Re: [LARTC] SIP, NAT, and load balancing problems
I unfortunately think that I can't use that solution (if I understood it well). My box actually has two functions, it's an Asterisk box and a load balancing router. For LAN clients, as this box represents their default gateway, there would be no problem in implementing a pure routing solution. I could create a new subnet on a dummy interface, and reconfigure all LAN SIP phones to point to that IP, the box itself would route packets to its dummy interface. For WAN clients, what I need is to have a unique interface (a unique public IP) accepting SIP connections, and outgoing traffic always passing by this interface. My current issue is with outgoing SIP/RTP traffic that sometimes gets load-balanced and uses the other public IP, which i have to force to the other interface, with lots of NATing/Re-Routing problems, as a single call can have multiple UDP flows (SIP and RTPs). My main problem with the DummyNet solution on the WAN side is that I cannot access to the internet routers behind this box, so I can't add routes to reach a new subnet. This means that I'm back with the same type of problem trying to NAT, but this time not only the box's outgoing traffic, but also the clients incoming traffic, for them to reach the dummy0 interface. Tell me if i'm wrong, but that solutions appears to me as more complicated in my particular case. Aouch, that's much harder than I thought it would be. :-( François. Grant Taylor wrote: François Delawarde wrote: What i meant is that people (in #asterisk on freenode) told me that Asterisk could be bound to a unique IP, or to all IPs (binding it to 0.0.0.0). But if you know a way to bind it to only some IPs, then yeah! I need your help :-) I guess we need to put something in the bindaddr parameter of sip.conf. Right now I have: [general] bindaddr=0.0.0.0 I have 3 IPs in 3 interfaces: eth0 (LAN): 192.168.10.1 eth1 (WAN): 192.168.1.2 (gw 192.168.1.1) eth2 (WAN): 192.168.2.2 (gw 192.168.2.1) How can I bind Asterisk SIP to 192.168.10.1 and 192.168.2.2 only, to work around my load balancing problem? I'll email you off the mailing list as this does not pertain to LARTC. If Asterisk is only listening to one IP and you are routing to get to your other network, you could end up with some really weird issues that will be very difficult to over come, probably MUCH harder than resolving the issue with Asterisk only binding to one interface. I don't really understand what you mean, but that's right, i have really weird issues. What I was saying is that if Asterisk is only bound to one IP address, be it loopback, eth0, eth1, or even a dummy0 interface, you will have to route traffic to that address. If you can indeed only bind Asterisk to only one IP address or all IP addresses on the system, I would recommend that you use DummyNet to bind Asterisk to. However this may be a problem down when NATing comes in to play. (More on this later.) Supposing that you bind Asterisk to the dummy0 interface, either all equipment will need to its self know how, or the default router for the equipment will need to know how to reach the subnet on the dummy0 interface. This usually means that you will have to have the default gateway for all client systems / phones know how to reach the subnet on the dummy0 interface. I.e. the default gateway will have to have a route to the subnet on the dummy0 interface via the interface on the Asterisk box facing the router(s). Consider: +--+ | Asterisk Box | | [A.B.C.D/NM]-|---(INet) (192.168.0.0/24)---|-[192.168.0.254/24] | | [192.2.0.254/24] | | | | +--+ | [dummy0] In this case, 192.168.0.254/24 is the LAN, the internet is it's own IP, and 192.2.0.254/24 is assigned to the dummy0 interface. If you bind Asterisk to the 192.2.0.254 IP on the dummy0 interface, you will have to route all traffic that is to or from Asterisk in to and out of the dummy0 network. Now that you can easily see that you would have to route traffic in to and out of the dummy0 interface, I can probably better explain the weird routing issue that you have. You are binding Asterisk to an IP on your system. No matter what IP you bind Asterisk to, traffic from any other subnet will have to be routed to that subnet to reach Asterisk. With this in mind, now consider if you bind Asterisk to one WAN interface, traffic to / from your LAN or the other WAN interface will have to be routed to be able to reach Asterisk. If you bind Asterisk to the LAN interface, traffic to / from either WAN will have to be routed to be able to reach Asterisk. Usually routing traffic is not an issue. However, as you have pointed out, when you MASQUERADE traffic as it leaves either of your WAN
[LARTC] blocking traffic on the FORWARD chain using physdev
Currently using physdev on a bridge to try and isolate certain paths across and to the bridge. It all works except when trying to stop the flow in one direction on the FORWARD chain?? Can someone please help?? Below is the testing done so far. eth1 --- BRIDGE --- eth0 # Block (eth0 --- eth1) - blocks both directions and not just one?? iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP # Block (eth0 --- eth1) - blocks both directions and not just one?? iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP # Block (eth0 --- BRIDGE) - working iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP # Block (eth0 --- BRIDGE) - working iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP # Block (eth1 --- BRIDGE) - working iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP # Block (eth1 --- BRIDGE) - working iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP Kind Regards William ___ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] SIP, NAT, and load balancing problems
I have ip_nat_sip compiled in the kernel (and not as a module). Is that an issue? Could you give me an example of how I could do using CONNMARK and fwmark based routing if I have an outgoing RTP flow bound to the wrong interface? Thanks a lot, François. Patrick McHardy wrote: François Delawarde wrote: I was thinking of trying that along with the netfilter SIP helper, but I don't even understand how helpers work yet. If you have an idea of how i could use those things, it would also be worth trying. Just load ip_nat_sip, it should adjust the SDP information according to the NATing done on the connection. You need to make sure though that the RTP stream really does use the same connection (and NAT) as the SIP connection, which is best done by using CONNMARK and fwmark based routing. ___ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] blocking traffic on the FORWARD chain using physdev
Hi Physdev may no longer be supported soon something to do with hooks and how this is difficult to support. I have stopped using it cause I found some odd behavior in physdev-in, out seemed fine I remember. I use ebtables and marks for this now. On Thu, 2006-12-14 at 20:55 +0900, William Bohannan wrote: Currently using physdev on a bridge to try and isolate certain paths across and to the bridge. It all works except when trying to stop the flow in one direction on the FORWARD chain?? Can someone please help?? Below is the testing done so far. eth1 --- BRIDGE --- eth0 # Block (eth0 --- eth1) - blocks both directions and not just one?? iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP # Block (eth0 --- eth1) - blocks both directions and not just one?? iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP # Block (eth0 --- BRIDGE) - working iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP # Block (eth0 --- BRIDGE) - working iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP # Block (eth1 --- BRIDGE) - working iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP # Block (eth1 --- BRIDGE) - working iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP Kind Regards William ___ LARTC mailing list [EMAIL PROTECTED]://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc ___ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
RE: [LARTC] blocking traffic on the FORWARD chain using physdev
Thanks for that. Would you be able to give a simple example on how to block outgoing traffic using ebtables and icmp? as I get an error when using icmp? ebtables -A FORWARD -i eth1 -p icmp -j DROP Error message - Problem with the specified protocol. Kind Regards William -Original Message- From: Oscar Mechanic [mailto:[EMAIL PROTECTED] Sent: 14 December 2006 12:27 To: William Bohannan Cc: lartc@mailman.ds9a.nl Subject: Re: [LARTC] blocking traffic on the FORWARD chain using physdev Hi Physdev may no longer be supported soon something to do with hooks and how this is difficult to support. I have stopped using it cause I found some odd behavior in physdev-in, out seemed fine I remember. I use ebtables and marks for this now. On Thu, 2006-12-14 at 20:55 +0900, William Bohannan wrote: Currently using physdev on a bridge to try and isolate certain paths across and to the bridge. It all works except when trying to stop the flow in one direction on the FORWARD chain?? Can someone please help?? Below is the testing done so far. eth1 --- BRIDGE --- eth0 # Block (eth0 --- eth1) - blocks both directions and not just one?? iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP # Block (eth0 --- eth1) - blocks both directions and not just one?? iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP # Block (eth0 --- BRIDGE) - working iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP # Block (eth0 --- BRIDGE) - working iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP # Block (eth1 --- BRIDGE) - working iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP # Block (eth1 --- BRIDGE) - working iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP Kind Regards William ___ LARTC mailing list [EMAIL PROTECTED]://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lar tc ___ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
RE: [LARTC] blocking traffic on the FORWARD chain using physdev
Are you sure you want to block ICMP how about PMTU ebtables -I FORWARD 1 -i eth0 -p ip --ip-protocol icmp On Thu, 2006-12-14 at 21:34 +0900, William Bohannan wrote: Thanks for that. Would you be able to give a simple example on how to block outgoing traffic using ebtables and icmp? as I get an error when using icmp? ebtables -A FORWARD -i eth1 -p icmp -j DROP Error message - Problem with the specified protocol. Kind Regards William -Original Message- From: Oscar Mechanic [mailto:[EMAIL PROTECTED] Sent: 14 December 2006 12:27 To: William Bohannan Cc: lartc@mailman.ds9a.nl Subject: Re: [LARTC] blocking traffic on the FORWARD chain using physdev Hi Physdev may no longer be supported soon something to do with hooks and how this is difficult to support. I have stopped using it cause I found some odd behavior in physdev-in, out seemed fine I remember. I use ebtables and marks for this now. On Thu, 2006-12-14 at 20:55 +0900, William Bohannan wrote: Currently using physdev on a bridge to try and isolate certain paths across and to the bridge. It all works except when trying to stop the flow in one direction on the FORWARD chain?? Can someone please help?? Below is the testing done so far. eth1 --- BRIDGE --- eth0 # Block (eth0 --- eth1) - blocks both directions and not just one?? iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP # Block (eth0 --- eth1) - blocks both directions and not just one?? iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP # Block (eth0 --- BRIDGE) - working iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP # Block (eth0 --- BRIDGE) - working iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP # Block (eth1 --- BRIDGE) - working iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP # Block (eth1 --- BRIDGE) - working iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP Kind Regards William ___ LARTC mailing list [EMAIL PROTECTED]://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lar tc ___ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[LARTC] hfsc rule command problem
My hfsc rule .. tc qdisc add dev eth2 handle 1: root hfsc iptables -t mangle -N ms-all iptables -t mangle -N ms-all-chains iptables -t mangle -N ms-prerouting iptables -t mangle -A PREROUTING -j ms-prerouting iptables -t mangle -A ms-prerouting -j CONNMARK --restore-mark iptables -t mangle -A ms-prerouting -p udp --dport -j MARK --set-mark 1 iptables -t mangle -A ms-prerouting -p udp -m multiport --dports 1755,5005,1024:4443,4445:5500 -j MARK --set-mark 1 iptables -t mangle -A ms-prerouting -p tcp --dport 23 -j MARK --set-mark 1 iptables -t mangle -A ms-prerouting -p tcp -m multiport --dports 20,21,5001:5004,5006:5100 -j MARK --set-mark 2 iptables -t mangle -A ms-prerouting -p tcp --dport 80 -j MARK --set-mark 2 iptables -t mangle -A ms-prerouting -j CONNMARK --save-mark iptables -t mangle -A FORWARD -o eth2 -j ms-all iptables -t mangle -A POSTROUTING -o eth2 -j ms-all-chains tc class add dev eth2 parent 1: classid 1:1 hfsc sc m2 1kbit tc filter add dev eth2 parent 1:0 protocol all u32 match u32 0 0 classid 1:1 tc class add dev eth2 parent 1:1 classid 1:11 hfsc ls m2 3500kbit ul m2 1kbit iptables -t mangle -N ms-chain-eth2-1:11 iptables -t mangle -A ms-all-chains -m mark --mark 1 -j ms-chain-eth2-1:11 iptables -t mangle -A ms-all -o eth2 -j ms-chain-eth2-1:11 tc class add dev eth2 parent 1:11 classid 1:111 hfsc rt m1 3500kbit d 10s m2 200kbit ls m2 3500kbit ul m2 3500kbit tc qdisc add dev eth2 handle 111: parent 1:111 sfq iptables -t mangle -A ms-chain-eth2-1:11 -p udp --dport -j CLASSIFY --set-class 1:111 iptables -t mangle -A ms-chain-eth2-1:11 -p udp --dport -j RETURN tc class add dev eth2 parent 1:11 classid 1:112 hfsc rt m1 3500kbit d 10s m2 1300kbit ls m2 3500kbit ul m2 3500kbit tc qdisc add dev eth2 handle 112: parent 1:112 sfq iptables -t mangle -A ms-chain-eth2-1:11 -p udp -m multiport --dports 1755,5005,1024:4443,4445:5500 -j CLASSIFY --set-class 1:112 iptables -t mangle -A ms-chain-eth2-1:11 -p udp -m multiport --dports 1755,5005,1024:4443,4445:5500 -j RETURN tc class add dev eth2 parent 1:11 classid 1:113 hfsc rt m1 3500kbit d 10s m2 1500kbit ls m2 3500kbit ul m2 3500kkbit tc qdisc add dev eth2 handle 113: parent 1:113 sfq iptables -t mangle -A ms-chain-eth2-1:11 -p tcp --dport 23 -j CLASSIFY --set-class 1:113 iptables -t mangle -A ms-chain-eth2-1:11 -p tcp --dport 23 -j RETURN tc class add dev eth2 parent 1:11 classid 1:199 hfsc rt m1 3500kbit d 10s m2 500kbit ls m2 3500kbit ul m2 3500kbit tc qdisc add dev eth2 handle 199: parent 1:199 sfq iptables -t mangle -A ms-chain-eth2-1:11 -j CLASSIFY --set-class 1:199 iptables -t mangle -A ms-chain-eth2-1:11 -j RETURN tc class add dev eth2 parent 1:1 classid 1:12 hfsc ls m2 7500kbit ul m2 1kbit iptables -t mangle -N ms-chain-eth2-1:12 iptables -t mangle -A ms-all-chains -m mark --mark 2 -j ms-chain-eth2-1:12 iptables -t mangle -A ms-all -o eth2 -j ms-chain-eth2-1:12 tc class add dev eth2 parent 1:12 classid 1:121 hfsc ls m2 3500kbit ul m2 7500kbit tc qdisc add dev eth2 handle 121: parent 1:121 sfq iptables -t mangle -A ms-chain-eth2-1:12 -p tcp -m multiport --dports 20,21,5001:5004,5006:5100 -j CLASSIFY --set-class 1:121 iptables -t mangle -A ms-chain-eth2-1:12 -p tcp -m multiport --dports 20,21,5001:5004,5006:5100 -j RETURN tc class add dev eth2 parent 1:12 classid 1:122 hfsc ls m2 3500kbit ul m2 7500kbit tc qdisc add dev eth2 handle 122: parent 1:122 sfq iptables -t mangle -A ms-chain-eth2-1:12 -p tcp --dport 80 -j CLASSIFY --set-class 1:122 iptables -t mangle -A ms-chain-eth2-1:12 -p tcp --dport 80 -j RETURN tc class add dev eth2 parent 1:12 classid 1:299 hfsc rt m1 3500kbit d 10s m2 500kbit ls m2 500kbit ul m2 7500kbit tc qdisc add dev eth2 handle 299: parent 1:299 sfq iptables -t mangle -A ms-chain-eth2-1:12 -j CLASSIFY --set-class 1:299 iptables -t mangle -A ms-chain-eth2-1:12 -j RETURN I have got a big problem, I don’t know my rule are wrong?? My rule are like this Root Real time class Non-real time class #interior class (Voip ,MMS, Telnet, default) (HTTP FTP default) #leaf class My setting rate in each class is Real time class guarantee rate: 3500kbitmax rate: 1kbit VoIP guarantee rate: 200kbit max rate: 3500kbit MMS guarantee rate: 1300kbitmax rate: 3500kbit Telnet guarantee rate: 1500kbitmax rate: 3500kbit Defaultguarantee rate: 500kbit max rate: 3500kbit Non Real time class HTTPguarantee rate: 7500kbitmax rate: 1kbit FTP guarantee rate: 3500kbitmax rate: 7500kbit Defaultguarantee rate: 3500kbitmax rate: 7500kbit I need to input traffic with so very load to shaper about 10Mbit by traffic generator but nomatter I
Re: [LARTC] About HFSC ?
Sébastien CRAMATTE wrote:
Hello,
I’ve read this Article avout VOIP and HFSC
http://automatthias.wordpress.com/2006/06/30/hfsc-and-voip/
I’ve got few questions ?
Considering this
tc class add dev $DEV parent 1:1 classid 1:2 hfsc \
rt m1 ${UPLINK}kbit d 50ms m2 $[1*$UPLINK/10]kbit \
ls m1 ${UPLINK}kbit d 50ms m2 $[3*$UPLINK/10]kbit \
ul rate ${UPLINK}kbit
That command and the script look a bit iffy to me - but then I could be
wrong and often am :-)
rt = realtime curve
ls = linksharing curve
but
m1 = ?
m1 = slope/rate of the first part of the curve.
m2 = ?
m2 = slope/rate of the second part.
d = dmax ?
I think they will be equal if m1m2, but not if m1m2. dmax is a time
when used with umax bytes hfsc will calculate the m1 bitrate needed to
send a packet umax bytes long with a delay of dmax. d is the point on
the x axis where m1 ends and m2 starts. If m1m2 then d is still d but
not the same as dmax.
Look at the curves on p10 of the sigcom pdf - I think xi = d
http://trash.net/~kaber/hfsc/SIGCOM97.pdf
You can use either format with linux, when you do tc -s -d class ls ...
the output will be in m1 d m2 format.
Andy.
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] ADSL traffic shaping to improve latency
Eye of the Beholder wrote:
Hello.
I have a 1024/256kbit ADSL and tried to shape outgoing traffic in order
to improve latency.
Here is my config.
UPLOAD_RATE=256
UPRATE=$[4*$UPLOAD_RATE/5] (a little smaller)
Depends on traffic - you may need to go smaller if there are lots of
small packets, you can patch for dsl/atm overheads.
UP70=$[7*$UPRATE/10]kbit
UP30=$[3*$UPRATE/10]kbit
UP20=$[2*$UPRATE/10]kbit
UPRATE=${UPRATE}kbit
You should really make these add up to 100 not 120.
IF=eth2
IPTABLES=iptables -t mangle -A POSTROUTING
(Initialize)
tc qdisc del dev $IF root /dev/null
iptables -t mangle -F
(Root qdisc / class)
tc qdisc add dev $IF root handle 1: htb default 20
Your arp will go to default which is not nice.
tc class add dev $IF parent 1: classid 1:1 htb rate 100mbit
(class for lan traffic)
tc class add dev $IF parent 1:1 classid 1:100 htb rate 100mbit quantum 10
(parent class for adsl traffic)
tc class add dev $IF parent 1:1 classid 1:3 htb rate $UPRATE (different classes)
tc class add dev $IF parent 1:3 classid 1:70 htb rate $UP70 ceil $UPRATE prio 1
tc class add dev $IF parent 1:3 classid 1:30 htb rate $UP30 ceil $UPRATE prio 2
quantum 1200
tc class add dev $IF parent 1:3 classid 1:20 htb rate $UP20 ceil $UPRATE prio 3
quantum 1200
(queues)
tc qdisc add dev $IF parent 1:100 handle 100: sfq perturb 10
tc qdisc add dev $IF parent 1:70 handle 70: sfq perturb 10
tc qdisc add dev $IF parent 1:30 handle 30: sfq perturb 10
tc qdisc add dev $IF parent 1:20 handle 20: sfq perturb 10
(filters)
tc filter add dev $IF parent 1:0 protocol ip handle 100 fw classid 1:100
tc filter add dev $IF parent 1:0 prio 1 protocol ip handle 7 fw classid 1:70
tc filter add dev $IF parent 1:0 prio 2 protocol ip handle 3 fw classid 1:30
tc filter add dev $IF parent 1:0 prio 3 protocol ip handle 2 fw classid 1:20
(Mark packets)
I would just -J RETURN for lan traffic here and not use htb defaut or
the 100meg class/marking
(Interactive class (70%))
$IPTABLES -p icmp -j MARK --set-mark 7
$IPTABLES -p icmp -j RETURN
$IPTABLES -p tcp --dport 22 -j MARK --set-mark 7
$IPTABLES -p tcp --dport 22 -j RETURN
$IPTABLES -p tcp --dport 6667 -j MARK --set-mark 7
$IPTABLES -p tcp --dport 6667 -j RETURN
$IPTABLES -p tcp --dport 53 -j MARK --set-mark 7
$IPTABLES -p tcp --dport 53 -j RETURN
$IPTABLES -p udp --dport 53 -j MARK --set-mark 7
$IPTABLES -p udp --dport 53 -j RETURN
(30% Class)
$IPTABLES -p tcp -m multiport --dport 20,21,25,80,443,995 -j MARK
--set-mark 3 $IPTABLES -p tcp -m multiport --dport 20,21,25,80,443,995
-j RETURN
(Lan class)
$IPTABLES -d 192.168.1.0/24 -j MARK --set-mark 100
$IPTABLES -d 192.168.1.0/24 -j RETURN
(anything else)
$IPTABLES -j MARK --set-mark 2
(I changed the default quantum values because i got messages HTB: quantum of
class
10001 is big/small. Consider r2q change. but my tc didn't accept r2q as a
parameter.)
The 100meg class should go and I would set quantum to 1514 on the
remaining (1514 because a 1500 ip length packet is seen as 1514 on an
eth interface)
I have tested that different packets get different marks (with iptables
-v -t mangle -L) and also that they go to the different classes (with tc -s -d
class
show dev eth2) so i guess my rules are correct.
However, i put a large file to download in order to test and during the
download i get 1500-2500ms ping times.
This only shapes upload, shaping download is harder. I have written lots
about this before - see archives.
Andy.
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] Reassigning a flow to a different queue
drew einhorn wrote: I'd like to initially assign all http flows to a interactive priority queue. But if the cumulative amount of traffic exceeds a threshold, I'd like to reassign it to a low priority bulk queue. Say someone is doing an http download of a huge .iso. Is this possible? You could use iptables connbytes - but that is not cumulative for multiple connections. Andy. ___ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] Limit pps not just bandwidth (kbps) on ingress
Flechsenhaar, Jon J wrote: I want to limit pps (packets per second) not just bandwidth on the ingress side. I can do this using IP tables but I'm curious if there is a way to do this with TC. Thanks. I don't think so, maybe you could ask on netdev netdev@vger.kernel.org and/or jamal [EMAIL PROTECTED] Seems like it could be a useful addition for policers. Andy. ___ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[LARTC] [announce] iproute2 2.6.19-061214
This is an update to the iproute2 command set. It can be downloaded from: http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.18-061214.tar.gz Repository: git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git For more info on iproute2 see: http://linux-net.osdl.org/index.php/Iproute2 The version number includes the kernel version to denote what features are supported. The same source should build on older systems, but obviously the newer kernel features won't be available. As much as possible, this package tries to be source compatible across releases. Changes from 2.6.18-061002 to 2.6.19-061214: Boian Bonev: Display local route table name correctly in output of: Hasso Tepper: Fixes for tc help commands jamal: Multicast computation off by one Update generic netlink header Add controller support for new features exposed clarify ok and pass Fix missing class/flowid oddity Mention need for db dev package update xfrm async events make muticast group to bitmask conversion generic update xfrm monitoring to use nl_mgrp Masahide NAKAMURA: ADDR: Fix print format for lifetimes. ADDR: Enable to add IPv6 address with valid/preferred lifetime. ADDR: Define 0xU as INFINITY_LIFE_TIME regarding to the kernel. TUNNEL: Split common functions to export them. TUNNEL: Import ip6tunnel.c. TUNNEL: IPv6-over-IPv6 tunnel support. XFRM: sub policy support. XFRM: Mobile IPv6 route optimization support. XFRM: support report message by monitor. XFRM: Mobility header support. Noriaki TAKAMIYA: ADDR: Add the 'change' and 'replace' commands to the IPv6 address manipulation context. Patrick McHardy: [IPROUTE]: Add support for routing rule fwmark masks Stephen Hemminger: Man page for ss submitted by Alex Wirt Typo in man page Trap possible overflow in usec values to netem genl Makefile LDFLAGS SA and SP in IPSec BEET mode. Route metrics decode bug. lnstat man page Man page for rtmon Update to 2.6.19 headers Add more includes Change to post 2.6.19 sanitized headers Eliminate trailing whitespace Thomas Graf: Add support for inverted selectors Add rule notification support to ip monitor ___ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
