[LARTC] Re: tc filter not work, why?

2007-07-26 Thread 吴明津

Must the tc and the Linux kernel net/sched/ versions match
exactly? Or is the kernel configuration missing some modules?

I have compiled in all the Qos and/or fair queueing.

thank you for your help.

On 7/26/07, 吴明津 [EMAIL PROTECTED] wrote:

> I try to use tc on mips with linux-2.4.18 but the u32 filter doesn't work
>
> I added htb qdisc to linux-2.4.18 and use it to limit the speed in
> LAN, it only works well on the default class, for example
>
> tc qdisc add dev eth0 root handle 1: htb default 10
> tc class add dev eth0 parent 1:0 classid 1:1 htb rate 2000kbit
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 500kbit ceil 500kbit
> tc calss add dev eth0 parent 1:1 classid 1:11 htb rate 300kbit ceil 300kbit
> tc filter add dev eth0 protocol ip u32 match ip dst 192.168.18.100 flowid 1:11
>
> the host 192.168.18.100 has a speed of 500kbit rather than 300kbit.
>
> if I don't set the default 10 class, all this doesn't have any effect.
>
> why?
>
> thank you.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


[LARTC] Re: tc filter matches ip fields inside pppoe frames

2007-02-08 Thread Ming-Ching Tiew

From: Ming-Ching Tiew
To: lartc@mailman.ds9a.nl
Sent: Monday, February 05, 2007 9:28 AM
Subject: tc filter matches ip fields inside pppoe frames

> I have a requirement which I guess is not too unusual, however I haven't
> quite figured out how to do it and couldn't find any examples which handle
> that.
>
> I have made myself a Linux-based bridge, eth0 bridged with
> eth1 to form br0.
>
> In this bridge, I run 'tc' script to handle QoS.
>
> So far nothing unusual.
>
> However, what's different is that this bridge sits in between a pppoe
> client and pppoe server, ie pppoe frames are bridged through the Linux
> bridge, and I am interested to perform QoS on the pppoe frames, based on
> the ip tos setting of the ppp packets ( encapsulated inside the pppoe
> frames ).
>
> For example, normal tc script :-
>
> tc filter add dev ppp0 parent 1:0 prio 10 u32 \
> match ip tos 0x10 0xff \
> flowid 1:4
>
> This will work on a ppp0 device because the ppp0 has ip packets flowing
> through it. Now in my bridge, there is no such device, I only have access
> to eth0 or eth1, how could I perform the same thing on devices such as
> eth0 or eth1, but matching the ip TOS setting inside the pppoe frame ?

Perhaps this will be one step closer to matching ip TOS inside the PPPOE frame :-

 # tc filter add dev vlan0 parent 1:0 protocol 0x8864 prio 10 u32 \
 match u32 0x0010 0x00ff at   \
 flowid 1:4

Protocol 0x8864 refers to PPP_SES.

But the question is: where is the location of the TOS field in the ip header
encapsulated inside the PPP frame ? What if the IP header is compressed
inside the ppp frame ?

Cheers
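
Added example, not part of the original post: a Python sketch that locates the TOS byte inside a PPPoE session frame and derives the aligned `match u32 VALUE MASK at OFFSET` selector for it. It assumes u32 offsets are counted from the first byte after the 14-byte Ethernet header; the function names and sample frames are constructed for illustration, and it goes beyond the question by also handling a one-byte (compressed) PPP protocol field and rejecting payloads that are not plain IPv4.

```python
import struct

ETH_P_PPP_SES = 0x8864   # PPPoE session ethertype, the "protocol 0x8864" in the post
PPP_IPV4 = 0x0021        # PPP protocol number for an uncompressed IPv4 packet

def tos_selector(frame: bytes, tos: int, mask: int = 0xFF):
    """Return (offset, value, mask) for a u32 match on the inner TOS, or None."""
    if len(frame) < 14 + 6 + 2:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_P_PPP_SES or frame[14] != 0x11 or frame[15] != 0x00:
        return None                      # not a PPPoE session data frame
    off = 6                              # PPPoE header: ver/type, code, session id, length
    # PPP protocol numbers end in an odd byte, so a leading odd byte means the
    # field was negotiated down to one byte (Protocol-Field-Compression).
    if frame[14 + off] & 1:
        proto, off = frame[14 + off], off + 1
    else:
        (proto,) = struct.unpack_from("!H", frame, 14 + off)
        off += 2
    if proto != PPP_IPV4:
        return None                      # e.g. VJ-compressed TCP/IP: no fixed TOS byte
    tos_off = off + 1                    # TOS is the second byte of the IPv4 header
    word = tos_off & ~3                  # u32 keys sit on 4-byte boundaries
    shift = 8 * (3 - (tos_off - word))   # position of the TOS byte inside that word
    return word, tos << shift, mask << shift

def u32_matches(frame: bytes, sel) -> bool:
    # Same test the selector expresses: (word at offset) & mask == value.
    off, value, mask = sel
    (word,) = struct.unpack_from("!I", frame, 14 + off)
    return word & mask == value

def tc_match(sel) -> str:
    off, value, mask = sel
    return f"match u32 0x{value:08x} 0x{mask:08x} at {off}"

def sample_frame(ppp_proto: bytes, tos: int) -> bytes:
    # Constructed sample: zeroed MACs, session id 1, bare 20-byte IPv4 header.
    ip = bytes([0x45, tos]) + struct.pack("!H", 20) + bytes(16)
    payload = ppp_proto + ip
    pppoe = bytes([0x11, 0x00]) + struct.pack("!HH", 1, len(payload))
    return bytes(12) + struct.pack("!H", ETH_P_PPP_SES) + pppoe + payload

if __name__ == "__main__":
    print(tc_match(tos_selector(sample_frame(b"\x00\x21", 0x10), 0x10)))
```

With the usual two-byte PPP protocol field the IPv4 header starts at offset 8, so the TOS byte is at offset 9; a filter would normally also match the PPP protocol field so that non-IPv4 payloads are not classified by accident.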





[LARTC] Re: tc filter matches ip fields inside pppoe frames

2007-02-05 Thread Ming-Ching Tiew

Resent using text instead of html.
  - Original Message -
  From: Ming-Ching Tiew
  To: lartc@mailman.ds9a.nl
  Sent: Monday, February 05, 2007 9:28 AM
  Subject: tc filter matches ip fields inside pppoe frames


  I have a requirement which I guess is not too unusual, however I haven't
  quite figured out how to do it and couldn't find any examples which handle
  that.

  I have made myself a Linux-based bridge, eth0 bridged with
  eth1 to form br0.

  In this bridge, I run 'tc' script to handle QoS.

  So far nothing unusual.

  However, what's different is that this bridge sits in between a pppoe
  client and pppoe server, ie pppoe frames are bridged through the Linux
  bridge, and I am interested to perform QoS on the pppoe frames, based on
  the ip tos setting of the ppp packets ( encapsulated inside the pppoe
  frames ).

  For example, normal tc script :-

  tc filter add dev ppp0 parent 1:0 prio 10 u32 \
   match ip tos 0x10 0xff \
   flowid 1:4

  This will work on a ppp0 device because the ppp0 has ip packets flowing
  through it. Now in my bridge, there is no such device, I only have access
  to eth0 or eth1, how could I perform the same thing on devices such as
  eth0 or eth1, but matching the ip TOS setting inside the pppoe frame ?

  Best regards.



[LARTC] Re: tc filter

2006-08-21 Thread Jarek Poplawski

On 18-08-2006 12:28, Andy Furniss wrote:
> Jarek Poplawski wrote:
>
>> Should be:
>> # tc filter add dev eth0 parent 1: proto ip pref 100 \
>> u32 match ip dst 192.168.1.222 flowid 1: police \
>> conform-exceed drop/drop
>
> Looks a bit iffy but I haven't tried it - I thought that would be drop
> whether under or over - if it's valid at all without action/ a police rate.

Maybe I should have written:
Should be with a fairly current iproute2 and kernel:

It's so called New syntax (Old syntax didn't work for me),
to add exceed action for zero rate. According to help rate and
burst should be included, but it works anyway.


Jarek P.



Re: [LARTC] Re: tc filter

2006-08-18 Thread Andy Furniss

Jarek Poplawski wrote:

> Should be:
> # tc filter add dev eth0 parent 1: proto ip pref 100 \
> u32 match ip dst 192.168.1.222 flowid 1: police \
> conform-exceed drop/drop

Looks a bit iffy but I haven't tried it - I thought that would be drop
whether under or over - if it's valid at all without action/ a police rate.


Andy.


[LARTC] Re: tc filter

2006-08-16 Thread Jarek Poplawski

On 10-08-2006 15:38, Jarek Poplawski wrote:
...

> # tc filter add dev eth0 parent 1: proto ip pref 100 \
> u32 match ip dst 192.168.1.222 police drop

Should be:
# tc filter add dev eth0 parent 1: proto ip pref 100 \
u32 match ip dst 192.168.1.222 flowid 1: police \
 conform-exceed drop/drop


or:
# tc filter add dev eth0 parent 1: proto ip pref 100 \
u32 match ip dst 192.168.1.222 flowid 1: action drop

Jarek P.



[LARTC] Re: tc filter

2006-08-13 Thread Jarek Poplawski

On 03-08-2006 18:06, doudouyam wrote:

> Hi,
> Is it possible to make a filter with tc which excludes an IP like iptables ??
>
> ex:
> iptables -t mangle -A PREROUTING -i eth0 -d ! 192.168.1.222 -j MARK ...


Maybe there is something like this, I don't know, but you can try 
two filters in turn e.g.:


# tc filter add dev eth0 parent 1: proto ip pref 100 \
u32 match ip dst 192.168.1.222 police drop

(or some other flowid 1:xx instead of police drop)

# tc filter add dev eth0 parent 1: proto ip pref 101 \
u32 match ip dst 192.168.1.0/24 flowid 1:99

Jarek P.



[LARTC] RE: tc filter information

2006-03-31 Thread pfer
Hi!

When I googled some time ago for more resources, apart from lartc about tc, I've found:
http://opalsoft.net/qos/

So, if still looking for resources, this might help. Or not :) Anyway the guy is cool.

Ferenc


Re: [LARTC] Re: tc filter protocol arp question

2004-02-02 Thread Alexander Clouter
On Feb 02, [EMAIL PROTECTED] wrote:

> Moment, DHCP is not arp packet.
> and ARP is not DHCP.

however every dhcp request fires off a bunch of ARP requests.  I am
suggesting using DHCP-relay so you put the 'long distance' DHCP requests into
a kind of IP tunnel (?).  If this is not true then you could accomplish the
same with IPSec/ssh tunnels.  The idea of this is to shunt the DHCP (and
related traffic) into something that is manageable.

> DHCP is always IP addressed /check via tcpdump/
> so you can mark these addresses with tc without any problems.

good point :)

> ARP packets are low level packets of ethernet interconnectivity.
> They will work always, unless your LAN is overloaded or somebody will do
> nasty things like /arp poisoning/.
> The only way you can increase your network performance for arp packets is
> enabling broadcast storm control in layer-2 devices.
> Some limitations of arp-settings in linux /proc filesystem (gc_thresh_...
> etc)
> You can neither set static arp from Server side /and client side too (more
> complex)/

I would still be keen on shunting things into a manageable IP(Sec)/ssh tunnel,
although it sounds overboard, if you are dealing with thousands of PC's (even
hundreds) that's likely to cross several subnets.

As I mentioned before it would give you the infrastructure to have a
'maintenance' tunnel, you could put all the insecure telnet traffic in this
tunnel to prevent it crossing the whole distance un-encrypted :)  More so you
can give it a high priority which would help you get access to machines when
you need to during a crisis.

Regards

Alex



[LARTC] Re: tc filter protocol arp question

2004-01-31 Thread lartc
Alexander Clouter writes:

> On Jan 31, [EMAIL PROTECTED] wrote:
>> Hello,
>>
>> I try to shape dhcp requests, but filter rule doesn't work. My script is:
>
> [snipped]
>
> I really think you have other problems if you need to shape DHCP requests and
> their responses.  If we overlook the logistical part (QoS under linux only
> sees IP packets iirc, and so ARP packets are invisible) and look at what you
> are trying to achieve.
>
> QoS you should see as a way of saying this group of packets can arrive
> 'later' without really any effect or these packets should arrive as soon as
> possible.  DHCP does not have realtime requirements, hell I could not care
> if it takes 2 seconds to renew my DHCP lease or 10 seconds.  If you do worry
> about things then consider a large lease time or better still look at what
> traffic is on your network and reduce it; Windoze NetBIOS is a common thing
> that can affect large networks.
>
> I am unsure why _anyone_ would want to prioritise DHCP traffic, it operates
> over an unreliable protocol and is built to try to obtain an IP address over
> a period of 30 seconds; if you cannot get a DHCP lease in that time (even on
> a congested network) then you have other problems which should probably be
> addressed in a manner other than QoS.
>
> Obviously we would like to help, but we are unsure why you would want to do
> such a thing, It's damn right crazy man! :)
>
> Regards
>
> Alex



I manage a lan network with more than 1000 home users. Every user has
iptables/tc pairs for marking packets/traffic limiting. The entire network
operates via dhcp. If I miss only one user from the shaper then his traffic
goes to the default class. This class must have a very low rate ( about 1Kbit ).
The dhcp conversation goes there. If a missed user starts to download, the entire
network loses the dhcp server because of dropped packets.

So I really need to give the dhcp server priority. I think that 512Kbit is more
than enough to satisfy about 500 winbozes, powered on in a ten minute period.
( This is not a joke, I see that nightmare every evening... )

Such a rule 'tc filter add dev eth0 protocol arp flowid ... ' I see in
lartc.org and somewhere in the mailing list. But this doesn't work on my linux (
RedHat Advanced Server 3 ).

--
Svetozar 

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


[LARTC] Re: tc filter protocol arp question

2004-01-31 Thread Alexander Clouter
On Jan 31, [EMAIL PROTECTED] wrote:

> I manage a lan network with more than 1000 home users. Every user has
> iptables/tc pairs for marking packets/traffic limiting. The entire network
> operates via dhcp. If I miss only one user from the shaper then his traffic
> goes to the default class. This class must have a very low rate ( about 1Kbit
> ). The dhcp conversation goes there. If a missed user starts to download, the
> entire network loses the dhcp server because of dropped packets.

I now see your needs, however could I offer an alternative solution.  DHCP
relays, put them on certain IP addresses and then mark their IP's for high
priority traffic, this can be put in the same band along with ssh traffic and
classed as 'core network traffic' or something fancy.

This probably would help you no end and give you the flexibility to do other
things later down the road.

> So I really need to give the dhcp server priority. I think that 512Kbit is more
> than enough to satisfy about 500 winbozes, powered on in a ten minute
> period. ( This is not a joke, I see that nightmare every evening... )

hm tasty :)

> Such a rule 'tc filter add dev eth0 protocol arp flowid ... ' I see in
> lartc.org and somewhere in the mailing list. But this doesn't work on my linux (
> RedHat Advanced Server 3 ).

well after my comment about shaping ARP packets, I was looking for things on
a completely unrelated note and stumbled across something in the FAQ[1].

[1] http://www.docum.org/stef.coene/qos/faq/cache/63.html

have fun

Alex
