Thomas Reiß
2004-Apr-19 12:58 UTC
Prioritizing on a Bridge doesn't seem to work correctly, ingress does not function
Hi there,
I tried to set up a Linux bridge to prioritize some interactive (Citrix /
https) traffic to 1.2.3.4 on my ADSL link, but I think it does not work correctly.
Overview:
Router <-> eth1 [Linux Bridge] eth0 <-> internal Net
This is my script (with friendly support from the Linux Advanced Routing &
Traffic Control HOWTO):
#!/bin/sh
#
# ADSL 1500/160kbit Down/Upload
UPLOAD=140
#DOWNLOAD=1130
DOWNLOAD=1330
## IP addresses: TKH = internal, SAD = external
# internal host
TKH=1.2.3.4
# external partner
SAD=5.6.7.8
## create root qdisc (unmarked traffic lands in class 1:11)
tc qdisc add dev eth1 root handle 1: htb default 11
## create upload class
tc class add dev eth1 parent 1: classid 1:1 htb rate ${UPLOAD}kbit ceil ${UPLOAD}kbit
# upload interactive and "connection begin" class
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 30kbit ceil ${UPLOAD}kbit prio 0 burst 4k quantum 6000
# upload web class and default
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 70kbit ceil 100kbit prio 1 burst 2k quantum 1500
# upload SMTP class
tc class add dev eth1 parent 1:1 classid 1:12 htb rate 20kbit ceil 100kbit prio 2 quantum 1500
# handle mapping: fair queueing inside the web and SMTP leaves
tc qdisc add dev eth1 parent 1:11 handle 120: sfq perturb 10
tc qdisc add dev eth1 parent 1:12 handle 130: sfq perturb 10
#
## Setting the priorities of the individual classes, for use with iptables
#
# mark mapping: fwmark 1/2/3 -> class 1:10/1:11/1:12
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev eth1 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
tc filter add dev eth1 parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12
# set marks on the right packets
# You can start marking packets by adding rules to the PREROUTING chain in the
# mangle table.
iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p icmp -j RETURN
# A good idea is to prioritize packets that begin TCP connections, those with the
# SYN flag set. Both rules are appended (-A): inserting both with -I would put
# the RETURN rule in front of the MARK rule, so SYN packets would never be marked.
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
# We have done a -j RETURN so packets don't traverse all rules. ICMP
# packets won't match other rules below RETURN. Keep that in mind. Now we
# can start adding more rules; let's do proper TOS handling:
iptables -t mangle -A PREROUTING -p tcp -m tos --tos Minimize-Delay -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tos --tos Minimize-Delay -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tos --tos Minimize-Cost -j MARK --set-mark 0x3
iptables -t mangle -A PREROUTING -p tcp -m tos --tos Minimize-Cost -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tos --tos Maximize-Throughput -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tos --tos Maximize-Throughput -j RETURN
# high prio Citrix / https connections: towards the partner on port 443 (-d/--dport)
# and the replies coming back from it (-s/--sport)
iptables -t mangle -A PREROUTING -p tcp -d ${SAD} --dport 443 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -s ${SAD} --sport 443 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -d ${SAD} --dport 443 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -s ${SAD} --sport 443 -j RETURN
# low prio SMTP connections
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 0x3
#
# download limiting
# extra ingress qdisc
tc qdisc add dev eth1 handle ffff: ingress
# filter/throttle everything that arrives too fast
tc filter add dev eth1 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${DOWNLOAD}kbit burst 10k drop flowid :1
So my problems are:
1) A big download never gets more than ~100kbit (most of the time it is
much lower). Why is that?
- Should it not have the speed of the download rate from the ingress qdisc?
- The ingress qdisc counter shows 0 packets sent. Why doesn't this work?
2) When the download runs, it breaks interactivity on the Citrix clients.
Can anybody explain to me why?
- Citrix clients should have the highest priority, and the counters of the classes
1:10, 1:11 and 1:12 show different values.
So I think the mangling with iptables should work.
3) When big e-mails go out of our network, it breaks
interactivity on the Citrix clients. Can anybody explain to me why?
Here some minor infos:
- Debian Woody backport kernel 2.6.2
- htb version 3.15
I think I am doing something wrong, but can anybody please point me in the right
direction?
Thank you
Thomas
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Damion de Soto
2004-Apr-19 23:32 UTC
Re: Prioritizing on a Bridge doesn't seem to work correctly, ingress does not function
Thomas Reiß wrote:
> I tried to set up a Linux bridge to prioritize some interactive (Citrix / https) traffic to 1.2.3.4 on my ADSL link, but I think it does not work correctly.
---snip----
> 1) A big download never gets more than ~100kbit (most of the time it is much lower). Why is that?
> - Should it not have the speed of the download rate from the ingress qdisc?
> - The ingress qdisc counter shows 0 packets sent. Why doesn't this work?
---snip---
> I think I am doing something wrong, but can anybody please point me in the right direction?

I couldn't make ingress policing work with bridges either. I just changed to egress shaping on both interfaces (since it's a gateway router).
I vaguely recall someone else discussing this on the list recently - can't remember what the result was though.

--
Damion de Soto - Software Engineer
email: damion@snapgear.com
SnapGear - A CyberGuard Company
Custom Embedded Solutions and Security Appliances
ph: +61 7 3435 2809 | fax: +61 7 3891 3630
web: http://www.snapgear.com
--- Free Embedded Linux Distro at http://www.snapgear.org ---
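The egress-only layout Damion describes, written out as an added example (it is not code from either poster): download is shaped on the LAN-facing port and upload on the router-facing port, each with its own HTB tree, and the fwmark-to-class mapping (1/2/3 -> 1:10/1:11/1:12) is the same one Thomas's script uses, so his iptables mangle rules can stay as they are. The interface roles (eth1 toward the router, eth0 toward the LAN), the 30/50/20 rate split, the bridge-nf sysctl check and the DRY_RUN switch are assumptions of this example, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): egress HTB shaping on both ports of the
# bridge instead of ingress policing. Assumed roles: eth1 faces the router, so
# upload leaves through it; eth0 faces the LAN, so download leaves through it.
# fwmark 1/2/3 -> class 1:10/1:11/1:12, matching the mapping in Thomas's script.
# DRY_RUN=1 prints the tc commands instead of running them (tc itself needs root).

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# shape_egress IFACE RATE_KBIT
# Builds one HTB tree per port. The assumed split is 30% guaranteed for
# interactive traffic, 50% for the default class and 20% for bulk; every class
# may borrow up to the full rate while the others are idle. Keep RATE_KBIT a
# little below the real link rate so the queue builds here and not in the modem.
shape_egress() {
    iface=$1
    rate=$2
    inter=$((rate * 30 / 100))
    deflt=$((rate * 50 / 100))
    bulk=$((rate - inter - deflt))

    run tc qdisc add dev "$iface" root handle 1: htb default 11
    run tc class add dev "$iface" parent 1: classid 1:1 htb rate "${rate}kbit" ceil "${rate}kbit"
    run tc class add dev "$iface" parent 1:1 classid 1:10 htb rate "${inter}kbit" ceil "${rate}kbit" prio 0
    run tc class add dev "$iface" parent 1:1 classid 1:11 htb rate "${deflt}kbit" ceil "${rate}kbit" prio 1
    run tc class add dev "$iface" parent 1:1 classid 1:12 htb rate "${bulk}kbit" ceil "${rate}kbit" prio 2
    # fair queueing inside each leaf so one flow cannot monopolise its class
    run tc qdisc add dev "$iface" parent 1:10 handle 110: sfq perturb 10
    run tc qdisc add dev "$iface" parent 1:11 handle 120: sfq perturb 10
    run tc qdisc add dev "$iface" parent 1:12 handle 130: sfq perturb 10
    # fwmark -> class, same numbering as the original script
    run tc filter add dev "$iface" parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
    run tc filter add dev "$iface" parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
    run tc filter add dev "$iface" parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12
}

# The mangle rules only see bridged frames when bridge-netfilter is enabled;
# on a 2.6 kernel that is this sysctl. Returns 0 when the hook is active.
bridge_nf_active() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Per-class counters: a class whose "Sent" figure never moves tells you the
# corresponding mark is never being set.
show_classes() {
    run tc -s class show dev "$1"
}

if [ "${1:-}" = "apply" ]; then
    bridge_nf_active || echo "warning: bridge-nf-call-iptables is not 1; marks will not be set on bridged traffic" >&2
    shape_egress eth1 140    # upload toward the router (ADSL 160kbit up, per the thread)
    shape_egress eth0 1330   # download toward the LAN (ADSL 1500kbit down, per the thread)
    show_classes eth1
    show_classes eth0
fi
```

Run it as `DRY_RUN=1 sh shape.sh apply` first to read the generated tc commands, then as root with `sh shape.sh apply`. Shaping the download on eth0's egress means the bridge queues and reorders packets it has already received, so the class counters from `show_classes` actually move, unlike the ingress policer in the original setup.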