A couple of suggestions: a) Can you change the order of default and tos-maximize-throughput? b) If that doesn't work, separate classes for default and tos-maximize-throughput? c) Can you try a tcrule for this, using the TOS field? This requires an upgrade to 3.2.0 though.
If none of these work, post a copy of your tcrules here.

Prasanna.

On 10/11/06, Zachary Palmer <[EMAIL PROTECTED]> wrote:
> Hello, all. I am led to understand that I might be able to post a dump
> of my Shorewall configuration and ask for some assistance regarding a
> QoS problem I've been having. I do hope I'm posting in the right place
> and not violating any rules of etiquette; if I am, please let me know. :)
>
> The task at hand: differentiate between SSH packets and SCP packets
> using Shorewall 3.0.7. I'm aware that both use the same protocol and
> port and this is where the difficulty comes in. All of my other QoS
> info is being handled by prioritizing certain ports on certain
> machines. Those things which are deemed important (HTTP, SMTP, DNS,
> etc.) should be passed to tcclass 3; everything else should go to
> tcclass 5. Excepting my special rules for my VoIP phone (tcclass 1) and
> ACK packets (tcclass 2), this is an accurate representation of how
> things are working right now. My tcclasses file, for reference:
>
> eth0 1 100kbit 200kbit 1
> eth0 2 full/4 full 2 tcp-ack
> eth0 3 full/2 full 3
> eth0 4 50kbit 100kbit 4
> eth0 5 full/10 full*8/10 5 default,tos-maximize-throughput
>
> It all works great except for the "tos-maximize-throughput" option. I
> want packets with the Maximize Throughput TOS bit set to be routed to
> tcclass 5 regardless of all other rules. That way, SCP (which has
> Maximize Throughput set) will be lumped in with low priority batch
> transfers while SSH (which does not) will be treated with dignity and
> respect. I eventually hope to pass SCP to tcclass 4 so that it is
> treated as slightly more important than things like FTP downloads but
> still doesn't interfere with interactive connections.
>
> I've used wireshark to examine the incoming packets. SCP packets are
> definitely TOS-flagged properly, as are the SSH packets. However, when
> I use "watch tc -s qdisc" and perform an SCP transfer, it is very
> apparent that the SCP packets have been sent to tcclass 3. The only
> reason I can imagine this is happening is the set of rules I'm using to
> prioritize SSH:
>
> 3 0.0.0.0/0 0.0.0.0/0 tcp 22
> 3 0.0.0.0/0 0.0.0.0/0 tcp - 22
>
> However, the tcclasses documentation specifically says that packets
> which match the TOS options on a tcclass are sent to that class
> regardless of the mark on the packet. So I'm proceeding with the
> assumption that that isn't what's happening.
>
> Looking at the end of my Shorewall dump, I see this:
>
> Traffic Filters
>
> Device eth0:
> filter parent 1: protocol ip pref 10 u32
> filter parent 1: protocol ip pref 10 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:12
>   match 00060000/00ff0000 at 8
>   match 05000000/0f00ffc0 at 0
>   match 00100000/00ff0000 at 32
> filter parent 1: protocol ip pref 10 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:15
>   match 00080000/00080000 at 0
>
> I'm not exactly a tc expert but that looks to me like that's the part of
> the configuration which will distinguish between Maximize Throughput and
> otherwise for me. However, I'm quite sure that it's not working right;
> a friend of mine fetched a CD image from my machine using SCP earlier
> and it purely crippled my connection. I've been hammering away at this
> since with no success at all.
>
> Attached, you'll find my gzipped Shorewall dump (with the established
> connections section snipped out for brevity). The firewall is a Debian
> Etch machine (i686) running the stock Debian 2.6.17 kernel. I am
> prepared to compile a custom kernel if necessary, but I didn't see
> anything under the stock kernel config's netfilter section that wasn't
> at least compiled as a module. I will, of course, provide any other
> information which might illuminate the issue here.
>
> Thanks for reading! Any advice or suggestions are greatly appreciated.
> Shorewall has thus far done a fantastic job of replacing my old custom
> firewall script; this is pretty much the last hurdle I have to jump.
>
> Thanks again,
>
> Zachary Palmer
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
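The two u32 filters in Zachary's dump can be read back into header bytes: tc u32 compares the big-endian 32-bit word at the given byte offset (from the start of the IP header), ANDed with the mask, against the value. So `00080000/00080000 at 0` tests bit 0x08 of byte 1 (the TOS byte), which is Maximize Throughput, and the three matches for flowid 1:12 test protocol == 6, IHL == 5 with total length < 64, and TCP flags == ACK only. The Python below is an added example, not code from the thread or from Shorewall; it replays exactly those matches over constructed IPv4/TCP packets so one can check which of the two filters a given TOS/flag combination hits. It assumes the filters are tried in the listed order (order 2048 before 2049) and models only these two u32 filters, not the fwmark filters Shorewall's tcrules add, so a `None` result means "falls through to whatever comes next"; addresses, ports and sizes in the samples are made up.

```python
import struct

# The two u32 filters copied from the "Traffic Filters" section of the dump.
# By the class numbers in the tcclasses file, 1:12 appears to be class 2
# (tcp-ack) and 1:15 class 5 (tos-maximize-throughput).
# Assumption (not stated in the thread): filters are tried in listed order.
FILTERS = [
    ("1:12", ["00060000/00ff0000 at 8",    # byte 9: protocol == 6 (TCP)
              "05000000/0f00ffc0 at 0",    # IHL == 5 and total length < 64
              "00100000/00ff0000 at 32"]), # byte 33: TCP flags == ACK only
    ("1:15", ["00080000/00080000 at 0"]),  # byte 1: TOS bit 0x08 set
]

# TOS bits (RFC 1349), named as Shorewall's tcclasses tos-* options name them.
TOS_BITS = {
    0x10: "minimize-delay",
    0x08: "maximize-throughput",
    0x04: "maximize-reliability",
    0x02: "minimize-cost",
}


def tos_names(tos):
    """Return the Shorewall-style names of the TOS bits set in a TOS byte."""
    return [name for bit, name in TOS_BITS.items() if tos & bit]


def parse_match(match):
    """Turn 'VALUE/MASK at OFFSET' (as printed by tc) into integers."""
    value_mask, _, offset = match.split()
    value, mask = (int(x, 16) for x in value_mask.split("/"))
    return value, mask, int(offset)


def u32_matches(packet, matches):
    """True if every match holds: the big-endian 32-bit word at OFFSET,
    ANDed with MASK, equals VALUE. Offsets count from the IP header."""
    for value, mask, offset in map(parse_match, matches):
        word = struct.unpack_from("!I", packet, offset)[0]
        if word & mask != value:
            return False
    return True


def classify(packet, filters=FILTERS):
    """Flowid of the first u32 filter that matches, or None if the packet
    falls through to whatever later (fwmark) filters the kernel holds."""
    for flowid, matches in filters:
        if u32_matches(packet, matches):
            return flowid
    return None


def build_tcp_packet(tos, payload_len, tcp_flags, sport=22, dport=40000):
    """Construct a minimal IPv4/TCP packet for the example. Checksums are
    left zero (the filters never look at them); addresses are made up."""
    total_len = 20 + 20 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, tos, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return ip + tcp + bytes(payload_len)


if __name__ == "__main__":
    ACK, PSH = 0x10, 0x08
    samples = {
        "scp data segment (TOS 0x08, 1400 B)": build_tcp_packet(0x08, 1400, ACK),
        "ssh keystroke (TOS 0x10, 48 B)":      build_tcp_packet(0x10, 48, ACK | PSH),
        "bare ACK from ssh peer (TOS 0x10)":   build_tcp_packet(0x10, 0, ACK, 40000, 22),
        "bare ACK from scp peer (TOS 0x08)":   build_tcp_packet(0x08, 0, ACK, 40000, 22),
    }
    for label, pkt in samples.items():
        print(f"{label:38} tos={tos_names(pkt[1])} -> flowid {classify(pkt)}")
```

Run against the constructed samples, the full-size SCP segment with TOS 0x08 hits the 1:15 filter, the interactive SSH segment with TOS 0x10 matches neither u32 filter, and a bare ACK lands in 1:12 whichever TOS it carries, because the tcp-ack filter is tried first. The same decoding can be applied to any `match VALUE/MASK at OFFSET` line from a `shorewall dump` to confirm which header bytes a tcclasses option actually compiled into.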
