thr3ads.net - LARTC - Newbie ask [Dec 2002]

If this information is useful, please help other people find it:
Share via:

liang jian

2002-Dec-28 07:13 UTC

Newbie ask

My Settings:

LAN--------------| TC |------------------EX

                        |

                     DMZ

iptables -t mangle -A OUTPUT -o $DEV -p tcp  --dport 80 -j MARK --set-mark 1

iptables -t mangle -A OUTPUT -o $DEV -p tcp  --dport 22 -j MARK --set-mark 2

tc qdisc add dev $DEV root handle 1: cbq bandwidth $BANDWIDTH rate 1Mbit avpkt
1000 mpu 64

tc class add dev $DEV parent 1:0 classid 1:2 cbq bandwidth $BANDWIDTH rate
$RATE_PRIO  allot 1514  maxburst 20 avpkt 1000  isolated bounded

tc class add dev $DEV parent 1:0 classid 1:3 cbq bandwidth $BANDWIDTH rate
$RATE_LOW  allot 1514  maxburst 20 avpkt 1000  isolated bounded

tc class add dev $DEV parent 1:3 classid 1:5 cbq bandwidth $BANDWIDTH rate
$RATE_LOW_FAV allot 1514  maxburst 2 avpkt 1000 isolated bounded

tc class add dev $DEV parent 1:3 classid 1:6 cbq bandwidth $BANDWIDTH rate
$RATE_LOW_LOW allot 1514  maxburst 2 avpkt 1000 isolated bounded

tc qdisc add dev $DEV parent 1:2 handle 2: tbf rate 0.5Mbit burst 20kb latency
70ms peakrate 10Mbit minburst 1540
tc qdisc add dev $DEV parent 1:3 handle 3: tbf rate 0.5Mbit burst 20kb latency
70ms peakrate 10Mbit minburst 1540
tc filter add dev $DEV parent 1:0 protocol ip handle 1 fw flowid 1:2

tc filter add dev $DEV parent 1:0 protocol ip handle 2 fw flowid 1:5
tc filter add dev $DEV parent 1:0 protocol ip handle 3 fw flowid 1:6


I land DMZ''s ssh or surfing from LAN.

#tc -s class ls dev eth1
class cbq 1: root rate 1Mbit (bounded,isolated) prio no-transmit
 Sent 557044 bytes 719 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 6249 undertime 0
class cbq 1:2 parent 1: leaf 2: rate 700Kbit (bounded,isolated) prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 257728 undertime 0
class cbq 1:3 parent 1: leaf 3: rate 300Kbit (bounded,isolated) prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 603732 undertime 0
class cbq 1:5 parent 1:3 rate 180Kbit (bounded,isolated) prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 74457 undertime 0
class cbq 1:6 parent 1:3 rate 120Kbit (bounded,isolated) prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 111751 undertime 0


why class 1:5 and 1:6 send 0 bytes 0 pkts?



---------------------------------
Do You Yahoo!?
"IBM优惠价特权，谁先来谁先得！"
--0-1975817877-1041059632=:6100
Content-Type: text/html; charset=gb2312
Content-Transfer-Encoding: 8bit

<P>My Settings:</P>
<P>LAN--------------| TC |------------------EX</P>
<P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|</P>
<P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DMZ</P>
<P>iptables -t mangle -A OUTPUT -o $DEV -p tcp&nbsp; --dport 80 -j
MARK --set-mark 1</P>
<P>iptables -t mangle -A OUTPUT -o $DEV -p tcp&nbsp; --dport 22 -j
MARK --set-mark 2</P>
<P>tc qdisc add dev $DEV root handle 1: cbq bandwidth $BANDWIDTH rate
1Mbit avpkt 1000 mpu 64</P>
<P>tc class add dev $DEV parent 1:0 classid 1:2 cbq bandwidth $BANDWIDTH
rate $RATE_PRIO&nbsp; allot 1514&nbsp; maxburst 20 avpkt 1000&nbsp;
isolated bounded</P>
<P>tc class add dev $DEV parent 1:0 classid 1:3 cbq bandwidth $BANDWIDTH
rate $RATE_LOW&nbsp; allot 1514&nbsp; maxburst 20 avpkt 1000&nbsp;
isolated bounded</P>
<P>tc class add dev $DEV parent 1:3 classid 1:5 cbq bandwidth $BANDWIDTH
rate $RATE_LOW_FAV allot 1514&nbsp; maxburst 2 avpkt 1000 isolated
bounded</P>
<P>tc class add dev $DEV parent 1:3 classid 1:6 cbq bandwidth $BANDWIDTH
rate $RATE_LOW_LOW allot 1514&nbsp; maxburst 2 avpkt 1000 isolated
bounded</P>
<P>tc qdisc add dev $DEV parent 1:2 handle 2: tbf rate 0.5Mbit burst 20kb
latency 70ms peakrate 10Mbit minburst 1540<BR>tc qdisc add dev $DEV parent
1:3 handle 3: tbf rate 0.5Mbit burst 20kb latency 70ms peakrate 10Mbit minburst
1540<BR>tc filter add dev $DEV parent 1:0 protocol ip handle 1 fw flowid
1:2</P>
<P>tc filter add dev $DEV parent 1:0 protocol ip handle 2 fw flowid
1:5<BR>tc filter add dev $DEV parent 1:0 protocol ip handle 3 fw flowid
1:6<BR></P>
<P>I land DMZ''s ssh or surfing from LAN.</P>
<P>#tc -s class ls dev eth1<BR>class cbq 1: root rate 1Mbit
(bounded,isolated) prio no-transmit<BR>&nbsp;Sent 557044 bytes 719
pkts (dropped 0, overlimits 0)<BR>&nbsp; borrowed 0 overactions 0
avgidle 6249 undertime 0<BR>class cbq 1:2 parent 1: leaf 2: rate 700Kbit
(bounded,isolated) prio no-transmit<BR>&nbsp;Sent 0 bytes 0 pkts
(dropped 0, overlimits 0)<BR>&nbsp; borrowed 0 overactions 0 avgidle
257728 undertime 0<BR>class cbq 1:3 parent 1: leaf 3: rate 300Kbit
(bounded,isolated) prio no-transmit<BR>&nbsp;Sent 0 bytes 0 pkts
(dropped 0, overlimits 0)<BR>&nbsp; borrowed 0 overactions 0 avgidle
603732 undertime 0<BR>class cbq 1:5 parent 1:3 rate 180Kbit
(bounded,isolated) prio no-transmit<BR>&nbsp;Sent 0 bytes 0 pkts
(dropped 0, overlimits 0)<BR>&nbsp; borrowed 0 overactions 0 avgidle
74457 undertime 0<BR>class cbq 1:6 parent 1:3 rate 120Kbit
(bounded,isolated) prio no-transmit<BR>&nbsp;Sent 0 bytes 0 pkts
(dropped 0, overlimits 0)<BR>&nbsp; borrowed 0 overactions 0 avgidle
11
 
 1751 undertime 0<BR></P>
<P>why class 1:5 and 1:6 send 0 bytes 0
pkts?</P><p><br><hr size=1><b>Do You
Yahoo!?</b><br>
<a
href="http://rd.yahoo.com/mail_cn/tag/?http://ad.cn.doubleclick.net/clk;4983632;7740969;c?http://www.ibm.com/cn/promotion/optin/reg.shtml">"IBM优惠价特权，谁先来谁先得！"</a>
--0-1975817877-1041059632=:6100--
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Stef Coene

2002-Dec-28 10:31 UTC

head link

Re: Newbie ask

On Saturday 28 December 2002 08:13, liang jian wrote:> My Settings:
>
> LAN--------------| TC |------------------EX
>
>
>
>                      DMZ
>
> iptables -t mangle -A OUTPUT -o $DEV -p tcp  --dport 80 -j MARK --set-mark
> 1
>
> iptables -t mangle -A OUTPUT -o $DEV -p tcp  --dport 22 -j MARK --set-mark
> 2
>
> tc qdisc add dev $DEV root handle 1: cbq bandwidth $BANDWIDTH rate 1Mbit
> avpkt 1000 mpu 64
>
> tc class add dev $DEV parent 1:0 classid 1:2 cbq bandwidth $BANDWIDTH rate
> $RATE_PRIO  allot 1514  maxburst 20 avpkt 1000  isolated bounded
>
> tc class add dev $DEV parent 1:0 classid 1:3 cbq bandwidth $BANDWIDTH rate
> $RATE_LOW  allot 1514  maxburst 20 avpkt 1000  isolated bounded
>
> tc class add dev $DEV parent 1:3 classid 1:5 cbq bandwidth $BANDWIDTH rate
> $RATE_LOW_FAV allot 1514  maxburst 2 avpkt 1000 isolated bounded
>
> tc class add dev $DEV parent 1:3 classid 1:6 cbq bandwidth $BANDWIDTH rate
> $RATE_LOW_LOW allot 1514  maxburst 2 avpkt 1000 isolated bounded
>
> tc qdisc add dev $DEV parent 1:2 handle 2: tbf rate 0.5Mbit burst 20kb
> latency 70ms peakrate 10Mbit minburst 1540 tc qdisc add dev $DEV parent 1:3
> handle 3: tbf rate 0.5Mbit burst 20kb latency 70ms peakrate 10Mbit minburst
> 1540 tc filter add dev $DEV parent 1:0 protocol ip handle 1 fw flowid 1:2
>
> tc filter add dev $DEV parent 1:0 protocol ip handle 2 fw flowid 1:5
> tc filter add dev $DEV parent 1:0 protocol ip handle 3 fw flowid 1:6
>
>
> I land DMZ''s ssh or surfing from LAN.
>
> #tc -s class ls dev eth1
> class cbq 1: root rate 1Mbit (bounded,isolated) prio no-transmit
>  Sent 557044 bytes 719 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 6249 undertime 0
> class cbq 1:2 parent 1: leaf 2: rate 700Kbit (bounded,isolated) prio
> no-transmit Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 257728 undertime 0
> class cbq 1:3 parent 1: leaf 3: rate 300Kbit (bounded,isolated) prio
> no-transmit Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 603732 undertime 0
> class cbq 1:5 parent 1:3 rate 180Kbit (bounded,isolated) prio no-transmit
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 74457 undertime 0
> class cbq 1:6 parent 1:3 rate 120Kbit (bounded,isolated) prio no-transmit
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>   borrowed 0 overactions 0 avgidle 111751 undertime 0
>
>
> why class 1:5 and 1:6 send 0 bytes 0 pkts?Class 1:5 contains all packets with dport 22.  So you want to put all ftp-data 
packets in it.  Right?  But ftp can use a dynamic port for ftp-data.
And you have a filter to redirect all packets with mark 3 to class 1:6 but you 
never mark the packets with mark 3.  You only mark them with 1 and 2 so I 
think you miss an iptables command.

And an other tip.  Remove the isolated parameter.  It''s not working and
it
will only caue troubles.

Stef


-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Stef Coene

2002-Dec-28 11:24 UTC

head link

Re: Newbie ask

On Saturday 28 December 2002 11:57, Andre Meij wrote:> >> why class 1:5 and 1:6 send 0 bytes 0 pkts?
> >
> > Class 1:5 contains all packets with dport 22.  So you want to put all
> > ftp-data  packets in it.  Right?  But ftp can use a dynamic port for
> > ftp-data.
>
> Port 22 is ssh as far as I knowOops.  Indeed.  20 & 21 is ftp.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Robert Penz

2002-Dec-28 11:27 UTC

head link

Re: Newbie ask

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 28 December 2002 12:24, Stef Coene wrote:> Oops.  Indeed.  20 & 21 is ftp.port 21 is the control channel port, but port 20 doesn''t need to be the
data
port. e.g. passive ftp or if the server chooses an other port than 20 to send 
the data from.

its only sure that its port 20 if you control the ftp and deny passiv ftp.


- -- 
Regards,
Robert
- ----------------
Robert Penz
robert.penz AT outertech.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+DYq38tTsQqJDUBMRAqsUAJ45ryr/ucyRyuR3MT9G+1Swxq7F2gCcDkwg
LmGF/nOqNCrXwAlGHPtr374=/Ao/
-----END PGP SIGNATURE-----

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Patrick McHardy

2002-Dec-28 11:38 UTC

head link

Re: Newbie ask

Hi.

On Sat, 28 Dec 2002, Robert Penz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Saturday 28 December 2002 12:24, Stef Coene wrote:
> > Oops.  Indeed.  20 & 21 is ftp.
> port 21 is the control channel port, but port 20 doesn''t need to
be the data
> port. e.g. passive ftp or if the server chooses an other port than 20 to
send
> the data from.
>
> its only sure that its port 20 if you control the ftp and deny passiv ftp.
anyway for qos it is probably mostly important to detect and mark ftp data
connections. this can easily be done with CONNMARK which gives the same
mark to RELATED connection as the expectants mark. Another possibility
might be the helper match, but i''ve never tried it.

Bye,
Patrick

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

LARTC - Dec 2002 - Newbie ask

Newbie ask

Re: Newbie ask

Re: Newbie ask

Re: Newbie ask

Re: Newbie ask