
I managed to discover an interesting issue: I'm not getting proper limiting with IPv4 traffic, but instead it works perfectly with IPv6.

This doesn't make much sense to me since I read this article: http://lartc.org/howto/lartc.adv-filter.ipv6.html

I've simplified down to the following bash script to do my throttling:

#!/bin/bash
set -x

DOWNLINK=375
UPLINK=375
DEV=eth0

# clean existing down- and uplink qdiscs
tc qdisc del dev $DEV root
tc qdisc del dev $DEV ingress

###### uplink
tc qdisc add dev $DEV root handle 1: htb default 20

# Add the classes
tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbps ceil ${UPLINK}kbps
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbps ceil ${UPLINK}kbps prio 1
tc class add dev $DEV parent 1:1 classid 1:20 htb rate $[9*$UPLINK/10]kbps ceil ${UPLINK}kbps prio 2

# both get Stochastic Fairness:
tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10

# TOS Minimum Delay gets higher prio (interactive traffic, ie ssh)
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
      match ip tos 0x10 0xff  flowid 1:10

# ICMP (ip protocol 1) in the interactive class 1:10 so we 
# can do measurements & impress our friends:
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
    match ip protocol 1 0xff flowid 1:10

# Add ack packets to the prio queue
tc filter add dev $DEV parent 1: protocol ip prio 10 u32 \
   match ip protocol 6 0xff \
   match u8 0x05 0x0f at 0 \
   match u16 0x0000 0xffc0 at 2 \
   match u8 0x10 0xff at 33 \
   flowid 1:10

########## downlink #############
# attach ingress policer:
tc qdisc add dev $DEV handle ffff: ingress

# filter *everything* to it (0.0.0.0/0), drop everything that's
# coming in too fast:
tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DOWNLINK}kbps burst 10k drop flowid :1

Here's the original script I was working with and I couldn't get it to work right:

#!/bin/bash
set -x

#start over
tc qdisc del dev eth0 handle ffff: ingress
tc qdisc del dev eth0 root

tc qdisc add dev eth0 root handle 1: htb default 30

tc class add dev eth0 parent 1: classid 1:1 htb rate 375kbps ceil 375kbps

#This is for ports 22, 80, 873 and 3400
tc class add dev eth0 parent 1:1 classid 1:22 htb rate 50kbps
tc class add dev eth0 parent 1:1 classid 1:80 htb rate 1kbps ceil 50kbps
tc class add dev eth0 parent 1:1 classid 1:873 htb rate 1kbps ceil 50kbps
tc class add dev eth0 parent 1:1 classid 1:3400 htb rate 25kbps ceil 50kbps

# My default
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 25kbps ceil 25kbps

tc qdisc add dev eth0 parent 1:22 handle 22: sfq perturb 10
tc qdisc add dev eth0 parent 1:80 handle 80: sfq perturb 10
tc qdisc add dev eth0 parent 1:873 handle 873: sfq perturb 10
tc qdisc add dev eth0 parent 1:3400 handle 3400: sfq perturb 10
tc qdisc add dev eth0 parent 1:30 handle 40: sfq perturb 10


# Port 80, 873, 3400 and 22 traffic
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip sport 80 0xffff flowid 1:80
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip sport 873 0xffff flowid 1:873
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip sport 3400 0xffff flowid 1:3400
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip sport 22 0xffff flowid 1:22

tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 375kbps burst 10k drop flowid :1

Interestingly enough, I discovered that they both work correctly FOR IPv6 CONNECTIONS ONLY. IPv4 continues to be UNTHROTTLED.

Interestingly enough, IPv4 traffic shows up in tc -s -d qdisc show dev eth0; it just doesn't shape or rate limit it. (Except ingress traffic, that rate limits perfectly.)

I just want to make that clear, as most people have the opposite problem.

Linux myserver.com 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:52:25 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

I am running dual stack with both IPv4 and IPv6, and require both to be active.

Any suggestions or help on how to get this working in at least IPv4 (prefer both)?

Regan W

1 Answer


tc -s -d -r filter show dev eth0 may say more about what filters match.

Ben Pilbrow
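To read the per-filter counters that tc -s -d -r filter show dev eth0 reports, it helps to know which packets each u32 rule selects. The following is an added example, not part of the original question or answer: a Python emulation of the first script's three uplink filters over constructed packets. The addresses, ports and helper names are assumptions made for illustration.

```python
import struct

ETH_P_IP, ETH_P_IPV6 = 0x0800, 0x86DD
DEFAULT_FLOWID = "1:20"  # "htb default 20" in the first script

# The first script's three uplink filters as (offset, width, value, mask)
# tests on the IP header; every one of them sends the packet to flowid 1:10.
FILTERS = [
    ("tos-min-delay", [(1, 1, 0x10, 0xFF)]),   # match ip tos 0x10 0xff
    ("icmp",          [(9, 1, 0x01, 0xFF)]),   # match ip protocol 1 0xff
    ("small-tcp-ack", [(9, 1, 0x06, 0xFF), (0, 1, 0x05, 0x0F),   # TCP, IHL=5
                       (2, 2, 0x0000, 0xFFC0), (33, 1, 0x10, 0xFF)]),  # len<64, ACK only
]

def u32_match(pkt, tests):
    """True if every (packet & mask) == value test holds; short packets fail."""
    for off, width, value, mask in tests:
        if off + width > len(pkt):
            return False
        field = int.from_bytes(pkt[off:off + width], "big")
        if field & mask != value:
            return False
    return True

def classify(ethertype, l3):
    """Return (flowid, rule name) for one outgoing packet."""
    if ethertype == ETH_P_IP:  # "protocol ip" filters are only tried on IPv4
        for name, tests in FILTERS:
            if u32_match(l3, tests):
                return "1:10", name
    return DEFAULT_FLOWID, "default"

def ipv4(proto, payload, tos=0):
    # Constructed 20-byte header (no options, checksum left at 0).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return hdr + payload

def ipv6(next_header, payload):
    addr = bytes.fromhex("20010db8" + "00" * 11 + "01")  # constructed 2001:db8::1
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      addr, addr)
    return hdr + payload

def tcp(flags, data=b""):
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, flags, 65535, 0, 0) + data

if __name__ == "__main__":
    print(classify(ETH_P_IP, ipv4(6, tcp(0x10))))    # bare IPv4 ACK
    print(classify(ETH_P_IPV6, ipv6(6, tcp(0x10))))  # same segment over IPv6
```
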