salam (Apprentice, Joined: 29 Sep 2005, Posts: 226)
Posted: Tue May 30, 2006 7:02 pm    Post subject: need help with htb

Hello,
I've set up an htb control file. All seems to work fine (speed limiting is ok), but I have 2 problems:

1) How can I set up tc filter to accept destination IP AND source port (and perhaps a list or range of ports)? (I've tried many combinations of u32 and match, but I cannot find a correct syntax [does something extra need to be compiled into the kernel for port match?])
And perhaps inversion? (NOT a port (list, range))

2) I've manually entered a command:

    tc filter del dev eth0 parent 1:0 protocol ip prio 2 u32 match ip dst 192.168.33.15 flowid 1:111

(intending to remove one IP from htb added with "tc filter add dev eth0 parent 1:0 protocol ip prio 2 u32 match ip dst 192.168.33.15 flowid 1:111"), but it acted as "tc filter del dev eth0", so it removed all hosts instead of only this one line.
(Tried also "tc filter remove dev eth0 parent 1:0 protocol ip prio 2 u32 match ip dst 192.168.33.15 flowid 1:111", but remove doesn't seem to work with filters.) -> Command "remove" is unknown, try "tc filter help"
So from help:

    Usage: tc filter [ add | del | change | get ] dev STRING

-> no idea how to remove a single filter.
Any ideas?

nielchiano (Veteran, Joined: 11 Nov 2003, Posts: 1287, Location: 50N 3E)
Posted: Tue May 30, 2006 9:38 pm    Post subject: Re: need help with htb

salam wrote:
> 1) How can I set up tc filter to accept destination IP AND source port (and perhaps a list or range of ports)? (I've tried many combinations of u32 and match, but I cannot find a correct syntax [does something extra need to be compiled into the kernel for port match?])
> And perhaps inversion? (NOT a port (list, range))

I have this in my scripts, and it doesn't complain:

Code:
tc filter add dev ppp0 parent 1: protocol ip prio 10 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u8 0x10 0xff at nexthdr+14 \
    match u16 0x0000 0xffc0 at 2 \
    flowid 1:12

So apparently, just specify multiple matches after each other.
About the negative match: what about doing a positive match to the "wrong" class? I mean, if you want everything not-port-80 to go to 1:10, just put port-80 in 1:11 and the rest in 1:10?

salam wrote:
> 2) I've manually entered a command:
> tc filter del dev eth0 parent 1:0 protocol ip prio 2 u32 match ip dst 192.168.33.15 flowid 1:111 (intending to remove one IP from htb added with "tc filter add dev eth0 parent 1:0 protocol ip prio 2 u32 match ip dst 192.168.33.15 flowid 1:111")
> but it acted as "tc filter del dev eth0", so it removed all hosts instead of only this one line

It's been a while, but I think the problem is the "parent 1:0" in the delete statement: it thinks you want to delete the parent (and all children). Try to delete the filter with its handle.

salam (Apprentice, Joined: 29 Sep 2005, Posts: 226)
Posted: Wed May 31, 2006 7:14 pm

This one works well:

    tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 192.168.33.15 match ip sport 22 0xffff flowid 1:1111

So problem 1 is (partially) solved. I think I'll have to use fwmarks to match multiple ports.
I've been googling a bit about deleting tc filter rules and found out it is not possible to delete rules one by one if they have the same priority, and that each filter rule should have a different prio. I do not understand why, as I want the same priority for all the hosts, but point them to different classes like:

Code:
tc filter add dev eth0 parent 1:0 protocol ip prio 2 u32 match ip dst 192.168.33.121 flowid 1:114
tc filter add dev eth0 parent 1:0 protocol ip prio 2 u32 match ip dst 192.168.33.149 flowid 1:115

where 1:114 and 1:115 are configured:

Code:
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 2048kbit ceil 2300kbit burst 32b   # main class
tc class add dev eth0 parent 1:11 classid 1:114 htb rate 256kbit ceil 2000kbit
tc class add dev eth0 parent 1:11 classid 1:115 htb rate 256kbit ceil 2000kbit

So this way every member of the main class will have a minimum (own) and a maximum (shared with others) limit.
I'm not an htb guru, but so far this worked well. I'm quite confused about the priority parameter in tc filter and the same in tc class. Is there any difference?

nielchiano (Veteran, Joined: 11 Nov 2003, Posts: 1287, Location: 50N 3E)
Posted: Wed May 31, 2006 7:22 pm

salam wrote:
> I've been googling a bit about deleting tc filter rules and found out it is not possible to delete rules one by one if they have the same priority, and that each filter rule should have a different prio. I do not understand why, as I want the same priority for all the hosts, but point them to different classes like:
>
> Code:
> tc filter add dev eth0 parent 1:0 protocol ip prio 2 u32 match ip dst 192.168.33.121 flowid 1:114
> tc filter add dev eth0 parent 1:0 protocol ip prio 2 u32 match ip dst 192.168.33.149 flowid 1:115
>
> where 1:114 and 1:115 are configured:
>
> Code:
> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 2048kbit ceil 2300kbit burst 32b   # main class
> tc class add dev eth0 parent 1:11 classid 1:114 htb rate 256kbit ceil 2000kbit
> tc class add dev eth0 parent 1:11 classid 1:115 htb rate 256kbit ceil 2000kbit
>
> So this way every member of the main class will have a minimum (own) and a maximum (shared with others) limit.
> I'm not an htb guru, but so far this worked well. I'm quite confused about the priority parameter in tc filter and the same in tc class. Is there any difference?

I think that the filter priority is the way you apply filters: higher priorities are matched first.
Once the packet is in a class, the class priority selects how "quick" it gets out of there.
To delete filters: have you tried the handle thing?
Maybe a nice link: http://lartc.org/howto/

salam (Apprentice, Joined: 29 Sep 2005, Posts: 226)
Posted: Thu Jun 01, 2006 4:47 am

Tried also handle, but with no success.
I've also been thinking of using a patch for iptables, "ipmark", which seems to be better than single-marking each host.
On the other side, there is also a "classify" patch, and as I cannot use ip src on the external iface to control upload (because the source IP is NAT-ed before it reaches the filter), I'll have to try one of these to see which one is better.
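Added example, not taken from any post in this thread: a Python script covering the two questions above. It builds the u32 filters for "destination IP AND source-port range" (a u32 filter ANDs its matches and has no NOT, so a range is cut into power-of-two aligned blocks with one filter per block, and "everything except a range" is done with the positive-match trick from the first reply), gives every filter an explicit handle, and parses `tc filter show dev eth0` output to build a delete command for one filter by priority and handle. Assumptions: device eth0 and parent 1:0 as in the thread; u32 handles written as 800::N, where 800: is the default table of each priority; and the `fh 800::800 ... / match c0a82179/ffffffff at 16` output format of `tc filter show`, reproduced here as a constructed sample. The script only prints command lines; it never runs tc.

```python
"""Added example (not from the thread): u32 filters for 'dst IP AND source-port range',
each with its own handle so a single one can be deleted later. Assumes dev eth0 and
parent 1:0 as in the thread. It only builds tc command lines; nothing here runs tc."""
import ipaddress
import re

DEV = "eth0"     # assumption: same interface and qdisc as in the thread
PARENT = "1:0"


def port_range_to_masks(lo, hi):
    """Split an inclusive port range into (value, mask) pairs for 'match ip sport VALUE MASK'.
    u32 tests (sport & MASK) == VALUE, so the range has to be cut into power-of-two aligned
    blocks, exactly like aggregating an address range into CIDR prefixes."""
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError("need 0 <= lo <= hi <= 65535")
    pairs = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned on lo and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return pairs


def u32_filters(dst_ip, port_lo, port_hi, flowid, prio, first_node=1):
    """One 'tc filter add' per block: matches inside a single u32 filter are ANDed, so a
    range needs several filters. Each gets an explicit handle 800::N (hex node id in the
    default table 800: of that priority) so it can be removed on its own afterwards."""
    ipaddress.IPv4Address(dst_ip)  # reject typos early
    cmds = []
    for node, (value, mask) in enumerate(port_range_to_masks(port_lo, port_hi), first_node):
        cmds.append(
            f"tc filter add dev {DEV} parent {PARENT} protocol ip prio {prio} "
            f"handle 800::{node:x} u32 match ip dst {dst_ip} "
            f"match ip sport {value} 0x{mask:04x} flowid {flowid}")
    return cmds


def all_but_range(dst_ip, port_lo, port_hi, class_in, class_out):
    """u32 has no NOT. As the first reply suggests: match the range positively at prio 1
    (checked before prio 2) into class_in, then catch everything else for that host at
    prio 2 into class_out. Handles are per priority, so 800::1 is free again at prio 2."""
    cmds = u32_filters(dst_ip, port_lo, port_hi, class_in, prio=1)
    cmds.append(f"tc filter add dev {DEV} parent {PARENT} protocol ip prio 2 "
                f"handle 800::1 u32 match ip dst {dst_ip} flowid {class_out}")
    return cmds


# Constructed sample of 'tc filter show dev eth0' for the two prio-2 filters in the thread
# (192.168.33.121 = c0a82179, 192.168.33.149 = c0a82195; 'match ip dst' sits at offset 16).
SAMPLE_SHOW = """\
filter parent 1: protocol ip pref 2 u32
filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 2 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:114
  match c0a82179/ffffffff at 16
filter parent 1: protocol ip pref 2 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:115
  match c0a82195/ffffffff at 16
"""


def find_handles(show_output, dst_ip):
    """Return (pref, fh) for each u32 filter whose keys contain a full-mask match on dst_ip
    at IP header offset 16. 'match ...' lines belong to the preceding 'fh X::Y' line."""
    want = "match %08x/ffffffff at 16" % int(ipaddress.IPv4Address(dst_ip))
    handles, current = [], None
    for line in show_output.splitlines():
        m = re.search(r"pref (\d+) u32 fh (\w+::\w+)", line)
        if m:
            current = (m.group(1), m.group(2))
        elif current and line.strip() == want:
            handles.append(current)
    return handles


def delete_commands(show_output, dst_ip):
    """Delete by prio + handle. 'tc filter del ... prio 2' without a handle removes the whole
    u32 instance at that priority (what the first post saw); the match arguments given to
    'del' do not select a filter."""
    return [f"tc filter del dev {DEV} parent {PARENT} protocol ip prio {pref} handle {fh} u32"
            for pref, fh in find_handles(show_output, dst_ip)]


if __name__ == "__main__":
    for cmd in u32_filters("192.168.33.15", 1000, 1023, "1:1111", prio=1):
        print(cmd)
    for cmd in all_but_range("192.168.33.15", 80, 80, "1:11", "1:10"):
        print(cmd)
    for cmd in delete_commands(SAMPLE_SHOW, "192.168.33.149"):
        print(cmd)
```

The range 1000-1023 comes out as two filters (1000 0xfff8 and 1008 0xfff0), which is why a list of arbitrary ports grows quickly and why fwmarks set by iptables are the usual way out once the list gets long. For filters added without an explicit handle, the `fh 800::800`, `800::801` values shown by `tc filter show` are the ones to pass to `del`.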