
Re: htb traffic control misfunction



August 9, 2005, 14:32,
"Martin G.H. Minkler" <dukeofnukem@gmx.net>
-> Debian-Firewall <debian-firewall@lists.debian.org>,LeVA:
> Alohá!
>
> LeVA wrote:
> > ------------###------------
> > # internet
> > iptables -t mangle -A POSTROUTING -d ! 192.168.0.0/24 -j MARK --set-mark 1
> > # localnet
> > iptables -t mangle -A POSTROUTING -d 192.168.0.0/24 -j MARK --set-mark 2
> >
> > tc qdisc add dev eth0 root handle 1:0 htb default 1
> >
> > tc class add dev eth0 parent 1:0 classid 1:1 htb rate 100mbit
> > tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbit
> >
> > # mark 1, this is internet
> > tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 1 fw classid 1:10
> > # mark 2, this is localnet
> > tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 2 fw classid 1:1
> >
> > ------------###------------
> >
> >
> > With this configuration, my upload speed is 128kbit/s, no matter what is
> > the destination. It seems, that the filter for handle 2 is getting
> > ignored, and I get 128kbit/s upload speed on my localnet too.
>
> Are the required kernel modules loaded or compiled in? The MARK-target
> for iptables as well as all the QoS-modules (out of which so far You
> don't seem to be using any but sch_prio.o) are separate modules that
> either need to be included in modules.conf, modprobed by the script
> itself or even statically compiled in the kernel (as I have done since
> I'm trying to cope without Module support in my Kernels).
I've checked and all modules are either compiled in, or loaded when running 
the script.
>
> Try running the scripts "undetached" and manually from Your console and
> see what the output is (no news is good news).
All the commands are valid, I get no error messages, and I can list the 
classes and the filters which I've added.
>
> Another thing: IIRC tc filter handles _flowids_ not _classids_. The
> manpage of tc sure knows more about the syntax than me :-)
It didn't give me an error message, so I think it could be right to use the
classids, but I've also tried the flowid, and it still did not work.
>
> And finally: MARKing in POSTROUTING is probably not correct for packets
> sourced from the machine itself since AFAIK tc works on the FILTER chain
> in the OUTPUT table and never gets to see anything MARKed if You MARK
> packets in the POSTROUTING table that is traversed _after_ OUTPUT.
Now I'm adding the marking rules to the OUTPUT chain of the mangle table.

But I think something is _really_ wrong here:

I've set up a test case which is the following.

I have another machine here which is 192.168.0.11, and my ip is 192.168.0.3.
I've added this rule:

  iptables -t mangle -A OUTPUT -d 192.168.0.11 -j MARK --set-mark 1

This will mark every packet whose destination is 192.168.0.11, right?
And here comes the iproute thing:

  tc qdisc add dev eth0 root handle 1:0 htb

  tc class add dev eth0 parent 1:0 classid 1:10 htb rate 128kbit

  tc filter add dev eth0 parent 1:1 protocol ip prio 0 handle 1 fw flowid 1:10

With this simple setup, if I upload to 192.168.0.11, then it must go with 
128kbit/sec, because I am marking the packets, and the tc-filter is directing 
them to the 1:10 class, which has a 128kbit/sec rate limit. But this is not 
happening. The upload goes with 100mbit/sec, because somehow the filter rule 
won't get used. I tried it with both `flowid' and `classid' in the `tc filter 
add' command, but no success.

What on earth could be the problem?

Thanks!

Daniel


P.S.: please don't cc me

-- 
LeVA
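
An added example, not part of the original message: a small Python check that every `parent`, `flowid` and `classid` reference in a set of `tc ... add` commands points at a handle that some `qdisc` or `class` line declares on the same device. The names `lint`, `norm` and `opt` are hypothetical; the two inputs are the command sets quoted in this message.

```python
# Added example: handle-consistency check for tc commands (helper names are hypothetical).

# Test case from the message, verbatim.
TEST_CASE = """\
tc qdisc add dev eth0 root handle 1:0 htb
tc class add dev eth0 parent 1:0 classid 1:10 htb rate 128kbit
tc filter add dev eth0 parent 1:1 protocol ip prio 0 handle 1 fw flowid 1:10
"""

# First configuration quoted in the message, with the mail line wraps joined.
FIRST_CONFIG = """\
tc qdisc add dev eth0 root handle 1:0 htb default 1
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbit
tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 1 fw classid 1:10
tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 2 fw classid 1:1
"""

def norm(handle):
    """Normalise a tc handle ('1:', '1:0', '1:10') to (major, minor); both parts are hex."""
    major, _, minor = handle.partition(":")
    return (int(major or "0", 16), int(minor or "0", 16))

def opt(words, key):
    """Return the word that follows `key` on the command line, or None."""
    return words[words.index(key) + 1] if key in words[:-1] else None

def lint(script):
    """List every parent/flowid/classid reference that no qdisc or class declares."""
    declared, refs = set(), []
    for n, line in enumerate(script.splitlines(), 1):
        w = line.split("#")[0].split()          # drop trailing shell comments
        if len(w) < 4 or w[0] != "tc" or w[2] != "add":
            continue
        kind, dev = w[1], opt(w, "dev")
        # qdisc declares its 'handle', class declares its 'classid'.
        decl_key = {"qdisc": "handle", "class": "classid"}.get(kind)
        if decl_key and opt(w, decl_key):
            declared.add((dev, norm(opt(w, decl_key))))
        # On a filter, 'handle' is the fwmark, while 'classid' is a reference.
        for key in ("parent", "flowid") + (("classid",) if kind == "filter" else ()):
            if opt(w, key):
                refs.append((n, dev, key, opt(w, key)))
    return [f"line {n}: {key} {h} is not declared on {dev}"
            for n, dev, key, h in refs if (dev, norm(h)) not in declared]

if __name__ == "__main__":
    for name, script in (("first config", FIRST_CONFIG), ("test case", TEST_CASE)):
        print(name, lint(script) or "all references declared")
```

On the test case it reports the filter's `parent 1:1`, since only `1:0` and `1:10` are declared there; the first configuration passes this particular check.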


