Howdy all,

I posted this message to the netfilter mailing-list and didn't get much response. I apologize if anyone here is getting this for a second time.

Anyway, I recently migrated my firewall from a FreeBSD box running ipfilter, ipnat and dummynet to a Gentoo Linux box running netfilter and tc. I have to admit that I'm having problems visualizing tc in my head. So, I was wondering if I could get an assist.

Basically, when I run my NNTP client, it uses as much bandwidth as it can get its grubby paws on. I have a 3M wireless connection and my ISP doesn't limit me, but I think they will if I'm constantly using all 3M. So, since my NNTP traffic is pretty much constantly ongoing, I'd like to limit it to 800kbit. This was a breeze with dummynet, but I'm not getting how to do it correctly with netfilter.

Here's what I tried:

$IPT -t mangle -N SHAPE-NNTP
$IPT -t mangle -I PREROUTING -i $WANIFACE -j SHAPE-NNTP
$IPT -t mangle -A SHAPE-NNTP -p tcp --sport 119 -j MARK --set-mark 119

My reasoning for placing it in PREROUTING is that I'd like to shape the traffic as soon as possible so that my firewall gets the benefit of dealing with the reduced load as soon as possible. But, maybe that's just foolishness?

Here are the tc rules I tried:

tc qdisc add dev $WANIFACE root handle 1: htb default 60
tc class add dev $WANIFACE parent 1: classid 1:1 htb rate 10Mbit
tc class add dev $WANIFACE parent 1:1 classid 1:119 htb rate 800kbit
tc filter add dev $WANIFACE parent 1:1 protocol ip handle 119 fw flowid 1:119

The one weird thing is that when I do a 'tc filter show dev $WANIFACE' nothing comes back. But 'tc class show dev $WANIFACE' and 'tc qdisc show dev $WANIFACE' return useful information.
Here's some information that may be relevant:

Linux elijah 2.4.24-hardened-r1 #1 Wed Mar 31 14:20:58 MST 2004 i686 Mobile Pentium II GenuineIntel GNU/Linux
iproute-20010824-r4
iptables-1.2.9

Thanks,
--
Shane Hickey <shane@howsyournetwork.com>: Network/System Consultant
GPG KeyID: 777CBF3F
Key fingerprint: 254F B2AC 9939 C715 278C DA95 4109 9F69 777C BF3F
Listening to: american analog set - you own me
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Since you were already using dummynet, try using NIST NET, the Linux alternative for dummynet.

Nirnimesh.

On Fri, 2004-04-02 at 03:12, Shane Hickey wrote:
> [original message quoted in full; see above]
I found the solution to my exact problem (right down to the NNTP client) at http://mail.gnu.org/archive/html/pan-users/2003-11/msg00009.html

For those who want the answer now without clicking, you can do it all with this:

tc qdisc add dev $WANIFACE handle ffff: ingress
tc filter add dev $WANIFACE parent ffff: protocol ip prio 50 u32 match ip sport 119 0xffff police rate 800kbit burst 15k drop flowid :1

Thanks.
--
Shane Hickey <shane@howsyournetwork.com>: Network/System Consultant
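The egress attempt from the first post and the ingress answer above, put together as an added example; this is not code from the thread, nor from the iproute2 or netfilter projects. It assumes placeholder values (interface eth0, a 3mbit link, the 800kbit/15k cap and mark 119 from the thread, a 2mbit bulk class) that are overridden through the environment, and a kernel with HTB, the ingress qdisc, the fw and u32 classifiers and the police action. It is built around two points: a qdisc on the WAN interface only ever handles packets the router transmits on it, so a mark set in PREROUTING on packets arriving from the ISP never reaches an HTB class there, and the download direction can only be policed with the ingress qdisc; and `tc filter show dev X` without `parent` lists only the filters on the root qdisc, which is why a filter attached under 1:1 appears to vanish.

```shell
#!/bin/sh
# Added example, not code from the thread: rate-limit NNTP on a Linux router
# in both directions. Assumptions (placeholders, override via environment):
#   WANIFACE  - the interface facing the ISP
#   LINK_RATE - the real upstream rate of that link; HTB only shapes if the
#               root class is at or below the physical bottleneck
#   NNTP_RATE / NNTP_BURST - the cap for port 119 traffic
# Needs root and kernel support for sch_htb, sch_ingress, cls_fw, cls_u32
# and the police action. DRY_RUN=1 prints the commands instead of running them.
WANIFACE="${WANIFACE:-eth0}"
LINK_RATE="${LINK_RATE:-3mbit}"
BULK_RATE="${BULK_RATE:-2mbit}"
NNTP_RATE="${NNTP_RATE:-800kbit}"
NNTP_BURST="${NNTP_BURST:-15k}"
NNTP_MARK="${NNTP_MARK:-119}"
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Remove any earlier root and ingress qdiscs so the script is repeatable.
teardown() {
    run tc qdisc del dev "$WANIFACE" root 2>/dev/null || true
    run tc qdisc del dev "$WANIFACE" ingress 2>/dev/null || true
}

# Outbound (posting) direction. A qdisc on $WANIFACE only ever sees packets
# the router transmits on that interface, so the mark must be set on packets
# leaving through it (POSTROUTING -o, destination port 119), not on packets
# arriving from the ISP. The fw filter is attached to the root (parent 1:),
# which is also the only place "tc filter show dev $WANIFACE" looks by default.
egress_htb_nntp() {
    run "$IPT" -t mangle -A POSTROUTING -o "$WANIFACE" -p tcp --dport 119 \
        -j MARK --set-mark "$NNTP_MARK"
    run tc qdisc add dev "$WANIFACE" root handle 1: htb default 10
    run tc class add dev "$WANIFACE" parent 1: classid 1:1 htb \
        rate "$LINK_RATE" ceil "$LINK_RATE"
    run tc class add dev "$WANIFACE" parent 1:1 classid 1:10 htb \
        rate "$BULK_RATE" ceil "$LINK_RATE"
    # ceil = rate pins the class at the cap instead of borrowing idle bandwidth
    run tc class add dev "$WANIFACE" parent 1:1 classid 1:119 htb \
        rate "$NNTP_RATE" ceil "$NNTP_RATE"
    run tc filter add dev "$WANIFACE" parent 1: protocol ip prio 1 \
        handle "$NNTP_MARK" fw flowid 1:119
}

# Inbound (download) direction, which is what the original poster actually
# wanted to cap. Received traffic cannot be queued by an egress qdisc; the
# ingress qdisc can only police it, dropping packets above the token-bucket
# rate so the sending TCP backs off. This is the thread's answer, with the
# u32 match selecting replies from the server's source port 119.
ingress_police_nntp() {
    run tc qdisc add dev "$WANIFACE" handle ffff: ingress
    run tc filter add dev "$WANIFACE" parent ffff: protocol ip prio 50 u32 \
        match ip sport 119 0xffff police rate "$NNTP_RATE" burst "$NNTP_BURST" \
        drop flowid :1
}

# Counters to confirm the filters actually match. Filters live under a
# specific parent, so name it; without "parent" only root filters are listed.
verify() {
    tc -s qdisc show dev "$WANIFACE"
    tc -s class show dev "$WANIFACE"
    tc -s filter show dev "$WANIFACE" parent 1:
    tc -s filter show dev "$WANIFACE" parent ffff:
}

case "${1:-}" in
    apply) teardown; egress_htb_nntp; ingress_police_nntp; verify ;;
    show)  DRY_RUN=1; teardown; egress_htb_nntp; ingress_police_nntp ;;
    *)     : ;;   # no argument: just define the functions
esac
```

`sh shape-nntp.sh show` prints the command set without touching the box; `apply` as root installs it and dumps the counters. While the client is downloading, the police counters under `parent ffff:` should climb and the HTB class 1:119 should stay idle, which confirms that the inbound cap is doing the work. Policing drops rather than queues, so the burst has to hold several full-size segments (the thread's 15k is about ten) or throughput settles well under the nominal rate.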