Andrew Athan (aathan-lartc-15280@xxxxxxxxxxxxx) wrote:
>
> I thought that the below email would be of interest to LARTC readers. I
> wasted quite a bit of time tracking down this "feature" (bug?). Any
> comments that shed light on this would be appreciated. In short, "tc
> filter" + htb + bridging works only with ip_forward off.
>
> Andrew Athan

tc filter + class + shape htb + sfq works fine for me, but I'm matching packets on the bridge (br0) interface and building htb classes for input and output on the eth0 and eth1 interfaces.

And, I agree, tc doesn't show correct statistics in some cases. I'm still unable to find out why.

> -----------------------------------------------------------------------
> All:
>
> It seems that on Fedora Core 2 (Linux Kernel 2.6)
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> will cause tc filter rules not to work. I am not sure if this is unique to
> cases of bridging or if turning ip forwarding on also breaks tc filter rules
> on "true", non-promiscuous, non-bridged (e.g., eth0) interfaces. I would
> assume it would but don't have time to test this case right now (i.e., this
> is probably not specific to bridging).
>
> A.
>
> -----Original Message-----
>
> Folks:
>
> I am having trouble making linux-2.6.5-1.358 (Fedora Core 2) configured as a
> bridge work. See below. Whether I set the tc filter's parent as 1: or 1:1
> or rename 1: to 1:0 and use 1:0 etc, I never get any traffic classified in
> the htb. If I set a default class, all the traffic ends up in the default
> class.
>
> This leads me to believe that the u32 classifier simply never matches,
> although it probably gets the packets. Perhaps there is a wrong offset or
> mismatched struct somewhere? I'd be glad to investigate if pointed in the
> right direction. I will start by diffing cls_u32.c between linux-2.4.26 and
> linux-2.6.5 (people have reported there are no issues with packet
> classification + bridging under linux-2.4).
>
> A.
>
>
> # lspci
> 00:00.0 Host bridge: Intel Corp. 82810E DC-133 GMCH [Graphics Memory Controller Hub] (rev 03)
> 00:01.0 VGA compatible controller: Intel Corp. 82810E DC-133 CGC [Chipset Graphics Controller] (rev 03)
> 00:1e.0 PCI bridge: Intel Corp. 82801AA PCI Bridge (rev 02)
> 00:1f.0 ISA bridge: Intel Corp. 82801AA ISA Bridge (LPC) (rev 02)
> 00:1f.1 IDE interface: Intel Corp. 82801AA IDE (rev 02)
> 00:1f.2 USB Controller: Intel Corp. 82801AA USB (rev 02)
> 00:1f.3 SMBus: Intel Corp. 82801AA SMBus (rev 02)
> 00:1f.5 Multimedia audio controller: Intel Corp. 82801AA AC'97 Audio (rev 02)
> 01:0a.0 Ethernet controller: Lite-On Communications Inc LNE100TX (rev 20)
> 01:0c.0 Ethernet controller: 3Com Corporation 3c905C-TX/TX-M [Tornado] (rev 78)
>
> #!/bin/bash
> #
> # qos          Add traffic shaping to eth0
> #
> # chkconfig: 2345 86 14
> # description: Add traffic shaping to eth0
> #
> # processname: none
>
> WAN=br0   # external interface
> LAN=eth1  # internal interface
> TC=/usr/local/tc
>
> CMD="$1"
> if [ "$CMD" == "stop" ]
> then
>     TCOP="del"
>     IPTOP="-D"
>     #iptables -t mangle -D POSTROUTING -o $WAN -j MYSHAPER-OUT 2> /dev/null > /dev/null
>     #iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
>     #iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
>     $TC qdisc del dev ${WAN} root handle 1: htb
> fi
>
> if [ "$CMD" == "start" ]
> then
>     brctl addbr br0
>     brctl addif br0 eth0
>     brctl addif br0 eth1
>     ifconfig eth0 0.0.0.0
>     ifconfig eth1 0.0.0.0
>     ifconfig br0 up
>     ifconfig br0 10.100.82.252 netmask 255.255.255.0 broadcast 10.100.82.255 up
>     echo "1" > /proc/sys/net/ipv4/ip_forward
>     route add default gw 10.100.82.1
>
>     sysctl -w net.core.rmem_max=8388608
>     sysctl -w net.core.wmem_max=8388608
>     sysctl -w net.core.rmem_default=65536
>     sysctl -w net.core.wmem_default=65536
>     sysctl -w net.ipv4.tcp_rmem='4096 87380 8388608'
>     sysctl -w net.ipv4.tcp_wmem='4096 65536 8388608'
>     sysctl -w net.ipv4.tcp_mem='8388608 8388608 8388608'
>     sysctl -w net.ipv4.route.flush=1
>
>     TCOP="add"
>     IPTOP="-A"
>     #iptables -t mangle -N MYSHAPER-OUT
>     ##iptables -t mangle -I POSTROUTING -d $LIMITNETSPEC -j MYSHAPER-OUT
>     #iptables -t mangle -I POSTROUTING -o $WAN -j MYSHAPER-OUT
>
>
>     #          +---------+
>     #          | root 1: |
>     #          +---------+
>     #               |
>     #   +----------------------------+
>     #   |         class 1:1          |
>     #   +----------------------------+
>     #      |           |          |
>     #   +----+      +----+     +----+
>     #   |1:10|      |1:20|     |1:30|
>     #   +----+      +----+     +----+
>     #                 |
>     #        +--------+--------+
>     #        |        |        |
>     #     +-----+  +-----+  +-----+
>     #     |1:100|  |1:101|  |1:102|
>     #     +-----+  +-----+  +-----+
>
>     # 1:10 is the class for VOIP traffic, ACKs, SYNs, etc (pfifo qdisc)
>     # 1:20 is for bulk traffic (htb, leaves use sfq)
>     # 1:30 is the class that interactive traffic which must never get snuffed out completely goes to (sfq)
>
>     # 1:20 is further split up into different kinds of bulk traffic: web, mail and
>     # everything else. 1:100-102 fight amongst themselves for their slice of excess
>     # bandwidth, and in turn 1:10,20 and 30 then fight for any excess above their
>     # minimum rates.
>
>     # ceil is 90% of max rate (768kbps)
>     # rate is 80% of max rate
>     # we don't let it go to 100% because we don't want the WAN provider to buffer
>     CEIL=4500kbit
>     RATE1=1000kbit
>     RATE2=3000kbit
>     RATE3=500kbit
>     APPRATE1=1500kbit
>     APPRATE2=750kbit
>     APPRATE3=250kbit
>
>     $TC qdisc ${TCOP} dev ${WAN} root handle 1: htb
>     $TC class ${TCOP} dev ${WAN} parent 1: classid 1:1 htb rate ${CEIL} ceil ${CEIL}
>
>     $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:10 htb rate ${RATE1} ceil ${CEIL} prio 1
>     $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:20 htb rate ${RATE2} ceil ${CEIL} prio 2
>     $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:30 htb rate ${RATE3} ceil ${CEIL} prio 3
>
>     $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:100 htb rate ${APPRATE1} ceil ${CEIL} prio 4
>     $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:101 htb rate ${APPRATE2} ceil ${CEIL} prio 5
>     $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:102 htb rate ${APPRATE3} ceil ${CEIL} prio 6
>
>     $TC qdisc ${TCOP} dev ${WAN} parent 1:10 handle 10: pfifo
>     $TC qdisc ${TCOP} dev ${WAN} parent 1:100 handle 100: sfq perturb 10
>     $TC qdisc ${TCOP} dev ${WAN} parent 1:101 handle 101: sfq perturb 10
>     $TC qdisc ${TCOP} dev ${WAN} parent 1:102 handle 102: sfq perturb 10
>     $TC qdisc ${TCOP} dev ${WAN} parent 1:30 handle 30: sfq perturb 10
>
>
>     #---------------------------------------------------------------------------
>
>     #phones
>     $TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 match ip dst 10.50.30.0/24 flowid 1:10
>
>     ##trading
>     #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 207.251.101.0/24 flowid 1:100
>     ##non-critical
>     #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 10.50.20.0/24 flowid 1:101
>     #
>     #
>     ##ACK
>     #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
>     #    match ip protocol 0x6 0xff \
>     #    match u8 0x05 0x0f at 0 \
>     #    match u8 0x10 0xff at 33 \
>     #    match u16 0x0000 0xffc0 at 2 \
>     #    flowid 1:10
>     #
>     ##SYN-ACK
>     #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
>     #    match ip protocol 0x6 0xff \
>     #    match u8 0x05 0x0f at 0 \
>     #    match u8 0x12 0x12 at 33 \
>     #    match u16 0x0000 0xffc0 at 2 \
>     #    flowid 1:10
>     #
>     ##FIN
>     #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
>     #    match ip protocol 0x6 0xff \
>     #    match u8 0x05 0x0f at 0 \
>     #    match u8 0x01 0x01 at 33 \
>     #    match u16 0x0000 0xffc0 at 2 \
>     #    flowid 1:10
>     #
>     ##RST
>     #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
>     #    match ip protocol 0x6 0xff \
>     #    match u8 0x05 0x0f at 0 \
>     #    match u8 0x04 0x04 at 33 \
>     #    match u16 0x0000 0xffc0 at 2 \
>     #    flowid 1:10
>     #
>     ## ICMP
>     #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
>     #    match ip protocol 1 0xff flowid 1:10
>     #
>     ## DNS
>     #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
>     #    match ip protocol 0x11 0xff \
>     #    match ip dport 53 0xffff \
>     #    flowid 1:100
>     #
>     ##telnet and AOL
>     #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 22 0xffff flowid 1:30
>     #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 22 0xffff flowid 1:30
>     #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 5190 0xffff flowid 1:30
>     #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 5190 0xffff flowid 1:30
>     #
>     ##web
>     #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 80 0xffff flowid 1:102
>     #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 80 0xffff flowid 1:102
>     ##ftp
>     #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 21 0xffff flowid 1:102
>     #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 21 0xffff flowid 1:102
>     ##tftp
>     #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 69 0xffff flowid 1:102
>     #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 69 0xffff flowid 1:102
>     ##dhcp?
>     ##$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 0.0.0.0/0 flowid 1:10
>     ##$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 0.0.0.0/0 flowid 1:10
>     #
>     #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 10 fw flowid 1:10
>     #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 100 fw flowid 1:100
>     #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 101 fw flowid 1:101
>     #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 102 fw flowid 1:102
>     #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 30 fw flowid 1:30
>     #
>     ##TOS min delay
>     #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 3 u32 \
>     #    match ip tos 0x10 0xff \
>     #    flowid 1:30
>     #
>     ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 5190 -j MARK --set-mark 30    # aol instant messenger
>     ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport ssh -j MARK --set-mark 30     # secure shell
>     ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport ssh -j MARK --set-mark 30     # secure shell
>     ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport x11 -j MARK --set-mark 30     # secure shell
>     ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 0:1024 -j MARK --set-mark 101 # Default for low port traffic
>     ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 0:1024 -j MARK --set-mark 101 # ""
>     ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport http -j MARK --set-mark 102   # Web
>     ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport https -j MARK --set-mark 102  # Web
>     ##iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 102      # redundant- mark any unmarked packets as 26 (low prio)
> fi
>
> if [ "$CMD" = "status" ]
> then
>     echo "[qdisc-$WAN]"
>     $TC -s qdisc show dev $WAN
>     echo "[class-$WAN]"
>     $TC -s class show dev $WAN
>     echo "[filter-$WAN]"
>     $TC -s filter show dev $WAN
>     echo "[iptables]"
>     iptables -t mangle -L MYSHAPER-OUT -v -x 2> /dev/null
>     exit
> fi
>
>
>
>
> _______________________________________________
> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

--
Michael Vasilenko
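One way to check what the commented-out ACK / SYN-ACK / FIN / RST u32 rules in the quoted script actually test before attaching them to a qdisc: the added Python below (not from the thread or from tc/iproute2) transcribes each `match uN value mask at offset` key and evaluates the rules against constructed IPv4/TCP packets, including a packet with IP options, where the fixed offset 33 no longer points at the TCP flags.

```python
"""Simulate u32 'match <u8|u16> <value> <mask> at <offset>' keys from the
quoted LARTC shaping script against constructed packets. Offsets are taken
relative to the start of the IP header, as for 'protocol ip' u32 filters."""
import struct

# Keys transcribed from the script's commented-out TCP filters (all flowid 1:10).
_COMMON = [(1, 0x06, 0xff, 9),       # match ip protocol 0x6 0xff   -> TCP
           (1, 0x05, 0x0f, 0),       # match u8 0x05 0x0f at 0      -> IHL == 5
           (2, 0x0000, 0xffc0, 2)]   # match u16 0x0000 0xffc0 at 2 -> total length < 64
RULES = [  # evaluated in the order the script installs them
    ("ack",     _COMMON + [(1, 0x10, 0xff, 33)], "1:10"),  # flags byte == ACK only
    ("syn-ack", _COMMON + [(1, 0x12, 0x12, 33)], "1:10"),  # SYN and ACK both set
    ("fin",     _COMMON + [(1, 0x01, 0x01, 33)], "1:10"),  # FIN set
    ("rst",     _COMMON + [(1, 0x04, 0x04, 33)], "1:10"),  # RST set
]

def u32_match(pkt, width, value, mask, offset):
    """One u32 key: (field & mask) == (value & mask); false if it runs off the packet."""
    if offset + width > len(pkt):
        return False
    fmt = {1: ">B", 2: ">H", 4: ">I"}[width]
    (field,) = struct.unpack_from(fmt, pkt, offset)
    return field & mask == value & mask

def classify(pkt, rules=RULES):
    """Return (rule name, flowid) of the first rule whose keys all match, else None."""
    for name, keys, flowid in rules:
        if all(u32_match(pkt, *key) for key in keys):
            return name, flowid
    return None

def build_tcp(flags, payload_len=0, ihl=5):
    """Constructed sample IPv4/TCP packet (not captured traffic). ihl > 5 appends
    zeroed IP options, which shifts the TCP header past the hard-coded offsets."""
    total = ihl * 4 + 20 + payload_len
    ip = struct.pack(">BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes([10, 100, 82, 10]), bytes([10, 50, 30, 7]))
    ip += b"\x00" * ((ihl - 5) * 4)
    tcp = struct.pack(">HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + b"\x00" * payload_len

if __name__ == "__main__":
    for label, pkt in [("pure ACK", build_tcp(0x10)), ("SYN-ACK", build_tcp(0x12)),
                       ("ACK + 1000B data", build_tcp(0x10, payload_len=1000)),
                       ("ACK with IP options", build_tcp(0x10, ihl=6))]:
        print(f"{label:22s} -> {classify(pkt)}")
```

A bare ACK or SYN-ACK lands in 1:10, while an ACK carrying 1000 bytes of data fails the length key and a packet with IP options fails the IHL key, so both fall through to the default class.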