Thanks for all the replies to my questions. After digging
through archives and performing many tests, the following
seems to work just fine.
My (simplified) setup is: Internet <> Masq Box <> LAN
Where Internet is on eth0 and LAN is on eth1
My goal was to limit the upstream and downstream bandwidth
from the LAN to the internet.
First follow Juanjo''s advice:
>After digging, straceĀ“ing ... etc I found that the common
>error with eg.:
> # tc qdisc add dev eth0 handle ffff: ingress
> RTNETLINK answers: No such file or directory
>is due to *iproute2* tool default configuration
>(and most iproute precompiled >packages) in addition to
>correct kernel setup.
>You must change in
> iproute2/Config:
> TC_CONFIG_DIFFSERV=y
>and recompile, etc ...
There was no need to recompile the kernel, but I needed to
install the iproute source RPM, make the changes mentioned,
recompile and replace the tc binary.
Next, I had to make sure that all incoming and outgoing packets
from the LAN were marked, so I made these changes in my
firewall script:
/sbin/ipchains -A input -i eth1 -s 0.0.0.0/0 -d 0.0.0.0/0 -m 1
/sbin/ipchains -A output -i eth1 -s 0.0.0.0/0 -d 0.0.0.0/0 -m 1
/sbin/ipchains -A forward -i eth1 -s 0.0.0.0/0 -d 0.0.0.0/0 -m 1
/sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.1.1/24 \
-d 0.0.0.0/0 -m 1
Next, I created this script:
#########################################################
# Start of Script
#########################################################
add_class() {
DEV=$1
HANDLE=$2
UPRATE=$3
DOWNRATE=$4
UPRATEVAL=$(echo $UPRATE | sed s/[a-zA-Z]//g)
UPRATEUNITS=$(echo $UPRATE | sed s/[0-9]//g)
let WEIGHT=UPRATEVAL/10
WEIGHT=$WEIGHT$UPRATEUNITS
#########################################################
# Clear everything first
#########################################################
tc qdisc del dev $DEV root &> /dev/null
tc qdisc del dev $DEV ingress &> /dev/null
sleep 1
#########################################################
# Outgoing traffic
#########################################################
# Setup the queue, with the max bandwidth of the interface
tc qdisc add dev $DEV root handle 1:0 cbq bandwidth 10Mbit \
avpkt 1000 cell 8
# Add the class. Again, bandwidth is 10Mbit.
tc class add dev $DEV parent 1:0 classid 1:1 cbq bandwidth \
10Mbit rate 10Mbit weight 1Mbit prio 8 allot 1514 cell 8 \
maxburst 100 avpkt 1000
# Add the subclass where the bandwidth is limited
tc class add dev $DEV parent 1:1 classid 1:10 cbq bandwidth \
10Mbit rate $UPRATE weight $WEIGHT prio 5 allot 1514 cell \
8 maxburst 20 avpkt 1000 bounded
# We''ve added the queues, now you must tell the kernel they exist
# and how to manage them.
tc qdisc add dev $DEV parent 1:10 tbf rate $UPRATE buffer \
10Kb/8 limit 15Kb mtu 1500
# Now we have to tell the kernel to send packets to the queue.
tc filter add dev $DEV parent 1:0 protocol ip prio 100 handle \
$HANDLE fw classid 1:10
#########################################################
# Incoming Traffic
#########################################################
tc qdisc add dev $DEV handle ffff:0 ingress
tc filter add dev $DEV parent ffff:0 protocol ip prio 5 handle \
$HANDLE fw police rate $DOWNRATE burst $DOWNRATE mtu 1500 drop
}
# Limit the internal LAN to 128kbit up and 64kbit down
add_class eth1 1 128Kbit 64Kbit
#########################################################
# End of Script
#########################################################
I run this script after I run the firewall.
Unless I''m forgetting something, this is all that needed to
be done to get the traffic shaping to work.
This was my first attempt at using most of these utilities,
so I may have made some obvious and ignorant mistakes. If
any of you see anything I have done incorrectly, I would sure
appreciate some feedback.
I hope this helps someone.
Barton