[LARTC] u32 filter and NAT
I want to limit each user in my network to have limited bandwidth (let's say 256/128 kbit). I use NAT (done with iptables). Can I limit users on the outgoing interface using u32, using rules like:

tc filter add dev eth0 parent 1: protocol ip prio 17 u32 match ip src 10.10.10.10 flowid 1:10

It seems I made a mistake somewhere, or NAT is done before routing and I must use iptables mangling. BTW, what is the maximum for --set-mark?

Thanks!
Szymon Miotk

___
LARTC mailing list / [EMAIL PROTECTED] http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Re: [LARTC] Shaping traffic over a linux bridge
I have since fixed my problem. I am not sure if it's useful to anyone, but I'll briefly describe what I did to get it working.

In the end, I am not using the 'iptables' program at all. I am using ebtables to mangle the packets on eth1 as they come in. What I was doing before with ebtables was mostly right. I have pretty simple ebtables lines that mark the packets. Packet marks can be 32 bits.

And my shaping is very different now too. I shape on the outside (eth0) interface. I can shape incoming traffic going over the eth1 interface as well, although I don't need it. I also find that cbq doesn't work too happily. HTB works like a charm, and really is more useful for my application. I ended up needing to use the 'tc' binary supplied by the HTB people.

I am not completely done yet, but at the very least it works. It is now just a matter of setting up all of the classes/rules for the 200+ MAC addresses I'll be shaping.

Hugh

Hugh Buchanan wrote:

I should add some additional comments. I have gone through most of the LARTC archives dealing with tc. It seems a lot of people have attempted this, but no one ever posts solutions to these things. There are a bunch of archive posts I found somewhat helpful.

http://lists.netfilter.org/pipermail/netfilter/2002-May/034041.html
http://mailman.ds9a.nl/pipermail/lartc/2003q1/007571.html

Using those two posts, I decided to give u32 filtering a try to avoid the mangling confusion I have, and it doesn't seem to change much. Shaping works perfectly using NAT/MASQUERADE and iptables mangling. When I throw bridging into the mix it stops working. I have yet to try a 2.5.x kernel. I would prefer not to, but I suppose since I have no ideas right now on how to proceed, I'd better try 2.5.x.

If anyone figures this out, send me your address. I'll send you a box of cookies or something.

Hugh

Hugh Buchanan wrote:

Greetings,

I am using tc/cbq to do some traffic shaping over a linux bridge. My system is running the 2.4.20 kernel with the latest bridge-nf and ebtables patches. I am also running ebtables 2.0.3 and iptables 1.2.8. Last week, since I had yet to discover ebtables/bridging, I was testing the shaping with a basic NAT setup using totally separate networks on each ethernet interface.

I now have a fully functional bridge. I was amazed to see how easy it is! I love it! But now I am trying to add tc back into the mix. I have looked at the simple and real life examples, and a typical mark line would be something like

ebtables -A FORWARD -p ipv4 -i eth0 -j mark --set-mark 2 --mark-target CONTINUE

So now I have two questions. How many bits are available for marking? On docum.org, I saw examples for mark values up to '5', which leads me to assume that there are at least 3 bits, meaning I can mark up to '7' (or is it '8'?). What is the numeric range here?

And what I am wanting to do is possible, right? I haven't found any real life examples for traffic shaping over a bridge yet (links appreciated). I have found this though:

When you create a bridge with the bridge-utils, you get a new device: br0. You can shape traffic on this device, but you can not use iptables to mark packets and the fw filter to use that mark. But you can use the u32 filter.

Does this mean I need to use some other process besides normal mangling? What it comes down to are two issues (that are almost the same). I don't know how to mark packets coming in from the LAN, and I don't know which interface to bind tc to. Here is a diagram of my setup:

64.119.201.0/24   eth1 [bridge, br0] eth0   64.119.201.1 (router)

And here is the script I am playing with. I have tried binding tc and ebtables and iptables to all three interfaces (eth0, eth1, br0) and it doesn't seem to change anything, but then again I don't know if my packets are even being marked. Should I be using a 2.5.x kernel instead of the patched 2.4.20? I need this for production use; stability is important.

#!/bin/sh
OUTSIDE=eth0
INSIDE=eth1
BRIDGE=br0
LAN=64.119.201.0/24
# a multi-word value must be quoted or the shell treats "1514" as a command
OPTION="allot 1514 maxburst 20 avpkt 1000 prio 3"

ebtables -P INPUT ACCEPT
ebtables -P OUTPUT ACCEPT
ebtables -P FORWARD ACCEPT
ebtables -F
ebtables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -t nat -F

echo Loading ebtables rules
ebtables -A FORWARD -p ipv4 -i eth1 --ip-source 64.119.201.114 -j mark --set-mark 2 --mark-target CONTINUE
# note: with --mark-target CONTINUE the frame marked 2 above also reaches this
# rule, which matches every IPv4 frame and overwrites the mark with 1
ebtables -A FORWARD -p ipv4 -j mark --set-mark 1 --mark-target CONTINUE

echo Loading iptables rules
# MARK is non-terminating, so the second rule overwrites the first with 2
iptables -t mangle -A PREROUTING -i eth1 -s $LAN -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 2

###
# i have tried $INSIDE, $OUTSIDE, and $BRIDGE here
DEV="dev $INSIDE"

RATE_TOT=10kbit
SERVERS=500kbit
SERVERS_WEIGHT=50kbit
GEN=50kbit
GEN_WEIGHT=5kbit

echo Clearing qdiscs
tc qdisc del dev br0 root
tc qdisc del dev eth0 root
tc qdisc
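Szymon's question about u32 on the NAT router's outgoing interface and Hugh's bridge thread come down to the same mechanism. On a NAT router the egress qdisc on eth0 sees a packet only after POSTROUTING has rewritten its source address, so a u32 match on the private address cannot hit there; a mark set in the mangle PREROUTING table (which runs before NAT) or by ebtables on the bridge port stays with the packet, and the fw filter selects on it. The mark is a 32-bit field, so --set-mark accepts values up to 4294967295, while the tc class id the mark is turned into below is 16-bit hexadecimal. The following is an added example, not any poster's script: interface names, addresses, the MAC and the rates are constructed, and with RUN=echo it prints the commands instead of executing them (executing needs root).

```shell
#!/bin/sh
# Added example, not any poster's script: per-user HTB shaping keyed on the
# packet mark, for a NAT router (mark with iptables) and a bridge (mark with
# ebtables). Interface names, addresses, the MAC and the rates are constructed.
# With RUN=echo the commands are printed instead of executed (executing needs root).
RUN=${RUN:-}
EXT_IF=eth0            # hypothetical upstream interface that carries the egress qdisc
TOTAL=2048kbit         # hypothetical link rate
MARK_MAX=4294967295    # the skb mark (iptables/ebtables --set-mark) is 32 bits wide

# A usable mark is 1..2^32-1; 0 means "unmarked" and cannot select a class.
valid_mark() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le "$MARK_MAX" ]
}

# Root HTB on the upstream interface; unmarked traffic lands in class 1:fff.
setup_root() {
    $RUN tc qdisc del dev "$EXT_IF" root 2>/dev/null || true
    $RUN tc qdisc add dev "$EXT_IF" root handle 1: htb default fff
    $RUN tc class add dev "$EXT_IF" parent 1: classid 1:1 htb rate "$TOTAL"
    $RUN tc class add dev "$EXT_IF" parent 1:1 classid 1:fff htb rate 64kbit ceil "$TOTAL"
}

# One HTB class per user plus the fw filter that steers packets carrying that
# mark into it. tc class ids are hexadecimal and the minor part is 16 bits, so
# the mark is converted and limited to 1..65534 here (fff is reserved above).
add_user_class() {  # add_user_class MARK RATE CEIL
    mark=$1; rate=$2; ceil=$3
    valid_mark "$mark" || { echo "bad mark: $mark" >&2; return 1; }
    [ "$mark" -lt 65535 ] && [ "$mark" -ne 4095 ] || { echo "mark $mark does not fit a 16-bit class id" >&2; return 1; }
    minor=$(printf '%x' "$mark")
    $RUN tc class add dev "$EXT_IF" parent 1:1 classid "1:$minor" htb rate "$rate" ceil "$ceil"
    $RUN tc filter add dev "$EXT_IF" parent 1: protocol ip prio 1 handle "$mark" fw flowid "1:$minor"
}

# NAT router: mangle PREROUTING runs before NAT rewrites the source address,
# so the rule still sees the user's private IP; the mark stays on the packet
# through SNAT and the fw filter on eth0's egress qdisc matches it there.
mark_by_ip() {  # mark_by_ip LAN_IF SRC_IP MARK
    $RUN iptables -t mangle -A PREROUTING -i "$1" -s "$2" -j MARK --set-mark "$3"
}

# Bridge: ebtables marks the frame by source MAC on the inside port; it is the
# same 32-bit mark the fw filter reads, so no IP-layer rule is needed.
mark_by_mac() {  # mark_by_mac LAN_IF SRC_MAC MARK
    $RUN ebtables -A FORWARD -p ipv4 -i "$1" -s "$2" -j mark --set-mark "$3" --mark-target CONTINUE
}

# Constructed users: one keyed by IP (NAT router), one keyed by MAC (bridge),
# each limited to 128 kbit guaranteed and 256 kbit ceiling.
shape_all() {
    setup_root
    add_user_class 10 128kbit 256kbit && mark_by_ip eth1 10.10.10.10 10
    add_user_class 11 128kbit 256kbit && mark_by_mac eth1 00:11:22:33:44:55 11
}

# SHAPE_NOW=yes RUN=echo sh shape.sh   prints the command sequence (hypothetical file name)
if [ "${SHAPE_NOW:-no}" = yes ]; then shape_all; fi
```

This limits the upload direction only. The same classes and fw filters on eth1's egress limit the download direction; there the private address is the destination, and on a NAT router it has already been restored by the time the packet reaches eth1's qdisc, so a u32 match on ip dst would also work for that direction.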
[LARTC] Using routed and opening port 520
My Linux router (RH7.3) runs routed, and port 520 is NOT open for UDP. The box routes traffic between a LAN and two separate DSL-connected ISPs.

What benefits am I giving up by not having port 520 open? What benefits would I gain (if any) for sharing routing information with the ISPs over the DSL connections? What are the risks in opening that port?

Okay, it's just a newbie question, but I'm still trying to learn.

--Carol Anne
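routed speaks RIP on UDP port 520. With the port closed the box neither learns nor announces routes, so the ISPs' routing information never reaches it; with the port open to anyone, any host that can reach it can send RIP updates, and RIPv1 has no authentication at all (RIPv2 adds a cleartext password or keyed MD5 option), so an accepted bogus update can redirect traffic. The following is an added example, not from the post: iptables rules that accept RIP only from a named neighbour on each DSL interface and log and drop everything else aimed at that port. The interface names and neighbour addresses are placeholders, and RUN=echo prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example, not from the post: allow RIP (UDP 520) only from named
# neighbours on the two DSL interfaces and drop everything else to that port.
# Interface names and neighbour addresses are hypothetical placeholders;
# RUN=echo prints the rules instead of installing them (installing needs root).
RUN=${RUN:-}

# "interface neighbour" pairs, one per line; constructed sample values
RIP_PEERS='ppp0 192.0.2.1
ppp1 198.51.100.1'

rip_rules() {
    # Accept RIP only when it arrives on the expected interface from the
    # expected neighbour; both conditions must hold.
    printf '%s\n' "$RIP_PEERS" | while read -r ifc peer; do
        [ -n "$ifc" ] || continue
        $RUN iptables -A INPUT -i "$ifc" -p udp -s "$peer" --dport 520 -j ACCEPT
    done
    # Anything else sent to port 520 (LAN hosts included, which should never
    # feed routes to the router) is logged for review and dropped.
    $RUN iptables -A INPUT -p udp --dport 520 -j LOG --log-prefix "rip-unexpected: "
    $RUN iptables -A INPUT -p udp --dport 520 -j DROP
}

# usage: RUN=echo sh rip-rules.sh   (hypothetical file name) to preview
if [ "${RIP_APPLY:-no}" = yes ]; then rip_rules; fi
```

Opening the port only to the ISP neighbours leaves the question of whether the ISP authenticates its RIP updates; if it does not, the routes accepted from that address are only as trustworthy as the DSL link the packets arrive on.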
[LARTC] Kernel options for QoS
Hello All,

I'm new to QoS under Linux so please be indulgent with the following question. I try to run tc under Linux 2.4.20; my kernel has the following options:

CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_NETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
# CONFIG_FILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_INET_ECN is not set
CONFIG_SYN_COOKIES=y
[...]
#
# QoS and/or fair queueing
#
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CBQ=y
CONFIG_NET_SCH_HTB=y
CONFIG_NET_SCH_CSZ=y
CONFIG_NET_SCH_PRIO=y
CONFIG_NET_SCH_RED=y
CONFIG_NET_SCH_SFQ=y
CONFIG_NET_SCH_TEQL=y
CONFIG_NET_SCH_TBF=y
CONFIG_NET_SCH_GRED=y
CONFIG_NET_SCH_DSMARK=y
CONFIG_NET_SCH_INGRESS=y
CONFIG_NET_QOS=y
CONFIG_NET_ESTIMATOR=y
# CONFIG_NET_CLS is not set

but when I try to do:

[EMAIL PROTECTED] tc qdisc add dev ppp0 root tbf rate 128kbit latency 50ms burst 1540

I get this:

RTNETLINK answers: Invalid argument

syslog says:

modprobe: Can't locate module sch_tbf

If I compile it as a module, the module fails to load anyway (some unresolved symbols)... Am I missing an option that should be set in the kernel .config file?

Thanks for your help,
Mathieu.
[LARTC] tc on slackware
Hi friends,

I was using Red Hat before and tc was working fine, but when I migrated to Slackware (my version is Slackware 8.1), when I'm giving the command below:

[EMAIL PROTECTED]:~# tc qdisc add dev eth1
RTNETLINK answers: Invalid argument

Why is it giving me this error RTNETLINK ANSWERS: INVALID ARGUMENT ... where am I wrong? Please help.

joel
Re: [LARTC] tc on slackware
Hello Zealous Joel!

 : I was using Red Hat before and tc was working fine
 : but when I migrated to Slackware
 : my version is Slackware 8.1

What release of iproute2 are you using? (I like the most current release, now-020116-try [1], and have had good luck with it.)

 : when I'm giving the command below.
 : [EMAIL PROTECTED]:~# tc qdisc add dev eth1
 : RTNETLINK answers: Invalid argument

This looks like a rather incomplete command to me. What sort of qdisc are you adding? If you are attempting to use HTB and are using the stock iproute2 distribution (see [1]), then you'll need Devik's patch. You can find this patch in the HTB distribution [2].

 : Why is it giving me this error RTNETLINK ANSWERS: INVALID ARGUMENT ...

Probably because you didn't feed it enough boiled brambles. Software is terribly willful despite its inanimateness, you know.

Ciao for now,

-Martin

[1] ftp://ftp.inr.ac.ru/ip-routing/iproute2-2.4.7-now-ss020116-try.tar.gz
[2] http://luxik.cdi.cz/~devik/qos/htb/v3/htb3.6-020525.tgz

--
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]
Re: [LARTC] tc on slackware
Zealous wrote:
> Hi friends
> I was using Red Hat before and tc was working fine
> but when I migrated to Slackware
> my version is Slackware 8.1
> when I'm giving the command below.
> [EMAIL PROTECTED]:~# tc qdisc add dev eth1
> RTNETLINK answers: Invalid argument
> Why is it giving me this error RTNETLINK ANSWERS: INVALID ARGUMENT ...

I bet you haven't inserted the QoS modules in your kernel, because you are using the default kernel from the Slackware installation disc. Please make sure the QoS modules are loaded first.

Regards,
Rio Martin.
[LARTC] connection reset by peer? why?
Dear All,

I know that it's not a problem that can be attached to lartc, but I need a guru who can explain what the problem with this connection can be. I connect to an ftp server. All firewalls are off, and on a gateway I get this tcpdump:

09:11:30.207400 10.1.0.7.19018 > 212.92.18.38.ftp: S 1694970558:1694970558(0) win 64240 <mss 536,nop,nop,sackOK> (DF)
09:11:30.220353 212.92.18.38.ftp > 10.1.0.7.19018: S 2292184211:2292184211(0) ack 1694970559 win 64240 <mss 1460,nop,nop,sackOK> (DF)
09:11:30.222171 10.1.0.7.19018 > 212.92.18.38.ftp: . ack 1 win 64320 (DF)
09:11:30.235357 212.92.18.38.ftp > 10.1.0.7.19018: F 1:1(0) ack 1 win 64240 (DF)
09:11:30.238498 10.1.0.7.19018 > 212.92.18.38.ftp: . ack 2 win 64320 (DF)
09:11:30.238853 10.1.0.7.19018 > 212.92.18.38.ftp: R 1694970559:1694970559(0) win 0 (DF)
09:11:30.268335 212.92.18.38.ftp > 10.1.0.7.19018: R 2292184213:2292184213(0) win 0

After that the ftp connection is not established. I suspect a router or firewall failure outside. Please confirm it.

Thank you in advance!
Vitya
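A trace like this is easiest to read as a small state machine over the TCP flags: SYN from the client, SYN with ack from the server, the client's bare ACK completing the handshake, and then whichever side sends FIN or RST first. The following is an added example, not from the post: an awk classifier wrapped in a shell function that reads `tcpdump -n` lines of this (2003-era tcpdump 3.x) format on stdin and prints the verdict, together with a constructed copy of Vitya's capture in which the "src > dst" arrows and the option brackets that the archive stripped are put back. On that capture it reports that the handshake completed and that the FIN came from the server's address before any payload, i.e. before an FTP banner; whether that FIN originates from the FTP daemon itself or from a device in front of it cannot be told from this side alone, which is why a trace taken at the far end is the useful next comparison.

```shell
#!/bin/sh
# Added example, not from the post: classify a tcpdump capture of one TCP
# connection attempt. Reads `tcpdump -n` lines on stdin and reports whether the
# three-way handshake completed and which side then sent FIN or RST first, with
# the number of payload bytes the server had sent by then.
tcp_verdict() {
    awk '
        BEGIN { state = "no-syn"; sbytes = 0 }
        {
            src = $2; dst = $4; sub(/:$/, "", dst); flags = $5
            hasack = ($0 ~ / ack [0-9]/)
            # payload length is the "(N)" after the sequence numbers, e.g. F 1:1(0)
            if (server != "" && src == server && match($6, /\([0-9]+\)/)) {
                sbytes += substr($6, RSTART + 1, RLENGTH - 2)
            }
            if (state == "no-syn") {
                if (flags == "S" && !hasack) { client = src; server = dst; state = "syn-sent" }
                next
            }
            if (state == "syn-sent" && flags == "S" && hasack && src == server) { state = "syn-received"; next }
            if (state == "syn-received" && flags == "." && hasack && src == client) { state = "established"; next }
            if (state == "established" && (flags == "F" || flags == "R")) {
                who = (src == server) ? "server" : "client"
                printf "established; %s sent %s first after %d data bytes\n", who, (flags == "F" ? "FIN" : "RST"), sbytes
                state = "closed"
                exit
            }
        }
        END { if (state != "closed") print state }
    '
}

# Constructed copy of the trace quoted in the post, with the "src > dst"
# arrows and option brackets that the archive stripped put back.
sample_trace() {
    cat <<'EOF'
09:11:30.207400 10.1.0.7.19018 > 212.92.18.38.ftp: S 1694970558:1694970558(0) win 64240 <mss 536,nop,nop,sackOK> (DF)
09:11:30.220353 212.92.18.38.ftp > 10.1.0.7.19018: S 2292184211:2292184211(0) ack 1694970559 win 64240 <mss 1460,nop,nop,sackOK> (DF)
09:11:30.222171 10.1.0.7.19018 > 212.92.18.38.ftp: . ack 1 win 64320 (DF)
09:11:30.235357 212.92.18.38.ftp > 10.1.0.7.19018: F 1:1(0) ack 1 win 64240 (DF)
09:11:30.238498 10.1.0.7.19018 > 212.92.18.38.ftp: . ack 2 win 64320 (DF)
09:11:30.238853 10.1.0.7.19018 > 212.92.18.38.ftp: R 1694970559:1694970559(0) win 0 (DF)
09:11:30.268335 212.92.18.38.ftp > 10.1.0.7.19018: R 2292184213:2292184213(0) win 0
EOF
}

# usage: sample_trace | tcp_verdict
#        tcpdump -n -r capture.pcap port 21 | tcp_verdict   (one connection per capture)
```

If the capture never gets past "syn-sent", the SYN is being dropped or not answered on the path; "syn-received" means the SYN-ACK arrived but the client's ACK did not show up, which usually points at the capture side itself.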
Re: [LARTC] traffic control on ppp interfaces
On Friday 30 May 2003 07:17, Lucas Aimaretto wrote:
> the question is simple. can i shape ppp interfaces using htb?

yes

Stef

--
[EMAIL PROTECTED]
Using Linux as bandwidth manager
http://www.docum.org/
#lartc @ irc.oftc.net
Re: [LARTC] Kernel options for QoS
On Friday 30 May 2003 09:04, [EMAIL PROTECTED] wrote:
> Actually yes, it's the new kernel.

If you booted from your new kernel and you can't load the module, recompile everything from scratch and reboot from the kernel again.

cd /usr/src/linux ; make clean oldconfig dep bzImage modules modules_install

> I've read on this mailing-list that CONFIG_NETLINK doesn't exist anymore in 2.4.20 and is not needed to run tc and that CONFIG_NETLINK_DEV is not needed either. So what can it be ??

This is a kernel + modules problem. Not a tc problem.

Stef
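Both this thread and Joel's "tc on slackware" thread end at the same place: RTNETLINK answers "Invalid argument" when the kernel the box is running cannot provide the qdisc (or classifier) that tc asked for, whether because it was never configured, because it is a module that the running kernel cannot load (Stef's kernel + modules mismatch), or because the command named no qdisc at all. The following is an added example, not from either thread: a shell checker that reads a kernel .config and reports, for a given tc qdisc or filter keyword, whether the scheduler core, the classifier API and the specific scheduler or classifier are built in, modular or absent. The keyword-to-CONFIG mapping is limited to the 2.4-era names used on this list. Run against the config Mathieu quoted it would pass for `tbf` but flag that `CONFIG_NET_CLS` is not set, so any later `tc filter add ... u32` or `fw` would fail on that kernel even once the qdisc works.

```shell
#!/bin/sh
# Added example, not from the thread: check a kernel .config for the options a
# given tc command needs and report each as built in (y), modular (m, so the
# module must be loadable from the running kernel's /lib/modules tree) or
# absent (n). The keyword-to-CONFIG mapping covers the 2.4-era names used here.
config_symbol() {  # config_symbol KIND NAME   (KIND is qdisc or filter)
    case "$1:$2" in
        qdisc:tbf)     echo CONFIG_NET_SCH_TBF ;;
        qdisc:htb)     echo CONFIG_NET_SCH_HTB ;;
        qdisc:cbq)     echo CONFIG_NET_SCH_CBQ ;;
        qdisc:sfq)     echo CONFIG_NET_SCH_SFQ ;;
        qdisc:prio)    echo CONFIG_NET_SCH_PRIO ;;
        qdisc:ingress) echo CONFIG_NET_SCH_INGRESS ;;
        filter:u32)    echo CONFIG_NET_CLS_U32 ;;
        filter:fw)     echo CONFIG_NET_CLS_FW ;;
        *) return 1 ;;
    esac
}

# y, m or n for SYMBOL in the .config FILE ("# SYMBOL is not set" counts as n).
config_state() {  # config_state SYMBOL FILE
    if grep -q "^$1=y\$" "$2"; then echo y
    elif grep -q "^$1=m\$" "$2"; then echo m
    else echo n
    fi
}

# Print SYMBOL=STATE for every option the tc command needs: the scheduler core,
# the classifier API for filters, and the specific qdisc or classifier.
# Returns 1 if any of them is n, 2 for a keyword the mapping does not know.
check_tc() {  # check_tc FILE KIND NAME
    file=$1; kind=$2; name=$3; ok=0
    sym=$(config_symbol "$kind" "$name") || { echo "unknown $kind '$name'" >&2; return 2; }
    needed="CONFIG_NET_SCHED"
    if [ "$kind" = filter ]; then needed="$needed CONFIG_NET_CLS"; fi
    needed="$needed $sym"
    for s in $needed; do
        st=$(config_state "$s" "$file")
        echo "$s=$st"
        if [ "$st" = n ]; then ok=1; fi
    done
    return $ok
}

# Constructed sample: the QoS part of the config quoted in the thread, with
# CONFIG_NET_SCH_TBF changed to a module so the m state shows up.
sample_config() {
    cat <<'EOF'
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CBQ=y
CONFIG_NET_SCH_HTB=y
CONFIG_NET_SCH_TBF=m
CONFIG_NET_SCH_INGRESS=y
# CONFIG_NET_CLS is not set
EOF
}

# usage: check_tc /usr/src/linux/.config qdisc tbf
#        check_tc /usr/src/linux/.config filter u32
```

An `m` result is only half the answer: the module must also come from the same build as the running kernel, which is what the "Can't locate module" and "unresolved symbols" messages in this thread indicate was not the case.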
[LARTC] Wonder Shaper - New Features - Unofficial Version
Hi, guys.

I have tried emailing Bert with these updates, but he never got back to me, and I think this would be a genuinely useful addition to its current feature set. :-)

The featured improvements include:

1) Lowest priority traffic is bounded to its bandwidth (currently set at 80%), so it cannot borrow more bandwidth from its sibling classes. This seems to help greatly with higher priority services getting through much faster, without greatly taking away from the bandwidth available for the lowest priority traffic.

2) It now works for multiple interfaces. The settings are in the format of 1 config file per interface, typically named by the interface (although this is not too important, any name will do). These files should typically live in /etc/sysconfig/wshaper by default. The format is the usual shell variable assignment format, i.e. variable=value. Value names/values are the same as those at the top of the old Wonder Shaper script. Each interface is set and checked to the specified values when the usual stop/status/start commands are issued.

3) Note: I have commented out all the ingress shaping, because I run a 2.2.x kernel which doesn't support ingress policing properly. To enable this, simply uncomment the relevant lines in the wshaper script.

The new wshaper script as well as a sample config file are both attached.

Regards.

Gordan

wshaper (attachment, application/shellscript)

DEV=eth1
DOWNLINK=977
UPLINK=250
NOPRIOHOSTSRC=
NOPRIOHOSTDST=
NOPRIOPORTSRC=80
NOPRIOPORTDST=
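A per-interface config file in "variable=value" format is normally pulled in with `. /etc/sysconfig/wshaper/eth1`, and since the shaper runs as root that sources whatever is in the file, including anything that is not an assignment. The following is an added example, not the wshaper script: a loader that reads such a file without sourcing it, accepts only the variable names from the sample config attached to the post, checks each value against the characters that name can legitimately contain, and only then sets the variables. The file names and values in the usage are constructed.

```shell
#!/bin/sh
# Added example, not the wshaper script itself: read one per-interface config
# file of key=value lines without sourcing it, so a stray command in the file
# is rejected instead of executed as root.
# Variable names follow the sample config attached to the post.

# Whitelist of keys and the characters each value may contain. Empty values
# are allowed for the NOPRIO* keys, as in the sample; DEV and the rates are not.
value_ok() {  # value_ok KEY VALUE
    case "$1" in
        DEV)                         case "$2" in ''|*[!a-z0-9.]*) return 1 ;; esac ;;
        DOWNLINK|UPLINK)             case "$2" in ''|*[!0-9]*) return 1 ;; esac ;;
        NOPRIOHOSTSRC|NOPRIOHOSTDST) case "$2" in *[!a-zA-Z0-9.:-]*) return 1 ;; esac ;;
        NOPRIOPORTSRC|NOPRIOPORTDST) case "$2" in *[!0-9]*) return 1 ;; esac ;;
        *) return 1 ;;   # unknown key
    esac
    return 0
}

# Parse FILE; print "KEY=VALUE" for every line that passes, fail with a
# message on the first line that does not. Blank lines and # comments are skipped.
load_config() {  # load_config FILE
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        key=${line%%=*}; val=${line#*=}
        # a line without "=" leaves key and val both equal to the whole line
        [ "$key=$val" = "$line" ] && [ -n "$key" ] || { echo "$1:$n: not key=value" >&2; return 1; }
        value_ok "$key" "$val" || { echo "$1:$n: bad value for $key" >&2; return 1; }
        printf '%s=%s\n' "$key" "$val"
    done < "$1"
}

# Set the validated variables in the current shell. Values contain only the
# characters admitted above, so this eval cannot run anything else.
apply_config() {  # apply_config FILE
    vars=$(load_config "$1") || return 1
    eval "$vars"
}

# usage: apply_config /etc/sysconfig/wshaper/eth1 && echo "$DEV $UPLINK $DOWNLINK"
```

Because `load_config` fails on the first bad line, a config file with a typo is refused whole rather than applied half way, which is the behaviour wanted from a script that tears down and rebuilds qdiscs on every start.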
Re: [LARTC] traffic control on ppp interfaces
On Friday 30 May 2003 07:17, Lucas Aimaretto wrote:
> > the question is simple. can i shape ppp interfaces using htb?
> yes
> Stef

Now, another simple question. Could I obtain traffic graphs of those interfaces using mrtg? Or which is the best technique for graphing clients' traffic?

Thanks again,
regards,
lucas
Re: [LARTC] traffic control on ppp interfaces
On Friday 30 May 2003 14:01, Lucas Aimaretto wrote:
> On Friday 30 May 2003 07:17, Lucas Aimaretto wrote:
> > > the question is simple. can i shape ppp interfaces using htb?
> > yes
> > Stef
>
> Now, another simple question. Could I obtain traffic graphs of those interfaces using mrtg? Or which is the best technique for graphing clients' traffic?

It depends on what you want to graph. You can use mrtg or any other rrdtool frontend. Or you can create the needed scripts yourself. Mrtg is easy if you are interested in the transmitted/sent data. I created some scripts to graph the tc counters. You can find the scripts on www.docum.org on the GUI page.

Stef
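Graphing per-client traffic from tc rather than from the interface counters means reading the "Sent N bytes M pkts" line under each class in `tc -s class show dev IF` and turning two successive readings into a rate. The following is an added example, not the docum.org scripts: a parser that reduces that output to "classid bytes packets" lines, and a function that computes per-class bytes per second from two snapshots taken a known interval apart, which is the form an mrtg or rrdtool feeder needs. The snapshots are constructed; the counter line layout follows the HTB class statistics of the iproute2 versions of the time, and the parser also accepts the "pkt" spelling that other versions print.

```shell
#!/bin/sh
# Added example, not the docum.org scripts: turn `tc -s class show dev IF`
# output into "classid bytes packets" lines and compute per-class byte rates
# from two snapshots taken INTERVAL seconds apart.
class_counters() {  # reads tc -s class show output on stdin
    awk '
        $1 == "class" { cls = $3 }                         # "class htb 1:a parent 1:1 ..."
        $1 == "Sent" && cls != "" { print cls, $2, $4; cls = "" }  # " Sent N bytes M pkts ..."
    '
}

# class_rates INTERVAL PREV_TEXT CUR_TEXT -> "classid bytes_per_second" per class
# present in both snapshots. A negative delta (counter wrapped or class was
# re-created between the readings) is reported as 0 rather than as garbage.
class_rates() {
    prev=$(printf '%s\n' "$2" | class_counters)
    cur=$(printf '%s\n' "$3" | class_counters)
    { printf '%s\n' "$prev"; echo '--'; printf '%s\n' "$cur"; } | awk -v iv="$1" '
        $1 == "--" { second = 1; next }
        !second { pb[$1] = $2; next }
        ($1 in pb) { d = $2 - pb[$1]; if (d < 0) d = 0; printf "%s %d\n", $1, d / iv }
    '
}

# Constructed snapshots of a two-class HTB tree, taken 10 seconds apart.
snapshot_a() {
    cat <<'EOF'
class htb 1:1 root rate 2048Kbit ceil 2048Kbit burst 4Kb cburst 4Kb
 Sent 5000000 bytes 4000 pkts (dropped 0, overlimits 120)
 lended: 10 borrowed: 0 giants: 0
class htb 1:a parent 1:1 prio 0 rate 128Kbit ceil 256Kbit burst 2Kb cburst 2Kb
 Sent 1000000 bytes 800 pkt (dropped 3, overlimits 50 requeues 0)
 lended: 0 borrowed: 10 giants: 0
EOF
}
snapshot_b() {
    cat <<'EOF'
class htb 1:1 root rate 2048Kbit ceil 2048Kbit burst 4Kb cburst 4Kb
 Sent 5320000 bytes 4250 pkts (dropped 0, overlimits 130)
 lended: 12 borrowed: 0 giants: 0
class htb 1:a parent 1:1 prio 0 rate 128Kbit ceil 256Kbit burst 2Kb cburst 2Kb
 Sent 1250000 bytes 1000 pkt (dropped 3, overlimits 61 requeues 0)
 lended: 0 borrowed: 12 giants: 0
EOF
}

# usage: class_rates 10 "$(snapshot_a)" "$(snapshot_b)"
# live:  a=$(tc -s class show dev eth0); sleep 10; b=$(tc -s class show dev eth0); class_rates 10 "$a" "$b"
```

For an rrdtool COUNTER data source the raw byte values from `class_counters` are enough, since rrdtool does the delta itself; the rate computation is what an mrtg external script or a plain text log needs.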