Ingress question with sub classes

Linux Advanced Routing and Traffic Control

Hi,

I wanted to configure the following :

1. VPN + some other special connections (TCP 82,8282,23,22 and ICMP) to have priority over the rest
2. special upstream for our updating system on port 4000
3. within the VPN tunnels Citrix traffic (TCP 1494, 2598) + ICMP has priority


I need this for both incoming and outgoing traffic, as it is the bandwidth management config on a central system from which 5 VPN tunnels are configured to small offices, and for which mail, surf, ... traffic also exists.

I started from a working config file implementing 1. and 2.

As I understood it, it is possible to make a distinction within a class for different subclasses, thus allowing me to implement 3. Therefore I added the lines with '===>>'.

I clearly did something wrong because it doesn't compile :( Can anyone explain to me how to implement 3.?


kind regards, Pieter


$intDev = "adsl0";

// in bps (bits per second)
$maxUpstream        = 2048000;
$maxDownstream        = 2048000;

// Internet device
dev $intDev {
   // outgoing traffic
   egress {
       /* classification */
       // very interactive
       class (<$group1>)
           //VPN Protocols
           if ip_proto == 50
           if ip_proto == 47

           // Known very interactive
           if tcp_dport == 23

           // Our interactive sessions
           if tcp_dport == 82
           if tcp_dport == 8282
           // for now, because the 'combined' stuff apparently no longer works
           // on kernel 2.4.24-axs-1
           if tcp_dport == 22 && ip_tos_delay == 1

           // ICMP
           if ip_proto == 1;

       // update server
       class (<$group2>)
           if tcp_sport == 4000;

       // default
       class (<$rest>)
           if 1;

/* Queueing */
htb ( ) {
/* rate is what they normally get, ceil is the maximum they can get when borrowing from the parent */
/* this is the surrounding class. limit the upstream here to something just below the
real limit. this is to avoid that the next device (maybe cable modem), will queue which will
result in having us no control ... */
class ( rate $maxUpstream bps, ceil $maxUpstream bps, quantum 1 sec) {
$group1 = class ( rate ($maxUpstream / 8 *3) bps, ceil ($maxUpstream / 4) bps ){
==========>> // special citrix applications
==========>> class (<$vpn_prior>)
==========>> if tcp_dport == 1494
==========>> if tcp_dport == 2598
==========>> if ip_proto == 1;
==========>> // default
==========>> class (<$rest>)
==========>> if 1;


==========>> /* Queueing */
==========>> htb ( ) {
==========>> $vpn_prior = class ( rate ($maxUpstream / 8 *3) bps, ceil ($maxUpstream / 4) bps );
==========>> $rest = class ( rate ($maxUpstream / 8) bps, ceil ($maxUpstream / 4) bps ) ;
==========>> }
==========>> }
$group2 = class ( rate ($maxUpstream / 2) bps, ceil ($maxUpstream / 8 * 7) bps ) ;
$rest = class ( rate ($maxUpstream / 8) bps, ceil ($maxUpstream / 4) bps ) ;
}
}
}


   // incoming traffic
   ingress {
       // speeds
       $veryhigh_cir    = $maxDownstream / 4;
       $veryhigh_pir    = $maxDownstream / 4 * 3;

       $low_cir        = $maxDownstream / 4;
       $low_pir        = $maxDownstream / 4;

// variables to make categories
$is_veryhigh = (tcp_sport == PORT_SSH && ip_tos_delay == 1) || (ip_proto == 50) || (ip_proto == 47);
$is_low = 1;



// Double Leaky Buckets
$is_veryhigh_pol = DLB(cir $veryhigh_cir bps,cbs 20kB,pir $veryhigh_pir bps,pbs 5kB) {
==========>> class (<$vpn_prior>)
==========>> if tcp_dport == 1494
==========>> if tcp_dport == 2598
==========>> if ip_proto == 1;
==========>> // default
==========>> class (<$rest>)
==========>> if 1;
==========>> prio {
==========>> $vpn_prior= class {}
==========>> $rest = class {}
==========>> ==========>> }
==========>> };
$is_low_pol = DLB(cir $low_cir bps,cbs 20kB,pir $low_pir bps,pbs 5kB);


       // do the policing
       class (<>)
           if $is_veryhigh && DLB_else_drop($is_veryhigh_pol);

       class (<>)
           if $is_low && DLB_else_drop($is_low_pol);

   }
}
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
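The hierarchy the post is after (a parent class for VPN/interactive traffic that is itself split into a Citrix-priority child and a rest child), written as plain tc/u32 commands. This is an added example, not the poster's tcng config or anything it compiles to; the device name, the rate splits and the helper names `run`, `tcflt` and `htb_plan` are assumptions for illustration.

```shell
#!/bin/sh
# Illustrative tc equivalent of the nested-class policy in the post above.
# Hierarchy: 1:1 (link) -> 1:10 group1 { 1:11 citrix, 1:12 rest }, 1:20 update server, 1:30 default.
# Rates are constructed for the example, not taken from the post.
set -e

run() {
    # DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root and iproute2).
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# tcflt DEV PARENT PRIO FLOWID MATCH... : u32 filter attached to the qdisc or to an inner HTB class
tcflt() {
    dev=$1; parent=$2; prio=$3; flowid=$4; shift 4
    run tc filter add dev "$dev" parent "$parent" protocol ip prio "$prio" u32 "$@" flowid "$flowid"
}

htb_plan() {
    dev=$1; up=$2   # upstream in kbit
    run tc qdisc add dev "$dev" root handle 1: htb default 30
    run tc class add dev "$dev" parent 1:   classid 1:1  htb rate "${up}kbit" ceil "${up}kbit"
    run tc class add dev "$dev" parent 1:1  classid 1:10 htb rate $((up*3/8))kbit ceil $((up*3/4))kbit
    run tc class add dev "$dev" parent 1:10 classid 1:11 htb rate $((up/4))kbit   ceil $((up*3/4))kbit
    run tc class add dev "$dev" parent 1:10 classid 1:12 htb rate $((up/8))kbit   ceil $((up*3/4))kbit
    run tc class add dev "$dev" parent 1:1  classid 1:20 htb rate $((up/2))kbit   ceil $((up*7/8))kbit
    run tc class add dev "$dev" parent 1:1  classid 1:30 htb rate $((up/8))kbit   ceil $((up/4))kbit
    # Level 1: filters on the root qdisc pick the group (VPN/interactive vs. update server).
    for p in 50 47 1; do tcflt "$dev" 1: 1 1:10 match ip protocol "$p" 0xff; done
    for d in 23 82 8282 22; do tcflt "$dev" 1: 1 1:10 match ip protocol 6 0xff match ip dport "$d" 0xffff; done
    tcflt "$dev" 1: 2 1:20 match ip protocol 6 0xff match ip sport 4000 0xffff
    # Level 2: filters attached to the inner class 1:10 split its traffic further.
    # HTB consults the filter list of each inner class it lands on; if nothing matches
    # there the packet falls to the qdisc default (1:30), not to a child of 1:10,
    # so the low-priority catch-all on 1:10 is required for the "rest" child to see traffic.
    for d in 1494 2598; do tcflt "$dev" 1:10 1 1:11 match ip protocol 6 0xff match ip dport "$d" 0xffff; done
    tcflt "$dev" 1:10 1 1:11 match ip protocol 1 0xff
    tcflt "$dev" 1:10 9 1:12 match u32 0 0
}

if [ "${1:-}" = show ]; then htb_plan adsl0 2048; fi
```

Note that u32's `ip sport`/`ip dport` selectors match at a fixed offset that assumes a 20-byte IP header, so packets carrying IP options and non-first fragments are not classified by port as intended; that caveat applies equally to the port-based tcng selectors in the post.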
