On Jan-26 2004, Mon, 22:14 -0500
jamal <hadi@xxxxxxxxxx> wrote:
> On Mon, 2004-01-26 at 10:24, Tomas Szepe wrote:
> > Actually, this is very much like what we're using IMQ for:
> >
> >                  +-----------+ eth1 --- \
> >                  | shaper    + eth2 ---  \
> >   Internet --- eth0 in bridge + .    ---   --- ... WAN (10 C's of customer IPs)
> >                  | setup     + .    ---  /
> >                  +-----------+ ethN --- /
> >
> > We're shaping single IPs and groups of IPs, applying tariff rates
> > on the sum of inbound and outbound flow (this last point, I'm told,
> > is the primary reason for our use of IMQ).
> This does not IMQ. I am going to type an example at the end of the
Thanks for your reply, Jamal. Unfortunately, we don't really understand
your example. Please see below.
> BTW, how are you going to do SNAT with bridging?
We aren't. :) We won't need bridging on those firewalls, it's only
necessary for the main shaper box. I apologize for not making that
clear in my previous post.
> The example below tries to show many things. Example sharing of
> policers across many flows within a device, and across devices.
> Also shows how to do it so that inbound and outbound are summed up.
What's the mechanism for matching the IPs? We need to insert
thousands of these rules and shape constant 20+ Mbit flow of
traffic. If it doesn't use a hash or similar, we're back to
where we started.
> # On the return path from internet to eth1, packets from
> # internet to 10.0.0.21 are forced to use policer index 1
> # and therefore ensuring that the bandwidth is allocated
> # is the sum of inbound and outbound for that flow ..
> # add ingress qdisc
> tc qdisc add dev eth1 ingress
> # one filter with a chain of actions:
> #   first give it a mark of 1,
> #   ensure policer index 1 is used,
> #   exceeded flows bound rate (mark 2, then mark 3, then drop)
> tc filter add dev eth1 parent ffff: protocol ip prio 1 \
>   u32 match ip src 10.0.0.21/32 flowid 1:15 \
>   action ipt -j mark --set-mark 1 index 2 \
>   action police index 1 rate 1kbit burst 9k pipe \
>   action ipt -j mark --set-mark 2 \
>   action police index 200 mtu 5000 rate 1kbit burst 10k pipe \
>   action ipt -j mark --set-mark 3 \
>   action police index 300 mtu 5000 rate 1kbit burst 90k drop
> # do something on eth0 with these firewall marks
> # example use them to send packets to different classes/queue
> # give priority to marks 1 then 2 then 3
> # now the return path to 10.0.0.21 ...
> tc qdisc add dev eth1 handle 1:0 root prio
> # note how exactly the same policer is used ("index 1")
> tc filter add dev eth1 parent 1:0 protocol ip prio 1 \
> u32 match ip dst 10.0.0.21/32 flowid 1:25 \
> action police index 1 rate 1kbit burst 9k pipe
Would you know of any real documentation on tc/ingress that
we could use to deconstruct this example and understand it?
At this moment we can only guess at what's happening. :(
Tomas Szepe <szepe@xxxxxxxxxxxxxxx>
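The two questions in the message above (how the IPs are matched when there are thousands of them, and how one policer ends up charging inbound plus outbound) can both be answered with a generator script. The following is an added example, not code from the thread or from either poster. It assumes the customers sit in one /24 behind one customer-facing NIC, so upstream traffic arrives on that NIC's ingress qdisc and downstream traffic leaves through its root qdisc; the names gen_rules, policer_index, hash_bucket, the policer index base 1000 and the hash table handles 10: and 20: are my own choices. Matching uses the u32 hash-table form from the LARTC HOWTO (a 256-bucket table keyed on the last octet of the address at IP header offset 12 for source, 16 for destination), so each packet costs one bucket probe instead of a walk over every rule, and the downstream filter binds the police action by index only, which is what makes both directions drain the same token bucket.

```shell
#!/bin/sh
# Added example, not from the thread: print the tc commands that police the
# SUM of a customer's inbound and outbound traffic, for many customer IPs,
# using u32 hash tables so the kernel does one bucket probe per packet
# instead of walking thousands of "match ip src" rules.
#
# Assumptions (mine, not the posters'): customers live in one /24 ($NET)
# behind one NIC ($DEV); upstream traffic arrives on $DEV's ingress qdisc and
# downstream traffic leaves via $DEV's root qdisc. Policer indexes are
# 1000 + last octet; hash tables are 10: (ingress) and 20: (egress).

# Policer index for an IP: base + last octet, unique per customer, so both
# directions can refer to the same action.
policer_index() {
    last=${1##*.}
    echo $(( $2 + last ))
}

# u32 hash bucket: with "hashkey mask 0x000000ff" on the address word the
# kernel folds the packet into bucket <last octet>; tc writes buckets in hex.
hash_bucket() {
    printf '%02x' "${1##*.}"
}

# One 256-bucket hash table plus the root rule that hashes every packet of
# $net into it. $dir is "src" (address at IP header offset 12) or "dst"
# (offset 16).
emit_table() {
    dev=$1 parent=$2 ht=$3 dir=$4 net=$5
    case $dir in
        src) off=12 ;;
        dst) off=16 ;;
        *) echo "bad direction: $dir" >&2; return 1 ;;
    esac
    echo "tc filter add dev $dev parent $parent prio 1 handle $ht protocol ip u32 divisor 256"
    echo "tc filter add dev $dev parent $parent prio 1 protocol ip u32 ht 800:: match ip $dir $net hashkey mask 0x000000ff at $off link $ht"
}

# gen_rules DEV NET RATE BURST IP...   (prints the commands, runs nothing)
gen_rules() {
    dev=$1 net=$2 rate=$3 burst=$4
    shift 4
    echo "tc qdisc add dev $dev ingress"
    echo "tc qdisc add dev $dev root handle 1: prio"
    emit_table "$dev" ffff: 10: src "$net"
    emit_table "$dev" 1: 20: dst "$net"
    for ip in "$@"; do
        idx=$(policer_index "$ip" 1000)
        b=$(hash_bucket "$ip")
        # Upstream (customer -> Internet): creates policer $idx with the
        # customer's tariff rate; over-rate packets are dropped.
        echo "tc filter add dev $dev parent ffff: prio 1 protocol ip u32 ht 10:$b: match ip src $ip/32 action police index $idx rate $rate burst $burst drop"
        # Downstream (Internet -> customer): index only, no rate, so tc binds
        # the policer created above (tc-actions(8): an existing index is
        # reused). Both directions now consume one token bucket.
        echo "tc filter add dev $dev parent 1: prio 1 protocol ip u32 ht 20:$b: match ip dst $ip/32 flowid 1:1 action police index $idx"
    done
}

# Stand-alone use: sh gen.sh eth1 10.0.0.0/24 1mbit 20k 10.0.0.21 10.0.0.22 | sh
if [ $# -ge 5 ]; then
    gen_rules "$@"
fi
```

The script only prints commands, so the output can be reviewed before it is piped to sh on the shaper. Two caveats a deployment would need: the last-octet hash key assumes one /24 per table, so for several customer networks each /24 needs its own pair of table handles (the example hard-codes 10: and 20:), and a shared policer enforces a combined token bucket, not exact per-period byte accounting, so tariff billing still needs counters (for example `tc -s action ls action police`) read separately.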