[LARTC] how flexible is ingress traffic policing to bandwidth limit?

[LARTC] how flexible is ingress traffic policing to bandwidth limit?

[Greg Stark]

[I sent this earlier but I guess the list is subscriber-only?]

I just set up wondershaper, it has a simple filter on the downstream
direction to limit the bandwidth usage:

tc qdisc add dev $DEV handle ffff: ingress
tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

This is effective but is there any way to tell it to choose only certain kinds
of streams for dropping packets? Minimally I would want to tell it to never
drop any packets in a certain list of port numbers. 

Ideally I would want it to never drop any packets that fall into the 1:10
flowid that is set up earlier in wondershaper. I'm unclear if that's possible
though since that flowid is set up for outgoing packets, and some of the
filters don't even make sense for incoming packets (TOS for example).

But even if I could just tell it to never choose packets from particular
ports, that would satisfy my immediate needs.


-- 
greg

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] how flexible is ingress traffic policing to bandwidth limit?

[Jason Boxman]

On Tuesday 08 June 2004 14:35, Greg Stark wrote:
> [I sent this earlier but I guess the list is subscriber-only?]
>
> I just set up wondershaper, it has a simple filter on the downstream
> direction to limit the bandwidth usage:
>
> tc qdisc add dev $DEV handle ffff: ingress
> tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
>    0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
>
> This is effective but is there any way to tell it to choose only certain
> kinds of streams for dropping packets? Minimally I would want to tell it to
> never drop any packets in a certain list of port numbers.

ingress is rather weak.  You can only really police with it.  For what you 
want most people setup the IMQ[1] device and you egress filters on it to 
control what is shaped and how.

[1] http://trash.net/~kaber/imq/

<snip>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] how flexible is ingress traffic policing to bandwidth

[Damion de Soto]

Greg,
>>This is effective but is there any way to tell it to choose only certain
>>kinds of streams for dropping packets? Minimally I would want to tell it to
>>never drop any packets in a certain list of port numbers.
> 
> 
> ingress is rather weak.  You can only really police with it.  For what you 
> want most people setup the IMQ[1] device and you egress filters on it to 
> control what is shaped and how.

You can create different ingress policers that only match specific ports, and give 
them different priorities, but that still won't work as well as using IMQ,
or if your box is a gateway (and you are only shaping traffic going through it),
then you can use egress queues on the LAN interface.

regards,

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer  email:     damion@snapgear.com
SnapGear - A CyberGuard Company ---    ph:         +61 7 3435 2809
  | Custom Embedded Solutions          fax:         +61 7 3891 3630
  | and Security Appliances            web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ---  Free Embedded Linux Distro at   http://www.snapgear.org  ---
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/