By the way, under Fedora Core 2, bridging + htb + tc filter works correctly BUT tc show does not report rates correctly. I tested htb with several subsidiary classes, each with ceil's and prio's and they all borrowed/allocated/etc rates correctly as measured from outside hosts. However, tc show did not seem to report sane values for bps/pps or total bytes sent except for the root qdisc. A. -----Original Message----- From: lartc-admin@xxxxxxxxxxxxxxx [mailto:lartc-admin@xxxxxxxxxxxxxxx]On Behalf Of Andrew Athan Sent: Thursday, July 08, 2004 10:05 PM To: lartc@xxxxxxxxxxxxxxx Subject: tc filter + bridging + htb -- works only if ip_forward = 0 I thought that the below email would be of interest to LARTC readers. I wasted quite a bit of time tracking down this "feature" (bug?). Any comments that shed light on this would be appreciated. In short, "tc filter" + htb + bridging works only with ip_forward off. Andrew Athan ----------------------------------------------------------------------- All: It seems that Fedora Core 2 (Linux Kernel 2.6) echo "1" > /proc/sys/net/ipv4/ip_forward will cause tc filter rules not to work. I am not sure if this is unique to cases of bridging or if turning ip forwarding on also breaks tc filter rules on "true", non-promiscuous, non-bridged (e.g., eth0) interfaces. I would assume it would but don't have time to test this case right now (i.e., this is probably not specific to bridging). A. -----Original Message----- Folks: I am having trouble making linux-2.6.5-1.358 (Fedora Core 2) configured as a bridge work. See below. Wether I set the tc filter's parent as 1: or 1:1 or rename 1: to 1:0 and use 1:0 etc I never get any traffic classified in the htb. If I set a default class, all the traffic ends up in the default class. This leads me to believe that the u32 classifier simply never matches, although it probably gets the packets. Perhaps there is a wrong offset or mismatched struct somewhere? I'd be glad to investigate if pointed in the right direction, I will start by diffing cls_u32.c between linux-2.4.26 and linux-2.6.5 (people have reported there are no issues with packet classification + bridging under linux-2.4). A. # lspci 00:00.0 Host bridge: Intel Corp. 82810E DC-133 GMCH [Graphics Memory Controller Hub] (rev 03) 00:01.0 VGA compatible controller: Intel Corp. 82810E DC-133 CGC [Chipset Graphics Controller] (rev 03) 00:1e.0 PCI bridge: Intel Corp. 82801AA PCI Bridge (rev 02) 00:1f.0 ISA bridge: Intel Corp. 82801AA ISA Bridge (LPC) (rev 02) 00:1f.1 IDE interface: Intel Corp. 82801AA IDE (rev 02) 00:1f.2 USB Controller: Intel Corp. 82801AA USB (rev 02) 00:1f.3 SMBus: Intel Corp. 82801AA SMBus (rev 02) 00:1f.5 Multimedia audio controller: Intel Corp. 82801AA AC'97 Audio (rev 02) 01:0a.0 Ethernet controller: Lite-On Communications Inc LNE100TX (rev 20) 01:0c.0 Ethernet controller: 3Com Corporation 3c905C-TX/TX-M [Tornado] (rev 78) #!/bin/bash # # qos Add traffic shaping to eth0 # # chkconfig: 2345 86 14 # description: Add traffic shaping to eth0 # # processname: none WAN=br0 # external interface LAN=eth1 # internal interface TC=/usr/local/tc CMD="$1" if [ "$CMD" == "stop" ] then TCOP="del" IPTOP="-D" #iptables -t mangle -D POSTROUTING -o $WAN -j MYSHAPER-OUT 2> /dev/null > /dev/null #iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null #iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null $TC qdisc del dev ${WAN} root handle 1: htb fi if [ "$CMD" == "start" ] then brctl addbr br0 brctl addif br0 eth0 brctl addif br0 eth1 ifconfig eth0 0.0.0.0 ifconfig eth1 0.0.0.0 ifconfig br0 up ifconfig br0 10.100.82.252 netmask 255.255.255.0 broadcast 10.100.82.255 up echo "1" > /proc/sys/net/ipv4/ip_forward route add default gw 10.100.82.1 sysctl -w net.core.rmem_max=8388608 sysctl -w net.core.wmem_max=8388608 sysctl -w net.core.rmem_default=65536 sysctl -w net.core.wmem_default=65536 sysctl -w net.ipv4.tcp_rmem='4096 87380 8388608' sysctl -w net.ipv4.tcp_wmem='4096 65536 8388608' sysctl -w net.ipv4.tcp_mem='8388608 8388608 8388608' sysctl -w net.ipv4.route.flush=1 TCOP="add" IPTOP="-A" #iptables -t mangle -N MYSHAPER-OUT ##iptables -t mangle -I POSTROUTING -d $LIMITNETSPEC -j MYSHAPER-OUT #iptables -t mangle -I POSTROUTING -o $WAN -j MYSHAPER-OUT # +---------+ # | root 1: | # +---------+ # | # +----------------------------+ # | class 1:1 | # +----------------------------+ # | | | # +----+ +----+ +----+ # |1:10| |1:20| |1:30| # +----+ +----+ +----+ # | # +--------+--------+ # | | | # +-----+ +-----+ +-----+ # |1:100| |1:101| |1:102| # +-----+ +-----+ +-----+ # 1:10 is the class for VOIP traffic, ACKs, SYNs, etc (pfifo qdisc) # 1:20 is for bulk traffic (htb, leaves use sfq) # 1:30 is the class that interactive traffic which must never get snuffed out completely goes to (sfq) # 1:20 is further split up into different kinds of bulk traffic: web, mail and # everything else. 1:100-102 fight amongst themselves for their slice of excess # bandwidth, and in turn 1:10,20 and 30 then fight for any excess above their # minimum rates. # ceil is 90% of max rate (768kbps) # rate is 80% of max rate # we don't let it go to 100% because we don't want the WAN provider to buffer CEIL=4500kbit RATE1=1000kbit RATE2=3000kbit RATE3=500kbit APPRATE1=1500kbit APPRATE2=750kbit APPRATE3=250kbit $TC qdisc ${TCOP} dev ${WAN} root handle 1: htb $TC class ${TCOP} dev ${WAN} parent 1: classid 1:1 htb rate ${CEIL} ceil ${CEIL} $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:10 htb rate ${RATE1} ceil ${CEIL} prio 1 $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:20 htb rate ${RATE2} ceil ${CEIL} prio 2 $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:30 htb rate ${RATE3} ceil ${CEIL} prio 3 $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:100 htb rate ${APPRATE1} ceil ${CEIL} prio 4 $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:101 htb rate ${APPRATE2} ceil ${CEIL} prio 5 $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:102 htb rate ${APPRATE3} ceil ${CEIL} prio 6 $TC qdisc ${TCOP} dev ${WAN} parent 1:10 handle 10: pfifo $TC qdisc ${TCOP} dev ${WAN} parent 1:100 handle 100: sfq perturb 10 $TC qdisc ${TCOP} dev ${WAN} parent 1:101 handle 101: sfq perturb 10 $TC qdisc ${TCOP} dev ${WAN} parent 1:102 handle 102: sfq perturb 10 $TC qdisc ${TCOP} dev ${WAN} parent 1:30 handle 30: sfq perturb 10 #--------------------------------------------------------------------------- #phones $TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 match ip dst 10.50.30.0/24 flowid 1:10 ##trading #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 207.251.101.0/24 flowid 1:100 ##non-critical #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 10.50.20.0/24 flowid 1:101 # # ##ACK #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \ # match ip protocol 0x6 0xff \ # match u8 0x05 0x0f at 0 \ # match u8 0x10 0xff at 33 \ # match u16 0x0000 0xffc0 at 2 \ # flowid 1:10 # ##SYN-ACK #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \ # match ip protocol 0x6 0xff \ # match u8 0x05 0x0f at 0 \ # match u8 0x12 0x12 at 33 \ # match u16 0x0000 0xffc0 at 2 \ # flowid 1:10 # ##FIN #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \ # match ip protocol 0x6 0xff \ # match u8 0x05 0x0f at 0 \ # match u8 0x01 0x01 at 33 \ # match u16 0x0000 0xffc0 at 2 \ # flowid 1:10 # ##RST #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \ # match ip protocol 0x6 0xff \ # match u8 0x05 0x0f at 0 \ # match u8 0x04 0x04 at 33 \ # match u16 0x0000 0xffc0 at 2 \ # flowid 1:10 # ## ICMP #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \ # match ip protocol 1 0xff flowid 1:10 # ## DNS #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \ # match ip protocol 0x11 0xff \ # match ip dport 53 0xffff \ # flowid 1:100 # ##telnet and AOL #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 22 0xffff flowid 1:30 #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 22 0xffff flowid 1:30 #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 5190 0xffff flowid 1:30 #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 5190 0xffff flowid 1:30 # ##web #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 80 0xffff flowid 1:102 #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 80 0xffff flowid 1:102 ##ftp #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 21 0xffff flowid 1:102 #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 21 0xffff flowid 1:102 ##tftp #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 69 0xffff flowid 1:102 #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 69 0xffff flowid 1:102 ##dhcp? ##$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 0.0.0.0/0 flowid 1:10 ##$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 0.0.0.0/0 flowid 1:10 # #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 10 fw flowid 1:10 #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 100 fw flowid 1:100 #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 101 fw flowid 1:101 #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 102 fw flowid 1:102 #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 30 fw flowid 1:30 # ##TOS min delay #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 3 u32 \ # match ip tos 0x10 0xff \ # flowid 1:30 # ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 5190 -j MARK --set-mark 30 # aol instant messenger ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport ssh -j MARK --set-mark 30 # secure shell ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport ssh -j MARK --set-mark 30 # secure shell ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport x11 -j MARK --set-mark 30 # secure shell ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 0:1024 -j MARK --set-mark 101 # Default for low port traffic ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 0:1024 -j MARK --set-mark 101 # "" ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport http -j MARK --set-mark 102 # Web ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport https -j MARK --set-mark 102 # Web ##iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 102 # redundant- mark any unmarked packets as 26 (low prio) fi if [ "$CMD" = "status" ] then echo "[qdisc-$WAN]" $TC -s qdisc show dev $WAN echo "[class-$WAN]" $TC -s class show dev $WAN echo "[filter-$WAN]" $TC -s filter show dev $WAN echo "[iptables]" iptables -t mangle -L MYSHAPER-OUT -v -x 2> /dev/null exit fi _______________________________________________ LARTC mailing list / LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ _______________________________________________ LARTC mailing list / LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
