* [LARTC] Completely baffled..
@ 2003-10-25  0:53 Paul J. Caritj
  2003-10-26 17:20 ` Stef Coene
  0 siblings, 1 reply; 2+ messages in thread
From: Paul J. Caritj @ 2003-10-25  0:53 UTC (permalink / raw)
  To: lartc

Hello again,
I am completely stumped. I have the following configuration bound to 
both the ingress and egress adapters of a firewall (the only difference 
between them being that the external interface matches by source ip, the 
internal by destination), the goal of which is to throttle traffic to 
and from the local network on a host-by-host basis. Now, with this 
configuration throttling works perfectly for uploading (ie host -> eth2 
-> eth1 -> *). However, downloading is not throttled at all *except* 
when the machine is uploading and downloading simultaneously; only then 
does the download throttle have any effect.

I tested this using IPerf, with the throttle set to 256kbit both ways. 
Upload always yields the expected results. Download tops out at about 
4.5Mbit - it's a wireless link, ie no throttling evident. However, when 
the test machine is running iperf as a client and server simultaneously 
(ie uploading and downloading about the same amount of data 
simultaneously), both directions are throttled as they should be around 
256kbit.

"tc -s class show dev eth2" shows that no packets are being referred to 
this class; this is not the case for the same class on eth1.

Let me know if you would like to see the setup for eth1 (external 
interface) as well; this is the setup on eth2 (internal interface).


qdisc htb 1: r2q 10 default 0 direct_packets_stat 3

class htb 1:fffe root prio 0 rate 256Kbit ceil 256Kbit burst 6Kb cburst 3565b

filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 2: ht divisor 256
filter parent 1: protocol ip pref 1 u32 fh 2:fe:800 order 2048 key ht 2 bkt fe flowid 1:fffe
  match 0a00fffe/ffffffff at 16
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2:
  match 0a000000/ffff0000 at 16
    hash mask 000000ff at 12
filter parent 1: protocol ip pref 5 u32
filter parent 1: protocol ip pref 5 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
filter parent 1: protocol ip pref 5 u32 fh 2:fe:800 order 2048 key ht 2 bkt fe flowid 1:fffe
  match 0a00fffe/ffffffff at 16
filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2:
  match 0a000000/ffff0000 at 16
    hash mask 000000ff at 12


Please help; I am completely confused.

Thanks,
Paul



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] Completely baffled..
  2003-10-25  0:53 [LARTC] Completely baffled Paul J. Caritj
@ 2003-10-26 17:20 ` Stef Coene
  0 siblings, 0 replies; 2+ messages in thread
From: Stef Coene @ 2003-10-26 17:20 UTC (permalink / raw)
  To: lartc

On Saturday 25 October 2003 02:53, Paul J. Caritj wrote:
> Hello again,
> I am completely stumped. I have the following configuration bound to
> both the ingress and egress adapters of a firewall (the only difference
> between them being that the external interface matches by source ip, the
> internal by destination), the goal of which is to throttle traffic to
> and from the local network on a host-by-host basis. Now, with this
> configuration throttling works perfectly for uploading (ie host -> eth2
> -> eth1 -> *). However, downloading is not throttled at all *except*
> when the machine is uploading and downloading simultaneously; only then
> does the download throttle have any effect.
>
> I tested this using IPerf, with the throttle set to 256kbit both ways.
> Upload always yields the expected results. Download tops out at about
> 4.5Mbit - it's a wireless link, ie no throttling evident. However, when
> the test machine is running iperf as a client and server simultaneously
> (ie uploading and downloading about the same amount of data
> simultaneously), both directions are throttled as they should be around
> 256kbit.
>
> "tc -s class show dev eth2" shows that no packets are being referred to
> this class; this is not the case for the same class on eth1.
>
> Let me know if you would like to see the setup for eth1 (external
> interface) as well; this is the setup on eth2 (internal interface).
>
> qdisc htb 1: r2q 10 default 0 direct_packets_stat 3
>
> class htb 1:fffe root prio 0 rate 256Kbit ceil 256Kbit burst 6Kb cburst 3565b
>
> filter parent 1: protocol ip pref 1 u32
> filter parent 1: protocol ip pref 1 u32 fh 801: ht divisor 1
> filter parent 1: protocol ip pref 1 u32 fh 2: ht divisor 256
> filter parent 1: protocol ip pref 1 u32 fh 2:fe:800 order 2048 key ht 2 bkt fe flowid 1:fffe
>   match 0a00fffe/ffffffff at 16
> filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2:
>   match 0a000000/ffff0000 at 16
>     hash mask 000000ff at 12
> filter parent 1: protocol ip pref 5 u32
> filter parent 1: protocol ip pref 5 u32 fh 801: ht divisor 1
> filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
> filter parent 1: protocol ip pref 5 u32 fh 2:fe:800 order 2048 key ht 2 bkt fe flowid 1:fffe
>   match 0a00fffe/ffffffff at 16
> filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2:
>   match 0a000000/ffff0000 at 16
>     hash mask 000000ff at 12
>
> Please help; I am completely confused.

You are working on a firewall.  So the box is natting the packets.  That 
means that the source address of the packets you send to the internet is 
rewritten.  So you can't use the source address to classify the packets.

You can use iptables and the fw filter to mark the packets and classify them 
based on the source address.

Stef

-- 
stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net
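
The mark-then-classify approach suggested in the reply above, as an added example that is not part of the original messages: a generator that prints the iptables and tc rules for one LAN host. It assumes eth2 is the internal and eth1 the external (NAT) interface, that the LAN is 10.0.0.0/16, and that HTB qdisc 1: is already attached to eth1; the scheme of reusing the last two address octets as mark and class minor is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: print (do not run) the rules for one host.
# Assumed: eth2 = internal, eth1 = external NAT interface, LAN 10.0.0.0/16,
# HTB qdisc 1: already on eth1. The mark/class numbering is hypothetical.
EXT_IF=eth1
INT_IF=eth2
RATE=256kbit

# octet N: true only for a decimal 0..255 without leading zeros
octet() {
    case $1 in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
    [ "$1" -le 255 ]
}

# host_id IP: print the last two octets of a 10.0.x.y address as hex.
# The value doubles as fw mark and class minor (10.0.255.254 -> fffe).
host_id() {
    case $1 in 10.0.*.*) ;; *) return 1 ;; esac
    rest=${1#10.0.}
    o3=${rest%%.*}
    o4=${rest#*.}
    octet "$o3" && octet "$o4" || return 1
    id=$(( $o3 * 256 + $o4 ))
    # 0 would mean "unmarked"; ffff is the broadcast address
    [ "$id" -ge 1 ] && [ "$id" -le 65534 ] || return 1
    printf '%x\n' "$id"
}

shape_rules() {
    id=$(host_id "$1") || { echo "skip $1: not a 10.0.0.0/16 host" >&2; return 1; }
    # mangle/PREROUTING runs before SNAT (nat/POSTROUTING), so -s still
    # matches the private address; the mark stays on the packet afterwards.
    echo "iptables -t mangle -A PREROUTING -i $INT_IF -s $1 -j MARK --set-mark 0x$id"
    echo "tc class add dev $EXT_IF parent 1: classid 1:$id htb rate $RATE ceil $RATE"
    # The fw classifier matches on the mark, not on the rewritten header.
    echo "tc filter add dev $EXT_IF parent 1: protocol ip prio 1 handle 0x$id fw flowid 1:$id"
}

# Constructed sample: the host from the filter dump (0a00fffe = 10.0.255.254)
shape_rules 10.0.255.254
```

Review the printed commands, then pipe them to sh as root to apply them.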
