How to filter ingress traffic going through IFB?

I have spent the whole day trying to make my script control ingress traffic, and here's what I have done.

#!/bin/sh
EXT='pppoe-wan'
IFB='ifb0'
MAX_UP='1520kbit'
MAX_DOWN='20480kbit'
# clear old qdiscs
for qdisc in root ingress; do
    for dev in ${IFB} ${EXT}; do
        tc qdisc del dev ${dev} ${qdisc} >/dev/null 2>&1
    done
done
# manage ingress
tc qdisc add dev ${EXT} handle ffff: ingress
# make sure ifb is up
ip link set ${IFB} up
# forward ingress traffic to ifb
tc filter add dev ${EXT} parent ffff: protocol ip u32 match u8 0 0 \
    action connmark action mirred egress redirect dev ${IFB} flowid ffff:1
#########################
# shape ingress traffic #
#########################
# root qdisc
tc qdisc add dev ${IFB} root handle 1: htb default 11 r2q 4
# classes
tc class add dev ${IFB} parent 1:  classid 1:1  htb rate ${MAX_DOWN}
tc class add dev ${IFB} parent 1:1 classid 1:11 htb rate 1024kbit
tc class add dev ${IFB} parent 1:1 classid 1:12 htb rate 6144kbit
tc class add dev ${IFB} parent 1:12 classid 1:121 htb rate 1024kbit
tc class add dev ${IFB} parent 1:12 classid 1:122 htb rate 1024kbit
tc class add dev ${IFB} parent 1:12 classid 1:123 htb rate 1024kbit
tc class add dev ${IFB} parent 1:12 classid 1:124 htb rate 1024kbit ceil 2048kbit
tc class add dev ${IFB} parent 1:12 classid 1:125 htb rate 1024kbit ceil 3072kbit
tc class add dev ${IFB} parent 1:1 classid 1:13 htb rate 13312kbit ceil ${MAX_DOWN}
# leaf qdiscs
tc qdisc add dev ${IFB} parent 1:11 sfq
# commented qdiscs are used by one ip so default qdisc is ok
#tc qdisc add dev ${IFB} parent 1:121 sfq
#tc qdisc add dev ${IFB} parent 1:122 sfq
#tc qdisc add dev ${IFB} parent 1:123 sfq
#tc qdisc add dev ${IFB} parent 1:124 sfq
tc qdisc add dev ${IFB} parent 1:125 sfq
tc qdisc add dev ${IFB} parent 1:13 sfq
########################
# shape egress traffic #
########################
# root qdisc
tc qdisc add dev ${EXT} root handle 1: htb default 11 r2q 4
# classes
tc class add dev ${EXT} parent 1: classid 1:1 htb rate ${MAX_UP}
tc class add dev ${EXT} parent 1:1 classid 1:11 htb rate  70kbit
tc class add dev ${EXT} parent 1:1 classid 1:12 htb rate 420kbit
tc class add dev ${EXT} parent 1:12 classid 1:121 htb rate  70kbit
tc class add dev ${EXT} parent 1:12 classid 1:122 htb rate  70kbit
tc class add dev ${EXT} parent 1:12 classid 1:123 htb rate  70kbit
tc class add dev ${EXT} parent 1:12 classid 1:124 htb rate  70kbit
tc class add dev ${EXT} parent 1:12 classid 1:125 htb rate 140kbit ceil 420kbit
tc class add dev ${EXT} parent 1:1 classid 1:13 htb rate 1030kbit ceil ${MAX_UP}
# leaf qdiscs
tc qdisc add dev ${EXT} parent 1:11 sfq
tc qdisc add dev ${EXT} parent 1:125 sfq
tc qdisc add dev ${EXT} parent 1:13 sfq
#####################################
# filter packets marked by iptables #
#####################################
tc filter add dev ${IFB} protocol all prio 1 parent 1: handle 1121 fw flowid 1:121
tc filter add dev ${IFB} protocol all prio 1 parent 1: handle 1122 fw flowid 1:122
tc filter add dev ${IFB} protocol all prio 1 parent 1: handle 1123 fw flowid 1:123
tc filter add dev ${IFB} protocol all prio 1 parent 1: handle 1124 fw flowid 1:124
tc filter add dev ${IFB} protocol all prio 1 parent 1: handle 1125 fw flowid 1:125
tc filter add dev ${IFB} protocol all prio 1 parent 1: handle 113 fw flowid 1:13
iptables -t mangle -N QOS
iptables -t mangle -o ${EXT} -A FORWARD -j QOS
iptables -t mangle -A QOS -j CONNMARK --restore-mark
iptables -t mangle -A QOS -s 192.168.1.2 -j MARK --set-mark 113
iptables -t mangle -A QOS -s 192.168.1.3 -j MARK --set-mark 113
iptables -t mangle -A QOS -s 192.168.1.4 -j MARK --set-mark 113
iptables -t mangle -A QOS -s 192.168.1.5 -j MARK --set-mark 113
iptables -t mangle -A QOS -s 192.168.1.6 -j MARK --set-mark 1121
iptables -t mangle -A QOS -s 192.168.1.7 -j MARK --set-mark 1122
iptables -t mangle -A QOS -s 192.168.1.8 -j MARK --set-mark 1123
iptables -t mangle -A QOS -s 192.168.1.9 -j MARK --set-mark 1124
iptables -t mangle -A QOS -s 192.168.1.10 -j MARK --set-mark 1125
iptables -t mangle -A QOS -s 192.168.1.11 -j MARK --set-mark 1125
iptables -t mangle -A QOS -s 192.168.1.12 -j MARK --set-mark 1125
iptables -t mangle -A QOS -j CONNMARK --save-mark

Basically I mirror ingress traffic from the ${EXT} interface to ${IFB} so that I have the same control over it as I have over egress traffic.
Everything was working fine until I added this section:

#####################################
# filter packets marked by iptables #
#####################################

Before I mapped IPs to their classes, I was changing the default class when creating the root qdisc, like this:

tc qdisc add dev ${IFB} root handle 1: htb default 11
tc qdisc add dev ${IFB} root handle 1: htb default 12
tc qdisc add dev ${IFB} root handle 1: htb default 13

Download speeds were between 19 Mbit/s and 20 Mbit/s, which is very good, but after adding that section download speeds are between 2.5 Mbit/s and 5 Mbit/s.
Can someone please explain to me what is wrong here?
Router: TL-WDR 3500
kernel: Linux OpenWrt 4.14.180
firmware: openwrt-19.07.3-ath79-generic-tplink_tl-wdr3500-v1.bin

This was hard to find, but simply put, I was applying a 70kbit egress maximum to every IP.
HOW?
In the following section:

#####################################
# filter packets marked by iptables #
#####################################

I had defined filters for ${IFB} only, so any egress traffic going through the ${EXT} interface is handled by the default class:

tc qdisc add dev ${EXT} root handle 1: htb default 11 r2q 4

which means the whole network is limited to 70kbit for egress traffic.
FIX?
Just 6 more lines to filter egress traffic:

tc filter add dev ${EXT} protocol all prio 1 parent 1: handle 1121 fw flowid 1:121
tc filter add dev ${EXT} protocol all prio 1 parent 1: handle 1122 fw flowid 1:122
tc filter add dev ${EXT} protocol all prio 1 parent 1: handle 1123 fw flowid 1:123
tc filter add dev ${EXT} protocol all prio 1 parent 1: handle 1124 fw flowid 1:124
tc filter add dev ${EXT} protocol all prio 1 parent 1: handle 1125 fw flowid 1:125
tc filter add dev ${EXT} protocol all prio 1 parent 1: handle 113  fw flowid 1:13

and the final working script:

#!/bin/sh
EXT='pppoe-wan'
IFB='ifb0'
MAX_UP='1520kbit'
MAX_DOWN='20480kbit'
# clear old qdiscs
for qdisc in root ingress; do
    for dev in ${IFB} ${EXT}; do
        tc qdisc del dev ${dev} ${qdisc} >/dev/null 2>&1
    done
done
# manage ingress
tc qdisc add dev ${EXT} handle ffff: ingress
# make sure ifb is up
ip link set ${IFB} up
# forward ingress traffic to ifb
tc filter add dev ${EXT} parent ffff: protocol ip u32 match u8 0 0 \
    action connmark action mirred egress redirect dev ${IFB}
#########################
# shape ingress traffic #
#########################
# root qdisc
tc qdisc add dev ${IFB} root handle 1: htb default 11 r2q 4
# classes
tc class add dev ${IFB} parent 1:  classid 1:1  htb rate ${MAX_DOWN}
tc class add dev ${IFB} parent 1:1 classid 1:11 htb rate 1024kbit
tc class add dev ${IFB} parent 1:1 classid 1:12 htb rate 6144kbit
tc class add dev ${IFB} parent 1:12 classid 1:121 htb rate 1024kbit
tc class add dev ${IFB} parent 1:12 classid 1:122 htb rate 1024kbit
tc class add dev ${IFB} parent 1:12 classid 1:123 htb rate 1024kbit
tc class add dev ${IFB} parent 1:12 classid 1:124 htb rate 1024kbit ceil 2048kbit
tc class add dev ${IFB} parent 1:12 classid 1:125 htb rate 1024kbit ceil 3072kbit
tc class add dev ${IFB} parent 1:1 classid 1:13 htb rate 13312kbit ceil ${MAX_DOWN}
# leaf qdiscs
tc qdisc add dev ${IFB} parent 1:11 sfq
# commented qdiscs are used by one ip so default qdisc is ok
#tc qdisc add dev ${IFB} parent 1:121 sfq
#tc qdisc add dev ${IFB} parent 1:122 sfq
#tc qdisc add dev ${IFB} parent 1:123 sfq
#tc qdisc add dev ${IFB} parent 1:124 sfq
tc qdisc add dev ${IFB} parent 1:125 sfq
tc qdisc add dev ${IFB} parent 1:13 sfq
########################
# shape egress traffic #
########################
# root qdisc
tc qdisc add dev ${EXT} root handle 1: htb default 11 r2q 4
# classes
tc class add dev ${EXT} parent 1: classid 1:1 htb rate ${MAX_UP}
tc class add dev ${EXT} parent 1:1 classid 1:11 htb rate  70kbit
tc class add dev ${EXT} parent 1:1 classid 1:12 htb rate 420kbit
tc class add dev ${EXT} parent 1:12 classid 1:121 htb rate  70kbit
tc class add dev ${EXT} parent 1:12 classid 1:122 htb rate  70kbit
tc class add dev ${EXT} parent 1:12 classid 1:123 htb rate  70kbit
tc class add dev ${EXT} parent 1:12 classid 1:124 htb rate  70kbit
tc class add dev ${EXT} parent 1:12 classid 1:125 htb rate 140kbit ceil 420kbit
tc class add dev ${EXT} parent 1:1 classid 1:13 htb rate 1030kbit ceil ${MAX_UP}
# leaf qdiscs
tc qdisc add dev ${EXT} parent 1:11 sfq
tc qdisc add dev ${EXT} parent 1:125 sfq
tc qdisc add dev ${EXT} parent 1:13 sfq
#####################################
# filter packets marked by iptables #
#####################################
tc filter add dev ${IFB} protocol all prio 1 parent 1: handle 1121 fw flowid 1:121
tc filter add dev ${IFB} protocol all prio 1 parent 1: handle 1122 fw flowid 1:122
tc filter add dev ${IFB} protocol all prio 1 parent 1: handle 1123 fw flowid 1:123
tc filter add dev ${IFB} protocol all prio 1 parent 1: handle 1124 fw flowid 1:124
tc filter add dev ${IFB} protocol all prio 1 parent 1: handle 1125 fw flowid 1:125
tc filter add dev ${IFB} protocol all prio 1 parent 1: handle 113  fw flowid 1:13
tc filter add dev ${EXT} protocol all prio 1 parent 1: handle 1121 fw flowid 1:121
tc filter add dev ${EXT} protocol all prio 1 parent 1: handle 1122 fw flowid 1:122
tc filter add dev ${EXT} protocol all prio 1 parent 1: handle 1123 fw flowid 1:123
tc filter add dev ${EXT} protocol all prio 1 parent 1: handle 1124 fw flowid 1:124
tc filter add dev ${EXT} protocol all prio 1 parent 1: handle 1125 fw flowid 1:125
tc filter add dev ${EXT} protocol all prio 1 parent 1: handle 113  fw flowid 1:13
iptables -t mangle -N QOS
iptables -t mangle -o ${EXT} -A FORWARD -j QOS
iptables -t mangle -A QOS -j CONNMARK --restore-mark
iptables -t mangle -A QOS -s 192.168.1.2 -j MARK --set-mark 113
iptables -t mangle -A QOS -s 192.168.1.3 -j MARK --set-mark 113
iptables -t mangle -A QOS -s 192.168.1.4 -j MARK --set-mark 113
iptables -t mangle -A QOS -s 192.168.1.5 -j MARK --set-mark 113
iptables -t mangle -A QOS -s 192.168.1.6 -j MARK --set-mark 1121
iptables -t mangle -A QOS -s 192.168.1.7 -j MARK --set-mark 1122
iptables -t mangle -A QOS -s 192.168.1.8 -j MARK --set-mark 1123
iptables -t mangle -A QOS -s 192.168.1.9 -j MARK --set-mark 1124
iptables -t mangle -A QOS -s 192.168.1.10 -j MARK --set-mark 1125
iptables -t mangle -A QOS -s 192.168.1.11 -j MARK --set-mark 1125
iptables -t mangle -A QOS -s 192.168.1.12 -j MARK --set-mark 1125
iptables -t mangle -A QOS -j CONNMARK --save-mark

Although I'm not an expert in Linux networking, I hope this will help someone one day.
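The root cause above (marks set by iptables with no matching fw filter on one of the two shaped devices) can be caught by a simple consistency check. The following script is an added example and not part of the original post: it compares the decimal marks in the QOS chain against the handles in `tc filter show dev <dev>` output, where fw filter handles are printed in hex (the `handle 0x461 classid 1:121` line format and the sample inputs below are constructed, not captured from the router).

```shell
#!/bin/sh
# Added example: find iptables marks that have no fw filter on a device.
# Usage on a live box (not run here):
#   missing_fw_filters "$(iptables -t mangle -S QOS)" "$(tc filter show dev pppoe-wan)"
# An empty result means every mark used by the QOS chain lands in a class.

# Decimal mark values from `--set-mark N` rules, one per line, deduplicated.
marks_from_iptables_rules() {
    printf '%s\n' "$1" | sed -n 's/.*--set-mark \([0-9]*\).*/\1/p' | sort -un
}

# Decimal handles from fw filter lines. tc prints the handle in hex
# (assumed format: "... fw ... handle 0x461 classid 1:121"), so convert
# it back to the decimal value iptables uses for --set-mark.
handles_from_tc_filters() {
    printf '%s\n' "$1" | sed -n 's/.*fw.*handle 0x\([0-9a-f]*\).*/\1/p' |
    while read -r h; do
        printf '%d\n' "0x$h"
    done | sort -un
}

# Print every mark ($1 = iptables rules text) that has no matching fw
# filter handle ($2 = tc filter show output). Empty output means OK.
missing_fw_filters() {
    marks=$(marks_from_iptables_rules "$1")
    handles=$(handles_from_tc_filters "$2")
    for m in $marks; do
        printf '%s\n' "$handles" | grep -qx "$m" || printf '%s\n' "$m"
    done
}

# Constructed sample input mirroring the post: three marked hosts, fw
# filters present on ifb0 (0x71=113, 0x461=1121, 0x465=1125) but none on
# pppoe-wan, exactly the situation that capped all egress at 70kbit.
SAMPLE_RULES='-A QOS -s 192.168.1.2/32 -j MARK --set-xmark 0x71/0xffffffff --set-mark 113
-A QOS -s 192.168.1.6/32 -j MARK --set-mark 1121
-A QOS -s 192.168.1.10/32 -j MARK --set-mark 1125'
SAMPLE_IFB_FILTERS='filter parent 1: protocol all pref 1 fw chain 0 handle 0x71 classid 1:13
filter parent 1: protocol all pref 1 fw chain 0 handle 0x461 classid 1:121
filter parent 1: protocol all pref 1 fw chain 0 handle 0x465 classid 1:125'
SAMPLE_EXT_FILTERS=''

# Report for both devices; the second call lists 113, 1121 and 1125.
for dev in ifb0 pppoe-wan; do
    case $dev in ifb0) out=$SAMPLE_IFB_FILTERS ;; *) out=$SAMPLE_EXT_FILTERS ;; esac
    printf '%s: missing fw filters for marks: %s\n' "$dev" \
        "$(missing_fw_filters "$SAMPLE_RULES" "$out" | tr '\n' ' ')"
done
```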
