From: "Roché Compaan" <roche@upfrontsystems.co.za>
To: lartc@vger.kernel.org
Subject: [LARTC] Reviewing my shaping strategy
Date: Tue, 01 Apr 2003 08:58:08 +0000
Message-ID: <marc-lartc-104918764609144@msgid-missing>

Hi everybody

I've been using htb to shape traffic successfully for quite a while now
but I am wondering if it can be improved in some ways.

We are 3 companies sharing a 192Kbit connection to our ISP. I want each
company to have a rate of 64Kbit and a ceiling of 192Kbit so that they
can borrow from each other. Additionally we want ssh to have very low
delays and be quite responsive. I also want to ensure that incoming DNS
and SYN requests don't time out when all 3 companies are using all
of their available 64Kbit. After all, if these packets don't make it
through then the shaping can't be fair.

This is how my setup looks. I have a bridge over 2 ethernet cards so
that I can effectively shape incoming and outgoing traffic. I'm only
showing filters for one ethernet card here.

# root class
tc class add dev eth1 parent 1: classid 1:1 htb rate 192kbit ceil 192kbit

# I use 2Kbit from each company for SYN, ACK and DNS requests, leaving
# them with 62Kbit each
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 6kbit ceil 192kbit prio 0

# For each company I give ssh a higher priority

# Company 1 (2 and 3 have the same classes)
tc class add dev eth1 parent 1:1 classid 1:21 htb \
    rate 62kbit ceil 192kbit prio 1

# Class for SSH
tc class add dev eth1 parent 1:21 classid 1:210 htb \
    rate 32kbit ceil 192kbit prio 0

# The rest
tc class add dev eth1 parent 1:21 classid 1:211 htb \
    rate 30kbit ceil 192kbit prio 1

# ACK bit filter
tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    match u8 0x10 0xff at 33 \
    flowid 1:10

# I don't know if this one is correct????
# SYN bit filter
tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \
    match ip protocol 6 0xff \
    match u8 0x02 0x0f at 0 \
    flowid 1:10

# DNS filter
tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \
    match ip dport 53 0xffff \
    match ip protocol 17 0xff \
    flowid 1:10

tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \
    match ip sport 53 0xffff \
    match ip protocol 17 0xff \
    flowid 1:10

# Company1 Filters (2 and 3 have the same filters)

# Filter for SSH
tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \
    match ip dst X.Y.Z \
    match ip dport 22 0xffff \
    match ip protocol 6 0xff \
    flowid 1:210

# Filter for the rest
tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \
    match ip dst X.Y.Z \
    flowid 1:211

If you think the above can be improved in any way or see obvious gaps in
my shaping strategy please let me know.

One final question I have. If one uses the u32 filter, does the mask get
XOR'ed or AND'ed with the incoming packet? Is there any easy way to
calculate the mask?

--
Roché Compaan
Upfront Systems http://www.upfrontsystems.co.za
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
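
On the mask question that closes the message, an added example (not part of the original post) that emulates how a u32 key is evaluated: the packet bytes at the offset are AND'ed with the mask and the result is compared with the value, so the mask has a 1 for every bit that should be checked. The packets are constructed, the helper names are hypothetical, and `SYN_FILTER_FLAGS_BYTE` is an assumption modelled on the posted ACK filter that only holds for a 20-byte IP header.

```python
import struct

def u32_key_matches(pkt, width, value, mask, offset):
    """One u32 key: keep only the bits set in mask (AND), then test equality."""
    field = int.from_bytes(pkt[offset:offset + width], "big")
    return (field & mask) == (value & mask)

def filter_matches(pkt, keys):
    """A filter with several 'match' keys hits only if every key matches."""
    return all(u32_key_matches(pkt, *key) for key in keys)

def field_mask(width_bits, first_bit, nbits):
    """Mask with nbits ones, starting first_bit bits below the most significant bit."""
    return ((1 << nbits) - 1) << (width_bits - first_bit - nbits)

def build_tcp_packet(flags, payload_len=0):
    """Constructed IPv4+TCP packet: no options, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp + bytes(payload_len)

# Keys as (width in bytes, value, mask, offset from the start of the IP header).
PROTO_TCP = (1, 6, 0xFF, 9)                      # match ip protocol 6 0xff
IHL_IS_5 = (1, 0x05, field_mask(8, 4, 4), 0)     # match u8 0x05 0x0f at 0
LEN_UNDER_64 = (2, 0, field_mask(16, 0, 10), 2)  # match u16 0x0000 0xffc0 at 2
ACK_FILTER = [PROTO_TCP, IHL_IS_5, LEN_UNDER_64, (1, 0x10, 0xFF, 33)]
SYN_FILTER_AS_POSTED = [PROTO_TCP, (1, 0x02, 0x0F, 0)]
# Assumption, not from the post: test the TCP flags byte the way the ACK filter does.
SYN_FILTER_FLAGS_BYTE = [PROTO_TCP, IHL_IS_5, (1, 0x02, 0xFF, 33)]

if __name__ == "__main__":
    samples = {
        "pure ACK, 40 bytes": build_tcp_packet(0x10),
        "ACK with 100-byte payload": build_tcp_packet(0x10, 100),
        "SYN": build_tcp_packet(0x02),
        "SYN+ACK": build_tcp_packet(0x12),
    }
    filters = {
        "ACK filter": ACK_FILTER,
        "SYN filter as posted": SYN_FILTER_AS_POSTED,
        "SYN on flags byte": SYN_FILTER_FLAGS_BYTE,
    }
    for pkt_name, pkt in samples.items():
        for flt_name, keys in filters.items():
            print(f"{pkt_name:26} {flt_name:22} {filter_matches(pkt, keys)}")
```

Byte 0 of an IPv4 header without options is 0x45, and 0x45 AND 0x0f is 5, so a key of `0x02 0x0f at 0` cannot match such a packet whatever its TCP flags are.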