From: buck on
Eric Tao <cong818(a)gmail.com> wrote in
news:i3ov7h$j31$1(a)speranza.aioe.org:

> Hi,
>
> I try to divide a linux router traffic into several classes and
> shape them using iptables and tc fw filter. Below are my commands:
>
> iptables:

snip

> filters:
>
> tc filter add dev eth0 parent 1: protocol ip prio 2 handle 1 fw flowid 1:11
> tc filter add dev eth0 parent 1: protocol ip prio 3 handle 2 fw flowid 1:12
> tc filter add dev eth0 parent 1: protocol ip prio 4 handle 3 fw flowid 1:13
> tc filter add dev eth0 parent 1: protocol ip prio 5 handle 4 fw flowid 1:14

Set all these PRIOs to the same value - perhaps 4. Use PROTOCOL all.

Make sure your firewall marks survive by setting up a rule with no
jump that matches the FW MARK value and then check packet counts.

> -Eric
--
buck
From: Eric Tao on
D. Stussy wrote:
> "Eric Tao" <cong818(a)gmail.com> wrote in message
> news:i3qf8v$6li$1(a)speranza.aioe.org...
>> Can anybody please help me on this? tc-filters manual is missing and I
>> googled and found little help. I tried adjusting prio values of classes
>> and filters, still doesn't work. iptables LOG target does show that
>> packages are properly marked.
>>
>> Really appreciate if anyone with tc experience can give me a hint.
>
> Instead of using iptables to mark certain records, why not define the
> conditionals in the tc filter section?
>
>

Thank you for your reply. I need to use the iptables ipp2p match to pick out
p2p traffic. tc's native filters don't support that.
From: Eric Tao on
Hi Andy, thank you for your reply. Finally I found what's wrong with my
setup. I intended to shape traffic on a VPN router. While in my setup
all the packets I marked are on the pppX link created by pppd, the htb
qdisc is actually on eth0. So the marked traffic never went into the htb
classes.

I read in the docs in the iproute2 source that fw requires the ipfwchains
patch, and later I found that was only true in the ipchains era. Those are
really old docs. But I'm glad that tc and its filters do work after I
adjusted my setup.

Andy Furniss wrote:
> Eric Tao wrote:
>> Hi,
>>
>> I try to divide a linux router traffic into several classes and shape
>> them using iptables and tc fw filter. Below are my commands:
>
> Not sure why it isn't working, maybe more info about the setup of the
> router and what you are trying to achieve would help eg. why you need to
> use connmark for what could probably be done without, what is eth0
> connected to wan or lan, any nat rules anywhere.
>
> Some general comments below - though they shouldn't affect your problem
> as such.
>
>>
>> iptables:
>>
>> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
>> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
>> iptables -t mangle -A PREROUTING -s 10.1.0.0/16 -j MARK --set-mark 1
>> iptables -t mangle -A PREROUTING -s 10.2.0.0/16 -j MARK --set-mark 2
>> iptables -t mangle -A PREROUTING -s 10.3.0.0/16 -j MARK --set-mark 3
>> iptables -t mangle -A PREROUTING -s 10.4.0.0/16 -j MARK --set-mark 4
>> iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
>>
>>
>> tc qdiscs and classes:
>>
>> tc qdisc add dev eth0 root handle 1: htb default 14
>
> HTB default on eth will catch arp, which is not really desirable.
>
>> tc class add dev eth0 parent 1: classid 1:1 htb rate 2mbps ceil 3mbps
>
> Why ceil 3mbps, also in case you didn't know bps means bytes/sec in the
> strange world of tc.
>
>>
>> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 200kbps ceil
>> 300kbps prio 0
>> tc qdisc add dev eth0 parent 1:10 handle 110: sfq perturb 10
>
> No filter for this class.
>
>>
>> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 500kbps ceil
>> 2mbps prio 1
>> tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 10
>>
>> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 200kbps ceil
>> 2mbps prio 2
>> tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 10
>>
>> tc class add dev eth0 parent 1:1 classid 1:13 htb rate 500kbps ceil
>> 2mbps prio 3
>> tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 10
>>
>> tc class add dev eth0 parent 1:1 classid 1:14 htb rate 600kbps ceil
>> 2mbps prio 4
>> tc qdisc add dev eth0 parent 1:14 handle 114: sfq perturb 10
>>
>>
>> filters:
>>
>> tc filter add dev eth0 parent 1: protocol ip prio 2 handle 1 fw flowid
>> 1:11
>> tc filter add dev eth0 parent 1: protocol ip prio 3 handle 2 fw flowid
>> 1:12
>> tc filter add dev eth0 parent 1: protocol ip prio 4 handle 3 fw flowid
>> 1:13
>> tc filter add dev eth0 parent 1: protocol ip prio 5 handle 4 fw flowid
>> 1:14
>>
>>
>> The result is all traffic doesn't respect tc filters and go only thru
>> class 1:14, the default one.
>
> I haven't played with tc for ages now, but can't see anything wrong with
> this as such. I've never used connmark - try without it and see if it
> helps. My old home gateway/shaper box is quite out of date. I recently
> put a new kernel on it but my tc/iptables rules stopped working. I just
> reverted to the old kernel until I get around to seeing why.
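The diagnostic buck suggests (a no-jump rule per mark, then read the counters) is the quickest way to catch exactly the mismatch Eric describes, marks applied on pppX while the htb qdisc sits on eth0. The script below is an added example, not code from the thread: the counting rules are assumed to be `iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark N` for each mark, and the listing it parses is a constructed sample of `iptables -t mangle -L POSTROUTING -v -n -x` output.

```shell
#!/bin/sh
# Added example, not from the thread. Counting rules assumed on the router,
# one per mark, with no -j so they only count and never alter the packet:
#   iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 1
#   iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 2   (and so on)
# List them with: iptables -t mangle -L POSTROUTING -v -n -x

# Constructed sample of that listing: marks 0x1 and 0x2 are seen leaving
# eth0, marks 0x3 and 0x4 never are (their traffic is going out elsewhere).
SAMPLE='Chain POSTROUTING (policy ACCEPT 98765 packets, 43210987 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1500   1200000            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            mark match 0x1
     320    256000            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            mark match 0x2
       0         0            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            mark match 0x3
       0         0            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            mark match 0x4'

# mark_counts LISTING -> one line per counting rule: "<mark> <pkts>"
# The target column is empty for a no-jump rule, so field positions shift;
# pkts is always $1 and the mark value is always the last field.
mark_counts() {
    printf '%s\n' "$1" | awk '/mark match/ { print $NF, $1 }'
}

# pkts_for_mark LISTING MARK -> packet count for that mark (empty if no rule)
pkts_for_mark() {
    printf '%s\n' "$1" | awk -v m="$2" '/mark match/ && $NF == m { print $1; exit }'
}

# dead_marks LISTING -> marks whose counting rule never matched. Traffic with
# these marks is not leaving through the interface carrying the qdisc, so no
# fw filter on that interface can ever steer it into an htb class.
dead_marks() {
    mark_counts "$1" | awk '$2 == 0 { print $1 }'
}

# marks_ok LISTING -> exit 0 if every counting rule has seen packets, else 1
marks_ok() {
    [ -z "$(dead_marks "$1")" ]
}

if [ "${1:-}" = "--live" ]; then
    # Live mode: needs root and the counting rules above already in place.
    LIVE=$(iptables -t mangle -L POSTROUTING -v -n -x)
    dead_marks "$LIVE"
    marks_ok "$LIVE" && echo "all marks reach the qdisc interface"
else
    echo "marks with zero packets on the qdisc interface (sample data):"
    dead_marks "$SAMPLE"
fi
```

Run it with `--live` on the router after the counting rules are in place; any mark it lists is one whose traffic never reaches the interface the fw filters are attached to.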

From: Eric Tao on
Thanks for the reply. PRIOs are different for reasons. For classes it
can be 0, while for filters it should be larger than 0 from my experience.

buck wrote:
> Eric Tao <cong818(a)gmail.com> wrote in
> news:i3ov7h$j31$1(a)speranza.aioe.org:
>
>> Hi,
>>
>> I try to divide a linux router traffic into several classes and
>> shape them using iptables and tc fw filter. Below are my commands:
>>
>> iptables:
>
> snip
>
>> filters:
>>
>> tc filter add dev eth0 parent 1: protocol ip prio 2 handle 1 fw flowid 1:11
>> tc filter add dev eth0 parent 1: protocol ip prio 3 handle 2 fw flowid 1:12
>> tc filter add dev eth0 parent 1: protocol ip prio 4 handle 3 fw flowid 1:13
>> tc filter add dev eth0 parent 1: protocol ip prio 5 handle 4 fw flowid 1:14
>
> Set all these PRIOs to the same value - perhaps 4. Use PROTOCOL all.
>
> Make sure your firewall marks survive by setting up a rule with no
> jump that matches the FW MARK value and then check packet counts.
>
>> -Eric
> --
> buck
From: D. Stussy on
"Eric Tao" <cong818(a)gmail.com> wrote in message
news:4C623CFA.2020903(a)gmail.com...
> D. Stussy wrote:
> > "Eric Tao" <cong818(a)gmail.com> wrote in message
> > news:i3qf8v$6li$1(a)speranza.aioe.org...
> >> Can anybody please help me on this? tc-filters manual is missing and I
> >> googled and found little help. I tried adjusting prio values of
> >> classes and filters, still doesn't work. iptables LOG target does show that
> >> packages are properly marked.
> >>
> >> Really appreciate if anyone with tc experience can give me a hint.
> >
> > Instead of using iptables to mark certain records, why not define the
> > conditionals in the tc filter section?
>
> Thank you for your reply. I need to use iptables ipp2p match to pick out
> p2p traffic. tc native filters doesn't support that.

OK, but the rules you posted did not include such:

>> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
>> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
>> iptables -t mangle -A PREROUTING -s 10.1.0.0/16 -j MARK --set-mark 1
>> iptables -t mangle -A PREROUTING -s 10.2.0.0/16 -j MARK --set-mark 2
>> iptables -t mangle -A PREROUTING -s 10.3.0.0/16 -j MARK --set-mark 3
>> iptables -t mangle -A PREROUTING -s 10.4.0.0/16 -j MARK --set-mark 4
>> iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

Nowhere is any reference to an application.