[LARTC] RTNETLINK answers: File exists .. Network is unreachable

2006-08-18 Thread Spam Dumpster


I am a Linux novice.

I have set up a Linux Router that is running the 2.6.15-1.2054_FC5 
kernel.  I boot to an initial router state and then I experiment with 
various "tc" commands by executing them at the command prompt.  I 
reboot often to restore the initial state.  When I booted up the 
router today I got the following messages during the boot process:


Bringing up interface eth0:
RTNETLINK answers: File exists
RTNETLINK answers: Network is unreachable


Bringing up interface eth1:
RTNETLINK answers: File exists
RTNETLINK answers: Network is unreachable

Will someone please enlighten me as to what kind of problem is 
being indicated by these messages?


Thanks,

Bob

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


Re: [LARTC] Handle limit in filter

2006-08-18 Thread Raj Mathur
> "Marek" == Marek Kierdelewicz <[EMAIL PROTECTED]> writes:

>> I've written a minimal sort of Perl module that dynamically
>> creates and destroys traffic control rules for specific IPs.
>> I'm currently using it for a user bandwidth control application
>> at a client site.

Marek> Been there, done that...

Marek> Better regenerate whole tc config and load it using "tc
Marek> -b". It's faster than many calls to tc binary (no context
Marek> switching overhead).

I don't really know what effect resetting the tc configuration every
few seconds would have on logged in users.  What happens to the
existing connections when the whole thing is reloaded?  Will they
jitter?  Or roll over and die, or just continue behaving as they were?

Wouldn't writing out commands for a few hundred connections into a
file and loading that file take a significant amount of time?

On the whole I'd prefer to do each connection as it comes up, if
that's possible at all.

Regards,

-- Raju
-- 
Raj Mathur  [EMAIL PROTECTED]  http://kandalaya.org/
   GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
  It is the mind that moves


[LARTC] how to implement 802.1p QoS on Linux

2006-08-18 Thread Richard Cai
Hello everyone:

How do I implement 802.1p QoS on Linux?

Thanks




Re: [LARTC] iproute2, alternative tables, no default route: routing trouble for localhost [SOLVED]

2006-08-18 Thread Покотиленко Костик
I've found the answer in [EMAIL PROTECTED]

First:

I'm sorry, there was a typo while writing message. The correct subnets
are 10.10.101.0/24 and 10.10.100.0/24, not 10.10.100.101/24 and
10.10.100.100/24.

The solution is:

# ip rule add dev lo table Servers

as Pascal Hambourg <[EMAIL PROTECTED]> advised, I'll quote:

> > So, the question is: how is the routing of packets coming from
> > localhost accomplished?
> 
> In the same way as the routing of forwarded packets. From the "ip rule"
> point of view, locally generated traffic is selected with "iif lo" (see
> the iproute manual). Be aware that when the local source address is not
> explicitly specified by the sending application, none of your custom
> rules will match, so the "main" table will be used. But it contains no
> default route.



-- 
Покотиленко Костик <[EMAIL PROTECTED]>



Re: [LARTC] Handle limit in filter

2006-08-18 Thread Marek Kierdelewicz

> Hi,

Hi there!
> 
> I've written a minimal sort of Perl module that dynamically creates
> and destroys traffic control rules for specific IPs.  I'm currently
> using it for a user bandwidth control application at a client site.

Been there, done that...

Better regenerate whole tc config and load it using "tc -b". It's
faster than many calls to tc binary (no context switching overhead).

cheers
-- 
Marek Kierdelewicz
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: [EMAIL PROTECTED]


Re: [LARTC] How to bypass traffic control for one IP

2006-08-18 Thread Nikolay Kichukov
Okay,
the following may or may not work:

On the interface of the router that is connected to the adsl modem add an
egress HTB qdisc.

Then add classes accordingly. The first one, with the highest priority, will
be for the 4Mbit traffic.
The classes after this one will depend on your liking.

Add some tc filters. The first one will match if dst ip is $IP_OF_ADSL
or dst port is $THE_BROADCAST_PORT_OF_THE_ADSL and it will use the htb class
with the highest priority.

Packets not destined for the adsl will be matched in the filters
afterwards, and thus shaped and so on.

However, I am not sure whether all of the packets will end up under that htb
class, because in their destination header they all have the adsl IP (the
default gateway).

Maybe someone on the list will enlighten me on that topic.

-nik


On Fri, 2006-08-18 at 12:47 +0200, Yves BLUSSEAU wrote:
> The adsl modem has two functions: it gives me access to the internet (max 80ko/s 
> upload) and it is used to broadcast a video stream at more than 4Mo/s.
> I can't manage the modem.
> My PC, the firewall and the modem are locally connected at 100Mbits Full 
> Duplex.
> Like I said, I want to shape the upload to the internet and only to the internet.
> So do you know a good configuration to shape everything but the traffic 
> sent directly to the modem (to its IP)?
> 
> Yves
> 
> - Original Message - 
> From: "Nikolay Kichukov hijacker-at-oldum.net |Linux Advanced Routing & 
> Traffic Control project/1.0-Allow|" <...>
> To: <..>
> Sent: Friday, August 18, 2006 12:22 PM
> Subject: Re: [LARTC] How to bypass traffic control for one IP
> 
> 
> You surely do need to send the video stream at full speed, but what is
> the point of doing so if the adsl modem(router) will still shape the
> upload at the speed that your ISP gives to you?
> 
> That will only saturate the link.
> 
> -nik
> 
> On Thu, 2006-08-17 at 21:05 +0200, Yves  wrote:
> > Because my adsl modem is also a router and it is used to send broadcast 
> > video
> > to another network, and so I need to send the video stream at full speed to the
> > modem.
> > - Original Message - 
> > From: "nikolay hijacker-at-oldum.net |Linux Advanced Routing & Traffic
> > Control project/1.0-Allow|" <...>
> > To: <..>
> > Sent: Thursday, August 17, 2006 12:32 PM
> > Subject: Re: [LARTC] How to bypass traffic control for one IP
> >
> >
> > > why would you want to "access" the adsl modem at 100Mbps?
> > >
> > > What is the speed your ISP provides to the adsl modem?
> > >
> > > -nik
> > > - Original Message - 
> > > From: "Yves " <[EMAIL PROTECTED]>
> > > To: 
> > > Sent: Wednesday, August 16, 2006 6:16 PM
> > > Subject: [LARTC] How to bypass traffic control for one IP
> > >
> > >
> > > Hi all,
> > >
> > > I have a problem: I have an adsl modem that is connected to the internet. I
> > > can't manage this modem.
> > > Between my PC and the modem I have a linux firewall that does the NAT 
> > > and
> > > the traffic shaping.
> > > I have created a script that limits the bandwidth of the "external"
> > > interface of the firewall so I can manage my bandwidth for my internet
> > > applications.
> > > The problem is that I need to access the adsl modem at full bandwidth
> > > (100mbits) from my PC (through the linux firewall).
> > > So I need a configuration where all the internet IPs are limited by the
> > > traffic control and where the IP of the modem is not slowed down by traffic
> > > shaping.
> > >
> > > Who has an idea for such a configuration?
> > >
> > > Thanks in advance.
> > >
> > > Yves
-- 
When we are happy, we are good.
But when we are good, we are not always happy...
-Oscar Wilde



[LARTC] Handle limit in filter

2006-08-18 Thread Raj Mathur

Hi,

I've written a minimal sort of Perl module that dynamically creates
and destroys traffic control rules for specific IPs.  I'm currently
using it for a user bandwidth control application at a client site.

The module essentially gets Ethernet device(s), IP address and in/out
speeds as input and dynamically creates classes, queues and filters
for controlling speeds on the incoming and outgoing interfaces.  It
calls /sbin/tc internally to make the rules.  Similarly, when the user
is logged out, the module deletes the rules that it made earlier.

There are two issues I'm facing:

1. Is there any way to remove filter rules without knowing the handle?
I'd like to be able to remove the filter rule using the same set of
data that I used to create it, but there doesn't seem to be any way to
do that.  Currently I'm parsing the whole "tc filter show" output to
find out the handle of the rule I'm interested in, then using that
handle in the "tc remove" command to delete the rule.  Inelegant and
inefficient, to say the least.

2. Can one have filter rules with handles > 800:fff?  After the
program has run for a while, the filter handle hits 800:fff, and then
I can not delete any of the new rules at all.  I'd be interested in
knowing how to make tc reuse handles; failing that, increasing the
number of unique handles would at least prevent my client from having
to reboot the server every day.

I'll be releasing the module under GPL once I've cleaned up the code
and documented the methods a bit.  Help on doing that appreciated.

Regards,

-- Raju
-- 
Raj Mathur  [EMAIL PROTECTED]  http://kandalaya.org/
   GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
  It is the mind that moves
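An added example (Python, not Raj's Perl module) of the two workarounds his post asks about: parsing "tc filter show" output to recover the u32 handle for a given IP, and choosing explicit handles at creation time so that deletion needs no parsing. The sample output is constructed; that explicitly assigned node ids 1..0x7ff sit below the automatically assigned range (which starts at 0x800 and only counts upward, which is what produces the 800:fff wall) and the `tc filter add ... handle 800::N u32` syntax are assumptions about the u32 classifier.

```python
import re
import socket
import struct
from typing import Dict, List, Optional

# Constructed sample of `tc filter show dev eth0 parent 1:` with two per-user
# u32 rules. The hex in each "match" line is an IPv4 address; offset 12 is the
# source and offset 16 the destination address in the IP header.
SAMPLE_TC_FILTER_SHOW = """\
filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10
  match c0a80105/ffffffff at 16
filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:11
  match c0a80106/ffffffff at 12
"""

OFFSET = {"src": 12, "dst": 16}

NODE_RE = re.compile(r"pref (\d+) u32 fh (\S+) order \d+ .* flowid (\S+)")
MATCH_RE = re.compile(r"^\s+match ([0-9a-f]+)/([0-9a-f]+) at (\d+)")


def parse_u32_filters(output: str) -> List[Dict]:
    """One dict per filter node: pref, handle, flowid and its (value, mask, offset) keys."""
    nodes: List[Dict] = []
    for line in output.splitlines():
        m = NODE_RE.search(line)
        if m:
            nodes.append({"pref": int(m.group(1)), "handle": m.group(2),
                          "flowid": m.group(3), "matches": []})
            continue
        m = MATCH_RE.match(line)
        if m and nodes:
            nodes[-1]["matches"].append(
                (int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))))
    return nodes


def find_handle(output: str, ip: str, direction: str) -> Optional[str]:
    """Handle of the node whose full-mask match at the src/dst offset equals `ip`."""
    want = struct.unpack("!I", socket.inet_aton(ip))[0]
    for node in parse_u32_filters(output):
        for value, mask, off in node["matches"]:
            if off == OFFSET[direction] and mask == 0xFFFFFFFF and value == want:
                return node["handle"]
    return None


def delete_argv(dev: str, parent: str, output: str, ip: str,
                direction: str) -> Optional[List[str]]:
    """argv for `tc filter del` of the matching node, or None if there is none."""
    handle = find_handle(output, ip, direction)
    if handle is None:
        return None
    pref = next(n["pref"] for n in parse_u32_filters(output) if n["handle"] == handle)
    return ["tc", "filter", "del", "dev", dev, "parent", parent, "protocol", "ip",
            "prio", str(pref), "handle", handle, "u32"]


class HandlePool:
    """Choose node ids yourself instead of parsing them back later.

    Assumption: the automatic allocator numbers nodes from 0x800 upward and never
    goes back, which matches the symptom in the post (everything ends at 800:fff).
    Ids 1..0x7ff are below that range, so explicit handles cannot collide with
    auto-assigned ones, and a freed id can be handed out again.
    """
    MAX_NODE = 0x7FF

    def __init__(self, htid: str = "800") -> None:
        self.htid = htid
        self._free = list(range(self.MAX_NODE, 0, -1))  # pop() hands out 1 first

    def alloc(self) -> str:
        if not self._free:
            raise RuntimeError("hash table %s: all %d node ids in use"
                               % (self.htid, self.MAX_NODE))
        return "%s::%x" % (self.htid, self._free.pop())

    def free(self, handle: str) -> None:
        htid, _bucket, node = handle.split(":")
        if htid != self.htid:
            raise ValueError("handle %s is not in hash table %s:" % (handle, self.htid))
        self._free.append(int(node, 16))


def add_argv(dev: str, parent: str, pref: int, handle: str, ip: str,
             direction: str, flowid: str) -> List[str]:
    """argv for `tc filter add` with an explicit handle, so deletion needs no parsing."""
    return ["tc", "filter", "add", "dev", dev, "parent", parent, "protocol", "ip",
            "prio", str(pref), "handle", handle, "u32",
            "match", "ip", direction, ip, "flowid", flowid]
```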


Re: [LARTC] iproute2, alternative tables, no default route: routing trouble for localhost

2006-08-18 Thread Покотиленко Костик
On Fri, 18/08/2006 at 14:52 +0200, Marek Kierdelewicz wrote:
> > Hi.
> 
> Hi
> 
> > router # cat /etc/iproute2/rt_tables
> > #
> > # reserved values
> > #
> > 255 local
> > 254 main
> > 253 default
> > 0   unspec
> > #
> 
> Add default route to the "default" table .. it gets hit after your
> custom tables as you can see here:
> 
> router # ip rule ls
> 0:  from all lookup local
> 32763:  from 10.10.100.101/24 lookup Club
> 32764:  from 10.10.100.100/24 lookup Clients
> 32765:  from 192.168.1.0/24 lookup Servers
> 32766:  from all lookup main
> 32767:  from all lookup default
> 
> This should allow your router to connect out and receive connections.

Would 10.10.100.101/24 and 10.10.100.100/24 hit that table too? That's
not desirable because 10.10.100.101/24 should have no route if there is
nothing in the Club table, and 10.10.100.100/24 should have no route if there
is nothing in the Clients table.

-- 
Покотиленко Костик <[EMAIL PROTECTED]>

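An added model (Python, not from the thread) of the rule walk discussed in these messages, using the corrected subnets 10.10.101.0/24 and 10.10.100.0/24 from the [SOLVED] post. It shows why a locally generated packet from an unbound socket falls through to the "main" table, how the `iif lo` rule (`ip rule add dev lo table Servers`) fixes that, and why a default route in the "default" table would route Club traffic over ppp0 whenever the Club table is empty. Table contents and the priority of the lo rule (32762) are assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]                   # (prefix or "default", outgoing device)
Rule = Tuple[int, Tuple[str, ...], str]   # (priority, selector, table)

# Constructed from the thread: each custom table holds only a default route,
# main holds only the connected LAN, and default is empty.
TABLES: Dict[str, List[Route]] = {
    "local": [],
    "Club": [("default", "ppp1")],
    "Clients": [("default", "ppp0")],
    "Servers": [("default", "ppp0")],
    "main": [("192.168.1.0/24", "eth0")],
    "default": [],
}

RULES: List[Rule] = [
    (0, ("all",), "local"),
    (32763, ("from", "10.10.101.0/24"), "Club"),
    (32764, ("from", "10.10.100.0/24"), "Clients"),
    (32765, ("from", "192.168.1.0/24"), "Servers"),
    (32766, ("all",), "main"),
    (32767, ("all",), "default"),
]

# Pascal's fix: `ip rule add dev lo table Servers` (dev/iif lo = locally generated).
# Priority 32762 is an assumption (ip assigns one just below the lowest custom rule).
LO_RULE: Rule = (32762, ("iif", "lo"), "Servers")


def rule_matches(selector: Tuple[str, ...], src: Optional[str], iif: str) -> bool:
    kind = selector[0]
    if kind == "all":
        return True
    if kind == "iif":
        return iif == selector[1]
    if kind == "from":
        # A locally generated packet from an unbound socket has no source address
        # yet (it is chosen from the route that is found), so no `from` rule fits.
        return src is not None and ip_address(src) in ip_network(selector[1])
    raise ValueError("unknown selector %r" % (kind,))


def table_lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match inside one table; None if the table has no route for dst."""
    best: Optional[Tuple[int, str]] = None
    for prefix, dev in routes:
        net = ip_network("0.0.0.0/0" if prefix == "default" else prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return None if best is None else best[1]


def route(dst: str, src: Optional[str] = None, iif: str = "lo",
          rules: List[Rule] = RULES,
          tables: Dict[str, List[Route]] = TABLES) -> Tuple[Optional[str], Optional[str]]:
    """Walk the rules in priority order. A table that has no matching route falls
    through to the next rule. Returns (table, device), or (None, None) when the
    packet is unreachable."""
    for _prio, selector, table in sorted(rules):
        if rule_matches(selector, src, iif):
            dev = table_lookup(tables.get(table, []), dst)
            if dev is not None:
                return table, dev
    return None, None
```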


Re: [LARTC] iproute2, alternative tables, no default route: routing trouble for localhost

2006-08-18 Thread Marek Kierdelewicz

> Hi.

Hi

> router # cat /etc/iproute2/rt_tables
> #
> # reserved values
> #
> 255 local
> 254 main
> 253 default
> 0   unspec
> #

Add default route to the "default" table .. it gets hit after your
custom tables as you can see here:

router # ip rule ls
0:  from all lookup local
32763:  from 10.10.100.101/24 lookup Club
32764:  from 10.10.100.100/24 lookup Clients
32765:  from 192.168.1.0/24 lookup Servers
32766:  from all lookup main
32767:  from all lookup default

This should allow your router to connect out and receive connections.

cheers
-- 
Marek Kierdelewicz
Manager of Network Systems Department, KoBa
tel. (85) 7406466; fax. (85) 7406467
e-mail: [EMAIL PROTECTED]


Re: [LARTC] Info about IFB

2006-08-18 Thread Andy Furniss

ArcosCom Linux User wrote:

I use IMQ for incoming traffic shaping (using u32 to match the
source/destination MACs)

With IMQ I use:

iptables -t mangle -A PREROUTING -i $if_wan0 -j IMQ --to-dev 0

(for example)

to enqueue packets into the IMQ device and then shape them.

With IMQ I can use modprobe to set the device count I need and so on.

I really only want to replace the IMQ script code with IFB, but, at least for
now, I don't fully understand the packet flow using IFB.


IFB on ingress will hook the packets before netfilter, so you can't use 
iptables to mark or get the denatted addresses like you can with IMQ - 
so it's not a total replacement. There may be a way to do it in the future.




I now understand how to initialise ifbX with your example, good!!

Now some additional questions about your example:
   With this line:

tc qdisc add dev ifb19 root tbf limit 2k rate 20kbit buffer 2k

   You are initialising the qdisc for ifb in the same manner you could do
with imq?


Yes, you set up queues/filters the same as on imq.



   With these lines:
tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol arp prio 1 u32 match u32 0
0 flowid 1:1 action mirred egress redirect dev ifb19

   Are those analogous to this (my imq0 device as your ifb19 device):
iptables -t mangle -A PREROUTING -i $if_wan0 -j IMQ --to-dev 0


tc qdisc add dev $if_wan0 ingress
tc filter add dev $if_wan0 parent ffff: protocol ip ...

would be the same - iptables only sees ip, with ingress filter you can 
do others as well if you want - all, arp, 8021q or any ethertype protocol 
number (FWIW you need a different prio number for each different 
ethertype filter).




?

   The last: do I only need to add classes and qdiscs to ifb19 as if it were
my imq0 device?


You'll need to filter as well - on egress you can use iptables + marks (I 
don't think classify will work). But on ingress you can't use iptables 
because ifb is before netfilter.


Andy.


[LARTC] iproute2, alternative tables, no default route: routing trouble for localhost

2006-08-18 Thread Покотиленко Костик
Hi.

The task:

1. There are 3 servers and a router with 2 PPPoE connections (let's call them
ppp0 and ppp1).
2. There are several groups of Internet clients to be served (Servers,
Clients and Club).
3. The task is:
   - to route Club through ppp1;
   - to route Servers and Clients through ppp0.

(Next is reproduced from memory and may be slightly incorrect)

router # netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U       0 0        0 eth0
a1.a2.a3.a4     0.0.0.0         255.255.255.255 U       0 0        0 ppp0
b1.b2.b3.b4     0.0.0.0         255.255.255.255 U       0 0        0 ppp1

router # cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
#1  inr.ruhep
200 Servers
201 Clients
202 Club

router # ip rule ls
0:  from all lookup local
32763:  from 10.10.100.101/24 lookup Club
32764:  from 10.10.100.100/24 lookup Clients
32765:  from 192.168.1.0/24 lookup Servers
32766:  from all lookup main
32767:  from all lookup default

router # ip route ls table Clients
default via a1.a2.a3.a4 dev ppp0

router # ip route ls table Servers
default via a1.a2.a3.a4 dev ppp0

router # ip route ls table Club
default via b1.b2.b3.b4 dev ppp1



So, to summarize, there is no default route in the main routing table. Each
group of clients is to be routed through its respective connection, and,
when its connection is down, it is not to be routed.

This scheme works almost fine: 10.10.100.100/24 addresses are really
being routed through ppp0, 10.10.100.101/24 through ppp1 and
192.168.1.0/24 (3 Servers) through ppp0. BUT the router itself
(192.168.1.4) has no route to any host. I get "network is unreachable"
on any connection attempt from 192.168.1.4. And I can't connect to this
router from outside, because the packets have no route to be sent back.

I thought that there is a different routing policy for localhost and
added a default route to the "local" table. 192.168.1.4 started to have
the route, but the rest of the scheme started to work incorrectly.

So, the question is: how is the routing of packets coming from
localhost accomplished?

As I see it, there is a kind of "vicious circle" situation, because to enter
an alternative routing table there should already be a "source address", but
for localhost, which has many source addresses, it should decide which
route it needs to have the corresponding "source address" set.

-- 
Покотиленко Костик <[EMAIL PROTECTED]>



Re: [LARTC] Info about IFB

2006-08-18 Thread ArcosCom Linux User
I use IMQ for incoming traffic shaping (using u32 to match the
source/destination MACs)

With IMQ I use:

iptables -t mangle -A PREROUTING -i $if_wan0 -j IMQ --to-dev 0

(for example)

to enqueue packets into the IMQ device and then shape them.

With IMQ I can use modprobe to set the device count I need and so on.

I really only want to replace the IMQ script code with IFB, but, at least for
now, I don't fully understand the packet flow using IFB.

I now understand how to initialise ifbX with your example, good!!

Now some additional questions about your example:
   With this line:

tc qdisc add dev ifb19 root tbf limit 2k rate 20kbit buffer 2k

   You are initialising the qdisc for ifb in the same manner you could do
with imq?

   With these lines:
tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol arp prio 1 u32 match u32 0
0 flowid 1:1 action mirred egress redirect dev ifb19

   Are those analogous to this (my imq0 device as your ifb19 device):
iptables -t mangle -A PREROUTING -i $if_wan0 -j IMQ --to-dev 0

?

   The last: do I only need to add classes and qdiscs to ifb19 as if it were
my imq0 device?


Thanks and sorry for my English.





Re: [LARTC] enable p2p to some host (ipp2p)

2006-08-18 Thread linux
In theory, for all p2p traffic matched by ipp2p you only need the "--ipp2p"
parameter, not the rest you put.

You could use this:

#FIRST allow your net's p2p traffic:
iptables -A FORWARD -d mynet -m ipp2p --ipp2p -j ACCEPT
iptables -A FORWARD -s mynet -m ipp2p --ipp2p -j ACCEPT

#Next, drop p2p traffic that is not from or to your net:
iptables -A FORWARD -m ipp2p --ipp2p -j DROP

If these don't work (I remember testing it some months ago and it didn't work
fine), you'll need many rules, one per type of p2p traffic, like this:

iptables -A FORWARD -d mynet -m ipp2p --bit -j ACCEPT
iptables -A FORWARD -s mynet -m ipp2p --bit -j ACCEPT
iptables -A FORWARD -m ipp2p --bit -j DROP

iptables -A FORWARD -d mynet -m ipp2p --apple -j ACCEPT
iptables -A FORWARD -s mynet -m ipp2p --apple -j ACCEPT
iptables -A FORWARD -m ipp2p --apple -j DROP

...

iptables -A FORWARD -d mynet -m ipp2p --soul -j ACCEPT
iptables -A FORWARD -s mynet -m ipp2p --soul -j ACCEPT
iptables -A FORWARD -m ipp2p --soul -j DROP


Or if you don't want to write much, you can use:

export p2p_list="bit apple ... soul"
for i in ${p2p_list}; do
   iptables -A FORWARD -d mynet -m ipp2p --$i -j ACCEPT
   iptables -A FORWARD -s mynet -m ipp2p --$i -j ACCEPT
   iptables -A FORWARD -m ipp2p --$i -j DROP
done

> Roberto Pereyra wrote:
>> Hi
>>
>> I using ipp2p to block p2p traffic.
>>
>> How to enable to use p2p to me host in my net ?
>>
>> I using this setup:
>>
>> iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul --ares
>> -j DROP
>>
>>
>> This setup:
>>
>> iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul
>> --ares -d ! mynet -j DROP
>>
>> iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul
>> --ares -s ! mynet -j DROP
>>
>>
>> not works 
>
> Don't know really as I don't use ipp2p - but you could just match and
> return/accept mynet traffic before the ipp2p rules are hit.
>
> Andy.


Re: [LARTC] ingress and flowid

2006-08-18 Thread Andy Furniss

Andrés Ghigliazza wrote:

Hi there,

I am trying to understand our router / firewall, that was configured
by another person. It is a Debian GNU/Linux with several
configurations with tc and iptables.

I have a question about flowid in the ingress qdisc. As far as I know,
this qdisc is a dummy one, and flowid is just used with :1 because the
traffic has to be redirected to something.

However, in our router, there are some filters on the ingress qdisc that
have different flowids (:1, :2 and :5). Does that make any sense?


If they are before the mirred egress redirect dev dummyX then they will 
not affect the shaping/classification on the dummy setup, but will be 
restored when the packets leave dummy - so you can shape again if say 
you were doing it on egress (you can't filter redirected packets twice 
to avoid loops). I don't know whether they carry over to egress when 
it's done on ingress.


Andy.


Re: [LARTC] enable p2p to some host (ipp2p)

2006-08-18 Thread Andy Furniss

Roberto Pereyra wrote:

Hi

I am using ipp2p to block p2p traffic.

How can I enable p2p for a host in my net?

I am using this setup:

iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul --ares 
-j DROP



This setup:

iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul
--ares -d ! mynet -j DROP

iptables -A FORWARD -m ipp2p --ipp2p --bit --apple --winmx --soul
--ares -s ! mynet -j DROP


does not work 


Don't know really as I don't use ipp2p - but you could just match and 
return/accept mynet traffic before the ipp2p rules are hit.


Andy.


Re: [LARTC] Re: tc filter

2006-08-18 Thread Andy Furniss

Jarek Poplawski wrote:


Should be:
# tc filter add dev eth0 parent 1: proto ip pref 100 \
u32 match ip dst 192.168.1.222 flowid 1: police \
conform-exceed drop/drop


Looks a bit iffy but I haven't tried it - I thought that would be drop 
whether under or over - if it's valid at all without action/ a police rate.


Andy.


Re: [LARTC] howto reduce the ping?

2006-08-18 Thread Andy Furniss

Julius Junghans wrote:

Hi,

with the attached config my gaming ping is still +20ms, even if the line isn't
saturated. Can anybody give me a hint how to get a better response time?
my line: 1024/128kbit


Does not saturated mean no other traffic - I mean if you really have 
128kbit up eg. dsl then the bitrate latency of a 1500 byte packet is 
about 90ms so that's the best jitter you can get. Without tweaking and 
recompiling htb it's likely to be 2x that.


You also have to consider overheads (you can patch for dsl/atm 
overheads), and with htb it's better to have your game class with a high 
rate and the lesser classes can just borrow the spare.


You shouldn't see any difference in latency with/without htb on the 
interface - as long as there is no other traffic.


If I had 128kbit up I would consider reducing mtu on ppp0 or using 
netfilter to mss clamp so that outbound bulk packets were smaller.


For the ingress shaping to work you need to sacrifice bandwidth - quite 
a lot for some traffic. You also need short queues so you drop packets.


If you do not specify htb/hfsc will pickup queue lengths from the 
interface defaults - 3 for ppp, 32 for imq, 1000 for eth - not always 
what you want.


Use counters to verify your classification is working -

iptables -L -v -n

tc -s class ls dev ppp0 etc


Andy.
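An added calculation (Python, not from the post) behind the "about 90ms for a 1500 byte packet at 128kbit" figure above, extended with the ATM cell padding and the MTU reduction / MSS clamping Andy mentions. The 10-byte encapsulation overhead used in the tests is an assumed PPPoA VC-mux figure (2-byte PPP header plus 8-byte AAL5 trailer); other DSL encapsulations carry more.

```python
import math

ATM_CELL, ATM_PAYLOAD = 53, 48   # bytes per cell on the wire / usable payload per cell


def serialization_ms(wire_bytes: int, uplink_kbit: float) -> float:
    """Time to clock one frame onto the link. bits / (kbit/s) comes out in ms."""
    return wire_bytes * 8 / uplink_kbit


def atm_wire_bytes(ip_bytes: int, encap_overhead: int) -> int:
    """Bytes really sent for one IP packet on a DSL/ATM link: packet plus
    encapsulation, padded up to whole 48-byte cells, each carried in a 53-byte cell."""
    cells = math.ceil((ip_bytes + encap_overhead) / ATM_PAYLOAD)
    return cells * ATM_CELL


def head_of_line_ms(mtu: int, uplink_kbit: float, atm: bool = False,
                    encap_overhead: int = 0) -> float:
    """Worst-case wait for a game packet that arrives just after a bulk packet of
    size `mtu` started transmitting: the shaper cannot preempt a packet in flight,
    so this is the jitter floor Andy describes."""
    wire = atm_wire_bytes(mtu, encap_overhead) if atm else mtu
    return serialization_ms(wire, uplink_kbit)


def mtu_for_budget(budget_ms: float, uplink_kbit: float, atm: bool = False,
                   encap_overhead: int = 0) -> int:
    """Largest MTU whose head-of-line delay stays within `budget_ms`. This is the
    value for a reduced ppp0 MTU (or, minus 40 bytes of TCP/IP headers, an MSS clamp)."""
    mtu = 1500
    while mtu > 68 and head_of_line_ms(mtu, uplink_kbit, atm, encap_overhead) > budget_ms:
        mtu -= 1
    return mtu


def usable_fraction(mtu: int, encap_overhead: int) -> float:
    """Share of the raw ATM rate that carries IP bytes at this packet size; a shaper
    that ignores cell overhead must be set to about this fraction of the sync rate
    (less still for small packets, which is the bandwidth you have to sacrifice)."""
    return mtu / atm_wire_bytes(mtu, encap_overhead)
```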


Re: [LARTC] Info about IFB

2006-08-18 Thread Andy Furniss

Samuel Díaz García wrote:
Hi, I'm looking for info about IFB devices and how I can use them for 
incoming traffic shaping.


Does IFB have any web page about it?
Does anybody know where I can find more info about it?

I found this:
http://linux-net.osdl.org/index.php/IFB

But I can't understand well how to use it to allow many ifb devices or how 
to use it with "tc actions".


Any help?

Thanks



To use many you'll need to specify the number with modprobe -

modprobe ifb numifbs=20

ip link ls should show them all - you need to ip link set up dev ifbXX 
as well.


to send arp coming in on eth0 to ifb19 which has a tbf on it (just to 
see counters - would be silly to really limit arp)


ip link set up ifb19
tc qdisc add dev ifb19 root tbf limit 2k rate 20kbit buffer 2k

tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol arp prio 1 u32 match u32 0 
0 flowid 1:1 action mirred egress redirect dev ifb19


The flowid 1:1 is what the classification will be when the packet 
returns from the ifb - unless you are shaping again (on a real dev - you 
can't chain ifbs) it doesn't really matter what you put, but you do need 
one as without it the rule will be accepted, but won't work (apart from 
as a counter)


look at counters with -

tc -s qdisc ls dev ifb19
tc -s filter ls dev eth0 parent ffff:

If you want to do the same sort of thing on egress you need to put 
something classful on the interface rather than the default pfifo_fast 
- prio will do.


Some examples show using marks as well; it's not needed as such and 
doesn't always work as the netfilter bits keep getting out of sync with 
ifb.


Andy.

