Hi,
 
I am trying to set up traffic control that prioritizes my VOIP
traffic. I use Fedora 4 (Kernel 2.6.14-1.1656_FC4),
but it does not seem to be working correctly. Please see my
configuration below:
 
Eth0 = Internal
Eth3= Internet
 
In tcdevices
 
eth3            512kbit         128kbit
 
In tcclasses
 
eth3            1       64kbit          full            1
eth3            255     1kbit           full            7               default
 
In tcrules
 
#Voip Class
1:P     192.168.33.41           0.0.0.0/0       udp     -               5060,6000:6004  -       -
1:P     0.0.0.0/0               192.168.33.41   udp     5060,6000:6004  -               -       -

#Default Traffic
255:P   0.0.0.0/0               0.0.0.0/0       all     -               -               -       -
 
 
When I start making a call, I see VOIP traffic coming in
and out of eth3. See my tcpdump:
 
[root@Firewall shorewall]# tcpdump -i eth3 src 192.168.33.41
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes
23:27:30.357215 IP 192.168.33.41.1025 > ns.optus.net.au.domain:  9791+ A? sip.myfone.com.au. (35)
23:27:30.403953 IP 192.168.33.41.5060 > 202.177.222.24.5060: UDP, length 701
23:27:30.579968 IP 192.168.33.41.5060 > 202.177.222.24.5060: UDP, length 360
23:27:30.836928 IP 192.168.33.41.5060 > 202.177.222.24.5060: UDP, length 889
23:27:31.408685 IP 192.168.33.41.5060 > 202.177.222.24.5060: UDP, length 381
23:27:31.426282 IP 192.168.33.41.6001 > 202.177.222.20.7453: UDP, length 20
23:27:31.482312 IP 192.168.33.41.6000 > 202.177.222.20.7452: UDP, length 172
23:27:31.502268 IP 192.168.33.41.6000 > 202.177.222.20.7452: UDP, length 172
23:27:31.521678 IP 192.168.33.41.6000 > 202.177.222.20.7452: UDP, length 172
23:27:31.541686 IP 192.168.33.41.6000 > 202.177.222.20.7452: UDP, length 172
23:27:31.562242 IP 192.168.33.41.6000 > 202.177.222.20.7452: UDP, length 172
23:27:31.582251 IP 192.168.33.41.6000 > 202.177.222.20.7452: UDP, length 172
23:27:31.602232 IP 192.168.33.41.6000 > 202.177.222.20.7452: UDP, length 172
23:27:31.622600 IP 192.168.33.41.6000 > 202.177.222.20.7452: UDP, length 172
23:27:31.642138 IP 192.168.33.41.6000 > 202.177.222.20.7452: UDP, length 172
 
 
When I run the command shorewall show tc, I do not see
VOIP traffic hitting the right class. See below:
 
Shorewall-3.0.4 Traffic Control at Firewall - Fri Jan 20 23:30:05 EST 2006

Device eth0:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 49616074 bytes 95395 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

Device eth1:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 546 bytes 9 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

Device eth2:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 546 bytes 9 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

Device eth3:
qdisc htb 1: r2q 10 default 1255 direct_packets_stat 0 ver 3.17
 Sent 34700 bytes 174 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc ingress ffff: ----------------
 Sent 33867 bytes 155 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 11: parent 1:11 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 1255: parent 1:1255 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 34700 bytes 174 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:11 parent 1:1 leaf 11: prio 1 quantum 1500 rate 64000bit ceil 128000bit burst 1631b/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 208896 ctokens: 106496

class htb 1:1 root rate 128000bit ceil 128000bit burst 1663b/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 7
 Sent 34700 bytes 174 pkt (dropped 0, overlimits 0 requeues 0)
 rate 56bit 0pps backlog 0b 0p requeues 0
 lended: 108 borrowed: 0 giants: 0
 tokens: 103936 ctokens: 103936

class htb 1:1255 parent 1:1 leaf 1255: prio 7 quantum 1500 rate 1000bit ceil 128000bit burst 1599b/8 mpu 0b overhead 0b cburst 1663b/8 mpu 0b overhead 0b level 0
 Sent 34700 bytes 174 pkt (dropped 0, overlimits 0 requeues 0)
 rate 64bit 0pps backlog 0b 0p requeues 0
 lended: 66 borrowed: 108 giants: 0
 tokens: 12779520 ctokens: 103936
 
 
 
Also, the output of shorewall show mangle:
 
Shorewall-3.0.4 Mangle Table at Firewall - Fri Jan 20 23:31:36 EST 2006

Counters reset Thu Jan 19 23:51:17 EST 2006

Chain FORWARD (policy ACCEPT 129K packets, 47M bytes)
 pkts bytes target     prot opt in     out     source               destination
 129K   46M tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 2325 packets, 204K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8635 packets, 1392K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1530  244K outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1530  244K tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 130K packets, 47M bytes)
 pkts bytes target     prot opt in     out     source               destination
 129K   46M tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PREROUTING (policy ACCEPT 131K packets, 47M bytes)
 pkts bytes target     prot opt in     out     source               destination
 131K   46M pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 131K   46M tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1742  655K TOS        udp  --  *      *       192.168.33.41        0.0.0.0/0           udp spt:5060 TOS set 0x10
40936 8168K TOS        udp  --  *      *       192.168.33.41        0.0.0.0/0           udp spts:6000:6004 TOS set 0x10
 1742  733K TOS        udp  --  eth3   *       0.0.0.0/0            192.168.33.41       udp dpt:5060 TOS set 0x10
40677 8135K TOS        udp  --  eth3   *       0.0.0.0/0            192.168.33.41       udp dpts:6000:6004 TOS set 0x10

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CLASSIFY   all  --  *      eth3    0.0.0.0/0            0.0.0.0/0           MARK match 0x1 CLASSIFY set 1:11
  154 32125 CLASSIFY   all  --  *      eth3    0.0.0.0/0            0.0.0.0/0           MARK match 0xff CLASSIFY set 1:1255

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination
   22  9114 MARK       udp  --  *      *       192.168.33.41        0.0.0.0/0           udp spt:5060 MARK set 0x1
  104 20548 MARK       udp  --  *      *       192.168.33.41        0.0.0.0/0           udp spts:6000:6004 MARK set 0x1
   22  9419 MARK       udp  --  *      *       0.0.0.0/0            192.168.33.41       udp dpt:5060 MARK set 0x1
  103 20600 MARK       udp  --  *      *       0.0.0.0/0            192.168.33.41       udp dpts:6000:6004 MARK set 0x1
  578 84102 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0xff
 
 
Can you tell me what I did wrong?
 
Thanks
 
Hoa Nguyen
Network Administrator.
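
Added example, not part of the original post: a small Python model of the tcpre and tcpost chains shown above, assuming standard iptables behaviour in which MARK is a non-terminating target, so traversal continues and the last matching rule sets the final mark. The sample packets, the reordered rule list and every name in the code are constructed for illustration.

```python
# Added illustration (not from the post): models how the tcpre MARK rules and
# tcpost CLASSIFY rules shown in the mangle output pick an HTB class.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

def port_ok(port, ranges):
    """Empty ranges mean 'any port'; otherwise inclusive (low, high) pairs."""
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)

@dataclass
class Rule:
    mark: int
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "all"
    sports: tuple = ()
    dports: tuple = ()

    def matches(self, p):
        return (ip_address(p["src"]) in ip_network(self.src)
                and ip_address(p["dst"]) in ip_network(self.dst)
                and self.proto in ("all", p["proto"])
                and port_ok(p["sport"], self.sports)
                and port_ok(p["dport"], self.dports))

VOIP_PORTS = ((5060, 5060), (6000, 6004))
PHONE = "192.168.33.41/32"
voip_rules = [Rule(0x1, src=PHONE, proto="udp", sports=VOIP_PORTS),
              Rule(0x1, dst=PHONE, proto="udp", dports=VOIP_PORTS)]
catch_all = Rule(0xFF)

AS_POSTED = voip_rules + [catch_all]   # rule order seen in chain tcpre
REORDERED = [catch_all] + voip_rules   # assumption: generic rule placed first

CLASSIFY = {0x1: "1:11", 0xFF: "1:1255"}  # from chain tcpost in the post

def final_class(rules, packet):
    mark = 0
    for rule in rules:                 # no early exit: MARK does not stop traversal
        if rule.matches(packet):
            mark = rule.mark
    return CLASSIFY.get(mark, "1:1255")   # unmarked traffic uses HTB default 1255

# Constructed packets modelled on the tcpdump lines in the post
RTP = dict(src="192.168.33.41", dst="202.177.222.20", proto="udp", sport=6000, dport=7452)
DNS = dict(src="192.168.33.41", dst="198.51.100.53", proto="udp", sport=1025, dport=53)

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, "RTP ->", final_class(rules, RTP), "| DNS ->", final_class(rules, DNS))
```

With the posted order the RTP packet ends in 1:1255, which is consistent with the zero counter on the "MARK match 0x1" rule in tcpost; with the generic rule first it ends in 1:11.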
		