Hi All,

I just upgraded to Shorewall 3.0.3. I'm running it on a PAT gateway, and I want to test out the QoS features. I've read through the documentation, but I'm not getting the results I was hoping for. Basically, I'm looking for two priority queues. I want one for bulk traffic traveling over a couple ports (lower priority), and one for the remaining traffic. In my example I included a 3rd queue just for the sake of mimicking the example. Here are my configs:

TCRULES:

1:P   0.0.0.0/0          0.0.0.0/0   icmp   echo-request
1:P   0.0.0.0/0          0.0.0.0/0   icmp   echo-reply
#3:P  0.0.0.0/0          0.0.0.0/0   tcp    -   4662
#3:P  0.0.0.0/0          0.0.0.0/0   udp    -   4672
3:P   192.168.1.253/32   0.0.0.0/0

TCCLASSES:

eth1   1   375kbit   full   1   tcp-ack
eth1   2   375kbit   full   2   default
eth1   3   375kbit   full   3

TCDEVICES:

eth1   5000kbit   375kbit

What I expected-
Essentially two priority queues: 2 would hold default traffic and be serviced before 3. 3 would hold bulk traffic and be serviced only after 2.

How I tested-
I did a simple test of running bulk upload at full speed on the queue 3 machine (to use all upload bandwidth), then doing an FTP upload from a different machine. Theoretically the FTP upload would get priority over the bulk traffic and go near-full upload speed.

What happened-
The FTP machine got nowhere near full speed...instead I was getting about 7KB, while the bulk traffic was still going at 30 something.

Details-
eth1 is my internet interface. When matching source ports didn't work I tried matching the entire source machine, which produced the same results. The device limits are taken directly from my modem config.

Sorry if I'm missing something simple, but I'm out of ideas. Any help greatly appreciated.

-------------------------------------------------------
Hi Matt

Your mail is three days old, so maybe you have already gotten an answer or figured it out yourself. But in any case, here is what I think:

In tcclasses, you specify first the minimum bandwidth as 375kbit, then the maximum bandwidth as full. This is not a good idea; you should set a low value for the minimum bandwidth, maybe 30kbit. Then whatever is left of the bandwidth is shared according to the priorities.

Rune

On 12/30/05, Matt LaPlante <sw1@cyberdogtech.com> wrote:
> Hi All,
> I just upgraded to Shorewall 3.0.3. I'm running it on a PAT gateway, and I want to test out the QoS features. I've read through the documentation, but I'm not getting the results I was hoping for. Basically, I'm looking for two priority queues. I want one for bulk traffic traveling over a couple ports (lower priority), and one for the remaining traffic. In my example I included a 3rd queue just for the sake of mimicking the example. Here are my configs:
>
> TCRULES:
>
> 1:P   0.0.0.0/0          0.0.0.0/0   icmp   echo-request
> 1:P   0.0.0.0/0          0.0.0.0/0   icmp   echo-reply
> #3:P  0.0.0.0/0          0.0.0.0/0   tcp    -   4662
> #3:P  0.0.0.0/0          0.0.0.0/0   udp    -   4672
> 3:P   192.168.1.253/32   0.0.0.0/0
>
> TCCLASSES:
>
> eth1   1   375kbit   full   1   tcp-ack
> eth1   2   375kbit   full   2   default
> eth1   3   375kbit   full   3
>
> TCDEVICES:
>
> eth1   5000kbit   375kbit
>
> What I expected-
> Essentially two priority queues: 2 would hold default traffic and be serviced before 3. 3 would hold bulk traffic and be serviced only after 2.
>
> How I tested-
> I did a simple test of running bulk upload at full speed on the queue 3 machine (to use all upload bandwidth), then doing an FTP upload from a different machine. Theoretically the FTP upload would get priority over the bulk traffic and go near-full upload speed.
>
> What happened-
> The FTP machine got nowhere near full speed...instead I was getting about 7KB, while the bulk traffic was still going at 30 something.
>
> Details-
> eth1 is my internet interface. When matching source ports didn't work I tried matching the entire source machine, which produced the same results. The device limits are taken directly from my modem config.
>
> Sorry if I'm missing something simple, but I'm out of ideas. Any help greatly appreciated.

-------------------------------------------------------
Hi Rune,

Thanks for the reply; you're the first to get back to me. I'm aware I made the "minimum bandwidth" equal to the full bandwidth, in fact this was intentional. In my configuration, what I'm hoping for is a simple priority queue...I don't want bandwidth to be "distributed" so to speak, I want one queue to be fully serviced before the lower queue is touched. Now based on my reading of the documentation, I estimated that would be possible by simply allowing all queues to be maxed out. If I were to allow for minimums below full speed, I would still be budgeting some of my bandwidth to low priority traffic...on the other hand if the minimums match at full (based on the description), priority should take over and simulate a priority queue giving all the bandwidth to top priority. What puzzles me is why, in the scenario I described, my highest priority queue would be getting such a tiny amount of the overall bandwidth...it just doesn't seem to add up. So ultimately, I'm hoping someone can give me a more concrete example of how I can accomplish my priority queue design (and explain why priority doesn't seem to be having an effect in mine!).

Thanks,
Matt

> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Rune Kock
> Sent: Monday, January 02, 2006 9:18 AM
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] QoS and Priorities
>
> Hi Matt
>
> Your mail is three days old, so maybe you have already gotten an answer or figured it out yourself. But in any case, here is what I think:
>
> In tcclasses, you specify first the minimum bandwidth as 375kbit, then the maximum bandwidth as full. This is not a good idea; you should set a low value for the minimum bandwidth, maybe 30kbit. Then whatever is left of the bandwidth is shared according to the priorities.
>
> Rune

-------------------------------------------------------
Am I the only one getting double emails from this list?

************************************
* Joseph Dobransky
* Webhosting Administrator
* http://www.nightowlswebspace.com
************************************
* AIM: CrankyCronos
* Yahoo: skeeter1jd
* MSN: skeeter1jd@hotmail.com
* ICQ: 21228143
************************************

-------------------------------------------------------
On Monday 02 January 2006 07:15, Joseph Dobransky wrote:
> Am I the only one getting double emails from this list?

You may not be the only one but the problem isn't universal -- I'm not seeing double emails. I suggest that you look at the SMTP headers of two duplicate posts to see where the extra one is coming from.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------
Hi Matt

First, I think your stated goal is probably not desirable. If you allow default traffic to get all the bandwidth, your bulk traffic's connections will be broken. It is usually preferable to leave a tiny amount of bandwidth for bulk, so that the connections are maintained, but little data gets through.

Secondly, from my understanding of the htb-docs (http://luxik.cdi.cz/~devik/qos/htb/), it is not possible to give a class zero bandwidth. (But I may be wrong here, the htb-docs are not very clear on this point).

The best you can do is to give a class an extremely low minimum bandwidth ("rate"). Then it will borrow from any unused bandwidth at the given moment, according to its priority.

Rune

On 1/2/06, Matt LaPlante <sw1@cyberdogtech.com> wrote:
> Hi Rune,
> Thanks for the reply; you're the first to get back to me. I'm aware I made the "minimum bandwidth" equal to the full bandwidth, in fact this was intentional. In my configuration, what I'm hoping for is a simple priority queue...I don't want bandwidth to be "distributed" so to speak, I want one queue to be fully serviced before the lower queue is touched. Now based on my reading of the documentation, I estimated that would be possible by simply allowing all queues to be maxed out. If I were to allow for minimums below full speed, I would still be budgeting some of my bandwidth to low priority traffic...on the other hand if the minimums match at full (based on the description), priority should take over and simulate a priority queue giving all the bandwidth to top priority. What puzzles me is why, in the scenario I described, my highest priority queue would be getting such a tiny amount of the overall bandwidth...it just doesn't seem to add up. So ultimately, I'm hoping someone can give me a more concrete example of how I can accomplish my priority queue design (and explain why priority doesn't seem to be having an effect in mine!).
>
> Thanks,
> Matt

-------------------------------------------------------
My stated goal is indeed desirable. I'm aware that traffic starvation can occur to the bulk traffic, and that fact is perfectly acceptable. Think of it as an idle priority process on a PC, often used in distributed computing; the point is to take advantage of excess bandwidth (or processor cycles). I don't want to actually give up regular bandwidth/cycles, merely to take advantage of otherwise idle time. My regular traffic gets 100% priority over the low traffic.

Now, I did a bit more poking around with the controls, and determined that my initial impression about prioritizing traffic was very incorrect (and I feel the documentation was a bit misleading). As I stated earlier, the traffic was hardly prioritized when both queues were in use. On the other hand, by allocating only one or two k as minimum to the bulk queue, I immediately saw my default queue go full-speed. So to that end, traffic is *not* being prioritized by queue...It's very clear it's using a fair-queuing technique that shares bandwidth even when high priority and low priority are both requesting most of the bandwidth. The only way to do a priority queue seems to be to remove minimums from the bulk traffic.

That said, I'm still having a problem, but of a different persuasion. I was _successful_ classifying my traffic by source IP address only (in TCrules):

2:P   192.168.1.253/32   0.0.0.0/0

I wanted to restrict classification further, and only queue by source port on that machine:

2:P   192.168.1.253/32   0.0.0.0/0   tcp   -   4662
2:P   192.168.1.253/32   0.0.0.0/0   udp   -   4672

However I can't get this latter classification to have any effect. I know for a fact the source ports are correct, I've configured port forwarding and the server software myself. The only variable between the system correctly allocating bandwidth, and not, is the two lines above. Am I missing something? Here is the tcclasses again:

eth1   1   375kbit   full   1   default
eth1   2   1kbit     full   2

And here's the shorewall dump:

Device eth1:
qdisc htb 1: r2q 10 default 11 direct_packets_stat 4 ver 3.17
 Sent 26221934 bytes 28223 pkts (dropped 194, overlimits 36921)
 backlog 180p
qdisc ingress ffff: ----------------
 Sent 960095 bytes 20532 pkts (dropped 0, overlimits 0)
qdisc sfq 11: parent 1:11 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 25863237 bytes 26932 pkts (dropped 0, overlimits 0)
 backlog 55p
qdisc sfq 12: parent 1:12 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 351883 bytes 1285 pkts (dropped 194, overlimits 0)
 backlog 125p
class htb 1:11 parent 1:1 leaf 11: prio 1 quantum 4800 rate 375000bit ceil 375000bit burst 1645b/8 mpu 0b overhead 0b cburst 1645b/8 mpu 0b overhead 0b level 0
 Sent 25864849 bytes 26935 pkts (dropped 0, overlimits 0)
 rate 376192bit 44pps backlog 56p
 lended: 26879 borrowed: 0 giants: 0
 tokens: -61037 ctokens: -61037

class htb 1:1 root rate 375000bit ceil 375000bit burst 1645b/8 mpu 0b overhead 0b cburst 1645b/8 mpu 0b overhead 0b level 7
 Sent 26137629 bytes 28039 pkts (dropped 0, overlimits 0)
 rate 377416bit 45pps
 lended: 628 borrowed: 0 giants: 0
 tokens: -544512 ctokens: -544512

class htb 1:12 parent 1:1 leaf 12: prio 2 quantum 1500 rate 1000bit ceil 375000bit burst 1599b/8 mpu 0b overhead 0b cburst 1645b/8 mpu 0b overhead 0b level 0
 Sent 351883 bytes 1285 pkts (dropped 194, overlimits 0)
 rate 1104bit 1pps backlog 125p
 lended: 532 borrowed: 628 giants: 0
 tokens: -13303536 ctokens: 490

Again, the ultimate goal is to give all traffic, except traffic with source ports 192.168.1.253 tcp 4662 and 192.168.1.253 udp 4672, full priority. Those two ports should be minimal priority. Any ideas?

Thanks.

- Matt

> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Rune Kock
> Sent: Monday, January 02, 2006 1:54 PM
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] QoS and Priorities
>
> Hi Matt
>
> First, I think your stated goal is probably not desirable. If you allow default traffic to get all the bandwidth, your bulk traffic's connections will be broken. It is usually preferable to leave a tiny amount of bandwidth for bulk, so that the connections are maintained, but little data gets through.
>
> Secondly, from my understanding of the htb-docs (http://luxik.cdi.cz/~devik/qos/htb/), it is not possible to give a class zero bandwidth. (But I may be wrong here, the htb-docs are not very clear on this point).
>
> The best you can do is to give a class an extremely low minimum bandwidth ("rate"). Then it will borrow from any unused bandwidth at the given moment, according to its priority.
>
> Rune
>
[snip]

-------------------------------------------------------
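Added example (not part of the thread and not Shorewall's own code): a small Python check that puts numbers on the exchange above. It sums the RATE (minimum) column of the two tcclasses configurations Matt posted against the 375kbit OUT-BANDWIDTH from tcdevices, and parses the "class htb" stanzas of his dump to compare what the leaves borrowed with what the root lent. The function names are hypothetical; only plain rates and the word "full", as used in this thread, are handled.

```python
import re

UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000}

# Copied from the messages in this thread.
OUT_BANDWIDTH = "375kbit"
ORIGINAL_TCCLASSES = """
eth1 1 375kbit full 1 tcp-ack
eth1 2 375kbit full 2 default
eth1 3 375kbit full 3
"""
REVISED_TCCLASSES = """
eth1 1 375kbit full 1 default
eth1 2 1kbit full 2
"""
# Class stanzas from the posted dump (line breaks are not significant here).
DUMP = """
class htb 1:11 parent 1:1 leaf 11: prio 1 quantum 4800 rate 375000bit ceil 375000bit
 Sent 25864849 bytes 26935 pkts (dropped 0, overlimits 0)
 rate 376192bit 44pps backlog 56p
 lended: 26879 borrowed: 0 giants: 0
class htb 1:1 root rate 375000bit ceil 375000bit
 Sent 26137629 bytes 28039 pkts (dropped 0, overlimits 0)
 rate 377416bit 45pps
 lended: 628 borrowed: 0 giants: 0
class htb 1:12 parent 1:1 leaf 12: prio 2 quantum 1500 rate 1000bit ceil 375000bit
 Sent 351883 bytes 1285 pkts (dropped 194, overlimits 0)
 rate 1104bit 1pps backlog 125p
 lended: 532 borrowed: 628 giants: 0
"""


def to_bits(token, full=0):
    """Convert '375kbit', '1000bit' or the word 'full' to bit/s."""
    if token == "full":
        return full
    m = re.fullmatch(r"(\d+)([a-z]+)", token.lower())
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"unsupported rate token: {token!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def committed_ratio(tcclasses, out_bandwidth):
    """Sum of the RATE (minimum) column divided by the device OUT-BANDWIDTH."""
    full = to_bits(out_bandwidth)
    total = 0
    for line in tcclasses.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            # Columns: INTERFACE MARK RATE CEIL PRIORITY [OPTIONS]
            total += to_bits(fields[2], full)
    return total / full


def parse_htb_classes(dump):
    """Return {classid: settings and counters} for each 'class htb' stanza."""
    classes = {}
    for stanza in dump.split("class htb ")[1:]:
        head = re.match(r"(\S+)\s+(?:root|parent\s+(\S+))", stanza)
        cfg = re.search(r"rate\s+(\w+)\s+ceil\s+(\w+)", stanza)
        prio = re.search(r"prio\s+(\d+)", stanza)
        stats = re.search(
            r"dropped\s+(\d+).*?lended:\s+(\d+)\s+borrowed:\s+(\d+)",
            stanza, re.S)
        classes[head.group(1)] = {
            "parent": head.group(2),          # None for the root class
            "prio": int(prio.group(1)) if prio else None,
            "rate": to_bits(cfg.group(1)),    # configured minimum
            "ceil": to_bits(cfg.group(2)),    # configured maximum
            "dropped": int(stats.group(1)),
            "lended": int(stats.group(2)),
            "borrowed": int(stats.group(3)),
        }
    return classes


def summarize(classes):
    """Per parent: children's summed rate and borrowing vs the parent's own."""
    out = {}
    for cls in classes.values():
        if cls["parent"] is None:
            continue
        entry = out.setdefault(cls["parent"],
                               {"child_rate": 0, "child_borrowed": 0})
        entry["child_rate"] += cls["rate"]
        entry["child_borrowed"] += cls["borrowed"]
    for parent_id, entry in out.items():
        entry["parent_rate"] = classes[parent_id]["rate"]
        entry["parent_lended"] = classes[parent_id]["lended"]
    return out


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_TCCLASSES),
                      ("revised", REVISED_TCCLASSES)):
        ratio = committed_ratio(cfg, OUT_BANDWIDTH)
        print(f"{name}: minimums commit {ratio:.0%} of the uplink")
    print(summarize(parse_htb_classes(DUMP)))
```

With the original configuration the per-class minimums add up to three times the uplink, so nothing is left over to be shared by priority; with the 1kbit bulk minimum, everything the bulk class borrowed in the dump came from the root class.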
Hi Matt,

I had no time to review your post deeply, but I think I got your config mistake.

Your example shows that you try to shape P2P (edonkey) traffic. I think you see this kind of traffic too simple. You have to use an extension like the ipp2p module ( http://www.ipp2p.org/ ) for a working classification of this kind of traffic.

ipp2p can be shorewall-integrated and is very well documented in the shorewall documentation, but more tricky than you may have expected.

Take a look at: http://www.shorewall.net/IPP2P.html

In my setup (similar to your goals) it works very well.

You can get the config upon request.

HTH,
Alex

Matt LaPlante wrote:
> My stated goal is indeed desirable. I'm aware that traffic starvation can occur to the bulk traffic, and that fact is perfectly acceptable. Think of it as an idle priority process on a PC, often used in distributed computing; the point is to take advantage of excess bandwidth (or processor cycles). I don't want to actually give up regular bandwidth/cycles, merely to take advantage of otherwise idle time. My regular traffic gets 100% priority over the low traffic.
>
> Now, I did a bit more poking around with the controls, and determined that my initial impression about prioritizing traffic was very incorrect (and I feel the documentation was a bit misleading). As I stated earlier, the traffic was hardly prioritized when both queues were in use. On the other hand, by allocating only one or two k as minimum to the bulk queue, I immediately saw my default queue go full-speed. So to that end, traffic is *not* being prioritized by queue...It's very clear it's using a fair-queuing technique that shares bandwidth even when high priority and low priority are both requesting most of the bandwidth. The only way to do a priority queue seems to be to remove minimums from the bulk traffic.
>
> That said, I'm still having a problem, but of a different persuasion. I was _successful_ classifying my traffic by source IP address only (in TCrules):
>
> 2:P   192.168.1.253/32   0.0.0.0/0
>
> I wanted to restrict classification further, and only queue by source port on that machine:
>
> 2:P   192.168.1.253/32   0.0.0.0/0   tcp   -   4662
> 2:P   192.168.1.253/32   0.0.0.0/0   udp   -   4672
>
> However I can't get this latter classification to have any effect. I know for a fact the source ports are correct, I've configured port forwarding and the server software myself. The only variable between the system correctly allocating bandwidth, and not, is the two lines above. Am I missing something? Here is the tcclasses again:
>
> eth1   1   375kbit   full   1   default
> eth1   2   1kbit     full   2
>
> And here's the shorewall dump:
>
> Device eth1:
> qdisc htb 1: r2q 10 default 11 direct_packets_stat 4 ver 3.17
>  Sent 26221934 bytes 28223 pkts (dropped 194, overlimits 36921)
>  backlog 180p
> qdisc ingress ffff: ----------------
>  Sent 960095 bytes 20532 pkts (dropped 0, overlimits 0)
> qdisc sfq 11: parent 1:11 limit 128p quantum 1514b flows 128/1024 perturb 10sec
>  Sent 25863237 bytes 26932 pkts (dropped 0, overlimits 0)
>  backlog 55p
> qdisc sfq 12: parent 1:12 limit 128p quantum 1514b flows 128/1024 perturb 10sec
>  Sent 351883 bytes 1285 pkts (dropped 194, overlimits 0)
>  backlog 125p
> class htb 1:11 parent 1:1 leaf 11: prio 1 quantum 4800 rate 375000bit ceil 375000bit burst 1645b/8 mpu 0b overhead 0b cburst 1645b/8 mpu 0b overhead 0b level 0
>  Sent 25864849 bytes 26935 pkts (dropped 0, overlimits 0)
>  rate 376192bit 44pps backlog 56p
>  lended: 26879 borrowed: 0 giants: 0
>  tokens: -61037 ctokens: -61037
>
> class htb 1:1 root rate 375000bit ceil 375000bit burst 1645b/8 mpu 0b overhead 0b cburst 1645b/8 mpu 0b overhead 0b level 7
>  Sent 26137629 bytes 28039 pkts (dropped 0, overlimits 0)
>  rate 377416bit 45pps
>  lended: 628 borrowed: 0 giants: 0
>  tokens: -544512 ctokens: -544512
>
> class htb 1:12 parent 1:1 leaf 12: prio 2 quantum 1500 rate 1000bit ceil 375000bit burst 1599b/8 mpu 0b overhead 0b cburst 1645b/8 mpu 0b overhead 0b level 0
>  Sent 351883 bytes 1285 pkts (dropped 194, overlimits 0)
>  rate 1104bit 1pps backlog 125p
>  lended: 532 borrowed: 628 giants: 0
>  tokens: -13303536 ctokens: 490
>
> Again, the ultimate goal is to give all traffic, except traffic with source ports 192.168.1.253 tcp 4662 and 192.168.1.253 udp 4672, full priority. Those two ports should be minimal priority. Any ideas?
>
> Thanks.
>
> - Matt

-------------------------------------------------------
Sir,

I am a small ISP in rural India distributing 1 MB link to 200 people. I have been using rshaper by Alessandro Rubini for shaping (http://freshmeat.net/projects/rshaper/).

My kernel is Linux version 2.4.22-1.2115.nptl (Fedora Core 1).

Rshaper is very good in controlling incoming bandwidth (from LAN).

I use Squid also on this Linux box. Right now I am using Delay Pools of Squid to control bandwidth per user. Squid saves me around 35% of bandwidth and hence I can not afford not to use it. Squid also gives my clients a feel of speed -- an important thing for me.

Rshaper is no more under active development. The author advised me to switch to tc.

I use shorewall (2.4.3). Rshaper will not work on any new kernel. I want to switch to kernel 2.6.

Any ideas for this kind of a situation using tc, Squid?

Kindly help. Thanks a lot for your time.

Rayudu.

-------------------------------------------------------
Rayudu Madhava wrote:
> ...
> Rshaper is no more under active development. The author advised me to switch to tc..
>
> I use shorewall (2.4.3).
> ...
> Any Ideas for this kind of a situation using tc , Squid..

Suggestions:

- Don't hijack threads. If you want to get noticed, start a new thread.
- Read the Shorewall 3.0 documentation - traffic shaping has been integrated and by all reports works very well.

Paul

-------------------------------------------------------
Alex, You guessed it. Apparently there were a couple extra ports at play, other than the ones configured in the app interface. That seems to have nailed it. Thanks again... - Matt> -----Original Message----- > From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users- > admin@lists.sourceforge.net] On Behalf Of Alexander Wilms > Sent: Thursday, January 05, 2006 5:32 PM > To: shorewall-users@lists.sourceforge.net > Subject: Re: [Shorewall-users] QoS and Priorities > > Hi Matt, > > I had no time to review your post deeply, but I think I got your > config mistake. > > Your example shows that you try to shape P2P (edonkey) traffic. I > think you see this kind of traffic too simple. > You have to use an extension like the ipp2p module ( > http://www.ipp2p.org/ ) for an working classification of this kind of > traffic. > > ipp2p can be shorewall-integrated and is very well documented in the > shorewall documentation, but a more tricky than you may have expected. > > Take a look at: http://www.shorewall.net/IPP2P.html > > In my setup (similar to your goals) it works very well. > > You can get the config upon request. > > HTH, > Alex > > > Matt LaPlante schrieb: > > > My stated goal is indeed desirable. I''m aware that traffic > > starvation can occur to the bulk traffic, and that fact is > > perfectly acceptable. Think of it as an idle priority process on a > > PC, often used in distributed computing; the point is to take > > advantage of excess bandwidth (or processor cycles). I don''t want > > to actually give up regular bandwidth/cycles, merely to take > > advantage of otherwise idle time. My regular traffic gets 100% > > priority over the low traffic. > > > > Now, I did a bit more poking around with the controls, and > > determined that my initial impression about prioritizing traffic > > was very incorrect (and I feel the documentation was a bit > > misleading). 
> > As I stated earlier, the traffic was hardly
> > prioritized when both queues were in use. On the other hand, by
> > allocating only one or two k as minimum to the bulk queue, I
> > immediately saw my default queue go full-speed. So to that end,
> > traffic is *not* being prioritized by queue... It's very clear it's
> > using a fair-queuing technique that shares bandwidth even when high
> > priority and low priority are both requesting most of the
> > bandwidth. The only way to do a priority queue seems to be to
> > remove minimums from the bulk traffic.
> >
> > That said, I'm still having a problem, but of a different
> > persuasion. I was _successful_ classifying my traffic by source IP
> > address only (in TCrules):
> >
> >   2:P 192.168.1.253/32 0.0.0.0/0
> >
> > I wanted to restrict classification further, and only queue by
> > source port on that machine:
> >
> >   2:P 192.168.1.253/32 0.0.0.0/0 tcp - 4662
> >   2:P 192.168.1.253/32 0.0.0.0/0 udp - 4672
> >
> > However I can't get this latter classification to have any effect.
> > I know for a fact the source ports are correct, I've configured
> > port forwarding and the server software myself. The only variable
> > between the system correctly allocating bandwidth, and not, is the
> > two lines above. Am I missing something?
> > Here is the tcclasses again:
> >
> >   eth1 1 375kbit full 1 default
> >   eth1 2 1kbit full 2
> >
> > And here's the shorewall dump:
> >
> > Device eth1:
> > qdisc htb 1: r2q 10 default 11 direct_packets_stat 4 ver 3.17
> >  Sent 26221934 bytes 28223 pkts (dropped 194, overlimits 36921)
> >  backlog 180p
> > qdisc ingress ffff: ----------------
> >  Sent 960095 bytes 20532 pkts (dropped 0, overlimits 0)
> > qdisc sfq 11: parent 1:11 limit 128p quantum 1514b flows 128/1024 perturb 10sec
> >  Sent 25863237 bytes 26932 pkts (dropped 0, overlimits 0)
> >  backlog 55p
> > qdisc sfq 12: parent 1:12 limit 128p quantum 1514b flows 128/1024 perturb 10sec
> >  Sent 351883 bytes 1285 pkts (dropped 194, overlimits 0)
> >  backlog 125p
> >
> > class htb 1:11 parent 1:1 leaf 11: prio 1 quantum 4800 rate 375000bit ceil 375000bit burst 1645b/8 mpu 0b overhead 0b cburst 1645b/8 mpu 0b overhead 0b level 0
> >  Sent 25864849 bytes 26935 pkts (dropped 0, overlimits 0)
> >  rate 376192bit 44pps backlog 56p
> >  lended: 26879 borrowed: 0 giants: 0
> >  tokens: -61037 ctokens: -61037
> >
> > class htb 1:1 root rate 375000bit ceil 375000bit burst 1645b/8 mpu 0b overhead 0b cburst 1645b/8 mpu 0b overhead 0b level 7
> >  Sent 26137629 bytes 28039 pkts (dropped 0, overlimits 0)
> >  rate 377416bit 45pps
> >  lended: 628 borrowed: 0 giants: 0
> >  tokens: -544512 ctokens: -544512
> >
> > class htb 1:12 parent 1:1 leaf 12: prio 2 quantum 1500 rate 1000bit ceil 375000bit burst 1599b/8 mpu 0b overhead 0b cburst 1645b/8 mpu 0b overhead 0b level 0
> >  Sent 351883 bytes 1285 pkts (dropped 194, overlimits 0)
> >  rate 1104bit 1pps backlog 125p
> >  lended: 532 borrowed: 628 giants: 0
> >  tokens: -13303536 ctokens: 490
> >
> > Again, the ultimate goal is to give all traffic, except traffic
> > with source ports 192.168.1.253 tcp 4662 and 192.168.1.253 udp
> > 4672, full priority. Those two ports should be minimal priority.
> > Any ideas?
> >
> > Thanks.
> >
> > - Matt
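
An added example, not part of the original thread: a small Python parser run over the two leaf-class entries of the dump quoted above, showing the 1kbit class held near its assured rate while the prio 1 class carries almost all of the bytes. The function names and the "starved" heuristic (drops and backlog while the measured rate is under a tenth of ceil) are assumptions of this example.

```python
import re

# Leaf-class excerpt from the dump quoted in the thread (header lines trimmed after "ceil").
TC_DUMP = """\
class htb 1:11 parent 1:1 leaf 11: prio 1 quantum 4800 rate 375000bit ceil 375000bit
 Sent 25864849 bytes 26935 pkts (dropped 0, overlimits 0)
 rate 376192bit 44pps backlog 56p
 lended: 26879 borrowed: 0 giants: 0
class htb 1:12 parent 1:1 leaf 12: prio 2 quantum 1500 rate 1000bit ceil 375000bit
 Sent 351883 bytes 1285 pkts (dropped 194, overlimits 0)
 rate 1104bit 1pps backlog 125p
 lended: 532 borrowed: 628 giants: 0
"""

HEADER = re.compile(r"class htb (\S+) parent \S+ leaf \S+ prio (\d+) "
                    r".*?rate (\d+)bit ceil (\d+)bit")
SENT = re.compile(r"\s+Sent (\d+) bytes \d+ pkts \(dropped (\d+),")
LIVE = re.compile(r"\s+rate (\d+)bit \d+pps(?: backlog (\d+)p)?")
LEND = re.compile(r"\s+lended: \d+ borrowed: (\d+)")

def parse_classes(text):
    """Return one dict per HTB leaf class in `tc -s class show` style output."""
    classes = []
    for line in text.splitlines():
        if head := HEADER.match(line):
            cid, prio, rate, ceil = head.groups()
            classes.append({"id": cid, "prio": int(prio),
                            "rate": int(rate), "ceil": int(ceil)})
        elif not classes:
            continue  # statistics line before any class header: ignore
        elif m := SENT.match(line):
            classes[-1].update(bytes=int(m[1]), dropped=int(m[2]))
        elif m := LIVE.match(line):
            classes[-1].update(measured=int(m[1]), backlog=int(m[2] or 0))
        elif m := LEND.match(line):
            classes[-1]["borrowed"] = int(m[1])
    return classes

def report(classes):
    """Add byte share and a 'starved' flag (drops + backlog, far below ceil); sort by prio."""
    total = sum(c["bytes"] for c in classes)
    for c in classes:
        c["share"] = c["bytes"] / total
        c["starved"] = c["dropped"] > 0 and c["backlog"] > 0 and c["measured"] < c["ceil"] // 10
    return sorted(classes, key=lambda c: c["prio"])

if __name__ == "__main__":
    for c in report(parse_classes(TC_DUMP)):
        print(f"{c['id']} prio={c['prio']} assured={c['rate']}bit measured={c['measured']}bit share={c['share']:.1%} starved={c['starved']}")
```

Comparing the byte and packet counters of the bulk class before and after a test transfer is also a quick way to see whether a port-based tcrules entry is actually matching the traffic.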