Shaping p2p programs

Linux Advanced Routing and Traffic Control

Hi there, I am going to explain my setup to you and post my scripts in
case they are of any help to anybody :)
This mail is a little long, but I think the only way you can understand me
is by writing out my whole code...

1.- I have two ADSL connections connected through ethernet cards eth0 and
eth1 to the routers
	-Both ADSL are 2Mbit downstream / 300kbit upstream
	-eth2 goes to my 200 users LAN.

2.- I am doing load balancing (that works great)

3.- I have a mail and web server redirected to eth0's ADSL.

4.- My QoS setup attached to eth0 and eth1
	1 Qdisc for high-priority traffic	(mark 1)
	1 Qdisc for low-priority traffic	(mark 2)
	1 Qdisc for SYN,ACK traffic		(mark 3)
	1 Qdisc for ICMP traffic		(mark 4)
	1 Qdisc for Web-server traffic		(mark 5)
		->Scripts below

5.- Since I am doing load balancing I have a stateful firewall as
explained in the Nano HOWTO
		->Firewall scripts below

6.- Use the mangle table to mark packets and redirect them to the Qdisc
	Let me explain my reasoning:
		I want to mark interactive traffic like HTTP, SMTP, etc. with
mark 1
		Mark DNS traffic and MSN Messenger (dport 1863) with the
interactive high-priority mark 1

		Mark p2p programs with the ipp2p module, so that p2p
programs get mark 2
			(dport 1214 is Imesh)
		In order to make sure ACK and SYN traffic is going out
properly I have a special qdisc
		If any traffic is unmarked, mark it as low-priority
		->Mangle setup below


---->PROBLEM:
  The problem comes after having this setup running for an hour or so,
when interactive traffic has VERY HIGH latency, or nearly dies.
  Anybody having a more or less similar setup? Because I am going mad
here!
  Any suggestions are welcome :) Thank you very much!!!!!

  My BOX is an Athlon 900MHz with 1GB RAM:
	cat /proc/sys/net/ipv4/ip_conntrack_max
	57336

	txqueuelen on all eth cards is 100.

	
----> SCRIPTS
 
IPTABLES MANGLE Table

  # Restore the mark saved for this connection; packets of an already
  # classified connection keep it and leave the chain right here.
  iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
  iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT

  # MARK is non-terminating: a later matching rule overwrites the mark, so
  # the generic UDP rule must exclude DNS or it would undo mark 1 again.
  iptables -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 4
  iptables -t mangle -A POSTROUTING -p udp --dport 53 -j MARK --set-mark 1
  iptables -t mangle -A POSTROUTING -p udp ! --dport 53 -j MARK --set-mark 2

  iptables -t mangle -A POSTROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
  iptables -t mangle -A POSTROUTING -m string --string 'KazaaClient' -j MARK --set-mark 2
  iptables -t mangle -A POSTROUTING -p tcp --dport 0:1024 -j MARK --set-mark 1
  iptables -t mangle -A POSTROUTING -p tcp --dport 1214 -j MARK --set-mark 2
  iptables -t mangle -A POSTROUTING -p tcp --dport 1863 -j MARK --set-mark 1
  # Remember the classification for the rest of the connection
  iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

  # SYN packets get their own qdisc; pure ACKs go through the chkack chain
  # (that chain is not part of this mail)
  iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,ACK,RST SYN -j MARK --set-mark 3
  iptables -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j chkack
  # Anything still unmarked goes to the low-priority qdisc
  iptables -t mangle -A POSTROUTING -m mark --mark 0 -j MARK --set-mark 2

Script for QoS attached to eth0
	#!/bin/bash
	DEV=eth0

	# Root qdisc; traffic without a matching filter falls into class 1:10
	tc qdisc add dev ${DEV} handle 1: root htb default 10
	# The top-level class hangs off the root qdisc (parent 1:), not off itself
	tc class add dev ${DEV} parent 1: classid 1:1 htb rate 250kbit

	######################################
	## Interactive traffic (mark 1)
	tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 250kbit
	tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10

	#######################################
	# Non Interactive Traffic (mark 2)
	tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 50kbit ceil 200kbit quantum 1500
	tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20

	########################################
	## SYN,ACK Traffic (mark 3)
	tc class add dev ${DEV} parent 1:1 classid 1:30 htb rate 45kbit ceil 250kbit quantum 1500
	tc qdisc add dev ${DEV} parent 1:30 handle 30: pfifo
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 3 fw flowid 1:30

	########################################
	## ICMP Traffic (mark 4)
	tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
	tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40

	########################################
	## Web-Server Traffic (mark 5)
	tc class add dev ${DEV} parent 1:1 classid 1:50 htb rate 50kbit ceil 200kbit quantum 1500
	tc qdisc add dev ${DEV} parent 1:50 handle 50: esfq hash dst perturb 10 depth 15
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 5 fw flowid 1:50

Script for QoS attached to eth1
	#!/bin/bash
	DEV=eth1

	# Root qdisc; traffic without a matching filter falls into class 1:10
	tc qdisc add dev ${DEV} handle 1: root htb default 10
	# The top-level class hangs off the root qdisc (parent 1:), not off itself.
	# Note the child rates below add up to 255kbit, more than this 250kbit.
	tc class add dev ${DEV} parent 1: classid 1:1 htb rate 250kbit

	########################################
	## Interactive Traffic (mark 1)
	tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 250kbit
	tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10

	#######################################
	# Non Interactive Traffic (mark 2)
	tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 100kbit ceil 200kbit quantum 1500
	tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20

	########################################
	## SYN,ACK Traffic (mark 3)
	tc class add dev ${DEV} parent 1:1 classid 1:30 htb rate 50kbit ceil 250kbit quantum 1500
	tc qdisc add dev ${DEV} parent 1:30 handle 30: pfifo
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 3 fw flowid 1:30
	# Alternative u32 filter for pure ACKs, currently disabled
	#tc filter add dev ${DEV} parent 1:0 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u8 0x34 0xff at 3 match u8 0x10 0xff at 33 flowid 1:30

	########################################
	## ICMP Traffic (mark 4)
	tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
	tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
	tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40


Firewall setup

####################################################
##  Stateful Firewall
##
##
##

        # Packets belonging to known connections are accepted straight away
        iptables -t filter -N keep_state
        iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -t filter -A keep_state -j RETURN

        iptables -t nat -N keep_state
        iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -t nat -A keep_state -j RETURN

        iptables -t nat -A PREROUTING -j keep_state
        iptables -t nat -A POSTROUTING -j keep_state
        iptables -t nat -A OUTPUT -j keep_state

        iptables -t filter -A INPUT -j keep_state
        iptables -t filter -A OUTPUT -j keep_state
        iptables -t filter -A FORWARD -j keep_state

        # Block forwarded traffic to these ports entirely
        iptables -t filter -A FORWARD -p tcp --dport 4661:4662 -j DROP
        iptables -t filter -A FORWARD -p udp --dport 4661:4662 -j DROP
        iptables -t filter -A FORWARD -p udp --dport 1663 -j DROP
        iptables -t filter -A FORWARD -p udp --dport 4665 -j DROP
        iptables -t filter -A FORWARD -p tcp --dport 4665 -j DROP


_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
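The mangle POSTROUTING chain described in point 6 of the mail above, as an added Python model (not the poster's script) that walks the rule list with the packet mark and the connection mark kept apart, so the mark each packet ends up with can be checked offline. It assumes the `chkack` chain, which is not in the mail, does nothing, and takes the last rule as the text describes it (unmarked traffic gets mark 2).

```python
# Added model (not the poster's code) of the mangle POSTROUTING chain from
# point 6. It reproduces the three iptables semantics that decide the result:
# MARK does not stop rule traversal (a later match overwrites the mark),
# ACCEPT does stop it, and CONNMARK --restore-mark/--save-mark copy the mark
# between the packet and its connection. 'chkack' is not in the mail: no-op here.

def is_syn(p):
    """--tcp-flags SYN,ACK,RST SYN: SYN set, ACK and RST clear."""
    return p["proto"] == "tcp" and p.get("flags", set()) & {"SYN", "ACK", "RST"} == {"SYN"}

# (match, action) in chain order; match gets the packet and the current mark.
RULES = [
    (lambda p, m: True,                                              ("restore",)),
    (lambda p, m: m != 0,                                            ("accept",)),
    (lambda p, m: p["proto"] == "icmp",                              ("mark", 4)),
    (lambda p, m: p["proto"] == "udp" and p.get("dport") == 53,      ("mark", 1)),
    (lambda p, m: p["proto"] == "udp" and p.get("dport") != 53,      ("mark", 2)),
    (lambda p, m: p["proto"] == "tcp" and p.get("p2p", False),       ("mark", 2)),  # ipp2p
    (lambda p, m: p.get("kazaa", False),                             ("mark", 2)),  # string match
    (lambda p, m: p["proto"] == "tcp" and p.get("dport", 0) <= 1024, ("mark", 1)),
    (lambda p, m: p["proto"] == "tcp" and p.get("dport") == 1214,    ("mark", 2)),  # Imesh
    (lambda p, m: p["proto"] == "tcp" and p.get("dport") == 1863,    ("mark", 1)),  # MSN
    (lambda p, m: True,                                              ("save",)),
    (lambda p, m: is_syn(p),                                         ("mark", 3)),
    (lambda p, m: m == 0,                                            ("mark", 2)),  # unmarked -> low prio
]

def classify(pkt, connmark=0):
    """Walk the chain for one packet; return (packet mark, connmark afterwards)."""
    mark = 0
    for match, action in RULES:
        if not match(pkt, mark):
            continue
        if action[0] == "restore":
            mark = connmark
        elif action[0] == "accept":
            return mark, connmark
        elif action[0] == "mark":
            mark = action[1]
        elif action[0] == "save":
            connmark = mark
    return mark, connmark

def classify_flow(packets):
    """Marks of successive packets of one connection (connmark carried over)."""
    connmark, marks = 0, []
    for p in packets:
        m, connmark = classify(p, connmark)
        marks.append(m)
    return marks
```

The HTTP case shows the intended split: the SYN is sent with mark 3 while the connection itself is remembered as mark 1, which every later packet of that connection restores and keeps.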
