nix4me@cfl.rr.com
2004-Oct-07 22:15 UTC
shaping outbound ftp traffic on 1 nic not working properly
> Theory is.. You can only shape outbound traffic. Inbound is via tcp windowshaping etc..

In theory yes, but it is shaping inbound transfers to my server.

>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65437 -j MARK --set-mark 20
>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 20
>> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26

> Why do you care about destination port?
> AFAIK, it shouldn't affect your wants since you're not filtering on
> incoming traffic

I don't care about destination port. That line was commented. BUT, incoming transfers are being shaped for some reason.

> Is this legal?? 10000mbps?? Wow.. 10000*1E6?

I just did that to make sure LAN traffic was not affected at all.

Entire script for reference....

I am using the following script to limit my outbound traffic. This script runs on a box behind my firewall. It limits my outbound passive ftp traffic to 39K perfectly....just like I want. However, I just noticed that it is also limiting uploads coming to my server. Is there something I can change to make it not limit uploads to my server?
#!/bin/bash
# shaping passive ftp traffic

# mark the outbound passive ftp packets on ports 50000-51000
# (remove any previous chain first so the script can be re-run)
iptables -t mangle -D POSTROUTING -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null

iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I POSTROUTING -o eth0 -j MYSHAPER-OUT

iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65437 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 20
iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26

# clear it (ignore the error when no qdisc is installed yet)
tc qdisc del dev eth0 root 2> /dev/null

# add the root qdisc
tc qdisc add dev eth0 root handle 1: htb default 26

# add main rate limit class
tc class add dev eth0 parent 1: classid 1:1 htb rate 10000mbps

# add leaf classes
tc class add dev eth0 parent 1:1 classid 1:26 htb rate 10000mbps
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 39kbps

# filter traffic into classes by fwmark
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Ow Mun Heng
2004-Oct-08 06:00 UTC
Re: shaping outbound ftp traffic on 1 nic not working properly
On Fri, 2004-10-08 at 06:15, nix4me@cfl.rr.com wrote:

> > Theory is.. You can only shape outbound traffic.
> > Inbound is via tcp windowshaping etc..

In Linux or LARTC IIRC, it's called ingress filtering. There's also GRED/RED etc.. but based on what I've read, it's all about dropping packets. TCP windowshaping, although it's built into the TCP architecture, and there is a /proc entry for it, I still don't see its effects. (or rather, I don't know how to measure it)

> In theory yes, but it is shaping inbound transfers to my server.

You're not doing any other sort of ingress filters are you??

> >> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65437 -j MARK --set-mark 20
> >> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 20
> >> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26
>
> > Why do you care about destination port?
> > AFAIK, it shouldn't affect your wants since you're not filtering on
> > incoming traffic
>
> I don't care about destination port. That line was commented. BUT, incoming transfers are being shaped for some reason.

Could this be shaping on the ISP side?? What happens when the tc rules are shut off??

> Is there something I can change to make it not limit uploads to my server?
> #!/bin/bash
> #shaping passive ftp traffic
>
> # mark the outbound passive ftp packets on ports 50000-51000
> iptables -t mangle -D POSTROUTING -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
>
> iptables -t mangle -N MYSHAPER-OUT
> iptables -t mangle -I POSTROUTING -o eth0 -j MYSHAPER-OUT
>
> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65437 -j MARK --set-mark 20
> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 20
> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26
[SNIP]

Can you determine what ports are being used for inbound data transfers? What makes you select those ports you defined as the outbound??

--
Ow Mun Heng
Fedora GNU/Linux Core 2 on D600 1.4Ghz CPU
kernel 2.6.7-2.jul1-interactive
Neuromancer 13:56:23 up 4:48, 7 users, load average: 0.32, 0.59, 0.50
chris
2004-Oct-08 07:06 UTC
Re: shaping outbound ftp traffic on 1 nic not working properly
Is the inbound rate affected even if there are no outbound transfers? Is the speed actually being "limited" to a certain speed, or are you just noticing that the inbound/upload traffic is slower than it should be?

The reason I ask is because you're tagging all outbound ftp-data traffic (ports 50000:51000) and directing it to the class with 39kbps. If you have outbound/download transfers going, they may be using all the available outbound bandwidth for that class and causing outbound ACK packets (for the inbound/upload traffic) to queue and throttle the inbound speed. Please don't flame me if I'm way off base...

Assumption:
- data connection is bi-directional. ie. the data connection is made on the specified PASV (server) ports (50000:51000) regardless of whether it's an upload or download.

Test:
- simply kill all downloads and see if the uploads are still affected.
- or you can tag outbound ACK packets and filter them into the faster class.

chris

>> Theory is.. You can only shape outbound traffic.
>> Inbound is via tcp windowshaping etc..
>
> In theory yes, but it is shaping inbound transfers to my server.
>
>>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65437 -j MARK --set-mark 20
>>> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 20
>>> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26
>
>> Why do you care about destination port?
>> AFAIK, it shouldn't affect your wants since you're not filtering on
>> incoming traffic
>
> I don't care about destination port. That line was commented. BUT,
> incoming transfers are being shaped for some reason.
>
>> Is this legal?? 10000mbps?? Wow.. 10000*1E6?
>
> I just did that to make sure LAN traffic was not affected at all.
>
> Entire script for reference....
> I am using the following script to limit my outbound traffic. This script
> runs on a box behind my firewall. It limits my outbound passive ftp
> traffic to 39K perfectly....just like I want. However, I just noticed that
> it is also limiting uploads coming to my server.
>
> Is there something I can change to make it not limit uploads to my server?
>
> #!/bin/bash
> #shaping passive ftp traffic
>
> # mark the outbound passive ftp packets on ports 50000-51000
> iptables -t mangle -D POSTROUTING -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
> iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
>
> iptables -t mangle -N MYSHAPER-OUT
> iptables -t mangle -I POSTROUTING -o eth0 -j MYSHAPER-OUT
>
> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 65437 -j MARK --set-mark 20
> iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 50000:51000 -j MARK --set-mark 20
> iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26
>
> # clear it
> tc qdisc del dev eth0 root
>
> #add the root qdisc
> tc qdisc add dev eth0 root handle 1: htb default 26
>
> #add main rate limit class
> tc class add dev eth0 parent 1: classid 1:1 htb rate 10000mbps
>
> #add leaf classes
> tc class add dev eth0 parent 1:1 classid 1:26 htb rate 10000mbps
> tc class add dev eth0 parent 1:1 classid 1:20 htb rate 39kbps
>
> #filter traffic into classes
> tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
> tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26
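Chris's second test, tagging the server's outbound ACKs into the faster class, worked through as an added example that is not from the thread. It keeps the poster's chain (MYSHAPER-OUT), marks (20 and 26) and PASV range (50000:51000) and assumes the tc classes from the original script are already in place; the 64-byte ACK threshold and the APPLY and IPT variables are assumptions, and by default the script only prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the LARTC thread. Re-mark the small outbound
# ACKs of an inbound (upload) data connection so they are not queued in
# the 39kbps class behind bulk download data. Assumption: an empty ACK is
# 40 bytes (52 with TCP timestamps), so 64 is used as the cut-off.
ACK_MAX_LEN=64
PASV_LO=50000
PASV_HI=51000
IPT="${IPT:-iptables}"

# Emit the mangle rules in order. MARK is non-terminating, so a later
# --set-mark overrides an earlier one: bulk PASV data is marked 20 first,
# then the ACK exception re-marks small packets into the unshaped class 26.
# -m length matches the total IP packet length.
mangle_rules() {
    cat <<EOF
$IPT -t mangle -A MYSHAPER-OUT -p tcp --sport 65437 -j MARK --set-mark 20
$IPT -t mangle -A MYSHAPER-OUT -p tcp --sport $PASV_LO:$PASV_HI -j MARK --set-mark 20
$IPT -t mangle -A MYSHAPER-OUT -p tcp --sport $PASV_LO:$PASV_HI -m length --length 0:$ACK_MAX_LEN -j MARK --set-mark 26
$IPT -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 26
EOF
}

# Offline model of how the chain above marks one outbound packet, given
# its TCP source port and total IP length, so the rule order can be
# checked without touching the kernel. Prints the resulting fwmark
# (20 = 39kbps class 1:20, 26 = unshaped class 1:26).
mark_for() {
    sport=$1; len=$2; mark=0
    [ "$sport" -eq 65437 ] && mark=20
    if [ "$sport" -ge "$PASV_LO" ] && [ "$sport" -le "$PASV_HI" ]; then
        mark=20
        [ "$len" -le "$ACK_MAX_LEN" ] && mark=26
    fi
    [ "$mark" -eq 0 ] && mark=26
    echo "$mark"
}

# Apply for real only when APPLY=1 (chain must already exist); otherwise
# just print the rules for review.
if [ "${APPLY:-0}" = 1 ]; then
    mangle_rules | sh -e
else
    mangle_rules
fi
```

Under this chain a full-size download segment from port 50500 still lands in 1:20, while a 52-byte ACK on the same port goes to 1:26.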