[LARTC] Re: where is ipt_layer.h
Hi Matthew,

I did not understand. Is that what you are saying, that I need to use only one of the patches?

iptables-1.2.9-layer7-0.4.1.patch
This above patch is for marking the packets with iptables, right?

layer7-kernel2.4patch-qos-0.4.1b
This patch is for tc to work with layer 7 applications.

So what am I doing wrong? OK, take an example. I re-did my setup like below:

extract new kernel
extract iptables source
extract pom

I have just patched only iptables with the layer7 patch (iptables-1.2.9-layer7-0.4.1.patch), then I patched the kernel with POM.

make mrproper
make menuconfig  -- here I am not able to see the options mentioned in the docs ("Layer 7 match support" and "Child Level match support".)
make dep
make bzImage
make modules
make modules_install
make install

Rebooted with the new kernel. I am not able to mark packets using iptables; I am getting the following error:

iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 1
iptables v1.2.9: Couldn't load match `layer7':/usr/local/lib/iptables/libipt_layer7.so: cannot open shared object file: No such file or directory

When I try to compile manually, I am getting "ipt_layer7.h not found":

cc -O2 -Wall -Wunused -I/usr/src/linux-2.4.22-1.2115.nptl/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.9\" -fPIC -o extensions/libipt_layer7_sh.o -c extensions/libipt_layer7.c
extensions/libipt_layer7.c:21:45: linux/netfilter_ipv4/ipt_layer7.h: No such file or directory
extensions/libipt_layer7.c:52: warning: `struct ipt_layer7_info' declared inside parameter list
extensions/libipt_layer7.c:52: warning: its scope is only this definition or declaration, which is probably not what you want
extensions/libipt_layer7.c: In function `parse_protocol_file':
extensions/libipt_layer7.c:84: error: `MAX_PROTOCOL_LEN' undeclared (first use in this function)

Any suggestion? Is the procedure I am doing correct? Correct me, give me the right procedure.

hare

- Original Message -
From: "Matthew Strait" <[EMAIL PROTECTED]>
To: "hare ram" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, February 02, 2004 8:17 PM
Subject: Re: where is ipt_layer.h

> > i am using the following things
> >
> > iptables-1.2.9-layer7-0.4.1.patch
> > layer7-kernel2.4patch-qos-0.4.1b
>
> You are using the QoS version of the kernel patch and the Netfilter
> (iptables) version of the userspace patch. You need to either use QoS
> with iproute2 or Netfilter with iptables.
>
> -matthew

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
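The mismatch Matthew points out can be caught before running make: the netfilter flavour of the kernel patch provides the header that libipt_layer7.c fails to find, while the QoS flavour drops net/sched/cls_layer7.c into the tree (visible in the patch output later in this thread). This check is an added example, not something from the thread or the layer7 project; the ipt_layer7.h path comes from the compiler error above, the cls_layer7.c path from the patch log, and the sample trees are constructed.

```shell
#!/bin/sh
# Added example: tell which flavour of the layer7 patch a 2.4 kernel tree
# carries BEFORE building the iptables userspace extension against it.
#   netfilter flavour -> include/linux/netfilter_ipv4/ipt_layer7.h (from the error)
#   QoS flavour       -> net/sched/cls_layer7.c (from the patch output)

layer7_flavour() {
    kdir="$1"
    has_nf=0; has_qos=0
    [ -f "$kdir/include/linux/netfilter_ipv4/ipt_layer7.h" ] && has_nf=1
    [ -f "$kdir/net/sched/cls_layer7.c" ] && has_qos=1
    if [ "$has_nf" = 1 ] && [ "$has_qos" = 1 ]; then echo both
    elif [ "$has_nf" = 1 ]; then echo netfilter
    elif [ "$has_qos" = 1 ]; then echo qos
    else echo none
    fi
}

# Returns 0 only when the tree has what iptables-1.2.9-layer7 needs,
# i.e. the netfilter header; a QoS-only tree yields the "No such file" error.
check_iptables_layer7_build() {
    case "$(layer7_flavour "$1")" in
        netfilter|both) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample trees so the script can be exercised offline.
# make_tree <root> nf|qos|none
make_tree() {
    mkdir -p "$1/include/linux/netfilter_ipv4" "$1/net/sched"
    [ "$2" = nf ] && : > "$1/include/linux/netfilter_ipv4/ipt_layer7.h"
    [ "$2" = qos ] && : > "$1/net/sched/cls_layer7.c"
    return 0
}

# Usage on a real tree: sh layer7check.sh /usr/src/linux-2.4.22-1.2115.nptl
if [ $# -gt 0 ]; then
    layer7_flavour "$1"
fi
```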
Re: [LARTC] layer7-filter with iptables problem
Hi,

Thanks for the quick reply. I am using the following things:

iptables-1.2.9-layer7-0.4.1.patch
layer7-kernel2.4patch-qos-0.4.1b

I did the procedure:

[EMAIL PROTECTED] linux-2.4.22-1.2115.nptl]# patch -p1 < /root/update/layer7-kernel2.4patch-qos-0.4.1b
patching file Documentation/Configure.help
Hunk #1 succeeded at 10626 (offset 283 lines).
patching file include/linux/netfilter_ipv4/ip_conntrack.h
Hunk #1 succeeded at 190 (offset 1 line).
patching file include/linux/pkt_cls.h
patching file net/ipv4/netfilter/Config.in
patching file net/sched/Config.in
patching file net/sched/Makefile
patching file net/sched/cls_api.c
patching file net/sched/cls_layer7.c
patching file net/sched/regexp/regerror.c
patching file net/sched/regexp/regexp.c
patching file net/sched/regexp/regexp.h
patching file net/sched/regexp/regmagic.h
patching file net/sched/regexp/regsub.c
[EMAIL PROTECTED] linux-2.4.22-1.2115.nptl]#
[EMAIL PROTECTED] linux-2.4.22-1.2115.nptl]#

iptables patching:

[EMAIL PROTECTED] iptables-1.2.9]# patch -p1 < ../iptables-1.2.9-layer7-0.4.1.patch.1
patching file extensions/.childlevel-test
patching file extensions/.layer7-test
patching file extensions/libipt_childlevel.c
patching file extensions/libipt_layer7.c
patching file iptables.8

chmod +x extensions/.layer7-test extensions/.childlevel-test
make KERNEL_DIR=/usr/src/linux-2.4.22-1.2115.nptl
make install KERNEL_DIR=/usr/src/linux-2.4.22-1.2115.nptl

I am not able to find the ipt_layer.h file, and I am not able to see the menus when I run:

make menuconfig

hare

- Original Message -
From: "Nabil SEFRIOUI" <[EMAIL PROTECTED]>
To: "hare ram" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, February 03, 2004 8:38 AM
Subject: Re: [LARTC] layer7-filter with iptables problem

try patching and installing kernel before iptables

On Monday, 02 February 2004 07:05, hare ram wrote:
> Hi
>
> I am running FEDORA,
>
> I have installed the source of iptables 1.2.9 with the layer7-iptables patch;
> the patch was done without any errors
>
> and I applied the layer 7 patch to the kernel
>
> and I have selected the required option by doing
>
> make menuconfig
> done
>
> make dep
> make bzImage
> make modules
> make modules_install
> make install
>
> and rebooted with the custom kernel
>
> when I type
>
> iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j
> MARK --set-mark 1
> iptables v1.2.9: Couldn't load match
> `layer7':/usr/local/lib/iptables/libipt_layer7.so: cannot open shared
> object file: No such file or directory
>
>
> when I try to do a manual compile, I am getting this error
>
> cc -O2 -Wall -Wunused -I/usr/src/linux-2.4.22-1.2115.nptl/include
> -Iinclude/ -DIPTABLES_VERSION=\"1.2.9\" -fPIC -o
> extensions/libipt_layer7_sh.o -c extensions/libipt_layer7.c
>
>
> extensions/libipt_layer7.c:21:45: linux/netfilter_ipv4/ipt_layer7.h:
> No such file or directory
> extensions/libipt_layer7.c:52: warning: `struct ipt_layer7_info'
> declared inside parameter list
> extensions/libipt_layer7.c:52: warning: its scope is only this
> definition or declaration, which is probably not what you want
> extensions/libipt_layer7.c: In function `parse_protocol_file':
> extensions/libipt_layer7.c:84: error: `MAX_PROTOCOL_LEN' undeclared
> (first use in this function)
> extensions/libipt_layer7.c:84: error: (Each undeclared identifier is
> reported only once
> extensions/libipt_layer7.c:84: error: for each function it appears
> in.)
> extensions/libipt_layer7.c:87: error: dereferencing pointer to
> incomplete type
> extensions/libipt_layer7.c:87: error: dereferencing pointer to
> incomplete type
> extensions/libipt_layer7.c:87: error: dereferencing pointer to
> incomplete type
> extensions/libipt_layer7.c:93: error: `MAX_PATTERN_LEN' undeclared
> (first use in this function)
> extensions/libipt_layer7.c:95: error: dereferencing pointer to
> incomplete type
> extensions/libipt_layer7.c:95: error: dereferencing pointer to
> incomplete type
> extensions/libipt_layer7.c:95: error: dereferencing pointer to
> incomplete type
> extensions/libipt_layer7.c: At top level:
> extensions/libipt_layer7.c:219: warning: `struct ipt_layer7_info'
> declared inside parameter list
> extensions/libipt_layer7.c: In function `parse_layer7_protocol':
> extensions/libipt_layer7.c:246: warning: passing arg 3 of
> `parse_protocol_file' from incompatible pointer type
> extensions/libipt_layer7.c:264: error: dereferencing pointer to
> incomplete type
> extensions/libipt_layer7.c:264: error: `MAX_PATTERN_LEN' undeclared
> (first use in this function)
> extensions/libipt_layer7.c:264: error: dereferencing pointer to
> incomplete type
> extensions/libipt_layer7.c:264: error: dereferencing pointer to
> incomplete type
> extensions/libipt_layer7.c:264: error: dereferencing pointer to
> incomplete type
> extensions/libipt_layer7.c:264: error: dereferencing pointer to
> incomplete type
> extensions/libipt_layer7.c:264: error: dereferencing pointer to
> incomplete type
> exte
[LARTC] wondershaper
Hi,

I just installed wondershaper 1.1a on my IPCop firewall box. I have Road Runner cable with an FTP server set up. My download speed is 2mbit (I get 225 KBytes) and my upload is 384kbit (I send at 43 KBytes). What should the settings in wshaper be?

I can ping yahoo.com at 90msec with little traffic and at around 220msec with full upload traffic.

Mark
Re: [LARTC] Jim diGriz's QoS Script
Alexander Clouter wrote:

> Well it's being maintained by me if that's what you are asking :)
> However most of the people here 'poo-poo' it so do not expect much help from them :-/
> So much for my contribution to the OSS world...pah...every man to themselves.

How could they :-)

To LinuX_Kid, re your imq post - if you use the patches in Alexander's binaries package you only have to change the first one slightly (IIRC) - anyway I'm using the first four on 2.4.24 now - I don't know about the p2p one. I don't use it as it needs connmark and I wanted to play with connbytes, and they don't get on.

These work for me:

www.jessingale.dsl.pipex.com/01_linux-2.4.24-imq-1.diff
www.jessingale.dsl.pipex.com/02_netfilter-imq-patch-2.4.24.diff
www.jessingale.dsl.pipex.com/03_linux-2.4.24-imq-nat-support.diff
www.jessingale.dsl.pipex.com/04_linux-2.4.24-esfq.diff

I think I only changed 01, so they are basically Alexander's with the numbers changed :-)

I managed to get esfq to head drop - but that's the normal one, I am still waiting for mine to go bang, which it probably will soon.

There's going to be an imq site and sf page soon; also roy has a rewritten version. There's a different patch for 2.4.24 here: http://imq.hiperlinks.com.br/ I didn't have to do that much, which is a bit worrying :-)

Andy.
Re: [LARTC] Private Address Routing via Tunnels
On Monday, 02 February 2004, at 11:26:48 +, Alan Ford wrote:
> They can route from the public to the private blocks, because they get to
> the router and the router knows to send it down the IPIP tunnel. But how
> can I configure the router at the other end to know to send responses
> from the private block to the public block down the tunnel? I think that's
> what I am needing to do here, does that make sense?

Traditional routing is always based solely on the destination IP address of packets arriving at a router. With Linux policy routing you can route based on both destination and source IP address, and on more parameters, for example any parameter selectable via iptables.

The router on the other end already has a working routing table, built from the IP addresses of each interface and the static routes you should have added manually. If the router on the other end doesn't know how to route packets back to the other router, then the routing table on the distant router is not correct.

As the two internal networks are far away and connected by a tunnel using public IP addressing, I guess what is missing in the remote router is a route that sends traffic directed to the other private network through the tunnel. Exactly the same as you seem to have done on your "local" router to make traffic directed to the remote LAN be encapsulated through the IPIP tunnel.

Just for completeness, in this setup I don't think policy routing (based on source IP addresses) is the correct way to handle the problem.

Greetings.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.6.2-bk3)
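The symmetric setup Jose describes for Alan's question (this reply and Alan's mail further down), as an added example that is not part of the thread: each end of the IPIP tunnel needs a route for every remote block that must be reachable through it, the remote private LAN and the remote public block, otherwise replies from the private side leave by the default route. All addresses, interface names and the APPLY switch are constructed; the default only prints the ip(8) commands.

```shell
#!/bin/sh
# Added example: both ends of an IPIP tunnel with routes for the remote
# private LAN AND the remote public block. Without the second route on the
# far router, replies from its private hosts to the near public block
# follow the default route and never reach the tunnel.
# Addresses are constructed (RFC 5737 documentation ranges plus 10/8).

A_END=198.51.100.1; A_PRIV=10.1.0.0/16; A_PUB=203.0.113.0/24
B_END=198.51.100.2; B_PRIV=10.2.0.0/16; B_PUB=192.0.2.0/24
TUN=tun0

# Print the command unless APPLY=1 (running ip(8) needs root).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# tunnel_site <local_end> <remote_end> <remote_priv> <remote_pub>
tunnel_site() {
    run ip tunnel add "$TUN" mode ipip local "$1" remote "$2" ttl 64
    run ip link set "$TUN" up
    run ip route add "$3" dev "$TUN"   # remote private LAN
    run ip route add "$4" dev "$TUN"   # remote public block (the missing piece)
}

site_a() { tunnel_site "$A_END" "$B_END" "$B_PRIV" "$B_PUB"; }
site_b() { tunnel_site "$B_END" "$A_END" "$A_PRIV" "$A_PUB"; }

# has_return_route <site_fn> <block>: does that site's configuration send
# <block> through the tunnel? Use it to review both sides before applying.
has_return_route() { "$1" | grep -q "^ip route add $2 dev $TUN\$"; }

# Usage: sh ipip-routes.sh a   (or b) to print one side's commands.
if [ "${1:-}" = a ]; then site_a; elif [ "${1:-}" = b ]; then site_b; fi
```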
Re: [LARTC] Jim diGriz's QoS Script
Well it's being maintained by me if that's what you are asking :)
However most of the people here 'poo-poo' it so do not expect much help from them :-/
So much for my contribution to the OSS world...pah...every man to themselves.

/me goes back to his ppp-pipe

have fun

Alex

On Feb 02, ThE LinuX_KiD wrote:
> Hi
>
> Does somebody know what has happened with
> Jim diGriz's QoS Script web page?
>
> www.digriz.org.uk/jdg-qos-script
>
> Regards

--
Flee at once, all is discovered.
[LARTC] Jim diGriz's QoS Script
Hi,

Does somebody know what has happened with Jim diGriz's QoS Script web page?

www.digriz.org.uk/jdg-qos-script

Regards
RE: [LARTC] limiting p2p
Interesting!! Did you try it with 2.4? Or 2.6?

-> -Original Message-
-> From: Esteban Ribicic [mailto:[EMAIL PROTECTED]
-> Sent: Monday, 02 February 2004 08:11 p.m.
-> To: 'ThE PhP_KiD'
-> Subject: RE: [LARTC] limiting p2p
->
-> Did you try layer 7 matching?
->
-> -Original Message-
-> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of ThE PhP_KiD
-> Sent: Monday, February 02, 2004 3:28 PM
-> To: lartc; Michal Kustosik
-> Subject: RE: [LARTC] limiting p2p
->
-> Hi Michal.
->
-> Now I'm testing the ipt_ipp2p netfilter third-party module.
-> You can reach it at:
-> http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html
->
-> At the moment I've no problems with it.
-> (It works well)
->
-> But I haven't tested the ipt_ipp2p module strongly
-> with a large LAN
->
-> regards
->
-> Andres.
->
-> -> ok ;) I have done the same some time ago ;)
-> ->
-> -> But I'm interested what is wrong with ipt_p2p or something, that icmp
-> -> works badly when using ipt_p2p... Anybody know ?!? Has anybody run
-> -> ipt_p2p with no problems ?
-> ->
-> -> best...
-> -> --
-> -> michal
[LARTC] IMQ update ?
Hello,

I'm trying the excellent IMQ patch for iptables and kernel 2.4.21 and it works very well... but is there an IMQ patch for 2.4.24? I've tested IMQ for kernels > 2.4.21 but the patch fails!

Best regards
andres
RE: [LARTC] limiting p2p
Hi Michal.

Now I'm testing the ipt_ipp2p netfilter third-party module. You can reach it at:
http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html

At the moment I've no problems with it. (It works well.)

But I haven't tested the ipt_ipp2p module strongly with a large LAN.

regards

Andres.

-> ok ;) I have done the same some time ago ;)
->
-> But I'm interested what is wrong with ipt_p2p or something, that
-> icmp works badly when using ipt_p2p... Anybody know ?!?
-> Has anybody run ipt_p2p with no problems ?
->
-> best...
-> --
-> michal
RE: [LARTC] FW: QoS extension to Net-SNMP
Michal Charvat wrote:
> But as I see your output I have one question. Do you have x86
> platform? I didn't try that on other than x86 and there can be
> problem with __u32 interpretation.

No, it's all x86. Anyway, I think I've solved the problem - the numbers I've got out of SNMP and converted to major:minor values are in base 10, whereas tc apparently uses hexadecimal for class IDs. Of course, no-one bothered to tell me this when I was introduced to tc. :-) (Thanks to Stef Coene for unwittingly pointing this out to me via his scripts.)

S.
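The conversion behind that answer, as an added example that is not from the thread: a tc handle is a 32-bit value whose high 16 bits are the major number and low 16 bits the minor, and tc prints both halves in hexadecimal, so a raw __u32 read via SNMP must be split and hex-formatted before it can be matched against `tc class show`. The helper names and the sample values are constructed.

```shell
#!/bin/sh
# Added example: convert between the raw __u32 handle (as SNMP returns it,
# in decimal) and tc's hexadecimal major:minor text form, both ways.

# handle_to_classid 65547 -> 1:b   (major = high 16 bits, minor = low 16 bits)
handle_to_classid() {
    printf '%x:%x\n' $(( $1 >> 16 )) $(( $1 & 65535 ))
}

# classid_to_handle 1:b -> 65547  (decimal, comparable with the SNMP value)
# A bare "1:" (a qdisc handle) has minor 0.
classid_to_handle() {
    major=$(printf '%d' "0x${1%%:*}")
    minor=${1#*:}
    [ -z "$minor" ] && minor=0
    minor=$(printf '%d' "0x$minor")
    echo $(( major * 65536 + minor ))
}

# Usage: sh tc-handle.sh 65547   -> prints 1:b
if [ $# -gt 0 ]; then
    handle_to_classid "$1"
fi
```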
Re: [LARTC] HTB_Tool
Yes, it compiled OK for me on RH 7.3

Alexander Reelsen wrote:
> On Fri, Jan 30, 2004 at 10:34:52AM +0200, Adrian Coman wrote:
> > The webpage is in Romanian ... but one can understand from the configuration examples available on the webpage and in the
> > http://sgi.rdscv.ro/~ionuts/htb-tools/htb_util-0.2.4-pre1_cv-1_quantum-1536-sin.tar.bz2 archive.
>
> Does it compile for you? I get some lex error which I can't debug due to time issues on my Debian sid workstation...
>
> MfG/Regards,
> Alexander
Re: [LARTC] Private Address Routing via Tunnels
On Sun, Feb 01, 2004 at 11:10:43PM +0100, Jose Luis Domingo Lopez wrote:
> On Sunday, 01 February 2004, at 17:09:39 +, Alan Ford wrote:
> > My problem is routing from *public* addresses on network A to *private*
> > addresses on network B, or vice versa. (Private <-> private is fine).
>
> The routing table on both gateways applies to all traffic that arrives at
> them, so if traffic from one gateway's private network can reach the
> other remote private network correctly, I think the same should happen
> to the public IP ranges from both networks.

I've now done some packet sniffing to confirm what I suggested in my first mail. The packets get there OK, but responses don't come back.

They can route from the public to the private blocks, because they get to the router and the router knows to send it down the IPIP tunnel. But how can I configure the router at the other end to know to send responses from the private block to the public block down the tunnel? I think that's what I am needing to do here, does that make sense?

Thanks,
Alan

--
Alan Ford * [EMAIL PROTECTED]
Re: [LARTC] limiting p2p
On Mon, Feb 02, 2004 at 12:14:25PM +0200, Eddie wrote:
> Ok
> What I did was blocking all forwarding, in and out, traffic on my gateway
> with iptables. Only allowing established/related traffic in and out on the ports
> they use, 80, 25, 110 etc. This will stop it connecting to a weird port.
> Now the thing about kazaa is that after it has tried all 65XXX ports it
> will try port 80; this can take a while and the stupid user will have
> closed it.
> Now what you do is set up a transparent proxy with iptables and squid. On
> squid you create acl's to stop .mp3 and .wav etc. files
> And .dat files, which kazaa uses.
> Now this worked for me.

ok ;) I have done the same some time ago ;)

But I'm interested what is wrong with ipt_p2p or something, that icmp works badly when using ipt_p2p... Anybody know ?!? Has anybody run ipt_p2p with no problems ?

best...

--
michal

> On Mon, 2004-02-02 at 11:39, Michal Kustosik wrote:
> > *This message was transferred with a trial version of CommuniGate(tm) Pro*
> > On Fri, Nov 07, 2003 at 12:27:25PM -0300, ThE PhP_KiD wrote:
> > > Hi List !
> > >
> > > I'm trying the excellent module ipt_p2p from Filipe
> > > Almeida in a Linux Box with several connections,
> > > in order to block p2p traffic with the next rule:
> > >
> > [...]
> > >
> > > however, I've noted that after two days running,
> > > that Linux Box (RH 7.2 updated - Kernel 2.4.22
> > > - iptables 1.2.8 with String and ConnMark modules,
> > > Pentium 4, 1.8 Mhz, 256 Mgbytes RAM, and 3c509 eth0,
> > > eth1 and eth2),
> > > begins to drop other packets and a simple ping
> > > looks like this:
> > >
> > >
> > > # ping 192.168.210.3 (by example)
> > >
> > > PING 192.168.210.3 (192.168.210.3) from 192.168.210.254 : 56(84) bytes of
> > > data.
> > > 64 bytes from 192.168.210.3: icmp_seq=0 ttl=64 time=499 usec
> > > ping: sendto: Operation not permitted
> > > ping: sendto: Operation not permitted
> > > ping: sendto: Operation not permitted
> > > 64 bytes from 192.168.210.3: icmp_seq=1 ttl=64 time=478 usec
> > > ping: sendto: Operation not permitted
> > > ping: sendto: Operation not permitted
> > > 64 bytes from 192.168.210.3: icmp_seq=2 ttl=64 time=489 usec
> > > ping: sendto: Operation not permitted
> > > ping: sendto: Operation not permitted
> > > ping: sendto: Operation not permitted
> > >
> >
> > Hi!
> >
> > I have the same problem... Have you solved it?
> > I can't see any answer for your email :(
> >
> > best
RE: [LARTC] adsl on/off
Read the Nano-howto, you might find some info... That's only for multipath gateways, but... :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Eddie
Sent: Monday, 02 February 2004 12:20
To: lartc
Subject: [LARTC] adsl on/off

Good day all,

Now I'm from South Africa; here we have ADSL router/modems. You set the router to do the dialup and authentication and then set it as your gateway box's gateway. Now sometimes the link gets dropped and is off for a while. Is there any way, for Linux, my gateway, of letting me know that the link was/is down? Note that the box is not dialing, so there is no adsl-status.

What I NEED to do is be able to know if the link is down, and if the link is down use a modem dialup, and when the link gets back up stop the modem. Any ideas?

Thanks
[LARTC] adsl on/off
Good day all,

Now I'm from South Africa; here we have ADSL router/modems. You set the router to do the dialup and authentication and then set it as your gateway box's gateway. Now sometimes the link gets dropped and is off for a while. Is there any way, for Linux, my gateway, of letting me know that the link was/is down? Note that the box is not dialing, so there is no adsl-status.

What I NEED to do is be able to know if the link is down, and if the link is down use a modem dialup, and when the link gets back up stop the modem. Any ideas?

Thanks
Re: [LARTC] limiting p2p
Ok

What I did was blocking all forwarding, in and out, traffic on my gateway with iptables. Only allowing established/related traffic in and out on the ports they use, 80, 25, 110 etc. This will stop it connecting to a weird port.

Now the thing about kazaa is that after it has tried all 65XXX ports it will try port 80; this can take a while and the stupid user will have closed it.

Now what you do is set up a transparent proxy with iptables and squid. On squid you create acl's to stop .mp3 and .wav etc. files, and .dat files, which kazaa uses.

Now this worked for me.

On Mon, 2004-02-02 at 11:39, Michal Kustosik wrote:
> *This message was transferred with a trial version of CommuniGate(tm) Pro*
> On Fri, Nov 07, 2003 at 12:27:25PM -0300, ThE PhP_KiD wrote:
> > Hi List !
> >
> > I'm trying the excellent module ipt_p2p from Filipe
> > Almeida in a Linux Box with several connections,
> > in order to block p2p traffic with the next rule:
> >
> [...]
> >
> > however, I've noted that after two days running,
> > that Linux Box (RH 7.2 updated - Kernel 2.4.22
> > - iptables 1.2.8 with String and ConnMark modules,
> > Pentium 4, 1.8 Mhz, 256 Mgbytes RAM, and 3c509 eth0,
> > eth1 and eth2),
> > begins to drop other packets and a simple ping
> > looks like this:
> >
> >
> > # ping 192.168.210.3 (by example)
> >
> > PING 192.168.210.3 (192.168.210.3) from 192.168.210.254 : 56(84) bytes of
> > data.
> > 64 bytes from 192.168.210.3: icmp_seq=0 ttl=64 time=499 usec
> > ping: sendto: Operation not permitted
> > ping: sendto: Operation not permitted
> > ping: sendto: Operation not permitted
> > 64 bytes from 192.168.210.3: icmp_seq=1 ttl=64 time=478 usec
> > ping: sendto: Operation not permitted
> > ping: sendto: Operation not permitted
> > 64 bytes from 192.168.210.3: icmp_seq=2 ttl=64 time=489 usec
> > ping: sendto: Operation not permitted
> > ping: sendto: Operation not permitted
> > ping: sendto: Operation not permitted
> >
>
> Hi!
>
> I have the same problem... Have you solved it?
> I can't see any answer for your email :(
>
> best
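Eddie's gateway policy written out, as an added example that is not his script: a default-drop FORWARD chain, replies for established connections plus a short service-port list, port 80 from the LAN redirected into a transparent squid, and a squid ACL fragment refusing the file extensions he names. LAN_IF, LAN_NET, SQUID_PORT and the APPLY switch are constructed; by default the rules are printed for review rather than loaded.

```shell
#!/bin/sh
# Added example: the policy from the post above, for a 2.4-era iptables
# (-m state) gateway. Prints the rules unless APPLY=1 (loading needs root).

LAN_IF=eth1; LAN_NET=192.168.0.0/24; SQUID_PORT=3128   # constructed values
ALLOWED_TCP="80 25 110"                                # ports the users need

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

gateway_rules() {
    # Default-drop: anything not explicitly allowed cannot be forwarded,
    # which is what stops a client reaching arbitrary high ports.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $ALLOWED_TCP; do
        run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    # Transparent proxy: LAN web traffic is redirected to squid on the gateway,
    # so the port-80 fallback has to pass squid's ACLs.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp \
        --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# squid.conf fragment: deny the extensions the post names (.mp3, .wav, .dat).
squid_acl_fragment() {
    cat <<'EOF'
acl p2p_files urlpath_regex -i \.(mp3|wav|dat)$
http_access deny p2p_files
EOF
}

# Usage: sh p2p-gateway.sh show
if [ "${1:-}" = show ]; then gateway_rules; squid_acl_fragment; fi
```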
[LARTC] configuration question
Hi!

I have a working QoS configuration made with htb, imq, imqnat, iptables, nat etc. I'm thinking over how to shape incoming and outgoing traffic without using all the unmaintained patches for the kernel, iptables etc. What do you think about the conf. below:

INTERNET -- NAT_BOX -- QoS_BOX -- LAN

On QoS_BOX - iptables marking, htb and IMQ

Do you know some other solutions?

greetz
boka
Re: [LARTC] Re: tc filter protocol arp question
On Feb 02, [EMAIL PROTECTED] wrote:
> Moment, DHCP is not an arp packet.
> and ARP is not DHCP.

however every dhcp request fires off a bunch of ARP requests. I am suggesting using DHCP-relay so you put the 'long distance' DHCP requests into a kind of IP tunnel (?). If this is not true then you could accomplish the same with IPSec/ssh tunnels. The idea of this is to shunt the DHCP (and related traffic) into something that is manageable.

> DHCP is always IP addressed /check via tcpdump/
> so you can mark these addresses with tc without any problems.

good point :)

> ARP packets are low level packets of ethernet interconnectivity.
> They will work always, unless your LAN is overloaded or somebody will do
> nasty things like /arp poisoning/.
> The only way you can increase your network performance for arp packets is
> enabling broadcast storm control in layer-2 devices.
> Some limitations of arp-settings in linux /proc filesystem (gc_thresh_...
> etc)
> You can neither set static arp from Server side /and client side too (more
> complex)/

I would still be keen on shunting things into a manageable IP(Sec)/ssh tunnel, although it sounds overboard, if you are dealing with thousands of PC's (even hundreds) that's likely to cross several subnets. As I mentioned before it would give you the infrastructure to have a 'maintenance' tunnel; you could put all the insecure telnet traffic in this tunnel to prevent it crossing the whole distance un-encrypted :) More so you can give it a high priority which would help you get access to machines when you need to during a crisis.

Regards

Alex

--
A likely impossibility is always preferable to an unconvincing possibility.
-- Aristotle
Re: [LARTC] limiting p2p
On Fri, Nov 07, 2003 at 12:27:25PM -0300, ThE PhP_KiD wrote:
> Hi List !
>
> I'm trying the excellent module ipt_p2p from Filipe
> Almeida in a Linux Box with several connections,
> in order to block p2p traffic with the next rule:
> [...]
> however, I've noted that after two days running,
> that Linux Box (RH 7.2 updated - Kernel 2.4.22
> - iptables 1.2.8 with String and ConnMark modules,
> Pentium 4, 1.8 Mhz, 256 Mgbytes RAM, and 3c509 eth0,
> eth1 and eth2),
> begins to drop other packets and a simple ping
> looks like this:
>
>
> # ping 192.168.210.3 (by example)
>
> PING 192.168.210.3 (192.168.210.3) from 192.168.210.254 : 56(84) bytes of
> data.
> 64 bytes from 192.168.210.3: icmp_seq=0 ttl=64 time=499 usec
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
> 64 bytes from 192.168.210.3: icmp_seq=1 ttl=64 time=478 usec
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
> 64 bytes from 192.168.210.3: icmp_seq=2 ttl=64 time=489 usec
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
> ping: sendto: Operation not permitted
>

Hi!

I have the same problem... Have you solved it?
I can't see any answer for your email :(

best

--
michal
Re: [LARTC] Per Ip bandwidth
Claudiu Pruna wrote:
> 1) I have observed that if the user whose ip is going to class 1:11 has more threads than the one from class 1:12, then there is no more fairness in borrowing, so that the user with 1:11 gets almost all the unused bandwidth from the parent (going up to 96Kbit/s).

well htb isn't just for this case. i would make one class and attach a wrr/esfq qdisc to it. they're made especially for round-robin fairness. When i used wrr i got absolute fairness (1 or 2 bytes difference :)

> 2) why do I get "qdisc pfifo_fast 0: [Unknown qdisc, optlen=20]" at tc qdisc ls dev eth0 right after booting the computer, without attaching any qdisc yet??

because there is a default qdisc which is a simple pfifo.
RE: [LARTC] Re: tc filter protocol arp question
> > ). There going dhcp conversation. If missed user start to
> > download, entire
> > network lose dhcp server because of dropped packets.

Moment, DHCP is not an arp packet.
and ARP is not DHCP.
DHCP is always IP addressed /check via tcpdump/
so you can mark these addresses with tc without any problems.

ARP packets are low level packets of ethernet interconnectivity.
They will work always, unless your LAN is overloaded or somebody will do nasty things like /arp poisoning/.
The only way you can increase your network performance for arp packets is enabling broadcast storm control in layer-2 devices.
Some limitations of arp-settings in linux /proc filesystem (gc_thresh_... etc)
You can neither set static arp from Server side /and client side too (more complex)/

Arkadiusz Binder
Re: [LARTC] layer7-filter with iptables problem
Hello,

Sorry, continuation of the last mail. When I run make menuconfig I am not able to see these options too:
"Layer 7 match support" and "Child Level match support".

But I followed the procedures mentioned in the docs and I could not find this option. Where did I go wrong? I am not sure; someone guide me.

hare

- Original Message -
From: "hare ram" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, February 02, 2004 12:35 PM
Subject: [LARTC] layer7-filter with iptables problem

> Hi
>
> I am running FEDORA,
>
> I have installed the source of iptables 1.2.9 with the layer7-iptables patch;
> the patch was done without any errors
>
> and I applied the layer 7 patch to the kernel
>
> and I have selected the required option by doing
>
> make menuconfig
> done
>
> make dep
> make bzImage
> make modules
> make modules_install
> make install
>
> and rebooted with the custom kernel
>
> when I type
>
> iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j
> MARK --set-mark 1
> iptables v1.2.9: Couldn't load match
> `layer7':/usr/local/lib/iptables/libipt_layer7.so: cannot open shared object
> file: No such file or directory
>
>
> when I try to do a manual compile, I am getting this error
>
> cc -O2 -Wall -Wunused -I/usr/src/linux-2.4.22-1.2115.nptl/include -Iinclude/
> -DIPTABLES_VERSION=\"1.2.9\" -fPIC -o extensions/libipt_layer7_sh.o -c
> extensions/libipt_layer7.c
>
>
> extensions/libipt_layer7.c:21:45: linux/netfilter_ipv4/ipt_layer7.h: No such
> file or directory
> extensions/libipt_layer7.c:52: warning: `struct ipt_layer7_info' declared
> inside parameter list
> extensions/libipt_layer7.c:52: warning: its scope is only this definition or
> declaration, which is probably not what you want
> extensions/libipt_layer7.c: In function `parse_protocol_file':
> extensions/libipt_layer7.c:84: error: `MAX_PROTOCOL_LEN' undeclared (first
> use in this function)
> extensions/libipt_layer7.c:84: error: (Each undeclared identifier is
> reported only once
> extensions/libipt_layer7.c:84: error: for each function it appears in.)
> extensions/libipt_layer7.c:87: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c:87: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c:87: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c:93: error: `MAX_PATTERN_LEN' undeclared (first
> use in this function)
> extensions/libipt_layer7.c:95: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c:95: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c:95: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c: At top level:
> extensions/libipt_layer7.c:219: warning: `struct ipt_layer7_info' declared
> inside parameter list
> extensions/libipt_layer7.c: In function `parse_layer7_protocol':
> extensions/libipt_layer7.c:246: warning: passing arg 3 of
> `parse_protocol_file' from incompatible pointer type
> extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c:264: error: `MAX_PATTERN_LEN' undeclared (first
> use in this function)
> extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c: In function `parse':
> extensions/libipt_layer7.c:278: warning: passing arg 2 of
> `parse_layer7_protocol' from incompatible pointer type
> extensions/libipt_layer7.c:280: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c: In function `print':
> extensions/libipt_layer7.c:325: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c:326: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c: In function `save':
> extensions/libipt_layer7.c:334: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c:334: error: dereferencing pointer to incomplete
> type
> extensions/libipt_layer7.c: At top level:
> extensions/libipt_layer7.c:340: error: invalid application of `sizeof' to an
> incomplete type
> extensions/libipt_layer7.c:341: error: invalid application of `sizeof' to an
> incomplete type
>
>
> any help will be appreciated
>
> hare
[LARTC] layer7-filter with iptables problem
Hi

I am running FEDORA.

I have installed the source of iptables 1.2.9 with the layer7-iptables patch; the patch was applied without any errors, and I applied the layer 7 patch to the kernel, and I have selected the required option by doing

make menuconfig
done

make dep
make bzImage
make modules
make modules_install
make install

and rebooted with the custom kernel.

When I type

iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 1
iptables v1.2.9: Couldn't load match `layer7':/usr/local/lib/iptables/libipt_layer7.so: cannot open shared object file: No such file or directory

When I try to do a manual compile, I am getting this error:

cc -O2 -Wall -Wunused -I/usr/src/linux-2.4.22-1.2115.nptl/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.9\" -fPIC -o extensions/libipt_layer7_sh.o -c extensions/libipt_layer7.c

extensions/libipt_layer7.c:21:45: linux/netfilter_ipv4/ipt_layer7.h: No such file or directory
extensions/libipt_layer7.c:52: warning: `struct ipt_layer7_info' declared inside parameter list
extensions/libipt_layer7.c:52: warning: its scope is only this definition or declaration, which is probably not what you want
extensions/libipt_layer7.c: In function `parse_protocol_file':
extensions/libipt_layer7.c:84: error: `MAX_PROTOCOL_LEN' undeclared (first use in this function)
extensions/libipt_layer7.c:84: error: (Each undeclared identifier is reported only once
extensions/libipt_layer7.c:84: error: for each function it appears in.)
extensions/libipt_layer7.c:87: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c:87: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c:87: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c:93: error: `MAX_PATTERN_LEN' undeclared (first use in this function)
extensions/libipt_layer7.c:95: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c:95: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c:95: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c: At top level:
extensions/libipt_layer7.c:219: warning: `struct ipt_layer7_info' declared inside parameter list
extensions/libipt_layer7.c: In function `parse_layer7_protocol':
extensions/libipt_layer7.c:246: warning: passing arg 3 of `parse_protocol_file' from incompatible pointer type
extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c:264: error: `MAX_PATTERN_LEN' undeclared (first use in this function)
extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c:264: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c: In function `parse':
extensions/libipt_layer7.c:278: warning: passing arg 2 of `parse_layer7_protocol' from incompatible pointer type
extensions/libipt_layer7.c:280: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c: In function `print':
extensions/libipt_layer7.c:325: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c:326: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c: In function `save':
extensions/libipt_layer7.c:334: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c:334: error: dereferencing pointer to incomplete type
extensions/libipt_layer7.c: At top level:
extensions/libipt_layer7.c:340: error: invalid application of `sizeof' to an incomplete type
extensions/libipt_layer7.c:341: error: invalid application of `sizeof' to an incomplete type

Any help will be appreciated.

hare
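The two messages above show the same failure chain: the userspace extension cannot find linux/netfilter_ipv4/ipt_layer7.h (so every later error is a consequence of that missing header), the menuconfig option never appears, and iptables cannot load libipt_layer7.so. The following diagnostic is an added example, not code from the thread or from the l7-filter project; it checks each of those pieces in order so a mismatched kernel/userspace patch pair is caught before building. The config symbol CONFIG_IP_NF_MATCH_LAYER7 and the function name are assumptions; the library path is the one from the error message.

```shell
#!/bin/sh
# check_layer7_build KERNEL_SRC IPTABLES_SRC [IPTABLES_LIBDIR]
# Added diagnostic (assumed name); reports which layer7 piece is missing.
# Exit status 0 when all pieces are present, 1 otherwise.
check_layer7_build() {
    kernel_src=$1
    iptables_src=$2
    libdir=${3:-/usr/local/lib/iptables}   # path named in the iptables error
    rc=0

    # libipt_layer7.c includes <linux/netfilter_ipv4/ipt_layer7.h>; that header
    # only exists once the *netfilter* flavour of the kernel patch is applied.
    # The QoS-only kernel patch does not create it, which yields the
    # "No such file or directory" error followed by the incomplete-type errors.
    hdr="$kernel_src/include/linux/netfilter_ipv4/ipt_layer7.h"
    if [ ! -f "$hdr" ]; then
        echo "MISSING: $hdr (kernel tree lacks the layer7 netfilter patch)"
        rc=1
    fi

    # "Layer 7 match support" in make menuconfig; the symbol name is assumed.
    if ! grep -q '^CONFIG_IP_NF_MATCH_LAYER7=[ym]' "$kernel_src/.config" 2>/dev/null; then
        echo "MISSING: CONFIG_IP_NF_MATCH_LAYER7 in $kernel_src/.config"
        echo "  (option not offered, or not selected, in make menuconfig)"
        rc=1
    fi

    # Userspace side: the patched iptables tree must carry the extension source.
    if [ ! -f "$iptables_src/extensions/libipt_layer7.c" ]; then
        echo "MISSING: $iptables_src/extensions/libipt_layer7.c (iptables not patched)"
        rc=1
    fi

    # Installed shared object; absent, iptables reports "Couldn't load match".
    if [ ! -f "$libdir/libipt_layer7.so" ]; then
        echo "MISSING: $libdir/libipt_layer7.so (extension not built or installed)"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: kernel header, kernel config, iptables source and .so all present"
    fi
    return "$rc"
}
```

Run it against the real trees (for example, `check_layer7_build /usr/src/linux /usr/src/iptables-1.2.9`) before `make dep`; the first MISSING line is the one to fix.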