[LARTC] Precedence of iptables chain, local routing table and newly created routing table

2004-01-14 Thread kaiwen



Hi,

I have been trying out ip rule fwmark and iptables MARK.

I will show my testing in detail, but my ultimate question is why ONLY
marking in Mangle OUTPUT tables works, but not others?

Network Diagram

192.168.250.197 eth0 LINUX ROUTER eth1 192.168.8.88 -- 192.168.8.112 eth0 Windows XP Client

Steps (performed on LINUX ROUTER)
(1) Delete route to 192.168.8.0 from local routing table on
(2) Add route to 192.168.8.0 at table test2
(3) Mark packet with --set-mark 3 at MANGLE OUTPUT table
(4) Forward all packet marked 3 to table test2 using ip rule fwmark
(5) Do a ip ro flush cache
(6) Ping from 192.168.8.112 to 192.168.8.88 is successful


[EMAIL PROTECTED] webauth]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.250.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.250.254 0.0.0.0         UG    0      0        0 eth0

[EMAIL PROTECTED] webauth]# ip route show table test2
192.168.8.0/24 via 192.168.8.88 dev br0

[EMAIL PROTECTED] webauth]# iptables -t mangle -L
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere           MARK set 0x3

[EMAIL PROTECTED] webauth]# ip ru
0:      from all lookup local
32764:  from all fwmark 3 lookup test2
32766:  from all lookup main
32767:  from all lookup 253

I wish to know why is that ONLY marking at OUTPUT table works?
The network setup is for testing purpose, I wish to know the precedence
of iptables chains, local routing table and newly created table (e.g. test2)

Looking at the iptables chain diagram, my guess is MARKING at mangle INPUT
or mangle PREROUTING should work as well.
When packet comes off from wire, I mark it with 3 at mangle PREROUTING.
Since it is a ping to 192.168.8.88, it should be a local process.
Then the ping is successful. But from my testing, no.

Another possibility is packet is routed to test2 routing table after mangle
OUTPUT and before mangle POSTROUTING. I am getting confused :)

Please advise. Thank you

Kaiwen
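
An added illustration, not part of the original message: a small Python model of how the rule list quoted above is walked in priority order for a destination with and without fwmark 3. The "main" and "test2" routes are copied from the quoted output; the contents of the "local" table and the empty table 253 are assumptions, and the function names are hypothetical.

```python
import ipaddress

# Rules as printed by "ip ru" in the message: (priority, fwmark selector, table).
RULES = [(0, None, "local"), (32764, 3, "test2"),
         (32766, None, "main"), (32767, None, "253")]

# Routes as (prefix, description). "main" and "test2" come from the quoted
# output. The "local" entries are an assumption (the kernel keeps a local
# route for each address configured on the box); table 253 is assumed empty.
TABLES = {
    "local": [("192.168.250.197/32", "local"),
              ("192.168.8.88/32", "local"),
              ("127.0.0.0/8", "local")],
    "test2": [("192.168.8.0/24", "via 192.168.8.88 dev br0")],
    "main": [("192.168.250.0/24", "dev eth0"),
             ("127.0.0.0/8", "dev lo"),
             ("0.0.0.0/0", "via 192.168.250.254 dev eth0")],
    "253": [],
}


def best_route(table, dst):
    """Longest-prefix match inside one table; None if nothing covers dst."""
    addr = ipaddress.ip_address(dst)
    hits = []
    for prefix, how in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            hits.append((net, how))
    if not hits:
        return None
    net, how = max(hits, key=lambda h: h[0].prefixlen)
    return f"{net} {how}"


def lookup(dst, fwmark=0):
    """Walk the rules in priority order; the first table with a route wins."""
    for prio, mark, table in sorted(RULES, key=lambda r: r[0]):
        if mark is not None and mark != fwmark:
            continue  # fwmark selector does not match this packet
        route = best_route(table, dst)
        if route is not None:
            return prio, table, route
        # no route in this table: fall through to the next rule
    return None


if __name__ == "__main__":
    for dst, mark in [("192.168.8.112", 3), ("192.168.8.112", 0),
                      ("192.168.8.88", 3)]:
        print(dst, "fwmark", mark, "->", lookup(dst, mark))
```

A packet to 192.168.8.112 reaches table test2 only when it carries mark 3 at the moment the lookup runs; without the mark it falls through to the default route in main, and a destination owned by the box is resolved by rule 0 before the fwmark rule is consulted.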


[LARTC] Problems while mixing protocols

2004-01-14 Thread Mindaugas Riauba

  Hello,

  I'm trying to shape traffic by IP addresses and by 802.1q vlans.
But when I add an 802.1q filter, the filter output looks strange.

  Maybe I'm missing some options to TC?

  Thanks,

  Mindaugas

# ./bin/tc -s -d filter show dev eth0

filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800
bkt 0 flowid 1:10
  match d5e2b800/fe00 at 12
filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800
bkt 0 flowid 1:11
  match d5e28af0/fff8 at 12
filter parent 1: protocol ip pref 1 u32 fh 800::802 order 2050 key ht 800
bkt 0 flowid 1:11
  match d5e28af8/fffc at 12
filter parent 1: protocol ip pref 1 u32 fh 800::803 order 2051 key ht 800
bkt 0 flowid 1:200
  match d5e2a020/fffc at 12
filter parent 1: protocol ip pref 1 u32 fh 800::804 order 2052 key ht 800
bkt 0 flowid 1:300
  match d5e2a024/fffc at 12

# ./bin/tc filter add dev eth0 parent 1: protocol 802.1Q u32 match u16 5 0x0fff flowid 1:500

# ./bin/tc -s -d filter show dev eth0

filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 801::800 order 2048 key ht 801
bkt 0 flowid 1:500
  match 0005/0fff at 0
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800
bkt 0 flowid 1:10
  match d5e2b800/fe00 at 12
filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800
bkt 0 flowid 1:11
  match d5e28af0/fff8 at 12
filter parent 1: protocol ip pref 1 u32 fh 800::802 order 2050 key ht 800
bkt 0 flowid 1:11
  match d5e28af8/fffc at 12
filter parent 1: protocol ip pref 1 u32 fh 800::803 order 2051 key ht 800
bkt 0 flowid 1:200
  match d5e2a020/fffc at 12
filter parent 1: protocol ip pref 1 u32 fh 800::804 order 2052 key ht 800
bkt 0 flowid 1:300
  match d5e2a024/fffc at 12
filter parent 1: protocol 802.1Q pref 49152 u32
filter parent 1: protocol 802.1Q pref 49152 u32 fh 801: ht divisor 1
filter parent 1: protocol 802.1Q pref 49152 u32 fh 801::800 order 2048 key
ht 801 bkt 0 flowid 1:500
  match 0005/0fff at 0
filter parent 1: protocol 802.1Q pref 49152 u32 fh 800: ht divisor 1
filter parent 1: protocol 802.1Q pref 49152 u32 fh 800::800 order 2048 key
ht 800 bkt 0 flowid 1:10
  match d5e2b800/fe00 at 12
filter parent 1: protocol 802.1Q pref 49152 u32 fh 800::801 order 2049 key
ht 800 bkt 0 flowid 1:11
  match d5e28af0/fff8 at 12
filter parent 1: protocol 802.1Q pref 49152 u32 fh 800::802 order 2050 key
ht 800 bkt 0 flowid 1:11
  match d5e28af8/fffc at 12
filter parent 1: protocol 802.1Q pref 49152 u32 fh 800::803 order 2051 key
ht 800 bkt 0 flowid 1:200
  match d5e2a020/fffc at 12
filter parent 1: protocol 802.1Q pref 49152 u32 fh 800::804 order 2052 key
ht 800 bkt 0 flowid 1:300
  match d5e2a024/fffc at 12

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


Re: [LARTC] Bandwith Aggregation

2004-01-14 Thread Raúl Alexis Betancort Santana

I forgot to mention that I'm running Debian Sid, with kernel 2.6.1 patched 
with NANO patches and iproute2 with HTB support (but by now I'm not interested 
in classifying traffic, that will be later)



Re: [LARTC] Bridge + leased line + tc

2004-01-14 Thread Andy Furniss
On Tuesday 13 January 2004  4:15 pm, Wouter Coppens wrote:
 Hi,

 I can't get traffic shaping working.

 This is my situation:


   --
 Net1 - |router|   | TC | --- Net2
  leased line  --

  eth1eth0

 We use the leased line for normal traffic but also for synchronisation
 between 2 servers. The leased line is 2mbit. The synchronisation
 generates too much traffic and uses completely the 2mbit capacity of the
 leased line. This is no problem during night, but we want to limit the
 synchronisation traffic during day (or in other words: the sync-traffic
 should get the lowest priority and the other traffic can use up to
 2mbit).

 According to the documentation, you can only shape outgoing traffic. We
 took a PC (named TC) and put the network interfaces in bridge mode.
 The synchronisation happens from Net1 to Net2, so TC is after the leased
 line.
 Normally you would shape the outgoing traffic on eth0, but this doesn't
 work. We even tried to limit eth0 to 20kbit, but the synch-traffic
 completely fills the leased line and no other traffic gets through.

 We found a temporary fix by using IMQ with iptables:
 /sbin/tc qdisc del root dev imq0
 /sbin/tc qdisc add dev imq0 root handle 1: htb default 20
 /sbin/tc class add dev imq0 parent 1: classid 1:1 htb rate 2Mbit burst 6k
 /sbin/tc class add dev imq0 parent 1:1 classid 1:10 htb rate 64kbit ceil 787kbit
 /sbin/tc class add dev imq0 parent 1:1 classid 1:20 htb rate 2Mbit
 /sbin/tc qdisc add dev imq0 parent 1:10 handle 10: sfq perturb 10
 /sbin/tc qdisc add dev imq0 parent 1:20 handle 20: sfq perturb 10
 /sbin/tc filter add dev imq0 parent 1: protocol ip prio 18 u32 match ip dst 10.10.10.10 flowid 1:10
 (10.10.10.10 is ip of server in Net2).


 Is there a better way to give the sync-traffic the lowest priority? If
 somebody starts a download it should get 2mbit and the sync-traffic
 should get the rest (if any).

 We would like to upgrade to 2.6, but imq is not maintained. Any help?

IMQ has been ported to 2.6 http://www.digriz.org.uk/jdg-qos-script/

Andy.


Re: [LARTC] public subnet routing

2004-01-14 Thread Robert Kurjata
Hello PSC,

In your message dated 14 January 2004 (06:37:53) one can read:

P Just wondering if someone could answer this question for me.
P I would like to route public addresses only. There will be no firewall
P but maybe a few rules to deny certain types of traffic. Here is the
P configuration of the router.


P My provider gave me a /30 link to their router
P also they gave me a /25 network for my customers public ip's
P Their cisco router has static route entries for my public subnet

P The router has been configured as follows

P eth0 has been configured with :
P 205.95.67.102/30

P eth1 is configured as
P 209.95.45.1/25 and is the gateway for my customers.

just set properly your router default route :)

(guessing the gateway ip :)
ip ro add default via 205.95.67.103 dev eth0

and should work :) (works for me :)

P Beside ip_forwarding being enabled is there anything that I need to do
P so my customers can access the outside and the public to access their
P ip's.

P Thanks in advance for the help




-- 
Regards,
 Robert mailto:[EMAIL PROTECTED]



[LARTC] imq-patch for 2.4.24 kernel

2004-01-14 Thread Cord Buhlert
Hi,
is there an IMQ-patch available for kernel version 2.4.24?
If so, where can I get it?

greetz
cord



[LARTC] question about major:minor numbers

2004-01-14 Thread Cord Buhlert
Hi,
the documentation says [the major number of a class] must be unique
within a egress or ingress setup. The minor number must be unique within
a qdisc and his classes. 

What is meant by setup? Does that include all qdiscs attached to any
network device? Ie, if I have a qdisc attached to eth0 and another
attached to eth1, do the major numbers I use have to be different at all
or could I use the same number structure in eth0 and eth1? 

Short example to explain:
 tc qdisc add dev eth0 root handle 1: htb default 13
 tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbps...
 tc class add dev eth0 parent 1:1 classid 1:10 htb rate...
 ...
 
 tc qdisc add dev eth1 root handle 1: htb default 13
 tc class add dev eth1 parent 1: classid 1:1 htb rate 100kbps...
 tc class add dev eth1 parent 1:1 classid 1:10 htb rate...
 ...

Is this valid? Or do I have to use 2: instead of 1: in the second
part?

thanx
cb




Re: [LARTC] question about major:minor numbers

2004-01-14 Thread Andre Correa
Cord, you can use the same major numbers in different devices, no 
problem. You cannot have repeated minor numbers in the same device, but 
in different devices it is OK.

Note that sometimes using different major numbers may be a good idea, for 
example, when you are scripting this may help...

Andre

Cord Buhlert wrote:
Hi,
the documentation says [the major number of a class] must be unique
within a egress or ingress setup. The minor number must be unique within
a qdisc and his classes. 

What is meant by setup? Does that include all qdiscs attached to any
network device? Ie, if I have a qdisc attached to eth0 and another
attached to eth1, do the major numbers I use have to be different at all
or could I use the same number structure in eth0 and eth1? 

Short example to explain:
 tc qdisc add dev eth0 root handle 1: htb default 13
 tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbps...
 tc class add dev eth0 parent 1:1 classid 1:10 htb rate...
 ...
 
 tc qdisc add dev eth1 root handle 1: htb default 13
 tc class add dev eth1 parent 1: classid 1:1 htb rate 100kbps...
 tc class add dev eth1 parent 1:1 classid 1:10 htb rate...
 ...

Is this valid? Or do I have to use 2: instead of 1: in the second
part?
thanx
cb


Re: [LARTC] ingress policing

2004-01-14 Thread Andre Correa
Hi Vinh, I've noticed the same thing some months ago and couldn't figure 
out why. The workaround for this is to use half speed in your 
upload classes... It seems that it just happens to outgoing traffic 
(ingress or not).

Maybe someone else can explain it... I just figured out the same problem...

Andre



Vinh Nguyen wrote:
Hi,

I'm trying to police the incoming traffic by using ingress qdisc, this is what I have in my script

tc qdisc add dev eth0 handle : ingress

tc filter add dev eth0 parent : protocol ip prio 4 \
handle 1: u32 divisor 1
tc filter add dev eth0 parent : protocol ip prio 4 u32 \
match ip dport 4001 0x \
police rate 2000kbit burst 50k drop \
flowid 1:1
I'm sending a 9Mb traffic using iperf but noticed that the bandwidth at the receiving end is 4 MB instead of 2M. When I'm changing the police rate to 3MB, the traffic at the receiving end is 6MB. Any ideas why does this happen? Your help is greatly appreciated.

Vince





[LARTC] brige conf

2004-01-14 Thread ionut
Hi, I'm using a bridge for traffic control and now I have 300 users. The
problem is there is a large script for tc for incoming and outgoing
traffic, about 1300 lines. Everything is fine but it seems I lost 2ms on
the bridge. I ping from my machine (linux gateway) to my internet gateway,
an ATI router; my connection is at 100Mbit from my machine to the ATI. When
I'm not using the bridge everything is fine, I have 0.400ms.
I read something about HZ=100 but I don't understand what I need to do!
Any suggestion is welcome!
Thx guys








Re: [LARTC] htb+redhat7.3

2004-01-14 Thread Ricardo Soria
Hi there:

The original kernel included in RedHat 7.3 does *not*
include htb support.  You have to patch that kernel if
you want to use htb.  Visit
http://luxik.cdi.cz/~devik/qos/htb/ for further
instructions.

Good luck.

Ricardo Soria.



[LARTC] wich tools

2004-01-14 Thread Micha Witkowski
Hello
I have two DSL modems which are connected to my isp, in future my boss 
wants to buy another connection via DSL modem. Then i will have 3 DSL 
modems. With every DSL modem i get 3x8 IP`s (netmask 248) from my ISP, 
now i have question how to configure gateway which tools should i use. 
Because ip route and next hop via. which i use now makes his work fine 
but with new kernels there is an error in syslog route sent us 
somewhere else, and i think that with 3 DSL`s i will have problem 
(there can be situation when 1DSL is busy and 2DSL aren`t).
Greetings
Michal Witkowski



[LARTC] Any NISTNet alternative or fix ?

2004-01-14 Thread Marin Stavrev
Hi,

  I need to simulate (with a certain degree of control) common WAN
problems like packet loss/duplication, delay and conditions of limited
bandwidth. I found that NISTNet is what i need, but it seems the package
has not been updated since October, 2000.
  This is not really a problem as I found NISTNet runs perfectly with
Linux kernels up to 2.4.23 (officially 2.4.18 is the latest mentioned in
documentation).
  What then am I complaining about ? Well, it seems that NISTNet is
intercepting IP packets before the conntrack can do its job in the
PREROUTING phase. So if you are doing SNAT or DNAT on the same machine
where NISTNet is running, you can not use the de-NATed IP addresses to
build rules.

I certainly can find solution to this problem by altering my test topology
and tweaking a little bit network configuration, but still the question
remains: Is there any fresh substitute for what NISTNet does ?




Re[2]: [LARTC] Bandwith Aggregation

2004-01-14 Thread Robert Kurjata
Hello Raúl,

In your message dated 14 January 2004 (10:35:01) one can read:

RABS On Tuesday, 13 January 2004 19:36, Robert Kurjata wrote:
 For the start read my posting from 15th Oct 03 as an working example.

RABS  I have just a question about your script (I found it on the archives)...

RABS I have 3 DSL lines, like you, but all of them are connected to a switch and
RABS then to my eth1 interface on which I have 3 public ip's and 2 public ip's
RABS ranges, let me try to draw it.


RABS DMZ Zone
RABS   |
RABS   eth3
RABS DSL1\   |
RABS DSL2 - - Switch - eth1 [Linux Box] - eth0 -Switch - LAN
RABS DSL3 /  |
RABSeth2
RABS   |
RABS   LDMS

RABS What I need is to send all SMTP/POP3 traffic through DSL1, and the rest of
RABS traffic through a load balancing between DSL2 and DSL3 giving preference
RABS on DSL3 over DSL2 (moreover because DSL3 it's a 2Mbits symmetric line with the
RABS local cable company, and DSL2 it's a ADSL 256Kbit), but if DSL1 fails, the
RABS SMTP/POP3 traffic should go out by any of the other interfaces, also if DSL2
RABS or DSL3 get out, rest of traffic should go by DSL1.

RABS The LDMS link its used only for IPSec tunnels and should never be used for
RABS normal traffic.

DSL1 - ADSL 256 with a /30 public range on the ethernet side.
DSL2 - ADSL 256 in bridge mode, so I have it's public IP on my side.
DSL3 - Cable 2Mbit with a /30 public range on the ethernet side.

RABS By now I only have setup a simple link with it's gateway using DSL1 for all
RABS traffic, and I've been unable to do that if a ssh connection (for example)
RABS reach eth1 by DSL3 or reach eth2 by LDMS and get answered by the same link.

Multipath with load balancing is in my script. If you use it (just try
to adapt to 3 links) your host will be reachable at all addresses.
Adding special rules with firewall mark and dedicated routing tables
for classified traffic will give you what you want.

But later you will have a problem when you go to the traffic shaping
(and I think sooner or later you will) TC does not accept aliases on
interfaces :(


RABS May someone give me a hint on what I'm doing wrong or what must I do to get it
RABS working.

RABS Best regards



-- 
Regards,
 Robert



Re: [LARTC] wich tools

2004-01-14 Thread Robert Kurjata
Hello Michal,

In your message dated 14 January 2004 (20:42:22) one can read:

MW Hello
MW I have two DSL modems which are connected to my isp, in future my boss
MW wants to buy another connection via DSL modem. Then i will have 3 DSL
MW modems. With every DSL modem i get 3x8 IP`s (netmask 248) from my ISP,
MW now i have question how to configure gateway which tools should i use.
MW Because ip route and next hop via. which i use now makes his work fine
MW but with new kernels there is an error in syslog route sent us 
MW somewhere else, and i think that with 3 DSL`s i will have problem
MW (there can be situation when 1DSL is busy and 2DSL aren`t).
MW Greetings
MW Michal Witkowski

I have 3 uplinks, kernel 2.4.22+patch-o-matic+htb+esfq+julian's routes
patch working load balancing and have no problems :)

Classic configuration.

Maybe something with missing patches?


-- 
Regards,
 Robert



Re: [LARTC] sum of child rates exceeds parent rate

2004-01-14 Thread Stef Coene
On Tuesday 13 January 2004 23:58, [EMAIL PROTECTED] wrote:
   Wow wow, wait !
 
  Ok :)
 
   you can have 100 child classes in a sum of 100Megs, root class equal
   10Megs.
   the sum of all child classes will be 10Megs, and no more (if
 
  you ceil root
 
   rate to 10Megs it at htb)
 
  Wrong.  The configured rate of a class is _always_ satisfied.
  If you have a
  100M link, a parent class ceiled to 10M and 100 classes with
  rate = 1M, each
  class will get 1M.  So together they will get 100M.  And even if
  that is more
  than the ceil of the parent.
  So you can overlimit a parent class.

 Well, i must practice that.
 I've always thought that root/parent queue tell lower queues to start
 dropping packets.
It's the other way around.  The class needs a token to send a packet.  As long 
as the class has tokens, it can send packets.  If the class has used all his 
tokens, it asks the parent if he has tokens left.

 Sure, you must be right, the queues will be told to drop packets, but they
 will not do it unless they get their typed rate.
Think about a bucket with tokens, not rate:
bucket size = burst
rate of new token entering bucket = rate
1 token = 1 packet
(this is for rate and ceil)

 So if any of my 100 queues have 1Mbit traffic, then lower queues will start
 to drop anything that is above 1Mbit for each queue individually.
Yes.

 So we overlimit 10Mbit ceil about 10 times (in special case).
Yes.

Stef

-- 
[EMAIL PROTECTED]
 Using Linux as bandwidth manager
 http://www.docum.org/
 #lartc @ irc.openprojects.net
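
The token accounting described in this reply, as an added Python illustration (a toy model written for this page, not HTB's kernel code and not from the thread). It assumes each bucket holds one tick's worth of tokens, 1 token = 1 packet, and every active class always has packets waiting; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class HtbClass:
    rate: int                      # tokens added to the rate bucket per tick
    ceil: int                      # tokens added to the ceil bucket per tick
    parent: Optional["HtbClass"] = None
    tokens: int = 0                # rate bucket (may go negative for a parent)
    ctokens: int = 0               # ceil bucket
    sent: int = 0

    def refill(self) -> None:
        # Assumption: bucket size (burst) equals one tick's worth of tokens.
        self.tokens = min(self.rate, self.tokens + self.rate)
        self.ctokens = min(self.ceil, self.ctokens + self.ceil)

    def find_lender(self) -> Optional["HtbClass"]:
        """Return the class whose rate tokens pay for the next packet."""
        node = self
        while node is not None:
            if node.ctokens < 1:   # this level is at its ceil: cannot send
                return None
            if node.tokens >= 1:   # tokens available here: no need to go up
                return node
            node = node.parent     # out of own tokens: ask the parent
        return None

    def send(self) -> bool:
        lender = self.find_lender()
        if lender is None:
            return False
        node, at_or_above_lender = self, False
        while node is not None:    # charge the packet up the tree
            at_or_above_lender = at_or_above_lender or node is lender
            if at_or_above_lender:
                node.tokens -= 1
            node.ctokens -= 1
            node = node.parent
        self.sent += 1
        return True


def packets_per_tick(parent_rate, child_rate, child_ceil,
                     n_children, n_active, ticks=10):
    """Average packets sent per tick by all children under one parent."""
    root = HtbClass(rate=parent_rate, ceil=parent_rate)
    kids = [HtbClass(rate=child_rate, ceil=child_ceil, parent=root)
            for _ in range(n_children)]
    for _ in range(ticks):
        for cls in [root] + kids:
            cls.refill()
        progress = True
        while progress:            # round-robin until nobody can send
            progress = False
            for kid in kids[:n_active]:
                progress |= kid.send()
    return sum(k.sent for k in kids) / ticks


if __name__ == "__main__":
    # 100 children with rate 1 under a parent ceiled at 10 (the thread's case)
    print(packets_per_tick(10, 1, 1, 100, 100))
    # child rates sum to the parent rate; one active child borrows the rest
    print(packets_per_tick(10, 1, 10, 10, 1))
```

In the first case a child with its own tokens never consults the parent, so the total is ten times the parent's ceil; in the second the single active child sends one packet on its own rate and borrows nine from the parent.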



Re:[LARTC] simple(?!?) source routing

2004-01-14 Thread andybr
Hi all,

This is easy. First let ppp0 as your default gateway and
use iproute to create a table called any name you want and
then you put ppp1 default route inside that table. After
that you have to create a rule to put the host you would
like inside it and don't forget to put a rule in the
iptables saying that everything going out via ppp1 SNAT
--to IP_PPP1_EXTERNAL. ;)

[]´s
Anderson


 Hi,

 I've set up a Linux box with redhat on to act as an internet gateway and
 I'm running into a few problems.  Its got two adsl modems connected to it,
 both connected to separate 512kbs lines.  Now I've followed the simple
 source routing in the advanced routing howto to the letter but it doesn't
 work.

 I've got it autoconnecting on startup and redhat puts ppp1 as the default
 gateway, this is then setup for masquerading for the entire network.
 Therefore I've tried setting up ppp0 as the default gateway for only one
 computer (10.0.0.11), as it says at
 http://lartc.org/howto/lartc.rpdb.html#LARTC.RPDB.SIMPLE I've done
 everything it says there and im 99% sure I've put the right ip addresses
 in etc.  When I've gone through it that computer is no longer able to
 access the net (the rest of the network is unaffected).

 I'm pretty sure its the way ppp0 is configured, if I set it up so
 10.0.0.11 uses ppp1 instead of ppp0 (ip rule add default via
 xxx.xxx.xxx.xxx dev ppp1 table chris) it works fine but obviously there's
 no point in that.

 Hope all this makes sense to someone, it barely does to me.  Many thanks
 in advance.

 Chris

