Classifiers are the way by which the kernel decides which queue a packet should be placed into. There are various different classifiers, each of which can be used for different purposes.
Bases the decision on how the firewall has marked the packet.
Bases the decision on fields within the packet (i.e. source IP address, etc)
Bases the decision on which route the packet will be routed by.
Bases the decision on the target (destination,protocol) and optionally the source as well. (I think)
FIXME: Fill me in
Note that in general there are many ways in which you can classify packet and that it generally comes down to preference as to which system you wish to use.
Classifiers in general accept a few arguments in common. They are listed here for convenience:
The protocol this classifier will accept. Generally you will only be accepting only IP traffic. Required.
The handle this classifier is to be attached to. This handle must be an already existing class. Required.
The priority of this classifier. Higher numbers get tested first.
This handle means different things to different filters.
FIXME: Add more
All the following sections will assume you are trying to shape the traffic
going to HostA
. They will assume that the root class has been
configured on 1: and that the class you want to send the selected traffic to
is 1:1.
The "fw" classifier relies on the firewall tagging the packets to be shaped. So, first we will setup the firewall to tag them:
FIXME: Equivalent iptables command?
# iptables -I PREROUTING -t mangle -p tcp -d HostA \
-j MARK --set-mark 1
Now all packets to that machine are tagged with the mark 1. Now we build the packet shaping rules to actually shape the packets. Now we just need to indicate that we want the packets that are tagged with the mark 1 to go to class 1:1. This is accomplished with the command:
# tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:1
This should be fairly self-explanatory. Attach to the 1:0 class a filter with priority 1 to filter all packet marked with 1 in the firewall to class 1:1. Note how the handle here is used to indicate what the mark should be.
That's all there is to it! This is the (IMHO) easy way, the other ways are I think harder to understand. Note that you can apply the full power of the firewalling code with this classifier, including matching MAC addresses, user IDs and anything else the firewall can match.
The "u32" classifier is a filter that filters directly based on the contents of the packet. Thus it can filter based on source or destination addresses or ports. It can filter based on the TOS and other truly bizarre fields. It does this by taking a specification of the form [offset/mask/value] and applying that to all the packets. Fortunately you can use symbolic names much as with tcpdump.
# tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst HostA flowid 1:1
FIXME: What are the other possibilities?
That all there is to it.
FIXME: Doesn't work
This classifier filters based on the results of the routing tables. When a packet that is traversing through the classes reaches one that is marked with the "route" filter, it splits the packets up based on information in the routing table.
# tc filter add dev eth1 parent 1:0 protocol ip prio 100 route
Here we add a route classifier onto the parent node 1:0 with priority 100. When a packet reaches this node (which, since it is the root, will happen immediately) it will consult the routing table and if one matches will send it to the given class and give it a priority of 100. Then, to finally kick it into action, you add the appropriate routing entry:
# ip route add HostA via Gateway flow 1:1
[Strangely, though I think I've done everything in the example, this doesn't seem to work for me. I get an error that goes:
Error: either "to" is duplicate, or "flow" is a garbage.
Someone who knows will have to comment on this.]
FIXME: Fill me in
FIXME: Fill me in