From: Eric Tao on 9 Aug 2010 09:18

Hi,

I am trying to divide a Linux router's traffic into several classes and shape them using iptables and the tc fw filter. Below are my commands:

iptables:

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -s 10.1.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -s 10.2.0.0/16 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -s 10.3.0.0/16 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -s 10.4.0.0/16 -j MARK --set-mark 4
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

tc qdiscs and classes:

tc qdisc add dev eth0 root handle 1: htb default 14
tc class add dev eth0 parent 1: classid 1:1 htb rate 2mbps ceil 3mbps

tc class add dev eth0 parent 1:1 classid 1:10 htb rate 200kbps ceil 300kbps prio 0
tc qdisc add dev eth0 parent 1:10 handle 110: sfq perturb 10

tc class add dev eth0 parent 1:1 classid 1:11 htb rate 500kbps ceil 2mbps prio 1
tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 10

tc class add dev eth0 parent 1:1 classid 1:12 htb rate 200kbps ceil 2mbps prio 2
tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 10

tc class add dev eth0 parent 1:1 classid 1:13 htb rate 500kbps ceil 2mbps prio 3
tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 10

tc class add dev eth0 parent 1:1 classid 1:14 htb rate 600kbps ceil 2mbps prio 4
tc qdisc add dev eth0 parent 1:14 handle 114: sfq perturb 10

filters:

tc filter add dev eth0 parent 1: protocol ip prio 2 handle 1 fw flowid 1:11
tc filter add dev eth0 parent 1: protocol ip prio 3 handle 2 fw flowid 1:12
tc filter add dev eth0 parent 1: protocol ip prio 4 handle 3 fw flowid 1:13
tc filter add dev eth0 parent 1: protocol ip prio 5 handle 4 fw flowid 1:14

The result is that all traffic ignores the tc filters and goes only through class 1:14, the default one. Can anybody please point out the issue in my commands?

Thanks a lot.
-Eric
From: Eric Tao on 9 Aug 2010 22:58

Can anybody please help me on this? The tc-filters manual is missing and I googled and found little help. I tried adjusting the prio values of classes and filters; it still doesn't work. The iptables LOG target does show that packages are properly marked.

I would really appreciate it if anyone with tc experience could give me a hint.
-Eric
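A diagnostic that fits this point in the thread, added here as an example and not part of Eric's post: parse the output of `tc -s class show dev eth0` and flag the case where every leaf packet lands in the default class. The sample output below is constructed to mimic tc's HTB format and the symptom Eric describes; the function names are my own.

```python
import re

# Constructed sample of `tc -s class show dev eth0` output (modelled on the
# format tc prints for HTB, with the per-class rate/lended lines left out).
# It reproduces the thread's symptom: every packet lands in default class 1:14.
SAMPLE_TC_CLASS_STATS = """\
class htb 1:1 root rate 16Mbit ceil 24Mbit burst 1600b cburst 1599b
 Sent 1234567 bytes 9876 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:10 parent 1:1 leaf 110: prio 0 rate 1600Kbit ceil 2400Kbit burst 1600b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:11 parent 1:1 leaf 111: prio 1 rate 4Mbit ceil 16Mbit burst 1600b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:12 parent 1:1 leaf 112: prio 2 rate 1600Kbit ceil 16Mbit burst 1600b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:13 parent 1:1 leaf 113: prio 3 rate 4Mbit ceil 16Mbit burst 1600b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:14 parent 1:1 leaf 114: prio 4 rate 4800Kbit ceil 16Mbit burst 1600b cburst 1599b
 Sent 1234567 bytes 9876 pkt (dropped 0, overlimits 0 requeues 0)
"""

CLASS_RE = re.compile(r"^class htb (\S+) (?:root|parent (\S+))(?: leaf (\S+))?")
SENT_RE = re.compile(r"^\s*Sent (\d+) bytes (\d+) pkt \(dropped (\d+), overlimits (\d+)")

def parse_class_stats(text):
    """Return {classid: {parent, leaf, bytes, pkts, dropped, overlimits}}."""
    stats, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {"parent": m.group(2), "leaf": m.group(3),
                              "bytes": 0, "pkts": 0, "dropped": 0, "overlimits": 0}
            continue
        m = SENT_RE.match(line)
        if m and current is not None:
            for key, val in zip(("bytes", "pkts", "dropped", "overlimits"), m.groups()):
                stats[current][key] = int(val)
    return stats

def leaf_packets(stats):
    """Packets per leaf class; inner classes only aggregate their children."""
    return {cid: s["pkts"] for cid, s in stats.items() if s["leaf"] is not None}

def all_traffic_in_default(stats, default_class):
    """True when every leaf packet sits in the default class, i.e. no fw
    filter matched: recheck the marks (iptables -t mangle -L -v) and the
    installed filters (tc filter show dev eth0) before touching the classes."""
    leaves = leaf_packets(stats)
    total = sum(leaves.values())
    return total > 0 and leaves.get(default_class, 0) == total
```

Feed it the real output of `tc -s class show dev eth0` to see whether the fw filters are steering anything at all.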
From: D. Stussy on 10 Aug 2010 02:48

"Eric Tao" <cong818(a)gmail.com> wrote in message news:i3qf8v$6li$1(a)speranza.aioe.org...
> Can anybody please help me on this? tc-filters manual is missing and I
> googled and found little help. I tried adjusting prio values of classes
> and filters, still doesn't work. iptables LOG target does show that
> packages are properly marked.
>
> Really appreciate if anyone with tc experience can give me a hint.

Instead of using iptables to mark certain records, why not define the conditionals in the tc filter section?
From: Andy Furniss on 10 Aug 2010 06:17

Eric Tao wrote:
> Hi,
>
> I try to divide a linux router traffic into several classes and shape
> them using iptables and tc fw filter. Below are my commands:

Not sure why it isn't working; maybe more info about the setup of the router and what you are trying to achieve would help, e.g. why you need to use connmark for what could probably be done without it, what eth0 is connected to (wan or lan), and whether there are any nat rules anywhere.

Some general comments below - though they shouldn't affect your problem as such.

> iptables:
>
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A PREROUTING -s 10.1.0.0/16 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -s 10.2.0.0/16 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -s 10.3.0.0/16 -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -s 10.4.0.0/16 -j MARK --set-mark 4
> iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
>
> tc qdiscs and classes:
>
> tc qdisc add dev eth0 root handle 1: htb default 14

HTB default on eth will catch arp, which is not really desirable.

> tc class add dev eth0 parent 1: classid 1:1 htb rate 2mbps ceil 3mbps

Why ceil 3mbps? Also, in case you didn't know, bps means bytes/sec in the strange world of tc.

> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 200kbps ceil 300kbps prio 0
> tc qdisc add dev eth0 parent 1:10 handle 110: sfq perturb 10

No filter for this class.

> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 500kbps ceil 2mbps prio 1
> tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 10
>
> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 200kbps ceil 2mbps prio 2
> tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 10
>
> tc class add dev eth0 parent 1:1 classid 1:13 htb rate 500kbps ceil 2mbps prio 3
> tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 10
>
> tc class add dev eth0 parent 1:1 classid 1:14 htb rate 600kbps ceil 2mbps prio 4
> tc qdisc add dev eth0 parent 1:14 handle 114: sfq perturb 10
>
> filters:
>
> tc filter add dev eth0 parent 1: protocol ip prio 2 handle 1 fw flowid 1:11
> tc filter add dev eth0 parent 1: protocol ip prio 3 handle 2 fw flowid 1:12
> tc filter add dev eth0 parent 1: protocol ip prio 4 handle 3 fw flowid 1:13
> tc filter add dev eth0 parent 1: protocol ip prio 5 handle 4 fw flowid 1:14
>
> The result is all traffic doesn't respect tc filters and go only thru
> class 1:14, the default one.

I haven't played with tc for ages now, but can't see anything wrong with this as such.

I've never used connmark - try without it and see if it helps.

My old home gateway/shaper box is quite out of date. I recently put a new kernel on it but my tc/iptables rules stopped working. I just reverted to the old kernel until I get around to seeing why.
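Andy's point that tc reads "bps" as bytes per second is easy to trip over, so here is an added example (mine, not from the thread) that converts tc rate strings using tc's SI multipliers and then checks the thread's HTB tree for the usual consistency rules: the children's rates should not add up to more than the parent's rate, and a child's ceil should not exceed its parent's ceil. The class table and helper names are my own.

```python
import re

# tc rate suffixes with SI multipliers (k = 1000). The "bps" family means
# BYTES per second, so those entries carry a factor of 8 to reach bit/s.
_SUFFIX_BITS = {
    "bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000,
    "bps": 8, "kbps": 8_000, "mbps": 8_000_000, "gbps": 8_000_000_000,
}

def tc_rate_to_bps(text):
    """Convert a tc rate string such as '2mbps' or '300kbit' to bit/s."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]+)", text.strip().lower())
    if not m or m.group(2) not in _SUFFIX_BITS:
        raise ValueError(f"unrecognised tc rate: {text!r}")
    return int(float(m.group(1)) * _SUFFIX_BITS[m.group(2)])

# The HTB tree from the thread as (classid, parent, rate, ceil); "1:" is the qdisc.
HTB_CLASSES = [
    ("1:1",  "1:",  "2mbps",   "3mbps"),
    ("1:10", "1:1", "200kbps", "300kbps"),
    ("1:11", "1:1", "500kbps", "2mbps"),
    ("1:12", "1:1", "200kbps", "2mbps"),
    ("1:13", "1:1", "500kbps", "2mbps"),
    ("1:14", "1:1", "600kbps", "2mbps"),
]

def check_htb_tree(classes):
    """Return warnings for children whose ceil exceeds the parent's ceil and
    for parents whose children's guaranteed rates add up to more than its own."""
    by_id = {c[0]: c for c in classes}
    children, warnings = {}, []
    for cid, parent, _rate, ceil in classes:
        children.setdefault(parent, []).append(cid)
        if parent in by_id and tc_rate_to_bps(ceil) > tc_rate_to_bps(by_id[parent][3]):
            warnings.append(f"{cid}: ceil {ceil} exceeds parent ceil {by_id[parent][3]}")
    for parent, kids in children.items():
        if parent not in by_id:
            continue  # the root qdisc has no rate of its own
        total = sum(tc_rate_to_bps(by_id[k][2]) for k in kids)
        p_rate = tc_rate_to_bps(by_id[parent][2])
        if total > p_rate:
            warnings.append(f"{parent}: children's rates sum to {total} bit/s, "
                            f"above the parent rate of {p_rate} bit/s")
    return warnings
```

For the thread's tree the five leaf rates sum to exactly 2mbps (16 Mbit/s), so the check passes; the point is to see what 2mbps actually means before reading the numbers as megabits.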
From: buck on 10 Aug 2010 13:21

Eric Tao <cong818(a)gmail.com> wrote in news:i3ov7h$j31$1(a)speranza.aioe.org:
> Hi,
>
> I try to divide a linux router traffic into several classes and shape
> them using iptables and tc fw filter. Below are my commands:
>
> iptables:
>
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A PREROUTING -s 10.1.0.0/16 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -s 10.2.0.0/16 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -s 10.3.0.0/16 -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -s 10.4.0.0/16 -j MARK --set-mark 4
> iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
>
> tc qdiscs and classes:
>
> tc qdisc add dev eth0 root handle 1: htb default 14
> tc class add dev eth0 parent 1: classid 1:1 htb rate 2mbps ceil 3mbps
>
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 200kbps ceil 300kbps prio 0
> tc qdisc add dev eth0 parent 1:10 handle 110: sfq perturb 10
>
> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 500kbps ceil 2mbps prio 1
> tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 10
>
> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 200kbps ceil 2mbps prio 2
> tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 10
>
> tc class add dev eth0 parent 1:1 classid 1:13 htb rate 500kbps ceil 2mbps prio 3
> tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 10
>
> tc class add dev eth0 parent 1:1 classid 1:14 htb rate 600kbps ceil 2mbps prio 4
> tc qdisc add dev eth0 parent 1:14 handle 114: sfq perturb 10

Set all these PRIOs to the same non-zero value (1 will do) and try again.

I also recommend 2-digit values for HANDLEs.

I'm busy, so I can't promise a fast response, but I'll help more (if you need more help) when I can.
--
buck