[LARTC] A question in tcng

2006-02-01 Thread Rani Ahmed

This is my tcng code.
When converting tcng to tc code, I get in the tc code for (ipproto "skip") => (ipproto 57). Sure, it's taken from the mapping in /etc/protocols. ipproto is the protocol value.

What kind of "ipproto" integer value should it be to mean (ipproto "any") or (ipproto "whatever") or (ipproto "don't_care")? I'll replace the string value later from my /etc/protocols. However, I think it's zero.

I know I could have not inserted the option (ipproto), but it's complaining about it.
rsvp is not working as rsvp() (without parameters, I mean). The documentation says it can be without parameters.



ingress {
    // can also be rsvp(ipproto "tcp") or whatever is in /etc/protocols,
    // according to requirements
    rsvp(ipproto "skip") {

        // example of using the on() function
        /*
        on (src 192.168.2.1, sport 30, dst 192.168.2.1, dport 21)
            police(rate 5kBps, burst 5kB) drop ;
        */

        class(1)
            on (src 192.168.2.2, dst 192.168.2.1)
                police(rate 5kBps, burst 50kB) drop ; // , mtu 1510B

    } // end rsvp
} // end ingress

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


Re: [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router

2006-02-01 Thread Philippe Latu
Hello,

On Wednesday 1 February 2006 23:11, LinuXKiD wrote:
> Sometimes, I fail to access some HTTPS URLs or the MSN service
> if you (dlink or router) mis-manipulate the MTU

Did you try the TCPMSS netfilter target?

For instance:
-A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 \
   -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -o ppp0 -j MASQUERADE

As you are probably using pppoe on the telephone loop, the maximum transmit
unit cannot reach its maximum of 1500 bytes.
The pppoe header takes 4 bytes.

You should also let some icmp packets get in, in order to have pmtu discovery
effective.

HTH,

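To show what the TCPMSS rule quoted above does to a SYN, here is an added Python model (my code, not from the post and not netfilter's implementation): it walks the raw TCP options field, applies the "--mss 1400:1536" match and rewrites the MSS to fit the path MTU. The MTU values and the sample SYN options are constructed assumptions.

```python
import struct

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options

def mss_for_mtu(mtu):
    """Largest TCP payload that still fits in one packet of the given MTU."""
    return mtu - IP_HDR - TCP_HDR

def iter_tcp_options(opts):
    """Yield (offset, kind, length) for each option in a raw TCP options field,
    stopping at EOL or at the first malformed option."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # EOL
            return
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            return               # truncated option
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return               # bad length, do not trust the rest
        yield i, kind, length
        i += length

def clamp_syn_mss(options, mtu, match_range=(1400, 1536)):
    """Model of '-m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu'.

    Returns (new_options, old_mss, new_mss). The MSS option (kind 2, length 4)
    is rewritten only when it lies inside match_range (the rule's match part)
    and exceeds what the MTU allows (the target's clamp). Packets without an
    MSS option are returned unchanged with (None, None).
    """
    limit = mss_for_mtu(mtu)
    out = bytearray(options)
    for off, kind, length in iter_tcp_options(out):
        if kind == 2 and length == 4:
            old = struct.unpack_from("!H", out, off + 2)[0]
            lo, hi = match_range
            if lo <= old <= hi and old > limit:
                struct.pack_into("!H", out, off + 2, limit)
                return bytes(out), old, limit
            return bytes(out), old, old
    return bytes(out), None, None

# Constructed SYN options as an Ethernet host would send them:
# MSS 1460, NOP, NOP, SACK-permitted.
SAMPLE_SYN_OPTS = bytes([2, 4, 0x05, 0xb4, 1, 1, 4, 2])
```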

RE: [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router

2006-02-01 Thread LinuXKiD
Sometimes, I fail to access some HTTPS URLs or the MSN service
if you (dlink or router) mis-manipulate the MTU

andres


->
-> Hi,
->
-> > try next:
-> > - Put d-link ADSL as "modem"
-> > - Make PPPoE call under Linux
->
-> Yes I've already tried this - that's my current configuration since one
-> week;)
->
-> But I want to understand why it's not possible to use the D-Link as a
-> router, and for what kind of problem the tcpdump results stand for.
->
-> Ralph
->
-> >
-> >
-> >
-> > ->
-> > -> Hi,
-> > ->
-> > -> I have the shown (end of this post) network configuration.
-> > ->
-> > -> In a "few" words: My Debian Sarge server is connected to a D-Link ADSL
-> > -> Router (DSL-562T). DMZ is enabled for the Debian Sarge IP on the Router.
-> > ->
-> > -> My Linux server has two NICs.
-> > -> ethlan = internal Net
-> > -> ethdsl = external -> D-Link
-> > ->
-> > -> My Linux server is configured to make NAT via iptables.
-> > ->
-> > -> Current state - what's working:
-> > -> - Access from internal LAN to Internet is working (http, https, ftp, etc)
-> > -> - Access inside the LAN is working
-> > -> - Access inside the LAN to the linux server is working (http, https,
-> > -> IMAP and SSH)
-> > -> - Access from outside the LAN (from internet) to the Linux server is
-> > -> working for https, IMAP and SSH
-> > ->
-> > -> ***BUT***:
-> > -> Same problem, similar for SSH, https and IMAP:
-> > -> On an internet browser inside the lan I can't access the webserver on
-> > -> the Linux Server when I enter the external URL of the Linux server
-> > -> (dynDNS domain name).
-> > -> The https-page won't be opened. A simple ping to the linux server with
-> > -> the same dynDNS domain name works. Trying to enter the external IP of
-> > -> the linux server in the browser also won't work.
-> > -> The page won't be opened in the browser.
-> > ->
-> > -> The page is then not opened in the browser.
-> > -> Via telnet to https or ssh or IMAP, likewise no connection is
-> > -> established when I give the dynDNS domain name as the target.
-> > -> As said, if I enter the local name or the local IP instead of the
-> > -> dynDNS domain name, then it works.
-> > ->
-> > -> iptables should log dropped packets. But there aren't any
-> > -> dropped packets.
-> > -> Ifconfig also does not show any errors (dropped packets) for ethlan /
-> > -> ethdsl.
-> > ->
-> > -> So I've tried to understand what tcpdump shows for port 443. But I'm
-> > -> bound to say that I'm absolutely not firm with tcpdump.
-> > -> Here's what tcpdump shows:
-> > ->
-> > ->
-> > -> tcpdump for port 443:
-> > -> Not working access from inside the lan to the server's external Name /
-> > -> the server's external IP:
-> > -> => no connection
-> > ->
-> > -> p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
-> > -> 18:43:41.477631 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
-> > -> 18:43:41.479358 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1859848765 win 0
-> > -> 18:43:41.967525 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
-> > -> 18:43:41.969239 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
-> > -> 18:43:42.468301 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
-> > -> 18:43:42.470116 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
-> > ->
-> > ->
-> > -> tcpdump for port 443:
-> > -> WORKING access from inside the lan to the server's INTERNAL Name / the
-> > -> server's INTERNAL IP:
-> > -> => Successful connection
-> > ->
-> > -> 18:45:38.773997 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: S 1505679381:1505679381(0) win 65535
-> > -> 18:45:38.774478 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: S 189223170:189223170(0) ack 1505679382 win 5840 <mss 1460,nop,nop,sackOK>
-> > -> 18:45:38.774062 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1 win 65535
-> > -> 18:45:38.774608 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: P 1:106(105) ack 1 win 65535
-> > -> 18:45:38.774660 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: . ack 106 win 5840
-> > -> 18:45:38.813185 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: P 1:1055(1054) ack 106 win 5840
-> > -> 18:45:38.927284 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1055 win 64481
-> > ->
-> > -> Is there anyone who can interpret those results? Is this enough
-> > -> information to see where the problem may be?
-> > -> Wrong Routing? Linux server iptables problem? Problem inside the D-Link
-> > -> Router?
-> > ->

Re: [LARTC] About ip route 2 prio at tables

2006-02-01 Thread Carlos Blanquer Tomas

Nataniel Klug wrote:

> My question is: which one will get hit first? Like, when a package comes
> and looks for a gateway, will it start looking in lower prio or higher prio
> tables? If it looks in lower, then my rule is right. The other way I will
> have to rewrite it.

You're doing it right.



[LARTC] About ip route 2 prio at tables

2006-02-01 Thread Nataniel Klug
Hello,

I am looking for an answer. I am doing something like a loadshare
between two backbones.

To one of them I send all p2p, msn and irc packages and to the other one
I send the rest I have.

The problem I am facing is about prio at tables:

ip rule add fwmark 1 table 201 prio 202

This is the rule I make. This is, I think, working fine. The default
gateway is set into table 222 just like this:

ip route add default table 222 $GWE1 dev $IFE1

My question is: which one will get hit first? Like, when a package comes
and looks for a gateway, will it start looking in lower prio or higher prio
tables? If it looks in lower, then my rule is right. The other way I will
have to rewrite it.

Att,

Nataniel Klug

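An added Python model of the policy routing database (my code, not the poster's setup) that answers the question by construction: rules are tried in ascending priority, lower number first, and a rule whose table has no matching route falls through to the next rule. The rule mirrors the post (fwmark 1 -> table 201 at prio 202); the priority of the table 222 rule, the routes inside both tables and the gateway/interface names are assumptions, since the post does not give them.

```python
from ipaddress import ip_address, ip_network

class Rule:
    """One 'ip rule' entry: an optional fwmark selector and the table to consult."""
    def __init__(self, prio, table, fwmark=None):
        self.prio, self.table, self.fwmark = prio, table, fwmark

    def matches(self, pkt):
        return self.fwmark is None or pkt.get("fwmark", 0) == self.fwmark

def table_lookup(routes, dst):
    """Longest-prefix match inside one routing table; None when no route fits."""
    dst = ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best and best[1]

def rpdb_lookup(rules, tables, pkt):
    """Policy routing as the kernel does it: rules are walked in ascending
    priority (lower number first, regardless of the order they were added or
    of the table numbers); the first matching rule whose table yields a route
    wins, and a table without a matching route falls through to the next rule.
    Returns (rule prio, table, nexthop) or None."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if not rule.matches(pkt):
            continue
        nexthop = table_lookup(tables.get(rule.table, []), pkt["dst"])
        if nexthop is not None:
            return rule.prio, rule.table, nexthop
    return None

# Constructed setup: the post's rule plus an assumed rule for table 222
# (prio 210) and the usual 'main' table at the default priority 32766.
RULES = [
    Rule(prio=202, table=201, fwmark=1),
    Rule(prio=210, table=222),
    Rule(prio=32766, table="main"),
]
TABLES = {
    201: [("0.0.0.0/0", "via GWE2 dev IFE2")],   # assumed second backbone
    222: [("0.0.0.0/0", "via GWE1 dev IFE1")],   # default gateway from the post
    "main": [("192.168.0.0/24", "dev eth0")],    # assumed local LAN
}
```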


[LARTC] prio test results

2006-02-01 Thread comp.techs

Hi, below are some test results from implementing a prio qdisc (that is
also below). The qdisc is attached to a vlan interface for my external
network. Both tests were run at the same time. The links are policed at
6.0M by our provider.
192.168.70.1 --> 192.168.30.1
My question is: If using a prio qdisc, shouldn't the iperf run with a tos of
b8 have the majority of the bandwidth?
thx jason
 
./iperf -c 192.168.30.1 -t 20 -i 5 --tos 0xb8  [dscp 46] ef

[  5] local 192.168.70.1 port 33483 connected with 192.168.30.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0- 5.0 sec  2.80 MBytes  4.69 Mbits/sec
[  5]  5.0-10.0 sec   968 KBytes  1.59 Mbits/sec
[  5] 10.0-15.0 sec  1.73 MBytes  2.90 Mbits/sec
[  5] 15.0-20.0 sec  2.05 MBytes  3.45 Mbits/sec
[  5]  0.0-20.2 sec  7.53 MBytes  3.13 Mbits/sec

./iperf -c 192.168.30.1 -t 20 -i 5 --tos 0x28  [dscp 10] af11

[  5] local 192.168.70.1 port 33484 connected with 192.168.30.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0- 5.0 sec  2.13 MBytes  3.58 Mbits/sec
[  5]  5.0-10.0 sec  2.37 MBytes  3.97 Mbits/sec
[  5] 10.0-15.0 sec  2.20 MBytes  3.68 Mbits/sec
[  5] 15.0-20.0 sec  1.75 MBytes  2.94 Mbits/sec
[  5]  0.0-20.3 sec  8.45 MBytes  3.49 Mbits/sec

#!/bin/sh
tc qdisc del dev eth0.2 root
tc qdisc add dev eth0.2 root handle 1: prio
# mask 0xfc keeps the 6 DSCP bits and ignores the 2 ECN bits
# tos 0xb8 (dscp 46, EF) -> band 1:1
tc filter add dev eth0.2 parent 1:0 prio 1 protocol ip u32 \
    match ip tos 0xb8 0xfc flowid 1:1
# tos 0x68 (dscp 26, AF31) -> band 1:2
tc filter add dev eth0.2 parent 1:0 prio 2 protocol ip u32 \
    match ip tos 0x68 0xfc flowid 1:2
# tos 0x28 (dscp 10, AF11) and best effort -> band 1:3
tc filter add dev eth0.2 parent 1:0 prio 3 protocol ip u32 \
    match ip tos 0x28 0xfc flowid 1:3
tc filter add dev eth0.2 parent 1:0 prio 3 protocol ip u32 \
    match ip tos 0x00 0xfc flowid 1:3


RE: [LARTC] failover routing

2006-02-01 Thread Greg Scott
Your script could have the backup router take on the IP Address of the
primary after it loses its heartbeat.  You'll run into a problem with
ARP caches.  I saw some code floating around earlier that allowed one
box to listen to the MAC address of another and respond to its ARP
requests.  You would need to incorporate something like this in any
solution.

And this all assumes routers A and B are in parallel; all clients and
both routers are on the same LAN.  So you have a separate NIC between
routers A and B for heartbeat.  Each router has a NIC on the LAN side,
and each has a NIC connecting to the Internet.

- Greg Scott


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jandre Olivier
Sent: Wednesday, February 01, 2006 5:52 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] failover routing

Hi Guys,

I would just like to have advice and pointers of the best way would be,
Someting like BGP or OSPF?

I have 2 internet connections at diffrent locations. let say connection
A and B

1.) router A has a fast internet connection and a seperate interface for
clients using /lan/pppoe/ipsec etc  and another ethernet interface going
to router B

2.) router B has similiar setup as router A and also a seperate ether
interface for clients and one going to router A

3.) all clients gets masqueraded as there is limited amount of internet
routable ips

Now my first thought was to write some perl/bash scripts to just ping
your internet gateway address of Router A and if its down, just change
your default route to router B and everyone and vice versa and u  can
still get access.
This way for me is not very clean though as Im the one writing the
scripts as something like zebra might do this perfectly?
just a basic idea of what my setup is. What would be my best way of
doing this.?

--
/*-*
/
 __   _
 -- / /  (_)__  __   __  -
   --- / /__/ / _ \/ // /\ \/ / 
  //_/_//_/\_,_/ /_/\_\ --
[EMAIL PROTECTED]
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


[LARTC] failover routing

2006-02-01 Thread Jandre Olivier

Hi Guys,

I would just like to have advice and pointers on what the best way would be,
something like BGP or OSPF?

I have 2 internet connections at different locations. Let's say connection
A and B

1.) router A has a fast internet connection and a separate interface for
clients using /lan/pppoe/ipsec etc and another ethernet interface going
to router B

2.) router B has a similar setup as router A and also a separate ether
interface for clients and one going to router A

3.) all clients get masqueraded as there is a limited amount of internet
routable ips

Now my first thought was to write some perl/bash scripts to just ping
your internet gateway address of Router A and if it's down, just change
your default route to router B and vice versa, and everyone can
still get access.
This way for me is not very clean though, as I'm the one writing the
scripts, and something like zebra might do this perfectly?
Just a basic idea of what my setup is. What would be my best way of
doing this?



[LARTC] QOS server droping packets 4% loss

2006-02-01 Thread Calin Ilis
Hi all,

I have a problem with htb and wonder if anybody has encountered this. On my LAN I have more than 1000 clients, and I am using htb to shape the incoming traffic. The problem is that I am experiencing packet loss (about 4%) in the qos server. The server is dropping packets even if my traffic is relatively moderate. I tried everything (estimator, setting the quantum, etc. etc.) but it doesn't seem to improve.

My script is relatively simple:

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb default 10

# root class
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 5kbit ceil 5kbit
# default class
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 512kbit ceil 512kbit

# and each client IP has a class associated
tc class add dev eth0 parent 1:1 classid 1:$COUNTER htb rate 5kbit ceil 400kbit
tc filter add dev eth0 protocol ip parent 1:0 prio 2 u32 match ip dst $IP flowid 1:$COUNTER
# and counter increments by 1 for each rule added

What could I do? Are there some kernel parameters that I could modify in order to obtain a better performance?

Thanks
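An added sanity check for an HTB class tree like the one in the post (my code, not the poster's script): it parses the "tc class add ... htb" lines and flags children whose guaranteed rates add up to more than their parent's rate, or whose ceil is above the parent's ceil, which is the first thing to verify when an HTB shaper misbehaves. The sample script is constructed to mirror the post's classes, with the per-client class expanded for two clients.

```python
import re

# tc's rate units: k/m are decimal, and 'kbps'/'mbps' mean bytes per second.
UNITS = {"bit": 1, "kbit": 1000, "mbit": 1_000_000,
         "bps": 8, "kbps": 8000, "mbps": 8_000_000}

def parse_rate(text):
    """Convert a tc rate such as '512kbit' or '5mbit' to bits per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-zA-Z]+)", text.strip())
    if not m or m.group(2).lower() not in UNITS:
        raise ValueError("unsupported rate: " + text)
    return int(float(m.group(1)) * UNITS[m.group(2).lower()])

CLASS_RE = re.compile(
    r"tc class add dev \S+ parent (\S+) classid (\S+) htb rate (\S+) ceil (\S+)")

def parse_classes(script):
    """Map classid -> {parent, rate, ceil} for every htb class line in a script."""
    classes = {}
    for m in CLASS_RE.finditer(script):
        parent, cid, rate, ceil = m.groups()
        classes[cid] = {"parent": parent,
                        "rate": parse_rate(rate), "ceil": parse_rate(ceil)}
    return classes

def check_htb_tree(classes):
    """Return human-readable problems: children whose rates sum past the
    parent's rate (the parent cannot honour all guarantees at once) and
    children whose ceil exceeds the parent's ceil (borrowing can never reach it)."""
    problems = []
    for cid, c in classes.items():
        kids = {k: v for k, v in classes.items() if v["parent"] == cid}
        if not kids:
            continue
        total = sum(k["rate"] for k in kids.values())
        if total > c["rate"]:
            problems.append(f"{cid}: children guarantee {total} bit/s "
                            f"but parent rate is {c['rate']} bit/s")
        for kid, k in kids.items():
            if k["ceil"] > c["ceil"]:
                problems.append(f"{kid}: ceil {k['ceil']} bit/s exceeds "
                                f"parent {cid} ceil {c['ceil']} bit/s")
    return problems

# Constructed script modelled on the post: root, default class, two clients.
SAMPLE_SCRIPT = """
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 5kbit ceil 5kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 512kbit ceil 512kbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 5kbit ceil 400kbit
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 5kbit ceil 400kbit
"""
```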