Hello, I know this list gets a lot of traffic so I'll try and keep this brief. I've been working on what I initially thought should be a simple problem, but have been unable to produce satisfactory results. In fact, I'm now wondering whether it can be done at all -- so I'm mailing the experts on this list :). Perhaps someone can tell me whether what I want to do is achievable or not.

In summary, what I am trying to do is:

* When a UDP stream appears, prioritise UDP traffic to the detriment of all other traffic, even if it means dropping packets from other streams. In other words, an uninterruptable UDP stream despite other traffic.

Sounds simple? Hrm, not so it seems. I've read the Advanced Routing HOWTO, the HTB documentation, and worked off great base scripts such as wondershaper. I've tried CBQ and HTB, including leaf HTB structures, I've mixed and matched prios and pfifos and tbfs and sfqs, toggled various rates and policed the ingress. All to no avail. The results always seem to be the same: heavy traffic interrupts the UDP stream, causing almost constant spikes. The stream *is* better than with no shaping at all, but the UDP stream is never given such a priority that it *cannot* be interrupted, which is what I'm after.

The closest I have got to achieving an almost uninterruptable UDP stream is to cap the bandwidth of the other streams, either using CBQ/HTB on the parents or tbf on the children, but this defeats the purpose somewhat -- when a UDP stream *isn't* present the 'bulk' traffic is now always limited to a rate far less than what the link is capable of. What I want is to have all traffic use the link's full bandwidth except when a UDP stream appears, where the bulk traffic rate should dynamically drop or packets should be dropped in favour of creating an uninterruptible UDP stream. Can this be done at all? Here's what I've got so far, any input greatly appreciated.
The packets flow through a gateway, so I can control both in and out streams by attaching qdiscs to both eth0 and eth1. With that in mind, after testing numerous combinations I've settled on using just prio over a CBQ/HTB solution (since it is supposed to attend to other priority classes only if lower ones have been attended to). Note the forced rate limit with tbf for upstream bulk. Link bandwidth is 128/512, eth0 upstream (DSL modem), eth1 down. And lastly, I've tried with and without an ingress on eth0, and found it more effective with.

This is my eth0 script based off wondershaper:

---
tc qdisc add dev eth0 root handle 1: prio
tc qdisc add dev eth0 parent 1:1 handle 10: pfifo
tc qdisc add dev eth0 parent 1:2 handle 20: tbf rate 40kbit latency 25ms buffer 4096
tc qdisc add dev eth0 parent 1:3 handle 30: tbf rate 50kbit latency 25ms buffer 4096

# UDP
tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
    match ip protocol 17 0xff flowid 1:1

# ACK, WEB etc
tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
    match ip tos 0x10 0xff flowid 1:2
# port matches need a 16-bit mask (0xffff), otherwise only the low byte is compared
tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
    match ip dport 80 0xffff flowid 1:2
tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    match u8 0x10 0xff at 33 \
    flowid 1:2

# BULK
tc filter add dev eth0 parent 1: protocol ip prio 18 u32 \
    match ip dst 0.0.0.0/0 flowid 1:3

# INGRESS
tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src \
    0.0.0.0/0 police rate 400kbit burst 2k drop flowid :1
---

The eth1 script is the same except for: a) no ingress, b) sport for web, and c) sfq is used instead of tbf for prios 2 and 3, so no rate limiting is applied (handled by ingress on eth0).
This seems to work but only if I limit my ingress to around 350kbit, which is drastically less than what the link is capable of (even without a UDP stream present, downloads now come down at about 1/3 of the possible bandwidth :/). Even at 400kbit the UDP downstream starts getting interrupted majorly by other traffic, despite prioritising. From what I have read, especially in regards to prio, this shouldn't be happening.

Insight, wisdom, and suggestions for a solution greatly appreciated!

Ashton
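The effect the poster is after on the upstream side (bulk gets the whole link when no UDP is flowing, and is squeezed back the moment UDP appears) is what HTB's rate/ceil pair expresses: each class is guaranteed its rate and may borrow up to its ceil from idle siblings. The script below is an added example, not the poster's or wondershaper's code; the interface, the 128kbit link rate, the 96kbit UDP guarantee and the class ids are assumptions. It prints the commands by default and applies them only when run with TC=tc. The downstream direction is not addressed here: traffic that has already crossed the DSL link can only be policed on ingress, which is the limit the thread ran into.

```shell
#!/bin/sh
# Added example, not from the original post: HTB on the upstream interface with a
# guaranteed-rate class for UDP and a bulk class that may borrow the whole link
# whenever UDP is idle. Interface, rates and class ids are assumptions chosen to
# match the 128kbit upstream described in the thread.
#
# Dry run by default: the tc commands are printed. Run with TC=tc (as root) to apply.
TC=${TC:-echo}

# htb_upstream DEV LINK_RATE UDP_RATE   (rates in kbit, e.g. eth0 128kbit 96kbit)
htb_upstream() {
    dev=$1; link=$2; udp=$3
    # whatever is not guaranteed to UDP is guaranteed to bulk; the children's
    # rates must not add up to more than the parent or HTB cannot keep its promises
    bulk=$(( ${link%kbit} - ${udp%kbit} ))kbit

    # unclassified traffic falls into 1:30 (bulk), so no catch-all filter is needed
    $TC qdisc add dev "$dev" root handle 1: htb default 30
    # parent class at the link rate, so the queue builds here and not in the modem
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "$link" ceil "$link"
    # UDP: guaranteed $udp, served first (prio 0), may borrow up to the link rate
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "$udp" ceil "$link" prio 0
    # bulk: guaranteed only the remainder, but ceil=link means it gets the full
    # link when there is no UDP and is pushed back to $bulk as soon as UDP appears
    $TC class add dev "$dev" parent 1:1 classid 1:30 htb rate "$bulk" ceil "$link" prio 2
    # short fifo for UDP (no point buffering a real-time stream), sfq for bulk
    $TC qdisc add dev "$dev" parent 1:10 handle 10: pfifo limit 10
    $TC qdisc add dev "$dev" parent 1:30 handle 30: sfq perturb 10
    # a single filter: IP protocol 17 (UDP) goes to the guaranteed class
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip protocol 17 0xff flowid 1:10
}

htb_upstream eth0 128kbit 96kbit
```

The difference from capping bulk with tbf is that the 32kbit figure is a floor, not a ceiling: with no UDP present the bulk class climbs to 128kbit on its own, and the UDP class's prio 0 makes sure it is dequeued first whenever both have packets waiting.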
Hi,

I have a Squid proxy connected to the Internet by ADSL which serves a small LAN.

[ ADSL ] -- [(ppp0) PROXY (eth1)] -- [LAN 192.168.0.0/24]
Shaped:   (0.0.0.0/0) ---> -------------------------> --> ------------>
Unshaped:                  (squid) -----> --> ------------>

I've set up traffic shaping using CBQ by IP on eth1. But it shapes ALL the traffic sent over local Ethernet, and I'd like to keep proxy traffic which didn't come from ppp0 unshaped. I marked with iptables everything that comes from ppp0, but I can't get it to work with both filters (by handle and by IP). I don't see how I should create the structure of classes. Anyway, it might be enough to leave traffic from ports 80 and 3128 unshaped, but how can I do it? I browsed the documentation (and googled) and I couldn't determine:

a) if more than one filter can be attached to a class;
b) if all filters sharing a class are parsed or the first match exits;
c) if all subclasses of a class are parsed or the first match exits.

I know these are simple questions, but as a newbie I'm pretty stuck in here. With answers to a), b) and c) I should be able to configure it by myself. Anyway, a short sample would be appreciated.

Thanks in advance,

Fernando del Valle

P.S.: Please excuse my poor English :(

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
I'd say you have more of an iptables/u32 understanding than a CBQ/HTB one, I think..

a) yes
b) it's sequentially "read"... if no match applies, you can have a default iptables/u32 rule, for example ..-s 0/0 -d myip
c) I don't understand the question, maybe someone else can help you.

docum.org and lartc.org have plenty of examples

good luck (good luck, man)

On Sat, 2003-04-05 at 11:52, Fernando del Valle wrote:
> a) if more than one filter can be attached to a class;
> b) if all filters sharing a class are parsed or the first match exits;
> c) if all subclasses of a class are parsed or the first match exits.
On Saturday 05 April 2003 16:52, Fernando del Valle wrote:
> I've set up traffic shaping using CBQ by IP on eth1. But it shapes ALL the
> traffic sent over local Ethernet, and I'd like to keep proxy traffic which
> didn't come from ppp0 unshaped. I marked with iptables everything that
> comes from ppp0, but I can't get it to work with both filters (by handle
> and by IP). I don't see how I should create the structure of classes.
> Anyway, it might be enough to leave traffic from ports 80 and 3128
> unshaped, but how can I do it? I browsed the documentation (and googled)
> and I couldn't determine:

So you want proxied traffic unshaped. You can use the source address. All traffic from ip-address = eth1 is local traffic, all other traffic is internet traffic. The only problem is proxy traffic, because you don't know if the traffic came from ppp0 or it was fetched from the proxy cache. You can mark the packets coming in from ppp0, but the mark is lost when the packet enters the proxy.

> a) if more than one filter can be attached to a class;

Yes you can. They are ordered based on prio.

> b) if all filters sharing a class are parsed or the first match exits;

As soon as a filter matches, the packet is sent to the destination of the filter.

> c) if all subclasses of a class are parsed or the first match exits.

I'm not sure what you want to say. But if a packet enters a class, all filters are tested. If a filter matches, the packet is sent to the destination class. And if that class is not a leaf class (it has child classes), the filters attached to that class are tested again. This goes on until the packet ends up in a class with no child classes (a leaf class).
Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net
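Answers a) and b) above come down to two rules: any number of filters may point at the same class, and filters on a parent are walked in ascending prio with the first match deciding. The script below is an added example for the proxy's LAN interface, not code from either poster; the interface, rates and class ids are assumptions, and it takes Fernando's own fallback of leaving ports 80 and 3128 unshaped (which, as Stef notes, cannot tell a cache hit from a fetch through ppp0). It prints the tc commands by default and applies them only when run with TC=tc.

```shell
#!/bin/sh
# Added example, not from the original posts: classes and filters on the LAN
# interface of the proxy. Two filters share one class (answer a) and filters are
# walked in ascending prio with the first match deciding (answer b), so the
# specific port matches get prio 1 and the catch-all a higher number.
# Interface name, rates and class ids are assumptions.
TC=${TC:-echo}        # dry run: print the commands; TC=tc (as root) applies them

# lan_shaper DEV LAN_RATE ADSL_RATE    e.g. eth1 100mbit 512kbit
lan_shaper() {
    dev=$1; lan=$2; adsl=$3
    # anything no filter claims lands in 1:20, the shaped class
    $TC qdisc add dev "$dev" root handle 1: htb default 20
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "$lan"
    # 1:10 unshaped: replies from squid (3128) and the local web server (80)
    # may use the whole LAN rate
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "$adsl" ceil "$lan"
    # 1:20 shaped: everything else (forwarded from ppp0), held to the ADSL rate
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate "$adsl" ceil "$adsl"

    # prio 1: two filters attached to the same parent, both sending to 1:10;
    # the port mask is the full 16 bits so that only this port matches
    for port in 3128 80; do
        $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
            match ip sport "$port" 0xffff flowid 1:10
    done
    # prio 2: consulted only when no prio-1 filter matched. This catch-all is
    # redundant with 'default 20' above and is kept to make the order explicit.
    $TC filter add dev "$dev" parent 1: protocol ip prio 2 u32 \
        match ip src 0.0.0.0/0 flowid 1:20
}

lan_shaper eth1 100mbit 512kbit
```

The order in which the filters are added does not matter; tc sorts them by prio, and only within one prio value does insertion order decide. A filter with the same prio as the catch-all but added later would therefore never fire if the catch-all matched everything, which is the usual reason a "by handle and by IP" pair appears to ignore one of its filters.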
OK, I have a program called arpwatch on the network, which monitors ARP/IP matching. It sees that the public side of the SNAT box has its MAC address switch between the public and private interface. Here I tried to provide most of the information that I can think of.

iptables v1.2.7a:
____________________
Linux ns.highlandshighspeed.net 2.4.19-gentoo-r10 #5 Sun Mar 9 16:53:57 PST 2003 i686 Intel(R) Pentium(R) 4 CPU 1.60GHz GenuineIntel GNU/Linux
_____________________________
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 198.31.174.56
__________________________
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere            to:198.31.174.56

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
__________________________
eth0      Link encap:Ethernet  HWaddr 00:04:75:A0:DE:59
          inet addr:a.b.c.d  Bcast:198.31.174.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18320637 errors:0 dropped:0 overruns:1 frame:0
          TX packets:18395481 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:3151929956 (3005.9 Mb)  TX bytes:4285940372 (4087.3 Mb)
          Interrupt:11 Base address:0xe400

eth1      Link encap:Ethernet  HWaddr 00:04:75:A0:DD:F9
          inet addr:A.B.C.D  Bcast:192.168.33.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20321245 errors:0 dropped:0 overruns:5 frame:0
          TX packets:18611116 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:768762048 (733.1 Mb)  TX bytes:3808977459 (3632.5 Mb)
          Interrupt:10 Base address:0xe800
Chris,

What does the physical interconnection of cables look like? Where is the arpwatch daemon? Do you have your public network and private network connected to the same hub/switch?

Could you give us a bit of ASCII art to show the configuration?

Judging from the symptoms, the only logical explanation I can imagine is as follows. You have your public and private networks connected to the same medium (hub/switch). Now, when a host on this network makes an ARP request for 198.31.174.56, it might get two answers.

From any other box on the network try the following command:

# arping -I eth0 -c 3 198.31.174.56

See here for an explanation of ARP flux, if this is your problem:

http://linux-ip.net/html/ether-arp.html#ether-arp-flux

Good luck,

-Martin

: ok i have a program called arpwatch on the network, monitors arp/ipmatching,
: it sees that the public side of the Snat box has its mac address switch
: between the public and private interface.
: here i tried to provide most the information that i can think of.
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
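The symptom Martin describes, one IP answered from two MACs, is easy to confirm and to keep watching for. The script below is an added example, not part of the thread: it feeds arping-style output through a small awk filter that reports every IP that replied from more than one hardware address. The sample output is constructed for this example in the format of iputils arping (the tool suggested above), using the public address and the two interface MACs from the ifconfig output in the thread; the probing host's address is made up.

```shell
#!/bin/sh
# Added example, not from the original thread: detect ARP flux (one IP answering
# from more than one MAC) in arping output. The sample is constructed; the
# format is that of iputils arping, the MACs are the two gateway interfaces
# shown earlier in the thread, and 198.31.174.10 (the probing host) is invented.

# constructed sample: what `arping -I eth0 -c 3 198.31.174.56` could print when
# both interfaces of the gateway sit on the same switch
sample_arping_output() {
    cat <<'EOF'
ARPING 198.31.174.56 from 198.31.174.10 eth0
Unicast reply from 198.31.174.56 [00:04:75:A0:DE:59]  0.612ms
Unicast reply from 198.31.174.56 [00:04:75:A0:DD:F9]  0.704ms
Unicast reply from 198.31.174.56 [00:04:75:A0:DE:59]  0.590ms
Sent 3 probes (1 broadcast(s))
Received 3 response(s)
EOF
}

# arp_flux < arping-output
# prints "IP MAC1 MAC2 ..." for every IP that replied from more than one MAC;
# prints nothing when every IP answered from exactly one MAC
arp_flux() {
    awk '
        /^Unicast reply from / {
            ip = $4; mac = $5
            gsub(/[][]/, "", mac)            # strip the brackets around the MAC
            if (!seen[ip, mac]++) { n[ip]++; macs[ip] = macs[ip] " " mac }
        }
        END { for (ip in n) if (n[ip] > 1) print ip macs[ip] }
    ' | sort
}

# Mitigation (not run here): make each interface answer ARP only for addresses
# configured on the interface the request arrived on, so the reply always
# carries the MAC of the interface that owns the IP:
#   sysctl -w net.ipv4.conf.all.arp_ignore=1
# or keep the public and private subnets on separate switches/VLANs.

sample_arping_output | arp_flux
```

Run against real arping output (`arping -I eth0 -c 3 198.31.174.56 | arp_flux`) the function prints one line per fluxing IP, which is the same fact arpwatch reports as a flip-flop; an empty result means every reply came from a single MAC.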
That does sound reasonable on what is happening. Thx for the help.

NAT =====Switch-----switch -----arpwatch
= two cables
- one cable

Also gif version @ http://www.highlandshighspeed.net/images/network.gif

----- Original Message -----
From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: "Chris K Ellsworth" <cke@highlandshighspeed.net>
Cc: "LARTC" <lartc@mailman.ds9a.nl>
Sent: Saturday, April 05, 2003 10:36 AM
Subject: Re: [LARTC] Snat Mac address changing

> Judging from the symptoms, the only logical explanation I can imagine is
> as follows. You have your public and private networks connected to the
> same medium (hub/switch). Now, when a host on this network makes an ARP
> request for 198.31.174.56, it might get two answers.
>
> From any other box on the network try the following command:
>
> # arping -I eth0 -c 3 198.31.174.56
>
> See here for an explanation of ARP flux, if this is your problem:
>
> http://linux-ip.net/html/ether-arp.html#ether-arp-flux