I'll try to use the tcrules files as you say :)

Thank you

Kind regards,
Miguel Ángel Domínguez Durán.
Technical Department. Cherrytel Comunicaciones, S.L.
mdominguez@cherrytel.com
http://www.cherrytel.com/
Tel. 902 115 673 Fax 952218170
Miguel Ángel Domínguez Durán
2005-Feb-16 09:59 UTC
Re: Bandwidth Control with a firewall/bridge
>Miguel Ángel Domínguez Durán wrote:
>> Hello again,
>> First, excuse me for my poor English.
>> I'm trying now to make bandwidth control in a firewall machine running
>> Shorewall. This machine is also a bridge using bridge-utils
>> bridge-utils-devel. It is a Mandrake 10. The configuration is something
>> like this:
>>
>> FTP/Webserver ------|            eth0                     eth1
>> Mailserver -------------|------BRIDGE/FIREWALL------Router-----Internet
>> DB App. server -------|
>>
>> I have installed iproute2 and all kernel options needed. I have stated
>> TC_ENABLED = Yes and copied my own script in the tcstart file so shorewall
>> should run it when it gets restarted. I don't get any errors when the script
>> is executed, but all the packets go through the default queue in uplink and
>> downlink when I analyze the queues using .
>> I use the following script to start the bridge:
>
>This is really off-topic but you cannot use -i and -o in a bridged
>environment in your iptables rules (why aren't you using the tcrules
>file to mark your packets??? that way, the correct rules would get
>generated).
>
>You must use "-m physdev --physdev-{in|out}"

I've used the tcrules to mark the packets and removed the iptables commands in
the tcstart script. When I restarted shorewall everything seemed to be working
ok, but a few minutes later the machine hung!!! The tcrules file is:

##############################################################################
#MARK   SOURCE                                   DEST                                     PROTO
20      0.0.0.0/0                                213.9.139.30,213.9.139.31,213.9.139.32   all
21      0.0.0.0/0                                213.9.139.22,213.9.139.71                all
22      0.0.0.0/0                                213.9.139.25                             all
23      0.0.0.0/0                                213.9.139.24                             all
70      213.9.139.30,213.9.139.31,213.9.139.32   0.0.0.0/0                                all
71      213.9.139.22,213.9.139.71                0.0.0.0/0                                all
72      213.9.139.25                             0.0.0.0/0                                all
73      213.9.139.24                             0.0.0.0/0                                all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The rest of the fields that don't appear are left blank.

What could be wrong?

Thanks

Kind regards,
Miguel Ángel Domínguez Durán.
Technical Department. Cherrytel Comunicaciones, S.L.
mdominguez@cherrytel.com
http://www.cherrytel.com/
Tel. 902 115 673 Fax 952218170
Miguel Ángel Domínguez Durán wrote:
>
> I've used the tcrules to mark the packets and removed the iptables
> commands in the tcstart script. When I restarted shorewall everything
> seemed to be working ok, but a few minutes later the machine hung!!!
>
> What could be wrong?
>

I have no idea.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
José Ramos Caballero wrote:
> I'll try to use the tcrules files as you say :)

José,

I was just looking at the code that processes the tcrules file and it
doesn't generate the correct rules for a bridge either :-(

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> José Ramos Caballero wrote:
>
>>I'll try to use the tcrules files as you say :)
>
>
> José,
>
> I was just looking at the code that processes the tcrules file and it
> doesn't generate the correct rules for a bridge either :-(
>

Sigh -- I shouldn't read code before I've had my morning coffee. The code IS
correct and generates physdev matches for bridge ports.

firewall:2344
        *)
            verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
            r="$(match_source_dev) $source "
            ;;

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Miguel Ángel Domínguez Durán
2005-Feb-21 08:45 UTC
Re: Bandwidth Control with a firewall/bridge
Sigh -- I shouldn't read code before I've had my morning coffee. The code IS
correct and generates physdev matches for bridge ports.

firewall:2344
        *)
            verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
            r="$(match_source_dev) $source "
            ;;

-Tom

---------------------------------------------------------------------

Hi again :)

The problem is still there. I tried to modify my tcstart script and tcrules
files to make it work but every time I restart shorewall, after a little while
the machine hangs... :(

Here is my tcstart script:

#!/bin/bash
#
#
DEV1=eth1   # link to the internal network
DEV0=eth0   # link to the Internet
#
# Note that this is significantly lower than the capacity of 1500.
# Because of this, you may not want to bother limiting inbound traffic
# until a better implementation such as TCP window manipulation can be used.
#
# End Configuration Options
#

if [ "$1" = "status" ]
then
    echo "Enlace descendente"
    echo "[qdisc]"
    tc -s qdisc show dev $DEV1
    echo "[class]"
    tc -s class show dev $DEV1
    echo "[filter]"
    tc -s filter show dev $DEV1
    echo "Enlace ascendente"
    echo "[qdisc]"
    tc -s qdisc show dev $DEV0
    echo "[class]"
    tc -s class show dev $DEV0
    echo "[filter]"
    tc -s filter show dev $DEV0
    exit
fi

# Reset everything to a known state (cleared)
tc qdisc del dev $DEV0 root 2> /dev/null > /dev/null
tc qdisc del dev $DEV1 root 2> /dev/null > /dev/null

if [ "$1" = "stop" ]
then
    echo "Shaping removed on $DEV1."
    echo "Shaping removed on $DEV0."
    exit
fi

###########################################################
#
# Inbound Shaping (limits total bandwidth to 900Kbps)
# This is the downlink, from the Internet to Cherrytel's internal network

# set queue size to give latency of about 2 seconds on low-prio packets
# ip link set dev $DEV1 qlen 30

# changes mtu on the outbound device. Lowering the mtu will result
# in lower latency but will also cause slightly lower throughput due
# to IP and TCP protocol overhead.
# ip link set dev $DEV1 mtu 1000

# add HTB root qdisc
tc qdisc add dev $DEV1 root handle 1: htb default 37

# add main rate limit classes
tc class add dev $DEV1 parent 1: classid 1:1 htb rate 900kbit

# add leaf classes - We grant each class at LEAST its "fair share" of bandwidth.
# this way no class will ever be starved by another class. Each
# class is also permitted to consume all of the available bandwidth
# if no other classes are in use.
tc class add dev $DEV1 parent 1:1 classid 1:20 htb rate 64kbit ceil 900kbit
tc class add dev $DEV1 parent 1:1 classid 1:21 htb rate 64kbit ceil 900kbit
tc class add dev $DEV1 parent 1:1 classid 1:22 htb rate 64kbit ceil 900kbit
tc class add dev $DEV1 parent 1:1 classid 1:37 htb rate 676kbit ceil 900kbit   # default
tc class add dev $DEV1 parent 1:1 classid 1:23 htb rate 32kbit ceil 32kbit     # test, WiFi machine

# attach qdisc to leaf classes - here we attach SFQ to each priority class. SFQ ensures that
# within each class connections will be treated (almost) fairly.
tc qdisc add dev $DEV1 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $DEV1 parent 1:21 handle 21: sfq perturb 10
tc qdisc add dev $DEV1 parent 1:22 handle 22: sfq perturb 10
tc qdisc add dev $DEV1 parent 1:37 handle 37: sfq perturb 10
tc qdisc add dev $DEV1 parent 1:23 handle 23: sfq perturb 10

tc filter add dev $DEV1 protocol ip parent 1:0 prio 0 handle 20 fw classid 1:20
tc filter add dev $DEV1 protocol ip parent 1:0 prio 0 handle 21 fw classid 1:21
tc filter add dev $DEV1 protocol ip parent 1:0 prio 0 handle 22 fw classid 1:22
tc filter add dev $DEV1 protocol ip parent 1:0 prio 0 handle 23 fw classid 1:23
tc filter add dev $DEV1 protocol ip parent 1:0 prio 0 handle 37 fw classid 1:37

# Done with inbound shaping
#
####################################################

echo "Control del enlace descendente activado."

# If you only want to control the downlink, uncomment the following exit instruction
#exit

###########################################################
#
# Outbound Shaping (limits total bandwidth to 900Kbps)
# This is the uplink, from Cherrytel's internal network to the Internet

# set queue size to give latency of about 2 seconds on low-prio packets
# ip link set dev $DEV0 qlen 30

# changes mtu on the outbound device. Lowering the mtu will result
# in lower latency but will also cause slightly lower throughput due
# to IP and TCP protocol overhead.
# ip link set dev $DEV0 mtu 1000

# add HTB root qdisc
tc qdisc add dev $DEV0 root handle 2: htb default 87

# add main rate limit classes
tc class add dev $DEV0 parent 2: classid 2:1 htb rate 900kbit

# add leaf classes - We grant each class at LEAST its "fair share" of bandwidth.
# this way no class will ever be starved by another class. Each
# class is also permitted to consume all of the available bandwidth
# if no other classes are in use.
tc class add dev $DEV0 parent 2:1 classid 2:70 htb rate 64kbit ceil 900kbit
tc class add dev $DEV0 parent 2:1 classid 2:71 htb rate 64kbit ceil 900kbit
tc class add dev $DEV0 parent 2:1 classid 2:72 htb rate 64kbit ceil 900kbit
tc class add dev $DEV0 parent 2:1 classid 2:87 htb rate 676kbit ceil 900kbit   # default
tc class add dev $DEV0 parent 2:1 classid 2:73 htb rate 32kbit ceil 32kbit     # test

# attach qdisc to leaf classes - here we attach SFQ to each priority class. SFQ ensures that
# within each class connections will be treated (almost) fairly.
tc qdisc add dev $DEV0 parent 2:70 handle 70: sfq perturb 10
tc qdisc add dev $DEV0 parent 2:71 handle 71: sfq perturb 10
tc qdisc add dev $DEV0 parent 2:72 handle 72: sfq perturb 10
tc qdisc add dev $DEV0 parent 2:87 handle 87: sfq perturb 10
tc qdisc add dev $DEV0 parent 2:73 handle 73: sfq perturb 10

tc filter add dev $DEV0 protocol ip parent 2:0 prio 0 handle 70 fw classid 2:70
tc filter add dev $DEV0 protocol ip parent 2:0 prio 0 handle 71 fw classid 2:71
tc filter add dev $DEV0 protocol ip parent 2:0 prio 0 handle 72 fw classid 2:72
tc filter add dev $DEV0 protocol ip parent 2:0 prio 0 handle 73 fw classid 2:73
tc filter add dev $DEV0 protocol ip parent 2:0 prio 0 handle 87 fw classid 2:87

# Done with outbound shaping
#
####################################################

echo "Control del enlace ascendente activado."

exit

And the tcrules file contains the following:

##############################################################################
#MARK   SOURCE                                   DEST                                     PROTO   PORT(S)   CLIENT   USER
20      0.0.0.0/0                                213.9.139.30,213.9.139.31,213.9.139.32   all
21      0.0.0.0/0                                213.9.139.22,213.9.139.71                all
22      0.0.0.0/0                                213.9.139.25                             all
23      0.0.0.0/0                                213.9.139.24                             all
70      213.9.139.30,213.9.139.31,213.9.139.32   0.0.0.0/0                                all
71      213.9.139.22,213.9.139.71                0.0.0.0/0                                all
72      213.9.139.25                             0.0.0.0/0                                all
73      213.9.139.24                             0.0.0.0/0                                all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Please, tell me if I'm doing something wrong.

Thank you for your great support.

Kind regards,
Miguel Ángel Domínguez Durán.
Technical Department. Cherrytel Comunicaciones, S.L.
mdominguez@cherrytel.com
http://www.cherrytel.com/
Tel. 902 115 673 Fax 952218170
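As an added example (it is not part of the thread and not Shorewall's own code), here is a POSIX sh version of the shaping part of the script above, generalised to take the mark/rate table as a parameter. It builds the same structure: one HTB root per device, a parent class at the link rate, a guaranteed-rate leaf class per tcrules mark with SFQ underneath, an fw filter keyed on the mark, and a default class that receives whatever rate the marked classes do not guarantee. It also does the one consistency check HTB will not do for you: it refuses to touch the device when the guaranteed rates add up to the link rate or more, since such guarantees cannot be honoured. The device names, rates and marks mirror the posted script; the function names and the TC variable are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall: builds the same
# HTB + SFQ + fw-filter tree as the posted tcstart script, but from a list of
# "mark:rate_kbit[:ceil_kbit]" entries, and refuses to apply a tree whose
# guaranteed rates exceed the link rate (HTB cannot honour such guarantees).
# Marks are still set by Shorewall's tcrules; this only builds the queues.
# Set TC=echo to dry-run: the tc commands are printed instead of executed.
TC="${TC:-tc}"

# spec_rate "mark:rate[:ceil]" -> prints the guaranteed rate in kbit
spec_rate() {
    r=${1#*:}
    echo "${r%%:*}"
}

# spec_ceil "mark:rate[:ceil]" LINK -> prints the ceil, defaulting to LINK
spec_ceil() {
    r=${1#*:}
    c=${r#*:}
    # no second colon: ${r#*:} leaves r unchanged, so fall back to the link rate
    [ "$c" = "$r" ] && c=$2
    echo "$c"
}

# guaranteed_total "specs" -> prints the sum of all guaranteed rates in kbit
guaranteed_total() {
    total=0
    for spec in $1; do
        total=$((total + $(spec_rate "$spec")))
    done
    echo "$total"
}

# setup_htb DEV MAJOR LINK_KBIT DEFAULT_MINOR "mark:rate[:ceil] ..."
# One leaf class MAJOR:mark per entry (rate guaranteed, ceil = link unless
# given), an SFQ qdisc under each leaf, and an fw filter sending packets
# carrying that mark to the class. Unmarked traffic goes to MAJOR:DEFAULT_MINOR,
# which gets whatever rate the marked classes do not guarantee.
# Returns 1 without touching the device when the guarantees do not fit.
setup_htb() {
    dev=$1 major=$2 link=$3 def=$4 specs=$5
    used=$(guaranteed_total "$specs")
    if [ "$used" -ge "$link" ]; then
        echo "setup_htb: guaranteed ${used}kbit >= link ${link}kbit on $dev" >&2
        return 1
    fi
    defrate=$((link - used))
    $TC qdisc del dev "$dev" root 2>/dev/null || true
    $TC qdisc add dev "$dev" root handle "$major:" htb default "$def"
    $TC class add dev "$dev" parent "$major:" classid "$major:1" htb rate "${link}kbit"
    for spec in $specs; do
        mark=${spec%%:*}
        rate=$(spec_rate "$spec")
        ceil=$(spec_ceil "$spec" "$link")
        $TC class add dev "$dev" parent "$major:1" classid "$major:$mark" htb rate "${rate}kbit" ceil "${ceil}kbit"
        $TC qdisc add dev "$dev" parent "$major:$mark" handle "$mark:" sfq perturb 10
        $TC filter add dev "$dev" protocol ip parent "$major:0" prio 1 handle "$mark" fw classid "$major:$mark"
    done
    $TC class add dev "$dev" parent "$major:1" classid "$major:$def" htb rate "${defrate}kbit" ceil "${link}kbit"
    $TC qdisc add dev "$dev" parent "$major:$def" handle "$def:" sfq perturb 10
}

# Same layout as the posted script: eth1 carries the downlink (root 1:), eth0
# the uplink (root 2:), 900kbit each, marks 20-23 / 70-73 from tcrules, with
# 23 and 73 hard-capped at 32kbit. Uncomment to apply (needs root and tc):
# setup_htb eth1 1 900 37 "20:64 21:64 22:64 23:32:32"
# setup_htb eth0 2 900 87 "70:64 71:64 72:64 73:32:32"
```

Run it with TC=echo first to see the tc commands it would issue without touching the box; the packet marks themselves still come from Shorewall's tcrules, which on a bridge generates the physdev matches Tom describes above, so no -i/-o iptables rules are needed in tcstart.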
Miguel Ángel Domínguez Durán wrote:
> ---------------------------------------------------------------------
> Hi again :)
> The problem is still there, I tried to modify my tcstart script and
> tcrules files to make it work but every time I restart shorewall, after a
> little while the machine hangs... :(

I'm sorry but there is nothing that I can do to help you -- marking packets
(which is all that Shorewall is doing) should not hang your system and I don't
know traffic control well enough to even comment on your TC script.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key