No traffic shaping for input/download?

jfernandez · November 9, 2018, 8:49pm

NethServer Version: 7.5.1804 (final)
Module: FireQoS

I’m trying to understand how traffic shaping works, looking to:

/etc/firehol/fireqos.conf
/etc/squid/squid.conf

I found out that traffic shaping rules over web proxy (Squid) is done by marking packages for later processing by FireQoS class matching rules.

Acording to FireOS documentation matching rules can by checked by running:

// NS7 Input/Download
fireqos status red1-in

// NS7 Output/Upload
fireqos status red1-out

FireQoS traffic shaping is working for Upload

# fireqos status red1-out
FireQOS 3.1.5
(C) 2013-2014 Costa Tsaousis, GPL


red1-out: eth1 output => eth1, type: ethernet, overhead: 
Rate: 335Kbit/s, min: 12Kbit/s
Values in Kbit/s

 CLASS   high    low defaul 
CLASSI   1:11   1:12 1:8000 
COMMIT    167     33     12 
   MAX    301    301    335 

PRIORI      4      4      4 
 QDISC fq_cod fq_cod fq_cod 

 color code (packets):  backlog  |  dropped  |  delayed  |  requeued 
 Class Utilization on red1-out (eth1 output => eth1) - values in Kbit/s
 TOTAL   high    low defaul 
   255    177     76      1 
   208    130     76      2 
    99      3     95      2 
    77      -     77      - 
   161     48    108      4 
   142     29     96     16

However, same behavior is not seen for Download

# fireqos status red1-in
FireQOS 3.1.5
(C) 2013-2014 Costa Tsaousis, GPL


red1-in: eth1 input => eth1-ifb, type: ethernet, overhead: 
Rate: 1612Kbit/s, min: 16Kbit/s
Values in Kbit/s

 CLASS   high    low defaul 
CLASSI   1:11   1:12 1:8000 
COMMIT    806    161     16 
   MAX   1450    322   1612 

PRIORI      4      4      4 
 QDISC fq_cod fq_cod fq_cod 

 color code (packets):  backlog  |  dropped  |  delayed  |  requeued 
 Class Utilization on red1-in (eth1 input => eth1-ifb) - values in Kbit/s
 TOTAL   high    low defaul 
  1645      -      -   1645 
  1629      -      -   1629 
  1635      -      -   1635 
  1634      -      -   1634 
  1630      -      -   1630

Am I missing something? Is this normal?

filippo_carletti · November 9, 2018, 9:56pm

I see traffic in the high column for red1-in.
Maybe your config is missing priority rules or you looked when there was no high priority traffic.

jfernandez · November 9, 2018, 10:11pm

Where? I’m only seen lines (-) on high column. I’m curently downloading a pfSense video on youtube and the only column having traffic is default class.

Also, I have rules for web proxy stating that my IP should be marked for high class traffic shaping:

My IP is included on high-priority IP range

filippo_carletti · November 9, 2018, 10:59pm

Here’s the output from fireqos status red1-in in my firewall:

red1-in: en4 input => en4-ifb, type: ethernet, overhead: 
Rate: 85000Kbit/s, min: 850Kbit/s
Values in Kbit/s

  CLASS    high hotspot     low default 
CLASSID    1:11    1:12    1:13  1:8000 
 COMMIT    8500     850     850     850 
    MAX   85000   17000   76500   85000 

PRIORIT       4       4       4       4 
  QDISC fq_code fq_code fq_code fq_code 

 color code (packets):  backlog  |  dropped  |  delayed  |  requeued 
 Class Utilization on red1-in (en4 input => en4-ifb) - values in Kbit/s
  TOTAL    high hotspot     low default 
    220       -       -       -     220 
    561       -       -       -     561 
    574       -       -       1     573 
    262       1       -       -     261 
    489       1       -       -     488 
    345       -       -       -     345 
    200       2       -       -     199 
    598       2       -       -     597

I think that there may be some corner cases where traffic is not marked or marks are not set on connections. I’d start ruling out squid, temporarily disabling the web proxy.
I’ll try to reproduce the problem on Monday.

jfernandez · November 13, 2018, 1:13pm

I disabled web proxy and as expected FireQoS traffic shaping started to work as expected, but for web proxy, incoming traffic shaping is not working.

filippo_carletti · November 13, 2018, 4:39pm

Could you try adding the following line at the bottom of /etc/shorewall/mangle?

SAVE $FW

Then shorewall restart to activate the new configuration.

Thanks in advance.

jfernandez · November 13, 2018, 4:59pm

That fixed it, as for making this change permanet, I’m aware NS uses a template system, meaning that this change will be erased upon signaling:

nethserver-firewall-base-save
nethserver-firewall-base-update
Anything expanding a template within /etc/e-smith/templates/etc/shorewall/mangle or /etc/e-smith/templates-custom/etc/shorewall/mangle

Should I create a custom template in the mean time, or does this will be fixed on some upgrade?

jfernandez · November 13, 2018, 5:08pm

BTW this is currently the content inside /etc/shorewall/mangle

# ================= DO NOT MODIFY THIS FILE =================
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
# 
#
# Shorewall version 4 - Mangle File
#
# For information about entries in this file, type "man shorewall-mangle"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# http://shorewall.net/MultiISP.html
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
####################################################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
#                                                       PORT(S) PORT(S)
#
# 20ndpi
# All nDPI traffic is marked in forward chain
#

#
# 40priorities
# All priority rules are marked inside the post chain.
# If FW is the source, rules are moved to output chain.
#

#
# 60providers
#

#
# 90ndpi
# Restore all markers
#

SAVE $FW

SAVE $FW was entered manually using nano /etc/shorewall/mangle, I’m currently reading how can I create a template for making this change permanent.

mrmarkuz · November 13, 2018, 5:56pm

Create dir if not exist:

mkdir -p /etc/e-smith/templates-custom/etc/shorewall/mangle/

Create custom template:

nano /etc/e-smith/templates-custom/etc/shorewall/mangle/91savefw

with following content:

SAVE $FW

After signal-event firewall-adjust you should see the new line in /etc/shorewall/mangle

filippo_carletti · November 13, 2018, 6:30pm

I’ll ask you to test an update later. Meanwhile you could use a custom template (but you will have to remove it before installing the update).

jfernandez · November 13, 2018, 6:42pm

As usual thanks for helping out

jfernandez · November 13, 2018, 6:44pm

I’ll wait then

filippo_carletti · November 14, 2018, 3:35pm

The packages containing the fix are available in the testing repository.

yum --enablerepo=nethserver-testing update nethserver-firewall-base nethserver-firewall-base-ui

Details on github:

@jfernandez , please remember to remove the custom template before upgrading.
Thanks again.

jfernandez · November 14, 2018, 7:09pm

Just did the upgrade, it work quite well so far. Though I’m not having much on /etc/shorewall/mangle but rule from 80qos_fw template which is:

# 80qos_fw
# save priority packet marks for traffic from the firewall itself
SAVE          $FW               -               -     -       -       -       !0x00/0xff

According to Shorewall this rule will:
Move Squid marked packets to the connection mark which such packets are part of.

So far squid marks packets for the first two rules defined in traffic shaping, which is something that should be improved, but that is something for another post.

jfernandez · November 22, 2018, 2:51pm

The issue is solved in package nethserver-firewall-base-3.4.2-1.2.gc629858.ns7.noarch
Anyone else having this problem, just upgrade your NS7 machine.