Martin A. Brown wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings again,
: So you are saying I have to not only do traffic shaping, but also
: traffic policing on my internal device? Or do I have to do
: traffic shaping on both devices and no traffic policing? In other
: words, how much traffic shaping/policing do I need to put into
: effect, and on which interfaces.
Be careful. Shaping and policing are two very different things. I
probably could have chosen a word other than "policy" to make this
clear. I'll restate this.
If you wish to shape upload traffic, then you must put your traffic
control structures on the the device closest to the Internet. If
you wish to shape download traffic, then you must put your traffic
control structures on the device closest to the internal network(s).
( If you would like to see how you can break this basic rule, see
some advanced traffic control structures called imq and ifb [*]. )
No need for advanced traffic controls for me. All I want to do is
control how much band width
gets out to the internet. Internally it doesn't matter as its all CAT5,
so there is plenty of data pipe.
: I have no idea what that means. How do I vary the depth of the
: FIFO to help control latency?
OK, in order to vary the exact depth of the fifo to suit your fancy,
you'd need to use terminal FIFOs instead of using terminal SFQs:
tc qdisc add dev $INTERFACE parent 10:1 handle 100:0 pfifo limit 10
Assuming your HTB tree has a leaf class of 10:1, into which you have
classified some of your traffic, you now have a very short queue
there. If a burst of traffic involving more than ten packets
arrives, the traffic will tail drop. In heavily congested
situations, this can be useful, although this still allows for a
single dominating UDP flow, so I'd probably prefer the SFQ solution,
and maybe I shouldn't have brought up this little trick.
I think I'll stick to htb...
: I ran both watch -n 1 tc -s class show dev eth0 and watch -n 1 tc
: -s qdisc show eth0. (When I ran class show, i did not have enough
: room to see classes 80 and 90. When I ran qdisc show, I was able
: to see all the classes.) During my runs of tc in this manner, I
: saw zero traffic going to class 100 when running, starting, or
: stopping bit torrent.
If you expect that the torrential traffic to appear in class 100,
and it does not, then you have done something wrong in your
classifier. Look there.
By classifier I think you mean:
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 10000:10000
-j CLASSIFY --set-class 1:100
And having looked at that, I see part of my problem. --dport should be
--sport as I have no way to control what port
the other client wishes to use, but I do have control over what ports I
use to send my data stream.
: Almost all the traffic was going to class 10 and 90 (default)
: with the exception of my ICMP and UDP traffic which was going to
: class 70 and class 60 which I have set aside for IRC traffic.
: Class 100 saw absolutely zero traffic.
:
: Is this a case where the default class (90) is getting all the
: traffic because it can handle it as my LAN has very little
: "other" traffic most of the time to deal with, so there is no
: need to throttle it back? If so, how can I force a particular
: class to be used regardless of the default, so that I can control
: individual apps by them selves?
Try looking at your classifiers ("tc filter" statements) to
determine where the problem is. If you can't figure it out, then
send the list your classifiers and class structure (tc commands).
I ran "tc filter" on the command line, but received no output in return.
I read the man page and it leads me to believe
that it's not meant for viewing the filters. I also did some packet
sniffing on my router PC. I am not 100% sure why yet,
but, when I would filter out port 10000-10004, wireshark would return
packets that had source ports other than the
range I was looking for. While I cannot be sure as of yet, I think this
is a result of the NAT process and the router box
is using whatever port it has available while allowing my bit torrent
client to send on the proper ports. (I am still learning
about NAT, so I'm still confused about some things. To be honest, I
would like to be able to NAT not only IPs, but
ports as well so that I do not have to reconfigure things like SSH to
run on non-standard ports. But thats for another
mailing list. :P) One thing I did notice was, while I did see traffic in
class 100 for the first time, my torrent client still showed
outgoing bandwidth of more than 20kbit. Is this simply a function of the
router actually limiting the traffic and the torrent
client simply not knowing? Or (and I assume this is incorrect thinking)
should the torrent client visibly indicate to me that
it can only send at X rate because its limited?
To make this much simpler, I will paste my tc rules and iptables rules
(which classify my traffic) at the bottom of this e-mail.
I hope you can find something (related specifically to bit torrent) that
will allow me to limit torrent traffic without the need
to limit each client by hand.
I'd skip playing with terminal FIFOs at first (if ever). Try
working on the following:
* switch the units to kbit
* fix the classifiers and verify that you are seeing all traffic
in the class you want to see the traffic in
* turn the torrent client up to "insane" and watch how your IRC or
ssh latency is very low
Already done the switch to kbit. Started seeing traffic in class 100 by
changing my iptables rules. Set the torrent client to
unlimited outgoing bandwidth and as usual things like SSH slowed down on
sending (which is a bit perplexing). As soon
as I set the torrent client back down to a 20kbit limit (in the client),
SSH response came back to normal. As you can see
below, this is probably because I have bulk SSH traffic set in the
default class (90) which should allow SSH to use 2kbit
to 360kbit of bandwidth. So I am at a total loss as to why (outgoing)
SSH traffic would become so slow, because it has
access to more bandwidth than torrent (at least in my thinking).
Good luck,
- -Martin
[*] IMQ, intermediate queuing device
http://www.linuximq.net/
IFB, intermediate functional block
http://linux-net.osdl.org/index.php/IFB
- --
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)
iD4DBQFG3L5sHEoZD1iZ+YcRAso6AJjnbMjcso8t4+GugFC6eHQOyqJQAJ9kpWbZ
sOS369AbZkPQ9rg3rhiawg==
=gvDh
-----END PGP SIGNATURE-----
Thanks again for all your help. Maybe you will be able to help me learn
this and figure out what I've
been doing wrong. :)
Vadtec
--------------------------------------------------------------------------------------------------------
$IFext is of course eth0 (link to the modem)
# 360kbit traffic (1:10)
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --syn -m length
--length 40:68 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL
SYN,ACK -m length --length 40:68 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL ACK
-m length --length 40:100 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL RST
-j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL
ACK,RST -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL
ACK,FIN -j CLASSIFY --set-class 1:10
# 256kbit traffic (1:20)
# interactive SSH traffic
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 10022 -m
length --length 40:100 -j CLASSIFY --set-class 1:20
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 10022 -m
length --length 40:100 -j CLASSIFY --set-class 1:20
# 128kbit traffic (1:30)
# interactive mail or web traffic
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp -m multiport
--sport http,imap,https,imaps -j CLASSIFY --set-class 1:30
# dns lookups
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport domain -j
CLASSIFY --set-class 1:30
# team speak
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 8767 -j
CLASSIFY --set-class 1:30
# 64kbit traffic (1:40)
# 32kbit traffic (1:50)
# SSH
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 10022 -m
length --length 101: -j CLASSIFY --set-class 1:50
# NFS
#iptables -t mangle -A POSTROUTING -o ${IFext} -p udp --sport 2049 -j
CLASSIFY --set-class 1:50
#iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 2049 -j
CLASSIFY --set-class 1:50
# 20kbit traffic (1:60)
# default irc traffic
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 6660:6669
-j CLASSIFY --set-class 1:60
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 6999 -j
CLASSIFY --set-class 1:60
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 7000 -j
CLASSIFY --set-class 1:60
# 16kbit traffic (1:70)
# ICMP, UDP
iptables -t mangle -A POSTROUTING -o ${IFext} -p udp -j CLASSIFY
--set-class 1:70
iptables -t mangle -A POSTROUTING -o ${IFext} -p icmp -m length --length
28:1500 -m limit --limit 2/s --limit-burst 5 -j CLASSIFY -$
# 8kbit traffic (1:80)
# 2kbit traffic (1:90)
# bulk traffic
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 25 -j
CLASSIFY --set-class 1:90
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 10000:10004
-j CLASSIFY --set-class 1:100 <=== this is the bit torrent classifier
--------------------------------------------------------------------------------------------------------
$IFext is of course eth0 (link to the modem), $QUANTUM is 1490 (due to,
if I assume correctly, my MTU
being 1492, in the modem), $MAX_RATE is 360kbit (360kbps conventional talk)
$TC qdisc add dev $IFext root handle 1: htb default 90
$TC class add dev $IFext parent 1: classid 1:1 htb rate $MAX_RATE
quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:10 htb rate 240kbit
ceil $MAX_RATE prio 0 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:20 htb rate 192kbit
ceil $MAX_RATE prio 1 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:30 htb rate 80kbit
ceil $MAX_RATE prio 2 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:40 htb rate 64kbit
ceil $MAX_RATE prio 3 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:50 htb rate 32kbit
ceil $MAX_RATE prio 4 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:60 htb rate 20kbit
ceil $MAX_RATE prio 5 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:70 htb rate 16kbit
ceil $MAX_RATE prio 6 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:80 htb rate 8kbit ceil
$MAX_RATE prio 7 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:90 htb rate 2kbit ceil
$MAX_RATE prio 8 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:100 htb rate 2kbit
ceil 20kbit prio 9 quantum $QUANTUM
$TC qdisc add dev $IFext parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev $IFext parent 1:20 handle 20: sfq perturb 10
$TC qdisc add dev $IFext parent 1:30 handle 30: sfq perturb 10
$TC qdisc add dev $IFext parent 1:40 handle 40: sfq perturb 10
$TC qdisc add dev $IFext parent 1:50 handle 50: sfq perturb 10
$TC qdisc add dev $IFext parent 1:60 handle 60: sfq perturb 10
$TC qdisc add dev $IFext parent 1:70 handle 70: sfq perturb 10
$TC qdisc add dev $IFext parent 1:80 handle 80: sfq perturb 10
$TC qdisc add dev $IFext parent 1:90 handle 90: sfq perturb 10
$TC qdisc add dev $IFext parent 1:100 handle 100: sfq perturb 10
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
