[LARTC] htb/iptables: incoming vs. outgoing shaping?

[LARTC] htb/iptables: incoming vs. outgoing shaping?

[Christian Parpart]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

there's something I really don't understand. What I wanna 
do is to shape my incoming _and_ my outgoing traffic in speperate 
queues. I have a 256kbit up and 256kbit down link on eth1.
I want to use iptables to set the marks.

wan=eth1
lowin=1   # ; highin=2
lowout=5  # ; highout=6

# mark incoming traffic
iptables -t mangle -A PREROUTING -i $wan -p tcp --sport 80  \
           -j MARK --set-mark $lowin
# mark outgoing traffic
iptables -t mangle -A OUTPUT -o $wan -p tcp --dport 80 \
           -j MARK --set-mark $lowout

tc qdisc handle add dev $wan root handle 1:0 htb
tc class add dev $wan parent 1:0 classid 1:1 htb rate 256kbit # input shaping
tc class add dev $wan parent 1:0 classid 1:2 htb rate 256kbit # output shaping
tc class add dev $wan parent 1:1 classid 1:11 htb rate 64kbit # low in
tc class add dev $wan parent 1:1 classid 1:12 htb rate 192kbit # high in
tc class add dev $wan parent 1:2 classid 1:21 htb rate 64kbit # low out
tc class add dev $wan parent 1:2 classid 1:22 htb rate 192kbit # high out

tc filter add dev $wan parent 1:1 protocol ip prio 1 \
    fw handle $lowin flowid 1:11
tc filter add dev $wan parent 1:2 protocol ip prio 1 \
    fw handle $lowout flowid 1:21

What I think I have done is that I've created to main queues (1:1 and 1:2) 
each one rating up to 256kbit. Each main queue got devided into a queue for 
low traffic (non priorized) and one high traffic (priorized).
Then, I attatched the filter that anchors the iptables marked ip packets to 
their corresponding queue.

But does this really work? I also notices somewhere that you just can shape 
input traffic, and for output you need a special IMQ target for iptables, 
why? And why doesn't it work in that way? 

Furthermore, is this right how I mark the outgoing traffic? should this be 
done in POSTROUTING, or even somewhere else? It's that we've 
PREROUTING,INPUT, FORWARD,OUTPUT and POSTROUTING have in table mangle.

Please, would you help me solving my problem?

Thanks in advance,
Christian Parpart.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9eWOpPpa2GmDVhK0RAgYtAJ9EgbgblPUgeB+1C0rbBMGE2u6MCACdFpOh
ZIoj8dQQ3GYpWjxHrgTT/5Y=
=hq5D
-----END PGP SIGNATURE-----

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] htb/iptables: incoming vs. outgoing shaping?

[Stef Coene]

> But does this really work? I also notices somewhere that you just can shape
> input traffic, and for output you need a special IMQ target for iptables,
> why? And why doesn't it work in that way?
it' the other way around.  You can only shape outgoing traffic.  You shape 
traffic by influencing the queue where the packets wait to be sended.  For 
incoming packets, there is no queue, so you can't shape incoming traffic.
But, there is a IMQ device.  You can put all incoming packets in this virtual 
device and this device has a queue.  So you can shape incoming traffic. But 
this can/will introduce extra delays.  There is also a ingress qdisc.  This 
qdisc contains no queue, but you can attach filter to it.  And you can use 
policers on this filter.  A policer is sort of shaper on a filter : it will 
only match the packets at a certain rate.  So you can match packets at a 
certain rate and throttle incoming traffic.  Howerver, this is a one-level 
setup so you can't create a hierarchical setup like you can with htb/cbq.

You never provided a ceil parameter when you created the classes.  So the 
class will never borrow unused bandwidth from each other.
And to be able to shape the traffic, you have to shape at 250 kbit or so.  So 
YOU are the bottleneck and not your router/modem.  You will loose some 
bandwidth, but you will be able the shape it.  So if shaping is not working, 
try to lower the total bandwidth you send/receive.

I suggest reading some docs : lartc.org in general and I have some more info 
about shaping on docum.org.

> Furthermore, is this right how I mark the outgoing traffic? should this be
> done in POSTROUTING, or even somewhere else? It's that we've
> PREROUTING,INPUT, FORWARD,OUTPUT and POSTROUTING have in table mangle.
It depends if the traffic is generated locally or forwarded.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] htb/iptables: incoming vs. outgoing shaping?

[George J. Jahchan]

Outgoing shaping (LAN --> WAN) makes sense as your input rate to the router
is at LAN speeds while its output rate is at (relatively low-bandwidth) WAN
speeds. A good set of rules will provide significant performance benefits
for critical apps, while relegating non-critical ones to a "best effort"
basis.

Shaping incoming traffic with queueing technology (WAN --> LAN) does not
make much sense as queues would occur after packets have crossed a
(presumably congested) WAN link, to be forwarded by the routing engine to a
10, 100 or 1,000 Mbps infrastructure. Queues in such a case add unnecessary
latency and provide no real benefit.


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/