
matthieu
Hi,
I think I can say there is definitely something broken in the Bandwidth Manager in ClearOS Community release 6.5.0 (Final) - app version 1.5.18-1.

I just did a fresh install of both 5.2 and 6.5 in VirtualBox and tried to make a very simple rule on both 5.2 and 6.5 limiting HTTP traffic to 1Mbps. I tested using another VirtualBox machine connected to the internet through COS using the "Internal Network" feature.

It works like a charm in 5.2 but doesn't throttle anything in 6.5.

Even worse, on our production machine the Bandwidth Manager is somewhat erratic, sometimes blocking everything, sometimes doing nothing at all.

Here is some debugging information taken from the 6.5 machine that may be useful. Maybe someone will be able to help, or at least confirm this.

Thanks,

Matthieu

[root@gateway ~]# cat /etc/clearos/firewall.conf
###############################################################################
#
# Use the web-based administration tool to change the firewall configuration.
#
###############################################################################

# Squid configuration
#--------------------

SQUID_TRANSPARENT="on"

# VPN configuration
#------------------

IPSEC_SERVER="off"
PPTP_SERVER="off"

# Egress mode
#------------

EGRESS_FILTERING="off"

# Webconfig rules
#----------------
# WARNING:
# The firewall script will not perform further validation on the rules below.
# Use the web-based administration tool to change the firewall configuration.
#
# Name|Group|Flags|Protocol|Address|Port|Parameter
#
# -Name and Group are symbolic names which only have meaning within the
# web-based administration tool (webconfig).
# -Flags are OR combined to produce a 4-byte bitmask. This needs to be
# explained in full detail somewhere. Reading the source to IsValidFlags()
# within the firewallrule.class file is the best documentation about this
# at the moment.
# -Protocol is an integer ID listed in /etc/protocols.
# -Address is an IPv4, IPv6, or MAC/HW address depending on the rule's flags.
# -Port is a TCP/UDP service address depending on the rule's flags and
# protocol.
# -Parameter can contain additional rule criteria depending on the rule's
# flags and/or protocol.
#
# NOTE: If editing these by hand, do not add spaces between fields.
RULES="\
bw_basic_http_qS71G||0x10105000|0|0.0.0.0|80|eth0:0:0:3:1000:1000:1000:1000 \
ssh_server||0x10000001|6||22| \
webconfig||0x10000001|6||81| \
"

# vim: ts=4 syntax=sh

[root@gateway ~]# cat /etc/clearos/bandwidth.conf
BANDWIDTH_QOS="on"
BANDWIDTH_UPSTREAM="eth0:3000"
BANDWIDTH_DOWNSTREAM="eth0:30000"


[root@gateway ~]# modprobe -r nfnetlink_queue
[root@gateway ~]# lsmod | grep net
[root@gateway ~]# lsmod
Module Size Used by
imq 4615 0
xt_state 1492 6
cls_u32 6894 2
sch_sfq 5795 4
sch_prio 4672 2
sch_htb 15063 2
nf_nat_tftp 987 0
nf_conntrack_tftp 4878 1 nf_nat_tftp
nf_nat_h323 8830 0
nf_conntrack_h323 67696 1 nf_nat_h323
nf_nat_pptp 4653 0
nf_nat_proto_gre 3028 1 nf_nat_pptp
nf_nat_irc 1883 0
nf_nat_ftp 3507 0
ipt_MASQUERADE 2466 1
xt_IMQ 1350 2
nf_conntrack_pptp 12166 1 nf_nat_pptp
nf_conntrack_proto_gre 7003 1 nf_conntrack_pptp
arc4 1475 0
ecb 2209 0
ppp_mppe 6174 0
ppp_generic 25123 1 ppp_mppe
slhc 5805 1 ppp_generic
nf_conntrack_irc 5530 1 nf_nat_irc
nf_conntrack_ftp 12913 1 nf_nat_ftp
ipt_REJECT 2351 1
ipt_LOG 5845 0
iptable_nat 6190 1
nf_nat 22759 8 nf_nat_tftp,nf_nat_h323,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 9506 9 iptable_nat,nf_nat
nf_conntrack 79758 16 xt_state,nf_nat_tftp,nf_conntrack_tftp,nf_nat_h323,nf_conntrack_h323,nf_nat_pptp,nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_irc,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4 1483 1 nf_conntrack_ipv4
iptable_mangle 3349 1
iptable_filter 2793 1
ip_tables 17831 3 iptable_nat,iptable_mangle,iptable_filter
ipv6 317756 16
ppdev 8537 0
parport_pc 22690 0
parport 36209 2 ppdev,parport_pc
i2c_piix4 12608 0
i2c_core 31084 1 i2c_piix4
e1000 170710 0
sg 29350 0
ext4 374902 2
jbd2 93427 1 ext4
mbcache 8193 1 ext4
sd_mod 39069 3
crc_t10dif 1541 1 sd_mod
sr_mod 15177 0
cdrom 39085 1 sr_mod
ahci 42215 2
pata_acpi 3701 0
ata_generic 3837 0
ata_piix 24601 0
dm_mirror 14384 0
dm_region_hash 12085 1 dm_mirror
dm_log 9930 2 dm_mirror,dm_region_hash
dm_mod 84209 8 dm_mirror,dm_log

[root@gateway ~]# modprobe -r nfnetlink_queue

[root@gateway ~]# firewall-start -d
firewall: Starting firewall...
firewall: Loading environment
firewall: FW_MODE=gateway
firewall: WANIF=eth0
firewall: LANIF=eth1
firewall: SYSWATCH_WANIF=eth0
firewall: WIFIF=
firewall: BANDWIDTH_QOS=on
firewall: QOS_ENGINE=internal
firewall: SQUID_USER_AUTHENTICATION=off
firewall: SQUID_TRANSPARENT=on
firewall: IPSEC_SERVER=off
firewall: PPTP_SERVER=off
firewall: ONE_TO_ONE_NAT_MODE=type2
firewall: RULES=bw_basic_http_qS71G||0x10105000|0|0.0.0.0|80|eth0:0:0:3:1000:1000:1000:1000
firewall: RULES=ssh_server||0x10000001|6||22|
firewall: RULES=webconfig||0x10000001|6||81|
firewall: FW_DROP=DROP
firewall: FW_ACCEPT=ACCEPT
firewall: IPBIN=/sbin/ip
firewall: TCBIN=/sbin/tc
firewall: MODPROBE=/sbin/modprobe
firewall: RMMOD=/sbin/rmmod
firewall: SYSCTL=/sbin/sysctl
firewall: IFCONFIG=/sbin/ifconfig
firewall: PPTP_PASSTHROUGH_FORCE=no
firewall: EGRESS_FILTERING=off
firewall: PROTOCOL_FILTERING=off
firewall: Detected WAN role for interface: eth0
firewall: Detected LAN role for interface: eth1
firewall: Setting kernel parameters
firewall: /sbin/sysctl -w net.ipv4.neigh.default.gc_thresh1=256 >/dev/null = 0
firewall: /sbin/sysctl -w net.ipv4.neigh.default.gc_thresh2=1024 >/dev/null = 0
firewall: /sbin/sysctl -w net.ipv4.neigh.default.gc_thresh3=2048 >/dev/null = 0
firewall: /sbin/sysctl -w net.netfilter.nf_conntrack_max=524288 >/dev/null = 0
firewall: /sbin/sysctl -w net.ipv4.ip_forward=1 >/dev/null = 0
firewall: /sbin/sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null = 0
firewall: /sbin/sysctl -w net.ipv4.conf.all.log_martians=0 >/dev/null = 0
firewall: /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0 >/dev/null = 0
firewall: /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0 >/dev/null = 0
firewall: /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0 >/dev/null = 0
firewall: /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0 >/dev/null = 0
firewall: /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0 >/dev/null = 0
firewall: /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 >/dev/null = 0
firewall: /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 >/dev/null = 0
firewall: Detected WAN info - eth0 10.0.1.36 on network 10.0.1.0/24
firewall: Detected LAN info - eth1 10.0.2.1 on network 10.0.2.0/24
firewall: Using gateway mode
firewall: Loading kernel modules
firewall: /sbin/modprobe ipt_LOG >/dev/null 2>&1 = 0
firewall: /sbin/modprobe ipt_REJECT >/dev/null 2>&1 = 0
firewall: /sbin/modprobe ip_conntrack_ftp >/dev/null 2>&1 = 0
firewall: /sbin/modprobe ip_conntrack_irc >/dev/null 2>&1 = 0
firewall: /sbin/modprobe ppp_generic >/dev/null 2>&1 = 0
firewall: /sbin/modprobe ppp_mppe >/dev/null 2>&1 = 0
firewall: /sbin/modprobe ip_conntrack_proto_gre >/dev/null 2>&1 = 256
firewall: /sbin/modprobe ip_conntrack_pptp >/dev/null 2>&1 = 0
firewall: /sbin/modprobe ipt_IMQ >/dev/null 2>&1 = 0
firewall: Loading kernel modules for NAT
firewall: /sbin/modprobe ipt_MASQUERADE >/dev/null 2>&1 = 0
firewall: /sbin/modprobe ip_nat_ftp >/dev/null 2>&1 = 0
firewall: /sbin/modprobe ip_nat_irc >/dev/null 2>&1 = 0
firewall: /sbin/modprobe ip_nat_proto_gre >/dev/null 2>&1 = 256
firewall: /sbin/modprobe ip_nat_pptp >/dev/null 2>&1 = 0
firewall: /sbin/modprobe ip_nat_h323 >/dev/null 2>&1 = 0
firewall: /sbin/modprobe ip_nat_tftp >/dev/null 2>&1 = 0
firewall: Setting default policy to DROP
firewall: Defining custom chains
firewall: iptables -t filter -A drop-lan -j DROP
firewall: Running blocked external rules
firewall: Running custom rules
firewall: Running common rules
firewall: iptables -t filter -A INPUT -m state --state INVALID -j DROP
firewall: iptables -t filter -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
firewall: iptables -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
firewall: iptables -t filter -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
firewall: iptables -t filter -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
firewall: iptables -t filter -A INPUT -i lo -j ACCEPT
firewall: iptables -t filter -A OUTPUT -o lo -j ACCEPT
firewall: iptables -t filter -A INPUT -i pptp+ -j ACCEPT
firewall: iptables -t filter -A OUTPUT -o pptp+ -j ACCEPT
firewall: iptables -t filter -A INPUT -i tun+ -j ACCEPT
firewall: iptables -t filter -A OUTPUT -o tun+ -j ACCEPT
firewall: iptables -t filter -A INPUT -i eth1 -j ACCEPT
firewall: iptables -t filter -A OUTPUT -o eth1 -j ACCEPT
firewall: iptables -t filter -A INPUT -i eth0 -p icmp --icmp-type 0 -j ACCEPT
firewall: iptables -t filter -A INPUT -i eth0 -p icmp --icmp-type 3 -j ACCEPT
firewall: iptables -t filter -A INPUT -i eth0 -p icmp --icmp-type 8 -j ACCEPT
firewall: iptables -t filter -A INPUT -i eth0 -p icmp --icmp-type 11 -j ACCEPT
firewall: iptables -t filter -A OUTPUT -o eth0 -p icmp -j ACCEPT
firewall: iptables -t filter -A INPUT -i eth0 -p udp --dport bootpc --sport bootps -j ACCEPT
firewall: iptables -t filter -A INPUT -i eth0 -p tcp --dport bootpc --sport bootps -j ACCEPT
firewall: iptables -t filter -A OUTPUT -o eth0 -p udp --sport bootpc --dport bootps -j ACCEPT
firewall: iptables -t filter -A OUTPUT -o eth0 -p tcp --sport bootpc --dport bootps -j ACCEPT
firewall: Running incoming denied rules
firewall: Running user-defined incoming rules
firewall: Allowing incoming tcp port/range 22
firewall: iptables -t filter -A INPUT -p 6 -d 10.0.1.36 --dport 22 -j ACCEPT
firewall: iptables -t filter -A OUTPUT -p 6 -o eth0 -s 10.0.1.36 --sport 22 -j ACCEPT
firewall: Allowing incoming tcp port/range 81
firewall: iptables -t filter -A INPUT -p 6 -d 10.0.1.36 --dport 81 -j ACCEPT
firewall: iptables -t filter -A OUTPUT -p 6 -o eth0 -s 10.0.1.36 --sport 81 -j ACCEPT
firewall: iptables -t nat -A POSTROUTING -o tun+ -j ACCEPT
firewall: Running default incoming allowed rules
firewall: iptables -t filter -A OUTPUT -o eth0 -j ACCEPT
firewall: iptables -t filter -A INPUT -i eth0 -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
firewall: iptables -t filter -A INPUT -i eth0 -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
firewall: Running user-defined port forward rules
firewall: /sbin/ip link set imq0 down 2>/dev/null = 0
firewall: /sbin/ip link set imq1 down 2>/dev/null = 0
firewall: /sbin/rmmod imq 2>/dev/null = 0
firewall: /sbin/tc qdisc del dev eth0 root >/dev/null 2>&1 = 512
firewall: Initializing bandwidth manager
firewall: Creating 2 IMQ interface(s)...
firewall: /sbin/modprobe imq numdevs=2 >/dev/null 2>&1 = 0
firewall: iptables -t mangle -A POSTROUTING -o eth0 -j IMQ --todev 0
firewall: Upstream WAN => IMQ interface map:
firewall: 0: eth0 => imq0
firewall: iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 1
firewall: Downstream WAN => IMQ interface map:
firewall: 0: eth0 => imq1
firewall: /sbin/ip link set imq0 up 2>/dev/null = 0
firewall: /sbin/tc qdisc del dev imq0 root handle 1: htb >/dev/null 2>&1 = 512
firewall: /sbin/tc qdisc add dev imq0 root handle 1: htb default 2 = 0
firewall: /sbin/ip link set imq1 up 2>/dev/null = 0
firewall: /sbin/tc qdisc del dev imq1 root handle 1: htb >/dev/null 2>&1 = 512
firewall: /sbin/tc qdisc add dev imq1 root handle 1: htb default 2 = 0
firewall: /sbin/tc class add dev imq0 parent 1: classid 1:1 htb rate 3000kbit prio 0 = 0
firewall: /sbin/tc class add dev imq1 parent 1: classid 1:1 htb rate 30000kbit prio 0 = 0
firewall: /sbin/tc class add dev imq0 parent 1:1 classid 1:2 htb rate 375kbit ceil 3000kbit prio 7 = 0
firewall: /sbin/tc class add dev imq1 parent 1:1 classid 1:2 htb rate 3750kbit ceil 30000kbit prio 7 = 0
firewall: /sbin/tc qdisc add dev imq0 parent 1:2 handle 10: prio = 0
firewall: /sbin/tc qdisc add dev imq1 parent 1:2 handle 10: prio = 0
firewall: /sbin/tc qdisc add dev imq0 parent 10:1 handle 100: pfifo = 0
firewall: /sbin/tc qdisc add dev imq0 parent 10:2 handle 200: sfq perturb 10 = 0
firewall: /sbin/tc qdisc add dev imq0 parent 10:3 handle 300: sfq perturb 10 = 0
firewall: /sbin/tc qdisc add dev imq1 parent 10:1 handle 100: pfifo = 0
firewall: /sbin/tc qdisc add dev imq1 parent 10:2 handle 200: sfq perturb 10 = 0
firewall: /sbin/tc qdisc add dev imq1 parent 10:3 handle 300: sfq perturb 10 = 0
firewall: HTB Class 1:10, priority: 3, rate: 1000kbit, ceil: 1000kbit, interface: imq0
firewall: /sbin/tc class add dev imq0 parent 1:1 classid 1:10 htb rate 1000kbit ceil 1000kbit prio 3 = 0
firewall: HTB Class 1:10, source address: 10.0.2.0/24:80, destination address: NONE
firewall: /sbin/tc filter add dev imq0 protocol ip parent 1: pref 1 u32 match ip src 10.0.2.0/24 match ip sport 80 0xffff flowid 1:10 = 0
firewall: HTB Class 1:10, priority: 3, rate: 1000kbit, ceil: 1000kbit, interface: imq1
firewall: /sbin/tc class add dev imq1 parent 1:1 classid 1:10 htb rate 1000kbit ceil 1000kbit prio 3 = 0
firewall: HTB Class 1:10, source address: NONE, destination address: 10.0.2.0/24:80
firewall: /sbin/tc filter add dev imq1 protocol ip parent 1: pref 1 u32 match ip dst 10.0.2.0/24 match ip dport 80 0xffff flowid 1:10 = 0
firewall: Running 1-to-1 NAT rules
firewall: Running user-defined proxy rules
firewall: Content filter is offline
firewall: Web proxy is offline
firewall: Running multipath
firewall: /sbin/ip rule | grep -Ev '(local|main|default)' | while read PRIO RULE; do /sbin/ip rule del prio ${PRIO%%:*} 2>/dev/null; done = 0
firewall: /sbin/ip rule | grep -Ev '(local|main|default)' | while read PRIO RULE; do /sbin/ip rule del $RULE prio ${PRIO%%:*} 2>/dev/null; done = 0
firewall: /sbin/ip route flush table 50 = 0
firewall: /sbin/ip route flush cache = 0
firewall: Enabling NAT on WAN interface eth0
firewall: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
firewall: Running user-defined outgoing block rules
firewall: Running default forwarding rules
firewall: iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
firewall: iptables -t filter -A FORWARD -i eth1 -j ACCEPT
firewall: iptables -t filter -A FORWARD -i pptp+ -j ACCEPT
firewall: iptables -t filter -A FORWARD -i tun+ -j ACCEPT
firewall: Execution time: 1.525s

Sunday, December 21 2014, 11:31 PM
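The `firewall-start -d` output above is long, and the lines that matter for the bandwidth question are the `tc` commands and their exit status. The following is an added example (not part of the post and not ClearOS code) that parses those lines into a per-device view of HTB classes, u32 filters and failed commands; the sample log is a constructed excerpt copied from the output above. The treatment of the `= N` value as a raw wait status (so `512` means exit code 2) is an assumption, consistent with every non-zero value on the page being a multiple of 256.

```python
import re

# Constructed sample: tc lines copied from the "firewall-start -d" output
# quoted in the post above, including the two commands that returned non-zero.
SAMPLE_LOG = """\
firewall: /sbin/tc qdisc del dev eth0 root >/dev/null 2>&1 = 512
firewall: /sbin/tc qdisc del dev imq0 root handle 1: htb >/dev/null 2>&1 = 512
firewall: /sbin/tc qdisc add dev imq0 root handle 1: htb default 2 = 0
firewall: /sbin/tc class add dev imq0 parent 1: classid 1:1 htb rate 3000kbit prio 0 = 0
firewall: /sbin/tc class add dev imq0 parent 1:1 classid 1:2 htb rate 375kbit ceil 3000kbit prio 7 = 0
firewall: /sbin/tc class add dev imq0 parent 1:1 classid 1:10 htb rate 1000kbit ceil 1000kbit prio 3 = 0
firewall: /sbin/tc filter add dev imq0 protocol ip parent 1: pref 1 u32 match ip src 10.0.2.0/24 match ip sport 80 0xffff flowid 1:10 = 0
firewall: /sbin/tc class add dev imq1 parent 1:1 classid 1:10 htb rate 1000kbit ceil 1000kbit prio 3 = 0
firewall: /sbin/tc filter add dev imq1 protocol ip parent 1: pref 1 u32 match ip dst 10.0.2.0/24 match ip dport 80 0xffff flowid 1:10 = 0
"""

TC_RE = re.compile(
    r"^firewall: /sbin/tc (?P<obj>qdisc|class|filter) (?P<action>add|del) "
    r"dev (?P<dev>\S+) (?P<args>.*?) = (?P<rc>\d+)$"
)
CLASS_RE = re.compile(
    r"classid (?P<id>\S+) htb rate (?P<rate>\d+)kbit(?: ceil (?P<ceil>\d+)kbit)? prio (?P<prio>\d+)"
)
MATCH_RE = re.compile(r"match ip (?P<key>src|dst|sport|dport) (?P<val>\S+)")
FLOWID_RE = re.compile(r"flowid (?P<id>\S+)")


def exit_code(raw_status):
    """Assumption: the '= N' value is a raw wait status, so 512 is exit code 2."""
    return raw_status >> 8


def parse_tc_log(text):
    """Group tc commands by device: HTB classes, u32 filters and failed commands."""
    devices = {}
    for line in text.splitlines():
        m = TC_RE.match(line)
        if not m:
            continue
        rec = devices.setdefault(m["dev"], {"classes": {}, "filters": [], "failed": []})
        args = re.sub(r"\s*>/dev/null.*$", "", m["args"])  # drop the shell redirection
        rc = int(m["rc"])
        if rc != 0:
            rec["failed"].append({
                "cmd": f"tc {m['obj']} {m['action']} dev {m['dev']} {args}",
                "exit": exit_code(rc),
            })
            continue
        if m["obj"] == "class" and m["action"] == "add":
            c = CLASS_RE.search(args)
            if c:
                rate = int(c["rate"])
                ceil = int(c["ceil"]) if c["ceil"] else rate  # HTB: ceil defaults to rate
                rec["classes"][c["id"]] = {"rate": rate, "ceil": ceil, "prio": int(c["prio"])}
        elif m["obj"] == "filter" and m["action"] == "add":
            f = FLOWID_RE.search(args)
            if f:
                rec["filters"].append({
                    "match": {k: v for k, v in MATCH_RE.findall(args)},
                    "flowid": f["id"],
                })
    return devices


def describe(devices, dev):
    """One line per filter: which traffic is steered into which class, and how it is shaped."""
    lines = []
    rec = devices[dev]
    for f in rec["filters"]:
        cls = rec["classes"].get(f["flowid"])
        where = " ".join(f"{k} {v}" for k, v in f["match"].items())
        shape = (f"rate {cls['rate']}kbit ceil {cls['ceil']}kbit prio {cls['prio']}"
                 if cls else "class not defined")
        lines.append(f"{dev}: {where} -> {f['flowid']} ({shape})")
    return lines


if __name__ == "__main__":
    parsed = parse_tc_log(SAMPLE_LOG)
    for dev in sorted(parsed):
        for line in describe(parsed, dev):
            print(line)
        for fail in parsed[dev]["failed"]:
            print(f"{dev}: FAILED (exit {fail['exit']}): {fail['cmd']}")
```

Read this way, the two failures are both `tc qdisc del` of a qdisc that does not exist yet, which is expected on a first start. More useful is what the filters say: on imq0 (upstream) the rule matches source port 80 leaving the LAN network, and on imq1 (downstream) destination port 80 entering it, i.e. an HTTP server inside the LAN rather than LAN clients fetching web pages.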
Responses (4)
  • Accepted Answer

    Sunday, December 28 2014, 09:24 PM
    Glad you figured it out :)
  • Accepted Answer

    matthieu
    Wednesday, December 24 2014, 11:24 AM
    Tim, I think I understood what was wrong. It looks like the labels "Flowing to the network" and "Flowing from the network" are reversed. Or at least if I'm correct in understanding "the network" as the WAN side....

    (5 minutes later)

    Which is wrong, actually ;) I read the doc *again* and discovered that I had misunderstood those labels. Sorry.... Everything works now... Newbie mistake, except that those labels are not so clear IMHO. A schema would probably be easier to understand.

    Matthieu
  • Accepted Answer

    matthieu
    Wednesday, December 24 2014, 10:55 AM
    Hi Tim, thanks for your answer.

    Actually I did use the generic rule ("Basic rule", right?) and I didn't specify any LAN address.

    Just to clarify: the WAN address is 10.0.1.36, the LAN side is 10.0.2.1.

    Matthieu
  • Accepted Answer

    Monday, December 22 2014, 11:33 PM
    Hi matthieu, I did some testing and reported a bug with rules defined for local IPs / subnets. The technical issue is that the kernel filtering for the virtual IMQ devices occurs before the NAT and so only matches WAN IP traffic:
    http://tracker.clearfoundation.com/view.php?id=155

    Did you try with generic port 80 rules (without the LAN IP)?
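The following is an added illustration (not ClearOS code and not part of Tim's reply) of the ordering problem Tim reports for the downstream side: the u32 filter generated on imq1 matches `dst 10.0.2.0/24 dport 80`, but a packet diverted to imq1 in PREROUTING before NAT still carries the WAN address as its destination, so a filter written against the LAN subnet can never select class 1:10. The DNAT entry (a published web server at 10.0.2.10), the inbound packet and the `classify_before_nat` switch are constructed modelling assumptions; the addresses and filter are taken from the thread.

```python
import ipaddress

WAN_IP = "10.0.1.36"              # gateway WAN address, from the thread
DEFAULT_CLASS = "1:2"             # "htb default 2" on the imq1 root qdisc

# Downstream u32 filter exactly as generated on imq1 in the debug output:
#   match ip dst 10.0.2.0/24 match ip dport 80 0xffff flowid 1:10
FILTER_DOWN = {"dst": "10.0.2.0/24", "dport": 80}

# Constructed scenario (not on the page): a port forward of WAN:80 to a LAN
# web server, the kind of traffic the filter above would describe.
DNAT_TABLE = {(WAN_IP, 80): ("10.0.2.10", 80)}


def u32_match(flt, pkt):
    """Minimal u32-style match on CIDR address and exact port fields."""
    for key, want in flt.items():
        if key in ("src", "dst"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif pkt[key] != want:
            return False
    return True


def apply_dnat(pkt, table):
    """Rewrite the destination as a nat PREROUTING DNAT rule would."""
    hit = table.get((pkt["dst"], pkt["dport"]))
    if hit is None:
        return pkt
    return {**pkt, "dst": hit[0], "dport": hit[1]}


def classify_downstream(pkt, classify_before_nat):
    """Flowid chosen for a packet arriving on eth0 and diverted to imq1.

    classify_before_nat=True models the ordering Tim reports: the IMQ hook runs
    before NAT, so the filter still sees the WAN address as destination.
    """
    seen = pkt if classify_before_nat else apply_dnat(pkt, DNAT_TABLE)
    return "1:10" if u32_match(FILTER_DOWN, seen) else DEFAULT_CLASS


def wan_side_filter(flt, wan_ip):
    """The same filter written against the WAN address, which is all a
    pre-NAT classifier can see for forwarded traffic (the generic rule Tim suggests)."""
    return {**flt, "dst": f"{wan_ip}/32"}


if __name__ == "__main__":
    # Constructed inbound HTTP request from the Internet to the published server.
    pkt = {"src": "203.0.113.7", "dst": WAN_IP, "sport": 40000, "dport": 80}
    print("classified before NAT:", classify_downstream(pkt, True))   # 1:2, unshaped
    print("classified after NAT :", classify_downstream(pkt, False))  # 1:10, shaped
    print("WAN-side filter hits :", u32_match(wan_side_filter(FILTER_DOWN, WAN_IP), pkt))
```

The same model generalises to any address-based rule: whatever the classifier sees before translation is what the `match ip dst` has to be written against, which is why a rule on the WAN address (or one with no LAN address at all) behaves while a LAN-subnet rule silently falls into the default class.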