I am wondering if someone can examine why my set up does not give me the desired result. What I aim to achieve is to make DNS, ICMP, POP3, HTTP, SSH, SMTP traffic at a higher priority than FTP serving and Kazaa traffic. However, when the FTP server is busy servicing FTP traffic, web browsing traffic has dragged to almost unusable.

Abstract of my iptables script follows:-

# Mark traffic on the firewall machine itself
$IPTABLES -t mangle -A MANGLE_OUTPUT -p icmp -j MARK --set-mark 1
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp -m multiport --sport 22,53 -j MARK --set-mark 2
$IPTABLES -t mangle -A MANGLE_OUTPUT -p udp --sport 53 -j MARK --set-mark 2
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp -m length --length :64 -j MARK --set-mark 1
$IPTABLES -t mangle -A MANGLE_OUTPUT -m mark --mark 0 -j MARK --set-mark 3

# Mark traffic on LAN outgoing traffic through the firewall machine
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp -m multiport --sport 22,80 -j MARK --set-mark 1
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp -m multiport --sport 25,110,21 -j MARK --set-mark 2
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp -m multiport --dport 22,80 -j MARK --set-mark 1
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --sport 1214 -j MARK --set-mark 4
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 1214 -j MARK --set-mark 4
$IPTABLES -t mangle -A MANGLE_PREROUTING -p udp --sport 1214 -j MARK --set-mark 4
$IPTABLES -t mangle -A MANGLE_PREROUTING -p udp --dport 1214 -j MARK --set-mark 4
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp -m length --length :64 -j MARK --set-mark 1
$IPTABLES -t mangle -A MANGLE_PREROUTING -m mark --mark 0 -j MARK --set-mark 3

Abstract of my TC script:-

tc qdisc add $DEV root handle 1: htb default 40

# shape everything at $UPLINK speed - this prevents huge queues in the DSL modem that destroy latency
tc class add $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbit ceil ${UPLINK}kbit burst 12k

# divide traffic into 4 classes, with high prio class 1:10:
tc class add $DEV parent 1:1 classid 1:10 htb rate $((UPLINK/2))kbit ceil ${UPLINK}kbit burst 12k prio 0
tc class add $DEV parent 1:1 classid 1:20 htb rate $((UPLINK/4))kbit ceil ${UPLINK}kbit burst 12k prio 1
tc class add $DEV parent 1:1 classid 1:30 htb rate $((UPLINK/6))kbit ceil ${UPLINK}kbit burst 12k prio 2
tc class add $DEV parent 1:1 classid 1:40 htb rate $((UPLINK/12))kbit ceil ${UPLINK}kbit burst 12k prio 3

# all four leaf classes get Stochastic Fairness
tc qdisc add $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add $DEV parent 1:20 handle 20: sfq perturb 10
tc qdisc add $DEV parent 1:30 handle 30: sfq perturb 10
tc qdisc add $DEV parent 1:40 handle 40: sfq perturb 10

# steer packets into the classes by their netfilter mark (fw classifier)
tc filter add $DEV parent 1:0 prio 0 protocol ip handle 1 fw flowid 1:10
tc filter add $DEV parent 1:0 prio 0 protocol ip handle 2 fw flowid 1:20
tc filter add $DEV parent 1:0 prio 0 protocol ip handle 3 fw flowid 1:30
tc filter add $DEV parent 1:0 prio 0 protocol ip handle 4 fw flowid 1:40

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Stef Coene
2004-Jan-22 19:48 UTC
Re: Puzzled why my scripts don't give me the desired result
On Thursday 22 January 2004 07:50, Terry Tse wrote:
> I am wondering if someone can examine why my set up does not give me the
> desired result. What I aim to achieve is to make DNS, ICMP, POP3, HTTP,
> SSH, SMTP traffic at a higher priority than FTP serving and Kazaa traffic.
>
> However, when the FTP server is busy servicing FTP traffic, web browsing
> traffic has dragged to almost unusable.

You have to shape in both directions if you want to get good results.

Also, if you use different prios for the classes, you can get in trouble when a low prio class sends more data than the configured rate. If this is the case, the latency will be very high for the low prio class.

And ftp traffic is more than port 22. It can be any port.

Stef

-- 
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.openprojects.net
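A worked version of the two points made in the reply above (shape both directions, and classify FTP by connection rather than by port), as an added example that is not code from either poster. It builds one HTB tree on the WAN interface for upstream and a second one on the LAN interface for downstream, marks in mangle with CONNMARK so every packet of a connection keeps the mark of its first packet, and uses the conntrack FTP helper (`-m helper --helper ftp`) so passive- and active-mode data connections are marked bulk whatever ports they negotiate. Interface names, link rates, mark numbers and the 40/30/20/10 split of the guaranteed rates are assumptions; applying it needs root, tc, iptables and the nf_conntrack_ftp module, and with DRY_RUN=1 it only prints the commands. Two caveats: traffic that terminates on the firewall itself is not shaped downstream by the LAN-side tree (an IFB device would be needed for that), and the `-t raw ... -j CT --helper ftp` rules are required on kernels that no longer attach helpers automatically.

```shell
#!/bin/sh
# Added example, not from the original thread. Two-way HTB shaping plus
# conntrack-aware FTP marking. All names and figures below are assumptions.

WAN=${WAN:-ppp0}            # interface towards the DSL modem (assumed)
LAN=${LAN:-eth0}            # interface towards the LAN (assumed)
UPLINK=${UPLINK:-256}       # kbit, set a little below the real upstream rate
DOWNLINK=${DOWNLINK:-2048}  # kbit, set a little below the real downstream rate
IPT=${IPT:-iptables}

# With DRY_RUN set, print the command instead of executing it.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One HTB tree per direction on device $1 at link rate $2 (kbit). Leaf rates
# add up to the link rate so every class, including bulk (1:40), keeps a
# guarantee; ceil lets any class borrow the rest when the link is idle.
# Mark N (1..4) is steered into class 1:N0 by the fw classifier.
shape() {
    dev=$1; rate=$2
    run tc qdisc add dev "$dev" root handle 1: htb default 30
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${rate}kbit" ceil "${rate}kbit"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$((rate*4/10))kbit" ceil "${rate}kbit" prio 0
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "$((rate*3/10))kbit" ceil "${rate}kbit" prio 1
    run tc class add dev "$dev" parent 1:1 classid 1:30 htb rate "$((rate*2/10))kbit" ceil "${rate}kbit" prio 2
    run tc class add dev "$dev" parent 1:1 classid 1:40 htb rate "$((rate/10))kbit" ceil "${rate}kbit" prio 3
    for c in 10 20 30 40; do
        run tc qdisc add dev "$dev" parent 1:$c handle $c: sfq perturb 10
        run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle $((c/10)) fw flowid 1:$c
    done
}

# Mark rules for one mangle chain: PREROUTING (forwarded) or OUTPUT (the
# firewall's own traffic). Marks: 1 interactive, 2 mail, 3 default, 4 bulk.
# The connmark is restored first so later packets of a known connection skip
# the port tests, and saved last. FTP data connections are RELATED to the
# control connection and are matched by the ftp helper, not by port.
mark_chain() {
    chain=$1
    run "$IPT" -t mangle -A "$chain" -j CONNMARK --restore-mark
    run "$IPT" -t mangle -A "$chain" -m mark ! --mark 0 -j RETURN
    run "$IPT" -t mangle -A "$chain" -m helper --helper ftp -j MARK --set-mark 4
    run "$IPT" -t mangle -A "$chain" -p tcp -m multiport --ports 20,21,1214 -j MARK --set-mark 4
    run "$IPT" -t mangle -A "$chain" -p udp --dport 1214 -j MARK --set-mark 4
    run "$IPT" -t mangle -A "$chain" -p udp --sport 1214 -j MARK --set-mark 4
    run "$IPT" -t mangle -A "$chain" -p icmp -j MARK --set-mark 1
    run "$IPT" -t mangle -A "$chain" -p udp -m multiport --ports 53 -j MARK --set-mark 1
    run "$IPT" -t mangle -A "$chain" -p tcp -m multiport --ports 22,53,80 -j MARK --set-mark 1
    run "$IPT" -t mangle -A "$chain" -p tcp -m multiport --ports 25,110 -j MARK --set-mark 2
    run "$IPT" -t mangle -A "$chain" -m mark --mark 0 -j MARK --set-mark 3
    run "$IPT" -t mangle -A "$chain" -j CONNMARK --save-mark
}

apply_all() {
    run modprobe nf_conntrack_ftp
    # Newer kernels do not attach conntrack helpers automatically; assign it.
    run "$IPT" -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    run "$IPT" -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
    mark_chain PREROUTING
    mark_chain OUTPUT
    shape "$WAN" "$UPLINK"     # upstream: everything leaving towards the modem
    shape "$LAN" "$DOWNLINK"   # downstream: forwarded traffic entering the LAN
}

# Run with APPLY=1 (as root) to install, or DRY_RUN=1 APPLY=1 to review.
if [ -n "$APPLY" ]; then apply_all; fi
```

Both trees use the same marks, so one marking pass in mangle serves both directions; the downstream rate must be kept below the real line rate, otherwise the queue forms in the modem again and the LAN-side tree never sees it.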