Re: [LARTC] A tc htb/iptables rate control script for ADSL
Hello Devik!

>>> and set classid directly in iptables like:
>>>
>>>   iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 0x10010
>>>   iptables -t mangle -A to-dsl -p tcp --sport 24 -j MARK --set-mark 0x10020
>>
>> Oh, and I forgot to ask: Is there any other improvement except for having a shorter script?
>
> It is a bit faster and simpler to maintain.

We are using Ipchains. I guess that makes no difference.

At the moment we do the following. For example (all rules for the same device):

1. filter ACKs by using u32
2. filter a specific IP by using ipchains -m (because we masquerade) with its own tc fw
3. filter ToS by using u32
4. filter by another IP with ipchains -m with its own tc fw

With only one tc fw per device (and using 8-bit values with ipchains -m to specify the target class) I guess the order shown above could not be maintained. It would look like 2. 4. 1. 3. or 1. 2. 4. 3. depending on the position of the tc fw filter. The same order as in the example cannot be achieved. Am I right with that assumption?

Is it possible to have more than one of these global tc fw filters for one device?

Greetings
Nils

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Re: [LARTC] A tc htb/iptables rate control script for ADSL
> We are using Ipchains. I guess that makes no difference.
>
> At the moment we do the following. For example (all rules for the same device):
>
> 1. filter ACKs by using u32
> 2. filter a specific IP by using ipchains -m (because we masquerade) with its own tc fw
> 3. filter ToS by using u32
> 4. filter by another IP with ipchains -m with its own tc fw
>
> With only one tc fw per device (and using 8-bit values with ipchains -m to specify the target class) I guess the order shown above could not be maintained. It would look like 2. 4. 1. 3. or 1. 2. 4. 3. depending on the position of the tc fw filter. The same order as in the example cannot be achieved. Am I right with that assumption?

unfortunately, you are right

> Is it possible to have more than one of these global tc fw filters for one device?

probably yes, but the first one will match all. But you can filter acks with ipchains too (-y).

devik
Re: [LARTC] A tc htb/iptables rate control script for ADSL
>> and set classid directly in iptables like:
>>
>>   iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 0x10010
>>   iptables -t mangle -A to-dsl -p tcp --sport 24 -j MARK --set-mark 0x10020
>
> Oh, and I forgot to ask: Is there any other improvement except for having a shorter script?

It is a bit faster and simpler to maintain.

devik
Re: [LARTC] A tc htb/iptables rate control script for ADSL
Hi,

I'm happy that HTB gained so much popularity ;)

Only one hint for you - you can completely avoid all these "tc filter add ... fw ..." lines. You can use only one

  tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw

and set classid directly in iptables like:

  iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 0x10010
  iptables -t mangle -A to-dsl -p tcp --sport 24 -j MARK --set-mark 0x10020

and so on ..

devik

On 17 Apr 2002, alex wrote:

>   /sbin/iptables -t mangle -A to-dsl -p tcp --dport 22 -j MARK --set-mark 1
>   /sbin/iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 2
>
>   /sbin/tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw classid 1:10
>   /sbin/tc filter add dev ppp0 parent 1: protocol ip prio 2 handle 2 fw classid 1:20
Re: [LARTC] A tc htb/iptables rate control script for ADSL
Martin Devera said:

> Hi,
>
> I'm happy that HTB gained so much popularity ;)
>
> Only one hint for you - you can completely avoid all these "tc filter add ... fw ..." lines. You can use only one
>
>   tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw
>
> and set classid directly in iptables like:
>
>   iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 0x10010
>   iptables -t mangle -A to-dsl -p tcp --sport 24 -j MARK --set-mark 0x10020
>
> and so on ..
>
> devik

Thanks for that, it should make my script a bit less cumbersome.

I have also realised that at the moment the bandwidth is being shared out in proportion to allocated bandwidths, which is not quite what I was after. Having re-read your manual pages I've now added prio statements to each htb class so that if I'm downloading from inside I get all the bandwidth I need at the expense of the uploads, rather than a 2:1 split. I got it the second time; the first time I wasn't sure if prio 0 was the highest or lowest priority.

The other thing that is currently sub-optimal is the division of long uploads vs short uploads. I've attempted to ensure that normal webpages are downloaded as fast as possible with the burst parameter, but if someone is downloading a large file from my website all other web users suffer. I've got to do some more reading, but my current plan involves the iptables connection tracking. I'm not sure if iptables does this already, but if I can match and tag a packet based on the time of the connection I can still allow new connections to get priority over long-lived downloads. This may involve writing a new kernel module as a netfilter extension, but it would be the icing on the cake to my setup :-)

Alex
www.bennee.com/~alex/
Re: [LARTC] A tc htb/iptables rate control script for ADSL
> The other thing that is currently sub-optimal is the division of long uploads vs short uploads. I've attempted to ensure that normal webpages are downloaded as fast as possible with the burst parameter, but if someone is downloading a large file from my website all other web users suffer. I've got to do some more reading, but my current plan involves the iptables connection tracking. I'm not sure if iptables does this already, but if I can match and tag a packet based on the time of the connection I can still allow new connections to get priority over long-lived downloads. This may involve writing a new kernel module as a netfilter extension, but it would be the

Hi

I was already planning it ;) To add a netfilter match to the STATUS module which would allow --conn-traffic from:to to select only connections whose transferred bytes value is in the given range. Then you can have different classes for long and short downloads ..

devik
Re: [LARTC] A tc htb/iptables rate control script for ADSL
----- Original Message -----
From: alex [EMAIL PROTECTED]

> # For outgoing packets we need to mark stuff
> /sbin/iptables -t mangle -A to-dsl -p tcp --dport 22 -j MARK --set-mark 1
> /sbin/iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 2

I'd also do it like this:

  iptables -t mangle -A to-dsl -p tcp --dport 22 -j MARK --set-mark 1
  iptables -t mangle -A to-dsl -p tcp --dport 22 -j RETURN
  iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 2
  iptables -t mangle -A to-dsl -p tcp --dport 80 -j RETURN
  etc...

Otherwise iptables will do the whole to-dsl list for every packet. In your case it wouldn't matter except for some extra CPU usage. But if you would like to mark port 80 as bulk traffic and ACKs as interactive traffic, then those port 80 ACKs could be marked as bulk, which you wouldn't want.

Which brings me to another subject :) If your DSL connection has different bandwidths like 1mbit/128kbit then your download speed could be destroyed by huge queues in your uplink. I'd guess this would do the trick.

  # Set ACK as prioritized traffic (ACKs are less than 100 bytes)
  $IPTABLES -t mangle -A MANGLE_MARK -p tcp -m length --length :100 -j MARK --set-mark 1
  $IPTABLES -t mangle -A MANGLE_MARK -p tcp -m length --length :100 -j RETURN

(You could probably mark ACKs with --tcp-flags SYN,FIN,RST ACK. But I have not tested that yet.)

They also mention this here: http://lartc.org/wondershaper/

/Jonas
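A dry-run generator that puts devik's hint (one "handle 1 fw" filter, with the HTB classid carried in the mark as 0x10010 for 1:10) together with Jonas's MARK-then-RETURN pairs; it is an added example, not code from any of the posters, it only prints the commands instead of executing them, and the device, chain name and the port-to-class assignments are assumed.

```shell
#!/bin/sh
# Added example: emit the iptables/tc rules for the scheme discussed in this
# thread. Nothing is executed; the commands are printed for review.
# Assumed (hypothetical) values: device ppp0, mangle chain to-dsl.
DEV=ppp0
CHAIN=to-dsl

# Encode an HTB classid "major:minor" (hex) as the fw mark used with the single
# "handle 1 fw" filter: major in the high 16 bits, minor in the low 16 bits,
# which is how the marks in the thread are formed (1:10 -> 0x10010).
classid_to_mark() {
    major=${1%%:*}
    minor=${1##*:}
    printf '0x%x\n' $(( (0x$major << 16) | 0x$minor ))
}

# Reverse mapping, handy when checking marks shown by "iptables -t mangle -L -v".
mark_to_classid() {
    m=$(( $1 ))
    printf '%x:%x\n' $(( m >> 16 )) $(( m & 0xffff ))
}

# Emit a MARK rule immediately followed by RETURN, so a packet that already
# matched an early (interactive) rule never falls through to a later bulk rule.
# $1 = classid, remaining args = iptables match expression.
mark_and_return() {
    cls=$1; shift
    echo "iptables -t mangle -A $CHAIN $* -j MARK --set-mark $(classid_to_mark "$cls")"
    echo "iptables -t mangle -A $CHAIN $* -j RETURN"
}

# The whole ruleset: one fw filter, all classification done in iptables.
# Rule order is the policy: small packets (ACKs) and ssh go to 1:10 first,
# the http bulk rule comes last so port 80 ACKs are not marked as bulk.
gen_rules() {
    echo "tc filter add dev $DEV parent 1: protocol ip prio 1 handle 1 fw"
    mark_and_return 1:10 -p tcp -m length --length :100
    mark_and_return 1:10 -p tcp --dport 22
    mark_and_return 1:20 -p tcp --dport 80
}

gen_rules
```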
Re: [LARTC] A tc htb/iptables rate control script for ADSL
Hello there!

> I'd also do it like this:
>
>   iptables -t mangle -A to-dsl -p tcp --dport 22 -j MARK --set-mark 1
>   iptables -t mangle -A to-dsl -p tcp --dport 22 -j RETURN
>   iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 2
>   iptables -t mangle -A to-dsl -p tcp --dport 80 -j RETURN
>   etc...
>
> Otherwise iptables will do the whole to-dsl list for every packet. In your case it wouldn't matter except for some extra CPU usage. But if you would like to mark port 80 as bulk traffic and ACKs as interactive traffic, then those port 80 ACKs could be marked as bulk, which you wouldn't want.

Does this behavior also occur when using ipchains?

Greetings
Nils
Re: [LARTC] A tc htb/iptables rate control script for ADSL
>> Otherwise iptables will do the whole to-dsl list for every packet. In your case it wouldn't matter except for some extra CPU usage. But if you would like to mark port 80 as bulk traffic and ACKs as interactive traffic, then those port 80 ACKs could be marked as bulk, which you wouldn't want.
>
> Does this behavior also occur when using ipchains?

yes
Re: [LARTC] A tc htb/iptables rate control script for ADSL
Hi there!

> I'm happy that HTB gained so much popularity ;)

Oh yes, it's really popular already, not only among people who know a lot about linux; they just don't know they are using it. - www.fli4l.de

> Only one hint for you - you can completely avoid all these "tc filter add ... fw ..." lines. You can use only one
>
>   tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw
>
> and set classid directly in iptables like:
>
>   iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 0x10010
>   iptables -t mangle -A to-dsl -p tcp --sport 24 -j MARK --set-mark 0x10020

Is this also possible with the -m option in ipchains?

Greetings
Nils
Re: [LARTC] A tc htb/iptables rate control script for ADSL
Hello again!

> Only one hint for you - you can completely avoid all these "tc filter add ... fw ..." lines. You can use only one
>
>   tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw
>
> and set classid directly in iptables like:
>
>   iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 0x10010
>   iptables -t mangle -A to-dsl -p tcp --sport 24 -j MARK --set-mark 0x10020

Oh, and I forgot to ask: Is there any other improvement except for having a shorter script?

Greetings
Nils