* [LARTC] Why my script doesn't work ???
From: Gabor Csuri @ 2002-12-07 13:44 UTC (permalink / raw)
To: lartc
Hi All,
I'm using iptables-1.2.7a on RedHat8 kernel 2.4.20.
I wanted to limit the file-sharing traffic to the internet.
I marked the packets with iptables:
iptables -A FORWARD -t mangle -p tcp -s 192.168.1.1/24 -d ! 192.168.1.1/24 \
  --dport 1024:1862 -j MARK --set-mark 1
iptables -A FORWARD -t mangle -p tcp -s 192.168.1.1/24 -d ! 192.168.1.1/24 \
  --dport 1864:65535 -j MARK --set-mark 1
and I put some new lines into wondershaper 1.1a (before the "#start filters"
label):
tc class add dev $DEV parent 1:1 classid 1:40 cbq rate $[$UPLINK/10]kbit \
allot 1600 prio 2 avpkt 1000
tc qdisc add dev $DEV parent 1:40 handle 40: sfq perturb 10
tc filter add dev $DEV parent 1:0 protocol ip handle 1 fw flowid 1:40
#start filters
...
I realized there is 80Kbit/s of traffic to a site (port 2334) from inside.
My $UPLINK is 80.
How can this be?
Thanks, Gabor
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] Why my script doesn't work ???
From: Stef Coene @ 2002-12-07 15:11 UTC (permalink / raw)
To: lartc
On Saturday 07 December 2002 14:44, Gabor Csuri wrote:
> Hi All,
>
> I'm using iptables-1.2.7a on RedHat8 kernel 2.4.20.
> I wanted to limit the file-sharing traffic to the internet.
> I marked the packets with iptables:
>
> iptables -A FORWARD -t mangle -p tcp -s 192.168.1.1/24 -d ! 192.168.1.1/24 \
>   --dport 1024:1862 -j MARK --set-mark 1
>
> iptables -A FORWARD -t mangle -p tcp -s 192.168.1.1/24 -d ! 192.168.1.1/24 \
>   --dport 1864:65535 -j MARK --set-mark 1
>
> and I put some new lines into wondershaper 1.1a (before the "#start filters"
> label):
>
> tc class add dev $DEV parent 1:1 classid 1:40 cbq rate $[$UPLINK/10]kbit \
> allot 1600 prio 2 avpkt 1000
> tc qdisc add dev $DEV parent 1:40 handle 40: sfq perturb 10
> tc filter add dev $DEV parent 1:0 protocol ip handle 1 fw flowid 1:40
>
> #start filters
> ...
>
> I realized there is 80Kbit/s of traffic to a site (port 2334) from inside.
> My $UPLINK is 80.
> How can this be?
Can you check the counters of iptables so you are sure you are marking the
packets ??? And the same for tc: tc -s -d class show dev eth0.
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
* RE: [LARTC] Why my script doesn't work ???
From: Gabor Csuri @ 2002-12-07 21:41 UTC (permalink / raw)
To: lartc
Hi,
here are my outputs:
[root@basement sysconfig]# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 2082K packets, 1828M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 30207 packets, 3707K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 2043K packets, 1812M bytes)
 pkts bytes target     prot opt in     out     source               destination
88476   60M MARK       tcp  --  *      *       192.168.1.0/24      !192.168.1.0/24     tcp dpts:1024:1862 MARK set 0x1
53899   13M MARK       tcp  --  *      *       192.168.1.0/24      !192.168.1.0/24     tcp dpts:1864:65535 MARK set 0x1

Chain OUTPUT (policy ACCEPT 35682 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2078K packets, 1823M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@basement sysconfig]#
[root@basement sysconfig]# tc -s -d class show dev ppp0
class cbq 1: root rate 10Mbit cell 8b (bounded,isolated) prio no-transmit/8 weight 10Mbit allot 1492b
 level 2 ewma 5 avpkt 1000b maxidle 23us
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:10 parent 1:1 leaf 10: rate 80Kbit cell 8b prio 1/1 weight 80Kbit allot 1600b
 level 0 ewma 5 avpkt 1000b maxidle 23us
 Sent 21230491 bytes 509446 pkts (dropped 0, overlimits 2127)
 borrowed 0 overactions 1447 avgidle 624 undertime 0
class cbq 1:1 parent 1: rate 80Kbit cell 8b (bounded,isolated) prio 5/5 weight 80Kbit allot 1500b
 level 1 ewma 5 avpkt 1000b maxidle 23us
 Sent 56095919 bytes 539304 pkts (dropped 0, overlimits 0)
 borrowed 11572 overactions 0 avgidle -44724 undertime 46502
class cbq 1:20 parent 1:1 leaf 20: rate 72Kbit cell 8b prio 2/2 weight 72Kbit allot 1600b
 level 0 ewma 5 avpkt 1000b maxidle 23us
 Sent 34865428 bytes 29858 pkts (dropped 0, overlimits 96751)
 borrowed 11572 overactions 4191 avgidle 624 undertime 0
class cbq 1:30 parent 1:1 leaf 30: rate 64Kbit cell 8b prio 2/2 weight 64Kbit allot 1600b
 level 0 ewma 5 avpkt 1000b maxidle 23us
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:40 parent 1:1 leaf 40: rate 8Kbit cell 8b prio 2/2 weight 8Kbit allot 1600b
 level 0 ewma 5 avpkt 1000b maxidle 23us
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 624 undertime 0
Gabor.
* Re: [LARTC] Why my script doesn't work ???
From: Stef Coene @ 2002-12-08 12:13 UTC (permalink / raw)
To: lartc
On Saturday 07 December 2002 22:41, Gabor Csuri wrote:
> Hi,
>
> here are my outputs:
>
> [root@basement sysconfig]# iptables -t mangle -nvL
> Chain FORWARD (policy ACCEPT 2043K packets, 1812M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 88476   60M MARK       tcp  --  *      *       192.168.1.0/24      !192.168.1.0/24     tcp dpts:1024:1862 MARK set 0x1
> 53899   13M MARK       tcp  --  *      *       192.168.1.0/24      !192.168.1.0/24     tcp dpts:1864:65535 MARK set 0x1
Ok, the packets are marked.
> [root@basement sysconfig]# tc -s -d class show dev ppp0
> class cbq 1:40 parent 1:1 leaf 40: rate 8Kbit cell 8b prio 2/2 weight 8Kbit allot 1600b
>  level 0 ewma 5 avpkt 1000b maxidle 23us
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>  borrowed 0 overactions 0 avgidle 624 undertime 0
So no packet is redirected to class 1:40 like you want. Is it possible that
you have a filter that matches the same packets and is processed before the
extra filter you added? You can try to put your filter at the top of the
script or give it a lower prio parameter so it has a higher priority.
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
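The check Stef asks for (do the MARK counters climb, and does the target class ever see a packet) can be scripted. This is an added example, not code from the thread or from wondershaper: it parses `tc -s -d class show` output for cbq classes and lists the leaf classes that have never sent a packet, which is exactly the symptom on class 1:40 here. The sample output is constructed from the numbers in Gabor's mail.

```python
import re

# Sample `tc -s -d class show dev ppp0` output, constructed for this example
# from the numbers in Gabor's mail (tc prints each class header on one line).
SAMPLE = """\
class cbq 1:10 parent 1:1 leaf 10: rate 80Kbit cell 8b prio 1/1 weight 80Kbit allot 1600b
 level 0 ewma 5 avpkt 1000b maxidle 23us
 Sent 21230491 bytes 509446 pkts (dropped 0, overlimits 2127)
 borrowed 0 overactions 1447 avgidle 624 undertime 0
class cbq 1:1 parent 1: rate 80Kbit cell 8b (bounded,isolated) prio 5/5 weight 80Kbit allot 1500b
 level 1 ewma 5 avpkt 1000b maxidle 23us
 Sent 56095919 bytes 539304 pkts (dropped 0, overlimits 0)
 borrowed 11572 overactions 0 avgidle -44724 undertime 46502
class cbq 1:20 parent 1:1 leaf 20: rate 72Kbit cell 8b prio 2/2 weight 72Kbit allot 1600b
 level 0 ewma 5 avpkt 1000b maxidle 23us
 Sent 34865428 bytes 29858 pkts (dropped 0, overlimits 96751)
 borrowed 11572 overactions 4191 avgidle 624 undertime 0
class cbq 1:40 parent 1:1 leaf 40: rate 8Kbit cell 8b prio 2/2 weight 8Kbit allot 1600b
 level 0 ewma 5 avpkt 1000b maxidle 23us
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 624 undertime 0
"""

HEADER = re.compile(r"^class cbq (\S+)(?: parent (\S+))?(?: leaf (\S+))? rate (\S+)")
SENT = re.compile(r"Sent (\d+) bytes (\d+) pkts \(dropped (\d+), overlimits (\d+)\)")

def parse_tc_classes(text):
    """Map each classid to its parent, leaf qdisc, rate and Sent counters."""
    classes, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"parent": m.group(2), "leaf": m.group(3), "rate": m.group(4)}
            classes[m.group(1)] = current
            continue
        m = SENT.search(line)
        if m and current is not None:
            current.update(sent_bytes=int(m.group(1)), sent_pkts=int(m.group(2)),
                           dropped=int(m.group(3)), overlimits=int(m.group(4)))
    return classes

def idle_leaf_classes(classes):
    """Leaf classes that never sent a packet: the filter meant to feed them
    is not matching, or an earlier-priority filter grabs the packets first."""
    return sorted(cid for cid, c in classes.items()
                  if c["leaf"] and c.get("sent_pkts") == 0)

if __name__ == "__main__":
    for cid in idle_leaf_classes(parse_tc_classes(SAMPLE)):
        print(f"class {cid} has sent 0 packets: check filter order/prio")
```

Feed it the live output (`tc -s -d class show dev ppp0 | python3 thisscript.py` with `SAMPLE` replaced by `sys.stdin.read()`) and compare against the iptables MARK counters: marked packets plus an idle target class points at filter ordering, not at the mangle rules.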
* RE: [LARTC] Why my script doesn't work ???
From: Gabor Csuri @ 2002-12-08 22:28 UTC (permalink / raw)
To: lartc
Hi Stef,
You were right.
I had to add a priority to my filter:
tc filter add dev $DEV parent 1:0 protocol ip prio 1 \
handle 1 fw flowid 1:40
Thanks a lot, Gabor.