Thx a lot for help, I finally managed to rebuild my firewall script. For
people who have the same problem as I had, I can say that the problem lies in
proper packet marking (iptables). Sample lines from my firewall script:

iptables -t mangle -I PREROUTING -i eth0 -p tcp --dport 21 -j MARK --set-mark 2
iptables -t mangle -I PREROUTING -i eth0 -p tcp --dport 443 -j MARK --set-mark 3

It's of course not the only way to mark them,
http://www.docum.org/stef.coene/qos/kptd/ is very useful with that.

regards,
Ratel <ratel@xxxxxxxx>

----- Original Message -----
From: "Stef Coene" <stef.coene@xxxxxxxxx>
To: "Ratel" <ratel@xxxxxxxx>; <lartc@xxxxxxxxxxxxxxx>
Sent: Thursday, June 12, 2003 9:35 PM
Subject: Re: [LARTC] htb problem

> On Thursday 12 June 2003 21:21, Ratel wrote:
> > Hi,
> >
> > I have some interesting problem with htb, I set up root class and
> > sub-classes:
> >
> > $TC qdisc add dev eth0 root handle 1: htb
> > $TC class add dev eth0 parent 1: classid 1:1 htb rate 1990kbit ceil 2000kbit
> > $TC class add dev eth0 parent 1:1 classid 1:10 htb rate 190kbit ceil 200kbit
> > $TC class add dev eth0 parent 1:1 classid 1:11 htb rate 1400kbit ceil 1600kbit
> > $TC class add dev eth0 parent 1:1 classid 1:12 htb rate 1000kbit ceil 1500kbit
> > $TC class add dev eth0 parent 1:1 classid 1:13 htb rate 1000kbit ceil 1500kbit
> > $TC class add dev eth0 parent 1:1 classid 1:14 htb rate 1000kbit ceil 1200kbit
> The sum of the rates of the children should be <= rate of parent. In your case
> 1400 + 1000 + 1000 + 1000 = 4400 and your parent rate is 1990. It's not
> needed, but I recommend it.
>
> > , filters and queuing disciplines :
> > #filter
> > $TC filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw flowid 1:10 classid 1:10
> > $TC filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw flowid 1:11 classid 1:11
> > $TC filter add dev eth0 protocol ip parent 1:0 prio 2 handle 4 fw flowid 1:12 classid 1:12
> > $TC filter add dev eth0 protocol ip parent 1:0 prio 3 handle 5 fw flowid 1:13 classid 1:13
> > $TC filter add dev eth0 protocol ip parent 1:0 prio 1 handle 6 fw flowid 1:14 classid 1:14
> > (note the packet marking classifier)
> And I also note the different prios. That's not needed. Prio determines the
> order the filters are checked. In your case it doesn't matter.
>
> > adequate lines from firewall script :
> > [...]
> > # ftp
> > $IPTABLES -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 21 -m state --state NEW,ESTABLISHED -t mangle -j MARK --set-mark 3
> > # ssh
> > $IPTABLES -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 22 -m state --state NEW,ESTABLISHED -t mangle -j MARK --set-mark 2
> > # smtp
> > $IPTABLES -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -t mangle -j MARK --set-mark 4
> > [...]
> Mhh. Can you check with iptables -L -v -n that your packets are marked? And
> can you tell us what's your setup? I mean which nic is connected to the
> internet, what do you want to shape, is this also a firewall? And try
> marking in the PREROUTING tables.
>
> Stef
>
> --
> stef.coene@xxxxxxxxx
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.oftc.net
>
> _______________________________________________
> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
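
An added example, not part of the original thread: a small Python check that applies the two points raised above to a shaping script, namely that child HTB rates should not exceed the parent rate and that every `fw` filter handle needs an iptables rule setting the same mark. The command lines are a constructed sample modelled on those quoted in the thread, and the helper names (`opt`, `kbit`, `check`) are hypothetical.

```python
import shlex

# Constructed sample, modelled on the tc/iptables lines quoted in the thread.
SAMPLE = """\
tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 1990kbit ceil 2000kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 190kbit ceil 200kbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 1400kbit ceil 1600kbit
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 1000kbit ceil 1500kbit
tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw flowid 1:11
tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 4 fw flowid 1:12
iptables -t mangle -I PREROUTING -i eth0 -p tcp --dport 21 -j MARK --set-mark 2
iptables -t mangle -I PREROUTING -i eth0 -p tcp --dport 443 -j MARK --set-mark 3
"""

def opt(words, key):
    """Return the word following `key`, or None if `key` is absent."""
    return words[words.index(key) + 1] if key in words else None

def kbit(rate):
    # Assumption: only kbit rates appear (the only unit used in the thread).
    return int(rate.removesuffix("kbit"))

def check(script):
    """Return a list of findings for a tc/iptables script given as text."""
    rates, parents, handles, marks = {}, {}, {}, set()
    for line in script.strip().splitlines():
        w = shlex.split(line)
        if w[:3] == ["tc", "class", "add"]:
            cid = opt(w, "classid")
            rates[cid], parents[cid] = kbit(opt(w, "rate")), opt(w, "parent")
        elif w[:3] == ["tc", "filter", "add"] and "fw" in w:
            handles[int(opt(w, "handle"), 0)] = opt(w, "flowid")
        elif w[:1] == ["iptables"] and "--set-mark" in w:
            marks.add(int(opt(w, "--set-mark"), 0))
    findings = []
    for cid, rate in rates.items():
        total = sum(r for c, r in rates.items() if parents[c] == cid)
        if total > rate:
            findings.append(f"children of {cid} sum to {total}kbit > rate {rate}kbit")
    for h in sorted(set(handles) - marks):
        findings.append(f"fw handle {h} -> {handles[h]}: no rule sets mark {h}")
    for m in sorted(marks - set(handles)):
        findings.append(f"mark {m} is set but no fw filter matches it")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SAMPLE)) or "no findings")
```

A filter handle with no matching mark means that class never receives traffic from the filter, which is the symptom the thread was chasing.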