Hello, I have a transparent bridge/firewall setup using linux-2.6.3. My iptables commands for the firewall seem to work fine, but my tc traffic shaper rules don't. The tc rules seem to apply OK, but have no effect. Here are my tc rules. Basically I'm just trying to limit each IP in my internal /24 to 512k of bandwidth in and out.

    DEV=eth0
    # clear any existing root qdisc, then install a CBQ root
    tc qdisc del dev $DEV root
    tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
    # one 512kbit class that neither borrows nor lends
    tc class add dev $DEV parent 1: classid 1:1 cbq rate 512kbit allot 1500 prio 5 bounded isolated
    # put traffic to and from the host into that class
    tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.19.184 flowid 1:1
    tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src 192.168.19.184 flowid 1:1

Any thoughts as to why this doesn't seem to work on a bridge? It does work if the box is set up to be a router.

Thanks,
Ryan

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Ryan Rothert wrote:
> Any thoughts as to why this doesn't seem to work on a bridge? It does work
> if the box is set up to be a router.

I have tried to do bridged traffic control with 2.6. It just doesn't seem to work. u32 matches won't work, marking packets with iptables/ebtables then trying to catch them with tc's fw match doesn't work. Filters just won't catch anything in 2.6, and all traffic just leaves through the default class. There are reports of people getting this working, but no real details have emerged.

With 2.4, it works without problems. I have a few machines running bridging firewalls with traffic control using 2.4. Works without issues.

Any developers want to shed some light on why 2.6 doesn't seem to go? (Config options?)

jon
On Mon, 29 Mar 2004, Jon Anderson wrote:
> Ryan Rothert wrote:
> > Any thoughts as to why this doesn't seem to work on a bridge? It does work
> > if the box is set up to be a router.
>
> I have tried to do bridged traffic control with 2.6. It just doesn't
> seem to work. u32 matches won't work, marking packets with
> iptables/ebtables then trying to catch them with tc's fw match doesn't
> work. Filters just won't catch anything in 2.6, and all traffic just
> leaves through the default class. There are reports of people getting
> this working, but no real details have emerged.
>
> With 2.4, it works without problems. I have a few machines running
> bridging firewalls with traffic control using 2.4. Works without issues.
>
> Any developers want to shed some light on why 2.6 doesn't seem to go?
> (Config options?)
>
> jon

Jon, I don't really need to run 2.6, 2.4 would be fine. What version are you using? Did you compile it yourself? Did you have to apply any extra patches if you compiled it yourself?

Thanks,
Ryan
Ryan Rothert wrote:
> I don't really need to run 2.6, 2.4 would be fine. What version are you
> using? Did you compile it yourself? Did you have to apply any extra
> patches if you compiled it yourself?

2.4.25+brnf-5 (Patch here: http://sourceforge.net/project/showfiles.php?group_id=39571 )

Yes, compiled myself - almost has to be. If you look through the archive for earlier this month, possibly last (look for "bridge"), there's a little more detail about it. If you have any specific questions, I'd be glad to try and help if I can.

jon
On Monday 29 March 2004 20:13, Jon Anderson wrote:
> With 2.4, it works without problems. I have a few machines running
> bridging firewalls with traffic control using 2.4. Works without issues.
>
> Any developers want to shed some light on why 2.6 doesn't seem to go?
> (Config options?)

There are no real differences, except that arptables doesn't see bridged traffic, between the 2.4 bridge-nf/ebtables patch and the code in 2.6. So my guess is the problem isn't the bridge filtering code.

cheers,
Bart
Bart De Schuymer wrote:
> There are no real differences, except that arptables doesn't see bridged
> traffic, between the 2.4 bridge-nf/ebtables patch and the code in 2.6. So my
> guess is the problem isn't the bridge filtering code.

I don't doubt that the bridging code, and iptables/ebtables, is nearly the same, but _something_ is different. (Kernel .config options, QoS code, 2.4/2.6 interface, aliens abducting sk_buff->nfmark, I dunno...) The same system booted with a 2.4 kernel and a 2.6 kernel behave differently. 2.6 was configured with similar options to 2.4. (make oldconfig -> Maybe there's a new option somewhere that I'm missing?)

As far as I can see, bridged traffic control on 2.4 works, 2.6 doesn't: "tc -s class show dev eth0" on a 2.4 kernel shows packets being classified properly, whereas on 2.6, they are not classified properly.

I actually think iptables/ebtables is working properly; in 2.6, ebtables does indeed count the correct number of packets passing through each rule, and assuming that "-j mark" actually marks them, the only possible answer would be that the tc stuff isn't catching those marks.

I'd be really happy to hear any suggestions or ideas, 'cause I'd really love to get 2.6 working! If there's _anything_ I can do that might help debug this stuff, I'd be glad to try.

Cheers,
jon
Hi,

> I actually think iptables/ebtables is working properly; in 2.6, ebtables
> does indeed count the correct number of packets passing through each
> rule, and assuming that "-j mark" actually marks them, the only possible
> answer would be that the tc stuff isn't catching those marks.

I'm using kernel 2.6.3 (just patched with CONNMARK) here and everything works great. Using iptables and CONNMARK to mark packets and CLASSIFY to sort them into different HTB (and CBQ) classes is running flawlessly.

    box:~ # uname -a
    Linux ipp2p 2.6.3 #3 Mon Mar 8 12:56:15 CET 2004 i686 i686 i386 GNU/Linux

    box:~ # tc -s class show dev eth0
    class htb 1:11 parent 1:1 prio 5 rate 100Kbit ceil 2000Kbit burst 1727b cburst 4159b
     Sent 3187475 bytes 55392 pkts (dropped 0, overlimits 0)
     lended: 55392 borrowed: 0 giants: 0
     tokens: 219818 ctokens: 26900

    class htb 1:1 root rate 100Mbit ceil 100Mbit burst 132657b cburst 132657b
     Sent 235605755 bytes 776816 pkts (dropped 0, overlimits 0)
     rate 1340bps 8pps
     lended: 0 borrowed: 0 giants: 0
     tokens: 16939 ctokens: 16939

    class htb 1:10 parent 1:1 prio 1 rate 102300Kbit ceil 100Mbit burst 132528b cburst 132657b
     Sent 232418280 bytes 721424 pkts (dropped 0, overlimits 0)
     rate 1340bps 8pps
     lended: 721424 borrowed: 0 giants: 0
     tokens: 16939 ctokens: 16939

    box:~ # iptables -t mangle -L -n -v
    Chain MARKED (1 references)
     pkts bytes target   prot opt in  out source    destination
    55392 2412K CLASSIFY all  --  *   *   0.0.0.0/0 0.0.0.0/0   PHYSDEV match --physdev-out eth0 CLASSIFY set 1:11

Also using tc filter rules instead of CLASSIFY puts traffic in the appropriate classes. For me everything works just as fine as it did with kernel 2.4.x.

Regards,
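Added example, not code posted by anyone in this thread: a script for the goal in the opening post (cap every host in a /24 at 512k in each direction) on a two-port bridge. The point it makes is independent of the 2.4/2.6 question: an egress qdisc only shapes frames that leave through that interface, and on a bridge frames to a host leave through the inside port while frames from it leave through the outside port, so a qdisc on eth0 alone can never cap both directions, whichever kernel runs it. The interface names IN_DEV=eth0 and OUT_DEV=eth1, the hypothetical script name, and the use of HTB (the last reply shows HTB working on 2.6.3) rather than the original CBQ are assumptions. Without APPLY=1 the script only prints the commands, so it can be reviewed without root; after applying, "tc -s class show dev eth0" as used in the thread shows whether packets land in the per-host classes or in the default class 1:fffe. The iptables/physdev route in the last reply needs CONFIG_BRIDGE_NETFILTER in the 2.6 kernel; the plain u32 filters here do not depend on it.

```shell
#!/bin/sh
# Added example, not code from the thread. Per-host shaping on a two-port bridge.
# Assumptions (hypothetical names): IN_DEV is the bridge port facing the shaped
# /24, OUT_DEV the port facing upstream; HTB is used instead of the post's CBQ.
# With APPLY=1 the tc commands are executed (root required); otherwise they are
# printed so the plan can be reviewed first.

IN_DEV=${IN_DEV:-eth0}
OUT_DEV=${OUT_DEV:-eth1}
RATE=${RATE:-512kbit}     # per-host cap in each direction
LINK=${LINK:-100mbit}     # physical link rate, used for the unclassified class

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Root HTB qdisc on one bridge port. Anything no filter claims goes to 1:fffe
# at link rate, so a missed match shows up as traffic counted in that class
# rather than as a silently dropped frame.
setup_root() {
    dev=$1
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    run tc qdisc add dev "$dev" root handle 1: htb default fffe
    run tc class add dev "$dev" parent 1: classid 1:fffe htb rate "$LINK"
}

# Class id for a host: 256 plus the last octet, printed in hex (tc minors are hex).
host_classid() {
    printf '1:%x' $((256 + ${1##*.}))
}

# Per-host class and u32 filter on one port. An egress qdisc only sees frames
# that leave through that port: on a bridge, traffic *to* the host leaves via
# IN_DEV and traffic *from* the host leaves via OUT_DEV, so the match key flips
# (dst on the inside port, src on the outside port) and both ports need a qdisc
# before "in and out" is actually capped.
shape_host() {
    dev=$1; ip=$2
    cid=$(host_classid "$ip")
    if [ "$dev" = "$IN_DEV" ]; then key=dst; else key=src; fi
    run tc class add dev "$dev" parent 1: classid "$cid" htb rate "$RATE" ceil "$RATE"
    run tc filter add dev "$dev" parent 1: protocol ip prio 16 u32 \
        match ip "$key" "$ip/32" flowid "$cid"
}

# Whole /24: one class per host on each port.
shape_subnet() {
    net=$1   # first three octets, e.g. 192.168.19
    i=1
    while [ "$i" -le 254 ]; do
        shape_host "$IN_DEV"  "$net.$i"
        shape_host "$OUT_DEV" "$net.$i"
        i=$((i + 1))
    done
}

# Usage: [APPLY=1] sh shape-bridge.sh 192.168.19
if [ -n "${1:-}" ]; then
    setup_root "$IN_DEV"
    setup_root "$OUT_DEV"
    shape_subnet "$1"
fi
```

The per-direction split is the part worth checking on a real box: after applying, bytes for host .184 should grow in class 1:1b8 on eth0 when the host downloads and in class 1:1b8 on eth1 when it uploads; if they only ever grow in 1:fffe, the filters are not matching and the kernel-side question from this thread is what to look at next.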