LARTC - Jul 2002 - ingress qdisc on kernel 2.2.21 with ds8 patch

Since some other constraints require me to still run 2.2 kernel.
(drivers for some hardware not working under 2.4)

 I tried to control the ingress traffic with the ingress qdisc with no
success whatsoever. 
 I got 2.2.21 kernel and installed the ds8 patch to have the ingress
qdisc too.
 Recompiled, installed kernel and modules.
 Recompiled tc with diffserv=y.

 I tried a setup very similar to the example Edge2:

ipchains -A input -p tcp -d 0/0 20 --mark 20
ipchains -A input -p tcp -d 0/0 21 --mark 20

tc qdisc add dev eth0 handle ffff: ingress

tc filter add dev eth0 parent ffff: protocol ip prio 50 handle 20 fw
police rate 256kbit burst 25k mtu 1.5k drop flowid :1

I tried uploading with a ftp client and there was no traffic limit
imposed on what my box received. 

tc -s qdisc ls shows all counters as 0 (zero).

I looked around for this issue and managed to find exactly my problem
described in a forum at
http://www.geocrawler.com/archives/3/11111/2001/5/0/5806401/ but the
message was unaswered there.

 If anyone has any suggestions, they are most welcome.

-- 
ing. Andrei Boros
mailto:andrei@srr.ro / +40-1-303-1870
Centrul pt. Tehnologia Informatiei
Societatea Romana de Radiodifuziune

May be you use ftp in passive mode, where port 20 not used


10.07.2002 11:57:48, Andrei Boros <andrei@srr.ro> wrote:
>
> Since some other constraints require me to still run 2.2 kernel.
>(drivers for some hardware not working under 2.4)
>
> I tried to control the ingress traffic with the ingress qdisc with no
>success whatsoever. 
> I got 2.2.21 kernel and installed the ds8 patch to have the ingress
>qdisc too.
> Recompiled, installed kernel and modules.
> Recompiled tc with diffserv=y.
>
> I tried a setup very similar to the example Edge2:
>
>ipchains -A input -p tcp -d 0/0 20 --mark 20
>ipchains -A input -p tcp -d 0/0 21 --mark 20
>
>tc qdisc add dev eth0 handle ffff: ingress
>
>tc filter add dev eth0 parent ffff: protocol ip prio 50 handle 20 fw
>police rate 256kbit burst 25k mtu 1.5k drop flowid :1
>
>I tried uploading with a ftp client and there was no traffic limit
>imposed on what my box received. 
>
>tc -s qdisc ls shows all counters as 0 (zero).
>
>I looked around for this issue and managed to find exactly my problem
>described in a forum at
>http://www.geocrawler.com/archives/3/11111/2001/5/0/5806401/ but the
>message was unaswered there.
>
> If anyone has any suggestions, they are most welcome.
>
>-- 
>ing. Andrei Boros
>mailto:andrei@srr.ro / +40-1-303-1870
>Centrul pt. Tehnologia Informatiei
>Societatea Romana de Radiodifuziune
>_______________________________________________
>LARTC mailing list / LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
-----------------------------------
mailto:alexey_talikov@texlab.com.uz
BR
Alexey Talikov
FORTEK
-----------------------------------

Alexey Talikov wrote:
> 
> May be you use ftp in passive mode, where port 20 not used
> 
No, I set the client not to use passive mode, and confirmed it with
tcpdump. If it were a protocol/port specific thing I''d dig more in that
direction. 
And the statistic counters are on zero at all times. 
If it were passive mode, why didn''t the ingress capture the ftp session
packets on port 21???

I even set firewall to mark everything and the filter directs it to
ingress. Nothing happened.

> > Since some other constraints require me to still run 2.2 kernel.
> >(drivers for some hardware not working under 2.4)
> >
> > I tried to control the ingress traffic with the ingress qdisc with no
> >success whatsoever.
> > I got 2.2.21 kernel and installed the ds8 patch to have the ingress
> >qdisc too.
> > Recompiled, installed kernel and modules.
> > Recompiled tc with diffserv=y.
> >
> > I tried a setup very similar to the example Edge2:
> >
> >ipchains -A input -p tcp -d 0/0 20 --mark 20
> >ipchains -A input -p tcp -d 0/0 21 --mark 20
> >
> >tc qdisc add dev eth0 handle ffff: ingress
> >
> >tc filter add dev eth0 parent ffff: protocol ip prio 50 handle 20 fw
> >police rate 256kbit burst 25k mtu 1.5k drop flowid :1
> >
> >I tried uploading with a ftp client and there was no traffic limit
> >imposed on what my box received.
> >
> >tc -s qdisc ls shows all counters as 0 (zero).
> >
> >I looked around for this issue and managed to find exactly my problem
> >described in a forum at
> >http://www.geocrawler.com/archives/3/11111/2001/5/0/5806401/ but the
> >message was unaswered there.
> >
> > If anyone has any suggestions, they are most welcome.
> >
> >--
> >ing. Andrei Boros
> >mailto:andrei@srr.ro / +40-1-303-1870
> >Centrul pt. Tehnologia Informatiei
> >Societatea Romana de Radiodifuziune
> >_______________________________________________
> >LARTC mailing list / LARTC@mailman.ds9a.nl
> >http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> >
> 
> -----------------------------------
> mailto:alexey_talikov@texlab.com.uz
> BR
> Alexey Talikov
> FORTEK
> -----------------------------------
> 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
-- 
ing. Andrei Boros
mailto:andrei@srr.ro / +40-1-303-1870
Centrul pt. Tehnologia Informatiei
Societatea Romana de Radiodifuziune

I havent run any 2.2 code in years (and dont have a machine with such
code;->)
Can you turn on debugging in the ingress code?
Does the same syntax work in 2.4?

cheers,
jamal

On Thu, 11 Jul 2002, Andrei Boros wrote:
>
> Alexey Talikov wrote:
> >
> > May be you use ftp in passive mode, where port 20 not used
> >
> No, I set the client not to use passive mode, and confirmed it with
> tcpdump. If it were a protocol/port specific thing I''d dig more in
that
> direction.
> And the statistic counters are on zero at all times.
> If it were passive mode, why didn''t the ingress capture the ftp
session
> packets on port 21???
>
> I even set firewall to mark everything and the filter directs it to
> ingress. Nothing happened.
>
>
> > > Since some other constraints require me to still run 2.2 kernel.
> > >(drivers for some hardware not working under 2.4)
> > >
> > > I tried to control the ingress traffic with the ingress qdisc
with no
> > >success whatsoever.
> > > I got 2.2.21 kernel and installed the ds8 patch to have the
ingress
> > >qdisc too.
> > > Recompiled, installed kernel and modules.
> > > Recompiled tc with diffserv=y.
> > >
> > > I tried a setup very similar to the example Edge2:
> > >
> > >ipchains -A input -p tcp -d 0/0 20 --mark 20
> > >ipchains -A input -p tcp -d 0/0 21 --mark 20
> > >
> > >tc qdisc add dev eth0 handle ffff: ingress
> > >
> > >tc filter add dev eth0 parent ffff: protocol ip prio 50 handle 20
fw
> > >police rate 256kbit burst 25k mtu 1.5k drop flowid :1
> > >
> > >I tried uploading with a ftp client and there was no traffic limit
> > >imposed on what my box received.
> > >
> > >tc -s qdisc ls shows all counters as 0 (zero).
> > >
> > >I looked around for this issue and managed to find exactly my
problem
> > >described in a forum at
> > >http://www.geocrawler.com/archives/3/11111/2001/5/0/5806401/ but
the
> > >message was unaswered there.
> > >
> > > If anyone has any suggestions, they are most welcome.
> > >
> > >--
> > >ing. Andrei Boros
> > >mailto:andrei@srr.ro / +40-1-303-1870
> > >Centrul pt. Tehnologia Informatiei
> > >Societatea Romana de Radiodifuziune
> > >_______________________________________________
> > >LARTC mailing list / LARTC@mailman.ds9a.nl
> > >http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO:
http://lartc.org/
> > >
> >
> > -----------------------------------
> > mailto:alexey_talikov@texlab.com.uz
> > BR
> > Alexey Talikov
> > FORTEK
> > -----------------------------------
> >
> > _______________________________________________
> > LARTC mailing list / LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
> --
> ing. Andrei Boros
> mailto:andrei@srr.ro / +40-1-303-1870
> Centrul pt. Tehnologia Informatiei
> Societatea Romana de Radiodifuziune
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> PC Mods, Computing goodies, cases & more
> http://thinkgeek.com/sf
> _______________________________________________
> Diffserv-general mailing list
> Diffserv-general@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/diffserv-general
>

Hello,

On Wed, 10 Jul 2002, Andrei Boros wrote:
>  I tried to control the ingress traffic with the ingress qdisc with no
> success whatsoever.
>  I got 2.2.21 kernel and installed the ds8 patch to have the ingress
> qdisc too.
	You probably have to apply more fixes to be sure something
will not break. I just uploaded some fixes for the 2.2 code as
it appears nobody have the time to deal with it:

http://www.linuxvirtualserver.org/~julian/#qos-2.2

	To all: if there is a good place for such fixes please let
me know.
>  Recompiled, installed kernel and modules.
>  Recompiled tc with diffserv=y.
>
>  I tried a setup very similar to the example Edge2:
	Not "very similar" :) The bug is exactly in the
differences :)

	mark here is in decimal (may be can be hex with 0x20):
> ipchains -A input -p tcp -d 0/0 20 --mark 20
> ipchains -A input -p tcp -d 0/0 21 --mark 20
>
> tc qdisc add dev eth0 handle ffff: ingress
	"handle 20" here is in hex:
> tc filter add dev eth0 parent ffff: protocol ip prio 50 handle 20 fw
> police rate 256kbit burst 25k mtu 1.5k drop flowid :1
	if you somewhere use fwmark in ip rules, the fwmark
there is again in hex. Make sure all values match according
to their representation, i.e. 20 in dec is different from
20 in hex.
>  If anyone has any suggestions, they are most welcome.
Regards

--
Julian Anastasov <ja@ssi.bg>

jamal wrote:
> 
> I havent run any 2.2 code in years (and dont have a machine with such
> code;->)
> Can you turn on debugging in the ingress code?
> Does the same syntax work in 2.4?
> 
Couldn''t try the same thing under 2.4 because I have no machine with
2.4
at my disposal.

How do I turn on debugging in the ingress code?



-- 
ing. Andrei Boros
mailto:andrei@srr.ro / +40-1-303-1870
Centrul pt. Tehnologia Informatiei
Societatea Romana de Radiodifuziune

Julian Anastasov wrote:
> 
>         You probably have to apply more fixes to be sure something
> will not break. I just uploaded some fixes for the 2.2 code as
> it appears nobody have the time to deal with it:
> 
> http://www.linuxvirtualserver.org/~julian/#qos-2.2
I''ll try them asap.
> 
>         To all: if there is a good place for such fixes please let
> me know.
> 
> >  Recompiled, installed kernel and modules.
> >  Recompiled tc with diffserv=y.
> >
> >  I tried a setup very similar to the example Edge2:
> 
>         Not "very similar" :) The bug is exactly in the
> differences :)
I also tried filtering using the u32 match ip dport ... same result.
I even tried u32 match ip (anything ip), same result.
>         mark here is in decimal (may be can be hex with 0x20):
> 
> > ipchains -A input -p tcp -d 0/0 20 --mark 20
> > ipchains -A input -p tcp -d 0/0 21 --mark 20
> >
> > tc qdisc add dev eth0 handle ffff: ingress
> 
>         "handle 20" here is in hex:
> 
> > tc filter add dev eth0 parent ffff: protocol ip prio 50 handle 20 fw
> > police rate 256kbit burst 25k mtu 1.5k drop flowid :1
> 
>         if you somewhere use fwmark in ip rules, the fwmark
> there is again in hex. Make sure all values match according
> to their representation, i.e. 20 in dec is different from
> 20 in hex.
Sorry. However, I don''t know of any place where these differences are
explained clearly.


-- 
ing. Andrei Boros
mailto:andrei@srr.ro / +40-1-303-1870
Centrul pt. Tehnologia Informatiei
Societatea Romana de Radiodifuziune

Hello,

On Fri, 12 Jul 2002, Andrei Boros wrote:
> I also tried filtering using the u32 match ip dport ... same result.
> I even tried u32 match ip (anything ip), same result.
	This is another issue, may be for howto:12.1.2. Bert promised
to clarify them in the Howto:

http://mailman.ds9a.nl/pipermail/lartc/2001q4/thread.html

Search for "tc: u32 match in nexthdr not working?"

	In short, dport and sport do not always match, eg.
for packets with IP Options. Try different examples. May be
your settings are incorrect.
> Sorry. However, I don''t know of any place where these differences
are
> explained clearly.
	Huh. I don''t want to start new howto :)

Regards

--
Julian Anastasov <ja@ssi.bg>

On Fri, 12 Jul 2002, Andrei Boros wrote:
>
> Couldn''t try the same thing under 2.4 because I have no machine
with 2.4
> at my disposal.
>
fair enough.
BTW, now that i am actually thinking, another very stupid question -- if you
are trying to ingress police, do you have policing compiled in under QoS?
double check this. Infact the more i think about the more i believe this
may be your problem.
> How do I turn on debugging in the ingress code?
>
If you edit net/sched/sch_ingress.c at the very top you should see:

----------
#undef DEBUG_INGRESS

#ifdef DEBUG_INGRESS  /* control */
#define DPRINTK(format,args...) printk(KERN_DEBUG format,##args)
#else
#define DPRINTK(format,args...)
#endif

#if 0  /* data */
#define D2PRINTK(format,args...) printk(KERN_DEBUG format,##args)
#else
#define D2PRINTK(format,args...)
#endif
-----------

convert to:

---
#if 1
#define DPRINTK(format,args...) printk(KERN_DEBUG format,##args)
#else
#define DPRINTK(format,args...)
#endif

#if 1  /* data */
#define D2PRINTK(format,args...) printk(KERN_DEBUG format,##args)
#else
#define D2PRINTK(format,args...)
#endif
-----------

run your tests and look at dmesg.

cheers,
jamal

On Fri, 12 Jul 2002, Julian Anastasov wrote:
>
> 	Hello,
>
> On Wed, 10 Jul 2002, Andrei Boros wrote:
>
> >  I tried to control the ingress traffic with the ingress qdisc with no
> > success whatsoever.
> >  I got 2.2.21 kernel and installed the ds8 patch to have the ingress
> > qdisc too.
>
> 	You probably have to apply more fixes to be sure something
> will not break. I just uploaded some fixes for the 2.2 code as
> it appears nobody have the time to deal with it:
Werner and I did announce (about 2 years ago if i am not mistaken) that
we will not be backporting features fixes etc to 2.2 and were hoping to
encourage people to upgrade this way.
>
> http://www.linuxvirtualserver.org/~julian/#qos-2.2
>
> 	To all: if there is a good place for such fixes please let
> me know.
>
Honestly dont remember these patches -- maybe the time lag.
BTW, what is the motivatein behind:
http://www.linuxvirtualserver.org/~julian/01_ingress-breaks-fw-1.diff

> >  Recompiled, installed kernel and modules.
> >  Recompiled tc with diffserv=y.
> > tc qdisc add dev eth0 handle ffff: ingress
>
> 	"handle 20" here is in hex:
>
Is this true with the mark target in iptables?
Bert should probably document this in his HOWTO.

cheers,
jamal

Hello,

On Fri, 12 Jul 2002, jamal wrote:
> Werner and I did announce (about 2 years ago if i am not mistaken) that
> we will not be backporting features fixes etc to 2.2 and were hoping to
> encourage people to upgrade this way.
	There are still 2.2 users :)
> > http://www.linuxvirtualserver.org/~julian/#qos-2.2
> >
> > 	To all: if there is a good place for such fixes please let
> > me know.
> >
>
> Honestly dont remember these patches -- maybe the time lag.
> BTW, what is the motivatein behind:
> http://www.linuxvirtualserver.org/~julian/01_ingress-breaks-fw-1.diff
	At least, FW_REDIRECT, not sure for any others
> cheers,
> jamal
Regards

--
Julian Anastasov <ja@ssi.bg>

On Fri, 12 Jul 2002, Julian Anastasov wrote:
>
> 	Hello,
>
> On Fri, 12 Jul 2002, jamal wrote:
>
> > Werner and I did announce (about 2 years ago if i am not mistaken)
that
> > we will not be backporting features fixes etc to 2.2 and were hoping
to
> > encourage people to upgrade this way.
>
> 	There are still 2.2 users :)
>
If you look at the old postings on the diffserv mailing list youll see
about 70% of the questions were related to "my patch failed" etc
(people
patching in the wrong directory etc). Believe it or not a _lot_ of Linux
users still hate patching (I have matured to accept it) or are not
very skilled or bothered to learn; they just install connectiva 8 and are
off to cook: i.e they just want things to work.
Now unlike MS, we have the code! infact Werner has clearly documented what
the changes from 2.2->2.4 are in his doc. I know the only time i have
lately is for breathing (hopefully fresh air at work) and this backporting
requires abuse of the brain cells more than thinking i.e its mechanical
and therefore requires concentration/focus;

so if someone could submit a backport patch <hint, hint> i think we would
put it up the website. I believe we could even push it into the 2.2 next
release since this stuff is pretty much stable right now.
> > BTW, what is the motivatein behind:
> > http://www.linuxvirtualserver.org/~julian/01_ingress-breaks-fw-1.diff
>
> 	At least, FW_REDIRECT, not sure for any others
>
I am trying to think of some way to probably do this from ingress instead
since some people actually want that overwrite.

cheers,
jamal

Hello,

On Fri, 12 Jul 2002, jamal wrote:
> If you look at the old postings on the diffserv mailing list youll see
> about 70% of the questions were related to "my patch failed" etc
(people
> patching in the wrong directory etc). Believe it or not a _lot_ of Linux
> users still hate patching (I have matured to accept it) or are not
> very skilled or bothered to learn; they just install connectiva 8 and are
> off to cook: i.e they just want things to work.
> Now unlike MS, we have the code! infact Werner has clearly documented what
> the changes from 2.2->2.4 are in his doc. I know the only time i have
> lately is for breathing (hopefully fresh air at work) and this backporting
> requires abuse of the brain cells more than thinking i.e its mechanical
> and therefore requires concentration/focus;
>
> so if someone could submit a backport patch <hint, hint> i think we
would
> put it up the website. I believe we could even push it into the 2.2 next
> release since this stuff is pretty much stable right now.
	At least, we need valid patch with the most needed
fixes. I think, I can walk the both trees and to fix the
obvious bugs that are fixed in 2.4. At first look, the changes
are not too much, so we will be back soon with the most needed
fixes. I can report that the small part of the code I''m using looks
stable enough.
> > > BTW, what is the motivatein behind:
> > >
http://www.linuxvirtualserver.org/~julian/01_ingress-breaks-fw-1.diff
> >
> > 	At least, FW_REDIRECT, not sure for any others
> >
>
> I am trying to think of some way to probably do this from ingress instead
> since some people actually want that overwrite.
	ok :) But then you have to add ipchains support for tc
in addition to the iptables'' one. My wish was to have only the
needed bugfixes :)
> cheers,
> jamal
Regards

--
Julian Anastasov <ja@ssi.bg>