LARTC - Oct 2002 - Fw: wondershaper kills eth0 :(

Hi,

When i do ''wshaper start'' the interface i have defined stops
routing
traffic for some reason.  It resumes routing when i do ''wshaper
stop''.

I''m using debian stable (3.0 woody) with debian''s default
2.4.18-686
kernel.

When I run the script I get no errors, and when I do a
''status'',
everything looks correct.

Can ANYONE please give me a little insight as to what to do?

I have the variables set as follows:

DOWNLINK=1450
UPLINK=180
DEV=eth0

The machine is a NAT machine.  I''m using shorewall to handle the NAT
stuff for me.  But even with shorewall disabled, wshaper still fails.

Thank you for your help.

-Rob

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Hi,

So, I''ve isolated the problem to this piece of code from the script:

########## downlink #############
# slow downloads down to somewhat less than the real speed  to prevent 
# queuing at our ISP. Tune to see how high you can set it.
# ISPs tend to have *huge* queues to make sure big downloads are fast
#
# attach ingress policer:

tc qdisc add dev $DEV handle ffff: ingress

# filter *everything* to it (0.0.0.0/0), drop everything that''s
# coming in too fast:

== HERE =tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip
src \
   0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
=========
and I really have no idea why this would cause the interface to drop all
packets (that''s what it seems to be doing).

Anyone have any ideas??

BTW, wondershaper script is at: 

http://lartc.org/wondershaper/

Thanks,
Rob

On Mon, 28 Oct 2002 13:43:35 -0500
Rob <rob00si@fastmail.fm> wrote:
> Hi,
> 
> When i do ''wshaper start'' the interface i have defined
stops routing
> traffic for some reason.  It resumes routing when i do ''wshaper
stop''.
> 
> I''m using debian stable (3.0 woody) with debian''s default
2.4.18-686
> kernel.
> 
> When I run the script I get no errors, and when I do a
''status'',
> everything looks correct.
> 
> Can ANYONE please give me a little insight as to what to do?
> 
> I have the variables set as follows:
> 
> DOWNLINK=1450
> UPLINK=180
> DEV=eth0
> 
> The machine is a NAT machine.  I''m using shorewall to handle the
NAT
> stuff for me.  But even with shorewall disabled, wshaper still fails.
> 
> Thank you for your help.
> 
> -Rob

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

--On Wednesday, October 30, 2002 4:35 PM -0500 Rob <rob00si@fastmail.fm>
wrote:
> tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
>    0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
What''s the value of $DEV and $DOWNLINK at this point?
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Hi,

<snip from script>

  DOWNLINK=1450
  UPLINK=180
  DEV=eth0

</script>

for some reason it seems to be droping all the packets...
pings/http/ssh/etc...

Do you know if I need to do any sort of Packet Mangling (ie. number the
packets)?

I''m going to include the wondershaper script below:

==========================================================================
#!/bin/bash 

# Wonder Shaper
# please read the README before filling out these values 
#
# Set the following values to somewhat less than your actual download
# and uplink speed. In kilobits. Also set the device that is to be shaped.
DOWNLINK=1450
UPLINK=180
DEV=eth0

# low priority OUTGOING traffic - you can leave this blank if you want
# low priority source netmasks
NOPRIOHOSTSRC=80

# low priority destination netmasks
NOPRIOHOSTDST
# low priority source ports
NOPRIOPORTSRC
# low priority destination ports
NOPRIOPORTDST
# Now remove the following two lines :-)

echo Please read the documentation in ''README'' first :-\)
exit

#########################################################

if [ "$1" = "status" ]
then
	tc -s qdisc ls dev $DEV
	tc -s class ls dev $DEV
	exit
fi


# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev $DEV root    2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null

if [ "$1" = "stop" ] 
then 
	exit
fi

###### uplink

# install root CBQ

tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 10mbit 

# shape everything at $UPLINK speed - this prevents huge queues in your
# DSL modem which destroy latency:
# main class

tc class add dev $DEV parent 1: classid 1:1 cbq rate ${UPLINK}kbit \
allot 1500 prio 5 bounded isolated 

# high prio class 1:10:

tc class add dev $DEV parent 1:1 classid 1:10 cbq rate ${UPLINK}kbit \
   allot 1600 prio 1 avpkt 1000

# bulk and default class 1:20 - gets slightly less traffic, 
#  and a lower priority:

tc class add dev $DEV parent 1:1 classid 1:20 cbq rate $[9*$UPLINK/10]kbit \
   allot 1600 prio 2 avpkt 1000

# ''traffic we hate''

tc class add dev $DEV parent 1:1 classid 1:30 cbq rate $[8*$UPLINK/10]kbit \
   allot 1600 prio 2 avpkt 1000

# all get Stochastic Fairness:
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10

# start filters
# TOS Minimum Delay (ssh, NOT scp) in 1:10:
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
      match ip tos 0x10 0xff  flowid 1:10

# ICMP (ip protocol 1) in the interactive class 1:10 so we 
# can do measurements & impress our friends:
tc filter add dev $DEV parent 1:0 protocol ip prio 11 u32 \
        match ip protocol 1 0xff flowid 1:10

# prioritize small packets (<64 bytes)

tc filter add dev $DEV parent 1: protocol ip prio 12 u32 \
   match ip protocol 6 0xff \
   match u8 0x05 0x0f at 0 \
   match u16 0x0000 0xffc0 at 2 \
   flowid 1:10


# some traffic however suffers a worse fate
for a in $NOPRIOPORTDST
do
	tc filter add dev $DEV parent 1: protocol ip prio 14 u32 \
	   match ip dport $a 0xffff flowid 1:30
done

for a in $NOPRIOPORTSRC
do
 	tc filter add dev $DEV parent 1: protocol ip prio 15 u32 \
	   match ip sport $a 0xffff flowid 1:30
done

for a in $NOPRIOHOSTSRC
do
 	tc filter add dev $DEV parent 1: protocol ip prio 16 u32 \
	   match ip src $a flowid 1:30
done

for a in $NOPRIOHOSTDST
do
 	tc filter add dev $DEV parent 1: protocol ip prio 17 u32 \
	   match ip dst $a flowid 1:30
done

# rest is ''non-interactive'' ie ''bulk'' and
ends up in 1:20

tc filter add dev $DEV parent 1: protocol ip prio 18 u32 \
   match ip dst 0.0.0.0/0 flowid 1:20


########## downlink #############
# slow downloads down to somewhat less than the real speed  to prevent 
# queuing at our ISP. Tune to see how high you can set it.
# ISPs tend to have *huge* queues to make sure big downloads are fast
#
# attach ingress policer:

tc qdisc add dev $DEV handle ffff: ingress

# filter *everything* to it (0.0.0.0/0), drop everything that''s
# coming in too fast:

tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

==========================================================================On
Wed, 30 Oct 2002 15:27:31 -0800
Kenneth Porter <shiva@sewingwitch.com> wrote:
> --On Wednesday, October 30, 2002 4:35 PM -0500 Rob
<rob00si@fastmail.fm>
> wrote:
> 
> > tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip
src \
> >    0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
> 
> What''s the value of $DEV and $DOWNLINK at this point?

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

--On Wednesday, October 30, 2002 10:07 PM -0500 Rob <rob00si@fastmail.fm>
wrote:
># low priority OUTGOING traffic - you can leave this blank if you want
># low priority source netmasks
> NOPRIOHOSTSRC=80
BTW, this looks like a bug in the script. The 80 should be the value for
NOPRIOPORTSRC. (But this shouldn''t kill the connection.)

You might try throwing a "set -x" at the top of the script to expand
and
echo commands before they execute, to see what''s really getting issued.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Hi,

Ok, here is the output of the script w/ the ''-x''

+ DOWNLINK=1450
+ UPLINK=180
+ DEV=eth0
+ NOPRIOHOSTSRC=80
+ NOPRIOHOSTDST+ NOPRIOPORTSRC+ NOPRIOPORTDST+ ''['' start =
status '']''
+ tc qdisc del dev eth0 root
+ tc qdisc del dev eth0 ingress
+ ''['' start = stop '']''
+ tc qdisc add dev eth0 root handle 1: cbq avpkt 1000 bandwidth 10mbit
+ tc class add dev eth0 parent 1: classid 1:1 cbq rate 180kbit allot 1500 prio 5
bounded isolated
+ tc class add dev eth0 parent 1:1 classid 1:10 cbq rate 180kbit allot 1600 prio
1 avpkt 1000
+ tc class add dev eth0 parent 1:1 classid 1:20 cbq rate 162kbit allot 1600 prio
2 avpkt 1000
+ tc class add dev eth0 parent 1:1 classid 1:30 cbq rate 144kbit allot 1600 prio
2 avpkt 1000
+ tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
+ tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
+ tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
+ tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10
0xff flowid 1:10
+ tc filter add dev eth0 parent 1:0 protocol ip prio 11 u32 match ip protocol 1
0xff flowid 1:10
+ tc filter add dev eth0 parent 1: protocol ip prio 12 u32 match ip protocol 6
0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 flowid 1:10
+ tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip src 80
flowid 1:30
+ tc filter add dev eth0 parent 1: protocol ip prio 18 u32 match ip dst
0.0.0.0/0 flowid 1:20
+ tc qdisc add dev eth0 handle ffff: ingress
+ tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src
0.0.0.0/0 police rate 1450kbit burst 10k drop flowid :1

===============================================================
Do you see anything obvious?  The commands that kill the connection in the
last one... seems to drop all pacets instead of being selective... *sigh*

Anyway, thanks for ANY help you can give :)

-Rob
On Wed, 30 Oct 2002 19:34:30 -0800
Kenneth Porter <shiva@sewingwitch.com> wrote:
> --On Wednesday, October 30, 2002 10:07 PM -0500 Rob
<rob00si@fastmail.fm>
> wrote:
> 
> ># low priority OUTGOING traffic - you can leave this blank if you want
> ># low priority source netmasks
> > NOPRIOHOSTSRC=80
> 
> BTW, this looks like a bug in the script. The 80 should be the value for
> NOPRIOPORTSRC. (But this shouldn''t kill the connection.)
> 
> You might try throwing a "set -x" at the top of the script to
expand and
> echo commands before they execute, to see what''s really getting
issued.
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

--On Wednesday, October 30, 2002 11:46 PM -0500 Rob <rob00si@fastmail.fm>
wrote:
> + tc qdisc add dev eth0 handle ffff: ingress
> + tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip
> src 0.0.0.0/0 police rate 1450kbit burst 10k drop flowid :1
That looks reasonable. I''ve been using this on 3 systems now and
haven''t
seen this. Two are Red Hat 7.2 and one is Red Hat 8, so I''m puzzled why
it''s hanging up for you.

I''d suggest commenting out the last line of wshaper and then manually
issuing the tc filter, tinkering with the parameters to see if you can
narrow down what about it is failing.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/