Please please help, I've lost lots of sleep over this.

Here's my set-up: 4 computers on a LAN in my house, having IPs 192.168.0.7, 192.168.0.50, 192.168.0.52, 192.168.0.58. A router/linux-box (which runs the shaping/tc_commands), which is the default gateway of the 4 machines: 192.168.0.1. It masquerades the internet connection.

Internet connection: ADSL PPPoE. The ADSL modem is connected to eth0 of the router, and PPPoE makes ppp0. eth1 is the LAN. Yes, kernel is compiled correctly (has advanced router option, patched with HTB, etc).

Here's my script. Essentially what I want to do is give each of the 4 ppl a fourth of the bandwidth, giving myself a higher ceiling because I use more bandwidth than they do.

---------------------------------
tc qdisc add dev eth1 root handle 1: htb default 14
tc class add dev eth1 parent 1: classid 1:1 htb rate 12kbps ceil 12kbps
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 4kbps ceil 10kbps burst 1k prio 1
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 4kbps ceil 7kbps burst 1k prio 2
tc class add dev eth1 parent 1:1 classid 1:12 htb rate 4kbps ceil 7kbps burst 1k prio 2
tc class add dev eth1 parent 1:1 classid 1:13 htb rate 4kbps ceil 7kbps burst 1k prio 2
tc class add dev eth1 parent 1:1 classid 1:14 htb rate 1kbps ceil 10kbps burst 1k prio 2

# use SFQ (stochastic fair queueing) for everything
tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 1:11 handle 11: sfq perturb 10
tc qdisc add dev eth1 parent 1:12 handle 12: sfq perturb 10
tc qdisc add dev eth1 parent 1:13 handle 13: sfq perturb 10
tc qdisc add dev eth1 parent 1:14 handle 14: sfq perturb 10

# matchings
tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip src 192.168.0.7/32 flowid 1:10
tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip src 192.168.0.58/32 flowid 1:11
tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip src 192.168.0.50/32 flowid 1:12
tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip src 192.168.0.52/32 flowid 1:13
--------------------------------------

The PROBLEM: no matter how hard I try, NO packets EVER get onto any flow but the default, 1:14. Eg. my computer (192.168.0.7) can send many packets thru the gateway, and none of them get put on flow 1:10 like they should, they all go onto 1:14, the default. Why?

Add'l QUESTIONS: Which interface should I be using?! Ideally I'd like to use ppp0, but I guess I can't because I'm masquerading? Therefore I should use eth1, the internal lan-side ethernet card? Also, have I got the SFQ tied in right? Perhaps my matchings/filters should use 10:something instead of 1:10 etc? ... I've tried MARKing packets with IPtables, that doesn't work either. Is that a better method? (I feel that it isn't, right now...)

Lots of questions eh?! All answers appreciated!

Thanks,
Tim Carr
Tim Carr wrote:

I guess that's because your router does masquerading so source addresses are changed, and filters don't match.

> Please please help, I've lost lots of sleep over this. Here's my
> set-up: 4 computers on a LAN in my house, having IPs 192.168.0.7,
> 192.168.0.50, 192.168.0.52, 192.168.0.58. A router/linux-box (which
> runs the shaping/tc_commands), which is the default gateway of the 4
> machines: 192.168.0.1. It masquerades the internet connection. Internet
> connection: ADSL PPPoE. The ADSL modem is connected to eth0 of the
> router, and PPPoE makes ppp0. eth1 is the LAN. Yes, kernel is
> compiled correctly (has advanced router option, patched with HTB,
> etc). Here's my script. Essentially what I want to do is give each of
> the 4 ppl a fourth of the bandwidth, giving myself a higher ceiling
> because I use more bandwidth than they do.
> ---------------------------------
> tc qdisc add dev eth1 root handle 1: htb default 14
> tc class add dev eth1 parent 1: classid 1:1 htb rate 12kbps ceil 12kbps
> tc class add dev eth1 parent 1:1 classid 1:10 htb rate 4kbps ceil 10kbps burst 1k prio 1
> tc class add dev eth1 parent 1:1 classid 1:11 htb rate 4kbps ceil 7kbps burst 1k prio 2
> tc class add dev eth1 parent 1:1 classid 1:12 htb rate 4kbps ceil 7kbps burst 1k prio 2
> tc class add dev eth1 parent 1:1 classid 1:13 htb rate 4kbps ceil 7kbps burst 1k prio 2
> tc class add dev eth1 parent 1:1 classid 1:14 htb rate 1kbps ceil 10kbps burst 1k prio 2
> # use SFQ (stochastic fair queueing) for everything
> tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev eth1 parent 1:11 handle 11: sfq perturb 10
> tc qdisc add dev eth1 parent 1:12 handle 12: sfq perturb 10
> tc qdisc add dev eth1 parent 1:13 handle 13: sfq perturb 10
> tc qdisc add dev eth1 parent 1:14 handle 14: sfq perturb 10
> # matchings
> tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip src 192.168.0.7/32 flowid 1:10
> tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip src 192.168.0.58/32 flowid 1:11
> tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip src 192.168.0.50/32 flowid 1:12
> tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip src 192.168.0.52/32 flowid 1:13
> --------------------------------------
> The PROBLEM: no matter how hard I try, NO packets EVER get onto any flow
> but the default, 1:14. Eg. my computer (192.168.0.7) can send many
> packets thru the gateway, and none of them get put on flow 1:10 like
> they should, they all go onto 1:14, the default. Why? Add'l
> QUESTIONS: Which interface should I be using?! Ideally I'd like to use
> ppp0, but I guess I can't because I'm masquerading? Therefore I should
> use eth1, the internal lan-side ethernet card? Also, have I got the
> SFQ tied in right? Perhaps my matchings/filters should use
> 10:something instead of 1:10 etc? ... I've tried MARKing packets with
> IPtables, that doesn't work either. Is that a better method? (I feel
> that it isn't, right now...) Lots of questions eh?! All answers
> appreciated! Thanks, Tim Carr

--
Vincent EGAL
Email : egal@ipanematech.com
On Thu, Feb 28, 2002 at 09:31:14AM +0100, EGAL Vincent wrote:
> Tim Carr wrote:
>
> I guess that's because your router does masquerading so source addresses
> are changed, and filters don't match.

Exactly - queueing disciplines and their attached filters come *way* after iptables or ipchains have done their work.

If you need information from before mangling, you should use fwmark to tag packets, and then filter based on that fwmark. How to do this is in the HOWTO.

Regards,

bert

--
http://www.PowerDNS.com Versatile DNS Software & Services
http://www.tk the dot in .tk
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO
> 4 computers on a LAN in my house, having IPs 192.168.0.7,
> 192.168.0.50, 192.168.0.52, 192.168.0.58. A router/linux-box (which
> runs the shaping/tc_commands), which is the default gateway of the 4
> machines: 192.168.0.1. It masquerades the internet connection.
> Internet connection: ADSL PPPoE. The ADSL modem is connected to eth0
> of the router, and PPPoE makes ppp0. eth1 is the LAN. Yes, kernel is
> compiled correctly (has advanced router option, patched with HTB,
> etc).
> [...]
> tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip src 192.168.0.52/32 flowid 1:13
>
> The PROBLEM: no matter how hard I try, NO packets EVER get onto any
> flow but the default, 1:14. Eg. my computer (192.168.0.7) can send
> many packets thru the gateway, and none of them get put on flow 1:10
> like they should, they all go onto 1:14, the default. Why?

eth1 is your LAN so that you are QoSing packets going toward you. Then use "dst 192.168.0.52/32" instead of "src 192.168.0.52/32" in your filters.

> Add'l QUESTIONS: Which interface should I be using?! Ideally I'd like
> to use ppp0, but I guess I can't because I'm masquerading? Therefore I
> should use eth1, the internal lan-side ethernet card? Also, have I got

depends what direction you want to masquerade ;)

devik
>From: Martin Devera <devik@cdi.cz>
>To: Tim Carr <cygnusx__1@hotmail.com>
>CC: lartc@mailman.ds9a.nl
>Subject: Re: [LARTC] HTB: Filtering flat out not working :(
>Date: Thu, 28 Feb 2002 09:54:31 +0100 (CET)
>
>eth1 is your LAN so that you are QoSing packets going toward you.
>Then use "dst 192.168.0.52/32" instead of "src 192.168.0.52/32"
>in your filters.

Ahh right. So I'm trying to do the impossible, shape the packets coming from the lan... crap.

But if I do things on destination like you've mentioned, things still don't get picked up (same problem, still doesn't work). My guess is this is because the returned masqueraded packets don't have a clean destination of 192.168.0.x etc, they have some funky return address so they aren't matching the filters (still). Argh.

Is there no solution for QoSing masq'd connections?! Another person suggested MARKing the packets, but as I already wrote, I haven't had luck with this either.

Tim
Absolutely, but you'll notice in my follow up post that nowhere does it tell you how to use 'tc' to throw the MARKed packets into a certain flow. The HOWTO tells you how to route marked packets, not how to shape them... ideas? do you happen to know the TC command syntax? All I need is one example....

tim

>From: Ben <bench@silentmedia.com>
>To: Tim Carr <cygnusx__1@hotmail.com>
>Subject: Re: [LARTC] HTB: Filtering flat out not working :(
>Date: Thu, 28 Feb 2002 09:54:44 -0800 (PST)
>
>Actually, somebody replied with the idea of using fwmarks. That sounds
>perfect to me.... mark on the internal interface, and then sort on the
>external interface.
>
>On Thu, 28 Feb 2002, Tim Carr wrote:
>
> > >My understanding - and it's not very complete because I also just sent out
> > >mail about my htb setup not working :) - is that you want to place the
> > >qdisc on the output interface - in this case, ppp. And in your case, I
> > >think you're right, you can't do that, because you're doing masq. There's
> > >something called ingress policing you might look at.
> >
> > So you don't think HTB could work for masquerading at all?! My idea was to
> > put it on ETH1 (local lan side). That way packets get shaped before they
> > even hit the masquerading. I guess the masquerading is happening even before
> > eth1's filtering rules get used.
> >
> > What about setting up a virtual ethernet adapter or something of the like;
> > setting that as the gateway for the LAN machines, doing the shaping, THEN
> > forwarding it to ETH1?
> >
> > Tim
I've seen examples like this, but what I'm not clear on is if the filter handle has to be the same as the fwmark or if the flowid has to be <class parent>:<fwmark>. Either way seems not right, but nothing else seems to make sense, based on the examples I've seen.

On Fri, 1 Mar 2002, Viktor Kemmet wrote:

> # Mark Packets according to destination port number
> iptables -I OUTPUT -t mangle -p udp --destination-port 5003 -j MARK --set-mark 3
> iptables -I OUTPUT -t mangle -p udp --destination-port 5002 -j MARK --set-mark 2
> iptables -I OUTPUT -t mangle -p udp --destination-port 5001 -j MARK --set-mark 1
>
> $TC class change $EGDEV classid 1:1 dsmark mask 0x3 \
>     value 0xb8
> #becomes AF11
> $TC class change $EGDEV classid 1:2 dsmark mask 0x3 \
>     value 0x28
> #becomes AF21
> $TC class change $EGDEV classid 1:3 dsmark mask 0x3 \
>     value 0x48
>
> $TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 1 fw flowid 1:1
> $TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 2 fw flowid 1:2
> $TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 3 fw flowid 1:3
On Fri, Mar 01, 2002 at 01:47:17AM +0100, Viktor Kemmet wrote:
> being honest, I don't understand the "handle" keyword in this command ;-)
> The numbers 1, 2, 3, I think they belong to the "fw" keyword.

They do.

--
http://www.PowerDNS.com Versatile DNS Software & Services
http://www.tk the dot in .tk
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO
Hi,

this one is borrowed and modified from one example in the iproute2-package (Edge..):

###############################################################################
# DS-marking packets using iptables fw-marking
TC=tc
IP=ip
EGDEV="dev eth0"

# Flush chain
iptables -F OUTPUT -t mangle

# Mark Packets according to destination port number
iptables -I OUTPUT -t mangle -p udp --destination-port 5003 -j MARK --set-mark 3
iptables -I OUTPUT -t mangle -p udp --destination-port 5002 -j MARK --set-mark 2
iptables -I OUTPUT -t mangle -p udp --destination-port 5001 -j MARK --set-mark 1
iptables -L OUTPUT -t mangle
echo

# attach a dsmarker
#
$TC qdisc add $EGDEV handle 1:0 root dsmark indices 64 set_tc_index

#
# values of the DSCP to change depending on the class
#
#becomes EF
$TC class change $EGDEV classid 1:1 dsmark mask 0x3 \
    value 0xb8
#becomes AF11
$TC class change $EGDEV classid 1:2 dsmark mask 0x3 \
    value 0x28
#becomes AF21
$TC class change $EGDEV classid 1:3 dsmark mask 0x3 \
    value 0x48
#
#
# The class mapping
#
$TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 1 fw flowid 1:1
$TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 2 fw flowid 1:2
$TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 3 fw flowid 1:3
#
echo "---- qdisc parameters Egress ----------"
$TC qdisc ls $EGDEV
echo "---- Class parameters Egress ----------"
$TC class ls $EGDEV
echo "---- filter parameters Egress ----------"
$TC filter ls $EGDEV parent 1:0

Tim Carr wrote:

>
> Absolutely, but you'll notice in my follow up post that nowhere does
> it tell you how to use 'tc' to throw the MARKed packets into a certain
> flow. The HOWTO tells you how to route marked packets, not how to
> shape them... ideas? do you happen to know the TC command syntax? All I
> need is one example....
being honest, I don't understand the "handle" keyword in this command ;-)
The numbers 1, 2, 3, I think they belong to the "fw" keyword.

Ben wrote:

> I've seen examples like this, but what I'm not clear on is if the filter
> handle has to be the same as the fwmark or if the flowid has to be <class
> parent>:<fwmark>. Either way seems not right, but nothing else seems to
> make sense, based on the examples I've seen.
>
> On Fri, 1 Mar 2002, Viktor Kemmet wrote:
>
>># Mark Packets according to destination port number
>>iptables -I OUTPUT -t mangle -p udp --destination-port 5003 -j MARK --set-mark 3
>>iptables -I OUTPUT -t mangle -p udp --destination-port 5002 -j MARK --set-mark 2
>>iptables -I OUTPUT -t mangle -p udp --destination-port 5001 -j MARK --set-mark 1
>>
>>$TC class change $EGDEV classid 1:1 dsmark mask 0x3 \
>>    value 0xb8
>>#becomes AF11
>>$TC class change $EGDEV classid 1:2 dsmark mask 0x3 \
>>    value 0x28
>>#becomes AF21
>>$TC class change $EGDEV classid 1:3 dsmark mask 0x3 \
>>    value 0x48
>>
>>$TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 1 fw flowid 1:1
>>$TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 2 fw flowid 1:2
>>$TC filter add $EGDEV parent 1:0 protocol ip prio 4 handle 3 fw flowid 1:3
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Thursday 28 February 2002 20:45, you wrote:
> Absolutely, but you'll notice in my follow up post that nowhere does it
> tell you how to use 'tc' to throw the MARKed packets into a certain flow.
> The HOWTO tells you how to route marked packets, not how to shape them...
> ideas? do you happen to know the TC command syntax? All I need is one
> example....

I use the fw filter all the time. I have a lot of examples on docum.org.

The idea is simple. You mark a packet and you use that mark to catch the packets with the fw filter.

The number of the mark is not important and has nothing to do with the class. The handle keyword is to say which mark the filter has to use. So handle 10 will catch all packets with mark 10.

Stef

--
stef.coene@docum.org
More QOS info : http://www.docum.org/
Title : "Using Linux as bandwidth manager"
Martin Devera
2002-Mar-01 08:03 UTC
Re: fw_mark [was HTB: Filtering flat out not working :(]
By the way, you can attach fw_mark classifier WITHOUT specifying any marks and then it will try to directly map mark to class numbers. You can then specify class numbers directly in ip{chains,tables} ;)

devik

On Fri, 1 Mar 2002, Stef Coene wrote:

> On Thursday 28 February 2002 20:45, you wrote:
> > Absolutely, but you'll notice in my follow up post that nowhere does it
> > tell you how to use 'tc' to throw the MARKed packets into a certain flow.
> > The HOWTO tells you how to route marked packets, not how to shape them...
> > ideas? do you happen to know the TC command syntax? All I need is one
> > example....
> I use the fw filter all the time. I have a lot of examples on docum.org.
> The idea is simple. You mark a packet and you use that mark to catch the
> packets with the fw filter.
> The number of the mark is not important and has nothing to do with the class.
> The handle keyword is to say which mark the filter has to use. So handle 10
> will catch all packets with mark 10.
>
> Stef
>
> --
> stef.coene@docum.org
> More QOS info : http://www.docum.org/
> Title : "Using Linux as bandwidth manager"
On Friday 01 March 2002 09:03, Martin Devera wrote:
> By the way, you can attach fw_mark classifier WITHOUT specifying
> any marks and then it will try to directly map mark to class numbers.
> You can then specify class numbers directly in ip{chains,tables} ;)
> devik

True

Thx

Stef

--
stef.coene@docum.org
More QOS info : http://www.docum.org/
Title : "Using Linux as bandwidth manager"
Michael T. Babcock
2002-Mar-01 19:30 UTC
Re: fw_mark [was HTB: Filtering flat out not working :(]
On Fri, Mar 01, 2002 at 09:03:30AM +0100, Martin Devera wrote:
> By the way, you can attach fw_mark classifier WITHOUT specifying
> any marks and then it will try to directly map mark to class numbers.
> You can then specify class numbers directly in ip{chains,tables} ;)

I saw this discussed here on the list before and when I tried to find more details I came up dry -- do you happen to remember/know the mapping?

--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
Martin Devera
2002-Mar-01 22:03 UTC
Re: fw_mark [was HTB: Filtering flat out not working :(]
I found it in sources. When fwmark has no subfilters then maps fwmark directly into classid. So that 0x0002010 is classid 2:10

On Fri, 1 Mar 2002, Michael T. Babcock wrote:

> On Fri, Mar 01, 2002 at 09:03:30AM +0100, Martin Devera wrote:
> > By the way, you can attach fw_mark classifier WITHOUT specifying
> > any marks and then it will try to directly map mark to class numbers.
> > You can then specify class numbers directly in ip{chains,tables} ;)
>
> I saw this discussed here on the list before and when I tried to find
> more details I came up dry -- do you happen to remember/know the mapping?
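
Stef's handle-based fw filter and devik's handle-less mapping, applied to the four hosts and class ids from Tim's post, as an added example that is not part of the thread. It assumes an HTB tree with the same class ids is attached to ppp0, that marks are set in the mangle FORWARD chain, and that mark numbers 10 to 13 are free; the script only prints the commands, it does not run them.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run: commands are printed, not executed.
LAN_IF=eth1   # LAN side, from Tim's post
WAN_IF=ppp0   # uplink; ASSUMED to carry an HTB tree with the class ids below
# host:classid pairs taken from the filters in Tim's script
HOSTS="192.168.0.7:1:10 192.168.0.58:1:11 192.168.0.50:1:12 192.168.0.52:1:13"

# classid_to_mark MAJOR:MINOR
# A tc classid is a 32-bit handle: major in the upper 16 bits, minor in the
# lower 16, both written in hex. This is the fwmark to set when the fw
# filter is attached without a handle (devik's variant).
classid_to_mark() {
    major=${1%%:*}
    minor=${1##*:}
    printf '0x%08x\n' $(( (0x$major << 16) | 0x$minor ))
}

# emit_rules handle|direct
#   handle: arbitrary mark per host, one "handle N fw flowid X:Y" filter each
#           (the mark number is unrelated to the class, as Stef explains)
#   direct: mark equals the classid value, one fw filter with no handle
emit_rules() {
    mode=$1
    mark=10   # first of the ASSUMED free mark numbers
    for entry in $HOSTS; do
        host=${entry%%:*}     # e.g. 192.168.0.7
        classid=${entry#*:}   # e.g. 1:10
        if [ "$mode" = direct ]; then
            m=$(classid_to_mark "$classid")
        else
            m=$mark
        fi
        # mangle FORWARD runs before nat POSTROUTING, so -s still sees the
        # LAN address that masquerading will replace before the qdisc on ppp0.
        echo "iptables -t mangle -A FORWARD -i $LAN_IF -s $host -j MARK --set-mark $m"
        if [ "$mode" != direct ]; then
            echo "tc filter add dev $WAN_IF parent 1:0 protocol ip prio 1 handle $m fw flowid $classid"
        fi
        mark=$((mark + 1))
    done
    if [ "$mode" = direct ]; then
        echo "tc filter add dev $WAN_IF parent 1:0 protocol ip prio 1 fw"
    fi
}

echo "# variant 1: explicit handles"
emit_rules handle
echo "# variant 2: mark used directly as classid"
emit_rules direct
```

Use one variant or the other, not both, since each sets its own marks for the same hosts.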