# SOLVED: Traffic control / shaping / tc filter

## DerReisende

Hi everybody,

I'm trying to do some traffic control on a network interface but after two days full of Google I'm really stuck.

Interface eth1 leads to a VPN appliance which is connected to internet by 1 MBit/sec sync. DSL.

This is what's on my mind:

1. Traffic to appliance itself is not to be limited (internal webserver for configuration)

2. Traffic to VPN is to be sent before traffic to appliance itself

3. Certain packets on VPN (especially Citrix) are to be sent before other VPN packets

At this time my script looks like this:

```
if=eth1

tc qdisc del dev $if root

tc qdisc add dev $if root handle 1: prio # default goes to handle 3:, which is intended

tc qdisc add dev $if parent 1:1 handle 2: htb # VPN

tc qdisc add dev $if parent 1:2 handle 3: sfq perturb 10 # Other traffic

tc class add dev $if parent 2: classid 2:1 htb rate 1000kbit burst 1400b # Limit VPN traffic to 1 MBit (slightly decreased)

tc qdisc add dev $if parent 2:1 handle 4: prio # Some packets shall go out first

tc qdisc add dev $if parent 4:1 handle 5: sfq perturb 10 # Citrix or whatsoever

tc qdisc add dev $if parent 4:2 handle 6: sfq perturb 10 # Other traffic

tc qdisc add dev $if parent 4:3 handle 7: sfq perturb 10 # Even less valuable traffic

```

Packets are being marked by iptables, which works fine.

My problem is: I can't figure out how to get my marked packets into qdisc 4:1. Are my classes/qdiscs correct? What would the tc filter command have to look like for correct class assignment?

When using "tc filter add dev eth1 pref 1 parent 1: protocol ip handle 0x457 fw flowid 4:1", packets appear in "class prio 1:1 parent 1: leaf 2:" instead of "class prio 4:1 parent 4: leaf 5:" (tc -s class show dev eth1).

Any help would be much appreciated!

Best wishes from Germany

Last edited by DerReisende on Mon Mar 03, 2008 9:37 am; edited 1 time in total

----------

## frostschutz

It's usually a bad idea to not put the rate limiting scheduler at the top. How can HTB guarantee a rate of 1000kbit if it does not control everything, i.e. there is other traffic that can take away bandwidth? Having a prio inside a prio again is questionable, without additional code it does not even have an effect because it will end up all in the same prio band. Then assigning SFQ to every child is dangerous; every SFQ is a queue by itself, by default it holds 128 packets, with three sfq queues you will hold up to 384 packets (read: in worst case 1 packet has to wait for 383 other packets to be sent first), introducing lag. You can limit the queue size with the limit parameter, but SFQ is always a fairness / lag tradeoff.

tc filters always go to the qdisc. So if you have a qdisc that is a child of a class of another qdisc, you need a filter for each qdisc. In other words, a filter of qdisc A can not put packets into a class of qdisc B. Instead A puts them in the class that has B assigned and then B puts it into its own class with its own filter. In other words, your parent 1: flowid 4: is wrong.

----------

## DerReisende

Using multiple tc filter commands for each qdisc, traffic control has finally been working fine for several days now. Latency improvement and connection reliability exceed all expectations.

For those who are interested in the final configuration:

```
if=eth1

tc qdisc del dev $if root

tc qdisc add dev $if root handle 1: prio priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

tc qdisc add dev $if parent 1:1 handle 2: htb default 1 # Everything except Sonicwall

tc qdisc add dev $if parent 1:2 handle 3: sfq perturb 10 # Sonicwall

tc class add dev $if parent 2: classid 2:1 htb rate 900kbit burst 1b # Everything except Sonicwall

tc qdisc add dev $if parent 2:1 handle 4: prio priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

tc qdisc add dev $if parent 4:1 handle 5: sfq perturb 10

tc qdisc add dev $if parent 4:2 handle 6: sfq perturb 10

tc qdisc add dev $if parent 4:3 handle 7: sfq perturb 10

tc filter add dev eth1 parent 1: pref 1 protocol ip handle 1 fw classid 1:1

tc filter add dev eth1 parent 2: pref 2 protocol ip handle 1 fw classid 2:1

tc filter add dev eth1 parent 4: pref 3 protocol ip handle 1 fw classid 4:1

tc filter add dev eth1 parent 1: pref 4 protocol ip handle 2 fw classid 1:2
```

Thanks for the reply!

----------
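Added example, not part of any post in this thread: a small sh/awk checker that reads tc commands as text and follows the fw filter for one mark from the root qdisc down, applying the rule from the reply above that every qdisc on the path needs its own filter and that a filter cannot name a class of another qdisc. The function names and the cut-down qdisc tree are constructed for illustration; the script never calls tc.

```sh
# trace_mark MARK: read tc commands on stdin and follow the fw filters for MARK
# from the root qdisc down. Returns 1 when the chain is broken.
trace_mark() {
    awk -v mark="$1" '
    { sub(/#.*/, "") }                          # ignore trailing comments
    $1 == "tc" && $2 == "qdisc" && $3 == "add" {
        par = hdl = kind = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "root")   par = "root"
            if ($i == "parent") par = $(i + 1)
            if ($i == "handle") { hdl = $(i + 1); kind = $(i + 2) }
        }
        child[par] = hdl; qtype[hdl] = kind     # class -> qdisc attached to it
    }
    $1 == "tc" && $2 == "filter" && $3 == "add" {
        par = hdl = cls = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "parent") par = $(i + 1)
            if ($i == "handle") hdl = $(i + 1)
            if ($i == "flowid" || $i == "classid") cls = $(i + 1)
        }
        if (hdl == mark) target[par] = cls      # qdisc -> class chosen for MARK
    }
    END {
        q = child["root"]
        while (qtype[q] == "prio" || qtype[q] == "htb") {   # classful qdiscs used in the thread
            c = target[q]
            if (c == "") { print path "no filter for mark " mark " on " q; exit 1 }
            if (index(c, q) != 1) { print path "filter on " q " names foreign class " c; exit 1 }
            path = path c " -> "; q = child[c]
        }
        print path qtype[q] " " q               # reached a classless leaf
    }'
}
# Constructed input: the thread's qdisc tree cut down to one branch (tc class lines omitted).
tree() { cat <<'EOF'
tc qdisc add dev eth1 root handle 1: prio
tc qdisc add dev eth1 parent 1:1 handle 2: htb default 1
tc qdisc add dev eth1 parent 2:1 handle 4: prio
tc qdisc add dev eth1 parent 4:1 handle 5: sfq perturb 10
EOF
}
first_attempt() { tree; echo 'tc filter add dev eth1 pref 1 parent 1: protocol ip handle 0x457 fw flowid 4:1'; }
per_qdisc() { tree; cat <<'EOF'
tc filter add dev eth1 parent 1: pref 1 protocol ip handle 1 fw classid 1:1
tc filter add dev eth1 parent 2: pref 2 protocol ip handle 1 fw classid 2:1
tc filter add dev eth1 parent 4: pref 3 protocol ip handle 1 fw classid 4:1
EOF
}
per_qdisc | trace_mark 1
```

Running `first_attempt | trace_mark 0x457` instead reports the filter from the first post and returns 1, because a filter attached to `parent 1:` names class `4:1`.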

