Re: [LARTC] Count no of hosts
On Friday 07 February 2003 08:35, CLS Prasad wrote:
> Is there any way to dynamically measure the no of concurrent internal hosts
> (IP's) utilising the linux NAT Gateway/forwarding box.
> The idea is to measure the no of hosts actively using the gateway. I do not
> want to measure the no of TCP connections which iptraf does because it does
> not give the actual no of hosts.

:) On Slashdot there was an article about the same subject. It can be done if you really want to do so.
http://slashdot.org/article.pl?sid=03/02/05/2129218&mode=thread&tid=95

Stef
--
[EMAIL PROTECTED]
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] API using cbq / tc ?
On Friday 07 February 2003 05:25, Srikanth wrote:
> Our GUI developers are using X based (Qt) only, not web based.

I prefer web based. Most of the time, the QoS is installed on a router with no display and a limited connection (for instance behind a firewall). So if you have an https server, you can configure it without problems. For a Qt based application, you need a monitor or you have to log in and use a remote display. This is more complicated (and less secure) than a web based GUI.

But if you have good GUI developers, they can create a set of libraries so you can use different front ends to access these libraries. So people can choose how to configure the box.

Just wondering, will the software be released under the GPL?

Stef
--
[EMAIL PROTECTED]
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Re: [LARTC] Measuring throughput
On Thursday 06 February 2003 21:41, Esteban Ribicic wrote:
> Another way may be using iptables accounting..for example:
>
> iptables -N udp-out
> iptables -A udp-out -j ACCEPT
>
> iptables -N udp-in
> iptables -A udp-in -j ACCEPT
>
> iptables -A INPUT -p udp -j udp-in
> iptables -A OUTPUT -p udp -j udp-out
>
> you can see this with:
> iptables -L -n -v -x
>
> ..i have some perl scripts to show that in graphs (rrdtool, gnuplot,
> etc)...

I also have some scripts. They are integrated in a bigger set of scripts. You can download it from www.docum.org on the gui page. If you are interested in the rrd scripts, you need get_snmp.pl (it updates the rrd files) and the tcrrd.pl script (it generates the graphics on the fly in a web browser). get_snmp.pl also creates an html page to view the graph. Maybe you can use these scripts as an example to create your own.

I started with the larrd extension for BigBrother (bb4.com). I used the larrd.pl script as an example to create my own set of scripts. Once you know how it works, it's easy to graph whatever you want.

Stef
--
[EMAIL PROTECTED]
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
[LARTC] Count no of hosts
Is there any way to dynamically measure the number of concurrent internal hosts (IPs) utilising the Linux NAT gateway/forwarding box?

The idea is to measure the number of hosts actively using the gateway. I do not want to measure the number of TCP connections, which iptraf does, because it does not give the actual number of hosts.
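One way to get the number asked for above, as an added example that is not code from this thread: a Linux NAT box already keeps one line of state per flow in /proc/net/ip_conntrack (2.4 kernels; /proc/net/nf_conntrack on later kernels), and the first src= on each line is the original direction of the flow, i.e. the internal client. Counting the distinct original sources that fall inside the LAN prefix gives hosts rather than connections. The conntrack table below is constructed, and the 192.168.0.0/16 prefix is an assumption to replace with your own.

```python
"""Count distinct internal hosts that currently have conntrack/NAT state.

Added example for the "Count no of hosts" question; not code from the
LARTC thread. Reads /proc/net/ip_conntrack (2.4) or /proc/net/nf_conntrack
(later kernels) when present, otherwise the constructed sample below.
"""
import ipaddress
import os
import re
import sys

CONNTRACK_FILES = ("/proc/net/ip_conntrack", "/proc/net/nf_conntrack")

# Constructed sample in the 2.4 ip_conntrack layout plus one nf_conntrack
# style line. Per line: proto, proto number, timeout, [TCP state], original
# tuple, reply tuple, flags. The reply tuple carries the post-NAT address
# 203.0.113.1, which must NOT be counted as a host; the last line is a flow
# from the outside to the gateway itself and must not be counted either.
SAMPLE_TABLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=1234 dport=80 src=198.51.100.7 dst=203.0.113.1 sport=80 dport=1234 [ASSURED] use=1
udp      17 29 src=192.168.1.10 dst=198.51.100.53 sport=1025 dport=53 src=198.51.100.53 dst=203.0.113.1 sport=53 dport=1025 use=1
tcp      6 117 SYN_SENT src=192.168.1.11 dst=198.51.100.7 sport=2000 dport=22 [UNREPLIED] src=198.51.100.7 dst=203.0.113.1 sport=22 dport=2000 use=1
ipv4     2 tcp      6 300 ESTABLISHED src=192.168.2.5 dst=198.51.100.9 sport=3000 dport=443 src=198.51.100.9 dst=203.0.113.1 sport=443 dport=3000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.20 dst=203.0.113.1 sport=40000 dport=80 src=203.0.113.1 dst=198.51.100.20 sport=80 dport=40000 [ASSURED] use=1
"""

_FIRST_SRC = re.compile(r"\bsrc=(\S+)")


def original_sources(table):
    """Yield (original-direction source address, assured flag) per line."""
    for line in table.splitlines():
        m = _FIRST_SRC.search(line)
        if not m:
            continue  # blank or unexpected line
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        yield addr, "[ASSURED]" in line


def active_hosts(table, internal_net, assured_only=False):
    """Distinct internal addresses with live state, as sorted strings.

    assured_only=True keeps only flows the kernel has seen packets for in
    both directions, which drops half-open connections and scans.
    """
    net = ipaddress.ip_network(internal_net)
    hosts = set()
    for addr, assured in original_sources(table):
        if addr in net and (assured or not assured_only):
            hosts.add(addr)
    return [str(h) for h in sorted(hosts)]


def load_conntrack():
    """Return the live table if this box exposes one, else the sample."""
    for path in CONNTRACK_FILES:
        if os.path.exists(path):
            with open(path) as f:
                return f.read()
    return SAMPLE_TABLE


if __name__ == "__main__":
    prefix = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.0/16"  # assumed LAN
    table = load_conntrack()
    print("hosts with any state:    ", len(active_hosts(table, prefix)))
    print("hosts with assured flows:", len(active_hosts(table, prefix, True)))
```

Two caveats when reading the result: an entry stays in the table until its timeout expires (431999 s in the sample is the default five-day timeout for an established TCP flow), so the count is "hosts with unexpired state", not "hosts that sent a packet in the last minute"; and on a box that forwards without NAT the table only exists if the conntrack module is loaded.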
Re: [LARTC] API using cbq / tc ?
Our GUI developers are using X based (Qt) only, not web based.

thanks & reg,
Srikanth.

On Friday 07 February 2003 07:46 am, you wrote:
> First is better as it will not involve changing package if tc changes or
> some changes are made to tc. Is your GUI X based or web based?
>
> Mohan
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> On Behalf Of Srikanth
> Sent: Thursday, February 06, 2003 6:38 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [LARTC] API using cbq / tc ?
>
> Hi!
>
> I'm developing some API functions using cbq / tc (for GUI based BW
> Management)
>
> By two approaches i can do this,
>
> 1. By executing cbq.init script (which is executable) using some system
> calls like execv etc.
> Are there any problems by doing so?
>
> OR
>
> 2. Directly using iproute2/tc source code with slight modifications.
>
> So, which option is better?
>
> Are there any other solutions, please welcome.
>
> thanks & regards,
> Srikanth.
RE: [LARTC] API using cbq / tc ?
First is better as it will not involve changing the package if tc changes or some changes are made to tc. Is your GUI X based or web based?

Mohan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Srikanth
Sent: Thursday, February 06, 2003 6:38 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [LARTC] API using cbq / tc ?

Hi!

I'm developing some API functions using cbq / tc (for GUI based BW Management)

By two approaches i can do this,

1. By executing cbq.init script (which is executable) using some system calls like execv etc.
Are there any problems by doing so?

OR

2. Directly using iproute2/tc source code with slight modifications.

So, which option is better?

Are there any other solutions, please welcome.

thanks & regards,
Srikanth.
[LARTC] messed up (policy)routing
Hi there,

I've got to manage Internet traffic, Extranet traffic and LAN in all directions and variants. And now I am at a point where I realize that I got too complex for my amount of sleep.

The issue is simple: I can't connect to Extranet machines from localhost (NAT router). No ping, no TCP connections, but traceroute does. From LAN machines I can connect and it is NATted correctly.

I have put the iptables script, tcpdump output and the output of 'route' and ip route|rule on http://robtone.mine.nu/hm.html

Thanks if someone could give me a little hint or anything which would bring me onto the right track. I'm not sure whether I do wrong policy routing or maybe I forgot some rules in the iptables script. I really don't know where the packets get lost.

Best regards,
Robert Felber
Re: [LARTC] Measuring throughput
I personally like using rrdtool with snmp. It's a bit more difficult to set up than some tool like iptraf, but it gives you a nice graph of what's going on. It also keeps a set history of data so you can view trends, etc.

Jay

----- Original Message -----
From: "Kenneth Porter" <[EMAIL PROTECTED]>
To: "LARTC List" <[EMAIL PROTECTED]>
Sent: Thursday, February 06, 2003 1:29 PM
Subject: [LARTC] Measuring throughput

> I'm running a game server which uses a lot of UDP traffic on a 4 Mbps
> connection. I'd like to figure out how much of that I'm really using
> (inbound vs. outbound) and I'd like to verify my bandwidth cap.
>
> The host also runs a web and FTP server and I'm running wshaper to keep
> those from hurting game traffic. But I'm concerned that it might be
> artificially capping my bandwidth and that I might need to tweak it.
>
> I've got ntop running (http://matureasskickers.net:3000/) and it tells me
> that in a massive game last night (50 players) I used 2.2 Mbps, but I don't
> know whether that's inbound, outbound, or the sum of both. Is there another
> tool better for this measurement?
>
> I'd like to simulate lots of game traffic by flooding UDP packets out of
> the box (say, to my home system) to verify the bandwidth cap. What tool
> would be good for doing that? (The Slapper worm doesn't count! ;))
Re: [LARTC] Measuring throughput
> iptables -N udp-out
> iptables -A udp-out -j ACCEPT

Unless you really want to accept the packets, leave -j ACCEPT out (assuming you have a rule that accepts the traffic later or your default policy is set to ACCEPT). The packet and byte counters will still increase.

> iptables -N udp-in
> iptables -A udp-in -j ACCEPT

Same here.

> iptables -A INPUT -p udp -j udp-in
> iptables -A OUTPUT -p udp -j udp-out
>
> you can see this with:
> iptables -L -n -v -x

iptables -nvxL udp-in

would give you incoming UDP traffic while

iptables -nvxL udp-out

would give you egress UDP traffic.

> saludos
> Esteban.
> --
> Esteban Ribicic
> Network Operation Center
> UOL-Sinectis S.A.
>
> Florida 537 Piso 6, Buenos Aires, Argentina
> +54-11-4321-9110 ext 2503
> +54-11-4321-9107 Directo
> [EMAIL PROTECTED]
> www.uolsinectis.com

--
Sincerely,
Patrik Hildingsson
KurD@EFnet/linknet, kurdel@DALnet
+46 709 285 445
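The counters Esteban and Patrik describe are cumulative, so a throughput figure needs two readings and the interval between them. Here is an added example, not code from the thread, that parses the output of `iptables -nvxL` for the udp-in and udp-out chains and turns the byte deltas into bit/s; it also copes with the counters going backwards after `iptables -Z`. The two snapshots are constructed. Note for anyone doing this on a gateway rather than on the game server itself: INPUT and OUTPUT only see traffic to and from the box, so forwarded traffic has to be counted from the FORWARD chain instead.

```python
"""Turn iptables accounting counters into throughput figures.

Added example for the "Measuring throughput" thread; not code posted there.
Parses `iptables -nvxL` output (-x gives exact counters instead of K/M
rounding) and computes bit/s and packet/s per chain between two snapshots.
The snapshots below are constructed; udp-in/udp-out are the thread's names.
"""
import re
import subprocess

_CHAIN_HEADER = re.compile(r"^Chain (\S+) \(")

# Constructed snapshot at t0. With no target on the rule (Patrik's advice)
# the target column is empty, so the parser keys on the first two numeric
# fields rather than on fixed column positions.
SNAPSHOT_T0 = """\
Chain udp-in (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  120034   96027200            all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain udp-out (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   80000   40000000            all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed snapshot 30 s later; udp-out was zeroed with `iptables -Z`
# in between, so its counters went backwards.
SNAPSHOT_T1 = """\
Chain udp-in (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  125034   96777200            all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain udp-out (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     100      60000            all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


def parse_counters(output):
    """Return {chain: (packets, bytes)} summed over every rule in the chain."""
    totals, chain = {}, None
    for line in output.splitlines():
        m = _CHAIN_HEADER.match(line)
        if m:
            chain = m.group(1)
            totals.setdefault(chain, (0, 0))
            continue
        fields = line.split()
        if chain and len(fields) >= 2 and fields[0].isdigit() and fields[1].isdigit():
            pkts, byts = totals[chain]
            totals[chain] = (pkts + int(fields[0]), byts + int(fields[1]))
    return totals


def rates(before, after, seconds):
    """Per-chain {'pps': ..., 'bps': ...} from two parse_counters() results."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    out = {}
    for chain, (p1, b1) in after.items():
        p0, b0 = before.get(chain, (0, 0))
        dp, db = p1 - p0, b1 - b0
        if dp < 0 or db < 0:
            # Counters went backwards: chain was zeroed (-Z) or recreated,
            # so the current values are the whole delta since the reset.
            dp, db = p1, b1
        out[chain] = {"pps": dp / seconds, "bps": db * 8 / seconds}
    return out


def read_live(chains=("udp-in", "udp-out")):
    """Run iptables for the given chains; needs root and existing chains."""
    output = ""
    for chain in chains:
        output += subprocess.check_output(["iptables", "-nvxL", chain], text=True)
    return parse_counters(output)


if __name__ == "__main__":
    # Offline demonstration on the constructed snapshots.
    t0, t1 = parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1)
    for chain, r in rates(t0, t1, 30).items():
        print(f"{chain:8s} {r['bps'] / 1000:10.1f} kbit/s {r['pps']:8.1f} pkt/s")
```

To use it live, call read_live() twice with a sleep in between and hand both results to rates(); the same two functions are all a cron job feeding rrdtool needs. Because the rule carries no target, the counters record the packet without deciding its fate, which is exactly Patrik's point.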
RE: [LARTC] Measuring throughput
Another way may be using iptables accounting..for example:

iptables -N udp-out
iptables -A udp-out -j ACCEPT

iptables -N udp-in
iptables -A udp-in -j ACCEPT

iptables -A INPUT -p udp -j udp-in
iptables -A OUTPUT -p udp -j udp-out

you can see this with:
iptables -L -n -v -x

..i have some perl scripts to show that in graphs (rrdtool, gnuplot, etc)...

saludos
Esteban.

On Thu, 2003-02-06 at 16:04, Patrick Nehls wrote:
> Install a program called nload or iptraf. Nload very simply gives you the
> current in and out of whatever interface you specify along with an average.
> Here's the command I use:
> nload -i 2048 -o 384 -s 9 -t 1000 -u k -U m eth0 eth1
> This tells it to set the incoming graph at 2Mbit max, outgoing graph at 384kbit
> max, -s 9 smoother average bandwidth number, -u is traffic number units
> (bit/s, kbit/s, mbit/s, gbit/s), and -U is the units for the amount of data
> in/out. The m lets me see rates for eth0 and eth1 (multiple interfaces).
>
> Iptraf is much more of a full featured network monitoring program and I
> highly recommend it as well as nload. Iptraf can give you the basic in/out
> stats of your network along with much more. I use iptraf when I want to
> monitor the bandwidth usage of a specific connection and nload when I want
> the overall picture of how much data is being transferred in and out.
>
> Patrick
>
> -----Original Message-----
> From: Kenneth Porter [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 06, 2003 10:30 AM
> To: LARTC List
> Subject: [LARTC] Measuring throughput
>
> I'm running a game server which uses a lot of UDP traffic on a 4 Mbps
> connection. I'd like to figure out how much of that I'm really using
> (inbound vs. outbound) and I'd like to verify my bandwidth cap.
>
> The host also runs a web and FTP server and I'm running wshaper to keep
> those from hurting game traffic. But I'm concerned that it might be
> artificially capping my bandwidth and that I might need to tweak it.
>
> I've got ntop running (http://matureasskickers.net:3000/) and it tells me
> that in a massive game last night (50 players) I used 2.2 Mbps, but I don't
> know whether that's inbound, outbound, or the sum of both. Is there another
> tool better for this measurement?
>
> I'd like to simulate lots of game traffic by flooding UDP packets out of the
> box (say, to my home system) to verify the bandwidth cap. What tool would be
> good for doing that? (The Slapper worm doesn't count! ;))

--
Esteban Ribicic
Network Operation Center
UOL-Sinectis S.A.

Florida 537 Piso 6, Buenos Aires, Argentina
+54-11-4321-9110 ext 2503
+54-11-4321-9107 Directo
[EMAIL PROTECTED]
www.uolsinectis.com
RE: [LARTC] Measuring throughput
Install a program called nload or iptraf. Nload very simply gives you the current in and out of whatever interface you specify along with an average. Here's the command I use:

nload -i 2048 -o 384 -s 9 -t 1000 -u k -U m eth0 eth1

This tells it to set the incoming graph at 2Mbit max, outgoing graph at 384kbit max, -s 9 smoother average bandwidth number, -u is traffic number units (bit/s, kbit/s, mbit/s, gbit/s), and -U is the units for the amount of data in/out. The m lets me see rates for eth0 and eth1 (multiple interfaces).

Iptraf is much more of a full featured network monitoring program and I highly recommend it as well as nload. Iptraf can give you the basic in/out stats of your network along with much more. I use iptraf when I want to monitor the bandwidth usage of a specific connection and nload when I want the overall picture of how much data is being transferred in and out.

Patrick

-----Original Message-----
From: Kenneth Porter [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 06, 2003 10:30 AM
To: LARTC List
Subject: [LARTC] Measuring throughput

I'm running a game server which uses a lot of UDP traffic on a 4 Mbps connection. I'd like to figure out how much of that I'm really using (inbound vs. outbound) and I'd like to verify my bandwidth cap.

The host also runs a web and FTP server and I'm running wshaper to keep those from hurting game traffic. But I'm concerned that it might be artificially capping my bandwidth and that I might need to tweak it.

I've got ntop running (http://matureasskickers.net:3000/) and it tells me that in a massive game last night (50 players) I used 2.2 Mbps, but I don't know whether that's inbound, outbound, or the sum of both. Is there another tool better for this measurement?

I'd like to simulate lots of game traffic by flooding UDP packets out of the box (say, to my home system) to verify the bandwidth cap. What tool would be good for doing that? (The Slapper worm doesn't count! ;))
Re: [LARTC] Strange routing limitations and workaround
On Thu, Feb 06, 2003 at 02:07:57PM +0100, Szymon Miotk wrote:
> Hi!
>
> I got some strange problem with routing loadbalancing.
> I cannot get the full speed from my ISPs until I get some big files from
> a close ftp server.
> I have a server with one connection to the internal network and 3 to ISPs:
>
>                __________
>               |     eth1 |---- ISP1
>               |          |
> internal -----|eth0  eth2|---- ISP2
>    net        |          |
>  (~300        |     eth3 |---- ISP3
>   hosts)      |__________|
>
> I have done everything as described in LARTC, chapter 4.2
>
> The main rule looks like that (the weight reflects link speed/100):
> ip route add default scope global \
>    nexthop via $ISP1_GATEWAY dev eth1 weight 12 \
>    nexthop via $ISP2_GATEWAY dev eth2 weight 10 \
>    nexthop via $ISP3_SPRINT_GATEWAY dev eth3 weight 20
>
> Total bandwidth available is 4.2 Mbit.
> After I restart the server I can get 2.0Mbit maximum, with the first link 5%
> utilized, and the second link and the third about 50%.
> When I get some big files from a close ftp server (4 x linux kernel =
> ~80MB) the links start to work normally, reaching 75-100% utilization. All
> those big files go via the first link.
>
> Can someone possibly explain that and teach me how to get full speed
> without such shamanism?
>
> Szymon Miotk

"This balancing will not be perfect."

Try this: www.linuxvirtualserver.org/~julian/nano.txt
It should be better.

--
GPG-Key: http://www.bartek.bicom.pl/public_key.txt
pub 1024D/948DE45D 2002-12-12 Bartek Krajnik <[EMAIL PROTECTED]>
Primary key fingerprint: 95E9 8E2D 1801 7864 2244 6EAA 03E5 764D 948D E45D
[LARTC] Measuring throughput
I'm running a game server which uses a lot of UDP traffic on a 4 Mbps connection. I'd like to figure out how much of that I'm really using (inbound vs. outbound) and I'd like to verify my bandwidth cap.

The host also runs a web and FTP server and I'm running wshaper to keep those from hurting game traffic. But I'm concerned that it might be artificially capping my bandwidth and that I might need to tweak it.

I've got ntop running (http://matureasskickers.net:3000/) and it tells me that in a massive game last night (50 players) I used 2.2 Mbps, but I don't know whether that's inbound, outbound, or the sum of both. Is there another tool better for this measurement?

I'd like to simulate lots of game traffic by flooding UDP packets out of the box (say, to my home system) to verify the bandwidth cap. What tool would be good for doing that? (The Slapper worm doesn't count! ;))
Re: [LARTC] imq problem
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 06 February 2003 18:23, Robert Penz wrote:

argh, found my mistake, I've forgotten the "IMQ target support"

- --
Regards,
Robert
- ---
Robert Penz
robert.penz AT outertech.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+Qp538tTsQqJDUBMRAplUAKCiMFEZPNyOKvm6SC/R1HDwVxeMhQCeNdPp
GcC6g4BOhV3EDuCsjBXkMbg=
=08Sq
-----END PGP SIGNATURE-----
[LARTC] Re: API using cbq / tc ?
On Thursday 06 February 2003 14:08, Srikanth wrote:
> Hi!
>
> I'm developing some API functions using cbq / tc (for GUI based BW
> Management)
>
> By two approaches i can do this,
>
> 1. By executing cbq.init script (which is executable) using some system
> calls like execv etc.
> Are there any problems by doing so?
>
> OR
>
> 2. Directly using iproute2/tc source code with slight modifications.
>
> So, which option is better?
>
> Are there any other solutions, please welcome.

tcng? http://tcng.sourceforge.net/

Stef
--
[EMAIL PROTECTED]
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Re: [LARTC] most out of qos
I don't really see your reasoning here. Of course my ISP has no "control" of the data that other people are sending me, but if the sending party could do egress filtering on their nearest router on the path to reach me, my ISP should be able to do the same? The difference between my ISP doing egress filtering and me doing egress filtering is that if the ISP would do it, the data is yet to enter the bottleneck in the path and could be buffered there. Was this what you meant?

thanks,
tomas

On Thu, Feb 06, 2003 at 06:22:04PM +0100, Stef Coene wrote:
> On Thursday 06 February 2003 18:11, Tomas Bonnedahl wrote:
> > hm, the only way i see how to really get a hold on downloads is egress
> > filtering on the isp side.
> Even that's too late. The isp has no control on the data that people are
> sending to you.
>
> > ingress filtering here is just waste of time? partly because, what stef
> > also said, the data is already received, so i can get the same effect with
> > egress filtering on the internal interface of the fw, and partly because
> > ingress filtering in linux is not well functioning?
> You can get the same effect. And ingress shaping works, but it's not so
> powerful.
>
> Stef
>
> --
>
> [EMAIL PROTECTED]
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.oftc.net
[LARTC] imq problem
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

I've been running imq on some servers and it works everywhere except the new machine I'm just trying to set up. On that machine I get this:

tsunami:/usr/src# iptables -t mangle -A PREROUTING -i eth0 -j IMQ
iptables: No chain/target/match by that name

For testing I've added a 1 and get this:

tsunami:/usr/src# iptables -t mangle -A PREROUTING -i eth0 -j IMQ1
iptables v1.2.6a: Couldn't load target `IMQ1':/lib/iptables/libipt_IMQ1.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.

Here is what I've done plus an strace. I don't have a clue what I did wrong; it works on another debian woody machine so it can't be a dist. problem.

tsunami:/usr/src# tar xvzf libipt_IMQ-1.2.6a.tar.gz -C /lib/iptables
libip6t_IMQ.so
libipt_IMQ.so

tsunami:/usr/src# strace iptables -t mangle -A PREROUTING -i eth0 -j IMQ
execve("/sbin/iptables", ["iptables", "-t", "mangle", "-A", "PREROUTING", "-i", "eth0", "-j", "IMQ"], [/* 16 vars */]) = 0
uname({sys="Linux", node="tsunami", ...}) = 0
brk(0)                                  = 0x8056a5c
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=7340, ...}) = 0
old_mmap(NULL, 7340, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40014000
close(3)                                = 0
open("/lib/libdl.so.2", O_RDONLY)       = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0T\27\0\000"..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0644, st_size=8008, ...}) = 0
old_mmap(NULL, 11004, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40016000
mprotect(0x40018000, 2812, PROT_NONE)   = 0
old_mmap(0x40018000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1000) = 0x40018000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\30\222"..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=1153784, ...}) = 0
old_mmap(NULL, 1166560, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40019000
mprotect(0x4012c000, 40160, PROT_NONE)  = 0
old_mmap(0x4012c000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x113000) = 0x4012c000
old_mmap(0x40132000, 15584, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40132000
close(3)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40136000
munmap(0x40014000, 7340)                = 0
brk(0)                                  = 0x8056a5c
brk(0x8056a8c)                          = 0x8056a8c
brk(0x8057000)                          = 0x8057000
open("/lib/iptables/libipt_IMQ.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\4\0\000"..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0775, st_size=3815, ...}) = 0
old_mmap(NULL, 6076, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40014000
mprotect(0x40015000, 1980, PROT_NONE)   = 0
old_mmap(0x40015000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x40015000
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
getsockopt(3, SOL_IP, 0x40 /* IP_??? */, [1735287149], [84]) = 0
brk(0x8058000)                          = 0x8058000
getsockopt(3, SOL_IP, 0x41 /* IP_??? */, [1735287149], [2340]) = 0
brk(0x8059000)                          = 0x8059000
setsockopt(3, SOL_IP, 0x40 /* IP_??? */, [1735287149], 2544) = -1 ENOSYS (Function not implemented)
setsockopt(3, SOL_IP, 0x40 /* IP_??? */, [1735287149], 2544) = -1 ENOSYS (Function not implemented)
setsockopt(3, SOL_IP, 0x40 /* IP_??? */, [1735287149], 2544) = -1 ENOENT (No such file or directory)
write(2, "iptables: No chain/target/match "..., 45iptables: No chain/target/match by that name
) = 45
_exit(1)                                = ?

And the module is loaded:

tsunami:/usr/src# lsmod
Module                  Size  Used by    Not tainted
ipt_limit                960   1  (autoclean)
ipt_REJECT              2816   1  (autoclean)
ipt_mac                  672   1  (autoclean)
ipt_LOG                 3168   2  (autoclean)
ipt_state                608   7  (autoclean)
ipt_MARK                 800   2  (autoclean)
iptable_mangle          2208   1  (autoclean)
iptable_nat            13876   0  (autoclean) (unused)
iptable_filter          1728   1  (autoclean)
imq                     1880   1
ip_conntrack_ftp        3776   0  (unused)
ip_conntrack           16652   3  [ipt_state iptable_nat ip_conntrack_ftp]
ip_tables              10400  11  [ipt_limit ipt_REJECT ipt_mac ipt_LOG ipt_state ipt_MARK iptable_mangle iptable_nat iptable_filter]
cls_fw                  2016   2  (autoclean)
sch_sfq                 3424   4  (autoclean)
sch_htb                18080   2  (autoclean)

System data: debian woody with a 2.4.20 patched with imq-2.4.18.diff-10 AND (= tried both) imq-2.4.18.diff-combo-6 (extracted the source for each patch
Re: [LARTC] most out of qos
On Thursday 06 February 2003 18:11, Tomas Bonnedahl wrote:
> hm, the only way i see how to really get a hold on downloads is egress
> filtering on the isp side.

Even that's too late. The ISP has no control over the data that people are sending to you.

> ingress filtering here is just waste of time? partly because, what stef
> also said, the data is already received, so i can get the same effect with
> egress filtering on the internal interface of the fw, and partly because
> ingress filtering in linux is not well functioning?

You can get the same effect. And ingress shaping works, but it's not so powerful.

Stef
--
[EMAIL PROTECTED]
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Re: [LARTC] most out of qos
hm, the only way I see how to really get a hold on downloads is egress filtering on the ISP side.

Ingress filtering here is just a waste of time? Partly because, as Stef also said, the data is already received, so I can get the same effect with egress filtering on the internal interface of the fw, and partly because ingress filtering in Linux is not well functioning?

thanks,
tomas

On Thu, Feb 06, 2003 at 11:01:08AM -0600, Martin A. Brown wrote:
> : > I'd suggest that Tomas throttles his bandwidth on transmit to the internal
> : > network. It is a router, so very little traffic will be initiated from
> : > the router itself.
> : > Why not perform traffic control on packets transmitted to the Internet on
> : > the outward facing NIC.
> : > Then perform traffic control on packets received from the Internet on the
> : > inward facing NIC.
> : > What's wrong with this?
> : Euh nothing :)
> : But you have the same problem. You are controlling already received data. So
> : you can only hope that the other end of the link stops sending data if you
> : drop packets.
>
> Well, slap me with a wet fish! That's pretty obvious.
>
> (Martin, neophyte with traffic control, returns to routing.)
>
> Thanks, Stef,
>
> -Martin
>
> --
> Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]
Re: [LARTC] most out of qos
: > I'd suggest that Tomas throttles his bandwidth on transmit to the internal
: > network. It is a router, so very little traffic will be initiated from
: > the router itself.
: > Why not perform traffic control on packets transmitted to the Internet on
: > the outward facing NIC.
: > Then perform traffic control on packets received from the Internet on the
: > inward facing NIC.
: > What's wrong with this?
: Euh nothing :)
: But you have the same problem. You are controlling already received data. So
: you can only hope that the other end of the link stops sending data if you
: drop packets.

Well, slap me with a wet fish! That's pretty obvious.

(Martin, neophyte with traffic control, returns to routing.)

Thanks, Stef,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]
Re: [LARTC] most out of qos
On Thursday 06 February 2003 17:49, Martin A. Brown wrote:
> Stef,
>
> Am I overlooking something obvious?
>
> I'd suggest that Tomas throttles his bandwidth on transmit to the internal
> network. It is a router, so very little traffic will be initiated from
> the router itself.
>
> Why not perform traffic control on packets transmitted to the Internet on
> the outward facing NIC.
>
> Then perform traffic control on packets received from the Internet on the
> inward facing NIC.
>
> What's wrong with this?

Euh nothing :)

But you have the same problem. You are controlling already received data. So you can only hope that the other end of the link stops sending data if you drop packets.

Stef

> -Martin
>
> : > well, if tcp throttles down at the point where packets are dropped is
> : > of course good, but still, when a download is peaking at the maximum
> : > speed minus a couple kbits, the delay is terrible, that's what i want
> : > to change. any idea?
> :
> : You can give the download 98% of the link so there is always 2%
> : available for something else. It also helps to throttle down _all_
> : incoming bandwidth to 99% of your link so _you_ are shaping and not your
> : router.
> :
> : Stef
> :
> : > > > it is a 2mbit fiber stub network which looks pretty much like
> : > > > this:
> : > > >
> : > > > lan - router - fw - isp - internet
> : > > >
> : > > > the egress qos is at the moment at the router which pretty much
> : > > > says "prioritize interactive sessions".

--
[EMAIL PROTECTED]
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Re: [LARTC] most out of qos
Stef,

Am I overlooking something obvious?

I'd suggest that Tomas throttles his bandwidth on transmit to the internal network. It is a router, so very little traffic will be initiated from the router itself.

Why not perform traffic control on packets transmitted to the Internet on the outward facing NIC.

Then perform traffic control on packets received from the Internet on the inward facing NIC.

What's wrong with this?

-Martin

: > well, if tcp throttles down at the point where packets are dropped is of
: > course good, but still, when a download is peaking at the maximum speed
: > minus a couple kbits, the delay is terrible, that's what i want to change.
: > any idea?
: You can give the download 98% of the link so there is always 2% available for
: something else. It also helps to throttle down _all_ incoming bandwidth to
: 99% of your link so _you_ are shaping and not your router.
:
: Stef
:
: > > > it is a 2mbit fiber stub network which looks pretty much like this:
: > > >
: > > > lan - router - fw - isp - internet
: > > >
: > > > the egress qos is at the moment at the router which pretty much says
: > > > "prioritize interactive sessions".

--
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]
Re: [LARTC] most out of qos
On Thursday 06 February 2003 17:29, Tomas Bonnedahl wrote:
> ok, thanks, one question though, you mean that i should use "regular"
> ingress qos?
>
> this could raise some problems since i want to shape both traffic entering
> at a physical interface and traffic entering at a virtual ipsec interface.
> do you have any experience from this particular situation?

No

Stef
--
[EMAIL PROTECTED]
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Re: [LARTC] most out of qos
ok, thanks, one question though, you mean that I should use "regular" ingress qos?

This could raise some problems since I want to shape both traffic entering at a physical interface and traffic entering at a virtual ipsec interface. Do you have any experience from this particular situation?

thanks,
tomas

On Thu, Feb 06, 2003 at 05:23:27PM +0100, Stef Coene wrote:
> On Wednesday 05 February 2003 22:28, Tomas Bonnedahl wrote:
> > well, if tcp throttles down at the point where packets are dropped is of
> > course good, but still, when a download is peaking at the maximum speed
> > minus a couple kbits, the delay is terrible, that's what i want to change.
> > any idea?
> You can give the download 98% of the link so there is always 2% available for
> something else. It also helps to throttle down _all_ incoming bandwidth to
> 99% of your link so _you_ are shaping and not your router.
>
> Stef
>
> > regards,
> >
> > tomas bonnedahl
> >
> > On Wed, Feb 05, 2003 at 10:13:27PM +0100, Stef Coene wrote:
> > > On Wednesday 05 February 2003 16:44, Tomas Bonnedahl wrote:
> > > > to get most out of qos in general, would the best thing be to set up
> > > > qos on both ends of a bottleneck with both ingress and egress
> > > > filtering? the reason for asking is because we have a 2mbit connection
> > > > with egress filtering qos, the problem is that we experience more
> > > > downloads compared to uploads and therefore the egress filtering doesn't
> > > > provide much help.
> > > >
> > > > what we could do is to get ingress filtering on our side here, but i
> > > > don't know how much that would help really, the data has already passed
> > > > the bottleneck in the path. so, my question, would i experience any
> > > > different delay if adding ingress filtering?
> > >
> > > Yes. A tcp connection will throttle down if you drop packets. But this
> > > is not the same as egress shaping.
> > >
> > > > it is a 2mbit fiber stub network which looks pretty much like this:
> > > >
> > > > lan - router - fw - isp - internet
> > > >
> > > > the egress qos is at the moment at the router which pretty much says
> > > > "prioritize interactive sessions".
> > > >
> > > > since the filtering for qos is rather simple, just telnet/ssh to a
> > > > certain host, should i contact my isp and ask them to set some egress
> > > > qos going to our network on the cisco router that is at their place?
> > > > btw, anyone know how good the qos is on cisco 2600?
> > >
> > > I have no idea how the qos works on cisco routers.
> > > Just give it a try and see what happens.
> > >
> > > Stef
> > >
> > > --
> > >
> > > [EMAIL PROTECTED]
> > > "Using Linux as bandwidth manager"
> > > http://www.docum.org/
> > > #lartc @ irc.oftc.net
>
> --
>
> [EMAIL PROTECTED]
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.oftc.net
Re: [LARTC] load balancing without NAT
On Thursday 06 February 2003 12:03, Bartek Krajnik wrote:
> I have eth0 (isp1, internet), eth1 (isp2, internet) and eth2 for my LAN
>
> eth0 (isp1)
>            \
>             Linux - eth2 (LAN)
>            /
> eth1 (isp2)
>
> I need for every connection (not packet) load balancing - TCP sessions must be kept. For example: first connection from LAN goes through eth0, second through eth1, third through eth0 ... I can't change anything on the other side of eth0 and eth1.
>
> This explains the idea (but is with NAT - I need without):
> http://www.linuxvirtualserver.org/~julian/nano.txt
As far as I know, you need NAT. So you are out of luck.

Stef
--
[EMAIL PROTECTED]
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Re: [LARTC] most out of qos
On Wednesday 05 February 2003 22:28, Tomas Bonnedahl wrote:
> well, if tcp throttles down at the point where packets are dropped is of course good, but still, when a download is peaking at the maximum speed minus a couple kbits, the delay is terrible, that's what i want to change. any idea?
You can give the download 98% of the link so there is always 2% available for something else. It also helps to throttle down _all_ incoming bandwidth to 99% of your link so _you_ are shaping and not your router.

Stef

> regards,
>
> tomas bonnedahl
>
> On Wed, Feb 05, 2003 at 10:13:27PM +0100, Stef Coene wrote:
> > On Wednesday 05 February 2003 16:44, Tomas Bonnedahl wrote:
> > > to get most out of qos in general, would the best thing be to set up qos on both ends of a bottleneck with both ingress and egress filtering? the reason for asking is because we have a 2mbit connection with egress filtering qos, the problem is that we experience most downloads compared to uploads and therefore the egress filtering doesn't provide much help.
> > >
> > > what we could do is to get ingress filtering on our side here, but i don't know how much that would help really, the data has already passed the bottleneck in the path. so, my question, would i experience any different delay if adding ingress filtering?
> >
> > Yes. A tcp connection will throttle down if you drop packets. But this is not the same as egress shaping.
> >
> > > it is a 2mbit fiber stub network which looks pretty much like this:
> > >
> > > lan - router - fw - isp - internet
> > >
> > > the egress qos is at the moment at the router which pretty much says "prioritize interactive sessions".
> > >
> > > since the filtering for qos is rather simple, just telnet/ssh to a certain host, should i contact my isp and ask them to set some egress qos going to our network on the cisco router that is at their place? btw, anyone know how good the qos is on cisco 2600?
> >
> > I have no idea how the qos works on cisco router.
> > Just give it a try and see what happens.
> >
> > Stef
> >
> > --
> > [EMAIL PROTECTED]
> > "Using Linux as bandwidth manager"
> > http://www.docum.org/
> > #lartc @ irc.oftc.net
--
[EMAIL PROTECTED]
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Re: [LARTC] interface level b/w capping using HTB
On Wednesday 05 February 2003 10:09, hm wrote:
> hi all
> the following is the setup i have done.
>
> eth0 global ip
> eth1 internal ip 10.1.1.0/24 --->>> shd be capped to max 256Kbit
> linux 8.0 with htb 3.6
Cool. Linux 8.0. Where can I download it? I thought they were working on getting 2.5.x stable and now they are already at 8.0 :)
> tc qdisc add dev eth1 root handle 1:0 htb default 2
> tc class add dev eth1 parent 1:0 classid 1:1 htb rate 250Kbit ceil 250Kbit
> tc class add dev eth1 parent 1:1 classid 1:2 htb rate 128Kbit ceil 250Kbit
Why rate = 158 Kbit ??
> then i created leaves from 1:5 to 1:50 each getting 16Kbit and ceil 20Kbit, a range of 50 ips
> e.g.
> tc class add dev eth1 parent 1:2 classid 1:5 htb rate 16Kbit ceil 20Kbit
> tc filter add dev eth1 parent 1:0 protocol ip pref 5 u32 match ip dst 10.1.1.5/32 flowid 1:5
>
> like that
>
> although for some time this setup works fine but suddenly it goes totally unbounded. i have gone thru the pages at docum.org and found out that if the sum of child classes exceeds the parent rate then the parent rate is not respected.
>
> then what shd i do if i have to cap outgoing b/w on eth1 strictly to 256Kbit only. hope to get an early response.
Solution is easy. Make sure sum of child rates = parent rate. So if you have 45 classes (from 1:5 to 1:50) and a total rate of 256kbit, then use rate = 256kbit/45.

Stef
--
[EMAIL PROTECTED]
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
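The rule in the reply (leaf rates must add up to the parent rate) carried through as a script. This is an added example, not code from the post or from docum.org: it divides the 256 kbit cap evenly over the leaves in bit/s, refuses to print anything if the leaves would claim more than the parent, and otherwise prints the tc commands for review instead of running them. The one-leaf-per-host mapping (class 1:N for 10.1.1.N, N from 5 to 50), the class ids and the extra catch-all leaf 1:51 used as the HTB default class are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the post or from docum.org: build an HTB
# tree for eth1 whose leaf rates add up to the 256 kbit parent rate, as
# the reply recommends. Commands are printed for review, not executed.
# Assumptions: one leaf per host, class 1:N <-> 10.1.1.N for N in 5..50,
# plus one catch-all leaf (1:51) that serves as the HTB default class.

PARENT_KBIT=256      # hard cap on eth1 egress, from the post
FIRST=5              # first host / leaf class (10.1.1.5 -> 1:5)
LAST=50              # last host / leaf class (10.1.1.50 -> 1:50)
LEAF_CEIL=20kbit     # per-host ceiling, from the post

# Guaranteed rate per leaf in bit/s (parent rate divided evenly over all
# leaves); working in bit/s keeps the remainder that kbit rounding loses.
htb_leaf_rate() {
    parent_kbit=$1; nleaves=$2
    echo $(( parent_kbit * 1000 / nleaves ))
}

# Total rate the leaves will claim from the parent, in bit/s.
htb_children_sum() {
    leaf_bit=$1; nleaves=$2
    echo $(( leaf_bit * nleaves ))
}

# Print the tc commands. Fails instead of printing if the leaf rates
# would exceed the parent, which is the case the thread warns about.
htb_emit() {
    dev=$1
    dflt=$(( LAST + 1 ))                   # catch-all leaf class id
    nleaves=$(( LAST - FIRST + 2 ))        # host leaves + catch-all leaf
    leaf=$(htb_leaf_rate "$PARENT_KBIT" "$nleaves")
    sum=$(htb_children_sum "$leaf" "$nleaves")
    if [ "$sum" -gt $(( PARENT_KBIT * 1000 )) ]; then
        echo "leaf rates ($sum bit) exceed parent rate" >&2
        return 1
    fi
    echo "tc qdisc add dev $dev root handle 1:0 htb default $dflt"
    echo "tc class add dev $dev parent 1:0 classid 1:1 htb rate ${PARENT_KBIT}kbit ceil ${PARENT_KBIT}kbit"
    i=$FIRST
    while [ "$i" -le "$LAST" ]; do
        echo "tc class add dev $dev parent 1:1 classid 1:$i htb rate ${leaf}bit ceil $LEAF_CEIL"
        echo "tc filter add dev $dev parent 1:0 protocol ip pref 5 u32 match ip dst 10.1.1.$i/32 flowid 1:$i"
        i=$(( i + 1 ))
    done
    echo "tc class add dev $dev parent 1:1 classid 1:$dflt htb rate ${leaf}bit ceil $LEAF_CEIL"
}

# Print the tc script when invoked as: sh thisfile.sh print
if [ "${1:-}" = "print" ]; then
    htb_emit eth1
fi
```

With 46 host leaves plus the catch-all leaf, each leaf gets 256000/47 = 5446 bit/s and the leaves together claim 255962 bit/s, just under the parent; the ceil of 20 kbit from the post still lets a single host borrow when the others are idle. Pipe the printed commands to sh as root once they have been checked.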
Re: [LARTC] to classify non-IP packet???
I have successfully classified QRoute packets from IP packets by adding {0x8000, "qroute"} to /iproute2/lib/ll_protocol.c and making iproute2 again, then using:

  tc filter add dev eth0 parent 1: prio 5 protocol qroute u32 match u8 0x00 0x00 at 0 flowid 1:10

It will classify all the qroute packets to flow 1:10. Now I want to further classify QRoute packets according to the first 2 bytes of the packet. I have tried to use

  tc filter add dev eth0 parent 1: prio 6 protocol qroute u32 match u8 0x40 0xff at 0 flowid 1:20

but it doesn't work! Anyone know how to do it?

- Original Message -
From: "Liu Zhiyong" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 05, 2003 11:24 AM
Subject: [LARTC] to classify non-IP packet???

> I implemented a new network protocol (called QRoute), the Eth protocol code is 0x8000 (for unicast) and 0x8001 (for multicast), and there are 2 kinds of QRoute packets: data packets (the first 2 bytes are 0x40), and control packets (the first 2 bytes are 0x00, 0x10, 0x20 or 0x30). There are 3 kinds of packets in the network: IP packets, Qroute (including unicast and multicast) data packets, and Qroute control packets. I want to classify these 3 kinds of packets, how can I do it? I tried to use:
>
>   tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match u16 0x8000 0x at -2 flowid 1:10
>
> to classify the Qroute unicast packets, but it doesn't work. There is a protocol called "802.1Q" whose Eth protocol code is 0x8001 (it can be found in "iproute2/lib/lI_proto.c"), so I tried to use
>
>   tc filter add dev eth0 parent 1:0 protocol 802.1Q prio 1 u32 match u16 0x8000 0x at -2 flowid 1:10
>
> and it works. But it can't further classify the packets according to the first 2 bytes! And I tried to add protocol {0x8000, "QRoute"} in "iproute2/lib/lI_proto.c" and compiled the iproute2 package again, then tried
>
>   tc filter add dev eth0 parent 1:0 protocol QRoute prio 1 u32 match u16 0x8000 0x at -2 flowid 1:10
>
> it still doesn't work! Anyone can help me? Thanks very much
[LARTC] iptables : Incoming mail and ping problem
Diff between File I ( iptablesRC ) and File II (iptablesRC.2). File I works for incoming mail. File II does not for incoming mail, neither does pinging to this server to its external interface NIC IP. I could not figure out what the difference in these port allowing, reject or accept commands which are keeping the in-coming mail from coming on a RH Linux 7.3. Please help. Thanks. -- [shossain@mohican shossain]$ diff /home/admin/firewall/iptablesRC /home/admin/firewall/iptablesRC.2 | more162c162< $IPTABLES -A allowed -p TCP -j REJECT---> $IPTABLES -A allowed -p TCP -j DROP185,187c185,187< $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1503 -j allowed< $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3389 -j allowed< $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5001:65535 -j allowed---> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1500:65535 -j allowed192,200c192,200< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 22 -j ACCEPT< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 25 -j ACCEPT< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 42 -j ACCEPT< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 80 -j ACCEPT< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 113 -j ACCEPT< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 143 -j ACCEPT< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 174 -j ACCEPT< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 443 -j ACCEPT< $IPTABLES -A tcp_packets -p TCP -s 0/0 --source-port 5001:65535 -j ACCEPT---> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 22 -j ACCEPT> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 25 -j ACCEPT> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 42 -j ACCEPT> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 80 -j ACCEPT> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 113 -j ACCEPT> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 143 -j ACCEPT> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 174 -j ACCEPT> $IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 443 -j ACCEPT> 
$IPTABLES -A tcp_packets -p TCP -s 0/0 --sport 1500:65535 -j ACCEPT262d261<268d266<
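Review bot: none of the visible hunks touches what the report says broke, so the two deletions at 262d261 and 268d266, whose removed lines are not shown in the diff, are the first place to look: nothing here changes a destination-port 25 rule or any ICMP rule, yet those are the two things that stopped working. Of what is visible, the 162c162 change of `$IPTABLES -A allowed -p TCP -j REJECT` to `-j DROP` only alters the failure mode, from an immediate reset to a silent timeout, which is exactly what a sender retrying mail or a ping with no reply looks like, so it is worth logging what reaches the end of `allowed` before deciding between the two. The 185,187c185,187 hunk replaces `--dport 1503`, `--dport 3389` and `--dport 5001:65535` with a single `--dport 1500:65535`, which accepts new connections to every port from 1500 upward from anywhere, a much wider exposure than the three ranges it replaces. The 192,200c192,200 hunk is functionally a no-op (`--source-port` and `--sport` are the same option) apart from its last line widening 5001:65535 to 1500:65535; and since all nine rules ACCEPT on source port alone, a connection is let in purely on the client's choice of source port, which a `-m state --state ESTABLISHED,RELATED` match replaces without that weakness.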
Re: [LARTC] cbq.init for one port on a subnet
Hi!

I've tried with the config file

  DEVICE=eth0,10Mbit,1Mbit
  RATE=100Kbit
  WEIGHT=10Kbit
  PRIO=5
  RULE=192.168.0.160/27:6699

only. It works fine for me. Find the stats for the same hereunder,

  # ./cbq.init-v0.7.1 start
  192.168.0.160/27:6699: match ip dst 192.168.0.160/27 match ip dport 6699 0x

  # ./cbq.init-v0.7.1 stats
  ### eth0: queueing disciplines
  qdisc tbf 5: rate 100Kbit burst 10Kb lat 488.3ms
   Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  qdisc cbq 1: rate 10Mbit (bounded,isolated) prio no-transmit
   Sent 1924 bytes 28 pkts (dropped 0, overlimits 0)
   borrowed 0 overactions 0 avgidle 624 undertime 0

  ### eth0: traffic classes
  class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit
   Sent 1924 bytes 28 pkts (dropped 0, overlimits 0)
   borrowed 0 overactions 0 avgidle 624 undertime 0
  class cbq 1:5 parent 1: leaf 5: rate 100Kbit (bounded) prio 5
   Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
   borrowed 0 overactions 0 avgidle 1.79878e+06 undertime 0

  ### eth0: filtering rules
  filter parent 1: protocol ip pref 100 u32
  filter parent 1: protocol ip pref 100 u32 fh 800: ht divisor 1
  filter parent 1: protocol ip pref 100 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:5
    match c0a800a0/ffe0 at 16
    match 1a2b/ at 20

reg,
Srikanth.

On Wednesday 05 February 2003 09:30 pm, you wrote:
> Hi, Thanks for the quick reply. I tried that and got an error message when I started cbq.
> -
> What is "ff"?
> Usage: ... u32 [ match SELECTOR ... ] [ link HTID ] [ classid CLASSID ]
>    [ police POLICE_SPEC ] [ offset OFFSET_SPEC ]
>    [ ht HTID ] [ hashkey HASHKEY_SPEC ]
>    [ sample SAMPLE ]
> or u32 divisor DIVISOR
>
> Where: SELECTOR := SAMPLE SAMPLE ...
>    SAMPLE := { ip | ip6 | udp | tcp | icmp | u{32|16|8} } SAMPLE_ARGS
>    FILTERID := X:Y:Z
> --
>
> If you can help me I'd really appreciate it.
>
> Thanks again,
>
> Scott
>
> > Sub:[LARTC] cbq init for one port on a subnet
> >
> > Hello,
> >
> > We use cbq.init to limit bandwidth. It works great on a per-user basis.
> > Now I'd like to limit traffic from a netblock to the Internet on port 6699.
> >
> > Network is 192.168.0.160 mask 255.255.255.224
> > eth0 is the gateway
> > eth1 connects the netblock in question
> >
> > Is this the proper syntax;
> >
> > DEVICE=eth0,10Mbit,1Mbit
> > RATE=100Kbit
> > WEIGHT=10Kbit
> > PRIO=5
> > RULE=6699 192.168.0.160/27,
> >
> > Thanks!
> >
> > Scott
> >
> > Hi! Scott,
> >
> > Your Config. file s'd be
> >
> > DEVICE=eth0,10Mbit,1Mbit
> > RATE=100Kbit
> > WEIGHT=10Kbit
> > PRIO=5
> > RULE=192.168.0.160/27:6699
> >
> > like this & try.
> >
> > Good Luck.
> >
> > Srikanth.
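How the RULE value in the working config above turns into the two u32 keys that the stats output shows, as an added example that is not part of cbq.init or of the thread: the functions below convert `192.168.0.160/27:6699` into the hex value/mask pairs tc prints for `match ip dst` (offset 16 of the IP header) and `match ip dport` (the port word at offset 20), and also into the equivalent filter written directly with tc. The device eth0, pref 100 and flowid 1:5 are taken from the stats output; the 0xffff port mask and full 32-bit address mask are what tc applies for those selectors, and the rule value is the one from the post.

```shell
#!/bin/sh
# Added example, not part of cbq.init or of the thread: derive the u32
# keys that tc shows in the stats output from a cbq.init RULE value of
# the form dst-net/prefix:port, and print the hand-written tc equivalent.
# dev eth0, prio 100 and flowid 1:5 are taken from the stats output in the
# post; the masks are the ones tc uses for "match ip dst"/"match ip dport".

# Dotted-quad IPv4 address -> 8 hex digits (network byte order).
ip_to_hex() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '%02x%02x%02x%02x' "$1" "$2" "$3" "$4"
}

# Prefix length -> 32-bit netmask as 8 hex digits (4294967295 = 0xffffffff).
prefix_to_mask() {
    printf '%08x' $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Destination-network key: bytes 16..19 of the IP header hold the
# destination address, so the key is value/mask "at 16".
u32_dst_key() {
    net=${1%/*}; len=${1#*/}
    echo "match $(ip_to_hex "$net")/$(prefix_to_mask "$len") at 16"
}

# Destination-port key: with no IP options the 32-bit word at offset 20 is
# source port (high 16 bits) and destination port (low 16 bits), so tc
# masks it with 0000ffff.
u32_dport_key() {
    echo "match $(printf '%08x' "$1")/0000ffff at 20"
}

# Both keys for one RULE value, in the order tc prints them.
cbq_rule_keys() {
    port=${1##*:}; dst=${1%:*}
    echo "$(u32_dst_key "$dst") $(u32_dport_key "$port")"
}

# The same rule written directly with tc (what cbq.init does for you).
cbq_rule_to_tc() {
    port=${1##*:}; dst=${1%:*}
    echo "tc filter add dev eth0 parent 1: protocol ip prio 100 u32 match ip dst $dst match ip dport $port 0xffff flowid 1:5"
}

cbq_rule_keys 192.168.0.160/27:6699
cbq_rule_to_tc 192.168.0.160/27:6699
```

For the rule in the post this prints `match c0a800a0/ffffffe0 at 16 match 00001a2b/0000ffff at 20`: 192.168.0.160 is c0.a8.00.a0, a /27 is the mask ffffffe0, and 6699 is 0x1a2b. The first attempt in the quoted message, `RULE=6699 192.168.0.160/27,`, has the two halves reversed and no colon, which is why cbq.init fed tc something it could not parse.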
[LARTC] API using cbq / tc ?
Hi!

I'm developing some API functions using cbq / tc (for GUI based BW Management). I can do this by two approaches:

1. By executing the cbq.init script (which is executable) using some system calls like execv etc. Are there any problems by doing so?

OR

2. Directly using the iproute2/tc source code with slight modifications.

So, which option is better? Are there any other solutions? Please welcome.

thanks & regards,
Srikanth.
[LARTC] Strange routing limitations and workaround
Hi!

I got some strange problem with routing loadbalancing. I cannot get the full speed from my ISPs until I get some big files from a close ftp server.

I have a server with one connection to the internal network and 3 to ISPs:

                    __________
                   |      eth1| ISP1
                   |          |
  internal ------|eth0  eth2| ISP2
  net            |          |
  (~300          |      eth3| ISP3
  hosts)         |__________|

I have done everything as described in LARTC, chapter 4.2. The main rule looks like that (the weight reflects link speed/100):

  ip route add default scope global \
    nexthop via $ISP1_GATEWAY dev eth1 weight 12 \
    nexthop via $ISP2_GATEWAY dev eth2 weight 10 \
    nexthop via $ISP3_SPRINT_GATEWAY dev eth3 weight 20

Total bandwidth available is 4.2 Mbit. After I restart the server I can get 2.0Mbit maximum, with the first link 5% utilized, and the second link and the third about 50%. When I get some big files from a close ftp server (4 x linux kernel = ~80MB) the links start to work normally, reaching 75-100% utilization. All those big files go via the first link.

Can someone possibly explain that and teach me how to get full speed without such shamanism?

Szymon Miotk
Re: [LARTC] HTB with two interfaces ??
Venci wrote:
> Hi all
> I have linux 2.4.20 with 3 NIC.
> eth0 is the internet interface (10Mbit full duplex)
> eth1 the internal interface (100Mbit full duplex)
> eth2 the internal interface (100Mbit full duplex)
>
> How to shape the network?
> i want unused bandwidth from one internal interface to be shared to the other one.
> For example some CEIL value for the two interfaces?
Hi, there,

Personally I'm not aware of any way to combine queues of two or more interfaces. Maybe you can use the IMQ device on the eth0 interface, thus shaping only Internet traffic, and then - everything else based on src/dst address?

Start here: http://luxik.cdi.cz/~patrick/imq/

Hth,
Nickola
Re: [LARTC] Complicated Route Statement
On Wed, 5 Feb 2003, Mike Nielsen wrote:

On Lan A type
  route add -net 198.185.204.0 netmask 255.255.255.0 gw 192.168.24.1

On Lan B type
  route add -net 198.185.204.0 netmask 255.255.255.0 gw 192.168.24.2

On the Cisco type
  ip route 192.168.24.128 255.255.255.192 192.168.24.1

> Hi there.
>
> I am having trouble coming up with a routing statement for the following
>
> Lan A is connected to Lan B via a Freeswan site to site VPN
>
> On Lan B there is a cisco router which handles traffic for an IP address.
>
> I need to find a way to have traffic to this other machine routed through the IPsec tunnel, to the Cisco.
>
> Here's a crappy ascii art diagram to help explain
>
>   Lan A
>   192.168.24.128/26
>   192.168.24.130 iproute2 Firewall and VPN machine
>         |
>         | IPsec Tunnel
>         |
>   Lan B
>   192.168.24.1 Iproute2 Firewall and VPN machine
>   192.168.24.0/26 --- 192.168.24.2 Cisco Router <--> 198.185.204.0/24
>
> So basically I need a route statement that says
>
> route any traffic to 198.185.204.0/24 to 192.168.24.2 Via 192.168.24.2
>
> ??
>
> Any help you all could give would be greatly appreciated

--
Matthew S. Crocker
Vice President / Internet Division       Email: [EMAIL PROTECTED]
Crocker Communications                   Phone: (413) 746-2760
PO BOX 710                               Fax:   (413) 746-3704
Greenfield, MA 01302-0710                http://www.crocker.com
[LARTC] HTB with two interfaces ??
Hi all

I have linux 2.4.20 with 3 NIC.
eth0 is the internet interface (10Mbit full duplex)
eth1 the internal interface (100Mbit full duplex)
eth2 the internal interface (100Mbit full duplex)

How to shape the network?
i want unused bandwidth from one internal interface to be shared to the other one.
For example some CEIL value for the two interfaces?
[LARTC] load balancing without NAT
I have eth0 (isp1, internet), eth1 (isp2, internet) and eth2 for my LAN

eth0 (isp1)
           \
            Linux - eth2 (LAN)
           /
eth1 (isp2)

I need for every connection (not packet) load balancing - TCP sessions must be kept. For example: first connection from LAN goes through eth0, second through eth1, third through eth0 ... I can't change anything on the other side of eth0 and eth1.

This explains the idea (but is with NAT - I need without):
http://www.linuxvirtualserver.org/~julian/nano.txt

--
GPG-Key: http://www.bartek.bicom.pl/public_key.txt
pub  1024D/948DE45D 2002-12-12 Bartek Krajnik <[EMAIL PROTECTED]>
     Primary key fingerprint: 95E9 8E2D 1801 7864 2244 6EAA 03E5 764D 948D E45D
Re: [LARTC] most out of qos
yes, thanks for the idea, the reason i did not think of implementing this is that i cannot see how it would help, the data has already passed the bottleneck with no particular qos with regard to interactive sessions, which should mean, if i did egress on the fw's internal interface, that the ssh/telnet data would come in bursts from the fw to the host. what i mean is this, i will try to illustrate it, (this is if the egress on the fw would be implemented);

data (most bulk traffic, some interactive session too) from the isp -> fw (buffer the bulk traffic, prioritize the session traffic) -> router and lan

this in turn would mean that after sending the session traffic the fw would send the bulk traffic in its buffer. meanwhile the fw has received additional session and bulk traffic, and so on. maybe i'm missing something here?

thanks,
tomas

On Thu, Feb 06, 2003 at 09:55:37AM +0100, Rob Rankin wrote:
> Stick an egress filter on the LAN side of the firewall, and use it to control the *inbound* data from your ISP (downloads pass through the firewall and become *outbound* traffic on the LAN side / interface).
>
> Old style Ingress filtering in Linux is horrible. It's a blanket rule stating "if the bw gets above X, drop packets" with no real filtering capability.
>
> Using an egress filter on the opposite side of the firewall from the traffic flow does actually work, although I'm not entirely sure it's a "supported" configuration. For what it's worth, I have it set up exactly as I am suggesting on my firewalls, and it does actually work. Peak downloads are slowed down, interactive sessions do get higher priority, etc.
>
> The other alternative would be to use the IMQ logical network device, which allows the use of HTB for both ingress and egress filtering. I plan on moving to this type of setup as soon as I have a maintenance window long enough to drop the firewalls and bring them up to date with the new tools / patches necessary.
>
> Cheers, hope this was of some help.
>
> On Wed, 2003-02-05 at 22:28, Tomas Bonnedahl wrote:
> > well, if tcp throttles down at the point where packets are dropped is of course good, but still, when a download is peaking at the maximum speed minus a couple kbits, the delay is terrible, that's what i want to change. any idea?
> >
> > regards,
> >
> > tomas bonnedahl
> >
> > On Wed, Feb 05, 2003 at 10:13:27PM +0100, Stef Coene wrote:
> > > On Wednesday 05 February 2003 16:44, Tomas Bonnedahl wrote:
> > > > to get most out of qos in general, would the best thing be to set up qos on both ends of a bottleneck with both ingress and egress filtering? the reason for asking is because we have a 2mbit connection with egress filtering qos, the problem is that we experience most downloads compared to uploads and therefore the egress filtering doesn't provide much help.
> > > >
> > > > what we could do is to get ingress filtering on our side here, but i don't know how much that would help really, the data has already passed the bottleneck in the path. so, my question, would i experience any different delay if adding ingress filtering?
> > > Yes. A tcp connection will throttle down if you drop packets. But this is not the same as egress shaping.
> > >
> > > > it is a 2mbit fiber stub network which looks pretty much like this:
> > > >
> > > > lan - router - fw - isp - internet
> > > >
> > > > the egress qos is at the moment at the router which pretty much says "prioritize interactive sessions".
> > > >
> > > > since the filtering for qos is rather simple, just telnet/ssh to a certain host, should i contact my isp and ask them to set some egress qos going to our network on the cisco router that is at their place? btw, anyone know how good the qos is on cisco 2600?
> > > I have no idea how the qos works on cisco router.
> > > Just give it a try and see what happens.
> > >
> > > Stef
> > >
> > > --
> > > [EMAIL PROTECTED]
> > > "Using Linux as bandwidth manager"
> > > http://www.docum.org/
> > > #lartc @ irc.oftc.net
> --
> Rob Rankin
> [EMAIL PROTECTED]
> http://undertow.ca
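Rob's placement (shape on the LAN-side interface of the firewall, where downloads are egress traffic) combined with Stef's numbers from earlier in this thread (everything throttled to 99% of the link so this box queues instead of the ISP router, downloads limited to 98%), as an added example that is not code from either poster: the script prints an HTB tree for the 2 Mbit link with a bulk class and a higher-priority class for ssh/telnet that may borrow up to the cap. eth1 as the LAN-side interface, the class ids and the exact split between the two classes are my assumptions.

```shell
#!/bin/sh
# Added example, not code from either poster: an HTB tree on the LAN-side
# interface of the firewall (Rob's placement) using Stef's numbers from
# earlier in the thread: everything capped at 99% of the 2 Mbit link so
# this box queues instead of the ISP router, downloads limited to 98%,
# and ssh/telnet in a higher-priority class that may borrow up to the cap.
# Assumptions: eth1 is the LAN-side interface; class ids and the exact
# split are mine. Commands are printed for review, not executed.

LINK_KBIT=2000       # the 2 Mbit link from the thread
LAN_DEV=eth1         # assumed LAN-side interface of the firewall

# kbit corresponding to a percentage of the link rate
pct_kbit() { echo $(( $1 * $2 / 100 )); }

lanside_shaper() {
    dev=$1; link=$2
    total=$(pct_kbit "$link" 99)     # shape just below the physical rate
    bulk=$(pct_kbit "$link" 98)      # downloads may use at most 98%
    inter=$(( total - bulk ))        # the rest is guaranteed to interactive
    echo "tc qdisc add dev $dev root handle 1: htb default 20"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate ${total}kbit ceil ${total}kbit"
    # prio 0 is served before prio 1 whenever both classes have packets;
    # the child rates (inter + bulk) add up exactly to the parent rate.
    echo "tc class add dev $dev parent 1:1 classid 1:10 htb rate ${inter}kbit ceil ${total}kbit prio 0"
    echo "tc class add dev $dev parent 1:1 classid 1:20 htb rate ${bulk}kbit ceil ${bulk}kbit prio 1"
    # ssh (22) and telnet (23) in either direction go to the interactive
    # class; everything else falls into the bulk class via "default 20".
    for p in 22 23; do
        echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip dport $p 0xffff flowid 1:10"
        echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip sport $p 0xffff flowid 1:10"
    done
}

# Print the tc script when invoked as: sh thisfile.sh print
if [ "${1:-}" = "print" ]; then
    lanside_shaper "$LAN_DEV" "$LINK_KBIT"
fi
```

Because the bulk class has ceil equal to its rate (1960 kbit), a download can never fill the 1980 kbit root, so the firewall's queue, not the ISP's router, is where packets wait, and the interactive class is always dequeued first when it has something to send. This is what lets ssh/telnet keep low latency even while the download runs at its limit; Tomas's worry about bursts above is about the case where no such queue exists on the firewall at all.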