LARTC - Aug 2007 - Classful queuing solution

Dear all,

I am trying to set up multi-user traffic control. In short, I want each 
user (each IP) to be hard limited to 128kbit download and 64kbit upload. 
On top of that, I want interactive traffic (ICMP, ACK packets, SSH, etc) 
to be prioritised to minimise latency. It sounds like it ought to be 
done with a classful qdisc but I don''t really know what I''m
doing. I
think I want something like the following:

root class (global limit 100mbit)
|
+ 192.168.0.1 class - limit 128kbit
|   + priority 0: SSH, ICMP, ACK, etc
|   + priority 1: all other traffic
|
+ 192.168.0.2 class - limit 128kbit
|   + etc

... and similarly for the uplink, but with a per-IP limit of 64kbit.

I''m not sure if it''s good to have ~250 classes for the IP
addresses, and
sub classes within those for the different priorities, or if all the 
traffic should be rate-limited by IP first, and then sorted into a 
handful of shared classes, to be dequeued.

I have taken advice from this list for the past couple of weeks and I 
have a semi functional script now. However the latency suddenly jumps to 
 >4000ms as soon as the user starts downloading. Also my script uses 
police rate to limit upload speed - but this is not particularly 
effective and also not really required, as the box is able to shape 
traffic in both directions. It is also a NAT box.

Related, not but strictly to do with tc, is there any way of concisely 
and effectively logging connections between NATd users and external IPs? 
I need to be able to maintain a log which tells me that a certain user 
was connected to a certain remote host on a certain port at a certain 
time and date, for legal reasons.

I realise this is a bit of a mammoth request, but I hope someone can 
help me.

Many thanks in advance,
Jonathan

------------------------
Jonathan Gazeley
ResNet | Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

Jonathan Gazeley wrote:
> Dear all,
> 
> I am trying to set up multi-user traffic control. In short, I want each 
> user (each IP) to be hard limited to 128kbit download and 64kbit upload. 
> On top of that, I want interactive traffic (ICMP, ACK packets, SSH, etc) 
> to be prioritised to minimise latency. It sounds like it ought to be 
> done with a classful qdisc but I don''t really know what
I''m doing. I
> think I want something like the following:
> 
> root class (global limit 100mbit)
> |
> + 192.168.0.1 class - limit 128kbit
> |   + priority 0: SSH, ICMP, ACK, etc
> |   + priority 1: all other traffic
> |
> + 192.168.0.2 class - limit 128kbit
> |   + etc
> 
> ... and similarly for the uplink, but with a per-IP limit of 64kbit.
> 
> I''m not sure if it''s good to have ~250 classes for the IP
addresses, and
> sub classes within those for the different priorities, or if all the 
> traffic should be rate-limited by IP first, and then sorted into a 
> handful of shared classes, to be dequeued.
I am not sure how well htb will behave with 250 classes when they are 
all active - but I don''t think the second option will work as if you 
rate limit first then you will have already delayed the interactive. 
Also you can''t easily double queue traffic anyway.
> 
> I have taken advice from this list for the past couple of weeks and I 
> have a semi functional script now. However the latency suddenly jumps to 
>  >4000ms as soon as the user starts downloading.
That sounds like your classification is failing to separate the traffic 
properly. What does the script look like.

  Also my script uses
> police rate to limit upload speed - but this is not particularly 
> effective and also not really required, as the box is able to shape 
> traffic in both directions. It is also a NAT box.
Policing could be an option both ways - each user may see a bit of loss 
on interactive when downloading, but unless they have loads of bulk 
connections open there shouldn''t be too much, and policing
doesn''t add
latency.
> 
> Related, not but strictly to do with tc, is there any way of concisely 
> and effectively logging connections between NATd users and external IPs? 
> I need to be able to maintain a log which tells me that a certain user 
> was connected to a certain remote host on a certain port at a certain 
> time and date, for legal reasons.
Not sure really - would just dumping the conntrack table periodically be 
enough? maybe not as you could miss some I suppose.

You could try asking on the netfilter users list, there are libs/user 
space daemons that can log/process packets from netfilter, but I don''t 
know the detail.

netfilter@lists.netfilter.org

Andy.

Hi,
>Related, not but strictly to do with tc, is there any way of concisely 
>and effectively logging connections between NATd users and external
>IPs? I need to be able to maintain a log which tells me that a certain
>user was connected to a certain remote host on a certain port at a
>certain time and date, for legal reasons.
You can log traffic with following iptables rule:
iptables -t nat -A PREROUTING -p tcp -j LOG --log-level info
--log-prefix connlog

This will only log new connections, not every packet. Information will
be passed to syslog.