My goal is to limit bandwidth per system user with tc, IMQ interfaces and iptables. Right now I have a problem with bulk downloads (i.e. scp) that create lag on interactive programs such as the SSH server.
This is my config:
# UPLOAD # OUTBOUND #  (imq0: HTB tree, unclassified traffic falls into 1:11)
tc qdisc add dev imq0 root handle 1:0 htb default 11
tc class add dev imq0 parent 1:0 classid 1:1 htb rate 700kbit ceil 700kbit
# 1:10 = interactive (fw mark 10), 1:11 = bulk (fw mark 11)
tc class add dev imq0 parent 1:1 classid 1:10 htb rate 450kbit ceil 700kbit prio 0
tc class add dev imq0 parent 1:1 classid 1:11 htb rate 250kbit ceil 250kbit prio 1
tc filter add dev imq0 parent 1:0 prio 0 protocol ip handle 10 fw flowid 1:10
tc filter add dev imq0 parent 1:0 prio 1 protocol ip handle 11 fw flowid 1:11
# DOWNLOAD # INBOUND #  (imq1: same tree under major number 2)
tc qdisc add dev imq1 root handle 2:0 htb default 11
# the parent class has to be 2:1, since the child classes below reference it
# (the original line created classid 2:2, which nothing references)
tc class add dev imq1 parent 2:0 classid 2:1 htb rate 7000kbit ceil 7000kbit
tc class add dev imq1 parent 2:1 classid 2:10 htb rate 4500kbit ceil 7000kbit prio 0
tc class add dev imq1 parent 2:1 classid 2:11 htb rate 2500kbit ceil 2500kbit prio 1
tc filter add dev imq1 parent 2:0 prio 0 protocol ip handle 10 fw flowid 2:10
tc filter add dev imq1 parent 2:0 prio 1 protocol ip handle 11 fw flowid 2:11
# inbound: queue to imq1 (note: this runs before the mark is restored on the next line)
iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 1
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# outbound: mark by packet size first, then by owning user (MARK does not terminate, hence the RETURNs)
iptables -t mangle -N IMQ-OUT
iptables -t mangle -A POSTROUTING -o eth0 -j IMQ-OUT
iptables -t mangle -A IMQ-OUT -p tcp -m length --length :64 -j MARK --set-mark 10
iptables -t mangle -A IMQ-OUT -p tcp -m length --length :64 -j RETURN
iptables -t mangle -A IMQ-OUT -m owner --uid-owner root -j MARK --set-mark 10
iptables -t mangle -A IMQ-OUT -m owner --uid-owner root -j RETURN
iptables -t mangle -A IMQ-OUT -m owner --uid-owner test1 -j MARK --set-mark 11
iptables -t mangle -A IMQ-OUT -m owner --uid-owner test1 -j RETURN
# store the mark in the conntrack entry so the inbound side can restore it, then queue to imq0
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -o eth0 -j IMQ --todev 0
Classes and filters after executing the config:
tc class show dev imq0
class htb 1:11 parent 1:1 prio 1 rate 250000bit ceil 700000bit burst 1599b cburst 1599b
class htb 1:10 parent 1:1 prio 0 rate 450000bit ceil 700000bit burst 1600b cburst 1599b
class htb 1:1 root rate 700Kbit ceil 700Kbit burst 1600b cburst 1600b
tc filter show dev imq0
filter parent 1: protocol ip pref 1 fw
filter parent 1: protocol ip pref 1 fw handle 0xb classid 1:11
filter parent 1: protocol ip pref 49152 fw
filter parent 1: protocol ip pref 49152 fw handle 0xa classid 1:10
I was trying to add an SFQ qdisc like this:
# tc qdisc add dev imq0 parent 1:10 handle 10:0 sfq perturb 10
# tc qdisc add dev imq0 parent 1:11 handle 11:0 sfq perturb 10
# tc qdisc add dev imq1 parent 2:10 handle 10:0 sfq perturb 10
# tc qdisc add dev imq1 parent 2:11 handle 11:0 sfq perturb 10
but this freezes my computer (a reboot is needed).
I'm new to this topic; any help is appreciated.
You can use the connbytes tc option. It will count the total number of bytes of the connection, upload and download.
For example, the scp issue would be solved this way:
Place the above lines in place of this one:
However, you will need to take care with "restore-mark" and "save-mark": you don't want the TCP/22 mark 10 to be restored; you want connbytes to count and take the decision before marking.
You can then change this line this way:
Becomes:
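The marking scheme this answer describes, written out as a complete script: this is an added example, not the answer's own rules (which are missing from this page) nor the original poster's config. It keeps the per-user owner marking and the tc trees from the question (fw handles 10 and 11 on imq0/imq1), and adds a connbytes match that demotes any connection past a byte threshold to the bulk mark, after CONNMARK --restore-mark and before the IMQ target, so the demotion wins over the restored mark. Everything not on the page is an assumption: the chain names QOS-OUT/QOS-IN, the 1 MiB threshold, mark 10 = interactive and 11 = bulk, eth0 as the WAN interface, and "test1" as the bulk user. It also places --restore-mark before the IMQ target on the inbound side, which the config in the question does not.

```shell
#!/bin/sh
# Added example (not from the original post): per-user HTB marking plus an
# iptables connbytes rule that moves any connection that has already carried
# more than BULK_BYTES into the bulk class, so an scp session over TCP/22
# stops competing with keystrokes in the interactive class.
# Assumptions (hypothetical): marks 10 = interactive, 11 = bulk;
# imq0 = upload, imq1 = download; WAN is eth0; "test1" is the bulk user;
# 1 MiB threshold; chain names QOS-OUT / QOS-IN.
# Default IPT only prints the rules; run with IPT=iptables as root to apply.

IPT=${IPT:-"echo iptables"}
WAN=${WAN:-eth0}
BULK_BYTES=${BULK_BYTES:-1048576}
MARK_INTERACTIVE=10
MARK_BULK=11

# Rules shared by both directions.  They must run after CONNMARK
# --restore-mark so that connbytes can override the mark the connection
# carried so far.  MARK is non-terminating, hence the explicit RETURNs.
demote_bulk_rules() {
    chain=$1
    # A flow that has already moved BULK_BYTES (both directions counted)
    # is bulk, whoever owns it and whatever port it uses.
    $IPT -t mangle -A "$chain" -m connbytes --connbytes "$BULK_BYTES": \
        --connbytes-dir both --connbytes-mode bytes \
        -j MARK --set-mark "$MARK_BULK"
    $IPT -t mangle -A "$chain" -m mark --mark "$MARK_BULK" -j RETURN
    # Tiny TCP segments (ACKs, keystrokes) stay interactive.
    $IPT -t mangle -A "$chain" -p tcp -m length --length :64 \
        -j MARK --set-mark "$MARK_INTERACTIVE"
    $IPT -t mangle -A "$chain" -p tcp -m length --length :64 -j RETURN
}

mangle_rules() {
    # Outbound.  The owner match only sees locally generated packets, so
    # the per-user decision is taken here and saved in the conntrack entry.
    $IPT -t mangle -N QOS-OUT
    demote_bulk_rules QOS-OUT
    $IPT -t mangle -A QOS-OUT -m owner --uid-owner root -j MARK --set-mark "$MARK_INTERACTIVE"
    $IPT -t mangle -A QOS-OUT -m owner --uid-owner root -j RETURN
    $IPT -t mangle -A QOS-OUT -m owner --uid-owner test1 -j MARK --set-mark "$MARK_BULK"
    $IPT -t mangle -A QOS-OUT -m owner --uid-owner test1 -j RETURN

    $IPT -t mangle -A POSTROUTING -o "$WAN" -j CONNMARK --restore-mark
    $IPT -t mangle -A POSTROUTING -o "$WAN" -j QOS-OUT
    $IPT -t mangle -A POSTROUTING -o "$WAN" -j CONNMARK --save-mark
    $IPT -t mangle -A POSTROUTING -o "$WAN" -j IMQ --todev 0

    # Inbound.  Restore the mark decided on the outbound side, let connbytes
    # override it, save it back, and only then queue to imq1.  (In the
    # config from the question the IMQ target runs before --restore-mark,
    # so imq1 classifies a packet that still carries no mark.)
    $IPT -t mangle -N QOS-IN
    demote_bulk_rules QOS-IN
    $IPT -t mangle -A PREROUTING -i "$WAN" -j CONNMARK --restore-mark
    $IPT -t mangle -A PREROUTING -i "$WAN" -j QOS-IN
    $IPT -t mangle -A PREROUTING -i "$WAN" -j CONNMARK --save-mark
    $IPT -t mangle -A PREROUTING -i "$WAN" -j IMQ --todev 1
}

mangle_rules
```

Run it as `sh qos-mark.sh` to see the rule list, or `IPT=iptables sh qos-mark.sh` as root to apply it on top of the tc trees from the question. The threshold is the only knob that matters for the scp case: an interactive session takes a long time to cross 1 MiB, while scp crosses it within seconds and then drops into 1:11/2:11 for the rest of the transfer. The connbytes match relies on conntrack byte accounting; on older kernels that has to be switched on with `sysctl net.netfilter.nf_conntrack_acct=1` (newer kernels enable it when the match is loaded), otherwise the rule never fires.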
I was digging around the problem, so:
I had to add another tc class to download and upload, let's call them interactive classes, and add filters
and changed to a lower priority.
Now non-bulk traffic goes to up 1:12 / down 2:12; no more problems with lagging.