Re: Question about how TC enforces bandwidth limiting

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Martin A. Brown wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings again,

: So you are saying I have to not only do traffic shaping, but also : traffic policing on my internal device? Or do I have to do : traffic shaping on both devices and no traffic policing? In other : words, how much traffic shaping/policing do I need to put into : effect, and on which interfaces.

Be careful. Shaping and policing are two very different things. I probably could have chosen a word other than "policy" to make this clear. I'll restate this.

If you wish to shape upload traffic, then you must put your traffic control structures on the the device closest to the Internet. If you wish to shape download traffic, then you must put your traffic control structures on the device closest to the internal network(s). ( If you would like to see how you can break this basic rule, see some advanced traffic control structures called imq and ifb [*]. )
No need for advanced traffic controls for me. All I want to do is control how much band width gets out to the internet. Internally it doesn't matter as its all CAT5, so there is plenty of data pipe.
: I have no idea what that means. How do I vary the depth of the : FIFO to help control latency?

OK, in order to vary the exact depth of the fifo to suit your fancy, you'd need to use terminal FIFOs instead of using terminal SFQs:

  tc qdisc add dev $INTERFACE parent 10:1 handle 100:0 pfifo limit 10

Assuming your HTB tree has a leaf class of 10:1, into which you have classified some of your traffic, you now have a very short queue there. If a burst of traffic involving more than ten packets arrives, the traffic will tail drop. In heavily congested situations, this can be useful, although this still allows for a single dominating UDP flow, so I'd probably prefer the SFQ solution, and maybe I shouldn't have brought up this little trick.
I think I'll stick to htb...
: I ran both watch -n 1 tc -s class show dev eth0 and watch -n 1 tc : -s qdisc show eth0. (When I ran class show, i did not have enough : room to see classes 80 and 90. When I ran qdisc show, I was able : to see all the classes.) During my runs of tc in this manner, I : saw zero traffic going to class 100 when running, starting, or : stopping bit torrent.

If you expect that the torrential traffic to appear in class 100, and it does not, then you have done something wrong in your classifier. Look there.
By classifier I think you mean:
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 10000:10000 -j CLASSIFY --set-class 1:100

And having looked at that, I see part of my problem. --dport should be --sport as I have no way to control what port the other client wishes to use, but I do have control over what ports I use to send my data stream.
: Almost all the traffic was going to class 10 and 90 (default) : with the exception of my ICMP and UDP traffic which was going to : class 70 and class 60 which I have set aside for IRC traffic. : Class 100 saw absolutely zero traffic. : : Is this a case where the default class (90) is getting all the : traffic because it can handle it as my LAN has very little : "other" traffic most of the time to deal with, so there is no : need to throttle it back? If so, how can I force a particular : class to be used regardless of the default, so that I can control : individual apps by them selves?

Try looking at your classifiers ("tc filter" statements) to determine where the problem is. If you can't figure it out, then send the list your classifiers and class structure (tc commands).
I ran "tc filter" on the command line, but received no output in return. I read the man page and it leads me to believe that it's not meant for viewing the filters. I also did some packet sniffing on my router PC. I am not 100% sure why yet, but, when I would filter out port 10000-10004, wireshark would return packets that had source ports other than the range I was looking for. While I cannot be sure as of yet, I think this is a result of the NAT process and the router box is using whatever port it has available while allowing my bit torrent client to send on the proper ports. (I am still learning about NAT, so I'm still confused about some things. To be honest, I would like to be able to NAT not only IPs, but ports as well so that I do not have to reconfigure things like SSH to run on non-standard ports. But thats for another mailing list. :P) One thing I did notice was, while I did see traffic in class 100 for the first time, my torrent client still showed outgoing bandwidth of more than 20kbit. Is this simply a function of the router actually limiting the traffic and the torrent client simply not knowing? Or (and I assume this is incorrect thinking) should the torrent client visibly indicate to me that
it can only send at X rate because its limited?

To make this much simpler, I will paste my tc rules and iptables rules (which classify my traffic) at the bottom of this e-mail. I hope you can find something (related specifically to bit torrent) that will allow me to limit torrent traffic without the need
to limit each client by hand.
I'd skip playing with terminal FIFOs at first (if ever). Try working on the following:

  * switch the units to kbit
  * fix the classifiers and verify that you are seeing all traffic
    in the class you want to see the traffic in
* turn the torrent client up to "insane" and watch how your IRC or ssh latency is very low
Already done the switch to kbit. Started seeing traffic in class 100 by changing my iptables rules. Set the torrent client to unlimited outgoing bandwidth and as usual things like SSH slowed down on sending (which is a bit perplexing). As soon as I set the torrent client back down to a 20kbit limit (in the client), SSH response came back to normal. As you can see below, this is probably because I have bulk SSH traffic set in the default class (90) which should allow SSH to use 2kbit to 360kbit of bandwidth. So I am at a total loss as to why (outgoing) SSH traffic would become so slow, because it has
access to more bandwidth than torrent (at least in my thinking).
Good luck,

- -Martin

 [*] IMQ, intermediate queuing device
     http://www.linuximq.net/
     IFB, intermediate functional block
     http://linux-net.osdl.org/index.php/IFB

- -- Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD4DBQFG3L5sHEoZD1iZ+YcRAso6AJjnbMjcso8t4+GugFC6eHQOyqJQAJ9kpWbZ
sOS369AbZkPQ9rg3rhiawg==
=gvDh
-----END PGP SIGNATURE-----

Thanks again for all your help. Maybe you will be able to help me learn this and figure out what I've
been doing wrong. :)

Vadtec

--------------------------------------------------------------------------------------------------------

$IFext is of course eth0 (link to the modem)

# 360kbit traffic (1:10)
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --syn -m length --length 40:68 -j CLASSIFY --set-class 1:10 iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j CLASSIFY --set-class 1:10 iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j CLASSIFY --set-class 1:10 iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL RST -j CLASSIFY --set-class 1:10 iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL ACK,RST -j CLASSIFY --set-class 1:10 iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL ACK,FIN -j CLASSIFY --set-class 1:10

# 256kbit traffic (1:20)
# interactive SSH traffic
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 10022 -m length --length 40:100 -j CLASSIFY --set-class 1:20 iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 10022 -m length --length 40:100 -j CLASSIFY --set-class 1:20

# 128kbit traffic (1:30)
# interactive mail or web traffic
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp -m multiport --sport http,imap,https,imaps -j CLASSIFY --set-class 1:30
# dns lookups
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport domain -j CLASSIFY --set-class 1:30
# team speak
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 8767 -j CLASSIFY --set-class 1:30


# 64kbit traffic (1:40)

# 32kbit traffic (1:50)
# SSH
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 10022 -m length --length 101: -j CLASSIFY --set-class 1:50

# NFS
#iptables -t mangle -A POSTROUTING -o ${IFext} -p udp --sport 2049 -j CLASSIFY --set-class 1:50 #iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 2049 -j CLASSIFY --set-class 1:50

# 20kbit traffic (1:60)
# default irc traffic
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 6660:6669 -j CLASSIFY --set-class 1:60 iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 6999 -j CLASSIFY --set-class 1:60 iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 7000 -j CLASSIFY --set-class 1:60

# 16kbit traffic (1:70)
# ICMP, UDP
iptables -t mangle -A POSTROUTING -o ${IFext} -p udp -j CLASSIFY --set-class 1:70 iptables -t mangle -A POSTROUTING -o ${IFext} -p icmp -m length --length 28:1500 -m limit --limit 2/s --limit-burst 5 -j CLASSIFY -$

# 8kbit traffic (1:80)

# 2kbit traffic (1:90)
# bulk traffic
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 25 -j CLASSIFY --set-class 1:90 iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 10000:10004 -j CLASSIFY --set-class 1:100 <=== this is the bit torrent classifier

--------------------------------------------------------------------------------------------------------

$IFext is of course eth0 (link to the modem), $QUANTUM is 1490 (due to, if I assume correctly, my MTU
being 1492, in the modem), $MAX_RATE is 360kbit (360kbps conventional talk)

   $TC qdisc add dev $IFext root handle 1: htb default 90
$TC class add dev $IFext parent 1: classid 1:1 htb rate $MAX_RATE quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:10 htb rate 240kbit ceil $MAX_RATE prio 0 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:20 htb rate 192kbit ceil $MAX_RATE prio 1 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:30 htb rate 80kbit ceil $MAX_RATE prio 2 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:40 htb rate 64kbit ceil $MAX_RATE prio 3 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:50 htb rate 32kbit ceil $MAX_RATE prio 4 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:60 htb rate 20kbit ceil $MAX_RATE prio 5 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:70 htb rate 16kbit ceil $MAX_RATE prio 6 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:80 htb rate 8kbit ceil $MAX_RATE prio 7 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:90 htb rate 2kbit ceil $MAX_RATE prio 8 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:100 htb rate 2kbit ceil 20kbit prio 9 quantum $QUANTUM
   $TC qdisc add dev $IFext parent 1:10 handle 10: sfq perturb 10
   $TC qdisc add dev $IFext parent 1:20 handle 20: sfq perturb 10
   $TC qdisc add dev $IFext parent 1:30 handle 30: sfq perturb 10
   $TC qdisc add dev $IFext parent 1:40 handle 40: sfq perturb 10
   $TC qdisc add dev $IFext parent 1:50 handle 50: sfq perturb 10
   $TC qdisc add dev $IFext parent 1:60 handle 60: sfq perturb 10
   $TC qdisc add dev $IFext parent 1:70 handle 70: sfq perturb 10
   $TC qdisc add dev $IFext parent 1:80 handle 80: sfq perturb 10
   $TC qdisc add dev $IFext parent 1:90 handle 90: sfq perturb 10
   $TC qdisc add dev $IFext parent 1:100 handle 100: sfq perturb 10
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux