9 August 2005 14:32, "Martin G.H. Minkler" <[EMAIL PROTECTED]> -> Debian-Firewall <[email protected]>, LeVA:
> Alohá!
>
> LeVA wrote:
> > ------------###------------
> > # internet
> > iptables -t mangle -A POSTROUTING -d ! 192.168.0.0/24 -j MARK --set-mark 1
> > # localnet
> > iptables -t mangle -A POSTROUTING -d 192.168.0.0/24 -j MARK --set-mark 2
> >
> > tc qdisc add dev eth0 root handle 1:0 htb default 1
> >
> > tc class add dev eth0 parent 1:0 classid 1:1 htb rate 100mbit
> > tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbit
> >
> > # mark 1, this is internet
> > tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 1 fw classid 1:10
> > # mark 2, this is localnet
> > tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 2 fw classid 1:1
> >
> > ------------###------------
> >
> >
> > With this configuration, my upload speed is 128kbit/s, no matter what the
> > destination is. It seems that the filter for handle 2 is getting
> > ignored, and I get 128kbit/s upload speed on my localnet too.
>
> Are the required kernel modules loaded or compiled in? The MARK target
> for iptables as well as all the QoS modules (out of which so far you
> don't seem to be using any but sch_prio.o) are separate modules that
> either need to be included in modules.conf, modprobed by the script
> itself or even statically compiled into the kernel (as I have done since
> I'm trying to cope without module support in my kernels).

I've checked, and all modules are either compiled in or loaded when running the script.

> Try running the scripts "undetached" and manually from your console and
> see what the output is (no news is good news).

All the commands are valid, I get no error messages, and I can list the classes and the filters which I've added.

> Another thing: IIRC tc filter handles _flowids_ not _classids_. The
> manpage of tc sure knows more about the syntax than me :-)

It didn't give me an error message, so I think it could be right to use the classids, but I've also tried the flowid, and it still did not work.

> And finally: MARKing in POSTROUTING is probably not correct for packets
> sourced from the machine itself since AFAIK tc works on the FILTER chain
> in the OUTPUT table and never gets to see anything MARKed if you MARK
> packets in the POSTROUTING table that is traversed _after_ OUTPUT.

Now I'm adding the marking rules to the OUTPUT chain of the mangle table.

But I think something is _really_ wrong here. I've set up a test case, which is the following. I have another machine here which is 192.168.0.11, and my IP is 192.168.0.3. I've added this rule:

iptables -t mangle -A OUTPUT -d 192.168.0.11 -j MARK --set-mark 1

This will mark every packet whose destination is 192.168.0.11, right? And here comes the iproute thing:

tc qdisc add dev eth0 root handle 1:0 htb
tc class add dev eth0 parent 1:0 classid 1:10 htb rate 128kbit
tc filter add dev eth0 parent 1:1 protocol ip prio 0 handle 1 fw flowid 1:10

With this simple setup, if I upload to 192.168.0.11, then it must go at 128kbit/sec, because I am marking the packets, and the tc filter is directing them to the 1:10 class, which has a 128kbit/sec rate limit. But this is not happening. The upload goes at 100mbit/sec, because somehow the filter rule won't get used. I tried it with both `flowid' and `classid' in the `tc filter add' command, but no success.

What on earth could be the problem?

Thanks!

Daniel

P.S.: please don't cc me

-- 
LeVA
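The configuration under discussion, reworked as an added example. This is not code from the thread or a reply from the list; eth0, 192.168.0.0/24, mark 1 for internet, mark 2 for the local net and the rates are assumptions taken from the post (the rates are placeholders). It differs from the test case in the three points a practitioner would check first: the fw filters are attached to the root qdisc (`parent 1:`) rather than to `1:1`, which the test case never creates; the qdisc has a `default` class, because HTB sends packets that match no filter and have no default class out unshaped through its direct path; and local traffic gets its own leaf class (1:20) instead of being pointed at the inner class 1:1, since HTB only queues packets in leaf classes. The script prints the command list for review, lints it so that every `parent` refers to a handle created by an earlier command, and applies it only when that check passes.

```shell
#!/bin/sh
# Added example (not from the thread): HTB shaping of locally generated
# traffic by fwmark, with a lint step for the tc handle tree.
# Assumptions, taken from the post: eth0 is the LAN interface,
# 192.168.0.0/24 is the local net, mark 1 = internet, mark 2 = local net.
# Rates are placeholders; LAN_RATE stays below LINK_RATE so the two leaf
# rates do not add up to more than their parent.
DEV=${DEV:-eth0}
LOCALNET=${LOCALNET:-192.168.0.0/24}
LINK_RATE=${LINK_RATE:-100mbit}
INET_RATE=${INET_RATE:-128kbit}
LAN_RATE=${LAN_RATE:-90mbit}

# Emit the configuration as a command list instead of running it, so it can
# be reviewed and linted before it is piped to sh.
shaper_cmds() {
    cat <<EOF
# mark locally generated packets in mangle/OUTPUT (flushes that chain first)
iptables -t mangle -F OUTPUT
iptables -t mangle -A OUTPUT ! -d $LOCALNET -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -d $LOCALNET -j MARK --set-mark 2
# fresh HTB tree; "default 20" keeps unmatched packets off HTB's unshaped direct path
tc qdisc del dev $DEV root 2>/dev/null || true
tc qdisc add dev $DEV root handle 1: htb default 20
tc class add dev $DEV parent 1: classid 1:1 htb rate $LINK_RATE ceil $LINK_RATE
tc class add dev $DEV parent 1:1 classid 1:10 htb rate $INET_RATE ceil $INET_RATE
tc class add dev $DEV parent 1:1 classid 1:20 htb rate $LAN_RATE ceil $LINK_RATE
# fw filters hang off the root qdisc (parent 1:) and select leaf classes
tc filter add dev $DEV parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
tc filter add dev $DEV parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
EOF
}

# Lint: every "parent" in a class or filter command must name a handle that an
# earlier "tc qdisc ... handle" or "tc class ... classid" created. "1:" and
# "1:0" are the same handle. Exit status 1 and one message per bad reference.
check_filter_parents() {
    awk '
    BEGIN { bad = 0 }
    function norm(h) { sub(/:$/, ":0", h); return h }
    function chk(p) {
        p = norm(p)
        if (!(p in seen)) { print "parent " p " does not exist yet: " $0; bad = 1 }
    }
    /^tc qdisc add/ { for (i = 1; i <= NF; i++) if ($i == "handle") seen[norm($(i+1))] = 1 }
    /^tc class add/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "parent")  chk($(i+1))
            if ($i == "classid") seen[norm($(i+1))] = 1
        }
    }
    /^tc filter add/ { for (i = 1; i <= NF; i++) if ($i == "parent") chk($(i+1)) }
    END { exit bad }
    '
}

# After "apply": MARK rule counters show whether packets get marked at all,
# per-class "Sent" counters show which class carries the upload, and a growing
# direct_packets_stat on the qdisc means HTB found no leaf class for them.
show_state() {
    iptables -t mangle -L OUTPUT -v -n
    tc -s qdisc show dev "$DEV"
    tc -s class show dev "$DEV"
    tc filter show dev "$DEV"
}

case "${1:-dry-run}" in
    dry-run) shaper_cmds ;;
    lint)    shaper_cmds | check_filter_parents ;;
    apply)   shaper_cmds | check_filter_parents && shaper_cmds | sh -e ;;
    show)    show_state ;;
    *)       echo "usage: $0 [dry-run|lint|apply|show]" >&2; exit 2 ;;
esac
```

Saved as, say, shaper.sh, `sh shaper.sh lint` passes for the generated commands; fed the post's test case on stdin, `check_filter_parents` reports `parent 1:1 does not exist yet` for the filter line, which is the exact defect, while the first configuration's `parent 1:0` filters pass. After `apply`, `show` prints the MARK rule counters and the per-class byte counters: an upload whose bytes keep appearing in `direct_packets_stat` of `tc -s qdisc show` rather than under a class means HTB found no leaf for it. The marks are set in mangle OUTPUT because that is where the post moved them; the egress qdisc runs after mangle POSTROUTING as well, so marks set there are also visible to tc.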

