Jonathan Gazeley wrote:
> Dear all,
>
> I am trying to set up multi-user traffic control. In short, I want each
> user (each IP) to be hard limited to 128kbit download and 64kbit upload.
> On top of that, I want interactive traffic (ICMP, ACK packets, SSH, etc)
> to be prioritised to minimise latency. It sounds like it ought to be
> done with a classful qdisc but I don't really know what I'm doing. I
> think I want something like the following:
>
> root class (global limit 100mbit)
> |
> + 192.168.0.1 class - limit 128kbit
> | + priority 0: SSH, ICMP, ACK, etc
> | + priority 1: all other traffic
> |
> + 192.168.0.2 class - limit 128kbit
> | + etc
>
> ... and similarly for the uplink, but with a per-IP limit of 64kbit.
>
> I'm not sure if it's good to have ~250 classes for the IP addresses, and
> sub classes within those for the different priorities, or if all the
> traffic should be rate-limited by IP first, and then sorted into a
> handful of shared classes, to be dequeued.
I am not sure how well htb will behave with 250 classes when they are
all active - but I don't think the second option will work as if you
rate limit first then you will have already delayed the interactive.
Also you can't easily double queue traffic anyway.
>
> I have taken advice from this list for the past couple of weeks and I
> have a semi functional script now. However the latency suddenly jumps to
> >4000ms as soon as the user starts downloading.
That sounds like your classification is failing to separate the traffic
properly. What does the script look like?
> Also my script uses
> police rate to limit upload speed - but this is not particularly
> effective and also not really required, as the box is able to shape
> traffic in both directions. It is also a NAT box.
Policing could be an option both ways - each user may see a bit of loss
on interactive when downloading, but unless they have loads of bulk
connections open there shouldn't be too much, and policing doesn't add
latency.
>
> Related, but not strictly to do with tc, is there any way of concisely
> and effectively logging connections between NATd users and external IPs?
> I need to be able to maintain a log which tells me that a certain user
> was connected to a certain remote host on a certain port at a certain
> time and date, for legal reasons.
Not sure really - would just dumping the conntrack table periodically be
enough? Maybe not, as you could miss some I suppose.
You could try asking on the netfilter users list, there are libs/user
space daemons that can log/process packets from netfilter, but I don't
know the detail.
netfilter@lists.netfilter.org
Andy.
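As an added example, not code from Jonathan's script or from Andy's reply, the following shell script builds the tree the question sketches for the downlink: an HTB root with a 100mbit parent, one hard-limited 128kbit class per user IP, and under each an interactive (prio 0) and a bulk (prio 1) child. Classification happens before any shaping, which is the ordering Andy argues for. Assumed, not from the thread: the LAN-facing interface name `eth0`, the 32kbit/96kbit split of each user's 128kbit between the two children, the choice of ICMP, SSH replies and small pure ACKs as "interactive" (the small-ACK u32 match is the standard LARTC HOWTO idiom), and the `TC` variable that defaults to a dry run so the generated commands can be inspected without root.

```shell
#!/bin/sh
# Added example, not code from the thread: per-IP HTB classes with an
# interactive sub-class, for the downlink (LAN-facing) side of the NAT box.
# Assumptions: DEV is the LAN interface, user IPs are given as arguments,
# rates are those from the question (100mbit global, 128kbit per IP).
# TC defaults to a dry run that prints the commands; set TC=tc to apply.
DEV=${DEV:-eth0}
TC=${TC:-"echo tc"}
GLOBAL_RATE=100mbit
USER_CEIL=128kbit

# Root HTB qdisc, a global parent class, and a leaf for unclassified
# traffic (htb's "default" must name a leaf, or packets bypass shaping).
setup_root() {
    $TC qdisc add dev "$DEV" root handle 1: htb default 2
    $TC class add dev "$DEV" parent 1: classid 1:1 htb rate "$GLOBAL_RATE"
    $TC class add dev "$DEV" parent 1:1 classid 1:2 htb rate 1mbit ceil "$GLOBAL_RATE"
    $TC qdisc add dev "$DEV" parent 1:2 handle 2: sfq perturb 10
}

# add_user IDX IP: one hard-limited class per IP with two children,
# minor IDX*16+1 for interactive (prio 0) and IDX*16+2 for bulk (prio 1).
# The children's rates sum to the parent's; HTB hands spare bandwidth to
# the lower prio number first, so interactive packets leave ahead of bulk.
add_user() {
    idx=$1; ip=$2
    base=$(printf '%x' $((idx * 16)))
    inter=$(printf '%x' $((idx * 16 + 1)))
    bulk=$(printf '%x' $((idx * 16 + 2)))
    $TC class add dev "$DEV" parent 1:1 classid "1:$base" htb rate "$USER_CEIL" ceil "$USER_CEIL"
    $TC class add dev "$DEV" parent "1:$base" classid "1:$inter" htb rate 32kbit ceil "$USER_CEIL" prio 0
    $TC class add dev "$DEV" parent "1:$base" classid "1:$bulk" htb rate 96kbit ceil "$USER_CEIL" prio 1
    # sfq on each leaf so one bulk flow cannot monopolise the user's share
    $TC qdisc add dev "$DEV" parent "1:$inter" handle "$inter:" sfq perturb 10
    $TC qdisc add dev "$DEV" parent "1:$bulk" handle "$bulk:" sfq perturb 10
    # Filters hang off the root and name the leaf directly, so every match
    # combines the user's address with the interactive test.
    F="$TC filter add dev $DEV parent 1: protocol ip"
    # ICMP
    $F prio 10 u32 match ip dst "$ip/32" match ip protocol 1 0xff flowid "1:$inter"
    # SSH replies (source port 22 towards the user)
    $F prio 10 u32 match ip dst "$ip/32" match ip protocol 6 0xff \
        match ip sport 22 0xffff flowid "1:$inter"
    # Small pure ACKs: TCP, 20-byte IP header, total length < 64, ACK flag only
    $F prio 10 u32 match ip dst "$ip/32" match ip protocol 6 0xff \
        match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 \
        match u8 0x10 0xff at 33 flowid "1:$inter"
    # Everything else addressed to this user is bulk
    $F prio 20 u32 match ip dst "$ip/32" flowid "1:$bulk"
}

# build_tree IP...: emit (or apply) the whole tree for the given users.
build_tree() {
    setup_root
    i=1
    for ip in "$@"; do
        add_user "$i" "$ip"
        i=$((i + 1))
    done
}

# Usage: DEV=eth1 TC=tc ./shape.sh 192.168.0.1 192.168.0.2 ...
if [ $# -gt 0 ]; then
    build_tree "$@"
fi
```

Because tc only shapes egress, the download limits live on the LAN interface and the upload limits need the same tree on the WAN interface, with `USER_CEIL=64kbit` and `match ip src` in place of `match ip dst`. Checking `tc -s class show dev eth0` after a download starts will show whether the bytes are landing in the user's bulk leaf rather than the default class 1:2; if they are not, the filters are what is failing, which is the symptom Andy describes for the >4000ms latency.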