Hey guys, I'm looking for a way to limit ingress throughput for each tcp session to a destination port on my server. I've found lots of ways to limit total throughput to a given port on an ip-level, but that's not quite the same thing.

I'm somewhat surprised this doesn't seem to be implemented already. Maybe it is and I'm not seeing it?

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/

Wednesday, February 4, 2004, 9:30:14 PM, you wrote:

B> Hey guys, I'm looking for a way to limit ingress throughput for each tcp
B> session to a destination port on my server. I've found lots of ways to
B> limit total throughput to a given port on an ip-level, but that's not
B> quite the same thing.

B> I'm somewhat surprised this doesn't seem to be implemented already. Maybe
B> it is and I'm not seeing it?

Take a look at a 'connbytes patch' in the iptables patch-o-matic.

It is supposed to limit per connection bandwidth amount, 4GB at maximum.

P.Krumins

That's the closest thing I've seen to what I want, but it's not quite there. From what I understand, this lets me identify all sessions that have sent more than x bytes. I want something that says "for every session going to port x, limit incoming throughput to no more than 50KB/5s" - or some other throughput definition that allows bursting.

On Wed, 4 Feb 2004, Peteris Krumins wrote:
> Wednesday, February 4, 2004, 9:30:14 PM, you wrote:
>
> B> Hey guys, I'm looking for a way to limit ingress throughput for each tcp
> B> session to a destination port on my server. I've found lots of ways to
> B> limit total throughput to a given port on an ip-level, but that's not
> B> quite the same thing.
>
> B> I'm somewhat surprised this doesn't seem to be implemented already. Maybe
> B> it is and I'm not seeing it?
>
> Take a look at a 'connbytes patch' in the iptables patch-o-matic.
>
> It is supposed to limit per connection bandwidth amount, 4GB at
> maximum.
>
> P.Krumins

Wednesday, February 4, 2004, 11:15:17 PM, you wrote:

B> That's the closest thing I've seen to what I want, but it's not quite
B> there. From what I understand, this lets me identify all sessions that
B> have sent more than x bytes.

Right.

B> I want something that says "for every session going to port x, limit
B> incoming throughput to no more than 50KB/5s" - or some other throughput
B> definition that allows bursting.

Well, that is easy.

Create as many classes as needed, add filters based on MARK value to put the traffic in the corresponding classes, then simply put the connbytes rules (-m connbytes max_bw:) together with a jump to the MARK target (-j MARK) in the mangle table.
As soon as max_bw is reached, the packet will get marked and the filter will put the traffic in the appropriate class.

P.Krumins

So maybe I'm dense, but I thought that throughput limits on classes were class-wide, not for each session in the class. In other words, if I limit class A to 50KB/5s, every tcp session in that class fights for the same 50KB/5s. Instead, I want every tcp session to have a throughput limit of 50KB/5s. Maybe I don't understand your example?

On Thu, 5 Feb 2004, Peteris Krumins wrote:
> B> I want something that says "for every session going to port x, limit
> B> incoming throughput to no more than 50KB/5s" - or some other throughput
> B> definition that allows bursting.
>
> Well, that is easy.
>
> Create as many classes as needed, add filters based on MARK value to put
> the traffic in the corresponding classes, then simply put the connbytes
> rules (-m connbytes max_bw:) together with a jump to the MARK target
> (-j MARK) in the mangle table.
> As soon as max_bw is reached, the packet will get marked and the
> filter will put the traffic in the appropriate class.
>
> P.Krumins

Thursday, February 5, 2004, 2:48:13 AM, you wrote:

B> So maybe I'm dense, but I thought that throughput limits on classes were
B> class-wide, not for each session in the class. In other words, if I limit
B> class A to 50KB/5s, every tcp session in that class fights for the same
B> 50KB/5s.

You are right. My example would put all sessions exceeding max_bw into the class, thus sessions would fight for the same 50KB/s.

B> Instead, I want every tcp session to have a throughput limit of 50KB/5s.

I can't think of a good way of doing it.

Some terrible and hackish method would be creating lots and lots of classes, lots and lots of iptables rules for each source port (if only the client initiates a connection), then marking the packets and having lots and lots of filters for each MARK value.
This would require a smart approach, as if no logic optimizations are done, the amount of different match rules would kill the box (and its throughput). Some approaches would be hashing all the filters by the client's ip, creating iptables chains for each client, and matching more commonly used ports first.

P.Krumins

Ben wrote:
> Hey guys, I'm looking for a way to limit ingress throughput for each
> tcp session to a destination port on my server. I've found lots of
> ways to limit total throughput to a given port on an ip-level, but
> that's not quite the same thing.
>
> I'm somewhat surprised this doesn't seem to be implemented
> already. Maybe it is and I'm not seeing it?

I have a need for a very similar thing. But in my case, I wish to schedule tcp sessions to a different transfer class if they transfer faster than a certain speed.

Doing this on the actual traffic control side of things seems tricky, since none of them have any notion of connections or tcp sessions. Doing this by way of the 'connbytes' match, eg. by storing the data in the connection tracking table, seems rather easily doable.

What you would wish to do is have a simple per connection token bucket, and just DROP every packet exceeding the rate in the connection, am I right?

What I would wish is a bit more complex. I'd like to have a per connection token bucket, but have it such that when it runs out of tokens, the rule stops matching, but every packet will still take whatever tokens there are in the bucket. And the rule would start matching again only after a certain amount of tokens has again been amassed in the bucket. This is to prevent too rapid churn between different transfer classes per connection.

And I haven't found anything which would do this for me anywhere. So, I might code it myself if no other solution comes up.

--
Naked

On Thu, 2004-02-05 at 18:03, Nuutti Kotivuori wrote:
> What you would wish to do is have a simple per connection token
> bucket, and just DROP every packet exceeding the rate in the
> connection, am I right?

I don't want to lose data, so dropping packets definitely seems like the wrong thing to do. Unless that's how ingress filters work? I haven't used them before.

Fortunately I have access to the code of my server application, because it sounds like the easiest thing is going to be to just put per-session rate limiting into that.

Ben wrote:
> On Thu, 2004-02-05 at 18:03, Nuutti Kotivuori wrote:
>
>> What you would wish to do is have a simple per connection token
>> bucket, and just DROP every packet exceeding the rate in the
>> connection, am I right?
>
> I don't want to lose data, so dropping packets definitely seems
> like the wrong thing to do. Unless that's how ingress filters work?
> I haven't used them before.

Dropping packets will not mean losing data - it just means that the TCP connections have to resend the packets and in general means that the connection will throttle itself to the configured rate.

But ingress filtering as it is now works exactly like that. The packet that you are receiving has already reached your machine and you either drop it or accept it. If you wish to do something further, you can look into IMQ.

> Fortunately I have access to the code of my server application,
> because it sounds like the easiest thing is going to be to just put
> per-session rate limiting into that.

Right, well, it probably is the easiest solution - just note that you will be working from behind your own receive buffers and tcp windows, which means that the connection might initially accept (burst) more data than you expect before the buffers fill.

--
Naked

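The two designs debated in this thread, as an added illustration that is not code from the list or from either poster: Naked's per-connection token bucket with hysteresis (the match switches off when the bucket empties, every packet keeps draining it, and the match only returns once a threshold of tokens has built up), and Ben's alternative of pacing recv() inside the server, with Naked's caveat that the kernel has already accepted data up to the receive window. Both share one token bucket class driven by a deterministic clock. The flow 5-tuple, the packet trace, the `FakeClock`, the `resume_at` threshold and the `source` stand-in for a socket's recv are all constructed for the demonstration; only the 50KB/5s figure comes from the thread.

```python
# Added example simulating the thread's two designs; not LARTC or poster code.
import time


class TokenBucket:
    """Token bucket: refills at `rate` bytes/s, holds at most `burst` bytes."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.clock = clock
        self.tokens = self.burst          # start full, so an initial burst is allowed
        self.last = clock()

    def refill(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        return self.tokens

    def take(self, n):
        """Drain up to n tokens; return how many were actually available."""
        self.refill()
        got = min(n, self.tokens)
        self.tokens -= got
        return got

    def seconds_until(self, n):
        """Seconds until n tokens are available (0.0 if they already are)."""
        self.refill()
        return max(0.0, (n - self.tokens) / self.rate)


class HystereticClassifier:
    """Naked's idea, per flow: a packet is 'fast' while the flow's bucket can pay
    for it; once it cannot, the flow is 'slow' and stays slow until `resume_at`
    tokens have accumulated. Every packet drains whatever tokens exist, so a flow
    that keeps sending at full speed never earns its way back (intended)."""

    def __init__(self, rate, burst, resume_at, clock=time.monotonic):
        self.new_bucket = lambda: TokenBucket(rate, burst, clock)
        self.resume_at = resume_at
        self.buckets = {}    # flow 5-tuple -> TokenBucket (conntrack-like state)
        self.fast = {}       # flow 5-tuple -> is the rule currently matching?

    def classify(self, flow, length):
        bucket = self.buckets.setdefault(flow, self.new_bucket())
        fast = self.fast.get(flow, True)
        available = bucket.refill()
        if fast and available < length:
            fast = False                      # bucket ran dry: demote the flow
        elif not fast and available >= self.resume_at:
            fast = True                       # enough tokens amassed: promote
        bucket.take(length)                   # drain regardless of the verdict
        self.fast[flow] = fast
        return "fast" if fast else "slow"


class PacedReceiver:
    """Ben's alternative: rate-limit in the application by pacing recv().
    Caveat from the thread: the kernel has already ACKed up to the receive
    window, so the peer bursts until the socket buffer fills; pacing here
    throttles only the steady state."""

    def __init__(self, recv, rate, burst, clock=time.monotonic, sleep=time.sleep):
        self.recv_fn = recv                   # any recv-like callable (n -> bytes)
        self.bucket = TokenBucket(rate, burst, clock)
        self.sleep = sleep

    def recv(self, n):
        data = self.recv_fn(n)
        wait = self.bucket.seconds_until(len(data))
        if wait > 0:
            self.sleep(wait)                  # stall consumption until paid for
        self.bucket.take(len(data))
        return data


class FakeClock:
    """Deterministic clock (constructed) so the simulations need no real waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


RATE, BURST = 50_000 / 5, 50_000              # the thread's 50KB per 5s


def simulate_classifier():
    """Eight 10KB packets on one constructed flow, with idle gaps; returns verdicts."""
    clock = FakeClock()
    clf = HystereticClassifier(RATE, BURST, resume_at=25_000, clock=clock)
    flow = ("10.0.0.7", 40123, "10.0.0.1", 8080, "tcp")   # constructed 5-tuple
    verdicts = []
    for i in range(8):
        if i == 6:
            clock.advance(1.0)   # 1s idle: +10KB, still below resume_at
        if i == 7:
            clock.advance(3.0)   # 3s more idle: +30KB, crosses resume_at
        verdicts.append(clf.classify(flow, 10_000))
    return verdicts


def simulate_receiver():
    """Read 60KB in 10KB chunks; returns (bytes read, sleeps the pacer imposed)."""
    clock, sleeps = FakeClock(), []

    def sleep(seconds):
        sleeps.append(seconds)
        clock.advance(seconds)

    source = lambda n: b"x" * n               # constructed stand-in for socket.recv
    rx = PacedReceiver(source, RATE, BURST, clock=clock, sleep=sleep)
    total = sum(len(rx.recv(10_000)) for _ in range(6))
    return total, sleeps


if __name__ == "__main__":
    print(simulate_classifier())   # 5 fast, 2 slow, then fast again
    print(simulate_receiver())     # 60000 bytes, one 1.0s stall after the burst
```

In the classifier run the flow burns its 50KB burst in five packets, is demoted on the sixth, and the seventh is still slow even after a second of idling because the 10KB it earned is both below `resume_at` and immediately drained by that packet; only after a further three idle seconds does it cross the threshold and match again. The receiver run shows the other half of the thread: the first 50KB pass untouched and the application stalls one second for the sixth 10KB chunk, but the peer has already pushed everything into the socket buffer by then.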