On 30/07/2014 00:10, Roy Kidder wrote:
I'm guessing this question has already been asked and answered, but
I've searched and couldn't find an example for what I'm trying to do.
My Linux firewall has eth0 on the outside, eth1 on the inside. I would
like to throttle two IPs on my internal network to a predetermined
bandwidth (say 80K) while using SFQ for everything else. I have the
SFQ part working with the following:
tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1: htb default 10
tc class add dev eth1 parent 1: classid 1:1 htb rate $UPRATE
tc class add dev eth1 parent 1:1 classid 1:10 htb rate $UPRATE ceil $UPRATE mtu 1500
tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
But I'm not quite sure how to go about rate limiting the two IPs in
question. From what I've read, CBQ is what I'd use, but can I use that
along with SFQ? If so, how?
I use this:

# Remove any existing qdisc on eth1
tc qdisc del dev eth1 root

# HTB ("default 0": traffic matched by no filter bypasses the classes below)
tc qdisc add dev eth1 root handle 1:0 htb default 0

# Define max line speed (the maximum speed that the network card is capable of)
# Note: in tc, "kbps" means kilobytes per second; use "kbit" for kilobits per second
tc class add dev eth1 parent 1:0 classid 1:1 htb rate 1000kbps ceil 1000kbps prio 0

# Define limits (rate equals ceil, so a limited class can never borrow more)
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 80kbps ceil 80kbps prio 0
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 80kbps ceil 80kbps prio 0

# SFQ leaf on each limited class (fair sharing between that host's own flows)
tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 1:11 handle 11: sfq perturb 10

# You must then redirect the traffic to limit it; you have 2 choices:
# * use a simple "tc" filter and manage redirection with "iptables"
# * or use only "tc"
# Using both at the same time may have unexpected behaviour.

## 1) Filter traffic using IPTABLES ##
# Filter on the FW MARK set by iptables
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 1080 fw flowid 1:10
tc filter add dev eth1 parent 1:0 prio 0 protocol ip handle 1180 fw flowid 1:11
# Use iptables' power to match IP/port, source/destination, etc.
# (on eth1 egress the internal host is the destination, hence -d)
iptables -t mangle -I FORWARD -d 192.168.0.24 -o eth1 -j MARK --set-mark 1080
iptables -t mangle -I FORWARD -d 192.168.0.35 -o eth1 -j MARK --set-mark 1180
# With the FORWARD chain you match only traffic coming from the Internet, not
# traffic coming out of the firewall itself.
# If your firewall is also a proxy, then traffic is seen as outgoing, not
# forwarded (because the client computer is not connected to the Internet but
# to squid on the firewall).

## 2) Filter traffic using TC ##
# Same match as the iptables rules above: the host's address is the
# destination on eth1 egress, and each host goes to its own class
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip dst 192.168.0.24 flowid 1:10
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip dst 192.168.0.35 flowid 1:11
Hope this helps.
--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
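The layout in the reply above (one HTB root, a parent class at the line rate, one rate-limited HTB class with an SFQ leaf per host, and exactly one classification method) generalizes to any number of hosts. The script below is an added example, not code from either poster: it builds the whole shaper for a list of "ip:rate" pairs, lets you pick u32 (pure tc) or fw (iptables marks) classification, and with DRY_RUN=1 prints the tc/iptables commands instead of running them, since the real commands need root and a real interface. The interface name eth1, the 1000kbps parent rate, the class/mark numbering and the use of the mangle POSTROUTING chain are this example's own choices, not something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the original post): HTB + SFQ per-host shaper
# generator. Assumptions (hypothetical): DEV is the inside interface, the
# parent class runs at LINE_RATE, host limits are given as "ip:rate".
# Remember that tc's "kbps" is kilobytes/s; "kbit" is kilobits/s.
set -eu

# run CMD...: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_shaper METHOD DEV LINE_RATE ip:rate [ip:rate ...]
#   METHOD is "u32" (classify in tc) or "fw" (classify on iptables marks).
#   Host N gets class 1:1N with SFQ handle 1N:, and mark 100N for "fw".
build_shaper() {
    method=$1 dev=$2 line_rate=$3
    shift 3

    # Start from a clean slate; "del" fails harmlessly if nothing is installed.
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    # default 0: traffic matching no filter bypasses the HTB classes entirely
    run tc qdisc add dev "$dev" root handle 1:0 htb default 0
    run tc class add dev "$dev" parent 1:0 classid 1:1 htb rate "$line_rate" ceil "$line_rate"

    n=0
    for pair in "$@"; do
        ip=${pair%%:*}
        rate=${pair#*:}
        n=$((n + 1))
        cls="1:$((10 + n))"
        mark=$((1000 + n))

        # rate == ceil: the host can never borrow beyond its limit
        run tc class add dev "$dev" parent 1:1 classid "$cls" htb rate "$rate" ceil "$rate"
        # SFQ leaf: fair sharing between the host's own flows
        run tc qdisc add dev "$dev" parent "$cls" handle "$((10 + n)):" sfq perturb 10

        case $method in
        u32)
            # On the inside interface's egress the host address is the destination.
            run tc filter add dev "$dev" parent 1:0 prio 1 protocol ip u32 match ip dst "$ip" flowid "$cls"
            ;;
        fw)
            run tc filter add dev "$dev" parent 1:0 prio 1 protocol ip handle "$mark" fw flowid "$cls"
            # mangle POSTROUTING sees both forwarded packets and packets the
            # firewall generates itself (e.g. a local proxy), unlike FORWARD.
            run iptables -t mangle -A POSTROUTING -o "$dev" -d "$ip" -j MARK --set-mark "$mark"
            ;;
        *)
            echo "unknown method: $method (use u32 or fw)" >&2
            return 1
            ;;
        esac
    done
}

# The thread's case, two hosts at 80 kilobytes/s each, printed rather than applied.
DRY_RUN=1 build_shaper u32 eth1 1000kbps 192.168.0.24:80kbps 192.168.0.35:80kbps
```

Run it once with DRY_RUN=1 to review the generated commands, then as root without DRY_RUN to apply them; `tc -s class show dev eth1` afterwards shows per-class byte counters, which is the quickest way to confirm that a host's traffic is actually landing in its class and not falling through to the default. Keep to one classification method per interface, as the reply warns.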