lartc.org : Linux Advanced Routing & Traffic Control
(Answer) (Category) lartc.org FAQ :
iptables + tc shaping tricks
From: Erik Hensema
ACK packets are usually very small, so putting them into a high-priority class is no problem. However, ACK packets can also cary a payload, and some indeed do so. Especially uploads in Kazaa tend to be all large ACK packets.

To counter this problem, I assign a TOS on every outgoing ACK packet. I leave ACKs which already have TOS alone.

$IPTABLES -t mangle -N chkack
$IPTABLES -t mangle -A chkack -m tos --tos ! Normal-Service -j RETURN
$IPTABLES -t mangle -A chkack -p tcp -m length --length 0:128 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A chkack -p tcp -m length --length 128: -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A chkack -j RETURN

$IPTABLES -t mangle -A qos -p tcp -m tcp -tcp-flags SYN,RST,ACK ACK -j chkack
(I'm using the chain qos to mark all outgoing packets for QoS).
Another problem I encounter, is that the TOS isn't always correct. For instance, when doing rsync over ssh, the packets are marked with TOS minimize-delay.
I've tried setting the TOS of packets larger than a magic value to maximize-throughput, but occasionally legitimate large packets with TOS minimize-delay leave the network. Think: top over ssh.

So, I'm using the limit module in order to let through two large packets per second.

$IPTABLES -t mangle -N chktos
$IPTABLES -t mangle -A chktos -p tcp -m length --length 0:512 -j RETURN
$IPTABLES -t mangle -A chktos -m limit --limit 2/s --limit-burst 10 -j RETURN
$IPTABLES -t mangle -A chktos -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A chktos -j RETURN

$IPTABLES -t mangle -A qos -m tos --tos Minimize-Delay -j chktos
This code isn't perfect though: all users still suffer somewhat from a rsync-over-ssh stream.
stef.coene@docum.org
Other solutions to this:
. Use a different port when transfering bulk data using ssh (e.g. I use 2222). . Patch ssh so that it only marks packets which should be urgent as urgent (patches welcome ;-).
tim@buttersideup.com
[Append to This Answer]
Previous: (Answer) Shaping on a firewall
Next: (Answer) Bug in TBF if you use a big buffer
This document is: http://qos.dyndns.org:3389/cgi-bin/fom?file=49
[Search] [Appearance]
This is a Faq-O-Matic 2.719.