Re: [LARTC] SNAT based on MAC before routing
On Thu, 2002-11-21 at 10:08, Eduard Calvo (B-teljpa) EXP JAN 03 wrote:
>
> Hi Ramin,
>
> Thanks for your answer. But this solution is not suitable for me. This would
> be a good solution if the only thing I had to do is to route packets based on
> MAC. The problem is that I have to SNAT before routing.
>
> The reason is that I have to capture http traffic and redirect it through a
> local Apache Server that I have in my Linux box. The server has to be able to
> distinguish between hosts, and if I do SNAT in postrouting it will see the real
> ip address of the packet, and not the NAT'ed address. I wonder if maybe Apache
> has access to fields of the ip header (like TOS), because I would use these
> fields to make Apache distinguish clients.
>

Hi Eduard,

You will never get SNAT in PREROUTING in iptables/netfilter, because it would seriously mess up filtering and connection tracking :-)

However, you should talk to Henrik Nordström of Squid proxy fame. Here is his homepage with contact email address on it: http://devel.squid-cache.org/hno/

Here's the reason: for a very long time in the 2.4 series, it was impossible to do DNAT in the OUTPUT chain (was a TODO item for the netfilter developers). Henrik had a patch he wrote that allowed DNAT in the OUTPUT chain and SNAT in the INPUT chain. This would allow you to solve your problem. However, apparently the SNAT part of the patch was quite intrusive, and IIRC had issues with conntrack/nat helpers. At 2.4.19-pre time, the "DNAT in OUTPUT" part of the patch was accepted by the netfilter coreteam and merged, but the "SNAT in INPUT" part of the patch got rejected. There was some discussion, and part of why it didn't get merged was that there weren't enough real-world scenarios people could come up with to convince the coreteam to accept this (the intrusiveness of the patch probably being another major reason :-)). I guess Henrik, being a Squid lead developer, could see the usefulness of this patch at the time.

I think an obsolete version of the patch is still in the netfilter patch-o-matic. It will almost certainly not apply to 2.4.20-pre/rc/final because of the newnat merge. Henrik's a very nice and helpful guy, so you may try emailing him about your problem - he may offer some help or additional insight. It would be nice to subscribe to the netfilter-devel list for your problem and include the netfilter developers in the mail loop. The information I am presenting you is many months old so there may be stuff I am missing and people may have new insights into the problem...

Regards,
Filip

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Re: [LARTC] burst per connection or filter on packet numbers
On Sat, 23 Nov 2002, Marcus Blomenkamp wrote:
> You could try the WRR (weighted-round-robin) scheduler. It's not yet included
> into the standard kernel sources, so you've got to patch them. Google should
> help.

Thanks for the hint! I'll have a look at it.

FYI, it is referenced in the lartc howto (found by Google ;-) too:
http://lartc.org/howto/lartc.adv-qdisc.wrr.html

Walter
Re: [LARTC] burst per connection or filter on packet numbers
On Friday, 22 November 2002 23:36, Walter Haidinger wrote:
>
> I'd like to favour beginning connections (not just the starting packets,
> but the first, say, 100 packets) _while_ there are already established
> connections which prevent recharging of the htb bursts.
>
> I've already experimented with different burst/cburst settings but it did
> not give me the desired behaviour.

Greetings.

You could try the WRR (weighted-round-robin) scheduler. It's not yet included into the standard kernel sources, so you've got to patch them. Google should help.

AFAIK: WRR automatically classifies packets either by their MAC addresses or by IP-TCP,UDP streams. On each turn every stream gets a chance to send a number of packets proportional to its current priority/weight. And that's the clue: WRR allows the streams to start with a higher priority and decrease its priority automatically by the amount of traffic processed.

Marcus
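A toy simulation of the scheduling behaviour Marcus describes (each stream sends packets proportional to its weight per turn, and the weight decays with the bytes already processed, so a fresh connection outpaces an established bulk one). This is constructed illustration code added here, not the WRR qdisc patch; the decay rate, quantum, packet size and stream names are assumptions.

```python
# Constructed toy model of the WRR behaviour described above: per turn each
# stream may send a number of packets proportional to its weight, and the
# weight decays with the bytes it has already sent. Not the real qdisc code;
# decay rate, quantum and packet sizes are assumptions chosen for illustration.
from collections import deque
from dataclasses import dataclass, field

FLOOR = 0.05       # weight never drops below this (assumed)
PER_KIB = 0.1      # weight lost per KiB processed (assumed)
QUANTUM = 4        # packets a stream with weight 1.0 may send per turn (assumed)


@dataclass
class Stream:
    key: str                                     # MAC or IP/proto/port tuple
    queue: deque = field(default_factory=deque)  # pending packet sizes (bytes)
    weight: float = 1.0                          # new streams start at full weight
    sent: int = 0                                # bytes processed so far

def decay(weight: float, nbytes: int) -> float:
    """Lower the weight linearly by the traffic processed, clamped at FLOOR."""
    return max(FLOOR, weight - PER_KIB * nbytes / 1024)

def wrr_turn(streams):
    """One scheduler turn; returns the list of (stream key, bytes) dequeued."""
    out = []
    for s in streams:
        budget = max(1, round(s.weight * QUANTUM))  # every stream gets >= 1 packet
        while budget and s.queue:
            size = s.queue.popleft()
            out.append((s.key, size))
            s.sent += size
            s.weight = decay(s.weight, size)      # priority drops as traffic flows
            budget -= 1
    return out

def packets_per_stream(turns: int, pkt: int = 1500) -> dict:
    """Constructed scenario: a bulk stream that already moved 100 KiB competes
    with a brand-new stream; count the packets each one gets in the first turns."""
    old = Stream("old", deque([pkt] * 20), weight=decay(1.0, 100 * 1024), sent=100 * 1024)
    new = Stream("new", deque([pkt] * 20))
    counts = {"old": 0, "new": 0}
    for _ in range(turns):
        for key, _size in wrr_turn([old, new]):
            counts[key] += 1
    return counts  # three turns: {"old": 3, "new": 7}
```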
Re: [LARTC] Kernel config for HTB
On Fri, Nov 22, 2002 at 06:39:09PM +0100, Stef Coene wrote:
> Have you patched tc so you have htb support? I don't know if the tc command
> that comes with debian has htb support.

The tc command that comes with debian woody (the current stable distribution) has htb support, but unfortunately it is for the old htb version. It seems unlikely that this will change soon (new versions are normally not introduced in stable). This has already been reported: http://bugs.debian.org/167149

The unstable distribution could include an updated version in the near future (but as far as I can tell, this isn't the case yet).

Greetings,

Ivo De Decker
Re: [LARTC] iproute2 with new kernel
On Thursday 21 November 2002 09:20 am, Tomas Bonnedahl wrote:
> well, does it matter _which_ kernel include files you include in the makefile for iproute2?
> (or, does the term "correct" mean the old or just a bootable/normal kernel?)
>
> -tomas
>
> On Thu, Nov 21, 2002 at 11:02:02AM -0300, Esteban Ribicic wrote:
> > from iproute2 tarball
> >
> > How to compile this.
> >
> > 1. Look at start of Makefile and set correct values for:
> > KERNEL_INCLUDE should point to correct linux kernel include directory.
> >
> > blah blah blah
> >
> > greets!
> >
> >
> > On Thu, 2002-11-21 at 10:47, Stef Coene wrote:
> > > On Thursday 21 November 2002 13:40, Tomas Bonnedahl wrote:
> > > > hello, is it necessary to recompile iproute2 when you add a new kernel, and
> > > > hence move the link /usr/src/linux to point on a different kernel?
> > > I'm not sure, but iproute uses some kernel files, so I think you better
> > > recompile.
> > >
> > > Stef
> > >

hi,

what about the iproute2 installed as a package (say RPM) and then later the kernel was compiled for newer kernel versions. I keep compiling the kernel as newer versions become available, but had installed iproute2 when I installed Redhat 7.3 and have not yet upgraded iproute2 which works fine even after kernel compilations. so compiling the iproute2 after a kernel compile would be for safety??

thanks,
ashok
Re: [LARTC] Two Ethernet DSL modems
On Saturday 23 November 2002 07:34, Wayne Fallows wrote:
> Hi,
>
> Is it possible to connect two or more Ethernet DSL modems to a Hub and
> connect to them with one Linux router computer?

It's better to put them directly on the linux router so you can do load balancing.

Stef
--
[EMAIL PROTECTED]
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.oftc.net