I'm trying to set up htb traffic shaping. I'm running RH 7.3, so the first thing I did was to go grab the new tc from htb's website. Then, I set up a few things in tcrules. Next, I grabbed the htb example from the Shorewall quickstart area and commented out all but the first line:

run_tc qdisc add dev eth0 root handle 1: htb default 30

`shorewall check` says everything is fine, but when I try to run `shorewall restart` I get:

Processing /etc/shorewall/tcstart ...
RTNETLINK answers: Invalid argument

I know next to nothing about this sort of thing (traffic shaping), so any help would be greatly appreciated.

-Chris
--On Tuesday, March 04, 2003 08:50:59 AM -0800 Chris Petersen <lists@forevermore.net> wrote:

> I'm trying to set up htb traffic shaping. I'm running RH 7.3, so the
> first thing I did was to go grab the new tc from htb's website. Then, I
> set up a few things in tcrules. Next, I grabbed the htb example from
> the Shorewall quickstart area and commented out all but the first line:
>
> run_tc qdisc add dev eth0 root handle 1: htb default 30
>
> `shorewall check` says everything is fine, but when I try to run
> `shorewall restart` I get:

Not surprising since Shorewall check doesn't look at the tcrules file...

> Processing /etc/shorewall/tcstart ...
> RTNETLINK answers: Invalid argument
>
> I know next to nothing about this sort of thing (traffic shaping), so
> any help would be greatly appreciated.

I don't believe that the RH7.3 kernels have HTB support.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
> Not surprising since Shorewall check doesn't look at the tcrules file...

Sorry, forgot to mention that I'm using the 2.4.20 openmosix kernel rpm. It should have htb, though perhaps not. How might I find that out?

-Chris
--On Tuesday, March 04, 2003 05:29:42 PM -0800 Chris Petersen <lists@forevermore.net> wrote:

>> Not surprising since Shorewall check doesn't look at the tcrules file...
>
> Sorry, forgot to mention that I'm using the 2.4.20 openmosix kernel
> rpm. It should have htb, though perhaps not. How might I find that
> out?

grep -i /proc/ksyms

If that produces a lot of output then you probably have HTB support. In that case, you need to follow the instructions at http://www.shorewall.net/troubleshoot.htm under the heading "If the firewall fails to start".

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
> grep -i /proc/ksyms

That's an incomplete statement... grep for what? `cat ...` returns a bunch of text, as does `grep -i htb ...`

> If that produces a lot of output then you probably have HTB support. In
> that case, you need to follow the instructions at
> http://www.shorewall.net/troubleshoot.htm under the heading "If the
> firewall fails to start".

Ok, thanks. I'll poke around there for a while.

-Chris
--On Tuesday, March 04, 2003 06:31:12 PM -0800 Chris Petersen <lists@forevermore.net> wrote:

>> grep -i /proc/ksyms
>
> That's an incomplete statement... grep for what? `cat ...` returns a
> bunch of text, as does `grep -i htb ...`

Yes -- I meant "grep -i htb /proc/ksyms"....

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
>> If that produces a lot of output then you probably have HTB support. In
>> that case, you need to follow the instructions at
>> http://www.shorewall.net/troubleshoot.htm under the heading "If the
>> firewall fails to start".

Ok, I poked around a bit, and figured out that at some point an rpm update must have overwritten my newer copy of tc, so I grabbed it again and things seem to work.

But that leads to more questions. I see in both the shorewall and the advanced routing guides the use of 1:10, 1:20 and 1:30 for htb, but there doesn't seem to be any explanation for how I set these - in shorewall's tcrules file the id is only listed as an integer - is that the 10/20/30 or something else? (there isn't a matching tcrules file to go with the example tcstart).

Again, any help is appreciated..

-Chris
--On Tuesday, March 04, 2003 07:44:47 PM -0800 Chris Petersen <lists@forevermore.net> wrote:

> But that leads to more questions. I see in both the shorewall and the
> advanced routing guides the use of 1:10, 1:20 and 1:30 for htb, but there
> doesn't seem to be any explanation for how I set these - in shorewall's
> tcrules file the id is only listed as an integer - is that the 10/20/30
> or something else?

It is the "handle" value in the filter definitions. e.g.,

run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10

> (there isn't a matching tcrules file to go with the
> example tcstart).

What exactly about the following excerpt from the Traffic Shaping page isn't clear to you?

"My tcrules file that went with this tcstart file is shown in Example 1 above."

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Ok, I think I've figured out most of what I need to know for this except a couple of things...

First, my desired routing setup: I have net, loc and dmz zones set up. I'd like to shape things such that:

ssh *always* has the highest priority (I got the info for doing this from the advanced routing howto).
traffic from loc is second highest.
then dmz, then stuff coming from the firewall (it hosts a couple of things on a separate IP, to specific other IPs).

I (think I) know how to set all of this up between tcrules and tcstart, but am curious about precedence.... if I set up something in tcrules like:

2 10.0.0.0/24 0.0.0.0/0 all - -

and then later define:

3 10.0.0.50 0.0.0.0/0 all - -

will that work? Or will I end up with the packets marked with both numbers? Or merely ignore all of the "3" marks because "2" already handled packets from that IP? (in which case, would reversing the order of these statements have any effect?)

And though slightly OT, I have the same question about the tcstart file. If I define:

tc class add dev eth0 parent 1:1 classid 1:10 htb \
    rate ${UPLINK}kbit burst 15k prio 10

and then later define:

tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 \
    match ip dport 22 0xffff \
    match ip tos 0x10 0xff \
    flowid 1:10

will the second statement override the first for the appropriate packets, or be ignored because its packets were already mapped out in the first? (those statements were copied from a shell script, and I haven't tested them in shorewall yet, but you get the idea).

Anyway, hopefully these are my last bunch of questions about this.... :)

TIA for any help....

-Chris
--On Wednesday, March 05, 2003 10:10:11 PM -0800 Chris Petersen <lists@forevermore.net> wrote:

> I (think I) know how to set all of this up between tcrules and tcstart,
> but am curious about precedence.... if I set up something in tcrules
> like:
>
> 2 10.0.0.0/24 0.0.0.0/0 all - -
>
> and then later define:
>
> 3 10.0.0.50 0.0.0.0/0 all - -
>
> will that work?

Yes -- in the tcrules file, the LAST match controls the mark value.

> And though slightly OT, I have the same question about the tcstart
> file. If I define:
>
> tc class add dev eth0 parent 1:1 classid 1:10 htb \
>     rate ${UPLINK}kbit burst 15k prio 10
>
> and then later define:
>
> tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 \
>     match ip dport 22 0xffff \
>     match ip tos 0x10 0xff \
>     flowid 1:10
>
> will the second statement override the first for the appropriate
> packets, or be ignored because its packets were already mapped out in
> the first? (those statements were copied from a shell script, and I
> haven't tested them in shorewall yet, but you get the idea).

I don't know what you mean by "override". The second statement defines a filter which directs a certain set of packets (outbound ssh with TOS 16) to be shaped according to the class defined in the first statement.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
> I don't know what you mean by "override". The second statement defines a
> filter which directs a certain set of packets (outbound ssh with TOS 16) to
> be shaped according to the class defined in the first statement.

Crap, I must have pasted the wrong thing (evolution often seems to have its own clipboard).. Anyway, I'm trying to set up a filter based on a mark (traffic from one group of IPs through the firewall)... and also one to match on any ssh traffic (or icmp or whatever)... I'm wondering whether or not it makes a difference which order I define these in (i.e. if I define the ip-based filter first, will ssh traffic from that ip block even make it to the ssh filter?).

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
--On Thursday, March 06, 2003 03:19:34 PM -0800 Chris Petersen <lists@forevermore.net> wrote:

> Crap, I must have pasted the wrong thing (evolution often seems to have
> its own clipboard).. Anyway, I'm trying to set up a filter based on a
> mark (traffic from one group of IPs through the firewall)... and also
> one to match on any ssh traffic (or icmp or whatever)... I'm wondering
> whether or not it makes a difference which order I define these in (i.e.
> if I define the ip-based filter first, will ssh traffic from that ip
> block even make it to the ssh filter?).

I don't know -- I've not tried overlapping filters.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
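An added example, not from the thread and not Shorewall's own code, that ties the answers above together: a tcstart-style script building the HTB tree Chris wants (ssh first, then loc, then dmz, then firewall-originated traffic), with `fw` filters whose `handle` equals the tcrules MARK value (2 and 3, as in Chris's tcrules lines) and a u32 ssh filter given a lower `prio` number. That ordering is the answer to the overlapping-filter question Tom left open: the kernel tries the filters attached to one parent in ascending prio order and stops at the first filter that matches, so an ssh packet from a loc host marked 2 is classified by the prio 1 ssh filter before the prio 2 mark filter is consulted. The device name, the uplink rate, the class numbering, the `tc_cmd` wrapper (used here in place of Shorewall's `run_tc`) and the `TC=echo` dry-run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): build an HTB tree on
# $DEV and attach filters in the order tc will consult them.
# TC=echo (the default here) prints the commands; TC=tc applies them (as root).
TC=${TC:-echo}
DEV=${DEV:-eth0}
UPLINK=${UPLINK:-256}   # kbit; assumed uplink rate, set it to the real link

# Run (or, in dry-run mode, print) one tc command. Stands in for Shorewall's
# run_tc helper so this script can be exercised outside Shorewall.
tc_cmd() { "$TC" "$@"; }

# The tcrules lines Chris posted, for reference. Per Tom's reply the LAST
# matching line sets the mark, so 10.0.0.50 gets mark 3, the rest of
# 10.0.0.0/24 gets mark 2:
#   2  10.0.0.0/24  0.0.0.0/0  all  -  -
#   3  10.0.0.50    0.0.0.0/0  all  -  -

# build_htb DEV UPLINK_KBIT
# Classes: 1:10 ssh, 1:20 loc (mark 2), 1:30 dmz (mark 3),
# 1:40 everything else, i.e. traffic originating on the firewall (default).
build_htb() {
    dev=$1
    uplink=$2
    quarter=$((uplink / 4))

    # Start clean; the del fails harmlessly when no root qdisc is installed.
    tc_cmd qdisc del dev "$dev" root 2>/dev/null
    tc_cmd qdisc add dev "$dev" root handle 1: htb default 40
    tc_cmd class add dev "$dev" parent 1: classid 1:1 htb rate "${uplink}kbit" burst 15k

    # Guaranteed rates add up to the uplink; each class may borrow up to the
    # full uplink (ceil) when its siblings are idle. Lower htb prio borrows first.
    tc_cmd class add dev "$dev" parent 1:1 classid 1:10 htb rate "${quarter}kbit" ceil "${uplink}kbit" burst 15k prio 0
    tc_cmd class add dev "$dev" parent 1:1 classid 1:20 htb rate "${quarter}kbit" ceil "${uplink}kbit" burst 15k prio 1
    tc_cmd class add dev "$dev" parent 1:1 classid 1:30 htb rate "${quarter}kbit" ceil "${uplink}kbit" burst 15k prio 2
    tc_cmd class add dev "$dev" parent 1:1 classid 1:40 htb rate "${quarter}kbit" ceil "${uplink}kbit" burst 15k prio 3

    # Filters on parent 1:0 are tried in ascending prio; the first match wins.
    # ssh (prio 1) is therefore classified before the mark filters (prio 2),
    # so ssh from a loc host carrying mark 2 still lands in 1:10, not 1:20.
    tc_cmd filter add dev "$dev" parent 1:0 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 1:10
    tc_cmd filter add dev "$dev" parent 1:0 protocol ip prio 1 u32 match ip sport 22 0xffff flowid 1:10

    # fw filters: "handle N fw" matches packets whose nfmark is N, which is
    # what MARK N in tcrules sets. Unmarked packets fall to the default, 1:40.
    tc_cmd filter add dev "$dev" parent 1:0 protocol ip prio 2 handle 2 fw classid 1:20
    tc_cmd filter add dev "$dev" parent 1:0 protocol ip prio 2 handle 3 fw classid 1:30
}

build_htb "$DEV" "$UPLINK"
```

Run it as is to see the command list; run `TC=tc DEV=eth0 UPLINK=<real kbit> sh tcstart.sh` as root to apply it, then `tc -s class show dev eth0` shows per-class byte counters, which is the quickest way to confirm that ssh packets from a marked host are really being counted under 1:10.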