[LARTC] Problems with tc filter (getting packets into a CBQ)

[LARTC] Problems with tc filter (getting packets into a CBQ)

[Edwin Chiu]

Hi,

I'm having trouble getting traffic into the desired CBQ..

Here is my simple configuration:

tc qdisc del dev eth0 root 2> /dev/null
tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 10Mbit \
	avpkt 1200 cell 8

tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 10Mbit \
	rate 2Mbit weight 0.2Mbit prio 8 allot 1514 cell 8 \
	maxburst 20 avpkt 1200

tc class add dev eth0 parent 1:1 classid 1:100 cbq bandwidth 2Mbit \
	rate 130Kbit weight 13Kbit prio 8 allot 1514 cell 8 \
	maxburst 20 avpkt 1200

tc qdisc add dev eth0 parent 1:100 tbf rate 128Kbit buffer 10Kb/8 \
	limit 15Kb mtu 1500

tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
	u32 match ip sport 119 0xffff flowid 1:100 \


But no traffic shows up.... (A simple telnet news.giganews.com 119 to
test):

lum:/home/edwin# tc -s qdisc
qdisc tbf 8036: dev eth0 rate 128Kbit burst 10Kb lat 381.5ms 
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0) 

qdisc cbq 1: dev eth0 rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 913009 bytes 12538 pkts (dropped 0, overlimits 0) 
  borrowed 0 overactions 0 avgidle 749 undertime 0

qdisc tbf 8016: dev eth0 rate 128Kbit burst 10Kb lat 381.5ms 
 Sent 14954 bytes 202 pkts (dropped 0, overlimits 0) 

lum:/home/edwin# tc -s class show dev eth0
class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 428 bytes 7 pkts (dropped 0, overlimits 0) 
  borrowed 0 overactions 0 avgidle 749 undertime 0
class cbq 1:100 parent 1:1 leaf 8038: rate 130Kbit prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0) 
  borrowed 0 overactions 0 avgidle 1.57035e+06 undertime 0
class cbq 1:1 parent 1: rate 2Mbit prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0) 
  borrowed 0 overactions 0 avgidle 85149 undertime 0


I've also tried marking packets in iptables and using tc to filter those
packets into both flowid and classid 1:100 to no avail.

Thanks in advance.

-- 
Edwin Chiu                                   | ICBM: 43.39N 79.23W
edwin@thetomatoe.com                         | PGP:  1024D/0x16B55226

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Problems with tc filter (getting packets into a CBQ)

[Stef Coene]

> tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
> 	u32 match ip sport 119 0xffff flowid 1:100 \
>
>
> But no traffic shows up.... (A simple telnet news.giganews.com 119 to
> test):
So you start a telnet from news.giganews.com to your test system?  Then you 
should match dport 119.  Otherwise I'm wrong :) and the filter is ok.
 
> I've also tried marking packets in iptables and using tc to filter those
> packets into both flowid and classid 1:100 to no avail.
Marking with iptables and using the fw filter, works fine for me.  You can 
find some working examples on www.docum.org.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Problems with tc filter (getting packets into a CBQ)

[Edwin Chiu]

On Fri, 2002-05-17 at 20:08, Stef Coene wrote:
> > tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
> > 	u32 match ip sport 119 0xffff flowid 1:100 \
> >
> > But no traffic shows up.... (A simple telnet news.giganews.com 119 to
> > test):
> So you start a telnet from news.giganews.com to your test system?  Then you 
> should match dport 119.  Otherwise I'm wrong :) and the filter is ok.

Sorry, I should have been more clear, I telnet from my test system to
news.giganews.com

$ telnet news.giganews.com 119
Trying 216.166.71.230...
Connected to news-central.giganews.com.
Escape character is '^]'.
200 News.GigaNews.Com (Typhoon v1.2.3)
quit
205 GoodBye
Connection closed by foreign host.

And I want to shape incoming nntp traffic (which is why i match sport
119).

Edwin

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Problems with tc filter (getting packets into a CBQ)

[Stef Coene]

> Sorry, I should have been more clear, I telnet from my test system to
> news.giganews.com
>
> $ telnet news.giganews.com 119
> Trying 216.166.71.230...
> Connected to news-central.giganews.com.
> Escape character is '^]'.
> 200 News.GigaNews.Com (Typhoon v1.2.3)
> quit
> 205 GoodBye
> Connection closed by foreign host.
>
> And I want to shape incoming nntp traffic (which is why i match sport
> 119).
That should work.  Maybe you can test it for sure with tcpdump to see if the 
packets are really coming in with sport 119.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Problems with tc filter (getting packets into a CBQ)

[Edwin Chiu]

Here is a simple setup that I'm testing. The goal is the shape incoming
NNTP traffic. 

Here is the script:

tc qdisc del dev eth0 root 2>/dev/null
tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 10Mbit \
	avpkt 1000 cell 8

tc class add dev eth0 parent 1:0 classid 1:100 cbq bandwidth 2Mbit \
	rate 130Kbit prio 3 allot 1514 cell 8 maxburst 20 avpkt 1000

tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 \
	fw classid 1:100

iptables -F -t mangle
iptables -A PREROUTING -i eth0 -t mangle -p tcp --sport 119 \
	-j MARK --set-mark 1

Here is the results of a simple test:

# iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 220M packets, 107G bytes)
 pkts bytes target     prot opt in     out     source              
destination         
    0     0 MARK       tcp  --  eth0   *       0.0.0.0/0           
0.0.0.0/0          tcp spt:119 MARK set 0x1 

Chain OUTPUT (policy ACCEPT 165M packets, 59G bytes)
 pkts bytes target     prot opt in     out     source              
destination       

# telnet news.giganews.com 119
Trying 216.166.71.230...
Connected to news-central.giganews.com.
Escape character is '^]'.
200 News.GigaNews.Com (Typhoon v1.2.3)
quit
205 GoodBye
Connection closed by foreign host.

# iptables -t mangle -L -vn
Chain PREROUTING (policy ACCEPT 220M packets, 107G bytes)
 pkts bytes target     prot opt in     out     source              
destination         
    6   377 MARK       tcp  --  eth0   *       0.0.0.0/0           
0.0.0.0/0          tcp spt:119 MARK set 0x1 

Chain OUTPUT (policy ACCEPT 165M packets, 59G bytes)
 pkts bytes target     prot opt in     out     source              
destination         

# tc -s class show dev eth0
class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 105328 bytes 1459 pkts (dropped 0, overlimits 0) 
  borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:100 parent 1: rate 130Kbit prio 3
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0) 
  borrowed 0 overactions 0 avgidle 1.30863e+06 undertime 0

# tc filter show dev eth0
filter parent 1: protocol ip pref 1 fw 
filter parent 1: protocol ip pref 1 fw handle 0x1 classid 1:100 

Still no packets being filtered into my CBQ, but the packets are clearly
being marked.

--
Edwin Chiu                                   | ICBM: 43.39N 79.23W
edwin@thetomatoe.com                         | PGP:  1024D/0x16B55226

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Problems with tc filter (getting packets into a CBQ)

[Stef Coene]

> Still no packets being filtered into my CBQ, but the packets are clearly
> being marked.

I found the error.  You mark the packets when they enter your box with 
iptables on device eth0.  But you add the qdisc and the classes to the same 
device.  But this qdisc and class can only control OUTgoing traffic and you 
want to control incoming traffic.  If this is a firewall with two NIC's, you 
can attach the qdisc and class to the second NIC.  Incoming NTP traffic get's 
marked and get's shaped when it leaves the box on the second NIC.  
If you really want to shape incoming traffic, you will have to use the 
ingress qdisc or the IMQ device.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/