Re: Classful queuing solution

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jonathan Gazeley wrote:
Dear all,

I am trying to set up multi-user traffic control. In short, I want each user (each IP) to be hard limited to 128kbit download and 64kbit upload. On top of that, I want interactive traffic (ICMP, ACK packets, SSH, etc) to be prioritised to minimise latency. It sounds like it ought to be done with a classful qdisc but I don't really know what I'm doing. I think I want something like the following:

root class (global limit 100mbit)
|
+ 192.168.0.1 class - limit 128kbit
|   + priority 0: SSH, ICMP, ACK, etc
|   + priority 1: all other traffic
|
+ 192.168.0.2 class - limit 128kbit
|   + etc

... and similarly for the uplink, but with a per-IP limit of 64kbit.

I'm not sure if it's good to have ~250 classes for the IP addresses, and sub classes within those for the different priorities, or if all the traffic should be rate-limited by IP first, and then sorted into a handful of shared classes, to be dequeued.

I am not sure how well htb will behave with 250 classes when they are all active - but I don't think the second option will work as if you rate limit first then you will have already delayed the interactive. Also you can't easily double queue traffic anyway.


I have taken advice from this list for the past couple of weeks and I have a semi functional script now. However the latency suddenly jumps to >4000ms as soon as the user starts downloading.

That sounds like your classification is failing to separate the traffic properly. What does the script look like.

 Also my script uses
police rate to limit upload speed - but this is not particularly effective and also not really required, as the box is able to shape traffic in both directions. It is also a NAT box.

Policing could be an option both ways - each user may see a bit of loss on interactive when downloading, but unless they have loads of bulk connections open there shouldn't be too much, and policing doesn't add latency.


Related, not but strictly to do with tc, is there any way of concisely and effectively logging connections between NATd users and external IPs? I need to be able to maintain a log which tells me that a certain user was connected to a certain remote host on a certain port at a certain time and date, for legal reasons.

Not sure really - would just dumping the conntrack table periodically be enough? maybe not as you could miss some I suppose.

You could try asking on the netfilter users list, there are libs/user space daemons that can log/process packets from netfilter, but I don't know the detail.

netfilter@xxxxxxxxxxxxxxxxxxx

Andy.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux