OpenWrt Forum Archive

Topic: QoS Help - qosfw-scripts_0.4

The content of this topic has been archived between 23 Feb 2018 and 22 Apr 2018. Unfortunately there are posts – most likely complete pages – missing.

Your proposed format uses a logical OR instead of AND between the classify rules. This has two problems:
a) iptables does not support a logical OR. Adding one through scripting makes things look ugly.
b) there's no clean way to do the old AND...

Ahh, this makes much sense. I don't know why I didn't think of that. Forgive my slowness (I still think some documentation of all the options would be super helpful, but of course unnecessary until 1.0). When this hits 1.0, do you plan to pull it into the main OpenWrt release?

Really nice work nbd! I was able to implement all my modifications by simply tweaking the config file. A question though, if I remember correctly (I'm currently at work), when a packet is too big for a class (option maxsize), is it possible to set in which class it's being put into?

At the moment it checks the packet size directly after going through the 'classify' rules, which are connection-tracked and resets it to default, so the 'reclassify' and 'default' rules catch them as unmarked traffic.

Can we also implement time based rules?
When I am awake, 7:00am - 2/3am, I want my bandwidth, but when I am asleep, I would like to reprioritize a couple of my current settings.
Case in point, web traffic, I have it limited to normal, and my say port 5125 set to priority. I would like at 8:00am that to change to web at priority so my web pages get more available speed. Make sense?
Also, would be nice to have timed block events for my customers.

I don't think you really need to change your rules based on the time. Even with lots of traffic your web pages should load reasonably fast.

I'm testing the new release and I have some doubts:

1. Is the express class still suitable for VoIP traffic? (I see very different packetsize and maxsize parameters in comparison to the 0.8 release). With the new version I have some clicks in Skype in the outgoing direction even without uplink saturation.

(...)config classgroup "Default"
    option classes      "Priority Express Normal Bulk"
       (...)

2. Does that mean that the xxxxxx_down classes are disabled by default?
3. Why does option ipp2p  "all" in the config now result in "ipp2p v0.8.1_rc1 --kazaa --gnu --edk --dc --bit MARK set 0x4" in iptables -L -v -t mangle?
4. How do we define the interface which is shaped?
5. How can we use the mentioned half-duplex for wifi and TCP ACK features?

1. It worked for me. I experimented with the values, maybe they need some tweaking. If you have settings that work better, please let me know.
2. They are not real classes. These values modify the class settings of the normal classes for the downlink shaping. Same can be done the other way around with *_up
3. The documentation indicated that --bit was not part of --ipp2p, so I added all options marked as stable manually.
4. If you set config interface wan, it will use the wan device. You can override it with option device <devicename>
5. Add 'option halfduplex 1' to the interface for wifi

Well, I ask because perhaps I have customers that would like to completely block all port 80 traffic at noon (lunchtime) or only allow remote to their server after 8:00pm....

That's more a job for the firewalling scripts, then...

Ok, sounds great! Got any links to any ones or perhaps a how-to that would point me in the right direction?

I am going to test the QoS tonight with a massive download and playing some Ragnarok online and some counterstrike... see how good my latency will still be :)
Btw, anyone have a l7 .pat for RO? One of these years I will learn how to write them, but for now, I am too uneducated in how to make l7 filters...
*sigh* one step at a time I guess.

BobOki wrote:

Well, I ask because perhaps I have customers that would like to completely block all port 80 traffic at noon (lunchtime) or only allow remote to their server after 8:00pm....

cron is your friend.

http://wiki.openwrt.org/HowtoEnableCron


# kill http at lunch, restart at 1 pm
# (-p tcp is required: --dport is only valid once the protocol is given)
0 12 * * * /usr/sbin/iptables -A FORWARD -p tcp -m tcp --dport 80 -j DROP
0 13 * * * /usr/sbin/iptables -D FORWARD -p tcp -m tcp --dport 80 -j DROP

# allow ssh to router after 8 pm, kill at 7 am
0 20 * * * /usr/sbin/iptables -A input_rule -i $(nvram get wan_ifname) -p tcp --dport 22 -j ACCEPT
0 7 * * * /usr/sbin/iptables -D input_rule -i $(nvram get wan_ifname) -p tcp --dport 22 -j ACCEPT
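
The crontab entries above add and delete a rule at fixed times, so a reboot or a missed run leaves the firewall out of step with the clock. The following is an added example, not part of the original post: a script that reconciles the rule with the current time and handles windows that wrap past midnight, such as the 20:00 to 07:00 ssh window. The names `in_window`, `reconcile`, `IPT`, `NOW` and the script path are assumptions, and it assumes an iptables that supports `-C` (1.4.11 or later).

```shell
#!/bin/sh
# Added example: keep a time-windowed iptables rule in step with the clock.
# Assumptions: iptables supports -C (1.4.11+); IPT and NOW are override
# hooks invented for this sketch (dry runs and testing).
IPT="${IPT:-/usr/sbin/iptables}"

# Strip leading zeros so "0700" is compared as decimal 700, not octal.
hhmm() { v=${1#0}; v=${v#0}; v=${v#0}; echo "$v"; }

# in_window NOW START END: true if NOW (HHMM) is in [START, END).
# A window with START > END wraps past midnight, e.g. 2000-0700.
in_window() {
    n=$(hhmm "$1"); s=$(hhmm "$2"); e=$(hhmm "$3")
    if [ "$s" -le "$e" ]; then
        [ "$n" -ge "$s" ] && [ "$n" -lt "$e" ]
    else
        [ "$n" -ge "$s" ] || [ "$n" -lt "$e" ]
    fi
}

# reconcile START END CHAIN RULE...: rule present once inside the window,
# absent outside it. Safe to run from cron every minute and at boot.
reconcile() {
    start=$1; end=$2; chain=$3; shift 3
    if in_window "${NOW:-$(date +%H%M)}" "$start" "$end"; then
        # Insert at the top so an earlier ACCEPT cannot shadow a DROP.
        $IPT -C "$chain" "$@" 2>/dev/null || $IPT -I "$chain" 1 "$@"
    else
        # Delete every copy, including duplicates left by repeated -A.
        while $IPT -C "$chain" "$@" 2>/dev/null; do
            $IPT -D "$chain" "$@" || break
        done
    fi
}

# Example crontab line (constructed path):
# * * * * * /root/timed_rule.sh 1200 1300 FORWARD -p tcp --dport 80 -j DROP
if [ "$#" -ge 4 ]; then reconcile "$@"; fi
```
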

Thanks Mark.. you are a friend and a scholar.

nbd, I must return your honor, my Skype problem was caused by a transient sound card problem, NOT your script and class parameters!

I've just noticed your mention about HFSC in ingress discipline! That's awesome! I knew that it is possible to implement it correctly in OpenWRT! Did you initially notice some problems with download speed using HFSC that Rudy mentioned some time ago?

I've made a comparison of average CPU load (via RRDTool) for both 0.8 and 0.9 releases - it's pretty similar and it never exceeds 30%, so HFSC isn't more effortful than HTB.
The other thing is transient CPU load which from time to time reaches 100% (peak, with both algorithms), but my actual measurement tool (svggraph) is unsuitable for this purpose - it loads CPU of ~20% by itself....so I need some other tool like snmp but I can't find the CPU load OID...

And another thing: maybe it will be good to use esfq instead of sfq because actually a user who uses many connections gets most of the class bandwidth.

By the way, where can we find the qos-wan.sh script - some time ago it was in /tmp but now I can't find it.

(Last edited by Marek on 5 May 2006, 16:51)

About HFSC on ingress: I noticed that my previous HTB version did not work well in some configurations and it always had problems with the bursting.
With the new version and some tweaks on the RED leaf qdisc, I still get a small latency peak when a new download starts, but it only lasts a second or two, even though the overall transfer rate is higher than before.

Can we expect esfq (or even sfq/esfq select option in class definition) implementation in the future? Or maybe it is too much for a 200MHz CPU?

I think I'll implement it

Marek wrote:

By the way, where can we find the qos-wan.sh script - some time ago it was in /tmp but now I can't find it.

Just run:

/usr/lib/qos.sh all

You'll get the configuration of all interfaces; I think you can use wan,wifi,lan instead of all... but I never tried it.

ciao

Wallace

Running the package even without changing the config returns the following error messages:

iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

Unfortunately logread doesn't give any further info what went wrong - how could I see what went wrong?

@max-horvath: run /usr/lib/qos.sh all | sh -v

Alright:

insmod imq numdevs=1 >&- 2>&-
insmod cls_fw >&- 2>&-
insmod sch_hfsc >&- 2>&-
insmod sch_sfq >&- 2>&-
insmod sch_red >&- 2>&-
ifconfig vlan1 up txqueuelen 5 >&- 2>&-
tc qdisc del dev vlan1 root >&- 2>&-
tc qdisc add dev vlan1 root handle 1: hfsc default 30
tc class add dev vlan1 parent 1: classid 1:1 hfsc sc rate 115kbit ul rate 115kbit
tc class add dev vlan1 parent 1:1 classid 1:10 hfsc rt umax 300b dmax 30ms rate 46kbit ls umax 300b dmax 30ms rate 86kbit ul rate 115kbit
tc class add dev vlan1 parent 1:1 classid 1:20 hfsc rt umax 1300b dmax 105ms rate 34kbit ls umax 1300b dmax 105ms rate 92kbit ul rate 115kbit
tc class add dev vlan1 parent 1:1 classid 1:30 hfsc rt umax 1500b dmax 254ms rate 23kbit ls umax 1500b dmax 254ms rate 34kbit ul rate 115kbit
tc class add dev vlan1 parent 1:1 classid 1:40 hfsc ls umax 1500b dmax 604ms rate 11kbit ul rate 115kbit
tc qdisc add dev vlan1 parent 1:10 handle 100: sfq perturb 10 limit 9
tc qdisc add dev vlan1 parent 1:20 handle 200: sfq perturb 10 limit 8
tc qdisc add dev vlan1 parent 1:30 handle 300: sfq perturb 10 limit 7
tc qdisc add dev vlan1 parent 1:40 handle 400: sfq perturb 10 limit 6
tc filter add dev vlan1 parent 1: prio 1 protocol ip handle 1 fw flowid 1:10
tc filter add dev vlan1 parent 1: prio 2 protocol ip handle 2 fw flowid 1:20
tc filter add dev vlan1 parent 1: prio 3 protocol ip handle 3 fw flowid 1:30
tc filter add dev vlan1 parent 1: prio 4 protocol ip handle 4 fw flowid 1:40
ifconfig imq0 up txqueuelen 5 >&- 2>&-
tc qdisc del dev imq0 root >&- 2>&-
tc qdisc add dev imq0 root handle 1: hfsc default 30
tc class add dev imq0 parent 1: classid 1:1 hfsc sc rate 919kbit ul rate 919kbit
tc class add dev imq0 parent 1:1 classid 1:10 hfsc rt umax 1500b dmax 23ms rate 183kbit ls umax 1500b dmax 23ms rate 689kbit ul rate 919kbit
tc class add dev imq0 parent 1:1 classid 1:20 hfsc rt umax 1300b dmax 26ms rate 275kbit ls umax 1300b dmax 26ms rate 735kbit ul rate 919kbit
tc class add dev imq0 parent 1:1 classid 1:30 hfsc rt umax 1500b dmax 163ms rate 275kbit ls umax 1500b dmax 163ms rate 275kbit ul rate 919kbit
tc class add dev imq0 parent 1:1 classid 1:40 hfsc rt umax 1500b dmax 515ms rate 137kbit ls umax 1500b dmax 515ms rate 91kbit ul rate 781kbit
tc qdisc add dev imq0 parent 1:10 handle 100: sfq perturb 10 limit 116
tc qdisc add dev imq0 parent 1:20 handle 200: sfq perturb 10 limit 136
tc qdisc add dev imq0 parent 1:30 handle 300: red min 11763 max 59822 burst 23 avpkt 1200 limit 204000 probability 0.04 ecn
tc qdisc add dev imq0 parent 1:40 handle 400: red min 9996 max 43497 burst 17 avpkt 1200 limit 144000 probability 0.04 ecn
tc filter add dev imq0 parent 1: prio 1 protocol ip handle 1 fw flowid 1:10
tc filter add dev imq0 parent 1: prio 2 protocol ip handle 2 fw flowid 1:20
tc filter add dev imq0 parent 1: prio 3 protocol ip handle 3 fw flowid 1:30
tc filter add dev imq0 parent 1: prio 4 protocol ip handle 4 fw flowid 1:40

iptables -t mangle -F
iptables -t mangle -X
insmod ipt_multiport >&- 2>&-
insmod ipt_CONNMARK >&- 2>&-
insmod ipt_ipp2p >&- 2>&-
insmod ipt_layer7 >&- 2>&-
insmod ipt_length >&- 2>&-
insmod ipt_IMQ >&- 2>&-
iptables -t mangle -N Default >&- 2>&-
iptables -t mangle -N Default_ct >&- 2>&-
iptables -t mangle -A Default_ct -m mark --mark 0 -m ipp2p --edk --dc --kazaa --gnu --bit -j MARK --set-mark 4
iptables: No chain/target/match by that name
iptables -t mangle -A Default_ct -m mark --mark 0 -m layer7 --l7proto edonkey -j MARK --set-mark 4
iptables: No chain/target/match by that name
iptables -t mangle -A Default_ct -m mark --mark 0 -m layer7 --l7proto bittorrent -j MARK --set-mark 4
iptables: No chain/target/match by that name
iptables -t mangle -A Default_ct -m mark --mark 0 -m tcp -p tcp -m multiport --ports 22,53 -j MARK --set-mark 1
iptables -t mangle -A Default_ct -m mark --mark 0 -p udp -m udp -m multiport --ports 22,53 -j MARK --set-mark 1
iptables -t mangle -A Default_ct -m mark --mark 0 -p tcp -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -j MARK --set-mark 3
iptables -t mangle -A Default_ct -m mark --mark 0 -m tcp -p tcp -m multiport --ports 5190 -j MARK --set-mark 2
iptables -t mangle -A Default_ct -m mark --mark 0 -p udp -m udp -m multiport --ports 5190 -j MARK --set-mark 2
iptables -t mangle -A Default_ct -j CONNMARK --save-mark
iptables: No chain/target/match by that name
iptables -t mangle -A Default -j CONNMARK --restore-mark
iptables: No chain/target/match by that name
iptables -t mangle -A Default -m mark --mark 0 -j Default_ct
iptables -t mangle -A Default -m mark --mark 1 -m length --length 400: -j MARK --set-mark 0
iptables -t mangle -A Default -m mark --mark 2 -m length --length 800: -j MARK --set-mark 0
iptables -t mangle -A Default -m mark --mark 0 -p udp -m length --length :500 -j MARK --set-mark 2
iptables -t mangle -A Default -p icmp -j MARK --set-mark 1
iptables -t mangle -A Default -m mark --mark 0 -m tcp -p tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-mark 4
iptables -t mangle -A Default -m mark --mark 0 -p udp -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-mark 4
iptables -t mangle -A Default -p tcp -m length --length :128 -m mark ! --mark 4 -m tcp --tcp-flags ALL SYN -j MARK --set-mark 1
iptables -t mangle -A Default -p tcp -m length --length :128 -m mark ! --mark 4 -m tcp --tcp-flags ALL ACK -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o vlan1 -j Default
iptables -t mangle -A FORWARD -o vlan1 -j Default
iptables -t mangle -A PREROUTING -i vlan1 -j Default
iptables -t mangle -A PREROUTING -i vlan1 -j IMQ --todev 0

Seems to be related to ipp2p, layer7 and connmark ...
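
The transcript above can be reduced mechanically. This is an added example, not part of the original post: it pairs each echoed iptables command with the error line that follows it and prints the match (`-m`) and target (`-j`) names that occur only in failing commands. The function names `suspects` and `sample` are assumptions; the sample lines are copied from the transcript above.

```shell
#!/bin/sh
# Added example: find missing iptables extensions in `sh -v` output.
# suspects reads a transcript on stdin and prints -m/-j names that appear
# in failing commands but in no command that succeeded.
suspects() {
    awk '
    function note(line, isbad,    i, n, f, k) {
        n = split(line, f, " ")
        for (i = 1; i < n; i++)
            if (f[i] == "-m" || f[i] == "-j") {
                k = f[i] " " f[i+1]
                if (isbad) bad[k] = 1; else good[k] = 1
            }
    }
    /^iptables: No chain\/target\/match by that name/ {
        # The error belongs to the command echoed just before it.
        if (prev != "") { note(prev, 1); prev = "" }
        next
    }
    {
        # A new line means the previous command ran without an error.
        if (prev != "") note(prev, 0)
        prev = ($1 == "iptables") ? $0 : ""
    }
    END {
        if (prev != "") note(prev, 0)
        for (k in bad) if (!(k in good)) print k
    }' | LC_ALL=C sort
}

# Excerpt of the transcript posted above.
sample() {
cat <<'EOF'
iptables -t mangle -N Default_ct >&- 2>&-
iptables -t mangle -A Default_ct -m mark --mark 0 -m ipp2p --edk --dc --kazaa --gnu --bit -j MARK --set-mark 4
iptables: No chain/target/match by that name
iptables -t mangle -A Default_ct -m mark --mark 0 -m layer7 --l7proto edonkey -j MARK --set-mark 4
iptables: No chain/target/match by that name
iptables -t mangle -A Default_ct -m mark --mark 0 -m tcp -p tcp -m multiport --ports 22,53 -j MARK --set-mark 1
iptables -t mangle -A Default_ct -j CONNMARK --save-mark
iptables: No chain/target/match by that name
iptables -t mangle -A Default -m mark --mark 0 -j Default_ct
EOF
}

sample | suspects
```

On a router the input would come from `/usr/lib/qos.sh all | sh -v 2>&1`, since `sh -v` echoes commands on stderr. Names such as `mark` and `MARK` are filtered out because they also appear in commands that succeeded.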

Are you running rc5?

Sure ... and all required (iptables) packages have been installed ...

I'm running the default RC5 (not self-compiled) + some added packages ...

What makes you wonder?

Normally all the missing packages should be installed automatically through the package dependencies. There doesn't seem to be an error in the code that qos.sh generates...

I checked and saw that ipt_CONNMARK, ipt_ipp2p and ipt_layer7 cannot be loaded ... in which packages are those modules?

Sorry, posts 251 to 250 are missing from our archive.