[LARTC] use hashing with tcng?

2005-06-02 Thread Ken Yap
Is it possible to use filter hashing with tcng? As far as I can
tell tcng generates a straight chain of filters.

PS: Can the list admin kick wilson off the list please? That
compromised machine is probably collecting addresses to spam. I started
getting spam after I posted to this list.
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


Re: [LARTC] filter ingress policy based on nfmark

2005-06-02 Thread Martin Vassilev
On Thursday 02 June 2005 00:31, you wrote:


 On 2.6 whether policer sees marks or not depends on your kernel config.

 If you don't select classifier actions then you get the 2.4 behavior.

 Andy.

Many thanks.

-- 
Best Regards,
Martin Vassilev
NetSurf.net Ltd.



[LARTC] how to configure linux in production line

2005-06-02 Thread Gonn Star
I am new to the Linux world; basically I'm using Red Hat 9,
kernel 2.4.20-8. I need to build a trusted gateway. My
Linux box will be the gateway for several PCs
to go to the desired server. There will be several
subnets under the Linux box, and I've already assigned
static IPs for the PCs. Now my problem is that I only need
2 PCs from each subnet to connect to certain servers,
and those 2 PCs can only have transactions (open) to the
specified servers; for others it will
drop (firewalled). The other PCs can't log on to
the outside world. Should I use only iptables rules or
with the help of Squid (ACL) as well? Please add
the commands as well. Thanks.





[LARTC] CBQ throughput and efficiency question

2005-06-02 Thread cai



Hello all, I am testing CBQ and HTB these days and I got a lot of
problems which need your help. It is a little long text :) Thank
you! (All my tests are based on Red Hat Linux 9.0.)

1. Is isolated of CBQ working? I have read Mr. Stef's words that he never
made cbq isolated work.

2. I have set up an environment to test cbq: one tcp flow which I should
protect and a noisy udp flow which will eat much of the bandwidth. When
only the tcp flow is run, the result is good, the tcp rate is controlled with an
acceptable deviation. But if the noisy udp runs up (it is not classed into
the same class as tcp's) the tcp rate will increase almost to double. Why
increased??? Actually, I thought that the tcp rate would decrease for the impolite UDP
flow, but the fact is the contrary, whether I set "isolated" or not on the
tcp rate. Below is the script I set in a computer running Red Hat 9,
and this Linux box also produces the tcp flow to 200.200.200.229 and the udp flow to
200.200.200.121 by iperf 1.7.0.

--
tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8
tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 100Mbit weight 10Mbit prio 1 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded
tc class add dev eth0 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate 480Kbit weight 48Kbit prio 1 allot 1514 cell 8 maxburst 20 avpkt 1000
tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate 10Mbit weight 1Mbit prio 1 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded isolated
tc qdisc add dev eth0 parent 1:3 handle 30: sfq
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 200.200.200.121 match ip dport 5001 0x flowid 1:2
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 200.200.200.229 match ip dport 5001 0x flowid 1:3
--

3. I have watched that cbq throughput is mostly 18M in Red Hat 9. Although I write a script to increase
"cbq bandwidth 100Mbit rate xxx" to a larger and larger rate, iperf
reports only 18.5M or so. But HTB is very good at it.

Thanks!

- Original Message -
From: "Stef Coene" [EMAIL PROTECTED]
To: "cai" [EMAIL PROTECTED]
Sent: Wednesday, June 01, 2005 7:15 PM
Subject: Re: cbq question

On Wednesday 01 June 2005 12:51, you wrote:
 hello, stef, I saw your assertion that cbq is not working in isolated mode:
 http://mailman.ds9a.nl/pipermail/lartc/2002q3/004782.html
 "Btw, I never could get isolated working with cbq."
 Is this true in all linux kernel version or only some specific.
It's a long time since I tested it, but I never could get it working. The cbq code
has not changed much, so I think it's still not working.

Stef


Re: [LARTC] how to configure linux in production line

2005-06-02 Thread /dev/rob0

Gonn Star wrote:

I am new to the Linux world; basically I'm using Red Hat 9,
kernel 2.4.20-8. I need to build a trusted gateway. My


Whoa! You are starting out with something very old and bug-ridden. You 
should scrap that and switch to a current release, whatever distro you 
may choose.


Quite a few of those old bugs can bite very hard, including root 
compromises. Being new, did you know how to update for security? Sure, 
there's Fedora Legacy which may or may not be supporting the old stuff 
with updates, but that is intended for people who have long-running 
stable servers ... not to entice new users to RH 9.



Linux box will be the gateway for several PCs
to go to the desired server. There will be several
subnets under the Linux box, and I've already assigned
static IPs for the PCs. Now my problem is that I only need
2 PCs from each subnet to connect to certain servers,
and those 2 PCs can only have transactions (open) to the
specified servers; for others it will
drop (firewalled). The other PCs can't log on to
the outside world. Should I use only iptables rules or
with the help of Squid (ACL) as well?


You do not seem to understand that HTTP is just one of many TCP/IP 
protocols, and yet you want to set up complex networking controls. 
Anyone who knows more than you do would likely find it a trivial task to 
get around your controls.



please add up the commands as well. Thanks.


Specific questions which show that you have tried will tend to be 
better-received than generalised requests for spoonfeeding. I do things 
like this for a living, and I do not have time to earn your living as well.


You mention production which implies that this is needed in a business 
setting. If so it's probably worth it to the business owners to pay for 
expertise. You can't learn everything you need to know, overnight.


For you, I would recommend starting with the basics. There are good 
HOWTOs at netfilter.org which might help.

--
mail to this address is discarded unless /dev/rob0
or not-spam is in Subject: header


[LARTC] iproute + xml

2005-06-02 Thread Alberto Torres
Hello there, I am continuing with the development of the iproute GUI.
I was wondering if there is an XML parser for the setup of the queues.
I have been searching but I can't find any... anyone?


Re: [LARTC] HTB on loopback gives a bit rate multiplied by 8

2005-06-02 Thread Andy Furniss

Kiruthika Selvamani wrote:

Hi Andy,
Thanks for the suggestion. I changed the MTU to 1500 and it started
working. Is this because HTB shapes traffic based on packet rate
rather than bit rate? How does it use the rate lookup tables?


It's not based on packet rate as such; the lookup tables are for the 
time delay for different packet lengths at the different rates. There is 
one for each rate and ceil, pre-calculated for efficiency.


Each table has 256 slots so the mtu is needed to fill it efficiently, 
with normal mtu each slot is 8 bytes apart. If you had told htb the mtu 
of lo (16436) then each slot would have been calculated to cover a 
bigger range of bytes.


I suppose the giants counter is a warning that these packets are not 
being shaped properly as they are too big. I suppose devik decided to do 
this in preference to calculating the delay for every giant so it didn't 
slow things down too much.


Personally I am glad he didn't just use the interface mtu, as my dsl 
ppp0 gets one of 32k - it never sees a packet bigger than 1500 though, 
so if htb used 32k the shaping of small packets would be too inaccurate.


Andy.
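To make the lookup-table arithmetic in Andy's reply concrete, here is an added example (not code from the thread, iproute2 or the kernel) that models the 256-slot table and the clamped lookup, and reproduces the roughly 8x result from the subject line for 16436-byte loopback packets when tc builds the table for its default mtu. Slot sizing and the giants clamp follow the shape of tc's tc_calc_rtable() and HTB's L2T(); mpu, overhead and the tick conversion are left out, and billing slot i as (i + 1) << cell_log bytes is a simplifying assumption.

```python
"""Simplified model of an HTB rate lookup table (added example, not iproute2 or
kernel code). Assumptions: no mpu/overhead, times kept in microseconds, and
slot i bills (i + 1) << cell_log bytes."""

SLOTS = 256
TC_DEFAULT_MTU = 2047  # what tc assumes when no mtu is given on the command line


def pick_cell_log(mtu):
    """Smallest shift so the declared mtu still indexes a valid slot:
    2047 -> 3 (8-byte cells), lo's 16436 -> 7 (128-byte cells)."""
    cell_log = 0
    while (mtu >> cell_log) > SLOTS - 1:
        cell_log += 1
    return cell_log


def build_rtable(rate_bytes_per_sec, mtu=TC_DEFAULT_MTU):
    """Slot i holds the time in microseconds to send (i + 1) << cell_log bytes
    at the configured rate; one such table exists per rate and per ceil."""
    cell_log = pick_cell_log(mtu)
    table = [1_000_000.0 * ((i + 1) << cell_log) / rate_bytes_per_sec
             for i in range(SLOTS)]
    return cell_log, table


def charged_len(cell_log, pkt_len):
    """Bytes the table actually bills for pkt_len, and whether it was a giant.
    A packet past the end of the table is clamped to the last slot, so it is
    billed as if it were only SLOTS << cell_log bytes long."""
    slot = pkt_len >> cell_log
    giant = slot > SLOTS - 1
    if giant:
        slot = SLOTS - 1
    return (slot + 1) << cell_log, giant


def throughput_ratio(mtu, pkt_len):
    """Achieved / configured rate for a stream of pkt_len-byte packets when the
    table was built for mtu. The rate cancels out; only the lengths matter."""
    billed, _ = charged_len(pick_cell_log(mtu), pkt_len)
    return pkt_len / billed


if __name__ == "__main__":
    # The thread's case: HTB on lo, 16436-byte packets, table built for 2047 vs 16436.
    for mtu in (TC_DEFAULT_MTU, 16436):
        cell_log = pick_cell_log(mtu)
        billed, giant = charged_len(cell_log, 16436)
        print(f"mtu {mtu}: cell_log {cell_log}, 16436-byte packet billed as "
              f"{billed} bytes, giant={giant}, rate x{throughput_ratio(mtu, 16436):.2f}")
```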



[LARTC] How many (htb) tc classes and qdiscs are too many?

2005-06-02 Thread Spencer
We have a Linux box that is acting as the gateway to the internet for about
400 people; typically there are not more than 50 of them using the internet
at any given time.  We would like to provide different levels of access to
different users.  For example 128kbps to some users and 256kbps to others.
We have considered creating a class and qdisc for each user (using htb);
however, we don't know how much overhead creating 50-200 classes and
qdiscs would involve. Would this put too much strain on the Linux box?  Is it
better to create fewer classes and qdiscs and assign multiple users to each?
I haven't been able to find any test on the maximum effective number of qdiscs, but
it could be I have just been looking in the wrong place.  If anyone has any
ideas or could point me in the right direction it would be greatly
appreciated.

Spencer



[LARTC] Re: [PATCH] Support module autoloading in iproute2

2005-06-02 Thread Stephen Hemminger

Use module aliases and the kernel will do the autoloading.
Most distros add something like:
alias eth0 e100
to /etc/modprobe.conf



Re: [LARTC] How many (htb) tc classes and qdiscs are too many?

2005-06-02 Thread threaded
Spencer wrote:
 
 Is it
 better to create fewer classes and qdisc and assign multiple users to each?
 I haven't been able to find any test on maximum effect number of qdiscs, but
 it could be I have just been looking in the wrong place.  If any one has any
 ideas or could point me in the right direction it would be greatly
 appreciated.
 
 Spencer

You're not the first person to ask this.  AFAIK there is no benchmark.  People
just do it.  I suggest googling this ML for hash, internet cafe,
pyshaper, PaceMaker and whatever else that leads to.  IIRC hotel may
also be a good search word.

Tomasz Paszkowski runs a HUGE script for his HFSC setup.

The short answer is that, if you can create a hash that matches, you can
reduce the volume of entries; but that is more a convenience than something
necessary for efficiency.  It takes a HELL of a lot to make Linux groan under
the load.  I once spent  1 hour loading ~32K filters, but when the script
finished, I could not tell they were there based on the performance of my AMD
Duron 1400 CPU, 256Mb RAM equipped Linux box.

The following is probably the most useful single site you'll find:
http://digriz.org.uk/
--
gypsy


Re: [LARTC] iproute + xml

2005-06-02 Thread cristian_dimache
Let us look back at the archives:

On 12 Jul 2001 17:41:42 -0500, Nikolai Vladychevski wrote:
 But what I am trying to do is to release it for
 production where the end users would point  click for filter creation 
 bandwidth definition, so I think it will be an adventure, but I am
 accepting the risks... after all it's free code

I've been working on an XML format for describing a traffic control
configuration in-house.  We're working on a good way to describe the
rules and it's not too hard since most of the settings are hierarchical.
We've eliminated the need for specifying parents by the inherentness of
nesting classes under cbq queues and queues under classes, but have a
few more things to iron out.  I'll be posting what we come up with and
some code to turn it into TC statements when it's more stable unless
there's outside interest in working on it.

Offering users a point-and-click QoS+TC environment was on our minds
when we realised that what we needed was a good configuration file
format to save the settings in.
-- 
Michael T. Babcock
http://www.fibrespeed.net/~mbabcock/
__

It seems there have been many attempts at what you want to do, as many
people have seen the opportunity of a simple point-and-click approach to tc. The
difficult part is not implementing it, but maintaining it and convincing
people to use it.
In the end, it seems to me that this is all like an editor battle, where
people tend to use a lot of programs, but in the end everybody has to
learn vi sometimes because his/her editor is not installed on a client's
machine.

If you want, you can contact Michael Babcock to see if he did something
with the XML parsing library.
__
 Hello there, I am continuing with the development of the iproute GUI.
 I was wondering if there is an XML parser for the setup of the queues.
 I have been searching but I can't find any... anyone?


