[LARTC] tcng/tc setup
From: Gareth Glaccum @ 2004-07-14 9:54 UTC (permalink / raw)
To: lartc
Hi all,
Can someone please help with a tcng setup? I have played with tc and tcng in
the past, and now would like to get some serious rules in place. However, I
have a difficulty in setting them up.
My setup is as follows:
One machine working as a firewall:
eth0 is the interface connected to a 512K DSL line
eth1 is connected to a LAN
eth2 is connected to another LAN, a bit like a DMZ
eth1 and eth2 are totally different subnets, 10.1.1.x and 10.2.1.x, both class B
(sorry, this is a system I inherited; I am slowly getting ready to collapse
it all to class C).
I wanted to set the following rules:
High priority data needs to be some ssh from 10.1.1.x/16 (all) to external
IPs.
Priority is to be given to data going to 10.1.1.x/16 over the DMZ data.
Input is 55KB/s, output is 25KB/s
To the DMZ from the LAN, there should be no throttling.
To the LAN from the DMZ, there should be no throttling. (100Mbs/s)
SSH data should be given priority over HTTP
SMTP should be given priority over HTTP
HTTP is given priority over anything else
Interfaces,
eth0,
512Kb/s input, 256 Kb/s output
eth1, 100Mb/s each way
eth2, 100Mb/s each way
And I wrote out some rules. These rules seem to be correct, as far as I can
tell, but I stupidly forgot that this is all egress, and it cannot be done
as easily with ingress. Can someone please help by showing me how I can
modify these to give me control over the bandwidth in (albeit limited) as
well as out? Also could someone explain how I can easily write flows to test
all of the possible traffic I might be experiencing?
My aim is that any normal ssh to any machine, whether coming from the DMZ
to the internet or from the LAN to the internet, should get at least 2KB/s
of low-latency traffic each, even if other machines or other connections are
being made in the background.
I am wondering whether my first qdisc should in fact be an SFQ and then HTBs
below it?
All help will be gratefully received.
Thank you,
Gareth
----- Start long probably incorrect tcng code (I have left out the ingress
code I had, because it didn't work at all, and I didn't understand any of
it)
#define INTERNET eth0
#define LAN eth1
#define DMZ eth2
#define INTERNET_IP 0.0.0.0/0
/* A /16 covers 10.2.0.0-10.2.255.255 and 10.1.0.0-10.1.255.255, so the
   network address is x.y.0.0, not x.y.1.0. */
#define DMZ_IP 10.2.0.0/16
#define LAN_IP 10.1.0.0/16
/* tcng's "kbps" is kilobits per second. maxadsl (300kbps) is more than the
   256kbps the line can send, and the children of each HTB class below add
   up to more than their parent's rate, so the guarantees here are nominal
   and the queue will build in the modem rather than on this box. */
#define maxadsl 600kbps/2
#define highadsl 500kbps/2
#define medadsl 400kbps/2
#define midadsl 300kbps/2
#define lowadsl 200kbps/2
#define intadsl 150kbps/2
#define vloadsl 100kbps/2
#define noadsl 50kbps/2

dev INTERNET {
    egress {
        /* units attach directly to the number: 10kB, not "10 kB" */
        $meter = trTCM(cir 128kbps, cbs 10kB, pir 200kbps, pbs 10kB);

        /* Selectors are tried in order and the first match wins, so the
           most specific ones come first. tcng compares with ==; a single
           = is an assignment. A second "if" is not an extra condition,
           the two tests have to be joined with &&. */
        class (<$lanssh>)
            if (tcp_sport == 22 || tcp_dport == 22) &&
               (ip_src == LAN_IP || ip_dst == LAN_IP);
        class (<$dmzssh>)
            if (tcp_sport == 22 || tcp_dport == 22) &&
               (ip_src == DMZ_IP || ip_dst == DMZ_IP);
        /* Remaining low-delay ssh (i.e. the firewall's own): HTB only queues
           packets in leaf classes, so this goes into the $lanssh leaf and
           not into the inner $ssh class. 0x10 is the "low delay" TOS bit. */
        class (<$lanssh>)
            if (tcp_sport == 22 || tcp_dport == 22) && (ip_tos & 0x10);
        class (<$smtp>)
            if tcp_sport == 25 || tcp_dport == 25;
        class (<$lanhttp>)
            if (tcp_sport == 80 || tcp_dport == 80) &&
               (ip_src == LAN_IP || ip_dst == LAN_IP);
        class (<$dmzhttp>)
            if (tcp_sport == 80 || tcp_dport == 80) &&
               (ip_src == DMZ_IP || ip_dst == DMZ_IP);
        /* same leaf-only rule as for ssh: remaining http goes to $lanhttp */
        class (<$lanhttp>)
            if tcp_sport == 80 || tcp_dport == 80;
        class (<$othermed>)  if trTCM_green($meter);
        class (<$otherslow>) if trTCM_yellow($meter);
        drop if trTCM_red($meter);
        /* catch-all; nothing placed after it can be reached */
        class (<$otherslow>) if 1;

        htb () {
            class (rate maxadsl, ceil maxadsl) {
                $ssh = class (rate medadsl, ceil highadsl) {
                    $lanssh = class (rate midadsl, ceil medadsl) { sfq (perturb 10s); }
                    $dmzssh = class (rate vloadsl, ceil lowadsl) { sfq (perturb 10s); }
                }
                $smtp = class (rate midadsl, ceil highadsl) { sfq (perturb 10s); }
                $http = class (rate lowadsl, ceil highadsl) {
                    $lanhttp = class (rate lowadsl, ceil highadsl) { sfq (perturb 10s); }
                    $dmzhttp = class (rate lowadsl, ceil highadsl) { sfq (perturb 10s); }
                }
                $othermed  = class (rate lowadsl, ceil medadsl) { sfq (perturb 10s); }
                $otherslow = class (rate noadsl, ceil intadsl)  { sfq (perturb 10s); }
            }
        }
    }
}
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] tcng/tc setup
From: Jason Boxman @ 2004-07-14 15:00 UTC (permalink / raw)
To: lartc
On Wednesday 14 July 2004 05:54, Gareth Glaccum wrote:
> Hi all,
> Can someone please help with a tcng setup? I have played with tc and tcng
> in the past, and now would like to get some serious rules in place.
> However, I have a difficulty in setting them up.
I'd suggest using `tc` and using Netfilter to classify traffic. There are
quite a few matches you just can't do with tcng.
<snip>
> And I wrote out some rules. These rules seem to be correct, as far as I can
> tell, but I stupidly forgot that this is all egress, and it cannot be done
> as easily with ingress. Can someone please help by showing me how I can
> modify these to give me control over the bandwidth in (albeit limited) as
> well as out? Also could someone explain how I can easily write flows to
> test all of the possible traffic I might be experiencing?
tcng is supposed to let you perform all kinds of simulations on your traffic,
but I have never gotten it to work. If someone has produced useful
information, I'd love to know how.
> My aim is that any normal ssh to any machine, whether coming from the DMZ
> to the internet, or from the LAN to the internet, should get at least 2KB/s
> low-latency traffic each, even if other machines or other connections are
> being made in the background.
> I am wondering whether my first qdisc should in fact be an SFQ and then HTBs
> below it?
That is not possible. sfq is a classless qdisc. It cannot contain anything.
You would need to attach sfq to htb classes, instead, for instance.
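Added example, not code from either poster: the tc plus Netfilter layout Jason suggests, laid out for Gareth's eth0. iptables marks packets in the mangle table, HTB classifies on the mark with the fw classifier, every HTB leaf gets its own sfq (sfq cannot sit above htb, as Jason says), and the downstream is policed with an ingress qdisc. The interface name, networks, rates, marks, class ids and the DRY_RUN switch are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): tc + Netfilter version of Gareth's
# egress classes for eth0, plus an ingress policer. Interface name,
# networks, rates, marks and class ids are assumptions.
set -eu

WAN=${WAN:-eth0}
LAN_NET=10.1.0.0/16
DMZ_NET=10.2.0.0/16
UP_CEIL=240kbit       # just under the 256kbit upstream so the queue forms here
DOWN_POLICE=460kbit   # about 90% of the 512kbit downstream

# DRY_RUN=1 (the default) prints the commands instead of executing them, so
# the script can be reviewed without root; DRY_RUN=0 applies them.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# fwmark == HTB class minor id (hex): 10 LAN ssh, 11 DMZ ssh, 20 smtp,
# 30 LAN http, 31 DMZ http, 40 everything else (the HTB default class).
# MARK does not stop rule traversal, so the matches are kept disjoint.
mark_port() { # mark_port <source net> <tcp port> <mark>: both directions
    run iptables -t mangle -A POSTROUTING -o "$WAN" -s "$1" -p tcp --dport "$2" -j MARK --set-mark "$3"
    run iptables -t mangle -A POSTROUTING -o "$WAN" -s "$1" -p tcp --sport "$2" -j MARK --set-mark "$3"
}
mark_rules() {
    run iptables -t mangle -F POSTROUTING
    mark_port "$LAN_NET" 22 0x10
    mark_port "$DMZ_NET" 22 0x11
    mark_port 0.0.0.0/0  25 0x20
    mark_port "$LAN_NET" 80 0x30
    mark_port "$DMZ_NET" 80 0x31
}

# add_class <minor> <guaranteed rate> <htb prio>: an HTB leaf with sfq under
# it and an fw filter steering the matching mark into it. The rate is
# guaranteed to the class; sfq then shares it fairly among the flows inside
# the class, which is as close as tc gets to "2KB/s per ssh session".
add_class() {
    run tc class add dev "$WAN" parent 1:1 classid "1:$1" htb rate "$2" ceil "$UP_CEIL" prio "$3"
    run tc qdisc add dev "$WAN" parent "1:$1" handle "$1:" sfq perturb 10
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle "0x$1" fw flowid "1:$1"
}
egress_commands() {
    run tc qdisc del dev "$WAN" root 2>/dev/null || true
    run tc qdisc add dev "$WAN" root handle 1: htb default 40
    run tc class add dev "$WAN" parent 1: classid 1:1 htb rate "$UP_CEIL" ceil "$UP_CEIL"
    # lower prio value wins: LAN ssh > DMZ ssh > smtp > LAN http > DMZ http > rest
    add_class 10 32kbit 0
    add_class 11 32kbit 1
    add_class 20 48kbit 2
    add_class 30 48kbit 3
    add_class 31 32kbit 4
    add_class 40 32kbit 5     # rates sum to 224kbit, below UP_CEIL
}

# Ingress cannot be shaped per class: the ingress qdisc only polices, i.e.
# drops whatever exceeds the rate. Policing below the line rate pushes TCP
# senders back so the modem's queue stays short; per-class priority for
# downloads has to be done by shaping egress on eth1/eth2 instead.
ingress_commands() {
    run tc qdisc del dev "$WAN" ingress 2>/dev/null || true
    run tc qdisc add dev "$WAN" handle ffff: ingress
    run tc filter add dev "$WAN" parent ffff: protocol ip prio 50 u32 \
        match ip src 0.0.0.0/0 police rate "$DOWN_POLICE" burst 10k drop flowid :1
}

main() { mark_rules; egress_commands; ingress_commands; }
main
```

Run it once with the default DRY_RUN=1 and read the generated tc and iptables lines; `DRY_RUN=0 sh script.sh` as root applies them. `tc -s class show dev eth0` afterwards shows per-class byte counts, which is the quickest way to confirm that test traffic on ports 22, 25 and 80 from each subnet lands in the intended class.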