Re: [LARTC] HTB and bittorrent, won't work
Hi, thanks for your help and interest, someone told me about that already, so I did it, and this is the script I'm running to do it:

#!/bin/sh
### ERASING RULES AND USER CREATED CHAINS ###
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -N lay7PRE
iptables -t mangle -N lay7POST
### PREROUTING RULES ###
iptables -t mangle -A lay7PRE -j CONNMARK --restore-mark
iptables -t mangle -A lay7PRE -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A lay7PRE -m layer7 --l7proto bittorrent -j MARK --set-mark 1
iptables -t mangle -A lay7PRE -m layer7 --l7proto smtp -j MARK --set-mark 2
iptables -t mangle -A lay7PRE -m layer7 --l7proto http -j MARK --set-mark 3
iptables -t mangle -A lay7PRE -j CONNMARK --save-mark
### POSTROUTING RULES ###
iptables -t mangle -A lay7POST -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 2:2
iptables -t mangle -A lay7POST -o eth1 -m mark --mark 2 -j CLASSIFY --set-class 2:3
iptables -t mangle -A lay7POST -o eth1 -m mark --mark 3 -j CLASSIFY --set-class 2:4
### --- ###
iptables -t mangle -A PREROUTING -j lay7PRE
iptables -t mangle -A POSTROUTING -j lay7POST

I'm trying this right now, and I believe it's kind of working, but web surfing is very slow, I might say unusable, so this is not what I want. Also I had to mark http traffic to make this work, give it a higher prio in htb, so I believe I'm missing something else? Someone suggested to add a new class for ACK packets, I've done that already, but I've only noticed little difference... really don't know what's happening. If you don't have tcng I can show you my tc rules (shown by tc -s class show dev eth1).

Thank you again

EDGAR MERINO

On Wednesday 06 July 2005 23:30, Jody Shumaker wrote:
> You need to use connection marking as well. --l7proto bittorrent will
> only recognize the first packet in a bittorrent stream, you need to save
> a mark on the whole tcp connection, and restore the mark for all future
> packets if you want the entire connection to be classified.
>
> iptables -t mangle -A lay7 -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A lay7 -m layer7 --l7proto bittorrent -j MARK --set-mark 1
> iptables -t mangle -A lay7 -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 2:2
> iptables -t mangle -A lay7 -m layer7 --l7proto smtp -j MARK --set-mark 2
> iptables -t mangle -A lay7 -o eth1 -m mark --mark 2 -j CLASSIFY --set-class 2:3
> iptables -t mangle -A lay7 -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark
>
> If your marking ever gets more complex, it might take a little more work
> (-j ACCEPTs for matching already classified connections after the
> --restore-mark) but the above should help get the full bittorrent
> connection classified, not just the first packet.
>
> - Jody
>
> Edgar wrote:
> > Hello,
> >
> > I've been trying to shape the bittorrent traffic (on my external
> > interface, upload), but without luck, for this I'm using layer7 filter
> > right now, but I've also tried ipp2p, with the same results, I might say
> > that this is not a problem with these packet classifiers, the problem is
> > with HTB, here's why. When I open azureus (the bittorrent client I use) I
> > see upload traffic getting shaped, but also I see that my download
> > traffic won't go up if I'm shaping on the upload interface, if I stop
> > shaping on that interface then upload (as expected) will increase, and
> > so the download rate, this happens to me using the default bittorrent
> > client (classic), so it's not a client problem.
> >
> > Ok, the problem here is that when using bittorrent, although I see the
> > traffic is shaped I can't surf web pages, nor chat in msn messenger,
> > nor do anything at all, and merely that's all I want to do, shape p2p
> > traffic to be able to use my bandwidth fairly, maybe it's a bittorrent
> > problem, because with the edonkey protocol I have no problem at all,
> > traffic gets shaped and I can use the rest of my bandwidth, I'll post
> > my iptables rules for marking the bittorrent packets and the htb rules
> > I use (using tcng):
> >
> > ### IPTABLES RULES ###
> > iptables -t mangle -F
> > iptables -t mangle -X
> > iptables -t mangle -N lay7
> > iptables -t mangle -A POSTROUTING -j lay7
> > iptables -t mangle -A lay7 -m layer7 --l7proto bittorrent -j MARK --set-mark 1
> > iptables -t mangle -A lay7 -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 2:2
> > iptables -t mangle -A lay7 -m layer7 --l7proto smtp -j MARK --set-mark 2
> > iptables -t mangle -A lay7 -o eth1 -m mark --mark 2 -j CLASSIFY --set-class 2:3
> >
> > ### HTB RULES ###
> >
> > #define UPLOAD eth1
> > #define UPRATE 25kBps
> > #define P2P 10kBps
> >
> > dev UPLOAD {
> >     egress {
> >         class ( <$emule> ) ;
> >         class ( <$smtp> ) ;
> >         class ( <$ssh> ) if tcp_dport == 8080 ; /* Changed port from 22 to 8080 */
> >         class ( <$otro> ) if 1 ;
> >
> >         htb () {
> >             class ( rate UPRATE, ceil UPRATE ) {
> >                 $emule = class ( prio 8, rate 6kBps, ce
Re: [LARTC] Frustrating problem with natsemi (DP83815) ethernet devices
Hi.

Damjan wrote:
> Now about the problem:
> The network interfaces seem to NOT transmit anything when the interface
> is autonegotiated at 100Mbit-FD. I've forced the interfaces to
> half-duplex with mii-tool still nothing.

Several questions...

Is it really absolutely the same kernel on both distros? Which one is it?
Did you try another cable?
Did you try another switch?
Did you try a cross-cable to connect two of the four interfaces on the same host?

NSC brought out a completely new driver some weeks ago, which can be found here:
http://www.national.com/appinfo/networks/files/dp8381x_linux_ver_1.0.tgz

In case you've a 2.4 kernel let me know, I have yet another driver you could try out.

Bye, Mike

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] HTB and bittorrent, won't work
First of all thank you for answering my email, I will answer all the questions you asked:

> On Wednesday 06 July 2005 23:23, Edgar wrote:
> > I've been trying to shape the bittorrent traffic (on my external
> > interface, upload), but without luck, for this I'm using layer7 filter
> > right now, but I've also tried ipp2p, with the same results
>
> I don't have any problems with BT shaping... if you want to have a look at
> my script, it's this one: http://www.metamorpher.de/fairnat/
> It uses IPP2P, but should work about the same way with layer7.
>
> The main difference between my iptables rules and yours seems to be that
> you are not using CONNMARK to mark BT connections permanently - IIRC you
> can't do without because the filters only match one of the first few
> packets of a connection.

In the layer7 filter the examples don't use CONNMARK like with ipp2p, but I will try to add CONNMARK to my rules, and see what happens.

> Have you checked your class statistics with tc, somehow I doubt that all BT
> packets go into your P2P class in your current setup.

I've checked this with tc -s class show dev eth1, and I see almost all the traffic going to the p2p class. Right now I will add a new ACK rule, to match ack packets, since someone told me that might be the problem.

> > I hope someone can help me out with this, maybe it not ok to use tcng
> > with iptables? thank you in advance
>
> Well, I'm not familiar with tcng syntax at all. I think this kind of setup
> is weird; in the tcng part no class ids seem to be specified, yet you have
> to use them in iptables to classify your packets. How can you be sure that
> you got the right class...

When the tcng code gets compiled, it returns tc commands, and then I can see them, and I know those are the classes I need for iptables =)

Thanks for your interest, I'll check your rules right now, to see if that helps.

> HTH
> Andreas

EDGAR MERINO
Re: [LARTC] Server and router on the same box
On Wednesday 06 July 2005 22:53, [EMAIL PROTECTED] wrote:
> it will be nice that when the web-server is not using any upstream, LAN
> clients will enjoy full bandwidth.

Somehow I doubt that traffic shaping is the right approach here; after all, we're talking about traffic on two different interfaces. There is no need to do shaping in that situation, because there is no way that traffic on interface A interferes with traffic on interface B (unless one is a virtual interface that actually uses the other to transfer). Even if you put HTB on interface A, this qdisc has no way of knowing how much load there is on another interface. To shape multiple interfaces at once, you'd have to cheat by using IMQ or something like that.

If the fast transfer rates of the LAN put too much load on your web server, the only thing you could do with traffic shaping here is to limit these transfer rates to a lower value at all times. A better method would be to configure this in the webserver; tell the webserver that internet clients are more important than LAN clients. Depending on which webserver you use, this might be possible or not.

HTH
Andreas
Re: [LARTC] HTB and bittorrent, won't work
You need to use connection marking as well. --l7proto bittorrent will only recognize the first packet in a bittorrent stream, you need to save a mark on the whole tcp connection, and restore the mark for all future packets if you want the entire connection to be classified.

iptables -t mangle -A lay7 -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A lay7 -m layer7 --l7proto bittorrent -j MARK --set-mark 1
iptables -t mangle -A lay7 -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 2:2
iptables -t mangle -A lay7 -m layer7 --l7proto smtp -j MARK --set-mark 2
iptables -t mangle -A lay7 -o eth1 -m mark --mark 2 -j CLASSIFY --set-class 2:3
iptables -t mangle -A lay7 -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark

If your marking ever gets more complex, it might take a little more work (-j ACCEPTs for matching already classified connections after the --restore-mark) but the above should help get the full bittorrent connection classified, not just the first packet.

- Jody

Edgar wrote:
> Hello,
>
> I've been trying to shape the bittorrent traffic (on my external interface, upload), but without luck, for this I'm using layer7 filter right now, but I've also tried ipp2p, with the same results, I might say that this is not a problem with these packet classifiers, the problem is with HTB, here's why. When I open azureus (the bittorrent client I use) I see upload traffic getting shaped, but also I see that my download traffic won't go up if I'm shaping on the upload interface, if I stop shaping on that interface then upload (as expected) will increase, and so the download rate, this happens to me using the default bittorrent client (classic), so it's not a client problem.
>
> Ok, the problem here is that when using bittorrent, although I see the traffic is shaped I can't surf web pages, nor chat in msn messenger, nor do anything at all, and merely that's all I want to do, shape p2p traffic to be able to use my bandwidth fairly, maybe it's a bittorrent problem, because with the edonkey protocol I have no problem at all, traffic gets shaped and I can use the rest of my bandwidth, I'll post my iptables rules for marking the bittorrent packets and the htb rules I use (using tcng):
>
> ### IPTABLES RULES ###
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -t mangle -N lay7
> iptables -t mangle -A POSTROUTING -j lay7
> iptables -t mangle -A lay7 -m layer7 --l7proto bittorrent -j MARK --set-mark 1
> iptables -t mangle -A lay7 -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 2:2
> iptables -t mangle -A lay7 -m layer7 --l7proto smtp -j MARK --set-mark 2
> iptables -t mangle -A lay7 -o eth1 -m mark --mark 2 -j CLASSIFY --set-class 2:3
>
> ### HTB RULES ###
>
> #define UPLOAD eth1
> #define UPRATE 25kBps
> #define P2P 10kBps
>
> dev UPLOAD {
>     egress {
>         class ( <$emule> ) ;
>         class ( <$smtp> ) ;
>         class ( <$ssh> ) if tcp_dport == 8080 ; /* Changed port from 22 to 8080 */
>         class ( <$otro> ) if 1 ;
>
>         htb () {
>             class ( rate UPRATE, ceil UPRATE ) {
>                 $emule = class ( prio 8, rate 6kBps, ceil P2P ) { sfq; } ;
>                 $smtp  = class ( prio 1, rate 6kBps, ceil 12kBps ) { sfq; } ;
>                 $ssh   = class ( prio 0, rate 3kBps, ceil 5kBps ) { sfq; } ;
>                 $otro  = class ( prio 1, rate 8kBps, ceil UPRATE ) { sfq; } ;
>             }
>         }
>     }
> }
>
> Also, given the priorities it's expected to let me surf the web or chat in msn messenger rather than take my whole bandwidth.
>
> I hope someone can help me out with this, maybe it's not ok to use tcng with iptables? Thank you in advance
>
> EDGAR MERINO
Re: [LARTC] Please: "judge" this script
- Original Message -
From: "Andreas Klauer" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, July 06, 2005 12:38 PM
Subject: Re: [LARTC] Please: "judge" this script

> class altogether have a guaranteed rate of 810kbit, whereas the parent only has 768kbit.

Oh yes... thanks for your "judgment", so detailed... that was an error; when increasing one of the values I forgot to reduce it in the other class. After this correction the rate rose vertiginously. From 4kbit of download in emule, now it is 30 to 35 kb! In addition the loading of www pages and pop3 works much faster.

> Another problem could probably be that you are using a lot of SFQ qdiscs. If every single one of them can queue 128 packets, it might be too much. I reduced the SFQ queue length to 16 on my system for that reason. I also had a lot of weird things happening due to the prio parameter of HTB. I think it's best not to use it in the beginning and only start experimenting with that parameter when you really need it.

Do you think it would be necessary to make these changes now?

> Are you shaping upload traffic at all? You don't really have much influence on download traffic (all HTB can do is drop packets). A shaping setup without upload shaping makes hardly any sense.

In this case, what would I have to add to the script? I imagine that I would have to apply all the same rules, equal to these, but with the upload CEIL value (256 kbit) and pointing at the NIC eth0 (to the ISP)... Is this right? And would the iptables rules be the same? That is: -t mangle PREROUTING pointing to the destination ports (dport instead of sport)?

> Also, in your setup you limit eth1 to 768kbit in total. That's fine as long as there is no LAN traffic on that machine. However, that's hardly ever the case - as soon as you SSH on your machine, or use some kind of proxy (DNS caching, squid, ...), this LAN traffic will have to use the same classes as your internet download traffic, thus interfering with download speeds.

It's a Debian router (kernel 2.4.25) that only does NAT and firewall with iptables (it "runs" on a 486 DX4100 with 96MB RAM and two HDs of 1GB each... ;-). No squid, no samba, no bind... Nothing except Internet router and NAT. What would I have to do?

Best regards
Ricardo
Re: [LARTC] HTB and bittorrent, won't work
On Wednesday 06 July 2005 23:23, Edgar wrote:
> I've been trying to shape the bittorrent traffic (on my external
> interface, upload), but without luck, for this I'm using layer7 filter
> right now, but I've also tried ipp2p, with the same results

I don't have any problems with BT shaping... if you want to have a look at my script, it's this one: http://www.metamorpher.de/fairnat/
It uses IPP2P, but should work about the same way with layer7.

The main difference between my iptables rules and yours seems to be that you are not using CONNMARK to mark BT connections permanently - IIRC you can't do without because the filters only match one of the first few packets of a connection.

Have you checked your class statistics with tc, somehow I doubt that all BT packets go into your P2P class in your current setup.

> I hope someone can help me out with this, maybe it not ok to use tcng
> with iptables? thank you in advance

Well, I'm not familiar with tcng syntax at all. I think this kind of setup is weird; in the tcng part no class ids seem to be specified, yet you have to use them in iptables to classify your packets. How can you be sure that you got the right class...

HTH
Andreas
Re: [LARTC] Frustrating problem with natsemi (DP83815) ethernet devices
Damjan wrote:
>
> [Sorry if this is off-topic for this list, please advise me if there's a
> better place to ask this]
>
> I have an embedded motherboard with 4 natsemi (DP8315) ethernet chips.
> I'm running a 2.6.9 kernel (I've tried 2.6.11 too) and a very minimal
> Slackware distribution.
>
> Now about the problem:
> The network interfaces seem to NOT transmit anything when the interface
> is autonegotiated at 100Mbit-FD. I've forced the interfaces to
> half-duplex with mii-tool still nothing.
>
> I see, with tcpdump, that packets are coming in (broadcasts and multicasts)
> and I see the packets that are supposed to go out of the interface. But
> nothing is received on the other side. I've tried to put the interfaces
> in a switch and with a cross-over cable to another PC.
>
> I've also tried to manually fix the MAC <-> IP address with "arp -s",
> thinking that maybe ARP is not working, still nothing - I see icmp
> requests enter the interface, I see icmp replies go out of the interface,
> but nothing gets to the other side (PC).
>
> I've tried all of the interfaces, I've tried enabling and disabling
> ACPI. The only modules I have loaded are uhci-hcd and usbhid (since the
> computer doesn't have ps2 ports). 3 of the 4 interfaces don't share an
> IRQ with anything (cat /proc/interrupts).
>
> If I force the interface to 10Mbit (either FD or HD) then everything works.
>
> Now the strangest thing, I got the motherboard with some kind of
> bastardized Debian installed on it. I couldn't understand it, so I backed
> it up and installed my mini Slackware. I used the same kernel from the
> original distribution which has the ethernet driver compiled in. The
> original distribution is not setting any extra parameters in lilo.conf.
> And with that distribution the interfaces work even at 100mbit.
>
> I just can't find what that distribution does to make the interfaces work
> at 100mbit. It's not the kernel, I use the same one. It's not some
> parameters to the driver...
> I don't know what could be the problem.
>
> So, any ideas???
>
> --
> damjan | дамјан
> This is my jabber ID --> [EMAIL PROTECTED] <-- not my mail address!!!

What have you tried?
What is the working distro _EXACTLY_? "some kind of bastardized Debian" is not enough.
What does dmesg say about the DP8315?
Have you looked at the Debian ifconfig?
Is the same cable being used? Same cable path? I found a 10 Mb hub in a customer setup that was hidden behind the next desk where the Bad Boy computer plugged in. The computer thought the connection was 100Mb but it would only work at 10.

Sorry, gotta go. Google the distro and DP8315.
--
gypsy
[LARTC] HTB and bittorrent, won't work
Hello,

I've been trying to shape the bittorrent traffic (on my external interface, upload), but without luck, for this I'm using layer7 filter right now, but I've also tried ipp2p, with the same results, I might say that this is not a problem with these packet classifiers, the problem is with HTB, here's why. When I open azureus (the bittorrent client I use) I see upload traffic getting shaped, but also I see that my download traffic won't go up if I'm shaping on the upload interface, if I stop shaping on that interface then upload (as expected) will increase, and so the download rate, this happens to me using the default bittorrent client (classic), so it's not a client problem.

Ok, the problem here is that when using bittorrent, although I see the traffic is shaped I can't surf web pages, nor chat in msn messenger, nor do anything at all, and merely that's all I want to do, shape p2p traffic to be able to use my bandwidth fairly, maybe it's a bittorrent problem, because with the edonkey protocol I have no problem at all, traffic gets shaped and I can use the rest of my bandwidth, I'll post my iptables rules for marking the bittorrent packets and the htb rules I use (using tcng):

### IPTABLES RULES ###
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -N lay7
iptables -t mangle -A POSTROUTING -j lay7
iptables -t mangle -A lay7 -m layer7 --l7proto bittorrent -j MARK --set-mark 1
iptables -t mangle -A lay7 -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 2:2
iptables -t mangle -A lay7 -m layer7 --l7proto smtp -j MARK --set-mark 2
iptables -t mangle -A lay7 -o eth1 -m mark --mark 2 -j CLASSIFY --set-class 2:3

### HTB RULES ###

#define UPLOAD eth1
#define UPRATE 25kBps
#define P2P 10kBps

dev UPLOAD {
    egress {
        class ( <$emule> ) ;
        class ( <$smtp> ) ;
        class ( <$ssh> ) if tcp_dport == 8080 ; /* Changed port from 22 to 8080 */
        class ( <$otro> ) if 1 ;

        htb () {
            class ( rate UPRATE, ceil UPRATE ) {
                $emule = class ( prio 8, rate 6kBps, ceil P2P ) { sfq; } ;
                $smtp  = class ( prio 1, rate 6kBps, ceil 12kBps ) { sfq; } ;
                $ssh   = class ( prio 0, rate 3kBps, ceil 5kBps ) { sfq; } ;
                $otro  = class ( prio 1, rate 8kBps, ceil UPRATE ) { sfq; } ;
            }
        }
    }
}

Also, given the priorities it's expected to let me surf the web or chat in msn messenger rather than take my whole bandwidth.

I hope someone can help me out with this, maybe it's not ok to use tcng with iptables? Thank you in advance

EDGAR MERINO
[LARTC] Server and router on the same box
Hello list.

I'm trying to set up traffic shaping on a (web) server which is also a router (NAT) for my LAN. It is connected to the LAN via Ethernet and also has a PPP Internet connection on another interface.

I need traffic shaping to make sure that the upstream is fully available to the web-server when it's active, so when a LAN client is bulk downloading the web-server clients won't wait for hours. It's kind of giving high priority to the upstream and lowering the downstream. It will be nice that when the web-server is not using any upstream, LAN clients will enjoy full bandwidth.

I've found lots of information on how to ensure downloading while uploading, but not on the reverse way.

Any idea for such a setup?

Thanks.
Re: [LARTC] Mark all traffic except browsing
On Wednesday 06 July 2005 18:31, Eduardo Bejar wrote:
> Should I use three rules for my purpose?

Two should suffice; just set all packets from $IP_ADDRESS to 10 first and afterwards set all packets for port 80 to 11.

I think this only makes sense if you have two classes per source IP, though, because otherwise you could just use one tc filter rule to put port 80 packets into one class and let the rest go into the default class.

HTH
Andreas
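Added example, written for this page and not taken from any of the posters: a small Python model of one pass through a mangle chain, to show two points made in this digest at once. First, Jody's point in the "HTB and bittorrent" thread above: a layer7 match fires on one early packet of a connection, so without CONNMARK --restore-mark / --save-mark every later packet of that connection reaches the shaper unmarked. Second, Andreas's answer to Edo here: MARK is non-terminating, so "mark everything 10, then mark port 80 with 11" works because the later MARK overwrites the earlier one. The packets, the rule tables and the assumption that layer7 recognises only the first packet of a BitTorrent connection are constructed; the `conntrack` dict stands in for the per-connection mark the kernel keeps.

```python
"""Toy model of a netfilter mangle pass (constructed, not real iptables).

Targets behave as in the mangle table: MARK, CONNMARK and CLASSIFY are
non-terminating, ACCEPT ends the traversal. The conntrack dict stands in
for the per-connection mark that CONNMARK --save-mark/--restore-mark copy.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    conn: int                  # connection id (what conntrack keys on)
    dport: int
    l7: Optional[str] = None   # protocol layer7 recognises on THIS packet, if any
    mark: int = 0              # skb->mark
    cls: Optional[str] = None  # class set by CLASSIFY


Rule = Tuple[Callable[[Packet], bool], str, object]
conntrack = {}                 # conn id -> saved CONNMARK (assumption: empty at start)


def layer7(proto): return lambda p: p.l7 == proto
def mark_is(v):    return lambda p: p.mark == v
def mark_not(v):   return lambda p: p.mark != v
def dport(v):      return lambda p: p.dport == v
def any_pkt(p):    return True


def run_chain(rules: List[Rule], pkt: Packet) -> None:
    """Walk the rules in order; only ACCEPT stops the walk."""
    for match, target, arg in rules:
        if not match(pkt):
            continue
        if target == "MARK":
            pkt.mark = arg
        elif target == "CONNMARK-restore":
            pkt.mark = conntrack.get(pkt.conn, 0)
        elif target == "CONNMARK-save":
            conntrack[pkt.conn] = pkt.mark
        elif target == "CLASSIFY":
            pkt.cls = arg
        elif target == "ACCEPT":
            return


# Edgar's first chain: layer7 -> MARK -> CLASSIFY, no connection marking.
NO_CONNMARK: List[Rule] = [
    (layer7("bittorrent"), "MARK", 1),
    (mark_is(1), "CLASSIFY", "2:2"),
]

# Jody's chain: restore the connection mark first, save it at the end.
WITH_CONNMARK: List[Rule] = [
    (any_pkt, "CONNMARK-restore", None),
    (layer7("bittorrent"), "MARK", 1),
    (mark_is(1), "CLASSIFY", "2:2"),
    (mark_not(0), "CONNMARK-save", None),
]

# Andreas's answer to Edo: mark everything 10, then port 80 gets 11 (last MARK wins).
BROWSING_SPLIT: List[Rule] = [
    (any_pkt, "MARK", 10),
    (dport(80), "MARK", 11),
]


def bt_stream(conn: int, n: int) -> List[Packet]:
    """Constructed BitTorrent connection: only the first packet is recognisable."""
    return [Packet(conn, 6881, "bittorrent" if i == 0 else None) for i in range(n)]


def classified_fraction(rules: List[Rule], packets: List[Packet]) -> float:
    """Fraction of packets that leave the chain carrying class 2:2."""
    conntrack.clear()
    hits = 0
    for p in packets:
        run_chain(rules, p)
        hits += p.cls == "2:2"
    return hits / len(packets)


def marks_for(rules: List[Rule], packets: List[Packet]) -> List[int]:
    """Final skb mark of each packet after the chain."""
    conntrack.clear()
    out = []
    for p in packets:
        run_chain(rules, p)
        out.append(p.mark)
    return out


if __name__ == "__main__":
    print("no CONNMARK   :", classified_fraction(NO_CONNMARK, bt_stream(1, 20)))    # 0.05
    print("with CONNMARK :", classified_fraction(WITH_CONNMARK, bt_stream(1, 20)))  # 1.0
    print("browsing split:", marks_for(BROWSING_SPLIT, [Packet(2, 80), Packet(3, 443)]))  # [11, 10]
```

With one recognisable packet in twenty, the chain without CONNMARK classifies 5% of the connection and the rest lands in the default class; with restore/save every packet is classified. Edgar's later script in this digest adds `-m mark ! --mark 0 -j ACCEPT` right after the restore, which is the shortcut Jody alludes to: already-marked connections skip the layer7 matches entirely. Note that the real rules split the work across hooks (marks set in PREROUTING, CLASSIFY on the egress device in POSTROUTING); the single chain here only models the ordering.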
[LARTC] HFSC default upper-limit trouble
Hello,

I'm having such a problem with HFSC with the following config:

+ tc qdisc del dev eth3 root
+ tc qdisc add dev eth3 root handle 1: hfsc default 2
+ tc class add dev eth3 parent 1: classid 1:1 hfsc ls rate 512kbit ul rate 512kbit
+ tc class add dev eth3 parent 1:1 classid 1:2 hfsc ls rate 2kbit ul rate 400kbit
+ tc class add dev eth3 parent 1:1 classid 1:3 hfsc ls rate 32kbit ul rate 32kbit
+ tc class add dev eth3 parent 1:1 classid 1:4 hfsc ls rate 300kbit ul rate 300kbit

Let's say I start to upload through 1:3. The upper limit applies, traffic doesn't go up more than 4kb/s. 1:4 is still functional, but 1:2, the default class, starts backlogging and dropping like hell:

class hfsc 1: root
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 period 0 level 2

class hfsc 1:1 parent 1: ls m1 0bit d 0us m2 512000bit ul m1 0bit d 0us m2 512000bit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)    <-- This is weird too ^_^
 period 2643 work 821712 bytes level 1

class hfsc 1:2 parent 1:1 ls m1 0bit d 0us m2 2000bit ul m1 0bit d 0us m2 40bit
 Sent 477205 bytes 3874 pkts (dropped 0, overlimits 0)
 backlog 201p    <-- HUH? (it goes even to 800p..1000p then it starts dropping)
 period 2494 work 456595 bytes level 0

class hfsc 1:3 parent 1:1 ls m1 0bit d 0us m2 32000bit ul m1 0bit d 0us m2 32000bit
 Sent 350599 bytes 558 pkts (dropped 0, overlimits 0)
 backlog 11p
 period 70 work 342761 bytes level 0

class hfsc 1:4 parent 1:1 ls m1 0bit d 0us m2 30bit ul m1 0bit d 0us m2 30bit
 Sent 22356 bytes 214 pkts (dropped 0, overlimits 0)
 period 212 work 22356 bytes level 0

1:1 shows no packets sent as you see.. Is this desirable behavior? The default class kind of becomes unusable. Can someone explain such behavior to me?
[LARTC] Mark all traffic except browsing
Hi,

I'd like to create two classes for HTB, one of them to limit traffic for everything except browsing and the other to limit traffic only for browsing. How can I mark all traffic except the one related to browsing with iptables?

Currently I mark all traffic related to one IP with:

iptables -A PREROUTING -i eth2 -t mangle -p tcp -s $IP_ADDRESS -j MARK --set-mark 10

Should I use three rules for my purpose?

iptables -A PREROUTING -i eth2 -t mangle -p tcp -s $IP_ADDRESS --dport 1:79 -j MARK --set-mark 10
iptables -A PREROUTING -i eth2 -t mangle -p tcp -s $IP_ADDRESS --dport 81:65535 -j MARK --set-mark 10
iptables -A PREROUTING -i eth2 -t mangle -p tcp -s $IP_ADDRESS --dport 80 -j MARK --set-mark 11

Please tell me if this is correct,

Regards,
Edo
Re: [LARTC] Trying the configuration in nano.txt
UF. Sorry. I answered stupidly to your email. You replied about Julian's patches... I've sent a big amount of email, and not only about a single configuration.

I don't know why, but now the patches work. I swear I haven't changed anything in my configuration; simply, after rebooting, some minutes without changing anything, everything worked. Strange, strange.

So, it works. Thanks!
- Wow, I've learnt a lot about netfilter and policy routing...

On 7/6/05, Lluís Batlle <[EMAIL PROTECTED]> wrote:
> On 7/6/05, Vinay <[EMAIL PROTECTED]> wrote:
> > Hi,
> > I had 3 cards, eth0 and eth1 connecting to 2 isps and eth2
> > connecting to lan. First I setup the address configuration for these
> > cards without the gateway option. So I specified only IP address and
> > netmask. Then I gave the masquerade option for both the network cards
> > and made necessary changes in the firewall. Next I executed the
> > script which I got from
> > http://mailman.ds9a.nl/pipermail/lartc/2003q4/010372.html. After
> > running the script the system was using both the connections. But
> > since I hadn't used the patch, it was not able to detect the dead
> > gateway. So if one of the links goes down, it creates problems.
> I tried that way, and routing works _only for local connections_. It
> doesn't work for NAT connections. So, the result is the same, as the
> configuration I was trying is the same, which is set in the script you
> gave. :)
>
> > Can you please explain how you have applied the patch.
> I have not applied the patch in the configuration I'm trying to get
> working :) So, by now, I don't use that patch. I explain how I think
> the multipath routing + NAT doesn't work, in a mail I just sent. :)
> But as there I explained how I understand that nothing may work
> without patches (in the mail sent to the list, before this one), I'll
> start trying with the patches applied.
> I applied them to a vanilla kernel by:
> cd /usr/src/linux
> patch -p1 < the_patch.diff
>
> This results in changing some files, as expected. So the patching
> should be well done.
>
> Thanks!
Re: [LARTC] Please: "judge" this script
On Wednesday 06 July 2005 16:05, Ricardo Chamorro wrote:
> CEIL=768
[...]
> tc class add dev eth1 parent 1: classid 1:1 htb rate ${CEIL}kbit ceil
> ${CEIL}kbit

I don't know if it's the cause of your problems, but the children of this class altogether have a guaranteed rate of 810kbit, whereas the parent only has 768kbit. It's hard to tell what HTB does in this case, so you should make sure that the children's rates add up to the parent's rate.

Another problem could probably be that you are using a lot of SFQ qdiscs. If every single one of them can queue 128 packets, it might be too much. I reduced the SFQ queue length to 16 on my system for that reason.

I also had a lot of weird things happening due to the prio parameter of HTB. I think it's best not to use it in the beginning and only start experimenting with that parameter when you really need it.

Are you shaping upload traffic at all? You don't really have much influence on download traffic (all HTB can do is drop packets). A shaping setup without upload shaping makes hardly any sense.

Also, in your setup you limit eth1 to 768kbit in total. That's fine as long as there is no LAN traffic on that machine. However, that's hardly ever the case - as soon as you SSH on your machine, or use some kind of proxy (DNS caching, squid, ...), this LAN traffic will have to use the same classes as your internet download traffic, thus interfering with download speeds.

HTH
Andreas
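Added example, not from Ricardo's script or Andreas's reply: a Python checker that reads `tc class add ... htb` lines and reports the two configuration mistakes Andreas points at, children whose guaranteed rates add up to more than the parent's rate, and a child ceil above its parent's ceil. Ricardo's child classes are not quoted on this page, so the lines below are constructed to reproduce the numbers Andreas cites (768kbit parent, 810kbit of children). The unit table follows tc's rate syntax (kbit = 1000 bit/s, kbps = 1000 bytes/s); HTB's default of ceil = rate when ceil is omitted is also tc behaviour.

```python
"""Check an HTB tree given as 'tc class add' lines (constructed example).

Reports children whose rates sum to more than the parent's rate, and child
ceils above the parent's ceil; both leave HTB's behaviour undefined in practice.
"""
import re
import shlex
from typing import Dict, List, Tuple

# tc rate units in bit/s (k = 1000); 'bps' is bytes per second in tc.
UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000,
         "bps": 8, "kbps": 8_000, "mbps": 8_000_000}

ClassInfo = Tuple[str, int, int]   # (parent, rate bit/s, ceil bit/s)


def parse_rate(text: str) -> int:
    """'768kbit' -> 768000, '25kbps' -> 200000 (bit/s)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]*)", text.lower())
    if not m:
        raise ValueError(f"bad rate: {text!r}")
    num, unit = m.groups()
    return int(float(num) * UNITS[unit or "bit"])


def parse_classes(script: str) -> Dict[str, ClassInfo]:
    """classid -> (parent, rate, ceil) for every 'tc class add ... htb' line."""
    classes: Dict[str, ClassInfo] = {}
    for line in script.splitlines():
        argv = shlex.split(line)
        if argv[:3] != ["tc", "class", "add"] or "htb" not in argv:
            continue
        # tc options are 'keyword value' pairs; pairing every adjacent token is enough here
        opts = {argv[i]: argv[i + 1] for i in range(3, len(argv) - 1)}
        rate = parse_rate(opts["rate"])
        ceil = parse_rate(opts.get("ceil", opts["rate"]))   # HTB default: ceil = rate
        classes[opts["classid"]] = (opts["parent"], rate, ceil)
    return classes


def check_htb(classes: Dict[str, ClassInfo]) -> List[str]:
    """Return one message per violated constraint; empty list means the tree is consistent."""
    problems = []
    for cid, (_, prate, pceil) in classes.items():
        kids = {k: v for k, v in classes.items() if v[0] == cid}
        if not kids:
            continue
        total = sum(r for _, r, _ in kids.values())
        if total > prate:
            problems.append(f"children of {cid} guarantee {total / 1000:g}kbit "
                            f"but {cid} only has rate {prate / 1000:g}kbit")
        for kid, (_, _, kceil) in kids.items():
            if kceil > pceil:
                problems.append(f"{kid} ceil {kceil / 1000:g}kbit exceeds "
                                f"parent {cid} ceil {pceil / 1000:g}kbit")
    return problems


# Constructed to reproduce the arithmetic in the reply: 768kbit parent, 810kbit of children.
BROKEN = """
tc qdisc add dev eth1 root handle 1: htb default 30
tc class add dev eth1 parent 1: classid 1:1 htb rate 768kbit ceil 768kbit
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 250kbit ceil 768kbit prio 0
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 300kbit ceil 768kbit prio 1
tc class add dev eth1 parent 1:1 classid 1:30 htb rate 260kbit ceil 768kbit prio 2
"""

# Same tree with the last child reduced so the children sum to exactly 768kbit.
FIXED = BROKEN.replace("rate 260kbit", "rate 218kbit")


if __name__ == "__main__":
    for name, script in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_htb(parse_classes(script)) or "ok")
```

Run it against the output of your own script (`sh -x script.sh 2>&1 | grep '^+ tc class add'`, minus the leading `+ `) before loading it; the check is cheap and catches the arithmetic slip Ricardo describes in his follow-up.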
[LARTC] can't figure out nat'ing by port
Hello folks:

This may have been discussed many times before but I have not been able to find it. I have also not been able to resolve it myself so I am asking here with hope that someone can straighten me out.

I am using ip to do multisource policy routing for two connections to the internet. I have a linksys wrt54gs router which connects two machines by wire through the switch and three computers through wireless. For the most part this portion of the set-up works fine. One of the boxes attached to the router by 10base-t also has a second interface card which attaches to an adsl modem using pppoe. My problem is on that second machine. I cannot figure out how to forward packets by incoming or destination port to the first machine for some services which it handles such as mail/dns/ftp.

I have read through quite a few docs such as Matt Marsh's policy routing and the lartc how-to on nat'ing and so forth. After reading these I think I understand what is going on until I try to do it myself and then I either get errors or it just doesn't work. I have tried using iptables and route/rule nat with no luck so far. It seems to me this should be a FAQ but nothing seems to quite match.

I will try to draw how I envision the lay-out of the network but apologize because I'm a blink and am not sure I can get the drawing just right.

  internet        internet
     |               |
  wrt54gs         dsl-mdm
   /    \           /
host-a   host-b (2 nics)

I am not sure whether to put here what I have tried and hope someone can point out my mistakes or just hope someone will give me a nice little script! 'grin'

Okay, okay, here are the iptables lines I tried first:

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 25 -j DNAT --to 10.10.10.10
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -j MASQUERADE

I have tried both eth0 and ppp0 in the -o flag above. I have also tried adding ppp0 with

ip addr add 10.10.10.10/32 dev ppp0 table 1

without much effect. Does it sound like I'm confused?

I also tried using the fwmark with ip rule but ran up against a brick wall which appears to be that one cannot do

ip route add nat 69.63.33.227/32 via 10.10.10.10/32 table natit

It seems that tables are not allowed in the route nat or something. I'm also not quite sure how the nat 0 works in the ip rule statement, so yes I am confused in a big way!

I will include my policy route script below so you can see the bit I do have working. Any help or pointers will certainly be appreciated.

Kirk

#!/bin/bash
IF1=eth0
IP1=10.10.10.15
P1=10.10.10.1
P1_NET=10.10.10.0
IF2=ppp0
IP2=69.63.33.227
P2=209.183.132.10
P2_NET=69.0.0.0

ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 table T1
ip route add 127.0.0.0/8 dev lo table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2
ip route add $P1_NET dev $IF1 table T2
ip route add 127.0.0.0/8 dev lo table T2

#ip route append $P1_NET dev $IF1 src $IP1
#ip route append $P2_NET dev $IF2 src $IP2
#ip route append default via $P1

ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
    nexthop via $P2 dev $IF2 weight 1

--
Kirk Reiser                     The Computer Braille Facility
e-mail: [EMAIL PROTECTED]       University of Western Ontario
phone: (519) 661-3061
[LARTC] Diffserv using HTB or PRIO qdiscs as basis for EF phb
I'm experimenting with using a Linux machine with 3 interfaces to operate as a core router. All links and network interfaces are 100mbit. Below is an ascii diagram of the network.

(network A) edge router --> core router --> edge router (network C)
                                 ^
                                 |
                                 |
                           edge router (network B)

I have tried two setups to support the Expedited Forwarding PHB on the core router using the HTB qdisc and PRIO qdisc. The core router is a P4 2.8ghz, 512mb RAM running fedora core 3 with the 2.6 kernel. The VoIP traffic is marked with the EF codepoint. I'm using a local stratum 1 ntp server to synchronise time. The config I used for each setup is included at the bottom.

When there is just voice traffic passing through (350 kbit) the delay of the voice traffic in travelling between network A and network C is 0.25ms (milliseconds) for both setups (using htb and PRIO).

When TCP traffic + VoIP traffic (350 Kbit) are sent from network A to network C, TCP traffic from network B is sent to network C. A bottleneck is created at the 3rd interface of the core network. Between the two network interfaces from network A and network B TCP traffic is coming in at a rate faster than 100 Mbit. As a result the delay is 30ms for both setups (using htb and PRIO). There is 0% loss of EF traffic.

When I used a plain first in first out queue and saturated the link with tcp traffic the delay of the voice traffic was 160ms with 5% loss of voip traffic.

Why is this delay so high when the link is saturated and I'm using either PRIO or HTB to apply the EF PHB to VoIP traffic? Is it the operating system? Has anyone else had similar experiences?

Jonathan

The following are the configurations I have used for the core router

# Config 1 using htb
tc qdisc add dev $1 handle 1:0 root dsmark indices 64 set_tc_index
tc filter add dev $1 parent 1:0 protocol ip prio 1 tcindex mask 0xfc shift 2

# Main htb qdisc & class
tc qdisc add dev $1 parent 1:0 handle 2:0 htb
tc class add dev $1 parent 2:0 classid 2:1 htb rate 100Mbit ceil 100Mbit

# EF Class (2:10)
tc class add dev $1 parent 2:1 classid 2:10 htb rate 1500Kbit ceil 100Mbit
tc qdisc add dev $1 parent 2:10 pfifo limit 5
tc filter add dev $1 parent 2:0 protocol ip prio 1 handle 0x2e tcindex classid 2:10 pass_on

# BE Class (2:20)
tc class add dev $1 parent 2:1 classid 2:20 htb rate 5Mbit ceil 100Mbit
tc qdisc add dev $1 parent 2:20 red limit 60KB min 15KB max 45KB burst 20 avpkt 1000 bandwidth 100Mbit probability 0.4
tc filter add dev $1 parent 2:0 protocol ip prio 2 handle 0 tcindex mask 0 classid 2:20 pass_on

# Config 2 using PRIO

# Main dsmark & classifier
tc qdisc add dev $1 handle 1:0 root dsmark indices 64 set_tc_index
tc filter add dev $1 parent 1:0 protocol ip prio 1 tcindex mask 0xfc shift 2

# Main prio queue
tc qdisc add dev $1 parent 1:0 handle 2:0 prio
tc qdisc add dev $1 parent 2:1 tbf rate 1.5Mbit burst 1.5kB limit 1.6kB
tc filter add dev $1 parent 2:0 protocol ip prio 1 handle 0x2e tcindex classid 2:1 pass_on

# BE class (2:2)
tc qdisc add dev $1 parent 2:2 red limit 60KB min 15KB max 45KB burst 20 avpkt 1000 bandwidth 100Mbit probability 0.4
tc filter add dev $1 parent 2:0 protocol ip prio 2 handle 0 tcindex mask 0 classid 2:2 pass_on
[LARTC] Frustrating problem with natsemi (DP83815) ethernet devices
[Sorry if this is off-topic for this list, please advise me if there's a better place to ask this]

I have an embedded motherboard with 4 natsemi (DP8315) ethernet chips. I'm running a 2.6.9 kernel (I've tried 2.6.11 too) and a very minimal Slackware distribution.

Now about the problem: The network interfaces seem to NOT transmit anything when the interface is autonegotiated at 100Mbit-FD. I've forced the interfaces to half-duplex with mii-tool, still nothing. I see, with tcpdump, that packets are coming in (broadcasts and multicasts) and I see the packets that are supposed to go out of the interface. But nothing is received on the other side. I've tried to put the interfaces in a switch and with a cross-over cable to another PC. I've also tried to manually fix the MAC <-> IP address with "arp -s", thinking that maybe ARP is not working, still nothing - I see icmp requests enter the interface, I see icmp replies go out of the interface, but nothing gets to the other side (PC).

I've tried all of the interfaces, I've tried enabling and disabling ACPI. The only modules I have loaded are uhci-hcd and usbhid (since the computer doesn't have ps2 ports). 3 of the 4 interfaces don't share an IRQ with anything (cat /proc/interrupts). If I force the interface to 10Mbit (either FD or HD) then everything works.

Now the strangest thing, I got the motherboard with some kind of bastardized Debian installed on it. I couldn't understand it, so I backed it up and installed my mini Slackware. I used the same kernel from the original distribution which has the ethernet driver compiled in. The original distribution is not setting any extra parameters in lilo.conf. And with that distribution the interfaces work even at 100mbit. I just can't find what that distribution does to make the interfaces work at 100mbit. It's not the kernel, I use the same one. It's not some parameters to the driver... I don't know what could be the problem.

So, any ideas???

-- 
damjan | дамјан
This is my jabber ID --> [EMAIL PROTECTED] <-- not my mail address!!!
[LARTC] Please: "judge" this script
I copied and tried to adapt to my needs the excellent script of Pedro Larroy, but I am inexperienced in QoS and I have doubts. I have cablemodem to Internet 1024kbit down and 256kbit up, through eth0. The LAN has eth1 and NAT. I arranged the bands so that shaping goes through eth1 (of the LAN) with bandwidth maximum CEIL=768. But I observe that the traffic sometimes accelerates and at other moments stops. Could you please tell me what is wrong with the script I paste below??? (iptables mangle mark ports 54xxx is for emule) Thanks for your patience.

--paste script-
CEIL=768

# First delete any bands that may already exist
tc qdisc del dev eth1 root

# Create the main root band 1:, whose packets go by default to band 1
tc qdisc add dev eth1 root handle 1: htb default 15
tc class add dev eth1 parent 1: classid 1:1 htb rate ${CEIL}kbit ceil ${CEIL}kbit
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 270kbit ceil 270kbit prio 0
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 270kbit ceil ${CEIL}kbit prio 1
tc class add dev eth1 parent 1:1 classid 1:12 htb rate 68kbit ceil ${CEIL}kbit prio 2
tc class add dev eth1 parent 1:1 classid 1:13 htb rate 68kbit ceil ${CEIL}kbit prio 2
tc class add dev eth1 parent 1:1 classid 1:14 htb rate 34kbit ceil ${CEIL}kbit prio 3
tc class add dev eth1 parent 1:1 classid 1:15 htb rate 100kbit ceil ${CEIL}kbit prio 1

# Attach an sfq queue to each child band
tc qdisc add dev eth1 parent 1:11 handle 110: sfq perturb 10
tc qdisc add dev eth1 parent 1:12 handle 120: sfq perturb 10
tc qdisc add dev eth1 parent 1:13 handle 130: sfq perturb 10
tc qdisc add dev eth1 parent 1:14 handle 140: sfq perturb 10
tc qdisc add dev eth1 parent 1:15 handle 150: sfq perturb 10

# Map the marks set in iptables mangle to their respective bands
tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
tc filter add dev eth1 protocol ip parent 1:0 prio 2 handle 2 fw classid 1:11
tc filter add dev eth1 protocol ip parent 1:0 prio 3 handle 3 fw classid 1:12
tc filter add dev eth1 protocol ip parent 1:0 prio 4 handle 4 fw classid 1:13
tc filter add dev eth1 protocol ip parent 1:0 prio 5 handle 5 fw classid 1:14
tc filter add dev eth1 protocol ip parent 1:0 prio 6 handle 6 fw classid 1:15

# iptables rules to mark the traffic we are interested in
# (the posted fragment never sets IPTABLES; assumed here to be the iptables binary)
IPTABLES=${IPTABLES:-iptables}
$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -p icmp -j RETURN
$IPTABLES -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j RETURN
$IPTABLES -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j MARK --set-mark 0x5
$IPTABLES -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j RETURN
$IPTABLES -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 0x6
$IPTABLES -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j RETURN

# This prioritizes packets from the chosen ports
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-mark 0x2
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j RETURN
$IPTABLES -t mangle -A PREROUTING -p udp -m udp --sport 80 -j MARK --set-mark 0x2
$IPTABLES -t mangle -A PREROUTING -p udp -m udp --sport 80 -j RETURN
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --sport 54661 -j MARK --set-mark 0x6
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --sport 54661 -j RETURN
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --sport 54662 -j MARK --set-mark 0x6
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --sport 54662 -j RETURN
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --sport 56881 -j MARK --set-mark 0x6
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --sport 56881 -j RETURN
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --sport 54711 -j MARK --set-mark 0x6
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --sport 54711 -j RETURN
$IPTABLES -t mangle -A PREROUTING -p udp -m udp --sport 54665 -j MARK --set-mark 0x6
$IPTABLES -t mangle -A PREROUTING -p udp -m udp --sport 54665 -j RETURN
$IPTABLES -t mangle -A PREROUTING -p udp -m udp --sport 54672 -j MARK --set-mark 0x6
$IPTABLES -t mangle -A PREROUTING -p udp -m udp --sport 54672 -j RETURN
$IPTABLES -t mangle -A PREROUTING -p udp -m udp --sport 56881 -j MARK --set-mark 0x6
$IPTABLES -t mangle -A PREROUTING -p udp -m udp --sport 56881 -j RETURN

# This prioritizes packets at the start of tcp connections (SYN flag)
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN

# Close the rules of the mangle PREROUTING table
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 0x6

# Everything the same as above, but in OUTPUT, for traffic g
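An added check, not code from Andreas' reply or from the posted script, that does mechanically what Andreas suggests: it reads the "tc class add" lines of an HTB script (with CEIL already expanded) and flags every class whose children's guaranteed rates add up to more than its own rate, as the 810kbit under 768kbit above.

```shell
#!/bin/sh
# Added example (not code from the list posts): parse the "tc class add"
# lines of an HTB script and, for every class that has children, compare the
# sum of the children's guaranteed rates with the class's own rate. Reads the
# script on stdin; shell variables such as ${CEIL} must already be expanded.
htb_rate_check() {
    awk '
    # Convert a tc rate token (270kbit, 1.5Mbit, 100Mbit) to kbit.
    function kbit(tok) {
        if (tok ~ /[Mm]bit$/) { sub(/[Mm]bit$/, "", tok); return tok * 1000 }
        if (tok ~ /[Kk]bit$/) { sub(/[Kk]bit$/, "", tok); return tok + 0 }
        sub(/bit$/, "", tok); return tok / 1000
    }
    $1 ~ /tc$/ && $2 == "class" && $3 == "add" {
        parent = ""; cid = ""; rate = 0
        for (i = 4; i <= NF; i++) {
            if ($i == "parent")  parent = $(i + 1)
            if ($i == "classid") cid = $(i + 1)
            if ($i == "rate")    rate = kbit($(i + 1))
        }
        own[cid] = rate
        if (!(parent in order)) { order[parent] = ++n; names[n] = parent }
        sum[parent] += rate
    }
    END {
        for (k = 1; k <= n; k++) {
            p = names[k]
            # "parent 1:" names the root qdisc, which has no rate of its own
            if (!(p in own)) continue
            flag = (sum[p] > own[p]) ? "OVERSUBSCRIBED" : "ok"
            printf "%s rate=%dkbit children=%dkbit %s\n", p, own[p], sum[p], flag
        }
    }'
}

# The class tree from the posted script (CEIL=768), fed through the check.
demo_check() {
    CEIL=768
    htb_rate_check <<EOF
tc class add dev eth1 parent 1: classid 1:1 htb rate ${CEIL}kbit ceil ${CEIL}kbit
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 270kbit ceil 270kbit prio 0
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 270kbit ceil ${CEIL}kbit prio 1
tc class add dev eth1 parent 1:1 classid 1:12 htb rate 68kbit ceil ${CEIL}kbit prio 2
tc class add dev eth1 parent 1:1 classid 1:13 htb rate 68kbit ceil ${CEIL}kbit prio 2
tc class add dev eth1 parent 1:1 classid 1:14 htb rate 34kbit ceil ${CEIL}kbit prio 3
tc class add dev eth1 parent 1:1 classid 1:15 htb rate 100kbit ceil ${CEIL}kbit prio 1
EOF
}
```

Run `demo_check`, or `sh -x the_script 2>&1 | htb_rate_check` on a script with variables, before loading a class tree.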
Re: [LARTC] Classid limit at 10000
Michał Margula wrote:
>
> Class ID is hex, and can go up to , which is 65535. I think it is
> quite enough for everyone :-). It won't accept 1 because it is not a
> legal 4 byte word written in hex.
>
2 byte word of course, sorry.

-- 
Michał Margula, [EMAIL PROTECTED], http://alchemyx.uznam.net.pl/
"Only the moments in life are beautiful" [Ryszard Riedel]
Re: [LARTC] Classid limit at 10000
Martin Schiøtz wrote:
> Hi
>
> I'm setting up shaping using HTB and hashkey. It seems like there is a
> limit on the number of classid's at 1?
> How can I go higher than 1?
>
Class ID is hex, and can go up to , which is 65535. I think it is quite enough for everyone :-). It won't accept 1 because it is not a legal 4 byte word written in hex.

-- 
Michał Margula, [EMAIL PROTECTED], http://alchemyx.uznam.net.pl/
"Only the moments in life are beautiful" [Ryszard Riedel]
[LARTC] Classid limit at 10000
Hi

I'm setting up shaping using HTB and hashkey. It seems like there is a limit on the number of classid's at 1? How can I go higher than 1?

This is what my output says when I reach classid number 1:

...
...
/sbin/tc class add dev eth0 parent 2:6 classid 2:9998 htb prio 5 rate 768kbit ceil 768kbit burst 0 cburst 0
/sbin/tc qdisc add dev eth0 parent 2:9998 handle 9998: sfq perturb 4
/sbin/tc filter add dev eth0 protocol ip prio 5 parent 2:6 u32 ht 12:93: match ip dst 10.50.157.147 flowid 2:9998
/sbin/tc class add dev eth0 parent 2:6 classid 2:1 htb prio 5 rate 768kbit ceil 768kbit burst 0 cburst 0
Error: argument "invalid class ID" is wrong: 2:1
/sbin/tc qdisc add dev eth0 parent 2:1 handle 1: sfq perturb 4
Error: argument "invalid parent ID" is wrong: 2:1
/sbin/tc filter add dev eth0 protocol ip prio 5 parent 2:6 u32 ht 12:94: match ip dst 10.50.157.148 flowid 2:1
Illegal "classid"

Best regards,
Martin
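An added example, not from this thread, of generating the per-host class, qdisc and filter lines with the class minor id written in hex so the counter can run past 9999, as Michał's reply implies; the eth0, 2:6 and 12: layout is taken from Martin's output, and the hex-of-last-octet bucket is inferred from the 12:93: / .147 pair there.

```shell
#!/bin/sh
# Added example (not code from the list posts): generate the per-host class,
# qdisc and filter lines with the class minor id written in hex. tc parses
# "2:9998" as hex 0x9998, so a decimal counter works only by accident up to
# 9999; "2:10000" is 0x10000, which does not fit in the 16-bit minor id.
# The u32 bucket follows the posted layout: ht 12:<last octet in hex>:.

# Print the hex minor id for a decimal counter, or fail if it exceeds 0xffff.
classid_minor() {
    n=$1
    if [ "$n" -lt 1 ] || [ "$n" -gt 65535 ]; then
        echo "counter $n outside 1..65535" >&2
        return 1
    fi
    printf '%x\n' "$n"
}

# Emit the three tc commands for one host. Arguments: counter, IPv4 address.
# Caveat: the sfq handle reuses the minor id, so counters whose hex form
# equals an existing qdisc major (1:, 2:, 12: in the posted setup) collide.
host_shaper_lines() {
    minor=$(classid_minor "$1") || return 1
    ip=$2
    bucket=$(printf '%x' "${ip##*.}")
    printf 'tc class add dev eth0 parent 2:6 classid 2:%s htb prio 5 rate 768kbit ceil 768kbit burst 0 cburst 0\n' "$minor"
    printf 'tc qdisc add dev eth0 parent 2:%s handle %s: sfq perturb 4\n' "$minor" "$minor"
    printf 'tc filter add dev eth0 protocol ip prio 5 parent 2:6 u32 ht 12:%s: match ip dst %s flowid 2:%s\n' "$bucket" "$ip" "$minor"
}

# The host that failed in the post, numbered 10000, now gets class 2:2710.
host_shaper_lines 10000 10.50.157.148
```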
Fwd: [LARTC] Trying the configuration in nano.txt
On 7/6/05, Vinay <[EMAIL PROTECTED]> wrote:
> Hi,
> I had 3 cards, eth0 and eth1 connecting to 2 isps and eth2
> connecting to lan. First i setup the address configuration for these
> cards without the gateway option. So i specified only Ip address and
> netmask. Then i gave the masquerade option for both the network cards
> and made necessary changes in the firewall. Next I executed the
> script which i got from
> http://mailman.ds9a.nl/pipermail/lartc/2003q4/010372.html. After
> running the script the system was using both the connections. But
> since i hadn't used the patch, it was not able to detect the dead
> gateway. So if one of the links goes down, it creates problems.

I tried that way, and routing works _only for local connections_. It doesn't work for NAT connections. So, the result is the same, as the configuration I was trying is the same as the one set in the script you gave. :)

> Can you please explain how you have applied the patch.

I have not applied the patch in the configuration I'm trying to get working :) So, by now, I don't use that patch. I explain how I think the multipath routing + NAT doesn't work, in a mail I just sent. :)

But as there I explained how I understand that nothing may work without patches (in the mail sent to the list, before this one), I'll start trying with the patches applied. I applied them to a vanilla kernel by:

cd /usr/src/linux
patch -p1 < the_patch.diff

This results in changing some files, as expected. So the patching should be well done.

Thanks!
[LARTC] More on conntrack + NAT + mangle/nat tables
I already understood that a packet enters chains in the 'nat' table only if it is the _first_ packet of a connection. In that case, we may do SNAT in the POSTROUTING chain of the 'nat' table. So, the packets arrive at the POSTROUTING chain of the 'mangle' table with the source IP address changed (if it's said by the rules of the 'nat' table).

BUT, for the rest of the packets (not the first ones) of a connection, packets enter the POSTROUTING chain of the 'mangle' table _without_ a changed source IP address.

Is this the expected behaviour of netfilter/conntrack? To me, it's quite strange.

- I'm learning about the whole netfilter/policy router these days :) So I write a lot about that which sounds strange to me. I hope I'm not annoying the list.

Thanks a lot.
- Lluís
[LARTC] About routing, nat, the FORWARD chain, and a bit of Julian's patches
Hi!

I'm still trying to solve the problem about which I already posted in these lists... I've been trying to understand where packet routing and NAT are being done. The schemes are quite clear when it's about the _first_ packet of a NAT connection (when it enters the NAT table). But it isn't that clear about the packets NAT'ed by the connection tracker.

Concretely about tcp connections, I've noticed that:

1. _no_ packet matches any chain of the 'nat' table, unless it's a SYN tcp packet (start of connection). The rest of the packets don't match any chain of the 'nat' table.

2. The routing is done _before_ applying the rules of the FORWARD chain. So, logging NAT connections (already made) shows that the packets already have an output device. Example: "iptables -A FORWARD -j LOG -o eth2", with example result:

Jul 6 10:18:29 thecrow IN=eth0 OUT=eth2 SRC=192.168.4.20 DST=62.57.136.215 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=46487 DF PROTO=TCP SPT=33967 DPT=80 WINDOW=63712 RES=0x00 ACK URGP=0

3. The NAT applied by the connection tracker (not by the 'nat' table) is done _after_ the FORWARD chain of the filter table. I SNAT all connection-starting packets (table nat, chain POSTROUTING) to 192.168.16.1/24 or 192.168.17.1/24, and you may see in the last example that the source address is still that of the LAN (192.168.4.4/20).

4. I can say the same as in the third point about the chain FORWARD of the 'mangle' table.

So I don't know how people do "multihop routing + NAT" without Julian's patches. It's obvious that:

1. The connection tracker doesn't keep information about the devices involved in the connection.

2. The routing policy database is asked BEFORE the FORWARD or POSTROUTING chains. In fact, that's why the 'nat'/POSTROUTING chains know to which IP to change the source address (that is, according to the output device selected by, for instance, the 'equalize' of a multihop route).

May someone clarify how people do that kind of multihop routing + NAT without any patch? I've read that some people do that. IMO, those configurations don't work fine.

Can someone suggest any patch, in order to get routing _after_ the connection tracking NAT is made? Am I wrong in something?

Thanks in advance!
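An added example, not code from Lluís's posts, that makes the ordering he observes in both messages checkable on a router: LOG rules tag the same forwarded flow at the hooks he names, and a small summariser reduces the kernel log to one line per hook. The log lines are constructed in the format of his example; eth0 as LAN side, eth2 as uplink and the addresses are assumed from that line.

```shell
#!/bin/sh
# Added example (not code from the list posts): log one forwarded flow at
# successive netfilter hooks and summarise IN, OUT and SRC per hook, so the
# points where routing has already happened (OUT set) and where the source
# has still not been SNATed can be read off directly.

# Install the LOG rules (run as root on the router; eth0 = LAN side,
# eth2 = uplink, as in the posted log line).
install_trace_rules() {
    iptables -t mangle -A PREROUTING  -i eth0 -p tcp --dport 80 -j LOG --log-prefix "mangle-PRE: "
    iptables -t filter -A FORWARD     -o eth2 -p tcp --dport 80 -j LOG --log-prefix "filter-FWD: "
    iptables -t mangle -A POSTROUTING -o eth2 -p tcp --dport 80 -j LOG --log-prefix "mangle-POST: "
    # Inserted before the SNAT rule, because SNAT is terminating; only the
    # first packet of a connection enters the nat table at all.
    iptables -t nat -I POSTROUTING 1 -o eth2 -p tcp --dport 80 -j LOG --log-prefix "nat-POST: "
}

# Reduce LOG lines on stdin to "<hook> IN=.. OUT=.. SRC=.. packets=N",
# one line per hook, in order of first appearance.
summarise_hooks() {
    awk '
    {
        hook = ""; in_ = ""; out = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[a-z]+-[A-Z]+:$/) hook = substr($i, 1, length($i) - 1)
            else if ($i ~ /^IN=/)  in_ = $i
            else if ($i ~ /^OUT=/) out = $i
            else if ($i ~ /^SRC=/) src = $i
        }
        if (hook == "") next
        if (!(hook in seen)) { seen[hook] = ++n; names[n] = hook; line[hook] = in_ " " out " " src }
        count[hook]++
    }
    END { for (k = 1; k <= n; k++) printf "%s %s packets=%d\n", names[k], line[names[k]], count[names[k]] }'
}

# Constructed log excerpt: the SYN and a later ACK of one LAN-to-web connection.
demo_trace() {
    summarise_hooks <<'EOF'
Jul  6 10:18:29 thecrow mangle-PRE: IN=eth0 OUT= SRC=192.168.4.20 DST=62.57.136.215 LEN=60 PROTO=TCP SPT=33967 DPT=80 SYN URGP=0
Jul  6 10:18:29 thecrow filter-FWD: IN=eth0 OUT=eth2 SRC=192.168.4.20 DST=62.57.136.215 LEN=60 PROTO=TCP SPT=33967 DPT=80 SYN URGP=0
Jul  6 10:18:29 thecrow mangle-POST: IN=eth0 OUT=eth2 SRC=192.168.4.20 DST=62.57.136.215 LEN=60 PROTO=TCP SPT=33967 DPT=80 SYN URGP=0
Jul  6 10:18:29 thecrow nat-POST: IN=eth0 OUT=eth2 SRC=192.168.4.20 DST=62.57.136.215 LEN=60 PROTO=TCP SPT=33967 DPT=80 SYN URGP=0
Jul  6 10:18:30 thecrow mangle-PRE: IN=eth0 OUT= SRC=192.168.4.20 DST=62.57.136.215 LEN=52 PROTO=TCP SPT=33967 DPT=80 ACK URGP=0
Jul  6 10:18:30 thecrow filter-FWD: IN=eth0 OUT=eth2 SRC=192.168.4.20 DST=62.57.136.215 LEN=52 PROTO=TCP SPT=33967 DPT=80 ACK URGP=0
Jul  6 10:18:30 thecrow mangle-POST: IN=eth0 OUT=eth2 SRC=192.168.4.20 DST=62.57.136.215 LEN=52 PROTO=TCP SPT=33967 DPT=80 ACK URGP=0
EOF
}
```

None of these hooks ever shows the SNATed address, since the translation is applied after the last of them; confirm it on the wire with tcpdump on eth2 or in the conntrack table rather than from iptables logs.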