Forum Linux.noyau: QoS not working

Posted on 14 March 2009.
Hello,

My gateway/firewall runs a completely standard Fedora 10 Linux (stock kernel 2.6.27.9-159.fc10.i686).
This machine has three network interfaces:
- eth0 connected to the ADSL box,
- eth1 connected to the LAN,
- eth2 connected to the DMZ.

I want to set up a QoS policy on the gateway to improve the responsiveness of my main machine (which is on the LAN), in particular for online games, web browsing, etc.

I wrote the script below after reading various pieces of documentation.
This script creates an eight-band PRIO qdisc with the associated filters for the LAN, the DMZ and the gateway.

Obviously, I get no result at all.
The script runs without error, the qdiscs and filters are created, but the filters do not work (except, strangely, those for classes 1:2 and 1:8).

I am posting my request for help on this forum because the LARTC mailing list no longer seems to be maintained. I never received any reply to my subscription request, for that matter.
I did not get any replies on the "f.c.o.l.configuration" newsgroup either.

Here is my script, followed by the output of the commands:
tc -d -s qdisc show dev eth0
tc -d -s class show dev eth0
tc -d -s filter show dev eth0


Thanks in advance for your suggestions.




#!/bin/sh

# Path.
IFCONFIG="/sbin/ifconfig"
ROUTE="/sbin/route"
TC="/sbin/tc"

#######################################################################
# Setting of interfaces and IP address
#######################################################################

#----------------------------------------------------------------------
# Gateway
#----------------------------------------------------------------------

INET_NIC="eth0"

INET_GATEWAY="`$IFCONFIG $INET_NIC | grep inet | grep -v inet6 | cut -d ":" -f 2 | cut -d " " -f 1`/32"

#----------------------------------------------------------------------
# LAN
#----------------------------------------------------------------------

LAN_NIC="eth1"

LAN="`$ROUTE | grep $LAN_NIC | cut -d " " -f 1`/24"

#----------------------------------------------------------------------
# DMZ
#----------------------------------------------------------------------

DMZ_NIC="eth2"

DMZ="`$ROUTE | grep $DMZ_NIC | cut -d " " -f 1`/24"

#----------------------------------------------------------------------
# Ports and protocols
#----------------------------------------------------------------------

PROTOCOL="0xff"
PORT="0xffff"

ICMP="1"
TCP="6"
UDP="17"

BLIZWOW="3724"
DNS="53"
FTP_CONTROL="21"
HTTP="80"
HTTPS="443"
NTP="123"
VPN="4005"


TC_QDISC=" $TC qdisc add dev $INET_NIC"
TC_FILTER="$TC filter add dev $INET_NIC parent 1: protocol ip"

#######################################################################
# qdisc and classes
#######################################################################

# Erase existing qdisc and classes.
$TC qdisc del dev $INET_NIC root 2> /dev/null > /dev/null

# Install PRIO.
$TC_QDISC root handle 1: prio bands 8

# Attach the qdisc.
$TC_QDISC parent 1:1 handle 10: pfifo
$TC_QDISC parent 1:2 handle 20: pfifo
$TC_QDISC parent 1:3 handle 30: pfifo
$TC_QDISC parent 1:4 handle 40: sfq perturb 10
$TC_QDISC parent 1:5 handle 50: sfq perturb 10
$TC_QDISC parent 1:6 handle 60: pfifo
$TC_QDISC parent 1:7 handle 70: sfq perturb 10
$TC_QDISC parent 1:8 handle 80: sfq perturb 10

#######################################################################
# LAN -> INET
#######################################################################

#----------------------------------------------------------------------
# Priority 01
#----------------------------------------------------------------------

# World of Warcraft.
$TC_FILTER prio 1 u32 match ip protocol $TCP $PROTOCOL match ip src $LAN match ip dport $BLIZWOW $PORT flowid 1:1

#----------------------------------------------------------------------
# Priority 02
#----------------------------------------------------------------------

# DNS.
$TC_FILTER prio 2 u32 match ip protocol $UDP $PROTOCOL match ip src $LAN match ip dport $DNS $PORT flowid 1:2

# ICMP.
$TC_FILTER prio 2 u32 match ip protocol $ICMP $PROTOCOL match ip src $LAN flowid 1:2

# NTP.
$TC_FILTER prio 2 u32 match ip protocol $UDP $PROTOCOL match ip src $LAN match ip dport $NTP $PORT flowid 1:2

#----------------------------------------------------------------------
# Priority 03
#----------------------------------------------------------------------

# VPN.
$TC_FILTER prio 3 u32 match ip protocol $TCP $PROTOCOL match ip src $LAN match ip dport $VPN $PORT flowid 1:3

#----------------------------------------------------------------------
# Priority 04
#----------------------------------------------------------------------

# FTP Control.
$TC_FILTER prio 4 u32 match ip protocol $TCP $PROTOCOL match ip src $LAN match ip dport $FTP_CONTROL $PORT flowid 1:4

# HTTP.
$TC_FILTER prio 4 u32 match ip protocol $TCP $PROTOCOL match ip src $LAN match ip dport $HTTP $PORT flowid 1:4

# HTTPS.
$TC_FILTER prio 4 u32 match ip protocol $TCP $PROTOCOL match ip src $LAN match ip dport $HTTPS $PORT flowid 1:4

#----------------------------------------------------------------------
# Priority 05
#----------------------------------------------------------------------

# Default traffic.
$TC_FILTER prio 5 u32 match ip src $LAN flowid 1:5

#######################################################################
# DMZ -> INET
#######################################################################

#----------------------------------------------------------------------
# Priority 06
#----------------------------------------------------------------------

# DNS.
$TC_FILTER prio 6 u32 match ip protocol $UDP $PROTOCOL match ip src $DMZ match ip dport $DNS $PORT flowid 1:6

# NTP.
$TC_FILTER prio 6 u32 match ip protocol $UDP $PROTOCOL match ip src $DMZ match ip dport $NTP $PORT flowid 1:6

#----------------------------------------------------------------------
# Priority 07
#----------------------------------------------------------------------

# HTTP.
$TC_FILTER prio 7 u32 match ip protocol $TCP $PROTOCOL match ip src $DMZ match ip dport $HTTP $PORT flowid 1:7

# HTTPS.
$TC_FILTER prio 7 u32 match ip protocol $TCP $PROTOCOL match ip src $DMZ match ip dport $HTTPS $PORT flowid 1:7

#----------------------------------------------------------------------
# Priority 08
#----------------------------------------------------------------------

# Default traffic.
$TC_FILTER prio 8 u32 match ip src $DMZ flowid 1:8

#######################################################################
# Gateway -> INET
#######################################################################

#----------------------------------------------------------------------
# Priority 02
#----------------------------------------------------------------------

# DNS.
$TC_FILTER prio 2 u32 match ip protocol $UDP $PROTOCOL match ip src $INET_GATEWAY match ip dport $DNS $PORT flowid 1:2

# ICMP.
$TC_FILTER prio 2 u32 match ip protocol $ICMP $PROTOCOL match ip src $INET_GATEWAY flowid 1:2

# NTP.
$TC_FILTER prio 2 u32 match ip protocol $UDP $PROTOCOL match ip src $INET_GATEWAY match ip dport $NTP $PORT flowid 1:2

#----------------------------------------------------------------------
# Priority 08
#----------------------------------------------------------------------

# Default traffic.
$TC_FILTER prio 8 u32 match ip src $INET_GATEWAY flowid 1:8






##############
# QDISC
##############

qdisc prio 1: root bands 8 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 269258646 bytes 224756 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0

qdisc pfifo 10: parent 1:1 limit 1000p
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0

qdisc pfifo 20: parent 1:2 limit 1000p
Sent 20791 bytes 126 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0

qdisc pfifo 30: parent 1:3 limit 1000p
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0

qdisc sfq 40: parent 1:4 limit 127p quantum 1514b flows 127/1024 perturb 10sec
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0

qdisc sfq 50: parent 1:5 limit 127p quantum 1514b flows 127/1024 perturb 10sec
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0

qdisc pfifo 60: parent 1:6 limit 1000p
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0

qdisc sfq 70: parent 1:7 limit 127p quantum 1514b flows 127/1024 perturb 10sec
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0

qdisc sfq 80: parent 1:8 limit 127p quantum 1514b flows 127/1024 perturb 10sec
Sent 269233762 bytes 224627 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0



##############
# CLASS
##############

class prio 1:1 parent 1: leaf 10:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0

class prio 1:2 parent 1: leaf 20:
Sent 20791 bytes 126 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0

class prio 1:3 parent 1: leaf 30:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0

class prio 1:4 parent 1: leaf 40:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0

class prio 1:5 parent 1: leaf 50:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0

class prio 1:6 parent 1: leaf 60:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0

class prio 1:7 parent 1: leaf 70:
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0

class prio 1:8 parent 1: leaf 80:
Sent 269233762 bytes 224627 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0



##############
# FILTER
##############

filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 (rule hit 224672 success 0)
match 00060000/00ff0000 at 8 (success 181513 )
match c0a80000/ffffff00 at 12 (success 0 )
match 00000e8c/0000ffff at 20 (success 0 )

filter parent 1: protocol ip pref 2 u32
filter parent 1: protocol ip pref 2 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 2 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:2 (rule hit 224672 success 0)
match 00110000/00ff0000 at 8 (success 43159 )
match c0a80000/ffffff00 at 12 (success 0 )
match 00000035/0000ffff at 20 (success 0 )
filter parent 1: protocol ip pref 2 u32 fh 801::801 order 2049 key ht 801 bkt 0 flowid 1:2 (rule hit 224672 success 0)
match 00010000/00ff0000 at 8 (success 0 )
match c0a80000/ffffff00 at 12 (success 0 )
filter parent 1: protocol ip pref 2 u32 fh 801::802 order 2050 key ht 801 bkt 0 flowid 1:2 (rule hit 224672 success 0)
match 00110000/00ff0000 at 8 (success 43159 )
match c0a80000/ffffff00 at 12 (success 0 )
match 0000007b/0000ffff at 20 (success 0 )
filter parent 1: protocol ip pref 2 u32 fh 801::803 order 2051 key ht 801 bkt 0 flowid 1:2 (rule hit 224668 success 21)
match 00110000/00ff0000 at 8 (success 43157 )
match 52f0e6c5/ffffffff at 12 (success 43157 )
match 00000035/0000ffff at 20 (success 21 )
filter parent 1: protocol ip pref 2 u32 fh 801::804 order 2052 key ht 801 bkt 0 flowid 1:2 (rule hit 224646 success 0)
match 00010000/00ff0000 at 8 (success 0 )
match 52f0e6c5/ffffffff at 12 (success 0 )
filter parent 1: protocol ip pref 2 u32 fh 801::805 order 2053 key ht 801 bkt 0 flowid 1:2 (rule hit 224646 success 13)
match 00110000/00ff0000 at 8 (success 43136 )
match 52f0e6c5/ffffffff at 12 (success 43136 )
match 0000007b/0000ffff at 20 (success 13 )

filter parent 1: protocol ip pref 3 u32
filter parent 1: protocol ip pref 3 u32 fh 802: ht divisor 1
filter parent 1: protocol ip pref 3 u32 fh 802::800 order 2048 key ht 802 bkt 0 flowid 1:3 (rule hit 224638 success 0)
match 00060000/00ff0000 at 8 (success 181513 )
match c0a80000/ffffff00 at 12 (success 0 )
match 00000fa5/0000ffff at 20 (success 0 )

filter parent 1: protocol ip pref 4 u32
filter parent 1: protocol ip pref 4 u32 fh 803: ht divisor 1
filter parent 1: protocol ip pref 4 u32 fh 803::800 order 2048 key ht 803 bkt 0 flowid 1:4 (rule hit 224638 success 0)
match 00060000/00ff0000 at 8 (success 181513 )
match c0a80000/ffffff00 at 12 (success 0 )
match 00000015/0000ffff at 20 (success 0 )
filter parent 1: protocol ip pref 4 u32 fh 803::801 order 2049 key ht 803 bkt 0 flowid 1:4 (rule hit 224637 success 0)
match 00060000/00ff0000 at 8 (success 181513 )
match c0a80000/ffffff00 at 12 (success 0 )
match 00000050/0000ffff at 20 (success 0 )
filter parent 1: protocol ip pref 4 u32 fh 803::802 order 2050 key ht 803 bkt 0 flowid 1:4 (rule hit 224637 success 0)
match 00060000/00ff0000 at 8 (success 181513 )
match c0a80000/ffffff00 at 12 (success 0 )
match 000001bb/0000ffff at 20 (success 0 )

filter parent 1: protocol ip pref 5 u32
filter parent 1: protocol ip pref 5 u32 fh 804: ht divisor 1
filter parent 1: protocol ip pref 5 u32 fh 804::800 order 2048 key ht 804 bkt 0 flowid 1:5 (rule hit 224636 success 0)
match c0a80000/ffffff00 at 12 (success 0 )

filter parent 1: protocol ip pref 6 u32
filter parent 1: protocol ip pref 6 u32 fh 805: ht divisor 1
filter parent 1: protocol ip pref 6 u32 fh 805::800 order 2048 key ht 805 bkt 0 flowid 1:6 (rule hit 224636 success 0)
match 00110000/00ff0000 at 8 (success 43123 )
match c0a80100/ffffff00 at 12 (success 0 )
match 00000035/0000ffff at 20 (success 0 )
filter parent 1: protocol ip pref 6 u32 fh 805::801 order 2049 key ht 805 bkt 0 flowid 1:6 (rule hit 224636 success 0)
match 00110000/00ff0000 at 8 (success 43123 )
match c0a80100/ffffff00 at 12 (success 0 )
match 0000007b/0000ffff at 20 (success 0 )

filter parent 1: protocol ip pref 7 u32
filter parent 1: protocol ip pref 7 u32 fh 806: ht divisor 1
filter parent 1: protocol ip pref 7 u32 fh 806::800 order 2048 key ht 806 bkt 0 flowid 1:7 (rule hit 224636 success 0)
match 00060000/00ff0000 at 8 (success 181513 )
match c0a80100/ffffff00 at 12 (success 0 )
match 00000050/0000ffff at 20 (success 0 )
filter parent 1: protocol ip pref 7 u32 fh 806::801 order 2049 key ht 806 bkt 0 flowid 1:7 (rule hit 224636 success 0)
match 00060000/00ff0000 at 8 (success 181513 )
match c0a80100/ffffff00 at 12 (success 0 )
match 000001bb/0000ffff at 20 (success 0 )

filter parent 1: protocol ip pref 8 u32
filter parent 1: protocol ip pref 8 u32 fh 807: ht divisor 1
filter parent 1: protocol ip pref 8 u32 fh 807::800 order 2048 key ht 807 bkt 0 flowid 1:8 (rule hit 224636 success 0)
match c0a80100/ffffff00 at 12 (success 0 )
filter parent 1: protocol ip pref 8 u32 fh 807::801 order 2049 key ht 807 bkt 0 flowid 1:8 (rule hit 224633 success 224633)
match 52f0e6c5/ffffffff at 12 (success 224633 )
  • # Bug?

    Posted by  . Rated 2.

    I have just found the source of the problem: the presence of a match on the source IP address in a filter disables all of that filter's matches. This applies only when the source IP address is different from that of my gateway.

    As a result, I can only classify traffic according to the ports and protocols used :-(

    Is this normal behaviour for the tc tool?
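
Added example, not part of the original thread: a small sh/awk helper that reads `tc -s filter show` output like the dump above and reports, for each u32 rule, the first key whose success counter is zero. It decodes offsets 8, 12, 16 and 20 as protocol, source address, destination address and destination port, which assumes a 20-byte IPv4 header without options; the function names `sample_dump` and `first_failing_key` are made up for this example.

```sh
# Added example (not from the post): for each u32 rule in `tc -s filter show`
# output, report the first match key whose success counter is zero.
sample_dump() {   # three rules copied from the filter dump in the post
cat <<'EOF'
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1 (rule hit 224672 success 0)
match 00060000/00ff0000 at 8 (success 181513 )
match c0a80000/ffffff00 at 12 (success 0 )
match 00000e8c/0000ffff at 20 (success 0 )
filter parent 1: protocol ip pref 8 u32 fh 807::800 order 2048 key ht 807 bkt 0 flowid 1:8 (rule hit 224636 success 0)
match c0a80100/ffffff00 at 12 (success 0 )
filter parent 1: protocol ip pref 8 u32 fh 807::801 order 2049 key ht 807 bkt 0 flowid 1:8 (rule hit 224633 success 224633)
match 52f0e6c5/ffffffff at 12 (success 224633 )
EOF
}

first_failing_key() {
awk '
function hex(s,    i, n) {           # portable hex -> decimal, lowercase digits
    for (i = 1; i <= length(s); i++)
        n = n * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
    return n + 0
}
function ip(v,    k, s) {            # 8 hex digits -> dotted quad
    for (k = 1; k <= 7; k += 2) s = s (k > 1 ? "." : "") hex(substr(v, k, 2))
    return s
}
function describe(val, mask, off) {  # offsets assume a 20-byte IPv4 header
    if (off == 8)  return "protocol " hex(substr(val, 3, 2))
    if (off == 12) return "src " ip(val) "/" ip(mask)
    if (off == 16) return "dst " ip(val) "/" ip(mask)
    if (off == 20) return "dport " hex(substr(val, 5, 4))
    return "key " val "/" mask " at " off
}
function emit() {
    if (handle != "") print handle, "flowid", flow, (fail == "" ? "all keys matched" : "fails on " fail)
}
/ flowid / {                         # rule line: remember handle and class
    emit(); fail = ""
    for (i = 1; i < NF; i++) { if ($i == "fh") handle = $(i+1); if ($i == "flowid") flow = $(i+1) }
    next
}
$1 == "match" && fail == "" && $6 == 0 {   # first key that never matched
    split($2, kv, "/"); fail = describe(kv[1], kv[2], $4 + 0)
}
END { emit() }
'
}

sample_dump | first_failing_key
```

On these three rules the two filters keyed on 192.168.0.0/24 and 192.168.1.0/24 stop at the source-address key, while the filter keyed on the gateway's own address matches all 224633 packets it sees. That is the pattern to expect if the gateway applies source NAT to forwarded traffic (an assumption: the thread does not show its netfilter rules), because the egress qdisc on eth0 sees packets after the source address has been rewritten.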
