Hi All,

I'm using Shorewall 3.0.4 and I'm wondering if it is possible to do traffic shaping on only one interface from a bridge. The firewall has got 3 NICs, eth0, eth1, eth2. eth0 and eth2 are bridged, but if I'm right, when you specify a traffic rate for a link, you do it for the interface. In my case, eth0 and eth2 do not appear in the interface file, but it is an interface called br0 that is specified.

The problem is that I believe that if I limit the rate for eth0, which is connected to the WAN, this will limit the traffic to eth2 (DMZ) from eth1 (LAN) as well, because the bandwidth limit will be specified for br0, and not specifically for eth0 and eth2.

What do you think?

Bruno
On Tue, 2006-01-31 at 11:33 +0100, Bruno Léon wrote:
> Hi All,

Hi Bruno,

> I'm using Shorewall 3.0.4 and I'm wondering if it is possible to do
> traffic shaping on only one interface from a bridge.
> The firewall has got 3 NIC, eth0, eth1, eth2.

normally this should not be a problem. I use it only on the outgoing interface of my firewall...

> eth0 and eth2 are bridged, but if I'm right, when you specify a traffic
> rate for a link, you do it for the interface. In my case, eth0 and eth2
> do not appear in the interface file, but it is an interface called br0
> that is specified.
>
> The problem is that I believe that if I limit the rate for eth0 which is
> connected to the WAN, this will limit the traffic to eth2 (DMZ) from
> eth1 (LAN) as well, because the bandwidth limit will be specified for
> br0, and not specifically for eth0 and eth2.

you need to set the limits for the real interface, not br0. Although eth0 is not in your interface file, it is there, just without an IP address (which you don't need for bridging or traffic shaping). I haven't done this myself but I am quite sure that it will work (at least the "Linux Advanced Routing & Traffic Control HOWTO" tells me this ;-).

--arne

-- 
Arne Bernin <arne@alamut.de>
http://www.ucBering.de
Thanks Arne,

I effectively tried this during the afternoon and it kind of worked, or at least shorewall is still starting...

I set up the tcdevices file with

    eth0    400kbps    400kbps

Then I set tcclasses to

    eth0    7     150kbps    150kbps    7
    eth0    88    30kbps     80kbps     16    default

Finally, tcrules is

    7     $FW    0.0.0.0/0    tcp    22
    88    $FW    0.0.0.0/0    tcp    !22

Don't look at the rate limits, this is only to check if it works.

What I'm doing to test is simply to scp a file to another computer, and what I would like to see is an upload rate of 150kbps. However, the actual rate is 80kbps, which means that the rule doesn't match, thus the default is applied.

However, if I look at the mangle table directly, before doing the scp we have:

    Chain tcout (1 references)
     pkts bytes target  prot opt in   out  source    destination
        0     0 MARK    tcp  --  any  any  anywhere  anywhere     tcp dpt:ssh MARK set 0x7
      131 57572 MARK    tcp  --  any  any  anywhere  anywhere     tcp dpt:!ssh MARK set 0x58

and after:

    Chain tcout (1 references)
     pkts bytes target  prot opt in   out  source    destination
      677  941K MARK    tcp  --  any  any  anywhere  anywhere     tcp dpt:ssh MARK set 0x7
      259 79544 MARK    tcp  --  any  any  anywhere  anywhere     tcp dpt:!ssh MARK set 0x58

This is weird because it seems that the rule matches (the counter is increased), but the rate that is applied is the one of the other classes.

Any ideas?

Bruno.

-- 
Bruno LEON
MTA Team
AgreenTech - JD FoodsOrigins
14 E rue Patis Tatelin
Parc d'affaires Métropolis
35708 Rennes
Tel. : + 33 (0)2 99 84 68 28
Mobile : + 33 (0)6 88 63 37 74
Fax. : + 33 (0)2 99 84 68 36
On Tue, 2006-01-31 at 18:58 +0100, Bruno Léon wrote:
> Thanks Arne,

Hi Bruno,

> Chain tcout (1 references)
> pkts bytes target prot opt in out source destination
> 677 941K MARK tcp -- any any anywhere anywhere tcp dpt:ssh MARK set 0x7
> 259 79544 MARK tcp -- any any anywhere anywhere tcp dpt:!ssh MARK set 0x58
>
> This is weird because it seems that the rule matches (the counter is
> increased), but the rate that is applied is the one of the other classes.
> Any ideas?

it looks strange, indeed. Could you please send the output of

    tc filter show dev eth0

and

    tc class show dev eth0

maybe this shows something.

> Bruno.

--arne

-- 
Arne Bernin <arne@alamut.de>
http://www.ucBering.de
tc filter show dev eth0

doesn't display anything....

tc class show dev eth0

    class htb 1:1 root rate 3200Kbit ceil 3200Kbit burst 1999b cburst 1999b
    class htb 1:188 parent 1:1 leaf 188: prio 7 rate 240000bit ceil 640000bit burst 1629b cburst 1679b
    class htb 1:17 parent 1:1 leaf 17: prio 7 rate 1200Kbit ceil 1200Kbit burst 1749b cburst 1749b

I don't see what it means, but if it gives you some clue, great :-)

Bruno

-- 
Bruno LEON
MTA Team
AgreenTech - JD FoodsOrigins
14 E rue Patis Tatelin
Parc d'affaires Métropolis
35708 Rennes
Tel. : + 33 (0)2 99 84 68 28
Mobile : + 33 (0)6 88 63 37 74
Fax. : + 33 (0)2 99 84 68 36
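The two outputs above fit together once the units are lined up: Shorewall's kbps are kilobytes per second, so class 1:188's ceil of 640000bit is the 80kbps Bruno measured, and an empty `tc filter show dev eth0` means no fw filter steers mark 0x7 into class 1:17, so everything lands in the default class. The following diagnostic is an added example, not code from the thread or from Shorewall; it parses the quoted `tc class show` output, and the fw filter lines it compares against are constructed (their format is assumed), since the real filter output was empty.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from Shorewall.
# Sample `tc class show dev eth0` output as quoted in the thread.
TC_CLASSES='class htb 1:1 root rate 3200Kbit ceil 3200Kbit burst 1999b cburst 1999b
class htb 1:188 parent 1:1 leaf 188: prio 7 rate 240000bit ceil 640000bit burst 1629b cburst 1679b
class htb 1:17 parent 1:1 leaf 17: prio 7 rate 1200Kbit ceil 1200Kbit burst 1749b cburst 1749b'
# Constructed: the fw-mark filters one would expect on eth0 (line format assumed);
# the thread's real `tc filter show dev eth0` printed nothing.
TC_FILTERS_OK='filter parent 1: protocol ip pref 1 fw handle 0x7 classid 1:17
filter parent 1: protocol ip pref 1 fw handle 0x58 classid 1:188'
TC_FILTERS_EMPTY=''

# classid_for_mark MARK FILTERS: print the classid the fw filter for MARK selects.
classid_for_mark() {
  printf '%s\n' "$2" | awk -v h="$1" '
    { for (i = 1; i < NF; i++) if ($i == "handle" && $(i+1) == h)
        for (j = i; j < NF; j++) if ($j == "classid") print $(j+1) }'
}
# class_exists CLASSID CLASSES: succeed if `tc class show` lists CLASSID.
class_exists() {
  printf '%s\n' "$2" | awk -v c="$1" '$1 == "class" && $3 == c { found = 1 }
    END { exit !found }'
}
# ceil_kbps CLASSID CLASSES: class ceil in Shorewall kbps (kilobytes/s) = bit/s / 8000.
ceil_kbps() {
  printf '%s\n' "$2" | awk -v c="$1" '
    $3 == c { for (i = 1; i < NF; i++) if ($i == "ceil") v = $(i+1) }
    END { if (v == "") exit 1
          n = v; sub(/[A-Za-z]+$/, "", n)
          if (v ~ /Kbit$/) { n = n * 1000 } else if (v ~ /Mbit$/) { n = n * 1000000 }
          printf "%d\n", n / 8000 }'
}
# check_marks "MARKS" FILTERS CLASSES: each mark set in the mangle chain needs a fw
# filter steering it into an existing class; otherwise the default class wins.
check_marks() {
  ok=0
  for m in $1; do
    cid=$(classid_for_mark "$m" "$2")
    if [ -z "$cid" ]; then echo "mark $m: no fw filter, traffic falls to the default class"; ok=1
    elif ! class_exists "$cid" "$3"; then echo "mark $m: filter points at missing class $cid"; ok=1
    else echo "mark $m -> class $cid, ceil $(ceil_kbps "$cid" "$3") kbps"
    fi
  done
  return $ok
}

check_marks "0x7 0x58" "$TC_FILTERS_EMPTY" "$TC_CLASSES" || echo "eth0 has no fw filters, as in the thread"
```

On a live box the same functions take `$(tc filter show dev eth0)` and `$(tc class show dev eth0)` in place of the embedded strings.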
On Wed, 2006-02-01 at 10:52 +0100, Bruno Léon wrote:

Hi Bruno,

> tc filter show dev eth0
>
> doesn't display anything....

nothing? Ok, I just took a look; it seems the code has changed since last time I looked at it... Could you send a complete dump (either gzipped to this list or as private mail (for security reasons)) created with

    /sbin/shorewall dump > shorewall.dump

> tc class show dev eth0

--arne

-- 
Arne Bernin <arne@alamut.de>
http://www.ucBering.de