del dev ' . $config['wan_if'] . ' root' . "\n";
    $cmd .= 'iptables -t mangle -D PREROUTING -i ' . $config['lan_if'] . ' -j Traffic_Control' . "\n";
    $cmd .= 'iptables -t mangle -F Traffic_Control' . "\n";
    $cmd .= 'iptables -t mangle -X Traffic_Control' . "\n";
    exec_cmds($cmd);
}

if ($argc == 2) {
    if ($argv[1] == 'start') {
        do_start();
    } elseif ($argv[1] == 'stop') {
        do_stop();
    } elseif ($argv[1] == 'restart') {
        do_stop();
        do_start();
    } else {
        echo 'Usage: ' . $argv[0] . ' {start|stop|restart}' . "\n";
    }
} else {
    echo 'Usage: ' . $argv[0] . ' {start|stop|restart}' . "\n";
}

On Thu, Sep 19, 2013 at 4:34 PM, Andrew Beverley <andy@andybev.com> wrote:
> This is not as simple as you might think. In order to shape per-IP,
> you'll need to set up a class for each individual IP address, and then
> filter to that class. I am not aware of a way to write one rule to say
> "limit each IP address to this amount".
>
> [...]
>
> Andy

--
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net
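The class-per-IP layout Andy describes, applied to the three tiers in the original question, as an added example that is not Ray's script or any other code from the thread. It assumes br0 and eth0 as in the question, a constructed 100mbit link rate for the default class and a constructed chain name VPN_SHAPE; the host's last octet doubles as the fw mark (decimal) and, printed as hex, as the class minor id, because tc parses minor ids as hex.

```shell
#!/bin/sh
# Added example (not from the thread): emits the tc/iptables commands for the
# layout in the question (VPN clients on br0, internet on eth0). Hosts
# 10.10.0.10-19 get 1mbit, 10.10.0.20-29 get 2mbit; everything else lands in the
# default class at the (constructed) link rate. Dry run: pipe into sh as root.
LAN_IF=${LAN_IF:-br0}
WAN_IF=${WAN_IF:-eth0}
LINK_RATE=${LINK_RATE:-100mbit}   # assumption: 100mbit link

# rate_for_host LAST_OCTET -> HTB rate for that host, empty if it is unshaped
rate_for_host() {
    case "$1" in
        1[0-9]) echo 1mbit ;;
        2[0-9]) echo 2mbit ;;
        *)      echo "" ;;
    esac
}

# classid_for_host LAST_OCTET -> "1:<hex>". tc reads class minor ids as hex but
# the fw mark (iptables --set-mark / tc filter handle) as decimal, so the two
# are derived separately from the same octet to keep them paired.
classid_for_host() {
    printf '1:%x' "$1"
}

# Root HTB on both interfaces with default class 1:fffe at link rate and an SFQ
# leaf, plus a mangle chain that marks packets arriving from the VPN side.
gen_roots() {
    for dev in "$LAN_IF" "$WAN_IF"; do
        echo "tc qdisc add dev $dev root handle 1: htb default fffe"
        echo "tc class add dev $dev parent 1: classid 1:fffe htb rate $LINK_RATE"
        echo "tc qdisc add dev $dev parent 1:fffe handle fffe: sfq perturb 10"
    done
    echo "iptables -t mangle -N VPN_SHAPE"
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -j VPN_SHAPE"
}

# gen_host LAST_OCTET -> class + filter per direction for 10.10.0.<octet>.
# Upload is shaped where it leaves eth0 (forwarded traffic only; packets that
# terminate on the server itself would need an IFB/ingress setup, not shown).
gen_host() {
    octet=$1
    rate=$(rate_for_host "$octet")
    [ -n "$rate" ] || return 0          # unshaped host: nothing to emit
    ip="10.10.0.$octet"
    cid=$(classid_for_host "$octet")
    echo "iptables -t mangle -A VPN_SHAPE -s $ip -j MARK --set-mark $octet"
    echo "tc class add dev $WAN_IF parent 1: classid $cid htb rate $rate ceil $rate"
    echo "tc filter add dev $WAN_IF parent 1: protocol ip prio 1 handle $octet fw flowid $cid"
    echo "tc class add dev $LAN_IF parent 1: classid $cid htb rate $rate ceil $rate"
    echo "tc filter add dev $LAN_IF parent 1: protocol ip prio 1 u32 match ip dst $ip flowid $cid"
}

# gen_all -> the complete command list for hosts .10 through .29
gen_all() {
    gen_roots
    i=10
    while [ "$i" -le 29 ]; do gen_host "$i"; i=$((i + 1)); done
}
[ -n "${SHAPE_NO_MAIN:-}" ] || gen_all
```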
* Re: traffic shape per ip
From: Bob Miller @ 2013-10-01 16:47 UTC
To: netfilter

Perhaps a little late to weigh in, but I found this to be an interesting thread. Ray, thanks for sharing your script, I found it an educational read.

I have always found it interesting that nobody ever seems to use/mention tcng to implement the shaping. I found the learning curve a little steep because there aren't a lot of examples and documentation, but now that I have it, shaping is actually very very easy. This said, I have never tried to use it to shape traffic on a VPN, but if you are attaching the VPN to an interface, I don't see why it wouldn't work.

In case it is useful, I put an example of how to use tcng to limit speed on a public access network here:

http://cocnm.computerisms.ca/index.php/Shape/Track_Bandwidth_-_Finalize_IPTables

--
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca

On Fri, 2013-09-20 at 09:17 -0400, Ray Soucy wrote:
> Bounced for HTML. Re-sending as plaintext.
>
> On Fri, Sep 20, 2013 at 9:15 AM, Ray Soucy <rps@maine.edu> wrote:
> > Try something like this.
> >
> > [...]
* Re: traffic shape per ip
From: Bob Miller @ 2013-10-01 16:44 UTC
To: Andrew Beverley; +Cc: binary, netfilter

> If you have any more questions you might want to use the LARTC mailing
> list instead of this mailing list.

I asked about the lartc mailing list on this list some years ago. Based on the response I got, my understanding is that the lartc list is not active, and I was instructed to send my tc questions here instead. Do you have new information such that I should be adjusting my understanding?

> Andy
* Re: traffic shape per ip
From: Andrew Beverley @ 2013-10-01 16:50 UTC
To: bob; +Cc: binary, netfilter

On Tue, 2013-10-01 at 09:44 -0700, Bob Miller wrote:
> > If you have any more questions you might want to use the LARTC mailing
> > list instead of this mailing list.
>
> I asked about the lartc mailing list on this list some years ago. Based
> on the response I got, my understanding is that the lartc list is not
> active, and I was instructed to send my tc questions here instead. Do
> you have new information such that I should be adjusting my
> understanding?

The LARTC list did die for a period, but has now been resurrected, hosted on vger.kernel.org. It's not as active as it used to be, but does have the occasional interesting discussion.

http://vger.kernel.org/vger-lists.html#lartc

Andy
* Re: traffic shape per ip
From: Bob Miller @ 2013-10-01 17:21 UTC
To: Andrew Beverley; +Cc: binary, netfilter

> The LARTC list did die for a period, but has now been resurrected,
> hosted on vger.kernel.org. It's not as active as it used to be, but does
> have the occasional interesting discussion.
>
> http://vger.kernel.org/vger-lists.html#lartc

Most excellent, thanks for the info...

> Andy