[LARTC] IPSec Questions
Hi all.

I'm trying to migrate from FreeSwan IPSec to the native IPSec stack under Linux. So, I've got some questions:

I'm trying to set up SAD entries, but the manual says that setkey will not refer to name2addr to resolve a domain name to an IP address. So, how would I set up a VPN link between two machines/nets that have dynamic IP addresses? I was thinking:

    setkey add 0.0.0.0/0 example.com ah 15700 "shared_secret"

But, the result is:

    The result of line 1: Network is down.

So, here are my questions:

1. What do I put instead of "0.0.0.0/0"?
2. How do I handle it when my IP address changes, as in example.com, here.

Thanx in advance.

--
Mike
gpg key: http://diehlnet.com/~mdiehl/mdiehl.asc
83AD D927 758D 4BFC A800 0277 4B26 75A4 F0D1 C7EB

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
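As an added example (not from Mike's message and not from the ipsec-tools project), the following POSIX shell script generates a manually keyed setkey(8) configuration for AH between two fixed hosts. It shows the two kinds of entry that setkey manages: a SAD entry (`add`) names one concrete source and one concrete destination, so the script rejects a prefix such as 0.0.0.0/0 or a host name as an SA endpoint, while address ranges belong in the SPD policy (`spdadd`). The addresses, SPIs and hex keys are constructed placeholders.

```sh
#!/bin/sh
# Added example: build a setkey(8) script for manually keyed AH.
# Addresses, SPIs and keys below are constructed placeholders.

# A SAD endpoint must be a single IPv4 host address (no /prefix, no name).
is_host_addr() {
    case "$1" in */*) return 1 ;; esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# One unidirectional AH security association:
#   add SRC DST ah SPI -A hmac-sha1 0xKEY;
# hmac-sha1 takes a 160-bit key, i.e. 40 hex digits.
ah_sad() { # ah_sad SRC DST SPI KEYHEX
    is_host_addr "$1" && is_host_addr "$2" || return 1
    [ "${#4}" -eq 40 ] || return 1
    printf 'add %s %s ah %s -A hmac-sha1 0x%s;\n' "$1" "$2" "$3" "$4"
}

# The matching policy: require AH in transport mode between the two hosts.
ah_spd() { # ah_spd SRC DST in|out
    printf 'spdadd %s %s any -P %s ipsec ah/transport//require;\n' "$1" "$2" "$3"
}

# Complete script for one peer: flush both databases, then one SA per
# direction and one policy per direction.
setkey_script() { # setkey_script LOCAL PEER SPI_OUT SPI_IN KEY_OUT KEY_IN
    is_host_addr "$1" && is_host_addr "$2" ||
        { echo "SA endpoints must be host addresses" >&2; return 1; }
    echo 'flush;'
    echo 'spdflush;'
    ah_sad "$1" "$2" "$3" "$5"
    ah_sad "$2" "$1" "$4" "$6"
    ah_spd "$1" "$2" out
    ah_spd "$2" "$1" in
}

# Usage: feed the output to "setkey -c" on this host; on the peer, swap
# LOCAL/PEER and the SPI/key pairs. The keys here are placeholders.
KEY_OUT=0123456789abcdef0123456789abcdef01234567   # constructed
KEY_IN=fedcba9876543210fedcba9876543210fedcba98    # constructed
setkey_script 192.0.2.1 192.0.2.2 15700 15701 "$KEY_OUT" "$KEY_IN"
```

Because a manually keyed SA is tied to the two addresses written into it, this form only fits peers with fixed addresses; negotiating SAs at connection time for a peer whose address changes is the job of an IKE daemon (racoon in ipsec-tools for the native stack), which the script above does not cover.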
Re: [LARTC] Multiple tc filter rules
Guten Tag Arno

> Well, I think it's easiest include the IP-Filtering into iptables like
> this:
>
>     iptables -t mangle -A -[d|s] -j MARK --set-mark 1
>
> and then set up a filter with tc that directs the traffic to the right
> class.

That makes a lot of sense. I can see how to do it, it just means a lot of changes in my shell script.

Another question, how big is the mark "variable" in bits? 16, 32, 8? I will need a large number of rules and I obviously need the mark variable to be big enough to hold them all.

At the TC end, can I share a class between many filter rules? For example: if A, B and C are all allocated each a separate 64kbps connection, can they have a filter that points each of them (three filters) to one tc class set for a 64kbps maximum speed, or do I need three tc classes set for 64kbps maximum speed?

> Regards,
>
> Arno.

Jonathan
[LARTC] SQUID + tc problems
I'm trying to limit bandwidth consumption of sites hosted behind a squid working as a reverse transparent proxy (squid 2.5.3 with Patrick McHardy's tcp_outgoing_priority patch), but with traffic levels for a given site of 1Mbps, only about 1% of the traffic shows up in a tc -s -d.

Does anyone have experience working with this setup? Is there any alternative or special consideration when using Patrick's patch?
Re: [LARTC] Multiple tc filter rules
Hi Jonathan,

On Tue, 16 Mar 2004 11:09:31 + Jonathan Naylor <[EMAIL PROTECTED]> wrote:

> I am in the position of needing to filter on two parameters, I need to filter
> on IP address and I also need to filter on the value of a connection mark. I
> understand the syntax of the tc filter command for each, but how can I
> combine them ? Is it possible to put the two tc filter commands in series or
> is there some syntax to do it in one tc filter command ?

Well, I think it's easiest to include the IP-Filtering into iptables like this:

    iptables -t mangle -A -[d|s] -j MARK --set-mark 1

and then set up a filter with tc that directs the traffic to the right class.

Regards,

Arno.
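The mark-then-classify arrangement Arno suggests, written out as an added example (it is not code from either message): iptables tags packets by address with a MARK, and a tc `fw` filter delivers each mark to an HTB class. The interface name and the 192.0.2.x addresses are constructed stand-ins. The kernel packet mark (nfmark) is an unsigned 32-bit value, so `valid_mark` rejects anything outside 1..4294967295; and since several `fw` filters may name the same class, the script shows both arrangements: one class per host, where each host gets its own 64kbit limit, and one class shared by two marks, where both hosts compete for a single limit.

```sh
#!/bin/sh
# Added example: tag traffic per address with an iptables MARK, then map each
# mark to an HTB class with a tc "fw" filter. DEV and addresses are assumed.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# The packet mark is an unsigned 32-bit integer; 0 means "unmarked".
valid_mark() { [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 4294967295 ]; }

# iptables rule that marks packets from (s) or to (d) ADDR with MARK.
mark_rule() { # mark_rule s|d ADDR MARK
    valid_mark "$3" || return 1
    echo "iptables -t mangle -A PREROUTING -$1 $2 -j MARK --set-mark $3"
}

# tc filter that delivers packets carrying MARK to CLASSID on DEV.
fw_filter() { # fw_filter DEV MARK CLASSID
    echo "tc filter add dev $1 parent 1:0 protocol ip prio 1 handle $2 fw classid $3"
}

setup() { # setup DEV
    dev=$1
    run tc qdisc add dev "$dev" root handle 1: htb default 30
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate 2mbit

    # One 64kbit class per host: each host is limited on its own.
    i=1
    for host in 192.0.2.10 192.0.2.11 192.0.2.12; do     # constructed
        run tc class add dev "$dev" parent 1:1 classid 1:1$i htb rate 64kbit ceil 64kbit
        run $(mark_rule s "$host" "$i")
        run $(fw_filter "$dev" "$i" 1:1$i)
        i=$((i + 1))
    done

    # One class shared by two marks: both hosts draw from the same 128kbit.
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate 128kbit ceil 128kbit
    run $(mark_rule d 192.0.2.20 20)                      # constructed
    run $(mark_rule d 192.0.2.21 21)                      # constructed
    run $(fw_filter "$dev" 20 1:20)
    run $(fw_filter "$dev" 21 1:20)

    # Everything unmarked lands in the default class 1:30.
    run tc class add dev "$dev" parent 1:1 classid 1:30 htb rate 512kbit
}

setup "${1:-eth0}"
```

Run it as `sh mark_classes.sh eth0` to see the command list, or with `DRY_RUN=0` to apply it. Both filters that point at 1:20 share that class's rate, which is why a per-host limit needs a class per host.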
[LARTC] split route questions
I am working on a split route and ShoreWall system. I reviewed the lartc documentation but have a few areas that I still need help on.

Here is my network:

          64.xxx.xxx.1/25                  66.xxx.xxx.129/26
                |                                |
    ###########################################################
    # eth2    64.xxx.xxx.2          eth0    66.xxx.xxx.130    #
    # eth2:1  64.xxx.xxx.3          eth0:1  66.xxx.xxx.131    #
    #                  eth1  192.168.xxx.1                    #
    ###########################################################
                            192.168.xxx.0/24

Here are the rules as referenced from the lartc split route section:

These are added in /etc/iproute2/rt_tables

    ip route add 64.xxx.xxx.0/25 dev eth2 src 64.xxx.xxx.2 table T1
    ip route add default via 64.xxx.xxx.1 table T1
    ip route add 66.xxx.xxx.0/26 dev eth0 src 66.xxx.xxx.130 table T2
    ip route add default via 66.xxx.xxx.129 table T2

main routing tables

    ip route add 64.xxx.xxx.0/25 dev eth2 src 64.xxx.xxx.2
    ip route add 66.xxx.xxx.0/26 dev eth0 src 66.xxx.xxx.130

default route

    ip route add default via 64.xxx.xxx.1

routing rules

    ip rule add from 64.xxx.xxx.2 table T1
    ip rule add from 64.xxx.xxx.130 table T2

    ip route add 192.168.122.0/24 dev eth1 table T1
    ip route add 66.xxx.xxx.0/26 dev eth0 table T1
    ip route add 127.0.0.0/8 dev lo table T1
    ip route add 192.168.xxx.0/24 dev eth1 table T2
    ip route add 64.xxx.xxx.0/25 dev eth2 table T2
    ip route add 127.0.0.0/8 dev lo table T2

I run web servers behind this firewall and will be using split route as a transition tool from old circuit to new circuits. I also may keep the eth0 network, haven't decided yet.

Here are my questions:

1. On each wan interface I am running aliases as referenced in the above diagram (eth2:1, eth2:2 and so on). Where do these need to be specified in my above rule set? Is there a way to just set the route via interface instead of specifying each ip?
2. Do all of the rules in each section above go into rt_tables, and if not, where do they go respectively? It doesn't seem to be stated clearly in the lartc section on split routes.
3. Is there anything I am missing?

Thanks very much for your help.
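The split-access layout from the LARTC HOWTO, written as a script that is an added example and not part of the question above. The interface names, table names and the 198.51.100.x / 203.0.113.x / 192.168.1.x addresses are constructed stand-ins for the masked values in the message. Two points it makes concrete: `/etc/iproute2/rt_tables` holds only the number-to-name mapping for each table, while every `ip route` and `ip rule` command lives in a script run at boot; and the `ip rule` source selector accepts a prefix, so one `from <provider subnet>` rule covers the primary address and every alias (eth2:1, eth2:2, ...) inside that provider's subnet instead of one rule per address.

```sh
#!/bin/sh
# Added example: generate the two-uplink (split access) setup from the LARTC
# HOWTO. Interfaces, addresses and table names are constructed stand-ins.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# /etc/iproute2/rt_tables only maps a table number to a name; the routes and
# rules themselves are added by the commands below, not by that file.
rt_tables_line() { # rt_tables_line NUMBER NAME
    printf '%s\t%s\n' "$1" "$2"
}

# Per-provider table: that provider's subnet plus a default via its gateway.
provider_routes() { # provider_routes TABLE DEV NET SRC GW
    run ip route add "$3" dev "$2" src "$4" table "$1"
    run ip route add default via "$5" table "$1"
}

# Give each provider table the locally reachable networks as well (LAN,
# the other provider's subnet, loopback), so traffic sourced from a provider
# address still reaches them through that table.
local_routes() { # local_routes TABLE LANDEV LANNET OTHERDEV OTHERNET
    run ip route add "$3" dev "$2" table "$1"
    run ip route add "$5" dev "$4" table "$1"
    run ip route add 127.0.0.0/8 dev lo table "$1"
}

# Selector by source prefix: one rule covers the primary address and every
# alias configured inside that provider's subnet.
source_rule() { # source_rule PREFIX TABLE
    run ip rule add from "$1" table "$2"
}

main() {
    P1_DEV=eth2; P1_NET=198.51.100.0/25;  P1_IP=198.51.100.2;  P1_GW=198.51.100.1    # constructed
    P2_DEV=eth0; P2_NET=203.0.113.128/26; P2_IP=203.0.113.130; P2_GW=203.0.113.129  # constructed
    LAN_DEV=eth1; LAN_NET=192.168.1.0/24                                           # constructed

    echo "# append to /etc/iproute2/rt_tables:"
    rt_tables_line 1 T1
    rt_tables_line 2 T2

    provider_routes T1 "$P1_DEV" "$P1_NET" "$P1_IP" "$P1_GW"
    provider_routes T2 "$P2_DEV" "$P2_NET" "$P2_IP" "$P2_GW"
    local_routes T1 "$LAN_DEV" "$LAN_NET" "$P2_DEV" "$P2_NET"
    local_routes T2 "$LAN_DEV" "$LAN_NET" "$P1_DEV" "$P1_NET"

    # main table: both subnets, and one default route for anything no rule matches
    run ip route add "$P1_NET" dev "$P1_DEV" src "$P1_IP"
    run ip route add "$P2_NET" dev "$P2_DEV" src "$P2_IP"
    run ip route add default via "$P1_GW"

    # Replies leave through the uplink whose address they carry, aliases included.
    source_rule "$P1_NET" T1
    source_rule "$P2_NET" T2
}

main
```

Run with `sh split_route.sh` to review the generated commands before applying them with `DRY_RUN=0`; the rt_tables lines are printed first because they are the only part that belongs in a file rather than in a script.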
[LARTC] Multiple tc filter rules
Hi

I am in the position of needing to filter on two parameters, I need to filter on IP address and I also need to filter on the value of a connection mark. I understand the syntax of the tc filter command for each, but how can I combine them? Is it possible to put the two tc filter commands in series or is there some syntax to do it in one tc filter command?

Thanks

Jonathan
[LARTC] Doubt on dsmark flow
Dear stef,

Thanks for your previous reply. I went through the link that you mentioned in the reply. I need some help from you. I am curious to know the exact flow of the packet, i.e. where exactly "ds" will be set, where queuing will happen, etc.?

Let me describe my thing. I added some printk statements in some files of the netfilter code and the sch_dsmark.c file. I gave the following sequence of commands on my machine.

    $ ./tc qdisc add dev eth0 handle 1:0 root dsmark indices 4
    $ ./tc class change dev eth0 classid 1:1 dsmark mask 0x0 value 0x80
    $ ./tc class change dev eth0 classid 1:2 dsmark mask 0x0 value 0x40
    $ ./tc class change dev eth0 classid 1:3 dsmark mask 0x0 value 0x20
    $ ./tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip src 172.30.180.43 flowid 1:1
    $ ./tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 172.30.180.100 flowid 1:2

After that I gave ping to machine 172.30.180.44. On 172.30.180.44 I am capturing packets using tcpdump. In the IP header, ds is set to 0x80, which is fine.

From the printk statements on the console I understand the following things:

-> First packet is going to iptables
-> After that packet is coming to dsmark_enqueue
-> Packet is coming to dsmark_dequeue
-> Packet is coming to iptables again.

I have seen the code of the dsmark_enqueue and dsmark_dequeue functions. In dsmark_enqueue the ds value is read and in dsmark_dequeue the ds value is set with what we gave on the command line. Let me clarify if anything is wrong in this flow? Also tell me why the packet is again going to iptables after queueing? If you know the exact flow please explain in brief. Any help is appreciated.

Thanks in advance,
Aravind.
RE: [LARTC] Bridge + TC
> I posted out on this problem some time ago and could never get 2.4.25 or
> any 2.6 kernel to work with TC + Bridging. If anyone has this working
> and has actually tested it (I am actually just doing IP based iptables
> filtering from my bridge interface) please let us know what version of
> iproute you used and what patches you applied and with which version of
> the kernel.

- Vanilla kernel 2.6.3 from kernel.org - no patches applied, just ethernet bridging and "Bridged IP/ARP packets filtering" enabled in the kernel config.
- iptables snapshot v1.2.9-20040302
- as far as I remember tc is from the htb homepage http://luxik.cdi.cz/~devik/qos/htb/

Regards,