[LARTC] HTB and filters on many levels

[Daniel Brahneborg <basic@xxxxxxxxx>]

Hi all,

I'm using HTB with Linux 2.4.21, and have gotten a little problem
that I don't quite understand.  I'd be very glad if any of you
could help me tell what's wrong.

My setup is like this:

  ISP - [ eth0  'firewall machine'  eth1 ] - LAN

I'd like to split the traffic evenly between the firewall and the LAN,
and then prioritize traffic within those classes, similarly to the
example in the HTB User Guide.  I want something like this:

 qdisc root 1: htb default 2
	1:9 htb rate 240
		1:1 htb rate 120 ceil 240
			1:11 htb rate 20 ceil 80 prio 1
				filter: ssh, ack, etc
				11: pfifo
			1:12 htb rate 60 ceil 200 prio 2
				no filter
				12: pfifo
			1:13 htb rate 20 ceil 80 prio 3
				filter: direct connect
				13: pfifo
		1:2 htb rate 120 ceil 240
			1:21 htb rate 20 ceil 80 prio 1
				21: pfifo
			1:22 htb rate 60 ceil 200 prio 2
				22: pfifo
			1:23 htb rate 20 ceil 80 prio 3
				23: pfifo

I then use iptables -j MARK to set a '1' if the traffic comes from
eth1.  If not, it should end up in 1:2, and 1:1 and 1:2 should be able
to borrow from each other.

If I only have 1:1 and 1:2 and no filters at all, locally generated
traffic correctly ends up in 1:2.  Then I added these 7 lines, and
expected traffic to move down to 1:22.  However, when I run
'tc -s qdisc show dev eth0' I see that traffic runs through 1:0, but
'tc -s class show dev eth0' shows nothing.

tc class add dev eth0 parent 1:2 classid 1:21 htb rate 20kbit ceil 100kbit prio 1
tc class add dev eth0 parent 1:2 classid 1:22 htb rate 60kbit ceil 200kbit prio 2
tc class add dev eth0 parent 1:2 classid 1:23 htb rate 20kbit ceil 60kbit  prio 3
tc qdisc add dev eth0 parent 1:21 handle 121: pfifo limit 2
tc qdisc add dev eth0 parent 1:22 handle 122: sfq perturb 10
tc qdisc add dev eth0 parent 1:23 handle 123: sfq perturb 10
tc filter add dev eth0 parent 1:2 protocol ip u32 match ip dst 0.0.0.0/0 flowid 1:22

I have another setup which is almost identical to the example in the
User Guide, and that works great.  The kids got really happy that they
could play counterstrike while I was using direct connect.  Super!
I really want to split the bandwidth more evenly between the machines
though, which is why I created this two level setup.

What have I done wrong?  Why doesn't the filter on 1:2 move the
packets to 1:22?

Lots of thanks in advance!

My complete script looks like this.

#!/bin/sh

tc qdisc del dev eth0 root 2> /dev/null > /dev/null
tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null

tc qdisc add dev eth0 root handle 1: htb default 9

tc class add dev eth0 parent 1:0 classid 1:9  htb rate 200kbit ceil 200kbit

tc class add dev eth0 parent 1:9 classid 1:1  htb rate 120kbit ceil 200kbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 20kbit ceil 80kbit  prio 1
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 60kbit ceil 200kbit prio 2
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 20kbit ceil 80kbit  prio 3

tc qdisc add dev eth0 parent 1:11 handle 111: pfifo limit 2
tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 10
tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 10

tc class add dev eth0 parent 1:9 classid 1:2  htb rate 120kbit ceil 200kbit prio 0
tc class add dev eth0 parent 1:2 classid 1:21 htb rate 20kbit ceil 100kbit prio 1
tc class add dev eth0 parent 1:2 classid 1:22 htb rate 60kbit ceil 200kbit prio 2
tc class add dev eth0 parent 1:2 classid 1:23 htb rate 20kbit ceil 60kbit  prio 3

tc qdisc add dev eth0 parent 1:2 handle 120: pfifo limit 2
tc qdisc add dev eth0 parent 1:21 handle 121: pfifo limit 2
tc qdisc add dev eth0 parent 1:22 handle 122: sfq perturb 10
tc qdisc add dev eth0 parent 1:23 handle 123: sfq perturb 10

# To the firewall or LAN?
tc filter add dev eth0 parent 1:9 protocol ip prio 1 handle 1 fw classid 1:1
tc filter add dev eth0 parent 1:9 protocol ip prio 1 handle 2 fw classid 1:2


# To LAN

# TOS Minimum Delay (ssh, NOT scp) in 1:10:
tc filter add dev eth0 parent 1:1 protocol ip prio 10 u32 \
      match ip tos 0x10 0xff  flowid 1:10

# CS
tc filter add dev eth0 parent 1:1 protocol ip prio 10 u32 \
      match ip dport 27015 0xffff  flowid 1:10

# Diablo
tc filter add dev eth0 parent 1:1 protocol ip prio 10 u32 \
      match ip dport 6112 0xffff  flowid 1:10
tc filter add dev eth0 parent 1:1 protocol ip prio 10 u32 \
      match ip dport 4000 0xffff  flowid 1:10

tc filter add dev eth0 parent 1:1 protocol ip prio 10 u32 \
      match ip dport 22 0xffff  flowid 1:10

tc filter add dev eth0 parent 1:1 protocol ip prio 11 u32 \
	match ip protocol 1 0xff flowid 1:10

tc filter add dev eth0 parent 1:1 protocol ip prio 12 u32 \
   match ip protocol 6 0xff \
   match u8 0x05 0x0f at 0 \
   match u16 0x0000 0xffc0 at 2 \
   match u8 0x10 0xff at 33 \
   flowid 1:10

tc filter add dev eth0 parent 1:1 protocol ip prio 12 u32 \
      match ip dport 411 0xfffe  flowid 1:13

tc filter add dev eth0 parent 1: protocol ip prio 13 u32 \
   match ip dst 0.0.0.0/0 flowid 1:12


# To the firewall

# TOS Minimum Delay (ssh, NOT scp) in 1:21:
tc filter add dev eth0 parent 1:2 protocol ip prio 10 u32 \
      match ip tos 0x10 0xff  flowid 1:21

tc filter add dev eth0 parent 1:2 protocol ip prio 10 u32 \
      match ip dport 22 0xffff  flowid 1:21
tc filter add dev eth0 parent 1:2 protocol ip prio 10 u32 \
      match ip sport 22 0xffff  flowid 1:21

tc filter add dev eth0 parent 1:2 protocol ip prio 11 u32 \
	match ip protocol 1 0xff flowid 1:21

tc filter add dev eth0 parent 1:2 protocol ip prio 12 u32 \
   match ip protocol 6 0xff \
   match u8 0x05 0x0f at 0 \
   match u16 0x0000 0xffc0 at 2 \
   match u8 0x10 0xff at 33 \
   flowid 1:21

tc filter add dev eth0 parent 1:2 protocol ip prio 12 u32 \
      match ip dport 411 0xfffe  flowid 1:23

tc filter add dev eth0 parent 1:2 protocol ip prio 12 u32 \
   match ip dst 0.0.0.0/0 flowid 1:22

/Basic