From: al@mail.int.xm.co.za
To: lartc@vger.kernel.org
Subject: [LARTC] Couple of tc queries
Date: Mon, 22 Sep 2003 08:24:18 +0000
Message-ID: <marc-lartc-106421926809556@msgid-missing>

[-- Attachment #1: Type: text/plain, Size: 1851 bytes --]

Ok, so I'm working on a traffic shaping configuration to roll out for my
employers. However I'm no wizard @ this and have a few concerns.

My script (attached) is completely hacked on wondershaper. What I need to do
differently from wondershaper is I need separate throttles for local and
international traffic (I have a list of all the netblocks in my country).

[QUERY 1]

It's important for me to understand tc's rule matching properly: is the first
matching rule taken or do multiple matches apply? At first I had duplicated all
the rules for international and local traffic, with the rules for local traffic
including a match ip dst $i for each local IP block. Now I match those addresses
only and assign a flowid, which I make all my other rules children of- this will
work?

[QUERY 2]

Ok, this is a strange one. In script attached you will find rules for TCP/ACK
and ICMP matching, twice for local and international traffic. The rules for
international traffic result in an "illegal "match"" unless I add them first in
which case the local rules result in an "illegal "match""- what am I doing
wrong?

[QUERY 3]

How slow is tc's matching? I need a few rules, for about 800 IP blocks. Is there
a way for me to index this?

[QUERY 4]

In-bound filtering: How to filter at different rates for local & international
traffic?

[QUERY 5]

At first I had assumed these rules only apply to packets being routed?- Having
run this on our mailserver and having users complain about slow-down :D I now
know this is not the case. Does someone have an example of how to implement
tc on a machine which is used to provide services to a local network as well?

--

Don't feel obliged to answer all my questions (though feel free ;D); if you
have time to give me an answer or two, it would be much appreciated.

*Script attached*

Best Regards,
Andrew Lewis

[-- Attachment #2: tc.script --]
[-- Type: text/plain, Size: 7748 bytes --]

#!/bin/bash

#############
# Variables #
#############

# Device to shape (local interface)
DEV=eth0

# Local Bandwidth Throttle (in kilobits)
LOCAL_UPLINK_SPEED=16
LOCAL_DNLINK_SPEED=16

# International Bandwidth Throttle (in kilobits)
INTNL_UPLINK_SPEED=8
INTNL_DNLINK_SPEED=8

# Local Burst Rate (in kilobits)
LOCAL_BURST=4

# International Burst Rate (in kilobits)
INTNL_BURST=2

# Local Traffic: Low Priority:
# Source Netmasks
LOCAL_LOPRIO_HOSTSRC=
# Destination Netmasks
LOCAL_LOPRIO_HOSTDST=
# Source Ports
LOCAL_LOPRIO_PORTSRC=
# Destination Ports
LOCAL_LOPRIO_PORTDST=

# Local Traffic: High Priority:
# Source Netmasks
LOCAL_HIPRIO_HOSTSRC=
# Destination Netmasks
LOCAL_HIPRIO_HOSTDST=
# Source Ports
LOCAL_HIPRIO_PORTSRC=
# Destination Ports
LOCAL_HIPRIO_PORTDST=

# International Traffic: Low Priority:
# Source Netmasks
INTNL_LOPRIO_HOSTSRC=
# Destination Netmasks
INTNL_LOPRIO_HOSTDST=
# Source Ports
INTNL_LOPRIO_PORTSRC=
# Destination Ports
INTNL_LOPRIO_PORTDST=
                                                                                
# International Traffic: High Priority:
# Source Netmasks
INTNL_HIPRIO_HOSTSRC=
# Destination Netmasks
INTNL_HIPRIO_HOSTDST=
# Source Ports
INTNL_HIPRIO_PORTSRC=
# Destination Ports
INTNL_HIPRIO_PORTDST=

# Read external file to set local netmasks
LOCAL=`cat local`

####################
# End of Variables #
####################

if [ "$1" = "status" ]
then
  tc -s qdisc ls dev $DEV
  tc -s class ls dev $DEV
  exit
fi

tc qdisc del dev $DEV root 2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null

if [ "$1" = "stop" ]
then
  exit
fi

#####################
# Queue Definitions #
#####################

# Root queueing discipline
tc qdisc add dev $DEV root handle 1: htb default 40

# Local: root class
tc class add dev $DEV parent 1: classid 1:1 htb rate ${LOCAL_UPLINK_SPEED}kbit

# International: root class
tc class add dev $DEV parent 1: classid 1:2 htb rate ${INTNL_UPLINK_SPEED}kbit

# Local: high priority class 1:10
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${LOCAL_UPLINK_SPEED}kbit\
  burst ${LOCAL_BURST}k prio 1

# International: high priority class 1:20
tc class add dev $DEV parent 1:2 classid 1:20 htb rate ${INTNL_UPLINK_SPEED}kbit\
  burst ${INTNL_BURST}k prio 1

# Local: default priority class 1:30
tc class add dev $DEV parent 1:1 classid 1:30 htb rate $[9*LOCAL_UPLINK_SPEED/10]kbit \
  burst ${LOCAL_BURST}k prio 2

# International: default priority class 1:40
tc class add dev $DEV parent 1:2 classid 1:40 htb rate $[9*INTNL_UPLINK_SPEED/10]kbit \
  burst ${INTNL_BURST}k prio 2

# Local: low priority class 1:50
tc class add dev $DEV parent 1:1 classid 1:50 htb rate $[8*LOCAL_UPLINK_SPEED/10]kbit \
  burst ${LOCAL_BURST}k prio 3

# International: low priority class 1:60
tc class add dev $DEV parent 1:2 classid 1:60 htb rate $[8*INTNL_UPLINK_SPEED/10]kbit \
  burst ${INTNL_BURST}k prio 3

# Stochastic Fairness Queueing for all

tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10
tc qdisc add dev $DEV parent 1:40 handle 40: sfq perturb 10
tc qdisc add dev $DEV parent 1:50 handle 50: sfq perturb 10
tc qdisc add dev $DEV parent 1:60 handle 60: sfq perturb 10

##################
# Filters: Local #
##################

echo 1
for i in $LOCAL
do
  tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 match ip dst $i \
    flowid 1:1
done

# High Priority Traffic:
# TOS Minimum Delay (ssh, not scp)
tc filter add dev $DEV parent 1:1 protocol ip prio 10 u32 match ip tos 0x10\
  0xff flowid 1:10
# ICMP in interactive class for impressive measurements
tc filter add dev $DEV parent 1:1 protocol ip prio 10 u32 match ip protocol 1\
  0xff match ip dst $i flowid 1:10
# ACK packets in interactive class to accelerate downloads while uploading
tc filter add dev $DEV parent 1:1 protocol ip prio 10 u32 match ip protocol 6\
  0xff match u8 0x05 0x0f at 0 \
  match u16 0x0000 0xffc0 at 2 \
  match u8 0x10 0xff at 33 \
  flowid 1:10
echo 1:2
for a in $LOCAL_HIPRIO_PORTDST
  do
    tc filter add dev $DEV parent 1:1 protocol ip prio 14 u32 match ip dport $a\
      0xffff flowid 1:10
  done
  for a in $LOCAL_HIPRIO_PORTSRC
  do
    tc filter add dev $DEV parent 1:1 protocol ip prio 15 u32 match ip sport $a\
      0xffff flowid 1:10
  done
  for a in $LOCAL_HIPRIO_HOSTSRC
  do
    tc filter add dev $DEV parent 1:1 protocol ip prio 16 u32 match ip src $a\
      flowid 1:10
  done
  for a in $LOCAL_HIPRIO_HOSTDST
  do
    tc filter add dev $DEV parent 1:1 protocol ip prio 17 u32 match ip dst $a\
      flowid 1:10
  done
echo 1:3
  # Low Priority Traffic:
  for a in $LOCAL_LOPRIO_PORTDST
  do
    tc filter add dev $DEV parent 1:1 protocol ip prio 14 u32 match ip dport $a\
      0xffff flowid 1:50
  done
  for a in $LOCAL_LOPRIO_PORTSRC
  do
    tc filter add dev $DEV parent 1:1 protocol ip prio 15 u32 match ip sport $a\
      0xffff flowid 1:50 
  done
  for a in $LOCAL_LOPRIO_HOSTSRC
  do
    tc filter add dev $DEV parent 1:1 protocol ip prio 16 u32 match ip src $a\
      flowid 1:50
  done
  for a in $LOCAL_LOPRIO_HOSTDST
  do
    tc filter add dev $DEV parent 1:1 protocol ip prio 17 u32 match ip dst $a\
      flowid 1:50
  done

##################################
# Filters: International Traffic #
##################################

echo 2
# High Priority Traffic:
# TOS Minimum Delay (ssh, not scp)
tc filter add dev $DEV parent 1:2 protocol ip prio 10 u32 match ip tos 0x10\
  0xff flowid 1:20
# ICMP in interactive class for impressive measurements
tc filter add dev $DEV parent 1:2 protocol ip prio 10 u32 match ip protocol 1\    0xff flowid 1:20
# ACK packets in interactive class to accelerate downloads while uploading
tc filter add dev $DEV parent 1:2 protocol ip prio 10 u32 match ip protocol 6\    0xff match u8 0x05 0x0f at 0 \
  match u16 0x0000 0xffc0 at 2 \
  match u8 0x10 0xff at 33 \
  flowid 1:20
echo 2:1
for a in $INTNL_HIPRIO_PORTDST
do
  tc filter add dev $DEV parent 1:2 protocol ip prio 14 u32 match ip dport $a\
    0xffff flowid 1:20
done
for a in $INTNL_HIPRIO_PORTSRC
do
  tc filter add dev $DEV parent 1:2 protocol ip prio 15 u32 match ip sport $a\
    0xffff match flowid 1:20
done
for a in $INTNL_HIPRIO_HOSTSRC
do
  tc filter add dev $DEV parent 1:2 protocol ip prio 16 u32 match ip src $a\
    flowid 1:20
done
for a in $INTNL_HIPRIO_HOSTDST
do
  tc filter add dev $DEV parent 1:2 protocol ip prio 17 u32 match ip dst $a\
    flowid 1:20
done
echo 2:3
# Low Priority Traffic:
for a in $INTNL_LOPRIO_PORTDST
do
  tc filter add dev $DEV parent 1:2 protocol ip prio 14 u32 match ip dport $a\
    0xffff flowid 1:60
done
for a in $INTNL_LOPRIO_PORTSRC
do
  tc filter add dev $DEV parent 1:2 protocol ip prio 15 u32 match ip sport $a\
    0xffff flowid 1:60
done
for a in $INTNL_LOPRIO_HOSTSRC
do
  tc filter add dev $DEV parent 1:2 protocol ip prio 16 u32 match ip src $a\
    flowid 1:60
done
for a in $INTNL_LOPRIO_HOSTDST
do
  tc filter add dev $DEV parent 1:2 protocol ip prio 17 u32 match ip dst $a\
    flowid 1:60
done

############################################################
# Inbound Traffic Shaping: Drop packets coming in too fast #
############################################################

tc qdisc add dev $DEV handle ffff: ingress

for i in $LOCAL
do
tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src $i \
  police rate ${LOCAL_DNLINK_SPEED}kbit burst ${LOCAL_BURST}k drop flowid :1
done
tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${INTNL_DNLINK_SPEED}kbit burst ${INTNL_BURST}k drop flowid :1
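
An added example, not part of the original message or its attachment, relating to the `illegal "match"` errors in QUERY 2: in the attached script the international ICMP and ACK filter lines have `\` followed by spaces and the mask on the same line, and the INTNL_HIPRIO_PORTSRC loop has a bare `match` before `flowid`. The sketch below flags both patterns and shows the words the shell actually builds; `lint_tc`, `words_of` and the sample lines are constructed for illustration, and that tc refuses the resulting word as a protocol number is an assumption.

```shell
# Added example: lint tc filter lines for two shell-level mistakes.

# Constructed sample. Line 1 mimics a collapsed continuation, lines 2-3 are
# a correct continuation, lines 4-5 carry a bare "match" before "flowid".
SAMPLE='tc filter add dev eth0 parent 1:2 protocol ip prio 10 u32 match ip protocol 1\    0xff flowid 1:20
tc filter add dev eth0 parent 1:2 protocol ip prio 10 u32 match ip tos 0x10\
  0xff flowid 1:20
tc filter add dev eth0 parent 1:2 protocol ip prio 15 u32 match ip sport 25\
    0xffff match flowid 1:20'

# lint_tc: read script text on stdin, print "LINE:problem" for each finding.
lint_tc() {
  awk '
    # Backslash followed by blanks and more text on the same line: the
    # backslash escapes a space instead of the newline, so that space
    # becomes part of the preceding word.
    /\\[ \t]+[^ \t]/ { print NR ":escaped-space" }
    # "match" directly followed by "flowid": a selector with no operands.
    /(^|[ \t])match[ \t]+flowid([ \t]|$)/ { print NR ":empty-match" }
  '
}

# words_of: show how the shell splits an argument string, one word per
# line, wrapped in [] so a trailing space is visible. It uses eval, so
# pass it only text you wrote yourself.
words_of() {
  eval "set -- $1"
  for w in "$@"; do
    printf '[%s]\n' "$w"
  done
}

# Stand-alone run: lint the sample, then show the split of the ICMP match.
printf '%s\n' "$SAMPLE" | lint_tc
words_of 'match ip protocol 1\    0xff'
```

In the second output the protocol word is `[1 ]`, with the space inside it, rather than `[1]`.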

