Hi,
I have a router/firewall running Linux (like the most of you) and I
wanted to do some traffic control.
I've created a root PRIO qdisc like the example in paragraph 9.5.3.1
(http://www.lartc.org/howto/lartc.qdisc.classful.html#AEN903) with three
SFQ child-classes.
I wanted for interactive (ssh, telnet, ftp-control) and dns-traffic to
be placed in the first queue, http should go in the second and all the
other traffic should be placed in the third queue.
For those interested these are the commands issued:
#create the queues
tc qdisc add dev eth0 root handle 1: prio
tc qdisc add dev eth0 parent 1:1 handle 10: sfq
tc qdisc add dev eth0 parent 1:2 handle 20: sfq
tc qdisc add dev eth0 parent 1:3 handle 30: sfq
#add the filters
tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:20
tc filter add dev eth0 parent 1:0 protocol ip prio 3 handle 3 fw classid 1:30
Next I created some iptables rules for marking:
#Traffic for band #1
iptables -t mangle -A PREROUTING -p tcp --sport 22 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp --sport 22 -j RETURN
iptables -t mangle -A PREROUTING -p tcp --sport 23 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp --sport 23 -j RETURN
iptables -t mangle -A PREROUTING -p tcp --sport 21 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp --sport 21 -j RETURN
iptables -t mangle -A PREROUTING -p tcp --sport 53 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp --dport 53 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p udp --sport 53 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p udp --dport 53 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp --sport 53 -j RETURN
iptables -t mangle -A PREROUTING -p tcp --dport 53 -j RETURN
iptables -t mangle -A PREROUTING -p udp --sport 53 -j RETURN
iptables -t mangle -A PREROUTING -p udp --dport 53 -j RETURN
#HTTP traffic should go to band #2
iptables -t mangle -A PREROUTING -p tcp --sport 80 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp --sport 80 -j RETURN
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j RETURN
#All others should go to band #3
iptables -t mangle -A PREROUTING -j MARK --set-mark 0x3
iptables -t mangle -A PREROUTING -j RETURN
I'd have thought that should do the trick, but when I issue the command:
tc -s qdisc ls dev eth0
I got this as the output:
qdisc sfq 30: quantum 1514b
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 20: quantum 1514b
Sent 37645739 bytes 63959 pkts (dropped 0, overlimits 0)
qdisc sfq 10: quantum 1514b
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc prio 1: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 37671714 bytes 64170 pkts (dropped 0, overlimits 0)
As you can see all the traffic goes to 20: while it shouldn't. I thought
that iptables would mark the traffic and the tc filter commands should
direct traffic to the appropriate band.
What am I doing wrong?
Thank you for your time
Jonathan Maasland
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
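An added illustration (not code from the post or from the kernel) of how a prio qdisc maps a filter result onto one of its bands: the minor number of the returned classid selects band 1..bands directly, and anything else, including no match at all, goes through the priomap. The constants mirror the post's setup (three bands, the printed priomap, child qdiscs 10:/20:/30:); the rule that an out-of-range classid falls back to priomap entry 0 is taken from sch_prio.c as I recall it and is an assumption here.

```python
# Model of prio qdisc band selection for packets carrying a firewall mark.
# Everything below is constructed for illustration; the out-of-range
# fallback (priomap[0]) is an assumption about sch_prio.c behaviour.

TC_PRIO_MAX = 15
BANDS = 3
# priomap exactly as printed by "tc -s qdisc ls dev eth0" in the post
PRIOMAP = [1, 2, 2, 2, 1, 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1]
# 0-based band index -> child qdisc handle created in the post
BAND_QDISC = {0: "10:", 1: "20:", 2: "30:"}


def tc_h_min(classid: str) -> int:
    """Minor part of a 'major:minor' tc id; tc parses both halves as hex."""
    return int(classid.split(":")[1], 16)


def prio_band(mark: int, filters: dict, tos_prio: int = 0) -> int:
    """0-based band a packet with firewall mark `mark` lands in.

    `filters` maps an fw filter handle (the mark it matches) to the classid
    the filter returns, i.e. the "handle N fw classid X" pairs.
    """
    classid = filters.get(mark)
    if classid is None:
        # No fw filter matched: fall back to the TOS-driven priomap.
        return PRIOMAP[tos_prio & TC_PRIO_MAX]
    band = tc_h_min(classid) - 1
    if band < 0 or band >= BANDS:
        # classid names something other than prio classes 1:1..1:3
        # (e.g. the child qdisc handle 1:10); assumed fallback: priomap[0].
        return PRIOMAP[0]
    return band


def child_qdisc(mark: int, filters: dict, tos_prio: int = 0) -> str:
    """Handle of the child qdisc that will count the packet's bytes."""
    return BAND_QDISC[prio_band(mark, filters, tos_prio)]


# Filters as written in the post: marks 1..3 -> classids 1:10, 1:20, 1:30.
POSTED_FILTERS = {1: "1:10", 2: "1:20", 3: "1:30"}
# The same marks pointed at the prio classes themselves, for comparison.
BAND_FILTERS = {1: "1:1", 2: "1:2", 3: "1:3"}

if __name__ == "__main__":
    for mark in (1, 2, 3):
        print(f"mark {mark}: posted -> {child_qdisc(mark, POSTED_FILTERS)}, "
              f"band classids -> {child_qdisc(mark, BAND_FILTERS)}")
```

Under the assumed fallback, every marked packet in the posted setup ends up in 20:, which is the pattern the `tc -s qdisc ls` output above shows.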