Re: [LARTC] linux bridging vlans?
Andraz Sraka wrote:
> but still no data is forwarded from one interface to another? Is there
> any sysctl stuff that I need to set up, like 'ip_forwarding' when doing
> routing? Is there some bridging parameter for forwarding, or have I
> misconfigured things above?

I think that the bridge device doesn't support VLANs. The attached patch could add that support (mind that I haven't compiled nor tested the patch). Let me know if it works.

--
**
Marco Innocenti
Gruppo Infrastruttura e Sicurezza
CINECA
phone: +39 0516171553 / fax: +39 0516132198
Via Magnanelli 6/3    e-mail: [EMAIL PROTECTED]
40033 Casalecchio di Reno, Bologna (Italia)
**

--- linux-source-2.6.16/net/bridge/br_device.c 2006-03-20 06:53:29.0 +0100 +++ linux-source-2.6.16/net/bridge/br_device.c.new 2006-03-30 10:53:25.0 +0200 @@ -186,5 +186,7 @@ dev-priv_flags = IFF_EBRIDGE; dev-features = NETIF_F_SG | NETIF_F_FRAGLIST - | NETIF_F_HIGHDMA | NETIF_F_TSO | NETIF_F_IP_CSUM; + | NETIF_F_HIGHDMA | NETIF_F_TSO | NETIF_F_IP_CSUM + | NETIF_F_HW_VLAN_FILTER | NETIF_F_HW_VLAN_RX + | NETIF_F_HW_VLAN_TX | NETIF_F_VLAN_CHALLENGED; }

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
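Review bot: NETIF_F_VLAN_CHALLENGED in the added `+` lines does the opposite of what the patch wants: it declares that the device cannot carry VLAN frames at all, and 8021q's register_vlan_device() refuses to create a VLAN sub-interface on any device with that flag set ("VLANs not supported on ..."). The three NETIF_F_HW_VLAN_* flags are equally wrong for br_device.c: they advertise hardware VLAN acceleration and commit the driver to supplying vlan_rx_register() and vlan_rx_add_vid()/vlan_rx_kill_vid() callbacks, which nothing in this hunk sets, so 8021q would reject the bridge as having "buggy VLAN hw accel". Drop all four added flags and leave the original line `| NETIF_F_HIGHDMA | NETIF_F_TSO | NETIF_F_IP_CSUM;` as it was; a purely software device needs no VLAN feature flags, since 8021q inserts and strips tags itself whenever no accel flag is present. The "not compiled, not tested" status from the cover text also belongs in the patch description itself.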
[LARTC] packet marking: only a ratio, not all
Hi all!

In short: Has anybody written a patch for DSMARK to make it capable of marking only a ratio (given as an argument to the tc command) of the packets it gets? Say, 20%? Or do I have to hack into the source? Alternatives, like a filter splitting packets to 2 different DSMARKs based on this ratio?

In long: I'm a Hungarian univ student involved in a project (RMD-QoS stuff) which needs the following:

\
 \     This node has 3 ingress and 1 egress link, all have for ex. 10 Mbit
  \    limit to their traffic.
--- node ---  Suppose ingress traffic is: 8 + 3 + 5 = 16 while the egress
  /    link will be congested with 10. Because this node is a simple,
 /     intradomain router, we would like to notify the downstream
/      edge node about this congestion, to tear down some of the flows
       causing it. (Congestion occurred via for ex. a net failure)

What the protocol (draft) says is that the edge will be notified of the level of the congestion, which will be calculated by this proportional data packet marking method, to avoid additional signaling. Say, if 16 would go on a link with 10 capacity, the congested core node will mark 60% of the packets it sends to the output of the link with another DSCP.

I thought about DSMARK first, but that is incapable of doing this stuff. (or I think so :)

Ideas?

PS: I did not check the archives rigorously, so sorry if I am asking trivial things.
PS2: Since I chose not to receive mails from this list, please send your answer to [EMAIL PROTECTED]

Thanks in advance,
Ferenc
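A small simulation of the proportional marking the post describes, added here as an example; it is not code from the post, from DSMARK or from the RMD draft. It uses the post's figures (8+3+5 = 16 Mbit offered to a 10 Mbit link, giving a 60% marked share) and compares two ways of hitting that ratio: a deterministic k-of-every-n marker, the same idea as iptables' `-m statistic --mode nth`, and a random per-packet one, the idea behind `--mode random`. The formula (offered - capacity)/capacity, the clamp to [0, 1], the DSCP values and the sample traffic are assumptions of the example, not definitions taken from the draft.

```python
"""Proportional packet marking, simulated (added example, not from the post).

A core node offered more traffic than its egress link carries re-marks a
fixed share of the packets it forwards with a second DSCP, so the downstream
edge can read the overload level off the marked share without extra
signalling.  Assumptions not taken from the page: the share is
(offered - capacity) / capacity clamped to [0, 1], which reproduces the
post's 16 Mbit offered / 10 Mbit link -> 60 %; the DSCP values are arbitrary.
"""
from fractions import Fraction
import random

DSCP_NORMAL = 0x0A      # assumed unmarked codepoint (AF11)
DSCP_CONGESTED = 0x0C   # assumed congestion codepoint (AF12)


def mark_fraction(offered_mbit, capacity_mbit):
    """Share of forwarded packets to re-mark; 8+3+5 = 16 on 10 Mbit -> 0.6."""
    if capacity_mbit <= 0:
        raise ValueError("capacity must be positive")
    excess = offered_mbit - capacity_mbit
    return max(0.0, min(1.0, excess / capacity_mbit))


class NthMarker:
    """Deterministic marker: exactly k of every n packets, spread evenly.

    The share is exact over every window of n packets, so the edge node sees
    the true overload level after only a handful of packets.
    """

    def __init__(self, ratio):
        frac = Fraction(ratio).limit_denominator(1000)
        self.k, self.n = frac.numerator, frac.denominator
        self.pos = 0

    def mark(self, dscp):
        # Bresenham-style spreading: a mark lands on every slot where
        # floor((pos+1)*k/n) steps up, which happens exactly k times per cycle.
        marked = ((self.pos + 1) * self.k) // self.n > (self.pos * self.k) // self.n
        self.pos = (self.pos + 1) % self.n
        return DSCP_CONGESTED if marked else dscp


class RandomMarker:
    """Probabilistic marker: each packet independently with probability `ratio`.

    The observed share only converges over many packets; a short window can
    report a very different overload level than the one the node intended.
    """

    def __init__(self, ratio, seed=None):
        self.ratio = ratio
        self.rng = random.Random(seed)

    def mark(self, dscp):
        return DSCP_CONGESTED if self.rng.random() < self.ratio else dscp


def forward(marker, dscps):
    """Push a stream of packet DSCPs through a marker; return the output DSCPs."""
    return [marker.mark(d) for d in dscps]


def marked_share(dscps):
    """Share of packets carrying the congestion codepoint (what the edge measures)."""
    return sum(1 for d in dscps if d == DSCP_CONGESTED) / len(dscps)


if __name__ == "__main__":
    ratio = mark_fraction(8 + 3 + 5, 10)          # the post's figures -> 0.6
    stream = [DSCP_NORMAL] * 10_000               # constructed sample traffic
    for window in (5, 50, 10_000):
        nth = marked_share(forward(NthMarker(ratio), stream[:window]))
        rnd = marked_share(forward(RandomMarker(ratio, seed=1), stream[:window]))
        print(f"{window:>6} packets: nth={nth:.3f}  random={rnd:.3f}  target={ratio:.3f}")
```

The point of running both markers over short and long windows is the one that matters for the draft's use: the edge derives the congestion level from the marked share it observes, so a deterministic k-of-n marker reports the level exactly even over a few packets, while a random marker needs a long window before its share is trustworthy.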
[LARTC] rule fwmark doesn't work for local packets (output chain)
Hello everyone,

After a few days, with your help, I've succeeded with the setup of load-balancing. Now I have a problem with the next step. I want to mark some packets and then put them into one of the routing tables to force them to go via only one interface with only one IP. Easy?? Of course, but not for me :(. I'm NOT using NAT.

Chain OUTPUT (policy ACCEPT 71 packets, 24227 bytes)
 pkts bytes target  prot opt in  out  source     destination
 352940      MARK    all  --  *   *    0.0.0.0/0  217.17.45.128/27  MARK set 0x32

lucy ~ # ip rule
0:      from all lookup local
10:     from all lookup main
34:     from all fwmark 50 lookup zew
50:     from 80.48.56.70 lookup zew
60:     from 192.168.200.10 lookup wew
100:    from all lookup brama
32766:  from all lookup main
32767:  from all lookup default

It should be working fine, but it's not. With this set of rules all is OK:

lucy ~ # ip rule
0:      from all lookup local
10:     from all lookup main
34:     from all to 217.17.45.128/27 lookup zew
50:     from 80.48.56.70 lookup zew
60:     from 192.168.200.10 lookup wew
100:    from all lookup brama
32766:  from all lookup main
32767:  from all lookup default

When I use fwmark, packets are sent with the wrong src IP via eth0 (table zew): they have the IP of eth1 and the wrong gw address, but they are sent via eth0. So the rule is working (packets go to the zew table), but they have the wrong src IP. When I use "ip rule add to ..." instead of fwmark, all is OK. So what is the difference between iptables marking and "ip rule add to ..." for the kernel? Does the packet arrive at the mangle table of the OUTPUT chain after or before routing? According to this http://www.docum.org/docum.org/kptd/ the packet is after routing. My question is how to change its src IP without using NAT, if there is any way?? Or maybe any other ideas how to solve my problem.

lucy ~ # ip rout show table zew
127.0.0.0/8 dev lo scope link
default via 80.48.56.65 dev eth0 proto static src 80.48.56.70
prohibit default proto static metric 1

lucy ~ # ip rout show table wew
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev eth1 proto static src 192.168.200.10
prohibit default proto static metric 1

lucy ~ # ip rout show table brama
default proto static
        nexthop via 192.168.1.1 dev eth1 weight 1
        nexthop via 80.48.56.65 dev eth0 weight 1

lucy ~ # ip rout show table main
80.48.56.128/26 dev eth0 proto kernel scope link src 80.48.56.70
80.48.56.64/26 dev eth0 proto kernel scope link src 80.48.56.70
192.168.0.0/16 dev eth1 proto kernel scope link src 192.168.200.10
127.0.0.0/8 dev lo scope link

Regards
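A model of what the kernel does with the two rule sets in the post, added here as an example; it is not the poster's configuration and not kernel code. It follows the order the docum.org diagram shows for locally generated packets: one route lookup when the socket sends (this is where the source address is chosen when the application did not bind one), then mangle OUTPUT, then a second lookup only if the mark changed, with the source address from the first lookup already in the header and kept. The tables are reduced to their default routes; treating the multipath route in `brama` as always taking its first nexthop, and the destination 217.17.45.130, are assumptions of the example.

```python
"""Source-address selection vs. fwmark re-routing for local packets.

Added example (not the poster's setup, not kernel code).  It models the
order the kernel applies to a packet a local process sends without binding a
source address:

  1. route lookup on send: picks oif, gateway and the source address
  2. mangle OUTPUT runs and may set a mark
  3. if the mark changed, the packet is re-routed, but the source address
     chosen in step 1 is already in the header and is kept

Assumptions not from the page: tables are reduced to their default routes,
the multipath route in `brama` always takes its first nexthop, and the
destination used in the demo is 217.17.45.130.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Route:
    dev: str
    via: str
    src: Optional[str] = None        # explicit `src` on the route, if any


@dataclass(frozen=True)
class Rule:
    table: str
    fwmark: Optional[int] = None     # `fwmark N` selector
    to: Optional[str] = None         # `to PREFIX` selector
    src: Optional[str] = None        # `from ADDR` selector


# Primary address per interface, from the poster's `main` table; used when
# the chosen route carries no explicit `src`.
PRIMARY_ADDR = {"eth0": "80.48.56.70", "eth1": "192.168.200.10"}

# Default routes of the poster's tables (connected routes and the `prohibit`
# fallbacks are omitted; they play no part for this destination).
TABLES = {
    "main": [],
    "zew": [Route("eth0", "80.48.56.65", src="80.48.56.70")],
    "wew": [Route("eth1", "192.168.1.1", src="192.168.200.10")],
    "brama": [Route("eth1", "192.168.1.1"), Route("eth0", "80.48.56.65")],
}

# The two rule sets from the post, in priority order (local/default omitted).
RULES_FWMARK = [
    Rule("main"),
    Rule("zew", fwmark=50),                # 34: from all fwmark 50 lookup zew
    Rule("zew", src="80.48.56.70"),        # 50: from 80.48.56.70 lookup zew
    Rule("wew", src="192.168.200.10"),     # 60: from 192.168.200.10 lookup wew
    Rule("brama"),                         # 100: from all lookup brama
]
RULES_TO = [
    Rule("main"),
    Rule("zew", to="217.17.45.128/27"),    # 34: from all to 217.17.45.128/27 lookup zew
    Rule("zew", src="80.48.56.70"),
    Rule("wew", src="192.168.200.10"),
    Rule("brama"),
]


def lookup(rules: List[Rule], dst: str, mark: int, src: Optional[str]):
    """Walk the rules in priority order; return (table, route) of the first hit."""
    for r in rules:
        if r.fwmark is not None and r.fwmark != mark:
            continue
        if r.to is not None and ipaddress.ip_address(dst) not in ipaddress.ip_network(r.to):
            continue
        if r.src is not None and r.src != src:
            continue
        if TABLES[r.table]:
            return r.table, TABLES[r.table][0]   # first nexthop (assumption)
    raise LookupError(f"no route to {dst}")


def send(rules: List[Rule], dst: str, mangle_mark: int = 0):
    """Model of: initial lookup -> mangle OUTPUT (-j MARK) -> re-route on mark change."""
    table, route = lookup(rules, dst, mark=0, src=None)     # step 1
    src = route.src or PRIMARY_ADDR[route.dev]              # source address fixed here
    trace = [("initial lookup", table, route.dev, route.via, src)]
    if mangle_mark:                                         # steps 2 and 3
        table, route = lookup(rules, dst, mark=mangle_mark, src=src)
        trace.append(("re-route after MARK", table, route.dev, route.via, src))
    return {"table": table, "dev": route.dev, "via": route.via, "src": src, "trace": trace}


if __name__ == "__main__":
    dst = "217.17.45.130"   # assumed host inside 217.17.45.128/27
    for label, rules, mark in (("fwmark rule + MARK 0x32", RULES_FWMARK, 0x32),
                               ("to-prefix rule, no mark", RULES_TO, 0)):
        r = send(rules, dst, mark)
        print(f"{label}: dev={r['dev']} via={r['via']} src={r['src']}")
        for step in r["trace"]:
            print("   ", step)
```

The model reproduces the poster's observation: with the fwmark rule the packet leaves eth0 but carries eth1's address, because the first lookup fell through to `brama`, picked the eth1 nexthop and fixed 192.168.200.10 as source before the MARK target ever ran; the re-route after marking changes only the interface and gateway. The `to` rule works because it matches in that first lookup, where the `src 80.48.56.70` on the `zew` default route is honoured. Without NAT, the source can only be influenced at or before the first lookup: by a rule that matches there, as the `to` rule does, or by the application binding its socket to the address.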
[LARTC] ULOGD and Snort Inline
Hi All,

I am facing a problem when using the ULOG daemon and SNORT (inline mode) with iptables. My setup is like this:

1. I need the ULOG daemon to log firewall logs to a MySQL database.
2. I need SNORT in inline mode for intrusion prevention.

Both can work fine individually with iptables. But the ULOG daemon cannot work when SNORT is also running. Probably the reason is that snort also hooks into netfilter along with ULOG, so the packet does not come to ULOG. Is it so? Does anybody have such a setup up and running?? Can somebody please help me with some suggestions as to how to run snort inline and ULOGD together?

Thanks a lot.

Regards
Navaneeth
Re: [LARTC] tcsim
hi!

I can't answer your question, but I have another question on it. Why do you write "I know that tcng is old"? I'm studying tcng; am I wasting my time? Is there a better tool?

Thanks,
Fabio

On Friday 31 March 2006 01:11, Larry Brigman wrote:
> I know that tcng is old but I have a question about it. Was there ever
> a way to inject real traffic into the simulation, something like the
> output of tcpreplay?
>
> Thanks,
> Larry

--
Dott. Fabio Marcone
2T srl
Phone +39 - 0871- 540154
Fax +39 - 0871- 571594
Email [EMAIL PROTECTED]
Address Viale B. Croce 573
66013 Chieti Scalo (CH)
GNU/Linux registered user #400424