The script below is being used to shape traffic on a transparent web cache that is accelerating for a bandwidth manager. If the cache is before the bandwidth manager, then it's hard to control its bandwidth except using a single IP address (meaning all customers get the same QOS). If it is after the bandwidth manager, then the cache itself is not managed ...
After this script was deployed, the perceived performance of the network has become much better. Does anyone have some experiences to share? Or improvements to make :-)
-- G.
# use 90% of kilobits speed for provider uplinks UPLINK=190
# rates for ACKnowledgement, SSH, WWW, UDP/ICMP/DNS, POP/IMAP, P2P traffic respectively
ACKR=4
SSHR=3
WWWR=85
UDPR=30
POPR=53
RSTR=15
# peak rates for ACKnowledgement, SSH, WWW, UDP/ICMP/DNS, POP/IMAP traffic respectively
ACKC=8
SSHC=16
WWWC=185
UDPC=64
POPC=185
RSTC=64
# clear previous settings tc qdisc del dev eth0 root
# create a root handle attached to eth0 using the HTB qdisc and classify packets as classid 70 by default
tc qdisc add dev eth0 root handle 1: htb default 70
# create a parent class using HTB with a maximum (capped) rate of 95 - 98 % of UPLINK kilobits/s
# the extra headroom is needed to shape properly ... ?
tc class add dev eth0 parent 1: classid 1:1 htb rate ${UPLINK}kbit burst 2k
# create leafnode classes using HTB with a guaranteed minimum of XXXR kilobits/s and a
# maximum ceiling of XXXC kilobits/s prioritizing traffic from zero (highest - note that available
# bandwidth is offered in order of priority) to 5 (lowest)
tc class add dev eth0 parent 1:1 classid 1:10 htb rate ${ACKR}kbit ceil ${ACKC}kbit prio 0
tc class add dev eth0 parent 1:1 classid 1:20 htb rate ${SSHR}kbit ceil ${SSHC}kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:30 htb rate ${WWWR}kbit ceil ${WWWC}kbit prio 2
tc class add dev eth0 parent 1:1 classid 1:40 htb rate ${UDPR}kbit ceil ${UDPC}kbit prio 3
tc class add dev eth0 parent 1:1 classid 1:50 htb rate ${POPR}kbit ceil ${POPC}kbit prio 4
tc class add dev eth0 parent 1:1 classid 1:60 htb rate ${RSTR}kbit ceil ${RSTC}kbit prio 5
# use stochastic fair queing and every 5 seconds, change # which queues get sent (shake things around) tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10 tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10 tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10 tc qdisc add dev eth0 parent 1:40 handle 40: sfq perturb 10 tc qdisc add dev eth0 parent 1:50 handle 50: sfq perturb 10 tc qdisc add dev eth0 parent 1:60 handle 60: sfq perturb 10
# this section marks the packets into classes # OUTGOING TRAFFIC (UPLINK) # give "overhead" packets highest priority
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --syn -m length --length 40:68 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --tcp-flags ALL RST -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --tcp-flags ALL ACK,RST -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --tcp-flags ALL ACK,FIN -j CLASSIFY --set-class 1:10
# interactive SSH traffic
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --sport ssh -m length --length 40:100 -j CLASSIFY --set-class 1:20
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport ssh -m length --length 40:100 -j CLASSIFY --set-class 1:20
# interactive web traffic
iptables -t mangle -A POSTROUTING -o eth0 -p tcp -m multiport --sport http,https,8080,3128 -j CLASSIFY --set-class 1:30
iptables -t mangle -A POSTROUTING -o eth0 -p tcp -m multiport --dport http,https,8080,3128 -j CLASSIFY --set-class 1:30
# smtp traffic and ssh bulk traffic
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --sport 25 -j CLASSIFY --set-class 1:50
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport 25 -j CLASSIFY --set-class 1:50
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --sport ssh -m length --length 101: -j CLASSIFY --set-class 1:50
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport ssh -m length --length 101: -j CLASSIFY --set-class 1:50
# ICMP, UDP and DNS lookups
iptables -t mangle -A POSTROUTING -o eth0 -p icmp -m length --length 28:1500 -m limit --limit 3/s --limit-burst 4 -j CLASSIFY --set-class 1:40
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport domain -j CLASSIFY --set-class 1:40
iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport domain -j CLASSIFY --set-class 1:40
iptables -t mangle -A POSTROUTING -o eth0 -p udp -j CLASSIFY --set-class 1:40
# email traffic
iptables -t mangle -A POSTROUTING -o eth0 -p tcp -m multiport --sport pop3,pop3s,imap2,imap3,imaps -j CLASSIFY --set-class 1:50
iptables -t mangle -A POSTROUTING -o eth0 -p udp -m multiport --sport pop3,pop3s,imap2,imap3,imaps -j CLASSIFY --set-class 1:50
iptables -t mangle -A POSTROUTING -o eth0 -p tcp -m multiport --dport pop3,pop3s,imap2,imap3,imaps -j CLASSIFY --set-class 1:50
iptables -t mangle -A POSTROUTING -o eth0 -p udp -m multiport --dport pop3,pop3s,imap2,imap3,imaps -j CLASSIFY --set-class 1:50
# peer to peer traffic
iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 1 -j CLASSIFY --set-class 1:60
Mark Tinka wrote:
IMHO, an ISP can't provide hosting services *correctly* if the others are doing it cheaply (read: incorrectly). The problem is, doing it this way means you are probably providing a service at or above cost - when you start wondering where all your bandwidth is going each day, and can't find it, well, don't look too far.
This is going to become critical in light of the IXP and the efficient utilization of local bandwidth.
_______________________________________________ LUG mailing list [email protected] http://kym.net/mailman/listinfo/lug %LUG is generously hosted by INFOCOM http://www.infocom.co.ug/
