RE: [LARTC] Multiple Links

2003-09-22 Thread Matthieu Turpault
Hi,

   I am not sure I understand what you want to do.

   Do you want to route packets according to their IP source?

   It is possible to do that with the ip command.


Regards



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 on behalf of hare ram
 Sent: Thursday, 18 September 2003 09:37
 To: [EMAIL PROTECTED]
 Subject: [LARTC] Multiple Links


 Hi all


 I am planning to deploy multiple links
 using RH 9.0 / PIII 500MHz / 512MB RAM
 with all patches related to Route and the rest mentioned in nano.txt.

 I am running BGP 4 with all the ISPs, but I am not load balancing the
 links.
 Each link has a specific application and specific users.

 Eth0 is connected to the local net

 eth1 - ISP1
 eth2 - ISP2
 eth3 - ISP3

 Now I want to make specific routes:

 x.x.x.x should go to ISP 1
 y.y.y.y should go to ISP 2
 z.z.z.z should go to ISP 3

 x, y, z, and the other blocks of IPs are my own IP ranges.

 If x.x.x.1 is trying to reach y.y.y.1, it should identify this route
 internally only, and it should connect directly from eth0 to the PC of y.y.y.1
 rather than going out to ISP 1 and coming back. How can I make it do this?


 Same situation if y.y.y.1 wants to contact x.x.x.1: it should take the
 decision on eth0 only, rather than going out and coming back via the ISP.

 Any help will be appreciated

 hare

 ___
 LARTC mailing list / [EMAIL PROTECTED]
 http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


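One way to do what Matthieu suggests with the ip command, as an added example (not Matthieu's or hare's own configuration): per-source rules send each block out through its own ISP table, while higher-priority "to our own block" rules resolve inter-block traffic from the main table so it stays on eth0. The addresses, devices, gateways and table numbers are constructed placeholders for x/y/z and the three ISPs, and it assumes eth0 carries all three blocks so their connected routes already live in the main table.

```shell
#!/bin/sh
# Added example (not from the original post): per-source policy routing with
# the ip command for a three-ISP layout, keeping inter-block traffic local.
# Assumptions (constructed placeholders): eth0 carries all three of our
# blocks, so their connected routes live in the main table; each ISP link
# has its own gateway and its own routing table.
#
# By default the commands are only printed for review. Run with APPLY=1 to
# execute them (needs root and iproute2).

LAN_DEV=eth0

# block  ISP-facing device  ISP gateway  routing table  (constructed values)
LINKS='192.0.2.0/24 eth1 10.1.0.1 101
198.51.100.0/24 eth2 10.2.0.1 102
203.0.113.0/24 eth3 10.3.0.1 103'

each_link() {
    # Feed one record per line to the caller's read loop.
    printf '%s\n' "$LINKS"
}

plan_routes() {
    # Rules are evaluated in ascending priority order. The "to <block>" rules
    # at priority 100 win before the per-source rules at 200, so traffic
    # between our own blocks is resolved from the main table (eth0's
    # connected routes) instead of leaving through an ISP and coming back.
    each_link | while read -r block dev gw tbl; do
        echo "ip rule add to $block lookup main priority 100"
    done
    # One table per ISP holding only that ISP's default route; packets whose
    # source lies in a block are steered into the matching table.
    each_link | while read -r block dev gw tbl; do
        echo "ip route flush table $tbl"
        echo "ip route add default via $gw dev $dev table $tbl"
        echo "ip rule add from $block table $tbl priority 200"
    done
    echo "ip route flush cache"
}

check_local_path() {
    # After applying: ask the kernel which route it picks from $1 to $2 and
    # confirm the answer stays on the LAN device (exit status 0 if so).
    ip route get "$2" from "$1" | grep -q "dev $LAN_DEV"
}

if [ "${APPLY:-0}" = 1 ]; then
    plan_routes | sh -e
    check_local_path 192.0.2.1 198.51.100.1 && echo "local path OK"
else
    plan_routes
fi
```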


Re: [LARTC] htb not hard limiting correctly

2003-09-22 Thread Mahmoud Taghizadeh
On Sun, 21 Sep 2003, Abraham van der Merwe wrote:
I am not sure, but I think if you classify your packets in the PREROUTING chain 
it will work fine

 Hi!
 
 This morning one of our major links died and suddenly I was streaming 1mbit
 of traffic through 256kbit (one of our backup links), but it just doesn't
 work. The client is still doing in the region of 350kbit/s (the link
 capacity is 512kbit). Here is my config:
 
  snip -- snip -- snip 
 tc qdisc add dev eth1 root handle 1: htb default 4 r2q 5
 tc class add dev eth1 parent 1: classid 1:1 htb rate 512kbit
 tc class add dev eth1 parent 1:1 classid 1:2 htb rate 320kbit ceil 512kbit prio 1
 tc qdisc add dev eth1 handle 2: parent 1:2 sfq perturb 10 limit 84
 tc class add dev eth1 parent 1:1 classid 1:3 htb rate 64kbit ceil 256kbit prio 3
 tc qdisc add dev eth1 handle 3: parent 1:3 sfq perturb 10 limit 42
 tc class add dev eth1 parent 1:1 classid 1:4 htb rate 128kbit ceil 512kbit prio 2
 tc qdisc add dev eth1 handle 4: parent 1:4 sfq perturb 10 limit 84
 tc qdisc add dev eth0 root handle 1: htb default 4 r2q 5
 tc class add dev eth0 parent 1: classid 1:1 htb rate 512kbit
 tc class add dev eth0 parent 1:1 classid 1:2 htb rate 320kbit ceil 512kbit prio 1
 tc qdisc add dev eth0 handle 2: parent 1:2 sfq perturb 10 limit 84
 tc class add dev eth0 parent 1:1 classid 1:3 htb rate 64kbit ceil 256kbit prio 3
 tc qdisc add dev eth0 handle 3: parent 1:3 sfq perturb 10 limit 42
 tc class add dev eth0 parent 1:1 classid 1:4 htb rate 128kbit ceil 512kbit prio 2
 tc qdisc add dev eth0 handle 4: parent 1:4 sfq perturb 10 limit 84
  snip -- snip -- snip 
 
 I'm tagging packets with the netfilter CLASSIFY patch. I've got a
 user-defined chain in the mangle table and I redirect all traffic from the
 POSTROUTING chain into that and add rules like this:
 
 iptables -t mangle -N qos
 iptables -t mangle -A POSTROUTING -j qos
 
 and then these rules for the tc rules above:
 
  snip -- snip -- snip 
 iptables -t mangle -A qos -o eth1 -d 66.8.28.92/30 -j CLASSIFY --set-class 1:2
 iptables -t mangle -A qos -o eth1 -d 66.8.28.160/27 -j CLASSIFY --set-class 1:2
 iptables -t mangle -A qos -o eth1 -d 168.210.55.0/24 -j CLASSIFY --set-class 1:2
 iptables -t mangle -A qos -o eth1 -d 168.210.54.80/29 -j CLASSIFY --set-class 1:2
 iptables -t mangle -A qos -o eth1 -d 168.210.56.0/24 -j CLASSIFY --set-class 1:3
 iptables -t mangle -A qos -o eth1 -d 66.8.28.32/27 -j CLASSIFY --set-class 1:3
 iptables -t mangle -A qos -o eth0 -s 66.8.28.92/30 -j CLASSIFY --set-class 1:2
 iptables -t mangle -A qos -o eth0 -s 66.8.28.160/27 -j CLASSIFY --set-class 1:2
 iptables -t mangle -A qos -o eth0 -s 168.210.55.0/24 -j CLASSIFY --set-class 1:2
 iptables -t mangle -A qos -o eth0 -s 168.210.54.80/29 -j CLASSIFY --set-class 1:2
 iptables -t mangle -A qos -o eth0 -s 168.210.56.0/24 -j CLASSIFY --set-class 1:3
 iptables -t mangle -A qos -o eth0 -s 66.8.28.32/27 -j CLASSIFY --set-class 1:3
  snip -- snip -- snip 
 
 The class which is not shaping correctly is 1:3 - it has a rate of 64kbit
 and a ceil of 256kbit so it should be limited to 256kbit even if there is
 512kbit of traffic available.
 
 Any ideas what I did wrong or is this a bug?
 
 



Re: [LARTC] kernel change and htb

2003-09-22 Thread Raghuveer
Stef Coene wrote:

On Tuesday 16 September 2003 15:22, Cezar Atanasiu wrote:
 

 Hello,

I have a short and maybe stupid question for some:

 Will the way htb behaves change if I switch from 2.4.20 to 2.4.22 and
if yes, how ? [ I mean, I know that 2.4.22 includes some patches for
htb,
not included in 2.4.20].
   

Most of the updates are for bugs.  And if you really care, you can copy the 
file sch_htb.c from 2.4.20 to 2.4.22.
 

Where can I get this file sch_htb.c and all other htb related files? 
Can I attach the htb patch to a 2.4.18 kernel?

Regards
-Raghu
Stef

 





[LARTC] SNMP Monitoring of iproute / iptables

2003-09-22 Thread Thomas Switala
Howdy all,

I am looking at getting some bandwidth stats from my QoS system and I would
like to pull them into a system like Cacti. Are there any MIBs for iproute
or iptables to monitor the bandwidth of each connection that is passing through
my bandwidth manager?

Thomas




[LARTC] HTB in a bridge+trunk

2003-09-22 Thread kristiadi himawan



Dear All,

Sorry if my question here was ever asked before by someone else.
I have a configuration like this:

  |-trunking--|
  V   eth0  eth1   V
router---bridge with htb---switch
202.xx.xx.227

#!/bin/bash
tc qdisc del dev eth0 root handle 1:
tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 32kbit ceil 32kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 24kbit ceil 24kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 8kbit ceil 8kbit
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 202.xx.xx.227 flowid 1:20

I already patched the kernel and tc with htb3.6-020525.tgz from the htb website.

Here is the result when there's traffic to 202.xx.xx.227: it should go to
1:20, but it fills class 1:10 (red sign).

### eth0: queueing disciplines
qdisc htb 1: r2q 10 default 10 direct_packets_stat 0
 Sent 584256 bytes 881 pkts (dropped 0, overlimits 1113)
 backlog 35p
### eth0: traffic classes
class htb 1:1 root rate 32Kbit ceil 32Kbit burst 1639b cburst 14704b
 Sent 554186 bytes 846 pkts (dropped 0, overlimits 0)
 rate 3040bps 3pps
 lended: 0 borrowed: 0 giants: 0
 tokens: -7997 ctokens: 8145
class htb 1:10 parent 1:1 prio 0 rate 24Kbit ceil 24Kbit burst 1629b cburst 1629b
 Sent 584256 bytes 881 pkts (dropped 0, overlimits 0)
 rate 3040bps 3pps backlog 35p
 lended: 846 borrowed: 0 giants: 0
 tokens: -447876 ctokens: -447876
class htb 1:20 parent 1:1 prio 0 rate 8Kbit ceil 8Kbit burst 1609b cburst 1609b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 1287999 ctokens: 1287999
### eth0: filtering rules
filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:20 match ca2ba0e3/ffffffff at 16

Why, when I put htb on eth0 to filter class 1:20, does the shaping always go to
the default class 1:10 and not the 1:20 class? The same problem occurs when I
put htb on eth1.
I already patched the kernel with the 3c95x vlan patch too.

Any idea why the filter is not working properly, or do I need another patch to get
u32 working in bridging+trunking, or must I replace the u32 filter with fwmark from
ebtables?

Thnx.


[LARTC] Sequence and Default port

2003-09-22 Thread Raghuveer
Hi All,

I have the following queries:

1. For indicating any default IP we are placing 0/0 as src or dst in the 
tc script; similarly, what can I use for the default port? This is the 
scenario when rules are framed based on ports. For example, for a 
firewall with eth0 (WAN), eth1 (LAN) and eth2 (DMZ), I am doing CBQ outgoing 
(egress) traffic shaping at the eth0 interface for public hosted servers 
located at eth2 (DMZ) based on ports (80 for http etc). Now I want to 
frame a rule for the remaining traffic (default) allocating the remaining 
bandwidth (the total rate is 512Kbits, 256 Kbits provided to the hosted 
servers, the rest 256KBits is for other traffic). My rules for identifying 
the hosted servers are based entirely on src port. Hence what rule should 
I frame for all other traffic coming from eth1 (LAN)?
2. Does the rule sequence play any role, like if there is any conflict 
between the rules then the last rule will be given preference? What 
happens exactly if there is any conflict?

Any suggestions and replies would be very helpful.

Regards
-Raghu


[LARTC] Limit number of connections

2003-09-22 Thread Mihai Vlad
Hello again,

I have a router/NAT Linux box. I managed to create some HTB classes and
everything is OK.
When people are using download managers like FlashGet and DAP (multiple
connection ones), the ceil limiting works okay, 
but the rate parameter is somehow useless... The guaranteed bandwidth is
never reached. 
So what can I do to limit the number of connections per computer? 
I want to make sure that they do not use more than one connection for
the download manager.

Thanks in advance




Re: [LARTC] htb not hard limiting correctly

2003-09-22 Thread Abraham van der Merwe
Hi Mahmoud   @2003.09.22_11:44:01_+0200

(a) You can't put it in PREROUTING - the CLASSIFY patch doesn't allow that:

from net/ipv4/netfilter/ipt_CLASSIFY.c:

 snip -- snip -- snip 
if (hook_mask & ~(1 << NF_IP_POST_ROUTING)) {
    printk(KERN_ERR "CLASSIFY: only valid in POST_ROUTING.\n");
    return 0;
}
 snip -- snip -- snip 

Would you mind telling me why you suggested PREROUTING?

(b)

I discovered some serious problems in my ruleset below which I fixed in the
meantime (Notice all the qdiscs have the same major id - they're supposed to
be unique for each qdisc, i.e. the sfq qdisc's and the two htb qdisc's
should have different major numbers)

(c)

One thing I discovered as well is that if all traffic goes through one of
our backup links, the line is so congested that I still get around double
the traffic incoming on the qos box itself. If I check on a box behind it
you can see that that class is shaped correctly, the requests are just
flooding in at such a pace that it still eats up twice the bandwidth!

 I am not sure, but I think if you classify your packets in the PREROUTING chain 
 it will work fine
 
  Hi!
  
  This morning one of our major links died and suddenly I was streaming 1mbit
  of traffic through 256kbit (one of our backup links), but it just doesn't
  work. The client is still doing in the region of 350kbit/s (the link
  capacity is 512kbit). Here is my config:
  
   snip -- snip -- snip 
  tc qdisc add dev eth1 root handle 1: htb default 4 r2q 5
  tc class add dev eth1 parent 1: classid 1:1 htb rate 512kbit
  tc class add dev eth1 parent 1:1 classid 1:2 htb rate 320kbit ceil 512kbit prio 1
  tc qdisc add dev eth1 handle 2: parent 1:2 sfq perturb 10 limit 84
  tc class add dev eth1 parent 1:1 classid 1:3 htb rate 64kbit ceil 256kbit prio 3
  tc qdisc add dev eth1 handle 3: parent 1:3 sfq perturb 10 limit 42
  tc class add dev eth1 parent 1:1 classid 1:4 htb rate 128kbit ceil 512kbit prio 2
  tc qdisc add dev eth1 handle 4: parent 1:4 sfq perturb 10 limit 84
  tc qdisc add dev eth0 root handle 1: htb default 4 r2q 5
  tc class add dev eth0 parent 1: classid 1:1 htb rate 512kbit
  tc class add dev eth0 parent 1:1 classid 1:2 htb rate 320kbit ceil 512kbit prio 1
  tc qdisc add dev eth0 handle 2: parent 1:2 sfq perturb 10 limit 84
  tc class add dev eth0 parent 1:1 classid 1:3 htb rate 64kbit ceil 256kbit prio 3
  tc qdisc add dev eth0 handle 3: parent 1:3 sfq perturb 10 limit 42
  tc class add dev eth0 parent 1:1 classid 1:4 htb rate 128kbit ceil 512kbit prio 2
  tc qdisc add dev eth0 handle 4: parent 1:4 sfq perturb 10 limit 84
   snip -- snip -- snip 
  
  I'm tagging packets with the netfilter CLASSIFY patch. I've got a
  user-defined chain in the mangle table and I redirect all traffic from the
  POSTROUTING chain into that and add rules like this:
  
  iptables -t mangle -N qos
  iptables -t mangle -A POSTROUTING -j qos
  
  and then these rules for the tc rules above:
  
   snip -- snip -- snip 
  iptables -t mangle -A qos -o eth1 -d 66.8.28.92/30 -j CLASSIFY --set-class 1:2
  iptables -t mangle -A qos -o eth1 -d 66.8.28.160/27 -j CLASSIFY --set-class 1:2
  iptables -t mangle -A qos -o eth1 -d 168.210.55.0/24 -j CLASSIFY --set-class 1:2
  iptables -t mangle -A qos -o eth1 -d 168.210.54.80/29 -j CLASSIFY --set-class 1:2
  iptables -t mangle -A qos -o eth1 -d 168.210.56.0/24 -j CLASSIFY --set-class 1:3
  iptables -t mangle -A qos -o eth1 -d 66.8.28.32/27 -j CLASSIFY --set-class 1:3
  iptables -t mangle -A qos -o eth0 -s 66.8.28.92/30 -j CLASSIFY --set-class 1:2
  iptables -t mangle -A qos -o eth0 -s 66.8.28.160/27 -j CLASSIFY --set-class 1:2
  iptables -t mangle -A qos -o eth0 -s 168.210.55.0/24 -j CLASSIFY --set-class 1:2
  iptables -t mangle -A qos -o eth0 -s 168.210.54.80/29 -j CLASSIFY --set-class 1:2
  iptables -t mangle -A qos -o eth0 -s 168.210.56.0/24 -j CLASSIFY --set-class 1:3
  iptables -t mangle -A qos -o eth0 -s 66.8.28.32/27 -j CLASSIFY --set-class 1:3
   snip -- snip -- snip 
  
  The class which is not shaping correctly is 1:3 - it has a rate of 64kbit
  and a ceil of 256kbit so it should be limited to 256kbit even if there is
  512kbit of traffic available.
  
  Any ideas what I did wrong or is this a bug?
  
  
 
 

-- 

Regards
 Abraham

But Officer, I stopped for the last one, and it was green!

___
 Abraham vd Merwe - Frogfoot Networks CC
 9 Kinnaird Court, 33 Main Street, Newlands, 7700
 Phone: +27 21 686 1665 Cell: +27 82 565 4451
 Http: http://www.frogfoot.net/ Email: [EMAIL PROTECTED]


RE: [LARTC] Need to modify WonderShaper 1.1

2003-09-22 Thread Patrick Nehls



I've done this exact thing a while back for my home setup. All you need to do is add
some U32 filters to dump that traffic into the high priority 1:10(?) class. For
VPN I just prioritize all traffic to that IP but I suppose you could set up a
filter to dump all GRE or PPTP/IPSEC traffic destined for that host into the 10
class. For mail and web just prioritize dport 80, 25, POP, or IMAP ports unless
you're using the layer7 filter...

Patrick

  
  -Original Message-
  From: Segree, Gareth [mailto:[EMAIL PROTECTED]
  Sent: Monday, September 22, 2003 9:29 AM
  To: '[EMAIL PROTECTED]'
  Subject: [LARTC] Need to modify WonderShaper 1.1

  I've been using the wondershaper 1.1 with much success. My problem is that I
  want to guarantee bandwidth to mail/VPN & web surfing and make sure that I
  don't break the existing script.
  If not, how do I make sure that I can guarantee bandwidth for mail, VPN & web
  surfing without hurting ftp uploads.

  Thanks 


[LARTC] Looking for good WS script

2003-09-22 Thread Sebastian A. Aresca
Hi, I made this script (Wonder Shaper modified) to accelerate www, Counter
Strike and some other ports.

Can anybody tell me what you think about it?

- My problem is with http downloads. The priority is for Counter Strike, but
when somebody starts downloading a file from http the ping lag goes up to 500.
- Something more: I can prioritize the DNS from the server (I am using a
dnscache).

Using Leaf Bering 1.2 (kernel 2.4.20)

Well, here it is, see it.

#!/bin/bash
# Wonder Shaper ADSL

##
# RATES

DOWNLINK=440
UPLINK=110
UPLINK90=100
UPLINK80=90
DEV=ppp0

##
# Clean qdisc

tc qdisc del dev $DEV root 2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null

iptables -t mangle -F PREROUTING

if [ "$1" = "stop" ]
then
    exit
fi

##
# Root class

tc qdisc add dev $DEV root handle 1: htb default 30
tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbit burst 6k

##
# Children classes

# Max priority for ACK and others
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbit \
   burst 2k prio 1

# Counter Strike
tc class add dev $DEV parent 1:1 classid 1:15 htb rate ${UPLINK90}kbit \
   burst 2k prio 3

# Port class
tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${UPLINK80}kbit \
   burst 2k prio 5

# Terminal class
tc class add dev $DEV parent 1:1 classid 1:30 htb rate ${UPLINK80}kbit \
   burst 2k prio 7

##
# SFQ

tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV parent 1:15 handle 15: sfq perturb 10
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10

##
# Filters

##
# Ports

# ICMP (ping)
tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
    match ip protocol 1 0xff flowid 1:10

# ACK (small TCP packets with only the ACK flag set)
tc filter add dev $DEV parent 1: protocol ip prio 10 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    match u8 0x10 0xff at 33 \
    flowid 1:10

# Telnet port 23
tc filter add dev $DEV parent 1: protocol ip prio 12 u32 \
    match ip dport 23 0xffff flowid 1:10

# DNS
#tc filter add dev $DEV parent 1: protocol ip prio 11 u32 \
#    match ip sport 53 0xffff \
#    match ip protocol 17 0xff \
#    flowid 1:10

# Port 80
tc filter add dev $DEV parent 1: protocol ip prio 20 u32 \
    match ip dport 80 0xffff flowid 1:20

# Counter Strike ports 2701x (packets carry fwmark 9, set below)
tc filter add dev $DEV parent 1: protocol ip prio 15 handle 9 fw \
    flowid 1:15

for port in 27010 27011 27012 27013 27014 27015 27016 27017 27018 27019
do
    iptables -t mangle -A PREROUTING -i eth0 -p udp --dport $port \
        -j MARK --set-mark 9
done

##
# Per terminal

#   wksWindowsXP
#   tc filter add dev $DEV parent 1: protocol ip prio 20 \
#   handle 4 fw flowid 1:30
#   iptables -t mangle -A PREROUTING -s 192.168.0.4 \
#   -j MARK --set-mark 4

##
# General (I don't use it)
tc filter add dev $DEV parent 1: protocol ip prio 20 u32 \
    match ip dst 0.0.0.0/0 flowid 1:30

##
# DOWNLOAD

tc qdisc add dev $DEV handle ffff: ingress

# filter *everything* to it (0.0.0.0/0), drop everything that's coming in
# too fast:

tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match 

Re: [LARTC] HTB in a bridge+trunk

2003-09-22 Thread Stef Coene
On Monday 22 September 2003 13:37, kristiadi himawan wrote:
 Dear All,

 Sorry if my question here was ever asked before by someone else.

 I have a configuration like this:
  |-trunking--|

 V  eth0 eth1  V
  router---bridge with htb---switch
 202.xx.xx.227

 #!/bin/bash
 tc qdisc del dev eth0 root handle 1:
 tc qdisc add dev eth0 root handle 1: htb default 10
 tc class add dev eth0 parent 1: classid 1:1 htb rate 32kbit ceil 32kbit
 tc class add dev eth0 parent 1:1 classid 1:10 htb rate 24kbit ceil 24kbit
 tc class add dev eth0 parent 1:1 classid 1:20 htb rate 8kbit ceil 8kbit
 tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst
 202.xx.xx.227 flowid 1:20

 I already patched the kernel and tc with htb3.6-020525.tgz from the htb website.

 Here is the result when there's traffic to 202.xx.xx.227: it should go to
 1:20, but it fills class 1:10 (red sign).

 ### eth0: queueing disciplines
 qdisc htb 1: r2q 10 default 10 direct_packets_stat 0
  Sent 584256 bytes 881 pkts (dropped 0, overlimits 1113)
  backlog 35p

 ### eth0: traffic classes
 class htb 1:1 root rate 32Kbit ceil 32Kbit burst 1639b cburst 14704b
  Sent 554186 bytes 846 pkts (dropped 0, overlimits 0)
  rate 3040bps 3pps
  lended: 0 borrowed: 0 giants: 0
  tokens: -7997 ctokens: 8145
 class htb 1:10 parent 1:1 prio 0 rate 24Kbit ceil 24Kbit burst 1629b cburst
 1629b Sent 584256 bytes 881 pkts (dropped 0, overlimits 0)
  rate 3040bps 3pps backlog 35p
  lended: 846 borrowed: 0 giants: 0
  tokens: -447876 ctokens: -447876
 class htb 1:20 parent 1:1 prio 0 rate 8Kbit ceil 8Kbit burst 1609b cburst
 1609b Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  lended: 0 borrowed: 0 giants: 0
  tokens: 1287999 ctokens: 1287999

 ### eth0: filtering rules
 filter parent 1: protocol ip pref 1 u32
 filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
 filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800
 bkt 0 flowid 1:20 match ca2ba0e3/ffffffff at 16


 Why, when I put htb on eth0 to filter class 1:20, does the shaping always go to
 the default class 1:10 and not the 1:20 class? The same problem occurs when I put
 htb on eth1. I already patched the kernel with the 3c95x vlan patch too.
 Any idea why the filter is not working properly, or do I need another patch to get
 u32 working in bridging+trunking, or must I replace the u32 filter with fwmark
 from ebtables?
See this faq entry (last line), maybe that's the solution :
http://www.docum.org/stef.coene/qos/faq/cache/41.html

Stef

-- 
[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.openprojects.net



Re: [LARTC] Couple of tc queries

2003-09-22 Thread Stef Coene
On Monday 22 September 2003 10:24, [EMAIL PROTECTED] wrote:
 Ok, so I'm working on a traffic shaping configuration to roll out for my
 employers. However I'm no wizard @ this and have a few concerns.

 My script (attached) is completely hacked on wondershaper. What I need to
 do differently from wondershaper is I need separate throttles for local and
 international traffic (I have a list of all the netblocks in my country).

 [QUERY 1]

 It's important for me to understand tc's rule matching properly: is the
 first matching rule taken or do multiple matches apply? At first I had
 duplicated all the rules for international and local traffic, with the
 rules for local traffic including a match ip dst $i for each local IP
 block. Now I match those addresses only and assign a flowid, which I make
 all my other rules children of- this will work?
First match is taken.  The prio parameter can be used to change the order the 
filters are matched.

 [QUERY 2]

 Ok, this is a strange one. In script attached you will find rules for
 TCP/ACK and ICMP matching, twice for local and international traffic. The
 rules for international traffic result in an illegal match unless I add
 them first in which case the local rules result in an illegal match-
 what am I doing wrong?
No idea.

 [QUERY 3]

 How slow is tc's matching? I need a few rules, for about 800 IP blocks. Is
 there a way for me to index this?
The u32 is a fast filter.

 [QUERY 4]

 In-bound filtering: How to filter at different rates for local 
 international traffic?
Incoming traffic can be rate limited with a policer attached to filters.  But 
this is not very powerful.  If you have a dedicated shaping box, you can 
shape on both interfaces.  Or you can try to patch your kernel and iptables 
binary so you can use the virtual IMQ device.

 [QUERY 5]

 At first I had assumed these rules only apply to packets being routed?-
 Having run this on our mailserver and having users complain about slow-down
 :D I now know this is not the case. Does some-one have an example of how to
 implement tc on a machine which is used to provide services to a local
 network as-well?
Adding a qdisc to an interface shapes the outgoing traffic.  It does not matter 
whether this is on a router or on a server.

Stef

-- 
[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.openprojects.net



Re: [LARTC] SNMP Monitoring of iproute / iptables

2003-09-22 Thread Stef Coene
On Monday 22 September 2003 07:02, Thomas Switala wrote:
 Howdy all,

 I am looking at getting some bandwidth stats from my qos system and I would
 like to pull them into a  system like Cacti. Are there any MIB's for
 iproute or
 iptables to monitor the bandwidth of each connection that is passing
 through my bandwidth manager.
I have some snmp scripts that you can use.  They are part of the GUI tar 
package that can be found on docum.org.  You can use them separately.  The 
problem is that they use the tc command to get the stats.  A direct approach 
(through the /proc file system or kernel calls) will be faster.

Stef

-- 
[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.openprojects.net

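The tc-based approach Stef describes, as an added example (not the docum.org scripts): a small shell parser that reads the per-class counters from `tc -s class show dev DEV` and prints them as the space-separated name:value pairs a Cacti data input script is expected to output. The SAMPLE text is constructed, modelled on the 2.4-era tc output quoted elsewhere in this digest; the class names and counters in it are made up for the test.

```shell
#!/bin/sh
# Added example (not Stef's docum.org scripts): turn `tc -s class show`
# output into Cacti "name:value" pairs.
# SAMPLE is constructed, modelled on the tc output quoted in this digest.
# The parser only relies on the "class ..." and "Sent ..." lines, which
# later tc versions print in the same shape (extra trailing fields such as
# "requeues" do not disturb it).

SAMPLE='class htb 1:1 root rate 32Kbit ceil 32Kbit burst 1639b cburst 14704b
 Sent 554186 bytes 846 pkts (dropped 0, overlimits 0)
 rate 3040bps 3pps
 lended: 0 borrowed: 0 giants: 0
 tokens: -7997 ctokens: 8145
class htb 1:10 parent 1:1 prio 0 rate 24Kbit ceil 24Kbit burst 1629b cburst 1629b
 Sent 584256 bytes 881 pkts (dropped 0, overlimits 0)
 rate 3040bps 3pps backlog 35p
 lended: 846 borrowed: 0 giants: 0
 tokens: -447876 ctokens: -447876
class htb 1:20 parent 1:1 prio 0 rate 8Kbit ceil 8Kbit burst 1609b cburst 1609b
 Sent 0 bytes 0 pkts (dropped 7, overlimits 3)
 lended: 0 borrowed: 0 giants: 0
 tokens: 1287999 ctokens: 1287999'

parse_class_stats() {
    # stdin: output of `tc -s class show dev DEV`
    # stdout: one line per class: "classid bytes pkts dropped overlimits"
    awk '
        $1 == "class" { cls = $3 }
        $1 == "Sent" {
            dropped = $7; sub(/,$/, "", dropped)   # "0,"  -> "0"
            over = $9;    sub(/\)$/, "", over)     # "0)"  -> "0"
            print cls, $2, $4, dropped, over
        }'
}

class_bytes() {
    # Bytes sent by one class, e.g.  class_bytes 1:10
    parse_class_stats | awk -v id="$1" '$1 == id { print $2 }'
}

cacti_line() {
    # Cacti parses "name:value" pairs separated by spaces, so the ':' in the
    # classid is replaced by '_' to keep each field name unambiguous.
    parse_class_stats | awk '{
        id = $1; gsub(/:/, "_", id)
        printf "%sc%s_bytes:%s c%s_drops:%s", (NR > 1 ? " " : ""), id, $2, id, $4
    } END { printf "\n" }'
}

# Stand-alone use: `sh this.sh eth0` polls the live device (needs tc);
# with no argument the constructed sample is used instead.
if [ $# -ge 1 ]; then
    tc -s class show dev "$1" | cacti_line
else
    printf '%s\n' "$SAMPLE" | cacti_line
fi
```

Cacti counts the byte fields as COUNTER data sources, so it derives the per-class rate from successive polls itself.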


Re: [LARTC] kernel change and htb

2003-09-22 Thread Stef Coene
On Monday 22 September 2003 12:20, Raghuveer wrote:
 Stef Coene wrote:
 On Tuesday 16 September 2003 15:22, Cezar Atanasiu wrote:
   Hello,
 
 I have a short and maybe stupid question for some:
 
   Will the way htb behaves change if I switch from 2.4.20 to 2.4.22 and
 if yes, how ? [ I mean, I know that 2.4.22 includes some patches for
 htb,
 not included in 2.4.20].
 
 Most of the updates are for bugs.  And if you really care, you can copy
  the file sch_htb.c from 2.4.20 to 2.4.22.

 Where can  I get this file sch_htb.c and all other htb related files...?
 Can I attach htb patch to 2.4.18 kernel...?
The sch_htb.c file can be found in the kernel source.

Stef

-- 
[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.openprojects.net



[LARTC] Proxy Server Routing - One last try

2003-09-22 Thread Daniel Chemko








Objective:

All web traffic originating from my proxy server should be forwarded through
interface eth2 instead of the default eth0. The reply should take the same path
back to the proxy server.

Problem:

On the return bout, the kernel doesn't pass the packet to the higher layers.
The reply seems to be getting tossed away between the PREROUTING and INPUT
Netfilter chains.

Host Setup:

Kernel Version:
2.4.22 with Netfilter base patches from CVS Sept. 10; Redhat 9 options w/all
Netfilter modules

Network Map:
eth0 --- Default Route, Default Internet Access
eth2 -|
eth3 -|- Alternative Internet Access
eth4 -|

Relevant Configuration:
- Squid proxy is set to use eth2_ip as its outgoing address

iptables -t mangle -A OUTPUT -m owner --uid-owner squid1 -p tcp --dport 80 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o eth2 --source ! eth2_ip -j DROP
ip rule add fwmark 1 table 100
ip route add default via eth2_gw src eth2_ip dev eth2 table 100

- Logs for mangle in, out, pre, post
- NAT / Filter tables are basically empty for this test

Results:

Sep 22 11:20:02 gw2 kernel: OUTPUT - IN= OUT=eth0 SRC="" DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26601 DF PROTO=TCP SPT=37984 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 

- Strange that the first round of routing didn't use the eth2_ip to force the
outgoing interface

Sep 22 11:20:02 gw2 kernel: POSTROUTING - IN= OUT=eth2 SRC="" DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26602 DF PROTO=TCP SPT=37984 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 

- Ok, it's looking better after the fwmark is processed

Sep 22 11:20:02 gw2 kernel: PREROUTING - IN=eth2 OUT= MAC=00:05:5d:64:9a:f2:00:00:77:92:56:92:08:00 SRC="" DST=eth2_ip LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=16723 PROTO=TCP SPT=80 DPT=37984 WINDOW=8190 RES=0x00 ACK SYN URGP=0

- IP_CONNTRACK detects SYN_RECV
- netstat detects SYN_SENT
- Kernel retries sending SYN until timeout
- So, it never reaches back up to the socket layer... I'm screwed


[LARTC] volunteers to patch tc ?

2003-09-22 Thread devik
Hi,

Would someone like to do some work and change tc to
add a packet overhead parameter to HTB? That is, if the size
is smaller than X then cap it to X.

Users want it but there is no time here :-\

---
Martin Devera aka devik
Linux kernel QoS/HTB maintainer
  http://luxik.cdi.cz/~devik/



[LARTC] IMQ Install Without Recompiling Kernel?

2003-09-22 Thread Walter D. Wyndroski



Is it possible to compile/install IMQ without 
recompiling the kernel?

Clarification: Is it possible to just compile 
IMQ into a module, much like compiling network drivers to work with the current 
running kernel, and then simply do a modprobe or insmod to insert 
it?

I am running RH9.0 with kernel 2.4.20-8smp and 
iptables-1.2.7a-2. I understand that I may/probably have to patch/recompile 
iptables. However, I am not in a position to recompile my running kernel. My 
organization, as do I, prefers using the stock kernels from RH with no custom 
recompilation of the kernel.

Thank you and regards,

Walt


  

  




[LARTC] Official RH kernel documents, and load balancing

2003-09-22 Thread carlosh
Hi:


I have an 'advanced-networking' problem. I want to have two interfaces to
the internet, apart from the internal one to the LAN.

I came across this page:
http://www.redhat.com/mirrors/LDP/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html


and Julian's patches for the kernel published here:
http://www.ssi.bg/~ja/
and the How-to: http://www.ssi.bg/~ja/nano.txt


So, I downloaded the patch:

routes-2.4.22-9.diff (December 14, 2001), and applied it to my 2.4 kernel...


The kernel re-compile part was fine, following the instructions in :

http://tldp.org/HOWTO/Kernel-HOWTO/


The issue is when I have to create a new initrd file.. it appears to create
a vmlinuz, not a bzImage as the kernel-howto document says.


So the new kernel does not boot...


Questions:

Has anyone done this?

I mean, having two connections to the Internet, using RH8.0 or RH 9.0, and
having them selecting (balancing) which interface to use to send packets
out, and receiving in either seamlessly and with NAT ?

I think this functionality should be built in and available, instead of
having to patch the kernel?

What would you guys recommend?


As for the initrd part, any suggestions? Is there an official RedHat
re-build kernel document?



Thanks beforehand,

Carlos
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


Re: [LARTC] Official RH kernel documents, and load balancing

2003-09-22 Thread Daniel Chemko




My kernel rebuilds:

1. Redhat Kernel Sources
# rpm -i kernel-source-<version>.rpm
# cd /usr/src/linux-<version>
# cp /boot/config-<oldversion> ./.config
# edit Makefile
Change EXTRAVERSION to the kernel version of your choice. If building
on the existing kernel, use the extra version defined for the
distribution. I highly discourage doing this unless you are only
compiling new modules into an existing kernel.
# make menuconfig
select your options
# make dep && make bzImage && make modules && make modules_install
# cp arch/<your arch>/boot/bzImage /boot/vmlinuz-<version>
Modify your boot loader to include the new kernel. For EXT3 kernels, you
need an extra step described below. RH8/9: /boot/grub/grub.conf

2. Kernel.org Sources
Same as above, but the first two steps are replaced with getting the
kernel.org sources into that directory (pretty simple).

Making EXT3 support:

# the initrd is a gzipped ext2 image; unpack it, loop-mount it and
# drop the new kernel's ext3/jbd modules into it
cd /boot/
mkdir tmp
cp initrd-<olderversion>.img initrd-<version>.gz
gunzip initrd-<version>.gz
mount -o loop initrd-<version> tmp
cd tmp/lib/
cp -f /lib/modules/<version>/kernel/fs/ext3/ext3.o .
cp -f /lib/modules/<version>/kernel/fs/jbd/jbd.o .
cd /boot
umount tmp
gzip initrd-<version>
mv initrd-<version>.gz initrd-<version>.img (you can leave this
as .gz as long as you change /boot/grub/grub.conf to look for the .gz
instead of the .img)

Alex wrote:

I'm not sure what the document says, but after make bzImage && make modules
&& make modules_install you can do a "make bzlilo" if you are using lilo as
your boot loader and it will copy vmlinuz to /boot, or just copy
/usr/src/linux/arch/i386/boot/bzImage to /boot and then configure lilo or
grub, whatever you have.

btw, if you do "make bzlilo" it will work even if you have grub installed
instead of lilo (it will copy the thing to /boot, but you will also see an
error about lilo.conf; nothing to worry about).

Alex

- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 23, 2003 12:09 AM
Subject: [LARTC] Official RH kernel documents, and load balancing


  
  
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
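The "Making EXT3 support" steps above as one script with the pre-flight checks a practitioner would want before touching /boot; this is an added example, not Daniel's script. It assumes Red Hat's initrd-<version>.img naming under /boot and modules under /lib/modules/<version>/kernel/fs/, needs root for the loop mount, and never modifies the original image.

```sh
#!/bin/sh
# Added example: wraps the EXT3 initrd steps from the post in a function
# with input checks. Assumes RH-style /boot/initrd-<version>.img names.
BOOT_DIR="${BOOT_DIR:-/boot}"
MODULES_DIR="${MODULES_DIR:-/lib/modules}"

# check_ext3_inputs OLD NEW: the old initrd and the NEW kernel's ext3.o and
# jbd.o must all exist before anything is written. Returns 0 when they do.
check_ext3_inputs() {
    old_img="$BOOT_DIR/initrd-$1.img"
    ext3="$MODULES_DIR/$2/kernel/fs/ext3/ext3.o"
    jbd="$MODULES_DIR/$2/kernel/fs/jbd/jbd.o"
    [ -f "$old_img" ] || { echo "missing $old_img" >&2; return 1; }
    [ -f "$ext3" ]    || { echo "missing $ext3" >&2; return 1; }
    [ -f "$jbd" ]     || { echo "missing $jbd" >&2; return 1; }
    return 0
}

# make_ext3_initrd OLD NEW: build initrd-NEW.img from initrd-OLD.img with
# the NEW kernel's ext3.o/jbd.o added; refuses to overwrite an existing
# initrd-NEW.img and leaves initrd-OLD.img untouched.
make_ext3_initrd() {
    check_ext3_inputs "$1" "$2" || return 1
    new="$BOOT_DIR/initrd-$2"
    if [ -e "$new.img" ]; then
        echo "$new.img exists, refusing to overwrite" >&2; return 1
    fi
    tmp=$(mktemp -d "$BOOT_DIR/initrd-tmp.XXXXXX") || return 1
    # uncompressed copy == the post's cp + gunzip
    gzip -dc "$BOOT_DIR/initrd-$1.img" > "$new" || return 1
    mount -o loop "$new" "$tmp" || return 1
    cp -f "$MODULES_DIR/$2/kernel/fs/ext3/ext3.o" "$tmp/lib/" &&
    cp -f "$MODULES_DIR/$2/kernel/fs/jbd/jbd.o" "$tmp/lib/"
    rc=$?
    umount "$tmp"
    rmdir "$tmp"
    [ "$rc" -eq 0 ] || return 1
    gzip "$new" && mv "$new.gz" "$new.img"
}

# usage: make-ext3-initrd.sh <oldversion> <newversion>
if [ "$#" -eq 2 ]; then
    make_ext3_initrd "$1" "$2"
fi
```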
  





Re: [LARTC] HTB in a bridge+trunk

2003-09-22 Thread Rio Martin
On Monday 22 September 2003 18:37, kristiadi himawan wrote:
 Dear All,
 Sorry if my question here was ever asked before by someone else.
 I have configuration like this :
  |-trunking--|
 V  eth0 eth1  V
  router---bridge with htb---switch
 202.xx.xx.227
 #!/bin/bash
 tc qdisc del dev eth0 root handle 1:
 tc qdisc add dev eth0 root handle 1: htb default 10
 tc class add dev eth0 parent 1: classid 1:1 htb rate 32kbit ceil 32kbit
 tc class add dev eth0 parent 1:1 classid 1:10 htb rate 24kbit ceil 24kbit

Watch out for the default parameter; from your script it goes to classid 1:10.
My suggestion, perhaps this is not right according to masters in this list (:
set the default to 0 (zero) until all settings are correct and your bandwidth
manager operates successfully, then define the default to the class you have set
for unclassified traffic.
CMIW

Salam dari Bandung, 
Rio Martin.
--
NOC Itenas-net.




___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


Re[2]: [LARTC] Limit number of connections

2003-09-22 Thread nuclearcat
Hello Rio,

Tuesday, September 23, 2003, 5:42:03 AM, you wrote:

Or you can use patch-o-matic connlimit + MARK.

This adds the CONFIG_IP_NF_MATCH_CONNLIMIT match, which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT


But I am not sure it is a performant solution.

RM On Monday 22 September 2003 21:21, Mihai Vlad wrote:
 Hello again,
 I have a router/nat linux box. I managed to create some HTB classes and
 everything is OK.
 When people are using download managers like FlashGet and DAP (multiple
 connection ones), the ceil limiting works okay,
 but the rate parameter is somehow useless... The guaranteed bandwidth is
 never reached.
 So what can I do to limit the number of connections/computer?
 I want to make sure that they do not use more than one connection for
 the download manager.
 Thanks in advance

RM Actually this is not a Bandwidth Limiter task;
RM this could be handled by your proxy, like Squid. Check the configuration
RM and enable the maxconn ACL for file types: .exe .tar.gz .zip .iso .. etc ..

RM - Rio.Martin -

RM ___
RM LARTC mailing list / [EMAIL PROTECTED]
RM http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



-- 
Best regards,
 Denis   mailto:[EMAIL PROTECTED]

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


Re: [LARTC] cbq

2003-09-22 Thread Stef Coene
On Sunday 21 September 2003 12:50, Paras pradhan wrote:
 hi :


 On one of my servers I have a shoutcast audio streaming server running at
 ports 8000 and 8001.

 Now my cbq rule in my gateway is as:

 DEVICE=eth1,100Mbit,10Mbit
 BOUNDED=yes
 ISOLATED=yes
 PRIO=5
 RATE=2Kbit
 WEIGHT=2Kbit
 RULE=:8000,x.x.x.3
 RULE=:8001,x.x.x.3

 --

 Now my question is, can the people from the internet not cross the 2Kbit limit
 of my uplink?


 What I want is, for example:
 I don't want the streaming to eat more than 2Kbit of my uplink bandwidth.

 What do I have to do?
2kbit is too low to shape.  Is eth1 your uplink?

And you use the cbq.init script.  This is not the mailing list for the 
cbq.init script.

Stef

-- 
[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.openprojects.net

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/