[LARTC] Using tc with iptables marking.

Linux Advanced Routing and Traffic Control

Hi,

Excuse the long first post, but I thought I had better annotate the script I
have so far. I have been looking for a solution for keeping
my "interactive" browsing whilst people hammer my web-server (hosted inside
the DSL, port forwarded from the router). I've looked at scripts like the
wondershaper, but I decided to roll my own as I'm already reasonably au
fait with the iptables toolchain. The problem is it doesn't work as
expected, but I may be missing something. Onwards with the config:

First I set up iptables to mark outgoing packets (I don't bother with
incoming as ADSL is asymmetric and it's the upstream interface that
saturates)

    # Setup POSTROUTING marking on dsl output
    # needed for QoS type hacks
    # 1 - outgoing interactive (ssh)
    # 2 - outgoing file stuff (www)
    # 3 - incoming interactive (ssh)
    # 4 - incoming personal use (https, http-tunnel)
    # 5 - incoming web
    # 6 - incoming mail
    # 7 - everything else

    # create the to-dsl chain (we can only shape outgoing traffic)
    /sbin/iptables -t mangle -N to-dsl

    # For outgoing packets we need to mark stuff
    # (MARK is not a terminating target, so a later matching rule would
    # overwrite an earlier mark; the ports here are disjoint)
    /sbin/iptables -t mangle -A to-dsl -p tcp --dport 22   -j MARK --set-mark 1
    /sbin/iptables -t mangle -A to-dsl -p tcp --dport 80   -j MARK --set-mark 2
    /sbin/iptables -t mangle -A to-dsl -p tcp --sport 24   -j MARK --set-mark 3
    /sbin/iptables -t mangle -A to-dsl -p tcp --sport 443  -j MARK --set-mark 4
    /sbin/iptables -t mangle -A to-dsl -p tcp --sport 8890 -j MARK --set-mark 4
    /sbin/iptables -t mangle -A to-dsl -p tcp --sport 80   -j MARK --set-mark 5
    /sbin/iptables -t mangle -A to-dsl -p tcp --sport 25   -j MARK --set-mark 6

    # turn it on: everything leaving via ppp0 goes through to-dsl
    /sbin/iptables -t mangle -A POSTROUTING -o ppp0 -j to-dsl

This bit works great. I can do "watch -n 1 -d iptables -t mangle -nvL" and
watch packets get marked to the different rules as I expect. Then I
configure the tc bits thusly:

# root qdisc, shape the upload bandwidth to 256kbits
tc qdisc add dev ppp0 root handle 1: cbq avpkt 1000 bandwidth 256kbit rate 240kbit

# create the prioritiser (6 bands, one per mark value)
tc qdisc add dev ppp0 parent 1:0 handle 2: prio bands 6 priomap 0 1 2 3 4 5

# create sfq's for each class (band 2:N gets sfq handle N0:)
tc qdisc add dev ppp0 parent 2:1 handle 10: sfq
tc qdisc add dev ppp0 parent 2:2 handle 20: sfq
tc qdisc add dev ppp0 parent 2:3 handle 30: sfq
tc qdisc add dev ppp0 parent 2:4 handle 40: sfq
tc qdisc add dev ppp0 parent 2:5 handle 50: sfq
tc qdisc add dev ppp0 parent 2:6 handle 60: sfq

# and now the filters: match the iptables mark (fw classifier, handle = mark)
tc filter add dev ppp0 parent 2:0 protocol ip prio 1 handle 1 fw flowid 10:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 2 handle 2 fw flowid 20:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 3 handle 3 fw flowid 30:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 4 handle 4 fw flowid 40:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 5 handle 5 fw flowid 50:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 6 handle 6 fw flowid 60:0

But when I do a "tc -s -d qdisc ls"

qdisc sfq 60: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 50: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 40: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 30: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 20: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 10: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 90818614 bytes 64922 pkts (dropped 0, overlimits 0)

qdisc prio 2: dev ppp0 bands 6 priomap  0 1 2 3 4 5 0 0 1 1 1 1 1 1 1 1
 Sent 92824232 bytes 66370 pkts (dropped 0, overlimits 0)

qdisc cbq 1: dev ppp0 rate 240Kbit cell 8b (bounded,isolated) prio no-transmit/8 weight 240Kbit allot 1478b
 level 0 ewma 5 avpkt 1000b maxidle 1016us
 Sent 94712662 bytes 67725 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 25026 undertime 0

I suspect the problem is due to me misunderstanding the way prio and
priomap work in relation to the filters. I've been looking for any good
examples that show iptables -j MARK, prio and filter being used together
but have yet to come up with any good ones. If I get this to work you're
welcome to use it in the FAQ :-)


Alex
www.bennee.com/~alex/
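Editor's note with an added example (not part of the original post): the counters above are exactly what you get when the fw filters point at the wrong thing. A filter attached to the prio qdisc (parent 2:0) has to return the classid of one of prio's own bands, 2:1 through 2:6; the post's filters return 10:0 through 60:0, which are the handles of the child sfq qdiscs, not classes of prio. A classid whose minor number is 0 is not a valid band, so prio falls back to the band that priomap entry 0 names, which is band 0, i.e. class 2:1 and therefore sfq 10:, for every marked packet. The script below is the same design with that one change (flowid 2:N), plus a small awk summariser for `tc -s qdisc` output so the per-band counters can be checked after a run. Interface ppp0, the 256 kbit uplink and the port list are taken from the post; the DRY_RUN switch, the `run` helper and the function names are assumptions of this example. Applying it needs root.

```shell
#!/bin/sh
# Added example, not the original poster's script: iptables MARK + prio/sfq +
# fw filters, with each fw filter sending its mark to a prio *band* (classid
# 2:1 .. 2:6) rather than to the child sfq handle (10:0 .. 60:0).
# Assumptions: uplink interface ppp0 at 256 kbit, port list as in the post.
# Run as root to apply; set DRY_RUN=1 to print the commands instead.
DEV="${DEV:-ppp0}"
DRY_RUN="${DRY_RUN:-}"

# Run a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Mark outgoing packets in mangle/POSTROUTING. MARK is not a terminating
# target, so a packet matching two rules keeps the last mark it was given.
mark_uplink() {
    run iptables -t mangle -N to-dsl
    run iptables -t mangle -A to-dsl -p tcp --dport 22   -j MARK --set-mark 1
    run iptables -t mangle -A to-dsl -p tcp --dport 80   -j MARK --set-mark 2
    run iptables -t mangle -A to-dsl -p tcp --sport 24   -j MARK --set-mark 3
    run iptables -t mangle -A to-dsl -p tcp --sport 443  -j MARK --set-mark 4
    run iptables -t mangle -A to-dsl -p tcp --sport 8890 -j MARK --set-mark 4
    run iptables -t mangle -A to-dsl -p tcp --sport 80   -j MARK --set-mark 5
    run iptables -t mangle -A to-dsl -p tcp --sport 25   -j MARK --set-mark 6
    run iptables -t mangle -A POSTROUTING -o "$DEV" -j to-dsl
}

# Root shaper, 6-band prio under it, one sfq per band, one fw filter per mark.
# Mark N selects band N, i.e. classid 2:N; the sfq under that band is handle N0:.
shape_uplink() {
    run tc qdisc add dev "$DEV" root handle 1: cbq avpkt 1000 bandwidth 256kbit rate 240kbit
    run tc qdisc add dev "$DEV" parent 1:0 handle 2: prio bands 6 priomap 0 1 2 3 4 5
    band=1
    while [ "$band" -le 6 ]; do
        run tc qdisc add dev "$DEV" parent "2:$band" handle "${band}0:" sfq perturb 10
        run tc filter add dev "$DEV" parent 2:0 protocol ip prio "$band" \
            handle "$band" fw flowid "2:$band"
        band=$((band + 1))
    done
}

# Summarise `tc -s qdisc show dev $DEV` on stdin: print "<sfq handle> <packets>"
# per band, so one band swallowing all the traffic is obvious at a glance.
sfq_packet_counts() {
    awk '/^ *qdisc sfq/ { h = $3 } /^ *Sent/ && h != "" { print h, $4; h = "" }'
}

# Apply only when invoked as `sh thisfile apply`; sourcing it just defines functions.
if [ "${1:-}" = "apply" ]; then
    mark_uplink
    shape_uplink
    tc -s qdisc show dev "$DEV" | sfq_packet_counts
fi
```

After applying, `tc -s qdisc show dev ppp0 | sfq_packet_counts` should show the ssh and www counters moving on different handles; `tc -s class show dev ppp0` lists the prio bands themselves. Unmarked packets (mark 0) never match an fw filter and are placed by priomap according to their TOS bits, which is why the priomap is still worth thinking about even with every interesting flow marked.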
