On Saturday 25 October 2003 02:53, Paul J. Caritj wrote:
> Hello again,
> I am completely stumped. I have the following configuration bound to
> both the ingress and egress adapters of a firewall (the only difference
> between them being that the external interface matches by source ip, the
> internal by destination), the goal of which is to throttle traffic to
> and from the local network on a host-by-host basis. Now, with this
> configuration throttling works perfectly for uploading (ie host -> eth2
> -> eth1 -> *). However, downloading is not throttled at all *except*
> when the machine is uploading and downloading simultaneously; only then
> does the download throttle have any effect.
>
> I tested this using IPerf, with the throttle set to 256kbit both ways.
> Upload always yields the expected results. Download tops out at about
> 4.5Mbit - its a wireless link, ie no throttling evident. However, when
> the test machine is running iperf as a client and server simultaneously
> (ie uploading and downloading about the same amount of data
> simultaneously), both directions are throttled as they should be around
> 256kbit.
>
> "tc -s class show dev eth2" shows that no packets are being referred to
> this class; this is not the case for the same class on eth1.
>
> Let me know if you would like to see the setup for eth1 (external
> interface) as well; this is the setup on eth2 (internal interface).
>
> qdisc htb 1: r2q 10 default 0 direct_packets_stat 3
>
> class htb 1:fffe root prio 0 rate 256Kbit ceil 256Kbit burst 6Kb cburst
> 3565b
>
> filter parent 1: protocol ip pref 1 u32
> filter parent 1: protocol ip pref 1 u32 fh 801: ht divisor 1
> filter parent 1: protocol ip pref 1 u32 fh 2: ht divisor 256
> filter parent 1: protocol ip pref 1 u32 fh 2:fe:800 order 2048 key ht 2
> bkt fe flowid 1:fffe
> match 0a00fffe/ffffffff at 16
> filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht
> 800 bkt 0 link 2:
> match 0a000000/ffff0000 at 16
> hash mask 000000ff at 12
> filter parent 1: protocol ip pref 5 u32
> filter parent 1: protocol ip pref 5 u32 fh 801: ht divisor 1
> filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
> filter parent 1: protocol ip pref 5 u32 fh 2:fe:800 order 2048 key ht 2
> bkt fe flowid 1:fffe
> match 0a00fffe/ffffffff at 16
> filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht
> 800 bkt 0 link 2:
> match 0a000000/ffff0000 at 16
> hash mask 000000ff at 12
>
> Please help; I am completely confused.
You are working on a a firewall. So the box is natting the packets. That
means that the source address of the packets you send to the internet is
rewritten. So you can't use the source address to classify the packets.
You can use iptables and the fw filtter to mark the packets and classify them
based on the source address.
Stef
--
stef.coene@xxxxxxxxx
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
