Very simple setup: I have several machines, one of which (192.168.0.198) is
used exclusively as a vnc client to a remote site. I want it to get priority
over guff like email and web etc.

tc qdisc add dev eth1 root handle 1: prio
tc qdisc add dev eth1 parent 1:1 handle 10: pfifo
tc qdisc add dev eth1 parent 1:2 handle 20: pfifo
tc qdisc add dev eth1 parent 1:3 handle 30: pfifo

iptables -t mangle -I OUTPUT -p icmp -s 192.168.0.198 -j TOS --set-tos 16

Effect: zero. All the vnc traffic from x.198 goes into 1:2.

I've tried all the tables (PREROUTING etc) to no avail. I even tried applying
the TOS change to ALL traffic bound for eth1 (the outside line) and still saw
no change in the queuing despite tcpdump showing that the tos bits were being
set.

Why does this not work? It seems as if the priority is being set before
iptables' mangle rules are applied.

Thomas Worthington

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Wed, 05 Nov 2003 12:34:20 -0000, Thomas Worthington <lartc@tww.cx> wrote:

> iptables -t mangle -I OUTPUT -p icmp -s 192.168.0.198 -j TOS --set-tos 16

Sorry, that line crept in from one of the experimental setups: it should of
course be:

iptables -t mangle -I OUTPUT -s 192.168.0.198 -j TOS --set-tos 16

TWW
On Wednesday 05 November 2003 15:03, Thomas Worthington wrote:
> On Wed, 05 Nov 2003 12:34:20 -0000, Thomas Worthington <lartc@tww.cx> wrote:
> > iptables -t mangle -I OUTPUT -p icmp -s 192.168.0.198 -j TOS --set-tos 16
>
> Sorry, that line crept in from one of the experimental setups: it should
> of course be:
>
> iptables -t mangle -I OUTPUT -s 192.168.0.198 -j TOS --set-tos 16

What's the output of
iptables -L -v -n -t mangle

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.openprojects.net
On Wed, 5 Nov 2003 21:11:10 +0100, Stef Coene <stef.coene@docum.org> wrote:

> What's the output of
> iptables -L -v -n -t mangle
>
> Stef

Currently:

Chain PREROUTING (policy ACCEPT 6088 packets, 2069K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1134 packets, 116K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 4954 packets, 1953K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 805 packets, 97871 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        all  --  *      *       192.168.0.198        0.0.0.0/0           TOS set 0x10

Chain POSTROUTING (policy ACCEPT 5759 packets, 2051K bytes)
 pkts bytes target     prot opt in     out     source               destination

Thomas

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Hi there,

I am going to explain you my setup and post you my scripts in case they are
of any help to anybody :) This mail is a little long, but I think the only
way you can understand me is writing you my whole code..

1.- I have two ADSL connections connected through ethernet cards eth0 and
    eth1 to the routers
    - Both ADSL are 2Mbit downstream / 300kbit upstream
    - eth2 goes to my 200 users LAN.
2.- I am doing load balancing (that works great)
3.- I have a mail and web server redirected to eth0's ADSL.
4.- My QoS setup attached to eth0 and eth1
    1 Qdisc for high-priority traffic (mark 1)
    1 Qdisc for low-priority traffic (mark 2)
    1 Qdisc for SYN,ACK traffic (mark 3)
    1 Qdisc for ICMP traffic (mark 4)
    1 Qdisc for Web-server traffic (mark 5)
    -> Scripts below
5.- Since I am doing load balancing I have a stateful firewall as explained
    in Nano HOWTO
    -> Firewall scripts below
6.- Use the mangle table to mark packets and redirect them to the Qdisc

Let me explain my reasoning:
I want to mark interactive traffic like HTTP, SMTP, etc. with mark 1
Mark DNS traffic and MSN Messenger (dport 1863) as interactive, high
priority, mark 1
Mark p2p programs with the ipp2p module with mark 2 (dport 1214 is Imesh)
In order to make sure ACKs and SYN traffic is going out properly I have a
special qdisc
If any traffic is unmarked, mark it as low-priority
-> Mangle setup below

----> PROBLEM:
The problem comes after having this setup running for an hour or so, when
interactive traffic has VERY HIGH latency, or nearly dies.

Anybody having a more or less similar setup, because I am driving mad here!
Any suggestions are welcome :)

Thank you very much!!!!!

My BOX is an Athlon 900MHz with 1GB RAM:
cat /proc/sys/net/ipv4/ip_conntrack_max
57336

txqueuelen on all eth cards is 100.

----> SCRIPTS

IPTABLES MANGLE Table

iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 4
# MARK is not terminating, so the generic UDP rule must come before the DNS
# rule or it overwrites mark 1 with mark 2 for port 53 (the post had them in
# the opposite order)
iptables -t mangle -A POSTROUTING -p udp -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p udp --dport 53 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -m string --string 'KazaaClient' -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp --dport 0:1024 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -p tcp --dport 1214 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp --dport 1863 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
# per-packet marks for handshake/ACK traffic, set after the connmark is saved
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,ACK,RST SYN -j MARK --set-mark 3
# the chkack chain is not shown in the post
iptables -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j chkack
# catch-all for still-unmarked traffic; the posted rule had "! --mark 0",
# which instead re-marks every already-marked packet (including the SYN and
# interactive marks set above) as low priority
iptables -t mangle -A POSTROUTING -m mark --mark 0 -j MARK --set-mark 2

Script for QoS attached to eth0

#!/bin/bash
DEV=eth0
tc qdisc add dev ${DEV} handle 1: root htb default 10
# the top-level class hangs off the root qdisc (parent 1:), not off itself
tc class add dev ${DEV} parent 1: classid 1:1 htb rate 250kbit
######################################
## Interactive traffic
tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 250kbit
tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10
#######################################
# Non Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 50kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20
########################################
## SYN,ACK Traffic
tc class add dev ${DEV} parent 1:1 classid 1:30 htb rate 45kbit ceil 250kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:30 handle 30: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 3 fw flowid 1:30
########################################
## ICMP Traffic
tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40
########################################
## Web-Server Traffic
tc class add dev ${DEV} parent 1:1 classid 1:50 htb rate 50kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:50 handle 50: esfq hash dst perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 5 fw flowid 1:50

Script for QoS attached to eth1

#!/bin/bash
DEV=eth1
tc qdisc add dev ${DEV} handle 1: root htb default 10
tc class add dev ${DEV} parent 1: classid 1:1 htb rate 250kbit
########################################
## Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 250kbit
tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10
#######################################
# Non Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 100kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20
########################################
## SYN,ACK Traffic
tc class add dev ${DEV} parent 1:1 classid 1:30 htb rate 50kbit ceil 250kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:30 handle 30: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 3 fw flowid 1:30
#tc filter add dev ${DEV} parent 1:0 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u8 0x34 0xff at 3 match u8 0x10 0xff at 33 flowid 1:30
########################################
## ICMP Traffic
tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40

Firewall setup

####################################################
## Stateful Firewall                              ##
##                                                ##
iptables -t filter -N keep_state
iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A keep_state -j RETURN
iptables -t nat -N keep_state
iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A keep_state -j RETURN
iptables -t nat -A PREROUTING -j keep_state
iptables -t nat -A POSTROUTING -j keep_state
iptables -t nat -A OUTPUT -j keep_state
iptables -t filter -A INPUT -j keep_state
iptables -t filter -A OUTPUT -j keep_state
iptables -t filter -A FORWARD -j keep_state
iptables -t filter -A FORWARD -p tcp --dport 4661:4662 -j DROP
iptables -t filter -A FORWARD -p udp --dport 4661:4662 -j DROP
iptables -t filter -A FORWARD -p udp --dport 1663 -j DROP
iptables -t filter -A FORWARD -p udp --dport 4665 -j DROP
iptables -t filter -A FORWARD -p tcp --dport 4665 -j DROP
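A first check for a setup like the one above when interactive traffic degrades, added here as an example and not part of the post: read the counters of `tc -s class show dev eth0` and report which HTB classes are dropping or backlogging packets. If the interactive class (1:10) shows a climbing dropped counter or a standing backlog, it is being starved or overrun regardless of what the marking rules do. The sample output is constructed to match the class ids of the eth0 script and is not real output from that box; field positions follow the format tc prints for HTB classes.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): summarise per-class
# drop/overlimit/backlog counters from "tc -s class show dev <dev>".

# One line per HTB class: "<classid> dropped=<n> overlimits=<n> backlog=<pkts>".
# Reads tc output on stdin.
class_stats() {
    awk '
        $1 == "class" && $2 == "htb" { cls = $3 }
        $1 == "Sent" {
            # Sent <bytes> bytes <pkts> pkt (dropped <d>, overlimits <o> requeues <r>)
            dropped = $7; sub(/,/, "", dropped)
            over = $9
            backlog = "?"
            # the following line carries "backlog <bytes>b <pkts>p"
            if ((getline line) > 0) {
                n = split(line, f, " ")
                for (i = 1; i <= n; i++) if (f[i] == "backlog") backlog = f[i + 2]
            }
            printf "%s dropped=%s overlimits=%s backlog=%s\n", cls, dropped, over, backlog
        }'
}

# Only the class ids whose dropped counter is non-zero, one per line.
classes_with_drops() {
    class_stats | awk '{ split($2, kv, "="); if (kv[2] + 0 > 0) print $1 }'
}

# Constructed sample of "tc -s class show dev eth0" for the eth0 script above
# (1:10 is the interactive class). Not captured from a real system.
SAMPLE_TC_STATS='class htb 1:1 root rate 250Kbit ceil 250Kbit burst 1600b cburst 1600b
 Sent 9876543 bytes 12345 pkt (dropped 0, overlimits 4567 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 1200 borrowed: 0 giants: 0
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 100Kbit ceil 250Kbit burst 1600b cburst 1600b
 Sent 4321000 bytes 6000 pkt (dropped 312, overlimits 2200 requeues 0)
 rate 0bit 0pps backlog 14b 10p requeues 0
 lended: 0 borrowed: 900 giants: 0
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 50Kbit ceil 200Kbit burst 1600b cburst 1600b
 Sent 5000000 bytes 5500 pkt (dropped 0, overlimits 1800 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 300 giants: 0'

# Usage:
#   sh classdrops.sh sample                         (run on the sample above)
#   tc -s class show dev eth0 | sh classdrops.sh live   (on the router)
case "${1:-}" in
    sample) printf '%s\n' "$SAMPLE_TC_STATS" | class_stats ;;
    live)   class_stats ;;
esac
```

Run it a few times a minute apart while the latency is bad: a dropped counter that keeps climbing on 1:10 while 1:20 stays clean means the interactive class itself is overrunning its rate, whereas drops everywhere point at the link as a whole. The other number worth watching on a 200-user NAT box is /proc/sys/net/ipv4/ip_conntrack_count against the ip_conntrack_max quoted in the post.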
Where did you get the information that setting TOS with netfilter would
affect prio classification ? From what I can see in the source, prio
classifies by skb->priority which only inherits a value from tos field
during the forwarding process. I can recall skb->priority also being
affected by setsockopt(IP_TOS) (besides SO_PRIORITY) but not by simply
setting the tos field in the ip header.

Best regards,
Patrick

BTW: the netfilter CLASSIFY target from 2.6 or netfilter patch-o-matic can
set skb->priority which is what you need.

Thomas Worthington wrote:
> Very simple setup: I have several machines, one of which
> (192.168.0.198) is used exclusively as a vnc client to a remote site.
> I want it to get priority over guff like email and web etc.
>
> tc qdisc add dev eth1 root handle 1: prio
> tc qdisc add dev eth1 parent 1:1 handle 10: pfifo
> tc qdisc add dev eth1 parent 1:2 handle 20: pfifo
> tc qdisc add dev eth1 parent 1:3 handle 30: pfifo
>
> iptables -t mangle -I OUTPUT -p icmp -s 192.168.0.198 -j TOS --set-tos 16
>
> Effect: zero. All the vnc traffic from x.198 goes into 1:2.
>
> I've tried all the tables (PREROUTING etc) to no avail. I even tried
> applying the TOS change to ALL traffic bound for eth1 (the outside
> line) and still saw no change in the queuing despite tcpdump showing
> that the tos bits were being set.
>
> Why does this not work? It seems as if the priority is being set
> before iptables' mangle rules are applied.
>
> Thomas Worthington
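The alternative Patrick points at, worked through as an added example (this is not code from the thread): instead of rewriting the TOS byte and hoping prio re-reads it, attach a filter to the prio qdisc. prio consults its filters before it falls back to the TOS-derived priomap, so either a u32 match on the source address (no netfilter involved at all) or a fw match on a netfilter MARK (which, unlike a rewritten TOS byte, is read by the classifier at the qdisc) puts the vnc host in band 1:1 whether its packets are forwarded or locally generated. The interface name and host address are taken from the original post; the TC=echo / IPT=echo dry-run switches, function names and the mark value are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the LARTC thread: classify one LAN host into the
# top band of a prio qdisc with a tc filter instead of a TOS rewrite.
# Assumes eth1 is the upstream interface and 192.168.0.198 the vnc host,
# as in the post. Set TC=echo IPT=echo to print the commands instead of
# running them (no root needed for that).
TC=${TC:-tc}
IPT=${IPT:-iptables}

# The three-band prio qdisc from the post. Band 1:1 is dequeued first,
# 1:2 next, 1:3 last; traffic no filter claims is placed by the priomap.
setup_prio() {
    dev=$1
    $TC qdisc del dev "$dev" root 2>/dev/null || true
    $TC qdisc add dev "$dev" root handle 1: prio
    $TC qdisc add dev "$dev" parent 1:1 handle 10: pfifo
    $TC qdisc add dev "$dev" parent 1:2 handle 20: pfifo
    $TC qdisc add dev "$dev" parent 1:3 handle 30: pfifo
}

# Variant A: match the source address in tc itself. The filter hangs off
# the root qdisc (parent 1:) and its verdict overrides the priomap.
prio_by_src_u32() {
    dev=$1; host=$2
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip src "$host"/32 flowid 1:1
}

# Variant B: mark in netfilter and let a fw filter pick the band. Use it
# when the match is easier to write in iptables (ports, conntrack state).
# POSTROUTING runs before the packet reaches the egress qdisc, so the mark
# is visible to the fw classifier for forwarded and local packets alike.
prio_by_fwmark() {
    dev=$1; host=$2; mark=${3:-1}
    $IPT -t mangle -A POSTROUTING -o "$dev" -s "$host" -j MARK --set-mark "$mark"
    $TC filter add dev "$dev" parent 1: protocol ip prio 2 handle "$mark" fw flowid 1:1
}

# Per-band counters: the pfifo under 1:1 (handle 10:) should be the one
# whose "Sent" figures climb while the vnc session is active.
show_bands() {
    $TC -s qdisc show dev "$1"
}

# Usage (as root):   sh vnc-prio.sh apply eth1 192.168.0.198
# Dry run:           TC=echo IPT=echo sh vnc-prio.sh apply eth1 192.168.0.198
if [ "${1:-}" = "apply" ]; then
    setup_prio "$2"
    prio_by_src_u32 "$2" "$3"
    show_bands "$2"
fi
```

Only one of the two variants is needed; the fw variant is the one to reach for if the selection rule later grows beyond a single address, since it reuses the same mark/fw pairing that HTB setups on this list already rely on. Either way, verify with show_bands rather than with tcpdump: the TOS bits on the wire say nothing about which band the packet was queued in.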
On Wed, 05 Nov 2003 23:25:38 +0100, Patrick McHardy <kaber@trash.net> wrote:

> Where did you get the information that setting TOS with
> netfilter would affect prio classification ? From what
> I can see in the source, prio classifies by skb->priority
> which only inherits a value from tos field during the
> forwarding process. I can recall skb->priority also
> being affected by setsockopt(IP_TOS) (besides SO_PRIORITY)
> but not by simply setting the tos field in the ip header.

Well, it just seemed obvious. One man's "obvious" being another's "bloody
stupid idea", of course. Since prio is all based on tos bits it seems logical
that changing those bits would have some effect. I was partly just asking
the simple question: are the TOS bits used to prioritise before netfilter
gets its hand on them? The answer, from what you say, seems to be "yes". It
seems a shame since it's such an elegant and intuitive way to do simple
shaping of this sort.

> Best regards,
> Patrick
>
> BTW: the netfilter CLASSIFY target from 2.6 or netfilter
> patch-o-matic can set skb->priority which is what you need.

This is for active duty so I'll not be running 2.6 until someone tells me
it's stable...

Thanks,
Thomas

> Thomas Worthington wrote:
>
>> Very simple setup: I have several machines, one of which
>> (192.168.0.198) is used exclusively as a vnc client to a remote site. I
>> want it to get priority over guff like email and web etc.
>>
>> tc qdisc add dev eth1 root handle 1: prio
>> tc qdisc add dev eth1 parent 1:1 handle 10: pfifo
>> tc qdisc add dev eth1 parent 1:2 handle 20: pfifo
>> tc qdisc add dev eth1 parent 1:3 handle 30: pfifo
>>
>> iptables -t mangle -I OUTPUT -p icmp -s 192.168.0.198 -j TOS --set-tos 16
>>
>> Effect: zero. All the vnc traffic from x.198 goes into 1:2.
>>
>> I've tried all the tables (PREROUTING etc) to no avail. I even tried
>> applying the TOS change to ALL traffic bound for eth1 (the outside
>> line) and still saw no change in the queuing despite tcpdump showing
>> that the tos bits were being set.
>>
>> Why does this not work? It seems as if the priority is being set before
>> iptables' mangle rules are applied.
>>
>> Thomas Worthington

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
On Wednesday 05 November 2003 22:26, Thomas Worthington wrote:
> Chain OUTPUT (policy ACCEPT 805 packets, 97871 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 TOS        all  --  *      *       192.168.0.198        0.0.0.0/0           TOS set 0x10

None of the packets are matched by the iptables rule.
Are you sure you have to do this in OUTPUT? See :
http://www.docum.org/stef.coene/qos/kptd/
If you are trying this on a router, try to change the tos in POSTROUTING.

Stef
-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.openprojects.net
On Thu, 6 Nov 2003 22:47:06 +0100, Stef Coene <stef.coene@docum.org> wrote:

> On Wednesday 05 November 2003 22:26, Thomas Worthington wrote:
>> Chain OUTPUT (policy ACCEPT 805 packets, 97871 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 TOS        all  --  *      *       192.168.0.198        0.0.0.0/0           TOS set 0x10
> None of the packets are matched by the iptables rule.
> Are you sure you have to do this in OUTPUT? See :
> http://www.docum.org/stef.coene/qos/kptd/
> If you are trying this on a router, try to change the tos in POSTROUTING.
>
> Stef

I tried all five tables! It appears that I was simply misguided: setting TOS
does indeed have no effect as it happens after the priority has been set; a
different filter is needed.

I'm leaving the list now as it seems to be a great way to instantly sign up
for tons of spam (as you can imagine, this is the only thing that I've ever
used this email address for and after only two days it's become a spam
magnet).

Thanks to everyone that helped; I'll try some of the other methods.

Thomas Worthington