[LARTC] Re: [Linux Diffserv] fw filter and one more thing

[Stef Coene <stef.coene@docum.org>]

Kuba,
I post this message also to the LARTC mailinglist (www.lartc.org).

> So I have 2 working configurations limiting traffic coming from LAN.
>
> - First is marking incoming packets and tbf queue on the outgoing
> interface ?
>
> - Second is something like this:
> tc filter add dev eth1 parent ffff: protocol ip u32 match ip src
> 192.168.252.101 police rate 128kbit burst 10k drop flowid :1
> ....
> and so on for every ip address
This is ingress shaping.

> Which do you think is better ?
> All I need is limiting bandwidth to 128kbit and also it would be nicy if
> every IP address had equal share of the bandwidth in case it;s
> congested. And I'm not sure whether policy rate provides me the latter.
You can use your first solution, but with the cbq or htb qdisc.  You can 
create classes within these qdiscs.  So you can create 1 class / ip and each 
class can share his bandwidth with other classes.  Filtering can be done with 
the iptables marks and the fw filter.

> There's one more problem. I need to do transparent proxying at that
> router, and I suppose that passing the packets to squid will cause the
> change of MARK. I haven't checked it yet though. I'm just going to do
> that....
> Does anyone have any suggestions ?
Squid is a proxy so all connections are terminated in the proxy.  So all marks 
are gone.  You can try to use the delay pools in squid.  There was also a 
sugestion on the LARTC mailing list to patch squid so it can mark the packets 
like iptables.  
Or you have to do ingress shaping with the policers.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/