tc filter problems

Eric Tao
08-09-2010, 01:18 PM
Hi,

I am trying to divide a Linux router's traffic into several classes and shape
them using iptables and the tc fw filter. Below are my commands:

iptables:

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -s 10.1.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -s 10.2.0.0/16 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -s 10.3.0.0/16 -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -s 10.4.0.0/16 -j MARK --set-mark 4
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark


tc qdiscs and classes:

tc qdisc add dev eth0 root handle 1: htb default 14
tc class add dev eth0 parent 1: classid 1:1 htb rate 2mbps ceil 3mbps

tc class add dev eth0 parent 1:1 classid 1:10 htb rate 200kbps ceil 300kbps prio 0
tc qdisc add dev eth0 parent 1:10 handle 110: sfq perturb 10

tc class add dev eth0 parent 1:1 classid 1:11 htb rate 500kbps ceil 2mbps prio 1
tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 10

tc class add dev eth0 parent 1:1 classid 1:12 htb rate 200kbps ceil 2mbps prio 2
tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 10

tc class add dev eth0 parent 1:1 classid 1:13 htb rate 500kbps ceil 2mbps prio 3
tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 10

tc class add dev eth0 parent 1:1 classid 1:14 htb rate 600kbps ceil 2mbps prio 4
tc qdisc add dev eth0 parent 1:14 handle 114: sfq perturb 10


filters:

tc filter add dev eth0 parent 1: protocol ip prio 2 handle 1 fw flowid 1:11
tc filter add dev eth0 parent 1: protocol ip prio 3 handle 2 fw flowid 1:12
tc filter add dev eth0 parent 1: protocol ip prio 4 handle 3 fw flowid 1:13
tc filter add dev eth0 parent 1: protocol ip prio 5 handle 4 fw flowid 1:14


The result is that all traffic ignores the tc filters and goes only through
class 1:14, the default one.

Can anybody please point out the issue in my commands?
Thanks a lot.

-Eric
 
Eric Tao
08-10-2010, 02:58 AM
Can anybody please help me on this? The tc-filters manual is missing, and I
googled and found little help. I tried adjusting the prio values of classes
and filters; it still doesn't work. The iptables LOG target does show that
packets are properly marked.

I would really appreciate it if anyone with tc experience could give me a hint.

-Eric
 
D. Stussy
08-10-2010, 06:48 AM
"Eric Tao" <(E-Mail Removed)> wrote in message
news:i3qf8v$6li$(E-Mail Removed)...
> Can anybody please help me on this? tc-filters manual is missing and I
> googled and found little help. I tried adjusting prio values of classes
> and filters, still doesn't work. iptables LOG target does show that
> packages are properly marked.
>
> Really appreciate if anyone with tc experience can give me a hint.


Instead of using iptables to mark certain records, why not define the
conditionals in the tc filter section?


 
Andy Furniss
08-10-2010, 10:17 AM
Eric Tao wrote:
> Hi,
>
> I try to divide a linux router traffic into several classes and shape
> them using iptables and tc fw filter. Below are my commands:


Not sure why it isn't working; maybe more info about the setup of the
router and what you are trying to achieve would help, e.g. why you need to
use connmark for what could probably be done without it, whether eth0 is
connected to the WAN or the LAN, and any NAT rules anywhere.

Some general comments below, though they shouldn't affect your problem
as such.

>
> iptables:
>
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A PREROUTING -s 10.1.0.0/16 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -s 10.2.0.0/16 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -s 10.3.0.0/16 -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -s 10.4.0.0/16 -j MARK --set-mark 4
> iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
>
>
> tc qdiscs and classes:
>
> tc qdisc add dev eth0 root handle 1: htb default 14


HTB default on eth will catch arp, which is not really desirable.

> tc class add dev eth0 parent 1: classid 1:1 htb rate 2mbps ceil 3mbps


Why ceil 3mbps? Also, in case you didn't know, bps means bytes/sec in the
strange world of tc.

>
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 200kbps ceil
> 300kbps prio 0
> tc qdisc add dev eth0 parent 1:10 handle 110: sfq perturb 10


No filter for this class.

>
> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 500kbps ceil
> 2mbps prio 1
> tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 10
>
> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 200kbps ceil
> 2mbps prio 2
> tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 10
>
> tc class add dev eth0 parent 1:1 classid 1:13 htb rate 500kbps ceil
> 2mbps prio 3
> tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 10
>
> tc class add dev eth0 parent 1:1 classid 1:14 htb rate 600kbps ceil
> 2mbps prio 4
> tc qdisc add dev eth0 parent 1:14 handle 114: sfq perturb 10
>
>
> filters:
>
> tc filter add dev eth0 parent 1: protocol ip prio 2 handle 1 fw flowid 1:11
> tc filter add dev eth0 parent 1: protocol ip prio 3 handle 2 fw flowid 1:12
> tc filter add dev eth0 parent 1: protocol ip prio 4 handle 3 fw flowid 1:13
> tc filter add dev eth0 parent 1: protocol ip prio 5 handle 4 fw flowid 1:14
>
>
> The result is all traffic doesn't respect tc filters and go only thru
> class 1:14, the default one.


I haven't played with tc for ages now, but I can't see anything wrong with
this as such. I've never used connmark; try without it and see if it
helps. My old home gateway/shaper box is quite out of date. I recently
put a new kernel on it, but my tc/iptables rules stopped working. I just
reverted to the old kernel until I get around to seeing why.
 
buck
08-10-2010, 05:21 PM
Eric Tao <(E-Mail Removed)> wrote in
news:i3ov7h$j31$(E-Mail Removed):

> Hi,
>
> I try to divide a linux router traffic into several classes and shape
> them using iptables and tc fw filter. Below are my commands:
>
> iptables:
>
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A PREROUTING -s 10.1.0.0/16 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -s 10.2.0.0/16 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -s 10.3.0.0/16 -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -s 10.4.0.0/16 -j MARK --set-mark 4
> iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
>
>
> tc qdiscs and classes:
>
> tc qdisc add dev eth0 root handle 1: htb default 14
> tc class add dev eth0 parent 1: classid 1:1 htb rate 2mbps ceil 3mbps
>
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 200kbps ceil
> 300kbps prio 0
> tc qdisc add dev eth0 parent 1:10 handle 110: sfq perturb 10
>
> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 500kbps ceil
> 2mbps prio 1
> tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 10
>
> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 200kbps ceil
> 2mbps prio 2
> tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 10
>
> tc class add dev eth0 parent 1:1 classid 1:13 htb rate 500kbps ceil
> 2mbps prio 3
> tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 10
>
> tc class add dev eth0 parent 1:1 classid 1:14 htb rate 600kbps ceil
> 2mbps prio 4
> tc qdisc add dev eth0 parent 1:14 handle 114: sfq perturb 10


Set all these PRIOs to the same non-zero value (1 will do) and try
again.

I also recommend 2-digit values for HANDLEs.

I'm busy, so I can't promise a fast response, but I'll help more (if
you need more help) when I can,
--
buck
 
buck
08-10-2010, 06:08 PM
Eric Tao <(E-Mail Removed)> wrote in
news:i3ov7h$j31$(E-Mail Removed):

> Hi,
>
> I try to divide a linux router traffic into several classes and shape
> them using iptables and tc fw filter. Below are my commands:
>
> iptables:


snip

> filters:
>
> tc filter add dev eth0 parent 1: protocol ip prio 2 handle 1 fw flowid 1:11
> tc filter add dev eth0 parent 1: protocol ip prio 3 handle 2 fw flowid 1:12
> tc filter add dev eth0 parent 1: protocol ip prio 4 handle 3 fw flowid 1:13
> tc filter add dev eth0 parent 1: protocol ip prio 5 handle 4 fw flowid 1:14


Set all these PRIOs to the same value - perhaps 4. Use PROTOCOL all.

Make sure your firewall marks survive by setting up a rule with no
jump that matches the FW MARK value and then check packet counts.

> -Eric

--
buck
 
Eric Tao
08-11-2010, 06:02 AM
D. Stussy wrote:
> "Eric Tao" <(E-Mail Removed)> wrote in message
> news:i3qf8v$6li$(E-Mail Removed)...
>> Can anybody please help me on this? tc-filters manual is missing and I
>> googled and found little help. I tried adjusting prio values of classes
>> and filters, still doesn't work. iptables LOG target does show that
>> packages are properly marked.
>>
>> Really appreciate if anyone with tc experience can give me a hint.

>
> Instead of using iptables to mark certain records, why not define the
> conditionals in the tc filter section?
>
>


Thank you for your reply. I need to use the iptables ipp2p match to pick out
p2p traffic; tc's native filters don't support that.
 
Eric Tao
08-11-2010, 06:18 AM
Hi Andy, thank you for your reply. Finally I found what's wrong with my
setup. I intended to shape traffic on a VPN router. In my setup, all the
packets I marked are on a pppX link created by pppd, while the htb qdisc is
actually on eth0. So the marked traffic never went into the htb classes.

I read in the docs in the iproute2 source that fw requires the ipfwchains
patch, and later I found that was only true in the ipchains days. Those are
really old docs. But I am glad that tc and its filters do work after I
adjusted my setup.

Andy Furniss wrote:
> Eric Tao wrote:
>> Hi,
>>
>> I try to divide a linux router traffic into several classes and shape
>> them using iptables and tc fw filter. Below are my commands:

>
> Not sure why it isn't working, maybe more info about the setup of the
> router and what you are trying to achieve would help eg. why you need to
> use connmark for what could probably be done without, what is eth0
> connected to wan or lan, any nat rules anywhere.
>
> Some general comments below - though they shouldn't affect your problem
> as such.
>
>>
>> iptables:
>>
>> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
>> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
>> iptables -t mangle -A PREROUTING -s 10.1.0.0/16 -j MARK --set-mark 1
>> iptables -t mangle -A PREROUTING -s 10.2.0.0/16 -j MARK --set-mark 2
>> iptables -t mangle -A PREROUTING -s 10.3.0.0/16 -j MARK --set-mark 3
>> iptables -t mangle -A PREROUTING -s 10.4.0.0/16 -j MARK --set-mark 4
>> iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
>>
>>
>> tc qdiscs and classes:
>>
>> tc qdisc add dev eth0 root handle 1: htb default 14

>
> HTB default on eth will catch arp, which is not really desirable.
>
>> tc class add dev eth0 parent 1: classid 1:1 htb rate 2mbps ceil 3mbps

>
> Why ceil 3mbps, also incase you didn't know bps means bytes/sec in the
> strange world of tc.
>
>>
>> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 200kbps ceil
>> 300kbps prio 0
>> tc qdisc add dev eth0 parent 1:10 handle 110: sfq perturb 10

>
> No filter for this class.
>
>>
>> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 500kbps ceil
>> 2mbps prio 1
>> tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 10
>>
>> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 200kbps ceil
>> 2mbps prio 2
>> tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 10
>>
>> tc class add dev eth0 parent 1:1 classid 1:13 htb rate 500kbps ceil
>> 2mbps prio 3
>> tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 10
>>
>> tc class add dev eth0 parent 1:1 classid 1:14 htb rate 600kbps ceil
>> 2mbps prio 4
>> tc qdisc add dev eth0 parent 1:14 handle 114: sfq perturb 10
>>
>>
>> filters:
>>
>> tc filter add dev eth0 parent 1: protocol ip prio 2 handle 1 fw flowid
>> 1:11
>> tc filter add dev eth0 parent 1: protocol ip prio 3 handle 2 fw flowid
>> 1:12
>> tc filter add dev eth0 parent 1: protocol ip prio 4 handle 3 fw flowid
>> 1:13
>> tc filter add dev eth0 parent 1: protocol ip prio 5 handle 4 fw flowid
>> 1:14
>>
>>
>> The result is all traffic doesn't respect tc filters and go only thru
>> class 1:14, the default one.

>
> I haven't played with tc for ages now, but can't see anything wrong with
> this as such. I've never used connmark - try without it and see if it
> helps. My old home gateway/shaper box is quite out of date. I recently
> put a new kernel on it but my tc/iptables rules stopped working. I just
> reverted to the old kernel until I get around to seeing why.


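Two offline checks that follow from buck's packet-count advice and Eric's finding above, as an added example that is not part of the thread: they parse `tc qdisc show` and `tc -s class show` output to tell whether the HTB tree sits on the interface the marked traffic actually leaves by, and whether any non-default leaf class has carried packets. The sample command output is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): two checks a shaper operator can run
# to confirm that marked packets actually reach the intended HTB classes.
# Both functions parse text, so they can be exercised offline on the
# constructed samples below; on a live box feed them the real command output.

# Constructed `tc qdisc show` output: the thread's HTB tree sits on eth0
# while the marked traffic leaves via ppp0, which still has the stock qdisc.
SAMPLE_QDISC='qdisc htb 1: dev eth0 root refcnt 2 r2q 10 default 14 direct_packets_stat 0
qdisc sfq 110: dev eth0 parent 1:10 limit 127p quantum 1514b perturb 10sec
qdisc pfifo_fast 0: dev ppp0 root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1'

# Constructed `tc -s class show dev eth0` output showing the symptom from the
# thread: only the default leaf 1:14 has ever sent a packet.
SAMPLE_CLASSES='class htb 1:1 root rate 16000Kbit ceil 24000Kbit burst 1600b cburst 1600b
 Sent 812345 bytes 1042 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:10 parent 1:1 leaf 110: prio 0 rate 1600Kbit ceil 2400Kbit burst 1600b cburst 1600b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:11 parent 1:1 leaf 111: prio 1 rate 4000Kbit ceil 16000Kbit burst 1600b cburst 1600b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:14 parent 1:1 leaf 114: prio 4 rate 4800Kbit ceil 16000Kbit burst 1600b cburst 1600b
 Sent 812345 bytes 1042 pkt (dropped 0, overlimits 0 requeues 0)'

# root_qdisc_kind DEV QDISC_OUTPUT -> prints the kind of DEV's root qdisc
# (e.g. "htb" or "pfifo_fast"); prints nothing if DEV has no root entry.
root_qdisc_kind() {
    printf '%s\n' "$2" | awk -v dev="$1" \
        '$1 == "qdisc" && $4 == "dev" && $5 == dev && $6 == "root" { print $2 }'
}

# leaf_packet_counts CLASS_OUTPUT -> one "classid packets" line per HTB leaf.
leaf_packet_counts() {
    printf '%s\n' "$1" | awk '
        /^class htb/ { cls = $3; leaf = ($0 ~ / leaf /) }
        /^ *Sent /   { if (leaf) print cls, $4; leaf = 0 }'
}

# shaping_effective DEFAULT_CLASSID CLASS_OUTPUT -> exit 0 if any leaf other
# than the default has carried packets, 1 if everything fell through to the
# default class (the thread's symptom: the fw filters never matched anything).
shaping_effective() {
    leaf_packet_counts "$2" | awk -v def="$1" \
        '$1 != def && $2 > 0 { hit = 1 } END { exit hit ? 0 : 1 }'
}

# Offline run on the constructed samples.
echo "root qdisc on ppp0: $(root_qdisc_kind ppp0 "$SAMPLE_QDISC")"
shaping_effective 1:14 "$SAMPLE_CLASSES" || echo "all traffic in default class"
```

On a live router the same functions take `"$(tc qdisc show)"` and `"$(tc -s class show dev "$DEV")"` as arguments; a root qdisc other than htb on the interface carrying the marked packets is exactly the mismatch Eric found.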
 
Eric Tao
08-11-2010, 06:25 AM
Thanks for the reply. The PRIOs are different for a reason: for classes it
can be 0, while for filters it should be larger than 0, from my experience.

buck wrote:
> Eric Tao <(E-Mail Removed)> wrote in
> news:i3ov7h$j31$(E-Mail Removed):
>
>> Hi,
>>
>> I try to divide a linux router traffic into several classes and shape
>> them using iptables and tc fw filter. Below are my commands:
>>
>> iptables:

>
> snip
>
>> filters:
>>
>> tc filter add dev eth0 parent 1: protocol ip prio 2 handle 1 fw flowid 1:11
>> tc filter add dev eth0 parent 1: protocol ip prio 3 handle 2 fw flowid 1:12
>> tc filter add dev eth0 parent 1: protocol ip prio 4 handle 3 fw flowid 1:13
>> tc filter add dev eth0 parent 1: protocol ip prio 5 handle 4 fw flowid 1:14

>
> Set all these PRIOs to the same value - perhaps 4. Use PROTOCOL all.
>
> Make sure your firewall marks survive by setting up a rule with no
> jump that matches the FW MARK value and then check packet counts.
>
>> -Eric

> --
> buck

 
D. Stussy
08-11-2010, 07:02 AM
"Eric Tao" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> D. Stussy wrote:
> > "Eric Tao" <(E-Mail Removed)> wrote in message
> > news:i3qf8v$6li$(E-Mail Removed)...
> >> Can anybody please help me on this? tc-filters manual is missing and I
> >> googled and found little help. I tried adjusting prio values of classes
> >> and filters, still doesn't work. iptables LOG target does show that
> >> packages are properly marked.
> >>
> >> Really appreciate if anyone with tc experience can give me a hint.

> >
> > Instead of using iptables to mark certain records, why not define the
> > conditionals in the tc filter section?

>
> Thank you for your reply. I need to use iptables ipp2p match to pick out
> p2p traffic. tc native filters doesn't support that.


OK, but the rules you posted did not include such:

>> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
>> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
>> iptables -t mangle -A PREROUTING -s 10.1.0.0/16 -j MARK --set-mark 1
>> iptables -t mangle -A PREROUTING -s 10.2.0.0/16 -j MARK --set-mark 2
>> iptables -t mangle -A PREROUTING -s 10.3.0.0/16 -j MARK --set-mark 3
>> iptables -t mangle -A PREROUTING -s 10.4.0.0/16 -j MARK --set-mark 4
>> iptables -t mangle -A PREROUTING -j CONNMARK --save-mark


Nowhere is any reference to an application.
