hi all,

so you know that i have been thrown into this shaping business out of nowhere, and i must admit, well, it's slightly above my head. i think i am starting to understand it, but i am not sure. let me please use this forum to propose my theory and the implementation, so that i have the chance to receive comments from anyone who knows this stuff better than i do.

let's simplify the scenario: we have a router with three legs, eth0 being the internet (dynamic IP), eth1 the DMZ, and eth2 the LAN. we have 96kbps downstream and 16kbps upstream. the LAN should be guaranteed 32kbps down- and 5kbps upstream. the DMZ should get 64kbps down- and 11kbps upstream. within the DMZ, there's an FTP server, which should be guaranteed 16kbps downstream (PUT) and 5kbps upstream (GET).

let the ascii art do the magic:

                                  LAN
                                   |
                              32k ^|v 5k
                                   |
             >-- 96k -->          |eth2         >-- 64k -->
  internet ------------------------ X -------------------+---- DMZ
             <-- 16k --<       eth0   eth1      <-- 11k --<  |
                                                             |
                                                        6k ^|v 16k
                                                             |
                                                            FTP

so i basically want to create a hierarchy as follows, after having combined eth1 and eth2 into an imq [1] and used the iptables IMQX target [2] to exclude eth0 from imq, as well as eth1<->eth2 traffic.

1. http://luxik.cdi.cz/~devik/qos/imq.htm
2. http://luxik.cdi.cz/~patrick

so i effectively have a traffic shaper with eth0 leaving the machine upstream and the imq interface leaving the machine downstream.

so here's the qdisc hierarchy i have in mind (applicable to both interfaces, and both rooted at a htb qdisc with handle 1:):

                                        +---- class htb 1:12 --- qdisc sfq 12:
                                        |
                  +---- class htb 1:10 -+
                  |                     |
                  |                     +---- class htb 1:11 --- qdisc sfq 11:
  class htb 1:1 --+
                  |
                  +---- class htb 1:99 --- qdisc sfq 99:

because of NAT, i decided to employ FWMARK with the iptables mangle/MARK target. i will thus combine iptables rules and tc filters to categorize traffic as follows:

  LAN <--> DMZ         flowid 1:50
  FTP <--> internet    flowid 1:11
  DMZ <--> internet    flowid 1:12
  default              flowid 1:99

what's the difference between using flowid and classid as the target of a tc filter? the HOWTO [3] shows filters with "classid" down at the bottom (search for "1.2.0.0 classid 1:1").

3. http://www.linuxdoc.org/HOWWTO/Adv-Routinh-HOWTO-12.html

and the following values for rate/ceil:

          upstream    downstream
  1:1     16k/16k     96k/96k
  1:10    11k/16k     64k/96k
  1:11     5k/16k     16k/96k
  1:12     6k/16k     48k/96k
  1:99     5k/16k     32k/96k

does this look right so far? i think that much i can translate into a command sequence by myself. i am a little lost with the filters, aside from the flowid/classid difference i asked above. basically it's just one question: say i create a tc filter for the FTP server:

  iptables -t mangle -A PREROUTING -s 1.2.3.4/32 -j MARK --set-mark 123

which class do i "drop" it in?

  tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
      handle 123 fw classid 1:11

is this right? i shouldn't classify it as 11:, right?

anyway, any thoughts appreciated, and sorry for the lengthy post!

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

"alas, i am dying beyond my means."
                                                    -- oscar wilde
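as an added example (not the poster's own commands), here is the hierarchy from the rate/ceil table plus the fwmark filter as a POSIX shell script; tc accepts "classid" and "flowid" interchangeably in a filter, and check_rates enforces the HTB rule that the children's guaranteed rates must not add up to more than the parent's. it assumes eth0 as the upstream device and imq0 as the downstream one, and only echoes the commands unless TC=tc is set in the environment.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the HTB tree from the post's
# rate/ceil table (rates in kbit; every ceil is the link rate) and attaches the
# fwmark filter. Assumptions: eth0 = upstream, imq0 = downstream after the IMQ
# trick the post describes. TC defaults to "echo" so the script only previews;
# run with TC=tc (as root) to apply.
TC="${TC:-echo}"

# check_rates R1 R10 R11 R12 R99: HTB only honours the guarantees if, at each
# level, the children's rates sum to at most the parent's rate. Returns 0 if so.
check_rates() {
    [ $(( $3 + $4 )) -le "$2" ] && [ $(( $2 + $5 )) -le "$1" ]
}

# build_htb DEV R1 R10 R11 R12 R99 CEIL
build_htb() {
    dev=$1; r1=$2; r10=$3; r11=$4; r12=$5; r99=$6; ceil=$7
    check_rates "$r1" "$r10" "$r11" "$r12" "$r99" || return 1
    # unclassified traffic falls into 1:99, matching the post's "default" row
    $TC qdisc add dev "$dev" root handle 1: htb default 99
    $TC class add dev "$dev" parent 1:   classid 1:1  htb rate "${r1}kbit"  ceil "${ceil}kbit"
    $TC class add dev "$dev" parent 1:1  classid 1:10 htb rate "${r10}kbit" ceil "${ceil}kbit"
    $TC class add dev "$dev" parent 1:10 classid 1:11 htb rate "${r11}kbit" ceil "${ceil}kbit"
    $TC class add dev "$dev" parent 1:10 classid 1:12 htb rate "${r12}kbit" ceil "${ceil}kbit"
    $TC class add dev "$dev" parent 1:1  classid 1:99 htb rate "${r99}kbit" ceil "${ceil}kbit"
    # each leaf class gets an sfq qdisc so one flow cannot starve the others in it
    for c in 11 12 99; do
        $TC qdisc add dev "$dev" parent "1:$c" handle "$c:" sfq perturb 10
    done
    # the filter hangs off the root qdisc (parent 1:) and steers packets carrying
    # fwmark 123 into the leaf class 1:11; never into the sfq handle 11:
    $TC filter add dev "$dev" parent 1: protocol ip prio 1 handle 123 fw flowid 1:11
}

# upstream on eth0, downstream on imq0, values straight from the post's table
build_htb eth0 16 11 5 6 5 16
build_htb imq0 96 64 16 48 32 96
```
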