[LARTC] IPTables script

2005-05-11 Thread Lee Sanders
Hi All,

I've been playing with QOS for a short while now and have worked out how to do 
what I want using HTB. Great queuing discipline btw.

My problem is the tc filters I want to setup aren't working because 
iptables is getting to the packets first and mangling the src address.

The iptables script I am using is MonMotha's Firewall 2.3.8 and it includes 
lots of nice goodies like syn flood rate limiting. The extra bits like this 
are why I'm using it rather than figuring the iptables configuration out 
myself. 

My network configuration is trivial, adsl router connected to linux box 
connected to two networks, LAN and WLAN.

I like having these iptables features but MonMotha's Firewall isn't designed 
with QOS in mind.

My question for this list: is there a recommended iptables router script that 
everyone here uses designed with QOS in mind, or have you all written your 
own?

Thanks in Advance

Lee
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


Re: [LARTC] Multiple Internet links - routing traffic to the correct one.

2005-05-11 Thread Alexander Samad
On Wed, May 11, 2005 at 08:00:30AM +0200, Hamish Whittal wrote:
> Hi all,
> I have the following configuration:
> [Network diagram (ASCII art, garbled in the archive): Local network 192.168.1.x on eth0 (.254) and Local Network 172.16.1.x on eth3 (.254), both attached to the Linux router; eth1 (stat) goes over the diginet link to Provider 1, and eth2 (dyn) / ppp0 goes over the adsl link to Telecomms ADSL; both providers reach the Internet.]
> 
> In words:
> Two local LANs (172.16.1.x) and (192.168.1.x). They service different
> parts of the organisation. The point is, the client does not want
> traffic from the 172.16.1.x network going over the ADSL link otherwise
> the cap will be reached in hours (literally). The Router is also the mail
> server, so mail is delivered to the eth1 interface via a static IP
> address (eth1 in the diagram) - it is a 196.xx.xx.xx address.
> The ADSL is not a static address - 165.146.yy.yy.
> The LAN interface from the 192.168.1.x network on the router is
> 192.168.1.254. The LAN interface on the other network is 172.16.1.254.
> The 10.x.x.x network is an IP I have assigned to the eth2 interface to
> ensure that I can still talk to my adsl router, but the ppp0 link is a
> pppoe connection to the telecomms provider.
> 
> So, with some assistance, I have set up the following:
> Table main:
> 165.146.128.1   dev ppp0 proto kernel scope link  src 165.146.yy.yy 
> 196.xx.xx.xx/nn dev eth1 proto kernel scope link  src 196.xx.xx.xx 
> 10.0.0.0/24 dev eth2 proto kernel scope link  src 10.0.0.254 
> 192.168.1.0/24  dev eth0 proto kernel scope link  src 192.168.1.254 
> default via 196.xx.xx.xx dev eth1
> (the default route here is going out through the diginet link -
> 196.xx.xx.xx in this table)
> 
> table adsl:
> 10.0.0.0/24 dev eth2  scope link 
> 192.168.1.0/24  dev eth0  scope link 
> 127.0.0.0/8 dev lo  scope link 
> default via 165.146.yy.yy dev ppp0
> 
> the rules:
> 0:  from all lookup local 
> 90: from all to 192.168.1.0/24 lookup main 
> 100:from 192.168.1.0/24 lookup adsl 
> 32766:  from all lookup main 
> 32767:  from all lookup default

You need to have another rule 

100:from {adsladdress}/32 lookup adsl 

because your packets are getting MASQed and then rehitting the routing
table, which says route out the default link, which is actually the digi
link; most ISPs don't allow asym routing of packets (ie will not allow
you to send a packet with a source address not in their address space).
It will probably still have the 172 address on it (not sure).

You should be able to confirm this by tcpdump'ing on eth1 


> 
> ip route add default via 165.146.yy.yy dev ppp0 table adsl
> Now here it croaks. When I add this route, the continuous ping to a host
> on the internet from a machine on the Local Network (192) stops, which
> tells me it cannot get out via the ADSL link. In order to check whether
> the ADSL was working, I tried swapping the routes around so that the
> default traffic uses to ADSL link, and this worked - so it's not a
> problem with the physical ADSL link to the Internet.
> 
> I have tested the following:
> 1) From a PC on the 192 net, I can ping the Telecomms ADSL gateway on the
> remote side (in my case, this is 165.146.128.1), but not further.
> 2) From the Linux router, I can ping to the 165.146.128.1 and beyond.
> 3) I know the firewall rules are not blocking traffic since I am logging
> any traffic that is blocked by the firewall and nothing is showing up in
> the logs.
> 
> My NAT firewall rules are as follows:
> 
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE 
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth1 -j SNAT --to-source
> 196.xx.xx.xx 
> 
> So, what's so hard about that! And yet, the minute I add a default route
> to the adsl table, things go pear shaped. Take that out, and the people
> on the LAN (192 net) can talk to everything on the Internet.
> 
> So, what am I doing wrong here? I hope this is sufficient information to
> assist me in my routing woes.
> Any help.yadda yadda.
> Cheers
> H
> 
> 

Re: [LARTC] Packets going to default class iam having still the problem

2005-05-11 Thread hareram
Hi
I have looked at this Classify.
It says:
This target is only valid in the POST_ROUTING chain of the mangle table.
Usage:
iptables -t mangle -A POSTROUTING .. -j CLASSIFY --set-class MAJOR:MINOR
How about FORWARD?
hare
- Original Message - 
From: "Andy Furniss" <[EMAIL PROTECTED]>
To: "hareram" <[EMAIL PROTECTED]>
Cc: 
Sent: Thursday, May 12, 2005 3:03 AM
Subject: Re: [LARTC] Packets going to default class iam having still the 
problem


hareram wrote:
Hi all
It's been a long time I have been sending this message to this news group
but I could not get a proper response from the authors or any experts: 
is that a bug or only a problem with my system?

I am trying this config with FC
iptables 1.3.0
and the latest tc utility, iproute2-ss050330
htb 3.17
I have been trying for the past 2 weeks and digging all Googles but could not 
come to a conclusion about what's wrong

Could someone guide me in the right direction about what's wrong with my config?
Help will be appreciated
Did you try CLASSIFY instead of mark.
Andy.




Re: [LARTC] wanted A tool to measure bandwidth....

2005-05-11 Thread Krystian Antoni
You can configure MRTG to measure traffic counted by the iptables FORWARD chain. This way you will measure how much each host is taking without installing SNMP.

On 5/12/05, KartheeK <[EMAIL PROTECTED]> wrote:
Hello Everybody,
I have configured a Linux box that does traffic shaping. It's working wonderfully fine, just as expected... Now I want to measure the bandwidth consumed by each of my hosts. But I don't want SNMP to run on all the hosts [as required by MRTG].

I used iptraf on my linux box, but it only measures the bandwidth on interface basis only
I tried installing traffic-vis, it's not working properly and there is no documentation on how to get it running.
I also tried ntop, it installs, but doesn't work.
I have been scratching my head for the past one week
 
So my problem: I am in search of a tool that measures bandwidth consumed by each host on my LAN without requiring SNMP to run on the hosts...
 
Now, is there any tool
Any input regarding the matter is a welcome.
Infinite Thanx in Advance.
Regards
KartheeK

-- 
Have a nice day
Krystian Antoni
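Krystian's suggestion worked through as an added example (my code, not from his post or KartheeK's): constructed `iptables -L FORWARD -nvx` output is parsed into per-host byte counts and rendered in the four-line shape an MRTG external script returns. The sample counters, host addresses and helper names are mine.

```python
"""Per-host byte accounting from iptables FORWARD counters (added example)."""
from typing import Dict, List, Tuple

PROTOS = {"all", "tcp", "udp", "icmp"}

# Constructed sample of `iptables -L FORWARD -nvx` (-x prints exact byte
# counts). The accounting rules have no target, so they only count; there
# is one rule per host and direction. The last rule is an ordinary DROP
# and must not be mistaken for an accounting rule.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 12 packets, 1480 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1043    1356290            all  --  *      *       192.168.1.10         0.0.0.0/0
    1792   25834112            all  --  *      *       0.0.0.0/0            192.168.1.10
     211      28790            all  --  *      *       192.168.1.11         0.0.0.0/0
     302     412033            all  --  *      *       0.0.0.0/0            192.168.1.11
       5        400 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
"""


def accounting_rules(hosts: List[str]) -> List[str]:
    """Commands that create one counting rule per host and direction.
    A rule without -j has no target and only updates its counters; it is
    inserted at the top of FORWARD so nothing above it can drop or jump
    before the packet is counted."""
    cmds = []
    for h in hosts:
        cmds.append(f"iptables -I FORWARD -s {h}/32")
        cmds.append(f"iptables -I FORWARD -d {h}/32")
    return cmds


def parse_counters(output: str) -> Dict[str, Tuple[int, int]]:
    """Return {host: (bytes_sent, bytes_received)} from `iptables -L -nvx`.
    Only target-less rules with a single-host source or destination are
    taken as accounting rules; rows with a target are ignored."""
    totals: Dict[str, List[int]] = {}
    for line in output.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].isdigit():
            continue  # "Chain ..." line or the column header
        nbytes = int(f[1])
        # An empty target column disappears on split(), so a protocol name
        # in field 2 means the rule has no target.
        if f[2] not in PROTOS:
            continue
        src, dst = f[6], f[7]
        if src != "0.0.0.0/0":
            totals.setdefault(src, [0, 0])[0] += nbytes
        elif dst != "0.0.0.0/0":
            totals.setdefault(dst, [0, 0])[1] += nbytes
    return {h: (v[0], v[1]) for h, v in totals.items()}


def mrtg_report(counters: Dict[str, Tuple[int, int]], host: str, uptime: str = "") -> List[str]:
    """The four lines MRTG expects from an external target script:
    incoming bytes, outgoing bytes, uptime, target name."""
    sent, received = counters.get(host, (0, 0))
    return [str(received), str(sent), uptime, host]
```

MRTG treats both numbers as ever-increasing counters and derives the rate itself, so the script only has to print the cumulative values.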


[LARTC] wanted A tool to measure bandwidth....

2005-05-11 Thread KartheeK
Hello Everybody,
I have configured a Linux box that does traffic shaping. It's working wonderfully fine, just as expected... Now I want to measure the bandwidth consumed by each of my hosts. But I don't want SNMP to run on all the hosts [as required by MRTG].
I used iptraf on my linux box, but it only measures the bandwidth on interface basis only
I tried installing traffic-vis, it's not working properly and there is no documentation on how to get it running.
I also tried ntop, it installs, but doesn't work.
I have been scratching my head for the past one week
 
So my problem: I am in search of a tool that measures bandwidth consumed by each host on my LAN without requiring SNMP to run on the hosts...
 
Now, is there any tool
Any input regarding the matter is a welcome.
Infinite Thanx in Advance.
Regards
KartheeK



Re: [LARTC] Broken filters?

2005-05-11 Thread Pan'ko Alexzender
On Wed, 11 May 2005 23:39:35 +0100
Andy Furniss <[EMAIL PROTECTED]> wrote:

> Pan'ko Alexzender wrote:
> > Hi!
> > By iptables I set marking (-j MARK) just before -j IMQ.
> > There are only three marks. Exactly all of them are directed to 1:20
> 
> What are the rules.

There were three tables. At the end of each I placed such rules:

iptables -t mangle -A IMQ_MARK1 -j MARK --set-mark 106
iptables -t mangle -A IMQ_MARK1 -j IMQ --todev 0

iptables -t mangle -A IMQ_MARK2 -j MARK --set-mark 107
iptables -t mangle -A IMQ_MARK2 -j IMQ --todev 0

iptables -t mangle -A IMQ_MARK2 -j MARK --set-mark 108
iptables -t mangle -A IMQ_MARK2 -j IMQ --todev 0
> 
> > 
> > Why I see 3 pkts in default 1:30? 
> > How explain it?
> 
> Maybe there was traffic flowing when you ran the script.

No. Then it rises.


I received two answers from:

gypsy <[EMAIL PROTECTED]>
"Most likely the packets in 1:30 are not TCP.  They are probably UDP or
ARP or ICMP."

Marcin Ka_u_a <[EMAIL PROTECTED]>
"These are ARP packets. See Andy's reply to my question from 03 May in the 
archives"

I think they are right. But now I have much bigger problems that make me 
forget this :).



I think it is a problem of the new kernel 2.6.11. There are configurations that make 
the kernel panic.
And IMQ is not really shaping (the rate is not really limited)... Now I am testing this 
all...

Now I am waiting for kernel patches and trying the latest normal and test releases.


-- 
With best regards, Pan'ko Alexzender.
[EMAIL PROTECTED]


[LARTC] Setting up split access

2005-05-11 Thread Christoph Georgi
Hi,
I have a question concerning the configuration of multiple uplinks as 
described in the lartc howto, chapter 4.2:

I have a scenario as described in the lartc in Chapter 4.2 (Routing for 
multiple uplinks/providers), i.e. one linux router with two uplinks:

* 2 Mbps low delay DSL connection on device eth0
* 256 kbps higher delay DSL connection on device ppp0
I'm routing packets according to the service:
* http, VoIP and ssh over eth0 (priority traffic)
* everything else over ppp0 (non-priority traffic)
I do also require some non-priority traffic to use the route over eth0.
So I set up netfilter rules to mark the traffic accordingly:
* no mark for default/non-priority traffic to be routed over ppp0
* -j MARK 1 for priority traffic to be routed over eth0
* -j MARK 2 for traffic always over eth0
Then I set up the following additional routing tables:
* 201 for priority traffic:
  'default via  dev eth0
* 202 for traffic static over eth0
  'default via  dev eth0
I left the default routing table (254) unchanged except for the default 
route:
  'default via  dev ppp0

As described in an earlier post in this list, the rp_filter has to be 
disabled and the traffic for eth0 has to be SNATed to the IP of the 
interface as the kernel uses the IP of the ppp0 interface as source IP 
of every package.

However, I did not need to set up any of the other fancy routing entries 
described in the lartc howto to make the whole thing work. The 
question is, am I missing an important point here?

Furthermore, I don't get how the routing entries as described in the 
howto ensure that traffic is routed out over the same interface as it 
was originally coming in. I only see rules that match outgoing traffic, 
but none that matches incoming traffic. Maybe someone has a spare 
minute to enlighten me ;)

thanks in advance
christoph
--
Christoph Georgi
-
email.  [EMAIL PROTECTED]
fon.+64 (0)9 815 8259
registered linux user #380268
ubuntu 5.04 (ubuntu.com)


Re: [LARTC] how to guarantee 1/numflows bandwidth to each flow dynamically

2005-05-11 Thread Andy Furniss
Scott Mcdermott wrote:
I am looking for a simple way to guarantee to each flow
going through my traffic control point 1/numflows of
bandwidth.  I thought using SFQ would do this effectively
but it appears to be quite unfair: a very high speed
download that fills the pipe easily starves smaller flows to
the point where it becomes unusable (especially if they are
at all interactive)
If you are shaping from the "wrong" end of the bottleneck then you need 
to back off from link speed to get control - and it still won't be perfect.

It's best to prioritise interactive traffic and not mix it with bulk 
traffic.

Andy.
Because numflows is dynamic, I'm not sure how I would have
the bandwidth allocated to each flow change dynamically and
automatically as flows are added and removed.
Anyone have an idea how to implement this? Thanks.


Re: [LARTC] Broken filters?

2005-05-11 Thread Andy Furniss
Pan'ko Alexzender wrote:
Hi!
By iptables I set marking (-j MARK) just before -j IMQ.
There are only three marks. Exactly all of them are directed to 1:20
What are the rules.
Why I see 3 pkts in default 1:30? 
How explain it?
Maybe there was traffic flowing when you ran the script.
Andy.


### imq0: queueing disciplines
qdisc htb 1: r2q 10 default 30 direct_packets_stat 0
 Sent 631429 bytes 1812 pkts (dropped 0, overlimits 20)
### imq0: traffic classes
class htb 1:20 root prio 0 rate 100Kbit ceil 100Kbit burst 15Kb cburst 1727b
 Sent 630596 bytes 1809 pkts (dropped 0, overlimits 0)
 rate 3921bps 10pps
 lended: 1809 borrowed: 0 giants: 0
 tokens: 1121920 ctokens: 31360
class htb 1:30 root prio 7 rate 10Kbit ceil 80Kbit burst 1611b cburst 1701b
 Sent 833 bytes 3 pkts (dropped 0, overlimits 0)
 rate 2bps
 lended: 3 borrowed: 0 giants: 0
 tokens: 1244800 ctokens: 164600
### imq0: filtering rules
filter parent 1: protocol ip pref 100 fw
filter parent 1: protocol ip pref 100 fw handle 0x6a classid 1:20
filter parent 1: protocol ip pref 100 fw handle 0x6b classid 1:20
filter parent 1: protocol ip pref 100 fw handle 0x6c classid 1:20
Thanks for the attention.


Re: [LARTC] tc/htb QoS script

2005-05-11 Thread Andy Furniss
Ulrich Pöschl wrote:
hello folks,
this is my first post to that list. so I hope I am not completely OT 
here :-)

reading the (excellent!) lartc and then writing my own qos-script I have 
still some open questions which I will try to formulate now:

- "Now we can optionally attach queuing disciplines to the leaf classes. 
If none is specified the default is pfifo." - I can't find info about 
Pfifo. is it the same as pfifo_fast?
what happens when I do not add queuing disciplines to the leaf classes? 
only the filters?
pfifo = packet fifo it's just a first in first out not as clever as 
pfifo fast. If you don't add a queue to a leaf you get a long pfifo - 
limit set by htb rather than you.

- can a class burst above the ceil-parameter when there is NO other 
traffic on the line at that moment?
You can specify burst and cburst for htb in your script if you want - if 
you don't htb chooses them for you from rate/ceil.

See them with tc -s -d class ls devX.
- what happens when a packet passing through the filters can be matched 
by two filters? f.e. I have a "general" type of WWW-port 80 filter and 
another WWW-port 80 filter to a certain subnet. is it like a cisco ACL? 
the first hit is applied?
Yes use prio to order filters and remember 1 is highest not 0.
- is hardware a criteria? i want to shape a pretty full 2048/2048 line 
and use an old server with 2 NICs at the moment. 128 MB ram, but gnome 
running.. :) could I create a bottleneck by doing so?
Probably be OK as long as you don't have thousands of tests per packet.

- question concerning the script (below):
it is quite simple. I want to filter any traffic going to an "SAP" 
subnet. (where we have the SAP-system) and WWW as well as email
i apply it to interface eth0 and eth1 (which are part of an ethernet 
bridge br0).
as there are all servers on one side of the bridge and I want it to be 
"plug and play"-like I apply the same script to both interfaces.

The setup is like this:
[Manchester] (~250 Clients) ---> Transparent QoS-Bridge > ROUTER 
 FR WAN 2 Mbit --> [AT/Vienna] (Mailserver, Proxy, SAP)

- and: will my script work as expected with that setup? :)
thanks in advance and kind regards,
Ulrich

#!/bin/sh
#
 Configuration part ##
DEVICE=$1   # interface (eth0 / eth1)
Bandwidth=2048kbit  # rate of WAN - line / remember you can't ceil this 
or you'll experience latency. 75-80% of ceil is a good place to start.
Your rates and ceils seem to ignore this comment :-)
Remember rates are guaranteed prio only affects sharing of what's spare.
Rest looks OK but I often miss things - test, test, test is the best way.
Andy.


Re: [LARTC] vlan traffic shaping.

2005-05-11 Thread Andy Furniss
Robert Denier wrote:
I couldn't find anyone who had actually made it work via google so I
guess I'll ask here.
My setup is a VPN point to point link.  The VPN is a modified version of
Openvpn where I'm using zlib compression to improve the compression a
bit.
The goal is to shape traffic coming from a routing server through the
vpn to the endpoint of the vpn and in such a way maximize the usefulness
of a limited bandwidth connection.
You can shape the vpn tunnel just fine, but that has a problem since you
shape the traffic _before_ any of it is compressed and thus cannot
really deal with compression in an ideal manner.
The ideal thing to do is to shape traffic after the VPN software
processes it and sends it to the real interface.  Of course, now that
I'm taking the time to explain the problem, an answer becomes somewhat
obvious and that is to add shaping just on the source/dest path used by
vpn packets on the real interface.
What I was trying to do was to create a vlan interface like eth0.5 and
then use that interface to run the VPN link, and thus have a nice
intermediate point where I can do all the shaping.  Unfortunately when
one actually tries to do this, the shaping seems to set itself up
normally, but in fact does absolutely nothing with the vlan interface.
I suppose some more analysis of my idea is in order.  I may be a little
wrong on some things so feel free to correct me.
1) You can shape all traffic correctly on the VPN link, except
compressible traffic which changes in size after leaving the VPN
software.
It would be nice if a netfilter mark would carry over from before to 
after VPN - maybe the software could be hacked to do this. Then you 
could classify/mark traffic before encapsulation and shape it on eth0 - 
I have never tried, but don't think shaping on virtual eth0.x will work.
2) You could shape raw VPN packets based on source/dest type marking.
Now what does this mean for the shaping in 1)?  If this particular path
is at its max rate and the queue is full then a packet will be sent to
that interface but ultimately dropped.  VPN packets are UDP, so the
recovery would have to be in the VPN software.
Double shaping is not going to be ideal. If you just shape after 
encapsulation I think the fact udp is used to encapsulate is irrelevant. 
If it is tcp that is being carried then the sender should react normally 
to drops.

Andy.
It would seem if I'm understanding this correctly that even if I got
vlan to do what I thought I wanted it to do, it might not help anything.
Of course you might get around this by using TCP for vpn packets.
I'm a little uncertain of some things in the last couple paragraphs so
I'll probably just try it.  At any rate, one way for compression to
still be useful is to allow web pages to burst above the maximum
bandwidth by around 100KB.  This covers most of the cases where
compression is useful.  Anything low priority like ftp transfers must of
course be hard capped below the links capacity and set to a low
priority..


Re: [LARTC] Incorrect params

2005-05-11 Thread Andy Furniss
S.Mehdi Sheikhalishahi wrote:
Does tc understand irregular configurations?
   For example in a configuration that parent class has ceil and rate 
parameters less than child classes?

How can I limit output traffic of an interface?
I test it by limiting parent class traffic but it does not work.
I think this should work if you use htb.
Andy.


Re: [LARTC] individual connections

2005-05-11 Thread Andy Furniss
richard lucassen wrote:
Is it possible (one way or another) to guarantee or to limit bandwidth
of 1 session?
E.g.:
RDP: 750kbit rate, 1Mbit ceil
default: 250kbit rate, 1Mbit ceil
max bw per RDP connection: 100kbit
guaranteed bw per RDP session: 20kbit
R.
If you can't make a rule to match each connection.
there may be a way using netfilter patch-o-matic-ng patch connlimit or
Wang Jian posted a perflow queue patch recently -
http://mailman.ds9a.nl/pipermail/lartc/2005q2/015381.html
Andy.


Re: [LARTC] Waiting queue size

2005-05-11 Thread Andy Furniss
PRETI wrote:
Hi everybody,
 

My config is two RED waiting queues and I would like to know if it is
possible to have the size of the waiting queue in real time with the tc
command or whatever.
tc -s qdisc ls dev eth0 or whatever dev you shape on will give a packet 
count as backlog.

Andy.


Re: [LARTC] Help with PRIO qdisc and filters

2005-05-11 Thread Andy Furniss
Pavan Kumar wrote:
Hi,
Sorry to bother you all. I have a typical problem sharing DSL upstream
bandwidth with users. I have 3 types of traffic high-priority,
medium-priority and low priority. My upstream rate is 960kbits. Traffic (any
priority) can vary in bandwidth from 0 to 960kbits. I have a test setup
where I can pump 600kbit of high priority sustained and I have 400kbit of
low priority traffic sustained. I expect after the 600kbit high-priority
traffic, the remaining 360kbit should be allocated to the medium and low
priority. Since I do not have medium-priority everything should go to
low-priority traffic. However, I do not see that behavior with the following
tc script I have
 
--- Begin Script -
# delete any existing qdiscs
tc qdisc del dev ppp0 root
# setup PRIO qdisc with 3 bands
tc qdisc add dev ppp0 root handle 1: prio band 3 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
# filter traffic for high priority based on TOS field
tc filter add dev ppp0 parent 1:0 prio 1 protocol ip u32 match ip tos 0x28 0xff flowid 1:1
tc filter add dev ppp0 parent 1:0 prio 1 protocol ip u32 match ip tos 0x48 0xff flowid 1:2
tc filter add dev ppp0 parent 1:0 prio 1 protocol ip u32 match ip tos 0x58 0xff flowid 1:3
 
# use ebtables to set the TOS field. First flush the rules
ebtables -t broute -F
ebtables -t broute -I BROUTING 1 -j ftos --set-ftos 0x28 -p IPv4 --ip-src 192.168.1.151/32
ebtables -t broute -I BROUTING 2 -j ftos --set-ftos 0x48 -p IPv4 --ip-src 192.168.1.152/32
ebtables -t broute -I BROUTING 3 -j ftos --set-ftos 0x58 -p IPv4 --ip-src 192.168.1.153/32
 
--- End Script --
 
What I see is the high priority traffic is leaving at 600kbits as I measure
it on my test equipment. However, I do not see any low-priority or
medium-priority traffic coming out of the box. I would appreciate if you
folks can please give me a hint as to what is happening and also any
possible solutions. I need hard PRIO but the unused bandwidth should be
shared by the other traffic. I am using Linux kernel 2.6.8.1 and iproute2
(iproute2-2.6.8-ss040730.tar.gz).
You need to have prio as an htb class as it doesn't rate limit otherwise.
You'll also need to back off from your dsl rate to allow for overheads 
as they can be significant especially with lots of small packets.

Andy.


Re: [LARTC] Packets going to default class iam having still the problem

2005-05-11 Thread Andy Furniss
hareram wrote:
Hi all
It's been a long time I have been sending this message to this news group
but I could not get a proper response from the authors or any experts: 
is that a bug or only a problem with my system?

I am trying this config with FC
iptables 1.3.0
and the latest tc utility, iproute2-ss050330
htb 3.17
I have been trying for the past 2 weeks and digging all Googles but could not 
come to a conclusion about what's wrong

Could someone guide me in the right direction about what's wrong with my config?
Help will be appreciated
Did you try CLASSIFY instead of mark.
Andy.


Re: [LARTC] I'm leaving this list ....

2005-05-11 Thread Andy Furniss
Stef Coene wrote:
Hi,
I'm subscribed to this mailing list for a long time.  During that time, I 
enjoyed reading all posts and try to understand them :)

LARTC started as a something I could use to impress my boss.  After a while it  
became clear to me that my boss was not impressed ;(, but I kept following 
this list because it was fun.  I also placed a lot documentation online on 
http://www.docum.org/docum.org/.

But right now, I don't have the time anymore to do this.  So I'm leaving this 
list.  I will keep my pages online on docum.org.  If someone has questions 
about the pages on docum.org, feel free to pass them my email address.

So, goodbye and happy shaping ;)
That's a shame I'll miss your input.
Good luck for the future and may you one day have a more easily 
impressed boss :-)

Andy.


Re: [LARTC] Starting from scratch w/ multiple uplinks

2005-05-11 Thread Markus Schulz
Am Dienstag, 10. Mai 2005 14:56 schrieb Markus Schulz:
> Am Dienstag, 10. Mai 2005 09:33 schrieb Rafael A Barrero:
> > Thanks for the link!
> >
> > At the beginning of the document it states that it will not work
> > with two modem connections. What if both my ADSL lines are pppoe?
> > Will this still work?
>
> it works fine. if i'm at home i can post my script.

okay, here is the important part of my script:

#!/bin/sh
set -x
PTP=`ifconfig ppp0 | grep P-t-P | sed 's/.*P-t-P:\([^ ]*\).*/\1/g'`
IP1=`ifconfig ppp0 | grep addr | sed 's/.*addr:\([^ ]*\).*/\1/g'`
IP2=`ifconfig ppp1 | grep addr | sed 's/.*addr:\([^ ]*\).*/\1/g'`

echo 1 >  /proc/sys/net/ipv4/ip_forward

#del all rules for table 201 (search for better way to do this)
for route in `ip rule list | grep ^201 | sed 's/^201:.*from \([^ ]*\) lookup 201/\1/'`; do
ip rule del prio 201 from $route table 201
done

#del all rules for table 202 (search for better way to do this)
for route in `ip rule list | grep ^202 | sed 's/^202:.*from \([^ ]*\) lookup 202/\1/'`; do
ip rule del prio 202 from $route table 202
done

ip rule del prio 50 table main
ip rule add prio 50 table main
ip route del default table main

#ppp0
ip rule add prio 201 from $IP1 table 201

#next two lines is for testing purpose
ip rule del fwmark 0x20 table 201
ip rule add fwmark 0x20 table 201

ip route add default via $PTP dev ppp0 src $IP1 proto static table 201
ip route append prohibit default table 201 metric 1 proto static

#ppp1
ip rule add prio 202 from $IP2 table 202
ip route add default via $PTP dev ppp1 src $IP2 proto static table 202
ip route append prohibit default table 202 metric 1 proto static

#multipath route.
ip rule del prio 222 table 222
ip rule add prio 222 table 222
ip route add default table 222 proto static \
nexthop via $PTP dev ppp0 \
nexthop via $PTP dev ppp1


#skipped all other firewall iptables rules except the two needed snat 
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -I POSTROUTING -o ppp0 -j SNAT --to-source $IP1
iptables -t nat -I POSTROUTING -o ppp1 -j SNAT --to-source $IP2


If you have some improvements, drop me a note.

-- 
Markus Schulz
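As an added example (my code, not from Hamish's, Alexander's or Markus's posts), the following models the `ip rule` / `ip route` lookup order and runs it over two rule sets from this digest: Hamish's main/adsl tables with and without the `from {adsladdress}/32 lookup adsl` rule Alexander suggests, and Markus's tables 201/202/222 with their `prohibit` fallbacks, which is also the mechanism that keeps replies on the uplink they arrived on (Christoph's question in the split-access thread). The masked 196.xx / 165.146.yy addresses, the pppd-assigned IP1/IP2/PTP and Markus's LAN prefix are constructed stand-ins.

```python
"""Policy-routing walk-through (added example, not from the thread)."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class Route:
    """One table entry; action is 'unicast' or 'prohibit'."""
    def __init__(self, prefix, dev=None, via=None, action="unicast", metric=0):
        self.prefix = ipaddress.ip_network(prefix)
        self.dev, self.via, self.action, self.metric = dev, via, action, metric


class Rule:
    """One 'ip rule' entry with optional from/to selectors."""
    def __init__(self, prio, table, src=None, dst=None):
        self.prio, self.table = prio, table
        self.src = ipaddress.ip_network(src) if src else None
        self.dst = ipaddress.ip_network(dst) if dst else None


def lookup(table: List[Route], dst) -> Optional[Route]:
    """Longest-prefix match; equal prefixes are tie-broken by metric."""
    hits = [r for r in table if dst in r.prefix]
    return min(hits, key=lambda r: (-r.prefix.prefixlen, r.metric)) if hits else None


def resolve(rules: List[Rule], tables: Dict[str, List[Route]],
            src: str, dst: str) -> Tuple[str, Optional[str], int]:
    """Walk rules by priority. A table without a matching route falls
    through to the next rule; any match ends the walk, so a prohibit route
    inside a table blocks fall-through. Returns (action, dev, rule prio)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src is not None and s not in rule.src:
            continue
        if rule.dst is not None and d not in rule.dst:
            continue
        hit = lookup(tables.get(rule.table, []), d)
        if hit is not None:
            return (hit.action, hit.dev, rule.prio)
    return ("unreachable", None, -1)


# --- Hamish's tables and rules. Constructed stand-ins for the masked
# addresses: DIGINET_* for 196.xx.xx.xx/nn, ADSL_IP for 165.146.yy.yy.
DIGINET_IP, DIGINET_NET, ADSL_IP = "196.0.2.10", "196.0.2.0/24", "165.146.0.2"
HAMISH_TABLES = {
    "main": [Route("165.146.128.1/32", dev="ppp0"), Route(DIGINET_NET, dev="eth1"),
             Route("10.0.0.0/24", dev="eth2"), Route("192.168.1.0/24", dev="eth0"),
             Route("0.0.0.0/0", dev="eth1", via=DIGINET_IP)],
    "adsl": [Route("10.0.0.0/24", dev="eth2"), Route("192.168.1.0/24", dev="eth0"),
             Route("127.0.0.0/8", dev="lo"), Route("0.0.0.0/0", dev="ppp0", via=ADSL_IP)],
}
HAMISH_RULES = [Rule(90, "main", dst="192.168.1.0/24"),
                Rule(100, "adsl", src="192.168.1.0/24"), Rule(32766, "main")]
# The rule Alexander suggests adding: a packet whose source is already the
# ADSL address must also be sent to the adsl table instead of main.
ALEXANDER_FIX = Rule(100, "adsl", src=ADSL_IP + "/32")


def hamish_egress(src: str, dst: str, with_fix: bool) -> Optional[str]:
    """Outgoing device for src->dst with or without the extra rule."""
    rules = HAMISH_RULES + ([ALEXANDER_FIX] if with_fix else [])
    return resolve(rules, HAMISH_TABLES, src, dst)[1]


# --- Markus's split-access script. IP1/IP2/PTP are constructed stand-ins
# for the pppd-assigned addresses; the LAN prefix is constructed too.
IP1, IP2, PTP, LAN = "203.0.113.1", "203.0.113.2", "203.0.113.254", "192.168.0.0/24"
MARKUS_TABLES = {
    "main": [Route(LAN, dev="eth0")],  # the script deletes main's default route
    "201": [Route("0.0.0.0/0", dev="ppp0", via=PTP), Route("0.0.0.0/0", action="prohibit", metric=1)],
    "202": [Route("0.0.0.0/0", dev="ppp1", via=PTP), Route("0.0.0.0/0", action="prohibit", metric=1)],
    "222": [Route("0.0.0.0/0", dev="ppp0", via=PTP)],  # multipath route, modelled as its first nexthop
}
MARKUS_RULES = [Rule(50, "main"), Rule(201, "201", src=IP1 + "/32"),
                Rule(202, "202", src=IP2 + "/32"), Rule(222, "222")]


def markus_egress(src: str, dst: str, ppp0_up: bool = True) -> Tuple[str, Optional[str], int]:
    """When pppd takes ppp0 down the kernel drops the routes over it, which
    leaves the metric-1 'prohibit' entry: packets sourced from IP1 are then
    refused instead of falling through to the multipath table 222."""
    tables = dict(MARKUS_TABLES)
    if not ppp0_up:
        tables["201"] = [r for r in MARKUS_TABLES["201"] if r.dev != "ppp0"]
    return resolve(MARKUS_RULES, tables, src, dst)
```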


[LARTC] I'm leaving this list ....

2005-05-11 Thread Stef Coene
Hi,

I'm subscribed to this mailing list for a long time.  During that time, I 
enjoyed reading all posts and try to understand them :)

LARTC started as a something I could use to impress my boss.  After a while it  
became clear to me that my boss was not impressed ;(, but I kept following 
this list because it was fun.  I also placed a lot documentation online on 
http://www.docum.org/docum.org/.

But right now, I don't have the time anymore to do this.  So I'm leaving this 
list.  I will keep my pages online on docum.org.  If someone has questions 
about the pages on docum.org, feel free to pass them my email address. 

So, goodbye and happy shaping ;)


Stef


[LARTC] Qdisc stops responding

2005-05-11 Thread R Harper
Naturally I forgot to attach the code, as I was rushing to get to lunch.
R.harper
p.s why do my messages end up as a reply to someone else's message in the 
archive?

/*
  Flow based Qdisc scheduler 
*/
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#include 
#include 
#include 
#include 
#include 


#define LATENCY 10
#define LIMIT 50
#define HASH_SIZE 20
#define FLOW_LIFETIME (10*HZ)


/* Protects conntrack->proto.tcp*/
//static DECLARE_RWLOCK(tcp_lock);



struct flow_sched_data {
  u32 latency;
  u32 limit;
  u32 qlen;

  struct sk_buff_head qs[HASH_SIZE];
  u32 is_used[HASH_SIZE];
  psched_time_t last_pkt_sent[HASH_SIZE];
  psched_time_t next_send_time[HASH_SIZE];
  psched_time_t interval[HASH_SIZE];
  struct timer_list remove_timer[HASH_SIZE];
  struct timer_list timer;
  struct sk_buff_head fasttrack;
};


static __inline__ u32 get_hash(struct sk_buff *skb)
{
  if (skb->protocol == __constant_htons(ETH_P_IP) ){
struct iphdr *iph = skb->nh.iph;
if (iph->protocol == 6){
  struct tcphdr *tcph = (void *)iph + (iph->ihl*4);
  return jhash_3words(iph->saddr^iph->protocol, iph->daddr,
	   (tcph->dest << 16 | tcph->source), 0x543298ff); 
}
else{
  return jhash_3words(iph->saddr, iph->daddr, iph->protocol, 0x543298ff);
}  
  }
  return 0;  
}

static __inline__ short flow_hash(struct sk_buff *skb, struct Qdisc *sch)
{
  int i = 0;
  u32 hash;
  short index;
  struct ip_conntrack *ct;
  enum ip_conntrack_info ctinfo;
  struct flow_sched_data *q = qdisc_priv(sch);

  ct = ip_conntrack_get(skb, &ctinfo);

  //if (ct->proto.tcp.state == TCP_CONNTRACK_ESTABLISHED)
  hash = get_hash(skb);
  index = hash % HASH_SIZE;

  
  if (q->is_used[index] == hash){
//printk("Correct flow found, hash: %u, index: %i \n", hash, index);
//Found correct flow
return index;
  }
  else if (q->is_used[index] == 0){
psched_time_t next_send;
PSCHED_GET_TIME(next_send);
//bucket unused, lets use this one
printk("New flow, hash: %u, index: %i \n", hash, index);
q->is_used[index] = hash; 
//seting the dequeue time!
//READ_LOCK(&tcp_lock);
//q->next_send_time[index] = PSCHED_TADD(next_send, PSCHED_JIFFIE2US(ct->proto.tcp.rate));
//READ_UNLOCK(&tcp_lock);
q->next_send_time[index] = PSCHED_TADD(next_send, q->interval[index]);

return index;
  }
  else{
//Must search the whole table to see if this is an
//established connection, 
for(i = 0; i < HASH_SIZE; i++){
  if (q->is_used[(index+i)%HASH_SIZE] == hash){	
	//found the right slot in the table;
	return (index+i)%HASH_SIZE;
  }
}

//Ok didn't find an established connection
//This *must* be a new connection
for(i = 0; i < HASH_SIZE; i++){
  if (q->is_used[(index+i)%HASH_SIZE] == 0){
	psched_time_t next_send;
	PSCHED_GET_TIME(next_send);
	//found unused slot in the hash table.
	q->is_used[(index+i)%HASH_SIZE] = hash;
	//READ_LOCK(&tcp_lock);
	//q->next_send_time[(index+i)%HASH_SIZE] = PSCHED_TADD(next_send, PSCHED_JIFFIE2US(ct->proto.tcp.rate));
	//READ_UNLOCK(&tcp_lock);
	q->next_send_time[(index+i)%HASH_SIZE] = PSCHED_TADD(next_send, q->interval[(index+i)%HASH_SIZE]);
	return (index+i)%HASH_SIZE;
  }
}

//Nothing found, strange!
//Must be an error
printk(KERN_WARNING "No hash bucket found!\n");
return -1; 
  }
}


static __inline__ int flow_is_valid(struct sk_buff *skb){
  
  struct iphdr *iph = skb->nh.iph;
  enum ip_conntrack_info ctinfo;
  struct tcphdr *tcph = (void *)iph + (iph->ihl*4);

  if (skb->protocol != __constant_htons(ETH_P_IP) )
return 0;

  if (iph->protocol != IPPROTO_TCP)
return 0;

  ip_conntrack_get(skb, &ctinfo);

  if (!tcph->ack)
return 0;

  if (ctinfo != IP_CT_ESTABLISHED)
return 0;
  
  return 1;  
}


static int flow_enqueue(struct sk_buff *skb, struct Qdisc *sch)
{
  struct flow_sched_data *q = qdisc_priv(sch);
  short hash;

  if (flow_is_valid(skb) == 1)
hash = flow_hash(skb, sch);
  else 
hash = 0;

  if (!skb->nfmark)
goto drop;

  if (q->qlen && sch->q.qlen >= q->qlen){
printk("Dropping packet, queue full\n");
goto drop;
  }

  if (hash == -1)
goto drop;

  
  //printk("flow_enqueue hash %u skb=%p @%lu\n", hash, skb, jiffies);
  
  
  //printk("qs len pre: %i \n", q->qs[hash].qlen);	
  __skb_queue_tail(&q->qs[hash], skb);
  //printk("qs len post: %i \n", q->qs[hash].qlen);

  q->remove_timer[hash].expires = jiffies + FLOW_LIFETIME;
  add_timer(&q->remove_timer[hash]);
  
  if (++sch->q.qlen < q->limit-1){
sch->stats.bytes += skb->len;
sch->stats.packets++;
return NET_XMIT_SUCCESS;
  }

drop:
  sch->stats.drops++;
  kfree_skb(skb);
  r

[LARTC] Qdisc stops responding

2005-05-11 Thread R Harper
Hello lartc
I wrote a scheduling qdisc that works on a per-flow basis. It dequeues 
packets according to a flow interval. But as it turns out there is a problem 
with it.

The qdisc loads just fine and is working correctly. The problem is that if 
the qdisc is removed and loaded again, it stops responding. By that I mean 
it stops enqueuing packets to the underlying qdisc. "tc -d qdisc show" 
shows that the packets get backlogged in the qdisc and never leave.

I was hoping that someone has the time to take a quick look at the *bad* 
code and see if you can spot an obvious error. I know the code is probably 
not up to your standards since this is my first qdisc, and my pet hamster 
did all the coding ;)

Hoping for response
R.harper