# comprehension about tc

## maxwellnina

Hi every body 

As I'm running as a small isp with around 200 clients with (7MB Download/2MB upload) and Megabyte Ethernet Network cards 

some clients are abusing others with dangerous usage of p2p programs ,then as I would like not to stop them downloading but prioritize so that 

my gentoo gateway/firewall can limit them with shaping ,i made some search and among solution i got this http://www.securityfocus.com/infocus/1285

So after reading this page 

talking about usage of tc for trafic shaping i tried to implement it in my gentoo case,but unfortunately i think i'm not

wise enough to get it work ,so please i would like you people to give me some help to understand what this exactly means 

```

The script should be started right after the firewall policy script during the initialization fase of the firewall. Depending on the distribution, put the two in /etc/rc.d/init.d and link to them from the runlevel directory of simply call the scripts from the /etc/rc.d/rc.local script.

The script will first create a root class and a class that defines a 64kbit link in the 10Mbit Ethernet link. Our four traffic classes are derived from that class by calling the script's add_class function. Note the last argument of the function. It can make the class 'bounded', which means that the class will not be able to borrow bandwidth from other classes. 
```

How probably how one can apply this example on gentoo

and why not suggest me a more cool thing i can apply   :Idea: 

                                                                                thanks in advance

----------

## ecroy

Whow! I'd suggest to stay away from that article as it seems a _bit_ outdated (ipchains was linux kernel 2.2). As you seem to be doing that stuff not only for your own private use I think it would be good to understand a bit of linux traffic control first - it's not that hard. Try reading chapter 9 of Linux Advanced Routing & Traffic Control for some basics. Admittedly it is rather old as well but the important concepts are well described therein. I further strongly suggest to use HTB as queuing discipline and do the filtering via the iptables CLASSIFY target. If you need further help I could give you a small example.

After you have some working script doing what you want it is trivial to get it started from the gentoo init system - you could either just put in the /etc/conf.d/local.start or (the more proper solution) write your own little init script, looking something like:

```
#!/sbin/runscript

depend() {

        need net

}

start() {

        ebegin "Starting traffic control"

        /path/to/your/tc/script

        eend $?

}
```

putting it for example into /etc/init.d/tc make it executable by 

```
chmod u+x /etc/init.d/tc
```

 and adding it to your default runlevel via 

```
rc-update add tc default
```

----------

## maxwellnina

thank you very much  ecroy to give me some help

I really appreciate and I will also very interested if you can provide me with some HTB examples

talking about this particular example i already have a  firewall script already running "/etc/init.d/firewall"  so i made the shaping one 

"/etc/init.d/tc" so according to  this manual 

The tc script should started right after the firewall policy script during the initialization fase of the firewall. so I was looking the way to make tc  start

after the firewall or it doesn't matter.

thanks in advance for your futher help

----------

## alex.blackbit

of course ecroy is right, understanding the basics is a good idea.

if you want some quick results, try e.g. shorewall, it's a quite nice frontend for iptables and tc, lately even with proper ipv6 support.

----------

## ecroy

You should check the fine gentoo initscript documentation

As for the HTB-example, here you go (assuming you have 200 clients, eth0 is your the interface to your upstream provider and eth1 the one to your clients):

```
# add qdiscs to both interfaces

tc qdisc add dev eth0 root handle 1: htb default 1000

tc qdisc add dev eth1 root handle 1: htb default 1000

# add root class

tc class add dev eth0 parent 1: classid 1:100 htb rate ${MAX_SPEED_UP}kbit ceil ${MAX_SPEED_UP}kbit

tc class add dev eth1 parent 1: classid 1:100 htb rate ${MAX_SPEED_DOWN}kbit ceil ${MAX_SPEED_DOWN}kbit

# add default class (should not get much traffic)

/sbin/tc class add dev eth0 parent 1:100 classid 1:1000 htb rate 128kbit ceil ${MAX_SPEED_UP}kbit prio 3 quantum 1500

/sbin/tc class add dev eth1 parent 1:100 classid 1:1000 htb rate 128kbit ceil ${MAX_SPEED_DOWN}kbit prio 3 quantum 1500

# add iptables chains for upstream and downstream traffic

iptables -t mangle -N classifyup

iptables -t mangle -N classifydown

iptables -t mangle -A POSTROUTING -o eth0 -j classifyup

iptables -t mangle -A POSTROUTING -o eth1 -j classifydown

# for each client add a class and an iptables filter

for ((i=0;i<200;i++)); do

   tc class add dev eth0 parent 1:100 classid 1:$((1001+i)) htb rate ${CLIENT_RATE_UP[i]}kbit ceil ${CLIENT_CEIL_UP[i]}kbit prio 3 quantum 1500

   tc class add dev eth1 parent 1:100 classid 1:$((1001+i)) htb rate ${CLIENT_RATE_DOWN[i]}kbit ceil ${CLIENT_CEIL_DOWN[i]}kbit prio 3 quantum 1500

   iptables -t mangle -A classifyup -s ${CLIENT_IP[i]} -j CLASSIFY --set-class 1:$((1001+i))

   iptables -t mangle -A classifyup -s ${CLIENT_IP[i]} -j RETURN

   iptables -t mangle -A classifydown -d ${CLIENT_IP[i]} -j CLASSIFY --set-class 1:$((1001+i))

   iptables -t mangle -A classifydown -d ${CLIENT_IP[i]} -j RETURN

done
```

The code above should get you going pretty well, of course you need the values for the variables from somewhere.

For MAX_SPEED_UP and MAX_SPEED_DOWN you should try about 95% of your rated bandwidth in kbit/s.

The client-specific arrays CLIENT_RATE_UP, CLIENT_RATE_DOWN should be some value which add up to not more than MAX_SPEED_UP respectively MAX_SPEED_DOWN but are not to low either - you could for example use just $((MAX_SPEED_UP/200)) and $((MAX_SPEED_DOWN/200)).

As for the CLIENT_CEIL_UP and CLIENT_CEIL_DOWN: those are the maximum speeds you want to assign to each customer.

Well and you can probably figure out what CLIENT_IP should be   :Wink: 

----------

## maxwellnina

Hi ecroy 

Seems to me "concerning to your script" that every client have the same bandwith (or maybe i'm wrong)  but in my case i have for example 5 types of services (upload/download in kb/s:64/64; 64/128; 64/256; 128/384 & 256/512)

so while reading lartc document http://www.linux-france.org/prj/inetdoc/ (french is my first language   :Rolling Eyes:  )

to understand more about shaping can you please give help me with more explanation and more examples taking in account my specific case

ha by the way concerning gentoo initscript documentation after reading i came up with this :

in my /etc/init.d/tc script seams ok for you if to start the script after the first firewall script (/etc/init.d/firewall)

i add this inside at top ?

```
#

!/sbin/runscript

depend() {

        use net

        after firewall

} 

start() {

        ebegin "Starting shaping"

```

or use the full path (stupid question but need to know)

```

!/sbin/runscript

depend() {

        use net

        after /etc/init.d/firewall

} 

start() {

        ebegin "Starting shaping"

```

thank you

----------

## ecroy

If you have a look at the script again you will notice that the rates and ceils for the clients are actually arrays, so for your case you would need something like

```
CLIENT_CEIL_UP[0]=64

CLIENT_CEIL_UP[1]=128

...

CLIENT_CEIL_DOWN[0]=64

CLIENT_CEIL_DOWN[1]=384

...
```

For every client the according speed values. As indicated in my last post you're probably ok setting the CLIENT_RATE values equal for all customers. You can further differentiate the service classes via the prio and quantum parameters (see lartc.org for documentation).

Of course - this is just a basic example to get you started - in reality you would probably make the whole thing database-driven so to fetch the speeds and IPs via some SQL-commands. Then again maybe bash is to cumbersome for that - just use whatever scripting language is most familiar to you.

As for the initscript dependencies I would say that "need net" would be better than "use net" because traffic control is not of much use without networking  :Smile:  The "after firewall" is probably ok and no, you don't have to specify full paths within the depend section of your initscript.

----------

## maxwellnina

thanks ecroy 

I will read more to master the thing in case of problem will come back with questions 

dont hesitate if you have more stuff wchich can give me some help

----------

## maxwellnina

Hi all

 after some read I came up with this script please I need your help to correct or improve it

hey ecroy please tell  me something

Here I assume that "eth1" is my interface to Internet & "eth0" interface to my clients

and with a total Bandwidth of 3Mbits/s Download and 1Mbits/s Upload

 Let go inside the script "/etc/init.d/shaping"

```
 

#!/sbin/runscript

# Copyright 1999-2009 Gentoo Foundation

# Distributed under the terms of the GNU General Public License v2

# $Header: $

depend() {

        need net

        after firewall

}

start() {

         ebegin "Starting shaping"

#!/bin/bash

# Author  Maxwell

##HTB Tree

#                       +-----------+

#                       | root   1: |

#                       +-----------+

#                             |

#               +---------------------------------------+

#               |          class 1:1                    |

#               +---------------------------------------+                                                       

#                |       |      |      |      |          

#               +----+ +----+ +----+ +----+ +----+

#               |1:10| |1:11| |1:12| |1:13| |1:14|

#               +----+ +----+ +----+ +----+ +----+

# Location of the commands

TC=/sbin/tc

# interfaces

IFCUSTOMER=eth0

IFINTERNET=eth1

#Maximum Speed UP & Down 

# Upload Ceil "MAX_SPEED_UP" 95% of Upload (1024kbits/s * 95% =973)

MAX_SPEED_UP=973

#Download Ceil  "MAX_SPEED_DOWN" 95% of Download (3072kbits/s * 95% =2920)

MAX_SPEED_DOWN=2920

#Flush existing rules

echo "flush existing rules";

$TC qdisc del dev $IFINTERNET root >/dev/null 2>&1

$TC qdisc del dev $IFINTERNET ingress >/dev/null 2>&1

$TC qdisc del dev $IFCUSTOMER root >/dev/null 2>&1

$TC qdisc del dev $IFCUSTOMER ingress >/dev/null 2>&1

echo "start classify";

#add qdisc to both interfaces

# On creer une qdisc racine sur les peripheriques eth0 & eth1 avec identifiant (handle) 1: qui utilise htb

#ainsi tout traffic non classe ira vers la classe ayant le numero mineur 14 (1:14) 

#Any classless traffic will automaticly bind  with the minor number 14 (1:14)

$TC qdisc add dev $IFCUSTOMER root handle 1: htb default 14

$TC qdisc add dev $IFINTERNET root handle 1: htb default 14

#Parent class wich contains others Classes

$TC qdisc add dev $IFCUSTOMER parent 1: classid 1:1 htb rate ${MAX_SPEED_DOWN}kbit ceil ${MAX_SPEED_DOWN}kbit

$TC qdisc add dev $IFINTERNET parent 1: classid 1:1 htb rate ${MAX_SPEED_UP}kbit ceil ${MAX_SPEED_UP}kbit

#class 1:10 with max prio 40% of bandwith [ssh,dns,http,https,Packets with bit SYN enable...]

$TC qdisc add dev $IFINTERNET parent 1:1 classid 1:10 htb rate 384kbit ceil 640kbit prio 0

$TC qdisc add dev $IFCUSTOMER parent 1:1 classid 1:10 htb rate 1168kbit ceil 1536kbit prio 0

#class 1:11 with 25% of bandwith [Sip,IAX & NAT Services ]

$TC qdisc add dev $IFINTERNET parent 1:1 classid 1:11 htb rate 244kbit ceil ${MAX_SPEED_UP}kbit prio 1

$TC qdisc add dev $IFCUSTOMER parent 1:1 classid 1:11 htb rate 730kbit ceil ${MAX_SPEED_DOWN}kbit prio 1

#class 1:12 with 20% of bandwith [pop3,smtp & TOS Minimize-cost] 

$TC qdisc add dev $IFINTERNET parent 1:1 classid 1:12 htb rate 192kbit ceil ${MAX_SPEED_UP}kbit prio 2

$TC qdisc add dev $IFCUSTOMER parent 1:1 classid 1:12 htb rate 584kbit ceil ${MAX_SPEED_DOWN}kbit prio 2

#class 1:13 with 10% of bandwith [TOS Maximize-Throughput & Internal Local Process...]

$TC qdisc add dev $IFINTERNET parent 1:1 classid 1:13 htb rate 97kbit ceil ${MAX_SPEED_UP}kbit prio 3

$TC qdisc add dev $IFCUSTOMER parent 1:1 classid 1:13 htb rate 292kbit ceil ${MAX_SPEED_DOWN}kbit prio 3

#class 1:14 with 5% of bandwith [P2P] 

$TC qdisc add dev $IFINTERNET parent 1:1 classid 1:14 htb rate 48kbit ceil ${MAX_SPEED_UP}kbit prio 4

$TC qdisc add dev $IFCUSTOMER parent 1:1 classid 1:14 htb rate 146kbit ceil ${MAX_SPEED_DOWN}kbit prio 4

##Some of these classes will have a sfq queue discipline attached to them to dispatch their packets

#IFINTERNET

$TC qdisc add dev $IFINTERNET parent 1:12 handle 120: sfq perturb 10

$TC qdisc add dev $IFINTERNET parent 1:13 handle 130: sfq perturb 10

$TC qdisc add dev $IFINTERNET parent 1:14 handle 140: sfq perturb 10

#IFCUSTOMER

$TC qdisc add dev $IFCUSTOMER parent 1:12 handle 120: sfq perturb 10

$TC qdisc add dev $IFCUSTOMER parent 1:13 handle 130: sfq perturb 10

$TC qdisc add dev $IFCUSTOMER parent 1:14 handle 140: sfq perturb 10

#Let classify packets

$TC filter add dev $IFCUSTOMER parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10

$TC filter add dev $IFCUSTOMER parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11

$TC filter add dev $IFCUSTOMER parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12

$TC filter add dev $IFCUSTOMER parent 1:0 protocol ip prio 4 handle 4 fw classid 1:13

$TC filter add dev $IFCUSTOMER parent 1:0 protocol ip prio 5 handle 5 fw classid 1:14

eend $?

}

stop() {

        ebegin "Stopping shaping"

        eend $?

}

```

and this is the part I pretend to add to my firewall script "/etc/init.d/firewall" on Mangle section

```

#!/sbin/runscript

# Copyright 1999-2009 Gentoo Foundation

# Distributed under the terms of the GNU General Public License v2

# $Header: $

depend() {

        need net

}

start() {

        ebegin "Starting firewall"

#!/bin/bash

# Author Maxwell

##Mangle Section

##We use RETURN to avoid packets to cross the entire rules

##PREROUTING

$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1

$IPTABLES -t mangle -A PREROUTING -p icmp -j RETURN

#TOS Marks

$IPTABLES -t mangle -A PREROUTING -m tos --tos Minimize-delay -j MARK --set-mark 0x1

$IPTABLES -t mangle -A PREROUTING -m tos --tos Minimize-delay -j RETURN

$IPTABLES -t mangle -A PREROUTING -m tos --tos Minimize-cost -j MARK --set-mark 0x2

$IPTABLES -t mangle -A PREROUTING -m tos --tos Minimize-cost -j RETURN

$IPTABLES -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 0x3

$IPTABLES -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j RETURN

#ssh,dns,http,https

$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --sports 22,53,80,443 -j MARK --set-mark 0x1

$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --sports 22,53,80,443 -j RETURN

#dns udp

$IPTABLES -t mangle -A PREROUTING -p udp -m udp --sport 53 -j MARK --set-mark 0x1

$IPTABLES -t mangle -A PREROUTING -p tcp -m udp --sport 53 -j RETURN

#Prioritize packets with SYN bit enable

$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1

$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN

#Sip,IAX,H323

$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --sports 389,1503,1718,1719,1720,1721,4569,5004,5060,5061,7060,10000 -j MARK --set-mark 0x2

$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --sports 389,1503,1718,1719,1720,1721,4569,5004,5060,5061,7060,10000 -j RETURN

#POP3,SMTP,IMAP."ssl"...

$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --sports 25,110,143,993,995 -j MARK --set-mark 0x3

$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --sports 25,110,143,993,995 -j RETURN

#P2P

$IPTABLES -t mangle -A PREROUTING -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j MARK --set-mark 0x5

$IPTABLES -t mangle -A PREROUTING -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j RETURN

$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 0x5

##OUTPUT

$IPTABLES -t mangle -A OUTPUT -p icmp -j MARK --set-mark 0x1

$IPTABLES -t mangle -A OUTPUT -p icmp -j RETURN

#TOS Marks

$IPTABLES -t mangle -A OUTPUT -m tos --tos Minimize-delay -j MARK --set-mark 0x1

$IPTABLES -t mangle -A OUTPUT -m tos --tos Minimize-delay -j RETURN

$IPTABLES -t mangle -A OUTPUT -m tos --tos Minimize-cost -j MARK --set-mark 0x2

$IPTABLES -t mangle -A OUTPUT -m tos --tos Minimize-cost -j RETURN

$IPTABLES -t mangle -A OUTPUT -m tos --tos Maximize-Throughput -j MARK --set-mark 0x3

$IPTABLES -t mangle -A OUTPUT -m tos --tos Maximize-Throughput -j RETURN

#ssh,dns,http,https

$IPTABLES -t mangle -A OUTPUT -p tcp -m multiport --dports 22,53,80,443 -j MARK --set-mark 0x1

$IPTABLES -t mangle -A OUTPUT -p tcp -m multiport --dports 22,53,80,443 -j RETURN

#dns udp

$IPTABLES -t mangle -A OUTPUT -p udp -m udp --dport 53 -j MARK --set-mark 0x1

$IPTABLES -t mangle -A OUTPUT -p tcp -m udp --dport 53 -j RETURN

#Prioritize packets with SYN bit enable

$IPTABLES -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1

$IPTABLES -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN

#Sip,IAX,H323

$IPTABLES -t mangle -A OUTPUT -p tcp -m multiport --dports 389,1503,1718,1719,1720,1721,4569,5004,5060,5061,7060,10000 -j MARK --set-mark 0x2

$IPTABLES -t mangle -A OUTPUT -p tcp -m multiport --dports 389,1503,1718,1719,1720,1721,4569,5004,5060,5061,7060,10000 -j RETURN

#POP3,SMTP,IMAP."ssl"...

$IPTABLES -t mangle -A OUTPUT -p tcp -m multiport --dports 25,110,143,993,995 -j MARK --set-mark 0x3

$IPTABLES -t mangle -A OUTPUT -p tcp -m multiport --dports 25,110,143,993,995 -j RETURN

#"P2P" As I were using ipp2p before will use it to mark p2p traffic

$IPTABLES -t mangle -A OUTPUT -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j MARK --set-mark 0x5

$IPTABLES -t mangle -A OUTPUT -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j RETURN

$IPTABLES -t mangle -A OUTPUT -j MARK --set-mark 0x5

.........

```

> very strange but is it normal to have default class on local interface (eth0) ? and what about Output stuff?

anyway let me know your comment ,analyse and add about this shaping script   :Embarassed: 

----------

## ecroy

I'd suggest using the iptables CLASSIFY target instead of MARK as it would simplify your setup a bit. With it you would not need the tc filters at all (which always were a bit cumbersome imho) and it's also more efficient. Of course you would need your iptables rules for both interfaces in that case, distinguishing between upstream and downstream traffic. If you want to keep using the fw MARK, I think you missed the tc filter commands for your $IFINTERNET.

I'm not sure I understood your question about the default class: qdiscs are interface specific and HTB uses a default class for all otherwise unclassified traffic - therefore you have one default class for every interface you are shaping on.

Oh, I just realized that you are using your iptables rules for the PREROUTING _and_ the OUTPUT chains. You should drop the stuff for the OUTPUT chain because this one is only for traffic originating from local processes and you surely won't be running kazaa on that machine   :Wink: . In other words: the traffic being forwarded through this machine passes the PREROUTING chain - and that's the only place you probably want your shaping to be in effect.

----------

## maxwellnina

Hi ecroy  you said :"If you want to keep using the fw MARK, I think you missed the tc filter commands for your $IFINTERNET."

can you please explain what is exactly wrong so i can avoid it in the future

Ok maybe was this :   :Rolling Eyes: 

```

#Let classify packets

$TC filter add dev $IFINTERNET parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10

$TC filter add dev $IFNTERNET parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11

$TC filter add dev $IFINTERNET parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12

$TC filter add dev $IFINTERNET parent 1:0 protocol ip prio 4 handle 4 fw classid 1:13

$TC filter add dev $IFINTERNET parent 1:0 protocol ip prio 5 handle 5 fw classid 1:14 

```

in the other hand I will follow you advice using CLASSIFY instead of MARK 

so fixme if I'm wrong ,i should remove all $TC filter add dev......

and just in any iptables rules have for example this one:

```

$IPTABLES -t mangle -A PREROUTING -p udp -m udp --sport 53 -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A PREROUTING -p tcp -m udp --sport 53 -j RETURN 

```

And finaly fixme again please :So in Simple word is not neccesary to use the OUTPUT 

and what about POSTROUTING ? because i was planing to add for example stuff like this :

```

##POSTROUTING exiting from IFCUSTOMER

$IPTABLES -t mangle -A POSTROUTING -p tcp -m multiport --dports 22,53,80,443 -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A POSTROUTING -p tcp -m multiport --dports 22,53,80,443 -j RETURN

$IPTABLES -t mangle -A POSTROUTING -p tcp -m multiport --sports 22,53,80,443 -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A POSTROUTING -p tcp -m multiport --sports 22,53,80,443 -j RETURN

##P2P with Layer7

$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto edonkey -j CLASSIFY --set-class 1:15

$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto edonkey -j RETURN

$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto fasttrack -j CLASSIFY --set-class 1:15

$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto fasttrack -j RETURN

$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto gnutella -j CLASSIFY --set-class 1:15

$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto gnutella -j RETURN

$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto audiogalaxy -j CLASSIFY --set-class 1:15

$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto gnutella -j RETURN

$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j CLASSIFY --set-class 1:15

$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto bittorrent -j RETURN

$IPTABLES -t mangle -A POSTROUTING -J MARK --set-class 1:15

```

Another thing tho test the whole thing I'am a bit perturb don't know exactly what to do I read about "tc-graph.pl and showl.pl" perl script

to visualize the shape have you ever use this kind of script? what do you suggest me and how to adapt any on my case?

Thanks for your help

----------

## ecroy

 *Quote:*   

> Ok maybe was this :

 

Yes, in your previous script you had the tc filter commands only for one of the interfaces.

 *Quote:*   

> so fixme if I'm wrong ,i should remove all $TC filter add dev...... 
> 
> and just in any iptables rules have for example this one: 

 Perfect!

 *Quote:*   

> because i was planing to add for example stuff like this : 

 

Looks good - assuming you actually add a class 1:15 (which was not there in your previous version). The last line (the one with -J MARK) is wrong/not needed. You normally won't need a 'catch-all' rule like this anyway because that's what the default parameter is for in the qdisc creation (all traffic not otherwise classified goes there).

Apart from that it should do what you want. If you are still uncertain about the difference between OUTPUT and POSTROUTING chan have a look at this picture to see how traffic traverses the different tables/chains.

As I don't use any of the visualization scripts you mentioned I cannot tell you much about them - but it is not difficult to set up some general purpose data logging/graphing package like rrdtool - in fact that's what I'm using. Although if you don't have more elaborate needs you could probably use one of the scripts you mentioned as well.

----------

## maxwellnina

hmm hmm

hi guys

very very strange i thought every thing was ok until when trying to implement the shaping script 

I came out with this error 

```

Unknown qdisc "classid", hence option "1:1" is unparsable

```

I'm sure that I forgot some thing during the kernel compile process but what ? I don't know so if you have an idea please just help me 

Thanks[/quote]

----------

## maxwellnina

he he he I think I got the trick 

I read the script once more and did a compare with example ecroy gave to me and then discover a fundamental difference 

before 

```

$TC qdisc add dev $IFCUSTOMER parent 1: classid 1:1 htb rate ${MAX_SPEED_DOWN}kbit ceil ${MAX_SPEED_DOWN}kbit

```

ecroy example

```
tc class add dev eth0 parent 1: classid 1:100 htb rate ${MAX_SPEED_UP}kbit ceil ${MAX_SPEED_UP}kbit 
```

change I made 

```
$TC class add dev $IFCUSTOMER parent 1: classid 1:1 htb rate ${MAX_SPEED_DOWN}kbit ceil ${MAX_SPEED_DOWN}kbit
```

I now seems ok

 :Shocked:  strange strange 

every thing very nice but iptables came out with pain some all with PREROUTING

have for example this rule

```
#$IPTABLES -t mangle -A PREROUTING -p tcp -m multiport --sports 22,53,80,443 -j CLASSIFY --set-class 1:10
```

iptables: Invalid argument

while the same rule just work nice with POSTROUTING

Any idea ?   :Rolling Eyes: 

----------

## ecroy

CLASSIFY only works in the mangle table and the POSTROUTING chain - if you think you really need it in the PREROUTING chain I'd say you misunderstood something and should think again (I didn't realize the mistake in your script the first time)

----------

## maxwellnina

You know what ecroy since your ideas allway get me out of problem 

I will try another thing base on your suggestion have a look and tell me somthing

```

# add iptables chains for upstream and downstream traffic

$IPTABLES -t mangle -N classifyup

$IPTABLES -t mangle -N classifydown

$IPTABLES -t mangle -A POSTROUTING -o eth1 -j classifyup

$IPTABLES -t mangle -A POSTROUTING -o eth0 -j classifydown 

#class and an iptables filter for each service

$IPTABLES -t mangle -A classifyup -p icmp -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A classifyup -p icmp -j RETURN

#TOS Marks

$IPTABLES -t mangle -A classifyup -m tos --tos Minimize-delay -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A classifyup -m tos --tos Minimize-delay -j RETURN

$IPTABLES -t mangle -A classifyup -m tos --tos Minimize-cost -j CLASSIFY --set-class 1:12

$IPTABLES -t mangle -A classifyup -m tos --tos Minimize-cost -j RETURN

$IPTABLES -t mangle -A classifyup -m tos --tos Maximize-Throughput -j CLASSIFY --set-class 1:13

$IPTABLES -t mangle -A classifyup -m tos --tos Maximize-Throughput -j RETURN

#ssh,dns,http,https

$IPTABLES -t mangle -A classifyup -p tcp -m multiport --sports 22,53,80,443 -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A classifyup -p tcp -m multiport --sports 22,53,80,443 -j RETURN

$IPTABLES -t mangle -A classifyup -p tcp -m multiport --dports 22,53,80,443 -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A classifyup -p tcp -m multiport --dports 22,53,80,443 -j RETURN

#dns udp

$IPTABLES -t mangle -A classifyup -p udp -m udp --sport 53 -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A classifyup -p udp -m udp --sport 53 -j RETURN

$IPTABLES -t mangle -A classifyup -p udp -m udp --dport 53 -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A classifyup -p tcp -m udp --dport 53 -j RETURN

#Prioritize packets with SYN bit enable

$IPTABLES -t mangle -A classifyup -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A classifyup -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN

#P2P

$IPTABLES -t mangle -A classifyup -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j CLASSIFY --set-class 1:15

$IPTABLES -t mangle -A classifyup -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j RETURN

........untill all i need......

#classyfydown this time

#ssh,dns,http,https

$IPTABLES -t mangle -A classifydown -p tcp -m multiport --sports 22,53,80,443 -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A classifydown -p tcp -m multiport --sports 22,53,80,443 -j RETURN

$IPTABLES -t mangle -A classifydown -p tcp -m multiport --dports 22,53,80,443 -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A classifydown -p tcp -m multiport --dports 22,53,80,443 -j RETURN

#dns udp

$IPTABLES -t mangle -A classifydown -p udp -m udp --sport 53 -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A classifydown -p udp -m udp --sport 53 -j RETURN

$IPTABLES -t mangle -A classifydown -p udp -m udp --dport 53 -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A classifydown -p tcp -m udp --dport 53 -j RETURN

#Prioritize packets with SYN bit enable

$IPTABLES -t mangle -A classifydown -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j CLASSIFY --set-class 1:10

$IPTABLES -t mangle -A classifydown -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN

#P2P

$IPTABLES -t mangle -A classifydown -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j CLASSIFY --set-class 1:15

$IPTABLES -t mangle -A classifydown -m ipp2p --kazaa --gnu --edk --dc --bit --apple --soul --winmx --ares -j RETURN

```

 :Embarassed:   :Embarassed: 

it's probably a mistake but dont have any others Ideas  any help will be appreciate

----------

