Prioritizing on a Bridge doesn't seem to work correctly, ingress does not function

Linux Advanced Routing and Traffic Control


Hi there,

I tried to set up a Linux bridge to prioritize some interactive (Citrix / https) traffic to 1.2.3.4 on my ADSL link, but I think it does not work correctly.

Overview:

Router <->Linux Bridge<->internal Net
              eth1                  eth0

This is my script (with friendly support from the Linux Advanced Routing & Traffic Control HOWTO):

#!/bin/sh
#
# ADSL 1500/160kbit Down/Upload

UPLOAD=140
#DOWNLOAD=1130
DOWNLOAD=1330

## IP addresses: TKH = internal, SAD = external
# internal host
TKH=1.2.3.4
# external partner
SAD=5.6.7.8
## create root qdisc (unclassified packets go to class 1:11)
tc qdisc add dev eth1 root handle 1: htb default 11

## create upload class
tc class add dev eth1 parent 1: classid 1:1 htb rate ${UPLOAD}kbit ceil ${UPLOAD}kbit

# Upload interactive and "connection begin" class
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 30kbit ceil ${UPLOAD}kbit prio 0 burst 4k quantum 6000

# Upload web class and default
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 70kbit ceil 100kbit prio 1 burst 2k quantum 1500

# Upload SMTP class
tc class add dev eth1 parent 1:1 classid 1:12 htb rate 20kbit ceil 100kbit prio 2 quantum 1500

# Handle mapping (SFQ leaf qdiscs under the web and SMTP classes)
tc qdisc add dev eth1 parent 1:11 handle 120: sfq perturb 10
tc qdisc add dev eth1 parent 1:12 handle 130: sfq perturb 10

#
## Setting the priorities of the individual classes, and for use with iptables
#

# Mark mapping (fw filter: packet mark N -> class)
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev eth1 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
tc filter add dev eth1 parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12

# Set marks on the right packets
# You can start marking packets by adding rules to the PREROUTING chain in the mangle table.

iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p icmp -j RETURN

# A good idea is to prioritize packets that begin TCP connections, those with the SYN flag set:
iptables -t mangle -I PREROUTING -p tcp  -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
iptables -t mangle -I PREROUTING -p tcp  -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN

# We have done a -j RETURN so packets don't traverse all rules. ICMP packets won't match other rules below RETURN. Keep that in mind. Now we can start adding more rules, let's do proper TOS handling:
iptables -t mangle -A PREROUTING  -p tcp -m tos --tos Minimize-Delay -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING  -p tcp -m tos --tos Minimize-Delay -j RETURN
iptables -t mangle -A PREROUTING  -p tcp -m tos --tos Minimize-Cost -j MARK --set-mark 0x3
iptables -t mangle -A PREROUTING  -p tcp -m tos --tos Minimize-Cost -j RETURN
iptables -t mangle -A PREROUTING  -p tcp -m tos --tos Maximize-Throughput -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING  -p tcp -m tos --tos Maximize-Throughput -j RETURN

# high prio Citrix / https connections

iptables -t mangle -A PREROUTING -p tcp -d ${SAD} --dport 443 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -d ${SAD} --sport 443 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -d ${SAD} --dport 443 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -d ${SAD} --sport 443 -j RETURN

# low priority SMTP connections

iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 0x3

#
# Download limit
# extra qdisc
tc qdisc add dev eth1 handle ffff: ingress
# filter/brake everything that arrives too fast
tc filter add dev eth1 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${DOWNLOAD}kbit burst 10k drop flowid :1

So my problems are:

1) A big download never gets more than ~ 100kbit (most of the time it will be much lower). Why is that?
- Should it not have the speed of the download rate from the ingress qdisc?
- The ingress qdisc counter shows 0 packets sent. Why doesn't this work?

2) When a download runs, it breaks interactivity on the Citrix clients. Can anybody explain to me why?
- Citrix clients should have the highest priority, and the counters of the classes 1:10, 1:11 and 1:12 show different values.
So I think the mangling with iptables should work.

3) When big e-mails go out of our network, it breaks interactivity on the Citrix clients. Can anybody explain to me why?

Here is some minor info:
- Debian Woody Backport Kernel 2.6.2
- htb Version 3.15

I think I am doing something wrong, but can anybody please point me in the right direction?
Thank You
Thomas
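The questions above all come down to reading the `tc -s` counters: does the ingress qdisc see any packets at all, and which HTB class is each packet actually landing in? The following is an added example, not code from the post or from the LARTC HOWTO: a small parser for the "Sent N bytes M pkt (dropped ..., overlimits ...)" lines that iproute2's `tc -s qdisc show dev eth1` and `tc -s class show dev eth1` print, plus a check that turns those counters into the observations a list reader would make by hand. The sample output is constructed to mirror the reported symptoms (egress classes carry traffic, ingress qdisc at zero); the exact header text on each line is an assumption about the iproute2 version in use, only the `Sent ...` line is relied on.

```python
import re
from typing import Dict, List

# Constructed sample (not captured from the poster's machine) in the layout
# that `tc -s qdisc show dev eth1` followed by `tc -s class show dev eth1`
# prints. Counters are invented to mirror the reported symptoms: every HTB
# class carries traffic, the ingress qdisc has seen nothing.
SAMPLE_TC_OUTPUT = """\
qdisc htb 1: root r2q 10 default 11 direct_packets_stat 0
 Sent 8412345 bytes 61234 pkt (dropped 12, overlimits 9310 requeues 0)
qdisc sfq 120: parent 1:11 limit 127p quantum 1514b perturb 10sec
 Sent 7012000 bytes 50100 pkt (dropped 12, overlimits 0 requeues 0)
qdisc sfq 130: parent 1:12 limit 127p quantum 1514b perturb 10sec
 Sent 1200000 bytes 9000 pkt (dropped 0, overlimits 0 requeues 0)
qdisc ingress ffff: ----------------
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:1 root rate 140Kbit ceil 140Kbit burst 1774b cburst 1774b
 Sent 8412345 bytes 61234 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:10 parent 1:1 prio 0 rate 30Kbit ceil 140Kbit burst 4Kb cburst 1774b
 Sent 200345 bytes 2134 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:11 parent 1:1 leaf 120: prio 1 rate 70Kbit ceil 100Kbit burst 2Kb cburst 1724b
 Sent 7012000 bytes 50100 pkt (dropped 0, overlimits 8000 requeues 0)
class htb 1:12 parent 1:1 leaf 130: prio 2 rate 20Kbit ceil 100Kbit burst 1599b cburst 1724b
 Sent 1200000 bytes 9000 pkt (dropped 0, overlimits 1310 requeues 0)
"""

# "qdisc htb 1:" / "class htb 1:10" header lines.
HEADER_RE = re.compile(r"^(qdisc|class) (\S+) (\S+)")
# Older iproute2 prints "pkts", newer prints "pkt"; accept both.
SENT_RE = re.compile(r"^\s*Sent (\d+) bytes (\d+) pkts? \(dropped (\d+), overlimits (\d+)")


def parse_tc_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Map 'kind algo handle' (e.g. 'class htb 1:10') to its Sent counters."""
    stats: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            kind, algo, handle = m.groups()
            current = f"{kind} {algo} {handle}"
            stats[current] = {"bytes": 0, "packets": 0, "dropped": 0,
                              "overlimits": 0, "root": int(" root " in line)}
            continue
        m = SENT_RE.match(line)
        if m and current is not None:
            sent_bytes, packets, dropped, overlimits = (int(x) for x in m.groups())
            stats[current].update(bytes=sent_bytes, packets=packets,
                                  dropped=dropped, overlimits=overlimits)
    return stats


def class_byte_shares(stats: Dict[str, Dict[str, int]]) -> Dict[str, float]:
    """Fraction of bytes carried by each non-root HTB class (who got the link)."""
    leaves = {n: s["bytes"] for n, s in stats.items()
              if n.startswith("class htb") and not s["root"]}
    total = sum(leaves.values())
    return {n: (b / total if total else 0.0) for n, b in leaves.items()}


def diagnose(stats: Dict[str, Dict[str, int]]) -> List[str]:
    """Turn raw counters into the checks a LARTC reader would make by hand."""
    findings: List[str] = []
    for name, s in stats.items():
        if name.startswith("qdisc ingress") and s["packets"] == 0:
            findings.append(f"[{name}] 0 packets seen: the ingress policer is "
                            "not limiting anything on this interface")
        if name.startswith("class htb") and not s["root"] and s["packets"] == 0:
            findings.append(f"[{name}] nothing classified into it: check the fw "
                            "filter and the iptables MARK rules")
        if s["dropped"]:
            findings.append(f"[{name}] {s['dropped']} drops")
    return findings


if __name__ == "__main__":
    parsed = parse_tc_stats(SAMPLE_TC_OUTPUT)
    for name, share in class_byte_shares(parsed).items():
        print(f"{name}: {share:6.1%} of shaped bytes")
    for finding in diagnose(parsed):
        print(finding)
```

On a real box, feed the script the concatenated output of `tc -s qdisc show dev eth1` and `tc -s class show dev eth1` instead of the constructed sample; a zero packet count on `qdisc ingress ffff:` while the HTB classes are busy is the counter-level version of problem 1, and the byte shares show whether the SMTP or web class is taking the link from class 1:10 in problems 2 and 3.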

 
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

