Hi all,
I'm using HTB with Linux 2.4.21, and have gotten a little problem
that I don't quite understand. I'd be very glad if any of you
could help me tell what's wrong.
My setup is like this:
ISP - [ eth0 'firewall machine' eth1 ] - LAN
I'd like to split the traffic evenly between the firewall and the LAN,
and then prioritize traffic within those classes, similarly to the
example in the HTB User Guide. I want something like this:
qdisc root 1: htb default 2
1:9 htb rate 240
1:1 htb rate 120 ceil 240
1:11 htb rate 20 ceil 80 prio 1
filter: ssh, ack, etc
11: pfifo
1:12 htb rate 60 ceil 200 prio 2
no filter
12: pfifo
1:13 htb rate 20 ceil 80 prio 3
filter: direct connect
13: pfifo
1:2 htb rate 120 ceil 240
1:21 htb rate 20 ceil 80 prio 1
21: pfifo
1:22 htb rate 60 ceil 200 prio 2
22: pfifo
1:23 htb rate 20 ceil 80 prio 3
23: pfifo
I then use iptables -j MARK to set a '1' if the traffic comes from
eth1. If not, it should end up in 1:2, and 1:1 and 1:2 should be able
to borrow from each other.
If I only have 1:1 and 1:2 and no filters at all, locally generated
traffic correctly ends up in 1:2. Then I added these 7 lines, and
expected traffic to move down to 1:22. However, when I run
'tc -s qdisc show dev eth0' I see that traffic runs through 1:0, but
'tc -s class show dev eth0' shows nothing.
tc class add dev eth0 parent 1:2 classid 1:21 htb rate 20kbit ceil 100kbit prio 1
tc class add dev eth0 parent 1:2 classid 1:22 htb rate 60kbit ceil 200kbit prio 2
tc class add dev eth0 parent 1:2 classid 1:23 htb rate 20kbit ceil 60kbit prio 3
tc qdisc add dev eth0 parent 1:21 handle 121: pfifo limit 2
tc qdisc add dev eth0 parent 1:22 handle 122: sfq perturb 10
tc qdisc add dev eth0 parent 1:23 handle 123: sfq perturb 10
tc filter add dev eth0 parent 1:2 protocol ip u32 match ip dst 0.0.0.0/0 flowid 1:22
I have another setup which is almost identical to the example in the
User Guide, and that works great. The kids got really happy that they
could play counterstrike while I was using direct connect. Super!
I really want to split the bandwidth more evenly between the machines
though, which is why I created this two level setup.
What have I done wrong? Why doesn't the filter on 1:2 move the
packets to 1:22?
Lots of thanks in advance!
My complete script looks like this.
#!/bin/sh
tc qdisc del dev eth0 root 2> /dev/null > /dev/null
tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null
tc qdisc add dev eth0 root handle 1: htb default 9
tc class add dev eth0 parent 1:0 classid 1:9 htb rate 200kbit ceil 200kbit
tc class add dev eth0 parent 1:9 classid 1:1 htb rate 120kbit ceil 200kbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 20kbit ceil 80kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 60kbit ceil 200kbit prio 2
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 20kbit ceil 80kbit prio 3
tc qdisc add dev eth0 parent 1:11 handle 111: pfifo limit 2
tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 10
tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 10
tc class add dev eth0 parent 1:9 classid 1:2 htb rate 120kbit ceil 200kbit prio 0
tc class add dev eth0 parent 1:2 classid 1:21 htb rate 20kbit ceil 100kbit prio 1
tc class add dev eth0 parent 1:2 classid 1:22 htb rate 60kbit ceil 200kbit prio 2
tc class add dev eth0 parent 1:2 classid 1:23 htb rate 20kbit ceil 60kbit prio 3
tc qdisc add dev eth0 parent 1:2 handle 120: pfifo limit 2
tc qdisc add dev eth0 parent 1:21 handle 121: pfifo limit 2
tc qdisc add dev eth0 parent 1:22 handle 122: sfq perturb 10
tc qdisc add dev eth0 parent 1:23 handle 123: sfq perturb 10
# To the firewall or LAN?
tc filter add dev eth0 parent 1:9 protocol ip prio 1 handle 1 fw classid 1:1
tc filter add dev eth0 parent 1:9 protocol ip prio 1 handle 2 fw classid 1:2
# To LAN
# TOS Minimum Delay (ssh, NOT scp) in 1:10:
tc filter add dev eth0 parent 1:1 protocol ip prio 10 u32 \
match ip tos 0x10 0xff flowid 1:10
# CS
tc filter add dev eth0 parent 1:1 protocol ip prio 10 u32 \
match ip dport 27015 0xffff flowid 1:10
# Diablo
tc filter add dev eth0 parent 1:1 protocol ip prio 10 u32 \
match ip dport 6112 0xffff flowid 1:10
tc filter add dev eth0 parent 1:1 protocol ip prio 10 u32 \
match ip dport 4000 0xffff flowid 1:10
tc filter add dev eth0 parent 1:1 protocol ip prio 10 u32 \
match ip dport 22 0xffff flowid 1:10
tc filter add dev eth0 parent 1:1 protocol ip prio 11 u32 \
match ip protocol 1 0xff flowid 1:10
tc filter add dev eth0 parent 1:1 protocol ip prio 12 u32 \
match ip protocol 6 0xff \
match u8 0x05 0x0f at 0 \
match u16 0x0000 0xffc0 at 2 \
match u8 0x10 0xff at 33 \
flowid 1:10
tc filter add dev eth0 parent 1:1 protocol ip prio 12 u32 \
match ip dport 411 0xfffe flowid 1:13
tc filter add dev eth0 parent 1: protocol ip prio 13 u32 \
match ip dst 0.0.0.0/0 flowid 1:12
# To the firewall
# TOS Minimum Delay (ssh, NOT scp) in 1:21:
tc filter add dev eth0 parent 1:2 protocol ip prio 10 u32 \
match ip tos 0x10 0xff flowid 1:21
tc filter add dev eth0 parent 1:2 protocol ip prio 10 u32 \
match ip dport 22 0xffff flowid 1:21
tc filter add dev eth0 parent 1:2 protocol ip prio 10 u32 \
match ip sport 22 0xffff flowid 1:21
tc filter add dev eth0 parent 1:2 protocol ip prio 11 u32 \
match ip protocol 1 0xff flowid 1:21
tc filter add dev eth0 parent 1:2 protocol ip prio 12 u32 \
match ip protocol 6 0xff \
match u8 0x05 0x0f at 0 \
match u16 0x0000 0xffc0 at 2 \
match u8 0x10 0xff at 33 \
flowid 1:21
tc filter add dev eth0 parent 1:2 protocol ip prio 12 u32 \
match ip dport 411 0xfffe flowid 1:23
tc filter add dev eth0 parent 1:2 protocol ip prio 12 u32 \
match ip dst 0.0.0.0/0 flowid 1:22
/Basic
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Daniel Brahneborg
2003-Jul-26 07:49 UTC
Re: HTB and filters on many levels - Workaround found
I found a little workaround, but I'm not really happy with it.

On Fri, Jul 25, 2003 at 12:03:21AM +0200, Daniel Brahneborg wrote:
> My setup is like this:
>
> ISP - [ eth0 'firewall machine' eth1 ] - LAN
>
> I'd like to split the traffic evenly between the firewall and the LAN,
> and then prioritize traffic within those classes, similarly to the
> example in the HTB User Guide. I want something like this:
>
> qdisc root 1: htb default 2
> 1:9 htb rate 240
> 1:1 htb rate 120 ceil 240
> 1:11 htb rate 20 ceil 80 prio 1
> filter: ssh, ack, etc
> 11: pfifo
> 1:12 htb rate 60 ceil 200 prio 2
> no filter
> 12: pfifo
> 1:13 htb rate 20 ceil 80 prio 3
> filter: direct connect
> 13: pfifo
> 1:2 htb rate 120 ceil 240
> 1:21 htb rate 20 ceil 80 prio 1
> 21: pfifo
> 1:22 htb rate 60 ceil 200 prio 2
> 22: pfifo
> 1:23 htb rate 20 ceil 80 prio 3
> 23: pfifo
>
> I then use iptables -j MARK to set a '1' if the traffic comes from
> eth1. If not, it should end up in 1:2, and 1:1 and 1:2 should be able
> to borrow from each other.

What I do now is to use ipfilter to set marks on the packets for all six
classes, and then set all filters on 1:0. A bit more work for iptables,
but it seems to work. Is it a bug that a filter can't be added to a class?

/Basic
Steen Suder, privat
2003-Sep-16 17:59 UTC
Re: Re: HTB and filters on many levels - Workaround found
Daniel Brahneborg wrote:
> I found a little workaround, but I'm not really happy with it.
<SNIP>
>> I then use iptables -j MARK to set a '1' if the traffic comes from
>> eth1. If not, it should end up in 1:2, and 1:1 and 1:2 should be able
>> to borrow from each other.
>
> What I do now is to use ipfilter to set marks on the packets for all six
> classes, and then set all filters on 1:0. A bit more work for iptables,
> but it seems to work. Is it a bug that a filter can't be added to a class?

It's by design AFAIK.
Packets are enqueued at qdiscs and, thus, it is only meaningful to be
able to attach filters to qdiscs.

I may be wrong though...

Also, the HTB docs instruct the user to attach filters to the root.

--
Mvh. / Best regards,
Steen Suder <http://www.suder.dk/>
ICQ UIN 4133803
Stef Coene
2003-Sep-16 18:45 UTC
Re: Re: HTB and filters on many levels - Workaround found
On Tuesday 16 September 2003 19:59, Steen Suder, privat wrote:
> Daniel Brahneborg wrote:
> > I found a little workaround, but I'm not really happy with it.
>
> <SNIP>
>
> >> I then use iptables -j MARK to set a '1' if the traffic comes from
> >> eth1. If not, it should end up in 1:2, and 1:1 and 1:2 should be able
> >> to borrow from each other.
> >
> > What I do now is to use ipfilter to set marks on the packets for all six
> > classes, and then set all filters on 1:0. A bit more work for iptables,
> > but it seems to work. Is it a bug that a filter can't be added to a
> > class?
>
> It's by design AFAIK.
> Packets are enqueued at qdiscs and, thus, it is only meaningful to be
> able to attach filters to qdiscs.
>
> I may be wrong though...
>
> Also, the HTB docs instruct the user to attach filters to the root.

You don't have to. You can add the filters to classes and "stack" them.
If a packet is enqueued in the htb qdisc, all filters attached to the root
qdisc are checked. If a packet is redirected to a leaf class, it's
dequeued in the qdisc attached to the class. If a packet is redirected to
a class, the filters attached to that class are examined.
In previous htb versions, htb hangs if you redirect a packet to a
non-leaf class. That's solved in later versions.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net
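The classification walk Stef describes explains Daniel's original symptom (traffic "runs through 1:0" once 1:2 gets children, even with a catch-all filter on 1:2). The following is an added toy model of that walk, written for this thread; it is not kernel code and not any of the posters' scripts, and the class tree, filters and packets in it are constructed. It models the rules Stef states plus HTB's documented default-class behaviour: the root chain ("parent 1:") is walked first, a match on an inner class continues into that class's own chain, a leaf ends the walk, and the `default` class is only a fallback when the root chain matches nothing. An inner default class yields `direct` (no class at all), which is exactly why the filter attached to 1:2 was never consulted:

```python
"""Toy model of HTB's per-packet classification walk (constructed example).

Not kernel code: classes, filters and packets are built inline.  A filter
is a (predicate, flowid) pair; 'fw' and 'u32 catch-all' filters are modelled
by by_mark() and catch_all().
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

DIRECT = "direct"                                   # unclassified traffic bypasses every class
Filter = Tuple[Callable[[dict], bool], str]         # (match predicate, flowid)


@dataclass
class HtbClass:
    classid: str
    children: List[str] = field(default_factory=list)
    filters: List[Filter] = field(default_factory=list)   # chain attached to this class

    @property
    def is_leaf(self) -> bool:
        return not self.children


@dataclass
class HtbQdisc:
    default: str                                    # 'htb default N' as classid "1:N"
    classes: Dict[str, HtbClass]
    filters: List[Filter] = field(default_factory=list)   # chain attached to "parent 1:"


def classify(q: HtbQdisc, pkt: dict) -> str:
    """Return the leaf classid the packet lands in, or DIRECT."""
    chain = q.filters                               # always start at the root qdisc
    while True:
        flowid = next((fid for match, fid in chain if match(pkt)), None)
        if flowid is None:
            break                                   # chain exhausted without a match
        cl = q.classes.get(flowid)
        if cl is None:
            break                                   # filter named a class that does not exist
        if cl.is_leaf:
            return cl.classid                       # leaf: the walk ends here
        chain = cl.filters                          # inner class: "stack" its own chain
    # nothing matched: fall back to the default class, which must be a leaf
    cl = q.classes.get(q.default)
    if cl is None or not cl.is_leaf:
        return DIRECT
    return cl.classid


def by_mark(mark: int, flowid: str) -> Filter:
    """Model of 'tc filter ... handle <mark> fw classid <flowid>'."""
    return (lambda p: p.get("mark") == mark, flowid)


def catch_all(flowid: str) -> Filter:
    """Model of 'u32 match ip dst 0.0.0.0/0 flowid <flowid>'."""
    return (lambda p: True, flowid)


def two_leaves() -> HtbQdisc:
    """Daniel's first step: 1:1 and 1:2 are leaves, no filters, 'default 2'."""
    return HtbQdisc(default="1:2", classes={c: HtbClass(c) for c in ("1:1", "1:2")})


def split_default_class() -> HtbQdisc:
    """Step two: 1:2 gets children 1:21..1:23 and a catch-all filter on 1:2 itself."""
    q = two_leaves()
    q.classes["1:2"].children = ["1:21", "1:22", "1:23"]
    for c in q.classes["1:2"].children:
        q.classes[c] = HtbClass(c)
    q.classes["1:2"].filters = [catch_all("1:22")]
    return q


def with_root_redirect() -> HtbQdisc:
    """Stef's stacking: a root fw filter hands mark 2 to 1:2, whose chain then picks 1:22."""
    q = split_default_class()
    q.filters = [by_mark(2, "1:2")]
    return q


def all_filters_on_root() -> HtbQdisc:
    """Daniel's workaround: one mark per leaf, every filter attached to the root qdisc."""
    q = split_default_class()
    q.filters = [by_mark(21, "1:21"), by_mark(22, "1:22"), by_mark(23, "1:23")]
    return q


if __name__ == "__main__":
    for name, q, pkt in [
        ("two leaves, no filters", two_leaves(), {"mark": 0}),
        ("1:2 split, filter only on 1:2", split_default_class(), {"mark": 0}),
        ("root filter to 1:2, stacked filter", with_root_redirect(), {"mark": 2}),
        ("all filters on root", all_filters_on_root(), {"mark": 22}),
    ]:
        print(f"{name:38} -> {classify(q, pkt)}")
```

The second scenario reproduces the complaint: the root chain is empty, the default class 1:2 is no longer a leaf, so the packet goes direct and the catch-all on 1:2 is never reached. The third scenario is Stef's fix (a root filter must first steer the packet into 1:2 before 1:2's own chain runs). The fourth is Daniel's workaround, and it carries the same caveat: an unmarked packet still falls back to the inner default and goes direct, so the default should point at a leaf class when a tree is split this way.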