[LARTC] TC Filter matching all
Hello!

I have always used default in HTB to choose the default class, but now I need to do it with filters. I tried the following command:

# tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2
Unknown filter flowid, hence option 10:2 is unparsable

It is from an example in the LARTC Howto. My question is then - how to make a filter matching all without eating too many CPU cycles?

Thanks

--
Michał Margula, [EMAIL PROTECTED], http://alchemyx.uznam.net.pl/
In life, only the moments are beautiful [Ryszard Riedel]
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] TC Filter matching all
I use this one to match anything:
http://mailman.ds9a.nl/pipermail/lartc/2005q3/016774.html

Andreas

Quoting Michał Margula [EMAIL PROTECTED]:
> Hello!
>
> I have always used default in HTB to choose the default class, but now I need to do it with filters. I tried the following command:
>
> # tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2
> Unknown filter flowid, hence option 10:2 is unparsable
>
> It is from an example in the LARTC Howto. My question is then - how to make a filter matching all without eating too many CPU cycles?
>
> Thanks
>
> --
> Michał Margula, [EMAIL PROTECTED], http://alchemyx.uznam.net.pl/
> In life, only the moments are beautiful [Ryszard Riedel]
[LARTC] [NET]: Fix fib_rules compatibility breakage
Based on Patrick's patch:

The fib_rules netlink attribute policy introduced in 2.6.19 broke userspace compatibility. When specifying a rule with "from all" or "to all", iproute adds a zero byte long netlink attribute, but the policy requires all addresses to have a size equal to sizeof(struct in_addr)/sizeof(struct in6_addr), resulting in a validation error.

Check attribute length of FRA_SRC/FRA_DST in the generic framework by letting the family specific rules implementation provide the length of an address. Report an error if address length is non zero but no address attribute is provided. Fix actual bug by checking address length for non-zero instead of relying on availability of attribute.

Signed-off-by: Thomas Graf [EMAIL PROTECTED]

Index: net-2.6/include/net/fib_rules.h === --- net-2.6.orig/include/net/fib_rules.h2007-03-20 15:38:19.0 +0100 +++ net-2.6/include/net/fib_rules.h 2007-03-20 16:01:31.0 +0100 @@ -34,6 +34,7 @@ struct fib_rules_ops int family; struct list_headlist; int rule_size; + int addr_size; int (*action)(struct fib_rule *, struct flowi *, int, Index: net-2.6/net/core/fib_rules.c === --- net-2.6.orig/net/core/fib_rules.c 2007-03-20 15:37:39.0 +0100 +++ net-2.6/net/core/fib_rules.c2007-03-20 15:56:59.0 +0100 @@ -173,6 +173,19 @@ int fib_nl_newrule(struct sk_buff *skb, if (err 0) goto errout; + err = -EINVAL; + if (frh-src_len) + if (tb[FRA_SRC] == NULL || + frh-src_len (ops-addr_size * 8) || + nla_len(tb[FRA_SRC]) != ops-addr_size) + goto errout; + + if (frh-dst_len) + if (tb[FRA_DST] == NULL || + frh-dst_len (ops-addr_size * 8) || + nla_len(tb[FRA_DST]) != ops-addr_size) + goto errout; + rule = kzalloc(ops-rule_size, GFP_KERNEL); if (rule == NULL) { err = -ENOMEM; Index: net-2.6/net/decnet/dn_rules.c === --- net-2.6.orig/net/decnet/dn_rules.c 2007-03-20 15:35:26.0 +0100 +++ net-2.6/net/decnet/dn_rules.c 2007-03-20 15:58:29.0 +0100 
@@ -109,8 +109,6 @@ errout: static struct nla_policy dn_fib_rule_policy[FRA_MAX+1] __read_mostly = { FRA_GENERIC_POLICY, - [FRA_SRC] = { .type = NLA_U16 }, - [FRA_DST] = { .type = NLA_U16 }, }; static int dn_fib_rule_match(struct fib_rule *rule, struct flowi *fl, int flags) @@ -133,7 +131,7 @@ static int dn_fib_rule_configure(struct int err = -EINVAL; struct dn_fib_rule *r = (struct dn_fib_rule *)rule; - if (frh-src_len 16 || frh-dst_len 16 || frh-tos) + if (frh-tos) goto errout; if (rule-table == RT_TABLE_UNSPEC) { @@ -150,10 +148,10 @@ static int dn_fib_rule_configure(struct } } - if (tb[FRA_SRC]) + if (frh-src_len) r-src = nla_get_le16(tb[FRA_SRC]); - if (tb[FRA_DST]) + if (frh-dst_len) r-dst = nla_get_le16(tb[FRA_DST]); r-src_len = frh-src_len; @@ -176,10 +174,10 @@ static int dn_fib_rule_compare(struct fi if (frh-dst_len (r-dst_len != frh-dst_len)) return 0; - if (tb[FRA_SRC] (r-src != nla_get_le16(tb[FRA_SRC]))) + if (frh-src_len (r-src != nla_get_le16(tb[FRA_SRC]))) return 0; - if (tb[FRA_DST] (r-dst != nla_get_le16(tb[FRA_DST]))) + if (frh-dst_len (r-dst != nla_get_le16(tb[FRA_DST]))) return 0; return 1; @@ -249,6 +247,7 @@ int dn_fib_dump_rules(struct sk_buff *sk static struct fib_rules_ops dn_fib_rules_ops = { .family = AF_DECnet, .rule_size = sizeof(struct dn_fib_rule), + .addr_size = sizeof(u16), .action = dn_fib_rule_action, .match = dn_fib_rule_match, .configure = dn_fib_rule_configure, Index: net-2.6/net/ipv4/fib_rules.c === --- net-2.6.orig/net/ipv4/fib_rules.c 2007-03-20 15:46:16.0 +0100 +++ net-2.6/net/ipv4/fib_rules.c2007-03-20 15:55:08.0 +0100 @@ -171,8 +171,6 @@ static struct fib_table *fib_empty_table static struct nla_policy fib4_rule_policy[FRA_MAX+1] __read_mostly = { FRA_GENERIC_POLICY, - [FRA_SRC] = { .type = NLA_U32 }, - [FRA_DST] = { .type = NLA_U32 }, [FRA_FLOW] = { .type = NLA_U32 }, }; @@ -183,8 +181,7 @@ static int fib4_rule_configure(struct fi int err =
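Review bot: in the dn_fib_rule_compare hunk, nla_get_le16(tb[FRA_SRC]) and nla_get_le16(tb[FRA_DST]) are now guarded by src_len/dst_len instead of by the attribute pointer, but the only check in this patch that the attribute is present for a non-zero length is the new block in fib_nl_newrule. Any other path that reaches the compare callback has to have done the same check, or it reads through a NULL tb entry. Move the length and presence test into a helper and call it from every handler that ends up in a configure or compare callback.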
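Review bot: the new addr_size member in struct fib_rules_ops has no comment saying that it is the address length in bytes, which is what both the comparison of src_len against addr_size * 8 and the nla_len() test in fib_nl_newrule assume. Add a one-line comment at the member and state that every family has to set it, since with addr_size left at 0 only a zero-length FRA_SRC/FRA_DST attribute can pass the nla_len() test.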
[LARTC] Re: [NET]: Fix fib_rules compatibility breakage
Thomas Graf wrote:
@@ -242,10 +239,10 @@ static int fib4_rule_compare(struct fib_ return 0; #endif - if (tb[FRA_SRC] (rule4-src != nla_get_be32(tb[FRA_SRC]))) + if (frh-src_len (rule4-src != nla_get_be32(tb[FRA_SRC]))) return 0; - if (tb[FRA_DST] (rule4-dst != nla_get_be32(tb[FRA_DST]))) + if (frh-dst_len (rule4-dst != nla_get_be32(tb[FRA_DST]))) return 0;

The presence of the attributes when src_len/dst_len is non-zero is only verified in fib_newrule, so this looks like it might crash when something broken sets src_len/dst_len to a non-zero value without actually adding the attributes.

Other than that it looks fine.
[LARTC] Fairness queuing across a range of IP addresses
I have a block of IP addresses (2048) used for ADSL connections to customers. In order to provide a fair slice of available bandwidth on the contended services I would like to be able to set up some kind of SFQ filter, but using a hash of the destination IP address rather than the full source and destination IP and port. This would be done at the Internet side gateway for traffic being sent towards the customer's IP address.

Can anybody suggest how this could be done with qdiscs?

TIA
Derek
[LARTC] [NET]: Fix fib_rules compatibility breakage
* Patrick McHardy [EMAIL PROTECTED] 2007-03-20 17:59
> The presence of the attributes when src_len/dst_len is non-zero is only verified in fib_newrule, so this looks like it might crash when something broken sets src_len/dst_len to a non-zero value without actually adding the attributes.

You're right, we need to validate in fib_nl_delrule() as well.

Based on Patrick's patch:

The fib_rules netlink attribute policy introduced in 2.6.19 broke userspace compatibility. When specifying a rule with "from all" or "to all", iproute adds a zero byte long netlink attribute, but the policy requires all addresses to have a size equal to sizeof(struct in_addr)/sizeof(struct in6_addr), resulting in a validation error.

Check attribute length of FRA_SRC/FRA_DST in the generic framework by letting the family specific rules implementation provide the length of an address. Report an error if address length is non zero but no address attribute is provided. Fix actual bug by checking address length for non-zero instead of relying on availability of attribute.

Signed-off-by: Thomas Graf [EMAIL PROTECTED]

Index: net-2.6/include/net/fib_rules.h === --- net-2.6.orig/include/net/fib_rules.h2007-03-20 16:49:06.0 +0100 +++ net-2.6/include/net/fib_rules.h 2007-03-20 17:22:35.0 +0100 @@ -34,6 +34,7 @@ struct fib_rules_ops int family; struct list_headlist; int rule_size; + int addr_size; int (*action)(struct fib_rule *, struct flowi *, int, Index: net-2.6/net/core/fib_rules.c === --- net-2.6.orig/net/core/fib_rules.c 2007-03-20 16:49:06.0 +0100 +++ net-2.6/net/core/fib_rules.c2007-03-20 19:09:52.0 +0100 
@@ -152,6 +152,28 @@ out: EXPORT_SYMBOL_GPL(fib_rules_lookup); +static int validate_rulemsg(struct fib_rule_hdr *frh, struct nlattr **tb, + struct fib_rules_ops *ops) +{ + int err = -EINVAL; + + if (frh-src_len) + if (tb[FRA_SRC] == NULL || + frh-src_len (ops-addr_size * 8) || + nla_len(tb[FRA_SRC]) != ops-addr_size) + goto errout; + + if (frh-dst_len) + if (tb[FRA_DST] == NULL || + frh-dst_len (ops-addr_size * 8) || + nla_len(tb[FRA_DST]) != ops-addr_size) + goto errout; + + err = 0; +errout: + return err; +} + int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) { struct fib_rule_hdr *frh = nlmsg_data(nlh); @@ -173,6 +195,10 @@ int fib_nl_newrule(struct sk_buff *skb, if (err 0) goto errout; + err = validate_rulemsg(frh, tb, ops); + if (err 0) + goto errout; + rule = kzalloc(ops-rule_size, GFP_KERNEL); if (rule == NULL) { err = -ENOMEM; @@ -260,6 +286,10 @@ int fib_nl_delrule(struct sk_buff *skb, if (err 0) goto errout; + err = validate_rulemsg(frh, tb, ops); + if (err 0) + goto errout; + list_for_each_entry(rule, ops-rules_list, list) { if (frh-action (frh-action != rule-action)) continue; Index: net-2.6/net/decnet/dn_rules.c === --- net-2.6.orig/net/decnet/dn_rules.c 2007-03-20 16:49:06.0 +0100 +++ net-2.6/net/decnet/dn_rules.c 2007-03-20 17:22:35.0 +0100 @@ -109,8 +109,6 @@ errout: static struct nla_policy dn_fib_rule_policy[FRA_MAX+1] __read_mostly = { FRA_GENERIC_POLICY, - [FRA_SRC] = { .type = NLA_U16 }, - [FRA_DST] = { .type = NLA_U16 }, }; static int dn_fib_rule_match(struct fib_rule *rule, struct flowi *fl, int flags) @@ -133,7 +131,7 @@ static int dn_fib_rule_configure(struct int err = -EINVAL; struct dn_fib_rule *r = (struct dn_fib_rule *)rule; - if (frh-src_len 16 || frh-dst_len 16 || frh-tos) + if (frh-tos) goto errout; if (rule-table == RT_TABLE_UNSPEC) { 
@@ -150,10 +148,10 @@ static int dn_fib_rule_configure(struct } } - if (tb[FRA_SRC]) + if (frh-src_len) r-src = nla_get_le16(tb[FRA_SRC]); - if (tb[FRA_DST]) + if (frh-dst_len) r-dst = nla_get_le16(tb[FRA_DST]); r-src_len = frh-src_len; @@ -176,10 +174,10 @@ static int dn_fib_rule_compare(struct fi if (frh-dst_len (r-dst_len != frh-dst_len)) return 0; - if (tb[FRA_SRC] (r-src != nla_get_le16(tb[FRA_SRC]))) + if (frh-src_len (r-src != nla_get_le16(tb[FRA_SRC]))) return 0;
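Review bot: validate_rulemsg() in the net/core/fib_rules.c hunk carries an err variable and an errout label although it has nothing to clean up, and for both the source and the destination check it nests an unbraced if inside another unbraced if. Returning -EINVAL directly from each failing check and 0 at the end, with the outer ifs braced or folded into a single condition, would make the two checks easier to read and harder to break when a further condition is added.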
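Review bot: the dn_fib_rule_configure and dn_fib_rule_compare hunks read tb[FRA_SRC] and tb[FRA_DST] whenever src_len or dst_len is non-zero, which is safe only because fib_nl_newrule and fib_nl_delrule now call validate_rulemsg() first, and nothing at the callbacks records that precondition. A short comment at the configure and compare callbacks, or at their declaration in struct fib_rules_ops, saying that the core guarantees a present and correctly sized attribute for a non-zero length would keep a later caller from skipping the check.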
Re: [LARTC] Fairness queuing across a range of IP addresses
Derek Sims wrote:
> I have a block of IP addresses (2048) used for ADSL connections to customers. In order to provide a fair slice of available bandwidth on the contended services I would like to be able to set up some kind of SFQ filter, but using a hash of the destination IP address rather than the full source and destination IP and port. This would be done at the Internet side gateway for traffic being sent towards the customer's IP address.
>
> Can anybody suggest how this could be done with qdiscs?
>
> TIA
> Derek

Hi Derek,

if I understand what you wanna do then I think you are looking for ESFQ. With ESFQ you can choose hash type from classic, dest IP or src IP.

/ak
Re: [LARTC] SIP and RTP QoS rules
Sébastien CRAMATTE wrote:
> Hello,
>
> I've set up a QoS bridge under Debian. I would like to know if anyone has some resources about how to set up VoIP (SIP/RTP) QoS perfectly with Asterisk.
>
> Maybe I should use TOS?
>
> Regards

Hi,

I'm not using Asterisk but I do SIP/RTP shaping on a gateway and you should definitely use HFSC. I've spent a lot of time trying to set up PRIO and HTB, but I've got the best results with HFSC.

You should start here: http://linux-ip.net/articles/hfsc.en
and some theory: http://trash.net/~kaber/hfsc/SIGCOM97.pdf

/ak
Re: [LARTC] Fairness queuing across a range of IP addresses
On Tue, 2007-03-20 at 20:09 +0100, Ales Klok wrote:
> Derek Sims wrote:
> > I have a block of IP addresses (2048) used for ADSL connections to customers. In order to provide a fair slice of available bandwidth on the contended services I would like to be able to set up some kind of SFQ filter, but using a hash of the destination IP address rather than the full source and destination IP and port. This would be done at the Internet side gateway for traffic being sent towards the customer's IP address.
> >
> > Can anybody suggest how this could be done with qdiscs?
> >
> > TIA
> > Derek
>
> Hi Derek,
>
> if I understand what you wanna do then I think you are looking for ESFQ. With ESFQ you can choose hash type from classic, dest IP or src IP.
>
> /ak

As an ISP with 800 clients I found the hashes difficult to manage after time. Also, when dealing with clients who want subnet /29, mapping back to a billing entry was hard.

I wrote some PHP so others could use a web front end and used ipset (both hash and net sets), combining with marks to do the traffic control for different levels of service.

As the client requirements grew and changed this ended in a lot of panic PHP. So I use a 3rd party vendor device.

My advice would be to use 2 devices: 1 to mark traffic and do access control, and use ds_shed to control traffic on the other device. I think I went wrong in trying to do it all on one device.

Hope this helps.
[LARTC] Re: [NET]: Fix fib_rules compatibility breakage
Thomas Graf wrote:
> * Patrick McHardy [EMAIL PROTECTED] 2007-03-20 17:59
> > The presence of the attributes when src_len/dst_len is non-zero is only verified in fib_newrule, so this looks like it might crash when something broken sets src_len/dst_len to a non-zero value without actually adding the attributes.
>
> You're right, we need to validate in fib_nl_delrule() as well.
>
> Based on Patrick's patch:
>
> The fib_rules netlink attribute policy introduced in 2.6.19 broke userspace compatibility. When specifying a rule with "from all" or "to all", iproute adds a zero byte long netlink attribute, but the policy requires all addresses to have a size equal to sizeof(struct in_addr)/sizeof(struct in6_addr), resulting in a validation error.
>
> Check attribute length of FRA_SRC/FRA_DST in the generic framework by letting the family specific rules implementation provide the length of an address. Report an error if address length is non zero but no address attribute is provided. Fix actual bug by checking address length for non-zero instead of relying on availability of attribute.
>
> Signed-off-by: Thomas Graf [EMAIL PROTECTED]

This looks good, thanks.

Signed-off-by: Patrick McHardy [EMAIL PROTECTED]
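A user-space model of the validation discussed in this thread, added here as an illustration; it is not kernel code and not part of the posted patch. It runs a per-attribute size policy and a check keyed on src_len over four constructed requests. The types attr and rule_req, the two function names and the sample requests are hypothetical simplifications.

```c
#include <stdio.h>

#define ERR_INVAL (-22)            /* stand-in for -EINVAL */

struct attr {                      /* hypothetical parsed attribute */
    int len;                       /* payload length in bytes */
    unsigned char data[16];
};

struct rule_req {                  /* hypothetical parsed request */
    unsigned char src_len;         /* source prefix length in bits */
    const struct attr *src;        /* FRA_SRC, NULL when not sent */
};

/* Per-attribute policy as the commit message describes it: an attribute
 * that is present must be exactly addr_size bytes; absence is not checked. */
static int policy_check(const struct rule_req *r, int addr_size)
{
    return (r->src && r->src->len != addr_size) ? ERR_INVAL : 0;
}

/* Length-keyed check: the attribute only matters when src_len is non-zero,
 * and then it must be present, fit the family and have the exact size. */
static int length_keyed_check(const struct rule_req *r, int addr_size)
{
    if (r->src_len == 0)
        return 0;
    if (r->src == NULL || r->src_len > addr_size * 8 ||
        r->src->len != addr_size)
        return ERR_INVAL;
    return 0;
}

/* Constructed sample requests for an IPv4-like family (addr_size 4). */
static const struct attr empty_attr = { 0, { 0 } };
static const struct attr v4_attr = { 4, { 192, 0, 2, 0 } };
static const struct rule_req req_from_all   = { 0,  &empty_attr };
static const struct rule_req req_no_attr    = { 24, NULL };
static const struct rule_req req_bad_prefix = { 40, &v4_attr };
static const struct rule_req req_ok         = { 24, &v4_attr };

int main(void)
{
    const struct { const char *name; const struct rule_req *r; } cases[] = {
        { "from all, empty attr", &req_from_all },
        { "src_len 24, no attr",  &req_no_attr },
        { "src_len 40, 4 bytes",  &req_bad_prefix },
        { "src_len 24, 4 bytes",  &req_ok },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-22s policy=%d length-keyed=%d\n", cases[i].name,
               policy_check(cases[i].r, 4),
               length_keyed_check(cases[i].r, 4));
    return 0;
}
```

The first two rows differ between the two checks: the empty "from all" attribute is refused only by the per-attribute policy, and the request with a prefix length but no attribute is refused only by the length-keyed check.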
[LARTC] Divide bandwidth between 4 groups of ip with the same rate
Hello,

I began using the tc scripts 2 weeks ago, so I am a beginner. I am trying to divide my bandwidth into 4 independent ones. Each of these sub-bandwidths is assigned to one of 4 different groups of IPs. Bandwidth sharing is allowed.

I put a Linux box with two Ethernet cards between the router and the LAN. Eth1 is the card connected to the router and eth0 is the one connected to the LAN.

My ISP provides 3 mbit upload and 300 kbit download. I define 4 classes for download with a rate of 300kbit and a ceil of 2700 kbit (1:10 to 1:40, parent 1:12). In the same way, I define 4 classes for upload with a rate of 72kbit and a ceil of 200kbit (2:10 to 2:40, parent 2:12).

Everything looks to work fine; nevertheless, when traffic through one of these classes is near its ceil (200kbit), the http traffic through the rest of the classes becomes slow, and I do not understand why the free 56 kbit is not used by this traffic. Whatever, htb should decrease the rate of the abusive class, should it not?

Thank you in advance for your teaching.
The script that I am using is:

#Shaping in eth0 for download traffic
tc qdisc add dev eth0 root handle 1: htb default 50
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 80mbit ceil 100mbit
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 2700kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:10 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:20 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:30 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:40 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:50 htb rate 30kbit ceil 270kbit prio 7
tc filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.0.0/26 flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.0.64/26 flowid 1:20
tc filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.0.128/26 flowid 1:30
tc filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.0.192/26 flowid 1:40

#Shaping in eth1 for upload traffic marking packets at mangle
tc qdisc add dev eth1 root handle 2: htb default 50
tc class add dev eth1 parent 2: classid 2:1 htb rate 10mbit
tc class add dev eth1 parent 2:1 classid 2:11 htb rate 8mbit ceil 10mbit
tc class add dev eth1 parent 2:1 classid 2:12 htb rate 256kbit
tc class add dev eth1 parent 2:12 classid 2:10 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:20 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:30 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:40 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:50 htb rate 10kbit prio 7
tc qdisc add dev eth1 parent 2:10 handle 210: sfq perturb 10
tc qdisc add dev eth1 parent 2:20 handle 220: sfq perturb 10
tc qdisc add dev eth1 parent 2:30 handle 230: sfq perturb 10
tc qdisc add dev eth1 parent 2:40 handle 240: sfq perturb 10
iptables -A FORWARD -t mangle -i eth0 -j MARK -s 192.168.0.0/26 --set-mark 1
iptables -A FORWARD -t mangle -i eth0 -j MARK -s 192.168.0.64/26 --set-mark 2
iptables -A FORWARD -t mangle -i eth0 -j MARK -s 192.168.0.128/26 --set-mark 3
iptables -A FORWARD -t mangle -i eth0 -j MARK -s 192.168.0.192/26 --set-mark 4
tc filter add dev eth1 protocol ip parent 2:0 handle 1 prio 16 fw flowid 2:10
tc filter add dev eth1 protocol ip parent 2:0 handle 2 prio 16 fw flowid 2:20
tc filter add dev eth1 protocol ip parent 2:0 handle 3 prio 16 fw flowid 2:30
tc filter add dev eth1 protocol ip parent 2:0 handle 4 prio 16 fw flowid 2:40

TERRA
[LARTC] how can i compile tc
Hi,

I'm just new here. I'm searching for how to compile tc (if I've understood correctly, I must compile the whole iproute2 thing). So I did as the read me file said:

1. Look at start of Makefile and set correct values for: KERNEL_INCLUDE

I did that, and then I don't understand a damn thing about the rest of the 1st step, about ADDLIB and LDLIBS. So when I type the make command, the compiling process fails and ends before compiling ip.

Could someone give me better indications than this read me file, perhaps?

Thank you.
Vincent.