  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 822

Simple prio qdisc not working

Hi,

I have applied the below tc rules but they aren't doing what I want, and I'm not sure why.

With the below setup, from a client connected behind the br1 interface I ping google.com and I can see the traffic hit the iptables mangle chain, and with tcpdump I can see that its TOS field has been updated, but for some reason the qdisc doesn't reflect this and all traffic appears to get dumped in the Normal-Service TOS band, which is class 2:2 below. Nothing goes into the Minimize-Delay class, which the iptables rule should place ICMP traffic into.

Can anyone see anything I've done wrong?

tc qdisc del dev br1 root

tc qdisc add dev br1 root handle 2: prio
tc qdisc add dev br1 parent 2:1 handle 10: sfq perturb 10 #Band 1 - class fast minimize delay traffic
tc qdisc add dev br1 parent 2:2 handle 20: sfq perturb 10 #Band 2 - class Normal-Service
tc qdisc add dev br1 parent 2:3 handle 30: sfq perturb 10 #Band 3 - class Maximize-Throughput

iptables -t mangle -F
iptables -t mangle -A PREROUTING -i br1 -m tos --tos ! Normal-Service -j RETURN
iptables -t mangle -A PREROUTING -i br1 -p ALL -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -i br1 -p icmp -j TOS --set-tos Minimize-Delay


iptables -t mangle -L -v -n

Chain PREROUTING (policy ACCEPT 61201 packets, 8325K bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 RETURN     0    --  br1    *       0.0.0.0/0            0.0.0.0/0           TOS match !0x00
   11  2208 TOS        0    --  br1    *       0.0.0.0/0            0.0.0.0/0           TOS set 0x08
    2   120 TOS        icmp --  br1    *       0.0.0.0/0            0.0.0.0/0           TOS set 0x10

tc -s qdisc ls dev br1

qdisc prio 2: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 2134 bytes 13 pkts (dropped 0, overlimits 0)
qdisc sfq 10: parent 2:1 limit 128p quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 20: parent 2:2 limit 128p quantum 1514b perturb 10sec
 Sent 2134 bytes 13 pkts (dropped 0, overlimits 0)
qdisc sfq 30: parent 2:3 limit 128p quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)


Many thanks
Scott

Asked: fourlightson

1 Solution
Nopius commented:
http://lartc.org/howto/lartc.qdisc.filters.html
Yes, you have queue disciplines, but you have no tc traffic filters, like this one (ICMP example):
tc filter add dev br0 parent 2:0 protocol ip prio 10 u32 match ip tos 0x10 0xff  flowid 2:3
 
fourlightson (Author) commented:
I was misunderstanding the egress/ingress direction of traffic; the above does work OK.
 
Nopius commented:
So it's your new question? :-)
Nopius commented:
fourlightson, could you confirm whether the suggested solution was correct or incorrect?

If you fixed the problem yourself before I started to work on it, it would be better to make a note here and provide your solution, so everyone could read it and I would not waste my time.

Thank you.
 
fourlightson (Author) commented:
Since this is a dual-NIC device, I needed to apply the TOS updates to traffic coming in on the internet-facing interface, so that when traffic hit br1 it was able to correctly classify it into one of the three PRIO bands. So the iptables rule would be updated as below, and it works OK.

You don't need to use tc filters, since the PRIO qdisc automatically honors the TOS field and will put traffic into one of the 3 bands which are created. And this TOS adjustment was done via the iptables rules.

iptables -t mangle -A PREROUTING -i vlan1 -d 192.168.2.0/24 -p udp --sport 53 -j TOS --set-tos Normal-Service
 
Nopius commented:
Hello, fourlightson.

> You don't need to use tc filters since the PRIO qdisc automatically honors the TOS field and will put traffic into one of the 3 bands which are created.

I agree with your solution partially: PRIO uses a predefined band selection without filters, according to the priomap.
http://securepoint.com/lists/html/LARTC/2007-06/msg00271.html

But this selection is kernel-version specific. So, to be sure of tc's choice, one should use filters :-)

This link might also be helpful for someone who will read your post: http://tldp.org/HOWTO/Traffic-Control-HOWTO/components.html
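The band selection Nopius describes above, and that fourlightson's three-band layout relies on, as an added example that is not part of the thread: a small Python helper reproducing the TOS-to-priority table from the LARTC HOWTO linked above (the mapping the kernel applies before the priomap) and reading the priomap out of the asker's own `tc -s qdisc ls dev br1` line, so you can check which class an unfiltered prio qdisc picks for a given TOS value before deciding whether an explicit tc filter is needed. The table values and the symbolic TOS names are taken from the LARTC and iptables documentation; as Nopius notes, other kernel versions may map differently.

```python
# Added example: TOS -> Linux priority -> prio band calculator.
# TOS2PRIO follows the LARTC HOWTO table (the kernel's ip_tos2prio); the
# priomap is parsed from a real `tc -s qdisc ls` prio line.
import re

# TC_PRIO_* values from the Linux pkt_sched.h header.
BESTEFFORT, FILLER, BULK, INTERACTIVE_BULK, INTERACTIVE = 0, 1, 2, 4, 6

# Indexed by the four TOS bits, (tos & 0x1E) >> 1. The odd rows (low TOS bit
# set) are listed as FILLER, as in the LARTC table.
TOS2PRIO = [
    BESTEFFORT, FILLER, BESTEFFORT, FILLER,             # 0x00 0x02 0x04 0x06
    BULK, FILLER, BULK, FILLER,                         # 0x08 .. 0x0e  Maximize-Throughput
    INTERACTIVE, FILLER, INTERACTIVE, FILLER,           # 0x10 .. 0x16  Minimize-Delay
    INTERACTIVE_BULK, FILLER, INTERACTIVE_BULK, FILLER, # 0x18 .. 0x1e
]

# Symbolic names accepted by the iptables TOS target, with their byte values.
IPTABLES_TOS = {
    "Normal-Service": 0x00, "Minimize-Cost": 0x02, "Maximize-Reliability": 0x04,
    "Maximize-Throughput": 0x08, "Minimize-Delay": 0x10,
}

def tos_to_priority(tos):
    """Linux skb priority derived from an IPv4 TOS byte (LARTC table)."""
    return TOS2PRIO[(tos & 0x1E) >> 1]

def parse_priomap(tc_line):
    """Return (handle, bands, priomap) from a `tc -s qdisc ls` prio line."""
    m = re.search(r"qdisc prio (\d+): bands (\d+) priomap((?:\s+\d+){16})", tc_line)
    if not m:
        raise ValueError("not a prio qdisc line")
    handle, bands = m.group(1), int(m.group(2))
    priomap = [int(x) for x in m.group(3).split()]
    if any(b >= bands for b in priomap):
        raise ValueError("priomap references a band that does not exist")
    return handle, bands, priomap

def band_for_tos(tos, tc_line):
    """Class (e.g. '2:1') an unfiltered prio qdisc selects for this TOS."""
    handle, _, priomap = parse_priomap(tc_line)
    return f"{handle}:{priomap[tos_to_priority(tos)] + 1}"  # bands 0-based, classes 1-based

# The prio line from the asker's `tc -s qdisc ls dev br1` output.
TC_LINE = "qdisc prio 2: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1"

if __name__ == "__main__":
    for name in ("Normal-Service", "Maximize-Throughput", "Minimize-Delay"):
        tos = IPTABLES_TOS[name]
        print(f"{name:20s} TOS 0x{tos:02x} -> class {band_for_tos(tos, TC_LINE)}")
```

With the asker's priomap this gives Normal-Service -> 2:2, Maximize-Throughput -> 2:3 and Minimize-Delay -> 2:1, matching the three sfq children; a TOS that is never rewritten before egress on br1 stays 0x00 and lands in 2:2, which is exactly the symptom in the question.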
