[ale] iptables traffic mgmt
JK
jknapka at kneuro.net
Fri Mar 2 18:07:03 EST 2007
Jim Popovitch wrote:
> Every now and then (while working on too many things at the same time) I
> suddenly need to do something over the internet that has (IMO) a higher
> priority than anything else I am working on. The important task could
> be anything from ssh to vpn related to ssh. I want to develop a script
> that would take all existing connections and use iptables to
> de-prioritize them (not necessarily QoS) by reducing their network
> bandwidth utilization so that my new important (temporary) task can
> proceed. For instance, right now, I am patching a win2k host with MS
> Office patches and backing up my laptop to a remote host over a vpn.
> But now I need to connect to a remote system and do some quick tests. I
> don't want to stop the office update, nor the backup, I'd just like to
> slow down their network utilization so that my remote session (VNC over
> a vpn) isn't majorly affected. Ideally I'd run a script that built a
> list of "top" connections, then used iptables to throttle them somehow
> without breaking those connections. Any ideas on how to go about doing
> this?
First draft of a sketch of an idea:
You don't need to do anything to the old connections, you just
need to give the new connection a kick in the pants.
Using a hierarchical-token-bucket with two buckets, make one
bucket "high priority" and another "everything else". Any
existing QoS or throttling rules get applied to the
"everything else" bucket. Only packets marked with a particular
mark go in the "high priority" bucket. Give the high-priority
bucket the lion's share of the HTB's token capacity.
Normally, nothing will have the "high-priority" mark set. You
then have a script that, when run, turns the "high-priority"
mark on for a particular host:port destination. When you run
that script like so:
make-high-priority.sh google.com 80
it adds iptables rules that turn on the "high priority" mark
for packets destined for google.com:80, which then go in the
"high-priority" bucket and get preferential treatment.
Another script can turn the mark off by deleting the new
rules.
Much rooting around at http://www.lartc.org will be necessary
to flesh this out :-) And there might be better approaches.
-- JK
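JK's sketch above, written out as a shell script (an added example, not code from the post or from the list): the two-class HTB with the marked class holding the lion's share of the rate, the fw filter that steers marked packets into it, and the make-high-priority / off helpers. The interface, rates, mark value and class ids are assumed values; DRY_RUN prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: two-class HTB with a mark-based
# filter plus on/off helpers. DEV, the rates, the mark value and the class ids
# are assumed values; DEV must be the interface the traffic actually leaves on
# (for a VPN session that may be the tunnel device rather than eth0).
DEV="${DEV:-eth0}"
RATE="${RATE:-10mbit}"           # total egress rate the HTB root class shapes to
HIGH_RATE="${HIGH_RATE:-8mbit}"  # guaranteed to marked ("high priority") traffic
LOW_RATE="${LOW_RATE:-2mbit}"    # "everything else" keeps at least this much
MARK=1                           # fwmark that selects the high-priority class

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# One-time shaping setup: unmarked packets fall into class 1:20 by default;
# the fw filter steers packets carrying $MARK into class 1:10.
setup_htb() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 20
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$RATE"
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb \
        rate "$HIGH_RATE" ceil "$RATE" prio 0
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb \
        rate "$LOW_RATE" ceil "$RATE" prio 1
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 \
        handle "$MARK" fw flowid 1:10
}

# Build the iptables rule for one host:port so add and delete stay identical.
# iptables resolves the hostname when the rule is added, so remove it with the
# same arguments before the name's address can change.
mark_rule() {
    op=$1; host=$2; port=$3
    run iptables -t mangle "$op" OUTPUT -p tcp -d "$host" --dport "$port" \
        -j MARK --set-mark "$MARK"
}
mark_on()  { mark_rule -A "$1" "$2"; }   # make-high-priority.sh host port
mark_off() { mark_rule -D "$1" "$2"; }   # the "turn the mark off" script

case "${1:-}" in
    setup) setup_htb ;;
    on)    mark_on  "$2" "$3" ;;
    off)   mark_off "$2" "$3" ;;
esac
```

Run `setup` once as root, then `on google.com 80` / `off google.com 80` around the urgent session; existing connections are untouched, they simply stay in class 1:20.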