From: Andy Furniss <adf.lists@gmail.com>
To: lartc@vger.kernel.org
Subject: Re: How to classify a port range?
Date: Sat, 17 Dec 2016 22:43:38 +0000 [thread overview]
Message-ID: <5855BF9A.9020504@gmail.com> (raw)
In-Reply-To: <2cc58282-00cf-0fb5-9583-3ebc86f7eedd@itlabs.bg>
Yassen Damyanov wrote:
> Hi again LARTC list,
>
> Andy helped recently to spot a bug in an ematch filter definition that
> classifies a range of ports (thanks again!)
>
> Now I again have a problem with that same classifier, this time on an
> ifb device which is "connected" to an eth device to allow for richer
> ingress control:
>
> # ip link set dev ifb0 up
> # tc qdisc add dev eth0 handle ffff: ingress
> # tc filter add dev eth0 parent ffff: protocol ip u32 match u32 0 0
> action mirred egress redirect dev ifb0
>
> # tc qdisc add dev ifb0 root handle 1:0 htb
> # tc class add dev ifb0 parent 1:0 classid 1:1 htb rate 30gbit
> # tc filter add dev ifb0 parent 1:0 protocol ip prio 1 u32 match ip
> protocol 6 0xff flowid 1:1
> # tc qdisc add dev ifb0 parent 1:1 handle 2:0 htb
> # tc class add dev ifb0 parent 2:0 classid 2:1 htb rate 2mbit
> # tc filter add dev ifb0 parent 2:0 protocol ip prio 1 basic match
> "cmp(u16 at 2 layer transport gt 8079) and cmp(u16 at 2 layer transport
> lt 8089)" flowid 2:1
>
> When doing measurements, the speed within the shaped range is way below
> what would be if no shaping is done, but substantially higher than the
> htb rate specified (2mbit). It also differs significantly from test to
> test.
>
> If I just put a u32 filter like this:
>
> # tc filter add dev ifb0 parent 2:0 protocol ip prio 1 u32 match ip
> dport 8080 0xffff flowid 2:1
>
> -- this works as expected.
>
> I see this in the ematch man page and I guess it might be related, but I
> am not sure how:
>
> """
> When using the ipset ematch with the "ifb" device, the outgoing device
> will be the ifb device itself, e.g. "ifb0". The original interface
> (i.e. the device the packet arrived on) is treated as the incoming
> interface.
> """
>
> Does anyone see what am I missing and how to get that ematch working on
> the ifb? Thanks!
Seems to work for me with a quick test on lan.
Random thoughts -
Putting htb qdisc under htb is allowed, but not normal and
gets in dmesg "htb: htb qdisc 2: is non-work-conserving?"
30 gig is really high and I see htb sets burst and cburst to 0.
Your qlens will be picked up from ifb, default 32 which may be too
low for the high bandwidth/htb direct traffic.
Nics may be doing hardware/driver software offloads, causing
giant packets to hit the qdisc - you can disable with ethtool.
prev parent reply other threads:[~2016-12-17 22:43 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-23 10:56 How to classify a port range? Yassen Damyanov
2016-11-24 23:29 ` Andy Furniss
2016-11-25 14:52 ` Yassen Damyanov
2016-11-25 17:19 ` Andy Furniss
2016-11-25 18:34 ` Yassen Damyanov
2016-12-17 16:12 ` Yassen Damyanov
2016-12-17 22:43 ` Andy Furniss [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5855BF9A.9020504@gmail.com \
--to=adf.lists@gmail.com \
--cc=lartc@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.