Linux Advanced Routing and Traffic Control list
* [LARTC] Newbie ask
From: liang jian @ 2002-12-28 7:13 UTC
  To: lartc


My Settings:

LAN--------------| TC |------------------EX
                        |
                       DMZ

iptables -t mangle -A OUTPUT -o $DEV -p tcp --dport 80 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o $DEV -p tcp --dport 22 -j MARK --set-mark 2

tc qdisc add dev $DEV root handle 1: cbq bandwidth $BANDWIDTH rate 1Mbit avpkt 1000 mpu 64
tc class add dev $DEV parent 1:0 classid 1:2 cbq bandwidth $BANDWIDTH rate $RATE_PRIO allot 1514 maxburst 20 avpkt 1000 isolated bounded
tc class add dev $DEV parent 1:0 classid 1:3 cbq bandwidth $BANDWIDTH rate $RATE_LOW allot 1514 maxburst 20 avpkt 1000 isolated bounded
tc class add dev $DEV parent 1:3 classid 1:5 cbq bandwidth $BANDWIDTH rate $RATE_LOW_FAV allot 1514 maxburst 2 avpkt 1000 isolated bounded
tc class add dev $DEV parent 1:3 classid 1:6 cbq bandwidth $BANDWIDTH rate $RATE_LOW_LOW allot 1514 maxburst 2 avpkt 1000 isolated bounded

tc qdisc add dev $DEV parent 1:2 handle 2: tbf rate 0.5Mbit burst 20kb latency 70ms peakrate 10Mbit minburst 1540
tc qdisc add dev $DEV parent 1:3 handle 3: tbf rate 0.5Mbit burst 20kb latency 70ms peakrate 10Mbit minburst 1540

tc filter add dev $DEV parent 1:0 protocol ip handle 1 fw flowid 1:2
tc filter add dev $DEV parent 1:0 protocol ip handle 2 fw flowid 1:5
tc filter add dev $DEV parent 1:0 protocol ip handle 3 fw flowid 1:6


I land DMZ's ssh or surfing from LAN.

# tc -s class ls dev eth1
class cbq 1: root rate 1Mbit (bounded,isolated) prio no-transmit
 Sent 557044 bytes 719 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 6249 undertime 0
class cbq 1:2 parent 1: leaf 2: rate 700Kbit (bounded,isolated) prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 257728 undertime 0
class cbq 1:3 parent 1: leaf 3: rate 300Kbit (bounded,isolated) prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 603732 undertime 0
class cbq 1:5 parent 1:3 rate 180Kbit (bounded,isolated) prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 74457 undertime 0
class cbq 1:6 parent 1:3 rate 120Kbit (bounded,isolated) prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 111751 undertime 0


Why do classes 1:5 and 1:6 send 0 bytes 0 pkts?




* Re: [LARTC] Newbie ask
From: Stef Coene @ 2002-12-28 10:31 UTC
  To: lartc

On Saturday 28 December 2002 08:13, liang jian wrote:
> My Settings:
>
> LAN--------------| TC |------------------EX
>
>
>
>                      DMZ
>
> iptables -t mangle -A OUTPUT -o $DEV -p tcp  --dport 80 -j MARK --set-mark
> 1
>
> iptables -t mangle -A OUTPUT -o $DEV -p tcp  --dport 22 -j MARK --set-mark
> 2
>
> tc qdisc add dev $DEV root handle 1: cbq bandwidth $BANDWIDTH rate 1Mbit
> avpkt 1000 mpu 64
>
> tc class add dev $DEV parent 1:0 classid 1:2 cbq bandwidth $BANDWIDTH rate
> $RATE_PRIO  allot 1514  maxburst 20 avpkt 1000  isolated bounded
>
> tc class add dev $DEV parent 1:0 classid 1:3 cbq bandwidth $BANDWIDTH rate
> $RATE_LOW  allot 1514  maxburst 20 avpkt 1000  isolated bounded
>
> tc class add dev $DEV parent 1:3 classid 1:5 cbq bandwidth $BANDWIDTH rate
> $RATE_LOW_FAV allot 1514  maxburst 2 avpkt 1000 isolated bounded
>
> tc class add dev $DEV parent 1:3 classid 1:6 cbq bandwidth $BANDWIDTH rate
> $RATE_LOW_LOW allot 1514  maxburst 2 avpkt 1000 isolated bounded
>
> tc qdisc add dev $DEV parent 1:2 handle 2: tbf rate 0.5Mbit burst 20kb
> latency 70ms peakrate 10Mbit minburst 1540 tc qdisc add dev $DEV parent 1:3
> handle 3: tbf rate 0.5Mbit burst 20kb latency 70ms peakrate 10Mbit minburst
> 1540 tc filter add dev $DEV parent 1:0 protocol ip handle 1 fw flowid 1:2
>
> tc filter add dev $DEV parent 1:0 protocol ip handle 2 fw flowid 1:5
> tc filter add dev $DEV parent 1:0 protocol ip handle 3 fw flowid 1:6
>
>
> I land DMZ's ssh or surfing from LAN.
>
> #tc -s class ls dev eth1
> class cbq 1: root rate 1Mbit (bounded,isolated) prio no-transmit
>  Sent 557044 bytes 719 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 6249 undertime 0
> class cbq 1:2 parent 1: leaf 2: rate 700Kbit (bounded,isolated) prio
> no-transmit Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 257728 undertime 0
> class cbq 1:3 parent 1: leaf 3: rate 300Kbit (bounded,isolated) prio
> no-transmit Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 603732 undertime 0
> class cbq 1:5 parent 1:3 rate 180Kbit (bounded,isolated) prio no-transmit
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 74457 undertime 0
> class cbq 1:6 parent 1:3 rate 120Kbit (bounded,isolated) prio no-transmit
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 111751 undertime 0
>
>
> why class 1:5 and 1:6 send 0 bytes 0 pkts?
Class 1:5 contains all packets with dport 22.  So you want to put all ftp-data 
packets in it.  Right?  But ftp can use a dynamic port for ftp-data.
And you have a filter to redirect all packets with mark 3 to class 1:6 but you 
never mark the packets with mark 3.  You only mark them with 1 and 2 so I 
think you miss an iptables command.

And another tip.  Remove the isolated parameter.  It's not working and it 
will only cause troubles.

Stef


-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] Newbie ask
From: Stef Coene @ 2002-12-28 11:24 UTC
  To: lartc

On Saturday 28 December 2002 11:57, Andre Meij wrote:
> >> why class 1:5 and 1:6 send 0 bytes 0 pkts?
> >
> > Class 1:5 contains all packets with dport 22.  So you want to put all
> > ftp-data  packets in it.  Right?  But ftp can use a dynamic port for
> > ftp-data.
>
> Port 22 is ssh as far as I know
Oops.  Indeed.  20 & 21 is ftp.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net


* Re: [LARTC] Newbie ask
From: Robert Penz @ 2002-12-28 11:27 UTC
  To: lartc


On Saturday 28 December 2002 12:24, Stef Coene wrote:
> Oops.  Indeed.  20 & 21 is ftp.
Port 21 is the control channel port, but port 20 doesn't need to be the data 
port, e.g. with passive ftp, or if the server chooses another port than 20 to 
send the data from.

It's only certain that it's port 20 if you control the ftp and deny passive ftp.


-- 
Regards,
Robert
----------------
Robert Penz
robert.penz AT outertech.com


* Re: [LARTC] Newbie ask
From: Patrick McHardy @ 2002-12-28 11:38 UTC
  To: lartc

Hi.

On Sat, 28 Dec 2002, Robert Penz wrote:

>
> On Saturday 28 December 2002 12:24, Stef Coene wrote:
> > Oops.  Indeed.  20 & 21 is ftp.
> port 21 is the control channel port, but port 20 doesn't need to be the data
> port. e.g. passive ftp or if the server chooses an other port than 20 to send
> the data from.
>
> its only sure that its port 20 if you control the ftp and deny passiv ftp.

Anyway, for QoS it is probably most important to detect and mark ftp data
connections. This can easily be done with CONNMARK, which gives the same
mark to a RELATED connection as the expectant's mark. Another possibility
might be the helper match, but I've never tried it.

Bye,
Patrick
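Putting the two points of the thread together (the mark 3 that Stef noticed is never set, and Patrick's CONNMARK approach for ftp-data on dynamic ports), here is an added example that is not code from the thread. DEV, CHAIN, IPT and MODPROBE are assumed names; it assumes the CONNMARK target, the mark match and the ftp conntrack helper are available on the box.

```shell
#!/bin/sh
# Added example (not from the thread): mark HTTP, SSH and FTP so that all
# three "fw" filters of the original setup see traffic. FTP-data runs on a
# dynamic port, so the port-21 mark is stored on the connection
# (CONNMARK --save-mark) and copied back onto each packet of that
# connection and of the data connection the ftp conntrack helper expects
# from it (CONNMARK --restore-mark). Assumes CONNMARK, the mark match and
# the ftp helper are available. DEV, CHAIN, IPT, MODPROBE are assumptions;
# run with IPT=echo MODPROBE=echo to print the commands instead.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"
DEV="${DEV:-eth1}"
# OUTPUT only sees packets generated by the TC box itself; traffic routed
# from the LAN through the box passes FORWARD instead.
CHAIN="${CHAIN:-OUTPUT}"
HTTP_MARK=1; SSH_MARK=2; FTP_MARK=3

load_ftp_helper() {
    # 2.6+ kernels call the helper nf_conntrack_ftp, 2.4 ones ip_conntrack_ftp.
    "$MODPROBE" nf_conntrack_ftp 2>/dev/null || "$MODPROBE" ip_conntrack_ftp
}

mark_rules() {
    # 1. Copy the connection's stored mark onto the packet. An expected
    #    ftp-data connection starts out with its control connection's mark,
    #    so its packets leave this rule already marked $FTP_MARK.
    "$IPT" -t mangle -A "$CHAIN" -o "$DEV" -j CONNMARK --restore-mark
    # 2. Marked packets are classified; stop here for them.
    "$IPT" -t mangle -A "$CHAIN" -o "$DEV" -m mark ! --mark 0 -j ACCEPT
    # 3. First packet of a new connection: classify by destination port.
    #    Port 21 supplies the mark 3 that the "handle 3 fw flowid 1:6"
    #    filter waits for but the original rules never set.
    "$IPT" -t mangle -A "$CHAIN" -o "$DEV" -p tcp --dport 80 -j MARK --set-mark "$HTTP_MARK"
    "$IPT" -t mangle -A "$CHAIN" -o "$DEV" -p tcp --dport 22 -j MARK --set-mark "$SSH_MARK"
    "$IPT" -t mangle -A "$CHAIN" -o "$DEV" -p tcp --dport 21 -j MARK --set-mark "$FTP_MARK"
    # 4. Store the new mark on the connection so steps 1-2 handle the rest.
    "$IPT" -t mangle -A "$CHAIN" -o "$DEV" -m mark ! --mark 0 -j CONNMARK --save-mark
}

if [ "${1:-}" = apply ]; then
    load_ftp_helper
    mark_rules
fi
```

Run it as `sh ftp-mark.sh apply` to program the rules; these replace the two MARK rules of the original setup rather than sitting after them, because step 1 would otherwise overwrite marks set earlier in the chain.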

