2

On my server I'm attempting to set up traffic shaping, and if I'm doing it for either IPv4 or IPv6, things are just fine: All filter rules for that particular protocol are installed. However, when attempting to shape both, I'm getting errors, and some of the filter rules are rejected with the following error message:

Error: Filter with specified priority/protocol not found.
We have an error talking to the kernel, -1

Doing a little bit of tinkering with the tc rules I found the following peculiarity: When I have just either IPv4 or IPv6 shaping active, I can enable the filter with the highest priority of the other protocol, and it still works, but as soon as I attempt to add more, the ones of a lower priority are rejected with the aforementioned error message.

So figuring that this could be some obscure limit on the number of filters that can be attached, I commented out the two rules with the lowest priorities for each protocol and left the two with the highest priorities enabled, but that didn't help, either. Only the rule with the highest priority in the other block (which is IPv6, because the rules for IPv4 are installed first) is installed, the one with the lower priority gets rejected.

Then I attempted to do it the other way round, uncommented all rules for one of the protocols and commented out everything for the other protocol except the rule with the lowest priority, but that got rejected as well.

TL;DR: Attempting to shape network traffic on both IPv4 and IPv6 is met with failure, because attempting to install several filters with different handles and priorities obviously provokes some sort of collision that only allows the filter with the highest priority to be installed.

The relevant part of the script is this:

/sbin/tc qdisc add dev eth0 root handle 1:0 htb default 16
/sbin/tc class add dev eth0 parent 1:0 classid 1:20 htb rate 102000kbit ceil 102000kbit
/sbin/tc class add dev eth0 parent 1:20 classid 1:1 htb rate 25kbit ceil 102000kbit prio 0 quantum 3000
/sbin/tc class add dev eth0 parent 1:20 classid 1:2 htb rate 25kbit ceil 102000kbit prio 1 quantum 3000
/sbin/tc class add dev eth0 parent 1:20 classid 1:3 htb rate 10200kbit ceil 102000kbit prio 2 quantum 3000
/sbin/tc class add dev eth0 parent 1:20 classid 1:4 htb rate 20400kbit ceil 102000kbit prio 3 quantum 3000
/sbin/tc class add dev eth0 parent 1:20 classid 1:16 htb rate 71350kbit ceil 102000kbit prio 4 quantum 3000
/sbin/tc qdisc add dev eth0 parent 1:4 hhf
/sbin/tc qdisc add dev eth0 parent 1:16 hhf
/sbin/tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 1/0xF fw flowid 1:1
/sbin/tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 2/0xF fw flowid 1:2
/sbin/tc filter add dev eth0 parent 1:0 prio 2 protocol ip handle 3/0xF fw flowid 1:3
/sbin/tc filter add dev eth0 parent 1:0 prio 3 protocol ip handle 4/0xF fw flowid 1:4
/sbin/tc filter add dev eth0 parent 1:0 prio 0 protocol ipv6 handle 1/0xF fw flowid 1:1
/sbin/tc filter add dev eth0 parent 1:0 prio 1 protocol ipv6 handle 2/0xF fw flowid 1:2
/sbin/tc filter add dev eth0 parent 1:0 prio 2 protocol ipv6 handle 3/0xF fw flowid 1:3
/sbin/tc filter add dev eth0 parent 1:0 prio 3 protocol ipv6 handle 4/0xF fw flowid 1:4

I'm using iptables to mark the network packets appropriately for the filters.

  • Priority 0: Small packets (up to 128 bytes in size) and DNS (also ICMP for IPv6 NDP)
  • Priority 1: Interactive SSH
  • Priority 2: Portmapper/NFS
  • Priority 3: IPsec
  • Bulk traffic doesn't have a dedicated filter and gets the lowest priority.

Right now I'm at a loss what could be going wrong here. If I've made a mistake here, I currently don't see the forest for the trees.

Anton Danilov
Robidu

1 Answer

4

The filter priority isn't family specific.

So, your commands to create filters should look like:

/sbin/tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 1/0xF fw flowid 1:1
/sbin/tc filter add dev eth0 parent 1:0 prio 2 protocol ip handle 2/0xF fw flowid 1:2
/sbin/tc filter add dev eth0 parent 1:0 prio 3 protocol ip handle 3/0xF fw flowid 1:3
/sbin/tc filter add dev eth0 parent 1:0 prio 4 protocol ip handle 4/0xF fw flowid 1:4
/sbin/tc filter add dev eth0 parent 1:0 prio 5 protocol ipv6 handle 1/0xF fw flowid 1:1
/sbin/tc filter add dev eth0 parent 1:0 prio 6 protocol ipv6 handle 2/0xF fw flowid 1:2
/sbin/tc filter add dev eth0 parent 1:0 prio 7 protocol ipv6 handle 3/0xF fw flowid 1:3
/sbin/tc filter add dev eth0 parent 1:0 prio 8 protocol ipv6 handle 4/0xF fw flowid 1:4
Anton Danilov
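The check below is an added example, not part of the answer or the original script: it lints `tc filter add` lines for a priority that is requested for more than one protocol on the same device and parent. The function names are made up here. Priority 0 is skipped because tc treats it as a request for a kernel-assigned priority, which is consistent with the question's observation that the first ipv6 filter was accepted.

```sh
# Added example: lint "tc filter add" lines for a prio shared by two protocols.
find_prio_collisions() {
    awk '
    $1 ~ /(^|\/)tc$/ && $2 == "filter" && $3 == "add" {
        dev = parent = prio = proto = ""
        for (i = 4; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            else if ($i == "parent") parent = $(i + 1)
            else if ($i == "prio" || $i == "pref") prio = $(i + 1)
            else if ($i == "protocol") proto = $(i + 1)
        }
        # prio 0 (or none) means "kernel, pick one", so it cannot be compared.
        if (proto == "" || prio + 0 == 0) next
        key = dev " " parent " " prio
        if (!(key in first)) { first[key] = proto; next }
        if (first[key] != proto && !((key, proto) in seen)) {
            seen[key, proto] = 1
            printf "dev %s parent %s prio %s: %s collides with %s\n",
                   dev, parent, prio, proto, first[key]
        }
    }'
}
# Filter lines copied from the question.
question_filters() { cat <<'EOF'
/sbin/tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 1/0xF fw flowid 1:1
/sbin/tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 2/0xF fw flowid 1:2
/sbin/tc filter add dev eth0 parent 1:0 prio 2 protocol ip handle 3/0xF fw flowid 1:3
/sbin/tc filter add dev eth0 parent 1:0 prio 3 protocol ip handle 4/0xF fw flowid 1:4
/sbin/tc filter add dev eth0 parent 1:0 prio 0 protocol ipv6 handle 1/0xF fw flowid 1:1
/sbin/tc filter add dev eth0 parent 1:0 prio 1 protocol ipv6 handle 2/0xF fw flowid 1:2
/sbin/tc filter add dev eth0 parent 1:0 prio 2 protocol ipv6 handle 3/0xF fw flowid 1:3
/sbin/tc filter add dev eth0 parent 1:0 prio 3 protocol ipv6 handle 4/0xF fw flowid 1:4
EOF
}
# Filter lines copied from the answer.
answer_filters() { cat <<'EOF'
/sbin/tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 1/0xF fw flowid 1:1
/sbin/tc filter add dev eth0 parent 1:0 prio 2 protocol ip handle 2/0xF fw flowid 1:2
/sbin/tc filter add dev eth0 parent 1:0 prio 3 protocol ip handle 3/0xF fw flowid 1:3
/sbin/tc filter add dev eth0 parent 1:0 prio 4 protocol ip handle 4/0xF fw flowid 1:4
/sbin/tc filter add dev eth0 parent 1:0 prio 5 protocol ipv6 handle 1/0xF fw flowid 1:1
/sbin/tc filter add dev eth0 parent 1:0 prio 6 protocol ipv6 handle 2/0xF fw flowid 1:2
/sbin/tc filter add dev eth0 parent 1:0 prio 7 protocol ipv6 handle 3/0xF fw flowid 1:3
/sbin/tc filter add dev eth0 parent 1:0 prio 8 protocol ipv6 handle 4/0xF fw flowid 1:4
EOF
}
echo "question:"; question_filters | find_prio_collisions
echo "answer:";   answer_filters | find_prio_collisions
```

Piping a real shaping script into `find_prio_collisions` before running it shows which filters would share a priority across protocols.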