[LARTC] u32 filter and NAT

2003-05-30 Thread Szymon Miotk
I want to limit each user in my network to have limited bandwidth (let's say 256/128 kbit).
I use NAT (done with iptables).
Can I limit users on the outgoing interface using u32 with rules like:

tc filter add dev eth0 parent 1: protocol ip prio 17 u32 match ip src 10.10.10.10 flowid 1:10

It seems I made a mistake somewhere, or NAT is done before routing and I must use iptables mangling. BTW, what is the maximum for --set-mark?

Thanks!

Szymon Miotk

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
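The approach Szymon suspects he needs (mark in iptables mangle before NAT, then classify on the mark), written out as an added example that is not from this thread, and extended to the download direction, where plain u32 on the inside interface still works. The interface names, the 10.10.10.0/24 range, the 256/128 kbit split and the pre-existing HTB root qdisc are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-user 256/128 kbit shaping on a
# Linux NAT box. Assumptions: inside interface eth1, outside interface eth0,
# each already carrying an HTB root qdisc "1:"; users live in 10.10.10.0/24.
#
# Download (Internet -> user) is shaped on eth1's egress, where the packet's
# destination is already the private address again, so plain u32 works.
# Upload (user -> Internet) is shaped on eth0's egress, which runs after
# POSTROUTING SNAT/MASQUERADE: the private source is gone by then, so
# "u32 match ip src" on eth0 never matches. iptables' mangle PREROUTING runs
# before NAT, so mark there and classify with the fw filter instead.
# Marks are 32 bits wide: --set-mark accepts 0 .. 4294967295 (0xffffffff).

INSIDE=${INSIDE:-eth1}
OUTSIDE=${OUTSIDE:-eth0}
DRY_RUN=${DRY_RUN:-1}     # default prints the commands; DRY_RUN=0 applies them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# shape_user IP MARK DOWN UP  (hypothetical helper)
# MARK is reused as the class minor only to keep names aligned; note that
# tc reads class minors as hex, so "1:10" is minor 0x10, not 10.
shape_user() {
    ip=$1; mark=$2; down=$3; up=$4
    # download: HTB class plus u32 on the destination, on the inside interface
    run tc class add dev "$INSIDE" parent 1: classid "1:$mark" htb rate "$down" ceil "$down"
    run tc filter add dev "$INSIDE" parent 1: protocol ip prio 17 u32 \
        match ip dst "$ip" flowid "1:$mark"
    # upload: mark before NAT, then HTB class plus fw filter on the outside interface
    run iptables -t mangle -A PREROUTING -i "$INSIDE" -s "$ip" -j MARK --set-mark "$mark"
    run tc class add dev "$OUTSIDE" parent 1: classid "1:$mark" htb rate "$up" ceil "$up"
    run tc filter add dev "$OUTSIDE" parent 1: protocol ip prio 17 handle "$mark" fw flowid "1:$mark"
}

# Constructed sample users. After applying, check hits with
#   tc -s class show dev eth0   and   iptables -t mangle -L PREROUTING -v -n
shape_user 10.10.10.10 10 256kbit 128kbit
shape_user 10.10.10.11 11 256kbit 128kbit
```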


Re: [LARTC] Shaping traffic over a linux bridge

2003-05-30 Thread Hugh Buchanan
I have since fixed my problem.  I am not sure if it's useful to anyone, 
but I'll briefly describe what I did to get it working.

In the end, I am not using the 'iptables' program at all.  I am using 
ebtables to mangle the packets on eth1 as they come in.  What I was 
doing before with ebtables was mostly right.. I have pretty simple 
ebtable lines that mark the packets.  Packet marks can be 32 bits.

And my shaping is very different now too.. I shape on the outside (eth0) 
interface.. I can shape incoming traffic going over the eth1 interface 
as well, although I don't need it.

I also find that cbq doesn't work too happily.. HTB works like a charm, 
and really is more useful for my application.  I ended up needing to use 
the 'tc' binary supplied by the HTB people.

I am not completely done yet.. but at the very least it works.. it is 
now just a matter of setting up all of the classes/rules for the 200+ 
MAC addresses I'll be shaping.

Hugh

Hugh Buchanan wrote:

I should add some additional comments.

I have gone through most of the LARTC archives dealing with tc.. it 
seems a lot of people have attempted this, but no one ever posts 
solutions to these things.

There are a bunch of archive posts I found somewhat helpful.
http://lists.netfilter.org/pipermail/netfilter/2002-May/034041.html
http://mailman.ds9a.nl/pipermail/lartc/2003q1/007571.html
Using those two posts, I decided to give u32 filtering a try to avoid 
the mangling confusion I have.. and it doesn't seem to change much.

Shaping works perfectly using NAT/MASQUERADE and iptables mangling.  
When I throw bridging into the mix it stops working.

I have yet to try a 2.5.x kernel.. I would prefer not to, but I 
suppose since I have no ideas right now on how to proceed, I better 
try 2.5.x.

If anyone figures this out, send me your address.. I'll send you a box 
of cookies or something.

Hugh

Hugh Buchanan wrote:

Greetings,

I am using tc/cbq to do some traffic shaping over a linux bridge.  My
system is running the 2.4.20 kernel with the latest bridge-nf and
ebtables patches.  I am also running ebtables 2.0.3 and iptables 1.2.8.
Last week, since I had yet to discover ebtables/bridging, I was testing
the shaping with a basic NAT setup using totally separate networks on
each ethernet interface.
I now have a fully functional bridge.  I was amazed to see how easy it
is!  I love it!
But now I am trying to add tc back into the mix.  I have looked at the
simple and real life examples, and a typical mark line would be
something like
ebtables -A FORWARD -p ipv4 -i eth0 -j mark --set-mark 2 --mark-target CONTINUE
So now I have two questions.

How many bits are available for marking?  On docum.org, I saw examples
for mark values up to '5', which leads me to assume that there are at
least 3 bits, meaning I can mark up to '7' (or is it '8'?).  What is the
numeric range here?
And what I am wanting to do is possible, right?  I haven't found any
real life examples for traffic shaping over a bridge yet (links
appreciated).  I have found this though:
When you create a bridge with the bridge-utils, you get a new device :
br0. You can shape traffic on this device, but you can not use iptables
to mark packets and the fw filter to use that mark. But you can use the
u32 filter.
Does this mean I need to use some other process besides normal mangling?

What it comes down to are two issues (that are almost the same).  I
don't know how to mark packets coming in from the LAN, and I don't know
which interface to bind tc to.
Here is a diagram of my setup:

64.119.201.0/24  eth1 [bridge, br0] eth0  64.119.201.1 (router)

And here is the script I am playing with.  I have tried binding tc and
ebtables and iptables to all three interfaces (eth0,eth1,br0) and it
doesn't seem to change anything.. but then again I don't know if my
packets are even being marked.  Should I be using a 2.5.x kernel instead
of the patched 2.4.20?  I need this for production use.. stability is
important.
#!/bin/sh
OUTSIDE=eth0
INSIDE=eth1
BRIDGE=br0
LAN=64.119.201.0/24
OPTION="allot 1514 maxburst 20 avpkt 1000 prio 3"
ebtables -P INPUT ACCEPT
ebtables -P OUTPUT ACCEPT
ebtables -P FORWARD ACCEPT
ebtables -F
ebtables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -t nat -F
echo Loading ebtables rules
ebtables -A FORWARD -p ipv4 -i eth1 --ip-source 64.119.201.114 -j mark --set-mark 2 --mark-target CONTINUE
ebtables -A FORWARD -p ipv4 -j mark --set-mark 1 --mark-target CONTINUE
echo Loading iptables rules
iptables -A PREROUTING -i eth1 -s $LAN -t mangle -j MARK --set-mark 1
iptables -A PREROUTING -i eth1 -t mangle -j MARK --set-mark 2
###
# i have tried $INSIDE, $OUTSIDE, and $BRIDGE here
DEV="dev $INSIDE"
RATE_TOT=10kbit
SERVERS=500kbit
SERVERS_WEIGHT=50kbit
GEN=50kbit
GEN_WEIGHT=5kbit
echo Clearing qdiscs
tc qdisc del dev br0 root
tc qdisc del dev eth0 root
tc qdisc 

[LARTC] Using routed and opening port 520

2003-05-30 Thread Carol Anne Ogdin

My Linux router (RH7.3) runs routed, and port 520 is NOT open for UDP.  The
box routes traffic between a LAN and two separate DSL-connected ISPs.

What benefits am I giving up by not having port 520 open?  What benefits
would I gain (if any) for sharing routing information with the ISPs over
the DSL connections?  What are the risks in opening that port?

Okay, it's just a newbie question, but I'm still trying to learn.

--Carol Anne




[LARTC] Kernel options for QoS

2003-05-30 Thread Mathieu MALAISE
Hello All, 

I'm new to QoS under Linux so please be indulgent 
with the following question.

I try to run tc under Linux 2.4.20, my kernel has the
following options:

CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set 
CONFIG_NETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
# CONFIG_FILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_PNP is not set   
CONFIG_NET_IPIP=m
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_INET_ECN is not set
CONFIG_SYN_COOKIES=y
[...]
# QoS and/or fair queueing
#
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CBQ=y
CONFIG_NET_SCH_HTB=y
CONFIG_NET_SCH_CSZ=y
CONFIG_NET_SCH_PRIO=y
CONFIG_NET_SCH_RED=y
CONFIG_NET_SCH_SFQ=y
CONFIG_NET_SCH_TEQL=y
CONFIG_NET_SCH_TBF=y
CONFIG_NET_SCH_GRED=y
CONFIG_NET_SCH_DSMARK=y
CONFIG_NET_SCH_INGRESS=y
CONFIG_NET_QOS=y
CONFIG_NET_ESTIMATOR=y
# CONFIG_NET_CLS is not set

but when I try to do:

[EMAIL PROTECTED] tc qdisc add dev ppp0 root tbf rate 128kbit latency 50ms burst 1540

I get this:
RTNETLINK answers: Invalid argument

syslog says:
modprobe: Can't locate module sch_tbf

If I compile it as a module, the module fails to load anyway (some unresolved 
symbols)...

Am I missing an option that should be set in the kernel .config file?

Thanks for your help,
Mathieu.



[LARTC] tc on slackware

2003-05-30 Thread Zealous
Hi friends,
I was using Red Hat before and tc was working fine,

but when I migrated to Slackware
(my version is Slackware 8.1)

and I'm giving the command below:
[EMAIL PROTECTED]:~# tc qdisc add dev eth1
RTNETLINK answers: Invalid argument
Why is it giving me this error, RTNETLINK ANSWERS: INVALID ARGUMENT ...?

Where am I wrong?
Please help.
joel


Re: [LARTC] tc on slackware

2003-05-30 Thread Martin A. Brown
Hello Zealous Joel!

 : I was using Red Hat before and tc was working fine
 : but when I migrated to Slackware
 : my version is Slackware 8.1

What release of iproute2 are you using?  (I like the most current release,
now-020116-try [1], and have had good luck with it.)

 : when I'm giving the command below:
 : [EMAIL PROTECTED]:~# tc qdisc add dev eth1
 : RTNETLINK answers: Invalid argument

This looks like a rather incomplete command to me.  What sort of qdisc are
you adding?  If you are attempting to use HTB and are using the stock
iproute2 distribution (see [1]), then you'll need Devik's patch.  You can
find this patch in the HTB distribution [2].

 : Why is it giving me this error RTNETLINK ANSWERS: INVALID ARGUMENT ...

Probably because you didn't feed it enough boiled brambles.  Software is
terribly willful despite its inanimateness, you know.

Ciao for now,

-Martin

 [1] ftp://ftp.inr.ac.ru/ip-routing/iproute2-2.4.7-now-ss020116-try.tar.gz
 [2] http://luxik.cdi.cz/~devik/qos/htb/v3/htb3.6-020525.tgz

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]



Re: [LARTC] tc on slackware

2003-05-30 Thread Rio Martin.
Zealous wrote:
> Hi friends
> I was using Red Hat before and tc was working fine
> but when I migrated to Slackware
> my version is Slackware 8.1
> when I'm giving the command below:
> [EMAIL PROTECTED]:~# tc qdisc add dev eth1
> RTNETLINK answers: Invalid argument
> Why is it giving me this error RTNETLINK ANSWERS: INVALID ARGUMENT ...

I bet you haven't inserted the QoS modules in your kernel, because you are using
the default kernel from the Slackware installation disc.

Please make sure the QoS modules are loaded first.

Regards,
Rio Martin.





[LARTC] connection reset by peer? why?

2003-05-30 Thread Kertész Viktor

Dear All,

I know that it's not a problem that can be attached to lartc, but I need a guru who can explain what the problem with this connection can be. I connect to an ftp server. All firewalls are off, and on a gateway I get this tcpdump:

09:11:30.207400 10.1.0.7.19018 > 212.92.18.38.ftp: S 1694970558:1694970558(0) win 64240 <mss 536,nop,nop,sackOK> (DF)
09:11:30.220353 212.92.18.38.ftp > 10.1.0.7.19018: S 2292184211:2292184211(0) ack 1694970559 win 64240 <mss 1460,nop,nop,sackOK> (DF)
09:11:30.222171 10.1.0.7.19018 > 212.92.18.38.ftp: . ack 1 win 64320 (DF)
09:11:30.235357 212.92.18.38.ftp > 10.1.0.7.19018: F 1:1(0) ack 1 win 64240 (DF)
09:11:30.238498 10.1.0.7.19018 > 212.92.18.38.ftp: . ack 2 win 64320 (DF)
09:11:30.238853 10.1.0.7.19018 > 212.92.18.38.ftp: R 1694970559:1694970559(0) win 0 (DF)
09:11:30.268335 212.92.18.38.ftp > 10.1.0.7.19018: R 2292184213:2292184213(0) win 0

After that the ftp connection is not established. I suspect a router or firewall failure outside. Please confirm it. Thank you in advance!

Vitya


Re: [LARTC] traffic control on ppp interfaces

2003-05-30 Thread Stef Coene
On Friday 30 May 2003 07:17, Lucas Aimaretto wrote:
> the question is simple. can i shape ppp interfaces using htb?
yes

Stef

-- 

[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.oftc.net



Re: [LARTC] Kernel options for QoS

2003-05-30 Thread Stef Coene
On Friday 30 May 2003 09:04, [EMAIL PROTECTED] wrote:
> Actually yes, its the new kernel.
If you booted from your new kernel and you can't load the module, recompile 
everything from scratch and reboot from the kernel again.
cd /usr/src/linux ; make clean oldconfig deb bzImage modules modules_install

> I've read on this mailing-list that CONFIG_NETLINK doesn't exist
> anymore in 2.4.20 and is not needed to run tc and that
> CONFIG_NETLINK_DEV is not needed either.
>
> So what can it be ??
This is a kernel + modules problem.  Not a tc problem.

Stef



[LARTC] Wonder Shaper - New Features - Unofficial Version

2003-05-30 Thread Gordan Bobic
Hi, guys.

I have tried emailing Bert with these updates, but he never got back to me, 
and I think this would be a genuinely useful addition to its current feature 
set. :-)

The featured improvements include:

1) Lowest priority traffic is bounded to its bandwidth (currently set at 
80%), so it cannot borrow more bandwidth from its sibling classes. This 
seems to help greatly with higher priority services getting through much 
faster, without greatly taking away from the bandwidth available for the 
lowest priority traffic.

2) It now works for multiple interfaces. The settings are in the format of 1 
config file per interface, typically named by the interface (although this is 
not too important, any name will do). These files should typically live in 
/etc/sysconfig/wshaper by default. The format is the usual shell variable 
assignment format, i.e. variable=value. Value names/values are the same as 
those at the top of the old Wonder Shaper script. Each interface is set and 
checked to the specified values when the usual stop/status/start commands are 
issued.

3) Note: I have commented out all the ingress shaping, because I run a 2.2.x 
kernel which doesn't support ingress policing properly. To enable this, 
simply uncomment the relevant lines in the wshaper script.

The new wshaper script as well as a sample config file are both attached.

Regards.

Gordan

DEV=eth1
DOWNLINK=977
UPLINK=250
NOPRIOHOSTSRC=
NOPRIOHOSTDST=
NOPRIOPORTSRC=80
NOPRIOPORTDST=


Re: [LARTC] traffic control on ppp interfaces

2003-05-30 Thread Lucas Aimaretto
> On Friday 30 May 2003 07:17, Lucas Aimaretto wrote:
> > the question is simple. can i shape ppp interfaces using htb?
> yes
>
> Stef

Now, another simple question. Could I obtain traffic graphs of those
interfaces using mrtg? Or, which is the best technique for graphing
client's traffic?

thanks again

regards

lucas



Re: [LARTC] traffic control on ppp interfaces

2003-05-30 Thread Stef Coene
On Friday 30 May 2003 14:01, Lucas Aimaretto wrote:
> > On Friday 30 May 2003 07:17, Lucas Aimaretto wrote:
> > > the question is simple. can i shape ppp interfaces using htb?
> >
> > yes
> >
> > Stef
>
> Now, another simple question. Could I obtain traffic graphs of those
> interfaces using mrtg? Or, which is the best technique for graphing
> client's traffic?
It depends on what you want to graph.  You can use mrtg or any other rrdtool 
frontend.  Or you can create the needed scripts yourself.  Mrtg is easy if 
you are interested in the transmitted/sent data.
I created some scripts to graph the tc counters.  You can find the scripts on 
www.docum.org on the GUI page.

Stef
