LARTC - Jul 2005 - iproute2 rules not being followed !!!!!!!

Hi...

I have installed ip route 2 package on Linux kernel 2.4.25

I am using 2 tables:

###################################

ebox:100.254~# ip route list table ALTER
default via 192.168.100.253 dev br0

ebox:100.254~# ip route list table main
10.0.0.254 dev ppp0  proto kernel  scope link  src 10.0.0.1
192.168.100.0/24 dev br0  proto kernel  scope link  src 192.168.100.254
192.168.100.0/24 dev eth1  proto kernel  scope link  src 192.168.100.233
192.168.200.0/24 dev eth2  proto kernel  scope link  src 192.168.200.254
127.0.0.0/8 dev lo  scope link
default via 10.0.0.254 dev ppp0



#####################################


Now I set up the rules :

#####################################

ebox:100.254~# ip rule list
0:      from all lookup local
7:      from 216.239.59.147 lookup main
8:      from 202.141.80.6 lookup ALTER
32739:  from 202.141.80.6 lookup ALTER
32740:  from 66.102.11.99 lookup ALTER
32741:  from 66.102.11.104 lookup main
32742:  from 64.73.37.225 lookup main
32743:  from 216.239.59.103 lookup main
32744:  from 210.43.44.8 lookup main
32745:  from 64.233.183.19 lookup main
32746:  from 64.233.183.83 lookup ALTER
32747:  from 64.233.183.106 lookup ALTER
32748:  from 210.157.158.37 lookup ALTER
32749:  from 66.249.87.99 lookup main
32752:  from 213.244.168.210 lookup main
32753:  from 66.197.129.37 lookup ALTER
32754:  from 82.102.4.72 lookup ALTER
32755:  from 216.73.82.14 lookup ALTER
32756:  from 216.73.82.70 lookup ALTER
32757:  from 216.74.132.11 lookup main
32758:  from 216.109.117.205 lookup ALTER
32759:  from 202.138.124.172 lookup main
32760:  from 216.109.127.16 lookup main
32761:  from 209.244.156.19 lookup ALTER
32762:  from 68.142.228.136 lookup ALTER
32763:  from 82.102.4.57 lookup ALTER
32765:  from 216.109.118.65 lookup main
32766:  from all lookup main
32767:  from all lookup default


#####################################


But when I try to trace the route of a packet with destination address
such that according to ip rule table ALTER should be considered ...
its not following the rule...  its always following table Main...

#####################################

ebox:100.254~# tcptraceroute -n 202.141.80.6
Selected device ppp0, address 10.0.0.1, port 40113 for outgoing packets
Tracing the path to 202.141.80.6 on TCP port 80 (http), 30 hops max
 1  10.0.0.254  0.333 ms  0.212 ms  0.210 ms
 2  202.141.80.6 [open]  0.589 ms  0.591 ms  0.588 ms


######################################



I would appreciate if I can get any help on why this is not working .!!!!

Thanks.

Regards 
Shantanu

Hi...

I m really very sorry...

actually I did a very stupid mistake...


in adding rules I added using  "from"  instead of  "to"  
.... :)

I m really sorry for wasting all the time..

REgards 

Shantanu

On 7/17/05, Shantanu Kumar <shantanu.iitg@gmail.com>
wrote:
> Hi...
> 
> I have installed ip route 2 package on Linux kernel 2.4.25
> 
> I am using 2 tables:
> 
> ###################################
> 
> ebox:100.254~# ip route list table ALTER
> default via 192.168.100.253 dev br0
> 
> ebox:100.254~# ip route list table main
> 10.0.0.254 dev ppp0  proto kernel  scope link  src 10.0.0.1
> 192.168.100.0/24 dev br0  proto kernel  scope link  src 192.168.100.254
> 192.168.100.0/24 dev eth1  proto kernel  scope link  src 192.168.100.233
> 192.168.200.0/24 dev eth2  proto kernel  scope link  src 192.168.200.254
> 127.0.0.0/8 dev lo  scope link
> default via 10.0.0.254 dev ppp0
> 
> 
> 
> #####################################
> 
> 
> Now I set up the rules :
> 
> #####################################
> 
> ebox:100.254~# ip rule list
> 0:      from all lookup local
> 7:      from 216.239.59.147 lookup main
> 8:      from 202.141.80.6 lookup ALTER
> 32739:  from 202.141.80.6 lookup ALTER
> 32740:  from 66.102.11.99 lookup ALTER
> 32741:  from 66.102.11.104 lookup main
> 32742:  from 64.73.37.225 lookup main
> 32743:  from 216.239.59.103 lookup main
> 32744:  from 210.43.44.8 lookup main
> 32745:  from 64.233.183.19 lookup main
> 32746:  from 64.233.183.83 lookup ALTER
> 32747:  from 64.233.183.106 lookup ALTER
> 32748:  from 210.157.158.37 lookup ALTER
> 32749:  from 66.249.87.99 lookup main
> 32752:  from 213.244.168.210 lookup main
> 32753:  from 66.197.129.37 lookup ALTER
> 32754:  from 82.102.4.72 lookup ALTER
> 32755:  from 216.73.82.14 lookup ALTER
> 32756:  from 216.73.82.70 lookup ALTER
> 32757:  from 216.74.132.11 lookup main
> 32758:  from 216.109.117.205 lookup ALTER
> 32759:  from 202.138.124.172 lookup main
> 32760:  from 216.109.127.16 lookup main
> 32761:  from 209.244.156.19 lookup ALTER
> 32762:  from 68.142.228.136 lookup ALTER
> 32763:  from 82.102.4.57 lookup ALTER
> 32765:  from 216.109.118.65 lookup main
> 32766:  from all lookup main
> 32767:  from all lookup default
> 
> 
> #####################################
> 
> 
> But when I try to trace the route of a packet with destination address
> such that according to ip rule table ALTER should be considered ...
> its not following the rule...  its always following table Main...
> 
> #####################################
> 
> ebox:100.254~# tcptraceroute -n 202.141.80.6
> Selected device ppp0, address 10.0.0.1, port 40113 for outgoing packets
> Tracing the path to 202.141.80.6 on TCP port 80 (http), 30 hops max
>  1  10.0.0.254  0.333 ms  0.212 ms  0.210 ms
>  2  202.141.80.6 [open]  0.589 ms  0.591 ms  0.588 ms
> 
> 
> ######################################
> 
> 
> 
> I would appreciate if I can get any help on why this is not working .!!!!
> 
> Thanks.
> 
> Regards
> Shantanu
>

Hello,

i played a few days with tc htb classes and classified my packets using
iptables CLASSIFY target.

here is what i did:
#!/bin/bash
int=''ppp0''
#making all things clear
tc qdisc del dev $int root
iptables -t mangle --flush
iptables -t mangle --delete-chain

if $1
then
#defining classes
tc qdisc add dev $int root handle 1: htb default 20 r2q 2
tc class add dev $int parent 1: classid 1:1 htb rate 22kbps

tc class add dev $int parent 1:1 classid 1:10 htb rate 10kbps ceil
22kbps prio 0
tc class add dev $int parent 1:1 classid 1:20 htb rate 9kbps ceil 15kbps
prio 1
tc class add dev $int parent 1:1 classid 1:30 htb rate 3kbps ceil 13kbps
prio 2
tc qdisc add dev $int parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $int parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $int parent 1:30 handle 30: sfq perturb 10

iptables -t mangle -N TS_FWD
iptables -t mangle -A FORWARD -j TS_FWD

iptables -t mangle -A TS_FWD -o ppp0 -p ! icmp --match length --length
0:70 -j CLASSIFY --set-class 1:10
iptables -t mangle -A TS_FWD -o ppp0 -p ! icmp --match length --length
0:70 -j RETURN

iptables -t mangle -A TS_FWD -i eth2 -o ppp0 -p tcp --source 192.168.0.2
--destination-port 80 -j CLASSIFY --set-class 1:20
iptables -t mangle -A TS_FWD -i eth2 -o ppp0 -p tcp --source 192.168.0.2
--destination-port 80 -j RETURN
iptables -t mangle -A TS_FWD -i eth2 -o ppp0 -p tcp --source 192.168.0.2
--destination-port 443 -j CLASSIFY --set-class 1:20
iptables -t mangle -A TS_FWD -i eth2 -o ppp0 -p tcp --source 192.168.0.2
--destination-port 443 -j RETURN

iptables -t mangle -A TS_FWD -i eth2 -o ppp0 -p tcp --source 192.168.0.2
--destination-port 554 -j CLASSIFY --set-class 1:10
iptables -t mangle -A TS_FWD -i eth2 -o ppp0 -p tcp --source 192.168.0.2
--destination-port 554 -j RETURN
#if $2
#then
#    iptables -t mangle -A TS_FWD -i eth2 -o ppp0 --source 192.168.0.2
-j LOG
#fi
iptables -t mangle -A TS_FWD -i eth2 -o ppp0 --source 192.168.0.2 -j
CLASSIFY --set-class 1:30
fi

It works not really good. I tested it using my internal 100MBit network
interface using multiple ftp connections and classified the packets
based on their source-ip. That works fine with same classes. Immediately
all things i expected took place. Also the prio option worked fine. If i
was running 2 simultanious downloads, the one with the higher piority
gets all borrowable downloadspeed and the one with the lower priority
gets his ashured rate.
But same classes didnt work with my 192kbit 2048kbit ppp link. Well ok,
they are working, but not like i want them to work. The speed changes
takes some seconds to take place. And the priority seems to be ignored.
I have to say, that the i tested the ppp uplink using emule with many
connections (500 - 800) and the higher priority upload was one active
ftp connection.

Whats my fault?

Regards
Richard Hauswald

Staenker wrote:
> Hello,
> 
> i played a few days with tc htb classes and classified my packets using
> iptables CLASSIFY target.
> 
> here is what i did:
> #!/bin/bash
> int=''ppp0''
> #making all things clear
> tc qdisc del dev $int root
> iptables -t mangle --flush
> iptables -t mangle --delete-chain
> 
> if $1
> then
> #defining classes
> tc qdisc add dev $int root handle 1: htb default 20 r2q 2
> tc class add dev $int parent 1: classid 1:1 htb rate 22kbps
> 
> tc class add dev $int parent 1:1 classid 1:10 htb rate 10kbps ceil
> 22kbps prio 0
> tc class add dev $int parent 1:1 classid 1:20 htb rate 9kbps ceil 15kbps
> prio 1
> tc class add dev $int parent 1:1 classid 1:30 htb rate 3kbps ceil 13kbps
> prio 2
> tc qdisc add dev $int parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev $int parent 1:20 handle 20: sfq perturb 10
> tc qdisc add dev $int parent 1:30 handle 30: sfq perturb 10
> 
> iptables -t mangle -N TS_FWD
> iptables -t mangle -A FORWARD -j TS_FWD
> 
> iptables -t mangle -A TS_FWD -o ppp0 -p ! icmp --match length --length
> 0:70 -j CLASSIFY --set-class 1:10
> iptables -t mangle -A TS_FWD -o ppp0 -p ! icmp --match length --length
> 0:70 -j RETURN
> 
> iptables -t mangle -A TS_FWD -i eth2 -o ppp0 -p tcp --source 192.168.0.2
> --destination-port 80 -j CLASSIFY --set-class 1:20
> iptables -t mangle -A TS_FWD -i eth2 -o ppp0 -p tcp --source 192.168.0.2
> --destination-port 80 -j RETURN
> iptables -t mangle -A TS_FWD -i eth2 -o ppp0 -p tcp --source 192.168.0.2
> --destination-port 443 -j CLASSIFY --set-class 1:20
> iptables -t mangle -A TS_FWD -i eth2 -o ppp0 -p tcp --source 192.168.0.2
> --destination-port 443 -j RETURN
> 
> iptables -t mangle -A TS_FWD -i eth2 -o ppp0 -p tcp --source 192.168.0.2
> --destination-port 554 -j CLASSIFY --set-class 1:10
> iptables -t mangle -A TS_FWD -i eth2 -o ppp0 -p tcp --source 192.168.0.2
> --destination-port 554 -j RETURN
> #if $2
> #then
> #    iptables -t mangle -A TS_FWD -i eth2 -o ppp0 --source 192.168.0.2
> -j LOG
> #fi
> iptables -t mangle -A TS_FWD -i eth2 -o ppp0 --source 192.168.0.2 -j
> CLASSIFY --set-class 1:30
> fi
> 
> It works not really good. I tested it using my internal 100MBit network
> interface using multiple ftp connections and classified the packets
> based on their source-ip. That works fine with same classes. Immediately
> all things i expected took place. Also the prio option worked fine. If i
> was running 2 simultanious downloads, the one with the higher piority
> gets all borrowable downloadspeed and the one with the lower priority
> gets his ashured rate.
> But same classes didnt work with my 192kbit 2048kbit ppp link. Well ok,
> they are working, but not like i want them to work. The speed changes
> takes some seconds to take place. And the priority seems to be ignored.
> I have to say, that the i tested the ppp uplink using emule with many
> connections (500 - 800) and the higher priority upload was one active
> ftp connection.
> 
> Whats my fault?
I can''t see what rule seperates ftp from the rest, so that could be it
-
check counters/classification with

tc -s class ls dev ppp0

If ftp is going to the right class then it may be that emule network 
traffic consists of loads of small packets. If your ppp0 is adsl then 
the difference between the ip length that htb sees and the actual length 
used on the wire can be significant enough to make you go over limits 
and end up with a 2+ second queue in your modem. Check with ping and 
make icmp go to top priority class. It is possible to patch tc/kernel to 
allow for this.

Andy.