LARTC - Apr 2007 - tc questions

Hi to all of you!!!

I am a Computer Science student trying to do the pre-grade thesis. I am trying 
to develop a free software tool to help administrators to control the 
traffic. Right now this tool is based on tc and iptables.
I am having some problems trying to understand tc and tc examples:
- Why in almost every list of tc rules based on htb class, there is a "tc 
qdisc dev ... root ... htb default ..." as a root node? Is it mandatory to 
work with htb class?
- I understood that every class node has its own qdisc attached (fifo by 
default, right?). If that is the case, why when I do "tc qdisc show
..." it
JUST shows me those qdisc I explicitly attached to classes without any child 
class?
- What should I expect if I run something like this?

tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 90mbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1kbit
tc class add dev eth0 parent 1:20 classid 1:21 htb rate 10mbit

I guessed the traffic redirected to 1:21 should have 1kbit of rate at most 
(because of its parent 1:20), but when I ran this, I got a higher rate 
(because of the 10mbit rate, I guess). Why? Shouldn''t parent classes
restrict
children''s rate?

Thanks in advance. Regards, Ale.

-- 
Alejandro Ramos Encinosa <alex@uh.cu>
Fac. Matemática Computación
Universidad de La Habana

Hi Alejandro
>Hi to all of you!!!
>
>I am a Computer Science student trying to do the pre-grade thesis. I am
trying 
>to develop a free software tool to help administrators to control the 
>traffic. Right now this tool is based on tc and iptables.
>I am having some problems trying to understand tc and tc examples:
>- Why in almost every list of tc rules based on htb class, there is
>  a "tc qdisc dev ... root ... htb default ..." as a root node?
>  Is it mandatory to work with htb class?
It is not mandatory to attach a HTB qdisc to the root. You can attach
it to any classfull qdisc''s cass.

You can only create HTB classes under a HTB qdisc, and you can only
create CBQ classes under a CBQ class. However you can attach any
qdisc to a given class.
What is exactly that you find strange?
>- I understood that every class node has its own qdisc attached
>  (fifo by default, right?).
Correct.
To be exact, most qdiscs use Packet FIFO (pfifo) by default, but that''s
not a rule (there are exceptions).
>If that is the case, why when I do "tc qdisc show ..." it 
>JUST shows me those qdisc I explicitly attached to classes without any
child 
>class?
The default pFIFO qdisc that get attached to the classes are not
shown by the above command.
>- What should I expect if I run something like this?
>
>tc qdisc add dev eth0 root handle 1: htb default 10
>tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit
>tc class add dev eth0 parent 1:1 classid 1:10 htb rate 90mbit
>tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1kbit
>tc class add dev eth0 parent 1:20 classid 1:21 htb rate 10mbit
>
>I guessed the traffic redirected to 1:21 should have 1kbit of rate at
most 
>(because of its parent 1:20), but when I ran this, I got a higher rate 
>(because of the 10mbit rate, I guess). Why? Shouldn''t parent
classes
restrict 
>children''s rate?
I would say that that is a misconfiguration.
Neither the tc command nor the kernel gives you any warning.
You could implement it as part of your project ... :)

You are right. Class 1:20 does not limit the class 1:21''s rate to
1kbit.
This is due to the way the kernel schedules the HTB classes.
Note that since you did not use the "ceil" config option, class 1:21
gets by default "ceil" = "rate" = 10mbit, and therefore it
can not
borrow from its parent 1:20.
There would be nothing to borrow anyway, since 1:20 is limited to
1kbit (rate=cel=1kbit).

Regards
/Christian
[http://benve.info]

On Wednesday 04 April 2007 13:13, Christian Benvenuti
wrote:
> Hi Alejandro
Hi Christian!
> It is not mandatory to attach a HTB qdisc to the root. You can attach
> it to any classfull qdisc''s cass.
Yes, I know. I was trying to ask why to attach htb qdisc instead of htb class 
to the root. In fact, I really don''t understand what means "htb
qdisc" since
I just know htb as a classfull tc node, and (I guess) qdisc are classless tc 
nodes (am I wrong?)
> You can only create HTB classes under a HTB qdisc, and you can only
> create CBQ classes under a CBQ class. However you can attach any
> qdisc to a given class.
> What is exactly that you find strange?
Well, I thought I just could attach qdisc nodes to class nodes, not viceversa, 
and that''s the case when attaching htb qdisc to the root and then,
declaring
a child of the root as a htb class, doesn''t it?
> Correct.
> To be exact, most qdiscs use Packet FIFO (pfifo) by default, but
that''s
> not a rule (there are exceptions).
Haha, well, that''s why rules are for: to break them with exceptions ;)
...just kidding, of course!
> The default pFIFO qdisc that get attached to the classes are not
> shown by the above command.
...and which is the command that will show them??
> I would say that that is a misconfiguration.
> Neither the tc command nor the kernel gives you any warning.
> You could implement it as part of your project ... :)
I agree with you: it is a wrong configuration, and I need to deal with it as 
part of my project. But I am able to run those lines, and I will get a 
behavior, and I want to know if there is some kind of logic around it: ...how 
it works??
> You are right. Class 1:20 does not limit the class 1:21''s rate to
1kbit.
> This is due to the way the kernel schedules the HTB classes.
Could you (please) tell me more about how the kernel do this?
> Note that since you did not use the "ceil" config option, class
1:21
> gets by default "ceil" = "rate" = 10mbit, and therefore
it can not
> borrow from its parent 1:20.
> There would be nothing to borrow anyway, since 1:20 is limited to
> 1kbit (rate=cel=1kbit).
>
> Regards
> /Christian
> [http://benve.info]
Thank you very much!!

-- 
Alejandro Ramos Encinosa <alex@uh.cu>
Fac. Matemática Computación
Universidad de La Habana

Alejandro Ramos Encinosa wrote:
> Hi to all of you!!!
> 
> I am a Computer Science student trying to do the pre-grade thesis. I am
trying
> to develop a free software tool to help administrators to control the 
> traffic. Right now this tool is based on tc and iptables.
> I am having some problems trying to understand tc and tc examples:
> - Why in almost every list of tc rules based on htb class, there is a
"tc
> qdisc dev ... root ... htb default ..." as a root node? Is it
mandatory to
> work with htb class?
> - I understood that every class node has its own qdisc attached (fifo by 
> default, right?). If that is the case, why when I do "tc qdisc show
..." it
> JUST shows me those qdisc I explicitly attached to classes without any
child
> class?
> - What should I expect if I run something like this?
> 
> tc qdisc add dev eth0 root handle 1: htb default 10
> tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 90mbit
> tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1kbit
> tc class add dev eth0 parent 1:20 classid 1:21 htb rate 10mbit
> 
> I guessed the traffic redirected to 1:21 should have 1kbit of rate at most 
> (because of its parent 1:20), but when I ran this, I got a higher rate 
> (because of the 10mbit rate, I guess). Why? Shouldn''t parent
classes restrict
> children''s rate?
> 
> Thanks in advance. Regards, Ale.
> 
In addition to what Christian said - have you seen the docs on the htb 
homepage -

http://luxik.cdi.cz/~devik/qos/htb/

and Steph Coene''s work -

http://www.docum.org

Andy.

Hi Alejandro
>Yes, I know. I was trying to ask why to attach htb qdisc instead
>of htb class to the root.
>In fact, I really don''t understand what means "htb qdisc"
since
>I just know htb as a classfull tc node, and (I guess) qdisc are
>classless tc nodes (am I wrong?)
mhmh, I think you are a little confused here. I would recommend
reading both the document on HTB pointed out by Andy and the
general LARTC howto.

Traffic control defines different object types:

- qdisc (queueing disciplines: how packets enqueued/dequeued)
  HTB is one kind of qdisc.

- classes (a mechanims for organizing packets inside qdiscs)
  Only classfull qdiscs allow you to create classes ...
  HTB is a classful qdisc.

- classifiers (used to define filters to map traffic to classes)

- classifier extensions: legacy policers and actions.
  (one of the action types is "police", which replaces the legacy
  policers)

- ...
>> You can only create HTB classes under a HTB qdisc, and you can only
>> create CBQ classes under a CBQ class. However you can attach any
>> qdisc to a given class.
>> What is exactly that you find strange?
>Well, I thought I just could attach qdisc nodes to class nodes, not
>viceversa, and that''s the case when attaching htb qdisc to the root
>and then, declaring a child of the root as a htb class, doesn''t it?
You can create classes inside classfull qdiscs. The classes you create
are of the same type as the parent qdisc, which explains why you create
HTB classes inside HTB qdiscs.

You can attach a qdisc to class
(if you want to replace the default pFIFO).

Well, you can also attach a qdisc directly to another qdisc if you
like, but it makes sense only in few cases.
>> The default pFIFO qdisc that get attached to the classes are not
>> shown by the above command.
>...and which is the command that will show them??
There is no command that does that.
If you really want to see them, you can explicitly attach a pFIFO
queue to the classes.
>> I would say that that is a misconfiguration.
>> Neither the tc command nor the kernel gives you any warning.
>> You could implement it as part of your project ... :)
>I agree with you: it is a wrong configuration, and I need to deal with
it as 
>part of my project. But I am able to run those lines, and I will get a 
>behavior, and I want to know if there is some kind of logic around
it: ...how 
>it works??
There are lots of misconfigurations that neither the tc command nor
the kernel detects or cares about. The one you pointed out is
just one of them.
>> You are right. Class 1:20 does not limit the class 1:21''s rate
to
>> 1kbit.
>> This is due to the way the kernel schedules the HTB classes.
>Could you (please) tell me more about how the kernel do this?
You can refer to the document pointed out by Andy:
	http://luxik.cdi.cz/~devik/qos/htb/
Devik has documented HTB fairly well.

This is a simplified model:

  for each level L (starting from the leafs)
    for each  priority P (starting from the highest priority)
      for each class C with priority P at level L 
        serve class C

Regards
/Christian
[http://benve.info]

First of all, I want to thank to Christian and Andy for answer me.
Hi to all!
> mhmh, I think you are a little confused here. I would recommend
> reading both the document on HTB pointed out by Andy and the
> general LARTC howto.
I will.
> Traffic control defines different object types:
>
> - qdisc (queueing disciplines: how packets enqueued/dequeued)
>   HTB is one kind of qdisc.
>
> - classes (a mechanims for organizing packets inside qdiscs)
>   Only classfull qdiscs allow you to create classes ...
>   HTB is a classful qdisc.
>
> - classifiers (used to define filters to map traffic to classes)
>
> - classifier extensions: legacy policers and actions.
>   (one of the action types is "police", which replaces the legacy
>   policers)
Oh!!, now I understand!!
> >> The default pFIFO qdisc that get attached to the classes are not
> >> shown by the above command.
> >
> >...and which is the command that will show them??
>
> There is no command that does that.
> If you really want to see them, you can explicitly attach a pFIFO
> queue to the classes.
I can do that, but I even have more problems: if I attach a qdisc to a class 
(lets say, attach an sfq qdisc to an htb class) and the class node is not a 
leaf, then when I do `tc qdisc show dev eth0` it doesn''t show me the
qdisc
attached. Why? How can I get its statistics?
>   for each level L (starting from the leafs)
>     for each  priority P (starting from the highest priority)
>       for each class C with priority P at level L
>         serve class C
hmm, that make sense for me
> Regards
> /Christian
> [http://benve.info]
Thanks in advance. Regards, Ale.

-- 
Alejandro Ramos Encinosa <alex@uh.cu>
Fac. Matemática Computación
Universidad de La Habana

Hi to all.
>>>> why when I do "tc qdisc show ..." it JUST shows me
those qdisc I
>>>> explicitly attached to classes without any child class?
>
>>> The default pFIFO qdisc that get attached to the classes are not
>>> shown by the above command.
>
>>...and which is the command that will show them??
>
> There is no command that does that.
> If you really want to see them, you can explicitly attach a pFIFO
> queue to the classes.
I have a little question here:
If I understood well, if I want to see a classless qdisc statistics I must 
explicity attach the qdisc to the classful qdisc. However, I have (for 
example) the following configuration and I still don''t get the
statistics for
120: (just for 1: and 121:):

----------------------------8<--------------------------------8<-----------------------------
tc qdisc add dev eth1 root handle 1: htb default 10

tc class add dev eth1 parent 1: classid 1:1 htb rate 100mbit

tc class add dev eth1 parent 1:1 classid 1:10 htb rate 2mbit
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 98mbit
tc qdisc add dev eth1 parent 1:20 handle 120: sfq perturb 10

tc class add dev eth1 parent 1:20 classid 1:21 htb rate 49mbit
tc qdisc add dev eth1 parent 1:21 handle 121: sfq perturb 10

tc filter add dev eth1 protocol ip parent 1: prio 1 u32 match ip dst 10.6.70.1 
flowid 1:20
tc filter add dev eth1 protocol ip parent 1:20 prio 1 u32 match ip sport 80 
0xffff flowid 1:21
---------------------------->8-------------------------------->8-----------------------------

If I run `tc -s qdisc show dev eth1'' then I will get something like 

----------------------------8<--------------------------------8<-----------------------------
qdisc htb 1: r2q 10 default 10 direct_packets_stat 0
 Sent 2284 bytes 7 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc sfq 121: parent 1:21 limit 128p quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
---------------------------->8-------------------------------->8-----------------------------

i.e. not 120: at all!!! and I need to get that flow.
Worth of that is that if I run `tc -s class show dev eth1'' then I will
get
this for class 1:20

----------------------------8<--------------------------------8<-----------------------------
class htb 1:20 parent 1:1 rate 98000Kbit ceil 98000Kbit burst 50580b cburst 
50580b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 4229 ctokens: 4229
---------------------------->8-------------------------------->8-----------------------------

and I am sure I am generating traffic that matchs its filter. Can any of you 
to help me?

PS: what I really want is a way to obtain statistics for each qdisc.
-- 
Alejandro Ramos Encinosa <alex@uh.cu>
Fac. Matemática Computación
Universidad de La Habana

Hello.

I may be misunderstanding what you are trying to do, but I think

tc -s class ls dev eth1

shows the stats you want.

note on the "class" word

On 4/9/07, Alejandro Ramos Encinosa <alex@uh.cu>
wrote:
> Hi to all.
>
> >>>> why when I do "tc qdisc show ..." it JUST shows
me those qdisc I
> >>>> explicitly attached to classes without any child class?
> >
> >>> The default pFIFO qdisc that get attached to the classes are
not
> >>> shown by the above command.
> >
> >>...and which is the command that will show them??
> >
> > There is no command that does that.
> > If you really want to see them, you can explicitly attach a pFIFO
> > queue to the classes.
> I have a little question here:
> If I understood well, if I want to see a classless qdisc statistics I must
> explicity attach the qdisc to the classful qdisc. However, I have (for
> example) the following configuration and I still don''t get the
statistics for
> 120: (just for 1: and 121:):
>
>
----------------------------8<--------------------------------8<-----------------------------
> tc qdisc add dev eth1 root handle 1: htb default 10
>
> tc class add dev eth1 parent 1: classid 1:1 htb rate 100mbit
>
> tc class add dev eth1 parent 1:1 classid 1:10 htb rate 2mbit
> tc class add dev eth1 parent 1:1 classid 1:20 htb rate 98mbit
> tc qdisc add dev eth1 parent 1:20 handle 120: sfq perturb 10
>
> tc class add dev eth1 parent 1:20 classid 1:21 htb rate 49mbit
> tc qdisc add dev eth1 parent 1:21 handle 121: sfq perturb 10
>
> tc filter add dev eth1 protocol ip parent 1: prio 1 u32 match ip dst
10.6.70.1
> flowid 1:20
> tc filter add dev eth1 protocol ip parent 1:20 prio 1 u32 match ip sport 80
> 0xffff flowid 1:21
>
---------------------------->8-------------------------------->8-----------------------------
>
> If I run `tc -s qdisc show dev eth1'' then I will get something
like
>
>
----------------------------8<--------------------------------8<-----------------------------
> qdisc htb 1: r2q 10 default 10 direct_packets_stat 0
>  Sent 2284 bytes 7 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc sfq 121: parent 1:21 limit 128p quantum 1514b perturb 10sec
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>
---------------------------->8-------------------------------->8-----------------------------
>
> i.e. not 120: at all!!! and I need to get that flow.
> Worth of that is that if I run `tc -s class show dev eth1'' then I
will get
> this for class 1:20
>
>
----------------------------8<--------------------------------8<-----------------------------
> class htb 1:20 parent 1:1 rate 98000Kbit ceil 98000Kbit burst 50580b cburst
> 50580b
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 4229 ctokens: 4229
>
---------------------------->8-------------------------------->8-----------------------------
>
> and I am sure I am generating traffic that matchs its filter. Can any of
you
> to help me?
>
> PS: what I really want is a way to obtain statistics for each qdisc.
> --
> Alejandro Ramos Encinosa <alex@uh.cu>
> Fac. Matemática Computación
> Universidad de La Habana
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

-- 
Marco

Alejandro Ramos Encinosa wrote:
> tc qdisc add dev eth1 parent 1:20 handle 120: sfq perturb 10
> 
> tc class add dev eth1 parent 1:20 classid 1:21 htb rate 49mbit
This is a misconfiguration, it doesn''t make sense to add sfq and
another
htb class to 1:20.

Andy.

Hi,
>Hello.
>
>I may be misunderstanding what you are trying to do, but I think
>
>tc -s class ls dev eth1
>
>shows the stats you want.
>
>note on the "class" word
The above command is good for getting the statistics, but it does not
return the current status of the class''s queue (i.e., the number of
packets in it).
However, in most cases the statistics is what you want, therefore Marco
is right.

Regards
/Christian
[http://benve.info]

On Tuesday 10 April 2007 22:11, Andy Furniss wrote:
> Alejandro Ramos Encinosa wrote:
> > tc qdisc add dev eth1 parent 1:20 handle 120: sfq perturb 10
> >
> > tc class add dev eth1 parent 1:20 classid 1:21 htb rate 49mbit
>
> This is a misconfiguration, it doesn''t make sense to add sfq and
another
> htb class to 1:20.
...why? The case I am trying to deal with is an scenario where some traffic 
goes into 1:20 (something like the traffic from/to the subnet 10.6.70.0/24) 
and then, I want to shape specifically some other traffic type (for example, 
the ssh connections from/to subnet 10.6.70.0/24). Is there another way to do 
it? Please, take a in mind that (in my example) I want to enclose the whole 
traffic from/to the subnet 10.6.70.0/24 and from that traffic I want to give 
an special treatment to ssh traffic.
>
> Andy.
Regards, Ale.

-- 
Alejandro Ramos Encinosa <alex@uh.cu>
Fac. Matemática Computación
Universidad de La Habana

Alejandro Ramos Encinosa wrote:
> On Tuesday 10 April 2007 22:11, Andy Furniss wrote:
>   
>> Alejandro Ramos Encinosa wrote:
>>     
>>> tc qdisc add dev eth1 parent 1:20 handle 120: sfq perturb 10
>>>
>>> tc class add dev eth1 parent 1:20 classid 1:21 htb rate 49mbit
>>>       
>> This is a misconfiguration, it doesn''t make sense to add sfq
and another
>> htb class to 1:20.
>>     
> ...why? The case I am trying to deal with is an scenario where some traffic
> goes into 1:20 (something like the traffic from/to the subnet 10.6.70.0/24)
> and then, I want to shape specifically some other traffic type (for
example,
> the ssh connections from/to subnet 10.6.70.0/24). Is there another way to
do
> it? Please, take a in mind that (in my example) I want to enclose the whole
> traffic from/to the subnet 10.6.70.0/24 and from that traffic I want to
give
> an special treatment to ssh traffic.
>   
>> Andy.
>>     
> Regards, Ale.
>   
You can''t attach qdisc to HTB inner class, because only leaf classes
can
hold packet queue. You have to create inner class with bandwith 
allocation for 10.6.70.0/24 and attach child classes to it (for SSH, 
RDP, ... whatever). Please check HTB manual and theory here 
http://luxik.cdi.cz/~devik/qos/htb/ (especially section 3. Sharing 
hierarchy)
/ak

Alejandro Ramos Encinosa wrote:
> On Tuesday 10 April 2007 22:11, Andy Furniss wrote:
>> Alejandro Ramos Encinosa wrote:
>>> tc qdisc add dev eth1 parent 1:20 handle 120: sfq perturb 10
>>>
>>> tc class add dev eth1 parent 1:20 classid 1:21 htb rate 49mbit
>> This is a misconfiguration, it doesn''t make sense to add sfq
and another
>> htb class to 1:20.
> ...why? The case I am trying to deal with is an scenario where some traffic
> goes into 1:20 (something like the traffic from/to the subnet 10.6.70.0/24)
> and then, I want to shape specifically some other traffic type (for
example,
> the ssh connections from/to subnet 10.6.70.0/24). Is there another way to
do
> it? Please, take a in mind that (in my example) I want to enclose the whole
> traffic from/to the subnet 10.6.70.0/24 and from that traffic I want to
give
> an special treatment to ssh traffic.
>> Andy.
> Regards, Ale.
> 
You could add two htb classes under 1:20 and give one higher prio, or 
you could use the prio qdisc. If you really care about latency and have 
many bulk classes on a slow link then hfsc is better than htb. Linux 
hfsc could still be improved.

sfq and b/pfifo should be added on leafs, so you could still use them if 
you created two classes under 1:20.

If you don''t specify a qdisc on htb leafs you get pfifo - but the queue
length will be chosen from the interface that htb is added to - 1000 for 
eth (possibly too long) or 3 on ppp/vlan (too short), so it''s worth 
thinking about queue lengths, adding a qdisc and using the limit 
parameter common to b/pfifo and sfq. (default sfq is 128).

Andy.

Hi Alejandro,
>> Alejandro Ramos Encinosa wrote:
>> > tc qdisc add dev eth1 parent 1:20 handle 120: sfq perturb 10
>> >
>> > tc class add dev eth1 parent 1:20 classid 1:21 htb rate 49mbit
>>
>> This is a misconfiguration, it doesn''t make sense to add sfq
and another
>> htb class to 1:20.
>...why? The case I am trying to deal with is an scenario where some traffic 
>goes into 1:20 (something like the traffic from/to the subnet 10.6.70.0/24) 
>and then, I want to shape specifically some other traffic type (for example,
>the ssh connections from/to subnet 10.6.70.0/24). Is there another way to do
>it? Please, take a in mind that (in my example) I want to enclose the whole 
>traffic from/to the subnet 10.6.70.0/24 and from that traffic I want to give
>an special treatment to ssh traffic.
>>
>
> Andy.
I hope you already managed to find a solution to the above problem.

<GENERIC COMMENT>
I think a question posted on this list does not get any answer in
four main cases:
1- It is not formulated well.
2- No one knows the answer.
3- Everyone knows the answer and thinks someone else will reply sooner
   or later.
4- The same question has been posted already many times and therefore
   a simple search in the list archive would be sufficient to find the
   answer/solution.

If you did find a solution to your problem and you think it can come
useful to others too, I would kindly suggest you to share it with the
list members (especially in the case 2 above).
</GENERIC COMMENT>

Anyway, let me try to answer your questions.

Andy is right: qdisc attached to non-leaf classes are not used by HTB (even
though you can configure them).
Packets must be queued into the leaf classes'' queues.
Non-leaf classes are used only for link-sharing (in the case of HTB).

Here are two examples of solutions to your problem:

1) You define two filters:
   - one for the     SSH(to/from 10.6.70.0/24) traffic
   - one for the Not-SSH to/from 10.6.70.0/24 traffic.
   Both filters would map traffic to 1:20.
   The first filter must be tested first (therefore you should assign
   it an higher priority).
   The rate/ceil parameters configured on 1:20 would apply to all the
   traffic that goes to 1:20 (SSH and Not-SSH).
   By assigning a policer to the first filter you would be able to shape
   the SSH traffic explicitly.

2) Instead of using the same class 1:20 for both SSH and Not-SSH traffic,
   you can create two classes under 1:20, say 1:21 for SSH and 1:22 for Not-SSH.
   In this case you would not need to attach any policer to the filters
   because you can configure two independent rate/ceil parameters for the two
   classes.

Regards
/Christian
[http://benve.info]