[LARTC] sangoma WAN boards with lartc

2007-06-15 Thread [EMAIL PROTECTED]
Hi

anyone using sangoma hardware with lartc? pls let me know 

Thanks
Imthiyaz

Original Message:
-
From:  [EMAIL PROTECTED]
Date: Fri, 15 Jun 2007 12:00:07 +0200 (CEST)
To: lartc@mailman.ds9a.nl
Subject: LARTC Digest, Vol 28, Issue 23



Message: 1
Date: Fri, 15 Jun 2007 02:43:21 -0400
From: Tim Enos [EMAIL PROTECTED]
Subject: RE: [LARTC] Re: PQ questions
To: 'Christian Benvenuti' [EMAIL PROTECTED],
lartc@mailman.ds9a.nl
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain;   charset=us-ascii

Hi Christian,

Thanks for the help. Please see my in-line comments:

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Christian Benvenuti
 Sent: Thursday, June 14, 2007 4:44 PM
 To: lartc@mailman.ds9a.nl
 Subject: [LARTC] Re: PQ questions
 
 Hi,
 
 Hi all,
 
 First, let me say I've been most impressed with how quickly and
 professionally people on this list ask and answer questions.
 
 Next, let me say that with which I need help is properly configuring
 strict
 PQ, and gathering certain stats. Specifically:
 
 - I need to create a priority queue with four queues (let's say they are
 of
 high, medium, normal, and low priority)
 
 - I need to use tc filters such that:
 
  - EF (0xB8) goes to the high priority queue
 
  - AF21 (0x50) goes to the medium priority queue
 
  - AF11 (0x28) goes to the normal priority queue, and
 
  - BE traffic goes to the low priority queue
 
 - For stat collection, I need to see:
 
  - how many bytes and packets are in each of the four queues
 
 - My configuration thus far is:
 
 tc qdisc add dev eml_test root handle 1: prio bands 4 priomap 0 1 2 3
 
 tc filter add dev eml_test parent 1:0 prio 1 protocol ip u32 match ip tos
 0xb8 0xff flowid 1:1
 
 tc filter add dev eml_test parent 1:0 prio 2 protocol ip u32 match ip tos
 0x80 0xff flowid 1:2
 
 tc filter add dev eml_test parent 1:0 prio 3 protocol ip u32 match ip tos
 0x50 0xff flowid 1:3
 
 tc filter add dev eml_test parent 1:0 prio 4 protocol ip u32 match ip tos
 0x00 0xff flowid 1:4
 
 Here is an article you may find useful:
   http://citeseer.ist.psu.edu/539891.html
 
 Here is the description of the configuration parameters of the
 PRIO qdisc:
   http://www.lartc.org/howto/lartc.qdisc.classful.html#AEN903
 (just in case you did not know what the priomap option is
  used for)
 
 My questions are:
 
 - What if anything is missing/requiring change in my config given the
 stated
 requirements?
 
 Your config does not prevent a higher priority class from starving
 a lower priority class.

Exactly. That is requirement.

 You can prevent it in two different ways (at
 least):

Don't want to prevent it right now.

 
 1) You can assign a TBF qdisc (Token Bucket) to the PRIO classes
TBF: http://www.lartc.org/howto/lartc.qdisc.classless.html#AEN691
 
 2) You can replace the PRIO qdisc with something like HTB/CBQ
CBQ: http://www.lartc.org/howto/lartc.qdisc.classful.html#AEN939
HTB: http://luxik.cdi.cz/~devik/qos/htb/
 
 - What if any command should I use to view how many bytes and packets are
 in
 each of the four queues?
 
 The PRIO qdisc does not return statistics for its classes.
 However, a simple workaround consists of explicitly adding
 a qdisc to the four classes.
 By default the PRIO qdisc assigns a pFIFO (packet FIFO) qdisc to
 its classes.
 Here is how you can replace the 4 default pFIFO qdisc with 4
 explicit pFIFO qdisc:
 
 tc qdisc add dev eml_test parent 1:1 pfifo limit 1000
 tc qdisc add dev eml_test parent 1:2 pfifo limit 1000
 tc qdisc add dev eml_test parent 1:3 pfifo limit 1000
 tc qdisc add dev eml_test parent 1:4 pfifo limit 1000
 
 Now you can get the stats with:
   tc -s -d qdisc list dev eml_test

Those stats are nice to have, but the ones I must have are for how many
bytes/packets are enqueued at whatever time I check the queues. 

 
 Regards
 /Christian
 [ http://benve.info ]
 

I have tried to configure PQ to have two queues per filter with no success.
Is it even possible to have (what I'll call) hierarchical PQ? I have yet to
find

Re: [LARTC] HTB

2007-06-11 Thread [EMAIL PROTECTED]

Marco Aurelio ha scritto:

What exactly happens if the sum of the children classes rate is bigger
than the parent's?


HTB will assign to the leaf the rate regardless of the value of the 
parent's rate.
The parent's rate is used only to compute how much bandwidth must be 
allocated to the leaf's ceil.



What if the majority of these classes are using less than the minimum
rate established (eg. 0kbps)?




--
**
Marco Innocenti  Gruppo Infrastruttura e Sicurezza
CINECA   phone:+39 0516171553 / fax:+39 0516132198
Via Magnanelli 6/3   e-mail: [EMAIL PROTECTED]
40033 Casalecchio di RenoBologna (Italia)
**
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


[LARTC] PPPoE and shaping

2007-04-25 Thread Diego Giardinetto [EMAIL PROTECTED]

Hi all,
I have a little problem with my home-made slackware linux server.

Here is the scenario:
1. I have a local wifi network
2. my server does masquerading and goes out to the internet via a PPPoE connection

Goals:
1. not use SQUID
2. shaping the traffic with classes
3. emule connection must have minimum priority and a band-limit of
10KBytes/s in uplink (server---internet)

Any idea?
Thx,
Diego

--
Diego Giardinetto
Skype Name: cpuzorro
MSN: [EMAIL PROTECTED]


[LARTC] Kernel timer frequency and HTB

2007-04-02 Thread [EMAIL PROTECTED]

Hello,
i have a linux box which is acting as a lan router towards the internet 
doing traffic shaping.

My link is 10Mbit/s full duplex.

I have set some HTB classes with a rate of 20% (2Mbit/s) and a ceil of 
95% (9.5Mbit/s). Is such an excursion of bandwidth in the HTB classes 
feasible for HTB to control?


What Timer frequency (kernel menuconfig) is the most suitable among 250, 
300 and 1000Hz for HTB? Also, I really don't have any ideas on how the 
frequency could affect the network adapter performance. Is a high 
frequency going to have bad effects on interrupts handling? Has anybody 
any suggestions about this issue?


I have some warnings about HTB quantums being too big, but as I 
understand, those should only affect the precision of the shaping 
without undermining the shaping completely.


Thank you a lot.
jack



[LARTC] Divide bandwidth between 4 groups of ip with the same rate

2007-03-20 Thread [EMAIL PROTECTED]
Hello, I have begun to use the tc scripts since 2 weeks ago, so I am a beginner. 
I am trying to divide my bandwidth into 4 independent ones. Each of these 
sub-bandwidths is assigned to 4 different groups of IPs. Bandwidth sharing is 
allowed. I put a Linux box with two Ethernet cards between the router and the 
LAN. Eth1 is the card connected to the router and eth0 is the one connected to 
the LAN. My ISP provides 3 mbit upload and 300 kbit download. I define 4 classes 
for download with a rate of 300kbit and a ceil of 2700 kbit (1:10 to 1:40, 
parent 1:12). In the same way, I define 4 classes for upload with a rate of 
72kbit and a ceil of 200kbit (2:10 to 2:40, parent 2:12). Everything looks to 
work fine; nevertheless, when the traffic through one of these classes is near 
its ceil (200kbit), the http traffic through the rest of the classes becomes 
slow, and I do not understand why the free 56 kbit is not used by this traffic. 
Anyway, htb should decrease the rate of the abusive class, should it not?

Thank you in advance for your teaching.

The script that I am using is:

#Shaping in eth0 for download traffic
tc qdisc add dev eth0 root handle 1: htb default 50
tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 80mbit ceil 100mbit
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 2700kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:10 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:20 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:30 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:40 htb rate 300kbit ceil 2700kbit prio 7
tc class add dev eth0 parent 1:12 classid 1:50 htb rate 30kbit ceil 270kbit prio 7
tc filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.0.0/26 flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.0.64/26 flowid 1:20
tc filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.0.128/26 flowid 1:30
tc filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.0.192/26 flowid 1:40

#Shaping in eth1 for upload traffic marking packets at mangle
tc qdisc add dev eth1 root handle 2: htb default 50
tc class add dev eth1 parent 2: classid 2:1 htb rate 10mbit
tc class add dev eth1 parent 2:1 classid 2:11 htb rate 8mbit ceil 10mbit
tc class add dev eth1 parent 2:1 classid 2:12 htb rate 256kbit
tc class add dev eth1 parent 2:12 classid 2:10 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:20 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:30 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:40 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:50 htb rate 10kbit prio 7

tc qdisc add dev eth1 parent 2:10 handle 210: sfq perturb 10
tc qdisc add dev eth1 parent 2:20 handle 220: sfq perturb 10
tc qdisc add dev eth1 parent 2:30 handle 230: sfq perturb 10
tc qdisc add dev eth1 parent 2:40 handle 240: sfq perturb 10

iptables -A FORWARD -t mangle -i eth0 -j MARK -s 192.168.0.0/26 --set-mark 1
iptables -A FORWARD -t mangle -i eth0 -j MARK -s 192.168.0.64/26 --set-mark 2
iptables -A FORWARD -t mangle -i eth0 -j MARK -s 192.168.0.128/26 --set-mark 3
iptables -A FORWARD -t mangle -i eth0 -j MARK -s 192.168.0.192/26 --set-mark 4

tc filter add dev eth1 protocol ip parent 2:0 handle 1 prio 16 fw flowid 2:10
tc filter add dev eth1 protocol ip parent 2:0 handle 2 prio 16 fw flowid 2:20
tc filter add dev eth1 protocol ip parent 2:0 handle 3 prio 16 fw flowid 2:30
tc filter add dev eth1 protocol ip parent 2:0 handle 4 prio 16 fw flowid 2:40


 TERRA 

--

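
A check for the point Marco makes in the HTB thread above (a leaf gets its own rate regardless of the parent's rate, so the parent can only bound its children when their rates sum to no more than its own), applied to the upload tree in the script above. This is an added example, not code from the list: it reads a tc script on stdin, sums the `rate` of every HTB class under each parent class and reports parents whose children together claim more guaranteed rate than the parent has. The sample script is a constructed excerpt of the upload half above and reproduces the 2:12 case (4 x 72 kbit + 10 kbit against 256 kbit).

```shell
# Added example: report HTB parents whose children together claim more
# guaranteed rate than the parent has. Reads tc commands on stdin, one
# command per line (join lines a mail client has wrapped first).
check_htb_rates() {
    awk '
    # tc rate string -> bit/s (suffixes used on this page: bit, kbit, mbit)
    function to_bps(s) {
        if (s ~ /mbit$/) { sub(/mbit$/, "", s); return s * 1000000 }
        if (s ~ /kbit$/) { sub(/kbit$/, "", s); return s * 1000 }
        if (s ~ /bit$/)  { sub(/bit$/, "", s);  return s + 0 }
        return s + 0
    }
    $1 == "tc" && $2 == "class" && $3 == "add" {
        dev = ""; parent = ""; id = ""; rate = 0
        for (i = 4; i <= NF; i++) {
            if ($i == "dev")     dev = $(i + 1)
            if ($i == "parent")  parent = $(i + 1)
            if ($i == "classid") id = $(i + 1)
            if ($i == "rate")    rate = to_bps($(i + 1))
        }
        own[dev " " id] = rate            # guaranteed rate of this class
        kids[dev " " parent] += rate      # what the children of parent add up to
        order[++n] = dev " " id
    }
    END {
        for (j = 1; j <= n; j++) {
            k = order[j]
            if ((k in kids) && kids[k] > own[k])
                printf "%s: children want %d bit/s, parent has %d bit/s\n", k, kids[k], own[k]
        }
    }'
}

# Live use:  check_htb_rates < upload-shaper.sh

# Constructed excerpt of the upload tree from the thread (same numbers).
SAMPLE_SCRIPT='tc qdisc add dev eth1 root handle 2: htb default 50
tc class add dev eth1 parent 2: classid 2:1 htb rate 10mbit
tc class add dev eth1 parent 2:1 classid 2:11 htb rate 8mbit ceil 10mbit
tc class add dev eth1 parent 2:1 classid 2:12 htb rate 256kbit
tc class add dev eth1 parent 2:12 classid 2:10 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:20 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:30 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:40 htb rate 72kbit ceil 200kbit prio 7
tc class add dev eth1 parent 2:12 classid 2:50 htb rate 10kbit prio 7'
```

Run it over the sample and the only line printed is for 2:12, which is the class whose children are starving each other once one of them nears its ceil.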


Re: [LARTC] prio not seeming to work

2007-02-19 Thread Bob [EMAIL PROTECTED]


Flechsenhaar, Jon J wrote:

 Two questions
 
 1.)  When you type tc class ls dev ethx
   - Do you see that both ftp streams are flowing into their proper
 class; 1:1, 1:3?
 
 2.)  Are you sending enough traffic to reach the point of congestion on
 you link? 
   - If you're not then it will service all the traffic at the same
 rate.   

Hi John,

1. Hmm, I guess not:

[EMAIL PROTECTED] ~]# tc class ls dev eth0
class prio 1:1 parent 1:
class prio 1:2 parent 1:
class prio 1:3 parent 1:

Am I missing something in my short & sweet little script?  Again, it is:

tc qdisc add dev eth0 root handle 1: prio
tc filter add dev eth0 parent 1:0 prio 1 protocol ip u32 \
  match ip dst 208.0.0.0/8 flowid 1:1
tc filter add dev eth0 parent 1:0 prio 3 protocol ip u32 \
  match ip dst 0.0.0.0/0 flowid 1:3

2. I'm definitely saturating my 384k upstream.

Bob





[LARTC] Need big buffer!

2007-02-08 Thread Bob [EMAIL PROTECTED]
Hi gang,

I have an application that is sending streaming media to a server.  The encoder
computer sends an average of 200kbit stream; but for short, 1 second bursts, can
hit 400-500kbits.  After it does one of these bursts, it reduces its output for
another second or two, so that it maintains its average of 200kbits.

The problem is that it is sending UDP packets into a DSL link that has a fixed
upstream cap of 300kbit.  All is fine until it decides to burst, then I get
dropped packets.

Is there a way I can insert a linux box after the encoding machine that I can
use some traffic shaping to:

1. Make sure it never sends more than 300k up (I do know how to do this now)
2. Make a big buffer so that I can still get all the data through the pipe,
albeit with some delay, when these bursts happen.  I would need this buffer to
handle at least 2 seconds worth, maybe more.

I need something like this:

Time    IN      OUT
(secs)  (kbit)  (kbit)
----------------------
0.0     200     200
0.5     200     200
1.0     350     300
1.5     400     300
2.0     25      175
2.5     50      50
3.0     175     175
3.5     200     200


...etc...

Ideas?

Bob



Re: [LARTC] Need big buffer!

2007-02-08 Thread Bob [EMAIL PROTECTED]


Bob Puff wrote:

 
If you know how to do the 300k limit then using that same method add 
a queue depth to handle the difference on that class.
 
 
 How do I do that?  (sorry, newbie to tc)
 
 Bob

I've been trying to read up, and still not coming up with concrete info on
queue sizes.  Right now, my code for limiting to 300k is:

tc qdisc add dev eth0 root handle 1: htb default 21
tc class add dev eth0 parent 1: classid 1:1 htb rate 300kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb prio 0 rate 100kbit
tc class add dev eth0 parent 1:1 classid 1:21 htb prio 1 rate 100kbit ceil 300k

..with some matches for prioritizing other traffic into class 1:20.

I assume there is something I need to add to the first line, but everything
I've read about never mentions htb.

Bob

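
To size the queue Bob is asking about in both messages above, here is an added example (not from the thread): it replays the IN column of his table through the 300 kbit cap in 0.5 s steps, reproduces his OUT column, reports the largest backlog that builds up, and prints the tc line that attaches a byte-counted bfifo of that size (with a safety factor) to leaf class 1:21 of the HTB tree he posted. The queue depth lives in the qdisc attached to the leaf, not in the HTB class itself; the device name and the 2x factor are assumptions.

```shell
# Added example: derive the queue depth for a bursty 200 kbit/s average
# stream behind a 300 kbit/s cap. One "time in_kbit" line per 0.5 s step;
# this profile is the IN column of the table in the thread.
BURST_PROFILE='0.0 200
0.5 200
1.0 350
1.5 400
2.0 25
2.5 50
3.0 175
3.5 200'

# Replay a "time in_kbit" profile (stdin) through a cap. For each step print
# time, IN rate, OUT rate (kbit/s) and the bytes still queued after the step;
# the last line is the peak backlog in bytes.
simulate_queue() {   # usage: simulate_queue CAP_KBIT STEP_SECONDS
    awk -v cap="$1" -v step="$2" '
    BEGIN { backlog = 0; peak = 0 }
    NF < 2 || /^#/ { next }
    {
        avail = backlog + $2 * step                   # kbit waiting to go out
        sent  = (avail > cap * step) ? cap * step : avail
        backlog = avail - sent
        if (backlog > peak) peak = backlog
        printf "%.1f %d %d %d\n", $1, $2, sent / step, backlog * 1000 / 8
    }
    END { printf "peak_backlog_bytes %d\n", peak * 1000 / 8 }'
}

# Peak backlog of the profile above behind a 300 kbit/s cap.
peak_backlog() {
    printf '%s\n' "$BURST_PROFILE" | simulate_queue 300 0.5 \
        | awk '/^peak_backlog_bytes/ { print $2 }'
}

# Print the tc command that gives the bulk leaf 1:21 a byte-counted FIFO
# sized for the peak times a safety factor (2 lets a burst twice as long as
# the one in the table fit). Without an explicit qdisc the HTB leaf keeps a
# default pfifo whose limit is the interface txqueuelen, counted in packets.
bfifo_for_leaf() {   # usage: bfifo_for_leaf DEV PEAK_BYTES FACTOR
    echo "tc qdisc add dev $1 parent 1:21 handle 21: bfifo limit $(( $2 * $3 ))"
}

# e.g.  bfifo_for_leaf eth0 "$(peak_backlog)" 2
```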


Re: [LARTC] need help with tc filters

2007-02-08 Thread Bob [EMAIL PROTECTED]
Hi Jim,

Try something a little more simple:

tc qdisc del dev $IF root
tc qdisc add dev $IF root handle 1: htb default 11
tc class add dev $IF parent 1: classid 1:1 htb rate 384kbit
tc class add dev $IF parent 1:1 classid 1:10 htb prio 0 rate 384kbit burst 3k
tc class add dev $IF parent 1:1 classid 1:11 htb prio 3 rate 384kbit

# bulk ssh on port 20022 goes to 1:11: (low priority)
tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
   match ip sport 20022 0xffff flowid 1:11
tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
   match ip dport 20022 0xffff flowid 1:11

# ICMP goes fast:
tc filter add dev $IF parent 1:0 protocol ip prio 0 u32 \
   match ip protocol 1 0xff flowid 1:10

Some minor changes in numbers there.  Class 1:10 is fast, 1:11 is bulk.

Bob


Jim Lawson wrote:

 Hi,
 
 I am attempting to set up some simple outbound shaping following the
 LARTC HOWTO.
 
 The HTB qdisc seems to work as the documentation says, but my filters
 don't seem to be working.  All of the packets go to the default queue
 regardless of what filters I set, it seems.  (according to tc -s qdisc
 show)
 
 I am trying to get this working on my openwrt box (whiterussian rc6),
 but when testing it on my Debian etch box for comparison, I see the same
 behavior.
 
 I'm hoping someone can point out what I'm doing wrong with the filters...
 
 FYI: vlan1 is the outbound interface of my wrt54g.
 
 Script follows:
 
 IF=vlan1
 
 insmod cls_u32
 insmod sch_htb
 insmod sch_prio
 insmod sch_sfq
 
 #
 #  qdisc/class tree
 
 
 #   1:  root (HTB)  qdisc
 #   |
 #  1:10 class rate 384000bit
 #   |
 #  10:  prio qdisc
 #/  |  \
 #  10:1 |   10:3
 #  |  10:2|
 # 101:  | | sfq
 #  102:   | sfq
 #103:   sfq
 
 
 tc qdisc del dev $IF root
 
 tc qdisc add dev $IF root handle 1: htb default 10
 
 tc class add dev $IF parent 1: classid 1:10 htb rate 384kbit burst 3k
 
 # This automatically creates 10:1, 10:2, 10:3
 tc qdisc add dev $IF parent 1:10 handle 10: prio
 
 # Add sfq qdisc to each of the priority classes
 
 tc qdisc add dev $IF parent 10:1 handle 101: sfq
 
 tc qdisc add dev $IF parent 10:2 handle 102: sfq
 
 tc qdisc add dev $IF parent 10:3 handle 103: sfq
 
 # bulk ssh on port 20022 goes to 103: (low priority)
 tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
    match ip sport 20022 0xffff flowid 103:
 tc filter add dev $IF parent 1:0 protocol ip prio 1 u32 \
    match ip dport 20022 0xffff flowid 103:
 
 # ICMP goes fast?
 
 tc filter add dev $IF parent 1:0 protocol ip prio 2 u32 \
    match ip protocol 1 0xff flowid 101:
 
 
 
 


[LARTC] multipath device round robin not working?

2007-01-13 Thread [EMAIL PROTECTED]

Hi,

I have a linux server running kernel 2.6.19 that is connected with 2 
separate 100Mbit links to the same isp:



 +---------------+      +--------+
 |               |      |  ISP   |
 | eth0 ---------+------+        |      +-------------+
 | linux 2.6.19  |      | SWITCH +------+ ISP GATEWAY |
 | eth1 ---------+------+        |      +-------------+
 |               |      |        |
 +---------------+      +--------+

Both links have their own ip but have the same gateway. The problem is I 
can't seem to get egress traffic load balanced over the 2 nics.


IP config after boot (dhcp from isp)
ip a:

1: lo: LOOPBACK,UP,1 mtu 16436 qdisc noqueue
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 brd 127.255.255.255 scope host lo

2: eth0: BROADCAST,MULTICAST,NOTRAILERS,UP,1 mtu 1500 qdisc 
pfifo_fast qlen 1000

   link/ether 00:00:00:00:00:0f brd ff:ff:ff:ff:ff:ff
   inet 10.0.0.110/24 brd 10.0.0.255 scope global eth0

3: eth1: BROADCAST,MULTICAST,NOTRAILERS,UP,1 mtu 1500 qdisc 
pfifo_fast qlen 1000

   link/ether 00:00:00:00:00:ed brd ff:ff:ff:ff:ff:ff
   inet 10.0.0.120/24 brd 10.0.0.255 scope global eth1

Default routing table after boot
ip r:

10.0.0.0/24 dev eth0  scope link
10.0.0.0/24 dev eth1  scope link  metric 1
127.0.0.0/8 dev lo  scope link
default via 10.0.0.1 dev eth0
default via 10.0.0.1 dev eth1  metric 1

I enabled ip_forward and set arp_ignore to 1 for eth0 and eth1 to make 
sure the correct nic answers to arp requests.


I tried to get the egress load balancing to work by replacing the above 
two default routes with:


ip route add default mpath drr nexthop via 10.0.0.1 dev eth0 weight 1 
onlink nexthop via 10.0.0.1 dev eth1 weight 1 onlink


I assumed that with mpath device round robin both nics would be used 
more or less equally, but the reality is only one of the nics actually 
works and the second nic even stops responding to arp requests.


Am I doing something totally wrong or impossible here or is the device 
round robin code not working properly?



[LARTC] routing between two isp

2006-10-12 Thread [EMAIL PROTECTED]
I have three ethernet cards; two of them are connected to different ISPs and
have different gateways, and one ethernet card is connected to the local LAN. I
have installed iptables and configured the firewall to work as a NAT gateway
for the users.

Now I want to route only mail traffic to a particular ISP, which I am
not able to do. I have done the iproute configuration exactly as LARTC said,
but still I am able to access the internet only through one ISP.

Can someone tell me how I can load balance between two ISPs connected to a
single machine?

Thanks
Imthiyaz


mail2web - Check your email from the web at
http://mail2web.com/ .




[LARTC] Multivoip 3010

2006-10-07 Thread [EMAIL PROTECTED]
Has anyone configured a Multivoip 3010 with Asterisk? I am trying to configure
this box to work with asterisk.

Thanks
Imthiyaz






[LARTC] two isp issues

2006-09-27 Thread [EMAIL PROTECTED]
I am using three ethernet cards, eth0, eth1 and eth2; eth0 and eth2 are
connected to two different ISPs and eth1 is connected to the local LAN.

I am trying to route all the mail traffic to eth1 and I have followed the
lartc doc.

But it seems the solution does not work for me. Is there a way I could
connect two different ISPs in one linux box with different gateway addresses
and DNS?

Thanks
Imthiyaz










[LARTC] routing ssh to secondary uplink

2006-07-06 Thread [EMAIL PROTECTED]
Hello,
I'm following this HOWTO
http://linux-ip.net/html/adv-multi-internet.html to route outgoing SSH
from a secondary ISP. I can see using tcpdump,jnettop,iftop that when
one of the computers located in my internal network is trying to SSH to
a box online using SSH, packets are routed via the secondary internet
ethernet card. However, packets don't seem to know how to get back.

my script:
route add default gw 10.2.2.1
ip route add table 1 default via SECONDARYGW
iptables -t mangle -A PREROUTING -p tcp --dport 22 -s 192.168.1.0/24 -j
MARK --set-mark 1
iptables -t nat -A POSTROUTING -o eth1 -j  SNAT --to MYSECONDARYIP
iptables -t nat -A POSTROUTING -o $EXT_NIC -s 192.168.1.0/24 -j SNAT
--to MYPRIMARYIP
ip rule add fwmark 1 table 1
ip route flush cache

Sincerely,
-- 
[EMAIL PROTECTED] [EMAIL PROTECTED]



Re: [LARTC] routing ssh to secondary uplink

2006-07-06 Thread [EMAIL PROTECTED]
Hello,
That worked. thanks =)

On Thu, 2006-07-06 at 12:30 +0200, Torsten Luettgert wrote:
 On Do, 2006-07-06 at 09:49 +0300, [EMAIL PROTECTED] wrote:
  Hello,
  I'm following this HOWTO
  http://linux-ip.net/html/adv-multi-internet.html to route outgoing SSH
  from a secondary ISP. I can see using tcpdump,jnettop,iftop that when
  one of the computers located in my internal network is trying to SSH to
  a box online using SSH, packets are routed via the secondary internet
  ethernet card. However, packets don't seem to know how to get back.
 
 I understand the two uplinks have different ethernet interfaces.
 Did you disable rp_filter? Perhaps
 
 echo 0 > /proc/sys/net/ipv4/conf/(interface for ssh)/rp_filter
 
 would help. You can also use tcpdump on that interface to see if
 the return packets arrive at your box, and on the inner interface
 to see if they leave it.
 
 Regards,
 Torsten
 
 
-- 
[EMAIL PROTECTED] [EMAIL PROTECTED]



[LARTC] tc patched doesn't work with WFQ TOO

2006-05-10 Thread [EMAIL PROTECTED]
I have the same problem as Julien Bisconti.
Can someone help me?
I am trying to compile iproute2 for my target, a ppc 8260.
Thank you!



Re: [LARTC] linux bridging vlans?

2006-03-30 Thread [EMAIL PROTECTED]
Andraz Sraka wrote:
 but still no data is forwarded from one interface to another? Is there
 any sysctl stuff, that I need to set up like 'ip_forwarding' when doing
 routing? Is there something bridging parameter for forwarding or am I
 misconfigured things above?

I think that the bridge device doesn't support VLANs.
The attached patch could add that support (mind that I haven't compiled
nor tested the patch).
Let me know if it works.


-- 
**
Marco Innocenti  Gruppo Infrastruttura e Sicurezza
CINECA   phone:+39 0516171553 / fax:+39 0516132198
Via Magnanelli 6/3   e-mail: [EMAIL PROTECTED]
40033 Casalecchio di RenoBologna (Italia)
**
--- linux-source-2.6.16/net/bridge/br_device.c	2006-03-20 06:53:29.0 +0100
+++ linux-source-2.6.16/net/bridge/br_device.c.new	2006-03-30 10:53:25.0 +0200
@@ -186,5 +186,7 @@
 	dev-priv_flags = IFF_EBRIDGE;
 
  	dev-features = NETIF_F_SG | NETIF_F_FRAGLIST
- 		| NETIF_F_HIGHDMA | NETIF_F_TSO | NETIF_F_IP_CSUM;
+ 		| NETIF_F_HIGHDMA | NETIF_F_TSO | NETIF_F_IP_CSUM
+		| NETIF_F_HW_VLAN_FILTER | NETIF_F_HW_VLAN_RX 
+		| NETIF_F_HW_VLAN_TX | NETIF_F_VLAN_CHALLENGED;
 }
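Review bot: the four feature bits added on the `+` lines contradict one another: NETIF_F_VLAN_CHALLENGED declares that the device cannot carry VLAN-tagged frames at all, while NETIF_F_HW_VLAN_FILTER, NETIF_F_HW_VLAN_RX and NETIF_F_HW_VLAN_TX advertise hardware VLAN offload that the bridge device has no callbacks for; the hunk changes only dev->features and wires up no tag handling. With that combination the 8021q module refuses to create a VLAN on top of the bridge rather than letting it forward tagged frames. Suggest dropping all four bits from this hunk: a features mask alone cannot add VLAN support, so the change needs code in the bridge's frame handling plus the compile and test run that the message above says has not happened yet.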


Re: [LARTC] Htb queueing problem

2006-03-02 Thread [EMAIL PROTECTED]
Diego Andrés Asenjo Gonzalez ha scritto:
 Sorry, a typo  :p. You pointed out clearly the -o eth1 in the previous
 message. Really, it is the first time that I use -i or -o in a rule. One
 point is that the box is a bridge between a LAN and a router; eth0 is in
 the LAN and eth1 in the router. So, I thought I could omit the interface.

You have to use physdev on a bridge (-m physdev --physdev-out  eth1).


-- 
**
Marco Innocenti  Gruppo Infrastruttura e Sicurezza
CINECA   phone:+39 0516171553 / fax:+39 0516132198
Via Magnanelli 6/3   e-mail: [EMAIL PROTECTED]
40033 Casalecchio di RenoBologna (Italia)
**


Re: [LARTC] want to diffrentiate the traffic

2005-12-20 Thread [EMAIL PROTECTED]
ram ha scritto:
 I have huge traffic going to the internet
 at this moment I am using cisco to do QoS
 after reading lartc
 I would like to shift the setup to linux
 I have 45mb internet
 make 40mb for all traffic, and 5mb for voice
 if Voice not used 45 MB for Data
 any sample configuration, or example will be good to start with
 because its very high traffic .. so suggest me what server capacity I need
 in terms of CPU, RAM, HDD.. planning to Deploy on FC4

It's not a high volume of traffic. A PIII 1Ghz with 512MB ram should do
the work.


-- 
**
Marco Innocenti  Gruppo Infrastruttura e Sicurezza
CINECA   phone:+39 0516171553 / fax:+39 0516132198
Via Magnanelli 6/3   e-mail: [EMAIL PROTECTED]
40033 Casalecchio di RenoBologna (Italia)
**


Re: [LARTC] Consider r2q change

2005-10-20 Thread [EMAIL PROTECTED]
James Lista ha scritto:
 Buddies,
 
 When I run my HTB script it says the below message with dmesg
 what does that mean ?
 HTB: quantum of class 10001 is big. Consider r2q change.

The kernel calculates the quantum using rate / r2q (rate to quantum),
where r2q has a default value of 10. If the calculated value is less than
1000 then the quantum will have a value of 1000 and you get the message
you posted.
You should have a quantum value bigger than your MTU.


-- 
**
Marco Innocenti  Gruppo Infrastruttura e Sicurezza
CINECA   phone:+39 0516171553 / fax:+39 0516132198
Via Magnanelli 6/3   e-mail: [EMAIL PROTECTED]
40033 Casalecchio di RenoBologna (Italia)
**


Re: [LARTC] What is: Consider r2q change

2005-05-27 Thread [EMAIL PROTECTED]

Oliver Schulze L. ha scritto:

I'm getting this warning/error in /var/log/messages:
May 26 18:21:05 mail kernel: HTB: quantum of class 10010 is small. 
Consider r2q change.

Its a big deal? What should I do?


If I understand the source, that message occurs when you have a leaf 
class whose calculated quantum (rate/r2q) is less than 1000 bytes and the 
kernel sets the quantum to 1000 bytes.
I've read that the quantum should be bigger than the MTU, so I don't 
understand why the kernel doesn't use a minimum quantum value bigger than 
1500. Does someone have a clue?


From kernel-source-2.6.10/net/sched/sch_htb.c

if (!hopt->quantum && cl->un.leaf.quantum < 1000) {
    printk(KERN_WARNING "HTB: quantum of class %X is small. Consider r2q change.\n", cl->classid);
    cl->un.leaf.quantum = 1000;
}



--
**
Marco Innocenti  Gruppo Infrastruttura e Sicurezza
CINECA   phone:+39 0516171553 / fax:+39 0516132198
Via Magnanelli 6/3   e-mail: [EMAIL PROTECTED]
40033 Casalecchio di RenoBologna (Italia)
**
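
The arithmetic behind both the "is big" and the "is small" warning in the two threads above, as an added example (not code from the list): when a class is created without an explicit quantum, HTB takes the rate in bytes per second, divides it by the qdisc's r2q (default 10), clamps the result to 1000 when smaller (the source quoted above) and, by the matching branch in the same file, to 200000 when larger. The functions below reproduce that computation for one rate and r2q, and work out which r2q values keep every leaf's quantum between the MTU and the kernel maximum; when no single value does, the affected class needs an explicit quantum instead.

```shell
# Added example: HTB quantum arithmetic from sch_htb.c. Rates are tc-style
# strings (bit, kbit, mbit); quantum = rate_in_bytes_per_second / r2q.
HTB_QUANTUM_MIN=1000      # below this the kernel clamps: "quantum ... is small"
HTB_QUANTUM_MAX=200000    # above this the kernel clamps: "quantum ... is big"

rate_to_bytes() {   # "512kbit" -> bytes per second (integer)
    case "$1" in
        *mbit) echo $(( ${1%mbit} * 1000000 / 8 )) ;;
        *kbit) echo $(( ${1%kbit} * 1000 / 8 )) ;;
        *bit)  echo $(( ${1%bit} / 8 )) ;;
        *)     echo $(( $1 / 8 )) ;;           # bare number is bit/s, as in tc
    esac
}

# Print "quantum=<computed> effective=<after clamp> warning=<none|small|big>"
htb_quantum() {     # usage: htb_quantum RATE R2Q
    q=$(( $(rate_to_bytes "$1") / $2 ))
    if [ "$q" -lt "$HTB_QUANTUM_MIN" ]; then
        echo "quantum=$q effective=$HTB_QUANTUM_MIN warning=small"
    elif [ "$q" -gt "$HTB_QUANTUM_MAX" ]; then
        echo "quantum=$q effective=$HTB_QUANTUM_MAX warning=big"
    else
        echo "quantum=$q effective=$q warning=none"
    fi
}

# r2q belongs to the whole HTB qdisc, so one value has to suit every leaf.
# A quantum of at least MTU bytes and at most the kernel maximum needs
#   ceil(bytes / MAX) <= r2q <= floor(bytes / MTU)
# for each leaf rate. Prints "r2q=LO..HI" when the ranges intersect, or
# "no-r2q: ..." naming the rate at which they stop intersecting; that class
# (or the small ones) then needs an explicit "quantum" of at least the MTU.
suggest_r2q() {     # usage: suggest_r2q MTU LEAF_RATE [LEAF_RATE...]
    mtu=$1; shift
    lo=1; hi=1000000                       # search cap, well above any real r2q
    for rate in "$@"; do
        b=$(rate_to_bytes "$rate")
        rlo=$(( (b + HTB_QUANTUM_MAX - 1) / HTB_QUANTUM_MAX ))
        rhi=$(( b / mtu ))
        [ "$rlo" -gt "$lo" ] && lo=$rlo
        [ "$rhi" -lt "$hi" ] && hi=$rhi
        if [ "$rhi" -lt 1 ] || [ "$lo" -gt "$hi" ]; then
            echo "no-r2q: adding $rate leaves no r2q that fits all rates"
            return 1
        fi
    done
    echo "r2q=$lo..$hi"
}

# e.g.  htb_quantum 1kbit 10          -> the "is small" case from the thread
#       suggest_r2q 1500 2mbit 9500kbit
```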


Re: [LARTC] HTB statistics

2005-03-21 Thread [EMAIL PROTECTED]
Andy Furniss wrote:

  there is something I'm not able to understand about HTB statistics.
  Why does 'qdisc show' show how many packets are overlimits, but in the
  classes there are always 0 packets overlimits or dropped?

 Overlimits is more a kernel thing than useful as a traffic control 
 figure and tc qdisc -s .. shows the root 1: htb but tc -s class doesn't.
 You can see drops with tc -s class - but the default htb queue is too 
 long in this test. Add a specific queue to the class 1:10 so you can 
 specify length. eg.
 tc qdisc add dev eth0 parent 1:10 handle 10: bfifo limit 64k

Thank you for your reply. So there is not a way to know that a specific 
class is actually shaping the traffic without attaching a qdisc to each 
class?

--
**
Marco Innocenti  Gruppo Infrastruttura e Sicurezza
CINECA   phone:+39 0516171553 / fax:+39 0516132198
Via Magnanelli 6/3   e-mail: [EMAIL PROTECTED]
40033 Casalecchio di RenoBologna (Italia)
**


[LARTC] HTB statistics

2005-03-11 Thread [EMAIL PROTECTED]
Hi,
there is something I'm not able to understand about HTB statistics.
Why does 'qdisc show' show how many packets are overlimits, but in the
classes there are always 0 packets overlimits or dropped?
I try to explain with a simple example. I create an htb qdisc with only one 
class and then I send a lot of traffic.
pc-innocenti:~# tc qdisc add dev eth0 parent root handle 1: htb default 10
pc-innocenti:~# tc class add dev eth0 parent 1:1 classid 1:10 htb rate 1kbit ceil 1kbit quantum 2000

The qdisc show that there are packets overlimits:
pc-innocenti:~# tc -s -d qdisc show
qdisc htb 1: dev eth0 r2q 10 default 10 direct_packets_stat 1145 ver 3.17
 Sent 339419 bytes 1533 pkts (dropped 0, overlimits 402)
 backlog 370p
The class instead always show 0 packet overlimits or dropped.
pc-innocenti:~# tc -s -d class show dev eth0
class htb 1:10 root prio 0 quantum 2000 rate 1000bit ceil 1000bit burst
1600b/8 mpu 0b overhead 0b cburst 1600b/8 mpu 0b overhead 0b level 0
 Sent 66307 bytes 480 pkts (dropped 0, overlimits 0)
 rate 912bit backlog 448p
 lended: 32 borrowed: 0 giants: 0
 tokens: -13238252 ctokens: -13238252
--
**
Marco Innocenti  Gruppo Infrastruttura e Sicurezza
CINECA   phone:+39 0516171553 / fax:+39 0516132198
Via Magnanelli 6/3   e-mail: [EMAIL PROTECTED]
40033 Casalecchio di RenoBologna (Italia)
**


[LARTC] SNAT and multiply real addresses ?

2005-02-11 Thread [EMAIL PROTECTED]
hi, I have real networks on the eth0 side and a real network on the eth1 side. 

a.a.a.0/24
x.x.x.0/24  eth0--SNAT-box--eth1:0 y.y.y.2/24   y.y.y.1/24 ===INTERNET
z.z.z.0/24

I want to nat those behind eth0 to go out as y.y.y.0/24
(eth1 is with another address different gw and address, so that i'm using 
eth1:0 and separate ruletable)
I'm currently trying to do it this way:

ifconfig eth1:0 y.y.y.2 netmask 255.255.255.0
ip route add default via y.y.y.1 table eth10-net
ip rule add from x.x.x.0/24 lookup eth10-net
iptables -t nat -A POSTROUTING -s x.x.x.0/24 -j SNAT --to-source y.y.y.3-y.y.y.254

It doesn't seem to work. The problem is that the eth1 interface has y.y.y.2 but
not all the addresses I need to have on the eth1 interface... Probably I can set
~250 eth1 aliases, but this would be overkill.
?!?! Is there any other solution...!?!?
I can also do:
iptables -t nat -A POSTROUTING -s x.x.x.Z -j SNAT --to-source y.y.y.Z
and it works, but then again this is a one-IP scenario?

I don't have access to the y.y.y.1/24 device.




-
http://linuxtoday.com/news_story.php3?ltsn=2004-12-08-004-32-OS-BZ-DT-0005
snip MS Office is popular in the same way as heart disease is the most popular 
way to die.


Re: [LARTC] priorizing vlans in a bridge

2005-02-11 Thread [EMAIL PROTECTED]

Hi,

You should use eth0.1 and eth0.2 in your tc statements ...

ciao

charles


On Thu, 2005-02-10 at 23:05, [EMAIL PROTECTED] wrote:
 Hi, this is my Linux Box
 
   
LAN 1 -|--eth1 ---br1---eth0.1  |
   | \|
   |eth0--|- 802.1q tagged 1 Mbps link
   | /|
LAN 2 -|--eth2 ---br2---eth0.2  |
   
 
 I have to bridge the 2 LANs on the left side of the diagram with my Linux box
 running as a bridge. I have to tag the traffic of each LAN, so I created the 2
 VLAN interfaces on eth0 (tag 1 and tag 2).
 All works fine. But now I have to prioritize LAN1 traffic so it leaves the bridge
 before LAN2. Also I need to shape the traffic to the 1 Mbps link.
 
 I read about the prio qdisc but it honours the TOS field of the IP packets,
 and I don't want that unless it is really necessary.
 I read about the prio option of the htb qdisc and made some scripts, but they
 don't work as I expected.
 
 HTB script:
 
 tc qdisc add dev eth0 root handle 1: htb
 tc class add dev eth0 parent 1: classid 1:1 htb rate 1000kbit
 
 tc class add dev eth0 parent 1:1 classid 1:11 htb rate 500kbit ceil 1000kbit prio 1
 tc filter add dev eth0 parent 1: prio 1 protocol ip handle 1 fw classid 1:11
 iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 1
 
 tc class add dev eth0 parent 1:1 classid 1:12 htb rate 500kbit ceil 800kbit prio 2
 tc filter add dev eth0 parent 1: prio 1 protocol ip handle 2 fw classid 1:12
 iptables -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 2
 
 What do you suggest?
 Thanks in advance.


[LARTC] A question on the iproute default queues

2005-02-08 Thread Ioannis C Avramopoulos ([EMAIL PROTECTED])

Hi,

When iproute is installed, the default queue that it gives to an interface
is pfifo_fast. I would like to ask whether it is possible to disable this
feature and instead have the kernel give an interface by default the queue
that it would get if iproute hadn't been installed. I want to be able to
customize the queue with tc only when it is necessary. Is this possible?

Regards,
Yannis



Re: [LARTC] bandwidth for each individual IP

2005-02-03 Thread [EMAIL PROTECTED]
Ionut Gogu wrote:
Hello!
I'm using a Slackware Linux as a router and 50 IP addresses for my
LAN clients.
 Is there any program I can install that will be able to tell me:
  how much (i.e. kbps) each individual IP is using at moment t?
salut, :)
you can use tcptrack; it supports libpcap expressions, as I am sure iftop
does too, as I see it is based on libpcap; never tested it although ... but
preparing to ... :)
tcptrack is a robust application, responds very quickly to kernel load
from network traffic; I'm using it myself for network monitoring and audit
for more than 62 workstations; libpcap expression filtering is less
complicated than tcpdump-based ones; in other words, looks good, works good.

http://www.rhythm.cx/~steve/devel/tcptrack/


Re: [LARTC] iproute-save ?

2005-01-28 Thread [EMAIL PROTECTED]
that is the hard part: to make it not mess with the normal if-up/down scripts
and the routes they add...
I have a lot of manual routes and rules which are not easily handled,
especially when I add other boxes which also happen to have different
routes.
If I can figure out the format of the default ip-up/down routes I can
skip them with a regex..
will have to look..


|I think it doesn't sound elegant; the routing system strictly depends on the 
|availability of interfaces, so setting up routes should be done in the if-up 
|and if-down scripts. For example, if you unplug a NIC before booting the 
|computer, do you want the route for that NIC to be set up? And sometimes 
|you may need to bring down a NIC - then the kernel will delete your 
|routes automatically; if you have a nice if-up script, the routes will 
|be recovered when you bring it up. An init.d script can't do it.
|If you still want an init.d script, go ahead and write your own script; 
|it's rather easy to save state and restore on boot, but I guess you 
|may want things to be done right instead of a messy solution.
|
|[EMAIL PROTECTED] wrote:
|
|Does anyone know of an iproute-save / iproute-restore-like script, similar to 
|iptables-save/restore,
|that stores everything: routes, rules, tables, everything ... 
|then an init.d script that among other things stores the state on shutdown :) 
|(that's easy then)
|  
|
|




[LARTC] iproute-save ?

2005-01-27 Thread [EMAIL PROTECTED]
Does anyone know of an iproute-save / iproute-restore-like script, similar to
iptables-save/restore,
that stores everything: routes, rules, tables, everything ...
then an init.d script that among other things stores the state on shutdown :)
(that's easy then)




[LARTC] Determing the pfifo backlog

2005-01-22 Thread Ioannis C Avramopoulos ([EMAIL PROTECTED])

Greetings --

in the Linux Advanced Routing & Traffic Control HOWTO,
chapter 14.1 on bfifo/pfifo, it says that
"you can use this qdisc to determine the backlog on your interface."
But it does not say exactly how.

The command [#tc -s qdisc ls] outputs the number of packets sent so far
but it does not output any info about the backlog.

My first question is whether a command exists that provides info
about the backlog.

My second question is whether a system call exists that provides this
info. I would like to be able to query the backlog in real time,
and invoking the shell on each such query sounds like a lot of overhead.

Kind regards,
Yannis

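An added example, not code from any of the posts, that serves both Marco's qdisc-versus-class counters quoted earlier and Yannis's first question here: a POSIX sh/awk parser for the counters that `tc -s` prints (tc itself reads them over rtnetlink; the shell fork is the only overhead a script like this adds). The function names are my own and the sample input is constructed, modelled on the output quoted earlier in this archive plus one made-up qdisc in the newer output format.

```shell
#!/bin/sh
# Added example (not from the list posts): pull the per-object counters out of
# `tc -s` text so the backlog can be watched from a script instead of by eye.
# Helper names are made up here; the sample input below is constructed,
# modelled on the `tc -s -d` output quoted earlier in this archive.

# tc_stats_parse: read `tc -s qdisc show` or `tc -s class show` output on stdin
# and print one line per object:
#   kind handle sent_bytes sent_pkts dropped overlimits backlog_pkts
tc_stats_parse() {
    awk '
    function flush() {
        if (kind != "")
            printf "%s %s %s %s %s %s %s\n", kind, handle, bytes, pkts, dropped, over, backlog
        kind = ""; bytes = pkts = dropped = over = "-"; backlog = 0
    }
    BEGIN { flush() }
    /^(qdisc|class) / {
        # first line of the next object: emit the previous one, keep kind and handle
        flush(); kind = $1; handle = $3
    }
    / Sent / {
        # old tc:   " Sent 339419 bytes 1533 pkts (dropped 0, overlimits 402)"
        # newer tc: " Sent N bytes M pkt (dropped D, overlimits O requeues R)"
        for (i = 1; i <= NF; i++) {
            if ($i == "Sent")       bytes = $(i + 1)
            if ($i == "bytes")      pkts = $(i + 1)
            if ($i == "(dropped")   { dropped = $(i + 1); sub(/,$/, "", dropped) }
            if ($i == "overlimits") { over = $(i + 1); sub(/[,)]$/, "", over) }
        }
    }
    / backlog / {
        # old tc prints "backlog 370p"; newer prints "backlog 1234b 370p" (bytes, packets)
        for (i = 1; i <= NF; i++) {
            if ($i != "backlog") continue
            for (j = i + 1; j <= NF; j++)
                if ($j ~ /^[0-9]+p$/) { backlog = $j; sub(/p$/, "", backlog); break }
        }
    }
    END { flush() }
    '
}

# tc_backlog_watch DEV [SECONDS]: poll the live qdisc counters on DEV (needs tc)
tc_backlog_watch() {
    while :; do
        tc -s qdisc show dev "$1" | tc_stats_parse | sed "s/^/$(date +%T) /"
        sleep "${2:-1}"
    done
}

# Constructed sample: the htb qdisc/class pair quoted earlier in this archive
# (the qdisc reports 402 overlimits, the class none), concatenated with one
# made-up pfifo qdisc printed in the newer tc output format.
SAMPLE_TC_OUTPUT='qdisc htb 1: dev eth0 r2q 10 default 10 direct_packets_stat 1145 ver 3.17
 Sent 339419 bytes 1533 pkts (dropped 0, overlimits 402)
 backlog 370p
class htb 1:10 root prio 0 quantum 2000 rate 1000bit ceil 1000bit burst 1600b/8 level 0
 Sent 66307 bytes 480 pkts (dropped 0, overlimits 0)
 rate 912bit backlog 448p
 lended: 32 borrowed: 0 giants: 0
 tokens: -13238252 ctokens: -13238252
qdisc pfifo 8001: dev eth1 root refcnt 2 limit 1000p
 Sent 12345 bytes 100 pkt (dropped 3, overlimits 0 requeues 0)
 backlog 4500b 3p requeues 0'

# tc_sample_stats: run the parser over the constructed sample
tc_sample_stats() { printf '%s\n' "$SAMPLE_TC_OUTPUT" | tc_stats_parse; }

tc_sample_stats
```

On a real host, `tc_backlog_watch eth0 2` prints the same columns every two seconds, which makes a growing backlog on a class that never reports overlimits (as in Marco's output) easy to spot.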


Re: [LARTC] tc filter for vlan id?

2004-12-20 Thread [EMAIL PROTECTED]
hi wolfgang,

yes you can ...

setup an iptables rule to mark packets depending on the interface --
eth0.1 == 0x1
eth0.2 == 0x2

you can then setup a traffic policy based on the marked packets.

cheers

charles

On Sun, 2004-11-28 at 13:12, Wolfgang Schmid wrote:
 Hello
  
 I want to use VLANs in my network and I would like to know if I can
 filter on VLAN IDs to do traffic shaping?
 Anybody who has experience with such things?
  
 best regards
  
 Wolfgang




[LARTC] ip_conntrack value not correct !

2004-12-19 Thread [EMAIL PROTECTED]
It seems that the value of net.ipv4.ip_conntrack_max has not so much to do with
the conntrack count, because when I measure the current number of connections, i.e.:

wc -l /proc/net/ip_conntrack
it shows ~20-30 000 connections, but I set

sysctl -w net.ipv4.ip_conntrack_max=15

and packets get dropped; I have to set it to a value above 200 000
so that packets are not dropped ?!!

Any idea why that is? And what is the real correspondence between these
values, so that I can set the correct value in advance and not wait until
packets start to drop !!


tia


[LARTC] Multiply targets ?

2004-12-19 Thread [EMAIL PROTECTED]
hi,

I have two situations where I need two targets in one rule ...
First one:

iptables -N syn-flood
iptables -A syn-flood -m limit --limit ${synConns} --limit-burst ${synBurst} -j RETURN
iptables -A syn-flood -j DROP

iptables -A protect -p tcp --syn -j syn-flood

Now I want to be able to say:

iptables -A syn-flood -m limit --limit ${synConns} --limit-burst ${synBurst} -j LOG --log-prefix Synflood -j RETURN

i.e. I want to return and log the event of SYN flooding. Next I want
this rule to be able to handle per-IP SYN floods automatically,
not globally as it is now. How do you do this?!!
And as a side effect see which one is the flooder in the syslog..

The next thing I want to do is instead :

iptables -A FORWARD -t mangle -s x.x.x.0/24 -j MARK --set-mark 7

I want it to act like this :

iptables -A FORWARD -t mangle -s x.x.x.0/24 -j MARK --set-mark 7 -j RETURN

i.e. mark and return, because I have hundreds of such rules and it is useless to
scan them all for all packets.


tia
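An added example, not the poster's script, for both requests above: an iptables rule carries exactly one target, so "log and return" becomes two rules inside the user chain, the per-source budget comes from the hashlimit match (srcip mode) instead of the global limit match, and the mark-then-stop case uses a mangle chain ending in ACCEPT. The chain names protect and syn-flood follow the post; the rates, the example subnet and the dry-run wrapper ipt() are my own.

```shell
#!/bin/sh
# Added example (not the poster's script). Chain names follow the post; the
# rates, the subnet and the ipt() wrapper are made up here.
# With DRYRUN=1 (the default) the rules are printed for review instead of
# being applied; run with DRYRUN=0 as root to install them.

IPT=${IPT:-iptables}
DRYRUN=${DRYRUN:-1}
SYN_RATE=${SYN_RATE:-20/second}   # constructed per-source SYN budget
SYN_BURST=${SYN_BURST:-50}
LOG_RATE=${LOG_RATE:-6/minute}    # so a flood cannot also flood syslog

ipt() {
    if [ "$DRYRUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# synflood_rules: per-source SYN limiting with logging of the offender.
# A rule has exactly one target, so "log and return" is split into rules.
synflood_rules() {
    ipt -N syn-flood
    # Within budget: hashlimit keeps one token bucket per source IP (srcip mode),
    # so one flooder does not consume the budget of everyone else.
    ipt -A syn-flood -m hashlimit --hashlimit-name syn-flood \
        --hashlimit-mode srcip --hashlimit-upto "$SYN_RATE" \
        --hashlimit-burst "$SYN_BURST" -j RETURN
    # Over budget: LOG is non-terminating, so the packet goes on to the DROP
    # below; the log line carries the source address of the flooder.
    ipt -A syn-flood -m limit --limit "$LOG_RATE" -j LOG --log-prefix "synflood:"
    ipt -A syn-flood -j DROP
    # Hook it in as in the post (the protect chain is assumed to exist).
    ipt -A protect -p tcp --syn -j syn-flood
}

# mark_and_stop NET MARK: the second request in the post. MARK is also
# non-terminating, so it gets its own mangle chain followed by ACCEPT, which
# ends the mangle table traversal for that packet (RETURN would only come back
# to FORWARD and the remaining marking rules would still be scanned).
# The filter table still sees the packet afterwards.
mark_and_stop() {
    net=$1; mark=$2; chain="mark-$mark"
    ipt -t mangle -N "$chain" 2>/dev/null || true   # may already exist
    ipt -t mangle -A "$chain" -j MARK --set-mark "$mark"
    ipt -t mangle -A "$chain" -j ACCEPT
    ipt -t mangle -A FORWARD -s "$net" -j "$chain"
}

synflood_rules
mark_and_stop 192.0.2.0/24 7   # constructed example subnet (TEST-NET-1)
```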


Re: [LARTC] interesting expert problem - shaping over VPN

2004-12-19 Thread [EMAIL PROTECTED]
hi trevor,

well, if you're controlling what's going over the vpn then there are
several options:

i've been playing with racoon lately (well, longer than with freeswan) so
i'm not so sure with ipsec, but ... it appears that the meta-data (i.e.
packet marking) is preserved on packets that have not yet been encrypted
but are going to be.

as a general strategy, i would mark packets with different marks
depending on what the payload is -- maybe something like 0x1 for voice,
0x2 for smtp, etc.

then use these marks on the public interface to egress them towards the
internet in the highest priority.

mark the inbound packets coming off the internet (once they've been
decrypted) and place them in highest priority (depending on their type)

this wouldn't be too bad -- in fact it's about all you can do.

Alternatively, and with more complexity, open up several tunnels with
different spi's -- pass traffic into tunnel by type -- this would allow
you to know what an encrypted packet was carrying without having to
decrypt it. cool, but i'm not sure that it would help much.

anyone else done this??? tcng files are great (hint :-)

cheers

charles



[LARTC] alot of traffic over pppoe ?

2004-11-23 Thread [EMAIL PROTECTED]
hi

I was wondering, is pppoe scalable enough to support Gbps speeds, or at least
tens or hundreds of Mbps?
From the docs I read it seems that after the user is authenticated over pppoe the client
traffic still passes over the ppp channel
from
 pppoe-client --- pppoe-server --- Internet
instead of
 pppoe-client --- Internet

Am I correct with this assumption?
From this I conclude that the maximum traffic is the amount the server will be able
to handle,
and not so dependent on the Layer 2 network capabilities..

So is there something I'm missing here?

tia


[LARTC] Help me please

2004-11-04 Thread [EMAIL PROTECTED]
Hi,
   I'm testing MPLS QoS on Linux. I've found the tequila project, but every time
I try to send mail to its mailing list, it fails and I receive a mail that
advises me its address has a fatal error. Could you tell me something about it?
Is there any project about MPLS QoS (in particular MPLS TE features)?
Which is its URL?
Thanks in advance for the help






[LARTC] building module with tcng

2004-10-04 Thread [EMAIL PROTECTED]
hi all,

i'm having problems building a module from my tcng configuration file.
could someone verify the syntax for building a kernel module?

i did it as shown below ... module gets built but i cannot load it.


thanks

charles

ps -- sorry, don't know c++ :-)





[root]# cat /etc/tcng.test

#define LAN eth0
#define LAN_INGRESS 75
#define LAN_EGRESS 75
 
dev LAN {
    egress {
        class ( $adsl_high ) if 1;

        htb ( ) {
            class ( rate LAN_EGRESS kbps, ceil LAN_EGRESS kbps ) {
                $adsl_high = class ( prio 1, rate LAN_EGRESS kbps, burst 6kB,
                                     ceil LAN_EGRESS kbps ) { sfq ( perturb 10 sec ); };
            }
        }
    }
}

[root]# tcc -t c  /etc/tcng.test
 
#  Device eth0

 
tc qdisc add dev eth0 handle 1:0 root dsmark indices 2 default_index 0
tc qdisc add dev eth0 handle 2:0 parent 1:0 htb
tc class add dev eth0 parent 2:0 classid 2:1 htb rate 9375bps ceil 9375bps
tc class add dev eth0 parent 2:1 classid 2:2 htb rate 9375bps ceil 9375bps burst 6144 prio 1
tc qdisc add dev eth0 handle 3:0 parent 2:2 sfq perturb 10
tc filter add dev eth0 parent 2:0 protocol all prio 1 tcindex mask 0x1 shift 0
tc filter add dev eth0 parent 2:0 protocol all prio 1 handle 1 tcindex classid 2:2
insmod cls__c010151.o
tc filter add dev eth0 parent 1:0 protocol all prio 1 _c010151


[root]# tc qdisc add dev eth0 handle 1:0 root dsmark indices 2 default_index 0
[root]# tc qdisc add dev eth0 handle 2:0 parent 1:0 htb
[root]# tc class add dev eth0 parent 2:0 classid 2:1 htb rate 9375bps ceil 9375bps
[root]# tc class add dev eth0 parent 2:1 classid 2:2 htb rate 9375bps ceil 9375bps burst 6144 prio 1
[root]# tc qdisc add dev eth0 handle 3:0 parent 2:2 sfq perturb 10
[root]# tc filter add dev eth0 parent 2:0 protocol all prio 1 tcindex mask 0x1 shift 0
[root]# tc filter add dev eth0 parent 2:0 protocol all prio 1 handle 1 tcindex classid 2:2
[root]# insmod cls__c010151.o
cls__c010151.o: ELF file cls__c010151.o not a relocatable object
[root]# tc filter add dev eth0 parent 1:0 protocol all prio 1 _c01015
RTNETLINK answers: Invalid argument





[LARTC] unsubscribe

2004-10-01 Thread [EMAIL PROTECTED]
On 2004-10-01 07:11, user [EMAIL PROTECTED] wrote:
Message: 1
From: Jason Boxman [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Organization: The Vortex
To: [EMAIL PROTECTED]
Subject: Re: [LARTC] tc monitoring
Date: Thu, 30 Sep 2004 10:37:52 -0400
On Thursday 30 September 2004 09:06, Andreas Klauer wrote:
snip
 

Ah, sorry, I've never used GRED before, and I wanted to avoid
QDisc-specific parsing as much as possible. The tc command really isn't
suited for this kind of application. I really wish there was a library
with a decent API that lets you access this data directly. Parsing tc
output is just a bad hack. ;)
   

There are also SNMP extensions for QoS.
http://x-ray.prokon.cz/data/snmp/downloads/
 



Re: [LARTC] interesting expert problem - shaping over VPN

2004-09-26 Thread [EMAIL PROTECTED]
whoops,

oh yea -- ipsec and that whole eth0 thingy :-/   no wakeup on sundays.

are you running your tunnel exclusively for voice, or are there other
protocols as well ( i.e. contention).

cheers

c


On Sun, 2004-09-26 at 11:36, Trevor Cordes wrote:
 On 26 Sep, [EMAIL PROTECTED] wrote:
  hi trevor,
  
  perhaps others can chime in on their experiences and configs that have
  shown promise for voip.
 
 OK, I'll keep watching/posting.
 
  i would think that you would want to egress on both interfaces to insure
  that the packets you want pass first. i thought that you had both
  already.
 
 I have egress on ipsec0 and ppp0 but not eth0.  It's actually 3
 interfaces total, which is why I hate PPPoE... it's so over complicated.



Re: [LARTC] interesting expert problem - shaping over VPN

2004-09-24 Thread [EMAIL PROTECTED]
hi trevor,

On Fri, 2004-09-24 at 05:44, Trevor Cordes wrote:
 On 18 Sep, [EMAIL PROTECTED] wrote:
  hi,
  
  there was a thread on this recently -- please search the archives for
  
  traffic queueing and ipsec vpn
 
 Ya, I had seen that.  I just reread the thread and it doesn't really
 help me with my problem.  It's all conceptual with no specifics, and the
 concepts appear to agree with my knowledge and current configuration
 attempt.
 
 The only thing that puzzles me a bit is this talk of INGRESS and EGRESS,
 which I don't recall being in the HOWTOs and I'm not really sure of
 what significance they are.
basically, ingress is more difficult to control and to granularly
regulate traffic as we have no control over what's coming in and in what
order. i have seen studies that indicate RED as an effective way of
handling ingress.
 I just wish I could be sure that that really is the case as I feel like
 I'm real close to a solution.  The filtering is working great, passing
 packets into the proper QDISC.  It just doesn't appear to help the VoIP
 at all.
 
 Of course, it doesn't help that there's that kernel panic bug in HTB
 into ipsec (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130172)
 
 Thanks for your help.
egress on the other hand is completely under your control as you select
in what order and with what speed packets are dequeued to the hardware.
in slowing packets to be dequeued, tcp's AIMD comes into play --
Additive Increase Multiplicative Decrease, that is, tcp ramps up speed
until a packet is lost or until an ACK takes longer than the congestion
window. at that time, tcp multiplicatively decreases speed (cuts it in
half) and then starts to ramp up again until such time as tcp feels that
it has obtained optimum throughput.


 I'm starting to think perhaps my problem is not necessarily in shaping
 stuff into the VPN, it's shaping everything out over the ADSL
 connection.  I read somewhere that a 128k upload ADSL connection will
 take 40ms to transmit a max-size packet.  So shaping becomes pointless
 if 40ms is too long for the VoIP to handle as a delay.
i think that you may be getting a bit confused -- in a simple lan/adsl
environment, there are two ingresses and egresses: ingress coming in on
ppp0 for example, and egress leaving eth0 towards the lan. similarly,
there is ingress on eth0 as packets come in from the lan, and egress on
ppp0 as packets are dequeued towards the adsl. i think that you should
try placing egress on your ppp0 to classify packets and priorities in
such a way that they are dequeued in a manner that corresponds with your
needs.

snip

cheers

charles



RE: [LARTC] traffic queueing and ipsec vpn

2004-09-04 Thread [EMAIL PROTECTED]
hi alexis,

it's been a while since i did this modification to the kptd.

the diagram assumes that this is a linux box doing a vpn tunnel(s). let's
assume that eth0 is facing the lan and eth1 is facing the internet and
that eth1 has one or more ipsec interfaces.

a packet from the lan comes in on eth0 and is destined to a lan via an
ipsec tunnel. i *believe* that before the routing decision is made, the
ipsec process changes the interface to the appropriate ipsecX interface
name.

the packet, as it is not destined for this local machine, passes thru
FORWARD, POSTROUTING, and then EGRESS. ipsec encrypts the packet and the
new esp packet is repassed thru POSTROUTING and EGRESS and is dequeued
to the hardware.

if i am not mistaken, meta data from the unencrypted packet is
preserved, that is, you may mark the packet in POSTROUTING and then
use that mark to make a QOS EGRESS decision on the ESP packet. i'll
have to check this again, but i don't have a bunch of time at the
moment.

now, assume an esp packet arrives on eth1 addressed to this box because
it is at the end of the tunnel. the esp packet passes PREROUTING,
INGRESS, and passes INPUT as it is addressed to this machine. after INPUT,
ipsec decrypts the packet and it is passed thru PREROUTING, INGRESS,
FORWARD (as it is destined now for a machine on the lan), POSTROUTING,
EGRESS and dequeued to the hardware.

cheers

charles


On Fri, 2004-09-03 at 22:16, Alexis wrote:
 Thank you very much for the quick answer.
 
 Let me ask you a question about it so I can save time. Analyzing this ASCII
 I can see after QoS ingress and before input routing a statement that says
 "if dst ip via ipsec put on ipsecX interface"
 
 Ok, this is my basic schema
 
 LAN  |ethX| linuxbox |ethZ|  IPSEC VPN
 
 This means all the LAN traffic that reaches the linuxbox is forwarded from
 ethX to ethZ and then via ipsec reaches its destination.
 
 
 As I've never configured an ipsec vpn using linux yet (only used cisco and
 nortel) my question is:
 
 "if dst ip via ipsec put on ipsecX interface" - this means that I'll have an
 ipsecX interface and I need to set the queues on this interface? Or do I need
 to set up my queues on ethZ?
 
 Thanks in advance.
 
 Ps: I'll configure the ipsec vpn using kernel 2.6
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 behalf of [EMAIL PROTECTED]
 Sent: Friday, 03 September 2004 16:32
 To: Alexis; LARTC list
 Subject: Re: [LARTC] traffic queueing and ipsec vpn
 
 hi alexis,
 
 i -- THINK -- that this is how it happens.
 
 cheers
 
 charles
 
 
 On Fri, 2004-09-03 at 20:12, Alexis wrote:
  Hi all, I've been reading the lartc howto, I'm new to traffic 
  shaping/policing.
   
  As far as I read (chapter 9 complete) I saw that first the packet passes 
  at the ingress qdisc, then it passes to the ip stack if the packet is 
  directed to the box or it's forwarded (my case), then it falls to 
  the egress classifier/s.
   
  Now, I understand if I have an ipsec vpn at the outside interface, the 
  egress classifiers will act before the packet leaves the kernel and 
  enters the vpn tunnel, is this correct?
   
  Here's my situation: I have a headquarters box that is a database 
  (to call it with a name) and then a lot of branches that send queries 
  to this database and based on the results, the branches send packets 
  to other branches through some established IPSEC tunnels. So, hq is the 
  route database, and the branches send voice traffic to other branches.
   
  Now I have to set traffic shaping and manage the bandwidth for 
  signaling and for voice flows (rtp flows). So I need to be sure 
  that I can classify the packets at the outside interface before they 
  enter the vpn tunnel.
   
  is this correct?
   
   
  Thanks in advance.
   
   
  --
  Alexis



RE: [LARTC] traffic queueing and ipsec vpn

2004-09-04 Thread [EMAIL PROTECTED]
hi alexis,

please do -- i'd like to see just how far off i am :-)

i've been just playing around with racoon instead of freeswan --
totally different animal ...

cheers

charles
On Sat, 2004-09-04 at 16:39, Alexis wrote:
 Thanks again, this is _really_ enough info, I'll do a lab and test this, I
 think this is the best way to realize how this works.
 
 Best regards.
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 behalf of [EMAIL PROTECTED]
 Sent: Saturday, 04 September 2004 5:15
 To: LARTC list
 Subject: RE: [LARTC] traffic queueing and ipsec vpn
 
 hi alexis,
 
 it's been a while since i did this modification to the kptd.
 
 the diagram assumes that this is a linux box doing a vpn tunnel(s). let's assume
 that eth0 is facing the lan and eth1 is facing the internet and that eth1
 has one or more ipsec interfaces.
 
 a packet from the lan comes in on eth0 and is destined to a lan via an ipsec
 tunnel. i *believe* that before the routing decision is made, the ipsec
 process changes the interface to the appropriate ipsecX interface name. 
 
 the packet, as it is not destined for this local machine, passes thru FORWARD,
 POSTROUTING, and then EGRESS. ipsec encrypts the packet and the new esp
 packet is repassed thru POSTROUTING and EGRESS and is dequeued to the
 hardware.
 
 if i am not mistaken, meta data from the unencrypted packet is preserved,
 that is, you may mark the packet in POSTROUTING and then use that mark
 to make a QOS EGRESS decision on the ESP packet. i'll have to check this
 again, but i don't have a bunch of time at the moment.
 
 now, assume an esp packet arrives on eth1 addressed to this box because it
 is at the end of the tunnel. the esp packet passes PREROUTING, INGRESS, and
 passes INPUT as it is addressed to this machine. after INPUT, ipsec decrypts
 the packet and it is passed thru PREROUTING, INGRESS, FORWARD (as it is
 destined now for a machine on the lan), POSTROUTING, EGRESS and dequeued to
 the hardware.
 
 cheers
 
 charles
 
 
 On Fri, 2004-09-03 at 22:16, Alexis wrote:
  Thank you very much for the quick answer.
  
  Let me ask you a question about it so I can save time. Analyzing this 
  ASCII I can see after QoS ingress and before input routing a statement 
  that says "if dst ip via ipsec put on ipsecX interface"
  
  Ok, this is my basic schema
  
  LAN  |ethX| linuxbox |ethZ|  IPSEC VPN
  
  This means all the LAN traffic that reaches the linuxbox is forwarded 
  from ethX to ethZ and then via ipsec reaches its destination.
  
  
  As I've never configured an ipsec vpn using linux yet (only used cisco 
  and
  nortel) my question is:
  
  "if dst ip via ipsec put on ipsecX interface" - this means that I'll 
  have an ipsecX interface and I need to set the queues on this 
  interface? Or do I need to set up my queues on ethZ?
  
  Thanks in advance.
  
  Ps: I'll configure the ipsec vpn using kernel 2.6
  
  
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On behalf of [EMAIL PROTECTED] Sent: Friday, 03 
  September 2004 16:32
  To: Alexis; LARTC list
  Subject: Re: [LARTC] traffic queueing and ipsec vpn
  
  hi alexis,
  
  i -- THINK -- that this is how it happens.
  
  cheers
  
  charles
  
  
  On Fri, 2004-09-03 at 20:12, Alexis wrote:
   Hi all, I've been reading the lartc howto, I'm new to traffic 
   shaping/policing.

   As far as I read (chapter 9 complete) I saw that first the packet 
   passes at the ingress qdisc, then it passes to the ip stack if the 
   packet is directed to the box or it's forwarded (my case), then it 
   falls to the egress classifier/s.

   Now, I understand if I have an ipsec vpn at the outside interface, 
   the egress classifiers will act before the packet leaves the kernel 
   and enters the vpn tunnel, is this correct?

   Here's my situation: I have a headquarters box that is a database 
   (to call it with a name) and then a lot of branches that send 
   queries to this database and based on the results, the branches send 
   packets to other branches through some established IPSEC tunnels. So, 
   hq is the route database, and the branches send voice traffic to other
   branches.

   Now I have to set traffic shaping and manage the bandwidth for 
   signaling and for voice flows (rtp flows). So I need to be sure 
   that I can classify the packets at the outside interface before they 
   enter the vpn tunnel.

   is this correct?


   Thanks in advance.


   --
   Alexis
 


Re: [LARTC] traffic queueing and ipsec vpn

2004-09-03 Thread [EMAIL PROTECTED]
hi alexis,

i -- THINK -- that this is how it happens.

cheers

charles


On Fri, 2004-09-03 at 20:12, Alexis wrote:
 Hi all, I've been reading the lartc howto, I'm new to traffic
 shaping/policing.
  
 As far as I read (chapter 9 complete) I saw that first the packet passes
 at the ingress qdisc, then it passes to the ip stack if the packet is
 directed to the box or it's forwarded (my case), then it falls to
 the egress classifier/s.
  
 Now, I understand if I have an ipsec vpn at the outside interface, the
 egress classifiers will act before the packet leaves the kernel and
 enters the vpn tunnel, is this correct?
  
 Here's my situation: I have a headquarters box that is a database
 (to call it with a name) and then a lot of branches that send queries
 to this database and based on the results, the branches send packets
 to other branches through some established IPSEC tunnels. So, hq is the
 route database, and the branches send voice traffic to other branches.
  
 Now I have to set traffic shaping and manage the bandwidth for
 signaling and for voice flows (rtp flows). So I need to be sure
 that I can classify the packets at the outside interface before they
 enter the vpn tunnel.
  
 is this correct?
  
  
 Thanks in advance.
  
  
 --
 Alexis
[Attachment: "Kernel Packet Traveling Diagram" from docum.org (ASCII art, garbled beyond repair in this archive). Labels still recoverable, in path order: Network; IPCHAINS INPUT / IPTABLES PREROUTING (conntrack, mangle = MARK WRITE, IMQ, nat = DEST REWRITE: DNAT or REDIRECT or DE-MASQUERADE); QOS INGRESS; "if dst ip via ipsec put on ipsecX interface"; ROUTING: packet is for this machine -> IPTABLES INPUT (mangle, filter) -> Local Process -> OUTPUT ROUTING -> IPTABLES OUTPUT; packet is for another address -> IPCHAINS FORWARD / IPTABLES FORWARD (mangle = MARK WRITE, filter); an esp packet for this machine is decrypted and sent back to iptables prerouting.]

Re: [LARTC] ARP limit ?

2004-08-12 Thread [EMAIL PROTECTED]
from make config -- arpd -- help:

 This code is experimental and also obsolete.

2.4.22
That is why I try to use bigger gc_*
thanx for the links.. reading now..


 Hello,
 
  yep, i'm using them, i needed to know the max and anyone experiencing 
 
 Those are int and nothing in the kernel code prevents them having 
 MAX_INT-1 assigned as a value. However you have a rather serious 
 networking problem anyway if you exceed the predefined gc* values.
 
 Some more information (besides reading the related kernel code):
 
 http://www.rstack.net/arp.html
 http://www.rstack.net/tuning_proc_for_arp.html
 
  problems with very big arp's
 
 Yes, the time spent in the GC to reach the equilibrium is rather high 
 with a high number of stale cache entries. Once the gc_thresh3 threshold 
 kicks in you get an aggressive table flush concurrent with the new 
 neighbour entries.
 
  arpd is marked as deprecated or so!?
 
 No, not at all ;).
 
 Best regards,
 Roberto Nibali, ratz
 -- 
 echo 
 '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
 ___
 LARTC mailing list / [EMAIL PROTECTED]
 http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
 


Re: [LARTC] ARP limit ?

2004-08-12 Thread [EMAIL PROTECTED]

  2.4.22
  That is why I try to use bigger gc_*
  thanks for the links.. reading now..
 
 gc_* is of course the way to go and as I've stated before, I would 
 rather think of a misconceived network architecture when seeing neighbour 
 table overflows and fix that flaw instead of using arpd. I found myself 
 back a couple of times in a situation where I had to fiddle with the 
 proc-fs values in a load balanced environment using asymmetric routing.

- i know it is not good to have big LANs, but I'm in a situation where if I move
to a more router oriented network, things will become much more problematic.
The routers themselves will become the biggest bottleneck (much worse than big ARP 
tables)..
and also will limit my ability to balance the network (CATV).. in two words, better 
stick to big
ARP tables rather than introduce other weak links.. and wait until
it becomes big enough and I can logically separate small blocks of the 
network behind routers.. and still have big ARP (but not enormous :))

One additional question...if I deploy parallel router i.e. before :

big LAN[router]---Internet

after :

big LAN[router1]---Internet
|--[router2]--|

so that part of the LAN is routed via router1 and part of it over router2..
if I follow my thoughts the ARP will spread over the routers and
as a consequence router1 will shrink its arp table. 
(big LAN - is physically one net, but logically/IP several subnets)..
router1 will make arp-requests only for its IP-subnets, but not for those 
that router2 takes care of.

are my thoughts correct...

tia




[LARTC] ARP limit ?

2004-08-11 Thread [EMAIL PROTECTED]
what is the limit on the arp cache entries ?!
Does someone have very big LANs with linux-routers ? How big ? (i mean a flat L2 
network, not segmented)

I want to know how much my net can scale ?

thanks


RE: [LARTC] TC-ng questions/problems

2004-08-06 Thread [EMAIL PROTECTED]
Hi Joost,

I hope you saw Steph's message on the link ...


On Thu, 2004-08-05 at 12:36, Joost Kraaijeveld wrote:

  But it's true: in the logfiles I see r2q mentioned
  (jumping with joy in my office, hope at last). 

Careful not to jump too hard -- you might wake up the management :-)


Cheers

Charles




Re: [LARTC] TC-ng questions/problems

2004-08-05 Thread [EMAIL PROTECTED]
Hi Joost,

I think that maybe you have run across an issue that I too had trouble
with. A snip from a message from Martin BROWN explains:

 You have not actually found a bug, but rather a historical strangeness
 about the Linux traffic control system.  For reasons of which I'm
 ignorant, the syntax for the tc command uses bps for bytes/second.  So,
 64000 bytes/second is actually 512 kilobits/second (512 kbps in common
 usage), but is 512 kbit to the tc tool.  Here's a brief chart:
 
                      | tc syntax | tcng syntax |
     -----------------+-----------+-------------+
     bytes/second     | bps       | Bps         |
     bits/second      | bit       | bps         |
     kilobytes/second | kbps      | kBps        |
     kilobits/second  | kbit      | kbps        |
     -----------------+-----------+-------------+
 
 Note that the tcng syntax is exactly the same sort of syntax we use in
 general when discussing speed of WAN links.  It's a "512 kbps" line means
 it's 512 kilobits per second, but this would be 64000 bytes per second if
 we were writing a tc command line.


Hope this helps!

Cheers

Charles

On Thu, 2004-08-05 at 09:53, Joost Kraaijeveld wrote:
 Hi all,
 
 We have 2 class C networks that are connected by a Linux router with the internet. 
 We want to apply traffic control (bandwidth control). For that we wrote the tcc 
 script below. We have 2 problems:
 
 1. To establish a 2 megabit download we must actually set the value to 2500kbps. Is 
 there a possible reason for that?
 2. If we enable the WAN device we get very high ping times (they change from 21.1 
 ms to  2000 ms) and erratic upload values that partly suffer from the problem above 
 (we want to allow for an upload of 512kb and have to specify an upload of 712 to get 
 that) but most of the time we have a far worse actual upload. Anyone any ideas? 
 
 We use Debian 2.6.3-1-386 (Sarge) with tcng 9m.
 
 Any help is greatly appreciated.
 
 Groeten,
 
 Joost Kraaijeveld
 Askesis B.V.
 Molukkenstraat 14
 6524NB Nijmegen
 tel: 024-3888063 / 06-51855277
 fax: 024-3608416
 e-mail: [EMAIL PROTECTED]
 web: www.askesis.nl
 
 ///
 #include "fields.tc"
 #include "ports.tc"
 
 #define WAN eth0
 #define LAN83   eth1
 #define LAN84   eth2
 
 /* The WAN section is about upload to the internet */
 
 dev WAN
 {
   egress
   {
  class ( $uploadRouter )   if ip_src == 192.168.83.1 || ip_src == 192.168.84.1;
 class ( $uploadGKS  ) if ip_src == 192.168.83.22 ;
 class ( $upload83   ) if ip_src:24 == 192.168.83.0 ;
 class ( $upload84   ) if ip_src:24 == 192.168.84.0 ;
 class ( $others ) if 1 ;
 
 htb ()
 {
   class ( rate 18Mbps, ceil 18Mbps )
   {
 $uploadRouter = class ( rate  18Mbps,   ceil 18Mbps );
 $uploadGKS= class ( rate  10Mbps,   ceil 10Mbps ) ;
 $upload83 = class ( rate  5Mbps,ceil 5Mbps ) ;
 $upload84 = class ( rate  712kbps,  ceil 712kbps ) ;
 $others   = class ( rate  18Mbps ,  ceil 18Mbps ) ;
   }
 }
   }
 }
 
 /* This section is about downloading to the 83 network */
 
 dev LAN83
 {
   egress
   {
 class ( $downloadRouter ) if ip_dst == 192.168.83.1;
 class ( $downloadGKS )if ip_dst == 192.168.83.22;
 class ( $download )   if ip_dst:24 == 192.168.83.0;
 class ( $others ) if 1 ;
 
 htb ()
 {
   class ( rate 18Mbps, ceil 18Mbps )
   {
 $downloadRouter = class ( rate  18Mbps, ceil 18Mbps ) ;
 $downloadGKS= class ( rate  10Mbps, ceil 10Mbps ) ;
 $download   = class ( rate  5Mbps,  ceil 5Mbps ) ;
 $others = class ( rate  18Mbps, ceil 18Mbps ) ;
   }
 }
   }
 }
 
 /* This section is about downloading to the 84 network */
 
 dev LAN84
 {
   egress
   {
 class ( $download )   if ip_dst:24 == 192.168.84.0;
 class ( $others ) if 1 ;
 htb ()
 {
   class ( rate 18Mbps, ceil 18Mbps )
   {
 $download  = class ( rate  2500kbps,ceil 2500kbps ) ;
 $others= class ( rate  18Mbps,  ceil 18Mbps ) ;
   }
 }
   }
 }



RE: [LARTC] TC-ng questions/problems

2004-08-05 Thread [EMAIL PROTECTED]
Hi Joost,

OK -- on the units of measure -- you may want to double check that your
upstream provider is 2.000.000 bits/s and not 2 * 1024^1024.

I think that your r2q is probably off -- please see:

http://www.docum.org/stef.coene/qos/faq/cache/31.html

Check your system log as well -- you may see an indication of the
problem. You can try

#define MYR2Q   20

and then in your htb declaration try

htb ( r2q MYR2Q )

Also consider specifying a burst of 6kB and try some other values.

Cheers

Charles



On Thu, 2004-08-05 at 10:26, Joost Kraaijeveld wrote:
 Hi Chalres,
 
 Thanks for the answer. I have also been bitten by the byte/bit bug in the past but 
 in this case it must be something different. All my values are in the correct 
 amount of bits.
 
 The most important problem is actually problem 2: why does the tc toward internet 
 (dev WAN) do what it does?
 
 
 Groeten,
 
 Joost Kraaijeveld
 Askesis B.V.
 Molukkenstraat 14
 6524NB Nijmegen
 tel: 024-3888063 / 06-51855277
 fax: 024-3608416
 e-mail: [EMAIL PROTECTED]
 web: www.askesis.nl



Re: [LARTC] tcng + NAT

2004-08-02 Thread [EMAIL PROTECTED]
Hello,

you can try:


.
.
.

// ip header type of service
class ( $adsl_high ) if ip_tos == 0x80;
// metadata packet mark
class ( $adsl_medium ) if meta_nfmark == 0x30;
.
.
.
Cheers

Charles


   
   

On Mon, 2004-08-02 at 18:02, [EMAIL PROTECTED] wrote:
  
 Does anybody know how to you use tcng with packet marking. I'm
 masquerading my connection so to shape outbound traffic I need to mark
 packets with iptables. But how to you make tcng to recognize marked
 packets?
  
 Thanks for your help.



[LARTC] ala gateway problems

2004-07-07 Thread [EMAIL PROTECTED]
hi,

I have very annoying problem.. First a simple diagram :

x.x.1.0/24 -|
x.x.2.0/24 -| (gw: eth0: x.x.1.1 eth1: x.x.2.1 eth1: x.x.3.1)  

x.x.3.0/24 -|


now I have two machines x.x.3.10 (2.4 kernel) and x.x.3.11 (2.6 kernel) 
AND they are in the same LAN (physical net) but as you see in different IP (logical 
nets).

As I look the traffic with tcpdump and iftop and  the path is the following :
(f.e lets take host at address x.x.1.5 and destination x.x.3.10 )

x.x.1.5   gw:x.x.1.1  x.x.3.10 --- x.x.1.5 

take into account gateway on the return path is not used (remember they are on the 
same LAN), which is what I want...

Now I have deployed a new server with a 2.6 kernel, all other routing tables,ifconfig 
is the same.. but now the path 
of the packets is :


x.x.1.5   gw:x.x.1.1  x.x.3.11 --- gw:x.x.3.1?  ---  x.x.1.5 

Now I want the first behavior, but have no CLUE what is different, is there some 
option to set or what ?!!

The second behavior is the not suitable 'cause if there wasn't qos on the gateway it 
will not be able to handle the traffic...


One thought of mine is that this has to be something to do with ARP.. 'cause I don't see arp entries on 
the new machine ... 

#arp -n | wc -l
3

on the old one there is :

# arp -n | wc -l
105

both are contacted from many hosts... much more than 3 !!


?? ANY IDEA ??

tia


[LARTC] htb and 2.6.5 ?

2004-06-22 Thread [EMAIL PROTECTED]
does someone have experience with HTB and kernel 2.6.5 and up...
Has anyone tested it with thousands of classes and filters..
How does it behave..

tia


[LARTC] prio0 problem

2004-06-02 Thread [EMAIL PROTECTED]
Hello,

Just ran into a weird issue. Debian woody with kernel 2.4.26 from
backports. A htb hierarchy with a class for local originated
traffic, having a bunch of prio 0 filters. All other filters from
other classes use prio 3 to prio 6.

Well, it does not work as expected, there is local traffic that
does not go to that class. Changing filters to prio 1 and it all
works as expected.

What am I missing?






Re: [Fwd: Re: [LARTC] Simple HTB setup with tcng]

2004-05-06 Thread [EMAIL PROTECTED]
hi clemment,

On Wed, 2004-05-05 at 13:54, Clement MOREAU wrote: 
 Thank you for your help.
 
 It generates this script : 
 
 
 
 tc qdisc add dev eth0 handle 1:0 root htb default 2
----^^^

 tc class add dev eth0 parent 1:0 classid 1:1 htb rate 75000bps ceil \
 75000bps
 tc class add dev eth0 parent 1:0 classid 1:2 htb rate 125000bps
 tc filter add dev eth0 parent 1:0 protocol all prio 1 u32 match u32 \
 0xa01 0x at 12 classid 1:1
 
 
 But I thought it was necessary to have a root htb class on the top of
 the hierarchy to get it working as expected. Is that true ? 
yes and it does -- all packets matching the u32 filter (in this case 10.0.0.1) will go 
to the 1:1 class and be limited to the 75 kilobytes per second.

cheers

charles



Re: [LARTC] Simple HTB setup with tcng

2004-05-05 Thread [EMAIL PROTECTED]
salut clemment

try adapting the following to your needs ... it's been working for me.
roughly similar to wondershaper excepting that it is in tcng:

i have a ppp interface on an analog modem so in my firewall i mark
packets coming in from this device as following:

iptables --append PREROUTING --table mangle --in-interface ppp0 \
 --jump MARK --set-mark 0x7


cheers

charles


/*
 * tc next generation script by
 * charles shick
 */

#define LAN eth0
#define LAN_INGRESS 70 
#define LAN_EGRESS 70

dev LAN {

#ingress {
#$policer = SLB( cir LAN_INGRESS kbps );
#class (  ) if SLB_ok( $policer );
#drop if 1;
#}

egress {
class ( $ppp ) if meta_nfmark == 0x7;

class ( $high ) if ip_proto == IPPROTO_ICMP ||
   ip_tos == 0x10 ||
   tcp_sport == 80 || 
   tcp_sport == 110 ||
   udp_sport == 53 ||
   tcp_ack;

class ( $medium ) if tcp_dport == 25;

class ( $low ) if 1;

htb () { class ( rate LAN_EGRESS kbps ) {

$ppp = class ( prio 1, rate 56 kbps )
{ sfq ( perturb 10 sec ); };

$high = class ( prio 1, rate ( 0.5 * LAN_EGRESS )kbps )
{ sfq ( perturb 10 sec ); };

$medium = class (prio 2, rate ( 0.3 * LAN_EGRESS )kbps )
{ sfq ( perturb 10 sec ); };

$low = class (prio 3, rate ( 0.2 * LAN_EGRESS )kbps )
{ sfq ( perturb 10 sec ); };

}
}
}
}


On Wed, 2004-05-05 at 08:46, Clement MOREAU wrote:
 Hello all, 
 
 I am trying to set up a simple htb based system, where packets with
 source ip 10.0.0.1 should have their own class. 
 I plan to use tcng to set it up easier. 
 
 Is there something wrong in my tcng file ? 
 
 ~/tcng$ cat htb
 /*
  */
 
 #include "fields.tc"
 #include "ports.tc"
 
 dev eth0 {
 htb ( ) { 
 class ( rate 600kbps, ceil 600kbps ) 
 { 
 class () if ip_src == 10.0.0.1 ; 
 class (default) ;
 } 
 }
 }
 
 
 When I compile it, I get : 
 
 ~/tcng$ tcc htb
 
 #  Device eth0 
 
 tc qdisc add dev eth0 handle 1:0 root htb default 3
 tc class add dev eth0 parent 1:0 classid 1:1 htb rate 75000bps ceil
 75000bps
 tc class add dev eth0 parent 1:1 classid 1:2 htb rate 75000bps ceil
 75000bps
 tc class add dev eth0 parent 1:1 classid 1:3 htb rate 75000bps ceil
 75000bps
 tc filter add dev eth0 parent 1:1 protocol all prio 1 u32 match u32
 0xa01 0x at 12 classid 1:2
 
 
 which is not working as expected. 
 Packets never get matched. From what I understand of tc (not too much),
 the filter should have been : 
 tc filter add dev eth0 parent 1:0 protocol all prio 1 u32 match u32
 0xa01 0x at 12 classid 1:2
 
 (I replaced parent 1:1 by parent 1:0). 
 
 I tried this setup and it works as expected (at least : packets from the
 server gets matched, other don't. I have used tc -s class show dev eth0
 to see it).
 
 Do I miss something ? 
 
 Thank you.



Re: [LARTC] Simple HTB setup with tcng

2004-05-05 Thread [EMAIL PROTECTED]
salut clemment,

well, i see better now -- you could try something like:

#include "fields.tc"
#include "ports.tc"

dev eth0 {
htb () {
class ( rate 600kbps, ceil 600kbps ) if ip_src == 10.0.0.1;
}
}

cheers

charles

On Wed, 2004-05-05 at 10:15, Clement MOREAU wrote: 
 Thank you for your help.
 
 this setup is creating an additionnal qdisc (dsmark). For performance
 reasons, I would prefer using filters directly attached to htb qdisc. I
 think it is possible, at least it seems to be possible with tc (not
 tcng).
 It seems to me that tcc is doing something wrong with htb and indexes,
 do I miss something ? 
 
 Thank you.
 
 On Wed 05/05/2004 at 09:59, [EMAIL PROTECTED] wrote:
  salut clemment
  
  try adapting the following to your needs ... it's been working for me.
  roughly similar to wondershaper excepting that it is in tcng:
  
  i have a ppp interface on an analog modem so in my firewall i mark
  packets coming in from this device as following:
  
  iptables --append PREROUTING --table mangle --in-interface ppp0 \
   --jump MARK --set-mark 0x7
  
  
  cheers
  
  charles
  
  
  /*
   * tc next generation script by
   * charles shick
   */
  
  #define LAN eth0
  #define LAN_INGRESS 70 
  #define LAN_EGRESS 70
  
  dev LAN {
  
  #ingress {
  #$policer = SLB( cir LAN_INGRESS kbps );
  #class (  ) if SLB_ok( $policer );
  #drop if 1;
  #}
  
  egress {
  class ( $ppp ) if meta_nfmark == 0x7;
  
  class ( $high ) if ip_proto == IPPROTO_ICMP ||
 ip_tos == 0x10 ||
 tcp_sport == 80 || 
 tcp_sport == 110 ||
 udp_sport == 53 ||
 tcp_ack;
  
  class ( $medium ) if tcp_dport == 25;
  
  class ( $low ) if 1;
  
  htb () { class ( rate LAN_EGRESS kbps ) {
  
  $ppp = class ( prio 1, rate 56 kbps )
  { sfq ( perturb 10 sec ); };
  
  $high = class ( prio 1, rate ( 0.5 * LAN_EGRESS )kbps )
  { sfq ( perturb 10 sec ); };
  
  $medium = class (prio 2, rate ( 0.3 * LAN_EGRESS )kbps )
  { sfq ( perturb 10 sec ); };
  
  $low = class (prio 3, rate ( 0.2 * LAN_EGRESS )kbps )
  { sfq ( perturb 10 sec ); };
  
  }
  }
  }
  }
  
  
  On Wed, 2004-05-05 at 08:46, Clement MOREAU wrote:
   Hello all, 
   
   I am trying to set up a simple htb based system, where packets with
   source ip 10.0.0.1 should have their own class. 
   I plan to use tcng to set it up easier. 
   
   Is there something wrong in my tcng file ? 
   
   ~/tcng$ cat htb
   /*
*/
   
   #include "fields.tc"
   #include "ports.tc"
   
   dev eth0 {
   htb ( ) { 
   class ( rate 600kbps, ceil 600kbps ) 
   { 
   class () if ip_src == 10.0.0.1 ; 
   class (default) ;
   } 
   }
   }
   
   
   When I compile it, I get : 
   
   ~/tcng$ tcc htb
   
   #  Device eth0 
   
   tc qdisc add dev eth0 handle 1:0 root htb default 3
   tc class add dev eth0 parent 1:0 classid 1:1 htb rate 75000bps ceil
   75000bps
   tc class add dev eth0 parent 1:1 classid 1:2 htb rate 75000bps ceil
   75000bps
   tc class add dev eth0 parent 1:1 classid 1:3 htb rate 75000bps ceil
   75000bps
   tc filter add dev eth0 parent 1:1 protocol all prio 1 u32 match u32
   0xa01 0x at 12 classid 1:2
   
   
   which is not working as expected. 
   Packets never get matched. From what I understand of tc (not too much),
   the filter should have been : 
   tc filter add dev eth0 parent 1:0 protocol all prio 1 u32 match u32
   0xa01 0x at 12 classid 1:2
   
   (I replaced parent 1:1 by parent 1:0). 
   
   I tried this setup and it works as expected (at least : packets from the
   server gets matched, other don't. I have used tc -s class show dev eth0
   to see it).
   
   Do I miss something ? 
   
   Thank you.
  



RE: [LARTC] VSAT sysctl parameters

2004-02-22 Thread [EMAIL PROTECTED]
Hi Andres,

Check back a few days and you should see a complete post on your
question.

summary for gilat:

-no need to change sysctl anywhere, the indoor unit renegotiates tcp 4
congestion windows, etc for every tcp connection

-use a proxy and forward requests to the gilat idu 9877 proxy port

-be reminded that gilat allows only 32 simultaneous tcp connections

-that gilat recently reduced the icmp packet size to 41 bytes, hence,
you can ping an indoor unit with windows (32 bytes by default) but NOT
linux (56 bytes). use ping -s 32 nnn.nnn.nnn.hhh

cheers

charles


On Sun, 2004-02-22 at 02:37, ThE LinuX_KiD wrote:
 Hi !
 
 - Can you specify which satellite platform you're on? Gilat/Satlynx,
 - Eutelsat, Astra BBI -- they each have some differences ...
 
 
 Yes, I have Gilat/SatLynx.
 
 Thank you!
 andres



Re: [LARTC] VSAT sysctl parameters

2004-02-19 Thread [EMAIL PROTECTED]
Hi Andres,

Can you specify which satellite platform you're on? Gilat/Satlynx,
Eutelsat, Astra BBI -- they each have some differences ...

Cheers

Charles

On Fri, 2004-02-13 at 21:37, ThE LinuX_KiD wrote:
 Hi,
 
 I'm trying to set up a very low bandwidth
 VSAT connection (90 kbits download / 20 kbits upload)
 
 I'm looking for the best kernel SYSCTL parameters for this
 
 Does someone have a sysctl configuration for this ?
 
 Thank you!
 andres



Re: [LARTC] VSAT sysctl parameters

2004-02-19 Thread [EMAIL PROTECTED]
hi andres,

i re-read your question and now that i have a bit more time, i'll try to
respond to it more carefully:

On Fri, 2004-02-13 at 21:37, ThE LinuX_KiD wrote:
 Hi,
 
 I'm trying to set up a very low bandwidth
 VSAT connection (90 kbits download / 20 kbits upload)
 
 I'm looking for the best kernel SYSCTL parameters for this
 
 Does someone have a sysctl configuration for this ?

your question implies that the vsat system that you're currently using
is un-optimized by the provider -- i'll try to explain.

here in europe, the two principal providers Eutelsat and Satlynx both
offer true two-way satellite service that are asymmetrical in bandwidth.

the eutelsat d-star product as well as the satlynx 360e are both
optimized by the provider, that is to say, that both re-negotiate the
layer 4 tcp connection parameters for each tcp session. if you take the
time to try to reset the tcp parameters, it is really unnecessary as
they are thrown out and replaced by the provider's variables (performed
by the indoor unit).

the exceptions are the astra bbi platform and other pure vsat
platforms that do not perform layer 4 renegotiation or ack spoofing and
the like. at this point, tweaking the sysctl parameters helps
enormously, however, it is noteworthy that a client passing its traffic
via your linux router, will not inherit the router's parameters: each
client will setup its own tcp parameters during the handshake.

so, here's a brief summary:

squid and/or another http proxy:
a http proxy server is recommended in all cases. setup a large cache,
good memory and cache object size. avoid using the bandwidth if you do
not have to.

satlynx 360e:
no need to do much here with your router, excepting that you should really
try to make use of the http proxy port (9877) provided by the indoor
unit. you can setup a transparent squid proxy (or regular) and put a
line in the squid.conf like:

cache_peer $GILAT_INDOOR_IP parent 9877 0 no-query

when squid doesn't find the cache object, it will send the http request
through their proxy port and you will enjoy the benefits of their
caching and acceleration.


eutelsat d-star:
like the gilat, eutelsat has optimized their backbone with ack spoofing
and tcp layer renegotiation. no need to worry about clients behind this
idu either.

astra bbi and other pure vsat connections:
here you will want to make your maximum effort to tweak sysctl and use a
proxy so that the linux router will use its tcp parameters at layer 4.
here's a few suggestions for sysctl.conf, your mileage may vary:

net.core.wmem_max = 8388608
net.core.rmem_max = 8388608
net.ipv4.tcp_wmem = 4096 20 25
net.ipv4.tcp_rmem = 4096 20 25
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
#net.ipv4.tcp_wmem = 4096 87380 4194304
#net.ipv4.tcp_wmem = 4096 25 30
#net.ipv4.tcp_rmem = 4096 87380 4194304
#net.ipv4.tcp_rmem = 4096 15 20

the # statements were taken from several howtos and you should give them
a try to see if you're getting improvements. remember again that using
squid will cause these parameters to be used as opposed to a client
behind that does its own layer 4 negotiation. iptables patches may be of
help as well to get a client's tcp negotiation to support a better
congestion window size. older ip stacks (i.e. win 95 and nt 4.0) can be
problematic as these parameters cannot be changed (as far as i know).

patience, testing, and let us know!

cheers

charles






[LARTC] ignore - test

2004-02-18 Thread [EMAIL PROTECTED]
alive



Re: [LARTC] I can't get TCNG to compile!!!

2004-01-27 Thread [EMAIL PROTECTED]
hi,

i have had the same problem ...

after running ./configure, edit the config file and change the line
with 

KFULLVERSION=2.4.21-9

to just 

KFULLVERSION=2.4.21

without the - or smp -- these symbols cause problems.

make and enjoy

cheers

charles




On Mon, 2004-01-26 at 23:39, [EMAIL PROTECTED] wrote:
 Help! I can't get TCNG to compile!!! It did this on 2 different
 machines! Here are the errors:
  
 
 Kernel: 2.4.22
 [EMAIL PROTECTED] tcng]# uname -a
 Linux localhost.localdomain 2.4.22-1.2149.nptl #1 Wed Jan 7 13:08:26
 EST
 
 #if KFULLVERSIONNUM = 0x20416  /* gratuitous interface change in
 2.4.22 :-(
 */
 ERROR:
 ake -f Makefile.unclean tcsim
 make[2]: Entering directory `/home/jradke/tcng/tcsim'
 cc -E -g -Wall -Wstrict-prototypes -Wmissing-prototypes
 -Wmissing-declarations -I../shared -Iklib -Iklib/include
 -Iulib/iproute2/include -I. -DVERSION=\`cat ../VERSION`\
 -DTOPDIR=\/home/jradke/tcng\ -DTCC_CMD=\/home/jradke/tcng/bin/tcc\
 -DKFULLVERSION=\2.4.22-1.2149.nptlcustom\ -DKFULLVERSIONNUM=`printf
 0x%02x%02x%02x 2 4 22`-1.2149.nptlcustom -DIVERSION=\010824\ -I.
 -M *.c .depend || \
 
   { rm -f .depend; exit 1; }
 trace.c:41:5: too many decimal points in number
 make[2]: *** [.depend] Error 1
 make[2]: Leaving directory `/home/jradke/tcng/tcsim'
 make[1]: *** [tcsim] Error 2
 make[1]: Leaving directory `/home/jradke/tcng/tcsim'
 make: *** [all] Error 1
 
 
 
 Kernel: 2.6.1
 ERROR:
 
 klib/include/linux/errno.h:4:31: asm-generic/errno.h: No such file or
 directory
 make[2]: *** [.depend] Error 1
 make[2]: Leaving directory `/home/jradke/tcng/tcsim'
 make[1]: *** [tcsim] Error 2
 make[1]: Leaving directory `/home/jradke/tcng/tcsim'
 make: *** [all] Error 1
  
 
  
  
 



[LARTC] kptd ipsec

2004-01-23 Thread [EMAIL PROTECTED]

hi all,

could someone describe where the encryption  de-encryption is in the
kptd?

thanks!

charles



[LARTC] traffic shaping and kernel 2.6.0

2004-01-21 Thread [EMAIL PROTECTED]
hello all,

I am a newbie to this list.
Has anybody done some experimentation with traffic control on kernel
2.6.0, as there is one special module called traffic shaper in the
experimental category? Has anybody tried it?

Are there any other special tools for the same?

Is there any documentation regarding the same?

I myself am going to try it with kernel 2.6.0, so advice is welcome.


Thanks in advance.

-SIDDHARTH




RE: [LARTC] How can I unsubscribe mailing list?

2003-12-18 Thread [EMAIL PROTECTED]
List-Unsubscribe:  http://mailman.ds9a.nl/mailman/listinfo/lartc

or

 mailto:[EMAIL PROTECTED]

cheers

On Thu, 2003-12-18 at 05:13, Sittichai Amornrojvorawut wrote:
 
 Please let me know how I can unsubscribe from the mailing list. I really would like 
 to unsubscribe from the mailing list as soon as possible.
 Thank you
 
 
 



[LARTC] bandwidth test software: client/server

2003-12-02 Thread [EMAIL PROTECTED]
hi all,

i've got my tc (and my client's tc) in place and would like to setup a
bandwidth test server where clients can go to the web page and test
their bandwidth (click a button and do a test).

i googled and found lots of sites that have the test software, but didn't
find the actual test software.

any links?

cheers

charles




Re: no bug in tcng; tc kbit v. tcng kbps [LARTC] was tcng error

2003-11-28 Thread [EMAIL PROTECTED]
hi martin,


On Thu, 2003-11-27 at 20:58, Martin A. Brown wrote:
 Hello Charles,
 
  : after slicing and dicing, i found that i had cut and pasted bad syntax,
  : so i have solved the problem posted in my first message.
 
 Where did you find the original (I'm hoping it's not one of mine).  If so,
 let me know, and I'll fix it.
indeed, i used some of your examples as well as those included in the
tcng/examples-ng directory, and wshaper.htb to create the following
(i'll post it now as it is untested but functioning more or less)

#define DEVICE eth0
#define DOWNLINK 1024 
#define UPLINK 512 

#include "fields.tc"
#include "ports.tc"

dev DEVICE {
ingress {
$policer = SLB( cir DOWNLINK kBps, cbs 60kB, mpu 0b );
class () if SLB_ok($policer);
drop if 1;
}

egress {
class ($high) if tcp_ACK || 
   ip_proto == IPPROTO_ICMP ||
   ip_tos == 0x10 ||
   tcp_dport == PORT_SSH ||
   tcp_dport == 8080 ||
   tcp_dport == 18082 ||
   tcp_dport == 18083;


class ($medium) if tcp_dport == PORT_HTTP ||
 tcp_dport == PORT_SMTP ; 

class ($low) if 1;

htb () {
class (rate UPLINK bps, burst 6kB) {
$high = class (prio 1, rate UPLINK kBps)
{ sfq (perturb 10 sec); };
$medium = class (prio 2, rate (0.9*UPLINK)kBps)
{ sfq (perturb 10 sec); };
$low = class (prio 3, rate (0.8*UPLINK) kBps)
{ sfq (perturb 10 sec); };
}
}
}
}


   [ example snipped ]
 
  : notice that the UPLINK of 512 kbps (arguably 524288 bps) has been
  : incorrectly calculated as 64000 bps
 
 You have not actually found a bug, but rather a historical strangeness
 about the Linux traffic control system.  For reasons of which I'm
 ignorant, the syntax for the tc command uses bps for bytes/second.  So,
 64000 bytes/second is actually 512 kilobits/second (512 kbps in common
 usage), but is 512 kbit to the tc tool.  Here's a brief chart:
 
                         tc syntax   tcng syntax
                       +-----------+-------------+
      bytes/second     |   bps     |   Bps       |
      bits/second      |   bit     |   bps       |
      kilobytes/second |   kbps    |   kBps      |
      kilobits/second  |   kbit    |   kbps      |
                       +-----------+-------------+
 
 Note that the tcng syntax is exactly the same sort of syntax we use in
 general when discussing speed of WAN links.  "It's a 512 kbps line" means
 it's 512 kilobits per second, but this would be 64000 bytes per second if
 we were writing a tc command line.
ah ha -- thanks for this, much clearer now ... perhaps this table is
worthy of inclusion in the howto or a compatibility option in tcng?

curious also on your experience with ingress -- i noticed that using a
Single Leaky Bucket, and playing with the cbs parameter can dramatically
(obviously) affect the ingress policing. is there a general rule of
thumb in calculating the cbs size based on the cir?

cheers

charles


Re: [LARTC] was tcng error; now found bug in tcc

2003-11-28 Thread [EMAIL PROTECTED]
hi werner,

thanks very much -- i've got it now!

btw, tcng is just great -- simply marvelous!

cheers

charles


On Thu, 2003-11-27 at 20:06, Werner Almesberger wrote:
 [EMAIL PROTECTED] wrote:
  have i missed something, or indeed there is a problem??
 
 No, all this should be correct - in tc, bps means Bytes per
 second. And in tcng, rates and packets use the multiplier 1000,
 while bit and byte sizes use the multiplier 1024. This just
 follows what is the most common use for the respective unit.
 
 If you don't like the 1000 multiplier, you can just
 
 #define bps b/1s
 #define kbps kb/1s
 #define Mbps Mb/1s
 #define Gbps Gb/1s
 #define Bps B/1s
 #define kBps kB/1s
 #define MBps MB/1s
 #define GBps GB/1s
 
 - Werner
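The tc/tcng unit chart in Martin's reply and the 1000-versus-1024 note in Werner's, turned into a small converter. This is an added example, not code from the list or from tcng. The tcng side follows the letters exactly: lowercase b is bits, uppercase B is bytes, rates scale by 1000 and sizes by 1024. The tc table is an assumption about the tc version: it follows current iproute2, where k/m/g are decimal and ki/mi/gi are binary; older tc releases scaled k/m by 1024, so check it against the `tc` you actually run.

```python
"""Rate units as tc and tcng read them.

Added example, not code from the list or from tcng. It encodes the chart in
Martin's reply and the 1000/1024 split in Werner's:
  tc:   bps = bytes/s, bit = bits/s, kbps = kilobytes/s, kbit = kilobits/s
  tcng: bps = bits/s, Bps = bytes/s, kbps = kilobits/s, kBps = kilobytes/s,
        rates scale by 1000, sizes (b, B, kb, kB, ...) by 1024.
Assumption: the tc table follows current iproute2 (k/m/g decimal, ki/mi/gi
binary); older tc releases scaled k/m by 1024, so check your own version.
"""
import re

# tc(8) suffix -> multiplier to bits/s; tc matches suffixes case-insensitively
TC_UNITS = {
    "bit": 1, "kbit": 10**3, "mbit": 10**6, "gbit": 10**9,
    "kibit": 2**10, "mibit": 2**20, "gibit": 2**30,
    "bps": 8, "kbps": 8 * 10**3, "mbps": 8 * 10**6, "gbps": 8 * 10**9,
    "kibps": 8 * 2**10, "mibps": 8 * 2**20, "gibps": 8 * 2**30,
}
# tcng prefixes are case-sensitive (k, M, G), and so is b (bit) vs B (byte)
TCNG_RATE_PREFIX = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9}
TCNG_SIZE_PREFIX = {"": 1, "k": 2**10, "M": 2**20, "G": 2**30}

_TC_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([A-Za-z]+)\s*$")
_TCNG_RATE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([kMG]?)(bps|Bps)\s*$")
_TCNG_SIZE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([kMG]?)(b|B)\s*$")


def tc_rate_to_bits(text: str) -> int:
    """'64000bps' -> 512000, '512kbit' -> 512000, '512kbps' -> 4096000 (the 8x trap)."""
    m = _TC_RE.match(text)
    if not m or m.group(2).lower() not in TC_UNITS:
        raise ValueError(f"not a tc rate: {text!r}")
    return int(float(m.group(1)) * TC_UNITS[m.group(2).lower()])


def tcng_rate_to_bits(text: str) -> int:
    """'512kbps' -> 512000, '64kBps' -> 512000, '1Mbps' -> 1000000."""
    m = _TCNG_RATE_RE.match(text)
    if not m:
        raise ValueError(f"not a tcng rate: {text!r}")
    per_unit = 8 if m.group(3) == "Bps" else 1
    return int(float(m.group(1)) * TCNG_RATE_PREFIX[m.group(2)] * per_unit)


def tcng_size_to_bytes(text: str) -> int:
    """'60kB' -> 61440 and '8kb' -> 1024: tcng sizes use 1024, not 1000."""
    m = _TCNG_SIZE_RE.match(text)
    if not m:
        raise ValueError(f"not a tcng size: {text!r}")
    bits = float(m.group(1)) * TCNG_SIZE_PREFIX[m.group(2)] * (8 if m.group(3) == "B" else 1)
    return int(bits) // 8


def to_tc_rate(bits_per_second: int) -> str:
    """Spell a rate the way tcc does: bytes/s with a bare 'bps', which no tc misreads."""
    if bits_per_second % 8 == 0:
        return f"{bits_per_second // 8}bps"
    return f"{bits_per_second}bit"


def tcng_to_tc(text: str) -> str:
    """Translate a tcng rate literal into the argument tcc would hand to tc."""
    return to_tc_rate(tcng_rate_to_bits(text))


if __name__ == "__main__":
    for literal in ("512kbps", "64kBps", "0.9Mbps"):
        print(f"tcng {literal:>8} -> tc {tcng_to_tc(literal)}")
    # Same spelling, different meaning: tc's 512kbps is eight times tcng's
    print("tc 512kbps =", tc_rate_to_bits("512kbps"), "bit/s; tcng 512kbps =",
          tcng_rate_to_bits("512kbps"), "bit/s")
```

The point of `to_tc_rate` is the one tcc itself applies: emitting the rate as plain bytes per second (`64000bps`) sidesteps both the bit/byte confusion and the decimal/binary prefix question, so it is the safest form to write into a hand-built tc script.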


Re: [LARTC] was tcng error; now found bug in tcc]

2003-11-27 Thread [EMAIL PROTECTED]
hi all,

after slicing and dicing, i found that i had cut and pasted bad syntax,
so i have solved the problem posted in my first message.

that said, i have found an issue in 9h and 9i of tcng running on a
bi-processor with redhat-8 up2date with 2.4.20 kernel.

here's a small tcng cfg:


#define DEVICE eth0
#define UPLINK 512

dev DEVICE {
    egress {
        htb () {
            class (rate UPLINK kbps) {
            }
        }
    }
}

[root]# cat tc.bug | tcc
tc qdisc add dev eth0 handle 1:0 root dsmark indices 1 default_index 0
tc qdisc add dev eth0 handle 2:0 parent 1:0 htb
tc class add dev eth0 parent 2:0 classid 2:1 htb rate 64000bps
--

notice that the UPLINK of 512 kbps (arguably 524288 bps) has been
incorrectly calculated as 64000 bps

similarly, the following:

#define DEVICE eth0
#define UPLINK 64

dev DEVICE {
    egress {
        htb () {
            class (rate UPLINK kBps) {
            }
        }
    }
}

[root]# cat tc.bug | tcc
tc qdisc add dev eth0 handle 1:0 root dsmark indices 1 default_index 0
tc qdisc add dev eth0 handle 2:0 parent 1:0 htb
tc class add dev eth0 parent 2:0 classid 2:1 htb rate 64000bps
--

if i express the UPLINK in kilobytes/s, then the rate has been
incorrectly multiplied by 1000 instead of equaling 64 * 8 * 1024 = 524288


have i missed something, or indeed there is a problem??

many thanks

charles


[LARTC] tcng error

2003-11-26 Thread [EMAIL PROTECTED]
hi all,

below is my tcng configuration (based on wondershaper) which yields an error that i do not understand ... 


can't dump subexpression (if_u32.c, access expected)
[==]--[.IPv6 address]--[==]--[access]-- (none)
| | | +-- 9
| | | `-- 8
| | `--[offset]--[access]-- (none)
| | | +-- 2
| | | `-- 16
| | `--[]--[]--[access]-- (none)
| | | | +-- 0
| | | | `-- 8
| | | `-- 15
| | `-- 2
| `-- :::::::
`-- 80


can anyone comment on why this is happening?

additionally, any expressions getting active/passive ftp into $medium would be greatly appreciated -- i would imagine that i have to mark in netfilter??

thanks

charles

here comes the config ... :-)


#define DEVICE eth0
#define DOWNLINK 1024
#define UPLINK 512

#include "fields.tc"
#include "ports.tc"

dev DEVICE {
    egress {
        class ($high) if ip_proto == IPPROTO_ICMP ||
                         tcp_ACK ||
                         tcp_dport == 8080 ||
                         tcp_dport == 18082 ||
                         tcp_dport == 18083;

        class ($medium) if ip_proto == tcp_dport == 80 ||
                           tcp_dport == 25 ;

        class ($low) if 1;

        htb () {
            class (rate UPLINK kbps, burst 6kB) {
                $high = class (prio 1, rate UPLINK kbps)
                    { sfq (perturb 10 sec); };
                $medium = class (prio 2, rate (0.9*UPLINK) kbps)
                    { sfq (perturb 10 sec); };
                $low = class (prio 3, rate (0.8*UPLINK) kbps)
                    { sfq (perturb 10 sec); };
            }
        }
    }
}





Re: [LARTC] howto mark packets

2003-11-25 Thread [EMAIL PROTECTED]
hi cezar,

why not use the TOS mark -- it is carried in the packet's tcp header ...
you can only have 8 types/marks however ...

cheers

charles

On Mon, 2003-11-24 at 17:03, Cezar Atanasiu wrote:
 On Mon, 24 Nov 2003 16:43:40 +0100
 Eric Leblond [EMAIL PROTECTED] wrote:
 
  On Mon 24/11/2003 at 16:16, Cezar Atanasiu wrote:
 Hi folks,
 The questions : 
   
 1. can that be done ?
  
  not that way, fw mark are lost when you leave the computer
 
  I know, that is why I asked.
 
  
 2. if the answer to the first q. is yes, can that be done w/o
 patching
   the kernel on the first router w/ experimental patches ?
  
  you can do that in a far-fetched way (such an idea) by using
  tunnels (gre or ipip) and doing some iproute2 on A to push packets into a
  tunnel corresponding to their mark and have B route by interface.
 
  Hmm, that would become too complicated. There is no other way ? 
 
  
  BR,
  -- 
  Eric Leblond
 NuFW, Now User Filtering Works (http://www.nufw.org)


[LARTC] failover-overload

2003-10-13 Thread [EMAIL PROTECTED]
hi all,

curious if anyone can comment on the existence (or perhaps non-existence)
of an overload feature --

when one line to an isp is at its peak, the second line starts getting
the new sessions?

also, i noticed in an earlier thread the keepalive daemon for just
failover (the first line is an adsl, the second and third are vsat) --
given the extra delay that a vsat imposes, i prefer to keep them for an
overload or failover condition. could someone post their cfg from
keepalive and/or comment on its efficacy?

thanks a million

charles


[LARTC] help me, thanks

2003-09-23 Thread [EMAIL PROTECTED]
Hi, I'm new in the list, and I need help! I'd like to know if there exists a free tool
for monitoring network traffic that at the same time performs simulation of jitter,
packet loss and packet delay for customizing the measurements.
Thanks for help!


Re: [LARTC] appliance recommendation

2003-09-02 Thread [EMAIL PROTECTED]
hi mohan, pádraig,

thanks for your help & perfect

cheers

charles

On Mon, 2003-09-01 at 14:54, Padraig Brady wrote:
 [EMAIL PROTECTED] wrote:
  hi all,
  
  can anyone comment on an excellent & inexpensive linux compatible
  appliance with 4 or more ethernet ports that could be suitable for
  bandwidth management and routing?
  
  something like the 
  
  http://www.en.storever.com/product/openbrick/openbrick-e
  
  this is the only thing i could find, but i would prefer higher port
  density ...
 
 I've tried various advantech products and have been very
 impressed. Currently I'm working with the FWA-3660
 and forwarding up to 240K packets/second.
 http://www.advantech.com/products/Model.asp?Category_ID=1-DENFN&bu=
 
 Pádraig.


[LARTC] appliance recommendation

2003-09-01 Thread [EMAIL PROTECTED]
hi all,

can anyone comment on an excellent & inexpensive linux compatible
appliance with 4 or more ethernet ports that could be suitable for
bandwidth management and routing?

something like the 

http://www.en.storever.com/product/openbrick/openbrick-e

this is the only thing i could find, but i would prefer higher port
density ...


thanx!

charles


[LARTC] policy routing on locally generated packets; application routing;-- much better with iptables-1.2.8-8.80.2

2003-08-30 Thread [EMAIL PROTECTED]
hello, 

just a quick note after the thread concerning source ip selection on
locally generated packets, etc. 


quick schema 

               +------------------------+
 lan_a ------- | eth0    alice    eth1  | ------- isp_a
               +------------------------+

here's alice's ifconfig 
eth0   192.168.0.254/24 
eth1   192.168.1.254/24 
eth1:1 192.168.1.100/24 

here's alice's default routing table: 
192.168.0.0/24 dev eth0  scope link 
192.168.1.0/24 dev eth1  scope link 
127.0.0.0/8 dev lo  scope link 

after installing iptables-1.2.8-8.80.2 on redhat-8.0, icmp protocol is
being handled as one would expect if the following script is used: 

#mark locally generated packets in OUTPUT 
#and snat them later in POSTROUTING 
iptables --append OUTPUT --table mangle --jump MARK --set-mark 0x2 
iptables --append POSTROUTING --table nat --match mark \ 
 --mark 0x2 --jump SNAT --to-source 192.168.1.100 

whereas the previous version of iptables was not using the --to-source
address for icmp, it is working now (i haven't checked why yet -- i had
built it myself). so tcp/udp/icmp are perfect. expressions in the mangle
table (uid/gid/pid/) are fully supported, therefore it is now possible
to policy route/snat on a user, group or application ... very cool. 

the only exception for the moment is arp -- it will use the source
address as defined in the default routing table. 

concerning the src ip address selection for arp, there is a patch/thread
very recently discussed at: 

http://marc.theaimsgroup.com/?l=linux-kernel&m=106141566718585&w=2


cheers & thanks to all

charles


Re: [LARTC] OUTPUT chain marking after or before routing?

2003-07-19 Thread [EMAIL PROTECTED]
Hello Martin,

Thanks very much for your explanation.

 So, locally generated packets marked in the OUTPUT chain have already been
 routed.

This is really quite sad isn't it? I was attempting the following for
locally generated packets:

iptables --append OUTPUT --table mangle --match owner \ 
         --uid-owner 500 --jump MARK --set-mark 0x5

ip rule add fwmark 0x5 table 5   # etc ...

By matching the process uid or gid, I was counting on being able to
policy route based on who was asking -- quite a neat solution actually.
ip rule doesn't allow matching a uid/gid, and from your explanation, it
would be hard to imagine.

I don't suppose you have a way around this??

Cheers

Charles


Re: [LARTC] OUTPUT chain marking after or before routing?

2003-07-17 Thread [EMAIL PROTECTED]
Hi Martin, Catalin, Chijioke,

This subject intrigues me greatly and is closely related to a post of
just a few days ago:


snip from my original post

 +----------------------+       +---------------+
 | eth1   192.168.1.1   | ----- | 192.168.1.250 |
 | eth1:1 192.168.1.101 |       |               |
 +----------------------+       +---------------+
 
 
 iptables --append OUTPUT --table mangle --jump MARK --set-mark 0x2
 ip rule add fwmark 0x2 table 2
 ip route add 192.168.1.0/24 dev eth1 src 192.168.1.101 table 2
 ip route flush cache
 
 
 telnet 192.168.1.250 ; and tcpdump gives src ip address as
 192.168.1.1
 
 
 ip rule add to 192.168.1.250 table 2
 ip route flush cache
 
 
 telnet 192.168.1.250 ; and tcpdump gives src ip address as
 192.168.1.101

 According to my reading of the KPTD (and my understanding), packets
 generated on the local machine have already been routed by the time the
 OUTPUT chain is traversed.  See:
 
   http://www.docum.org/stef.coene/qos/kptd/
i have spent a lot of time looking at this diagram and don't understand
what happens when. curiously, to my post Patrick McHardy was kind enough
to test and:

On Sun, 2003-07-13 at 23:43, Patrick McHardy wrote:
 I tested your setup and it works fine (with 2.5 though). Are you sure 
 you have
 CONFIG_IP_ROUTE_FWMARK enabled for your running kernel ? ip rule won't
 give errors if not ..

very interesting, and i have yet to make it work here, although i
haven't debugged it yet

  : have u tried putting it on the FORWARD chain??
 
 Unfortunately the FORWARD chain will not work if these are locally
 generated packets.
yup.

 
 I see two potential approaches to this problem:
 
   - invert your logic; main routing table uses ppp0 gateway IP as default
 gateway, mark all traffic passing through your router box, and use
 ip rule add fwmark $MARK table $INTERNET with another routing
 table for the Internet-bound traffic.
martin, this is pure genius

 
   - send all locally generated traffic via ppp0; ip rule add iif lo
 table smtp and watch all traffic generated on the local machine leave
 via ppp0.  You'll want to add the locally connected networks to table
 smtp.
can you comment why this is -- 

ip rule to xxx.xxx.xxx.xxx table n

works, and 

iptables fwmark y table n

doesn't? is it because OUTPUT checked the rule while the packet was
generated locally, but not after it was marked? 

1000 thanks


charles 


Re: [LARTC] marking in OUTPUT --mangle; locally generated packetsand route lookup - broken?

2003-07-15 Thread [EMAIL PROTECTED]
Hi Patrick,

Sincere thanks for your time & help!

 i assume you mean CONFIG_IP_ROUTE_FWMARK and not
 CONFIG_IP_NF_TARGET_MARK.
Yup -- sorry!

 i would start with putting some printks in ipt_local_hook
 (net/ipv4/netfilter/iptable_mangle.c) before the call to ip_route_me_harder
 and in ip_route_me_harder (net/core/netfilter.c) itself.
Trying this today ...


Kindest Regards

Charles Shick


[Re: [LARTC] marking in OUTPUT --mangle; locally generated packetsand route lookup - broken?]

2003-07-14 Thread [EMAIL PROTECTED]
Hi Patrick,

Thanks for your message. I double checked, and my kernel .config is y
to FWMARKing. I'm on 2.4.20-13.8 with iptables 1.2.8.

The netfilter list suggested *not* using an aliased address, which i
tried and that failed. bummer.

More testing ... 

BTW, is there a way to trace or debug what's going on on my machine to 
track the route lookup process?

Thanks!

Charles



On Sun, 2003-07-13 at 23:43, Patrick McHardy wrote:
 I tested your setup and it works fine (with 2.5 though). Are you sure 
 you have
 CONFIG_IP_ROUTE_FWMARK enabled for your running kernel ? ip rule won't give
 errors if not ..
 
 Bye
 Patrick
 
 [EMAIL PROTECTED] wrote:
 
 hello all,
 
  i have come across a curious issue:
  
  +----------------------+       +---------------+
  | eth1   192.168.1.1   | ----- | 192.168.1.250 |
  | eth1:1 192.168.1.101 |       |               |
  +----------------------+       +---------------+
 
 
 iptables --append OUTPUT --table mangle --jump MARK --set-mark 0x2
 ip rule add fwmark 0x2 table 2
 ip route add 192.168.1.0/24 dev eth1 src 192.168.1.101 table 2
 ip route flush cache
 
 
 telnet 192.168.1.250 ; and tcpdump gives src ip address as 192.168.1.1
 
 
 ip rule add to 192.168.1.250 table 2
 ip route flush cache
 
 
 telnet 192.168.1.250 ; and tcpdump gives src ip address as 192.168.1.101
 
 
 
 are there issues concerning the marking of OUTPUT packets generated on
 the local box that i should be aware of?
 
 
 many, many thanks
 
  charles


[LARTC] fwmark(ing) in OUTPUT; has anyone had success?

2003-07-10 Thread [EMAIL PROTECTED]
hi all,

sorry for the re-post, but i am in a bad way ...

trying to fwmark in OUTPUT --mangle has led to a null result for a
routing table lookup.

has anyone successfully accomplished this -- can you comment on your
distro/iptables version ?

in your debt,

charles

on redhat 8 with iptables 1.2.8


[LARTC] marking in OUTPUT --mangle; locally generated packets and routelookup - broken?

2003-07-09 Thread [EMAIL PROTECTED]
hello all,

i have come across a curious issue:

 +----------------------+       +---------------+
 | eth1   192.168.1.1   | ----- | 192.168.1.250 |
 | eth1:1 192.168.1.101 |       |               |
 +----------------------+       +---------------+


iptables --append OUTPUT --table mangle --jump MARK --set-mark 0x2
ip rule add fwmark 0x2 table 2
ip route add 192.168.1.0/24 dev eth1 src 192.168.1.101 table 2
ip route flush cache


telnet 192.168.1.250 ; and tcpdump gives src ip address as 192.168.1.1


ip rule add to 192.168.1.250 table 2
ip route flush cache


telnet 192.168.1.250 ; and tcpdump gives src ip address as 192.168.1.101



are there issues concerning the marking of OUTPUT packets generated on
the local box that i should be aware of?


many, many thanks

charles
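As an added illustration (not code from these messages, and not the kernel's implementation), the following Python model replays the three observations in this thread: an OUTPUT-chain fwmark alone leaves the source at 192.168.1.1, adding `ip rule add to 192.168.1.250 table 2` yields 192.168.1.101, and the later mark-matched SNAT yields 192.168.1.100. The ordering it assumes is the one Martin gives in his reply: a locally generated packet is routed, and gets its source address, before mangle OUTPUT runs; a changed mark only re-routes the packet; nat POSTROUTING may then rewrite the source. The `Rule`, `Route`, `MarkRule` and `SnatRule` classes are simplified stand-ins for the corresponding `ip rule`, `ip route` and `iptables` entries, not iproute2 or netfilter APIs.

```python
"""Model of the order the thread describes for locally generated packets.

Added example, not code from the thread and not the kernel's implementation.
Assumed ordering (Martin's explanation):
  1. route lookup on the unmarked packet picks table, device and source address;
  2. mangle OUTPUT runs and may set a mark;
  3. a changed mark re-routes the packet, but the source already in the header stays;
  4. nat POSTROUTING may rewrite the source (SNAT).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:                      # one 'ip route' entry
    prefix: str
    dev: str
    src: str                      # preferred source ('src' on the route)


@dataclass
class Rule:                       # one 'ip rule' entry, in priority order
    table: str
    to: Optional[str] = None      # 'to <prefix>' selector
    fwmark: Optional[int] = None  # 'fwmark <n>' selector


@dataclass
class MarkRule:                   # mangle OUTPUT [-m owner --uid-owner] -j MARK
    set_mark: int
    uid: Optional[int] = None


@dataclass
class SnatRule:                   # nat POSTROUTING -m mark --mark <n> -j SNAT --to-source
    mark: int
    to_source: str


@dataclass
class Host:
    rules: List[Rule]
    tables: Dict[str, List[Route]]
    mangle_output: List[MarkRule] = field(default_factory=list)
    nat_postrouting: List[SnatRule] = field(default_factory=list)

    def lookup(self, dst: str, mark: int) -> Route:
        ip = ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.to is not None and ip not in ipaddress.ip_network(rule.to):
                continue
            if rule.fwmark is not None and rule.fwmark != mark:
                continue
            for route in self.tables.get(rule.table, []):
                if ip in ipaddress.ip_network(route.prefix):
                    return route
        raise LookupError(f"no route to {dst} with mark {mark}")

    def send(self, dst: str, uid: int = 0) -> Tuple[str, str, int]:
        """Return (src, dev, mark) of a locally generated packet as it leaves."""
        route = self.lookup(dst, mark=0)                  # 1. routed before OUTPUT
        src, dev, mark = route.src, route.dev, 0
        for m in self.mangle_output:                      # 2. mangle OUTPUT
            if m.uid is None or m.uid == uid:
                mark = m.set_mark
                break
        if mark != 0:                                     # 3. re-route, src unchanged
            dev = self.lookup(dst, mark).dev
        for s in self.nat_postrouting:                    # 4. SNAT by mark
            if s.mark == mark:
                src = s.to_source
                break
        return src, dev, mark


def charles_host(extra_rules=(), snat=(), marks=(MarkRule(set_mark=2),)) -> Host:
    """eth1 192.168.1.1 with alias 192.168.1.101; table 2 carries 'src 192.168.1.101'."""
    return Host(
        rules=[*extra_rules, Rule("main")],
        tables={"main": [Route("192.168.1.0/24", "eth1", "192.168.1.1")],
                "2":    [Route("192.168.1.0/24", "eth1", "192.168.1.101")]},
        mangle_output=list(marks),
        nat_postrouting=list(snat),
    )


def fwmark_only():
    """ip rule add fwmark 0x2 table 2: tcpdump showed src 192.168.1.1."""
    return charles_host([Rule("2", fwmark=2)]).send("192.168.1.250")


def with_to_rule():
    """plus ip rule add to 192.168.1.250 table 2: src became 192.168.1.101."""
    rules = [Rule("2", fwmark=2), Rule("2", to="192.168.1.250/32")]
    return charles_host(rules).send("192.168.1.250")


def snat_by_mark():
    """the later recipe: mark in OUTPUT, SNAT in POSTROUTING by mark."""
    return charles_host([Rule("2", fwmark=2)], [SnatRule(2, "192.168.1.100")]).send("192.168.1.250")


def per_uid():
    """Martin's per-user idea: only uid 500 is marked (and here also SNATed)."""
    host = charles_host([Rule("2", fwmark=5)], [SnatRule(5, "192.168.1.100")],
                        marks=[MarkRule(set_mark=5, uid=500)])
    return host.send("192.168.1.250", uid=500), host.send("192.168.1.250", uid=0)


if __name__ == "__main__":
    print("fwmark only :", fwmark_only())
    print("to rule     :", with_to_rule())
    print("snat by mark:", snat_by_mark())
    print("per uid     :", per_uid())
```

Read against the thread: the `to` rule works because it is already in force at step 1, when the source is chosen; the fwmark rule is only consulted at step 3, too late to change the source, so the SNAT in step 4 is what finally puts 192.168.1.100 on the wire.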


[LARTC] advice for bandwidth control & traffic accounting

2003-07-07 Thread [EMAIL PROTECTED]
hello gentle readers, 

a somewhat complicated situation to explain, but I am most curious to
hear any advice or comments that you may be kind enough to offer. 


I have the following situation: 


 [ multiple                  ]
 [ client   --- BW-Linux-1   ] ---------- BW-Linux-2 --- Internet
 [ networks                  ]
   (A)           (B)              (C)         (D)

 [___________ [X] ___________]

metrics: 

[X] multiple, mutually exclusive [X]'s will exist 

(A) private rfc-1918 address spaces that do not conflict with other
client networks in the same (A) -- we hope! we are limited to 14 client
nets behind (B) if we nat each one with a separate address.

(B) -NATs each client network in (A) with its own address from (C) 
    -large squid to hopefully economize (C) bandwidth 

(C) an expensive link out of our administrative control. we get a
rfc-1918 /28 for each [X]. 2^4-2=14 usable addresses.

(D) -large parent squid cache for BW-Linux-1
-iptables passes pkt hdrs to ulogd and we save portions to mysql 
-summary traffic accounting for each (A) -- how much and where for
http, ftp, etc.

questions: 

it would be desirable if (D) could collect all traffic data for
bandwidth usage graphs, etc., however, due to natting and squid,
ascertaining what a specific host did in (A) seems unlikely.

does anyone know of a connection tracking mechanism (x-forwarded-for, or
other) such that (D) could know what a specific host in (A) did?

when a network in (A) exceeds its bandwidth quota, it will require (or
would be best) that both BW-Linux-1 and BW-Linux-2 act in a
cooperative manner limiting its bandwidth. is there an existing
mechanism to have tc perform changes cooperatively on (B) and (D)? 

does anyone have experience with the quota patch in iptables and jumping
to a userspace target to instigate tc commands? i'm thinking about
trying to develop a program that would allow (B) and (D) to synchronize
their tc policy simultaneously ...

Many, Many Sincere Thanks 


Charles Shick 


Re: [LARTC] HTB doesn't respect rate values

2003-07-07 Thread [EMAIL PROTECTED]
Original Message:
-
From: Sergiusz Brzeziński [EMAIL PROTECTED]
Well, it helped in 80%. Why only in 80? I repeated my test with SFQ and:
- it worked better than before, there were long time periods 
(15-20sec.) with right rate-values

I didn't follow this thread from the beginning, sorry if I didn't solve the
problem. From your last post to this list I assumed you have set correct
rate values for each class, but the distribution is still unfair. Am I right?

When I first applied HTB for my bandwidth manager I ran into the same
problem. When my users in one class start to open several TCP streams,
perhaps you can see such in Kazaa, DAP, FlashGET, these can consume high
bandwidth. Also they opened several TCP streams to the same destination
host. The fact is that class gets a high rate while the other class suffers.

I applied HTB with SFQ as leaf qdisc. I played with the quantum values and
it started to work well.
Try it..

Regards,
Rio Martin.

mail2web - Check your email from the web at
http://mail2web.com/ .




RE: [LARTC] Limiting bandwidth usage - where to begin

2003-07-06 Thread [EMAIL PROTECTED]
On squid, bandwidth limiting is based on delay pools.
And it is unable to burst, CMIIW. If you want your users to get the maximum rate
when the others are idle, use HTB.. They would be shaped at the minimum rate
when the others request more bandwidth.

I am using HTB with SFQ as leaf, and so far my bandwidth management is running
fine and all the users I manage are so happy with the new system I applied.

But I have one small problem that I might need solutions from the list for..
My connection to the ISP is not clear-channel quality. They applied a burstable
rate for me also.
So how do I set HTB to follow the total bandwidth allocated by my ISP to my
backbone?

Regards,
Rio Martin.


Original Message:
-
From: Aqil [EMAIL PROTECTED]
Date: Mon, 7 Jul 2003 05:21:16 +0200 (CEST)
To: [EMAIL PROTECTED]
Subject: [LARTC] Limiting bandwidth usage - where to begin

Hi,
I am very new in this list..
I want each of my internet users to be limited in
his/her usage of bandwidth. The limitation will be
done in my squid (linux) box, as they all have to be
authenticated by squid before going to the internet
jungle..
Then anybody here could tell me where to begin to do
such thing ?
Any idea/solution would be very appreciated
TIA
regards,
aqil


[LARTC] HTB burstable for 2 interface , how ?

2003-07-03 Thread [EMAIL PROTECTED]
Dear folks,
Here goes my bandwidth manager:

            INTERNET
               |
               | eth0 202.14.41.1
           BW.Manager
             |   |
             |   +-- eth1 192.168.1.0/24
             |
             +------ eth2 192.168.2.0/24

Total incoming bandwidth to eth0 is 1024kbps and
should be shared between eth1 and eth2, which means each gets 512Kbps and is
burstable to 1024Kbps if the other host is idle.

My question is how do I apply HTB to this situation?
As far as I know eth1 and eth2 should be defined as parents and cannot be
children.

Regards,
Rio Martin.


Re: [LARTC] HTB burstable for 2 interface , how ?

2003-07-03 Thread [EMAIL PROTECTED]
It won't work..
eth0 is only for public IP traffic. It won't handle private network traffic.
Traffic to the private networks can be managed through eth1 & eth2

I guess the answer is IMQ .. i'll try ..
Documentation please, or perhaps docum.org already have documentation
regarding IMQ ?

Regards,
Rio Martin.


Original Message:
-
From:  ? [EMAIL PROTECTED]

Well this can be done easily.
You have to define a class having rate and ceiling 1024 kbps (kilobytes;
if you want kilobits make it kbit) in order not to exceed this limit.
Then you have to create two subclasses for the two networks having
rate 512 and ceiling 1024. Then you must make the appropriate filters
that will classify the traffic into the right flows.
All this for eth0.
So when 192.168.1.0 is idle 192.168.2.0 will allocate all the 1024
kbps bandwidth but when both have traffic they will take 512 each.


[LARTC] What happened if the parent rate lower than children ?

2003-07-03 Thread [EMAIL PROTECTED]
Dear folks,
finally I found something weird after I foolishly tried to lower the parent rate.

I set the parent class rate and ceil to 40kbit
while the children rate I set to 10kbit and ceil to 100kbit

I checked the statistics and I couldn't find the parent details and rate, missing..
is this usual? Before I did this foolish thing, statistics for the parent such
as rate existed..

Help me analyze this ..

Regards,
Rio Martin.
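The two HTB questions above, the shared 1024 kbit/s uplink with two 512 kbit/s children that may each borrow the whole link, and the follow-up where the parent's rate and ceil were set below the children's ceil, are the kind of tree that is worth checking before feeding it to tc. The Python below is an added example, not code from the list or from HTB: it encodes the conventions the replies rely on (children's rates should not add up to more than the parent's rate, a child's ceil should not exceed its parent's ceil) plus the quantum HTB derives for a leaf as rate in bytes divided by r2q, which it warns about outside 1000..200000 bytes and which the earlier "played with the quantum values" remark refers to. It then emits the corresponding tc commands, with an SFQ under each leaf; device name, class ids and the `default` minor are assumptions.

```python
"""Sanity checks for an HTB class tree, plus the tc commands that build it.

Added example, not code from the list posts or from HTB. It encodes the
conventions the posts above lean on: children's rates should not add up to
more than the parent's rate, a child's ceil should not exceed its parent's
ceil, and a leaf's quantum is rate_in_bytes / r2q (r2q defaults to 10),
which HTB warns about when it falls outside 1000..200000 bytes.
"""
from dataclasses import dataclass, field
from typing import List, Optional

R2Q_DEFAULT = 10
QUANTUM_MIN, QUANTUM_MAX = 1000, 200000


@dataclass
class HtbClass:
    classid: str                   # "major:minor", e.g. "1:10"
    rate: int                      # guaranteed rate, bits/s
    ceil: Optional[int] = None     # borrowing limit, bits/s; defaults to rate
    prio: int = 0
    children: List["HtbClass"] = field(default_factory=list)

    def __post_init__(self):
        if self.ceil is None:
            self.ceil = self.rate


def kbit(n: int) -> int:
    """Kilobits/s (decimal), the way tcng and current tc read 'kbit'."""
    return n * 1000


def tc_rate(bits: int) -> str:
    """tc spelling that no version misreads: bytes/s with a bare 'bps'."""
    return f"{bits // 8}bps" if bits % 8 == 0 else f"{bits}bit"


def check_tree(cls: HtbClass, parent: Optional[HtbClass] = None,
               r2q: int = R2Q_DEFAULT, problems: Optional[List[str]] = None) -> List[str]:
    """Return the list of problems found (empty when the tree looks sane)."""
    problems = [] if problems is None else problems
    if cls.ceil < cls.rate:
        problems.append(f"{cls.classid}: ceil {cls.ceil} is below rate {cls.rate}")
    if parent is not None and cls.ceil > parent.ceil:
        problems.append(f"{cls.classid}: ceil {cls.ceil} exceeds parent ceil {parent.ceil}")
    if cls.children:
        total = sum(c.rate for c in cls.children)
        if total > cls.rate:
            problems.append(f"{cls.classid}: children rates sum to {total}, above the "
                            f"parent rate {cls.rate}; the guarantees cannot all hold")
        for child in cls.children:
            check_tree(child, cls, r2q, problems)
    else:
        quantum = (cls.rate // 8) // r2q
        if quantum < QUANTUM_MIN:
            problems.append(f"{cls.classid}: quantum {quantum} is small, lower r2q or set quantum")
        elif quantum > QUANTUM_MAX:
            problems.append(f"{cls.classid}: quantum {quantum} is big, raise r2q or set quantum")
    return problems


def tc_commands(dev: str, root: HtbClass, default_minor: Optional[int] = None,
                r2q: int = R2Q_DEFAULT) -> List[str]:
    """tc invocations for the tree on `dev`, with an SFQ under every leaf."""
    major = root.classid.split(":")[0]
    qdisc = f"tc qdisc add dev {dev} root handle {major}: htb"
    if default_minor is not None:
        qdisc += f" default {default_minor}"
    if r2q != R2Q_DEFAULT:
        qdisc += f" r2q {r2q}"
    cmds = [qdisc]

    def walk(cls: HtbClass, parent_id: str) -> None:
        cmds.append(f"tc class add dev {dev} parent {parent_id} classid {cls.classid} "
                    f"htb rate {tc_rate(cls.rate)} ceil {tc_rate(cls.ceil)} prio {cls.prio}")
        if cls.children:
            for child in cls.children:
                walk(child, cls.classid)
        else:
            minor = cls.classid.split(":")[1]
            cmds.append(f"tc qdisc add dev {dev} parent {cls.classid} handle {minor}: sfq perturb 10")

    walk(root, f"{major}:")
    return cmds


def shared_uplink_tree() -> HtbClass:
    """1024 kbit/s shared by two networks: 512 each, either may borrow up to 1024."""
    return HtbClass("1:1", kbit(1024), children=[
        HtbClass("1:10", kbit(512), ceil=kbit(1024), prio=1),   # 192.168.1.0/24
        HtbClass("1:20", kbit(512), ceil=kbit(1024), prio=1),   # 192.168.2.0/24
    ])


def parent_below_children_tree() -> HtbClass:
    """The follow-up post: parent rate and ceil 40kbit, children ceil 100kbit."""
    return HtbClass("1:1", kbit(40), children=[
        HtbClass("1:10", kbit(10), ceil=kbit(100)),
        HtbClass("1:20", kbit(10), ceil=kbit(100)),
    ])


if __name__ == "__main__":
    for tree in (shared_uplink_tree(), parent_below_children_tree()):
        print("\n".join(check_tree(tree) or ["no problems"]))
        print("\n".join(tc_commands("eth0", tree, default_minor=20)), end="\n\n")
```

For the shared uplink the checker is silent and the emitted commands express the borrowing in `ceil`; for the 40 kbit parent it flags both children's ceil as exceeding the parent's and both leaves' quantum as small, which is the combination the follow-up post was puzzled by.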


[LARTC] Unknown qdisc "htb", hence option "default" is unparsable

2003-06-26 Thread [EMAIL PROTECTED]
Dear all,
I tried to re-compile iproute2 from
ftp://ftp.inr.ac.ru/ip-routing/iproute2-2.4.7-now-ss010824.tar.gz
But still htb is unknown ..

Regards,
Rio Martin.


RE: [LARTC] Linux router and Bandwidth control

2003-06-25 Thread [EMAIL PROTECTED]
If you put your friends behind NAT (private IPs), no problem ..
They have webservers; all you have to do is forward packets going to port 80
to private-ip:80
Furthermore read the iptables HOWTO

Regards,
Rio Martin.



Original Message:
-
From: Joe [EMAIL PROTECTED]
Date: Wed, 25 Jun 2003 17:51:51 +0530
To: [EMAIL PROTECTED]
Subject: [LARTC] Linux router and Bandwidth control


Hello All,

I have a 1.5Mbit backbone connection with 16 public IP addresses.

I would like to share my connection with some other friends of mine who will
have public IP addresses.

So I wanted to configure a Linux router with bandwidth control for my friends'
connections.

Actually I tried with a single interface in Linux and CBQ but it does not
control.

I should not use NAT as my friends are running web servers.

Is it possible to configure this in Linux, or some links on configuring this?

Advance thanks
Joe


Re: [LARTC] Linux router and Bandwidth control

2003-06-25 Thread [EMAIL PROTECTED]
Hi all,
About servers in a private network, could you all mention good points why
servers should be put in a private network? I must write down some reports
about these, because this week I have a new job maintaining a new
organisation that still puts their servers in a public IP range. I've just
moved several servers like mailserver, dns, web to the private network. And soon
all servers will be moved to the private network.

Thanks.
Regards,

Rio Martin.




Original Message:
-
From: Leigh Waldie [EMAIL PROTECTED]
Date: Wed, 25 Jun 2003 16:42:26 +0100 (BST)
To: [EMAIL PROTECTED]
Subject: Re: [LARTC] Linux router and Bandwidth control

 Hi Joe,

 I see no real reason giving the servers real IP addresses, you're better
 keeping the NAT and forward the ports to the private address.
 If you have more than one mail server, you can map different public IP
 addresses
 to a different private address. this will also keep your servers safe...


Agreed this is of course the best way to secure lots of servers.

And if you like the look of wrr as a qdisc,

(and it does seem to have some very advanced features -
  such as the ability to spot large downloads and
  automatically decrease the available bandwidth for that
  connection for the duration of the download -
  although I could be wrong in my understanding of this) ,

then you can still use this qdisc with a NATing router,
so have a look at their site anyway.

The suggestion of a bridge was intended as a simple no fuss
solution which can easily be bypassed in times of need -
such as component failure - by simply taking the cable out
of the bridge and plopping it straight back in the router.

I was of course assuming that your friends would take
care of their own security, thus removing the burden of you
even telling them about the traffic shaping as well as
preventing you from having to manage all their port forwarding
requirements.

I'm sure the whole business of traffic shaping is far too
complicated for any one answer to be correct even one percent
of the time so I accept that this answer may be useless for you.

Good luck!

Leigh


[LARTC] FW: Weird! HTB does not work with my new box..

2003-06-24 Thread [EMAIL PROTECTED]
Folks,
I tried to implement HTB in Slackware Linux 9.0 
this is what happened:

Unknown qdisc "htb", hence option "default" is unparsable
**HTB: failed to set root qdisc on eth0!
[EMAIL PROTECTED]:/etc/sysconfig/htb# lsmod
Module  Size  Used byNot tainted
sch_htb21120   0  (unused)
cls_route   5560   0  (unused)
cls_u32 5724   0  (unused)
cls_fw  3480   0  (unused)
sch_sfq 3520   0  (unused)

this is weird isn't it? all modules needed for HTB exist but the error message
says something about an unknown qdisc..

Regards,
Rio Martin.


Re: [LARTC] Artificial latency

2003-06-08 Thread [EMAIL PROTECTED]
hi ryan,

i had asked a similar question a while back, and stef recommended the
following:


http://snad.ncsl.nist.gov/itg/nistnet


make sure to read the faq!

cheers

charles


On Sun, 2003-06-08 at 01:19, Ryan Agler wrote:
 I have a situation where I would like to introduce an artificial delay of
 100 milliseconds to incoming UDP traffic to a particular client.  Here is my
 setup:
 
                     +-------+      +-------------+
                     | Linux |      |             |
   'Internet'---eth1 |  NAT  | eth0==| 192.168.1.4 |
                     |       |      |             |
                     +-------+      +-------------+
 
 Note I'm not looking to restrict the RATE or SPEED at all, just to add a
 DELAY, and only to incoming UDP packets coming in from the Internet destined
 for 192.168.1.4.  I have kernel 2.4.20 with all the latest and greatest tc,
 htb patches, etc.
 
 Can anyone help??
 
 Thanks much,
  +Ryan


[LARTC] Can I Classify Non-IP Traffic?

2003-01-02 Thread [EMAIL PROTECTED]
Background: Thanks to the LARTC howto, this list and Stef Coene's and
devik's excellent web sites I now have an ethernet bridge (patch
bridge-nf.0.0.7)  happily prioritising traffic (12Mbit) into 10 queues
(9 for IP and 1 for non-IP) using a combination of  iptables (fwmark)
and htb3 and sfq. Many thanks.

At the moment I'm filtering all non-IP traffic by setting the default
queue on the htb root qdisc to my non-IP class and having my last rule
in iptables (POSTROUTING) mark all IP packets such that htb places
these packets into my lowest priority IP queue (note this is different
from the default).

My question is: can I classify the non-IP traffic? Ideally I'd like to be
able to create a queue for IPX traffic. I know the tc filter command has a
protocol statement but I can't find any information about setting this
to anything but ip or ipv6.

Griff