[LARTC] LARTC and TUN/TAP interface

2002-10-16 Thread Francois Dessart

Hello,

Can traffic control and shaping be applied on TUN/TAP interfaces?

(I use TUN/TAP for VPN)

I tried once on a TAP interface and it completely crashed my system.
(I was not in front of it to see the log messages.)

Does anybody have experience with this?

Thanks and regards.

Francois.

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



Re: [LARTC] htb limiting trouble: no overlimit or dropped packets

2002-10-16 Thread Walter Haidinger

On Thu, 17 Oct 2002, Nickola Kolev wrote:

> On Thu, 17 Oct 2002 00:33:05 +0200 (CEST)
> Walter Haidinger <[EMAIL PROTECTED]> wrote:
>
> [ cut ]
> > tc qdisc add dev eth1 root handle 1: htb default 20
> > tc class add dev eth1 parent 1:  classid 1:1  htb rate 64kbit ceil 64kbit burst 5k
> > tc class add dev eth1 parent 1:1 classid 1:10 htb rate 64kbit ceil 64kbit burst 5k
> > tc class add dev eth1 parent 1:1 classid 1:20 htb rate 57kbit ceil 64kbit burst 5k
> > tc class add dev eth1 parent 1:1 classid 1:30 htb rate 51kbit ceil 64kbit burst 5k
> > tc class add dev eth1 parent 1:1 classid 1:40 htb rate 6kbit burst 0
> > tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
> > tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
> > tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
> > tc qdisc add dev eth1 parent 1:40 handle 40: sfq perturb 10
> >
> [ cut ]
>
> Can you give us the exact commands you issued? E.g. what are the filters?

Above are all commands issued. I have no filters attached because
bandwidth limiting does not even work for the default class, i.e.
unclassified traffic. I had filters assigned to the root class 1: like the
one below in an attempt to catch all packets.

tc filter add dev eth1 parent 1: protocol ip \
 prio 20 u32 match ip dst 0.0.0.0/0 flowid 1:20

Didn't make any difference, though.

Walter





Re: [LARTC] htb limiting trouble: no overlimit or dropped packets

2002-10-16 Thread Walter Haidinger

On Thu, 17 Oct 2002, Stephane Ouellette wrote:

>I'm giving this one a try; I'm not familiar with HTB at all...

Thanks, I appreciate that!

>I think that your only problem is: all classes can borrow bandwidth
> from other classes!! So there is no bandwidth control!

Yes, but there is a ceiling of 64 kbit/s set for each class. Yet this is
exceeded and traffic flows with full 512 kbit/s.

Besides, if you have a look at the class statistics you'll find that the
borrowed packet counts remain at a value of zero.

>You should add the "bounded" modifier to classes that should be limited.

AFAIK there is no bounded (or isolated, borrow, etc. like in CBQ)
option with htb. From the htb manpage:

   tc class ... dev dev parent major:[minor] [ classid major:minor ] htb
      rate rate [ ceil rate ] burst bytes [ cburst bytes ] [ prio priority ]

Regards, Walter




Re: [LARTC] htb limiting trouble: no overlimit or dropped packets

2002-10-16 Thread Stephane Ouellette

Walter Haidinger wrote:
> Hi!
> 
> I'm trying to limit the uplink bandwidth using htb but no packets are
> overlimit or dropped. :-(
> 
> My router config:
> * Linux kernel 2.4.20-pre10 (htb v3.7) with everything built as
>   modules in QoS, iptables in use.
> * tc binary from htb3.6-020525.tgz
> * external interface eth0: Internet access, 512 kbit/s uplink speed
> * internal interface eth1: internal LAN, 100 Mbit/s
> 
> The hosts in the internal lan should be bandwidth limited and are
> masqueraded by the router.
> 
> Q: Must the versions of the kernel module and the tc utility match?
> 
> Below are my commands to create the qdiscs and classes:
> 
> tc qdisc add dev eth1 root handle 1: htb default 20
> tc class add dev eth1 parent 1:  classid 1:1  htb rate 64kbit ceil 64kbit burst 5k
> tc class add dev eth1 parent 1:1 classid 1:10 htb rate 64kbit ceil 64kbit burst 5k
> tc class add dev eth1 parent 1:1 classid 1:20 htb rate 57kbit ceil 64kbit burst 5k
> tc class add dev eth1 parent 1:1 classid 1:30 htb rate 51kbit ceil 64kbit burst 5k
> tc class add dev eth1 parent 1:1 classid 1:40 htb rate 6kbit burst 0
> tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
> tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
> tc qdisc add dev eth1 parent 1:40 handle 40: sfq perturb 10
> 
> Notes:
> * No errors from the tc utility
> * All filters are scrapped for testing purposes, leaving only
>   unclassified packets which go the default class (this works)
> * Bandwidths are really low for testing
> * There are four classes with 100%, 90%, 80% and 10% bandwidth
> 
> Next I tried an FTP upload from a machine on the internal LAN to the
> internet, creating the following qdisc and class statistics:
> 
> qdisc sfq 40: quantum 1514b perturb 10sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> 
> qdisc sfq 30: quantum 1514b perturb 10sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> 
> qdisc sfq 20: quantum 1514b perturb 10sec
>  Sent 13408020 bytes 12433 pkts (dropped 0, overlimits 0)
> 
> qdisc sfq 10: quantum 1514b perturb 10sec
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> 
> qdisc htb 1: r2q 10 default 20 direct_packets_stat 0
>  Sent 13408020 bytes 12433 pkts (dropped 0, overlimits 13422)
> 
> class htb 1:1 root rate 64Kbit ceil 64Kbit burst 1023b cburst 1680b
>  Sent 13408020 bytes 12433 pkts (dropped 0, overlimits 0)
>  rate 35bps
>  lended: 1136 borrowed: 0 giants: 0
>  tokens: 51202 ctokens: 116901
> 
> class htb 1:10 parent 1:1 leaf 10: prio 0 rate 64Kbit ceil 64Kbit burst 1023b cburst 1680b
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 102400 ctokens: 168099
> 
> class htb 1:20 parent 1:1 leaf 20: prio 0 rate 57Kbit ceil 64Kbit burst 1671b cburst 1680b
>  Sent 13408020 bytes 12433 pkts (dropped 0, overlimits 0)
>  rate 35bps
>  lended: 11297 borrowed: 1136 giants: 0
>  tokens: 130246 ctokens: 116901
> 
> class htb 1:30 parent 1:1 leaf 30: prio 0 rate 51Kbit ceil 64Kbit burst 1664b cburst 1680b
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 208941 ctokens: 168099
> 
> class htb 1:40 parent 1:1 leaf 40: prio 0 rate 6Kbit ceil 6Kbit burst 1606b cburst 1606b
>  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 1714132 ctokens: 1714132
> 
> Well, everything goes to the default class 1:20 which is OK.
> However, the traffic is *not* limited! No packets overlimit or dropped!
> The FTP upload succeeded with full uplink speed (512 kbit/s).
> 
> Q: What am I missing here? Why isn't the traffic limited by HTB?
> 
> I've read the LARTC Howto, the required manpages, the docs at Martin
> Devera's Homepage and had a look at the Wondershaper. Unfortunately I'm
> still unable to find the bug. :-( Any hints would be appreciated!
> 
> Thanks, Walter
> 
> PS: I've also tried using filters u32 and fwmark but traffic was
> never limited. I guess there is something wrong with my
> class/qdisc setup in general, right?
> 
> 
> 


Walter,

   I'm giving this one a try; I'm not familiar with HTB at all...

   I think that your only problem is: all classes can borrow bandwidth
from other classes!! So there is no bandwidth control!

   You should add the "bounded" modifier to classes that should be limited.

Regards,

Stephane.




Re: [LARTC] flowid - classid ?

2002-10-16 Thread Stephane Ouellette

[EMAIL PROTECTED] wrote:
> The qdiscs and classes are set up correctly. I've forgotten to add the filter I want to
> use (htb). After I added this option, tc segfaults:
> 
> root@Delta:/sbin# tc filter add dev ppp0 htb parent 1:1 flowid 1:5 protocol ip prio 1 u32 match ip dport 4662 0x
> Segmentation fault
> 
> I tried this twice with the original tc binary and with the one coming with the htb
> kernel patch.
> 
> On 16 Oct 2002 at 13:28 Stephane Ouellette wrote:
> 


Christoph,

   HTB is not a filter. Examples of filters are: u32, fw, route, rsvp,
etc. HTB is a queue discipline :-)

   A filter is used to select the desired traffic and put it in classes.

Stephane.





[LARTC] htb limiting trouble: no overlimit or dropped packets

2002-10-16 Thread Walter Haidinger

Hi!

I'm trying to limit the uplink bandwidth using htb but no packets are
overlimit or dropped. :-(

My router config:
* Linux kernel 2.4.20-pre10 (htb v3.7) with everything built as
  modules in QoS, iptables in use.
* tc binary from htb3.6-020525.tgz
* external interface eth0: Internet access, 512 kbit/s uplink speed
* internal interface eth1: internal LAN, 100 Mbit/s

The hosts in the internal lan should be bandwidth limited and are
masqueraded by the router.

Q: Must the versions of the kernel module and the tc utility match?

Below are my commands to create the qdiscs and classes:

tc qdisc add dev eth1 root handle 1: htb default 20
tc class add dev eth1 parent 1:  classid 1:1  htb rate 64kbit ceil 64kbit burst 5k
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 64kbit ceil 64kbit burst 5k
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 57kbit ceil 64kbit burst 5k
tc class add dev eth1 parent 1:1 classid 1:30 htb rate 51kbit ceil 64kbit burst 5k
tc class add dev eth1 parent 1:1 classid 1:40 htb rate 6kbit burst 0
tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
tc qdisc add dev eth1 parent 1:40 handle 40: sfq perturb 10

Notes:
* No errors from the tc utility
* All filters are scrapped for testing purposes, leaving only
  unclassified packets which go the default class (this works)
* Bandwidths are really low for testing
* There are four classes with 100%, 90%, 80% and 10% bandwidth

Next I tried an FTP upload from a machine on the internal LAN to the
internet, creating the following qdisc and class statistics:

qdisc sfq 40: quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 30: quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 20: quantum 1514b perturb 10sec
 Sent 13408020 bytes 12433 pkts (dropped 0, overlimits 0)

qdisc sfq 10: quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc htb 1: r2q 10 default 20 direct_packets_stat 0
 Sent 13408020 bytes 12433 pkts (dropped 0, overlimits 13422)

class htb 1:1 root rate 64Kbit ceil 64Kbit burst 1023b cburst 1680b
 Sent 13408020 bytes 12433 pkts (dropped 0, overlimits 0)
 rate 35bps
 lended: 1136 borrowed: 0 giants: 0
 tokens: 51202 ctokens: 116901

class htb 1:10 parent 1:1 leaf 10: prio 0 rate 64Kbit ceil 64Kbit burst 1023b cburst 1680b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 102400 ctokens: 168099

class htb 1:20 parent 1:1 leaf 20: prio 0 rate 57Kbit ceil 64Kbit burst 1671b cburst 1680b
 Sent 13408020 bytes 12433 pkts (dropped 0, overlimits 0)
 rate 35bps
 lended: 11297 borrowed: 1136 giants: 0
 tokens: 130246 ctokens: 116901

class htb 1:30 parent 1:1 leaf 30: prio 0 rate 51Kbit ceil 64Kbit burst 1664b cburst 1680b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 208941 ctokens: 168099

class htb 1:40 parent 1:1 leaf 40: prio 0 rate 6Kbit ceil 6Kbit burst 1606b cburst 1606b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 1714132 ctokens: 1714132

Well, everything goes to the default class 1:20 which is OK.
However, the traffic is *not* limited! No packets overlimit or dropped!
The FTP upload succeeded with full uplink speed (512 kbit/s).

Q: What am I missing here? Why isn't the traffic limited by HTB?

I've read the LARTC Howto, the required manpages, the docs at Martin
Devera's Homepage and had a look at the Wondershaper. Unfortunately I'm
still unable to find the bug. :-( Any hints would be appreciated!

Thanks, Walter

PS: I've also tried using filters u32 and fwmark but traffic was
never limited. I guess there is something wrong with my
class/qdisc setup in general, right?



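A static check of the class tree in this post, as an added example (Python; not code from the thread, from Walter, or from iproute2). It parses the tc lines above and applies the usual HTB hierarchy guidelines: a child's ceil cannot exceed its parent's, ceil must be at least rate, every leaf needs a qdisc, the root's default class must exist, and the guaranteed rates of a class's children should not add up to more than the class's own rate. On Walter's hierarchy it reports that 1:1 has rate 64 kbit/s while its four children claim 178 kbit/s in total; the thread does not establish whether that is what defeats the limiting, but it is the first inconsistency to remove before looking further. The "balanced" variant in the usage note is a constructed one. Rates are converted to bit/s using tc's own unit convention (kbit is 1000 bit/s, kbps is 1000 bytes/s).

```python
"""Static checks for an HTB class tree described by tc commands.

Added example for the thread above, not code from the thread or from iproute2.
It parses "tc qdisc add" and "tc class add ... htb" lines and applies the usual
HTB hierarchy guidelines.  Nothing here talks to the kernel, so it runs anywhere.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# tc rate suffixes: "*bit" is bits/s, "*bps" is bytes/s, SI prefixes.
RATE_UNITS = {
    "bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000,
    "bps": 8, "kbps": 8_000, "mbps": 8_000_000, "gbps": 8_000_000_000,
}

# The hierarchy from Walter's post, as given there.
WALTER_SCRIPT = """
tc qdisc add dev eth1 root handle 1: htb default 20
tc class add dev eth1 parent 1:  classid 1:1  htb rate 64kbit ceil 64kbit burst 5k
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 64kbit ceil 64kbit burst 5k
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 57kbit ceil 64kbit burst 5k
tc class add dev eth1 parent 1:1 classid 1:30 htb rate 51kbit ceil 64kbit burst 5k
tc class add dev eth1 parent 1:1 classid 1:40 htb rate 6kbit burst 0
tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
tc qdisc add dev eth1 parent 1:40 handle 40: sfq perturb 10
"""


def parse_rate(text: str) -> int:
    """'64kbit' -> 64000 bit/s; '1mbps' -> 8000000 bit/s."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]*)", text.lower())
    if not m or (m.group(2) or "bit") not in RATE_UNITS:
        raise ValueError(f"unparsable rate {text!r}")
    return int(float(m.group(1)) * RATE_UNITS[m.group(2) or "bit"])


@dataclass
class HtbClass:
    classid: str
    parent: str          # "1:" when hung directly off the root qdisc
    rate: int            # guaranteed bit/s
    ceil: int            # bit/s; tc uses rate when ceil is omitted
    has_qdisc: bool = False


def _opt(tokens: List[str], key: str) -> Optional[str]:
    """Value following `key` on a tc command line, or None if absent."""
    return tokens[tokens.index(key) + 1] if key in tokens else None


def parse_tc_script(script: str) -> Tuple[Dict[str, HtbClass], Optional[str]]:
    """Return the classes by id and the root qdisc's default class id."""
    classes: Dict[str, HtbClass] = {}
    leaf_parents, default_class = [], None
    for line in script.splitlines():
        tok = line.split()
        if tok[:3] == ["tc", "class", "add"] and "htb" in tok:
            opts = tok[tok.index("htb") + 1:]
            rate, ceil = parse_rate(_opt(opts, "rate")), _opt(opts, "ceil")
            cid = _opt(tok, "classid")
            classes[cid] = HtbClass(cid, _opt(tok, "parent"), rate,
                                    parse_rate(ceil) if ceil else rate)
        elif tok[:3] == ["tc", "qdisc", "add"]:
            if "root" in tok and "htb" in tok and _opt(tok, "default"):
                major = _opt(tok, "handle").split(":")[0]
                default_class = f"{major}:{_opt(tok, 'default')}"
            elif _opt(tok, "parent"):
                leaf_parents.append(_opt(tok, "parent"))
    for cid in leaf_parents:           # qdisc lines may come before or after their class
        if cid in classes:
            classes[cid].has_qdisc = True
    return classes, default_class


def lint_htb(script: str) -> List[str]:
    """Human-readable findings; an empty list means no guideline is violated."""
    classes, default_class = parse_tc_script(script)
    children: Dict[str, List[HtbClass]] = {}
    for c in classes.values():
        children.setdefault(c.parent, []).append(c)
    findings = []
    for c in classes.values():
        if c.ceil < c.rate:
            findings.append(f"{c.classid}: ceil {c.ceil} is below rate {c.rate}")
        parent = classes.get(c.parent)
        if parent and c.ceil > parent.ceil:    # a child can never get more than its parent
            findings.append(f"{c.classid}: ceil {c.ceil} exceeds parent ceil {parent.ceil}")
        kids = children.get(c.classid, [])
        if kids:                               # guarantees have to fit inside the parent's rate
            total = sum(k.rate for k in kids)
            if total > c.rate:
                findings.append(f"{c.classid}: children guarantee {total} bit/s in total "
                                f"but the class itself only has rate {c.rate}")
        elif not c.has_qdisc:
            findings.append(f"{c.classid}: leaf class without a qdisc")
    if default_class and default_class not in classes:
        findings.append(f"default class {default_class} does not exist")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_htb(WALTER_SCRIPT) or ["no findings"]))
```

Run as a script it prints the single finding for 1:1. Feeding it a constructed variant of the same tree whose child rates are 20, 20, 18 and 6 kbit/s (summing to the parent's 64 kbit/s) returns an empty list, which is the state a hierarchy should be in before its shaping behaviour is debugged further.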



Re: [LARTC] How save rules and routes ?

2002-10-16 Thread Martin A. Brown

Fabien,

To my knowledge, there exists no such tool.  You'll need to do the 
latter--write a script to put the rules and routes into place.

-Martin

 : I'm looking for a way to save the rules and routes I configured. (Or must I
 : write a script that launches the ip route and ip rule commands at each reboot?)
 : Fabien
 : 

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]





[LARTC] How save rules and routes ?

2002-10-16 Thread fabio

Dear All
I'm looking for a way to save the rules and routes I configured. (Or must I
write a script that launches the ip route and ip rule commands at each reboot?)
Fabien




Re: [LARTC] What value to set to Hz ?

2002-10-16 Thread Pedro Larroy

On Wed, Oct 16, 2002 at 12:17:39PM -0400, raptor wrote:
> hi,
> 
> I was always setting HZ to 1000 when I compiled a QoS kernel ... I knew it schedules
> tasks more often and my presumption was that this way QoS channel policies would be
> enforced better (of course it will have greater scheduling overhead), but now you can
> get a much better picture if you read this:
> 
> http://kerneltrap.org/node.php?id=464
> 
> hope it is interesting
> 
> raptor

It's better to change PSCHED_CLOCK_SOURCE in /usr/src/linux/include/net/pkt_sched.h
to PSCHED_CPU if you have a CPU with a timestamp counter (TSC); that will give
you MHz timer granularity.

Regards.

-- 
Pedro Larroy Tovar (PiotR) | http://omega.resa.es/piotr
No MS-Office attachments please.



Re: [LARTC] flowid - classid ?

2002-10-16 Thread Stephane Ouellette

[EMAIL PROTECTED] wrote:
> root@Delta:~# tc filter add dev ppp0 parent 1:1 flowid 1:5 protocol ip
> Unknown filter "flowid", hence option "1:5" is unparsable
> 
> root@Delta:~# tc filter add dev ppp0 parent 1:1 classid 1:5 protocol ip
> Unknown filter "classid", hence option "1:5" is unparsable
> 
> 
> I don't understand why it does not work. Can anybody explain this problem to me?
> 

Christoph,

   It seems that you haven't created classes and queue disciplines. 
Classes are used to divide the available bandwidth of a device.  Queue 
disciplines are algorithms that decide which packet to send first in a 
given class.  Filters are used to identify which packets belong to a 
given class.

Regards,

Stephane.

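As an added example for the u32 matches that appear in these filter threads (Python; not code from the thread or from iproute2): a filter's high-level selector such as "match ip dport 4662 0xffff" is compiled by tc's u32 classifier into a 32-bit value/mask pair compared at a byte offset in the IPv4 header, and "tc filter show" prints that raw form back. The module below does the translation in both directions, so a filter set can be audited from the raw output instead of guessed at. Walter's "match ip dst 0.0.0.0/0" decodes to an all-zero mask, i.e. a catch-all, and Christoph's dport match (assuming the usual 0xffff mask, which his post truncates) becomes a 16-bit compare in the word at offset 20, which is only right for IPv4 headers without options; tc's u32 makes that same assumption unless "at nexthdr+N" is used. The field table and the helper names are this example's own.

```python
"""Encode and decode tc u32 'match ip ...' selectors.

Added example for the filter threads above; not code from the thread or from
iproute2.  u32 turns "match ip dport 4662 0xffff" into a 32-bit value/mask pair
at a byte offset in the IPv4 header, and "tc filter show" prints that raw form
back, e.g. "match 00001236/0000ffff at 20".  This does the translation both ways.
"""
import ipaddress
import re
from typing import Optional, Tuple

# field -> (offset of the 32-bit word in the IPv4 header, field mask, bit shift
# inside that word).  Ports live at offset 20, which assumes a 20-byte header
# with no IP options, the same assumption tc's u32 makes for "ip sport/dport".
_FIELDS = {
    "src":      (12, 0xffffffff, 0),
    "dst":      (16, 0xffffffff, 0),
    "sport":    (20, 0xffff, 16),
    "dport":    (20, 0xffff, 0),
    "protocol": (8, 0xff, 16),
    "tos":      (0, 0xff, 16),
}

Key = Tuple[int, int, int]   # (value, mask, byte offset)


def u32_key(field: str, value: str, mask: Optional[int] = None) -> Key:
    """Raw key for 'match ip <field> <value> [mask]'."""
    offset, field_mask, shift = _FIELDS[field]
    if field in ("src", "dst"):
        net = ipaddress.IPv4Network(value, strict=False)   # "a.b.c.d" or "a.b.c.d/len"
        val = int(net.network_address)
        msk = (0xffffffff << (32 - net.prefixlen)) & 0xffffffff
    else:
        val = int(value, 0)
        msk = field_mask if mask is None else mask & field_mask
    return (val << shift) & (msk << shift), msk << shift, offset


def render(key: Key) -> str:
    """The form 'tc filter show' prints, e.g. 'match 00001236/0000ffff at 20'."""
    val, msk, offset = key
    return f"match {val:08x}/{msk:08x} at {offset}"


def describe(raw: str) -> str:
    """Turn 'match c0a8000f/ffffffff at 16' back into 'ip dst 192.168.0.15/32'."""
    m = re.fullmatch(r"match\s+([0-9a-f]+)/([0-9a-f]+)\s+at\s+(\d+)", raw.strip())
    if not m:
        raise ValueError(f"not a raw u32 match: {raw!r}")
    val, msk, offset = int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))
    for field, (foff, field_mask, shift) in _FIELDS.items():
        # The mask must stay inside the candidate field's bits of the word.
        inside = ((msk & ~(field_mask << shift)) & 0xffffffff) == 0
        if foff == offset and inside:
            if field in ("src", "dst"):
                return f"ip {field} {ipaddress.IPv4Address(val)}/{bin(msk).count('1')}"
            return f"ip {field} {(val >> shift) & field_mask} {hex((msk >> shift) & field_mask)}"
    return f"raw {val:#010x}/{msk:#010x} at {offset}"   # not a plain IPv4 header field
```

describe() reports the decoded field in the same words tc accepts on the command line, so its output can be pasted straight back into a "tc filter add ... u32 match" invocation when reconstructing a filter from a running box.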



Re: [LARTC] Linux Advanced Routing & Traffic Control

2002-10-16 Thread Stef Coene


> Grant,
>
>First of all, locally-generated traffic doesn't go through the
> MANGLE/PREROUTING table. It goes through the tables in the following
> order: MANGLE/OUTPUT, NAT/OUTPUT, FILTER/OUTPUT, MANGLE/POSTROUTING and
> NAT/POSTROUTING.
See http://www.docum.org/stef.coene/qos/kptd/ for an overview.

>I've been trying to use the fwmark as a routing key for
> locally-generated traffic and never succeeded.  The reason is that the
> routing decision is taken BEFORE the packet is sent to the MANGLE/OUTPUT
> table.  On the other hand, I can use the fwmark as a routing key for
> forwarded traffic.

Stef

-- 

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net




Re: [LARTC] flowid - classid ?

2002-10-16 Thread Stef Coene

On Wednesday 16 October 2002 17:49, [EMAIL PROTECTED] wrote:
> root@Delta:~# tc filter add dev ppp0 parent 1:1 flowid 1:5 protocol ip
> Unknown filter "flowid", hence option "1:5" is unparsable
>
> root@Delta:~# tc filter add dev ppp0 parent 1:1 classid 1:5 protocol ip
> Unknown filter "classid", hence option "1:5" is unparsable
>
>
> I don't understand why it does not work. Can anybody explain this
> problem to me?
You're missing the filter you want to use.  See the manpages and the howto on 
www.lartc.org.

Stef

-- 

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net




Re: [LARTC] iptables + pcanywhere

2002-10-16 Thread Stephane Ouellette

Marco Hainaut wrote:
> hello ,
> 
> I'm a newbie with iptables and firewalling and my question is:
> 
> How can I authorise access to a workstation in a local network 
> with pcAnywhere from the outside through my "routing-firewalling" Red Hat 
> 8 box, newly installed from scratch?
> 
> eth0 = external if ( 212.145.X.X )
> eth1 = local if (192.168.0.2)
> used ports : 5631 (tcp) & 5632 (udp)
> 
> 
> Is there somebody who can help me write the correct script to make it 
> work?
> 
> regards,
> 
> Marco Hainaut
> 

Marco,

   Suppose the IP address of your PC/Anywhere workstation is $PCANY. 
Then you need at least the following rules:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5631 -j DNAT --to-destination $PCANY
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5632 -j DNAT --to-destination $PCANY

iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp --dport 5631 --syn -m state --state NEW -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth1 -p udp --dport 5632 -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# If you need to NAT all outgoing traffic...
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE

Regards,

Stephane.





Re: [LARTC] Linux Advanced Routing & Traffic Control

2002-10-16 Thread Stephane Ouellette

Grant Furick wrote:
> I am trying to use netfilter (iptables) to mark packets bound for port
> 25 on the internal interface and then using iproute2 to route those
> marked packets over the DSL.  Everything seems to work as intended
> except that email traffic is going out over the internal ip (thru cable)
> and not the DSL.  So it doesn't seem like the marking and routing that I
> have setup is working right.
> 
> My scenario is:
> 1 Redhat 7.3 Linux machine (kernel 2.4.18-3)
> 1 network appliance
> 1 dsl router
> 1 cable modem
> 
> The linux machine has:
> 2 nics (1 static ip DSL, 2nd ip is internal 192.168.0.10 goes through
> network appliance via nat out cable modem)
> 
> I want all traffic coming in over DSL to go out over DSL and all traffic
> coming in to the internal IP to go out the internal IP.  There are
> actually other internal ip lan clients but they are separate from this
> scenario.  The one caveat would be to have all outgoing smtp traffic go
> over the DSL.  Sendmail runs on all interfaces.  I need all outbound
> email to go out over DSL because some email servers
> (earthlink/mindspring) are blocking mail servers coming from certain
> cable modem ips.  The last caveat is that I want the default route of
> traffic, or all originating traffic that is non smtp, to go out over the
> cable modem to take advantage of the fast download speed of cable as
> compared to the slower DSL.
> 
> Here is the script I am running out of rc.local at boot.  Can anyone
> suggest changes to make it work?
> 
> #!/bin/sh
> 
> P1_NET=65.X.X.208
> P2_NET=192.168.0.0
> # DSL
> IF1=eth0
> # Internal nat'd to cable
> IF2=eth1
> IP1=65.X.X.210
> IP2=192.168.0.10
> P1=65.X.X.209
> P2=192.168.0.1
> 
> ip route add $P1_NET dev $IF1 src $IP1 table DSL
> ip route add default via $P1 table DSL
> ip route add $P2_NET dev $IF2 src $IP2 table CABLE
> ip route add default via $P2 table CABLE
> ip route add $P1_NET dev $IF1 src $IP1
> ip route add $P2_NET dev $IF2 src $IP2
> ip route add default via $P2
> ip route add default via $P1 dev $IF1 table MAIL.OUT
> ip rule add fwmark 1 table MAIL.OUT prio 220
> ip rule add from $IP1 table DSL prio 230
> ip rule add from $IP2 table CABLE prio 240
> ip route flush cache
> 
> # End of script
> 
> This is the iptables cmd I ran and is restored on reboot by iptables: 
> iptables -A PREROUTING -i eth1 -t mangle -p tcp --dport 25 -j MARK
> --set-mark 1
> 
> Here is the rt_tables file:
> #
> # reserved values
> #
> #255local
> #254main
> #253default
> #0  unspec
> 
> #
> # local
> #
> #1  inr.ruhep
> 200 DSL
> 201 CABLE
> 202 MAIL.OUT
> 
> I appreciate any help or direction.  I have kind of merged two scripts
> from
> http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
> And
> http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html
> 
> Do I need to enable ip forwarding or turn off the reverse path filter?
> 
> Grant Furick
> 
> 

Grant,

   First of all, locally-generated traffic doesn't go through the 
MANGLE/PREROUTING table. It goes through the tables in the following 
order: MANGLE/OUTPUT, NAT/OUTPUT, FILTER/OUTPUT, MANGLE/POSTROUTING and 
NAT/POSTROUTING.

   I've been trying to use the fwmark as a routing key for 
locally-generated traffic and never succeeded.  The reason is that the 
routing decision is taken BEFORE the packet is sent to the MANGLE/OUTPUT 
table.  On the other hand, I can use the fwmark as a routing key for 
forwarded traffic.

   I'm no expert in sendmail, but I suggest that you modify its 
configuration to achieve your goal, which is selecting the output interface.

   To answer your last questions, you don't need to enable forwarding 
nor disable the reverse path filtering.

Regards,

Stephane.




[LARTC] flowid - classid ?

2002-10-16 Thread christoph-kling

root@Delta:~# tc filter add dev ppp0 parent 1:1 flowid 1:5 protocol ip
Unknown filter "flowid", hence option "1:5" is unparsable

root@Delta:~# tc filter add dev ppp0 parent 1:1 classid 1:5 protocol ip
Unknown filter "classid", hence option "1:5" is unparsable


I don't understand why it does not work. Can anybody explain this problem to me?

-- 
Christoph Kling
[EMAIL PROTECTED]




Re: [LARTC] [tcng] exceeding child bandwith only in special cases ?

2002-10-16 Thread Werner Almesberger

raptor wrote:
> i.e. only when class1 bandwidth is exhausted and the traffic is destined
> to the proxy give another 64kb/s. (if not exhausted use it, if exhausted but
> not destined to the proxy then sorry)

First of all, this has not all that much to do with classes,
because metering receives no feedback from queuing. But you
can of course try to build a system without feedback.

> I know that it can possibly be achieved with the Metering
> primitives, but I can't figure it out yet.. could you help me..

For tcc, that's pretty straightforward, e.g. something like
this:

$low = bucket(rate 64kbps,burst 30kB);
$high = bucket(rate 128kbps,burst 30kB);

$cond = ip_src == 192.168.0.1;
$is_proxy = ip_dst == 192.168.0.15;

egress {
    class (<$good>)
        if $cond && $is_proxy &&
           conform $high && count $low && count $high;
    class (<$bad>)
        if $cond && $is_proxy;

    class (<$good>)
        if $cond &&
           conform $low && count $low && count $high;
    class (<$bad>)
        if $cond;

    class (<$bad>) if 1;

    prio {
        $good = class;
        $bad = class;
    }
}

(For real-life use, you'd probably want to put these meters
in macros, like trTCM and friends.)

Now, this is a metering configuration tcc doesn't understand
yet, so you need to add the following rules to if_u32.c:map:

/* raptor's VIP band */
{ "n0t0t1c2c3", "p0uc3 p1uc2 c2" },
{ "n0t1t0c2c3", "p0uc3 p1uc2 c2" },
{ "n0t0t1c2d",  "p0ud p1uc2 c2" },
{ "n0t1t0c2d",  "p0ud p1uc2 c2" },

(You need the last two if you want to drop instead of using
a "bad" class. And, BTW, why "... p1c2c2" instead of
"... p1uc2 c2" wouldn't work is left as an exercise to the
reader :-)

All this is, of course, completely untested.

> One other question in this case should classes be parent and child i.e.:

There's only one class for both types of traffic :-)

- Werner

-- 
Werner Almesberger, Buenos Aires, Argentina
http://www.almesberger.net/



[LARTC] unscribe

2002-10-16 Thread Mancinelli Giovanni





[LARTC] [tcng] exceeding child bandwith only in special cases ?

2002-10-16 Thread raptor

I was rereading the tcng docs... and think I found a possible solution to a scenario I
want to implement... i.e.

I want to create a channel with rate 64kb/s but be able to jump to 128kb/s if the
traffic is destined to the proxy server... (all other traffic must not exceed
64kb/s)... pseudo-code:


{ ...
  if src == 192.168.0.1 {
    if dst == 192.168.0.15 and class1 has-no-bandwith-available
      { class1(rate 64kbps) }
    else
      { class2(rate 64kbps) }
  } else class1(rate 64kbps)
  ...
}


i.e. only when class1 bandwidth is exhausted and the traffic is destined to the proxy give
another 64kb/s. (if not exhausted use it, if exhausted but not destined to the proxy then
sorry)
I know that it can possibly be achieved with the Metering primitives, but I can't figure
it out yet.. could you help me..

One other question in this case should classes be parent and child i.e.:

class2(rate 128) {
  class1(rate 64)
}

or siblings :

class1(rate 64) {}
class2(rate 64) {}

which seems more appropriate for the case...

Thanks a lot

raptor



[LARTC] what is the TTL on transit packets ?

2002-10-16 Thread raptor

hi,

I was wondering whether I can inspect in some easy way what the current TTL value of a
packet is, i.e. say I have the following config:


comp1 -> router ---> router2 > myMacine ---> router ---> internet
comp2 ---|

etc

Now the user at computer1 or comp2 is browsing or pinging and I want to
know/inspect what the value of TTL is on all his packets without ever going to manually ping
from his computer.
Do all OSes use the same start TTL value, or different ones on different protocols or
connections?

After I see his TTL I would add an iptables rule to do some things based on this, so I
want to be sure it is a constant value?

thanx in advance
raptor
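An added example for the question above (Python; not code from the thread or from raptor). The TTL seen at the router is the sender's initial value minus the hops travelled, so it is neither constant across operating systems nor across paths; it is only usable as a rule key once it has been observed to be stable for a given source. The code infers the likely initial TTL and hop count from observed values and refuses to emit a rule for a source whose TTL varies. The table of initial values is an assumption of this example based on common defaults (64 on Linux and the BSDs, 128 on Windows, 255 on many routers, 32 on some old stacks), and any host can change its own default; the observations are constructed, and the emitted rule uses iptables' ttl match with a target you choose.

```python
"""Infer a sender's initial TTL and hop distance from the TTL seen on the wire,
and check whether the value is stable enough to key a rule on.

Added example for the TTL question above; not code from the thread.  The
candidate initial values are common operating-system defaults (an assumption of
this example); any host can change its default, so a TTL is a hint about the
sender, never a constant.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

INITIAL_TTLS = (32, 64, 128, 255)

# Constructed observations: (source IP, TTL as seen at the router).
SAMPLE = [
    ("192.168.1.10", 63), ("192.168.1.10", 63), ("192.168.1.10", 63),
    ("192.168.1.20", 127), ("192.168.1.20", 127),
    ("192.168.1.30", 64), ("192.168.1.30", 118),   # two different stacks behind one address
]


def infer_initial_ttl(observed: int) -> Tuple[int, int]:
    """(assumed initial TTL, hops travelled) for one observed TTL."""
    if not 1 <= observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    initial = min(t for t in INITIAL_TTLS if t >= observed)   # nearest default at or above
    return initial, initial - observed


def profile_hosts(observations: List[Tuple[str, int]]) -> Dict[str, dict]:
    """Per source: observed TTLs, inferred (initial, hops) pairs, and stability."""
    seen = defaultdict(set)
    for ip, ttl in observations:
        seen[ip].add(ttl)
    profile = {}
    for ip, ttls in seen.items():
        profile[ip] = {
            "ttls": sorted(ttls),
            "guesses": sorted({infer_initial_ttl(t) for t in ttls}),
            "stable": len(ttls) == 1,
        }
    return profile


def ttl_rule(ip: str, info: dict, target: str = "ACCEPT") -> Optional[str]:
    """An iptables rule keyed on the observed TTL, or None when the TTL is not
    stable for that source (a rule would then silently miss part of its traffic)."""
    if not info["stable"]:
        return None
    return f"iptables -A FORWARD -s {ip} -m ttl --ttl-eq {info['ttls'][0]} -j {target}"


if __name__ == "__main__":
    for ip, info in profile_hosts(SAMPLE).items():
        print(ip, info, ttl_rule(ip, info))
```

In the constructed sample, 192.168.1.30 shows both 64 and 118, which decode to a Linux-like host zero hops away and a Windows-like host ten hops away; a rule keyed on either value would match only part of that address's traffic, which is why ttl_rule() returns None for it.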



Re: [LARTC] Shaping outgoing traffic over multiple devices

2002-10-16 Thread Stef Coene

On Wednesday 16 October 2002 15:11, raptor wrote:
> |Yes, the imq device.  This is a virtual device (you can have more than
> | one) and you can add a qdisc to it.  You can redirect packets to it with
> | iptables and this can be done on each interface and for incoming and outgoing
> | packets. In your case you have to create 1 imq device and redirect all
> | outgoing packets to it and shape the imq device.
> |More info http://trash.net/~kaber/imq/
>
> ]- do later packets go to the device they were directed to in the
> beginning, i.e. if a packet has to go out through eth1 but I redirect it to
> imq, the flow is shaped to the desired bandwidth but after that it continues
> its normal path, i.e. the flow changes from this:
>
> eth0  <> eth1
>
> to this:
>
> eth0 <--> imq <--> eth1
It's more like
eth0 -> imq0 -> forwarding -> eth1
eth1 -> imq0 -> forwarding -> eth0

You can even do
eth0 -> imq0 -> forwarding -> imq0 -> eth1

One of the disadvantages is the delay.  The packet will travel through 2 queues.  
So shaping on imq AND ethx is not such a good idea.

Stef

-- 

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net




[LARTC] What value to set to Hz ?

2002-10-16 Thread raptor

hi,

I was always setting HZ to 1000 when I compiled a QoS kernel ... I knew it schedules
tasks more often and my presum/ption was that this way QoS channel policies would be
enforced better (of course it will have greater scheduling overhead), but now you can
get a much better picture if you read this:

http://kerneltrap.org/node.php?id=464

hope it is interesting

raptor



Re: [LARTC] question re: longer-period fair sharing

2002-10-16 Thread Dragan Zubac


Hi,

Try a VPN solution with RADIUS accounting for the amount of bytes each user
has transmitted over the network. The RADIUS protocol can do accounting of bytes
(octets actually) as well as 'online' time. In that way, You can have multiple
business policies for clients, one for kids, one for family, one for
guests, etc...
This solution may add some delay to the TCP/IP protocol, but guarantees You
secure connections (no more sniffing :), and You won't have possible trouble
about filtering MAC addresses of malicious clients trying to forge their IP
numbers if You have a 'layer 3 accounting solution' :)
When they exceed the paid amount of bytes, simply that account won't be in
use anymore :)

Hope this helps :)

f2zubac


On Wed, 16 Oct 2002, Thomas Vander Stichele wrote:

> Hi,
> 
> I've been asked something I couldn't really give an answer to out of the 
> box.  Someone I know wants to do fair bandwidth sharing over long periods.  
> The period would be related to the provider's capping period ;)
> So, for example, if five people share one connection, and the ISP allows 
> 10 GB per month of traffic, each person could only use 2 GB per month, and 
> be effectively turned off when passing that limit.
> 
> Now, my question is - has anyone done anything similar ? I'd think that 
> this application would lean more to an approach that just does accounting 
> by the hour, for example, and turns off net access through firewall rules 
> based on those values.  Also, it would probably have to store intermediate 
> accounting values to disk instead of keeping everything in memory.
> 
> What do you guys think ?
> 
> Thomas
> 
> 




Re: [LARTC] question re: longer-period fair sharing

2002-10-16 Thread Razvan Cosma

Try using the iptables quota extension (works just fine here with
iptables-1.2.6a).

On Wed, 16 Oct 2002, Thomas Vander Stichele wrote:

> Hi,
>
> I've been asked something I couldn't really give an answer to out of the
> box.  Someone I know wants to do fair bandwidth sharing over long periods.
> The period would be related to the provider's capping period ;)
> So, for example, if five people share one connection, and the ISP allows
> 10 GB per month of traffic, each person could only use 2 GB per month, and
> be effectively turned off when passing that limit.
>
> Now, my question is - has anyone done anything similar ? I'd think that
> this application would lean more to an approach that just does accounting
> by the hour, for example, and turns off net access through firewall rules
> based on those values.  Also, it would probably have to store intermediate
> accounting values to disk instead of keeping everything in memory.
>
> What do you guys think ?
>
> Thomas
>
>
>





[LARTC] question re: longer-period fair sharing

2002-10-16 Thread Thomas Vander Stichele

Hi,

I've been asked something I couldn't really give an answer to out of the 
box.  Someone I know wants to do fair bandwidth sharing over long periods.  
The period would be related to the provider's capping period ;)
So, for example, if five people share one connection, and the ISP allows 
10 GB per month of traffic, each person could only use 2 GB per month, and 
be effectively turned off when passing that limit.

Now, my question is - has anyone done anything similar ? I'd think that 
this application would lean more to an approach that just does accounting 
by the hour, for example, and turns off net access through firewall rules 
based on those values.  Also, it would probably have to store intermediate 
accounting values to disk instead of keeping everything in memory.

What do you guys think ?

Thomas


-- 

The Dave/Dina Project : future TV today ! - http://davedina.apestaart.org/
<-*-  -*->
You think I'm scared of girls well maybe
but I'm not afraid of you
You want to scare me then you'll
cling to me no matter what I do
<-*- [EMAIL PROTECTED] -*->
URGent, the best radio on the Internet - 24/7 ! - http://urgent.rug.ac.be/

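An added example of the accounting approach Thomas sketches (Python; not code from the thread or from any of its posters): per-host byte counters are polled periodically, running totals are persisted to disk so a reboot does not lose the month, and the hosts that have passed their share of the provider's monthly cap are reported so firewall rules can cut them off. The counter sources the replies mention (an iptables accounting or quota chain, RADIUS accounting records) are cumulative and start again from zero when rules are reloaded or the box reboots, which is the edge case the update step handles: a snapshot lower than the previous one is a reset, not negative traffic. The snapshots, addresses and the state-file location are constructed for the example.

```python
"""Long-period byte accounting with on-disk state and a monthly cutoff.

Added example for the fair-sharing question above; not code from the thread.
Poll cumulative per-host byte counters, keep running totals on disk, and report
who has crossed their share of the allowance.  A counter that went backwards
was reset (rules reloaded, box rebooted) and is treated as a fresh counter.
"""
import json
import os
import tempfile
from typing import Dict, List, Optional

GB = 1_000_000_000
DEMO_STATE_PATH = os.path.join(tempfile.gettempdir(), "lartc-quota-demo.json")

# Constructed hourly snapshots of cumulative per-host byte counters.
DEMO_SNAPSHOTS: List[Dict[str, int]] = [
    {"192.168.0.2": 500_000_000, "192.168.0.3": 1_500_000_000},
    {"192.168.0.2": 1_200_000_000, "192.168.0.3": 1_900_000_000},
    {"192.168.0.2": 1_300_000_000, "192.168.0.3": 400_000_000},   # .3's counter was reset
]


def fair_share(monthly_allowance: int, users: int) -> int:
    """Each user's share of the provider's monthly cap, in bytes."""
    return monthly_allowance // users


def update_totals(state: Dict[str, dict], snapshot: Dict[str, int]) -> Dict[str, dict]:
    """Fold one snapshot {host: cumulative bytes} into the running state."""
    for host, counter in snapshot.items():
        entry = state.setdefault(host, {"total": 0, "last": 0})
        # Normal growth adds the difference; a counter that went backwards was
        # reset, and everything it shows now is traffic since that reset.
        delta = counter - entry["last"] if counter >= entry["last"] else counter
        entry["total"] += delta
        entry["last"] = counter
    return state


def over_quota(state: Dict[str, dict], quota_bytes: int) -> List[str]:
    """Hosts whose running total exceeds the quota, sorted."""
    return sorted(h for h, e in state.items() if e["total"] > quota_bytes)


def new_month(state: Dict[str, dict]) -> Dict[str, dict]:
    """Zero the totals but keep the last counter values so the next delta is right."""
    for entry in state.values():
        entry["total"] = 0
    return state


def save_state(state: Dict[str, dict], path: str) -> None:
    """Write atomically: a crash mid-write must not leave a truncated file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def load_state(path: str) -> Dict[str, dict]:
    """Previous state, or an empty one on first run."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def run(snapshots: List[Dict[str, int]], path: Optional[str] = None) -> Dict[str, dict]:
    """Process snapshots in order, persisting after each one when a path is given."""
    state = load_state(path) if path else {}
    for snap in snapshots:
        update_totals(state, snap)
        if path:
            save_state(state, path)
    return state


if __name__ == "__main__":
    totals = run(DEMO_SNAPSHOTS)
    print(totals)
    print("over quota:", over_quota(totals, fair_share(10 * GB, 5)))
```

With five users on a 10 GB cap the share is 2 GB; in the constructed data 192.168.0.3 has moved 1.9 GB before its counter reset and 0.4 GB after it, so it is the one reported, while a naive "latest counter value" check would have read only 0.4 GB and let it through.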