Hi there good people, I'm a newbie in what concerns running Linux on machines other than desktops, so I need help from all you gurus out there :-)

I have Linux installed on an old computer (Winchip C6, Pentium clone), acting as a router/firewall for two other computers. Both these machines are connected to the firewall via a dedicated ethernet card each, on different subnets, 192.168.0.7 (eth1) and 192.168.10.3 (eth2). Internet connection (eth0) is a 3Mbit/320Kbit cable modem. The firewall box is configured with iptables, like this:

    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # iptables -A FORWARD -i eth1 -j ACCEPT
    # iptables -A FORWARD -i eth2 -j ACCEPT

At this point I have to stress that I am a complete networking/shaping newbie. I've read the FAQ at lartc.org and my head is still hurting, as it basically felt I was reading Greek. Really ;-)

Right now I have wondershaper htb running to smooth things out, and everything is great. The problem is our internet connection is metered by the Gb, and our monthly cap is somewhat low. My roommate (computer connected to eth2, 192.168.10.x) tends to abuse this (a lot), so I was thinking of throttling his connection to around half of our 3Mbits, in order to lower our monthly bill.

I have read some stuff I found online, but I must face the reality that I really don't know what I'm doing ;-) So, I thought I'd ask you guys, since you're obviously much more familiar with the subject. Could anyone tell me, given the above scenario (masquerading, wondershaper), what 'tc' and 'iptables' commands I should enter on the firewall to limit his IP (192.168.10.3) to, say, 200kb/s (~1650Kbps, if I've done the math right), hard, without the possibility of "borrowing" extra bandwidth even if the connection is otherwise idle?

Any help is really appreciated, otherwise I think I'll have to kick him out, and I really don't want to come to that!

Thanks!
Aidan
Do they charge you for download traffic or both for download/upload? If you are in the first case, this slight modification in the wondershaper script should do the trick.

    ########## downlink #############
    # slow downloads down to somewhat less than the real speed to prevent
    # queuing at our ISP. Tune to see how high you can set it.
    # ISPs tend to have *huge* queues to make sure big downloads are fast
    #
    # attach ingress policer:

    tc qdisc add dev $DEV handle ffff: ingress

    HERE BEGINS THE CHANGE
    # filter for your roommate, drop everything that's
    # coming faster than half the DOWNLINK value:

    tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
       192.168.10.3/24 police rate $[$DOWNLINK/2]kbit burst 10k drop flowid :1
    HERE ENDS THE CHANGE

    # filter *everything* to it (0.0.0.0/0), drop everything that's
    # coming in too fast:

    tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
       0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Oops, sorry, I made one mistake: I forgot we are filtering incoming traffic and then we need to match the destination IP. Also there is no need to filter the whole subnet, so we can set the mask to 32. So this would be the result:

    ########## downlink #############
    # slow downloads down to somewhat less than the real speed to prevent
    # queuing at our ISP. Tune to see how high you can set it.
    # ISPs tend to have *huge* queues to make sure big downloads are fast
    #
    # attach ingress policer:

    tc qdisc add dev $DEV handle ffff: ingress

    HERE BEGINS THE CHANGE
    # filter for your roommate, drop everything that's
    # coming faster than half the DOWNLINK value:

    tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip dst \
       192.168.10.3/32 <http://192.168.10.3/24> police rate $[$DOWNLINK/2]kbit burst 10k drop flowid :1
    HERE ENDS THE CHANGE

    # filter *everything* to it (0.0.0.0/0), drop everything that's
    # coming in too fast:

    tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
       0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
I have just noticed another thing: I just copied the filter, but it should be given a different (lower) prio value. I'm not sure whether this is really necessary, but I think that it is better to do so:

    ########## downlink #############
    # slow downloads down to somewhat less than the real speed to prevent
    # queuing at our ISP. Tune to see how high you can set it.
    # ISPs tend to have *huge* queues to make sure big downloads are fast
    #
    # attach ingress policer:

    tc qdisc add dev $DEV handle ffff: ingress

    HERE BEGINS THE CHANGE
    # filter for your roommate, drop everything that's
    # coming faster than half the DOWNLINK value:

    tc filter add dev $DEV parent ffff: protocol ip prio 49 u32 match ip dst \
       192.168.10.3/32 <http://192.168.10.3/24> police rate $[$DOWNLINK/2]kbit burst 10k drop flowid :1
    HERE ENDS THE CHANGE

    # filter *everything* to it (0.0.0.0/0), drop everything that's
    # coming in too fast:

    tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
       0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
Sorry again and again, I've just noticed that gmail adds some odd stuff to the text version of my mails, so this is the definitive one (I hope):

    ########## downlink #############
    # slow downloads down to somewhat less than the real speed to prevent
    # queuing at our ISP. Tune to see how high you can set it.
    # ISPs tend to have *huge* queues to make sure big downloads are fast
    #
    # attach ingress policer:

    tc qdisc add dev $DEV handle ffff: ingress

    HERE BEGINS THE CHANGE
    # filter for your roommate, drop everything that's
    # coming faster than half the DOWNLINK value:

    tc filter add dev $DEV parent ffff: protocol ip prio 49 u32 match ip dst \
       192.168.10.3/32 police rate $[$DOWNLINK/2]kbit burst 10k drop flowid :1
    HERE ENDS THE CHANGE

    # filter *everything* to it (0.0.0.0/0), drop everything that's
    # coming in too fast:

    tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
       0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
On 9/2/07, Javier Ors <jaorani@gmail.com> wrote:
> Sorry again and again, I've just noticed that gmail adds some odd
> stuff to the text version of my mails, so this is the definitive (I
> hope):

Hello Javier,

Thanks for your reply. Replying to your first question, yes, both upload and download traffic are accounted towards our monthly cap. Lame ISP, I know, but unfortunately I can't do anything about it, as it's the only game in town.

[snip snip]

> HERE BEGINS THE CHANGE
> # filter for your roommate, drop everything that's
> # coming faster than half the DOWNLINK value:
>
> tc filter add dev $DEV parent ffff: protocol ip prio 49 u32 match ip dst \
>    192.168.10.3/32 police rate $[$DOWNLINK/2]kbit burst 10k drop flowid :1
> HERE ENDS THE CHANGE

I tried this, but it doesn't seem to be making any change at all, unfortunately. I started a large download from ftp.kernel.org and it was still coming full steam ahead. I let it go on for a minute or two, hoping it would eventually start to be throttled, but no dice. Is there perhaps any iptables command that goes with it, or something?

Thanks for taking the time to look into this, much appreciated!

Regards,
Aidan
> I tried this, but it doesn't seem to be making any change at all,
> unfortunately. I started a large download from ftp.kernel.org and it
> was still coming full steam ahead. I let it go on for a minute or two,
> hoping it would eventually start to be throttled, but no dice. Is
> there perhaps any iptables command that goes with it, or something?

I don't know. You can also limit with iptables, but it should be ok with this tc filter. Did the script run without errors after making the changes? Can you check that the filter is really present with

    tc filter show dev (your-device)

and paste the result... Now that I think of it, what device have you got configured in the script? It should be eth0 (the cable modem).
On 9/2/07, Javier Ors <jaorani@gmail.com> wrote:
> I don't know. You can also limit with iptables, but should be ok with
> this tc filter. Did the script run without errors after making the
> changes? Can you check that the filter is really present with tc
> filter show dev (your-device) and paste the result... Now that I
> think, what device have you got configured in the script? It should be
> eth0 (the cable modem).

Hi again Javier. Yes, the script runs fine, no errors, see:

    root@fw:/sbin# ./wshaper.htb
    + DOWNLINK=3000
    + UPLINK=273
    + DEV=eth0
    + NOPRIOHOSTSRC
    + NOPRIOHOSTDST
    + NOPRIOPORTSRC
    + NOPRIOPORTDST
    + '[' start = status ']'
    + tc qdisc del dev eth0 root
    + tc qdisc del dev eth0 ingress
    + '[' start = stop ']'
    + tc qdisc add dev eth0 root handle 1: htb default 20
    + tc class add dev eth0 parent 1: classid 1:1 htb rate 273kbit burst 6k
    + tc class add dev eth0 parent 1:1 classid 1:10 htb rate 273kbit burst 6k prio 1
    + tc class add dev eth0 parent 1:1 classid 1:20 htb rate 245kbit burst 6k prio 2
    + tc class add dev eth0 parent 1:1 classid 1:30 htb rate 218kbit burst 6k prio 2
    + tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
    + tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
    + tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
    + tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
    + tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10
    + tc filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
    + tc filter add dev eth0 parent 1: protocol ip prio 18 u32 match ip dst 0.0.0.0/0 flowid 1:20
    + tc qdisc add dev eth0 handle ffff: ingress
    + tc filter add dev eth0 parent ffff: protocol ip prio 49 u32 match ip dst 192.168.0.7/32 police rate 1500kbit burst 10k drop flowid :1
    + tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 3000kbit burst 10k drop flowid :1

I changed the IP to match my machine (192.168.0.7), in order to do some tests, to make sure everything was working. That shouldn't be a problem, should it?

And this is the output of tc filter show dev eth0:

    root@fw:/sbin# tc filter show dev eth0
    filter parent 1: protocol ip pref 10 u32
    filter parent 1: protocol ip pref 10 u32 fh 800: ht divisor 1
    filter parent 1: protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10
      match 00100000/00ff0000 at 0
    filter parent 1: protocol ip pref 10 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:10
      match 00010000/00ff0000 at 8
    filter parent 1: protocol ip pref 10 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:10
      match 00060000/00ff0000 at 8
      match 05000000/0f00ffc0 at 0
      match 00100000/00ff0000 at 32
    filter parent 1: protocol ip pref 18 u32
    filter parent 1: protocol ip pref 18 u32 fh 801: ht divisor 1
    filter parent 1: protocol ip pref 18 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:20
      match 00000000/00000000 at 16

Is everything the way it is supposed to be?

Thanks again for your time.

Regards,
Aidan
Mmmmmm, could you please post the output of this other command?

    tc -s filter show dev eth0 parent ffff:

I've searched a little bit and I think that this solution is not going to work, sorry. I would do the tests on my own machine but for the moment this is not possible... If it is what I'm afraid of, you are going to have to use another scheme, but don't worry, it's easy to find an alternative solution anyway.
On 9/2/07, Javier Ors <jaorani@gmail.com> wrote:

Hello again Javier

> Mmmmmm, could you please post the output of this other command?
> tc -s filter show dev eth0 parent ffff:

Sure!

    root@fw:/root# tc -s filter show dev eth0 parent ffff:
    filter protocol ip pref 49 u32
    filter protocol ip pref 49 u32 fh 800: ht divisor 1
    filter protocol ip pref 49 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid :1
      police 1d action drop rate 1420Kbit burst 10Kb mtu 2Kb
      match c0a80007/ffffffff at 16
     Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
    filter protocol ip pref 50 u32
    filter protocol ip pref 50 u32 fh 801: ht divisor 1
    filter protocol ip pref 50 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid :1
      police 1e action drop rate 2840Kbit burst 10Kb mtu 2Kb
      match 00000000/00000000 at 12
     Sent 91611539 bytes 113192 pkts (dropped 0, overlimits 24)

> I've searched a little bit and I think that this solution is not going
> to work, sorry, I would do the tests on my own machine but for the
> moment this is not possible...

That's ok, I appreciate all the trouble you're going to already! I couldn't possibly ask you more :-)

> If it is what I'm afraid, you are going to have to use another scheme,
> but don't worry, it's easy to find an alternative solution anyway.

Ok. I've been doing some reading, and from the little I could understand, I think the solution would be to mark all packets to/from that particular machine with iptables MARK or somesuch, and then have a class in tc set to whatever bandwidth I want to allocate, and some other tc command to bind those marked packets to that class. This is all theory, of course, I haven't the slightest idea how to accomplish this, or even if this isn't complete hogwash :-)

Regards,
Aidan
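The MARK-plus-HTB-class scheme sketched in the last message, as an added example that is not code from the thread or from wondershaper: an ingress policer on eth0 sees inbound packets before the masquerade is reversed (hence the "Sent 0 bytes" counter on the dst-matching filter above), so this script shapes on the LAN side instead, where the destination is already the private address. It assumes the roommate is 192.168.10.3 behind eth2, a 3000kbit link and a 200 kB/s cap, and uses rate == ceil on the HTB class so it can never borrow idle bandwidth; the interface, host, mark value and DRY_RUN switch are the example's own choices.

```shell
#!/bin/sh
# Added example: hard per-host download cap with iptables MARK + an HTB
# class whose rate equals its ceil, so it cannot borrow from the parent.
# Assumed values: host 192.168.10.3 behind eth2, 3000kbit link, 200 kB/s cap.
# Set DRY_RUN=1 to print the commands instead of executing them.

LAN_DEV=eth2            # interface the roommate's downloads leave on
HOST=192.168.10.3
LINK_KBIT=3000
CAP_KBYTES_PER_S=200
MARK=3                  # arbitrary fwmark value chosen for this example

# 1 kB/s = 8 kbit/s; tc takes rates in bits per second with a "kbit" suffix.
kbytes_to_kbit() {
    echo $(( $1 * 8 ))
}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_cap() {
    cap_kbit=$(kbytes_to_kbit "$CAP_KBYTES_PER_S")

    # Remove any old root qdisc on the LAN interface; ignore the error if none exists.
    run tc qdisc del dev "$LAN_DEV" root 2>/dev/null || true

    # HTB root; traffic that matches no filter falls into the uncapped class 1:20.
    run tc qdisc add dev "$LAN_DEV" root handle 1: htb default 20
    run tc class add dev "$LAN_DEV" parent 1: classid 1:1 htb rate "${LINK_KBIT}kbit"
    # rate == ceil: this class never borrows, even when the link is otherwise idle.
    run tc class add dev "$LAN_DEV" parent 1:1 classid 1:10 htb \
        rate "${cap_kbit}kbit" ceil "${cap_kbit}kbit"
    run tc class add dev "$LAN_DEV" parent 1:1 classid 1:20 htb \
        rate "${LINK_KBIT}kbit" ceil "${LINK_KBIT}kbit"
    # sfq inside the capped class so one flow cannot starve the host's other flows.
    run tc qdisc add dev "$LAN_DEV" parent 1:10 handle 10: sfq perturb 10

    # Mark forwarded packets addressed to the host, then steer that mark into 1:10.
    run iptables -t mangle -A FORWARD -d "$HOST" -j MARK --set-mark "$MARK"
    run tc filter add dev "$LAN_DEV" parent 1: protocol ip prio 1 handle "$MARK" fw flowid 1:10
}

# Run as root with "start" to apply; with DRY_RUN=1 the commands are only printed.
if [ "${1:-}" = "start" ]; then setup_cap; fi
```

Check the result with `tc -s class show dev eth2`: the byte counters on class 1:10 should grow while the host downloads, which the eth0 ingress filter above never did. The upload direction would need a second mark on `-s 192.168.10.3` and a capped class under wondershaper's existing root qdisc on eth0, which this example leaves untouched.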