[LARTC] P2P shaping, won't work

2005-07-08 Thread Edgar
Hello, it's me again; I won't stop sending emails to this list until I solve
this problem. I've tried several apps to create the right htb rules (even
made them myself), but I always get the same results: traffic gets shaped,
but I can't use my bandwidth, and this is weird, because I should be able to.
Also, I keep seeing download being limited too, and that shouldn't be
happening. I don't think I'm the only one with this problem out there, so I
will post here once again my configuration, to match p2p traffic and to shape
it:

### ###
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -N lay7PRE
iptables -t mangle -N lay7POST
iptables -t mangle -N ipp2pPRE
iptables -t mangle -N ipp2pPOST

### PREROUTING RULES ###
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A ipp2pPRE -p tcp -m ipp2p --ipp2p -j MARK --set-mark 3
iptables -t mangle -A ipp2pPRE -p udp -m ipp2p --bit -j MARK --set-mark 3
iptables -t mangle -A ipp2pPRE -p tcp -m mark --mark 3 -j CONNMARK --save-mark
iptables -t mangle -A lay7PRE -m layer7 --l7proto smtp -j MARK --set-mark 1
iptables -t mangle -A lay7PRE -m layer7 --l7proto ssh -j MARK --set-mark 2
iptables -t mangle -A lay7PRE -m mark --mark 2 -j CONNMARK --save-mark

### POSTROUTING RULES ###
iptables -t mangle -A ipp2pPOST -o eth1 -m mark --mark 3 -j CLASSIFY --set-class 1:30
iptables -t mangle -A lay7POST -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 1:20
iptables -t mangle -A lay7POST -o eth1 -m mark --mark 2 -j CLASSIFY --set-class 1:10

### ###
iptables -t mangle -A PREROUTING -j lay7PRE
iptables -t mangle -A POSTROUTING -j lay7POST
iptables -t mangle -A PREROUTING -j ipp2pPRE
iptables -t mangle -A POSTROUTING -j ipp2pPOST

TC RULES
tc qdisc add dev eth1 handle 1:0 root dsmark indices 8 default_index 0
tc qdisc add dev eth1 handle 2:0 parent 1:0 htb
tc class add dev eth1 parent 2:0 classid 2:1 htb rate 22000bps ceil 22000bps
tc class add dev eth1 parent 2:1 classid 2:2 htb rate 3000bps ceil 5000bps prio 0
tc qdisc add dev eth1 handle 3:0 parent 2:2 sfq
tc class add dev eth1 parent 2:1 classid 2:3 htb rate 5000bps ceil 6000bps prio 1
tc qdisc add dev eth1 handle 4:0 parent 2:3 sfq
tc class add dev eth1 parent 2:1 classid 2:4 htb rate 8000bps ceil 8000bps prio 2
tc qdisc add dev eth1 handle 5:0 parent 2:4 sfq
tc class add dev eth1 parent 2:1 classid 2:5 htb rate 1bps ceil 1bps burst 0 cburst 0 prio 3 quantum 1500
tc qdisc add dev eth1 handle 6:0 parent 2:5 sfq
tc class add dev eth1 parent 2:1 classid 2:6 htb rate 1bps ceil 22000bps prio 1
tc qdisc add dev eth1 handle 7:0 parent 2:6 sfq
tc filter add dev eth1 parent 2:0 protocol all prio 1 tcindex mask 0x7 shift 0
tc filter add dev eth1 parent 2:0 protocol all prio 1 handle 5 tcindex classid 2:6
tc filter add dev eth1 parent 2:0 protocol all prio 1 handle 4 tcindex classid 2:4
tc filter add dev eth1 parent 2:0 protocol all prio 1 handle 3 tcindex classid 2:5
tc filter add dev eth1 parent 2:0 protocol all prio 1 handle 2 tcindex classid 2:3
tc filter add dev eth1 parent 2:0 protocol all prio 1 handle 1 tcindex classid 2:2
tc filter add dev eth1 parent 1:0 protocol all prio 1 u32 match u8 0x5 0xf at 0 match u16 0x0 0xffc0 at 2 classid 1:5
tc filter add dev eth1 parent 1:0 protocol all prio 1 u32 match u8 0x5 0xf at 0 match u8 0x10 0x10 at 33 classid 1:4
tc filter add dev eth1 parent 1:0 protocol all prio 1 u32 match u8 0x5 0xf at 0 classid 1:5
tc filter add dev eth1 parent 1:0 protocol all prio 1 u32 match u32 0x0 0x0 at 0 classid 1:5

Well, these rules are generated with tcng (tcc actually), and I see traffic
going to the p2p rule (being 2:5), but still I'm not able to browse the web,
nor chat, nor anything. Someone advised me to create an interactive class and
then let the unmatched traffic go to a default class (and p2p traffic would go
there too), but I'm running a squid server at home, and thus I don't know
what port to specify to do this. Anyway, I've tried already with normal
http traffic, with layer7; I see the traffic going to the iptables chain, but
it still won't work: p2p traffic keeps eating all my bandwidth, ignoring all
the priorities I have in my tc rules (the 2:5 class being the one with the
lowest priority). I really need to get this working, and I know there are
some people here who have a lot more experience than me, and I'm sure you
can help me. Thank you

EDGAR MERINO
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] HTB and bittorrent, won't work

2005-07-08 Thread Forte Systems - Iosif Peterfi
You can classify kopete traffic using iptables rules, depending on the IM
protocol you use. Yahoo Messenger uses TCP ports 5050 and 5051, I think; MSN
uses TCP 1863; you can google for them.
You also have to set up tcp_sport as the squid port in order for the l7 http
filter to work. And if that is not working, classify using iptables with source
your internal eth IP and source port your squid port.

There is a slight chance that some bt clients will use the same ports as
described in the iptables rules, but I don't think that will mess up your
shaping that badly.

Iosif Peterfi
S.C. Forte Systems SRL
http://www.fortesys.ro/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Edgar
Sent: Thursday, July 07, 2005 11:35 PM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] HTB and bittorrent, won't work

Thank you for your response, I will try to do what you told me, but I have a
squid server, and I don't know which port I should use for that, since the
http layer7 protocol won't work: when I have that mark rule in iptables I
don't see traffic going into that rule; it'll only work when I'm surfing the
web without the squid cache. Another problem I have is that the msn
messenger I use (kopete for kde) isn't recognized by the layer7 protocol, so the
question is this: can I do this specifying the ports in tcng?

EDGAR MERINO

On Thursday 07 July 2005 06:36, Forte Systems - Iosif Peterfi wrote:
 I would suggest classifying interactive connections, and leaving all the bulk
 traffic in the default class. This way, the bt, kazaa, emule traffic will go
 in the same class, without additional filtering.
 Also, using HFSC instead of HTB helps you increase the delay of the default
 class. This way bulk traffic will be sent every n ms, leaving priority to
 the interactive/web/mail traffic. Think about it.


 Iosif Peterfi
 S.C. Forte Systems SRL
 http://www.fortesys.ro/

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Klaus
 Sent: Thursday, July 07, 2005 10:22 AM
 To: lartc@mailman.ds9a.nl
 Subject: Re: [LARTC] HTB and bittorrent, won't work

 ipp2p vs. l7 filter

 l7 uses regular expressions, so they are slower (some rules are EXTREMELY
 slow, like fasttrack) and not as strong as the ipp2p rules (which can
 have, for example, packet length checks). ipp2p is specialized for p2p
 detection, so many p2p packets are not detected by l7 (for example, not
 all BitTorrent connections start with a 013h BitTorrent). The worst
 part is that the l7 filter has some p2p rules which detect false positives:

 http://l7-filter.sourceforge.net/layer7-protocols/protocols/edonkey.pat

 ... This will match about 1% of streams with random data in them! ...

 If you drop p2p connections, one of a hundred downloads / web pages will
 fail (and fail every time)?

 I would recommend l7-filter for everything but not for p2p. It is a VERY
 nice filter, but if they had something other than regexp, I would
 maybe use it too.

 Klaus, Maintainer of ipp2p

 Edgar wrote:
  Hi, thanks for your help and interest, someone told me about that already,
  so I did it, and this is the script I'm running to do it:
  #!/bin/sh

  ### ERASING RULES AND USER CREATED CHAINS ###
  iptables -t mangle -F
  iptables -t mangle -X
  iptables -t mangle -N lay7PRE
  iptables -t mangle -N lay7POST

  ### PREROUTING RULES ###
  iptables -t mangle -A lay7PRE -j CONNMARK --restore-mark
  iptables -t mangle -A lay7PRE -m mark ! --mark 0 -j ACCEPT
  iptables -t mangle -A lay7PRE -m layer7 --l7proto bittorrent -j MARK --set-mark 1
  iptables -t mangle -A lay7PRE -m layer7 --l7proto smtp -j MARK --set-mark 2
  iptables -t mangle -A lay7PRE -m layer7 --l7proto http -j MARK --set-mark 3
  iptables -t mangle -A lay7PRE -j CONNMARK --save-mark

  ### POSTROUTING RULES ###
  iptables -t mangle -A lay7POST -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 2:2
  iptables -t mangle -A lay7POST -o eth1 -m mark --mark 2 -j CLASSIFY --set-class 2:3
  iptables -t mangle -A lay7POST -o eth1 -m mark --mark 3 -j CLASSIFY --set-class 2:4

  ### --- ###

  iptables -t mangle -A PREROUTING -j lay7PRE
  iptables -t mangle -A POSTROUTING -j lay7POST

  I'm trying this right now, and I believe it's kind of working, but web
  surfing is very slow, I might say unusable, so this is not what I want. Also I
  had to mark http traffic to make this work, give it a higher prio in htb, so I
  believe I'm missing something else? Someone suggested adding a new class for
  ACK packets; I've done that already, but I've only noticed little
  difference... I really don't know what's happening. If you don't have tcng I
  can show you my tc rules (shown by tc -s class show dev eth1). Thank you
  again

  EDGAR MERINO
 
  On Wednesday 06 July 2005 23:30, Jody Shumaker wrote:
 You need to use connection marking as well.  --l7proto bittorrent will
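Klaus's point quoted above, that a regex payload matcher trades precision for generality and can fire on a share of random data, is easy to measure. The following is an added example, not code from this thread, from l7-filter or from ipp2p: the loose pattern, the structural check and every sample payload are constructed here, and the regex is deliberately not one of l7-filter's. It runs both detectors over 100 constructed BitTorrent handshakes, one constructed HTTP tracker announce and 20000 random payloads, and counts detections and false positives.

```python
import random
import re

# BitTorrent peer handshake layout:
#   <pstrlen=19> <"BitTorrent protocol"> <8 reserved bytes> <20-byte info hash> <20-byte peer id>
PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20   # 68 bytes

# Constructed loose regex: "a small length byte, then a printable byte within
# the next four". It is the kind of cheap pattern that matches the handshake
# but also accepts a measurable share of arbitrary data.
LOOSE_RE = re.compile(rb"^[\x13-\x16].{0,3}[\x20-\x7e]", re.DOTALL)


def loose_match(payload):
    """Regex-style classifier: True if the loose pattern fires on the payload."""
    return LOOSE_RE.search(payload) is not None


def strict_match(payload):
    """Structural classifier: checks the handshake field by field."""
    return (len(payload) >= HANDSHAKE_LEN
            and payload[0] == len(PSTR)
            and payload[1:1 + len(PSTR)] == PSTR)


def _rand_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))


def make_handshake(rng):
    """Constructed handshake with a random info hash and peer id."""
    return bytes([len(PSTR)]) + PSTR + b"\x00" * 8 + _rand_bytes(rng, 20) + _rand_bytes(rng, 20)


# Constructed tracker announce: BitTorrent traffic that carries no handshake,
# so a handshake matcher of either kind cannot see it (the coverage gap Klaus
# mentions; this is where protocol-specific knowledge is needed).
ANNOUNCE = (b"GET /announce?info_hash=%00%01%02&peer_id=-AB0001-abcdefghijkl HTTP/1.1\r\n"
            b"Host: tracker.example\r\n\r\n")


def evaluate(n_random=20000, seed=1234):
    """Run both detectors over constructed traffic; returns counts per detector."""
    rng = random.Random(seed)
    handshakes = [make_handshake(rng) for _ in range(100)]
    noise = [_rand_bytes(rng, HANDSHAKE_LEN) for _ in range(n_random)]
    report = {}
    for name, detect in (("loose_regex", loose_match), ("strict_layout", strict_match)):
        false_positives = sum(1 for p in noise if detect(p))
        report[name] = {
            "handshakes_detected": sum(1 for p in handshakes if detect(p)),
            "announce_detected": detect(ANNOUNCE),
            "false_positives": false_positives,
            "false_positive_rate": false_positives / n_random,
        }
    return report


if __name__ == "__main__":
    for name, stats in evaluate().items():
        print(name, stats)
```

Both detectors see every handshake and neither sees the announce; the difference is in the noise, where the structural check reports nothing and the loose regex flags roughly one payload in eighty. The exact count depends on the seed, which is why a classifier meant to drop or throttle traffic should be measured against random data before it is deployed.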
 

Re: [LARTC] P2P shaping, won't work

2005-07-08 Thread Francisco Pereira
Message quoted from Edgar [EMAIL PROTECTED]:

 Hello, it's me again; I won't stop sending emails to this list until I solve
 this problem. I've tried several apps to create the right htb rules (even
 made them myself), but I always get the same results: traffic gets shaped,
 but I can't use my bandwidth, and this is weird, because I should be able to.
 Also, I keep seeing download being limited too, and that shouldn't be
 happening. I don't think I'm the only one with this problem out there, so I
 will post here once again my configuration, to match p2p traffic and to shape
 it:
 
 ### ###
 iptables -t mangle -F
 iptables -t mangle -X
 iptables -t mangle -N lay7PRE
 iptables -t mangle -N lay7POST
 iptables -t mangle -N ipp2pPRE
 iptables -t mangle -N ipp2pPOST
 
 ### PREROUTING RULES ###
 iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
 iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
 iptables -t mangle -A ipp2pPRE -p tcp -m ipp2p --ipp2p -j MARK --set-mark 3
 iptables -t mangle -A ipp2pPRE -p udp -m ipp2p --bit -j MARK --set-mark 3
 iptables -t mangle -A ipp2pPRE -p tcp -m mark --mark 3 -j CONNMARK --save-mark
 iptables -t mangle -A lay7PRE -m layer7 --l7proto smtp -j MARK --set-mark 1
 iptables -t mangle -A lay7PRE -m layer7 --l7proto ssh -j MARK --set-mark 2
 iptables -t mangle -A lay7PRE -m mark --mark 2 -j CONNMARK --save-mark
 
 ### POSTROUTING RULES ###
 iptables -t mangle -A ipp2pPOST -o eth1 -m mark --mark 3 -j CLASSIFY --set-class 1:30
 iptables -t mangle -A lay7POST -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 1:20
 iptables -t mangle -A lay7POST -o eth1 -m mark --mark 2 -j CLASSIFY --set-class 1:10
 
 ### ###
 iptables -t mangle -A PREROUTING -j lay7PRE
 iptables -t mangle -A POSTROUTING -j lay7POST
 iptables -t mangle -A PREROUTING -j ipp2pPRE
 iptables -t mangle -A POSTROUTING -j ipp2pPOST
 
 TC RULES
 tc qdisc add dev eth1 handle 1:0 root dsmark indices 8 default_index 0
 tc qdisc add dev eth1 handle 2:0 parent 1:0 htb
 tc class add dev eth1 parent 2:0 classid 2:1 htb rate 22000bps ceil 22000bps
 tc class add dev eth1 parent 2:1 classid 2:2 htb rate 3000bps ceil 5000bps prio 0
 tc qdisc add dev eth1 handle 3:0 parent 2:2 sfq
 tc class add dev eth1 parent 2:1 classid 2:3 htb rate 5000bps ceil 6000bps prio 1
 tc qdisc add dev eth1 handle 4:0 parent 2:3 sfq
 tc class add dev eth1 parent 2:1 classid 2:4 htb rate 8000bps ceil 8000bps prio 2
 tc qdisc add dev eth1 handle 5:0 parent 2:4 sfq
 tc class add dev eth1 parent 2:1 classid 2:5 htb rate 1bps ceil 1bps burst 0 cburst 0 prio 3 quantum 1500
 tc qdisc add dev eth1 handle 6:0 parent 2:5 sfq
 tc class add dev eth1 parent 2:1 classid 2:6 htb rate 1bps ceil 22000bps prio 1
 tc qdisc add dev eth1 handle 7:0 parent 2:6 sfq
 tc filter add dev eth1 parent 2:0 protocol all prio 1 tcindex mask 0x7 shift 0
 tc filter add dev eth1 parent 2:0 protocol all prio 1 handle 5 tcindex classid 2:6
 tc filter add dev eth1 parent 2:0 protocol all prio 1 handle 4 tcindex classid 2:4
 tc filter add dev eth1 parent 2:0 protocol all prio 1 handle 3 tcindex classid 2:5
 tc filter add dev eth1 parent 2:0 protocol all prio 1 handle 2 tcindex classid 2:3
 tc filter add dev eth1 parent 2:0 protocol all prio 1 handle 1 tcindex classid 2:2
 tc filter add dev eth1 parent 1:0 protocol all prio 1 u32 match u8 0x5 0xf at 0 match u16 0x0 0xffc0 at 2 classid 1:5
 tc filter add dev eth1 parent 1:0 protocol all prio 1 u32 match u8 0x5 0xf at 0 match u8 0x10 0x10 at 33 classid 1:4
 tc filter add dev eth1 parent 1:0 protocol all prio 1 u32 match u8 0x5 0xf at 0 classid 1:5
 tc filter add dev eth1 parent 1:0 protocol all prio 1 u32 match u32 0x0 0x0 at 0 classid 1:5
 
 Well, these rules are generated with tcng (tcc actually), and I see traffic
 going to the p2p rule (being 2:5), but still I'm not able to browse the web,
 nor chat, nor anything. Someone advised me to create an interactive class and
 then let the unmatched traffic go to a default class (and p2p traffic would go
 there too), but I'm running a squid server at home, and thus I don't know
 what port to specify to do this. Anyway, I've tried already with normal
 http traffic, with layer7; I see the traffic going to the iptables chain, but
 it still won't work: p2p traffic keeps eating all my bandwidth, ignoring all
 the priorities I have in my tc rules (the 2:5 class being the one with the
 lowest priority). I really need to get this working, and I know there are
 some people here who have a lot more experience than me, and I'm sure you
 can help me. Thank you
 
can != want != will

You may have a problem with the rate units - bps != bit - but I don't know the
type or rate of your internet link.
Post a detailed ascii diagram of your network. What is the transfer rate of the
internet link?

IPP2P works very well for me.
How did you test your iptables and tc setup? In the real network or in a
controlled 
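Francisco's remark about the units is worth checking mechanically, because in tc "bps" means bytes per second while "bit" means bits per second, and a class tree can also be misconfigured in ways that no single line reveals. The following is an added example, not code from the thread or from iproute2: a small Python checker that parses the "tc class add ... htb" lines, converts every rate to bit/s using the multipliers from the RATES section of tc(8), and reports parents whose children guarantee more than the parent's rate and children whose ceil exceeds the parent's ceil. The sample input is constructed from the class lines posted above; the over-committed second sample is constructed for contrast.

```python
import re
from collections import defaultdict

# Multipliers to bits per second, following the RATES section of tc(8):
# "bit" is bits per second, "bps" is BYTES per second (so 22000bps is
# 176 kbit/s). SI prefixes (k, m, g) are decimal, IEC prefixes (ki, mi, gi)
# are binary.
UNIT_TO_BITS = {
    "bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000,
    "kibit": 1024, "mibit": 1024 ** 2, "gibit": 1024 ** 3,
    "bps": 8, "kbps": 8_000, "mbps": 8_000_000, "gbps": 8_000_000_000,
    "kibps": 8 * 1024, "mibps": 8 * 1024 ** 2, "gibps": 8 * 1024 ** 3,
}

RATE_RE = re.compile(r"^(\d+(?:\.\d+)?)([A-Za-z]+)$")


def rate_to_bits(text):
    """Convert a tc rate string such as '22000bps' or '750kbit' into bit/s.

    A bare number is rejected on purpose: iproute2 releases have not agreed on
    whether it means bytes or bits per second, so a config relying on it is
    ambiguous."""
    m = RATE_RE.match(text.strip())
    if not m or m.group(2).lower() not in UNIT_TO_BITS:
        raise ValueError("unrecognised or unit-less tc rate: %r" % text)
    return int(float(m.group(1)) * UNIT_TO_BITS[m.group(2).lower()])


CLASS_RE = re.compile(
    r"tc class add dev \S+ parent (\S+) classid (\S+) htb rate (\S+)(?: ceil (\S+))?")


def parse_htb_classes(config):
    """Return {classid: {'parent', 'rate', 'ceil'}} (bit/s) from 'tc class add' lines."""
    classes = {}
    for parent, classid, rate, ceil in CLASS_RE.findall(config):
        bits = rate_to_bits(rate)
        # HTB defaults ceil to rate when it is not given.
        classes[classid] = {"parent": parent, "rate": bits,
                            "ceil": rate_to_bits(ceil) if ceil else bits}
    return classes


def check_hierarchy(classes):
    """Return findings: over-committed parents, and children whose ceil exceeds the parent's."""
    findings = []
    children = defaultdict(list)
    for classid, c in classes.items():
        children[c["parent"]].append(classid)
    for parent, kids in sorted(children.items()):
        if parent not in classes:
            continue  # parent is the qdisc itself (e.g. 2:0); nothing to compare with
        p = classes[parent]
        guaranteed = sum(classes[k]["rate"] for k in kids)
        if guaranteed > p["rate"]:
            findings.append("%s: children guarantee %d bit/s but the parent rate is %d bit/s"
                            % (parent, guaranteed, p["rate"]))
        for k in sorted(kids):
            if classes[k]["ceil"] > p["ceil"]:
                findings.append("%s: ceil %d bit/s exceeds parent %s ceil %d bit/s"
                                % (k, classes[k]["ceil"], parent, p["ceil"]))
    return findings


# Sample input constructed from the class lines posted in this thread.
POSTED_CONFIG = """
tc class add dev eth1 parent 2:0 classid 2:1 htb rate 22000bps ceil 22000bps
tc class add dev eth1 parent 2:1 classid 2:2 htb rate 3000bps ceil 5000bps prio 0
tc class add dev eth1 parent 2:1 classid 2:3 htb rate 5000bps ceil 6000bps prio 1
tc class add dev eth1 parent 2:1 classid 2:4 htb rate 8000bps ceil 8000bps prio 2
tc class add dev eth1 parent 2:1 classid 2:5 htb rate 1bps ceil 1bps burst 0 cburst 0 prio 3 quantum 1500
tc class add dev eth1 parent 2:1 classid 2:6 htb rate 1bps ceil 22000bps prio 1
"""

# Constructed counter-example: guarantees exceed the parent, and one ceil is unreachable.
OVERCOMMITTED_CONFIG = """
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 100kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 80kbit ceil 200kbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 50kbit
"""

if __name__ == "__main__":
    for label, config in (("posted", POSTED_CONFIG), ("over-committed", OVERCOMMITTED_CONFIG)):
        tree = parse_htb_classes(config)
        print("==", label)
        for classid, c in sorted(tree.items()):
            print("%-5s rate %8d bit/s (%8.1f kbit)  ceil %8d bit/s"
                  % (classid, c["rate"], c["rate"] / 1000, c["ceil"]))
        print(check_hierarchy(tree) or ["no over-commit found"])
```

On the posted tree the checker finds no over-commit, but the conversion makes the units visible: the root is 176 kbit/s, not 22 kbit/s, and the p2p class 2:5 has a rate and ceil of 8 bit/s, so whatever lands there can send almost nothing and cannot borrow.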

Re: [LARTC] HTB Rate and Prio

2005-07-08 Thread Jody Shumaker
The priority affects the ratio in which extra bandwidth is shared.
Something with a better priority doesn't automatically get all the
bandwidth it wants before something with a worse priority; they share
it on a ratio basis. You might be better off not using prio and
instead just having the rates for the classes set to the ratio you
want. When prio isn't set htb uses the rates as the ratio. Try
removing the prio, and lowering the low-priority even further, say
1kbit instead of 50kbit; then when bandwidth is shared, the other
classes will have 750:1 or 400:1 splitting of extra bandwidth. This
way your LOWPRIO will also have to borrow for nearly all its bandwidth
needs.

In your example test case, LOWPRIO was using 500kbit, so borrowing
450kbit, and you say the 750kbit class was using only the remaining
1500kbit, borrowing 750kbit. The ratios of shared amounts definitely
don't seem to fit with the 5:1 priorities ratio, but I'm no expert
on how it determines all this. I just recommend not using the prio
and trying a lower rate for the LOWPRIO subclass.

- Jody

On 7/8/05, Gael Mauleon [EMAIL PROTECTED] wrote:

 Hi,

 I wanted to implement some QOS on my Linux box with HTB, but after some time
 spent on the configuration and tests, I still don't manage to have some correct
 results. Here are the details:

 - ROOT 2000 kbits
   - HIGHPRIO SUBCLASS 50 kbits prio 0
   - SUBCLASS1 750 kbits prio 1
     - SERVICE1 250 kbits prio 1
     - SERVICE2 250 kbits prio 1
     - SERVICE3 250 kbits prio 1
   - SUBCLASS2 750 kbits prio 1
     - SERVICE1 250 kbits prio 1
     - SERVICE2 250 kbits prio 1
     - SERVICE3 250 kbits prio 1
   - SUBCLASS3 400 kbits prio 1
     - SERVICE1 200 kbits prio 1
     - SERVICE2 200 kbits prio 1
   - LOWPRIO SUBCLASS 50 kbits prio 5

 Here are the details of the implementation; I only wrote 1 of the subclasses
 because they are all on the same template.

 tc qdisc add dev $QOSIN root handle 1:0 htb default 1000
 tc class add dev $QOSIN parent 1:0 classid 1:1 htb rate 2000kbit

 ### SUBCLASS1
 tc class add dev $QOSIN parent 1:1 classid 1:10 htb rate 750kbit ceil 2000kbit prio 1
 tc class add dev $QOSIN parent 1:10 classid 1:101 htb rate 250kbit ceil 2000kbit prio 1
 tc qdisc add dev $QOSIN parent 1:101 handle 101: pfifo limit 10
 tc class add dev $QOSIN parent 1:10 classid 1:102 htb rate 250kbit ceil 2000kbit prio 1
 tc qdisc add dev $QOSIN parent 1:102 handle 102: pfifo limit 10
 tc class add dev $QOSIN parent 1:10 classid 1:103 htb rate 250kbit ceil 2000kbit prio 1
 tc qdisc add dev $QOSIN parent 1:103 handle 103: pfifo limit 10

 tc filter add dev $QOSIN parent 1:0 protocol ip handle $OUTPROD$MAIL fw flowid 1:101
 tc filter add dev $QOSIN parent 1:0 protocol ip handle $OUTPROD$HTTP fw flowid 1:102
 tc filter add dev $QOSIN parent 1:0 protocol ip handle $OUTPROD$FTP fw flowid 1:103

 etc…

 ### HIGH PRIO ###
 tc class add dev $QOSIN parent 1:1 classid 1:50 htb rate 50kbit ceil 2000kbit prio 0 quantum 1500
 tc qdisc add dev $QOSIN parent 1:50 handle 50: pfifo limit 10
 tc filter add dev $QOSIN parent 1:0 protocol ip handle $OUTPROD$HIGHPRIO fw flowid 1:50
 tc filter add dev $QOSIN parent 1:0 protocol ip handle $OUTPOSTPROD$HIGHPRIO fw flowid 1:50
 tc filter add dev $QOSIN parent 1:0 protocol ip handle $OUTDMZ$HIGHPRIO fw flowid 1:50

 ### LOW PRIO ###
 tc class add dev $QOSIN parent 1:1 classid 1:60 htb rate 50kbit ceil 2000kbit prio 5 quantum 1500
 tc qdisc add dev $QOSIN parent 1:60 handle 60: pfifo limit 10
 tc filter add dev $QOSIN parent 1:0 protocol ip handle $OUTPROD$LOWPRIO fw flowid 1:60
 tc filter add dev $QOSIN parent 1:0 protocol ip handle $OUTPOSTPROD$LOWPRIO fw flowid 1:60
 tc filter add dev $QOSIN parent 1:0 protocol ip handle $OUTDMZ$LOWPRIO fw flowid 1:60

 All traffic seems to go in the class it must go to; the stats are good, and if
 I change any of the ceil rates, the associated traffic is capped to the right
 ceil I enter.

 Now with this configuration I expected that when one of the SUBCLASS classes
 or SERVICEs wants more bandwidth than its rate, it can borrow it from root, and
 it gets it before LOW PRIO and after HIGH PRIO.

 But it doesn't work at all. For example, I tried with only 2 flows: I have 500
 Kbits of LOW PRIO traffic that is currently going on, then I fire some SERVICE1
 traffic from SUBCLASS1 that can theoretically take 2000 kbits, and instead
 of taking it from LOW PRIO, it just takes what is left…

 I surely miss something…

 Thanks for your help and don't hesitate to ask
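Gael's tree and Jody's reply above turn on how HTB hands out bandwidth that nobody's rate guarantees. The following is an added example, not code from the thread or from the kernel: a rate-level Python model that follows the rules stated in the HTB user guide (every class first gets its rate, the excess is then offered to the lowest prio number first, and classes at the same prio share in proportion to their quantum). It also reproduces one detail of sch_htb that the rate ratio alone hides: a quantum derived from rate/r2q is clamped to the range 1000 to 200000 bytes unless "quantum" is set explicitly. Assumptions: one parent with leaf children, all figures in kbit/s, default r2q of 10, no burst or packet-level effects; the two flows of Gael's test are modelled as direct children of the root, and Jody's variant (same prio, LOWPRIO at 1 kbit) is run beside it.

```python
from dataclasses import dataclass
from typing import Optional

R2Q_DEFAULT = 10        # tc's default r2q for htb
QUANTUM_MIN = 1000      # bytes: sch_htb clamps a derived quantum below this...
QUANTUM_MAX = 200000    # ...or above this, and logs "Consider r2q change"


@dataclass
class HtbClass:
    rate: float                    # guaranteed rate, kbit/s
    ceil: float                    # borrowing limit, kbit/s
    prio: int = 0                  # lower number is offered excess first
    quantum: Optional[int] = None  # bytes per round; None = derived from rate

    def effective_quantum(self, r2q=R2Q_DEFAULT):
        """Bytes this leaf may send per DRR round, as sch_htb derives it."""
        if self.quantum is not None:
            return self.quantum
        derived = int(self.rate * 1000 / 8 / r2q)   # rate in bytes/s divided by r2q
        return min(max(derived, QUANTUM_MIN), QUANTUM_MAX)


def _room(name, classes, demand, alloc):
    """How much more this class could still take: bounded by demand and ceil."""
    return min(demand.get(name, 0.0), classes[name].ceil) - alloc[name]


def share_bandwidth(parent_ceil, classes, demand):
    """Model HTB's allocation: guarantee each rate, then hand out the excess by prio.

    classes: {name: HtbClass}; demand: {name: kbit/s the class wants to send}.
    Returns {name: kbit/s allocated}."""
    alloc = {n: min(demand.get(n, 0.0), c.rate) for n, c in classes.items()}
    excess = parent_ceil - sum(alloc.values())
    if excess < 0:
        raise ValueError("children's rates exceed the parent's ceil; the guarantees cannot hold")
    for prio in sorted({c.prio for c in classes.values()}):
        level = [n for n, c in classes.items() if c.prio == prio]
        # Water-fill within the level: classes share in proportion to quantum,
        # and a class that reaches its ceil or its demand drops out, leaving the
        # remainder to the others before the next prio level sees anything.
        while excess > 1e-9:
            hungry = [n for n in level if _room(n, classes, demand, alloc) > 1e-9]
            if not hungry:
                break
            total_q = sum(classes[n].effective_quantum() for n in hungry)
            pool = excess
            for n in hungry:
                take = min(pool * classes[n].effective_quantum() / total_q,
                           _room(n, classes, demand, alloc))
                alloc[n] += take
                excess -= take
    return alloc


# Constructed from Gael's post: the two flows of his test, as leaves of one parent.
# (SERVICE1 really sits under SUBCLASS1; the single-level model keeps its own rate.)
GAEL_CLASSES = {
    "SERVICE1": HtbClass(rate=250, ceil=2000, prio=1),
    "LOWPRIO":  HtbClass(rate=50, ceil=2000, prio=5, quantum=1500),
}
DEMAND = {"SERVICE1": 2000, "LOWPRIO": 500}

# Jody's suggestion: same prio for both, LOWPRIO's rate lowered to 1 kbit.
JODY_CLASSES = {
    "SERVICE1": HtbClass(rate=250, ceil=2000, prio=1),
    "LOWPRIO":  HtbClass(rate=1, ceil=2000, prio=1),
}


def with_prio():
    return share_bandwidth(2000, GAEL_CLASSES, DEMAND)


def without_prio():
    return share_bandwidth(2000, JODY_CLASSES, DEMAND)


if __name__ == "__main__":
    print("prio 1 vs prio 5:       ", {k: round(v) for k, v in with_prio().items()})
    print("same prio, 1 kbit rate: ", {k: round(v) for k, v in without_prio().items()})
    print("LOWPRIO quantum, bytes: ", GAEL_CLASSES["LOWPRIO"].effective_quantum(),
          "->", JODY_CLASSES["LOWPRIO"].effective_quantum())
```

With the prio difference the model gives SERVICE1 1950 and LOWPRIO 50 kbit/s, which is the behaviour Gael expected from his tree. In the same-prio variant the 1 kbit rate derives a quantum of 12 bytes, which the kernel lifts to the 1000-byte floor, so the split is 3125:1000 rather than 250:1 and LOWPRIO still takes 425 of the 500 kbit/s it asks for. A rate lowered to starve a class therefore needs an explicit small quantum (or a larger r2q) to have the intended effect.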

Re: [LARTC] HTB Rate and Prio

2005-07-08 Thread Kirk Reiser
I don't quite understand this problem with bit torrent.  When I start
bittorrent with its max_upload_rate set to a value less than my total up
link bandwidth, it doesn't get in the way of anything at all as far as
I can tell.

  Kirk

-- 

Kirk Reiser The Computer Braille Facility
e-mail: [EMAIL PROTECTED]   University of Western Ontario
phone: (519) 661-3061
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


[LARTC] gre tunnel between networks with same subnet

2005-07-08 Thread Gabriel
/---\
|   |
|eth0   |eth0
|---|   |---|
|   |eth1  eth1 |   |
A   |___|   B   |-
|   |\  /   |   |
||  |   |
 |  |
 |  |
 ---
|___|
switch

What you see above is my setup. Box A is connected to
Box B through a switch. Box A is connected to the
Internet through eth0, same with Box B. The link that
goes through the switch is not very reliable, so I
want to connect the two boxes using their Internet
link via a gre tunnel. The problem is that the boxes
are on the same subnet (and I can't change that). I've
read about proxy arp, about bridging, but things are
still confused. Here are some numbers: eth1 on Box A
is 192.168.1.1/24, eth1 on Box B is 192.168.1.31/24.
On Box B there are 4 NICs, 3 of them (including eth1)
are bridged, with the bridge interface being br0
(192.168.1.31 is actually assigned to br0, not eth1).
I've read the lartc howto, so I created a tun0
interface on both boxes: ip tunnel add tun0 mode gre
remote remote_ip_here local local_ip_here ttl 255; ip
link set tun0 up. The problem is what do I do from
here? Do I bridge tun0 and eth1 on Box A and add tun0
to br0 on Box B? Or do I just enable proxy_arp for
eth1 and tun0 on Box A and for br0 and tun0 on B? Are
there any routes necessary (my guess is no, but I'm
not very sure)? And about proxy_arp: what do I have to
do to turn it on, just set
/proc/sys/net/ipv4/conf/iface/proxy_arp to 1 and
that's it? One last thing:
http://leaf.sourceforge.net/doc/howto/proxyarp.html#id2805973
says proxy-arp is not bridging (agreed) so DO NOT
CONFIGURE BRIDGE OPTIONS!!! Does this mean using
bridging and doing proxy-arp on the same box is not
possible?

Thanks.

(hope the ascii art comes out well)



[LARTC] libnl api

2005-07-08 Thread Alaios
Hi.. :)
Have you ever used libnl
(http://people.suug.ch/~tgr/libnl/)
for handling qdiscs? I have some questions and I want
to know if there is an appropriate place for asking
questions.. I don't know, and please tell me if I can
ask some questions also here...
Thx a lot







Re: [LARTC] libnl api

2005-07-08 Thread Thomas Graf
* Alaios [EMAIL PROTECTED] 2005-07-08 13:19
 Have you ever used libnl
 (http://people.suug.ch/~tgr/libnl/)
 for handling qdiscs? I have some questions and I want
 to know if there is an appropriate place for asking
 questions.. I don't know, and please tell me if I can
 ask some questions also here...

You may direct such questions to me, I'll be pleased to answer them.


RE: [LARTC] block p2p: ARES

2005-07-08 Thread :: L i n u XK i D ::

Hi !

I've tried the latest fantastic ipp2p kernel module.
My results are that:

Ares can be DROPPED only.
Emule, Kazaa and EDonkey 2000 can be limited and/or dropped.

And for this I have to use:

.
FW=/usr/local/sbin/iptables

# If I don't put next rule, Ares are not marked:
$FW -t mangle -A p2ptraffic -m ipp2p --ares -j DROP

# next p2p rules
$FW -t mangle -A p2ptraffic -p tcp -j CONNMARK --restore-mark
$FW -t mangle -A p2ptraffic -p tcp -m mark ! --mark 0 -j ACCEPT
$FW -t mangle -A p2ptraffic -p tcp -m ipp2p --ipp2p -j MARK --set-mark 10
$FW -t mangle -A p2ptraffic -p tcp -m mark --mark 10 -j CONNMARK --save-mark
$FW -t mangle -A p2ptraffic -p udp -m ipp2p --ipp2p -j MARK --set-mark 10
.

iptables-1.3.1
kernel-2.4.28
squid-cache - 2.5-STABLE10
Debian Stable.


I hope this information can help for ipp2p module.

thank you very much.
andres.



- -Original Message-

-
- Hi,
-
- there is a new version of ipp2p, which can detect ares connections now.
-
- just go to www.ipp2p.org and download this version.
-
- the parameter --ipp2p has changed, this is now ALL protocols
-
- please contact me if you find bugs...
-
- Klaus
-
- Klaus wrote:
-  I did a small test with the new ares version.
-  It seems they have switched their protocol and it is not
- detected at the
-  moment.
- 
-  Lets see how difficult the new ares protocol is and how fast we can
-  integrate this into ipp2p.
- 
-  Klaus
- 
-  :: L i n u XK i D :: wrote:
- 
-  Hi
- 
-  I'm trying to setup a LAN router with P2P filter
-  but the problem is that can't catch Ares.
- 
-  There is a way to DROP ares p2p packets ?
- 
-  I've tried with the last ipp2p snapshot without success...
- 
-  I've
-  Kernel 2.4.28
-  iptables 1.3.0
-  Various Patches from patch-o-matic-ng-20040621
-  iproute2-ss020116
-  IMQ Patch
-  Esfq Patch
-  Julian (route) Patch
-  Debian Woody
- 
- 
-  This is my MANGLE table...
- 
- 
-  Chain PREROUTING (policy ACCEPT 8557K packets, 2822M bytes)
-   pkts bytes target prot opt in out source
-  destination
-  85574   24M p2ptraffic  all  --  *  *   0.0.0.0/0
-  0.0.0.0/0
-  .
- 
-  Chain p2ptraffic (1 references)
-   pkts bytes target prot opt in out source
-  destination
-  11860 1620K CONNMARK   all  --  *  *   0.0.0.0/0
-  0.0.0.0/0   ipp2p v0.7.4 --ipp2p CONNMARK set 0xa
-  0 0 CONNMARK   all  --  *  *   0.0.0.0/0
-  0.0.0.0/0   ipp2p v0.7.4 --bit CONNMARK set 0xa
-  0 0 CONNMARK   all  --  *  *   0.0.0.0/0
-  0.0.0.0/0   ipp2p v0.7.4 --apple CONNMARK set 0xa
-  0 0 CONNMARK   all  --  *  *   0.0.0.0/0
-  0.0.0.0/0   ipp2p v0.7.4 --winmx CONNMARK set 0xa
-  157 CONNMARK   all  --  *  *   0.0.0.0/0
-  0.0.0.0/0   ipp2p v0.7.4 --soul CONNMARK set 0xa
-  0 0 DROP   all  --  *  *   0.0.0.0/0
-  0.0.0.0/0   ipp2p v0.7.4 --ares
-  .
-  54029   13M CONNMARK   all  --  *  *   0.0.0.0/0
-  0.0.0.0/0   CONNMARK match 0xa CONNMARK restore
- 
- 
-  But... ARES packets are not blocked at the moment
-   0 0 DROP     ipp2p v0.7.4 --ares
- 
- :-(
- 
-  Has somebody successfully blocked ARES?
- 
-  regards...
-  Andres.
- 


[LARTC] izbalancing - a GNU/Linux Firewall/Router Bash Script feauturing Incoming/Outgoing MultiHomed/LoadBalanced Subsystem Management

2005-07-08 Thread Ugo Viti
Hello,

I wrote a simple but (I hope) useful bash script featuring an easy and
fast configuration method for implementing a Linux gateway featuring
Incoming/Outgoing MultiHomed/LoadBalanced Subsystem Management.

I want to share this little script.

You can download a copy from the following address:

http://www.initzero.it/products/opensource/izbalancing/download/izbalancing

Just save it on your hd and open it with a text editor (vi, emacs,
gedit...) to configure the minimal variables.
The file itself contains instructions... just read.

Don't forget to 'chmod 750 izbalancing' :-)

The readme contained in the script file follows:

Best Regards

##
# What is this?
# =============
# This bash script allows you to easily and quickly configure a complex Load
# Balancing Multi Homed Internet Gateway for inbound and outbound traffic

# Key Features:
# =============
# - Multiple Balanced Default Gateway Configuration
# - Load Balanced outgoing connections from LAN to INTERNET connections
# - Management of multiple incoming connections from many INTERNET ISP lines to
#   DMZ/LAN Servers
# - SystemV compliant script... you can easily run it at boot up (like Red Hat,
#   Fedora, SuSE, Mandrake, etc...)
# - Automatically discovers your local IP addresses... you can change your IP
#   without reconfiguring this script, just restart
# - Start and Stop your MultiHomed Configuration cleanly with a simple command
#   (izbalancing start|stop|restart)
# - Adding new Internet Connections is very easy and fast
# - You only must know the TABLE ID to assign to the new line, the Ethernet name
#   of your NIC, and the Router IP Address

# Requirements:
# =============
# - GNU/Linux Firewall running Kernel >= 2.6.10 (with iptables module CONNMARK
#   available)
# - Bash Shell >= 2.0
# - Standard GNU/Linux coreutils utilities (cat, echo, grep, if, etc...)
# - GNU Version of awk and sed utilities
# - GNU/Linux Netfilter user space utilities (iptables >= 1.2.11)
# - iproute2 utilities
# - Two or more Internet connections (also from different ISPs and IP classes)
# - An ethernet card for each ISP Router

# Tested On:
# ==========
# - GNU/Linux Fedora Core 3 with 2 Internet Connections
# - GNU/Linux Fedora Core 4 with 2 Internet Connections

# Script Usage:
# =============
# 1) Configure or add the following variables:
#    TABLEn = Table number of internet connection 'n'
#    IFn    = The Ethernet Interface name of internet connection 'n'
#    GWn    = The Router IP Address of Internet connection 'n'
# 2) Add a line for every internet connection in the izbalancing function
# 3) Modify the command "ip route add default equalize nexthop via ..." adding
#    all ISPs' Router IPs
# 4) Comment out the iptables rules
# 5) Save this file and execute it at boot time (for Red Hat systems you can
#    copy this script into the /etc/rc.d/init.d/ directory
#    and launch 'chkconfig --add izbalancing')

# That's all...

-- 
Ugo Viti
Linux Red Hat Certified Engineer

InitZero S.r.l.
Via P. Calamandrei 24, 52100 Arezzo
Tel. +39 0575 1822155 - Fax. +39 0575 1822156
WWW: http://www.initzero.it
E-Mail: [EMAIL PROTECTED]



Re: [LARTC] HTB Rate and Prio

2005-07-08 Thread Francisco Pereira

Kirk Reiser wrote:

I don't quite understand this problem with bit torrent.  When I start
bittorrent with its max_upload_rate set to a value less than my total up
link bandwidth, it doesn't get in the way of anything at all as far as
I can tell.

  Kirk



Not all network administrators have your luck. :-)
The problem is when you can't control the workstations, and the users
can use this kind of network-unfriendly software (that tries to steal
the other software's or users' bandwidth).


I believe that the user's perception of the network speed is important in a
network, basically in all the interactive traffic.
I don't know of the existence of a framework to model the user's perception,
which would allow taking measures of this kind of parameter. I'm not
talking about delays, jitter, etc., but about the user's perception, and
how the user's perception can be enhanced.


Regards,
Francisco.


[LARTC] P2P shaping working

2005-07-08 Thread Edgar
Hello, it's me again. Finally p2p traffic is getting shaped, but now I still
have one problem: download seems to be affected when shaping the traffic. ACK
packets are in the interactive queue too, as someone advised me. What fixed
the problem was to change the rates, to make the sum of all subclasses match the
root class rate, and to give the p2p class a very low rate (1k actually) and
75% of the bandwidth for the ceiling. Well, as I said, this is working, but
downloading seems to be affected too: I get pretty low rates (this doesn't
happen when I'm not shaping the traffic, but then I can't do anything else
but bittorrent). Does anyone have a clue why this is happening?

Thanks to everyone that helped me, I really appreciate it.

EDGAR MERINO


[LARTC] Question about TCNG

2005-07-08 Thread Edgar
Hello, after compiling my tcng rules, I've noticed something weird: the tc
filter rules it returns give a flowid different from the classes it creates.
For example, you have a class 2:3 and had defined some conditions (e.g. some
ports) to go into that class, but when I compile the .tcc file it returns
something like:
 tc filter add dev eth1 parent 1:0 protocol all prio 1 u32 match u8 0x5 0xf at 0 match u8 0x10 0x10 at 33 classid 1:2

It gives the same classid for all the matches I made (meaning for different
classes) and that class doesn't even exist! Can someone explain this to me,
please? Thank you

EDGAR MERINO


[LARTC] Interface bound routing

2005-07-08 Thread Stas Khirman

Hi,

I'm sorry for novice-level question, but I hope your expert advice will
save me many painful hours running after my own tail...

Let's assume I have a Linux box with eth0, eth1 and eth2 interfaces. Each one
has an IP assigned from a different network. By default, the IP address
associated with eth0 is chosen for default routing. My application creates
three TCP sockets and explicitly binds them one to each of the ethX interfaces.
However, due to the default gateway assigned to eth0, all outgoing traffic
passes via interface eth0, regardless of which socket is used to send it.

QUESTION:
How can I configure my routing in such a way that outgoing traffic always
exits the host by the interface associated with the transmitting socket? (I
have heard a little about source routing, and the ideas from
http://lartc.org/howto/lartc.rpdb.html#LARTC.RPDB.SIMPLE are helping, but I
don't like the idea of running ip rule add each time my IP changes.) I'm
looking for some simple way to instruct the routing engine to forward packets
via the associated interfaces.

Regards
Stas
P.S. Sorry for posting my question again - I haven't received any responses
yet ;-(


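The configuration the question asks for, as an added example that is not part of the thread: one routing table per interface, selected by a policy rule on the packet's source address, which is the RPDB approach from the HOWTO section the question links. Binding a socket fixes only the source address; the output interface is still chosen by the routing lookup, so that lookup has to be keyed on the source address. Because the rule is keyed on the address, it does have to be re-applied whenever the address changes, so a script like this belongs in whatever hook configures the interface (a DHCP client hook or an ifup script). The interface names, addresses, gateways and table numbers are constructed placeholders; the script prints the ip(8) commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread): per-interface routing tables so that a
# packet sourced from an interface's address always leaves through that
# interface, whatever the main table's default route says.
# Addresses, gateways and table numbers are placeholders. Commands are
# printed, not executed: review them, then pipe into `sudo sh`.

# network_of ADDR PREFIXLEN -> dotted network address (IPv4 only)
network_of() {
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    plen=$2
    ipn=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    # 32-bit mask with the top PREFIXLEN bits set, without shifting by 32
    mask=$(( 4294967295 - ((1 << (32 - plen)) - 1) ))
    net=$(( ipn & mask ))
    echo "$(( (net >> 24) & 255 )).$(( (net >> 16) & 255 )).$(( (net >> 8) & 255 )).$(( net & 255 ))"
}

# iface_routes IFACE ADDR PREFIXLEN GATEWAY TABLE
# One table per interface: the connected subnet, a default route via that
# interface's gateway, and a rule sending packets *from* ADDR to the table.
# The rule is deleted first so re-running the script does not pile up
# duplicate rules.
iface_routes() {
    dev=$1; addr=$2; plen=$3; gw=$4; tbl=$5
    net=$(network_of "$addr" "$plen")
    cat <<EOF
ip route replace $net/$plen dev $dev src $addr table $tbl
ip route replace default via $gw dev $dev table $tbl
ip rule del from $addr table $tbl 2>/dev/null
ip rule add from $addr table $tbl priority $tbl
EOF
}

# Example host with three interfaces on three networks (constructed values).
# The main table keeps its normal default route for unbound sockets.
plan_all() {
    iface_routes eth0 192.0.2.10    24 192.0.2.1    100
    iface_routes eth1 198.51.100.10 24 198.51.100.1 101
    iface_routes eth2 203.0.113.10  24 203.0.113.1  102
    echo "ip route flush cache"
}

plan_all
```

A socket bound to 198.51.100.10 now matches the "from 198.51.100.10" rule, table 101 is consulted, and its default route sends the packet out eth1. Check the result with `ip rule show` and `ip route show table 101`, and confirm the selected path for a given source with `ip route get 8.8.8.8 from 198.51.100.10`. As a side effect, the reverse-path lookup the kernel performs for rp_filter is keyed on the same address, so replies arriving on eth1 are not dropped as spoofed.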


[LARTC] RFC - bandwidth optimization idea

2005-07-08 Thread Don Cohen

I'm interested in all of
- opinions about why this is a good or bad idea
- pointers to similar proposals or products that already exist
- implementation suggestions

This is meant for real time applications that have small available
bandwidth and so they have to consider carefully what's the best way
to use that bandwidth.  I imagine that things happen that cause them
to continually reevaluate what's the most important/urgent thing to
send next.  I want to make it possible for them to delay the choice
until the OS is actually ready to send that next packet.  The reason
they can't do this now is that the OS enqueues packets.  Suppose an
application uses udp or tcp to tell the OS to send some data.  It then
discovers that data is obsolete.  The old data might still be in the
queue to be sent but it's too late to recall it.  One way to avoid
that is to always delay telling the OS to send something until the OS
is almost ready to send the next packet from the queue that your data
will enter.  But that's not so easy to do, and there's a big penalty
if you wait just a little too long.  What I want, at least
conceptually, is that the application maintains its own queue of data
to be sent, ordered by priority.  Whenever the OS is ready to send the
next packet for that application, it removes the highest priority
packet (if any) from the queue and sends it.


Re: [LARTC] RFC - bandwidth optimization idea

2005-07-08 Thread Andreas Klauer
On Saturday 09 July 2005 05:55, Don Cohen wrote:
 What I want, at least conceptually, is that the application maintains its
 own queue of data to be sent, ordered by priority.  Whenever the OS is
 ready to send the next packet for that application, it removes the
 highest priority packet (if any) from the queue and sends it.

Doesn't every QDisc work that way? When the kernel wants to send a packet, 
it calls the appropriate dequeue() function in the QDisc. I'm not a kernel 
developer so this guess might be wrong.

But still, I don't think that the queueing is the main problem with your 
idea... the main problem is, how do you decide what's important and what 
not, and what's obsolete?

Andreas


Re: [LARTC] RFC - bandwidth optimization idea

2005-07-08 Thread Paul Hampson
On Fri, Jul 08, 2005 at 08:55:08PM -0700, Don Cohen wrote:
 
 I'm interested in all of
 - opinions about why this is a good or bad idea
 - pointers to similar proposals or products that already exist
 - implementation suggestions

 This is meant for real time applications that have small available
 bandwidth and so they have to consider carefully what's the best way
 to use that bandwidth.  I imagine that things happen that cause them
 to continually reevaluate what's the most important/urgent thing to
 send next.  I want to make it possible for them to delay the choice
 until the OS is actually ready to send that next packet.  The reason
 they can't do this now is that the OS enqueues packets.  Suppose an
 application uses udp or tcp to tell the OS to send some data.  It then
 discovers that data is obsolete.  The old data might still be in the
 queue to be sent but it's too late to recall it.  One way to avoid
 that is to always delay telling the OS to send something until the OS
 is almost ready to send the next packet from the queue that your data
 will enter.  But that's not so easy to do, and there's a big penalty
 if you wait just a little too long.  What I want, at least
 conceptually, is that the application maintains its own queue of data
 to be sent, ordered by priority.  Whenever the OS is ready to send the
 next packet for that application, it removes the highest priority
 packet (if any) from the queue and sends it.

I believe the general solution to this is to use UDP, and make sure
your source machine doesn't queue up packets locally (eg. ethernet
network contention) and let the best-effort nature of UDP deal with
dropping stuff that gets delayed.

I'm not sure there's any way to have an 'I changed my mind about
sending that' interface into your network stack... And generally
it wouldn't be useful, data spends longer in transit than it does
in your queues.

-- 
Paul TBBle Hampson, on an alternate email client.