
#1 2008-09-21 08:10:46

Rasi
Member
From: Germany
Registered: 2007-08-14
Posts: 1,857

Easy Traffic Shaping?

Hi.. I am looking for an easy traffic shaping solution (kinda like cFos does it, without worrying).

I don't need any fancy firewall setups with 1000's of rules, I just want to have constant bandwidth while torrenting/downloading...

Any suggestions?


He hoped and prayed that there wasn't an afterlife. Then he realized there was a contradiction involved here and merely hoped that there wasn't an afterlife.

Douglas Adams


#2 2008-09-21 08:38:26

Farbror.Fainted
Member
Registered: 2008-09-21
Posts: 7

Re: Easy Traffic Shaping?

Hi..

I am using ipp2p to do traffic shaping for outbound torrent traffic through my router. (Sadly running Ubuntu; it was before I knew of Arch.)
It marks p2p packets in the mangle table and sets a priority mark (as low as possible).

It looks like this. And I am running this script alongside shorewall..

ipp2p is in AUR http://aur.archlinux.org/packages.php?ID=19426


#!/bin/bash

# Chains
FORWARD=FORWARD
OUTPUT=OUTPUT
PREROUTING=PREROUTING
POSTROUTING=POSTROUTING
ETHOUT=ppp0

# Define speeds in kbps (kilobyte/s)
set -x
# start from a clean state: drop the old qdisc tree and the mangle rules of a
# previous run, otherwise every run of the script appends duplicate rules
tc qdisc del dev $ETHOUT root 2>/dev/null
iptables -t mangle -F

tc qdisc add dev $ETHOUT root handle 1: htb default 102 r2q 1

#
# here you set for parent 1:  approx 90% maximum upload capacity
# the first rate is the speed the class always should want, Next is maximum it can get.
#

tc class add dev $ETHOUT parent 1: classid 1:1 htb rate 60kbps ceil 60kbps
tc class add dev $ETHOUT parent 1:1 classid 1:101 htb rate 40kbps ceil 40kbps prio 0
tc class add dev $ETHOUT parent 1:1 classid 1:102 htb rate 30kbps ceil 40kbps prio 1
tc class add dev $ETHOUT parent 1:1 classid 1:103 htb rate 30kbps ceil 40kbps prio 2
tc class add dev $ETHOUT parent 1:1 classid 1:104 htb rate 5kbps ceil 40kbps prio 3


# firewall mark N (set with iptables MARK below) -> class 1:10N
tc filter add dev $ETHOUT parent 1:0 protocol ip prio 0 handle 1 fw classid 1:101
tc filter add dev $ETHOUT parent 1:0 protocol ip prio 1 handle 2 fw classid 1:102
tc filter add dev $ETHOUT parent 1:0 protocol ip prio 2 handle 3 fw classid 1:103
tc filter add dev $ETHOUT parent 1:0 protocol ip prio 3 handle 4 fw classid 1:104

# fair queueing between the flows inside each class
tc qdisc add dev $ETHOUT parent 1:101 sfq perturb 16
tc qdisc add dev $ETHOUT parent 1:102 sfq perturb 16
tc qdisc add dev $ETHOUT parent 1:103 sfq perturb 16
tc qdisc add dev $ETHOUT parent 1:104 sfq perturb 16


MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"

# Setting priority marks

# Bittorrent BEGIN

# tcpre (PREROUTING)
# restore the mark saved on the connection, let already-marked packets through,
# and run ipp2p only on the remaining (new) packets of a connection
iptables -t mangle -A $PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A $PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A $PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 4
iptables -t mangle -A $PREROUTING -p tcp -m mark --mark 4 -j CONNMARK --save-mark


# tcpost (POSTROUTING)
iptables -t mangle -A $POSTROUTING -o $ETHOUT -m mark --mark 4 -j CLASSIFY --set-class 1:104

# Bittorrent END

# Prio 1
# icmp
iptables -t mangle -A $FORWARD -p icmp -j MARK --set-mark $MARKPRIO1
iptables -t mangle -A $OUTPUT -p icmp -j MARK --set-mark $MARKPRIO1
# ssh
iptables -t mangle -A $FORWARD -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
iptables -t mangle -A $OUTPUT -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
# non tcp ("! -p tcp" is the current negation syntax; "-p ! tcp" is obsolete)
iptables -t mangle -A $FORWARD ! -p tcp -j MARK --set-mark $MARKPRIO1
iptables -t mangle -A $OUTPUT ! -p tcp -j MARK --set-mark $MARKPRIO1

# Prio 2

# Prio 3

# http
iptables -t mangle -A $FORWARD -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3
iptables -t mangle -A $OUTPUT -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3
# https
iptables -t mangle -A $FORWARD -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3
iptables -t mangle -A $OUTPUT -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3
# smtp
iptables -t mangle -A $FORWARD -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
iptables -t mangle -A $OUTPUT -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
# ftp high prio 2
iptables -t mangle -A $FORWARD -p tcp --sport 21 -j MARK --set-mark $MARKPRIO2
iptables -t mangle -A $OUTPUT -p tcp --sport 21 -j MARK --set-mark $MARKPRIO2
iptables -t mangle -A $FORWARD -p tcp --dport 21 -j MARK --set-mark $MARKPRIO2
iptables -t mangle -A $OUTPUT -p tcp --dport 21 -j MARK --set-mark $MARKPRIO2


# Prio 4
# packets > 1024 bytes
iptables -t mangle -A $FORWARD -p tcp -m length --length 1024: -j MARK --set-mark $MARKPRIO4

# Remaining packets are marked according to TOS
iptables -t mangle -A $FORWARD -p tcp -m tos --tos Minimize-Delay -m mark --mark 0 -j MARK --set-mark $MARKPRIO1
iptables -t mangle -A $FORWARD -p tcp -m tos --tos Maximize-Throughput -m mark --mark 0 -j MARK --set-mark $MARKPRIO2
iptables -t mangle -A $FORWARD -p tcp -m tos --tos Minimize-Cost -m mark --mark 0 -j MARK --set-mark $MARKPRIO4

Last edited by Farbror.Fainted (2008-09-21 08:40:00)


#3 2009-03-05 19:47:24

Dinth
Member
From: London
Registered: 2009-03-02
Posts: 224

Re: Easy Traffic Shaping?

I use this:

#!/bin/bash

# drop all tc queue stuff
tc qdisc del dev wlan0 root 2>/dev/null

# Flushing all tables
# (iptables -F alone only flushes the filter table; the mangle chains created
# further down would fail to be re-created on a second run without this)
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t mangle -X

### filter
# I only filter INPUT; OUTPUT and FORWARD are accepted by default

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT

# allow local loopback connections
iptables -t filter -A INPUT -i lo -j ACCEPT

# allow PocketPC connections
iptables -I FORWARD 1 -s 192.168.131.0/24 -d 192.168.131.0/24 -j ACCEPT
iptables -I OUTPUT 1 -s 192.168.131.0/24 -d 192.168.131.0/24 -j ACCEPT
iptables -I INPUT 1 -s 192.168.131.0/24 -d 192.168.131.0/24 -j ACCEPT

# drop INVALID connections
iptables -t filter -A INPUT   -m state --state INVALID -j DROP
iptables -t filter -A OUTPUT  -m state --state INVALID -j DROP
iptables -t filter -A FORWARD -m state --state INVALID -j DROP

# allow all established and related
iptables -t filter -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow connections to my ISP's DNS servers
iptables -t filter -A INPUT -s 192.168.1.1 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -t filter -A INPUT -s 192.168.1.1 -p udp -j ACCEPT
iptables -t filter -A INPUT -s 194.204.159.1 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -t filter -A INPUT -s 194.204.159.1 -p udp -j ACCEPT
iptables -t filter -A INPUT -s 194.204.152.34 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -t filter -A INPUT -s 194.204.152.34 -p udp -j ACCEPT

# the only ICMP that's accepted is ping but there's a rate limit to prevent DDOS
iptables -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/sec -j ACCEPT

# open ports at the internet gateway.
# replace tcp by udp for udp traffic
# 22=ssh
iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# all incoming connections from lan are accepted
# WARNING: only keep these two rules if you trust your LAN; otherwise comment them out
iptables -t filter -A INPUT -s 10.0.0.0/255.255.255.0 -p tcp -m tcp -j ACCEPT
iptables -t filter -A INPUT -s 10.0.0.0/255.255.255.0 -p udp -m udp -j ACCEPT

# log all other attempted incoming connections. uncomment it if you wish to use it.
# iptables -t filter -A INPUT -j LOG

### nat

# set up IP forwarding and nat
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT


# set up ports to forward
# 10.0.0.1 = gateway
# 10.0.0.50 = some machine in network to forward some stuff to. replace 10.0.0.50 by the machine you want to forward to
#
# msn filetransfers,video,msn voice :
# iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --dport 6890:6901 -j DNAT --to-destination 10.0.0.50:6890-6901
# iptables -t nat -A PREROUTING -i wlan0 -p udp -m udp --dport 6890:6901 -j DNAT --to-destination 10.0.0.50:6890-6901
#
# bittorrent :
#iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 10.0.0.50:6881-6889
#iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

#class 1:10 prio 1 DNS,ping,icmp
#class 1:11 prio 2 ACK,SYN,ssh (small packets)
#class 1:12 prio 3 ET (specific games)
#class 1:13 prio 4 udp, TOS minimize delay
#class 1:14 prio 5 HTTP,SMTP,AIM,msn messenger,freenx,irc
#class 1:15 prio 6 max throughput,rest, big packets
#class 1:16 prio 7 bittorrent

# Constants
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"
MARKPRIO5="5"
MARKPRIO6="6"
MARKPRIO7="7"

######### mangle
# The most general rule always wins, so list specific rules _LAST_

# set some tos bits if they are not set (some misbehaving app):
iptables -A OUTPUT -t mangle -p tcp --dport ssh -j TOS --set-tos Minimize-Delay

# tosfix: large packets that still carry Minimize-Delay (e.g. scp over ssh)
# get Maximize-Throughput instead, so bulk transfers don't ride the fast lane
iptables -t mangle -N tosfix
iptables -t mangle -A tosfix -p tcp -m length --length 0:512 -j RETURN
iptables -t mangle -A tosfix -m limit --limit 2/s --limit-burst 10 -j RETURN
iptables -t mangle -A tosfix -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A tosfix -j RETURN

# ack: small ACKs get Minimize-Delay, large ones Maximize-Throughput
iptables -t mangle -N ack
iptables -t mangle -A ack -m tos ! --tos Normal-Service -j RETURN
iptables -t mangle -A ack -p tcp -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A ack -p tcp -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A ack -j RETURN

# Is our TOS broken? Fix it for TCP ACK and OpenSSH.
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j ack
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp -m tos --tos Minimize-Delay -j tosfix

# Remaining packets are marked according to TOS
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp -m tos --tos Minimize-Delay -m mark --mark 0 -j MARK --set-mark $MARKPRIO4
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp -m tos --tos Maximize-Throughput -m mark --mark 0 -j MARK --set-mark $MARKPRIO6
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp -m tos --tos Minimize-Cost -m mark --mark 0 -j MARK --set-mark $MARKPRIO6

# Here we deal with ACK, SYN, and RST packets

# Match SYN and RST packets (everything that is not a pure ACK;
# "! --tcp-flags" is the current negation syntax, "--tcp-flags !" is obsolete)
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK ACK -j MARK --set-mark $MARKPRIO2

# Match ACK packets
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length :128 -m tos --tos Minimize-Delay -j MARK --set-mark $MARKPRIO2

# ICMP (ping)

iptables -t mangle -A POSTROUTING -o wlan0 -p icmp -j MARK --set-mark $MARKPRIO1

# Outbound client requests for SMTP,HTTP, HTTPS,IRC msn and AIM (dport matches)

iptables -t mangle -A POSTROUTING -o wlan0 -p tcp --dport 25 -j MARK --set-mark $MARKPRIO5
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp --dport 80 -j MARK --set-mark $MARKPRIO5
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp --dport 443 -j MARK --set-mark $MARKPRIO5
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp --dport 6667 -j MARK --set-mark $MARKPRIO5
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp --dport 5190 -j MARK --set-mark $MARKPRIO5
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp --dport 1863 -j MARK --set-mark $MARKPRIO5
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp --dport 5000 -j MARK --set-mark $MARKPRIO5
# mail at Nazwa (POP3S)
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp --dport 995 -j MARK --set-mark $MARKPRIO5
# mms
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp --dport 1755 -j MARK --set-mark $MARKPRIO5
iptables -t mangle -A POSTROUTING -o wlan0 -p udp --dport 1755 -j MARK --set-mark $MARKPRIO5

#radio
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp --dport 8000 -j MARK --set-mark $MARKPRIO5

# UDP
iptables -t mangle -A POSTROUTING -o wlan0 -p udp -j MARK --set-mark $MARKPRIO4

# Enemy Territory (UDP, realtime gaming packets)
#iptables -t mangle -A POSTROUTING -o wlan0 -p udp --dport 27960:28000 -j MARK --set-mark $MARKPRIO3

# SSH
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp --dport 22 -j MARK --set-mark $MARKPRIO2
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp --sport 22 -j MARK --set-mark $MARKPRIO2
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp -m tos --tos Maximize-Throughput --dport 22 -j MARK --set-mark $MARKPRIO6
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp -m tos --tos Maximize-Throughput --sport 22 -j MARK --set-mark $MARKPRIO6

# packets > 1024 bytes
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp -m length --length 1024: -j MARK --set-mark $MARKPRIO6

# bittorrent
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp --dport 6881:6889 -j MARK --set-mark $MARKPRIO7
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp --sport 6881:6889 -j MARK --set-mark $MARKPRIO7
# note: "--length 19" matches packets of exactly 19 bytes, which no TCP packet
# can be (IP+TCP headers alone are 40 bytes), so this rule never fires
iptables -t mangle -A POSTROUTING -o wlan0 -p tcp -m length --length 19 -j MARK --set-mark $MARKPRIO7


########## tc
# the 225kbit on class 1:1 below is "limited_upload" = 0.88 * total_upload_bandwidth_in_kbit
# for example 0.88 * 1024 kbit (1 mbit) = 910 kbit

# you can tweak this 0.88 for your own situation.
# It probably should be somewhere between 0.85 and 0.90 unless your ISP delivers less upload than they promised

# the 32kbit rate of each leaf class should be limited_upload / 7 (number of classes)

ifconfig wlan0 txqueuelen 16

tc qdisc add dev wlan0 root handle 1: htb default 60
tc class add dev wlan0 parent 1: classid 1:1 htb rate 225kbit
tc class add dev wlan0 parent 1:1 classid 1:10 htb rate 32kbit ceil 225kbit prio 0
tc class add dev wlan0 parent 1:1 classid 1:11 htb rate 32kbit ceil 225kbit prio 1
tc class add dev wlan0 parent 1:1 classid 1:12 htb rate 32kbit ceil 225kbit prio 2
tc class add dev wlan0 parent 1:1 classid 1:13 htb rate 32kbit ceil 225kbit prio 3
tc class add dev wlan0 parent 1:1 classid 1:14 htb rate 32kbit ceil 225kbit prio 4
tc class add dev wlan0 parent 1:1 classid 1:15 htb rate 32kbit ceil 225kbit prio 5
# ceil must not exceed the parent's 225kbit (was 255kbit, a typo)
tc class add dev wlan0 parent 1:1 classid 1:16 htb rate 32kbit ceil 225kbit prio 6

# firewall mark N -> class 1:(9+N)
tc filter add dev wlan0 parent 1:0 prio 0 protocol ip handle 1 fw flowid 1:10
tc filter add dev wlan0 parent 1:0 prio 1 protocol ip handle 2 fw flowid 1:11
tc filter add dev wlan0 parent 1:0 prio 2 protocol ip handle 3 fw flowid 1:12
tc filter add dev wlan0 parent 1:0 prio 3 protocol ip handle 4 fw flowid 1:13
tc filter add dev wlan0 parent 1:0 prio 3 protocol ip handle 5 fw flowid 1:14
tc filter add dev wlan0 parent 1:0 prio 3 protocol ip handle 6 fw flowid 1:15
tc filter add dev wlan0 parent 1:0 prio 3 protocol ip handle 7 fw flowid 1:16

But even this isn't a real competitor to cFos in traffic shaping. Any suggestions?

PS. Sorry for the lame question, but where the hell can I find "tc" in Arch Linux?

Last edited by Dinth (2009-03-05 19:50:27)
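Both scripts above build the same structure by hand: an HTB root with one class per priority, a fw filter per firewall mark, and iptables MARK rules that decide which class a packet lands in. The script below is an added example (not Farbror.Fainted's or Dinth's code) that generates that structure for any interface, upload speed and number of classes, using the 88% rule from Dinth's comments. With DRY_RUN=1 it prints the tc/iptables commands instead of running them, so the generated tree can be inspected without root; the interface name, speeds and the marking rules at the end are assumptions to adapt.

```bash
#!/bin/bash
# Added example: parameterised HTB + fw-mark shaper generator.
# Top-level code only defines functions; DRY_RUN=1 prints the commands
# instead of executing them (otherwise root and a real interface are needed).

# 88% of the physical upload speed (kbit/s), so the modem's own queue stays empty
limited_upload_kbit() {          # $1 = total upload in kbit/s
    echo $(( $1 * 88 / 100 ))
}

# guaranteed rate of each class when the budget is split evenly
per_class_kbit() {               # $1 = limited upload, $2 = number of classes
    echo $(( $1 / $2 ))
}

run() {                          # execute the command, or print it when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# build_shaper DEV TOTAL_KBIT [N_CLASSES]
# class 1:10 is the highest priority, 1:(10+N-1) the lowest and the default;
# firewall mark M (1..N) is routed to class 1:(10+M-1) by a fw filter
build_shaper() {
    local dev=$1 total=$2 n=${3:-4}
    local ceil rate i cls lowest
    ceil=$(limited_upload_kbit "$total")
    rate=$(per_class_kbit "$ceil" "$n")
    lowest=$(( 10 + n - 1 ))

    run tc qdisc del dev "$dev" root 2>/dev/null || true   # no qdisc yet on first run
    run tc qdisc add dev "$dev" root handle 1: htb default "$lowest"
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${ceil}kbit"

    i=0
    while [ "$i" -lt "$n" ]; do
        cls=$(( 10 + i ))
        # every class may borrow up to the full ceiling; prio decides who borrows first
        run tc class add dev "$dev" parent 1:1 classid "1:$cls" htb \
            rate "${rate}kbit" ceil "${ceil}kbit" prio "$i"
        # fair queueing between the flows inside one class
        run tc qdisc add dev "$dev" parent "1:$cls" handle "$cls:" sfq perturb 10
        run tc filter add dev "$dev" parent 1:0 protocol ip prio "$i" \
            handle "$(( i + 1 ))" fw flowid "1:$cls"
        i=$(( i + 1 ))
    done

    # marking rules (assumed policy): interactive traffic first, bulk last;
    # anything left unmarked falls into the default (lowest) class
    run iptables -t mangle -F POSTROUTING
    run iptables -t mangle -A POSTROUTING -o "$dev" -p icmp -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$dev" -p tcp --dport 22 -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$dev" -p tcp --tcp-flags SYN,RST,ACK ACK \
        -m length --length :128 -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$dev" -p tcp -m multiport --dports 80,443 \
        -j MARK --set-mark 2
    run iptables -t mangle -A POSTROUTING -o "$dev" -p tcp -m length --length 1024: \
        -j MARK --set-mark "$n"
}

# usage: DRY_RUN=1 ./shaper.sh ppp0 1024 4   (then without DRY_RUN, as root)
if [ "$#" -ge 2 ]; then
    build_shaper "$@"
fi
```

For a 1 Mbit uplink and four classes this yields a 901 kbit ceiling with 225 kbit guaranteed per class, which is the same budget Dinth's script uses; check the printed tree with DRY_RUN=1 before applying it, and verify afterwards with `tc -s class show dev ppp0` that the bulk class, not the interactive one, is the one dropping packets under load.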


#4 2009-03-05 20:21:21

bluewind
Administrator
From: Austria
Registered: 2008-07-13
Posts: 168

Re: Easy Traffic Shaping?

I'm using this http://flo.xssn.at/~flo/hfsc_shaper.sh
HFSC is much better than HTB in terms of latency btw.

Last edited by bluewind (2009-03-05 20:22:29)


"Everything should be made as simple as possible, but not simpler."
-- Albert Einstein


#5 2009-03-11 11:33:27

Dinth
Member
From: London
Registered: 2009-03-02
Posts: 224

Re: Easy Traffic Shaping?

Ok. But where can I find "tc" under Arch? I know that this is a very lame question, but I've looked for it in all iptables related packages, and also googled, and still I don't know which package I must install to have it.


#6 2009-03-11 13:04:07

bluewind
Administrator
From: Austria
Registered: 2008-07-13
Posts: 168

Re: Easy Traffic Shaping?

core/iproute2



#7 2009-03-11 13:06:48

brazzmonkey
Member
From: between keyboard and chair
Registered: 2006-03-16
Posts: 818

Re: Easy Traffic Shaping?

trickle in community repo.


what goes up must come down


#8 2009-03-13 12:26:40

bitsuid
Member
Registered: 2007-11-06
Posts: 3

Re: Easy Traffic Shaping?

Try the CLASSIFY target; it is the recommended way.
---

# WANIF is your WAN interface, e.g. WANIF=ppp0
tc qdisc add dev $WANIF root handle 1: htb default 30 r2q 1
tc class add dev $WANIF parent 1: classid 1:1 htb rate 200000bit
tc class add dev $WANIF parent 1:1 classid 1:10 htb rate 100000bit ceil 200000bit prio 0
tc class add dev $WANIF parent 1:1 classid 1:20 htb rate 70000bit ceil 200000bit prio 1
tc class add dev $WANIF parent 1:1 classid 1:30 htb rate 30000bit ceil 200000bit prio 2
tc qdisc add dev $WANIF parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $WANIF parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $WANIF parent 1:30 handle 30: sfq perturb 10

# CLASSIFY is only valid in the mangle table, so every rule needs "-t mangle -A";
# no tc filters are needed because the class is set directly on the packet
# small control packets (SYN, SYN/ACK, pure ACK, RST, FIN) and ssh -> top class
iptables -t mangle -A POSTROUTING -o $WANIF -p tcp --syn -m length --length 40:68 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o $WANIF -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o $WANIF -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o $WANIF -p tcp --tcp-flags ALL RST -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o $WANIF -p tcp --tcp-flags ALL ACK,RST -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o $WANIF -p tcp --tcp-flags ALL ACK,FIN -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o $WANIF -p tcp --sport 22 -j CLASSIFY --set-class 1:10
# web served from this box -> middle class, mail -> lowest (the default)
iptables -t mangle -A POSTROUTING -o $WANIF -p tcp -m multiport --sport 80,443 -j CLASSIFY --set-class 1:20
iptables -t mangle -A POSTROUTING -o $WANIF -p tcp -m multiport --sport 25,110 -j CLASSIFY --set-class 1:30

---
greetings


#9 2009-03-14 15:17:14

Fackamato
Member
Registered: 2006-03-31
Posts: 575

Re: Easy Traffic Shaping?

Have you guys benchmarked these different solutions? Like pinging a server while downloading something.

It would be interesting to see the results.


#10 2009-03-14 16:23:58

Dinth
Member
From: London
Registered: 2009-03-02
Posts: 224

Re: Easy Traffic Shaping?

Yeah, I hope that somebody will do this kind of benchmarking in the future. I cannot do it myself, because I have a very weak wifi signal, so results could be random.


#11 2009-03-14 16:38:12

bluewind
Administrator
From: Austria
Registered: 2008-07-13
Posts: 168

Re: Easy Traffic Shaping?

Pings when uploading torrents at 100% upstream:
with shaper: 26ms
without: ~1000ms
while not uploading: 24ms

Downloading will cause more problems because your ISP won't shape the traffic for you -> your downlink is full.
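The measurement bluewind reports (ping RTT idle, under full upload with the shaper, and without it) is the one check that tells you whether a shaper actually works. The script below is an added example, not bluewind's or anyone else's from this thread, of how to take it reproducibly: it parses ping's summary line, expresses the loaded RTT as a multiple of the idle RTT, and wraps the "measure while something saturates the uplink" step. TARGET and LOAD_CMD are placeholders you must set; the sample ping output is constructed so the parsing can be checked offline.

```bash
#!/bin/bash
# Added example: latency-under-load benchmark for a traffic shaper.
# TARGET (a reachable host) and LOAD_CMD (anything that saturates the uplink,
# e.g. a large scp upload) are assumptions; the parsing helpers run offline.

# constructed sample of "ping -q" output, used for the offline check
SAMPLE_PING_OUTPUT='PING example.invalid (192.0.2.1) 56(84) bytes of data.

--- example.invalid ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9012ms
rtt min/avg/max/mdev = 23.870/26.102/31.440/2.115 ms'

# print the average RTT in ms from ping output on stdin
# (Linux prints "rtt min/avg/max/mdev = ...", BSD "round-trip min/avg/max/stddev = ...")
parse_ping_avg() {
    LC_ALL=C awk -F'[=/ ]+' '/^(rtt|round-trip) / { print $7 }'
}

# how many times slower the loaded link is, with one decimal place
latency_ratio() {                # $1 = idle avg ms, $2 = loaded avg ms
    LC_ALL=C awk -v idle="$1" -v loaded="$2" 'BEGIN { printf "%.1f\n", loaded / idle }'
}

# average RTT to $1 over $2 probes (needs network)
measure_rtt() {
    ping -q -c "$2" "$1" | parse_ping_avg
}

# start the load in the background, measure while it runs, then stop it
measure_under_load() {           # $1 = target, $2 = probes, $3 = load command
    sh -c "$3" >/dev/null 2>&1 &
    local pid=$!
    sleep 5                      # let the modem's queue fill before measuring
    measure_rtt "$1" "$2"
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
}

# run once with the shaper loaded and once without, and compare the ratios
benchmark() {
    local target=${TARGET:?set TARGET to a reachable host}
    local load=${LOAD_CMD:?set LOAD_CMD to a command that saturates the uplink}
    local idle loaded
    idle=$(measure_rtt "$target" 10)
    loaded=$(measure_under_load "$target" 10 "$load")
    echo "idle: ${idle} ms  under load: ${loaded} ms  ratio: $(latency_ratio "$idle" "$loaded")x"
}

# usage: TARGET=... LOAD_CMD='scp big.iso host:' ./bench.sh run
if [ "$1" = "run" ]; then
    benchmark
fi
```

With bluewind's figures (24 ms idle, 26 ms shaped, ~1000 ms unshaped) the ratio goes from about 42x to 1.1x, which is the number worth comparing between HTB, HFSC and the CLASSIFY variant above; run each configuration several times and keep the same TARGET and LOAD_CMD, since a different path or a load that does not actually fill the uplink makes the comparison meaningless.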


