Hi All,

I'm using iptables-1.2.7a on RedHat8 kernel 2.4.20. I wanted to limit the file-sharing traffic to the internet. I marked the packets with iptables:

iptables -A FORWARD -t mangle -p tcp -s 192.168.1.1/24 -d ! 192.168.1.1/24 --dport 1024:1862 -j MARK --set-mark 1
iptables -A FORWARD -t mangle -p tcp -s 192.168.1.1/24 -d ! 192.168.1.1/24 --dport 1864:65535 -j MARK --set-mark 1

and I put some new lines into wondershaper 1.1a (before the "#start filters" label):

tc class add dev $DEV parent 1:1 classid 1:40 cbq rate $[$UPLINK/10]kbit \
   allot 1600 prio 2 avpkt 1000
tc qdisc add dev $DEV parent 1:40 handle 40: sfq perturb 10
tc filter add dev $DEV parent 1:0 protocol ip handle 1 fw flowid 1:40

#start filters
...

I realized there is 80Kbit/s of traffic to a site (port 2334) from inside. My $UPLINK is 80. How can this be?

Thanks,
Gabor

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Saturday 07 December 2002 14:44, Gabor Csuri wrote:
> I realized there is 80Kbit/s of traffic to a site (port 2334) from inside.
> My $UPLINK is 80.
> How can this be?

Can you check the counters of iptables so you are sure you are marking the packets ??? And the same for tc : tc -s -d class show dev eth0.

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Hi,

here are my outputs:

[root@basement sysconfig]# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 2082K packets, 1828M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 30207 packets, 3707K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 2043K packets, 1812M bytes)
 pkts bytes target     prot opt in     out     source               destination
88476   60M MARK       tcp  --  *      *       192.168.1.0/24      !192.168.1.0/24      tcp dpts:1024:1862 MARK set 0x1
53899   13M MARK       tcp  --  *      *       192.168.1.0/24      !192.168.1.0/24      tcp dpts:1864:65535 MARK set 0x1

Chain OUTPUT (policy ACCEPT 35682 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2078K packets, 1823M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@basement sysconfig]#

[root@basement sysconfig]# tc -s -d class show dev ppp0
class cbq 1: root rate 10Mbit cell 8b (bounded,isolated) prio no-transmit/8 weight 10Mbit allot 1492b
 level 2 ewma 5 avpkt 1000b maxidle 23us
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:10 parent 1:1 leaf 10: rate 80Kbit cell 8b prio 1/1 weight 80Kbit allot 1600b
 level 0 ewma 5 avpkt 1000b maxidle 23us
 Sent 21230491 bytes 509446 pkts (dropped 0, overlimits 2127)
 borrowed 0 overactions 1447 avgidle 624 undertime 0
class cbq 1:1 parent 1: rate 80Kbit cell 8b (bounded,isolated) prio 5/5 weight 80Kbit allot 1500b
 level 1 ewma 5 avpkt 1000b maxidle 23us
 Sent 56095919 bytes 539304 pkts (dropped 0, overlimits 0)
 borrowed 11572 overactions 0 avgidle -44724 undertime 46502
class cbq 1:20 parent 1:1 leaf 20: rate 72Kbit cell 8b prio 2/2 weight 72Kbit allot 1600b
 level 0 ewma 5 avpkt 1000b maxidle 23us
 Sent 34865428 bytes 29858 pkts (dropped 0, overlimits 96751)
 borrowed 11572 overactions 4191 avgidle 624 undertime 0
class cbq 1:30 parent 1:1 leaf 30: rate 64Kbit cell 8b prio 2/2 weight 64Kbit allot 1600b
 level 0 ewma 5 avpkt 1000b maxidle 23us
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:40 parent 1:1 leaf 40: rate 8Kbit cell 8b prio 2/2 weight 8Kbit allot 1600b
 level 0 ewma 5 avpkt 1000b maxidle 23us
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 624 undertime 0

Gabor.
On Saturday 07 December 2002 22:41, Gabor Csuri wrote:
> Hi,
>
> here are my outputs:
>
> [root@basement sysconfig]# iptables -t mangle -nvL
> Chain FORWARD (policy ACCEPT 2043K packets, 1812M bytes)
>  pkts bytes target prot opt in out source destination
> 88476 60M MARK tcp -- * * 192.168.1.0/24 !192.168.1.0/24 tcp dpts:1024:1862 MARK set 0x1
> 53899 13M MARK tcp -- * * 192.168.1.0/24 !192.168.1.0/24 tcp dpts:1864:65535 MARK set 0x1

Ok, the packets are marked.

> [root@basement sysconfig]# tc -s -d class show dev ppp0
> class cbq 1:40 parent 1:1 leaf 40: rate 8Kbit cell 8b prio 2/2 weight 8Kbit allot 1600b
>  level 0 ewma 5 avpkt 1000b maxidle 23us
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>  borrowed 0 overactions 0 avgidle 624 undertime 0

So no packet is redirected to class 1:40 like you want. Is it possible that you have a filter that matches the same packets and is processed before the extra filter you added? You can try to put your filter at the top of the script or give it a lower prio parameter so it has a higher priority.

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Hi Stef,

You were right. I had to add a priority to my filter:

tc filter add dev $DEV parent 1:0 protocol ip prio 1 \
   handle 1 fw flowid 1:40

Thanks a lot,
Gabor.
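The two checks Stef asked for (are the packets marked? is the class actually sending?) are easy to script so the same diagnosis can be repeated after every change to the shaper. The script below is an added example; it is not code from the thread or from wondershaper. It parses `iptables -t mangle -nvL` and `tc -s -d class show` output in the formats Gabor posted, and the two samples are constructed from the counters in his message. The function names marked_pkts, class_sent_bytes and check_shaping are my own.

```shell
#!/bin/sh
# Added example (not from the thread): replay the two checks from the thread
# against captured command output. On a real router replace the samples with
#   iptables -t mangle -nvL        and        tc -s -d class show dev "$DEV"

# Constructed sample: FORWARD chain of the mangle table, counters as posted.
IPT_SAMPLE='Chain FORWARD (policy ACCEPT 2043K packets, 1812M bytes)
 pkts bytes target prot opt in out source destination
88476 60M MARK tcp -- * * 192.168.1.0/24 !192.168.1.0/24 tcp dpts:1024:1862 MARK set 0x1
53899 13M MARK tcp -- * * 192.168.1.0/24 !192.168.1.0/24 tcp dpts:1864:65535 MARK set 0x1'

# Constructed sample: the two leaf classes that matter, figures as posted.
TC_SAMPLE='class cbq 1:20 parent 1:1 leaf 20: rate 72Kbit cell 8b prio 2/2 weight 72Kbit allot 1600b
 level 0 ewma 5 avpkt 1000b maxidle 23us
 Sent 34865428 bytes 29858 pkts (dropped 0, overlimits 96751)
 borrowed 11572 overactions 4191 avgidle 624 undertime 0
class cbq 1:40 parent 1:1 leaf 40: rate 8Kbit cell 8b prio 2/2 weight 8Kbit allot 1600b
 level 0 ewma 5 avpkt 1000b maxidle 23us
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 624 undertime 0'

# Sum the packet counters of every rule that sets the given mark (hex, e.g. 0x1).
marked_pkts() {  # $1 = iptables -nvL output, $2 = mark value
    printf '%s\n' "$1" | awk -v m="MARK set $2" \
        'index($0, m) { n += $1 } END { print n + 0 }'
}

# Bytes the tc class with the given classid has actually sent.
class_sent_bytes() {  # $1 = tc -s class show output, $2 = classid such as 1:40
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "class"        { want = ($3 == id); next }
        want && $1 == "Sent" { print $2; exit }'
}

# Verdict: 0 = marked traffic is reaching the class,
#          1 = packets are marked but the class is idle or missing
#              (the symptom in this thread: an earlier filter wins),
#          2 = nothing is being marked at all (look at the iptables rules).
check_shaping() {  # $1 iptables output, $2 tc output, $3 mark, $4 classid
    pkts=$(marked_pkts "$1" "$3")
    bytes=$(class_sent_bytes "$2" "$4")
    [ "${pkts:-0}" -gt 0 ] || return 2
    [ "${bytes:-0}" -gt 0 ] || return 1
    return 0
}

# Replay the thread's figures: 142375 packets carry mark 0x1, yet class 1:40
# has sent nothing, so the marked packets are being steered elsewhere.
check_shaping "$IPT_SAMPLE" "$TC_SAMPLE" 0x1 1:40
case $? in
    0) echo "ok: marked traffic is being shaped by the class" ;;
    1) echo "marked, but class idle: check filter order / prio" ;;
    2) echo "no packets marked: check the iptables rules" ;;
esac
```

Run as-is it prints the "marked, but class idle" verdict, which is exactly the state Gabor's output showed before he added `prio 1`. tc evaluates filters in ascending prio order, so a filter that matches the same packets at a lower prio number wins; rerunning the script after the change should move the verdict to "ok" as bytes start to accumulate on class 1:40.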