How to use CLASSIFY, MARK, CONNMARK and CONNLIMIT efficiently?

Hello


I've built a traffic shaper based on Debian lenny with a customised 2.6.24 kernel. I'm not sure that the netfilter list is the appropriate place to get an answer, so I will post this on the LARTC mailing list.

I'm looking for more information about CLASSIFY, MARK and CONNMARK. I'm not sure I understand everything!

I have various doubts:

- What exactly do CLASSIFY and MARK achieve? It seems that you can have "-j CLASSIFY --set-mark" or "-j CLASSIFY --set-class", isn't it? So what is the exact difference between CLASSIFY and MARK? Can the CLASSIFY target "classify" and "mark", while MARK just "marks"?

- Should I use CONNMARK to optimise matching on a heavily loaded traffic shaper?

- In the example code below I've classified VoIP traffic using another custom chain (QOS_out_voip ...) and P2P directly. Which method gives the best performance? Could a jump through another custom chain slow down matching? I would prefer to use a custom chain, but performance comes first ... My traffic shaper must support 90 Mbit/s of bandwidth at 20000 packets/s.

- I would like to limit P2P to 4096 connections for each IP. Is it relevant to use a rule like this: ... --connlimit-mask 32 --connlimit-above 4096 --jump DROP ?

Please take a look at my example and give me some feedback.


MY SCENARIO

1) My box is set up as a transparent bridge like this:

   eth0/LAN                              eth1/WAN
 -------------- |    SHAPER    | --------------
                ----------------
                      br0

2) I've set up various HTB qdiscs and classes to match my needs:

for eth0 (download)

1:  root
1:10    main
1:100  icmp
1:200  interactive
1:300  voip
1:400  web
1:500  bulk

... and for eth1  (upload)

2: root
2:10 main
2:100 icmp
...


3) I've created two CUSTOM chains to catch the outgoing (egress) traffic of each interface

IPTABLES=/usr/local/sbin/iptables

# Packets leaving the bridge through eth0 (download direction)
${IPTABLES} --table mangle --new-chain QOS_in
${IPTABLES} --table mangle --append POSTROUTING --out-interface br0 --match physdev --physdev-out eth0 --jump QOS_in

...

# Packets leaving the bridge through eth1 (upload direction)
${IPTABLES} --table mangle --new-chain QOS_out
${IPTABLES} --table mangle --append POSTROUTING --out-interface br0 --match physdev --physdev-out eth1 --jump QOS_out

...
4) I'm trying to use CONNMARK to

# Restore the connection's saved mark onto this packet.
${IPTABLES} --table mangle --append QOS_in --jump CONNMARK --restore-mark
# No early "mark != 0 -> RETURN" here: CLASSIFY acts per packet and is not
# restored by CONNMARK, so already-marked packets must still reach their
# CLASSIFY rule below; the per-mark RETURNs end the chain for them.

...

#voIP
#(1st way with another custom chain)

${IPTABLES} --table mangle --new-chain QOS_out_voip
${IPTABLES} --table mangle --append QOS_out_voip --jump CLASSIFY --set-class 1:300
${IPTABLES} --table mangle --append QOS_out_voip --jump RETURN

# Already-marked VoIP connections: classify and leave.
${IPTABLES} --table mangle --append QOS_in --match mark --mark 300 --jump QOS_out_voip
# Detection, only for connections that carry no mark yet.
${IPTABLES} --table mangle --append QOS_in --match mark --mark 0 --match helper --helper sip --jump MARK --set-mark 300
${IPTABLES} --table mangle --append QOS_in --match mark --mark 0 --proto tcp --sport 5060 --jump MARK --set-mark 300


#p2p
#(2nd way without a custom chain)

# Already-marked P2P connections: enforce the per-address limit, classify and leave.
${IPTABLES} --table mangle --append QOS_in --match mark --mark 500 --match connlimit --connlimit-above 4096 --connlimit-mask 32 --jump DROP
${IPTABLES} --table mangle --append QOS_in --match mark --mark 500 --jump CLASSIFY --set-class 1:500
${IPTABLES} --table mangle --append QOS_in --match mark --mark 500 --jump RETURN

# Detection for unmarked connections (ipp2p is an external match extension).
${IPTABLES} --table mangle --append QOS_in --match mark --mark 0 --match ipp2p --ipp2p --jump MARK --set-mark 500
...

# Persist whatever the detection rules decided for the rest of the connection.
${IPTABLES} --table mangle --append QOS_in --jump CONNMARK --save-mark



Thank you for your help
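The following is an added example and not code from the post above; it shows the layout the post is reaching for as a dry-run generator. Two facts it relies on: the CLASSIFY target takes only --set-class and writes the class into the packet (skb->priority), which CONNMARK does not save; the MARK target takes only --set-mark and writes the packet mark, which CONNMARK can save to and restore from the conntrack entry. A tc "fw" filter can map that restored mark to a class, which makes CLASSIFY optional. Interface, chain and class names follow the post; the mark values, the P2P limit, the tc fw filters and the DRY_RUN mechanism are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: a dry-run generator for the
# mangle/tc layout discussed above. With DRY_RUN=1 (default) it prints the
# iptables/tc commands instead of running them; run as root with DRY_RUN=0 to
# apply them. Mark values, the P2P limit and the tc fw filters are assumptions.
IPTABLES="${IPTABLES:-/usr/local/sbin/iptables}"
TC="${TC:-/sbin/tc}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A mark becomes a per-connection attribute once CONNMARK saves it; the class
# set by CLASSIFY lives only in the packet, so every packet must pass a
# CLASSIFY rule (or a tc fw filter). Marks are decimal; class ids (1:300) are
# hex in both tc and CLASSIFY, so "300" and "1:300" are merely paired by name.
MARK_VOIP=300
MARK_P2P=500
P2P_CONN_PER_IP=4096

# Egress chain for one bridge port: restore -> dispatch on known marks
# (CLASSIFY, then RETURN) -> detect new flows (MARK, --mark 0 only) -> save.
# Dispatching before detection is what makes CONNMARK a shortcut: the costly
# helper/ipp2p matches only run on packets of still-unmarked connections.
# The first packet of a flow is marked but not classified here; the tc fw
# filters below cover that case.
qos_chain() {
    chain=$1; port=$2; major=$3
    run "$IPTABLES" -t mangle -N "$chain"
    run "$IPTABLES" -t mangle -A POSTROUTING -o br0 -m physdev --physdev-out "$port" -j "$chain"

    run "$IPTABLES" -t mangle -A "$chain" -j CONNMARK --restore-mark

    # VoIP: already marked -> classify and leave.
    run "$IPTABLES" -t mangle -A "$chain" -m mark --mark "$MARK_VOIP" -j CLASSIFY --set-class "$major:$MARK_VOIP"
    run "$IPTABLES" -t mangle -A "$chain" -m mark --mark "$MARK_VOIP" -j RETURN

    # P2P: enforce the per-address connection limit, then classify and leave.
    run "$IPTABLES" -t mangle -A "$chain" -m mark --mark "$MARK_P2P" -m connlimit --connlimit-above "$P2P_CONN_PER_IP" --connlimit-mask 32 -j DROP
    run "$IPTABLES" -t mangle -A "$chain" -m mark --mark "$MARK_P2P" -j CLASSIFY --set-class "$major:$MARK_P2P"
    run "$IPTABLES" -t mangle -A "$chain" -m mark --mark "$MARK_P2P" -j RETURN

    # Detection, only for connections that carry no mark yet.
    run "$IPTABLES" -t mangle -A "$chain" -m mark --mark 0 -m helper --helper sip -j MARK --set-mark "$MARK_VOIP"
    run "$IPTABLES" -t mangle -A "$chain" -m mark --mark 0 -p tcp --sport 5060 -j MARK --set-mark "$MARK_VOIP"
    # ipp2p is an external match extension, not part of stock iptables.
    run "$IPTABLES" -t mangle -A "$chain" -m mark --mark 0 -m ipp2p --ipp2p -j MARK --set-mark "$MARK_P2P"

    # Persist the decision of the detection rules for the rest of the flow.
    run "$IPTABLES" -t mangle -A "$chain" -j CONNMARK --save-mark
}

# Alternative to CLASSIFY: let tc map the restored fw mark to the class.
# With these filters in place the CLASSIFY rules above are redundant.
tc_fw_filters() {
    dev=$1; major=$2
    for m in "$MARK_VOIP" "$MARK_P2P"; do
        run "$TC" filter add dev "$dev" parent "$major:" protocol ip prio 1 handle "$m" fw classid "$major:$m"
    done
}

qos_chain QOS_in  eth0 1   # download side, HTB 1:
qos_chain QOS_out eth1 2   # upload side, HTB 2:
tc_fw_filters eth0 1
tc_fw_filters eth1 2
```

Two caveats worth checking before deploying this. connlimit counts connections per (masked) source address by default, so on the download chain (egress through eth0) the address being limited is the remote peer, not the LAN host; a per-LAN-host limit belongs on the upload chain, or needs the --connlimit-daddr option where the installed iptables provides it. The cost of a jump into a user-defined chain is a single extra rule traversal; what dominates at 20000 packets/s is running helper or ipp2p matching on every packet, which the --mark 0 guard avoids once the mark has been saved.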
