[LARTC] Ingress policing

[LARTC] Ingress policing

[Jan Coppens]

[-- Attachment #1: Type: text/plain, Size: 1302 bytes --]

Hi all,

I'm working on a script that measures the incoming bandwidth and devides the traffic into different classes. First I mark all the incoming traffic with a firewall rule (fwmark = 1), then I use an ingress qdisc with some policers/filters to devide the traffic by setting the tc_index. I use the following script:

tc qdisc add dev eth1 handle ffff: ingress
tc filter add dev eth1 parent ffff: handle 1 protocol ip prio 1 estimator 1 2 fw police rate 0 burst 0 avrate 500bps continue flowid :28
tc filter add dev eth1 parent ffff: handle 1 protocol ip prio 2 estimator 1 2 fw police rate 0 burst 0 avrate 300bps continue flowid :30
tc filter add dev eth1 parent ffff: handle 1 protocol ip prio 3 estimator 1 2 fw police rate 0 burst 0 avrate 1bps drop flowid :50

This is the way I think it "should" work ;-) If the incoming traffic is below 500bps the tc_index gets the value 28. If the traffic is between 500bps and 800bps the tc_index gets the value of 30. Between 800bps and 801bps the tc_index is 50, above 801bps, all packets are dropped.

The policing works just fine, all packets are sent to the correct filters. The only thing that does not work is the tc_index stuff. The tc_index is allways 0 instead of 28, 30 or (in some cases) 50. What's going wrong here?

thx,
Jan

[-- Attachment #2: Type: text/html, Size: 2126 bytes --]

[LARTC] Ingress policing

[Radosław Łoboda]

Hi.

I've been trying to use "The Ultimate traffic Conditioner" described in
HOWTO and the two ingress rules at the end of the script didn't work. I've
upgraded iproute and kernel, but it didn't help. I tried other ways to
assume ingress policing, and i found that instead of this (not working):

# tc qdisc add dev eth0 handle ffff: ingress

i can issue:

# tc qdisc add dev eth0 handle 2: parent 1: ingress

which dos not produce any error. I don't know if this is all right. Please
help me with this.

Greetz.

-- 

##########################################
#           |       p0wer        |       #
#   __      |    GG#1877248      |       #
#  (oo)     | p0wer@bojko.eu.org |       #
# / \/ \ Go away or I will replace you   #
# `V__V' with a very small shell script. #
##########################################



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Ingress policing

[bert hubert]

On Wed, Mar 06, 2002 at 03:19:02PM +0100, Rados?aw ?oboda wrote:
> Hi.
> 
> I've been trying to use "The Ultimate traffic Conditioner" described in
> HOWTO and the two ingress rules at the end of the script didn't work. I've
> upgraded iproute and kernel, but it didn't help. I tried other ways to
> assume ingress policing, and i found that instead of this (not working):

So far everybody who upgraded to a newer iproute noted that the problem was
solved. Which version do you use? I've been specifically told that this
version works:

ftp://ftp.inr.ac.ru/ip-routing/iproute2-2.4.7-now-ss010824.tar.gz

> # tc qdisc add dev eth0 handle ffff: ingress
> 
> i can issue:
> 
> # tc qdisc add dev eth0 handle 2: parent 1: ingress
> 
> which dos not produce any error. I don't know if this is all right. Please
> help me with this.

I don't think it will work either. Can you try again with the version
mentioned above?

Regards,

bert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
http://www.tk                              the dot in .tk
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Ingress policing

[Radosław Łoboda]

On Wed, 6 Mar 2002, bert hubert wrote:

> On Wed, Mar 06, 2002 at 03:19:02PM +0100, Rados?aw ?oboda wrote:
> 
> So far everybody who upgraded to a newer iproute noted that the problem was
> solved. Which version do you use? I've been specifically told that this
> version works:
> 
> ftp://ftp.inr.ac.ru/ip-routing/iproute2-2.4.7-now-ss010824.tar.gz

Thnx, it worked out, but i found that it was not the problem with version
(previously i compiled iproute-current dated february 2002) - to compile
iproute with ingress policing and some other stuff (diffserv) I needed to
change the value of TC_CONFIG_DIFFSERV in Config file to "y".

Greetz.

-- 

##########################################
#           |       p0wer        |       #
#   __      |    GG#1877248      |       #
#  (oo)     | p0wer@bojko.eu.org |       #
# / \/ \ Go away or I will replace you   #
# `V__V' with a very small shell script. #
##########################################



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

[LARTC] Ingress policing

[Jan Coppens]

[-- Attachment #1: Type: text/plain, Size: 710 bytes --]

Hi all,

Currently, I'm experimenting with ingress policing. Is it possible to attach multiple u32 filters to the same policer or attach one policer to multiple u32 filters? I would like to define a shared meter, so the rate of the traffic that matches any u32 is accumulated. In the "Edge32-ca-u32" example, they also use a shared meter, but I don't quite understand how it's done. Can someone help me out?

thanks,
Jan

---
Jan Coppens
Ghent University - IMEC

Department of Information Technology (INTEC)
Broadband Communication Networks (IBCN)

Sint-Pietersnieuwstraat, 41
B-9000, Gent
Belgium

E-mail: Jan.Coppens@intec.rug.ac.be
Phone: +32 (0)9 267 35 90
Fax: +32 (0)9 267 35 99-ca-

[-- Attachment #2: Type: text/html, Size: 1500 bytes --]

Re: [LARTC] Ingress policing

[bert hubert]

On Fri, Apr 12, 2002 at 05:09:14PM +0200, Jan Coppens wrote:
> Hi all,
> 

> Currently, I'm experimenting with ingress policing. Is it possible to
> attach multiple u32 filters to the same policer or attach one policer to
> multiple u32 filters? I would like to define a shared meter, so the rate
> of the traffic that matches any u32 is accumulated. In the "Edge32-ca-u32"
> example, they also use a shared meter, but I don't quite understand how
> it's done. Can someone help me out?

I'm not sure if I really understand you. But I *can* tell you that you do
not attach policers to filters. The filter contains a policer.

Regards,

bert

-- 
http://www.PowerDNS.com          Versatile DNS Software & Services
http://www.tk                              the dot in .tk
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Ingress policing

[Jan Coppens]

----- Original Message -----
From: "bert hubert" <ahu@ds9a.nl>
To: <lartc@mailman.ds9a.nl>
Sent: Sunday, April 14, 2002 12:19 PM
Subject: Re: [LARTC] Ingress policing


> On Fri, Apr 12, 2002 at 05:09:14PM +0200, Jan Coppens wrote:
> > Hi all,
> >
>
> > Currently, I'm experimenting with ingress policing. Is it possible to
> > attach multiple u32 filters to the same policer or attach one policer to
> > multiple u32 filters? I would like to define a shared meter, so the rate
> > of the traffic that matches any u32 is accumulated. In the
"Edge32-ca-u32"
> > example, they also use a shared meter, but I don't quite understand how
> > it's done. Can someone help me out?
>
> I'm not sure if I really understand you. But I *can* tell you that you do
> not attach policers to filters. The filter contains a policer.

Yes I know, but can multiple filters share the same policer so you police
the traffic that matches those filters. For example, you have a u32 filter
that matches all traffic from host1 and another u32 that matches all traffic
from host2. Now I would like to police both traffic streams so if the sum of
the rates of both streams exceeds a certain rate, the all packets in both
streams are remarked/dropped. Is this possible?

Cheers,
Jan

>
> Regards,
>
> bert
>
> --
> http://www.PowerDNS.com          Versatile DNS Software & Services
> http://www.tk                              the dot in .tk
> http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

[LARTC] ingress policing

[lartc]

I am interested in policing outgoing traffic. (client--->[eth2][traffic shaper
box][eth0]--->The Internet).

What about ingress qdisc? Can i relay on it, say if it's used for 300 users? I
tested it on myself, but i have no idea how it is going to work with 300 users.
While testing on myself speed was shaped accuratly.

What about IMQ? As i understand it creates virtual interface through which i can
route cerrtain adresses, but what if i have 300 of them?!


P.Krumins
 ____________________________________________________________
 
 Sign up for your Apollo mail account www.e-apollo.lv
 
 www.apollo.lv

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] ingress policing

[Patrick McHardy]

Hi,

On Sat, 28 Dec 2002 lartc@e-apollo.lv wrote:

>
> I am interested in policing outgoing traffic. (client--->[eth2][traffic shaper
> box][eth0]--->The Internet).
>
> What about ingress qdisc? Can i relay on it, say if it's used for 300 users? I
> tested it on myself, but i have no idea how it is going to work with 300 users.
> While testing on myself speed was shaped accuratly.

It's accuracy doesn't depend on the number of users/ips/...

>
> What about IMQ? As i understand it creates virtual interface through which i can
> route cerrtain adresses, but what if i have 300 of them?!

As with the ingress policer, IMQ doesn't care much about the number of
users/ip as long as you don't want to create an IMQ device for each of
these users (in fact some people are running setups with >300 imqs,
but i don't know how well its working).

If you don't need features of "advanced qdiscs" like htb but only
want to slow down i would not use imq but the ingress policer since it
saves you one extra queue.

Bye,
Patrick

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

[LARTC] ingress policing

[Vinh Nguyen]

Hi,

I'm trying to police the incoming traffic by using ingress qdisc,this is what I have in my script

tc qdisc add dev eth0 handle ffff: ingress

tc filter add dev eth0 parent ffff: protocol ip prio 4 \
        handle 1: u32 divisor 1

tc filter add dev eth0 parent ffff: protocol ip prio 4 u32 \
        match ip dport 4001 0xffff \
        police rate 2000kbit burst 50k drop \
	flowid 1:1

I'm sending a 9Mb traffic using iperf but noticed that the bandwith at the receiving end is 4 MB instead of 2M. When Im changing the police rate to 3MB, the traffic at the receiving end is 6MB. Any ideas why does this happen? Your help is greatly appreciated.

Vince



UTS CRICOS Provider Code:  00099F

DISCLAIMER
====================================
This email message and any accompanying attachments may contain
confidential information.  If you are not the intended recipient, do not
read, use, disseminate, distribute or copy this message or attachments.
If you have received this message in error, please notify the sender
immediately and delete this message. Any views expressed in this message
are those of the individual sender, except where the sender expressly,
and with authority, states them to be the views the University of
Technology Sydney. Before opening any attachments, please check them for
viruses and defects.
====================================

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] ingress policing

[Andre Correa]

Hi Vinh, I've noticed the same thing some months ago and couldn't figure 
  out why. The workarround for this is to use half speed in your 
"upload" classes... It seens that it just happens to outgoing traffic 
(ingress or not).

Maybe somone else can explian it... I just figured out the same problem...

Andre



Vinh Nguyen wrote:
> Hi,
> 
> I'm trying to police the incoming traffic by using ingress qdisc,this is what I have in my script
> 
> tc qdisc add dev eth0 handle ffff: ingress
> 
> tc filter add dev eth0 parent ffff: protocol ip prio 4 \
>         handle 1: u32 divisor 1
> 
> tc filter add dev eth0 parent ffff: protocol ip prio 4 u32 \
>         match ip dport 4001 0xffff \
>         police rate 2000kbit burst 50k drop \
> 	flowid 1:1
> 
> I'm sending a 9Mb traffic using iperf but noticed that the bandwith at the receiving end is 4 MB instead of 2M. When Im changing the police rate to 3MB, the traffic at the receiving end is 6MB. Any ideas why does this happen? Your help is greatly appreciated.
> 
> Vince
> 
> 
> 
> UTS CRICOS Provider Code:  00099F
> 
> DISCLAIMER
> ====================================
> This email message and any accompanying attachments may contain
> confidential information.  If you are not the intended recipient, do not
> read, use, disseminate, distribute or copy this message or attachments.
> If you have received this message in error, please notify the sender
> immediately and delete this message. Any views expressed in this message
> are those of the individual sender, except where the sender expressly,
> and with authority, states them to be the views the University of
> Technology Sydney. Before opening any attachments, please check them for
> viruses and defects.
> ====================================
> 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> 
> 

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/