Thank you, Stef, for your cooperation. Now I will continue mailing on the LARTC mailing list.
So the question was why my script was not working.
> > The idea is that I would like to shape not in the manner of 1/4 of the leased
> > channel for bursty www traffic, another 1/4 for ssh, telnet with higher prio,
> > etc. I guess the better idea is to create an individual class for every
> > computer in the club with limited rate and ceil in order to predict the amount
> > of traffic per period of time.
> >
> > So I did. But my script works in a strange manner. So I created a small test
> > script for one machine, which is placed below.
> >
> > My configuration: border machine - Linux with 2.4.22 kernel, tc binary from
> > Devik's site, three interfaces - eth0 - external, eth1 - internal NATed,
> > eth3 - another LAN. My task is to shape traffic from/to the internet and to
> > pass at full speed (100 mbit) traffic to the local server (192.168.0.1) and to
> > another LAN (10.1.0.0/16). Here is a small test script for the machine with ip
> > 192.168.0.22.
Here is an ASCII chart of the Linux machine:

                     +---------------+
    eth3 ____________|               |____________ eth0 (to INTERNET)
    10.1.0.0/16      |               |
                     +---------------+
                             | eth1
                       192.168.0.0/24
I have completely rewritten the script. Again, I first try to test with one machine, and if everything is OK, then I will do it for all machines.
-----------------------------------------------------------------------------------------
#!/bin/bash
DEV="eth1"
IPTABLES="/usr/local/sbin/iptables"
TC="/usr/local/bin/tc"
IP="/sbin/ip"
# Download shaping on eth1 interface (LAN-club)
$TC qdisc del dev $DEV root 2> /dev/null > /dev/null
#Creating root qdisc - without default - so only my test machine will be shaped
$TC qdisc add dev $DEV root handle 1: htb r2q 1
$TC class add dev $DEV parent 1: classid 1:1 htb rate 100mbit
$TC class add dev $DEV parent 1:1 classid 1:2 htb rate 98mbit ceil 100mbit quantum 15000 prio 2
$TC class add dev $DEV parent 1:1 classid 1:3 htb rate 2mbit ceil 2mbit burst 120k
$TC class add dev $DEV parent 1:3 classid 1:22 htb rate 20kbit ceil 30kbit burst 100k
#Specifying leaf classes#####################################
# test machine
# Inbound UDP traffic - game traffic and other traffic like DNS
$TC class add dev $DEV parent 1:22 classid 1:220 htb rate 5kbit ceil 30kbit prio 1
# Inbound interactive (telnet, ssh, radmin) and low port traffic (for ssh)
$TC class add dev $DEV parent 1:22 classid 1:221 htb rate 5kbit ceil 16kbit prio 2
#Bursty inbound WWW-traffic
$TC class add dev $DEV parent 1:22 classid 1:222 htb rate 5kbit ceil 16kbit burst 80k prio 3
# Inbound SMTP & FTP traffic as well as chat traffic (ICQ & IRC)
$TC class add dev $DEV parent 1:22 classid 1:223 htb rate 5kbit ceil 16kbit prio 4
# DEFAULT CLASS - all unclassified traffic should go here :{}
#$TC class add dev $DEV parent 1:1 classid 1:500 htb rate 12kbit ceil 16kbit prio 5
################qdisc attached to leaf classes################
#qdisc for local servers and homenetwork
$TC qdisc add dev $DEV parent 1:2 handle 2: sfq perturb 10
# qdisc for test machine
$TC qdisc add dev $DEV parent 1:220 handle 220: pfifo limit 10
$TC qdisc add dev $DEV parent 1:221 handle 221: sfq perturb 10
$TC qdisc add dev $DEV parent 1:222 handle 222: sfq perturb 10
$TC qdisc add dev $DEV parent 1:223 handle 223: sfq perturb 10
# DEFAULT qdisc - all unclassified traffic should go here :{}
#$TC qdisc add dev $DEV parent 1:500 handle 500: sfq perturb 10
######FILTERS##########################################
$TC filter add dev $DEV parent 1:0 prio 0 protocol ip handle 2 fw classid 1:2
$TC filter add dev $DEV parent 1:0 prio 0 protocol ip handle 1 fw classid 1:3
# FILTERS FOR INTERMEDIATE CLASSES
$TC filter add dev $DEV parent 1:3 prio 1 protocol ip handle 22 fw classid 1:22
# FILTERS FOR LEAF CLASSES
$TC filter add dev $DEV parent 1:22 prio 2 protocol ip handle 220 fw classid 1:220
$TC filter add dev $DEV parent 1:22 prio 2 protocol ip handle 221 fw classid 1:221
$TC filter add dev $DEV parent 1:22 prio 2 protocol ip handle 222 fw classid 1:222
$TC filter add dev $DEV parent 1:22 prio 2 protocol ip handle 223 fw classid 1:223
#########PART FOR IPTABLES
#These lines live in the firewall script; they are shown here (commented out) only for understanding
#All traffic from INTERNET to CLUB_LAN will get mark 1
#$IPTABLES -t mangle -A FORWARD -i eth0 -o eth1 -d 192.168.0.0/24 -j MARK --set-mark 1
#All traffic from HOMENET to CLUB_LAN will get mark 2
#$IPTABLES -t mangle -A FORWARD -i eth3 -o eth1 -d 192.168.0.0/24 -j MARK --set-mark 2
#All traffic from local server - 192.168.0.1 and 10.1.0.1 to CLUB_LAN will get mark 2 too
#$IPTABLES -t mangle -A OUTPUT -o eth1 -d 192.168.0.0/24 -j MARK --set-mark 2
$IPTABLES -t mangle -N MYSHAPER-OUT
$IPTABLES -t mangle -I POSTROUTING -o $DEV -j MYSHAPER-OUT
$IPTABLES -t mangle -A MYSHAPER-OUT -d 192.168.0.22 -j MARK --set-mark 22
# Inbound UDP traffic - game traffic and other traffic like DNS
$IPTABLES -t mangle -A MYSHAPER-OUT -p udp -j MARK --set-mark 220
# Inbound interactive (telnet, ssh, radmin) and low port traffic (for ssh)
$IPTABLES -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 22,23,4899,4890 -j MARK --set-mark 221
#Bursty inbound WWW-traffic
$IPTABLES -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 80,81,82,83,88,3128,8000,8001,8002,8008,8080,8081 -j MARK --set-mark 222
# Inbound SMTP & FTP traffic as well as chat traffic (ICQ & IRC)
$IPTABLES -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 20,25,5190,6665,6666,6667,6668,6669,7000 -j MARK --set-mark 223
exit
--------------------------------------------------------------------------
I use filtering for intermediate classes, as you said, Stef, in the "Shaping services and users (2nd time)" message:
"...You need a set of filters attached to the root qdisc so the traffic for the
different IP's are placed in the IPx class. Then you need a second set of
filters attached to the IPx classes and redirect all traffic to the different
sub classes."
So I did. Nevertheless, the script does not work as it should. Here are the results (I cut some results so they are shorter):
---------------------------------------------------------------------------
[qdisc]
qdisc sfq 2: quantum 1514b limit 128p flows 128/1024 perturb 10sec
Sent 177478 bytes 333 pkts (dropped 0, overlimits 0)
qdisc htb 1: r2q 1 default 0 direct_packets_stat 392462 ver 3.12
Sent 472451546 bytes 392795 pkts (dropped 0, overlimits 0)
[class]
class htb 1:22 parent 1:3 rate 20Kbit ceil 30Kbit burst 100Kb/8 mpu 0b cburst 1637b/8 mpu 0b level 5
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 32768000 ctokens: 349439
class htb 1:220 parent 1:22 leaf 220: prio 1 quantum 1000 rate 5Kbit ceil 30Kbit burst 1605b/8 mpu 0b cburst 1637b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 2055680 ctokens: 349439
class htb 1:1 root rate 100Mbit ceil 100Mbit burst 132644b/8 mpu 0b cburst 132644b/8 mpu 0b level 7
Sent 177478 bytes 333 pkts (dropped 0, overlimits 0)
rate 229bps
lended: 0 borrowed: 0 giants: 0
tokens: 8156 ctokens: 8156
class htb 1:221 parent 1:22 leaf 221: prio 2 quantum 1000 rate 5Kbit ceil 16Kbit burst 1605b/8 mpu 0b cburst 1619b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 2055680 ctokens: 647999
class htb 1:2 parent 1:1 leaf 2: prio 2 quantum 15000 rate 98Mbit ceil 100Mbit burst 130030b/8 mpu 0b cburst 132644b/8 mpu 0b level 0
Sent 177478 bytes 333 pkts (dropped 0, overlimits 0)
rate 210bps
lended: 333 borrowed: 0 giants: 0
tokens: 8156 ctokens: 8156
class htb 1:222 parent 1:22 leaf 222: prio 3 quantum 1000 rate 5Kbit ceil 16Kbit burst 80Kb/8 mpu 0b cburst 1619b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 104857600 ctokens: 647999
class htb 1:3 parent 1:1 rate 2Mbit ceil 2Mbit burst 120Kb/8 mpu 0b cburst 4220b/8 mpu 0b level 6
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 384000 ctokens: 13189
class htb 1:223 parent 1:22 leaf 223: prio 4 quantum 1000 rate 5Kbit ceil 16Kbit burst 1605b/8 mpu 0b cburst 1619b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 2055680 ctokens: 647999
[filter]
filter parent 1: protocol ip pref 49151 fw
filter parent 1: protocol ip pref 49151 fw handle 0x1 classid 1:3
filter parent 1: protocol ip pref 49152 fw
filter parent 1: protocol ip pref 49152 fw handle 0x2 classid 1:2
[iptables]
Chain FORWARD (policy ACCEPT 7760706 packets, 1980834427 bytes)
pkts bytes target prot opt in out source destination
584058 84004747 MARK all -- eth0 eth1 anywhere 192.168.0.0/24 MARK set 0x1
67 3478 MARK all -- eth3 eth1 anywhere 192.168.0.0/24 MARK set 0x2
Chain OUTPUT (policy ACCEPT 7316765 packets, 9448549850 bytes)
pkts bytes target prot opt in out source destination
383315 474163356 MARK all -- any eth1 anywhere 192.168.0.0/24 MARK set 0x2
Chain POSTROUTING (policy ACCEPT 15054846 packets, 11428089599 bytes)
pkts bytes target prot opt in out source destination
392683 466923052 MYSHAPER-OUT all -- any eth1 anywhere anywhere
Chain MYSHAPER-OUT (1 references)
pkts bytes target prot opt in out source destination
332377 457326272 MARK all -- any any anywhere ws12.lviv.farlep.net MARK set 0x16
56040 7053786 MARK udp -- any any anywhere anywhere MARK set 0xdc
10489 4955688 MARK tcp -- any any anywhere anywhere multiport sports ssh,telnet,4899,4890 MARK set 0xdd
325728 454732755 MARK tcp -- any any anywhere anywhere multiport sports http,81,82,83,kerberos,squid,8000,8001,8002,http-alt,webcache,tproxy MARK set 0xde
24 3918 MARK tcp -- any any anywhere anywhere multiport sports ftp-data,smtp,5190,6665,6666,ircd,6668,6669,afs3-fileserver MARK set 0xdf
---------------------------------------------------------------------------
As can be seen, all fwmarks in iptables work correctly. When I, e.g., download from 192.168.0.1, mark 2 is set correctly, but nevertheless, instead of going through the 1:2 class, it goes direct, as I planned only for unclassified traffic to other computers. I intentionally did not set a default.
Well, I will be very grateful to everybody who can point out my fault or suggest something.
Best regards,
Andrian
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
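Editor's added example (not part of Andrian's post or of Stef's replies). The posted counters already show where the packets go: class 1:3 has "Sent 0 bytes", HTB reports direct_packets_stat 392462 out of 392795 packets, and 325728 packets in MYSHAPER-OUT end up with mark 0xde (222). Two things cause that. First, a packet carries a single fwmark, so the chain "mark 1 at the root, then mark 22 on 1:3, then mark 22x on 1:22" can never match all the way down; a fw filter on the root qdisc may name the leaf class directly, and HTB still shapes it through 1:3 and 1:22. Second, the port rules in MYSHAPER-OUT are not restricted to 192.168.0.22, so they overwrite marks 1, 2 and 22 on every packet leaving eth1, which is why the download from 192.168.0.1 loses its mark 2. The script below keeps the post's device, class ids and marks but classifies with one mark per packet, scopes the marking chain to the host, protects mark 2 with a RETURN, and includes a small check that reads direct_packets_stat from `tc -s qdisc show`. Leaf ceil/burst values are simplified, the tc and iptables paths are assumptions, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the poster's script: one fwmark per packet, root filters
# pointing straight at the leaf classes, and host-scoped marking rules.
# Assumptions: DEV, HOST, class ids and marks as in the post; TC/IPTABLES paths
# are hypothetical.  DRY_RUN=1 echoes every command instead of executing it.
DEV="${DEV:-eth1}"
HOST="${HOST:-192.168.0.22}"        # the single test machine from the post
TC="${TC:-/sbin/tc}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$@"; else "$@"; fi
}

# Class tree as in the post: 1:2 full speed for local/home-net traffic,
# 1:3 the 2 mbit internet share, 1:22 the per-host class with four leaves.
build_classes() {
    run "$TC" qdisc del dev "$DEV" root 2>/dev/null
    run "$TC" qdisc add dev "$DEV" root handle 1: htb r2q 1
    run "$TC" class add dev "$DEV" parent 1: classid 1:1 htb rate 100mbit
    run "$TC" class add dev "$DEV" parent 1:1 classid 1:2 htb rate 98mbit ceil 100mbit prio 2
    run "$TC" class add dev "$DEV" parent 1:1 classid 1:3 htb rate 2mbit ceil 2mbit
    run "$TC" class add dev "$DEV" parent 1:3 classid 1:22 htb rate 20kbit ceil 30kbit
    prio=1
    for leaf in 220 221 222 223; do
        run "$TC" class add dev "$DEV" parent 1:22 classid "1:$leaf" htb rate 5kbit ceil 16kbit prio "$prio"
        run "$TC" qdisc add dev "$DEV" parent "1:$leaf" handle "$leaf:" sfq perturb 10
        prio=$((prio + 1))
    done
    run "$TC" qdisc add dev "$DEV" parent 1:2 handle 2: sfq perturb 10
}

# Every fw filter sits on the root qdisc (parent 1:0) and names the leaf class.
# No filters on 1:3 or 1:22: a packet has exactly one mark, so a second lookup
# on the inner class could never match a different value.
build_filters() {
    run "$TC" filter add dev "$DEV" parent 1:0 prio 1 protocol ip handle 2 fw classid 1:2
    for leaf in 220 221 222 223; do
        run "$TC" filter add dev "$DEV" parent 1:0 prio 2 protocol ip handle "$leaf" fw classid "1:$leaf"
    done
}

# Marking: the jump is scoped to $HOST so other hosts keep their marks; traffic
# already marked 2 (local server / home net) RETURNs before any port rule can
# overwrite it; the host's default (223, bulk) is set first and the more
# specific rules overwrite it, so no packet for $HOST leaves with mark 0 and
# falls into HTB's direct (unshaped) path.
build_marks() {
    run "$IPTABLES" -t mangle -N MYSHAPER-OUT
    run "$IPTABLES" -t mangle -I POSTROUTING -o "$DEV" -d "$HOST" -j MYSHAPER-OUT
    run "$IPTABLES" -t mangle -A MYSHAPER-OUT -m mark --mark 2 -j RETURN
    run "$IPTABLES" -t mangle -A MYSHAPER-OUT -j MARK --set-mark 223
    run "$IPTABLES" -t mangle -A MYSHAPER-OUT -p udp -j MARK --set-mark 220
    run "$IPTABLES" -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sports 22,23,4899,4890 -j MARK --set-mark 221
    run "$IPTABLES" -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sports 80,3128,8000,8080 -j MARK --set-mark 222
}

# Check: HTB's "direct_packets_stat N" in `tc -s qdisc show` counts packets that
# matched no root filter and bypassed every class.  Feed it the htb line; if the
# number keeps growing while $HOST is downloading, marks are missing or are
# being overwritten.
direct_packets() {
    sed -n 's/.*direct_packets_stat \([0-9][0-9]*\).*/\1/p'
}

case "${1:-}" in
    apply) build_classes; build_filters; build_marks ;;
    check) "$TC" -s qdisc show dev "$DEV" | direct_packets ;;
    *)     DRY_RUN=1; build_classes; build_filters; build_marks ;;   # default: just print
esac
```

Run it without arguments to review the generated commands, with `apply` to load them, and with `check` afterwards; the value printed by `check` should stay constant for the test host while its traffic is shaped.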