RE: tc filter + bridging + htb -- works only if ip_forward = 0

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



By the way, under Fedora Core 2, bridging + htb + tc filter works correctly
BUT tc show does not report rates correctly.  I tested htb with several
subsidiary classes, each with ceil's and prio's and they all
borrowed/allocated/etc rates correctly as measured from outside hosts.
However, tc show did not seem to report sane values for bps/pps or total
bytes sent except for the root qdisc.

A.

-----Original Message-----
From: lartc-admin@xxxxxxxxxxxxxxx [mailto:lartc-admin@xxxxxxxxxxxxxxx]On
Behalf Of Andrew Athan
Sent: Thursday, July 08, 2004 10:05 PM
To: lartc@xxxxxxxxxxxxxxx
Subject:  tc filter + bridging + htb -- works only if ip_forward
= 0



I thought that the below email would be of interest to LARTC readers.  I
wasted quite a bit of time tracking down this "feature" (bug?).  Any
comments that shed light on this would be appreciated.  In short, "tc
filter" + htb + bridging works only with ip_forward off.

Andrew Athan


-----------------------------------------------------------------------
All:

It seems that Fedora Core 2 (Linux Kernel 2.6)

echo "1" > /proc/sys/net/ipv4/ip_forward

will cause tc filter rules not to work.  I am not sure if this is unique to
cases of bridging or if turning ip forwarding on also breaks tc filter rules
on "true", non-promiscuous, non-bridged (e.g., eth0) interfaces.  I would
assume it would but don't have time to test this case right now (i.e., this
is probably not specific to bridging).

A.

-----Original Message-----

Folks:

I am having trouble making linux-2.6.5-1.358 (Fedora Core 2) configured as a
bridge work.  See below.  Wether I set the tc filter's parent as 1: or 1:1
or rename 1: to 1:0 and use 1:0 etc I never get any traffic classified in
the htb.  If I set a default class, all the traffic ends up in the default
class.

This leads me to believe that the u32 classifier simply never matches,
although it probably gets the packets.  Perhaps there is a wrong offset or
mismatched struct somewhere?  I'd be glad to investigate if pointed in the
right direction, I will start by diffing cls_u32.c between linux-2.4.26 and
linux-2.6.5 (people have reported there are no issues with packet
classification + bridging under linux-2.4).

A.


# lspci
00:00.0 Host bridge: Intel Corp. 82810E DC-133 GMCH [Graphics Memory
Controller Hub] (rev 03)
00:01.0 VGA compatible controller: Intel Corp. 82810E DC-133 CGC [Chipset
Graphics Controller] (rev 03)
00:1e.0 PCI bridge: Intel Corp. 82801AA PCI Bridge (rev 02)
00:1f.0 ISA bridge: Intel Corp. 82801AA ISA Bridge (LPC) (rev 02)
00:1f.1 IDE interface: Intel Corp. 82801AA IDE (rev 02)
00:1f.2 USB Controller: Intel Corp. 82801AA USB (rev 02)
00:1f.3 SMBus: Intel Corp. 82801AA SMBus (rev 02)
00:1f.5 Multimedia audio controller: Intel Corp. 82801AA AC'97 Audio (rev
02)
01:0a.0 Ethernet controller: Lite-On Communications Inc LNE100TX (rev 20)
01:0c.0 Ethernet controller: 3Com Corporation 3c905C-TX/TX-M [Tornado] (rev
78)

#!/bin/bash
#
# qos Add traffic shaping to eth0
#
# chkconfig: 2345 86 14
# description: Add traffic shaping to eth0
#
# processname: none

WAN=br0       # external interface
LAN=eth1       # internal interface
TC=/usr/local/tc

CMD="$1"
if [ "$CMD" == "stop" ]
then
       TCOP="del"
       IPTOP="-D"
       #iptables -t mangle -D POSTROUTING -o $WAN -j MYSHAPER-OUT 2>
/dev/null > /dev/null
       #iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
       #iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
       $TC qdisc del dev ${WAN} root handle 1: htb
fi

if [ "$CMD" == "start" ]
then
    brctl addbr br0
    brctl addif br0 eth0
    brctl addif br0 eth1
    ifconfig eth0 0.0.0.0
    ifconfig eth1 0.0.0.0
    ifconfig br0 up
    ifconfig br0 10.100.82.252 netmask 255.255.255.0 broadcast 10.100.82.255
up
    echo "1" > /proc/sys/net/ipv4/ip_forward
    route add default gw 10.100.82.1

    sysctl -w net.core.rmem_max=8388608
    sysctl -w net.core.wmem_max=8388608
    sysctl -w net.core.rmem_default=65536
    sysctl -w net.core.wmem_default=65536
    sysctl -w net.ipv4.tcp_rmem='4096 87380 8388608'
    sysctl -w net.ipv4.tcp_wmem='4096 65536 8388608'
    sysctl -w net.ipv4.tcp_mem='8388608 8388608 8388608'
    sysctl -w net.ipv4.route.flush=1

    TCOP="add"
    IPTOP="-A"
    #iptables -t mangle -N MYSHAPER-OUT
    ##iptables -t mangle -I POSTROUTING -d $LIMITNETSPEC -j MYSHAPER-OUT
    #iptables -t mangle -I POSTROUTING -o $WAN -j MYSHAPER-OUT


    #          +---------+
    #          | root 1: |
    #          +---------+
    #               |
    # +----------------------------+
    # |         class 1:1          |
    # +----------------------------+
    #   |           |           |
    # +----+      +----+      +----+
    # |1:10|      |1:20|      |1:30|
    # +----+      +----+      +----+
    #               |
    #      +--------+--------+
    #      |        |        |
    #   +-----+  +-----+  +-----+
    #   |1:100|  |1:101|  |1:102|
    #   +-----+  +-----+  +-----+

    # 1:10 is the class for VOIP traffic, ACKs, SYNs, etc (pfifo qdisc)
    # 1:20 is for bulk traffic (htb, leaves use sfq)
    # 1:30 is the class that interactive traffic which must never get
snuffed out completely goes to (sfq)

    # 1:20 is further split up into different kinds of bulk traffic: web,
mail and
    # everything else.  1:100-102 fight amongst themselves for their slice
of excess
    # bandwidth, and in turn 1:10,20 and 30 then fight for any excess above
their
    # minimum rates.

    # ceil is 90% of max rate (768kbps)
    # rate is 80% of max rate
    # we don't let it go to 100% because we don't want the WAN provider to
buffer
    CEIL=4500kbit
    RATE1=1000kbit
    RATE2=3000kbit
    RATE3=500kbit
    APPRATE1=1500kbit
    APPRATE2=750kbit
    APPRATE3=250kbit

    $TC qdisc ${TCOP} dev ${WAN} root handle 1: htb
    $TC class ${TCOP} dev ${WAN} parent 1:   classid 1:1 htb rate ${CEIL}
ceil ${CEIL}

    $TC class ${TCOP} dev ${WAN} parent 1:1  classid 1:10 htb rate ${RATE1}
ceil ${CEIL} prio 1
    $TC class ${TCOP} dev ${WAN} parent 1:1  classid 1:20 htb rate ${RATE2}
ceil ${CEIL} prio 2
    $TC class ${TCOP} dev ${WAN} parent 1:1  classid 1:30 htb rate ${RATE3}
ceil ${CEIL} prio 3

    $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:100 htb rate
${APPRATE1} ceil ${CEIL} prio 4
    $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:101 htb rate
${APPRATE2} ceil ${CEIL} prio 5
    $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:102 htb rate
${APPRATE3} ceil ${CEIL} prio 6

    $TC qdisc ${TCOP} dev ${WAN} parent 1:10  handle 10:  pfifo
    $TC qdisc ${TCOP} dev ${WAN} parent 1:100 handle 100: sfq perturb 10
    $TC qdisc ${TCOP} dev ${WAN} parent 1:101 handle 101: sfq perturb 10
    $TC qdisc ${TCOP} dev ${WAN} parent 1:102 handle 102: sfq perturb 10
    $TC qdisc ${TCOP} dev ${WAN} parent 1:30  handle 30:  sfq perturb 10


#---------------------------------------------------------------------------

    #phones
    $TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 match ip
dst 10.50.30.0/24 flowid 1:10

    ##trading
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip
dst 207.251.101.0/24 flowid 1:100
    ##non-critical
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip
dst 10.50.20.0/24 flowid 1:101
    #
    #
    ##ACK
    #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
    #      match ip protocol 0x6 0xff \
    #      match u8 0x05 0x0f at 0 \
    #      match u8 0x10 0xff at 33 \
    #      match u16 0x0000 0xffc0 at 2 \
    #      flowid 1:10
    #
    ##SYN-ACK
    #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
    #      match ip protocol 0x6 0xff \
    #      match u8 0x05 0x0f at 0 \
    #      match u8 0x12 0x12 at 33 \
    #      match u16 0x0000 0xffc0 at 2 \
    #      flowid 1:10
    #
    ##FIN
    #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
    #      match ip protocol 0x6 0xff \
    #      match u8 0x05 0x0f at 0 \
    #      match u8 0x01 0x01 at 33 \
    #      match u16 0x0000 0xffc0 at 2 \
    #      flowid 1:10
    #
    ##RST
    #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
    #      match ip protocol 0x6 0xff \
    #      match u8 0x05 0x0f at 0 \
    #      match u8 0x04 0x04 at 33 \
    #      match u16 0x0000 0xffc0 at 2 \
    #      flowid 1:10
    #
    ## ICMP
    #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
    #   match ip protocol 1 0xff flowid 1:10
    #
    ## DNS
    #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
    #      match ip protocol 0x11 0xff \
    #      match ip dport 53 0xffff \
    #      flowid 1:100
    #
    ##telnet and AOL
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip
sport 22 0xffff flowid 1:30
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip
dport 22 0xffff flowid 1:30
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip
sport 5190 0xffff flowid 1:30
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip
dport 5190 0xffff flowid 1:30
    #
    ##web
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip
sport 80 0xffff flowid 1:102
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip
dport 80 0xffff flowid 1:102
    ##ftp
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip
sport 21 0xffff flowid 1:102
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip
dport 21 0xffff flowid 1:102
    ##tftp
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip
sport 69 0xffff flowid 1:102
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip
dport 69 0xffff flowid 1:102
    ##dhcp?
    ##$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match
ip dst 0.0.0.0/0 flowid 1:10
    ##$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match
ip dst 0.0.0.0/0 flowid 1:10
    #
    #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 10 fw
flowid 1:10
    #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 100
fw flowid 1:100
    #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 101
fw flowid 1:101
    #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 102
fw flowid 1:102
    #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 30 fw
flowid 1:30
    #
    ##TOS min delay
    #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 3 u32 \
    #      match ip tos 0x10 0xff  \
    #      flowid 1:30
    #
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 5190 -j
MARK --set-mark 30   # aol instant messenger
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport ssh -j
MARK --set-mark 30    # secure shell
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport ssh -j
MARK --set-mark 30    # secure shell
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport x11 -j
MARK --set-mark 30    # secure shell
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 0:1024 -j
MARK --set-mark 101 # Default for low port traffic
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 0:1024 -j
MARK --set-mark 101 # ""
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport http -j
MARK --set-mark 102   # Web
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport https -j
MARK --set-mark 102   # Web
    ##iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark
102      # redundant- mark any unmarked packets as 26 (low prio)
fi

if [ "$CMD" = "status" ]
then
        echo "[qdisc-$WAN]"
        $TC -s qdisc show dev $WAN
        echo "[class-$WAN]"
        $TC -s class show dev $WAN
        echo "[filter-$WAN]"
        $TC -s filter show dev $WAN
        echo "[iptables]"
        iptables -t mangle -L MYSHAPER-OUT -v -x 2> /dev/null
        exit
fi




_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux