Re: [LARTC] I gave up.-...-.-.-.- :'(
On Saturday 01 October 2005 16:05, Guillermo Javier Nardoni wrote:
> SO WHAT AM I DOING WRONG, BECAUSE ALL TRAFFIC COMING OR
> GOING JUST FALLS ON 1:10 (DEFAULT LEAF)

Check with iptables -L -v -n -t mangle to see if the counters are incrementing like they should be.

Also, classes and marks are in hex. So try "--set-mark 0x60" to force the number to be interpreted as a hex number.

And using iptables + tc works. I used it in a few hundred scripts. Check out www.docum.org for working examples.

Stef

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

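The counter check suggested in the reply above, automated as an added example (not part of the original post): the functions read an `iptables -L -v -n -x -t mangle` listing and report every MARK rule whose packet counter is still zero. The embedded listing is constructed sample output and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find MARK rules in the mangle table that no packet ever hit.
# On a live box:  iptables -L -v -n -x -t mangle | dead_mark_rules
# (-x prints exact counters instead of rounded values such as "12K").

# Constructed sample listing, not taken from the thread. iptables prints the
# mark in hex: a rule added with "--set-mark 60" is listed as "MARK set 0x3c".
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 5120 packets, 610233 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     412    35210 MARK       tcp  --  eth1   *       172.16.0.0/16        0.0.0.0/0           tcp dpt:80 MARK set 0x3c
       0        0 MARK       udp  --  eth1   *       172.16.0.0/16        0.0.0.0/0           udp dpt:80 MARK set 0x3c

Chain OUTPUT (policy ACCEPT 4800 packets, 2210877 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 MARK       tcp  --  *      eth1    0.0.0.0/0            172.16.0.0/16       tcp dpt:80 MARK set 0x3c
EOF
}

# mark_rule_hits: read a listing on stdin and print one line per MARK rule:
#   <chain> <rule-number-in-chain> <pkts> <mark-as-printed> <status>
mark_rule_hits() {
    awk '
        $1 == "Chain"           { chain = $2; n = 0; next }  # new chain header
        $1 == "pkts" || NF == 0 { next }                     # column header / blank
                                { n++ }                      # every other line is a rule
        $3 == "MARK" {
            mark = "?"
            for (i = 4; i < NF; i++)
                if ($i == "set" || $i == "xset") mark = $(i + 1)
            status = ($1 == "0") ? "NEVER-MATCHED" : "ok"
            printf "%s %d %s %s %s\n", chain, n, $1, mark, status
        }'
}

# dead_mark_rules: only the MARK rules that never matched, as <chain>:<rule-number>.
dead_mark_rules() {
    mark_rule_hits | awk '$5 == "NEVER-MATCHED" { print $1 ":" $2 }'
}

# Demonstration on the constructed listing.
sample_listing | mark_rule_hits
```

A rule reported as NEVER-MATCHED is not seeing the traffic at all (wrong chain, interface or address match), so no tc filter can act on its mark; the hex value in the fourth column is the number to compare with what `tc filter show` reports for the fw handles.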
Re: [LARTC] need help on multiple isp routing
could someone take a fresh look at my configuration and then tell me where i took the wrong turn.

yes, outgoing packets take different routes/gateways based on an ip fwmark/iptables mark. at least i believe they do. but when i run an iftop session (one per each of the ppp interfaces) i see that packets (with correct outgoing ip) go out and get replies only on ppp0, while ppp1 only sends (outgoing ip's also correct) and receives but doesn't forward.

some mistake i did in filter input/forward nat prerouting, huh? i don't get it... should i somehow mark incoming packets as well? i'm lost :( or drop packets from ppp0 on ppp1 and then ppp1 on ppp0?

#!/bin/bash
# (bash, not plain sh: the script uses arrays)

PPP=(ppp0 ppp1)
# local address of each ppp link
IP=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $3}'` `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $3}'`)
# peer (gateway) address of each ppp link
GATEWAY=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $5}'` `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $5}'`)

route del default
ip route flush table auxiliary

# copy every non-default route from main into the auxiliary table
ip route show table main | grep -Ev ^default \
  | while read ROUTE ; do
      ip route add table auxiliary $ROUTE
  done

ip route add table auxiliary default via ${GATEWAY[1]} dev ${PPP[1]}
ip route add table main default via ${GATEWAY[0]} dev ${PPP[0]}

ip rule add fwmark 252 table auxiliary
ip rule add fwmark 254 table main

iptables -F
iptables -F -t nat
iptables -F -t mangle

iptables -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp1 -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -i ppp1 -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i ppp+ -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -m udp --dport 123 -j ACCEPT
iptables -A INPUT -i ppp1 -p tcp -m tcp --dport 55000:55500 -j ACCEPT
iptables -A INPUT -i ppp+ -m state --state NEW,INVALID -j DROP

iptables -A FORWARD -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -i ppp1 -p tcp -m tcp --dport 4663 -j ACCEPT
iptables -A FORWARD -i ppp0 -p udp -m udp --dport 4672 -j ACCEPT
iptables -A FORWARD -i ppp1 -p udp -m udp --dport 4673 -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp -m tcp --dport 5000:5010 -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp -m tcp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ppp0 -p udp -m udp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,INVALID -j DROP

# routing marks per LAN host
iptables -t mangle -A PREROUTING -s 192.168.0.62 -j MARK --set-mark 252
iptables -t mangle -A PREROUTING -s 192.168.0.16 -j MARK --set-mark 254

iptables -t mangle -A PREROUTING -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p udp -m udp --sport 123 -j TOS --set-tos Minimize-Delay

iptables -t mangle -A OUTPUT -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p udp -m udp --dport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p udp -m udp --dport 123 -j TOS --set-tos Minimize-Delay

# port forwards to the LAN hosts
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 4662 -j DNAT --to 192.168.0.16:4662
iptables -t nat -A PREROUTING -i ppp1 -p tcp -m tcp --dport 4663 -j DNAT --to 192.168.0.62:4663
iptables -t nat -A PREROUTING -i ppp0 -p udp -m udp --dport 4672 -j DNAT --to 192.168.0.16:4672
iptables -t nat -A PREROUTING -i ppp1 -p udp -m udp --dport 4673 -j DNAT --to 192.168.0.62:4673
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 5000:5010 -j DNAT --to 192.168.0.16:5000-5010
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m t

[LARTC] heavy VBR traffic with HTB
Hello!

I made a simple configuration with HTB, 10% http and 90% Video, where http can share the available bandwidth left from video.

But :(... I think HTB is not very fast and it can't adapt quickly to the great variation of the MPEG 4 VBR (700M film), and sometimes it jerks a bit in great variations of bandwidth. I'm making a download to have always 100% bandwidth utilization (or near).

This setup is running on a controlled home LAN.

Has anyone tried something like that? Am I missing something?

Please someone tell me something.

thanks
Tiago

PS: sorry for my English :(

Re: [LARTC] imq + htb
Andy Furniss wrote:
> choros wrote:
>> tc filter add dev imq0 parent 10:2 protocol ip prio 1 handle 3 fw classid 10:23
>
> The filters need to be on the root - 10: or you need another filter on
> 10: to filter the packets to 10:2.
>
> Andy.

Thanks for your help. I did what you said and everything seems to be OK.

Jorge

[LARTC] I gave up.-...-.-.-.- :'(
Actually I gave up. I tried and tried and tried so many times, upgrading software, falling back to an old version, but it didn't work, that's it. I can't make tc work together with iptables and iproute2: when I mark a packet with iptables, tc doesn't recognize it, so it falls into the default leaf of the tc tree. What I would like is to mark packets depending on their IP (the one that makes a connection into the Linux (gateway) box) and port. I'll transcribe my script because I really don't know what to do.

P.S. So, what I would like to do is just simple, I guess: everything that comes from eth1 and goes to eth1 (LAN users to Linux box services) must be shaped by IP address + port (dport I guess, INPUT/OUTPUT chain?) and everything that comes from ETH1 and goes to ETH0 (Internet access, I guess PREROUTING/POSTROUTING/FORWARD chain) MUST BE SHAPED BY PORT + IP ADDRESS.

I have this situation on the Linux server:

eth0: (Out to internet)
eth1: (LAN)

configuration: eth0 (network 200.123.166.72, broadcast: 200.123.166.79; (ip range: 200.123.166.73-77)
eth0 ip: 200.123.166.73
eth0: gw: 200.123.166.78
eth0: netmask: 255.255.255.248
eth0 dns1: 200.123.166.73
eth0 dns2: 200.123.166.74

configuration: eth1 (network 172.16.0.0 broadcast: 172.16.0.255 (ip range: 172.16.0.1-254)
eth1 ip: 172.16.0.1
eth1: gw: (none)
eth1: netmask: 255.255.0.0
eth1: dns1: 200.123.166.73
eth1: dns2: 200.123.166.74

LINUX BOX SERVING THESE SERVICES:
HTTP (PORT 80)
SMTP (PORT 25)
POP3 (PORT 110)
SSH (PORT 22)
FTP (PORT 20-21)
SMB FS (PORT 136-139)
IRC (PORT 6667)

CONFIGURATION OF TC:

tc=/sbin/tc
iptables=/sbin/iptables

echo "Building tc Classes"
IFACE="eth0 eth1"
for i in $IFACE;do
$tc qdisc add dev $i root handle 1: htb default 10
$tc class add dev $i parent 1: classid 1:1 htb rate 2048mbit
$tc class add dev $i parent 1:1 classid 1:10 htb rate 10kbit ceil 128kbit quantum 1514
$tc class add dev $i parent 1:1 classid 1:20 htb rate 10kbit ceil 256kbit quantum 1514
$tc class add dev $i parent 1:1 classid 1:30 htb rate 10kbit ceil 512kbit quantum 1514
$tc class add dev $i parent 1:1 classid 1:40 htb rate 10kbit ceil 1024bit quantum 1514
$tc class add dev $i parent 1:1 classid 1:50 htb rate 10kbit ceil 2048bit quantum 1514
$tc class add dev $i parent 1:1 classid 1:60 htb rate 10kbit ceil 256kbit quantum 1514 # USED FOR HTTP/IRC
$tc class add dev $i parent 1:1 classid 1:70 htb rate 10kbit ceil 128kbit quantum 1514 # USED FOR EMAIL (SMTP/POP3)
$tc qdisc add dev $i parent 1:10 handle 10: sfq perturb 10
$tc qdisc add dev $i parent 1:20 handle 20: sfq perturb 10
$tc qdisc add dev $i parent 1:30 handle 30: sfq perturb 10
$tc qdisc add dev $i parent 1:40 handle 40: sfq perturb 10
$tc qdisc add dev $i parent 1:50 handle 50: sfq perturb 10
$tc qdisc add dev $i parent 1:60 handle 60: sfq perturb 10
$tc qdisc add dev $i parent 1:70 handle 70: sfq perturb 10
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 10 fw flowid 1:10
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 20 fw flowid 1:20
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 30 fw flowid 1:30
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 40 fw flowid 1:40
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 50 fw flowid 1:50
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 60 fw flowid 1:60
$tc filter add dev $i parent 1:0 protocol ip prio 0 handle 70 fw flowid 1:70
done

PORTS="80 6667 20 21" #ANY IP MUST BE SHAPED BY THESE PORTS TO THE 1:60 LEAF
for i in $PORTS;do
$iptables -t mangle -A INPUT -i eth1 -s 172.16.0.0/16 -p tcp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A INPUT -i eth1 -s 172.16.0.0/16 -p udp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A OUTPUT -o eth1 -d 172.16.0.0/16 -p tcp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A OUTPUT -o eth1 -d 172.16.0.0/16 -p udp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A INPUT -i eth0 -d 200.123.166.72/30 -p tcp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A INPUT -i eth0 -d 200.123.166.72/30 -p udp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A OUTPUT -o eth0 -d 200.123.166.72/30 -p tcp --dport $i -j MARK --set-mark 60
$iptables -t mangle -A OUTPUT -o eth0 -d 200.123.166.72/30 -p udp --dport $i -j MARK --set-mark 60
done

SO WHAT AM I DOING WRONG, BECAUSE ALL TRAFFIC COMING OR GOING JUST FALLS ON 1:10 (DEFAULT LEAF)

This is an extract from the script, so it shows you the LOCAL PROCESS of information, not PREROUTING.

PLEASE HELP ME, I DON'T KNOW WHAT TO DO AND MY SYSTEM IS GOING DOWN FASTER.

MY CONFIGURATION IS:
ip utility, iproute2-ss050330
tc utility, iproute2-ss050330
iptables v1.3.3
kernel: 2.6.13
patch applied for kernel and iproute and iptables (esfq + wrr)

help

thank you so much
Guillermo from Argentina

Re: [LARTC] Hmmm... Weird results with HTB in kernel 2.6.11
Justin Schoeman wrote:
> Hi all,
>
> I have been getting some strange results with HTB in kernel 2.6.11, and
> was wondering if anybody could give me some advice. Also, if someone could
> direct me to the changelog for the recent versions so I can see if it is
> worth upgrading?
>
> Anyway, the problem can best be summed up by looking at the output of
> 'tc -s -d class show dev eth0'. Some of the relevant results are:
>
> class htb 1:1 root rate 1686Kbit ceil 1686Kbit burst 1809b/8 mpu 0b overhead 0b cburst 1809b/8 mpu 0b overhead 0b level 7
>  Sent 1964319339 bytes 2514673 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 1694Kbit 244pps backlog 0b 0p requeues 0
>  lended: 1257439 borrowed: 0 giants: 0
>  tokens: -29826 ctokens: -29826
>
> class htb 1:8 parent 1:1 rate 32000bit ceil 1686Kbit burst 1603b/8 mpu 0b overhead 0b cburst 1809b/8 mpu 0b overhead 0b level 6
>  Sent 27361971 bytes 52043 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 32704bit 6pps backlog 0b 0p requeues 0
>  lended: 16076 borrowed: 2007 giants: 0
>  tokens: -1796566 ctokens: 16310
>
> class htb 1:39 parent 1:1 rate 8000bit ceil 1686Kbit burst 1600b/8 mpu 0b overhead 0b cburst 1809b/8 mpu 0b overhead 0b level 6
>  Sent 258423850 bytes 281091 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 132152bit 19pps backlog 0b 0p requeues 0
>  lended: 5241 borrowed: 270604 giants: 0
>  tokens: -1073545 ctokens: 1525
>
> As you can see, the parent class is pretty much maxed out, which is fine,
> but two of the child classes are not OK... 1:8 with a target rate of
> 32kbit is getting 32kbit, while 1:39 with a target rate of 8kbit is
> getting 132kbit!
>
> Looking at the states, this seems to be the normal state while the link is
> saturated.
>
> Can anybody see something obvious wrong (perhaps an underflow, or
> something?), or is more info needed? If so, what info?

Neither are backlogged - If several consecutive tc -s -d class show dev eth0 are the same then htb isn't limiting them at that time.

1:39 is allowed to borrow - but you say the link is full. Perhaps your ceil is too high and you are not fully in control, or you have attached queues to the leafs which are too short, or there is packet loss elsewhere.

Andy.

[LARTC] Re: RE: Control Traffic
Hi Andreas!

I mainly understand what you mean. I tried to fix something in the script, I don't know if I did it well. Can you take another look at it please and, if it is wrong, make the corrections directly in it so that I see where the mistake is...

With this script I want to make limits for IP class 85.120.48.0/25 for international traffic in 256 KBps classes and for metropolitan traffic 100 MB or approximately.

Thank you!

#!/bin/bash

### units of measure for bandwidth
# kbps - kilobytes per second
# mbps - megabytes per second
# kbit - kilobits per second
# mbit - megabits per second

EXT_IF="eth0"
INT_IF="eth1"
TC=/sbin/tc
IPTABLES=/sbin/iptables

# RATE DOWNLOAD
RAD_INET_ALL="1736kbit"
RAD_INET_LOW="64kbit"
RAD_INET_HIGH="256kbit"
RAD_METRO_ALL="90mbit"
RAD_METRO_LOW="70mbit"
RAD_METRO_HIGH="80mbit"

# RATE UPLOAD
RUP_INET_ALL="1536kbit"
RUP_INET="128kbit"
RUP_METRO_ALL="90mbit"
RUP_METRO="70mbit"

# INTRANET RATE
RATE_INTRA="80mbit"

DEST="85.120.48.128/25 192.171.172.0/24 10.10.10.0/24 217.156.110.86/32 193.226.18.0/24"

if [ "$1" = "status" ]
then
  clear
  echo "* [ discipline interfata $EXT_IF ]"
  $TC qdisc show dev $EXT_IF
  echo "* [ disciplinele interfata $INT_IF ]"
  $TC qdisc show dev $INT_IF
  echo "* [ clase interfata $EXT_IF ]"
  $TC class show dev $EXT_IF
  echo "* [ clase interfata $INT_IF ]"
  $TC class show dev $INT_IF
  echo "* [ filtre interfata $EXT_IF ]"
  $TC filter show dev $EXT_IF
  $TC filter show dev $EXT_IF parent 1:20
  $TC filter show dev $EXT_IF parent 1:30
  echo "* [ filtre interfata $INT_IF ]"
  $TC filter show dev $INT_IF
  $TC filter show dev $INT_IF parent 1:20
  $TC filter show dev $INT_IF parent 1:30
  echo
  echo "* [ marcarea traficului ]"
  $IPTABLES -n -t mangle -L POSTROUTING
  exit
fi

$TC qdisc delete dev $EXT_IF root 2> /dev/null
$TC qdisc delete dev $INT_IF root 2> /dev/null
$TC qdisc delete dev $INT_IF ingress 2> /dev/null
$IPTABLES -t mangle -F POSTROUTING

if [ "$1" = "stop" ]
then
  echo "[*] Managementul debitului este oprit."
  exit
fi

### 1] Classes for metropolitan/internet traffic on both interfaces:
$TC qdisc add dev $EXT_IF root handle 1: htb default 30
$TC class add dev $EXT_IF parent 1: classid 1:1 htb rate 100mbit
$TC class add dev $EXT_IF parent 1:1 classid 1:20 htb rate $RUP_METRO_ALL
$TC class add dev $EXT_IF parent 1:1 classid 1:30 htb rate $RUP_INET_ALL

$TC qdisc add dev $INT_IF root handle 1: htb default 30
$TC class add dev $INT_IF parent 1: classid 1:1 htb rate 100mbit
$TC class add dev $INT_IF parent 1:1 classid 1:20 htb rate $RAD_METRO_ALL
$TC class add dev $INT_IF parent 1:1 classid 1:30 htb rate $RAD_INET_ALL

### 2] Explicit classification of metropolitan traffic
for i in $DEST; do
  $TC filter add dev $EXT_IF parent 1: protocol ip u32 match ip dst $i flowid 1:20
  $TC filter add dev $INT_IF parent 1: protocol ip u32 match ip src $i flowid 1:20
done

### Client 1 => #85.120.48.0/25
# class
$TC class add dev $EXT_IF parent 1:20 classid 1:21 htb rate $RUP_METRO
$TC class add dev $EXT_IF parent 1:30 classid 1:31 htb rate $RUP_INET
$TC class add dev $INT_IF parent 1:20 classid 1:21 htb rate $RAD_METRO_LOW ceil $RAD_METRO_HIGH
$TC class add dev $INT_IF parent 1:30 classid 1:31 htb rate $RAD_INET_LOW ceil $RAD_INET_HIGH
# MARK
$IPTABLES -t mangle -A POSTROUTING -o $EXT_IF -s 85.120.48.0/25 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o $INT_IF -d 85.120.48.0/25 -j MARK --set-mark 1
# classification
$TC filter add dev $EXT_IF parent 1:20 protocol ip handle 1 fw flowid 1:21
$TC filter add dev $EXT_IF parent 1:30 protocol ip handle 1 fw flowid 1:31
$TC filter add dev $INT_IF parent 1:20 protocol ip handle 1 fw flowid 1:21
$TC filter add dev $INT_IF parent 1:30 protocol ip handle 1 fw flowid 1:31

echo "[*] Managementul debitului este activ."

[EMAIL PROTECTED] wrote:
> Message: 1
> Date: Sun, 25 Sep 2005 12:09:52 +0200
> From: Andreas Klauer <[EMAIL PROTECTED]>
> Subject: Re: [LARTC] Traffic Control
>
> On Sunday 25 September 2005 07:37, Daniel Phlander wrote:
>> I made a script as the attached one but it doesn't make any limit and I
>> can't figure out what the problem is.
>
> This is only a quick guess by glancing at your script, but it seems that
> your HTB class tree is messed u

Re: [LARTC] Dequeue
[EMAIL PROTECTED] wrote:
> Hi,
>
> Does the 'tc' tool show dequeue statistics? If so what switches does one
> use to see this.

No it shows enqueue.

> If not which is the best way to see these statistics?

tcpdump or Vincent Perrier's monitoring tool at www.rawsoft.org

Andy.

Re: [LARTC] imq + htb
choros wrote:
> tc filter add dev imq0 parent 10:2 protocol ip prio 1 handle 3 fw classid 10:23

The filters need to be on the root - 10: or you need another filter on 10: to filter the packets to 10:2.

Andy.