QoS/Install

Kernel

Warning: Most of the kernel options listed below are not strictly required; the selection is not optimal and reflects the author's own preferences and custom needs.

Compile your kernel, install and boot it.

Kernel 2.4

First get the latest 2.4 or 2.6 kernel and put it into /usr/src. Then make the symlink /usr/src/linux point to it.

Next, for a 2.4 kernel you must get the POM (patch-o-matic) patches from http://netfilter.org/ and patch the kernel. The CVS password is: cvs. (Access via CVS doesn't work at the moment...)

 cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login
 cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic co netfilter/userspace netfilter/patch-o-matic
 ./netfilter/patch-o-matic/runme extra

When patching is done you must enable some options in your kernel. If the options don't exist, run the POM patch once again.

Linux Kernel Configuration: Kernel 2.4
Networking options  --->
  QoS and/or fair queueing  --->
    [*] QoS and/or fair queueing
    <M>   HTB packet scheduler
    <M>   SFQ queue
    [*]   QoS support
    [*]     Rate estimator
    [*]   Packet classifier API
    <M> Firewall based classifier
    [*] Traffic policing (needed for in/egress)
  IP: Netfilter Configuration  --->
    <M> Connection tracking (required for masq/NAT)
    <M> IP tables support (required for filtering/masq/NAT)
    <M>   limit match support
    <M>   MAC address match support
    <M>   Packet type match support
    <M>   netfilter MARK match support
    <M>   Multiple port match support
    <M>   TOS match support
    <M>   random match support
    <M>   recent match support
    <M>   ECN match support
    <M>   DSCP match support
    <M>   AH/ESP match support
    <M>   LENGTH match support
    <M>   TTL match support
    <M>   tcpmss match support
    <M>   Helper match support
    <M>   Connection state match support
    <M>   Connection mark match support
    <M>   Connection tracking match support
    <M>   Unclean match support (EXPERIMENTAL)
    <M>   Owner match support (EXPERIMENTAL)
    <M>   Packet filtering
    <M>     REJECT target support
    <M>     MIRROR target support (EXPERIMENTAL)
    <M>   Full NAT
    <M>     MASQUERADE target support
    <M>     REDIRECT target support
    <M>     Basic SNMP-ALG support (EXPERIMENTAL)
    <M>   Packet mangling
    <M>     TOS target support
    <M>     ECN target support
    <M>     DSCP target support
    <M>     MARK target support
    <M>   LOG target support
    <M>   CONNMARK target support
    <M>   ULOG target support
    <M>   TCPMSS target support
    <M> ARP tables support
    <M>   ARP packet filtering
    <M>   ARP payload mangling

Kernel 2.6

Linux Kernel Configuration: Kernel 2.6 (Ex. gentoo-sources 2.6.11-gentoo-r6)
Device Drivers  --->
  Networking support  --->
    Networking options  --->
      QoS and/or fair queueing  --->
        <M>   HTB packet scheduler
        <M>   SFQ queue
        [*]   QoS support
        [*]     Rate estimator
        [*]   Packet classifier API
        <M> Firewall based classifier
        [*] Traffic policing (needed for in/egress)
      [*] Network packet filtering (replaces ipchains)  --->
        IP: Netfilter Configuration  --->
          <*> Connection tracking (required for masq/NAT)
          <*> Userspace queueing via NETLINK
          <*> IP tables support (required for filtering/masq/NAT)
          <*>   limit match support
          <*>   IP range match support
          <*>   MAC address match support
          <*>   Packet type match support
          <*>   netfilter MARK match support
          <*>   Multiple port match support
          <*>   TOS match support
          <*>   recent match support
          <*>   ECN match support
          <*>   DSCP match support
          <*>   AH/ESP match support
          <*>   LENGTH match support
          <*>   TTL match support
          <*>   tcpmss match support
          <*>   Helper match support
          <*>   Connection state match support
          <*>   Connection tracking match support
          <*>   Owner match support
          <*>   Packet filtering
          <*>     REJECT target support
          <*>   LOG target support
          <*>   ULOG target support
          <*>   TCPMSS target support
          <*>   Full NAT
          <*>     MASQUERADE target support
          <*>     REDIRECT target support
          <*>     NETMAP target support
          <*>     SAME target support
          <*>   Packet mangling
          <*>     TOS target support
          <*>     ECN target support
          <*>     DSCP target support
          <*>     MARK target support
          <*>     CLASSIFY target support
          <M>   raw table support (required for NOTRACK/TRACE)
          <M>     NOTRACK target support
          <*> ARP tables support
          <*>   ARP packet filtering
          <*>   ARP payload mangling

From kernel 2.6.14 on the settings are arranged a bit differently. Here's how to enable them:

Linux Kernel Configuration: Kernel 2.6.14 (and above)
Networking  --->
  Networking options  --->
    [*] Network packet filtering (replaces ipchains)  --->
      IP: Netfilter Configuration  --->
        <*> Connection tracking (required for masq/NAT)
        <*> Userspace queueing via NETLINK
        <*> IP tables support (required for filtering/masq/NAT)
        <*>   limit match support
        <*>   IP range match support
        <*>   MAC address match support
        <*>   Packet type match support
        <*>   netfilter MARK match support
        <*>   Multiple port match support
        <*>   TOS match support
        <*>   recent match support
        <*>   ECN match support
        <*>   DSCP match support
        <*>   AH/ESP match support
        <*>   LENGTH match support
        <*>   TTL match support
        <*>   tcpmss match support
        <*>   Helper match support
        <*>   Connection state match support
        <*>   Connection tracking match support
        <*>   Owner match support
        <*>   Packet filtering
        <*>     REJECT target support
        <*>   LOG target support
        <*>   ULOG target support
        <*>   TCPMSS target support
        <*>   Full NAT
        <*>     MASQUERADE target support
        <*>     REDIRECT target support
        <*>     NETMAP target support
        <*>     SAME target support
        <*>   Packet mangling
        <*>     TOS target support
        <*>     ECN target support
        <*>     DSCP target support
        <*>     MARK target support
        <*>     CLASSIFY target support
        <M>   raw table support (required for NOTRACK/TRACE)
        <M>     NOTRACK target support
        <*> ARP tables support
        <*>   ARP packet filtering
        <*>   ARP payload mangling
    QoS and/or fair queueing  --->
      <M>   HTB packet scheduler
      <M>   SFQ queue
      [*]   QoS support
      [*]     Rate estimator
      [*]   Packet classifier API
    <M> Firewall based classifier
    [*] Traffic policing (needed for in/egress)

Iptables

It should come as no surprise that you need iptables: emerge -av net-firewall/iptables. We will use iptables to mark packets for shaping later on, but first we should set up a basic NAT router. This setup is not secure at all; it is merely an example showing how to set up NAT:

File: insecure_firewall.sh
# Constants
LOCALNET="192.168.1.0/255.255.255.0"

# Setting policy (the default policy is ACCEPT so you don't really need
# this section unless you set the default policy to DROP; that policy is
# NOT recommended for other chains but the INPUT and FORWARD chains
# in the filter table, and SOMETIMES in the OUTPUT)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT

# Flushing all tables
iptables -t filter -F
iptables -t mangle -F
iptables -t nat    -F
iptables -t raw    -F # (optional)

# Masquerading
iptables -t nat -A POSTROUTING -s $LOCALNET -o eth1 -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -d $LOCALNET -j ACCEPT

# Enable kernel forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Again, you really should not be using the above script. It is included only for completeness. You should probably read Linux 2.4 Stateful Firewall design (good for 2.6 kernels too) to aid you in creating a properly secured firewall. Shorewall is a package that configures iptables for you, and you should use that (or something like it) if you don't want to get knee-deep in iptables' syntax.
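A stateful, deny-by-default counterpart to the script above, added here as an example (it is not from the wiki page or its author). It assumes eth0 faces the LAN and eth1 faces the modem, as in the page's scripts, and keeps the same LOCALNET; setting IPT=echo prints the rule set instead of applying it.

```shell
#!/bin/sh
# Added example (not from the wiki page): stateful, deny-by-default version of
# insecure_firewall.sh. Assumptions: eth0 = LAN side, eth1 = WAN side, and
# LOCALNET is the same 192.168.1.0/24 the page uses.
LOCALNET="192.168.1.0/255.255.255.0"
LAN=eth0
WAN=eth1
# Hook so the rule set can be reviewed without touching the kernel: IPT=echo
IPT=${IPT:-iptables}

firewall_rules() {
    # Start from clean tables, then deny by default on the chains that matter
    # (INPUT, FORWARD); the router's own OUTPUT stays ACCEPT, as the page advises
    $IPT -t filter -F
    $IPT -t nat    -F
    $IPT -t mangle -F
    $IPT -P INPUT   DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT  ACCEPT

    # Loopback, and replies to flows conntrack already knows about
    $IPT -A INPUT   -i lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Malformed or out-of-window packets are dropped before anything else
    $IPT -A INPUT   -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP

    # Anti-spoofing: a packet claiming a LAN source must not arrive from the WAN
    $IPT -A INPUT   -i $WAN -s $LOCALNET -j DROP
    $IPT -A FORWARD -i $WAN -s $LOCALNET -j DROP

    # Services on the router itself are reachable from the LAN only
    $IPT -A INPUT -i $LAN -s $LOCALNET -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LOCALNET -p icmp -j ACCEPT

    # Only LAN hosts may open NEW connections, and only towards the WAN
    $IPT -A FORWARD -i $LAN -o $WAN -s $LOCALNET -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -s $LOCALNET -o $WAN -j MASQUERADE
}

# Review check: how many rules ACCEPT something that entered on the WAN side?
# With the rule set above the answer must be 0 (only tracked replies get in).
wan_accept_count() {
    IPT=echo firewall_rules | grep -- "-i $WAN" | grep -c ACCEPT
}

if [ "$1" = "apply" ]; then
    firewall_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward
else
    IPT=echo firewall_rules   # dry run: print what would be applied
fi
```

Run it with no arguments to review the rules first; `apply` loads them and enables forwarding.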

Next are the iptables rules used to mark packets a certain priority:

File: /etc/init.d/qos.iptables
#!/bin/bash
#  Created/Hacked together by Rudy Grigar.
#  2008-04-26
#
#     NOTE: This script only marks packets for queues (using iptables).
#            TC, SFQ, and HTB are all needed to shape the
#            marked packets. The U32 classifier from TC could also
#            be used to mark packets, but it's overly complex and iptables works fine.
#
#  SOURCES: http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/implementation.html
#           http://www.gentoo-wiki.info/HOWTO_Packet_Shaping
#           http://lartc.org/
#           http://lartc.org/wondershaper/wondershaper-1.1a.tar.gz 

## Device
# This is the interface we want to do shaping on
# (i.e. eth1 is directly connected to my cable modem)
DEV=eth1

## Allow us to view the status of our QoS setup quickly
# /etc/init.d/qos.iptables status
if [ "$1" = "status" ]
then
        echo "[iptables]"
        iptables -t mangle -L -v -x 2> /dev/null
        exit
fi

# Delete the mangle iptables rules
iptables -t mangle -F 2> /dev/null > /dev/null

## Exit if asked to stop, otherwise continue
if [ "$1" = "stop" ] 
then 
        echo "QoS iptables marking removed on $DEV."
        exit
fi

# Priority marks -
# just for cleanliness
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"

## Setting priority marks with iptables
## Prio 1
# icmp
iptables -t mangle -A FORWARD -p icmp -j MARK --set-mark $MARKPRIO1
iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark $MARKPRIO1
# ssh
iptables -t mangle -A INPUT -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
iptables -t mangle -A FORWARD -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
# non tcp (this means games that use UDP will always be prio1)
iptables -t mangle -A FORWARD -p ! tcp -j MARK --set-mark $MARKPRIO1
iptables -t mangle -A OUTPUT -p ! tcp -j MARK --set-mark $MARKPRIO1
### - End Priority 1


## Prio 2 - GAMES
# CS:S (appears to only care about udp traffic)
# WoW
iptables -t mangle -A FORWARD -p tcp --sport 3724 -j MARK --set-mark $MARKPRIO2
iptables -t mangle -A FORWARD -p tcp --dport 3724 -j MARK --set-mark $MARKPRIO2
# Warcraft III 
iptables -t mangle -A FORWARD -p tcp --dport 6112 -j MARK --set-mark $MARKPRIO2
iptables -t mangle -A FORWARD -p tcp --sport 6112 -j MARK --set-mark $MARKPRIO2
# note: this is a nonstandard wc3 port (used for hosting with more than 1 box)
iptables -t mangle -A FORWARD -p tcp --dport 6119 -j MARK --set-mark $MARKPRIO2
iptables -t mangle -A FORWARD -p tcp --sport 6119 -j MARK --set-mark $MARKPRIO2
### - End Priority 2


## Prio 3
# http
iptables -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3
# https
iptables -t mangle -A FORWARD -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3
# smtp
iptables -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
### - End Priority 3


## Prio 4
# packets > 1024 bytes
iptables -t mangle -A FORWARD -p tcp -m length --length 1024: -j MARK --set-mark $MARKPRIO4
# bittorrent - defaults
# these also double as the blizzard downloader ports
iptables -t mangle -A FORWARD -p tcp --sport 6881:6889 -j MARK --set-mark $MARKPRIO4
iptables -t mangle -A OUTPUT -p tcp --sport 6881:6889 -j MARK --set-mark $MARKPRIO4
iptables -t mangle -A FORWARD -p tcp --dport 6881:6889 -j MARK --set-mark $MARKPRIO4
iptables -t mangle -A OUTPUT -p tcp --dport 6881:6889 -j MARK --set-mark $MARKPRIO4

# bittorrent - network specific
# these are the ports used for bittorrent on MY network, unless you use the exact same
# ones, i recommend you change them.
iptables -t mangle -A FORWARD -p tcp --dport 53331 -j MARK --set-mark $MARKPRIO4
iptables -t mangle -A FORWARD -p tcp --dport 50002 -j MARK --set-mark $MARKPRIO4
iptables -t mangle -A FORWARD -p tcp --sport 53331 -j MARK --set-mark $MARKPRIO4
iptables -t mangle -A FORWARD -p tcp --sport 50002 -j MARK --set-mark $MARKPRIO4
# these are the bt ports used on the router (hence the INPUT chain)
iptables -t mangle -A INPUT -p tcp --dport 53341:53351 -j MARK --set-mark $MARKPRIO4
### - End Priority 4


## Remaining packets are marked according to TOS
iptables -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Delay -m mark --mark 0 -j MARK --set-mark $MARKPRIO1
iptables -t mangle -A FORWARD -p tcp -m tos --tos Maximize-Throughput -m mark --mark 0 -j MARK --set-mark $MARKPRIO2
iptables -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Cost -m mark --mark 0 -j MARK --set-mark $MARKPRIO4
### - End TOS

Explanation and notes

Alternate method: CLASSIFY target

Instead of using the MARK target in the FORWARD or OUTPUT chains, you can use the CLASSIFY target in the POSTROUTING chain. The following is an example of classifying outgoing ssh traffic (port 22) to HTB class 1:101 (high priority as you will see later in this howto):

iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j CLASSIFY --set-class 1:101

For more information on the CLASSIFY target: Iptables Tutorial: CLASSIFY Target

HTB/SFQ

To set up HTB you need iproute2: emerge -av sys-apps/iproute2. Strictly speaking you need the tc program, which is included in the iproute2 package.

Run this script to create the four qdiscs and set them up. It creates the HTB/SFQ classes and the ingress policer. It works well on my home (Comcast cable) connection and currently only limits egress/upload traffic.

File: /etc/init.d/qos.htb
#!/bin/bash
#  Created/Hacked together by Rudy Grigar.
#  2008-04-26
#
#     NOTE: This script needs kernel support for
#            SFQ, HTB, and tc from the iproute2 package.
#            This script doesn't mark packets, it only
#            shapes already marked traffic. See qos.iptables
#            for examples of marking traffic.
#
#  SOURCES: http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/implementation.html
#           http://www.gentoo-wiki.info/HOWTO_Packet_Shaping
#           http://lartc.org/
#           http://lartc.org/wondershaper/wondershaper-1.1a.tar.gz 

## Device
# This is the interface we want to do shaping on
# (i.e. ppp0 is directly connected to my cable modem)
DEV=ppp0

## Rates - Set these to match your set up!
# Note: ACTUAL rates almost always differ from advertised rates,
#        test your connection speed and tweak UPRATE and DOWNRATE
#        to your needs. The four guaranteed rates below add up to
#        UPRATE; they must not exceed it or HTB cannot honour the
#        guarantees. The diagram further down shows the nominal
#        figures these values were tuned down from.
UPRATE="365kbit"    # This is the maximum ACTUAL upload rate available 
P2PRATE="215kbit"   # This is the maximum arbitrary ceiling used for priority 4 / p2p applications
PRIORATE1="155kbit" # Guaranteed rate for prio1 traffic (nominally 160kbit)
PRIORATE2="123kbit" # Guaranteed rate for prio2 traffic (nominally 128kbit)
PRIORATE3="60kbit"  # Guaranteed rate for prio3 traffic (nominally 64kbit)
PRIORATE4="27kbit"  # Guaranteed rate for prio4 traffic (nominally 32kbit)

# Note: DOWNRATE is only used if i can figure out a way to set it up 
#        without IMQ, since IMQ isn't in the kernel.  I have seen
#        a few ways to mimic IMQ with a dummy device that I'm still
#        working on adding to the script.
DOWNRATE="8500kbit" # This is the maximum ACTUAL download rate available
# Note: Since I'm too lazy to set up imq/dummy device ingress shaping
#        I will just use DOWNTHROTTLE to limit all downloads at a certain
#        speed. This appears to work fine for my home network, but it is
#        not an ideal solution since ingress UDP and ICMP traffic should 
#        have priority over ingress TCP. DOWNTHROTTLE should be *less* 
#        than actual DOWNRATE (1000kbit less works for me, your mileage
#        may vary).
DOWNTHROTTLE="7500kbit"

## Allow us to view the status of our QoS setup quickly
# /etc/init.d/qos.htb status
if [ "$1" = "status" ]
then
        echo "[qdisc]"
        tc -s qdisc show dev $DEV
        echo "[class]"
        tc -s class show dev $DEV
        echo "[filter]"
        tc -s filter show dev $DEV
        exit
fi

## Reset everything to a known state (cleared)
# Remove previous tc rules
tc qdisc del dev $DEV root	2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress	2> /dev/null > /dev/null

## Exit if asked to stop, otherwise continue
if [ "$1" = "stop" ] 
then 
        echo "HTB/QOS Shaping removed on $DEV."
        exit
fi

# Priority marks -
# just for cleanliness
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"

##############
## Don't mess with this stuff unless you know what you're doing...
## I've tried to explain it a little bit, though :)
##############
# Set queue length for DEV
ifconfig $DEV txqueuelen 512

## Set up the queue
# Note:  For a better explanation of how HTB works 
#        visit http://www.opalsoft.net/qos/DS-28.htm
#        (the figures in this diagram are the nominal ones; the
#        variables set above are what actually gets applied)
#
#         .-  UPRATE  -.        - maximum ACTUAL uprate we specify (384k)
#        /    /    \    \     
#     PRIO1 PRIO2 PRIO3 PRIO4   - rates we specified for priorate{1-4}
#      160k  128k   64k   32k   - these are the guaranteed rates 
#     CEIL  CEIL  CEIL  CEIL    - if we aren't maxing out each priority 
#      384k  384k  384k  220k     we can borrow up to the ceil, but as
#                                 soon as a higher priority needs bandwidth
#                                 it will be able to 'steal' it back

# Specify queue discipline (HTB)
# http://www.docum.org/docum.org/faq/cache/10.html has some info on shaping
# rules, but so does google. "default 103" tells the root qdisc that
# unmarked traffic should be placed in the PRIO3 bucket.
tc qdisc add dev $DEV root handle 1: htb default 103

# Set root class
# Note:  This sets the top/root of the queue tree
tc class add dev $DEV parent 1: classid 1:1 htb rate $UPRATE ceil $UPRATE burst 8k
# Specify sub classes
# Note:  These are the prio{1-4} nodes from the diagram above
tc class add dev $DEV parent 1:1 classid 1:101 htb rate $PRIORATE1 ceil $UPRATE burst 2k prio 0
tc class add dev $DEV parent 1:1 classid 1:102 htb rate $PRIORATE2 ceil $UPRATE burst 2k prio 1
tc class add dev $DEV parent 1:1 classid 1:103 htb rate $PRIORATE3 ceil $UPRATE burst 2k prio 2
tc class add dev $DEV parent 1:1 classid 1:104 htb rate $PRIORATE4 ceil $P2PRATE burst 2k prio 3

# Filter packets
# Note:  This puts the packets in the proper priority class
tc filter add dev $DEV parent 1: protocol ip prio 0 handle $MARKPRIO1 fw classid 1:101
tc filter add dev $DEV parent 1: protocol ip prio 1 handle $MARKPRIO2 fw classid 1:102
tc filter add dev $DEV parent 1: protocol ip prio 2 handle $MARKPRIO3 fw classid 1:103
tc filter add dev $DEV parent 1: protocol ip prio 3 handle $MARKPRIO4 fw classid 1:104

# Add queuing disciplines
tc qdisc add dev $DEV parent 1:101 handle 101: sfq 
tc qdisc add dev $DEV parent 1:102 handle 102: sfq
tc qdisc add dev $DEV parent 1:103 handle 103: sfq
tc qdisc add dev $DEV parent 1:104 handle 104: sfq

####
# Ingress shaping, not sure how well this actually works yet..
####

# Example iptables rule:
#  iptables -A PREROUTING -i $DEV -t mangle -p tcp --sport 80 -j MARK --set-mark 1
tc qdisc add dev $DEV handle ffff: ingress
# Match all traffic...
tc filter add dev $DEV parent ffff: protocol ip prio 5 u32 match ip src 0.0.0.0/0 police rate $DOWNTHROTTLE burst 32k drop flowid :1

echo "Outbound shaping added to $DEV.  Rate: ${UPRATE}/sec."
echo "                             P2P Rate: ${P2PRATE}/sec."
echo "                           PRIO1 Rate: ${PRIORATE1}/sec."
echo "                           PRIO2 Rate: ${PRIORATE2}/sec."
echo "                           PRIO3 Rate: ${PRIORATE3}/sec."
echo "                           PRIO4 Rate: ${PRIORATE4}/sec."
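The borrowing behaviour sketched in the script's comments, worked through as a small model of the four classes qos.htb creates (added example, not code from the wiki page). The allocation rule is a deliberate simplification of real HTB: each class first gets min(demand, rate), then the leftover of UPRATE is lent out in prio order without exceeding any class's ceil; it assumes the guaranteed rates sum to at most UPRATE, which holds for the values on the page.

```shell
#!/bin/sh
# Added example (not from the wiki page): simplified model of HTB sharing
# for the class tree in qos.htb. All rates are in kbit/s.
UPRATE=365
# classid  rate  ceil  prio   (values from qos.htb: ceil 365 = UPRATE, 215 = P2PRATE)
CLASSES="1:101 155 365 0
1:102 123 365 1
1:103  60 365 2
1:104  27 215 3"

# htb_allocate D101 D102 D103 D104  -> prints "classid kbit" per class,
# where Dxxx is how much each class is trying to send (kbit/s)
htb_allocate() {
    printf '%s\n' "$CLASSES" | awk -v uprate="$UPRATE" -v d="$*" '
    BEGIN { split(d, demand, " ") }
    { id[NR] = $1; rate[NR] = $2 + 0; ceil[NR] = $3 + 0; prio[NR] = $4 + 0 }
    END {
        remaining = uprate + 0
        # step 1: every class is served up to its guaranteed rate
        for (i = 1; i <= NR; i++) {
            want[i] = demand[i] + 0
            got[i] = (want[i] < rate[i]) ? want[i] : rate[i]
            remaining -= got[i]
        }
        # step 2: what is left is lent out, prio 0 first, never past ceil;
        # a higher prio class taking its share first is the "steal back"
        for (p = 0; p <= 3; p++)
            for (i = 1; i <= NR; i++) {
                if (prio[i] != p) continue
                cap = (want[i] < ceil[i]) ? want[i] : ceil[i]
                extra = cap - got[i]
                if (extra > remaining) extra = remaining
                if (extra > 0) { got[i] += extra; remaining -= extra }
            }
        for (i = 1; i <= NR; i++) printf "%s %d\n", id[i], got[i]
    }'
}

# Constructed scenario: a little ssh (prio1), no games, and both a web upload
# (prio3) and a torrent (prio4) trying to push 400 kbit/s each.
htb_allocate 50 0 400 400
```

In that scenario prio3 borrows everything prio1 and prio2 leave unused, while prio4 stays at its 27 kbit/s guarantee; with only the torrent active (0 0 0 400) it climbs to the 215 kbit/s P2PRATE ceiling and no further.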

L7-filter

L7-filter attempts to be a more general classifier than ipp2p. See L7-filter for more information.

Retrieved from "http://www.gentoo-wiki.info/QoS/Install"

Last modified: Thu, 28 Aug 2008 15:38:00 +1000