Re: do I need to iptables mark in this scenario?

Linux Advanced Routing and Traffic Control

On Wed 27 April 2005 16:36, Ron McKown wrote:
> Hello,
> really new to advanced linux routing, but I have managed to setup
> something that sort of works for my needs.
>
> I have a linux box with this configuration:
>
> Internet - eth0 - eth1 - many users
>
> I'm using a NAT to allow my users Internet access.
>
> On some users, I wish to shape their download speeds as to not overload
> our outside connection.
>
> Here is what I do to shape them at 64k down: (only two users shown in
> this example(but I have hundreds that will be shaped))
> SIXFOUR=64
> DEV=eth1
> # clean up qdiscs
> tc qdisc del dev $DEV root 2> /dev/null > /dev/null
> tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 50mbit
>
> # DELL
> tc class add dev $DEV parent 1: classid 1:1 cbq rate ${SIXFOUR}kbit allot 1500 prio 5 bounded isolated
> tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.0.199 flowid 1:1
> tc qdisc add dev $DEV parent 1:1 sfq perturb 10
>
> # TYR
> tc class add dev $DEV parent 1: classid 1:2 cbq rate ${SIXFOUR}kbit allot 1500 prio 5 bounded isolated
> tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.0.133 flowid 1:2
> tc qdisc add dev $DEV parent 1:2 sfq perturb 10
>
> each user gets their own section.
> This works great for downspeed only, but I also want to shape them at
> 64k up as well.  I can't shape them on eth0, because by the time their
> packets get to that interface, they've already been NAT'd to a different
> address.
>
> After lots of reading on the mailing list archive, it appears the best
> way to handle this is to mark packets from each user, then on eth0 have
> HTB or CBQ (really unsure which to use) shape each marked packet
> accordingly.  Currently, I'm matching by IP (u32?), so should I match by
> fwmark instead?
>
> Any help is really appreciated or even a sample script concept would
> make the operation more clear!
>
> Ron


http://lartc.org/howto/lartc.cookbook.ultimate-tc.html#AEN2241

tc qdisc add dev $DEV handle ffff: ingress
tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

This means you can limit bandwidth for incoming packets too.
I think you can shape your users' UL on eth1 with "ingress" without having
to mark packets...

Regards,

Sylvain



_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
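
The ingress suggestion above, extended to one policer per user, as an added example that is not part of the original thread: on eth1 ingress the packets still carry the users' private source addresses, so a u32 `match ip src` per host works without fwmark. The function names, the dry-run approach and the input validation are assumptions made for this sketch; `police ... drop` discards excess traffic rather than queueing it.

```shell
#!/bin/sh
# Added example (not from the thread): build per-user upload policers for the
# LAN-side interface. Prints tc commands (dry run); review, then pipe to sh as root.

# valid_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets (digits and dots only at this point)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_upload_police DEV RATE_KBIT IP...: print the ingress qdisc plus one
# police filter per user. Nothing is printed unless every argument validates,
# so a malformed entry in a list of hundreds of users cannot reach a root shell.
gen_upload_police() {
    [ "$#" -ge 3 ] || { echo "usage: gen_upload_police DEV RATE_KBIT IP..." >&2; return 1; }
    dev=$1; rate=$2; shift 2
    case "$dev" in ''|*[!A-Za-z0-9_.-]*) echo "bad device: $dev" >&2; return 1 ;; esac
    case "$rate" in ''|*[!0-9]*) echo "bad rate: $rate" >&2; return 1 ;; esac
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    echo "tc qdisc add dev $dev handle ffff: ingress"
    for ip in "$@"; do
        # Same filter shape as the cookbook line quoted above, narrowed to one host.
        echo "tc filter add dev $dev parent ffff: protocol ip prio 50 u32" \
             "match ip src $ip/32 police rate ${rate}kbit burst 10k drop flowid :1"
    done
}

# Constructed sample input: the two hosts from the original question, 64 kbit up.
gen_upload_police eth1 64 192.168.0.199 192.168.0.133
```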