* Antwort: Re: [LARTC] tc and masquerading probs
@ 2001-05-21 15:30 m.dages
2001-05-22 1:27 ` Manfred Bartz
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: m.dages @ 2001-05-21 15:30 UTC (permalink / raw)
To: lartc
Hi,
thank you for your support. Your idea, looking also at the source ip with
the u32 filter, works very well.
Markus
wningtung.leung wrote:
>> On Fri, 18 May 2001 m.dages@avk.net wrote:
>> Ok, now I've read the Linux 2.4 Advanced Routing Howto and some other
>> documents that I could find about tc. All the examples describe an
>> environment with a linux box that has 2 ethernet cards, but our router only
>> has 1. This only ethernet adapter (eth0) is bound to the ppp0 device and
>> handles the LAN traffic.
>> Here's a short scheme:
>>
>> INTERNET <-----> [ ppp0/Dynamic IP --- Linux router ---
>> eth0/192.168.100.250] <------> Office Lan 192.168.100.0/24
>It doesn't matter whether it's an eth or ppp device, just look at it as a
>network interface and everything works fine.
>
>The solution I propose (haven't tested it though):
>
>Don't use firewall marks, but use the u32 filter instead.
>
>Look at the source and target IP and redirect the packet to the correct
>class.
>
>(source != router && dest = low_prio_host) -> slow_class
>(source != router && dest = hi_prio_host) -> no_limit
>(source = router) -> no_limit
>
>This is only an idea for the downstream, I haven't been thinking about
>limiting the upstream.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
* Re: Antwort: Re: [LARTC] tc and masquerading probs
From: Manfred Bartz @ 2001-05-22 1:27 UTC (permalink / raw)
To: lartc
m.dages@avk.net writes:
> wningtung.leung wrote:
> > The solution I propose (haven't tested it though):
> >
> > Don't use firewall marks, but use the u32 filter instead.
> >
> > Look at the source and target IP and redirect the packet to the
> > correct class.
> >
> > (source != router && dest = low_prio_host) -> slow_class
> > (source != router && dest = hi_prio_host) -> no_limit
> > (source = router) -> no_limit
> >
> > This is only an idea for the downstream, I haven't been thinking
> > about limiting the upstream.
> ... looking also at the source ip with the u32 filter works very
> well.
I would like to do just that, but I can't figure out how to specify
multiple conditions for u32 filtering. Could you give an example?
Currently I have specified filters like:
tc filter add dev eth2 parent 2:0 protocol ip prio 20 u32 \
match ip dst 192.168.2.12 flowid 2:212
Also, I assume lower ``prio'' values mean the rule takes preference
over rules with higher values?
--
Manfred
* Re: Antwort: Re: [LARTC] tc and masquerading probs
From: Wingtung.Leung @ 2001-05-22 19:50 UTC (permalink / raw)
To: lartc
On 22 May 2001, Manfred Bartz wrote:
> I would like to do just that, but I can't figure out how to specify
> multiple conditions for u32 filtering. Could you give an example?
>
> Currently I have specified filters like:
>
> tc filter add dev eth2 parent 2:0 protocol ip prio 20 u32 \
> match ip dst 192.168.2.12 flowid 2:212
An example with multiple match conditions:
$TC filter add dev eth0 parent 1:0 protocol ip pref 2 u32 \
    match ip src 143.129.41.222 \
    match ip tos 0x10 0xff \
    flowid 1:22
> Also, I assume lower ``prio'' values mean the rule takes preference
> over rules with higher values?
I look at the preferences another way: they indicate the order in which
the filters are evaluated. Lower preference filters are evaluated before
higher preference filters.
* Re: Antwort: Re: [LARTC] tc and masquerading probs
From: organix @ 2001-05-22 23:57 UTC (permalink / raw)
To: lartc
Hi,
ok, first of all, I've changed my email address to get mails from this
list. Before the change I was m.dages@avk.net.
Ok, now. I've written a small shell script to set up my tc config. It
should give you a small overview of how I handle different conditions with
the u32 filter. In my setup I give all traffic that comes directly from
the router and is destined to a machine of my lan the full bandwidth. Other
traffic for specific destination IPs is limited to 128kbit.
This works because the filter for traffic from the router to the lan
has a higher prio of 15 (smaller value) than the other filters.
Greetings,
Organix 'Markus'
#!/bin/bash
TC=/sbin/tc
DEVICE=eth0
LAN_BW=100Mbit
LAN_WEIGHT=10Mbit
SHAPE1_BW=128Kbit
SHAPE1_WEIGHT=13Kbit
SHAPE1_ID=128
DST_IP="192.168.100.7/32 192.168.100.5/32 192.168.100.34/32"
LAN_NET=192.168.100.0/24
ROUTER_IP=192.168.100.250/32
# Setup the root qdiscipline
echo "setup root qdisc on $DEVICE"
$TC qdisc add dev $DEVICE root handle 100: cbq bandwidth $LAN_BW avpkt 1000
# Generate the root class
echo "generate root class 100:1"
$TC class add dev $DEVICE parent 100:0 classid 100:1 cbq bandwidth $LAN_BW \
    rate $LAN_BW allot 1514 weight $LAN_WEIGHT prio 8 maxburst 20 avpkt 1000
# Generate a class for 128Kbit
echo "generate class 100:$SHAPE1_ID"
$TC class add dev $DEVICE parent 100:1 classid 100:$SHAPE1_ID cbq \
    bandwidth $LAN_BW rate $SHAPE1_BW allot 1513 weight $SHAPE1_WEIGHT \
    prio 5 maxburst 20 avpkt 1000 bounded
# Setup the queues
echo "setup queue for 100:$SHAPE1_ID"
$TC qdisc add dev $DEVICE parent 100:$SHAPE1_ID sfq quantum 1514b perturb 15
# Setup the filter
echo "setup filter for traffic that comes from this host to lan - PRIO 15"
$TC filter add dev $DEVICE parent 100:0 protocol ip prio 15 u32 \
    match ip src $ROUTER_IP match ip dst $LAN_NET flowid 100:1
for dstip in $DST_IP
do
    echo "setup filter for traffic to $dstip - PRIO 30"
    $TC filter add dev $DEVICE parent 100:0 protocol ip prio 30 u32 \
        match ip dst $dstip flowid 100:$SHAPE1_ID
done
On 22 May 2001 11:27:24 +1000, Manfred Bartz wrote:
> m.dages@avk.net writes:
>
> > wningtung.leung wrote:
>
> > > The solution I propose (haven't tested it though):
> > >
> > > Don't use firewall marks, but use the u32 filter instead.
> > >
> > > Look at the source and target IP and redirect the packet to the
> > > correct class.
> > >
> > > (source != router && dest = low_prio_host) -> slow_class
> > > (source != router && dest = hi_prio_host) -> no_limit
> > > (source = router) -> no_limit
> > >
> > > This is only an idea for the downstream, I haven't been thinking
> > > about limiting the upstream.
>
> > ... looking also at the source ip with the u32 filter works very
> > well.
>
> I would like to do just that, but I can't figure out how to specify
> multiple conditions for u32 filtering. Could you give an example?
>
> Currently I have specified filters like:
>
> tc filter add dev eth2 parent 2:0 protocol ip prio 20 u32 \
> match ip dst 192.168.2.12 flowid 2:212
>
> Also, I assume lower ``prio'' values mean the rule takes preference
> over rules with higher values?
>
> --
> Manfred
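The filter ordering described in this thread, modelled in Python as an added example (it is not part of any post above and is a simplified model, not tc's own implementation): every match in one filter must hold, and filters are tried in ascending prio order with the first match deciding the class. The function names and the 203.0.113.10 source address are assumptions made for the illustration; the other addresses, prio values and class IDs come from the script above.

```python
from ipaddress import ip_address, ip_network

# Values taken from the script in the thread.
ROUTER_IP = "192.168.100.250/32"
LAN_NET = "192.168.100.0/24"
SHAPED_DST = ["192.168.100.7/32", "192.168.100.5/32", "192.168.100.34/32"]


def make_filter(prio, flowid, src=None, dst=None):
    """Model of one u32 filter; all given matches must hold (logical AND)."""
    return {
        "prio": prio,
        "flowid": flowid,
        "src": ip_network(src) if src else None,
        "dst": ip_network(dst) if dst else None,
    }


def build_filters(router_prio=15, shape_prio=30):
    """Filter set from the script; the prio values can be swapped to compare."""
    filters = [make_filter(router_prio, "100:1", src=ROUTER_IP, dst=LAN_NET)]
    filters += [make_filter(shape_prio, "100:128", dst=d) for d in SHAPED_DST]
    return filters


def classify(filters, src, dst):
    """Return the flowid of the first match, lowest prio value first."""
    for f in sorted(filters, key=lambda f: f["prio"]):
        if f["src"] is not None and ip_address(src) not in f["src"]:
            continue
        if f["dst"] is not None and ip_address(dst) not in f["dst"]:
            continue
        return f["flowid"]
    return None  # no filter matched; this model leaves the packet unclassified


if __name__ == "__main__":
    packets = [  # constructed (src, dst) pairs; 203.0.113.10 is a documentation address
        ("192.168.100.250", "192.168.100.7"),
        ("203.0.113.10", "192.168.100.7"),
        ("203.0.113.10", "192.168.100.9"),
    ]
    for label, fl in (("prio 15/30", build_filters()), ("swapped", build_filters(30, 15))):
        for src, dst in packets:
            print(label, src, "->", dst, classify(fl, src, dst))
```

With the prio values swapped, traffic from the router to 192.168.100.7 lands in the 128Kbit class, because the destination-only filter is then tried first.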