You are not logged in.

Pages: 1

#1 2019-07-06 17:21:23

v.mazurenko
Member
Registered: 2019-07-06
Posts: 2

ingress traffic shaping with SNAT

Trying to set up tc using that guide Advanced traffic control

by default all package is placed in 3:30 classid if comment value default 30 packages does not reach any classid I mean classify is not working also for mark traffic 192.168.0.235

tc config script

# - tc
# - iptables-mod-ipopt
# - kmod-sched
# - kmod-sched-connmark
# - kmod-ipt-conntrack - 4.9.152-1
# - kmod-ipt-conntrack-extra - 4.9.152-1
# - kmod-nf-conntrack - 4.9.152-1


# Maximum allowed downlink. Set to 90% of the achievable downlink in kbits/s
DOWNLINK=1000

# Interface facing the Internet
EXTDEV="eth0.2"


start() {

ip link set dev ifb0 up
root@OpenWrt:~# cat /etc/tc_htb.sh
# - tc
# - iptables-mod-ipopt
# - kmod-sched
# - kmod-sched-connmark
# - kmod-ipt-conntrack - 4.9.152-1
# - kmod-ipt-conntrack-extra - 4.9.152-1
# - kmod-nf-conntrack - 4.9.152-1


# Maximum allowed downlink. Set to 90% of the achievable downlink in kbits/s
DOWNLINK=1000

# Interface facing the Internet
EXTDEV="eth0.2"


start() {

ip link set dev ifb0 up

# HTB classes on IFB with rate limiting
tc qdisc add dev ifb0 root handle 3: htb   #default 30
tc class add dev ifb0 parent 3: classid 3:3 htb rate ${DOWNLINK}kbit
tc class add dev ifb0 parent 3:3 classid 3:30 htb rate 500kbit ceil ${DOWNLINK}kbit
tc class add dev ifb0 parent 3:3 classid 3:33 htb rate 500kbit ceil ${DOWNLINK}kbit

# Packets marked with "3" on IFB flow through class 3:33

tc filter add dev ifb0 parent 3:0 protocol ip handle 3 fw flowid 3:33

# Outgoing traffic from 192.168.1.0/24 is marked with "3"
iptables -t mangle -N QOS
iptables -t mangle -A FORWARD -o $EXTDEV -j QOS
iptables -t mangle -A OUTPUT -o $EXTDEV -j QOS
iptables -t mangle -A QOS -j CONNMARK --restore-mark
iptables -t mangle -A QOS -s 192.168.0.235 -m mark --mark 0 -j MARK --set-mark 3
iptables -t mangle -A QOS -j CONNMARK --save-mark

# Forward all ingress traffic on internet interface to the IFB device
tc qdisc add dev $EXTDEV ingress handle ffff:
tc filter add dev $EXTDEV parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev ifb0 action connmark flowid ffff:1

}


stop() {
tc qdisc del dev $EXTDEV root    2> /dev/null > /dev/null
tc qdisc del dev $EXTDEV ingress 2> /dev/null > /dev/null
tc qdisc del dev ifb0 root       2> /dev/null > /dev/null
tc qdisc del dev ifb0 ingress    2> /dev/null > /dev/null
iptables -t mangle -F
iptables -t mangle -X QOS
ip link set down ifb0
}


case $1 in
  start)
    start
    ;;
  stop)
    stop
    ;;
  *)
    echo "Usage: $0 start|stop"
    ;;
esac.

IPTABLES

Chain PREROUTING (policy ACCEPT 46475 packets, 27M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 3425 packets, 349K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 43036 packets, 27M bytes)
 pkts bytes target     prot opt in     out     source               destination
17892 3520K QOS        all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4202 packets, 500K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1455  113K QOS        all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 47238 packets, 27M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain QOS (2 references)
 pkts bytes target     prot opt in     out     source               destination
19347 3632K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
  300 15600 MARK       all  --  *      *       192.168.0.235        0.0.0.0/0            mark match 0x0 MARK set 0x3
19347 3632K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save

tc output after some test


root@OpenWrt:~# tc -s -d qdisc show dev ifb0
qdisc htb 3: root refcnt 2 r2q 10 default 0 direct_packets_stat 26915 ver 3.17 direct_qlen 32
 Sent 23878408 bytes 26915 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
root@OpenWrt:~# tc -s -d class show dev ifb0
class htb 3:33 parent 3:3 prio quantum rate 500Kbit ceil 1Mbit linklayer ethernet burst 1600b/1 mpu 0b cburst 1600b/1 mpu 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps
 rate 0bit 0ppsbacklog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 400000 ctokens: 200000

class htb 3:30 parent 3:3 prio quantum rate 500Kbit ceil 1Mbit linklayer ethernet burst 1600b/1 mpu 0b cburst 1600b/1 mpu 0b level 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps
 rate 0bit 0ppsbacklog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 400000 ctokens: 200000

class htb 3:3 root rate 1Mbit ceil 1Mbit linklayer ethernet burst 1600b/1 mpu 0b cburst 1600b/1 mpu 0b level 7
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps
 rate 0bit 0ppsbacklog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 200000 ctokens: 200000

root@OpenWrt:~# tc -s -d filter show dev ifb0
filter parent 3: protocol ip pref 49152 fw
filter parent 3: protocol ip pref 49152 fw handle 0x3 classid 3:33

Last edited by v.mazurenko (2019-07-06 17:26:51)

Offline

#2 2019-07-06 18:07:25

v.mazurenko
Member
Registered: 2019-07-06
Posts: 2

Re: ingress traffic shaping with SNAT

i found my mistake, that was a pipe action sequence :

tc filter add dev $EXTDEV parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev ifb0 action connmark flowid ffff:1

right is :

tc filter add dev $EXTDEV parent ffff: protocol ip u32 match u32 0 0 action connmark  action mirred egress redirect dev ifb0 flowid ffff:1

Offline

Pages: 1

Board footer

Powered by FluxBB