From mboxrd@z Thu Jan 1 00:00:00 1970
From: GGounot
Date: Wed, 30 Jul 2014 11:31:35 +0000
Subject: Re: SFQ + throttling to specific hosts
Message-Id: <53D8D797.8030108@laposte.net>
List-Id:
References: <53D81BD2.4000803@thirtyonegifts.com>
In-Reply-To: <53D81BD2.4000803@thirtyonegifts.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: lartc@vger.kernel.org

On 30/07/2014 00:10, Roy Kidder wrote:
> I'm guessing this question has already been asked and answered, but
> I've searched and couldn't find an example for what I'm trying to do.
>
> My Linux firewall has eth0 on the outside, eth1 on the inside. I would
> like to throttle two IPs on my internal network to a predetermined
> bandwidth (say 80K) while using SFQ for everything else. I have the
> SFQ part working with the following:
>
> tc qdisc del dev eth1 root
> tc qdisc add dev eth1 root handle 1: htb default 10
> tc class add dev eth1 parent 1: classid 1:1 htb rate $UPRATE
> tc class add dev eth1 parent 1:1 classid 1:10 htb rate $UPRATE ceil $UPRATE mtu 1500
> tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
>
> But I'm not quite sure how to go about rate limiting the two IPs in
> question. From what I've read, CBQ is what I'd use, but can I use that
> along with SFQ? If so, how?
I use this:

# Remove any existing qdisc on eth1
tc qdisc del dev eth1 root

# HTB
tc qdisc add dev eth1 root handle 1:0 htb default 0

# Define max line speed (the maximum speed that the network card is capable of)
tc class add dev eth1 parent 1:0 classid 1:1 htb rate 1000kbps ceil 1000kbps prio 0

# Define limits
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 80kbps ceil 80kbps prio 0
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 80kbps ceil 80kbps prio 0

# SFQ
tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 1:11 handle 11: sfq perturb 10

# You must then redirect the traffic to limit it, you have 2 choices:
# * using a simple "tc" filter and manage redirection with "iptables"
# * or only use "tc"
# using both at the same time may have unexpected behaviour

## 1) Filter traffic using IPTABLES ##

# Filter with FW MARK
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 1080 fw flowid 1:10
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 1180 fw flowid 1:11

# Use iptables' power to match IP/Port Source/Destination, etc.
iptables -t mangle -I FORWARD -d 192.168.0.24 -o eth1 -j MARK --set-mark 1080
iptables -t mangle -I FORWARD -d 192.168.0.35 -o eth1 -j MARK --set-mark 1180

# with table FORWARD you match only traffic coming from the Internet, not
# traffic coming out from the firewall
# if your firewall is also a proxy, then traffic is seen as outgoing, not
# forwarded (because the client computer is not connected to the Internet but
# to squid on the firewall)

## 2) Filter traffic using TC ##

# Packets leaving eth1 towards the LAN carry the throttled host as their
# destination address (the same thing the "-d" in the iptables rules above
# matches), so the u32 match is on "ip dst"; the second host gets its own
# class 1:11
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip dst 192.168.0.24 flowid 1:10
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip dst 192.168.0.35 flowid 1:11

Hope this helps.
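As an added example (not part of this thread), the same HTB + SFQ + fwmark layout as a shell function that generates the commands for any number of throttled hosts, keeping class id, SFQ handle, fw mark and flowid consistent with each other, and marking in both FORWARD and OUTPUT so traffic the firewall itself sends to the host (the proxy case mentioned above) is throttled as well; class_sent_bytes reads "tc -s class show" output so you can confirm a class is really receiving packets. The host addresses, the mark numbering and the sample counter output are constructed for the example.

```shell
#!/bin/sh
# Constructed example: emit the tc + iptables commands for IFACE, LINE_RATE and
# any number of HOST:RATE pairs (rates in tc units, e.g. 80kbps).  Apply with
#   gen_rules eth1 1000kbps 192.168.0.24:80kbps 192.168.0.35:80kbps | sh
gen_rules() {
    iface=$1; line=$2; shift 2
    echo "tc qdisc del dev $iface root 2>/dev/null"
    echo "tc qdisc add dev $iface root handle 1:0 htb default 0"
    echo "tc class add dev $iface parent 1:0 classid 1:1 htb rate $line ceil $line prio 0"
    n=10                       # first leaf class is 1:10, then 1:11, ...
    for spec in "$@"; do
        host=${spec%%:*}; rate=${spec#*:}
        mark=$((n * 100))      # fw mark derived from the class: 1:10 -> 1000
        echo "tc class add dev $iface parent 1:1 classid 1:$n htb rate $rate ceil $rate prio 0"
        echo "tc qdisc add dev $iface parent 1:$n handle $n: sfq perturb 10"
        echo "tc filter add dev $iface parent 1:0 prio 0 protocol ip handle $mark fw flowid 1:$n"
        # FORWARD catches routed traffic; OUTPUT catches traffic the firewall
        # itself sends to the host (e.g. replies from a proxy running on it).
        for chain in FORWARD OUTPUT; do
            echo "iptables -t mangle -A $chain -d $host -o $iface -j MARK --set-mark $mark"
        done
        n=$((n + 1))
    done
}

# Verification helper: print the "Sent N bytes" counter of one class from
# `tc -s class show dev IFACE` fed on stdin (0 means the filter never matched).
class_sent_bytes() {
    awk -v id="$1" '$1 == "class" && $3 == id { want = 1; next }
                    want && $1 == "Sent" { print $2; exit }'
}

# Constructed sample of `tc -s class show dev eth1`, not captured from a real box.
SAMPLE_STATS='class htb 1:1 root rate 8000Kbit ceil 8000Kbit
 Sent 987654 bytes 1200 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 640Kbit ceil 640Kbit
 Sent 123456 bytes 890 pkt (dropped 3, overlimits 12 requeues 0)
class htb 1:11 parent 1:1 leaf 11: prio 0 rate 640Kbit ceil 640Kbit
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)'
```

After applying, a class whose counter stays at 0 while the host is busy means the mark or filter is not hitting it, which is what "tc -s class show dev eth1 | class_sent_bytes 1:11" makes visible.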