Please consider the following scenario & corresponding question.....

                    Machine1                           Machine2
                _________________                  _________________
 MachineX       |               |                  |               |
 HTTP(1)        |               |                  |  HTTP Server  |
------>-------->|          -----|------------------|               |
            eth0|         /     |eth1              |eth0           |
 10.20.253.242/8|        /      |10.20.255.238/8   |10.20.246.247/8|
                | HTTP(2)       |                  |               |
                |_______________|                  |_______________|

                10.20.246.247 dev eth1
                10.20.246.247 dev eth1 lladdr xx:xx:xx:xx:xx:xx
                proxy_arp =1
                ip_forward=1

Here are my shaping rules (primary goal is to send the web traffic through a separate queue)

    tc qdisc add dev eth1 root handle 1: htb default 20

    tc class add dev eth1 parent 1: classid 1:1 htb rate 2mbit burst 15k

    tc class add dev eth1 parent 1:1 classid 1:10 htb rate 1mbit ceil 2mbit burst 15k
    tc class add dev eth1 parent 1:1 classid 1:20 htb rate 1mbit burst 15k

    tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
    tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10

    tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip dport 0x50 0xffff flowid 1:10

Now, after all of this configuration I've observed that:

a) All the web requests coming from "MachineX" go thru the default queue 20
b) Web traffic generated from "Machine1" does get sent thru queue 10

Why is the forwarded traffic bypassing the filter?

I inserted debug messages in the 'u32_classify' function inside the kernel, just to make sure that the filter is not failing, but the function never gets called for HTTP(1) traffic!!!

Regards,
+Amit
email: subscribeamit@yahoo.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Is the netmask actually /24 instead of /8 or are you bridging the traffic with Machine1?

On Thu, 2003-10-16 at 17:26, Amit Gandhi wrote:
> <SNIP>

--
Lawrence MacIntyre 865.574.8696 lpz@ornl.gov
Oak Ridge National Laboratory
High Performance Information Infrastructure Technology Group

The netmask is /8 in my config, but it can be /24 (doesn't matter a whole lot). The traffic is not being bridged at Machine1, it's simple routing coz I've set up a route & ARP entry for Machine2 on Machine1 and IP Forwarding, Proxy ARP is enabled on Machine1.

Thanks

--- Lawrence MacIntyre <lpz@ornl.gov> wrote:
> Is the netmask actually /24 instead of /8 or are you bridging the
> traffic with Machine1?
>
> On Thu, 2003-10-16 at 17:26, Amit Gandhi wrote:
> > <SNIP>

<being extremely subtle...>

I haven't looked at the code, but the path these packets take through the IP stack may be "unusual". You have configured your network in a very strange manner. Generally, for ethernet networks, you want all interfaces in the same subnet to be on the same broadcast network. You might have better luck if you make Machine1 a bridge or a normal IP router. Is there a reason why you have configured your network in this way?

On Fri, 2003-10-17 at 09:25, Amit Gandhi wrote:
> The netmask is /8 in my config, but it can be /24 (doesn't matter a
> whole lot). The traffic is not being bridged at Machine1, it's simple
> routing coz I've set up a route & ARP entry for Machine2 on Machine1 and
> IP Forwarding, Proxy ARP is enabled on Machine1.
>
> Thanks
>
> --- Lawrence MacIntyre <lpz@ornl.gov> wrote:
> > <SNIP>

--
Lawrence MacIntyre 865.574.8696 lpz@ornl.gov
Oak Ridge National Laboratory
High Performance Information Infrastructure Technology Group

I think there are ways to apply filters to PreRouting/Forward/PostRouting stages, I might need to MARK these packets using 'iptables' & then maybe use the FW filter, but what I want to understand is if u32 filter can do the same job without marking the packets?

The reason for such a configuration is to make it look like one flat network & all these addresses are managed by one single central DHCP server. There are reasons for not using it as a bridge, but that drifts us away from the problem at hand. Suffice to say, all this works, machineX can get to machine2 & machine2 can get to any of the machineX.

Thanks,
+Amit

--- Lawrence MacIntyre <lpz@ornl.gov> wrote:
> <being extremely subtle...>
>
> I haven't looked at the code, but the path these packets take through
> the IP stack may be "unusual". You have configured your network in a
> very strange manner. Generally, for ethernet networks, you want all
> interfaces in the same subnet to be on the same broadcast network. You
> might have better luck if you make Machine1 a bridge or a normal IP
> router. Is there a reason why you have configured your network in this
> way?
>
> On Fri, 2003-10-17 at 09:25, Amit Gandhi wrote:
> > The netmask is /8 in my config, but it can be /24 (doesn't matter a
> > whole lot). The traffic is not being bridged at Machine1, it's simple
> > routing coz I've set up a route & ARP entry for Machine2 on Machine1 and
> > IP Forwarding, Proxy ARP is enabled on Machine1.
> >
> > Thanks
> >
> > --- Lawrence MacIntyre <lpz@ornl.gov> wrote:
> > > Is the netmask actually /24 instead of /8 or are you bridging the
> > > traffic with Machine1?
> > >
<SNIP>

I found out the culprit piece of code in the u32 filter classifier.

Some foundation first. I am using 2.4.18 kernel on MPC855T the powerpc version.

Now the following code snippet from 'cls_u32.c'

    static int u32_classify(struct sk_buff *skb, struct tcf_proto *tp, struct tcf_result *res)
    {
            struct {
                    struct tc_u_knode *knode;
                    u8 *ptr;
            } stack[TC_U32_MAXDEPTH];

            struct tc_u_hnode *ht = (struct tc_u_hnode*)tp->root;
            u8 *ptr = skb->nh.raw;
            struct tc_u_knode *n;
            int sdepth = 0;
            int off2 = 0;
            int sel = 0;
            int i;

    /********* CULPRIT CODE *******/
    #if !defined(__i386__) && !defined(__mc68000__)
            if ( (unsigned long)ptr & 3 )
                    return -1;
    #endif
    /********* CULPRIT CODE *******/
            ......
            .........

The above code checks for word alignment of a packet on PowerPC platforms and it somehow fails for forwarded packets rather than packets generated by the local host.

Now, I checked newer versions of kernel & it seems that this piece of code has been removed from them.

So, this issue is closed.

Thanks,
+Amit
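
The effect of the quoted alignment guard on classification, as an added example that is not part of the original thread or the kernel source: a constructed frame is placed in a 4-byte-aligned buffer with and without headroom, and a failed guard sends the packet to the default class without the port match ever running. It assumes (the thread does not confirm this) a receive path that leaves the IP header directly after the 14-byte Ethernet header; all helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN      14    /* Ethernet header: 6 dst + 6 src + 2 ethertype */
#define CLASS_WEB     0x10  /* flowid 1:10 from the thread's filter */
#define CLASS_DEFAULT 0x20  /* "htb default 20" from the thread's qdisc */

/* Same test as the guard quoted from cls_u32.c: -1 means "no match". */
static int alignment_guard(const uint8_t *nh)
{
    return ((uintptr_t)nh & 3) ? -1 : 0;
}

/* Stand-in for "u32 match ip dport 0x50 0xffff": the 16 bits at offset 22
 * from the IP header, assuming a 20-byte IP header without options. */
static int match_dport80(const uint8_t *nh)
{
    return nh[22] == 0x00 && nh[23] == 0x50;
}

/* Place a constructed Ethernet+IPv4+TCP frame `headroom` bytes into a
 * 4-byte-aligned buffer and return the class the packet ends up in. */
static int classify_frame(unsigned headroom)
{
    static uint32_t storage[64];              /* 4-byte aligned by type */
    uint8_t *buf = (uint8_t *)storage;
    uint8_t *nh = buf + headroom + ETH_HLEN;  /* plays the role of skb->nh.raw */

    memset(storage, 0, sizeof(storage));
    nh[0]  = 0x45;                            /* IPv4, IHL = 5 */
    nh[9]  = 6;                               /* protocol = TCP */
    nh[22] = 0x00;                            /* TCP destination port 80 */
    nh[23] = 0x50;

    if (alignment_guard(nh) < 0)
        return CLASS_DEFAULT;                 /* match is never evaluated */
    return match_dport80(nh) ? CLASS_WEB : CLASS_DEFAULT;
}

int main(void)
{
    /* Without headroom the IP header sits at offset 14 (14 & 3 == 2). */
    printf("headroom 0 -> class 1:%x\n", classify_frame(0));
    /* Two bytes of headroom move it to offset 16, which is aligned. */
    printf("headroom 2 -> class 1:%x\n", classify_frame(2));
    return 0;
}
```

The same port-80 packet lands in 1:20 or 1:10 depending only on where its header starts in memory, which is why a filter that fails closed to "no match" is worth checking with per-class counters (`tc -s class show dev eth1`) after any shaping change.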