* u32 filter not matching
@ 2014-07-24 21:00 Joe Rhodes
2014-07-24 21:15 ` Mike Schmidt
2014-07-25 2:24 ` Joe Rhodes
0 siblings, 2 replies; 3+ messages in thread
From: Joe Rhodes @ 2014-07-24 21:00 UTC (permalink / raw)
To: lartc
[-- Attachment #1: Type: text/plain, Size: 1933 bytes --]
I’ve got a CentOS 6.4 box (64bit) that’s acting as a router and firewall. It has two ethernet interfaces, and it’s connected to a cable modem. I’m attempting to do some bandwidth management. I’ve got:
TBF with an upload rate limit of 4000kbit
a PRIO qdisc hanging off of that with 3 bands
an SFQ qdisc hanging off each of the bands of the PRIO qdisc
The problem I’m running into is I cannot get outgoing packets to hit the high priority queue using the u32 filter. I can seem to get it to work if I use iptables to mark the packets and then filter based on the firewall mark.
Setup commands look this this:
$EXT is my external ethernet interface
$UPLD is 4000kbit
$TC qdisc add dev $EXT root handle 1: tbf rate $UPLD burst 100k latency 15ms mtu 100kb
$TC qdisc add dev $EXT parent 1: handle 30: prio priomap 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 0
$TC qdisc add dev $EXT parent 30:1 handle 100: sfq perturb 10
$TC qdisc add dev $EXT parent 30:2 handle 200: sfq perturb 10
$TC qdisc add dev $EXT parent 30:3 handle 300: sfq perturb 10
# Filter that doesn’t work. All traffic ends up in flow 30:3
$TC filter add dev $EXT parent 30: prio 1 u32 match ip dst 208.100.39.00/24 flowid 20:1
# (That IP is my VoIP host that I want to which I want to prioritize traffic.)
If I use the following:
$TC filter add dev $EXT parent 30: prio 1 protocol ip handle 1 fw flowid 30:1
iptables -t mangle -A PREROUTING -d 208.100.39.00/24 -j MARK --set-mark 0x1
Then traffic goes to flow 30:1 as I’d expect.
I’ve got to be missing something pretty obvious, but I can’t figure out what. Can anyone enlighten me?
I’m also doing ingress shaping (using ifb) and that’s working fine using a similar filter:
$TC filter add dev ifb0 protocol ip parent 20: prio 1 u32 match ip src 208.100.39.0/24 flowid 20:1
Incoming packets match the filter and get put into flowid 20:1.
Thanks!
-Joe Rhodes
[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 4139 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: u32 filter not matching
2014-07-24 21:00 u32 filter not matching Joe Rhodes
@ 2014-07-24 21:15 ` Mike Schmidt
2014-07-25 2:24 ` Joe Rhodes
1 sibling, 0 replies; 3+ messages in thread
From: Mike Schmidt @ 2014-07-24 21:15 UTC (permalink / raw)
To: lartc
I always put my filters on qdisc 1:, I've noticed that in some cases,
unless you have filters at the top level, nothing makes it to the
lower levels. I use IFB for devices and HFSC instead of tbf, so it
may be different for you.
> On Thu, Jul 24, 2014 at 5:00 PM, Joe Rhodes <lists@joerhodes.com> wrote:
>>
>> I’ve got a CentOS 6.4 box (64bit) that’s acting as a router and firewall.
>> It has two ethernet interfaces, and it’s connected to a cable modem. I’m
>> attempting to do some bandwidth management. I’ve got:
>>
>> TBF with an upload rate limit of 4000kbit
>> a PRIO qdisc hanging off of that with 3 bands
>> an SFQ qdisc hanging off each of the bands of the PRIO qdisc
>>
>> The problem I’m running into is I cannot get outgoing packets to hit the
>> high priority queue using the u32 filter. I can seem to get it to work if I
>> use iptables to mark the packets and then filter based on the firewall mark.
>>
>> Setup commands look this this:
>>
>> $EXT is my external ethernet interface
>> $UPLD is 4000kbit
>>
>> $TC qdisc add dev $EXT root handle 1: tbf rate $UPLD burst 100k latency
>> 15ms mtu 100kb
>> $TC qdisc add dev $EXT parent 1: handle 30: prio priomap 2 2 2 2 2 2 2 2 1
>> 1 1 1 1 1 1 0
>> $TC qdisc add dev $EXT parent 30:1 handle 100: sfq perturb 10
>> $TC qdisc add dev $EXT parent 30:2 handle 200: sfq perturb 10
>> $TC qdisc add dev $EXT parent 30:3 handle 300: sfq perturb 10
>>
>> # Filter that doesn’t work. All traffic ends up in flow 30:3
>> $TC filter add dev $EXT parent 30: prio 1 u32 match ip dst
>> 208.100.39.00/24 flowid 20:1
>>
>> # (That IP is my VoIP host that I want to which I want to prioritize
>> traffic.)
>>
>>
>> If I use the following:
>>
>> $TC filter add dev $EXT parent 30: prio 1 protocol ip handle 1 fw flowid
>> 30:1
>> iptables -t mangle -A PREROUTING -d 208.100.39.00/24 -j MARK --set-mark
>> 0x1
>>
>> Then traffic goes to flow 30:1 as I’d expect.
>>
>> I’ve got to be missing something pretty obvious, but I can’t figure out
>> what. Can anyone enlighten me?
>>
>> I’m also doing ingress shaping (using ifb) and that’s working fine using a
>> similar filter:
>>
>> $TC filter add dev ifb0 protocol ip parent 20: prio 1 u32 match ip src
>> 208.100.39.0/24 flowid 20:1
>>
>> Incoming packets match the filter and get put into flowid 20:1.
>>
>>
>> Thanks!
>> -Joe Rhodes
>>
--
Mike SCHMIDT
CTO
Intello Technologies Inc.
mike.schmidt@intello.com
Canada: 1-888-404-6261 x320
USA: 1-888-404-6268 x320
Mobile: 514-409-6898
www.intello.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: u32 filter not matching
2014-07-24 21:00 u32 filter not matching Joe Rhodes
2014-07-24 21:15 ` Mike Schmidt
@ 2014-07-25 2:24 ` Joe Rhodes
1 sibling, 0 replies; 3+ messages in thread
From: Joe Rhodes @ 2014-07-25 2:24 UTC (permalink / raw)
To: lartc
[-- Attachment #1: Type: text/plain, Size: 4006 bytes --]
Thanks Mike. Unfortunately, I can’t seem to add a filer at 1: probably because I’m using a classless qdisc there (tbf). I had tried it using HTB instead of TBF and I got the same result.
This still doesn’t explain why I can successfully filter using an iptables fw mark at this same location (30:)
By the way, there was a typo in my original email. This part:
# Filter that doesn’t work. All traffic ends up in flow 30:3
$TC filter add dev $EXT parent 30: prio 1 u32 match ip dst 208.100.39.00/24 flowid 20:1
Should actually have been:
# Filter that doesn’t work. All traffic ends up in flow 30:3
$TC filter add dev $EXT parent 30: prio 1 u32 match ip dst 208.100.39.00/24 flowid 30:1
Just be clear, this was a typo in my e-mail and not in my configuration. So this doesn’t change the fact that the u32 filter doesn’t seem to be matching as expected.
It’s a simple enough to work around this using the fw mark. I just want to know why the u32 match isn’t working.
Cheers!
-Joe Rhodes
On Jul 24, 2014, at 5:15 PM, Mike Schmidt <mike.schmidt@intello.com> wrote:
> I always put my filters on qdisc 1:, I've noticed that in some cases,
> unless you have filters at the top level, nothing makes it to the
> lower levels. I use IFB for devices and HFSC instead of tbf, so it
> may be different for you.
>
>> On Thu, Jul 24, 2014 at 5:00 PM, Joe Rhodes <lists@joerhodes.com> wrote:
>>>
>>> I’ve got a CentOS 6.4 box (64bit) that’s acting as a router and firewall.
>>> It has two ethernet interfaces, and it’s connected to a cable modem. I’m
>>> attempting to do some bandwidth management. I’ve got:
>>>
>>> TBF with an upload rate limit of 4000kbit
>>> a PRIO qdisc hanging off of that with 3 bands
>>> an SFQ qdisc hanging off each of the bands of the PRIO qdisc
>>>
>>> The problem I’m running into is I cannot get outgoing packets to hit the
>>> high priority queue using the u32 filter. I can seem to get it to work if I
>>> use iptables to mark the packets and then filter based on the firewall mark.
>>>
>>> Setup commands look this this:
>>>
>>> $EXT is my external ethernet interface
>>> $UPLD is 4000kbit
>>>
>>> $TC qdisc add dev $EXT root handle 1: tbf rate $UPLD burst 100k latency
>>> 15ms mtu 100kb
>>> $TC qdisc add dev $EXT parent 1: handle 30: prio priomap 2 2 2 2 2 2 2 2 1
>>> 1 1 1 1 1 1 0
>>> $TC qdisc add dev $EXT parent 30:1 handle 100: sfq perturb 10
>>> $TC qdisc add dev $EXT parent 30:2 handle 200: sfq perturb 10
>>> $TC qdisc add dev $EXT parent 30:3 handle 300: sfq perturb 10
>>>
>>> # Filter that doesn’t work. All traffic ends up in flow 30:3
>>> $TC filter add dev $EXT parent 30: prio 1 u32 match ip dst
>>> 208.100.39.00/24 flowid 20:1
>>>
>>> # (That IP is my VoIP host that I want to which I want to prioritize
>>> traffic.)
>>>
>>>
>>> If I use the following:
>>>
>>> $TC filter add dev $EXT parent 30: prio 1 protocol ip handle 1 fw flowid
>>> 30:1
>>> iptables -t mangle -A PREROUTING -d 208.100.39.00/24 -j MARK --set-mark
>>> 0x1
>>>
>>> Then traffic goes to flow 30:1 as I’d expect.
>>>
>>> I’ve got to be missing something pretty obvious, but I can’t figure out
>>> what. Can anyone enlighten me?
>>>
>>> I’m also doing ingress shaping (using ifb) and that’s working fine using a
>>> similar filter:
>>>
>>> $TC filter add dev ifb0 protocol ip parent 20: prio 1 u32 match ip src
>>> 208.100.39.0/24 flowid 20:1
>>>
>>> Incoming packets match the filter and get put into flowid 20:1.
>>>
>>>
>>> Thanks!
>>> -Joe Rhodes
>>>
>
> --
> Mike SCHMIDT
> CTO
> Intello Technologies Inc.
> mike.schmidt@intello.com
> Canada: 1-888-404-6261 x320
> USA: 1-888-404-6268 x320
> Mobile: 514-409-6898
> www.intello.com
> --
> To unsubscribe from this list: send the line "unsubscribe lartc" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 4139 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-07-25 2:24 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-07-24 21:00 u32 filter not matching Joe Rhodes
2014-07-24 21:15 ` Mike Schmidt
2014-07-25 2:24 ` Joe Rhodes
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.