lartc.org FAQ: iptables + tc shaping tricks
From: Erik Hensema
ACK packets are usually very small, so putting them into a high-priority class is no problem. However, ACK packets can also carry a payload, and some indeed do so. Especially uploads in Kazaa tend to be all large ACK packets.
To counter this problem, I assign a TOS on every outgoing ACK packet. I leave ACKs which already have TOS alone.
$IPTABLES -t mangle -N chkack
# Leave ACKs that already carry a TOS value alone.
$IPTABLES -t mangle -A chkack -m tos ! --tos Normal-Service -j RETURN
# Small ACKs are interactive; ACKs over 128 bytes carry payload and are bulk.
$IPTABLES -t mangle -A chkack -p tcp -m length --length 0:128 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A chkack -p tcp -m length --length 129: -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A chkack -j RETURN
# Hand every outgoing ACK (ACK set, SYN and RST clear) to chkack.
$IPTABLES -t mangle -A qos -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j chkack
(I'm using the chain qos to mark all outgoing packets for QoS.)
Another problem I encounter is that the TOS isn't always correct. For instance, when doing rsync over ssh, the packets are marked with TOS minimize-delay.
I've tried setting the TOS of packets larger than a magic value to maximize-throughput, but occasionally legitimate large packets with TOS minimize-delay leave the network. Think: top over ssh.
So, I'm using the limit module in order to let through two large packets per second.
$IPTABLES -t mangle -N chktos
# Packets up to 512 bytes keep Minimize-Delay.
$IPTABLES -t mangle -A chktos -p tcp -m length --length 0:512 -j RETURN
# Let a trickle of large ones through (token bucket: 2 per second, burst of 10) ...
$IPTABLES -t mangle -A chktos -m limit --limit 2/s --limit-burst 10 -j RETURN
# ... and demote the rest to bulk.
$IPTABLES -t mangle -A chktos -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A chktos -j RETURN
# Only packets that still carry Minimize-Delay go through chktos.
$IPTABLES -t mangle -A qos -m tos --tos Minimize-Delay -j chktos
This code isn't perfect though: all users still suffer somewhat from a rsync-over-ssh stream.
Other solutions to this:
1. Use a different port when transferring bulk data using ssh (e.g. I use 2222).
2. Patch ssh so that it only marks packets which should be urgent as urgent (patches welcome ;-).
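The following script puts the two fix-up chains and the alternate-port trick together into one installable unit. It is an added example and not Erik Hensema's own script; it assumes an egress interface name (eth0 by default), the bulk ssh port 2222 from item 1, a plain prio qdisc as the shaper, a POSTROUTING hook for the qos chain, and a 129-byte lower bound for "large" ACKs so the two length ranges do not overlap. Setting IPTABLES=echo and TC=echo prints the commands instead of running them, which is handy for checking rule order before touching a live router.

```shell
#!/bin/sh
# Added example (not the FAQ author's script): installs the ACK and TOS
# reclassification chains from the FAQ entry into the mangle table of a
# Linux router and hooks them into POSTROUTING on the WAN link.
# Assumed (not in the original): interface name, bulk ssh port 2222,
# prio qdisc as shaper.  IPTABLES=echo TC=echo gives a dry run.

WAN="${WAN:-eth0}"                         # assumed egress interface
BULK_SSH_PORT="${BULK_SSH_PORT:-2222}"     # assumed bulk-ssh port (FAQ item 1)
IPTABLES="${IPTABLES:-iptables}"
TC="${TC:-tc}"

ipt() { "$IPTABLES" -t mangle "$@"; }

# Create a user chain, or flush it if it already exists, so re-running
# the script never duplicates rules.
fresh_chain() {
    ipt -N "$1" 2>/dev/null || ipt -F "$1"
}

install_qos() {
    fresh_chain qos
    fresh_chain chkack
    fresh_chain chktos

    # chkack: pure ACKs (<= 128 bytes) are interactive; larger "ACKs"
    # carry payload and are bulk. ACKs that already have a TOS are left alone.
    ipt -A chkack -m tos ! --tos Normal-Service -j RETURN
    ipt -A chkack -p tcp -m length --length 0:128 -j TOS --set-tos Minimize-Delay
    ipt -A chkack -p tcp -m length --length 129: -j TOS --set-tos Maximize-Throughput
    ipt -A chkack -j RETURN

    # chktos: demote large Minimize-Delay packets to bulk, but let a
    # trickle through so tools like top-over-ssh keep their priority.
    ipt -A chktos -p tcp -m length --length 0:512 -j RETURN
    ipt -A chktos -m limit --limit 2/s --limit-burst 10 -j RETURN
    ipt -A chktos -j TOS --set-tos Maximize-Throughput
    ipt -A chktos -j RETURN

    # qos: ssh on the bulk port is always bulk (either direction), then
    # run the two fix-up chains. Order matters: chkack skips packets
    # that already carry a non-default TOS, chktos only sees Minimize-Delay.
    ipt -A qos -p tcp --dport "$BULK_SSH_PORT" -j TOS --set-tos Maximize-Throughput
    ipt -A qos -p tcp --sport "$BULK_SSH_PORT" -j TOS --set-tos Maximize-Throughput
    ipt -A qos -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j chkack
    ipt -A qos -m tos --tos Minimize-Delay -j chktos

    # Hook qos into POSTROUTING for packets leaving on the WAN link, once.
    ipt -C POSTROUTING -o "$WAN" -j qos 2>/dev/null || \
        ipt -A POSTROUTING -o "$WAN" -j qos

    # Shaper: the prio qdisc's default priomap sends TOS Minimize-Delay
    # to band 0 and Maximize-Throughput to band 2, so no tc filters are needed.
    "$TC" qdisc del dev "$WAN" root 2>/dev/null || true
    "$TC" qdisc add dev "$WAN" root handle 1: prio
}

# Run as:  WAN=ppp0 sh qos.sh install      (dry run: IPTABLES=echo TC=echo)
case "${1:-}" in
    install) install_qos ;;
esac
```

Two things worth knowing before deploying this. The limit match in chktos keeps a single global token bucket, so a second interactive session shares the 2/s allowance with the rsync stream; that is the "all users still suffer" effect the entry mentions, and swapping `-m limit` for `-m hashlimit --hashlimit-mode srcip,srcport,dstip,dstport` with the same rate and burst gives each TCP connection its own bucket instead. And the prio qdisc's default priomap is the same one pfifo_fast uses, so on a kernel whose default qdisc is still pfifo_fast the TOS rewrites already change dequeue order before any tc command is run; on newer kernels that default to fq_codel the explicit prio qdisc (or a class tree keyed on TOS) is what makes the marks matter.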