From: Eric Tao on 11 Aug 2010 08:28

Hi Andy, thank you for your reply. Finally I found what's wrong with my setup. I intended to shape traffic on a VPN router. While in my setup all the packets I marked are on the pppX link created by pppd, the htb qdisc is actually on eth0. So the marked traffic never went into the htb classes. I read in the docs in the iproute2 source that fw requires the ipfwchains patch, and later I found that was only true in the ipchains days. Those are really old docs. But I'm glad that tc and filters do work after I adjusted my setup.

Andy Furniss wrote:
> Eric Tao wrote:
>> Hi,
>>
>> I'm trying to divide a Linux router's traffic into several classes and shape
>> them using iptables and the tc fw filter. Below are my commands:
>
> Not sure why it isn't working, maybe more info about the setup of the
> router and what you are trying to achieve would help, e.g. why you need to
> use connmark for what could probably be done without, what eth0 is
> connected to (WAN or LAN), any NAT rules anywhere.
>
> Some general comments below - though they shouldn't affect your problem
> as such.
>
>>
>> iptables:
>>
>> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
>> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
>> iptables -t mangle -A PREROUTING -s 10.1.0.0/16 -j MARK --set-mark 1
>> iptables -t mangle -A PREROUTING -s 10.2.0.0/16 -j MARK --set-mark 2
>> iptables -t mangle -A PREROUTING -s 10.3.0.0/16 -j MARK --set-mark 3
>> iptables -t mangle -A PREROUTING -s 10.4.0.0/16 -j MARK --set-mark 4
>> iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
>>
>>
>> tc qdiscs and classes:
>>
>> tc qdisc add dev eth0 root handle 1: htb default 14
>
> HTB default on eth will catch ARP, which is not really desirable.
>
>> tc class add dev eth0 parent 1: classid 1:1 htb rate 2mbps ceil 3mbps
>
> Why ceil 3mbps? Also, in case you didn't know, bps means bytes/sec in the
> strange world of tc.
>
>>
>> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 200kbps ceil 300kbps prio 0
>> tc qdisc add dev eth0 parent 1:10 handle 110: sfq perturb 10
>
> No filter for this class.
>
>>
>> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 500kbps ceil 2mbps prio 1
>> tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 10
>>
>> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 200kbps ceil 2mbps prio 2
>> tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 10
>>
>> tc class add dev eth0 parent 1:1 classid 1:13 htb rate 500kbps ceil 2mbps prio 3
>> tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 10
>>
>> tc class add dev eth0 parent 1:1 classid 1:14 htb rate 600kbps ceil 2mbps prio 4
>> tc qdisc add dev eth0 parent 1:14 handle 114: sfq perturb 10
>>
>>
>> filters:
>>
>> tc filter add dev eth0 parent 1: protocol ip prio 2 handle 1 fw flowid 1:11
>> tc filter add dev eth0 parent 1: protocol ip prio 3 handle 2 fw flowid 1:12
>> tc filter add dev eth0 parent 1: protocol ip prio 4 handle 3 fw flowid 1:13
>> tc filter add dev eth0 parent 1: protocol ip prio 5 handle 4 fw flowid 1:14
>>
>>
>> The result is that all traffic doesn't respect the tc filters and goes only through
>> class 1:14, the default one.
>
> I haven't played with tc for ages now, but can't see anything wrong with
> this as such. I've never used connmark - try without it and see if it
> helps. My old home gateway/shaper box is quite out of date. I recently
> put a new kernel on it but my tc/iptables rules stopped working. I just
> reverted to the old kernel until I get around to seeing why.
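A way to confirm the symptom Eric describes (every packet falling through to the default class because the qdisc sits on eth0 while the marked packets leave via pppX), as an added example that is not part of the original thread: the script parses `tc -s class show dev <if>` output and reports whether any non-default HTB class has actually carried bytes. Both samples are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `tc -s class show dev <if>`
# output on stdin and decides whether the fw filters are steering
# traffic: if only the default class has "Sent" bytes, the filters
# never matched (qdisc on the wrong interface, or no marks set).

# Constructed sample: the thread's tree on eth0 while the marked packets
# actually leave via ppp0, so only the default class 1:14 sees traffic.
# (rate 2mbps in tc is bytes/sec, so it displays as 16000Kbit.)
SAMPLE_BROKEN='class htb 1:1 root rate 16000Kbit ceil 24000Kbit burst 1600b cburst 1600b
 Sent 845210 bytes 913 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:11 parent 1:1 leaf 111: prio 1 rate 4000Kbit ceil 16000Kbit burst 1600b cburst 1600b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:14 parent 1:1 leaf 114: prio 4 rate 4800Kbit ceil 16000Kbit burst 1600b cburst 1600b
 Sent 845210 bytes 913 pkt (dropped 0, overlimits 0 requeues 0)'

# Constructed sample after moving the qdisc to ppp0: mark 1 lands in 1:11.
SAMPLE_OK='class htb 1:1 root rate 16000Kbit ceil 24000Kbit burst 1600b cburst 1600b
 Sent 845210 bytes 913 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:11 parent 1:1 leaf 111: prio 1 rate 4000Kbit ceil 16000Kbit burst 1600b cburst 1600b
 Sent 612004 bytes 540 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:14 parent 1:1 leaf 114: prio 4 rate 4800Kbit ceil 16000Kbit burst 1600b cburst 1600b
 Sent 233206 bytes 373 pkt (dropped 0, overlimits 0 requeues 0)'

# Print "<classid> <bytes>" for every non-root class, one per line.
# The root class aggregates its children, so it is skipped.
class_bytes() {
    awk '/^class htb/ { id = $3; root = ($4 == "root") }
         /^ *Sent/ && !root { print id, $2 }'
}

# Exit 0 when some class other than the default ($1) carried bytes,
# exit 1 when everything fell through to the default class.
filters_effective() {
    class_bytes | awk -v def="$1" '$1 != def && $2 + 0 > 0 { hit = 1 }
                                   END { exit hit ? 0 : 1 }'
}

# Typical use on a live box (not run here):
#   tc -s class show dev ppp0 | filters_effective 1:14 || echo "fw filters not matching"
```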