From mboxrd@z Thu Jan 1 00:00:00 1970 From: Marek =?iso-8859-2?q?Gre=B9ko?= gresko@kmit.sk Date: Thu, 08 Feb 2001 18:06:56 +0000 Subject: [LARTC] kernel freeze after cbq startup MIME-Version: 1 Content-Type: multipart/mixed; boundary="------------Boundary-00=_KBAGH0E9LB5AN7DGG7EI" Message-Id: List-Id: To: lartc@vger.kernel.org
--------------Boundary-00=_KBAGH0E9LB5AN7DGG7EI
Content-Type: text/plain;
  charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

Hello,

I want to ask what I am doing wrong. A few seconds after running this script
my gateway freezes. I use the 2.4.1 kernel compiled on an RH 7.0 system using
the kgcc (egcs-1.1.2) compiler.

I have two ethernet cards. The Internet interface eth1 is connected to the
ISP, who shapes out traffic to 128Kbit. I would like to give high priority
to the e-mail and ssh traffic and to shape the rest according to the
definitions in the cbq-classes file. I would also like to shape ICMP traffic
and SYN segments.

I also have another problem. I use the ingress policer exactly as the 2.4
routing HOWTO describes for incoming SYN flood prevention. After using
ingress, all the SYN traffic to my machine is disabled.

If you could be so kind as to help me, please.

Marek

--------------Boundary-00=_KBAGH0E9LB5AN7DGG7EI
Content-Type: application/x-shellscript;
  charset="iso-8859-2";
  name="psched"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="psched"

#!/bin/sh
#

# --- Interfaces -------------------------------------------------------------
# Internal (LAN-facing) interface and its address. INTRA_IP is matched as a
# source address by one of the filters installed on INTRA_DEV.
INTRA_DEV='eth0'
INTRA_IP='195.168.47.129'
# Internet-facing interface and its address. INET_IP is defined here but is
# not referenced by the tc commands in this script.
INET_DEV='eth1'
INET_IP='195.168.26.93'

# --- Bandwidths -------------------------------------------------------------
# Values given to the root CBQ qdisc on each interface.
B_INTRA='10Mbit'
B_INET='128Kbit'
# Ceiling used for the bounded parent class and as the "bandwidth" argument
# of every child class.
IBANDW='128Kbit'
# Rates of the three fixed child classes (fw mark 1, ICMP, fw marks 2 and 3).
BSYN='4Kbit'
BICMP='4Kbit'
BSMTP='56Kbit'

# --- Per-host classes -------------------------------------------------------
# File listing additional classes, one "<type> <rate> <ip>..." entry per line.
# NOTE(review): this is a relative path, so it is resolved against whatever
# directory the script happens to be started from; an absolute path to a
# root-owned file would make the input unambiguous.
CLASSFILE='cbq-classes'

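# Source function library.
. /etc/rc.d/init.d/functions

# Without the network configuration file there is nothing to check against,
# so leave quietly.
[ -f /etc/sysconfig/network ] || exit 0

# Expected to define NETWORKING (assumption: standard sysconfig layout).
. /etc/sysconfig/network

# Check that networking is up. The expansion is quoted so that an unset or
# empty NETWORKING yields a plain string comparison instead of a malformed
# test expression.
[ "${NETWORKING}" = "no" ] && exit 0

# iptables is not invoked by this script; presumably it is required because
# the fw filters classify on packet marks set elsewhere -- confirm.
[ -x /sbin/iptables ] || exit 0

# Do nothing on 2.2 kernels.
[ "$(uname -r | cut -f1,2 -d.)" = "2.2" ] && exit 0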

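# Dispatch on the init-script action passed as $1.
#   start   - rebuild the CBQ trees on ${INET_DEV} (handle 10:) and
#             ${INTRA_DEV} (handle 20:), then create the lock file
#   stop    - delete both root qdiscs and remove the lock file
#   restart - stop followed by start
# Any other argument prints a usage line and exits with status 1.
case "$1" in
  start)
    # start ping -f prevention and SYN flooding prevention

    # Remove any existing root qdisc; the error output is discarded because
    # on a first run there is nothing to delete.
    tc qdisc del dev "${INET_DEV}" root 2> /dev/null
    tc qdisc del dev "${INTRA_DEV}" root 2> /dev/null

    # Root CBQ qdisc on each interface.
    tc qdisc add dev "${INET_DEV}" root handle 10: cbq \
      bandwidth "${B_INET}" avpkt 1000
    tc qdisc add dev "${INTRA_DEV}" root handle 20: cbq \
      bandwidth "${B_INTRA}" avpkt 1000

    # x:1 - bounded parent class limiting each interface to ${IBANDW}.
    # NOTE(review): the ${INTRA_DEV} classes pass "bandwidth ${IBANDW}"
    # although the qdisc on that device was declared with ${B_INTRA};
    # confirm which value is intended.
    tc class add dev "${INET_DEV}" parent 10:0 classid 10:1 cbq \
      bandwidth "${B_INET}" rate "${IBANDW}" allot 1514 prio 5 \
      maxburst 20 avpkt 1000 bounded
    tc class add dev "${INTRA_DEV}" parent 20:0 classid 20:1 cbq \
      bandwidth "${IBANDW}" rate "${IBANDW}" allot 1514 prio 5 \
      maxburst 20 avpkt 1000 bounded

    # x:100 - bounded class at ${BICMP}; receives ICMP (see u32 filter below).
    tc class add dev "${INET_DEV}" parent 10:1 classid 10:100 cbq \
      bandwidth "${IBANDW}" rate "${BICMP}" allot 1514 \
      prio 5 maxburst 20 avpkt 250 bounded
    tc class add dev "${INTRA_DEV}" parent 20:1 classid 20:100 cbq \
      bandwidth "${IBANDW}" rate "${BICMP}" allot 1514 \
      prio 5 maxburst 20 avpkt 250 bounded

    # x:101 - bounded class at ${BSYN}; receives packets carrying fw mark 1.
    tc class add dev "${INET_DEV}" parent 10:1 classid 10:101 cbq \
      bandwidth "${IBANDW}" rate "${BSYN}" allot 1514 \
      prio 5 maxburst 20 avpkt 250 bounded
    tc class add dev "${INTRA_DEV}" parent 20:1 classid 20:101 cbq \
      bandwidth "${IBANDW}" rate "${BSYN}" allot 1514 \
      prio 5 maxburst 20 avpkt 250 bounded

    # x:102 - class at ${BSMTP}, not bounded; receives fw marks 2 and 3.
    tc class add dev "${INET_DEV}" parent 10:1 classid 10:102 cbq \
      bandwidth "${IBANDW}" rate "${BSMTP}" allot 1514 \
      prio 5 maxburst 20 avpkt 250
    tc class add dev "${INTRA_DEV}" parent 20:1 classid 20:102 cbq \
      bandwidth "${IBANDW}" rate "${BSMTP}" allot 1514 \
      prio 5 maxburst 20 avpkt 250

    # IP protocol 1 (ICMP) -> x:100.
    tc filter add dev "${INET_DEV}" parent 10:0 protocol ip prio 1 \
      u32 match ip protocol 1 0xFF flowid 10:100
    tc filter add dev "${INTRA_DEV}" parent 20:0 protocol ip prio 1 \
      u32 match ip protocol 1 0xFF flowid 20:100

    # The fw filters select on the packet mark. Nothing in this script sets
    # marks, so marks 1, 2 and 3 must be assigned elsewhere (presumably by
    # iptables rules); without them these classes receive no traffic.
    tc filter add dev "${INET_DEV}" parent 10:0 protocol ip prio 2 handle 1 \
      fw flowid 10:101
    tc filter add dev "${INTRA_DEV}" parent 20:0 protocol ip prio 2 handle 1 \
      fw flowid 20:101

    tc filter add dev "${INET_DEV}" parent 10:0 protocol ip prio 3 handle 2 \
      fw flowid 10:102
    tc filter add dev "${INET_DEV}" parent 10:0 protocol ip prio 3 handle 3 \
      fw flowid 10:102

    tc filter add dev "${INTRA_DEV}" parent 20:0 protocol ip prio 3 handle 2 \
      fw flowid 20:102
    # NOTE(review): flowid 20:0 is the handle of the root qdisc, not one of
    # the classes created above -- confirm that this target is intended.
    tc filter add dev "${INTRA_DEV}" parent 20:0 protocol ip prio 4 \
      u32 match ip src "${INTRA_IP}" flowid 20:0
    tc filter add dev "${INTRA_DEV}" parent 20:0 protocol ip prio 5 handle 3 \
      fw flowid 20:102

    # here should classes go
    # Every line of ${CLASSFILE} that is neither a comment nor blank reads
    # "<type> <rate> <ip>...". <type> is handed to tc as a class keyword, or
    # dropped when it is the word "none". Class ids are numbered from 1001.
    # The fields are word-split straight into tc argument lists, and tc needs
    # root to change qdiscs, so the file should be writable by root only.
    if [ -r "${CLASSFILE}" ]; then
      cid=1001
      # [[:space:]] is used for the blank-line filter because "\t" inside a
      # grep bracket expression matches a backslash or the letter t, not a tab.
      grep -v '^#' < "${CLASSFILE}" | grep -v '^[[:space:]]*$' |
        while read -r type rate ips; do

          if [ "${type}" = "none" ]; then
            type=
          fi

          # ${type} stays unquoted on purpose: when empty it must expand to
          # no argument at all.
          tc class add dev "${INET_DEV}" parent 10:1 classid "10:${cid}" cbq \
            bandwidth "${IBANDW}" rate "${rate}" allot 1514 \
            prio 5 maxburst 20 avpkt 250 ${type}

          tc class add dev "${INTRA_DEV}" parent 20:1 classid "20:${cid}" cbq \
            bandwidth "${IBANDW}" rate "${rate}" allot 1514 \
            prio 5 maxburst 20 avpkt 250 ${type}

          # $ips stays unquoted on purpose: it is a space-separated list.
          # Each address is matched as source on the Internet side and as
          # destination on the internal side.
          for i in $ips; do

            tc filter add dev "${INET_DEV}" parent 10:0 protocol ip \
              prio 5 \
              u32 match ip src "$i" flowid "10:${cid}"

            tc filter add dev "${INTRA_DEV}" parent 20:0 protocol ip \
              prio 5 \
              u32 match ip dst "$i" flowid "20:${cid}"

          done

          cid=$((cid + 1))
        done
    else
      # Previously a missing file only produced a shell redirection error;
      # say explicitly that no per-host classes were installed.
      echo "$0: cannot read class file ${CLASSFILE}; no per-host classes added" >&2
    fi

    # Catch-all on the Internet side: anything not matched above -> 10:1.
    tc filter add dev "${INET_DEV}" parent 10:0 protocol ip prio 8 \
      u32 match ip src 0/0 flowid 10:1

    echo Scheduling started.

    touch /var/lock/subsys/psched
    ;;
  stop)
    # stop ping -f prevention
    tc qdisc del dev "${INET_DEV}" root
    tc qdisc del dev "${INTRA_DEV}" root

    echo Scheduling stopped.

    rm -f /var/lock/subsys/psched
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  *)
    # Report the script's own name (the old text said "firewall") and signal
    # the usage error with a non-zero status.
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac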

--------------Boundary-00=_KBAGH0E9LB5AN7DGG7EI
Content-Type: text/plain;
  charset="iso-8859-2";
  name="cbq-classes"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="cbq-classes"

bounded 4Kbit 195.168.47.167
none 4Kbit 195.168.47.245 195.168.47.246
none 56Kbit 195.168.47.128/25


--------------Boundary-00=_KBAGH0E9LB5AN7DGG7EI--