Hello,

I have installed 4.4.11.6 and configured some basic traffic control on a router. The problem is that I do not see any traffic hitting the marks I have set. All traffic is hitting the default class and nothing else.

The setup is as follows.

A laptop uses two instances of wget to retrieve two 348 MB files from a HTTP server running two instances of lighttpd on ports 80 and 3000. The idea is to restrict traffic at eth2 when the bulk of it from the HTTP server is going to the laptop.

laptop eth0 <-> eth2 router eth1 <-> eth1 HTTP server

laptop: 192.168.2.2

tcdevices

#NUMBER   IN        OUT
eth1      100mbit   100mbit
eth2      100mbit   100mbit

tcclasses

#INTERFACE   MARK   RATE          CEIL         PRIORITY   OPTIONS
eth2         1      full/2        full         1          default
eth2         10     full/100000   full/90000   10
eth2         20     full/100      full/95      20

tcrules

#MARK   SOURCE      DEST          PROTO   DEST   SOURCE
10      0.0.0.0/0   192.168.2.2   tcp     -      80
20      0.0.0.0/0   192.168.2.2   tcp     -      3000

Using tc, we see that the traffic never hits marks 10 and 20. All traffic has hit the default class only. This was also observed by looking at iptables' mangle table. This is quite puzzling. Has anyone experienced something like this?

Thanks for any information.
# tc -s -d class show dev eth2

class htb 2:110 parent 2:1 leaf 4: prio 7 quantum 1500 rate 1000bit ceil 1000bit burst 1600b/8 mpu 0b overhead 0b cburst 1600b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 12500000 ctokens: 12500000

class htb 2:11 parent 2:1 leaf 3: prio 1 quantum 12500 rate 50000Kbit ceil 100000Kbit burst 7843b/8 mpu 0b overhead 0b cburst 14087b/8 mpu 0b overhead 0b level 0
 Sent 111133255 bytes 73425 pkt (dropped 0, overlimits 0 requeues 0)
 rate 32683Kbit 2699pps backlog 0b 0p requeues 0
 lended: 43972 borrowed: 29453 giants: 0
 tokens: -79 ctokens: 303

class htb 2:1 root rate 100000Kbit ceil 100000Kbit burst 14087b/8 mpu 0b overhead 0b cburst 14087b/8 mpu 0b overhead 0b level 7
 Sent 111133255 bytes 73425 pkt (dropped 0, overlimits 0 requeues 0)
 rate 32683Kbit 2699pps backlog 0b 0p requeues 0
 lended: 29453 borrowed: 0 giants: 0
 tokens: 303 ctokens: 303

class htb 2:120 parent 2:1 leaf 5: prio 7 quantum 1500 rate 1000Kbit ceil 1052Kbit burst 1724b/8 mpu 0b overhead 0b cburst 1730b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 13476 ctokens: 12854

------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev
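The `tc -s class show` output above is what the whole thread turns on: the non-default leaf classes report `Sent 0 bytes` while one class carries every packet. The following script is an added example, not code from the original post, from iproute2 or from Shorewall. It parses that output format into per-class counters and flags leaf classes that never sent anything when another class has taken all the traffic. `SAMPLE` is constructed from the counters quoted in the post; on a live router pipe `tc -s class show dev eth2` into it instead.

```python
"""Summarise `tc -s class show dev <iface>` per class and flag idle leaves.

Added example for this thread, not code from the posts or from iproute2/
Shorewall.  SAMPLE is constructed from the HTB counters in the first post
(eth2, classes 2:1, 2:11, 2:110, 2:120); pipe live `tc -s class show dev
eth2` output on stdin to check a real box.  The symptom under discussion is
leaf classes that never sent a byte while one class carries everything,
which means the fwmark filters feeding them are not matching.
"""
import re
import sys

SAMPLE = """\
class htb 2:110 parent 2:1 leaf 4: prio 7 quantum 1500 rate 1000bit ceil 1000bit burst 1600b/8 mpu 0b overhead 0b cburst 1600b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
class htb 2:11 parent 2:1 leaf 3: prio 1 quantum 12500 rate 50000Kbit ceil 100000Kbit burst 7843b/8 mpu 0b overhead 0b cburst 14087b/8 mpu 0b overhead 0b level 0
 Sent 111133255 bytes 73425 pkt (dropped 0, overlimits 0 requeues 0)
 rate 32683Kbit 2699pps backlog 0b 0p requeues 0
 lended: 43972 borrowed: 29453 giants: 0
class htb 2:1 root rate 100000Kbit ceil 100000Kbit burst 14087b/8 mpu 0b overhead 0b cburst 14087b/8 mpu 0b overhead 0b level 7
 Sent 111133255 bytes 73425 pkt (dropped 0, overlimits 0 requeues 0)
 rate 32683Kbit 2699pps backlog 0b 0p requeues 0
 lended: 29453 borrowed: 0 giants: 0
class htb 2:120 parent 2:1 leaf 5: prio 7 quantum 1500 rate 1000Kbit ceil 1052Kbit burst 1724b/8 mpu 0b overhead 0b cburst 1730b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
"""

HEADER_RE = re.compile(r"^class (\w+) (\S+) (?:(root)|parent (\S+))(?: leaf (\S+))?")
SENT_RE = re.compile(r"Sent (\d+) bytes (\d+) pkt \(dropped (\d+),")


def parse_tc_classes(text):
    """Return {classid: {kind, parent, leaf, bytes, pkts, dropped}}."""
    classes = {}
    for block in re.split(r"(?m)^(?=class )", text):  # one record per class line
        head = HEADER_RE.match(block)
        if not head:
            continue
        kind, classid, root, parent, leaf = head.groups()
        sent = SENT_RE.search(block)
        counters = [int(x) for x in sent.groups()] if sent else [0, 0, 0]
        classes[classid] = {"kind": kind, "parent": None if root else parent,
                            "leaf": leaf, "bytes": counters[0],
                            "pkts": counters[1], "dropped": counters[2]}
    return classes


def idle_leaf_classes(classes):
    """Leaf classes (those owning a leaf qdisc) that have never sent a byte."""
    return sorted(c for c, i in classes.items() if i["leaf"] and i["bytes"] == 0)


def busiest_class(classes):
    """Non-root class carrying the most bytes, or None if nothing flowed."""
    top = max(((i["bytes"], c) for c, i in classes.items() if i["parent"]),
              default=(0, None))
    return top[1] if top[0] else None


def report(text):
    """Per-class table plus a warning when one class has taken all traffic."""
    classes = parse_tc_classes(text)
    lines = [f"{c:>6} parent={i['parent'] or '-':<5} bytes={i['bytes']:>11} "
             f"pkts={i['pkts']:>6} dropped={i['dropped']}"
             for c, i in sorted(classes.items())]
    idle, busy = idle_leaf_classes(classes), busiest_class(classes)
    total = sum(i["bytes"] for i in classes.values() if i["parent"])
    if busy and idle and classes[busy]["bytes"] == total:
        lines.append(f"WARNING: {busy} carries all {total} bytes, {', '.join(idle)} "
                     "idle: the fw filters for the idle classes are not matching")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE if sys.stdin.isatty() else sys.stdin.read()))
```

Take two snapshots a few seconds apart while the transfers are running: the `bytes` column of the class you expect to be busy must move between them, and `dropped` growing only on the default class is the same symptom from the other side.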
On 4/4/11 5:04 PM, lanas wrote:
> Hello,
>
> I have installed 4.4.11.6 and configured some basic traffic
> control on a router. The problem is that I do not see any
> traffic hitting the marks I have set. All traffic is hitting the
> default class and nothing else.
>
> The setup is as follows.
>
> A laptop uses two instances of wget to retrieve two 348 MB files
> from a HTTP server running two instances of lighttpd on ports 80
> and 3000. The idea is to restrict traffic at eth2 when the bulk
> of it from the HTTP server is going to the laptop.
>
> laptop eth0 <-> eth2 router eth1 <-> eth1 HTTP server
>
> laptop: 192.168.2.2
>
> tcdevices
>
> #NUMBER   IN        OUT
> eth1      100mbit   100mbit
> eth2      100mbit   100mbit
>
> tcclasses
>
> #INTERFACE   MARK   RATE          CEIL         PRIORITY   OPTIONS
> eth2         1      full/2        full         1          default
> eth2         10     full/100000   full/90000   10
> eth2         20     full/100      full/95      20
>

I'm concerned that there is a web site somewhere that is leading people to mis-configure Shorewall's TC. This is the second very similar configuration that I've seen today. Did you find this on some web site other than shorewall.net?

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 4/4/11 5:50 PM, Tom Eastep wrote:
>
> I'm concerned that there is a web site somewhere that is leading people
> to mis-configure Shorewall's TC. This is the second very similar
> configuration that I've seen today. Did you find this on some web site
> other than shorewall.net?

And if you would like to pursue your current configuration further, please include the output of 'shorewall dump' with your request. Collect that output while stressing the configuration with whatever load you feel isn't being handled properly.

Thanks,
-Tom
On Mon, 04 Apr 2011 17:50:04 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> On 4/4/11 5:04 PM, lanas wrote:
> > Hello,
> >
> > I have installed 4.4.11.6 and configured some basic traffic
> > control on a router. The problem is that I do not see any
> > traffic hitting the marks I have set. All traffic is hitting the
> > default class and nothing else.
> >
> > The setup is as follows.
>
> I'm concerned that there is a web site somewhere that is leading
> people to mis-configure Shorewall's TC. This is the second very
> similar configuration that I've seen today. Did you find this on some
> web site other than shorewall.net?

> And if you would like to pursue your current configuration
> further, please include the output of 'shorewall dump' with
> your request. Collect that output while stressing the
> configuration with whatever load you feel isn't being handled
> properly.

I do not have access to the setup right now: I can add a dump later on.

I haven't picked that up from a web site, but I did follow somebody else's. That way of configuring TC seemingly worked with the 4.0.x series.

I'm very curious: what have you noticed that was so wrong?

Thanks!
On Tue, 5 Apr 2011 05:35:08 -0400, lanas <lanas@securenet.net> wrote:

> I'm very curious: what have you noticed that was so wrong?

Tom,

I just saw your reply to Bob Smith. I will read it.
On Mon, 04 Apr 2011 17:50:04 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> I'm concerned that there is a web site somewhere that is
> leading people to mis-configure Shorewall's TC. This is the
> second very similar configuration that I've seen today. Did you
> find this on some web site other than shorewall.net?

Tom,

And so did I pursue this further today, time allowing.

I started with a TC configuration from the Shorewall web site, that I modified only slightly. Then I ran this on a router unit, under the same traffic load, using two different shorewall versions. With one version (the older one) it works pretty much as expected, with the other version no traffic ever goes into the TC classes 2 and 3.

I made 'shorewall dump's of both systems at two moments during the 2 simultaneous 324 MB HTTP transfers. I'm including here only one dump, from the system showing the problem.

Despite holes in my knowledge about TC, the test here shows two very different results using the same config. Of course, what matters is the newest Shorewall version.

The test consisted as before of two HTTP transfers made on ports 80 and 3000, made from a laptop using two instances of wget. The idea for the test is to restrict traffic from the HTTP server, coming out of the router's eth2, going to the laptop.

laptop eth0 <-> eth2 router eth1 <-> eth1 HTTP server

Transfer1 is made using port 80, transfer2 is made using port 3000. Transfer averages are provided by wget.
TC CONFIGURATION for both tests:

tcdevices

#NUMBER   IN-BANDWIDTH   OUT-BANDWIDTH
eth2      100mbit        75mbit

tcclasses

#INTERFACE   MARK   RATE        CEIL        PRIORITY   OPTIONS
eth2         1      1*full/10   full        1          default
eth2         2      8*full/10   9*full/10   10
eth2         3      1*full/10   8*full/10   20

tcrules

#MARK   SOURCE      DEST          PROTO   DEST   SOURCE
2       0.0.0.0/0   192.168.2.2   tcp     -      80
3       0.0.0.0/0   192.168.2.2   tcp     -      3000

TEST # 1 - WORKS FINE

shorewall 4.0.15
linux 2.6.26-15
iptables 1.3.6.0

transfer 1: 3.20 MB/s
transfer 2: 2.63 MB/s

excerpt tc shows that traffic is hitting classes 2 and 3:

class htb 1:13 parent 1:1 leaf 13: prio 7 quantum 2500 rate 7500Kbit ceil 60000Kbit burst 2535b/8 mpu 0b overhead 0b cburst 9090b/8 mpu 0b overhead 0b level 0
 Sent 31539119 bytes 20850 pkt (dropped 127, overlimits 0 requeues 0)
 rate 10814Kbit 894pps backlog 0b 16p requeues 0
 lended: 4949 borrowed: 15885 giants: 0
 tokens: -328 ctokens: -106

class htb 1:12 parent 1:1 leaf 12: prio 7 quantum 20000 rate 60000Kbit ceil 67500Kbit burst 9090b/8 mpu 0b overhead 0b cburst 10023b/8 mpu 0b overhead 0b level 0
 Sent 35101925 bytes 23189 pkt (dropped 95, overlimits 0 requeues 0)
 rate 13689Kbit 1130pps backlog 0b 0p requeues 0
 lended: 21536 borrowed: 1653 giants: 0
 tokens: -132 ctokens: 241

Some of these were also seen with tc:

class sfq 12:2b1 parent 12:
 (dropped 0, overlimits 0 requeues 0)
 backlog 0b 16p requeues 0
class sfq 13:1c2 parent 13:
 (dropped 0, overlimits 0 requeues 0)
 backlog 0b 41p requeues 0

TEST # 2 - DOES NOT WORK

shorewall 4.4.11.6
linux 2.6.26-26
iptables 1.4.2

transfer 1: 2.82 MB/s
transfer 2: 2.86 MB/s

excerpt tc shows that traffic is *not* hitting classes 2 and 3:

class htb 1:13 parent 1:1 leaf 4: prio 7 quantum 2500 rate 7500Kbit ceil 60000Kbit burst 2535b/8 mpu 0b overhead 0b cburst 9090b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 2642 ctokens: 1184

class htb 1:12 parent 1:1 leaf 3: prio 7 quantum 20000 rate 60000Kbit ceil 67500Kbit burst 9090b/8 mpu 0b overhead 0b cburst 10023b/8 mpu 0b overhead 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 1184 ctokens: 1161

No sfq classes were observed during this test.

Unfortunately I do not have at the moment the tc versions for these two tests.

Attached is a compressed dump from test # 2

Thanks for taking a look into this.
On 4/5/11 4:09 PM, lanas wrote:
>
> tcrules
>
> #MARK   SOURCE      DEST          PROTO   DEST   SOURCE
> 2       0.0.0.0/0   192.168.2.2   tcp     -      80
> 3       0.0.0.0/0   192.168.2.2   tcp     -      3000

You are marking in the PREROUTING chain; from the generated Netfilter rules, I can see that MARK_IN_FORWARD_CHAIN=No in shorewall.conf. You must mark in the FORWARD or POSTROUTING chain because marks set in PREROUTING are cleared after routing occurs.

-Tom
On Tue, 05 Apr 2011 16:39:05 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> On 4/5/11 4:09 PM, lanas wrote:
> >
> > tcrules
> >
> > #MARK   SOURCE      DEST          PROTO   DEST   SOURCE
> > 2       0.0.0.0/0   192.168.2.2   tcp     -      80
> > 3       0.0.0.0/0   192.168.2.2   tcp     -      3000
>
> You are marking in the PREROUTING chain; from the generated Netfilter
> rules, I can see that MARK_IN_FORWARD_CHAIN=No in shorewall.conf. You
> must mark in the FORWARD or POSTROUTING chain because marks set in
> PREROUTING are cleared after routing occurs.

Thanks. At the moment I have no idea how to specifically mark at any point in the processing chains, but I'll look it up in the complex TC Shorewall info page. I think it has to do with adding a certain :<flag> after the mark.

I am still puzzled by the observation that on an older Shorewall (4.0.x) this same config works and on 4.4.x it doesn't. That sounds as if all previous configurations must be somehow adapted in post install scripts when upgrading to a newer Shorewall, does it? It also sounds as if the procedure in newer Shorewalls has changed, requiring the possible addition of those chain-specific marks. Is this the case?
On 4/6/11 2:46 AM, lanas wrote:
> On Tue, 05 Apr 2011 16:39:05 -0700,
> Tom Eastep <teastep@shorewall.net> wrote:
>
>> On 4/5/11 4:09 PM, lanas wrote:
>>
>>>
>>> tcrules
>>>
>>> #MARK   SOURCE      DEST          PROTO   DEST   SOURCE
>>> 2       0.0.0.0/0   192.168.2.2   tcp     -      80
>>> 3       0.0.0.0/0   192.168.2.2   tcp     -      3000
>>
>> You are marking in the PREROUTING chain; from the generated Netfilter
>> rules, I can see that MARK_IN_FORWARD_CHAIN=No in shorewall.conf. You
>> must mark in the FORWARD or POSTROUTING chain because marks set in
>> PREROUTING are cleared after routing occurs.
>
> Thanks. At the moment I have no idea how to specifically mark at any
> point in the processing chains, but I'll look it up in the complex TC
> Shorewall info page. I think it has to do with adding a
> certain :<flag> after the mark.

Easiest way is to set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.

>
> I am still puzzled by the observation that on an older Shorewall
> (4.0.x) this same config works and on 4.4.x it doesn't. That sounds as
> if all previous configurations must be somehow adapted in post install
> scripts when upgrading to a newer Shorewall, does it? It also sounds
> as if the procedure in newer Shorewalls has changed, requiring the
> possible addition of those chain-specific marks. Is this the case?

Shorewall 4.4 is really a totally different product from Shorewall 4.0 and there are a number of incompatibilities; they are detailed at http://www.shorewall.net/LennyToSqueeze.html

-Tom
On 4/6/11 10:30 AM, Tom Eastep wrote:
> On 4/6/11 2:46 AM, lanas wrote:
>> On Tue, 05 Apr 2011 16:39:05 -0700,
>> Tom Eastep <teastep@shorewall.net> wrote:
>>
>>> On 4/5/11 4:09 PM, lanas wrote:
>>>
>>>>
>>>> tcrules
>>>>
>>>> #MARK   SOURCE      DEST          PROTO   DEST   SOURCE
>>>> 2       0.0.0.0/0   192.168.2.2   tcp     -      80
>>>> 3       0.0.0.0/0   192.168.2.2   tcp     -      3000
>>>
>>> You are marking in the PREROUTING chain; from the generated Netfilter
>>> rules, I can see that MARK_IN_FORWARD_CHAIN=No in shorewall.conf. You
>>> must mark in the FORWARD or POSTROUTING chain because marks set in
>>> PREROUTING are cleared after routing occurs.
>>
>> Thanks. At the moment I have no idea how to specifically mark at any
>> point in the processing chains, but I'll look it up in the complex TC
>> Shorewall info page. I think it has to do with adding a
>> certain :<flag> after the mark.
>
> Easiest way is to set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.

Also, to obtain the 4.0 Shorewall-shell behavior, you can set FORWARD_CLEAR_MARK=No in shorewall.conf.

-Tom
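Tom's diagnosis is about ordering along the forwarded-packet path through the mangle table: the marks are written in PREROUTING, the mark is zeroed again after routing (the behaviour FORWARD_CLEAR_MARK controls), and tc's fw filters on egress therefore see mark 0. The script below is an added example, not code from the thread and not Shorewall's own; it checks an `iptables-save -t mangle` dump for exactly that pattern by inlining user-chain jumps and walking PREROUTING, FORWARD and POSTROUTING in order. Both rulesets it ships with are constructed for the example (the user-chain names tcpre and tcfor are illustrative, and the zeroing is modelled as a plain MARK 0 rule in FORWARD, which is an assumption about how the clearing rule looks, not a quote of what Shorewall generates).

```python
"""Audit where fwmarks are set and zeroed on the forwarded-packet path.

Added example for this thread, not code from the posts or from Shorewall.
It parses the *mangle section of `iptables-save` (constructed samples below,
chain names tcpre/tcfor illustrative), inlines user-chain jumps and walks the
hooks a forwarded packet meets in order: PREROUTING, FORWARD, POSTROUTING.
A non-zero MARK followed later on that path by MARK 0 never reaches the
egress tc fw filters, which is the symptom in the thread.
"""
import re
import sys

FORWARD_PATH = ("PREROUTING", "FORWARD", "POSTROUTING")
JUMP_RE = re.compile(r"-j (\S+)")
MARK_RE = re.compile(r"-j MARK --set-x?mark (0x[0-9a-fA-F]+|\d+)")

# Constructed: marks set from PREROUTING, then zeroed in FORWARD.
BROKEN = """\
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j MARK --set-xmark 0x0/0xffffffff
-A tcpre -d 192.168.2.2/32 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x2/0xffffffff
-A tcpre -d 192.168.2.2/32 -p tcp -m tcp --sport 3000 -j MARK --set-xmark 0x3/0xffffffff
COMMIT
"""

# Constructed: same marks, set from FORWARD after the zeroing rule.
FIXED = """\
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcfor - [0:0]
-A FORWARD -j MARK --set-xmark 0x0/0xffffffff
-A FORWARD -j tcfor
-A tcfor -d 192.168.2.2/32 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x2/0xffffffff
-A tcfor -d 192.168.2.2/32 -p tcp -m tcp --sport 3000 -j MARK --set-xmark 0x3/0xffffffff
COMMIT
"""


def parse_mangle(dump):
    """Return {chain: [rule, ...]} for the *mangle table, in file order."""
    chains, in_mangle = {}, False
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):
            in_mangle = line == "*mangle"
        elif not in_mangle or not line or line == "COMMIT" or line[0] == "#":
            continue
        elif line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            name, _, rule = line[3:].partition(" ")
            chains.setdefault(name, []).append(rule)
    return chains


def mark_events(chains, chain, stack=()):
    """Flatten `chain` plus the user chains it jumps to, in execution order."""
    events = []  # ("set", value) or ("clear", 0) for every MARK target met
    for rule in chains.get(chain, []):
        m = MARK_RE.search(rule)
        if m:
            value = int(m.group(1), 0)  # 0x.. hex as iptables-save prints it, or decimal
            events.append(("clear" if value == 0 else "set", value))
            continue
        j = JUMP_RE.search(rule)
        if j and j.group(1) in chains and j.group(1) not in stack + (chain,):
            events.extend(mark_events(chains, j.group(1), stack + (chain,)))
    return events


def audit(dump):
    """Marks set per hook, hooks that zero the mark, and (value, set_in,
    zeroed_in) for every mark that a later rule on the forward path zeroes."""
    chains = parse_mangle(dump)
    timeline = [(hook, kind, value) for hook in FORWARD_PATH
                for kind, value in mark_events(chains, hook)]
    set_in, clobbered = {}, []
    for i, (hook, kind, value) in enumerate(timeline):
        if kind == "set":
            set_in.setdefault(hook, set()).add(value)
            later = [h for h, k, _ in timeline[i + 1:] if k == "clear"]
            if later:
                clobbered.append((value, hook, later[0]))
    cleared_in = {h for h, k, _ in timeline if k == "clear"}
    return {"set_in": set_in, "cleared_in": cleared_in, "clobbered": clobbered}


if __name__ == "__main__":  # pipe `iptables-save -t mangle` in, or run the samples
    for label, dump in ([("stdin", sys.stdin.read())] if not sys.stdin.isatty()
                        else [("BROKEN", BROKEN), ("FIXED", FIXED)]):
        r = audit(dump)
        print(label, r["set_in"], "zeroed in", sorted(r["cleared_in"]))
        for value, hook, clearer in r["clobbered"]:
            print(f"  WARNING: mark {value} set in {hook} is zeroed again in {clearer}")
```

The walk only models the forward path (packets routed through the box), which is the case in the thread; locally generated traffic goes OUTPUT then POSTROUTING and would need its own path list. A mark set in POSTROUTING can never be clobbered by this check, but it is also set too late for routing decisions; FORWARD, as Tom suggests with MARK_IN_FORWARD_CHAIN=Yes, is after the zeroing rule and before egress classification.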
On Wed, 06 Apr 2011 10:38:45 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> Shorewall 4.4 is really a totally different product from
> Shorewall 4.0 and there are a number of incompatibilities; they
> are detailed at http://www.shorewall.net/LennyToSqueeze.html

> Also, to obtain the 4.0 Shorewall-shell behavior, you can set
> FORWARD_CLEAR_MARK=No in shorewall.conf.

Thank you. Very much appreciated!

Thanks again for your time.