date:20061112

[LARTC] Why did I need strange ceiling settings? (full version)

2006-11-12 Thread Philipp Leusmann

Sorry I pressed the wrong key and sent the message too early...

 -Ursprüngliche Nachricht-
 Von: Philipp Leusmann [mailto:[EMAIL PROTECTED]
 Gesendet: Mittwoch, 8. November 2006 12:53
 An: 'lartc@mailman.ds9a.nl'
 Betreff: Why did I need strange ceiling settings?
 
 Hi all,
 
 I recently installed traffic shaping on my ADSL line with a nominal upload
 rate of 1MBit. My Modem says it has an upload bitrate of 843 kbits.
 So I thought, to use a ceiling of 800kbit for the root qdisc is a good
 idea.
 But with that setting I only achieved upload rates of around 300kbits
 whereas I reached around 650 kbits without traffic shaping.
 Yesterday I played a little with the ceiling value and found that
 increasing it to 175kBps did the job.
 Could anybody please explain this strange behaviour?
 
 My shaping script looks as follows:

UPRATE=175kbps
P2PRATE=20kbps
PRIORATE1=80kbps
PRIORATE2=50kbps
PRIORATE3=40kbps
PRIORATE4=5kbps 

MTU=`/sbin/ifconfig $EXTIF | grep 'MTU' | awk '{print $6}' | sed -e
's/.*://'`

# Quantum
QUANTUM1=$(($MTU*4))
QUANTUM2=$(($MTU*3))
QUANTUM3=$(($MTU*2))
QUANTUM4=$MTU

# Burst
## removed bursts
#BURST1=6k
#BURST2=4k
#BURST3=2k
#BURST4=0k
#CBURST1=3k
#CBURST2=2k
#CBURST3=1k
#CBURST4=0k

echo Set queue length for IFACE
# Set queue length for IFACE
ifconfig $IFACE txqueuelen 16

echo Trying to delete old ruleset. Will give error if it does not exist
tc qdisc del dev $IFACE root 

echo Specify queue discipline
# Specify queue discipline
tc qdisc add dev $IFACE root handle 1:0 htb default 103

echo Set root class
# Set root class
tc class add dev $IFACE parent 1:0 classid 1:1 htb rate $UPRATE ceil $UPRATE
echo Specify sub classes
# Specify sub classes
tc class add dev $IFACE parent 1:1 classid 1:101 htb rate $PRIORATE1 ceil
$UPRATE quantum $QUANTUM1 prio 0
tc class add dev $IFACE parent 1:1 classid 1:102 htb rate $PRIORATE2 ceil
$UPRATE quantum $QUANTUM2 prio 1
tc class add dev $IFACE parent 1:1 classid 1:103 htb rate $PRIORATE3 ceil
$UPRATE quantum $QUANTUM3 prio 2
tc class add dev $IFACE parent 1:1 classid 1:104 htb rate $PRIORATE4 ceil
$P2PRATE quantum $QUANTUM4 prio 3

echo Filter packets
# Filter packets
tc filter add dev $IFACE parent 1:0 protocol ip prio 0 handle $MARKPRIO1 fw
classid 1:101
tc filter add dev $IFACE parent 1:0 protocol ip prio 1 handle $MARKPRIO2 fw
classid 1:102
tc filter add dev $IFACE parent 1:0 protocol ip prio 2 handle $MARKPRIO3 fw
classid 1:103
tc filter add dev $IFACE parent 1:0 protocol ip prio 3 handle $MARKPRIO4 fw
classid 1:104

UPRATE=175kbps
P2PRATE=20kbps
PRIORATE1=80kbps
PRIORATE2=50kbps
PRIORATE3=40kbps
PRIORATE4=5kbps 

MTU=`/sbin/ifconfig $EXTIF | grep 'MTU' | awk '{print $6}' | sed -e
's/.*://'`

# Quantum
QUANTUM1=$(($MTU*4))
QUANTUM2=$(($MTU*3))
QUANTUM3=$(($MTU*2))
QUANTUM4=$MTU

# Burst
## removed bursts
#BURST1=6k
#BURST2=4k
#BURST3=2k
#BURST4=0k
#CBURST1=3k
#CBURST2=2k
#CBURST3=1k
#CBURST4=0k

echo Set queue length for IFACE
# Set queue length for IFACE
ifconfig $IFACE txqueuelen 16

echo Trying to delete old ruleset. Will give error if it does not exist
tc qdisc del dev $IFACE root 

echo Specify queue discipline
# Specify queue discipline
tc qdisc add dev $IFACE root handle 1:0 htb default 103

echo Set root class
# Set root class
tc class add dev $IFACE parent 1:0 classid 1:1 htb rate $UPRATE ceil $UPRATE
echo Specify sub classes
# Specify sub classes
tc class add dev $IFACE parent 1:1 classid 1:101 htb rate $PRIORATE1 ceil
$UPRATE quantum $QUANTUM1 prio 0
tc class add dev $IFACE parent 1:1 classid 1:102 htb rate $PRIORATE2 ceil
$UPRATE quantum $QUANTUM2 prio 1
tc class add dev $IFACE parent 1:1 classid 1:103 htb rate $PRIORATE3 ceil
$UPRATE quantum $QUANTUM3 prio 2
tc class add dev $IFACE parent 1:1 classid 1:104 htb rate $PRIORATE4 ceil
$P2PRATE quantum $QUANTUM4 prio 3

echo Filter packets
# Filter packets
tc filter add dev $IFACE parent 1:0 protocol ip prio 0 handle $MARKPRIO1 fw
classid 1:101
tc filter add dev $IFACE parent 1:0 protocol ip prio 1 handle $MARKPRIO2 fw
classid 1:102
tc filter add dev $IFACE parent 1:0 protocol ip prio 2 handle $MARKPRIO3 fw
classid 1:103
tc filter add dev $IFACE parent 1:0 protocol ip prio 3 handle $MARKPRIO4 fw
classid 1:104




Thanks in advance and sorry for the incomplete posting.

Greetings,
 Philipp


___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[LARTC] Script for get bandwidth statistic from iptable

2006-11-12 Thread Thossapron Apinyapanha

isearch a lot forum how to get bandwidth statistic such number of packet, total byte in each application protocol by using IPTABLES + netfilter-layer7 but i don't know which script for getting it in log file and use data after get it for plotting graph later my IPTABLES command like this iptables -t mangle -N all iptables -t mangle -A POSTROUTING -j all iptables -t mangle -A POSTROUTING -p udp --sport  -j CLASSIFY --set-class 1:11 iptables -t mangle -A POSTROUTING -m layer7 --l7proto mms -j CLASSIFY --set-class 1:12 iptables -t mangle -A POSTROUTING -m layer7 --l7proto telnet -j CLASSIFY --set-class 1:13 iptables -t mangle -A POSTROUTING -m layer7 --l7proto ftp ftp-data -j CLASSIFY --set-class 1:14 iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j CLASSIFY
 --set-class 1:15 please advise me about perl script
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[LARTC] bridge stops bridging

2006-11-12 Thread Andy Furniss


I recently upgraded my gateway to a pIII 600 with a zyxel 4 port nic
(tulip) and bridge eth0 and eth1, eth0 is a crossover cable to my PC
eth1 a switch.

I don't have ifconfig on this box (LFS) and couldn't find any examples
of bridging using ip - maybe this is relevant maybe not - I've tried a
few combinations of different orders of setting things up. Is there a
magic one?

There is normally no traffic across the bridge - it is all to/from br0
(It's still needed though, for games that use ipx/same subnet and I
multicast out of br0 (Don't know how to add a mcast route to more than 
one if).


I expected things to just bridge, but this does not always happen (maybe 
timeout) eg
pinging a box on the switch from box on eth0 fails at ip level - arp 
passes eth0 both ways, but I can't see any ip with tcpdump on eth0, 
pinging from a box on the switch  however doesn't get arp replies from eth0.


I can fix it by running a script on the bridge box to toggle eth0
down/up, which forces learning and all is then OK.

brctl showmacs br0 looks no different whether it's working or not - all 
macs are shown and traffic to/from br0 always works.


Kernel (tainted by dsl modem) is 2.6.17.11, iproute2-ss060323,
bridge-utils 1.1.

STP off (turning on doesn't fix)


Andy.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Why did I need strange ceiling settings? (full version)

2006-11-12 Thread Andy Furniss


Philipp Leusmann wrote:

You will need to back off from the rates more and use kbit of course.


tc qdisc add dev $IFACE root handle 1:0 htb default 103


default is bad if $IFACE is eth your arp will go here, also if eth 
Quantum should be set to ip mtu + 14.




echo Set root class
# Set root class
tc class add dev $IFACE parent 1:0 classid 1:1 htb rate $UPRATE ceil $UPRATE
echo Specify sub classes
# Specify sub classes
tc class add dev $IFACE parent 1:1 classid 1:101 htb rate $PRIORATE1 ceil
$UPRATE quantum $QUANTUM1 prio 0
tc class add dev $IFACE parent 1:1 classid 1:102 htb rate $PRIORATE2 ceil
$UPRATE quantum $QUANTUM2 prio 1
tc class add dev $IFACE parent 1:1 classid 1:103 htb rate $PRIORATE3 ceil
$UPRATE quantum $QUANTUM3 prio 2
tc class add dev $IFACE parent 1:1 classid 1:104 htb rate $PRIORATE4 ceil
$P2PRATE quantum $QUANTUM4 prio 3


Using different quantums makes more sense if classes have the same prio 
- like this the higher prio classes get all spare anyway if they need it.




echo Filter packets
# Filter packets
tc filter add dev $IFACE parent 1:0 protocol ip prio 0 handle $MARKPRIO1 fw
classid 1:101
tc filter add dev $IFACE parent 1:0 protocol ip prio 1 handle $MARKPRIO2 fw
classid 1:102
tc filter add dev $IFACE parent 1:0 protocol ip prio 2 handle $MARKPRIO3 fw
classid 1:103
tc filter add dev $IFACE parent 1:0 protocol ip prio 3 handle $MARKPRIO4 fw
classid 1:104


Makes no difference as such in this case, but highest prio for filters is 1.

Andy.
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Lartc documentation version?

2006-11-12 Thread Andy Furniss


Hans du Plooy wrote:

Hi guys,

I'm just lurking and learning.  Went to the lartc web page to read the
howto.  The page says the current version is 1.0.0 but in the pdf, on
page 2 it says Revision: 1.43  - Which is it?

Also, the instructions for cvs checkout gives me this:

Logging in to :pserver:[EMAIL PROTECTED]:2401/var/cvsroot
CVS password:
cvs [login aborted]: connect to outpost.ds9a.nl(213.244.168.210):2401
failed: Connection refused

I'm using the password suggested on the page.


LARTC hasn't been updated for ages AFAIK - there was talk of setting up 
a wiki on linux-net.osdl.org but bert said he would do one himself


Andy.
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Script for get bandwidth statistic from iptable

2006-11-12 Thread Andy Furniss


Thossapron Apinyapanha wrote:
i search a lot forum how to get bandwidth statistic such number of packet, total byte in each application protocol by using IPTABLES + netfilter-layer7 

but i don't know which script for getting it in log file and use data after get it for plotting graph later 

my IPTABLES command like this 

iptables -t mangle -N all 
iptables -t mangle -A POSTROUTING -j all 
iptables -t mangle -A POSTROUTING -p udp --sport  -j CLASSIFY --set-class 1:11 
iptables -t mangle -A POSTROUTING -m layer7 --l7proto mms -j CLASSIFY --set-class 1:12 
iptables -t mangle -A POSTROUTING -m layer7 --l7proto telnet -j CLASSIFY --set-class 1:13 
iptables -t mangle -A POSTROUTING -m layer7 --l7proto ftp ftp-data -j CLASSIFY --set-class 1:14 
iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j CLASSIFY --set-class 1:15 



please advise me about perl script


Don't know about scripts as such - iptables -Lvn will give stats.

I think the above will need connmark aswell to work properly. I haven't 
tried l7 but suspect the above rules will only classify the first 
packets of each connection.


Andy.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[LARTC] Bridge and Router on the same device

2006-11-12 Thread Net Cerebrum

I want to configure a device with three network interfaces where two of them would bridge two segments of the LAN subnet and the third one would be connected to the WAN link.eth0 - 10.10.10.2/24
 to be connected to the internet gateway having IP 10.10.10.1/24 (also the default gateway for the device)eth1 and eth2 bridged as br0 with IP address 
172.16.100.1 connected to different segments of the subnet 172.16.100.0/24. WAN (10.10.10.1)   |
   |  eth0 (10.10.10.2)-eth1   eth2--
LAN (172.16.100.0/24) LAN (172.16.100.0/24)I plan to configure the Bridge IP (
172.16.100.1) as the default gateway for the LAN and also regulate the traffic between the two bridged interfaces (eth1 and eth2) using a user space tool. Further since the traffic meant for internet would pass through eth0, there would be a need to regulate the traffic between eth1 and eth0 and also eth2 and eth0.
Is the above arrangement feasible ? Would it be possible to define static routes on this device itself involving hosts reachable through either of the interfaces.Thank you in advance.
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[LARTC] Re: Troubles DNATing UDP

2006-11-12 Thread Покотиленко Костик

В Птн, 10/11/2006 в 16:39 +0100, dAm2K пишет:
   Once again, all those packets reach INPUT chain, rules in -t nat -I
   PREROUTING not working.
  
   So here is the question: Does the UDP is being DNAT'ed differently
   comparing with TCP? What is the difference? How can I DNAT them?
 
 If your HW UDP pinger's default gateway is your natting firewall, try
 to ping directly the 192.168.1.2 web server. If default gateway is
 another router, try adding the route 192.168.1.0/25 to you HW pingers
 and ping directly 192.168.1.2.

That would probably help, but it is not desirable. The topology may
change, so it's better ping the closest roouter and to natting in it.

 If this is not possible (and you are UDP pinging you firewall) open
 dport 4000 udp in INPUT chain on your firewall and do natting:
 
 iptables -t filter -A INPUT -p udp -m udp -s 10.10.0.0/16 -d
 10.10.100.1 --dport 4000 -j ACCEPT
 iptables -t nat -A PREROUTING -p udp -m udp -s 10.10.0.0/16 -d
 10.10.100.1 --dport 4000 -j DNAT --to-destination 192.168.1.2
 
 This way 192.168.1.2 host should receive udp packets coming from the firewall.

This is what I've done. But, packets are reaching INPUT chain, counters
of the first rule are increasing, and packets are not reaching second
rule, it's counters are zero all the time. And DNAT'ing not working :/

 My setup is running smoothly with UDP and NAT, I'm using with
 playstation online games...
 
 Hope this help. Bye, Dino.
 
-- 
Покотиленко Костик [EMAIL PROTECTED]

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Troubles DNATing UDP

2006-11-12 Thread Покотиленко Костик

В Птн, 10/11/2006 в 10:31 -0600, Taylor, Grant пишет:
 Покотиленко Костик wrote:
 
 snip
 
  As the pingers ping (send UDP packets) to 10.10.100.1 I was trying to
  redirect them to 192.168.1.2 by:
  
  iptables -t nat -I PREROUTING 1 -p udp --dport 4000 -j DNAT
  --to-destination 192.168.1.2:4000
  iptables -I FORWARD -p udp --dport 4000 -d 192.168.1.2 -j ACCEPT
 
 (Before morning coffee...)
 
 One quick question / point.  Your source and destination ports are both 4000 
 right?  (I presuming yes.)  Your PREROUTING rule is looking to DNAT any UDP 
 traffic that has a destination port of 4000 to 192.168.1.2.  What happens to 
 the reply traffic from 192.168.1.2 that is destined to port 4000 on 10.0.x.y?

There is not such traffic as that kind of ping not supposed to do
replay. Explain latter.

  Neither of those rules not catching the packets, they all reach
  10.10.100.1 INPUT chain. Those rule counters are zero.
 
 Hum.  Try adding a rule similar to this:
 
 iptables -t nat -I PREROUTING 1 -p udp --dport 4000 -j LOG
 
 To see if you can match the packets at all.

I did that, nothing is matched. This is strange.

  If I do:
  
  iptables -t mangle -I PREROUTING 1 -p udp --dport 4000
  
  this rule catch needed packets, but not in NAT tables! Why?
 
 I would expect that you could match the packets any where they traverse the 
 kernel.
 
 snip
 
  Here is tcpdump from 10.10.100.1:
  
  # tcpdump -i br0 port 4000 -n
  tcpdump: verbose output suppressed, use -v or -vv for full protocol
  decode
  listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
  16:36:53.202130 IP 10.10.100.23.4000  10.10.100.1.4000: UDP, length: 74
  16:36:54.092413 IP 10.10.100.21.4000  10.10.100.1.4000: UDP, length: 74
  16:36:54.143128 IP 10.10.100.22.4000  10.10.100.1.4000: UDP, length: 74
  16:36:55.291886 IP 10.10.100.23.4000  10.10.100.1.4000: UDP, length: 74
  16:36:55.545621 IP 10.10.100.22.4000  10.10.100.1.4000: UDP, length: 74
  16:36:55.743096 IP 10.10.100.21.4000  10.10.100.1.4000: UDP, length: 74
 
 Hum...
 
  Once again, all those packets reach INPUT chain, rules in -t nat -I
  PREROUTING not working.
 
 You appear to be using a bridge interface, not a real network interface. 
 (Not that this is a problem.)
 
 Do you have the Bridged IP/ARP packets filtering option enabled in the 
 kernel?  If you do, this option will enable NetFilter Layer 3 filtering at 
 the EBTables Layer 2 level.  I.e. you can use IPTables to filter bridged 
 traffic.  In this case you will need to write rules to allow your bridged 
 traffic to flow through, as it is dependent on your Table / CHAIN default 
 policies.

There are alot of other udp and tcp traffic already comming through.

  So here is the question: Does the UDP is being DNAT'ed differently
  comparing with TCP? What is the difference? How can I DNAT them?
 
 I do not think that the problem is with the protocol(s) per say, but rather 
 the filtering that is in place.
 
 Will you please do an iptables-save output so that we can see your entire 
 firewall script to better evaluate what is going on.

I'll study the situation once again today and send the entire rules if
no luck.

  Thanks in advance.
 
 No problem.
 
  P.S. This king of UDP ping doesn't require responce, its just to see
  which remote point is still alive.
 
 Sorry, I have to ask.  How are you going to be able to tell if a point is 
 active if you do not get a reply?  Are you looking for some sort of anomaly 
 in reply / error (or lack there of) traffic to determine if a point is active?

You should get 1 packet per second from each HW pinger, if you don't get
or get less than 1packet/s from particular HW pinger, then there are
problems with the route to that HW pinger. For debugging purpose it's
possible to ping clients in between and figure out where the problem
starts to take place.

-- 
Покотиленко Костик [EMAIL PROTECTED]

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[LARTC] Why did I need strange ceiling settings? (full version)

[LARTC] Script for get bandwidth statistic from iptable

[LARTC] bridge stops bridging

Re: [LARTC] Why did I need strange ceiling settings? (full version)

Re: [LARTC] Lartc documentation version?

Re: [LARTC] Script for get bandwidth statistic from iptable

[LARTC] Bridge and Router on the same device

[LARTC] Re: Troubles DNATing UDP

Re: [LARTC] Troubles DNATing UDP

9 matches

Site Navigation

Mail list logo

Footer information