I am trying to set up traffic shaping with Shorewall-4.0.2 and have a fault. When I start Shorewall with the tc files configured I get the following messages:

  ...
  RTNETLINK answers: No such file or directory
  We have an error talking to the kernel
     ERROR: Command "tc filter add dev eth2 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 500kbit burst 10k drop flowid :1" Failed
  Processing /etc/shorewall/stop ...
  IP Forwarding Enabled
  Processing /etc/shorewall/stopped ...
  /sbin/shorewall: line 375: 28072 Завершено ${VARDIR}/.start $debugging start

If I run Shorewall's tc command from the shell I get:

  gate / # tc filter add dev eth2 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 500kbit burst 10k drop flowid :1
  RTNETLINK answers: Invalid argument
  We have an error talking to the kernel

What's wrong?

Thank you very much.

Alex

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
alex wrote:
> I am trying to set up traffic shaping with Shorewall-4.0.2 and have a fault.
> When I start Shorewall with the tc files configured I get the following messages:
>
> ...
> RTNETLINK answers: No such file or directory
> We have an error talking to the kernel
>    ERROR: Command "tc filter add dev eth2 parent ffff: protocol ip prio
> 50 u32 match ip src 0.0.0.0/0 police rate 500kbit burst 10k drop flowid
> :1" Failed
> Processing /etc/shorewall/stop ...
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> /sbin/shorewall: line 375: 28072 Завершено ${VARDIR}/.start
> $debugging start
>
> If I run Shorewall's tc command from the shell I get:
>
> gate / # tc filter add dev eth2 parent ffff: protocol ip prio 50 u32 match
> ip src 0.0.0.0/0 police rate 500kbit burst 10k drop flowid :1
> RTNETLINK answers: Invalid argument
> We have an error talking to the kernel
>
> What's wrong?

Looks like your kernel doesn't have 'traffic policing' support (CONFIG_NET_ACT_POLICE).

You can work around the problem temporarily by specifying zero (0) as the IN-BANDWIDTH.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Thanks! No, I have CONFIG_NET_ACT_POLICE=m, and after I load the 'act_police' module everything works fine.

Thank you very much.

>> I am trying to set up traffic shaping with Shorewall-4.0.2 and have a fault.
>> When I start Shorewall with the tc files configured I get the following messages:
>>
>> ...
>> RTNETLINK answers: No such file or directory
>> We have an error talking to the kernel
>>    ERROR: Command "tc filter add dev eth2 parent ffff: protocol ip prio
>> 50 u32 match ip src 0.0.0.0/0 police rate 500kbit burst 10k drop flowid
>> :1" Failed
>> Processing /etc/shorewall/stop ...
>> IP Forwarding Enabled
>> Processing /etc/shorewall/stopped ...
>> /sbin/shorewall: line 375: 28072 Завершено ${VARDIR}/.start
>> $debugging start
>>
>> If I run Shorewall's tc command from the shell I get:
>>
>> gate / # tc filter add dev eth2 parent ffff: protocol ip prio 50 u32 match
>> ip src 0.0.0.0/0 police rate 500kbit burst 10k drop flowid :1
>> RTNETLINK answers: Invalid argument
>> We have an error talking to the kernel
>>
>> What's wrong?
>
> Looks like your kernel doesn't have 'traffic policing' support
> (CONFIG_NET_ACT_POLICE).
>
> You can work around the problem temporarily by specifying zero (0) as the
> IN-BANDWIDTH.
I am configuring traffic shaping with Shorewall-4.0.2 and have a small misunderstanding. In 'traffic_shaping.htm' of the Shorewall documentation it is written:

  If the sum of the RATEs for all classes assigned to an INTERFACE exceed that interface's OUT-BANDWIDTH, then the OUT-BANDWIDTH limit will not be honored.

But how should I understand the following example from the same source?

  #INTERFACE  MARK  RATE       CEIL       PRIORITY  OPTIONS
  ppp0        1     full       full       1         tcp-ack,tos-minimize-delay
  ppp0        2     9*full/10  9*full/10  2         default
  ppp0        3     8*full/10  8*full/10  2

If I use the 'full' value for one class I don't leave any bandwidth for the other classes. If not, can I use the 'full' value many times for different classes (in the 'RATE' column)?

Alex
alex wrote:
> I am configuring traffic shaping with Shorewall-4.0.2 and have a small
> misunderstanding. In 'traffic_shaping.htm' of the Shorewall documentation
> it is written:
>
> If the sum of the RATEs for all classes assigned to an INTERFACE exceed
> that interface's OUT-BANDWIDTH, then the OUT-BANDWIDTH limit will not be
> honored.
>
> But how should I understand the following example from the same source?
>
> #INTERFACE  MARK  RATE       CEIL       PRIORITY  OPTIONS
> ppp0        1     full       full       1         tcp-ack,tos-minimize-delay
> ppp0        2     9*full/10  9*full/10  2         default
> ppp0        3     8*full/10  8*full/10  2

It's a poor example. For a better one, see http://www.shorewall.net/XenMyWay-Routed.html. It contains the following:

  #INTERFACE  MARK  RATE       CEIL       PRIORITY  OPTIONS
  $EXT_IF     10    5*full/10  full       1         tcp-ack,tos-minimize-delay
  $EXT_IF     20    3*full/10  9*full/10  2         default
  $EXT_IF     30    2*full/10  6*full/10  3
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The sum of the guarantees in the RATE column is less than 'full'.

-Tom
Tom Eastep wrote:
> alex wrote:
>> I am configuring traffic shaping with Shorewall-4.0.2 and have a small
>> misunderstanding. In 'traffic_shaping.htm' of the Shorewall documentation
>> it is written:
>>
>> If the sum of the RATEs for all classes assigned to an INTERFACE exceed
>> that interface's OUT-BANDWIDTH, then the OUT-BANDWIDTH limit will not be
>> honored.
>>
>> But how should I understand the following example from the same source?
>>
>> #INTERFACE  MARK  RATE       CEIL       PRIORITY  OPTIONS
>> ppp0        1     full       full       1         tcp-ack,tos-minimize-delay
>> ppp0        2     9*full/10  9*full/10  2         default
>> ppp0        3     8*full/10  8*full/10  2
>
> It's a poor example. For a better one, see
> http://www.shorewall.net/XenMyWay-Routed.html. It contains the following:
>
> #INTERFACE  MARK  RATE       CEIL       PRIORITY  OPTIONS
> $EXT_IF     10    5*full/10  full       1         tcp-ack,tos-minimize-delay
> $EXT_IF     20    3*full/10  9*full/10  2         default
> $EXT_IF     30    2*full/10  6*full/10  3
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> The sum of the guarantees in the RATE column is less than 'full'.

Make that 'equal to full'.

-Tom
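The rule Tom states (the RATE guarantees on an interface must add up to no more than 'full', i.e. its OUT-BANDWIDTH) can be checked mechanically. The Python helper below is an added example, not Shorewall's own code: it sums the RATE column of a tcclasses file per interface and flags interfaces that are oversubscribed. It assumes the simplified RATE syntax used in this thread (full, N*full/M, or a plain kbit/mbit value), expands $VAR interface names from an assumed params mapping, and uses constructed OUT-BANDWIDTH values for ppp0 and eth0.

```python
import re
from string import Template

_UNIT = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000}


def parse_bandwidth(value: str) -> int:
    """Parse a tcdevices-style bandwidth such as '500kbit' into bit/s."""
    m = re.fullmatch(r"(\d+)([kmg]?bit)", value.strip().lower())
    if not m:
        raise ValueError(f"unsupported bandwidth value: {value!r}")
    return int(m.group(1)) * _UNIT[m.group(2)]


def parse_rate(expr: str, full: int) -> int:
    """Evaluate a RATE/CEIL cell in bit/s.

    Supports 'full', 'N*full', 'full/M', 'N*full/M' and plain values with a
    bit unit; 'full' is the interface OUT-BANDWIDTH in bit/s.
    """
    expr = expr.strip().lower()
    m = re.fullmatch(r"(?:(\d+)\*)?full(?:/(\d+))?", expr)
    if m:
        return full * int(m.group(1) or 1) // int(m.group(2) or 1)
    return parse_bandwidth(expr)


def rate_sums(tcclasses: str, out_bandwidth: dict, params: dict = None) -> dict:
    """Sum the RATE column per interface.

    Returns {interface: (sum_of_rates, full)} in bit/s. Comment lines
    (including the '#LAST LINE' marker) are skipped; $VAR references in the
    INTERFACE column are expanded from 'params', as the params file would do.
    """
    params = params or {}
    sums = {}
    for raw in tcclasses.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed tcclasses line: {raw!r}")
        iface = Template(fields[0]).substitute(params)
        full = parse_bandwidth(out_bandwidth[iface])
        total, _ = sums.get(iface, (0, full))
        sums[iface] = (total + parse_rate(fields[2], full), full)
    return sums


def oversubscribed(tcclasses: str, out_bandwidth: dict, params: dict = None) -> list:
    """Interfaces whose RATE guarantees add up to more than OUT-BANDWIDTH.

    The OUT-BANDWIDTH limit is not honoured on such interfaces. A sum that is
    exactly equal to 'full' is acceptable.
    """
    sums = rate_sums(tcclasses, out_bandwidth, params)
    return sorted(i for i, (total, full) in sums.items() if total > full)


# Constructed sample input: the two tcclasses fragments quoted in this thread.
DOC_EXAMPLE = """\
#INTERFACE MARK RATE      CEIL      PRIORITY OPTIONS
ppp0       1    full      full      1        tcp-ack,tos-minimize-delay
ppp0       2    9*full/10 9*full/10 2        default
ppp0       3    8*full/10 8*full/10 2
"""

XEN_EXAMPLE = """\
#INTERFACE MARK RATE      CEIL      PRIORITY OPTIONS
$EXT_IF    10   5*full/10 full      1        tcp-ack,tos-minimize-delay
$EXT_IF    20   3*full/10 9*full/10 2        default
$EXT_IF    30   2*full/10 6*full/10 3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Constructed OUT-BANDWIDTH values (as in tcdevices) and params mapping.
BANDWIDTH = {"ppp0": "256kbit", "eth0": "1000kbit"}
PARAMS = {"EXT_IF": "eth0"}

if __name__ == "__main__":
    print(rate_sums(DOC_EXAMPLE, BANDWIDTH))
    print("oversubscribed:", oversubscribed(DOC_EXAMPLE, BANDWIDTH))
    print(rate_sums(XEN_EXAMPLE, BANDWIDTH, PARAMS))
    print("oversubscribed:", oversubscribed(XEN_EXAMPLE, BANDWIDTH, PARAMS))
```

The documentation example sums to 2.7 times 'full' on ppp0 and is flagged; the XenMyWay example sums to exactly 'full' and passes.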
According to this advice from 'traffic_shaping.htm':

  Normally, packet marking occurs in the PREROUTING chain before any address rewriting takes place. This makes it impossible to mark inbound packets based on their destination address when SNAT or Masquerading are being used. You can cause packet marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in shorewall.conf.

I MUST use 'MARK_IN_FORWARD_CHAIN=Yes' or the ':F' suffix in a lot of rules in 'tcrules' if I use NAT/SNAT (configured in the 'masq' file) and want to use internal (private) IP addresses (or networks) in 'tcrules'. Do I understand correctly?

Alex
On Fri, 2007-08-17 at 17:01 +0300, alex wrote:
> According to this advice from 'traffic_shaping.htm':
>
> Normally, packet marking occurs in the PREROUTING chain before any address
> rewriting takes place. This makes it impossible to mark inbound packets
> based on their destination address when SNAT or Masquerading are being
> used. You can cause packet marking to occur in the FORWARD chain by using
> the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
>
> I MUST use 'MARK_IN_FORWARD_CHAIN=Yes' or the ':F' suffix in a lot of rules
> in 'tcrules' if I use NAT/SNAT (configured in the 'masq' file) and want to use
> internal (private) IP addresses (or networks) in 'tcrules'.
> Do I understand correctly?

The only time where the above applies is if you want to mark incoming traffic by its destination IP and you are SNAT/Masquerading.

-Tom
>> According to this advice from 'traffic_shaping.htm':
>>
>> Normally, packet marking occurs in the PREROUTING chain before any address
>> rewriting takes place. This makes it impossible to mark inbound packets
>> based on their destination address when SNAT or Masquerading are being
>> used. You can cause packet marking to occur in the FORWARD chain by using
>> the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
>>
>> I MUST use 'MARK_IN_FORWARD_CHAIN=Yes' or the ':F' suffix in a lot of rules
>> in 'tcrules' if I use NAT/SNAT (configured in the 'masq' file) and want to use
>> internal (private) IP addresses (or networks) in 'tcrules'.
>> Do I understand correctly?
>
> The only time where the above applies is if you want to mark incoming
> traffic by its destination IP and you are SNAT/Masquerading.

The destination address is a local (not external) IP? And I would want this only for tc rules on the external interface. Am I right?

Alex
On Fri, 2007-08-17 at 17:48 +0300, alex wrote:
> >> According to this advice from 'traffic_shaping.htm':
> >>
> >> Normally, packet marking occurs in the PREROUTING chain before any address
> >> rewriting takes place. This makes it impossible to mark inbound packets
> >> based on their destination address when SNAT or Masquerading are being
> >> used. You can cause packet marking to occur in the FORWARD chain by using
> >> the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
> >>
> >> I MUST use 'MARK_IN_FORWARD_CHAIN=Yes' or the ':F' suffix in a lot of rules
> >> in 'tcrules' if I use NAT/SNAT (configured in the 'masq' file) and want to use
> >> internal (private) IP addresses (or networks) in 'tcrules'.
> >> Do I understand correctly?
> >
> > The only time where the above applies is if you want to mark incoming
> > traffic by its destination IP and you are SNAT/Masquerading.
>
> The destination address is a local (not external) IP?
> And I would want this only for tc rules on the external interface.
> Am I right?

If the destination address is LOCAL, then the traffic is going out of the LOCAL interface. So this would only apply if you are shaping the LOCAL interface.

-Tom
>> >> According to this advice from 'traffic_shaping.htm':
>> >>
>> >> Normally, packet marking occurs in the PREROUTING chain before any address
>> >> rewriting takes place. This makes it impossible to mark inbound packets
>> >> based on their destination address when SNAT or Masquerading are being
>> >> used. You can cause packet marking to occur in the FORWARD chain by using
>> >> the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
>> >>
>> >> I MUST use 'MARK_IN_FORWARD_CHAIN=Yes' or the ':F' suffix in a lot of rules
>> >> in 'tcrules' if I use NAT/SNAT (configured in the 'masq' file) and want to use
>> >> internal (private) IP addresses (or networks) in 'tcrules'.
>> >> Do I understand correctly?
>> >
>> > The only time where the above applies is if you want to mark incoming
>> > traffic by its destination IP and you are SNAT/Masquerading.
>>
>> The destination address is a local (not external) IP?
>> And I would want this only for tc rules on the external interface.
>> Am I right?
>
> If the destination address is LOCAL, then the traffic is going out of
> the LOCAL interface. So this would only apply if you are shaping the
> LOCAL interface.

Yes, and when I shape the LOCAL outgoing traffic I shape inbound EXTERNAL traffic on the EXTERNAL interface (if I make the corresponding tc rule):

  5  $EXT_IF  $INT_IF:192.168.5.45  all

And one more question. If I use the following single tc rule:

  1  0.0.0.0/0  0.0.0.0/0  icmp  echo-request

would it suit any interface in tcclasses (I want that)?

  $DMZ_IF  1  10kbit  full  1  tcp-ack,tos-minimize-delay
  $EXT_IF  1  10kbit  full  1  tcp-ack,tos-minimize-delay
  $INT_IF  1  10kbit  full  1  tcp-ack,tos-minimize-delay

Alex
On Fri, 2007-08-17 at 18:04 +0300, alex wrote:
> > If the destination address is LOCAL, then the traffic is going out of
> > the LOCAL interface. So this would only apply if you are shaping the
> > LOCAL interface.
>
> Yes, and when I shape the LOCAL outgoing traffic I shape inbound
> EXTERNAL traffic on the EXTERNAL interface (if I make the corresponding tc rule):
>
> 5  $EXT_IF  $INT_IF:192.168.5.45  all

That rule would only affect tcclasses on $INT_IF. And you would want that to read:

  5:F  $EXT_IF  $INT_IF:192.168.5.45  all
  --->

> And one more question. If I use the following single tc rule:
>
> 1  0.0.0.0/0  0.0.0.0/0  icmp  echo-request
>
> would it suit any interface in tcclasses (I want that)?

Yes. Except for traffic that originates on the firewall itself. The above rule only affects forwarded traffic.

> $DMZ_IF  1  10kbit  full  1  tcp-ack,tos-minimize-delay
> $EXT_IF  1  10kbit  full  1  tcp-ack,tos-minimize-delay
> $INT_IF  1  10kbit  full  1  tcp-ack,tos-minimize-delay

-Tom
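Tom's correction (a tcrule that selects by an internal destination address needs the ':F' suffix, or MARK_IN_FORWARD_CHAIN=Yes, when the box is masquerading) can be turned into a configuration lint. The Python below is an added example, not Shorewall's own code: it reads a tcrules file and the masq file, and reports rules whose DEST lies inside a masqueraded network but which would still be marked in PREROUTING, suggesting the ':F' form. The constructed sample uses the two rules from this thread; $EXT_IF and $INT_IF are expanded from an assumed params mapping, and exclusion lists ('!') are not handled.

```python
import ipaddress
from string import Template


def _lines(text: str):
    """Yield (line_number, fields) for non-comment, non-blank lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line.split()


def _as_networks(value: str, params: dict) -> list:
    """IPv4 networks named in a Shorewall address column.

    Handles 'addr', 'addr/len', 'iface:addr' and comma lists. Interface
    names, '-' and anything else that is not an address are skipped.
    Exclusion lists ('!...') are not handled (assumption of this example).
    """
    nets = []
    for token in Template(value).substitute(params).split(","):
        addr = token.rsplit(":", 1)[-1]          # drop an 'iface:' prefix
        try:
            nets.append(ipaddress.ip_network(addr, strict=False))
        except ValueError:
            continue
    return nets


def masqueraded_networks(masq: str, params: dict = None) -> list:
    """Networks listed in the SUBNET column of the masq file."""
    params = params or {}
    nets = []
    for _, fields in _lines(masq):
        if len(fields) >= 2:
            nets.extend(_as_networks(fields[1], params))
    return nets


def lint_tcrules(tcrules: str, masq: str, mark_in_forward_chain: str = "No",
                 params: dict = None) -> list:
    """Report tcrules that select by an internal DEST but mark in PREROUTING.

    In PREROUTING the inbound packet still carries the external address,
    because marking happens before the masqueraded address is rewritten, so
    such a rule never matches. Returns [(line_no, mark, suggested_mark), ...],
    where the suggestion is the same mark with the ':F' (FORWARD) suffix.
    """
    params = params or {}
    if mark_in_forward_chain.strip().lower() == "yes":
        return []                                 # all marking is in FORWARD already
    inside = masqueraded_networks(masq, params)
    findings = []
    for n, fields in _lines(tcrules):
        if len(fields) < 3:
            continue
        mark, dest = fields[0], fields[2]
        value, _, chain = mark.partition(":")
        if chain.upper() == "F":
            continue                              # this rule already marks in FORWARD
        for d in _as_networks(dest, params):
            if any(d.version == m.version and d.subnet_of(m) for m in inside):
                findings.append((n, mark, f"{value}:F"))
                break
    return findings


# Constructed sample input: the two tcrules from this thread and a masq entry
# for the internal network they refer to.
TCRULES = """\
#MARK SOURCE    DEST                  PROTO PORT(S)
5     $EXT_IF   $INT_IF:192.168.5.45  all
1     0.0.0.0/0 0.0.0.0/0             icmp  echo-request
"""

MASQ = """\
#INTERFACE SUBNET          ADDRESS
$EXT_IF    192.168.5.0/24
"""

PARAMS = {"EXT_IF": "eth0", "INT_IF": "eth1"}   # assumed interface names

if __name__ == "__main__":
    for line_no, mark, fix in lint_tcrules(TCRULES, MASQ, "No", PARAMS):
        print(f"tcrules line {line_no}: MARK {mark!r} selects an internal "
              f"destination while masquerading; use {fix!r}")
```

The icmp echo-request rule passes because its destination 0.0.0.0/0 is not inside the masqueraded network; the rule for 192.168.5.45 is flagged unless it is written as 5:F or MARK_IN_FORWARD_CHAIN=Yes is set.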
If I understand correctly, Shorewall (4.0.3, perl) can configure 'tc' only for the outgoing traffic of the interfaces. But if I want to shape incoming traffic, I can shape on another interface the outgoing traffic that is incoming on the first interface.

                     ------------------
                     |                |
  ----> interface-1     Firewall     interface-2 ---->
                     |                |
                     ------------------

Am I right?

And another question. How can I shape incoming traffic for the firewall itself (e.g. I run an ftp server on the firewall)? I think that I must use TC_ENABLED=Yes and write the tc rules myself in 'tcstart', but not use the 'tcclasses', 'tcdevices' and 'tcrules' files. And for this case I must use the 'ifb' module. Am I right?

Thank you very much for any advice.

Shubnik Aleksandr
alex wrote:
> If I understand correctly, Shorewall (4.0.3, perl) can configure 'tc' only for
> the outgoing traffic of the interfaces. But if I want to shape incoming traffic,
> I can shape on another interface the outgoing traffic that is incoming on the
> first interface.
>                      ------------------
>                      |                |
>   ----> interface-1     Firewall     interface-2 ---->
>                      |                |
>                      ------------------
> Am I right?

Yes, but ...

> And another question.
> How can I shape incoming traffic for the firewall itself (e.g. I run an
> ftp server on the firewall)?

You can't!

So in effect, you can only shape inbound traffic on i/f1 as it exits i/f2 IFF there is minimal traffic coming for the firewall itself. Internal traffic from the firewall to i/f2 can be dealt with by a sufficiently complicated tc setup!

If you have inbound traffic to the firewall, then really the best you can do is police the inbound rate on i/f1.

The alternative is to move the externally visible service to an internal server so there is no 'missing' traffic when you shape the traffic out of i/f2.
>> If I understand correctly, Shorewall (4.0.3, perl) can configure 'tc' only for
>> the outgoing traffic of the interfaces. But if I want to shape incoming traffic,
>> I can shape on another interface the outgoing traffic that is incoming on the
>> first interface.
>>                      ------------------
>>                      |                |
>>   ----> interface-1     Firewall     interface-2 ---->
>>                      |                |
>>                      ------------------
>> Am I right?
>
> Yes, but ...
>
>> And another question.
>> How can I shape incoming traffic for the firewall itself (e.g. I run an
>> ftp server on the firewall)?
>
> You can't!
>
> So in effect, you can only shape inbound traffic on i/f1 as it exits
> i/f2 IFF there is minimal traffic coming for the firewall itself.
> Internal traffic from the firewall to i/f2 can be dealt with by a
> sufficiently complicated tc setup!

No, only inbound traffic from i/f1 to the firewall itself is interesting to me (not from the firewall to i/f2), as I have 1Gbit ethernet on i/f2 and ADSL on i/f1.

> If you have inbound traffic to the firewall, then really the best you
> can do is police the inbound rate on i/f1.

With the 'ifb' module only and the 'tcstart' file, or not?

> The alternative is to move the externally visible service to an
> internal server so there is no 'missing' traffic when you shape the
> traffic out of i/f2.
alex wrote:
> With the 'ifb' module only and the 'tcstart' file, or not?

Alex -- Someone has to be the first to try new and unusual things. In the case of 'ifb', you are probably the first Shorewall user to want to use it with Shorewall so *you* get to be the pioneer. Don't expect us to spend our time experimenting with this combination on your behalf. And trying to get ifb and Shorewall to work together would clearly involve a lot of experimentation.

-Tom
>> With the 'ifb' module only and the 'tcstart' file, or not?
>
> Alex -- Someone has to be the first to try new and unusual things. In
> the case of 'ifb', you are probably the first Shorewall user to want to
> use it with Shorewall so *you* get to be the pioneer. Don't expect us to
> spend our time experimenting with this combination on your behalf. And
> trying to get ifb and Shorewall to work together would clearly involve a
> lot of experimentation.

Thank you for the direct manner, Tom, but in my previous letter I also wanted to know: if I use the 'tcstart' file (with TC_ENABLED=Yes), do the remaining tc files ('tcclasses', 'tcdevices', 'tcrules') not work (with the builtin shaper)?

Alex
alex wrote:
>>> With the 'ifb' module only and the 'tcstart' file, or not?
>> Alex -- Someone has to be the first to try new and unusual things. In
>> the case of 'ifb', you are probably the first Shorewall user to want to
>> use it with Shorewall so *you* get to be the pioneer. Don't expect us to
>> spend our time experimenting with this combination on your behalf. And
>> trying to get ifb and Shorewall to work together would clearly involve a
>> lot of experimentation.
>
> Thank you for the direct manner, Tom, but in my previous letter I also
> wanted to know: if I use the 'tcstart' file (with TC_ENABLED=Yes), do the
> remaining tc files ('tcclasses', 'tcdevices', 'tcrules') not work (with the
> builtin shaper)?

If you decide not to try to use TC_ENABLED=Internal with ifb and use TC_ENABLED=Yes instead, then the tcclasses and tcdevices files are ignored. The tcrules file is still processed normally.

-Tom
Hello Tom,

I wrote to you before about the strange behaviour of traffic shaping when I use 10mbit and 100mbit limits. Now I have made a more accurate test and found something interesting.

I have one interface (for the test).

params:
  DMZ_IF=eth1

interfaces:
  dmz  $DMZ_IF  detect  detectnets,logmartians

routestopped:
  $DMZ_IF  -

rules:
  SSH/ACCEPT  $FW  dmz

policy:
  $FW  dmz  REJECT  info
  $FW  all  REJECT  info
  dmz  $FW  REJECT  info
  dmz  all  REJECT  info
  all  all  REJECT  info

zones:
  fw   firewall
  dmz  ipv4

I try to get a file by sftp from DMZ to FW:

  sftp> get /home/file.xyz
  Fetching /home/file.xyz to file.xyz
  <...> 28% 28MB 27.5MB/s 00:02 ETA

Now I add only one line to 'tcdevices':

  $DMZ_IF  500mbit  500mbit

And try to get the file again:

  sftp> get /home/file.xyz
  Fetching /home/file.xyz to file.xyz
  <...> 1% 1120KB 64.0KB/s 25:45 ETA

A catastrophic speed decrease. This is the output of 'shorewall show tc':

  Shorewall 4.0.3 Traffic Control at gate.btis.by - Fri Sep 7 20:10:10 EEST 2007

  Device eth1:

  qdisc htb 1: r2q 10 default 0 direct_packets_stat 0 ver 3.17
   Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
   rate 0bit 0pps backlog 0b 0p requeues 0
  qdisc ingress ffff: ----------------
   Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
   rate 0bit 0pps backlog 0b 0p requeues 0

  class htb 1:1 root prio 0 quantum 200000 rate 500000Kbit ceil 500000Kbit burst 626562b/8 mpu 0b overhead 0b cburst 626562b/8 mpu 0b overhead 0b level 0
   Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
   rate 0bit 0pps backlog 0b 0p requeues 0
   lended: 0 borrowed: 0 giants: 0
   tokens: 10025 ctokens: 10025

And in the end, when I make this 'tc' configuration by hand (not with 'tcdevices'), everything works fine:

  tc qdisc add dev eth1 root handle 1: htb default 0
  tc qdisc add dev eth1 ingress
  tc class add dev eth1 parent 1: classid 1:1 htb rate 500mbit ceil 500mbit

I think the matter is in the 'iptables' rules.

Thank you for any advice.

Shubnik Aleksandr
alex wrote:
> Hello Tom,
> I wrote to you before about the strange behaviour of traffic shaping
> when I use 10mbit and 100mbit limits. Now I have made a more accurate test
> and found something interesting.
> I have one interface (for the test).

Alex,

If you want me to look at this, you are going to have to supply the output of "shorewall dump". But remember -- you are the only one who seems to be able to reproduce this problem so it is very unlikely that I will find anything in the dump.

-Tom
On Fri, 2007-09-07 at 16:10 -0700, Tom Eastep wrote:
> alex wrote:
> > Hello Tom,
> > I wrote to you before about the strange behaviour of traffic shaping
> > when I use 10mbit and 100mbit limits. Now I have made a more accurate test
> > and found something interesting.
> > I have one interface (for the test).
>
> Alex,
>
> If you want me to look at this, you are going to have to supply the
> output of "shorewall dump".

Alex,

I've thought about this a bit more and I would like two more things in addition to the dump:

a) A trace of 'shorewall restart' using the failing configuration.
b) A copy of the resulting compiled script (will be in /var/lib/shorewall/.restart if the command is 'restart').

Thanks!

-Tom
Hello Tom,

Thank you very much for your attention to my question. I attached all the additional info you wrote about. All data is from the failing configuration (with the added interface in 'tcdevices').

Alex

>> > Hello Tom,
>> > I wrote to you before about the strange behaviour of traffic shaping
>> > when I use 10mbit and 100mbit limits. Now I have made a more accurate test
>> > and found something interesting.
>> > I have one interface (for the test).
>>
>> Alex,
>>
>> If you want me to look at this, you are going to have to supply the
>> output of "shorewall dump".
>
> Alex,
>
> I've thought about this a bit more and I would like two more things in
> addition to the dump:
>
> a) A trace of 'shorewall restart' using the failing configuration.
> b) A copy of the resulting compiled script (will be
> in /var/lib/shorewall/.restart if the command is 'restart').
On Mon, 2007-09-10 at 09:32 +0100, alex wrote:
> Hello Tom,
> Thank you very much for your attention to my question.
> I attached all the additional info you wrote about. All data
> is from the failing configuration (with the added interface in 'tcdevices').

Thanks Alex -- but there is no trace file.

    shorewall trace restart 2> trace.out

-Tom
On Mon, 2007-09-10 at 09:32 +0100, alex wrote:
> Hello Tom,
> Thank you very much for your attention to my question.
> I attached all the additional info you wrote about. All data
> is from the failing configuration (with the added interface in 'tcdevices').

I've continued to try to reproduce this problem without success. Here's the
root class information in my test:

    class htb 2:1 root rate 500000Kbit ceil 500000Kbit burst 251562b/8 mpu 0b overhead 0b cburst 251562b/8 mpu 0b overhead 0b level 7
     Sent 45149058 bytes 34229 pkt (dropped 0, overlimits 0 requeues 0)
     rate 6136bit 2pps backlog 0b 0p requeues 0
     lended: 0 borrowed: 0 giants: 0
     tokens: 4020 ctokens: 4020

Looks just like yours. The generated shell code is also the same. As I adjust
my tcclasses file, I can control the traffic rate:

    ftp> get linux-2.6.18.2.tar.bz2
    local: linux-2.6.18.2.tar.bz2 remote: linux-2.6.18.2.tar.bz2
    200 PORT command successful
    150-Connecting to port 53255
    150 40874.7 kbytes to download
    226-File successfully transferred
    226 362.306 seconds (measured here), 112.82 Kbytes per second
    -------------
    41855741 bytes received in 362.81 secs (112.7 kB/s)

    ftp> get linux-2.6.18.2.tar.bz2
    local: linux-2.6.18.2.tar.bz2 remote: linux-2.6.18.2.tar.bz2
    200 PORT command successful
    150-Connecting to port 37858
    150 40874.7 kbytes to download
    226-File successfully transferred
    226 35.022 seconds (measured here), 1.14 Mbytes per second
    -----------
    41855741 bytes received in 35.04 secs (1166.4 kB/s)

    ftp> get linux-2.6.18.2.tar.bz2
    local: linux-2.6.18.2.tar.bz2 remote: linux-2.6.18.2.tar.bz2
    200 PORT command successful
    150-Connecting to port 45215
    150 40874.7 kbytes to download
    226-File successfully transferred
    226 4.010 seconds (measured here), 9.96 Mbytes per second
    -----------
    41855741 bytes received in 3.99 secs (10251.2 kB/s)
    ftp>

-Tom
> > Hello Tom,
> > Thank you very much for your attention to my question.
> > I attached all the additional info you wrote about. All data
> > is from the failing configuration (with the added interface in 'tcdevices').
>
> Thanks Alex -- but there is no trace file.
>
>     shorewall trace restart 2> trace.out

Sorry Tom,
I attached this file.
Alex
On Tue, 2007-09-11 at 11:34 +0300, alex wrote:
> > > Hello Tom,
> > > Thank you very much for your attention to my question.
> > > I attached all the additional info you wrote about. All data
> > > is from the failing configuration (with the added interface in 'tcdevices').
> >
> > Thanks Alex -- but there is no trace file.
> >
> >     shorewall trace restart 2> trace.out
>
> Sorry Tom,
> I attached this file.

Alex,

I see nothing unusual in the trace. Your TC setup is identical to mine and
mine works exactly as expected.

-Tom
Hello Tom.
It seems I have found what the matter is in my problem.
First, the difference is that I ran the following 'tc' commands by hand (in my test):

    tc qdisc add dev eth1 root handle 1: htb default 0
    tc qdisc add dev eth1 ingress
    tc class add dev eth1 parent 1: classid 1:1 htb rate 500mbit ceil 500mbit

But Shorewall generates the same 'tc' commands with one 'filter':

    tc qdisc add dev eth1 root handle 1: htb default 0
    tc class add dev eth1 parent 1: classid 1:1 htb rate 500mbit
    tc qdisc add dev eth1 handle ffff: ingress
    tc filter add dev eth1 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 500000kbit burst 10k drop flowid :1

And second, I use an OpenVZ system and test traffic shaping between two
virtual machines. In these circumstances, if I increase the input rate for
the interface to not less than 12000mbit (in my case), all works fine (with
Shorewall's 'tc filter' rule). But when I decrease the input rate to less
than 12000mbit (500mbit in my tests), the download speed fails.

'tcdevices':

    $DMZ_IF 500mbit 500mbit

Maybe this info will be interesting for you.
I posted this info to the OpenVZ developers.
Thank you very much for help.
Alex

> > > > Hello Tom,
> > > > Thank you very much for your attention to my question.
> > > > I attached all the additional info you wrote about. All data
> > > > is from the failing configuration (with the added interface in 'tcdevices').
> > >
> > > Thanks Alex -- but there is no trace file.
> > >
> > >     shorewall trace restart 2> trace.out
> >
> > Sorry Tom,
> > I attached this file.
>
> Alex,
>
> I see nothing unusual in the trace. Your TC setup is identical to mine
> and mine works exactly as expected.
>
> -Tom
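The two command sequences Alex compares above differ only in the ingress policer filter, and that filter is where Shorewall turns an IN-BANDWIDTH such as 500mbit into "police rate 500000kbit". The script below is an added example, not Shorewall's own code and not something posted in the thread: it regenerates that command sequence for one 'tcdevices' line so the policer can be inspected, compared against a hand-built setup, or replayed step by step. The unit conversion and the convention that an IN-BANDWIDTH of 0 or '-' suppresses the ingress qdisc and policer are this script's own assumptions, chosen to mirror the commands quoted above.

```shell
#!/bin/sh
# Added example (not Shorewall's own code and not from the thread):
# regenerate the tc command sequence Shorewall emits for one 'tcdevices'
# line (DEVICE IN-BANDWIDTH OUT-BANDWIDTH) so the ingress policer can be
# inspected or replayed by hand.
# Assumptions: the unit conversion below and the rule that an IN-BANDWIDTH
# of 0 or '-' suppresses the ingress qdisc and policer filter are this
# script's own conventions, modelled on the commands posted above.

# to_kbit RATE: normalise Shorewall bandwidth syntax (kbit/mbit/kbps/mbps)
# to a plain kbit figure. The generated policer filter uses that form
# (500mbit -> 500000kbit), while the htb class keeps the value as typed.
to_kbit() {
    rate=$1
    case "$rate" in
        *mbps) echo $(( ${rate%mbps} * 8000 )) ;;
        *kbps) echo $(( ${rate%kbps} * 8 )) ;;
        *mbit) echo $(( ${rate%mbit} * 1000 )) ;;
        *kbit) echo "${rate%kbit}" ;;
        *)     echo "$rate" ;;      # bare number: treat as kbit already
    esac
}

# gen_tc DEV IN_BW OUT_BW: print, one per line, the tc commands for the
# device. Nothing is executed, so this is safe to run without root.
gen_tc() {
    dev=$1; in_bw=$2; out_bw=$3
    printf 'tc qdisc add dev %s root handle 1: htb default 0\n' "$dev"
    printf 'tc class add dev %s parent 1: classid 1:1 htb rate %s\n' "$dev" "$out_bw"
    # Ingress side only when a real IN-BANDWIDTH was given (assumption:
    # 0 or '-' means "no ingress policing").
    if [ "$in_bw" != "0" ] && [ "$in_bw" != "-" ]; then
        printf 'tc qdisc add dev %s handle ffff: ingress\n' "$dev"
        printf 'tc filter add dev %s parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate %skbit burst 10k drop flowid :1\n' \
            "$dev" "$(to_kbit "$in_bw")"
    fi
}

# has_policer DEV IN_BW OUT_BW: succeed when the generated sequence contains
# the ingress policer, the one command Alex's hand-run test did not include.
has_policer() {
    gen_tc "$@" | grep -q 'police rate'
}

# apply_tc DEV IN_BW OUT_BW: run the generated commands for real (root only),
# echoing each one first and stopping at the first failure so a half-built
# qdisc tree is obvious instead of silently ignored.
apply_tc() {
    gen_tc "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
}

# Usage: print what would be done for the 'tcdevices' line from the thread
# ($DMZ_IF 500mbit 500mbit), with eth1 assumed as the device.
gen_tc eth1 500mbit 500mbit
```

Running it prints the four-command sequence from the post; gen_tc with an IN-BANDWIDTH of 0 prints only the two egress commands, which is a quick way to confirm whether the ingress policer is the part that behaves differently on a given system before touching a live interface with apply_tc.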
On Wed, 2007-09-12 at 16:14 +0300, alex wrote:
>
> Maybe this info will be interesting for you.
> I posted this info to the OpenVZ developers.
> Thank you very much for help.
> Alex

Thanks for the update Alex -- glad to hear that you may have a handle on
the problem.

-Tom
Don't mention it Tom, thank YOU for help.
But the situation is yet more interesting: as I wrote in my first letters on
this theme, shaping works fine when I decrease the input rate limit to less
than 10mbit. And therefore between 10mbit and 12000mbit there is some black hole.
Alex

> > Maybe this info will be interesting for you.
> > I posted this info to the OpenVZ developers.
> > Thank you very much for help.
> > Alex
>
> Thanks for the update Alex -- glad to hear that you may have a handle on
> the problem.
>
> -Tom