Re: question about shaping

[pasika11@xxxxxxxxxxxxxxx]

Hello everybody, Hello Stef
Thank You Stef for Your cooperation. Now I will continue to mail in LARTC  maillist.

So the question was why my script was not working.
> > The idea is that I would like to shape not in the manner like 1/4 of leased
> > channel for bursty www traffic, other 1/4 for ssh, telnet with higher prio,
> > etc. I guess the better idea is to create individual class for every
> > computer in club with limited rate and ceil in order to predict the amount
> > of traffic per period of time
> >
> > So I did. But my script works in a strange manner. So I created small test
> > script for one machine which is placed below.
> >
> > My configuration: border machine - linux with 2.4.22 kernel, tc binary from
> > Devik's site, three interfaces - eth0 - external, eth1 - internal NATed,
> > eth3 - another LAN. My task is to shape traffic from/to internet and to
> > pass at full speed (100 mbit) traffic to local server (192.168.0.1) and to
> > another LAN (10.1.0.0/16). Here it is small test script for machine with ip
> > 192.168.0.22.

Here is ascii chart of linux machine
+---------------+
eth3___ |                | ____eth0 (to INTERNET)
10.1.0.0/16            |                | 
+--------------+
| eth1
192.168.0.0/24



I completely have rewritten script. Again I try to test at first with one machine  and if everything is OK, then do for all machines
-----------------------------------------------------------------------------------------
#!/bin/bash
DEV="eth1"
IPTABLES="/usr/local/sbin/iptables"
TC="/usr/local/bin/tc"
IP="/sbin/ip"
# Download shaping on eth1 interface (LAN-club)

$TC qdisc del dev $DEV root 2> /dev/null > /dev/null

#Creating root qdisc - without default - so only my test machine will be shaped
$TC qdisc add dev $DEV root handle 1: htb r2q 1
$TC class add dev $DEV parent 1: classid 1:1 htb rate 100mbit
$TC class add dev $DEV parent 1:1 classid 1:2 htb rate 98mbit ceil 100mbit quantum 15000 prio 2
$TC class add dev $DEV parent 1:1 classid 1:3 htb rate 2mbit ceil 2mbit burst 120k
$TC class add dev $DEV parent 1:3 classid 1:22 htb rate 20kbit ceil 30kbit burst 100k
#Specifying leaf classes#####################################
# test machine
# Inbound UDP traffic - game traffic and other traffic like DNS
$TC class add dev $DEV parent 1:22 classid 1:220 htb rate 5kbit ceil 30kbit prio 1
# Inbound interactive (telnet, ssh, radmin) and low port traffic (for ssh)
$TC class add dev $DEV parent 1:22 classid 1:221 htb rate 5kbit ceil 16kbit prio 2
#Bursty inbound WWW-traffic
$TC class add dev $DEV parent 1:22 classid 1:222 htb rate 5kbit ceil 16kbit burst 80k prio 3
# Inbound SMTP & FTP traffic as well as chat traffic (ICQ & IRC) 
$TC class add dev $DEV parent 1:22 classid 1:223 htb rate 5kbit ceil 16kbit prio 4
# DEFAULT CLASS - all unclassified traffic should go here :{}
#$TC class add dev $DEV parent 1:1 classid 1:500 htb rate 12kbit ceil 16kbit prio 5
################qdisc attached to leaf classes################
#qdisc for local servers and homenetwork
$TC qdisc add dev $DEV parent 1:2 handle 2: sfq perturb 10

#  qdisc for test machine 
$TC qdisc add dev $DEV parent 1:220 handle 220: pfifo limit 10
$TC qdisc add dev $DEV parent 1:221 handle 221: sfq perturb 10
$TC qdisc add dev $DEV parent 1:222 handle 222: sfq perturb 10
$TC qdisc add dev $DEV parent 1:223 handle 223: sfq perturb 10

# DEFAULT qdisc - all unclassified traffic should go here :{}
#$TC qdisc add dev $DEV parent 1:500 handle 500: sfq perturb 10

######FILTERS##########################################
$TC filter add dev $DEV parent 1:0 prio 0 protocol ip handle 2 fw classid 1:2
$TC filter add dev $DEV parent 1:0 prio 0 protocol ip handle 1 fw classid 1:3

# FILTERS FOR INTERMEDIATE CLASSES
$TC filter add dev $DEV parent 1:3 prio 1 protocol ip handle 22 fw classid 1:22

# FILTERS FOR LEAF CLASSES
$TC filter add dev $DEV parent 1:22 prio 2 protocol ip handle 220 fw classid 1:220
$TC filter add dev $DEV parent 1:22 prio 2 protocol ip handle 221 fw classid 1:221
$TC filter add dev $DEV parent 1:22 prio 2 protocol ip handle 222 fw classid 1:222
$TC filter add dev $DEV parent 1:22 prio 2 protocol ip handle 223 fw classid 1:223

#########PART FOR IPTABLES
#These lines are present in firewall script. Here they are present only for understanding
#All traffic from INTERNET to CLUB_LAN will get mark 1
#$IPTABLES -t mangle -A FORWARD -i eth0 -o eth1 -d 192.168.0.0/24 -j MARK --set-mark 1
#All traffic from HOMENET to CLUB_LAN will get mark 2
#$IPTABLES -t mangle -A FORWARD -i eth3 -o eth1 -d 192.168.0.0/24 -j MARK --set-mark 2
#All traffic from local server - 192.168.0.1 and 10.1.0.1 to CLUB_LAN will get mark 2 too
#$IPTABLES -t mangle -A OUTPUT -o eth1 -d 192.168.0.0/24 -j MARK --set-mark 2

$IPTABLES -t mangle -N MYSHAPER-OUT
$IPTABLES -t mangle -I POSTROUTING -o $DEV -j MYSHAPER-OUT
$IPTABLES -t mangle -A MYSHAPER-OUT -d 192.168.0.22 -j MARK --set-mark 22
# Inbound UDP traffic - game traffic and other traffic like DNS
$IPTABLES -t mangle -A MYSHAPER-OUT -p udp -j MARK --set-mark 220
# Inbound interactive (telnet, ssh, radmin) and low port traffic (for ssh)
$IPTABLES -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 22,23,4899,4890 -j MARK --set-mark 221
#Bursty inbound WWW-traffic
$IPTABLES -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 80,81,82,83,88,3128,8000,8001,8002,8008,8080,8081 -j MARK --set-mark 222
# Inbound SMTP & FTP traffic as well as chat traffic (ICQ & IRC) 
$IPTABLES -t mangle -A MYSHAPER-OUT -p tcp -m multiport --sport 20,25,5190,6665,6666,6667,6668,6669,7000 -j MARK --set-mark 223
exit
--------------------------------------------------------------------------
I use filtering for intermediate classes. As You said, Stef in  
" Shaping services and users (2nd time)" message "...You need a set  of filters attached to the root qdisc so the traffic for the 
different IP's are placed in the IPx class.  Then you need a second set of 
filters attached to the IPx classes and redirect all traffic to the different 
sub classes."

So I did. Nevertheless the script does not work as it is necessary. Here are the  results: (I cut some results so they are shorter)
---------------------------------------------------------------------------
[qdisc]
qdisc sfq 2: quantum 1514b limit 128p flows 128/1024 perturb 10sec 
Sent 177478 bytes 333 pkts (dropped 0, overlimits 0) 

qdisc htb 1: r2q 1 default 0 direct_packets_stat 392462 ver 3.12
Sent 472451546 bytes 392795 pkts (dropped 0, overlimits 0) 

[class]
class htb 1:22 parent 1:3 rate 20Kbit ceil 30Kbit burst 100Kb/8 mpu 0b cburst 1637b/8 mpu 0b level 5 
Sent 0 bytes 0 pkts (dropped 0, overlimits 0) 
lended: 0 borrowed: 0 giants: 0
tokens: 32768000 ctokens: 349439

class htb 1:220 parent 1:22 leaf 220: prio 1 quantum 1000 rate 5Kbit ceil 30Kbit burst 1605b/8 mpu 0b cburst 1637b/8 mpu 0b level 0 
Sent 0 bytes 0 pkts (dropped 0, overlimits 0) 
lended: 0 borrowed: 0 giants: 0
tokens: 2055680 ctokens: 349439

class htb 1:1 root rate 100Mbit ceil 100Mbit burst 132644b/8 mpu 0b cburst 132644b/8 mpu 0b level 7 
Sent 177478 bytes 333 pkts (dropped 0, overlimits 0) 
rate 229bps 
lended: 0 borrowed: 0 giants: 0
tokens: 8156 ctokens: 8156

class htb 1:221 parent 1:22 leaf 221: prio 2 quantum 1000 rate 5Kbit ceil 16Kbit burst 1605b/8 mpu 0b cburst 1619b/8 mpu 0b level 0 
Sent 0 bytes 0 pkts (dropped 0, overlimits 0) 
lended: 0 borrowed: 0 giants: 0
tokens: 2055680 ctokens: 647999

class htb 1:2 parent 1:1 leaf 2: prio 2 quantum 15000 rate 98Mbit ceil 100Mbit burst 130030b/8 mpu 0b cburst 132644b/8 mpu 0b level 0 
Sent 177478 bytes 333 pkts (dropped 0, overlimits 0) 
rate 210bps 
lended: 333 borrowed: 0 giants: 0
tokens: 8156 ctokens: 8156

class htb 1:222 parent 1:22 leaf 222: prio 3 quantum 1000 rate 5Kbit ceil 16Kbit burst 80Kb/8 mpu 0b cburst 1619b/8 mpu 0b level 0 
Sent 0 bytes 0 pkts (dropped 0, overlimits 0) 
lended: 0 borrowed: 0 giants: 0
tokens: 104857600 ctokens: 647999

class htb 1:3 parent 1:1 rate 2Mbit ceil 2Mbit burst 120Kb/8 mpu 0b cburst 4220b/8 mpu 0b level 6 
Sent 0 bytes 0 pkts (dropped 0, overlimits 0) 
lended: 0 borrowed: 0 giants: 0
tokens: 384000 ctokens: 13189

class htb 1:223 parent 1:22 leaf 223: prio 4 quantum 1000 rate 5Kbit ceil 16Kbit burst 1605b/8 mpu 0b cburst 1619b/8 mpu 0b level 0 
Sent 0 bytes 0 pkts (dropped 0, overlimits 0) 
lended: 0 borrowed: 0 giants: 0
tokens: 2055680 ctokens: 647999

[filter]
filter parent 1: protocol ip pref 49151 fw 
filter parent 1: protocol ip pref 49151 fw handle 0x1 classid 1:3 
filter parent 1: protocol ip pref 49152 fw 
filter parent 1: protocol ip pref 49152 fw handle 0x2 classid 1:2 
[iptables]

Chain FORWARD (policy ACCEPT 7760706 packets, 1980834427 bytes)
pkts      bytes target     prot opt in     out     source               destination         
584058 84004747 MARK       all  --  eth0   eth1    anywhere             192.168.0.0/24      MARK set 0x1 
67     3478 MARK       all  --  eth3   eth1    anywhere             192.168.0.0/24      MARK set 0x2 

Chain OUTPUT (policy ACCEPT 7316765 packets, 9448549850 bytes)
pkts      bytes target     prot opt in     out     source               destination         
383315 474163356 MARK       all  --  any    eth1    anywhere             192.168.0.0/24      MARK set 0x2 

Chain POSTROUTING (policy ACCEPT 15054846 packets, 11428089599 bytes)
pkts      bytes target     prot opt in     out     source               destination         
392683 466923052 MYSHAPER-OUT  all  --  any    eth1    anywhere             anywhere            

Chain MYSHAPER-OUT (1 references)
pkts      bytes target     prot opt in     out     source               destination         
332377 457326272 MARK       all  --  any    any     anywhere             ws12.lviv.farlep.net MARK set 0x16 
56040  7053786 MARK       udp  --  any    any     anywhere             anywhere            MARK set 0xdc 
10489  4955688 MARK       tcp  --  any    any     anywhere             anywhere            multiport sports ssh,telnet,4899,4890 MARK set 0xdd 
325728 454732755 MARK       tcp  --  any    any     anywhere             anywhere            multiport sports http,81,82,83,kerberos,squid,8000,8001,8002,http-alt,webcache,tproxy MARK set 0xde 
24     3918 MARK       tcp  --  any    any     anywhere             anywhere            multiport sports ftp-data,smtp,5190,6665,6666,ircd,6668,6669,afs3-fileserver MARK set 0xdf 
---------------------------------------------------------------------------
As it is seen, all fwmarks in iptables work correctly. When I, e.g., download  from 192.168.0.1, mark 2 is settled correctly, but nevertheless , instead of  going through 1:2 class it goes directly as I planned for not classified traffic to  other computers. I didn't put default intentionally.

Well, I will be very grateful to everybody who can point me my fault or suggest  something.

Best regards,

Andrian

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/