* [LARTC] Using tc with iptables marking.
@ 2002-04-16 11:07 Alex Bennee
  0 siblings, 0 replies; only message in thread
From: Alex Bennee @ 2002-04-16 11:07 UTC (permalink / raw)
  To: lartc

Hi,

Excuse the long first post, but I thought I had better annotate the script I
have so far. I have been looking for a solution for keeping
my "interactive" browsing whilst people hammer my web server (hosted inside
the DSL, port forwarded from the router). I've looked at scripts like the
wondershaper but I decided to roll my own as I'm already reasonably au fait
with the iptables toolchain. The problem is it doesn't work as
expected, but I may be missing something. Onwards with the config:

First I set up iptables to mark outgoing packets (I don't bother with
incoming as ADSL is asymmetric and it's the upstream interface that
saturates):

    # Setup POSTROUTING marking on dsl output
    # needed for QoS type hacks
    # 1 - outgoing interactive (ssh)
    # 2 - outgoing file stuff (www)
    # 3 - incoming interactive (ssh)
    # 4 - incoming personal use (https, http-tunnel)
    # 5 - incoming web
    # 6 - incoming mail
    # 7 - everything else

    # create the to-dsl table (we can only shape outgoing traffic)
    /sbin/iptables -t mangle -N to-dsl

    # For outgoing packets we need to mark stuff
    /sbin/iptables -t mangle -A to-dsl -p tcp --dport 22   -j MARK --set-mark 1
    /sbin/iptables -t mangle -A to-dsl -p tcp --dport 80   -j MARK --set-mark 2
    /sbin/iptables -t mangle -A to-dsl -p tcp --sport 24   -j MARK --set-mark 3
    /sbin/iptables -t mangle -A to-dsl -p tcp --sport 443  -j MARK --set-mark 4
    /sbin/iptables -t mangle -A to-dsl -p tcp --sport 8890 -j MARK --set-mark 4
    /sbin/iptables -t mangle -A to-dsl -p tcp --sport 80   -j MARK --set-mark 5
    /sbin/iptables -t mangle -A to-dsl -p tcp --sport 25   -j MARK --set-mark 6

    # turn it on
    /sbin/iptables -t mangle -A POSTROUTING -o ppp0 -j to-dsl

This bit works great. I can do "watch -n 1 -d iptables -t mangle -nvL" and
watch packets get marked to the different rules as I expect. Then I
configure the tc bits thusly:

# root qdisc, shape the upload bandwidth to 256kbits
tc qdisc add dev ppp0 root handle 1: cbq avpkt 1000 bandwidth 256kbit rate 240kbit

# create the prioritiser
tc qdisc add dev ppp0 parent 1:0 handle 2: prio bands 6 priomap 0 1 2 3 4 5

# create sfq's for each class
tc qdisc add dev ppp0 parent 2:1 handle 10: sfq
tc qdisc add dev ppp0 parent 2:2 handle 20: sfq
tc qdisc add dev ppp0 parent 2:3 handle 30: sfq
tc qdisc add dev ppp0 parent 2:4 handle 40: sfq
tc qdisc add dev ppp0 parent 2:5 handle 50: sfq
tc qdisc add dev ppp0 parent 2:6 handle 60: sfq

#and now the filters
tc filter add dev ppp0 parent 2:0 protocol ip prio 1 handle 1 fw flowid 10:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 2 handle 2 fw flowid 20:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 3 handle 3 fw flowid 30:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 4 handle 4 fw flowid 40:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 5 handle 5 fw flowid 50:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 6 handle 6 fw flowid 60:0

But when I do a "tc -s -d qdisc ls"

qdisc sfq 60: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 50: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 40: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 30: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 20: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 10: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 90818614 bytes 64922 pkts (dropped 0, overlimits 0)

qdisc prio 2: dev ppp0 bands 6 priomap  0 1 2 3 4 5 0 0 1 1 1 1 1 1 1 1
 Sent 92824232 bytes 66370 pkts (dropped 0, overlimits 0)

qdisc cbq 1: dev ppp0 rate 240Kbit cell 8b (bounded,isolated) prio no-transmit/8 weight 240Kbit allot 1478b
level 0 ewma 5 avpkt 1000b maxidle 1016us
 Sent 94712662 bytes 67725 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 25026 undertime 0

I suspect the problem is due to me misunderstanding the way prio and
priomap work in relation to the filters. I've been looking for any good
examples that show iptables -j MARK, prio and filter being used together
but have yet to come up with any good ones. If I get this to work you're
welcome to use it in the FAQ :-)


Alex
www.bennee.com/~alex/


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
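The following is an added example, not code from the post above or from the LARTC project. It does three things a practitioner would want when debugging this setup: it models how a prio qdisc turns a filter result into a band (my understanding of the kernel's prio_classify(): the minor number of the returned classid picks band minor-1 when it lies in 1..bands, any other minor, 0 included, falls back to priomap[0], and a packet matched by no filter uses priomap[skb->priority & 15], where skb->priority is 0 for default-TOS traffic); it parses the "tc -s qdisc ls" counters quoted in the post (re-typed here as a constant) to flag leaf qdiscs that never saw a packet; and it emits fw filters whose flowid names the prio qdisc's own class 2:N rather than the child sfq handle 10:, 20:, ..., which is the form that selects a band. The device name ppp0, the handles and the mark values are taken from the post; everything else is mine.

```python
"""Added example (not from the original post): model what a prio qdisc does
with the filter results in the posted script and check the posted counters.

Assumption (mine): band selection follows the Linux prio_classify() logic as
I understand it -- a filter result's *minor* number selects band (minor - 1)
when it lies in 1..bands; any other minor (0 included) falls back to
priomap[0]; a packet no filter matched uses priomap[skb->priority & 15], and
skb->priority is 0 for packets carrying the default TOS.
"""
import re

BANDS = 6
# priomap exactly as 'tc -s -d qdisc ls' printed it in the post
POSTED_PRIOMAP = [0, 1, 2, 3, 4, 5, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1]

# Constructed from the counters quoted in the post (prio and its leaves only)
POSTED_STATS = """\
qdisc sfq 60: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 50: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 40: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 30: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 20: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 10: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 90818614 bytes 64922 pkts (dropped 0, overlimits 0)
qdisc prio 2: dev ppp0 bands 6 priomap  0 1 2 3 4 5 0 0 1 1 1 1 1 1 1 1
 Sent 92824232 bytes 66370 pkts (dropped 0, overlimits 0)
"""


def parse_classid(text):
    """'10:0' -> (0x10, 0); '2:3' -> (2, 3). tc prints these numbers in hex."""
    major, _, minor = text.partition(":")
    return int(major, 16), int(minor or "0", 16)


def prio_band(filter_classid=None, bands=BANDS, priomap=POSTED_PRIOMAP,
              skb_priority=0):
    """0-based band the prio qdisc enqueues to, per the logic described above.
    filter_classid=None means no filter matched (e.g. an unmarked packet)."""
    if filter_classid is None:
        return priomap[skb_priority & 0xF]
    _, minor = parse_classid(filter_classid)
    band = minor - 1
    if not 0 <= band < bands:   # minor 0 or minor > bands does not name a band
        return priomap[0]
    return band


def parse_qdisc_stats(text):
    """'tc -s qdisc ls' output -> {handle: (bytes_sent, packets_sent)}."""
    stats, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*qdisc\s+\S+\s+([0-9a-f]+):", line)
        if head:
            current = head.group(1) + ":"
            continue
        sent = re.match(r"\s*Sent\s+(\d+)\s+bytes\s+(\d+)\s+pkts", line)
        if sent and current:
            stats[current] = (int(sent.group(1)), int(sent.group(2)))
    return stats


def idle_leaves(stats, leaves):
    """Leaf handles that never saw a packet: the symptom to look for."""
    return [h for h in leaves if stats.get(h, (0, 0))[1] == 0]


def fw_filters(dev, prio_handle, marks):
    """tc commands sending fwmark N to prio band N. flowid must name the prio
    qdisc's own class <prio_handle>:N, not the handle of the child sfq."""
    return [f"tc filter add dev {dev} parent {prio_handle}:0 protocol ip "
            f"prio {m} handle {m} fw flowid {prio_handle}:{m}" for m in marks]


if __name__ == "__main__":
    leaves = ["10:", "20:", "30:", "40:", "50:", "60:"]
    stats = parse_qdisc_stats(POSTED_STATS)
    print("leaves with zero packets:", idle_leaves(stats, leaves))
    for cid in ["10:0", "60:0", "2:1", "2:6"]:
        b = prio_band(cid)
        print(f"filter result {cid:5} -> band {b} -> qdisc {leaves[b]}")
    print("unmarked packet, TOS 0 -> band", prio_band(None))
    print("\n".join(fw_filters("ppp0", "2", range(1, 7))))
```

Run as a script it reports that every leaf except 10: is idle, that both 10:0 and 60:0 resolve to band 0 (so all marked traffic lands in sfq 10:, matching the quoted counters), and prints the six filters that map mark N to class 2:N. To apply the check to a live box, feed the output of `tc -s qdisc ls dev ppp0` to parse_qdisc_stats() instead of the constant.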
