I'll try to use the tcrules files as you say :)

Thank you

KIND REGARDS
Miguel Ángel Domínguez Durán.
Technical Department.
Cherrytel Comunicaciones, S.L.
mdominguez@cherrytel.com
http://www.cherrytel.com/
Tel. 902 115 673
Fax 952218170
Miguel Ángel Domínguez Durán
2005-Feb-16 09:59 UTC
Re: Bandwith Control with a firewall/bridge
> Miguel Ángel Domínguez Durán wrote:
>> Hello again,
>> First, excuse me for my poor English.
>> I'm trying now to make bandwidth control in a firewall machine running
>> Shorewall. This machine is also a bridge using bridge-utils
>> bridge-utils-devel. It is a Mandrake 10. The configuration is something
>> like this:
>>
>> FTP/Webserver ------|                  eth0            eth1
>> Mailserver ---------|------BRIDGE/FIREWALL------Router-----Internet
>> DB App. server -----|
>>
>> I have installed iproute2 and all kernel options needed. I have stated
>> TC_ENABLED = Yes and copied my own script in the tcstart file so shorewall
>> should run it when it gets restarted. I don't get any errors when the script
>> is executed, but all the packets go through the default queue in uplink and
>> downlink when I analyze the queues using .
>> I use the following script to start the bridge:
>
> This is really off-topic but you cannot use -i and -o in a bridged
> environment in your iptables rules (why aren't you using the tcrules
> file to mark your packets??? that way, the correct rules would get
> generated).
>
> You must use "-m physdev --physdev-{in|out}"

I've used the tcrules to mark the packets and removed the iptables commands in the tcstart script. When I restarted shorewall everything seemed to be working OK, but a few minutes later the machine hung!!!

The tcrules file is:

##############################################################################
#MARK   SOURCE                                  DEST                                    PROTO
20      0.0.0.0/0                               213.9.139.30,213.9.139.31,213.9.139.32  all
21      0.0.0.0/0                               213.9.139.22,213.9.139.71               all
22      0.0.0.0/0                               213.9.139.25                            all
23      0.0.0.0/0                               213.9.139.24                            all
70      213.9.139.30,213.9.139.31,213.9.139.32  0.0.0.0/0                               all
71      213.9.139.22,213.9.139.71               0.0.0.0/0                               all
72      213.9.139.25                            0.0.0.0/0                               all
73      213.9.139.24                            0.0.0.0/0                               all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The rest of the fields that don't appear are left blank.

What could be wrong?

Thanks

KIND REGARDS
Miguel Ángel Domínguez Durán.
Technical Department.
Cherrytel Comunicaciones, S.L.
mdominguez@cherrytel.com
http://www.cherrytel.com/
Tel. 902 115 673
Fax 952218170
Miguel Ángel Domínguez Durán wrote:
>
> I've used the tcrules to mark the packets and removed the iptables
> commands in the tcstart script. When I restarted shorewall everything
> seemed to be working OK, but a few minutes later the machine hung!!!
>
> What could be wrong?
>

I have no idea.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
José Ramos Caballero wrote:
> I'll try to use the tcrules files as you say :)

José,

I was just looking at the code that processes the tcrules file and it doesn't generate the correct rules for a bridge either :-(

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> José Ramos Caballero wrote:
>
>> I'll try to use the tcrules files as you say :)
>
> José,
>
> I was just looking at the code that processes the tcrules file and it
> doesn't generate the correct rules for a bridge either :-(
>

Sigh -- I shouldn't read code before I've had my morning coffee. The code IS correct and generates physdev matches for bridge ports.

firewall:2344

    *)
        verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
        r="$(match_source_dev) $source "
        ;;

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Miguel Ángel Domínguez Durán
2005-Feb-21 08:45 UTC
Re: Bandwith Control with a firewall/bridge
> Sigh -- I shouldn't read code before I've had my morning coffee. The
> code IS correct and generates physdev matches for bridge ports.
>
> firewall:2344
>
>     *)
>         verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
>         r="$(match_source_dev) $source "
>         ;;
>
> -Tom
---------------------------------------------------------------------
Hi again :)

The problem is still there, I tried to modify my tcstart script and tcrules
files to make it work but every time I restart shorewall, after a little
while the machine hangs... :(

Here is my tcstart script:
#!/bin/bash
#
#
DEV1=eth1 # interface towards the internal network
DEV0=eth0 # interface towards the Internet
# Note that this is significantly lower than the capacity of 1500.
# Because of this, you may not want to bother limiting inbound traffic
# until a better implementation such as TCP window manipulation can be used.
#
# End Configuration Options
#
if [ "$1" = "status" ]
then
    echo "Enlace descendente"
    echo "[qdisc]"
    tc -s qdisc show dev $DEV1
    echo "[class]"
    tc -s class show dev $DEV1
    echo "[filter]"
    tc -s filter show dev $DEV1
    echo "Enlace ascendente"
    echo "[qdisc]"
    tc -s qdisc show dev $DEV0
    echo "[class]"
    tc -s class show dev $DEV0
    echo "[filter]"
    tc -s filter show dev $DEV0
    exit
fi

# Reset everything to a known state (cleared)
tc qdisc del dev $DEV0 root 2> /dev/null > /dev/null
tc qdisc del dev $DEV1 root 2> /dev/null > /dev/null

if [ "$1" = "stop" ]
then
    echo "Shaping removed on $DEV1."
    echo "Shaping removed on $DEV0."
    exit
fi

###########################################################
#
# Inbound Shaping (limits total bandwidth to 900Kbps)
# This is the downlink, from the Internet towards Cherrytel's internal network

# set queue size to give latency of about 2 seconds on low-prio packets
# ip link set dev $DEV1 qlen 30

# changes mtu on the outbound device. Lowering the mtu will result
# in lower latency but will also cause slightly lower throughput due
# to IP and TCP protocol overhead.
# ip link set dev $DEV1 mtu 1000

# add HTB root qdisc
tc qdisc add dev $DEV1 root handle 1: htb default 37

# add main rate limit classes
tc class add dev $DEV1 parent 1: classid 1:1 htb rate 900kbit

# add leaf classes - We grant each class at LEAST its "fair share" of bandwidth.
# This way no class will ever be starved by another class. Each
# class is also permitted to consume all of the available bandwidth
# if no other classes are in use.
tc class add dev $DEV1 parent 1:1 classid 1:20 htb rate 64kbit ceil 900kbit
tc class add dev $DEV1 parent 1:1 classid 1:21 htb rate 64kbit ceil 900kbit
tc class add dev $DEV1 parent 1:1 classid 1:22 htb rate 64kbit ceil 900kbit
tc class add dev $DEV1 parent 1:1 classid 1:37 htb rate 676kbit ceil 900kbit
# default class
tc class add dev $DEV1 parent 1:1 classid 1:23 htb rate 32kbit ceil 32kbit
# test, WiFi machine

# attach qdisc to leaf classes - here we attach SFQ to each priority class. SFQ ensures that
# within each class connections will be treated (almost) fairly.
tc qdisc add dev $DEV1 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $DEV1 parent 1:21 handle 21: sfq perturb 10
tc qdisc add dev $DEV1 parent 1:22 handle 22: sfq perturb 10
tc qdisc add dev $DEV1 parent 1:37 handle 37: sfq perturb 10
tc qdisc add dev $DEV1 parent 1:23 handle 23: sfq perturb 10

# map each firewall mark to its leaf class
tc filter add dev $DEV1 protocol ip parent 1:0 prio 0 handle 20 fw classid 1:20
tc filter add dev $DEV1 protocol ip parent 1:0 prio 0 handle 21 fw classid 1:21
tc filter add dev $DEV1 protocol ip parent 1:0 prio 0 handle 22 fw classid 1:22
tc filter add dev $DEV1 protocol ip parent 1:0 prio 0 handle 23 fw classid 1:23
tc filter add dev $DEV1 protocol ip parent 1:0 prio 0 handle 37 fw classid 1:37

# Done with inbound shaping
#
####################################################
echo "Control del enlace descendente activado."

# If you only want to shape the downlink, uncomment the following exit
#exit

###########################################################
#
# Outbound Shaping (limits total bandwidth to 900Kbps)
# This is the uplink, from Cherrytel's internal network to the Internet

# set queue size to give latency of about 2 seconds on low-prio packets
# ip link set dev $DEV0 qlen 30

# changes mtu on the outbound device. Lowering the mtu will result
# in lower latency but will also cause slightly lower throughput due
# to IP and TCP protocol overhead.
# ip link set dev $DEV0 mtu 1000

# add HTB root qdisc
tc qdisc add dev $DEV0 root handle 2: htb default 87

# add main rate limit classes
tc class add dev $DEV0 parent 2: classid 2:1 htb rate 900kbit

# add leaf classes - We grant each class at LEAST its "fair share" of bandwidth.
# This way no class will ever be starved by another class. Each
# class is also permitted to consume all of the available bandwidth
# if no other classes are in use.
tc class add dev $DEV0 parent 2:1 classid 2:70 htb rate 64kbit ceil 900kbit
tc class add dev $DEV0 parent 2:1 classid 2:71 htb rate 64kbit ceil 900kbit
tc class add dev $DEV0 parent 2:1 classid 2:72 htb rate 64kbit ceil 900kbit
tc class add dev $DEV0 parent 2:1 classid 2:87 htb rate 676kbit ceil 900kbit
# default class
tc class add dev $DEV0 parent 2:1 classid 2:73 htb rate 32kbit ceil 32kbit
# test

# attach qdisc to leaf classes - here we attach SFQ to each priority class. SFQ ensures that
# within each class connections will be treated (almost) fairly.
tc qdisc add dev $DEV0 parent 2:70 handle 70: sfq perturb 10
tc qdisc add dev $DEV0 parent 2:71 handle 71: sfq perturb 10
tc qdisc add dev $DEV0 parent 2:72 handle 72: sfq perturb 10
tc qdisc add dev $DEV0 parent 2:87 handle 87: sfq perturb 10
tc qdisc add dev $DEV0 parent 2:73 handle 73: sfq perturb 10

# map each firewall mark to its leaf class
tc filter add dev $DEV0 protocol ip parent 2:0 prio 0 handle 70 fw classid 2:70
tc filter add dev $DEV0 protocol ip parent 2:0 prio 0 handle 71 fw classid 2:71
tc filter add dev $DEV0 protocol ip parent 2:0 prio 0 handle 72 fw classid 2:72
tc filter add dev $DEV0 protocol ip parent 2:0 prio 0 handle 73 fw classid 2:73
tc filter add dev $DEV0 protocol ip parent 2:0 prio 0 handle 87 fw classid 2:87

# Done with outbound shaping
#
####################################################
echo "Control del enlace ascendente activado."
exit
And the tcrules file contains the following:

##############################################################################
#MARK   SOURCE                                  DEST                                    PROTO   PORT(S) CLIENT  USER
20      0.0.0.0/0                               213.9.139.30,213.9.139.31,213.9.139.32  all
21      0.0.0.0/0                               213.9.139.22,213.9.139.71               all
22      0.0.0.0/0                               213.9.139.25                            all
23      0.0.0.0/0                               213.9.139.24                            all
70      213.9.139.30,213.9.139.31,213.9.139.32  0.0.0.0/0                               all
71      213.9.139.22,213.9.139.71               0.0.0.0/0                               all
72      213.9.139.25                            0.0.0.0/0                               all
73      213.9.139.24                            0.0.0.0/0                               all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Please, tell me if I'm doing something wrong.

Thank you for your great support.

KIND REGARDS
Miguel Ángel Domínguez Durán.
Technical Department.
Cherrytel Comunicaciones, S.L.
mdominguez@cherrytel.com
http://www.cherrytel.com/
Tel. 902 115 673
Fax 952218170
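The complaint that runs through this thread is that every packet ends up in the HTB default class, i.e. the fw marks set by tcrules never reach the leaf classes the tcstart script builds. The script below is an added example written for this page, not code from the poster or from Shorewall. It parses a tcrules-style mark table and the text that `tc -s class show dev <dev>` prints (only the `class htb ...` and `Sent ... bytes` lines are used), then reports which marks are hitting their class, which are idle, and which have no class at all; it also checks that the guaranteed rates of the leaves do not exceed the root rate. It assumes the script's naming convention, where mark N is steered to class MAJOR:N (`handle 20 fw classid 1:20`), so the lookup is purely textual. Both sample texts are constructed, with documentation addresses rather than the poster's hosts.

```python
"""Check whether fw-mark based HTB classification is taking effect.

Added example for this thread; not the poster's code and not Shorewall's.
The tcrules excerpt and the `tc -s class show` output are constructed.
"""
import re

# Constructed tcrules excerpt in the thread's column layout (RFC 5737 addresses).
SAMPLE_TCRULES = """\
#MARK   SOURCE          DEST                        PROTO
20      0.0.0.0/0       203.0.113.30,203.0.113.31   all
21      0.0.0.0/0       203.0.113.22                all
22      0.0.0.0/0       203.0.113.25                all
23      0.0.0.0/0       203.0.113.24                all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Constructed `tc -s class show dev eth1` output for the downlink tree:
# only class 1:21 and the default class 1:37 have carried any bytes.
SAMPLE_TC_CLASS = """\
class htb 1:1 root rate 900Kbit ceil 900Kbit burst 1599b cburst 1599b
 Sent 5200000 bytes 41000 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 64Kbit ceil 900Kbit burst 1599b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:21 parent 1:1 leaf 21: prio 0 rate 64Kbit ceil 900Kbit burst 1599b cburst 1599b
 Sent 180000 bytes 1500 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:22 parent 1:1 leaf 22: prio 0 rate 64Kbit ceil 900Kbit burst 1599b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:23 parent 1:1 leaf 23: prio 0 rate 32Kbit ceil 32Kbit burst 1599b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:37 parent 1:1 leaf 37: prio 0 rate 676Kbit ceil 900Kbit burst 1599b cburst 1599b
 Sent 5020000 bytes 39500 pkt (dropped 0, overlimits 0 requeues 0)
"""

CLASS_RE = re.compile(r"^class htb (\S+) (root|parent \S+).*?\brate (\d+)([KMG]?)bit")
SENT_RE = re.compile(r"^\s*Sent (\d+) bytes (\d+) pkt")
UNIT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_tcrules_marks(text):
    """Return the MARK column of a tcrules file as ints, skipping comments/blank lines."""
    marks = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            marks.append(int(line.split()[0]))
    return marks


def parse_tc_classes(text):
    """Map classid -> {parent, rate_bps, bytes, pkts} from `tc -s class show` text."""
    classes, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:  # a new class header; statistics lines that follow belong to it
            classid, parent, num, unit = m.groups()
            current = classes[classid] = {
                "parent": None if parent == "root" else parent.split()[1],
                "rate_bps": int(num) * UNIT[unit], "bytes": 0, "pkts": 0}
            continue
        m = SENT_RE.match(line)
        if m and current is not None:
            current["bytes"], current["pkts"] = int(m.group(1)), int(m.group(2))
    return classes


def check_classification(marks, classes, major, default_minor):
    """Report which marks reach their leaf class (mark N -> class MAJOR:N, as in the script)."""
    default = classes.get(f"{major}:{default_minor}", {"bytes": 0})
    hit, idle, missing = [], [], []
    for mark in marks:
        cls = classes.get(f"{major}:{mark}")
        if cls is None:
            missing.append(mark)          # tcrules mark with no tc class/filter behind it
        elif cls["bytes"] > 0:
            hit.append(mark)
        else:
            idle.append(mark)
    if not hit and default["bytes"] > 0:
        verdict = "no mark reaches its class: packets are not being marked on this path"
    elif idle:
        verdict = "some marks never match; check the tcrules SOURCE/DEST for them"
    else:
        verdict = "all marks are classifying traffic"
    return {"hit": hit, "idle": idle, "missing": missing,
            "default_bytes": default["bytes"], "verdict": verdict}


def check_rate_budget(classes, root):
    """True when the guaranteed rates of the root's children fit inside the root rate."""
    children = sum(c["rate_bps"] for c in classes.values() if c["parent"] == root)
    return children <= classes[root]["rate_bps"]


if __name__ == "__main__":
    classes = parse_tc_classes(SAMPLE_TC_CLASS)
    print(check_classification(parse_tcrules_marks(SAMPLE_TCRULES), classes, "1", 37))
    print("rate budget ok:", check_rate_budget(classes, "1:1"))
```

On a live box the two inputs would come from the tcrules file and from `tc -s class show dev eth1` (the same command the script's `status` branch runs), one pass per device with the matching major handle (`1`/37 for the downlink tree, `2`/87 for the uplink tree). A result of "no mark reaches its class" points at the marking side (mangle rules, or on a bridge the physdev matches) rather than at the tc tree; idle marks point at the SOURCE/DEST entries for those marks.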
Miguel Ángel Domínguez Durán wrote:
> ---------------------------------------------------------------------
> Hi again :)
> The problem is still there, I tried to modify my tcstart script and
> tcrules files to make it work but every time I restart shorewall, after a
> little while the machine hangs... :(

I'm sorry but there is nothing that I can do to help you -- marking packets (which is all that Shorewall is doing) should not hang your system and I don't know traffic control well enough to even comment on your TC script.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key