Hi,

I'm having trouble getting traffic into the desired CBQ.

Here is my simple configuration:

tc qdisc del dev eth0 root 2> /dev/null

tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 10Mbit \
    avpkt 1200 cell 8

tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 10Mbit \
    rate 2Mbit weight 0.2Mbit prio 8 allot 1514 cell 8 \
    maxburst 20 avpkt 1200

tc class add dev eth0 parent 1:1 classid 1:100 cbq bandwidth 2Mbit \
    rate 130Kbit weight 13Kbit prio 8 allot 1514 cell 8 \
    maxburst 20 avpkt 1200

tc qdisc add dev eth0 parent 1:100 tbf rate 128Kbit buffer 10Kb/8 \
    limit 15Kb mtu 1500

tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
    u32 match ip sport 119 0xffff flowid 1:100 \

But no traffic shows up.... (A simple telnet news.giganews.com 119 to
test):

lum:/home/edwin# tc -s qdisc
qdisc tbf 8036: dev eth0 rate 128Kbit burst 10Kb lat 381.5ms
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc cbq 1: dev eth0 rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 913009 bytes 12538 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 749 undertime 0

qdisc tbf 8016: dev eth0 rate 128Kbit burst 10Kb lat 381.5ms
 Sent 14954 bytes 202 pkts (dropped 0, overlimits 0)

lum:/home/edwin# tc -s class show dev eth0
class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 428 bytes 7 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 749 undertime 0

class cbq 1:100 parent 1:1 leaf 8038: rate 130Kbit prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 1.57035e+06 undertime 0

class cbq 1:1 parent 1: rate 2Mbit prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 85149 undertime 0

I've also tried marking packets in iptables and using tc to filter those
packets into both flowid and classid 1:100 to no avail.

Thanks in advance.

--
Edwin Chiu            | ICBM: 43.39N 79.23W
edwin@thetomatoe.com  | PGP: 1024D/0x16B55226

> tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
>     u32 match ip sport 119 0xffff flowid 1:100 \
>
>
> But no traffic shows up.... (A simple telnet news.giganews.com 119 to
> test):

So you start a telnet from news.giganews.com to your test system? Then you
should match dport 119. Otherwise I'm wrong :) and the filter is ok.

> I've also tried marking packets in iptables and using tc to filter those
> packets into both flowid and classid 1:100 to no avail.

Marking with iptables and using the fw filter works fine for me. You can
find some working examples on www.docum.org.

Stef

--
stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net

On Fri, 2002-05-17 at 20:08, Stef Coene wrote:
> > tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
> >     u32 match ip sport 119 0xffff flowid 1:100 \
> >
> > But no traffic shows up.... (A simple telnet news.giganews.com 119 to
> > test):
> So you start a telnet from news.giganews.com to your test system? Then you
> should match dport 119. Otherwise I'm wrong :) and the filter is ok.

Sorry, I should have been more clear, I telnet from my test system to
news.giganews.com

$ telnet news.giganews.com 119
Trying 216.166.71.230...
Connected to news-central.giganews.com.
Escape character is '^]'.
200 News.GigaNews.Com (Typhoon v1.2.3)
quit
205 GoodBye
Connection closed by foreign host.

And I want to shape incoming nntp traffic (which is why I match sport
119).

Edwin

> Sorry, I should have been more clear, I telnet from my test system to
> news.giganews.com
>
> $ telnet news.giganews.com 119
> Trying 216.166.71.230...
> Connected to news-central.giganews.com.
> Escape character is '^]'.
> 200 News.GigaNews.Com (Typhoon v1.2.3)
> quit
> 205 GoodBye
> Connection closed by foreign host.
>
> And I want to shape incoming nntp traffic (which is why I match sport
> 119).

That should work. Maybe you can test it for sure with tcpdump to see if the
packets are really coming in with sport 119.

Stef

--
stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net

Here is a simple setup that I'm testing. The goal is to shape incoming
NNTP traffic.

Here is the script:

tc qdisc del dev eth0 root 2>/dev/null

tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 10Mbit \
    avpkt 1000 cell 8

tc class add dev eth0 parent 1:0 classid 1:100 cbq bandwidth 2Mbit \
    rate 130Kbit prio 3 allot 1514 cell 8 maxburst 20 avpkt 1000

tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 \
    fw classid 1:100

iptables -F -t mangle

iptables -A PREROUTING -i eth0 -t mangle -p tcp --sport 119 \
    -j MARK --set-mark 1

Here are the results of a simple test:

# iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 220M packets, 107G bytes)
 pkts bytes target  prot opt in    out  source       destination
    0     0 MARK    tcp  --  eth0  *    0.0.0.0/0    0.0.0.0/0    tcp spt:119 MARK set 0x1

Chain OUTPUT (policy ACCEPT 165M packets, 59G bytes)
 pkts bytes target  prot opt in    out  source       destination

# telnet news.giganews.com 119
Trying 216.166.71.230...
Connected to news-central.giganews.com.
Escape character is '^]'.
200 News.GigaNews.Com (Typhoon v1.2.3)
quit
205 GoodBye
Connection closed by foreign host.

# iptables -t mangle -L -vn
Chain PREROUTING (policy ACCEPT 220M packets, 107G bytes)
 pkts bytes target  prot opt in    out  source       destination
    6   377 MARK    tcp  --  eth0  *    0.0.0.0/0    0.0.0.0/0    tcp spt:119 MARK set 0x1

Chain OUTPUT (policy ACCEPT 165M packets, 59G bytes)
 pkts bytes target  prot opt in    out  source       destination

# tc -s class show dev eth0
class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 105328 bytes 1459 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0

class cbq 1:100 parent 1: rate 130Kbit prio 3
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 1.30863e+06 undertime 0

# tc filter show dev eth0
filter parent 1: protocol ip pref 1 fw
filter parent 1: protocol ip pref 1 fw handle 0x1 classid 1:100

Still no packets being filtered into my CBQ, but the packets are clearly
being marked.

--
Edwin Chiu            | ICBM: 43.39N 79.23W
edwin@thetomatoe.com  | PGP: 1024D/0x16B55226

> Still no packets being filtered into my CBQ, but the packets are clearly
> being marked.

I found the error. You mark the packets when they enter your box with
iptables on device eth0. But you add the qdisc and the classes to the same
device. But this qdisc and class can only control OUTgoing traffic and you
want to control incoming traffic.

If this is a firewall with two NICs, you can attach the qdisc and class to
the second NIC. Incoming NTP traffic gets marked and gets shaped when it
leaves the box on the second NIC.

If you really want to shape incoming traffic, you will have to use the
ingress qdisc or the IMQ device.

Stef

--
stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net
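
The ingress qdisc option mentioned in the last reply, as an added example that is not part of the original thread: it attaches the thread's u32 sport 119 match to the ingress hook of eth0 instead of the root (egress) qdisc. The function names, the DRY_RUN switch and the burst value are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not code from the thread. The ingress qdisc cannot queue
# packets; it can only police them, so over-rate NNTP packets are dropped
# and TCP on the news server side backs off.
# DRY_RUN=1 (default) prints the tc commands; DRY_RUN=0 runs them as root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ingress_police DEV SPORT RATE  (hypothetical helper name)
ingress_police() {
    dev="$1"; sport="$2"; rate="$3"
    case "$sport" in
        ''|*[!0-9]*) echo "invalid port: $sport" >&2; return 2 ;;
    esac
    if [ "$sport" -lt 1 ] || [ "$sport" -gt 65535 ]; then
        echo "port out of range: $sport" >&2; return 2
    fi

    # Drop any earlier ingress qdisc; the error when none exists is ignored.
    run tc qdisc del dev "$dev" ingress 2>/dev/null || true
    # ffff: is the fixed handle of the ingress qdisc.
    run tc qdisc add dev "$dev" handle ffff: ingress
    # Same match as the thread's filter, but parented on ffff: so it sees
    # packets arriving on DEV. burst 10k is an assumed value.
    run tc filter add dev "$dev" parent ffff: protocol ip prio 1 \
        u32 match ip sport "$sport" 0xffff \
        police rate "$rate" burst 10k drop flowid :1
}

# Per-filter counters; these should grow during the telnet test.
ingress_show() {
    run tc -s filter show dev "$1" parent ffff:
}

# Values from the thread: eth0, NNTP source port 119, 128kbit.
ingress_police "${DEV:-eth0}" 119 128kbit
ingress_show "${DEV:-eth0}"
```

With DRY_RUN=0 the counters printed by ingress_show play the role that "tc -s class show" played for the CBQ class in the thread.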