One more update: I tried to make a rule for the limiter in offload mode:

table inet nft-qos-static {
        set limit_ul {
                typeof ip saddr
                flags dynamic
        }
        set limit_dl {
                typeof ip daddr
                flags dynamic
        }
        chain upload {
                type filter hook prerouting priority filter; policy accept;
                ip saddr @limit_ul drop;
        }
        chain download {
                type filter hook postrouting priority filter; policy accept;
                ip daddr @limit_dl drop;
        }
        flowtable fastnat {
                hook ingress priority filter; devices = { eth0, eth1 };
        }
        chain forward {
                type filter hook forward priority filter; policy accept;
                ip protocol { tcp , udp } flow offload @fastnat;
        }
}

It does not work perfectly: only the upload limit works, download gets the full channel. In the test I set 100mbit up/down; upload stays at ~100mbit, but download goes up to 250-300mbit (I have this limit from my ISP). The problem is that the limiter works only for upload; is it possible to make it work on the download rule?

Martin

> On 24 Mar 2022, at 9:52, Martin Zaharinov <micron10@xxxxxxxxx> wrote:
>
> Hi all
>
> One more: after switching to all rules and using only nft (removed qdisc from the kernel config, and removed all iptables tables), in perf top I see nft_do_chain at up to 3-4% on all cores, and if I isolate with perf top -C X I see on one core it is up to 10-15%:
>
>   31.26%  [pppoe]         [k] pppoe_rcv
>    3.19%  [nf_tables]     [k] nft_do_chain
>    2.46%  [kernel]        [k] __netif_receive_skb_core.constprop.0
>    2.18%  [kernel]        [k] fib_table_lookup
>    2.07%  [i40e]          [k] i40e_clean_rx_irq
>    1.51%  [kernel]        [k] __dev_queue_xmit
>    1.23%  [kernel]        [k] dev_queue_xmit_nit
>    1.23%  [nf_conntrack]  [k] __nf_conntrack_find_get.isra.0
>    1.20%  [kernel]        [k] __copy_skb_header
>    1.19%  [kernel]        [k] kmem_cache_free
>    1.17%  [kernel]        [k] skb_release_data
>    1.06%  [nf_tables]     [k] nft_rhash_lookup
>
>
> Are there options to optimize the work of the nft rule set?
>
> And for the second question: is it possible to make this limiter work in a flow table rule set:
>
> #table inet filter {
> #       flowtable fastnat {
> #               hook ingress priority 0; devices = { eth0, eth1 };
> #       }
> #
> #       chain forward {
> #               type filter hook forward priority 0; policy accept;
> #               ip protocol { tcp , udp } flow offload @fastnat;
> #       }
> #}
>
> Like this, and whether there are options to make the devices list dynamic, to add devices automatically or to add devices with *.
> If the limiter works in the flow table it will offload traffic and reduce CPU load.
>
> Martin
>
>> On 23 Mar 2022, at 0:55, Martin Zaharinov <micron10@xxxxxxxxx> wrote:
>>
>> Hi Florian
>>
>> Yes, now it works perfectly.
>> I will test with 1-4k IPs to see performance vs qdisc or iptables.
>>
>> For the second offload question:
>>
>> Is it possible to make the limiter work in offload mode, and is it possible to add dynamic interfaces like ppp* or vlan* or other types?
>>
>>
>>
>> P.S.
>>
>> Thanks for the fast reply on the first part!
>>
>> P.S.2
>>
>> Resending mail to the netfilter group.
>>
>> Martin
>>
>>> On 22 Mar 2022, at 12:32, Florian Westphal <fw@xxxxxxxxx> wrote:
>>>
>>> Martin Zaharinov <micron10@xxxxxxxxx> wrote:
>>>> Hi Florian
>>>>
>>>> This config looks good but does not work; after setting it the user is not limited by speed.
>>>
>>> Works for me.
>>> Before:
>>> [ ID] Interval           Transfer     Bitrate         Retr
>>> [  5]   0.00-10.00  sec  5.09 GBytes  4.37 Gbits/sec    0             sender
>>> [  5]   0.00-10.00  sec  5.08 GBytes  4.36 Gbits/sec                  receiver
>>>
>>> After:
>>> [  5]   0.00-10.00  sec  62.9 MBytes  52.7 Mbits/sec    0             sender
>>> [  5]   0.00-10.00  sec  59.8 MBytes  50.1 Mbits/sec                  receiver
>>>
>>>> table inet nft-qos-static {
>>>>         set limit_ul {
>>>>                 typeof ip saddr
>>>>                 flags dynamic
>>>>                 elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
>>>>         }
>>>>         set limit_dl {
>>>>                 typeof ip saddr
>>>>                 flags dynamic
>>>>                 elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
>>>>         }
>>>>
>>>>         chain upload {
>>>>                 type filter hook postrouting priority filter; policy accept;
>>>>                 ip saddr @limit_ul drop
>>>>         }
>>>>         chain download {
>>>>                 type filter hook prerouting priority filter; policy accept;
>>>>                 ip saddr @limit_dl drop
>>>>         }
>>>
>>> daddr?
>>>
>>>> With this config the user with IP 10.0.0.1 is not limited to 5 mbytes,
>>>
>>>> When I go back to this config:
>>>>
>>>> table inet nft-qos-static {
>>>>         chain upload {
>>>>                 type filter hook postrouting priority filter; policy accept;
>>>>                 ip saddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
>>>>         }
>>>>
>>>>         chain download {
>>>>                 type filter hook prerouting priority filter; policy accept;
>>>>                 ip daddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
>>>                    ~~~~~
>>
>
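The rulesets in this thread differ only in which address each chain keys on, and Florian's "daddr?" points at the mistake in the set-based version. As an added example that is not Martin's or Florian's code, the script below generates that per-subscriber ruleset for any number of subscribers (the thread mentions testing with 1-4k IPs) with the upload set keyed on ip saddr in postrouting and the download set keyed on ip daddr in prerouting, and validates the result with nft -c -f - when nft is installed. Subscriber, DIRECTIONS, build_ruleset, check_ruleset and the sample addresses are this example's own names and constructed values; the limit expression and burst are the ones used in the thread. The flowtable is left out on purpose: once a flow is offloaded its packets bypass the prerouting and postrouting hooks where these chains sit, so a limiter there only ever sees the packets that were not offloaded.

```python
# Added example (not code from the thread): render the nft-qos-static
# ruleset for many subscribers with the download chain keyed on daddr.
from __future__ import annotations

import ipaddress
import shutil
import subprocess
from dataclasses import dataclass

BURST_KBYTES = 6000  # burst value used in the thread's rules

# Chain name -> (netfilter hook, address key, set name).  Upload is matched by
# source address on postrouting, download by destination address on
# prerouting, as in the thread's working non-set ruleset.
DIRECTIONS = {
    "upload": ("postrouting", "saddr", "limit_ul"),
    "download": ("prerouting", "daddr", "limit_dl"),
}


@dataclass(frozen=True)
class Subscriber:           # hypothetical record type for this example
    addr: str               # subscriber IPv4 address
    up_mbytes: int          # upload cap, mbytes/second
    down_mbytes: int        # download cap, mbytes/second


def limit_expr(rate_mbytes: int) -> str:
    """Per-element limit expression in the form the thread uses."""
    if rate_mbytes <= 0:
        raise ValueError("rate must be positive")
    return f"limit rate over {rate_mbytes} mbytes/second burst {BURST_KBYTES} kbytes"


def set_block(name: str, key: str, elements: list[str]) -> str:
    """Render one dynamic set.  An empty 'elements = { }' is not valid nft
    syntax, so the elements line is only emitted when there is something to list."""
    lines = [f"\tset {name} {{", f"\t\ttypeof ip {key}", "\t\tflags dynamic"]
    if elements:
        lines.append(f"\t\telements = {{ {', '.join(elements)} }}")
    lines.append("\t}")
    return "\n".join(lines)


def chain_block(name: str, hook: str, key: str, set_name: str) -> str:
    """Render the chain that drops packets whose per-address limit is exceeded."""
    return (
        f"\tchain {name} {{\n"
        f"\t\ttype filter hook {hook} priority filter; policy accept;\n"
        f"\t\tip {key} @{set_name} drop\n"
        "\t}"
    )


def build_ruleset(subs: list[Subscriber], table: str = "nft-qos-static") -> str:
    """Return the complete 'table inet ...' text, ready for 'nft -f'."""
    seen: set[str] = set()
    for s in subs:
        ipaddress.IPv4Address(s.addr)          # raises on malformed input
        if s.addr in seen:
            raise ValueError(f"duplicate subscriber {s.addr}")
        seen.add(s.addr)
    ul = [f"{s.addr} {limit_expr(s.up_mbytes)}" for s in subs]
    dl = [f"{s.addr} {limit_expr(s.down_mbytes)}" for s in subs]
    up_hook, up_key, up_set = DIRECTIONS["upload"]
    dn_hook, dn_key, dn_set = DIRECTIONS["download"]
    parts = [
        f"table inet {table} {{",
        set_block(up_set, up_key, ul),
        set_block(dn_set, dn_key, dl),
        chain_block("upload", up_hook, up_key, up_set),
        chain_block("download", dn_hook, dn_key, dn_set),
        "}",
    ]
    return "\n".join(parts) + "\n"


def check_ruleset(text: str):
    """Syntax-check with 'nft -c -f -' (check only, read from stdin).
    Returns True/False, or None when nft is not installed on this host."""
    if shutil.which("nft") is None:
        return None
    proc = subprocess.run(["nft", "-c", "-f", "-"], input=text,
                          text=True, capture_output=True)
    return proc.returncode == 0


# Constructed sample: the two addresses and rates from the thread.
SAMPLE = [Subscriber("10.0.0.1", 5, 5), Subscriber("10.0.0.254", 12, 12)]

if __name__ == "__main__":
    ruleset = build_ruleset(SAMPLE)
    print(ruleset)
    print("nft -c result:", check_ruleset(ruleset))
```

Loading the output with nft -f replaces nothing by itself; pair it with a preceding "flush table inet nft-qos-static" (or "delete table") in the same file when re-applying, so stale elements do not linger in the dynamic sets.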