Raghuvendra Kumar
2007-Sep-16 10:16 UTC
using tc to drop packets based on the diffserv or tos value
Hi all,

I am wondering if anyone can help me to resolve a problem. I am trying to use the tc command in Linux to drop UDP packets with a specific diffserv value. I am able to set the diffserv value successfully in the UDP packet using the command:

    [root@scotch src]# iptables --table mangle --append OUTPUT \
        --out-interface eth0 --protocol udp --source-port 5060 \
        --jump DSCP --set-dscp 8

but I am not able to drop a packet with a specific diffserv value. I have worked out a command, but it's not working:

    [root@scotch src]# tc filter add dev eth0 protocol ip u32 match ip dsfield 8 police drop

It's showing the error: Illegal "match".

Can any one of you guide me on what the correct way of doing it is? It's important, please post a reply ASAP.

Raghuvendra

Raghuvendra Kumar | BTSL
414 | Ext
011-41619770 | Desk
+91-9818143739 | Mobile
raghuvendra.kumar@bhartitelesoft.com | EMail
Michal Soltys
2007-Sep-16 20:36 UTC
Re: using tc to drop packets based on the diffserv or tos value
Raghuvendra Kumar wrote:
> Hi all,
>
> [...]
>
> [root@scotch src]# tc filter add dev eth0 protocol ip u32 match ip dsfield 8 police drop
>
> It's showing the error: Illegal "match".
>
> Can any one of you guide me on what the correct way of doing it is?
> It's important, please post a reply ASAP.
>

For instance:

    tc qdisc add dev eth0 root handle 1: hfsc default 99
    # (.. remaining classes / etc. ..)
    tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 \
        match ip dsfield 0x08 0xff action drop

Remember that the mask is mandatory. Also check out the doc/actions directory in the iproute tarball for info about extended actions.

Out of curiosity - why not just:

    iptables -A OUTPUT -o eth0 -p udp --sport 5060 -j DROP

... or with something like -j REJECT --reject-with icmp-port-unreachable, depending on your needs. Assuming it's not just for testing purposes, and you actually want to drop the traffic generated by your host from that particular port.
Raghuvendra Kumar
2007-Sep-17 04:20 UTC
RE: using tc to drop packets based on the diffserv or tos value
Hi Michal,

Thanks for your much needed suggestion.

Actually I have a video delivery server (suppose it supports 240 simultaneous calls). It takes requests from various users for video delivery.

Now suppose that, after the load reaches 200, I should only allow premium users. In order to identify non-premium users, I check their diffserv value and drop their packets. This helps me to achieve QoS.

The problem is that I have read various tutorials on tc but I am not yet comfortable. The default settings on my machine are:

    [root@scotch root]# ip link list
    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:02:b3:f1:89:0c brd ff:ff:ff:ff:ff:ff
    3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
        link/ether 00:02:b3:f1:89:0d brd ff:ff:ff:ff:ff:ff
    4: sit0: <NOARP> mtu 1480 qdisc noop
        link/sit 0.0.0.0 brd 0.0.0.0

Can I use a filter on the default qdisc attached to eth0? If so, how? (Although I read somewhere that there is very little customization that we can do on the default qdisc.)

If I used some classful qdisc, then how would I restore my default setting?

Do we have a better way of achieving the same?

Can you suggest some useful tutorials?

Please do reply.

Regards,
Raghuvendra Kumar
Raghuvendra Kumar
2007-Sep-17 06:36 UTC
RE: using tc to drop packets based on the diffserv or tos value
Thanks. One more thing.

I am using an iptables command to match the DSCP value and drop the corresponding packets.

    iptables -A INPUT -o eth0 -p udp -m --dscp 0x08 -j DROP

Is the syntax of the command correct? It's showing the following error:

    iptables v1.2.8: Couldn't load match `--dscp':/lib/iptables/libipt_--dscp.so: cannot open shared object file: No such file or directory

What should I do to resolve the problem?

Regards,
Raghuvendra Kumar

-----Original Message-----
From: Mohan Sundaram [mailto:mohan.tux@gmail.com]
Sent: Monday, September 17, 2007 11:24 AM
To: Raghuvendra Kumar
Subject: Re: [LARTC] using tc to drop packets based on the diffserv or tos value

Raghuvendra Kumar wrote:
> Hi Michal,
>
> Thanks for your much needed suggestion.
>
> Actually I have a video delivery server (suppose it supports 240 simultaneous calls).
> It takes requests from various users for video delivery.
>
> Now suppose that, after the load reaches 200, I should only allow
> premium users. In order to identify non-premium users, I check their diffserv
> value and drop their packets. This helps me to achieve QoS.
>

You can send premium customer traffic thro' a high prio class. This way, non-premium traffic will always be accorded lower priority and thus dropped if choke occurs. TOS marks must work. Another mechanism is to use fwmark in iptables and classify using mark in tc.

Mohan
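Added example (not part of any post in this thread): iptables takes the 6-bit DSCP code point in --set-dscp and --dscp, while tc's u32 dsfield selector compares the whole 8-bit DS byte, so DSCP 8 sits in that byte as 0x20. The helpers below, whose names are made up for illustration, do the conversion and print (without executing) a tc filter in the form used earlier in the thread and an iptables INPUT rule for the same code point; eth0 and parent 1:0 are the thread's values.

```shell
#!/bin/sh
# Added example: DSCP code point -> DS/TOS byte, plus rule text for tc and
# iptables. Nothing is applied; the functions only print the commands.

# dscp_to_tos DSCP  ->  DS byte as 0xNN (accepts decimal or 0x-prefixed hex)
dscp_to_tos() {
    case "$1" in
        0[xX]?*) case "${1#0[xX]}" in *[!0-9a-fA-F]*) return 1 ;; esac ;;
        ''|*[!0-9]*|0?*) return 1 ;;     # not a number, or ambiguous leading zero
    esac
    [ $(( $1 )) -le 63 ] || return 1      # DSCP is a 6-bit field
    printf '0x%02x\n' $(( $1 << 2 ))      # shift past the two ECN bits
}

# tc_drop_filter DEV DSCP
# u32 compares the full byte, so mask 0xfc keeps the six DSCP bits and
# ignores ECN; the mask argument is mandatory.
tc_drop_filter() {
    tos=$(dscp_to_tos "$2") || return 1
    printf 'tc filter add dev %s parent 1:0 protocol ip prio 1 u32 match ip dsfield %s 0xfc action drop\n' \
        "$1" "$tos"
}

# iptables_drop_rule DEV DSCP
# "-m dscp" names the match module and "--dscp" is its option; the INPUT
# chain selects the interface with -i (-o is rejected there).
iptables_drop_rule() {
    dscp_to_tos "$2" >/dev/null || return 1
    printf 'iptables -A INPUT -i %s -p udp -m dscp --dscp %s -j DROP\n' "$1" "$2"
}

tc_drop_filter eth0 8
iptables_drop_rule eth0 8
```

Review the printed lines before running them as root; the tc filter needs a qdisc with handle 1: already attached to the device.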
Michal Soltys
2007-Sep-18 21:26 UTC
Re: using tc to drop packets based on the diffserv or tos value
> Hi Michal,
>
> Can I use a filter on the default qdisc attached to eth0? If so, how?
> (Although I read somewhere that there is very little customization that
> we can do on the default qdisc.)

Yes, the default qdisc - pfifo_fast - is pretty limited, with 3 bands assigned to specific combinations of tos values.

> If I used some classful qdisc, then how would I restore my default
> setting?

Just delete the new qdisc you created, you will go back to pfifo_fast.

> Do we have a better way of achieving the same?

Well, HFSC or HTB would be a good choice, with SFQ or ESFQ attached to the leaves (if i.e. using classes per groups of users).

> Can you suggest some useful tutorials?

In no particular order (and not necessarily related to your questions):

1) Information about extended tc actions (mirred, ipt, ...):
   iproute2 tarball -> doc/actions
   remark: currently it seems that if you use more than 1 ipt action in a filter rule, tc will segfault
   Also look for info in Russell's docs

2) Excellent Russell's set of docs
   http://ace-host.stuart.id.au/russell/files/tc/doc/
   remark: contrary to other sources of info (i.e. lartc howto), the u32 docs here are superbly accurate and (almost) complete.
   minor missing info in u32:
   - indev purpose (?)
   - mark match (this one is simple, i.e. tc .... u32 match mark 1 flowid X:Y - note that flowid/classid must be last here, or tc will complain).
   - dscp can be used instead of tos

3) LARTC howto
   http://lartc.org/#download
   Pretty old, plenty of info, also plenty of missing info, and some (like u32) leaving out a LOT of important details (almost plain wrong).

4) iproute+tc notes
   http://snafu.freedom.org/linux2.2/iproute-notes.html
   Also can be found in the iproute tarball. Missing info remarks as in 3)

5) Traffic control howto
   http://tldp.org/HOWTO/Traffic-Control-HOWTO/index.html

6) Linux policy routing
   http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html

7) ip command reference
   http://linux-ip.net/gl/ip-cref/

8) some elementary classification info (BASIC)
   http://marc.info/?l=lartc&m=117569441229800&w=2

9) some discussion with plenty of good info related to HFSC
   http://marc.info/?t=107799591400001&r=1&w=2

10) other HFSC documentation info
   http://linux-ip.net/articles/hfsc.en/
   http://www.cs.cmu.edu/~istoica/hfsc-tr.ps.gz (good, but detailed and long)
   http://www.sonycsl.co.jp/~kjc/software/TIPS.txt (note that *BSD's HFSC implementation is a bit different (no concave curves, 80% limit on realtime, ...)). Good simple overview, but be careful.

11) marc.info, google, ...
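Added example (not from any post in the thread): a dry-run script for the layout suggested in the replies above, an HTB tree with SFQ on the leaves that sends DSCP-8 (non-premium) traffic to a lower-priority class, followed by the teardown that returns the interface to its default qdisc. The rates, class ids and function names are assumptions; as written it only prints the tc commands.

```shell
#!/bin/sh
# Added example: premium / non-premium split on egress with HTB + SFQ.
# Rates and class ids are illustrative assumptions, not values from the thread.
DEV=eth0
TC="echo tc"      # dry run: prints each command; change to TC=tc (as root) to apply

qos_up() {
    # Unclassified traffic falls into 1:10, the premium class.
    $TC qdisc add dev "$DEV" root handle 1: htb default 10
    $TC class add dev "$DEV" parent 1: classid 1:1 htb rate 100mbit
    # Premium: most of the link guaranteed, served first (prio 0).
    $TC class add dev "$DEV" parent 1:1 classid 1:10 htb rate 80mbit ceil 100mbit prio 0
    # Non-premium: small guarantee, borrows only what premium leaves unused.
    $TC class add dev "$DEV" parent 1:1 classid 1:20 htb rate 20mbit ceil 100mbit prio 1
    # SFQ on each leaf shares the class fairly between flows.
    $TC qdisc add dev "$DEV" parent 1:10 handle 10: sfq perturb 10
    $TC qdisc add dev "$DEV" parent 1:20 handle 20: sfq perturb 10
    # DSCP 8 is DS byte 0x20; mask 0xfc ignores the ECN bits. flowid goes last.
    $TC filter add dev "$DEV" parent 1:0 protocol ip prio 1 u32 \
        match ip dsfield 0x20 0xfc flowid 1:20
}

qos_down() {
    # Deleting the root qdisc restores the default (pfifo_fast in this thread).
    $TC qdisc del dev "$DEV" root
}

qos_up
qos_down
```

After applying for real, tc -s class show dev eth0 shows per-class byte and drop counters, which confirms whether marked traffic is landing in 1:20.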
Raghuvendra Kumar
2007-Sep-19 04:11 UTC
RE: using tc to drop packets based on the diffserv or tos value
Thanks. You are really a great help to me.

Regards,
Raghuvendra Kumar