From: GGounot <g.gounot@laposte.net>
To: lartc@vger.kernel.org
Subject: Re: SFQ + throttling to specific hosts
Date: Wed, 30 Jul 2014 11:31:35 +0000
Message-ID: <53D8D797.8030108@laposte.net>
In-Reply-To: <53D81BD2.4000803@thirtyonegifts.com>
On 30/07/2014 00:10, Roy Kidder wrote:
> I'm guessing this question has already been asked and answered, but
> I've searched and couldn't find an example for what I'm trying to do.
>
> My Linux firewall has eth0 on the outside, eth1 on the inside. I would
> like to throttle two IPs on my internal network to a predetermined
> bandwidth (say 80K) while using SFQ for everything else. I have the
> SFQ part working with the following:
>
> tc qdisc del dev eth1 root
> tc qdisc add dev eth1 root handle 1: htb default 10
> tc class add dev eth1 parent 1: classid 1:1 htb rate $UPRATE
> tc class add dev eth1 parent 1:1 classid 1:10 htb rate $UPRATE ceil $UPRATE mtu 1500
> tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
>
> But I'm not quite sure how to go about rate limiting the two IPs in
> question. From what I've read, CBQ is what I'd use, but can I use that
> along with SFQ? If so, how?
I use this:
# Remove any existing qdisc on eth1
tc qdisc del dev eth1 root
# HTB
tc qdisc add dev eth1 root handle 1:0 htb default 0
# Define max line speed (the maximum speed that the network card is capable of)
# Note: in tc, "kbps" means kilobytes per second; use "kbit" for kilobits per second
tc class add dev eth1 parent 1:0 classid 1:1 htb rate 1000kbps ceil 1000kbps prio 0
# Define limits (one class per throttled host)
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 80kbps ceil 80kbps prio 0
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 80kbps ceil 80kbps prio 0
# SFQ
tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 1:11 handle 11: sfq perturb 10
# You must then redirect the traffic to limit it; you have 2 choices:
# * use a simple "tc" filter and manage redirection with "iptables"
# * or only use "tc"
# Using both at the same time may have unexpected behaviour.
## 1) Filter traffic using IPTABLES ##
# Filter with FW MARK
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 1080 fw flowid 1:10
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 1180 fw flowid 1:11
# Use iptables' power to match IP/Port Source/Destination, etc.
iptables -t mangle -I FORWARD -d 192.168.0.24 -o eth1 -j MARK --set-mark 1080
iptables -t mangle -I FORWARD -d 192.168.0.35 -o eth1 -j MARK --set-mark 1180
# With table FORWARD you match only traffic coming from the Internet, not traffic
# coming out from the firewall itself.
# If your firewall is also a proxy, then traffic is seen as outgoing, not forwarded
# (because the client computer is not connected to the Internet but to squid on the firewall).
## 2) Filter traffic using TC ##
# Match on the destination address: these classes shape traffic leaving eth1 towards the host
# (the same direction the iptables "-d ... -o eth1" rules above match).
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip dst 192.168.0.24 flowid 1:10
# The second host goes to its own class 1:11, matching the fw-mark variant above
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip dst 192.168.0.35 flowid 1:11
Hope this helps.
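As an added example (not part of this thread, and not the poster's script), here is a shell script that builds the same kind of HTB tree from a host table: every throttled host gets its own class, SFQ leaf and u32 filter derived from one counter, so classid, handle and flowid cannot drift apart, and unmatched traffic lands in an SFQ default class as the original question asked. The interface name, line rate, host addresses and per-host rates are constructed assumptions; set TC=echo to print the tc commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): build the HTB/SFQ tree from a host table so
# each throttled host gets its own class, SFQ leaf and filter, and everything else
# shares one SFQ default class. Sample hosts/rates below are constructed values.
# Usage: sh limits.sh apply (as root), or TC=echo sh limits.sh apply for a dry run.
TC="${TC:-tc}"
DEV="${DEV:-eth1}"                   # inside interface; shaping applies to traffic leaving it
LINE_RATE="${LINE_RATE:-1000kbit}"   # tc: "kbit" = kilobits/s, "kbps" = kilobytes/s

# Constructed host table, one "ip rate" pair per line.
HOSTS='192.168.0.24 80kbit
192.168.0.35 80kbit'

build_root() {
  $TC qdisc del dev "$DEV" root 2>/dev/null || true
  # Unclassified traffic falls into 1:20, which gets SFQ (the "everything else" class).
  $TC qdisc add dev "$DEV" root handle 1: htb default 20
  $TC class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINE_RATE" ceil "$LINE_RATE"
  $TC class add dev "$DEV" parent 1:1 classid 1:20 htb rate "$LINE_RATE" ceil "$LINE_RATE"
  $TC qdisc add dev "$DEV" parent 1:20 handle 20: sfq perturb 10
}

# One leaf class, SFQ qdisc and u32 filter per host. The same minor id is used for
# classid, qdisc handle and flowid so the three can never drift apart.
# tc reads ids as hex, so the counter only ever produces digits 0-9.
add_host_limit() {
  ip="$1"; rate="$2"; minor="$3"
  $TC class add dev "$DEV" parent 1:1 classid "1:$minor" htb rate "$rate" ceil "$rate"
  $TC qdisc add dev "$DEV" parent "1:$minor" handle "$minor:" sfq perturb 10
  # Packets leaving the inside interface towards the host carry it as destination.
  $TC filter add dev "$DEV" parent 1: prio 1 protocol ip u32 \
    match ip dst "$ip"/32 flowid "1:$minor"
}

build_all() {
  build_root
  n=100
  echo "$HOSTS" | while read -r ip rate; do
    [ -n "$ip" ] || continue
    add_host_limit "$ip" "$rate" "$n"
    n=$((n + 1))
  done
}

case "${1:-}" in
  apply) build_all ;;
esac
```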
Thread overview: 2+ messages
2014-07-29 22:10 SFQ + throttling to specific hosts Roy Kidder
2014-07-30 11:31 ` GGounot [this message]