On 2/16/21 6:42 PM, Dave Taht wrote:
> Me being me, I'd just turn on fq_codel as the qdisc, and anything
> interactive, not just ssh, would be automatically prioritized, no need
> for any further classification usually.
How would that be done? I've been picking away at the problem over
time. Below is the current state of my attempt at it.
> Or, if you want something that respects dscp markings, try cake, which
> is basically a one liner on the up and 4 on the down. I don't think
> you have a working tc mired line for shaping inbound above.
>
> To achieve basically everything you did above, if you have sch_cake (openwrt and
> linux 4.19 and after)
>
> tc qdisc add dev eth0 root cake bandwidth 800kbit ack-filter
> {docsis/dsl/ethernet)
>
> (cake also supports the connmark facility)
>
>
> I too am very interested in seeing ipfs perform well, and would be
> very interested in your results. However at 800kbit, oy... and you
> really need to shape inbound too.
The 800kbit cap is necessary because the shaping has to occur on a node
on the LAN not the LAN's router itself. Above that rate, it gets in the
way of the other devices.
What I have below mostly seems to keep IPFS under control, but
establishing new SSH connections involves a very, very long delay while
IPFS is running full blast. So I am welcoming any and all corrections.
/Lars
(Apologies for using iptables instead of nftables in this iteration.)
#!/bin/sh
PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
if=wlan0
# remove all existing qdiscs, classes and filters from interface
tc qdisc del dev $if ingress 2>/dev/null
tc qdisc del dev $if root 2>/dev/null
# respect dscp markings using cake
tc qdisc add dev $if root cake bandwidth 800kbit ack-filter
# set default class for all unclassified traffic
tc qdisc replace dev $if root handle 1: htb default 30
# top level class with handle 1:1
# tc class add dev $if parent 1: classid 1:1 htb rate 800kbit
# Class 1:10 is highest priority path, outgoing SSH/SFTP
# Class 1:20 is outgoing SSH/SFTP bulk transfers
# Class 1:30 is next highest priority path, HTTP/HTTPS traffic
# Class 1:40 is default with next lowest priority
# Class 1:50 is lowest priority but highest total bandwidth, IPFS
tc class add dev $if parent 1:1 classid 1:10 htb \
rate 600kbit ceil 1mbit prio 1
tc class add dev $if parent 1:1 classid 1:20 htb \
rate 600kbit ceil 1mbit prio 2
tc class add dev $if parent 1:1 classid 1:30 htb \
rate 100kbit ceil 1mbit prio 3
tc class add dev $if parent 1:1 classid 1:40 htb \
rate 600kbit ceil 1mbit prio 4
tc class add dev $if parent 1:1 classid 1:50 htb \
rate 790kbit prio 5
# leaf qdisc to each child class
tc qdisc add dev $if parent 1:10 fq_codel
tc qdisc add dev $if parent 1:20 fq_codel
tc qdisc add dev $if parent 1:30 fq_codel
tc qdisc add dev $if parent 1:40 fq_codel
tc qdisc add dev $if parent 1:50 fq_codel
# add filters to prioritize traffic
tc filter add dev $if parent 1: handle 100 fw classid 1:10
tc filter add dev $if parent 1: handle 200 fw classid 1:20
tc filter add dev $if parent 1: handle 400 fw classid 1:40
tc filter add dev $if parent 1: handle 500 fw classid 1:50
# drop whatever comes in too fast
tc qdisc add dev $if handle ffff: ingress
tc filter add dev $if parent ffff: protocol ip prio 50 u32 \
match ip src 0.0.0.0/0 police rate 9mbit burst 9mbit drop flowid :1
# clear chains if possible
iptables -Z; # zero counters
iptables -t mangle -F; # flush (delete) rules
iptables -t mangle -X; # delete all extra chains
# label outgoing traffic
iptables -t mangle -A OUTPUT -p tcp -m tcp -m multiport --sports 22 \
-m dscp --dscp 0x04 -m comment --comment sshinteractive \
-j MARK --set-mark 100
iptables -t mangle -A OUTPUT -p tcp -m tcp -m multiport --sports 22 \
-m dscp --dscp 0x02 -m comment --comment sshbulk \
-j MARK --set-mark 200
iptables -t mangle -A OUTPUT -p tcp --match multiport \
--sports 80,443,1965 \
-j MARK --set-mark 400
iptables -t mangle -A OUTPUT -p tcp --match multiport --sports 4001 \
-j MARK --set-mark 500
