Re: [LARTC] shaping incoming with ingress

Re: [LARTC] shaping incoming with ingress

[Damion de Soto]

Stef Coene wrote:
> Ok, first of all, you can only shape outgoing traffic.  If you have 3 nic's 
> and want to shape traffic from the internet to you, this can be problem.  But 
> you can patch the kernel so you can create a virtial imq device.  And with 
> simple iptables commands, you can redirect all incoming packets from the 
> internet to this imq device.  The good news is you can shape on that imq 
> device.

I've noticed as of late, everyone saying 'you can't shape incoming traffic'
but the best solution is to use the imq device.

what happened to ingress /policer usage?
is this not recommended anymore?
I know it doesn't do as efficient job as the normal egress methods, but is imq a lot 
better ?

when does imq become necessary instead of cbq/htb and ingress?



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer  email:     damion@snapgear.com
SnapGear ---                           ph:         +61 7 3435 2809
  | Custom Embedded Solutions          fax:         +61 7 3891 3630
  | and Security Appliances            web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] shaping incoming with ingress

[Martin A. Brown]

Good questions Damion,

 : I've noticed as of late, everyone saying 'you can't shape incoming
 : traffic' but the best solution is to use the imq device.

Well....(you'll love this) the reason everyone is saying "you can't shape
incoming traffic" is because you can't shape incoming traffic (without
IMQ).

Well, in short, what we're really saying is that you can't control what
you receive (without IMQ).  As the recipient of frames/packets, you have
no control over how fast they arrive in your device's input queue.

 : what happened to ingress /policer usage? is this not recommended
 : anymore?

There's nothing at all wrong with using an ingress policer.  I don't
believe it's possible to attach any classes to the ingress qdisc*.  That
is, the ingress qdisc only exists to allow the user to police inbound
traffic.

So, using the ingress qdisc as a dummy qdisc against which to attach a
policing filter (which drops traffic over a given rate) is the only use of
the ingress qdisc.

 : I know it doesn't do as efficient job as the normal egress
 : methods, but is imq a lot better ?

IMQ allows the full expressiveness of the entire set of linux
traffic control tools (from egress filtering) to be applied to

  - ingress traffic redirected through the IMQ device and
  - traffic split across any number of interfaces regardless of
    flow direction

 : when does imq become necessary instead of cbq/htb and ingress?

IMQ becomes necessary when

  - needing to shape or prioritize traffic on multiple interfaces as a
    single unit
  - desiring to shape or prioritize ingress traffic beyond policing a rate
  - needing to shape or prioritize traffic regardless of flow direction

-Martin

  * Maybe somebody will step in and contradict me here?

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] shaping incoming with ingress

[Rio Martin.]

On Thursday 31 July 2003 10:00, Martin A. Brown wrote:
> Well....(you'll love this) the reason everyone is saying "you can't shape
> incoming traffic" is because you can't shape incoming traffic (without
> IMQ).

Well, i shape incoming traffic without IMQ (:
I made my bandwidth.manager is on top of every router in my organization, so 
every traffic coming or leaving my organization must be processed by my 
bandwidth.manager first.. 

> Well, in short, what we're really saying is that you can't control what
> you receive (without IMQ).  As the recipient of frames/packets, you have
> no control over how fast they arrive in your device's input queue.

In my bandwidth.manager eth0 would be upgoing packet that needs to be manage, 
while eth1 would be the incoming packet to my LAN network.

Regards,
Rio Martin.
-- 
Game of love, we play, we win only to loose.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] shaping incoming with ingress

[smohan]

>On Thursday 31 July 2003 10:00, Martin A. Brown wrote:
>> Well....(you'll love this) the reason everyone is saying "you can't shape

>> incoming traffic" is because you can't shape incoming traffic (withoutswift-online

>> IMQ).
>
>Well, i shape incoming traffic without IMQ (:
>I made my bandwidth.manager is on top of every router in my organization, so

>every traffic coming or leaving my organization must be processed by my 
>bandwidth.manager first.. 
>
>> Well, in short, what we're really saying is that you can't control what
>> you receive (without IMQ).  As the recipient of frames/packets, you have

>> no control over how fast they arrive in your device's input queue.
>
>In my bandwidth.manager eth0 would be upgoing packet that needs to be manage,

>while eth1 would be the incoming packet to my LAN network.

In the absence of IMQ, this is what is recommended. Use ingress police to cap
overall incoming bandwidth and use qdiscs on LAN interface to shape traffic.
However, in cases like ISPs and a few corporate scenarios, the requirement is
to throttle/manage bandwith for incoming and outgoing traffic e.g. 64kbps incoming+outgoing
for an IP. In your scenarion, incoming and outgoing are capped/managed separately
but they cannot borrow from each other as they are on different interfaces.
IMQ being a single interface for both incoming and outgoing allows this.

>
>Regards,
>Rio Martin.
>-- 
>Game of love, we play, we win only to loose.
>
>_______________________________________________
>LARTC mailing list / LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

Mohan
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] shaping incoming with ingress

[Stef Coene]

On Thursday 31 July 2003 05:00, Martin A. Brown wrote:
> Good questions Damion,
>
>  : I've noticed as of late, everyone saying 'you can't shape incoming
>  : traffic' but the best solution is to use the imq device.
>
> Well....(you'll love this) the reason everyone is saying "you can't shape
> incoming traffic" is because you can't shape incoming traffic (without
> IMQ).
>
> Well, in short, what we're really saying is that you can't control what
> you receive (without IMQ).  As the recipient of frames/packets, you have
> no control over how fast they arrive in your device's input queue.
You can shape outgoing packets because they are queued in a buffer before they 
are sended out.  You can shape because you can reorder packets in that 
buffer.  Incoming packets are not buffered, so you can't change the order.

>  : what happened to ingress /policer usage? is this not recommended
>  : anymore?
>
> There's nothing at all wrong with using an ingress policer.  I don't
> believe it's possible to attach any classes to the ingress qdisc*.  That
> is, the ingress qdisc only exists to allow the user to police inbound
> traffic.
>
> So, using the ingress qdisc as a dummy qdisc against which to attach a
> policing filter (which drops traffic over a given rate) is the only use of
> the ingress qdisc.
Indeed.  And policing is not shaping.  Policing is rate limiting while shaping 
can do more.  For example, shaping can borrow unused bandwidth in a 
controlled way between different flows.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] shaping incoming with ingress

[Stef Coene]

On Thursday 31 July 2003 05:55, Rio Martin. wrote:
> On Thursday 31 July 2003 10:00, Martin A. Brown wrote:
> > Well....(you'll love this) the reason everyone is saying "you can't shape
> > incoming traffic" is because you can't shape incoming traffic (without
> > IMQ).
>
> Well, i shape incoming traffic without IMQ (:
> I made my bandwidth.manager is on top of every router in my organization,
> so every traffic coming or leaving my organization must be processed by my
> bandwidth.manager first..
If I understand correctly, you have 1 router with 2 nics.  So you shape 
incoming traffic on nic1 by shaping outgoing traffic on nic2.  This is fine 
for your setup, but if you 3 nic's and you are running some services on the 
router, you will have a problem.

> > Well, in short, what we're really saying is that you can't control what
> > you receive (without IMQ).  As the recipient of frames/packets, you have
> > no control over how fast they arrive in your device's input queue.
>
> In my bandwidth.manager eth0 would be upgoing packet that needs to be
> manage, while eth1 would be the incoming packet to my LAN network.

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] shaping incoming with ingress

[Rio Martin.]

On Thursday 31 July 2003 16:46, you wrote:
> If I understand correctly, you have 1 router with 2 nics.  So you shape
> incoming traffic on nic1 by shaping outgoing traffic on nic2.  This is fine
> for your setup, but if you 3 nic's and you are running some services on the
> router, you will have a problem.

If i want to add more service, i will ask my boss to prepare another PC for 
those service, simple isnt it ? (:
It would be better and wont interfere the performance of bandwidth manager ..

Regards,
Rio Martin.

-- 
Game of love, we play, we win only to loose.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] shaping incoming with ingress

[Stef Coene]

On Thursday 31 July 2003 12:00, Rio Martin. wrote:
> On Thursday 31 July 2003 16:46, you wrote:
> > If I understand correctly, you have 1 router with 2 nics.  So you shape
> > incoming traffic on nic1 by shaping outgoing traffic on nic2.  This is
> > fine for your setup, but if you 3 nic's and you are running some services
> > on the router, you will have a problem.
>
> If i want to add more service, i will ask my boss to prepare another PC for
> those service, simple isnt it ? (:
> It would be better and wont interfere the performance of bandwidth manager
> ..
It's best if you have a dedicated shaper in bridge mode behind your firewall.  
So all traffic passes thru the shaper and the shaper sees the real ip 
addresses.  If the shaper is in bridge mode, your don't have to change your 
network toplogy.  And you can even remove the shaper for tests/repairs 
without interrupting your network.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/