Dear All!

I've reached the point that I must ask you what I have to do. I am a beginner at traffic shaping and I'm very confused with it. :)
Here's my script that doesn't do what I want to do with it:

tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1 htb default 2 r2q 10

tc class add dev eth1 parent 1: classid 1:1 htb rate 300kbit
tc class add dev eth1 parent 1: classid 1:100 htb rate 300kbit
tc class add dev eth1 parent 1:100 classid 1:101 htb rate 10kbit ceil 30kbit
tc class add dev eth1 parent 1:100 classid 1:102 htb rate 10kbit ceil 20kbit
tc class add dev eth1 parent 1:100 classid 1:103 htb rate 10kbit ceil 15kbit

tc class add dev eth1 parent 1: classid 1:2 htb rate 700kbit burst 15k

tc qdisc add dev eth1 parent 1:101 handle 101: sfq perturb 10
tc qdisc add dev eth1 parent 1:102 handle 102: sfq perturb 10
tc qdisc add dev eth1 parent 1:103 handle 103: sfq perturb 10

tc filter add dev eth1 parent 1: protocol ip u32 match ip dst 192.168.1.0/24 flowid 1:1

tc filter add dev eth1 parent 1:1 protocol ip u32 match ip dst 192.168.1.2 flowid 1:100

tc filter add dev eth1 parent 1:100 protocol ip u32 match ip tos 0x10 0xff flowid 1:101
tc filter add dev eth1 parent 1:100 protocol ip u32 match ip protocol 1 0xff flowid 1:101
tc filter add dev eth1 parent 1:100 protocol ip u32 match ip sport 21 0xffff flowid 1:103

Packets do not go to 1:103 when I download from an ftp site. The last 3 filters don't work at all. All packets go to 1:1. I think this class-system doesn't work the way I think. Do you have any idea where I made the mistake? (Of course I want to add many more classes later, but it's just the test phase.)

Thank you in advance!

Kertész Viktor

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Hello,

The problem is with your FTP filter:
FTP data are transferred on a dynamic, autonegotiated port.
With your filter, only FTP control-traffic from _your_ FTP server would go to 1:103.

Francois.

----- Original Message -----
From: "Kertész Viktor" <kviktor@i-trade.hu>
To: "lartc lista" <LARTC@mailman.ds9a.nl>
Sent: Thursday, October 17, 2002 10:09 AM
Subject: [LARTC] why don't packets go where I want?

> Dear All!
>
> I've reached the point that I must ask you what I have to do. I am a beginner at
> traffic shaping and I'm very confused with it. :)
> Here's my script that doesn't do what I want to do with it:
> tc qdisc del dev eth1 root
> tc qdisc add dev eth1 root handle 1 htb default 2 r2q 10
>
> tc class add dev eth1 parent 1: classid 1:1 htb rate 300kbit
> tc class add dev eth1 parent 1: classid 1:100 htb rate 300kbit
> tc class add dev eth1 parent 1:100 classid 1:101 htb rate 10kbit ceil 30kbit
> tc class add dev eth1 parent 1:100 classid 1:102 htb rate 10kbit ceil 20kbit
> tc class add dev eth1 parent 1:100 classid 1:103 htb rate 10kbit ceil 15kbit
>
> tc class add dev eth1 parent 1: classid 1:2 htb rate 700kbit burst 15k
>
> tc qdisc add dev eth1 parent 1:101 handle 101: sfq perturb 10
> tc qdisc add dev eth1 parent 1:102 handle 102: sfq perturb 10
> tc qdisc add dev eth1 parent 1:103 handle 103: sfq perturb 10
>
> tc filter add dev eth1 parent 1: protocol ip u32 match ip dst 192.168.1.0/24 flowid 1:1
>
> tc filter add dev eth1 parent 1:1 protocol ip u32 match ip dst 192.168.1.2 flowid 1:100
>
> tc filter add dev eth1 parent 1:100 protocol ip u32 match ip tos 0x10 0xff flowid 1:101
> tc filter add dev eth1 parent 1:100 protocol ip u32 match ip protocol 1 0xff flowid 1:101
> tc filter add dev eth1 parent 1:100 protocol ip u32 match ip sport 21 0xffff flowid 1:103
>
> Packets do not go to 1:103 when I download from an ftp site. The last 3 filters
> don't work at all. All packets go to 1:1. I think this class-system
> doesn't work the way I think. Do you have any idea where I made the
> mistake? (Of course I want to add many more classes later, but it's just the
> test phase.) Thank you in advance!
>
> Kertész Viktor
Small mistake, here is the correct answer:

The problem is with your FTP filter:
FTP data are transferred on a dynamic, autonegotiated port.
With your filter, only FTP _control-traffic_ from the FTP server would go to 1:103.

Francois.

> Hello,
>
> The problem is with your FTP filter:
> FTP data are transferred on a dynamic, autonegotiated port.
> With your filter, only FTP control-traffic from _your_ FTP server
> would go to 1:103.
>
> Francois.
>
> ----- Original Message -----
> From: "Kertész Viktor" <kviktor@i-trade.hu>
> To: "lartc lista" <LARTC@mailman.ds9a.nl>
> Sent: Thursday, October 17, 2002 10:09 AM
> Subject: [LARTC] why don't packets go where I want?
>
> > Dear All!
> >
> > I've reached the point that I must ask you what I have to do. I am a beginner at
> > traffic shaping and I'm very confused with it. :)
> > Here's my script that doesn't do what I want to do with it:
> > tc qdisc del dev eth1 root
> > tc qdisc add dev eth1 root handle 1 htb default 2 r2q 10
> >
> > tc class add dev eth1 parent 1: classid 1:1 htb rate 300kbit
> > tc class add dev eth1 parent 1: classid 1:100 htb rate 300kbit
> > tc class add dev eth1 parent 1:100 classid 1:101 htb rate 10kbit ceil 30kbit
> > tc class add dev eth1 parent 1:100 classid 1:102 htb rate 10kbit ceil 20kbit
> > tc class add dev eth1 parent 1:100 classid 1:103 htb rate 10kbit ceil 15kbit
> >
> > tc class add dev eth1 parent 1: classid 1:2 htb rate 700kbit burst 15k
> >
> > tc qdisc add dev eth1 parent 1:101 handle 101: sfq perturb 10
> > tc qdisc add dev eth1 parent 1:102 handle 102: sfq perturb 10
> > tc qdisc add dev eth1 parent 1:103 handle 103: sfq perturb 10
> >
> > tc filter add dev eth1 parent 1: protocol ip u32 match ip dst 192.168.1.0/24 flowid 1:1
> >
> > tc filter add dev eth1 parent 1:1 protocol ip u32 match ip dst 192.168.1.2 flowid 1:100
> >
> > tc filter add dev eth1 parent 1:100 protocol ip u32 match ip tos 0x10 0xff flowid 1:101
> > tc filter add dev eth1 parent 1:100 protocol ip u32 match ip protocol 1 0xff flowid 1:101
> > tc filter add dev eth1 parent 1:100 protocol ip u32 match ip sport 21 0xffff flowid 1:103
> >
> > Packets do not go to 1:103 when I download from an ftp site. The last 3 filters
> > don't work at all. All packets go to 1:1. I think this class-system
> > doesn't work the way I think. Do you have any idea where I made the
> > mistake? (Of course I want to add many more classes later, but it's just the
> > test phase.) Thank you in advance!
> >
> > Kertész Viktor
Hello,

Even if I use passive transfer? Notice that ping request/ping reply also don't work. How do you mean that it only works from MY ftp server? How could I shape ftp traffic from every ftp host?

Thanks!
Viktor

> Hello,
>
> The problem is with your FTP filter:
> FTP data are transferred on a dynamic, autonegotiated port.
> With your filter, only FTP control-traffic from _your_ FTP server
> would go to 1:103.
On Thu, 17 Oct 2002, Kertész Viktor wrote:
> Here's my script that doesn't do what I want to do with it:
> tc qdisc del dev eth1 root
> tc qdisc add dev eth1 root handle 1 htb default 2 r2q 10
>
> tc class add dev eth1 parent 1: classid 1:1 htb rate 300kbit
> tc class add dev eth1 parent 1: classid 1:100 htb rate 300kbit
> tc class add dev eth1 parent 1:100 classid 1:101 htb rate 10kbit ceil 30kbit
> tc class add dev eth1 parent 1:100 classid 1:102 htb rate 10kbit ceil 20kbit
> tc class add dev eth1 parent 1:100 classid 1:103 htb rate 10kbit ceil 15kbit
[--cut--]

Since your script looks almost identical to mine, I wonder:
Does your HTB setup limit traffic to the specified rates?

> tc filter add dev eth1 parent 1:100 protocol ip u32 match ip sport 21 0xffff
> flowid 1:103

You want dport instead. However, isn't HTB only for _outbound_ traffic shaping? AFAIK you need to use ingress for inbound.

walter
My simple network scheme:

            eth0                       eth1
internet--------gw(traffic shaping)-------client

I'd like to make this script work on a gateway with more than 100 clients (ISP's gw).

> Since your script looks almost identical to mine, I wonder:
> Does your HTB setup limit traffic to the specified rates?

This setup sets the 300kbit limit (1:1). I think the problem is with my filtering rules. Classes below 1:100 didn't get any packet.

> > tc filter add dev eth1 parent 1:100 protocol ip u32 match ip sport 21 0xffff
> > flowid 1:103
>
> You want dport instead. However, isn't HTB only for _outbound_ traffic
> shaping? AFAIK you need to use ingress for inbound.

Packets are going out on eth1, aren't they? Why dport? Packets are coming from port 21 (ftp port) with passive mode. Tell me if I am wrong.

Viktor
> Packets are going out on eth1, aren't they? Why dport? Packets are coming
> from port 21 (ftp port) with passive mode. Tell me if I am wrong.

ftp-data  20/tcp
ftp-data  20/udp
ftp       21/tcp
ftp       21/udp

FTP data (passive) uses port 20.
On Thu, 17 Oct 2002, Kertész Viktor wrote:
> My simple network scheme:
>             eth0                       eth1
> internet--------gw(traffic shaping)-------client
> I'd like to make this script work on a gateway with more than 100
> clients (ISP's gw).

Same here.

> This setup sets the 300kbit limit (1:1). I think the problem is with my
> filtering rules.
> Classes below 1:100 didn't get any packet.

I'd like to know if packets are dropped if the 300kbit limit is exceeded. If bandwidth isn't limited, there is no need for filters anyway. Could you mail me the output of 'tc -s class ls dev eth1'? Thanks.

> Packets are going out on eth1, aren't they? Why dport? Packets are coming
> from port 21 (ftp port) with passive mode. Tell me if I am wrong.

For passive mode uploads, packets are coming from a private port (>1024) and going to port 21. You cannot shape traffic for downloads with HTB, you'll need ingress instead. I'm not 100% (but quite!) sure there (just into traffic shaping a few days), so would somebody please correct me if I'm wrong here.

Walter
> I'd like to know if packets are dropped if the 300kbit limit is
> exceeded. If bandwidth isn't limited, there is no need for filters anyway.
> Could you mail me the output of 'tc -s class ls dev eth1'? Thanks.

Here you are (I made ssh, ping and ftp traffic):

class htb 1:101 parent 1:100 leaf 101: prio 0 rate 10Kbit ceil 30Kbit burst 1611b cburst 1637b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 1031680 ctokens: 349439

class htb 1:1 root prio 0 rate 300Kbit ceil 300Kbit burst 1983b cburst 1983b
 Sent 472615 bytes 401 pkts (dropped 0, overlimits 0)
 rate 5005bps 4pps
 lended: 401 borrowed: 0 giants: 0
 tokens: 40788 ctokens: 40788

class htb 1:100 root rate 300Kbit ceil 300Kbit burst 1983b cburst 1983b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 42324 ctokens: 42324

class htb 1:103 parent 1:100 leaf 103: prio 0 rate 10Kbit ceil 15Kbit burst 1611b cburst 1618b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 1031680 ctokens: 690773

class htb 1:2 root prio 0 rate 700Kbit ceil 700Kbit burst 15Kb cburst 2495b
 Sent 164 bytes 2 pkts (dropped 0, overlimits 0)
 lended: 2 borrowed: 0 giants: 0
 tokens: 139703 ctokens: 22090

class htb 1:102 parent 1:100 leaf 102: prio 0 rate 10Kbit ceil 20Kbit burst 1611b cburst 1624b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 1031680 ctokens: 519999

> For passive mode uploads, packets are coming from a private port (>1024)
> and going to port 21.

I see. Checked it out with tcpdump.

> You cannot shape traffic for downloads with HTB, you'll need ingress
> instead. I'm not 100% (but quite!) sure there (just into traffic shaping a
> few days), so would somebody please correct me if I'm wrong here.

You make me very disappointed. Wondershaper told me that it is possible. I just wanted to add a level in the class-tree. I think I have to think about it once more. :)

Viktor
On Thursday 17 October 2002 11:01, Kertész Viktor wrote:
> Hello,
>
> Even if I use passive transfer? Notice that ping request/ping reply also
> don't work. How do you mean that it only works from MY ftp server? How
> could I shape ftp traffic from every ftp host? Thanks!

There is a helper for iptables that can match _all_ ftp traffic (so data + control) packets. If you mark the packets with iptables, you can use the fw filter to put the packets in the class you want.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
On Thu, 17 Oct 2002, Kertész Viktor wrote:
> Here you are (I made ssh, ping and ftp traffic):
> class htb 1:101 parent 1:100 leaf 101: prio 0 rate 10Kbit ceil 30Kbit burst
> 1611b cburst 1637b
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 1031680 ctokens: 349439
>
> class htb 1:1 root prio 0 rate 300Kbit ceil 300Kbit burst 1983b cburst 1983b
>  Sent 472615 bytes 401 pkts (dropped 0, overlimits 0)
>  rate 5005bps 4pps
>  lended: 401 borrowed: 0 giants: 0
>  tokens: 40788 ctokens: 40788
[--cut--]

You have neither dropped nor overlimit packets either. Was traffic really limited to the specified rate?

> > For passive mode uploads, packets are coming from a private port
> > (>1024) and going to port 21.
> I see. Checked it out with tcpdump.

Small typo though: replace "private" with "public".

> > You cannot shape traffic for downloads with HTB, you'll need ingress
> > instead. I'm not 100% (but quite!) sure there (just into traffic shaping a
> > few days), so would somebody please correct me if I'm wrong here.
> You make me very disappointed. Wondershaper told me that it is possible. I
> just wanted to add a level in the class-tree. I think I have to think about
> it once more. :)

I also had a look at wondershaper. Wondershaper uses an ingress qdisc for inbound traffic. Where does it tell you that you can shape _incoming_ traffic with htb?

Walter
> You have neither dropped nor overlimit packets either. Was traffic really
> limited to the specified rate?

On a 100Mbit network I downloaded at 36kbyte/s. I think it's correct.

> > You make me very disappointed. Wondershaper told me that it is possible. I
> > just wanted to add a level in the class-tree. I think I have to think about
> > it once more. :)
>
> I also had a look at wondershaper. Wondershaper uses an ingress qdisc for
> inbound traffic. Where does it tell you that you can shape _incoming_
> traffic with htb?

I think we are out of sync about what outgoing traffic means. :) (And I am sure I am wrong.) When traffic goes through the gw, outgoing traffic means to the gw that packets leave its eth1 nic, isn't it? From wondershaper I just took examples. Of course wondershaper shapes outgoing traffic with htb. Once more, I download on the client machine, not on the gw.

Thanks for the replies! :)
Viktor
On Thu, 17 Oct 2002, Kertész Viktor wrote:
> I think we are out of sync about what outgoing traffic means. :) (And I am
> sure I am wrong.) When traffic goes through the gw, outgoing traffic means to
> the gw that packets leave its eth1 nic, isn't it? From wondershaper I just
> took examples. Of course wondershaper shapes outgoing traffic with htb. Once
> more, I download on the client machine, not on the gw. Thanks for the replies!

...leave its eth1 nic...

Well, it just hit me as this might explain why my setup does not work. I'm shaping eth1 and uploading from a machine on the lan, not on the gateway, just like you. However, outgoing traffic might be incoming traffic for the internal interface. I'm really confused now about in and out or directions in general. I'll post a separate mail regarding this.

Wondershaper is pretty straightforward. Just a single ppp0 interface. I guess it cannot be mapped to a setup with multiple interfaces that easily. My misconception...

Thanks for your "input"!

Regards, Walter
Kertész Viktor wrote:
> I think we are out of sync about what outgoing traffic means. :) (And I am
> sure I am wrong.) When traffic goes through the gw, outgoing traffic means to
> the gw that packets leave its eth1 nic, isn't it? From wondershaper I just
> took examples. Of course wondershaper shapes outgoing traffic with htb. Once
> more, I download on the client machine, not on the gw. Thanks for the replies!
> :)

Outgoing traffic to _any_ machine is the traffic that is /leaving/ _any_ of its network interfaces.

--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock
On Thu, Oct 17, 2002 at 11:44:13AM +0200, Francois Dessart wrote:
> ftp-data  20/tcp
> ftp-data  20/udp
> ftp       21/tcp
> ftp       21/udp
> FTP data (passive) uses port 20.

This is incorrect. Both standard and passive FTP use tcp/21 as a control channel (logins, commands, etc.).

Standard FTP uses tcp/20 as the server's source port for data transfers. Prior to a transfer, the client listens on an arbitrary port and instructs the server to connect to it for the transfer.

Passive FTP does not use tcp/20 at all. Instead of the server connecting to the client, the client connects to the server for data transfers. The server chooses an arbitrary port for the client to connect to. The intent of passive FTP was to work around firewalls that don't permit inbound connections.

-James
On Thu, 17 Oct 2002, Walter Haidinger wrote:
> You cannot shape traffic for downloads with HTB, you'll need ingress
> instead. I'm not 100% (but quite!) sure there (just into traffic shaping a
> few days), so would somebody please correct me if I'm wrong here.

Well, luckily I was wrong here! Just shape the traffic of the internal interface, i.e. the one _sending_ the (downloaded) data to your client machine. For you this is eth1.

Walter
Thanks for this explanation.

> Passive FTP does not use tcp/20 at all. Instead of the server connecting
> to the client, the client connects to the server for data transfers. The
> server chooses an arbitrary port for the client to connect to. The intent
> of passive FTP was to work around firewalls that don't permit inbound
> connections.

So with passive FTP, both ports (source and dest) are dynamic. Correct?

How to match this data transfer with iptables?

Thanks.

Francois.
On Friday 18 October 2002 08:21, Francois Dessart wrote:
> Thanks for this explanation.
>
> > Passive FTP does not use tcp/20 at all. Instead of the server connecting
> > to the client, the client connects to the server for data transfers. The
> > server chooses an arbitrary port for the client to connect to. The intent
> > of passive FTP was to work around firewalls that don't permit inbound
> > connections.
>
> So with passive FTP, both ports (source and dest) are dynamic. Correct?
>
> How to match this data transfer with iptables?

There is a -m helper option so you can load additional modules. There is a module that matches ftp packets (both data and control), but I don't know the syntax. A google search on "iptables -m helper ftp" will help.

http://www.netfilter.org/documentation/pomlist/pom-oldnat.html#helper :

If you want to match all packets belonging to ftp-sessions:
(both ftp-command and ftp-data connections)

iptables -A INPUT -m helper --helper ftp -j ACCEPT

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
On Fri, Oct 18, 2002 at 08:41:42AM +0200, Stef Coene wrote:
> There is a -m helper option so you can load additional modules. There is a
> module that matches ftp packets (both data and control), but I don't know the
> syntax. A google search on "iptables -m helper ftp" will help.
> http://www.netfilter.org/documentation/pomlist/pom-oldnat.html#helper :

Looks like it's been submitted for kernel inclusion with newnat:
http://www.netfilter.org/documentation/pomlist/pom-submitted.html#helper

For now, though, you'll still need to use patch-o-matic to be able to use this module.

> If you want to match all packets belonging to ftp-sessions:
> (both ftp-command and ftp-data connections)
>
> iptables -A INPUT -m helper --helper ftp -j ACCEPT

You'll also need the ip_conntrack_ftp module to be loaded.

-James
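The pieces the thread converges on, put together in one script: shape on eth1, the interface that sends the downloaded data to the client (Walter's correction); classify FTP sessions by the conntrack ftp helper plus a firewall mark and a tc fw filter instead of by port number, so passive-mode data connections on dynamic ports are caught too (Stef's and James's replies); and hang every filter off the root qdisc with an explicit prio. This is an added example, not code from the thread or from the LARTC HOWTO. It keeps the thread's class numbers and rates where it can; the interface name, addresses, the extra leaf 1:104, the mark value 3 and the DRY_RUN switch are assumptions. On current kernels the helper has to be attached to the control connection explicitly with the CT target (automatic helper assignment has been off by default since Linux 4.7 and was later removed), and the module is nf_conntrack_ftp rather than the ip_conntrack_ftp of the 2.4 kernels the thread is about.

```shell
#!/bin/sh
# Added example (not from the LARTC thread). HTB on the LAN-facing interface,
# with FTP control + data traffic classified via the conntrack ftp helper.
# Run as:  DRY_RUN=1 sh shape-ftp.sh eth1 192.168.1.0/24 192.168.1.2   (print only)
#          sh shape-ftp.sh eth1 192.168.1.0/24 192.168.1.2             (apply, as root)

# run CMD...: execute the command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# shape_ftp DEV LAN_NET CLIENT
#   DEV     interface that sends traffic *to* the clients (eth1 in the thread)
#   LAN_NET client network, e.g. 192.168.1.0/24
#   CLIENT  one client that gets the per-service sub-classes, e.g. 192.168.1.2
shape_ftp() {
    dev=$1; lan=$2; client=$3

    # Start from a clean root qdisc (ignore the error when none exists yet).
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    run tc qdisc add dev "$dev" root handle 1: htb default 2 r2q 10

    # 1:1 is the 300kbit LAN class; it is an inner class now, so all of its
    # children are leaves that can actually hold packets.
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate 300kbit
    run tc class add dev "$dev" parent 1:1 classid 1:101 htb rate 10kbit ceil 30kbit
    run tc class add dev "$dev" parent 1:1 classid 1:102 htb rate 10kbit ceil 20kbit
    run tc class add dev "$dev" parent 1:1 classid 1:103 htb rate 10kbit ceil 15kbit
    run tc class add dev "$dev" parent 1:1 classid 1:104 htb rate 270kbit ceil 300kbit
    # Everything not destined for the LAN (the HTB default class).
    run tc class add dev "$dev" parent 1: classid 1:2 htb rate 700kbit burst 15k

    for leaf in 101 102 103 104; do
        run tc qdisc add dev "$dev" parent "1:$leaf" handle "$leaf:" sfq perturb 10
    done

    # Conntrack ftp helper: attach it to the control connection explicitly
    # (needed on kernels since 4.7), then mark every packet of an ftp session
    # (control and data, active or passive) that leaves through $dev.
    run modprobe nf_conntrack_ftp
    run iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    run iptables -t mangle -A FORWARD -o "$dev" -m helper --helper ftp -j MARK --set-mark 3

    # All filters at the root, lowest prio first:
    #   prio 1: marked ftp sessions               -> 1:103
    #   prio 2: client's interactive (TOS 0x10) and ICMP -> 1:101
    #   prio 3: the rest of the LAN traffic       -> 1:104
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle 3 fw flowid 1:103
    run tc filter add dev "$dev" parent 1: protocol ip prio 2 u32 \
        match ip dst "$client" match ip tos 0x10 0xff flowid 1:101
    run tc filter add dev "$dev" parent 1: protocol ip prio 2 u32 \
        match ip dst "$client" match ip protocol 1 0xff flowid 1:101
    run tc filter add dev "$dev" parent 1: protocol ip prio 3 u32 \
        match ip dst "$lan" flowid 1:104
}

if [ $# -eq 3 ]; then
    shape_ftp "$1" "$2" "$3"
fi
```

Two design points. First, HTB only consults a class's own filter list after a root filter has already steered the packet to that inner class, and a leaf class has no further filters to consult; in the thread's script 1:1 had no children, so the filters attached to parent 1:1 and 1:100 were never evaluated and everything stayed in 1:1, which is why this version keeps all filters at parent 1: and orders them with prio. Second, an HTB inner class cannot hold packets, so 1:104 is the leaf that receives the client's remaining traffic once 1:1 becomes a parent. Check the result with `tc -s class ls dev eth1` as Walter suggested: the "Sent" counters of 1:103 should move during an FTP download, and `iptables -t mangle -L FORWARD -v` shows the helper match counting both the control and the data connection.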