On Mon, 04 Apr 2011 17:50:04 -0700, Tom Eastep <[email protected]> wrote:
> I'm concerned that there is a web site somewhere that is
> leading people to mis-configure Shorewall's TC. This is the
> second very similar configuration that I've seen today. Did you
> find this on some web site other than shorewall.net?
Tom,
And so did I pursue this further today, time allowing. I started
with a TC configuration from the Shorewall web site, that I
modified only slightly. Then I ran this on a router unit, under
the same traffic load, using two different shorewall versions.
With one version (the older one) it works pretty much as
expected, with the other version no traffic ever goes into the TC
classes 2 and 3. I made 'shorewall dump's of both systems at two
moments during the 2 simultaneous 324 MB HTTP transfers. I'm
including here only one dump, from the system showing the
problem.
Despite holes in my knowledge about TC, the test here shows two
very different results using the same config. Of course, what
matters is the newest Shorewall version.
The test consisted as before of two HTTP transfers made on ports
80 and 3000, made from a laptop using two instances of wget. The
idea for the test is to restrict traffic from the HTTP server,
coming out of the router's eth2, going to the laptop.
laptop eth0 <-> eth2 router eth1 <-> eth1 HTTP server
Transfer1 is made using port 80, transfer2 is made using port
3000. Transfer averages are provided by wget.
TC CONFIGURATION for both tests:
tcdevices
#NUMBER     IN-BANDWITH   OUT-BANDWIDTH
eth2        100mbit       75mbit
tcclasses
#INTERFACE  MARK  RATE:       CEIL        PRIORITY  OPTIONS
eth2        1     1*full/10   full        1         default
eth2        2     8*full/10   9*full/10   10
eth2        3     1*full/10   8*full/10   20
tcrules
#MARK  SOURCE      DEST          PROTO  DEST  SOURCE
2      0.0.0.0/0   192.168.2.2   tcp    -     80
3      0.0.0.0/0   192.168.2.2   tcp    -     3000
TEST # 1 - WORKS FINE
shorewall 4.0.15
linux 2.6.26-15
iptables 1.3.6.0
transfer 1: 3.20 MB/s
transfer 2: 2.63 MB/s
excerpt tc shows that traffic is hitting classes 2 and 3:
class htb 1:13 parent 1:1 leaf 13: prio 7 quantum 2500 rate
7500Kbit ceil 60000Kbit burst 2535b/8 mpu 0b overhead 0b cburst
9090b/8 mpu 0b overhead 0b level 0
Sent 31539119 bytes 20850 pkt (dropped 127, overlimits 0 requeues 0)
rate 10814Kbit 894pps backlog 0b 16p requeues 0
lended: 4949 borrowed: 15885 giants: 0
tokens: -328 ctokens: -106
class htb 1:12 parent 1:1 leaf 12: prio 7 quantum 20000 rate
60000Kbit ceil 67500Kbit burst 9090b/8 mpu 0b overhead 0b cburst
10023b/8 mpu 0b overhead 0b level 0
Sent 35101925 bytes 23189 pkt (dropped 95, overlimits 0 requeues 0)
rate 13689Kbit 1130pps backlog 0b 0p requeues 0
lended: 21536 borrowed: 1653 giants: 0
tokens: -132 ctokens: 241
Some of these were also seen with tc:
class sfq 12:2b1 parent 12:
(dropped 0, overlimits 0 requeues 0)
backlog 0b 16p requeues 0
class sfq 13:1c2 parent 13:
(dropped 0, overlimits 0 requeues 0)
backlog 0b 41p requeues 0
TEST # 2 - DOES NOT WORK
shorewall 4.4.11.6
linux 2.6.26-26
iptables 1.4.2
transfer 1: 2.82 MB/s
transfer 2: 2.86 MB/s
excerpt tc shows that traffic is *not* hitting classes 2 and 3:
class htb 1:13 parent 1:1 leaf 4: prio 7 quantum 2500 rate 7500Kbit
ceil 60000Kbit burst 2535b/8 mpu 0b overhead 0b cburst 9090b/8 mpu 0b
overhead 0b level 0
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
lended: 0 borrowed: 0 giants: 0
tokens: 2642 ctokens: 1184
class htb 1:12 parent 1:1 leaf 3: prio 7 quantum 20000 rate 60000Kbit
ceil 67500Kbit burst 9090b/8 mpu 0b overhead 0b cburst 10023b/8 mpu 0b
overhead 0b level 0
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
lended: 0 borrowed: 0 giants: 0
tokens: 1184 ctokens: 1161
No sfq classes were observed during this test.
Unfortunately I do not have at the moment the tc versions for
these two tests.
Attached is a compressed dump from test # 2
Thanks for taking a look into this.
dump.15.2.gz
Description: GNU Zip compressed data
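Added example, not part of the original message or of Shorewall: a small parser for the `tc` HTB class excerpts quoted above. It lists classes that never saw a packet and checks the RATE/CEIL values against the tcclasses rows, which shows that the class rates are the same in both tests and only the packet counters differ. The mapping of class 1:12 to mark 2 and 1:13 to mark 3 is an assumption taken from the matching rates in the excerpts.

```python
import re

# tc class excerpts copied from the message above (mail line-wrapping kept).
TEST1 = """\
class htb 1:13 parent 1:1 leaf 13: prio 7 quantum 2500 rate
7500Kbit ceil 60000Kbit burst 2535b/8 mpu 0b overhead 0b cburst
9090b/8 mpu 0b overhead 0b level 0
Sent 31539119 bytes 20850 pkt (dropped 127, overlimits 0 requeues 0)
class htb 1:12 parent 1:1 leaf 12: prio 7 quantum 20000 rate
60000Kbit ceil 67500Kbit burst 9090b/8 mpu 0b overhead 0b cburst
10023b/8 mpu 0b overhead 0b level 0
Sent 35101925 bytes 23189 pkt (dropped 95, overlimits 0 requeues 0)
"""
TEST2 = """\
class htb 1:13 parent 1:1 leaf 4: prio 7 quantum 2500 rate 7500Kbit
ceil 60000Kbit burst 2535b/8 mpu 0b overhead 0b cburst 9090b/8 mpu 0b
overhead 0b level 0
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:12 parent 1:1 leaf 3: prio 7 quantum 20000 rate 60000Kbit
ceil 67500Kbit burst 9090b/8 mpu 0b overhead 0b cburst 10023b/8 mpu 0b
overhead 0b level 0
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
"""
FIELDS = re.compile(
    r"class htb (\S+) parent \S+ leaf \S+ .*?rate (\d+)Kbit ceil (\d+)Kbit"
    r".*?Sent (\d+) bytes (\d+) pkt \(dropped (\d+),")

def parse_htb(text):
    """Return {classid: stats} for each 'class htb' stanza, tolerating wrapped lines."""
    flat = " ".join(text.split())  # undo mail/terminal line wrapping
    out = {}
    for stanza in re.split(r"(?=class htb )", flat):
        m = FIELDS.match(stanza)
        if m:
            out[m[1]] = dict(zip(("rate", "ceil", "bytes", "pkts", "dropped"), map(int, m.groups()[1:])))
    return out

def idle_classes(text):
    """Class ids that exist but have not sent a single packet."""
    return sorted(c for c, s in parse_htb(text).items() if s["pkts"] == 0)

def rates_match(text, full_kbit=75000):
    """Compare parsed RATE/CEIL with the tcclasses rows (assumes 1:12 = mark 2, 1:13 = mark 3)."""
    want = {"1:12": (8 * full_kbit // 10, 9 * full_kbit // 10),
            "1:13": (1 * full_kbit // 10, 8 * full_kbit // 10)}
    got = parse_htb(text)
    return all(c in got and (got[c]["rate"], got[c]["ceil"]) == rc for c, rc in want.items())
```

On a live router the same functions can be fed the text of `tc -s class show dev eth2` instead of the embedded excerpts.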
