Re: Question about wondershaper

To: debian-firewall@lists.debian.org
Subject: Re: Question about wondershaper
From: Andre Majorel <aym-naibed@teaser.fr>
Date: Fri, 3 Dec 2004 14:50:10 +0100
Message-id: <[🔎] 20041203135010.GB18358@teaser.fr>
In-reply-to: <41AA23B6.2040708@wanadoo.fr>
References: <41AA23B6.2040708@wanadoo.fr>
On 2004-11-28 19:15 +0000, Jean-Michel Hiver wrote:

> I'm toying around with wondershaper but can't get it to work very well.
> 
> I am on a fairly crappy ISDN connection (64 kbps up, 64kbps down) - top 
> download @ about 7.7 ko/sec. I run it on a debian box with a 2.6 kernel 
> which acts as gateway / nat server.
> 
> Whenever there is a download on my home network, pings to say, 
> google.com skyrocket to 6000+ms as opposed to 300-400ms (I live in 
> Reunion and I am on a fairly crappy ISDN connection=> high ping anyways).
> 
> I have tried various parameters (wondershaper 64 64, wondershaper 60 60, 
> wondershaper 56 56, etc) and it doesn't seem to do much at all.
> 
> Only when I put ridiculous values (such as wondershaper 8 8) I get a 
> "decent" ping, but then of course the download goes right down to 2 ko/sec.
> 
> Any ideas?

I can't help you with wondershaper specifically, but I use a
similar script, based on myshaper, which is itself based on
wondershaper. My experience is that, from behind an ADSL modem
running in bridge mode, you have to cap the upload rate to 90 kbps
(for a 128 kbps connection) or 180 kbps (for a 256 kbps
connection). I.e. for the upload throttle to be effective, it has
to be about 70% of the nominal upload bandwidth.

If you go above that, it may work most of the time, but you will
still have latency spikes under certain circumstances.

The "interesting" part of my script follows :

----------------------------------------------------------------
#
#	cmd_reset - reset everything to a known state
#
cmd_reset ()
{
  (
    set +e				# Errors occur the first time
    tc qdisc del dev $DEV root
    tc qdisc del dev imq0 root
    iptables -t mangle -D POSTROUTING -o $DEV -j MYSHAPER-OUT
    iptables -t mangle -F MYSHAPER-OUT
    iptables -t mangle -X MYSHAPER-OUT
    iptables -t mangle -D PREROUTING -i $DEV -j MYSHAPER-IN
    iptables -t mangle -F MYSHAPER-IN
    iptables -t mangle -X MYSHAPER-IN
    ip link set imq0 down
    rmmod imq
    true
  )
}


#
#	cmd_startout - outbound Shaping (limits total bandwidth to RATEUP)
#
cmd_startout ()
{
  # set queue size to give latency of about 2 seconds on low-prio packets
  ip link set dev $DEV qlen 30

  # changes mtu on the outbound device.  Lowering the mtu will result
  # in lower latency but will also cause slightly lower throughput due
  # to IP and TCP protocol overhead.
  #ip link set dev $DEV mtu 1000

  # add HTB root qdisc
  tc qdisc add dev $DEV root handle 1: htb default 26

  # add main rate limit classes
  tc class add dev $DEV parent 1: classid 1:1 htb rate ${RATEUP}kbit

  # add leaf classes
  (
    cmd2 ()
    {
      if expr "$2" : '[0-9]\+%$' >/dev/null
      then
        rate=$[RATEUP * ${2%\%}00 / 10000]
	if [ $rate = 0 ]
	then
	  rate=1
	fi
      else
        rate="$2"
      fi
      tc class add dev $DEV parent 1:1 classid 1:2$1 htb		\
	rate "${rate}kbit"						\
	ceil ${RATEUP}kbit						\
	prio $1
    }

    # Usage: cmd2 prio guaranteed-bandwidth-percentage%

    cmd2 0  5%	# 20 - Ping (ICMP)
    cmd2 1 18%	# 21 - UDP + small SSH/Telnet packets
    cmd2 2 50%	# 22 - big SSH/Telnet packets
    cmd2 3 15%	# 23 - small packets
    cmd2 4 10%	# 24 - interactive services for small documents (HTTP)
    cmd2 5  1%	# 25 - interactive services for bulk data (FTP)
    cmd2 6  1%	# 26 - lowest priority, the equivalent of nice -20.
		#      Used for non-interactive background services such
		#      as $P2P_PROTOCOL.
  )

  # attach qdisc to leaf classes
  #
  # here we at SFQ to each priority class.  SFQ insures that within each
  # class connections will be treated (almost) fairly.
  tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
  tc qdisc add dev $DEV parent 1:21 handle 21: sfq perturb 10
  tc qdisc add dev $DEV parent 1:22 handle 22: sfq perturb 10
  tc qdisc add dev $DEV parent 1:23 handle 23: sfq perturb 10
  tc qdisc add dev $DEV parent 1:24 handle 24: sfq perturb 10
  tc qdisc add dev $DEV parent 1:25 handle 25: sfq perturb 10
  tc qdisc add dev $DEV parent 1:26 handle 26: sfq perturb 10

  # filter traffic into classes by fwmark
  #
  # here we direct traffic into priority class according to the fwmark set
  # on the packet (we set fwmark with iptables later).  Note that above
  # we've set the default priority class to 1:26 so unmarked packets (or
  # packets marked with unfamiliar IDs) will be defaulted to the lowest
  # priority class.
  tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
  tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 21 fw flowid 1:21
  tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 22 fw flowid 1:22
  tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 23 fw flowid 1:23
  tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 24 fw flowid 1:24
  tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 25 fw flowid 1:25
  tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 26 fw flowid 1:26

  # add MYSHAPER-OUT chain to the mangle table in iptables
  #
  # this sets up the table we'll use to filter and mark packets.
  iptables -t mangle -N MYSHAPER-OUT
  iptables -t mangle -I POSTROUTING -o $DEV -j MYSHAPER-OUT

  # add fwmark entries to classify different types of traffic
  #
  # Set fwmark from 20-26 according to desired class. 20 is highest prio.
  (
    cmd2 ()
    {
      mark="$1"
      shift
      iptables -t mangle -A MYSHAPER-OUT $* -j MARK --set-mark "$mark"
    }

    cmd2 23 -p tcp --sport 0:1023	# Default for low port traffic
    cmd2 23 -p tcp --dport 0:1023	# ""
    cmd2 26 -p tcp --dport 20		# ftp-data port, low prio
    cmd2 20 -p icmp			# ICMP (ping) - high prio, impress
					# friends
    cmd2 21 -p udp			# DNS name resolution (small packets)

    # SSH is split between two classes. This is so that transfering bulk
    # data over SSH doesn't prevent you from using interative SSH.
    cmd2 22 -p tcp --dport ssh
    cmd2 22 -p tcp --sport ssh
    cmd2 21 -p tcp --dport ssh -m length --length :999
    cmd2 21 -p tcp --sport ssh -m length --length :999

    cmd2 22 -p tcp --dport telnet
    cmd2 22 -p tcp --sport telnet
    cmd2 21 -p tcp --dport telnet -m length --length :999
    cmd2 21 -p tcp --sport telnet -m length --length :999

    cmd2 24 -p tcp --sport http		# Local web server
    cmd2 25 -p tcp --sport 20		# Local FTP server
    cmd2 26 -p tcp --sport $P2P_PORT	# Local $P2P_PROTOCOL server
    cmd2 26 -p tcp --dport $P2P_PORT	# Remote $P2P_PROTOCOL server
    # Was 21
    cmd2 23 -p tcp -m length --length :64 # small packets (probably just ACKs)
    cmd2 26 -m mark --mark 0		# redundant- mark any unmarked packets
					# as 26 (low prio)
  )

  echo "Outbound shaping added to $DEV.  Rate: ${RATEUP}kbit/sec."
}
----------------------------------------------------------------

Note that one issue with this script is that it does not
distinguish between uploads initiated by you, and uploads
resulting from other machines on the net wanting to download from
your machine. Because of this, uploading a file to an FTP server
is slow.

-- 
André Majorel <URL:http://www.teaser.fr/~amajorel/>
Do not use this account for regular correspondence.
See the URL above for contact information.
Reply to:
Follow-Ups:
- Re: Question about wondershaper
  - From: Mike Mestnik <cheako911@yahoo.com>
Prev by Date: Re: Firewall Debian vs SUSE
Next by Date: Re: Question about wondershaper
Previous by thread: Re: Question about wondershaper
Next by thread: Re: Question about wondershaper
Index(es):
- Date
- Thread