Re: SFQ + throttling to specific hosts

Linux Advanced Routing and Traffic Control


On 30/07/2014 00:10, Roy Kidder wrote:
I'm guessing this question has already been asked and answered, but I've searched and couldn't find an example for what I'm trying to do.

My Linux firewall has eth0 on the outside, eth1 on the inside. I would like to throttle two IPs on my internal network to a predetermined bandwidth (say 80K) while using SFQ for everything else. I have the SFQ part working with the following:

  tc qdisc del dev eth1 root
  tc qdisc add dev eth1 root handle 1: htb default 10
  tc class add dev eth1 parent 1: classid 1:1 htb rate $UPRATE
  tc class add dev eth1 parent 1:1 classid 1:10 htb rate $UPRATE ceil $UPRATE mtu 1500
  tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10

But I'm not quite sure how to go about rate limiting the two IPs in question. From what I've read, CBQ is what I'd use, but can I use that along with SFQ? If so, how?

I use this :

# Remove any existing qdisc on eth1
tc qdisc del dev eth1 root
# HTB
tc qdisc add dev eth1 root handle 1:0 htb default 0
# Define max line speed (the maximum speed that the network card is capable of)
# Note: in tc, "kbps" means kilobytes per second; use "kbit" for kilobits per second
tc class add dev eth1 parent 1:0 classid 1:1 htb rate 1000kbps ceil 1000kbps prio 0
# Define limits (one class per throttled host, rate = ceil so it can never borrow)
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 80kbps ceil 80kbps prio 0
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 80kbps ceil 80kbps prio 0
# SFQ
tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 1:11 handle 11: sfq perturb 10


# You must then redirect the traffic to limit it, you have 2 choices :
# * using a simple "tc" filter and manage redirection with "iptables"
# * or only use "tc"
# using both at the same time may have unexpected behaviour

## 1) Filter traffic using IPTABLES ##
# Filter with FW MARK
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 1080 fw flowid 1:10
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 1180 fw flowid 1:11
# Use iptables' power to match IP/Port Source/Destination, etc.
iptables -t mangle -I FORWARD -d 192.168.0.24 -o eth1 -j MARK --set-mark 1080
iptables -t mangle -I FORWARD -d 192.168.0.35 -o eth1 -j MARK --set-mark 1180
# With table FORWARD you match only traffic coming from Internet, not coming out from the firewall.
# If your firewall is also a proxy, then traffic is seen as outgoing, not forwarded
# (because the client computer is not connected to Internet but to squid on the firewall).

## 2) Filter traffic using TC ##
# Egress on eth1 carries traffic going *to* the LAN hosts, so match the destination address
# (same direction as the iptables -d rules above); each host gets its own class
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip dst 192.168.0.24 flowid 1:10
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip dst 192.168.0.35 flowid 1:11



Hope this helps.


--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
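The setup the reply above describes, put together as one script. This is an added example, not code from the thread: it builds the HTB root, an SFQ default class for everyone, one HTB class (rate = ceil) per throttled host with its own SFQ, and steers traffic with either u32 filters (option 2) or fw-mark filters plus iptables MARK rules (option 1). The interface name, the rates, the host addresses and the SHAPE_LAN chain name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds the tree the reply
# describes on the LAN-facing interface and steers the throttled hosts with
# either u32 filters (MODE=u32) or fw marks set by iptables (MODE=fw).
# Interface, rates, host addresses and the SHAPE_LAN chain are assumptions.
#
# Unit caveat: in tc, "kbps" is kilobytes/s and "kbit" is kilobits/s, so the
# rates are passed explicitly (e.g. 640kbit) instead of an ambiguous "80K".
#
# Needs root to apply. With TC=echo IPT=echo it only prints the commands.

TC="${TC:-tc}"
IPT="${IPT:-iptables}"

# shape_lan MODE DEV LINKRATE HOSTRATE HOST...
#   MODE is "u32" (tc only) or "fw" (iptables marks). Use one, not both.
shape_lan() {
    mode="$1"; dev="$2"; linkrate="$3"; hostrate="$4"; shift 4
    case "$mode" in u32|fw) ;; *) echo "mode must be u32 or fw" >&2; return 2 ;; esac
    [ "$#" -gt 0 ] || { echo "usage: shape_lan MODE DEV LINKRATE HOSTRATE HOST..." >&2; return 2; }

    # Clean slate; "del root" fails harmlessly when nothing is attached yet.
    $TC qdisc del dev "$dev" root 2>/dev/null || true

    # Unclassified traffic lands in 1:10 (htb default 10), which runs SFQ.
    $TC qdisc add dev "$dev" root handle 1: htb default 10
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "$linkrate" ceil "$linkrate"
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "$linkrate" ceil "$linkrate"
    $TC qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10

    if [ "$mode" = fw ]; then
        # Own mangle chain so re-running the script does not stack duplicate rules.
        # FORWARD covers traffic routed in from the Internet; OUTPUT covers traffic
        # the firewall itself sends to the LAN (the proxy case noted in the reply).
        $IPT -t mangle -N SHAPE_LAN 2>/dev/null || true
        $IPT -t mangle -F SHAPE_LAN
        for chain in FORWARD OUTPUT; do
            $IPT -t mangle -D "$chain" -o "$dev" -j SHAPE_LAN 2>/dev/null || true
            $IPT -t mangle -A "$chain" -o "$dev" -j SHAPE_LAN
        done
    fi

    n=0
    for host in "$@"; do
        n=$((n + 1))
        minor=$((20 + n))   # classes 1:21, 1:22, ...; the same number doubles as the fw mark
        $TC class add dev "$dev" parent 1:1 classid "1:$minor" htb rate "$hostrate" ceil "$hostrate"
        $TC qdisc add dev "$dev" parent "1:$minor" handle "$minor:" sfq perturb 10
        if [ "$mode" = u32 ]; then
            # Egress on the LAN side: the throttled host is the packet's destination.
            $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip dst "$host/32" flowid "1:$minor"
        else
            $TC filter add dev "$dev" parent 1: protocol ip prio 1 handle "$minor" fw flowid "1:$minor"
            $IPT -t mangle -A SHAPE_LAN -d "$host" -j MARK --set-mark "$minor"
        fi
    done
}

# Per-class byte/packet counters: the quickest way to see whether the filters match.
show_lan() { $TC -s class show dev "$1"; }

# Example: throttle two hosts to 640 kbit/s on a 10 Mbit/s LAN link, tc-only steering.
# shape_lan u32 eth1 10mbit 640kbit 192.168.0.24 192.168.0.35
```

After applying it, `show_lan eth1` should show the counters of 1:21 and 1:22 growing only for traffic towards the two hosts and everything else in 1:10; if a throttled class stays at zero, the filter direction (destination, not source, on the LAN-side egress) is the first thing to check.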



