Jonathan Gazeley wrote:
> Dear all,
> I am trying to set up multi-user traffic control. In short, I want each
> user (each IP) to be hard limited to 128kbit download and 64kbit upload.
> On top of that, I want interactive traffic (ICMP, ACK packets, SSH, etc)
> to be prioritised to minimise latency. It sounds like it ought to be
> done with a classful qdisc but I don't really know what I'm doing. I
> think I want something like the following:
>
> root class (global limit 100mbit)
> |
> + 192.168.0.1 class - limit 128kbit
> | + priority 0: SSH, ICMP, ACK, etc
> | + priority 1: all other traffic
> |
> + 192.168.0.2 class - limit 128kbit
> | + etc
>
> ... and similarly for the uplink, but with a per-IP limit of 64kbit.
>
> I'm not sure if it's good to have ~250 classes for the IP addresses, and
> sub classes within those for the different priorities, or if all the
> traffic should be rate-limited by IP first, and then sorted into a
> handful of shared classes, to be dequeued.
I am not sure how well htb will behave with 250 classes when they are
all active - but I don't think the second option will work, as if you
rate limit first then you will have already delayed the interactive
traffic. Also you can't easily double queue traffic anyway.
> I have taken advice from this list for the past couple of weeks and I
> have a semi functional script now. However the latency suddenly jumps to
> >4000ms as soon as the user starts downloading.
That sounds like your classification is failing to separate the traffic
properly. What does the script look like?
> Also my script uses
> police rate to limit upload speed - but this is not particularly
> effective and also not really required, as the box is able to shape
> traffic in both directions. It is also a NAT box.
Policing could be an option both ways - each user may see a bit of loss
on interactive when downloading, but unless they have loads of bulk
connections open there shouldn't be too much, and policing doesn't add
latency.
> Related, but not strictly to do with tc, is there any way of concisely
> and effectively logging connections between NATd users and external IPs?
> I need to be able to maintain a log which tells me that a certain user
> was connected to a certain remote host on a certain port at a certain
> time and date, for legal reasons.
Not sure really - would just dumping the conntrack table periodically be
enough? Maybe not, as you could miss some, I suppose.
You could try asking on the netfilter users list, there are libs/user
space daemons that can log/process packets from netfilter, but I don't
know the detail.
netfilter@xxxxxxxxxxxxxxxxxxx
Andy.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
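The tree Jonathan sketches (root class, one HTB class per user IP, a prio 0 interactive leaf and a prio 1 bulk leaf under each), written out as an added shell example for the download direction; this is not a script from the thread, and the interface name, the IP list and the leaf rates are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the download-direction HTB tree Jonathan
# sketches (root 100mbit -> per-IP class capped at 128kbit -> prio 0 interactive
# leaf and prio 1 bulk leaf). DEV and IPS are placeholders for the real site.
# "sh htb-users.sh apply" (as root) installs it; any other invocation only
# prints the tc commands so the tree can be reviewed first.
DEV="${DEV:-eth1}"                     # LAN-facing NIC: its egress is user download
IPS="${IPS:-192.168.0.1 192.168.0.2}"  # one HTB class per user IP

tc() { if [ -n "$DRY_RUN" ]; then echo "tc $*"; else command tc "$@"; fi; }

build_tree() {
    i=0
    tc qdisc del dev "$DEV" root 2>/dev/null
    tc qdisc add dev "$DEV" root handle 1: htb default fff
    tc class add dev "$DEV" parent 1: classid 1:1 htb rate 100mbit
    tc class add dev "$DEV" parent 1:1 classid 1:fff htb rate 64kbit   # unknown IPs
    for ip in $IPS; do
        i=$((i + 1))
        user=$(printf '1:%x' $((0x100 + i)))         # per-IP class 1:101, 1:102, ...
        hi=$(printf '1:%x' $((0x1000 + 2 * i)))      # interactive leaf
        lo=$(printf '1:%x' $((0x1000 + 2 * i + 1)))  # bulk leaf
        tc class add dev "$DEV" parent 1:1 classid "$user" htb rate 128kbit ceil 128kbit
        tc class add dev "$DEV" parent "$user" classid "$hi" htb rate 32kbit ceil 128kbit prio 0
        tc class add dev "$DEV" parent "$user" classid "$lo" htb rate 96kbit ceil 128kbit prio 1
        tc qdisc add dev "$DEV" parent "$hi" sfq perturb 10
        tc qdisc add dev "$DEV" parent "$lo" sfq perturb 10
        # interactive for this IP: SSH, ICMP, and bare TCP ACKs (u32 ACK match
        # as in the LARTC HOWTO: IHL 5, total length < 64, TCP flags == ACK)
        tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
            match ip dst "$ip/32" match ip dport 22 0xffff flowid "$hi"
        tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
            match ip dst "$ip/32" match ip protocol 1 0xff flowid "$hi"
        tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
            match ip dst "$ip/32" match ip protocol 6 0xff match u8 0x05 0x0f at 0 \
            match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid "$hi"
        # everything else for this IP
        tc filter add dev "$DEV" parent 1: protocol ip prio 2 u32 \
            match ip dst "$ip/32" flowid "$lo"
    done
}

if [ "${1:-}" = apply ]; then build_tree; else DRY_RUN=1 build_tree; fi
```

For the upload side on a NAT box the same per-IP matching cannot be done with u32 on the WAN egress, because the users' source addresses have already been rewritten by SNAT there; classify with iptables fwmarks set in mangle before NAT and `tc filter ... fw` instead.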