* SFQ + throttling to specific hosts
@ 2014-07-29 22:10 Roy Kidder
  2014-07-30 11:31 ` GGounot
  0 siblings, 1 reply; 2+ messages in thread
From: Roy Kidder @ 2014-07-29 22:10 UTC (permalink / raw)
  To: lartc

I'm guessing this question has already been asked and answered, but I've 
searched and couldn't find an example for what I'm trying to do.

My Linux firewall has eth0 on the outside, eth1 on the inside. I would 
like to throttle two IPs on my internal network to a predetermined 
bandwidth (say 80K) while using SFQ for everything else. I have the SFQ 
part working with the following:

   tc qdisc del dev eth1 root
   tc qdisc add dev eth1 root handle 1: htb default 10
   tc class add dev eth1 parent 1: classid 1:1 htb rate $UPRATE
   tc class add dev eth1 parent 1:1 classid 1:10 htb rate $UPRATE ceil $UPRATE mtu 1500
   tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10

But I'm not quite sure how to go about rate limiting the two IPs in 
question. From what I've read, CBQ is what I'd use, but can I use that 
along with SFQ? If so, how?

Thanks,
Roy

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: SFQ + throttling to specific hosts
  2014-07-29 22:10 SFQ + throttling to specific hosts Roy Kidder
@ 2014-07-30 11:31 ` GGounot
  0 siblings, 0 replies; 2+ messages in thread
From: GGounot @ 2014-07-30 11:31 UTC (permalink / raw)
  To: lartc

On 30/07/2014 00:10, Roy Kidder wrote:
> I'm guessing this question has already been asked and answered, but 
> I've searched and couldn't find an example for what I'm trying to do.
>
> My Linux firewall has eth0 on the outside, eth1 on the inside. I would 
> like to throttle two IPs on my internal network to a predetermined 
> bandwidth (say 80K) while using SFQ for everything else. I have the 
> SFQ part working with the following:
>
>   tc qdisc del dev eth1 root
>   tc qdisc add dev eth1 root handle 1: htb default 10
>   tc class add dev eth1 parent 1: classid 1:1 htb rate $UPRATE
>   tc class add dev eth1 parent 1:1 classid 1:10 htb rate $UPRATE ceil $UPRATE mtu 1500
>   tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
>
> But I'm not quite sure how to go about rate limiting the two IPs in 
> question. From what I've read, CBQ is what I'd use, but can I use that 
> along with SFQ? If so, how?

I use this:

# Remove any existing qdisc on eth1
tc qdisc del dev eth1 root
# HTB
tc qdisc add dev eth1 root handle 1:0 htb default 0
# Define max line speed (the maximum speed that the network card is capable of)
tc class add dev eth1 parent 1:0 classid 1:1 htb rate 1000kbps ceil 1000kbps prio 0
# Define limits
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 80kbps ceil 80kbps prio 0
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 80kbps ceil 80kbps prio 0
# SFQ
tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 1:11 handle 11: sfq perturb 10


# You must then redirect the traffic to limit it; you have 2 choices:
# * using a simple "tc" filter and manage redirection with "iptables"
# * or only use "tc"
# using both at the same time may have unexpected behaviour

## 1) Filter traffic using IPTABLES ##
# Filter with FW MARK
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 1080 fw flowid 1:10
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 1180 fw flowid 1:11
# Use iptables' power to match IP/Port Source/Destination, etc.
iptables -t mangle -I FORWARD -d 192.168.0.24 -o eth1 -j MARK --set-mark 1080
iptables -t mangle -I FORWARD -d 192.168.0.35 -o eth1 -j MARK --set-mark 1180
# with table FORWARD you match only traffic coming from Internet, not coming out from firewall
# if your firewall is also a proxy, then traffic is seen as outgoing, not forwarded (because client computer is not connected to Internet but to squid on firewall)

## 2) Filter traffic using TC ##
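# Match on dst: packets leaving eth1 toward the internal hosts carry the host address as destination (same as -d in the iptables rules above)
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip dst 192.168.0.24 flowid 1:10
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip dst 192.168.0.35 flowid 1:11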



Hope this helps.



^ permalink raw reply	[flat|nested] 2+ messages in thread
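
A generator for the setup the thread is after, combining the default SFQ class from the question with per-host capped classes like those in the reply; this is an added example, not code from either poster. The function name `gen_shaper`, the variables `DEV`, `UP_KBPS` and `HOST_KBPS`, and the class minors starting at 20 are assumptions; the default class's guaranteed rate is computed so the child classes do not oversubscribe the parent.

```shell
#!/bin/sh
# Added example: print the tc commands for "cap some hosts, SFQ for the rest".
DEV=${DEV:-eth1}            # inside interface, as in the thread
UP_KBPS=${UP_KBPS:-1000}    # link rate; tc "kbps" means kilobytes per second
HOST_KBPS=${HOST_KBPS:-80}  # cap per throttled host

# gen_shaper IP...  prints commands only; review them, then pipe to sh as root.
# Usage: gen_shaper 192.168.0.24 192.168.0.35 | sh
gen_shaper() {
    for ip in "$@"; do
        # Refuse anything but digits and dots: the output is meant for a shell.
        case $ip in ''|*[!0-9.]*) echo "bad address: $ip" >&2; return 1 ;; esac
    done
    # Guaranteed rate left for the default class once each host has its share.
    rest=$((UP_KBPS - $# * HOST_KBPS))
    [ "$rest" -gt 0 ] || { echo "host caps exceed link rate" >&2; return 1; }
    echo "tc qdisc del dev $DEV root"
    # "default 10": unclassified traffic lands in class 1:10.
    echo "tc qdisc add dev $DEV root handle 1: htb default 10"
    echo "tc class add dev $DEV parent 1: classid 1:1 htb rate ${UP_KBPS}kbps"
    echo "tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${rest}kbps ceil ${UP_KBPS}kbps"
    echo "tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10"
    minor=20
    for ip in "$@"; do
        # rate = ceil: the host can never borrow above its cap.
        echo "tc class add dev $DEV parent 1:1 classid 1:$minor htb rate ${HOST_KBPS}kbps ceil ${HOST_KBPS}kbps"
        echo "tc qdisc add dev $DEV parent 1:$minor handle $minor: sfq perturb 10"
        # Egress on the inside interface: the host is the packet's destination.
        echo "tc filter add dev $DEV parent 1: protocol ip prio 1 u32 match ip dst $ip/32 flowid 1:$minor"
        minor=$((minor + 1))
    done
}
```

After applying, `tc -s class show dev eth1` shows per-class byte counters, which confirms whether the filters are steering traffic into the capped classes.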
