Re: [LARTC] List fault?

2011-05-04 Thread Alexander Samad
Yes, agree, affirmative, aye

On Thu, May 5, 2011 at 12:10 PM, Russell Stuart
 wrote:
> On Wed, 2011-05-04 at 13:06 -0500, Grant Taylor wrote:
>> Seeing that now messages seem to be flowing in a timely manner, I'd
>> suggest that we give this list a week to a month probation to see if
>> it has straightened up its act. I'd also like a comment from the list
>> maintainer or a moderator in his / her stead.
>
> The argument against that is it is well nigh impossible to move the list
> if the list dies again, and we all lose contact with each other.  We
> can only move the list while we are a coordinated group, and the only
> means we have of coordinating is this list.  Dying again soon seems
> likely.  I don't know why the list burst into life this time around, but
> it has happened several times before only to die again a short while
> later.
>
> I, like others, think the list and its associated HOWTO is a pretty
> important resource.  It would be nice to rescue it while we have the
> chance.
>
>> I'd also like a comment from the list maintainer or a moderator in
>> his / her stead.
>
> This person would be very handy if they pop up, but I would not be
> waiting around for them.
>
> The current problem we have is a social one.  We are a highly technical
> group.  Just about any of us could run a list server.  I imagine most
> of us have the resources to do so.  So the problem isn't running the
> server.  It is organising ourselves so the list can be maintained
> over decades as participants come and go.  Having one person in charge,
> running a domain name owned by them or on hardware owned by them is not
> a good way to go.
>
> So Radu your offer to set up the list is great - but since it just
> replicates the situation we are in now I don't think it or similar
> offers are such a good idea.
>
> A list on vger.kernel.org does seem like a workable solution.  A large
> third party provider such as google groups, yahoo groups, github,
> sourceforge or savannah may be an even better solution as they would be
> just as reliable, and they provide a web page where we could collaborate
> on things like HOWTOs.  We would just have to organise among
> ourselves governance of the list properly.
>
> Normally I'd suggest we explore these other alternatives.  But we don't
> know when the axe will fall again.  The chief attraction of
> vger.kernel.org seems to be we don't have to organise governance - we
> just hand it over to davem and matti (vger's admins).  So there is no
> mucking around with internal politics - one or more of us just ask them
> to set up the list.
>
> So who is in favour of doing this ASAP - like within the next few weeks
> or so?  If you respond to this email, we can use the archived responses
> as proof to vger.kernel.org's admins there is sufficient interest to
> make it there worth their while.
>
>> However I think that this list (LARTC) is well known and documented all
>> over the place.  So even if we migrate elsewhere, there will still be
>> people that stumble on to this list.
>
> Yes, but there is nothing we can do about that.  Stumbling over a dead
> list is not useful, regardless of how easy it is to find.  A working
> list is what we need, and that should be our first priority.
>
> If the person who owns lartc@mailman.ds9a.nl pops up then we can do
> other things that ameliorate the "stumble over this list" problem - things
> like putting in email redirects, putting notices on web pages and so on.
> But such things are just icing on the cake.  We should not wait to see
> whether we can do it.  Just move the list, and organise the icing later
> if we can.
>
> ___
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>


Re: [LARTC] private to public IP

2006-07-02 Thread Alexander Samad
On Sun, Jul 02, 2006 at 02:33:02PM +0300, Wennie V. Lagmay wrote:
> Hi all,
> I want to create a log on iptables wherein to store and to identify which
> private IP is connected on public IP on a certain date and time. Can you
> help me on this?

tcpdump
> 
> Thanks,
> 
> Wennie 
> 


Re: [LARTC] Linux router performance

2006-05-31 Thread Alexander Samad
On Thu, Jun 01, 2006 at 04:03:29AM +0200, Carl-Daniel Hailfinger wrote:
> Alexander Samad wrote:
> > On Thu, Jun 01, 2006 at 02:44:57AM +0200, Carl-Daniel Hailfinger wrote:
> >> Damjan wrote:
> >>>>> I wonder about the performance of a Linux box used as router (I guess
> >>>>> I'm not the first :). Although I know it mainly depends on the hardware,
> >>>>> I'm trying to find some references on the topic or comparisons with other
> >>>>> routing solutions (FreeBSD box used as router, Cisco, etc). For example,
> >>>>> http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf
> >>>>> (although it is related to Linux-bridging more than to Linux-routing)
> >>>>> shows in Figure 14 that with an AMD Duron 1.3GHz 512M RAM a throughput
> >>>>> of 90 Mbps can be achieved.
> >>>> On an AMD Athlon64 3200+ (2 GHz) I was able to saturate 2 PCI-Express
> >>>> gigabit cards (but that was with 1500 byte packets). Never tried more
> >>>> although the box has 6 interfaces capable of gigabit, 4 of them attached
> >>>> via PCI-Express.
> >>> But that's _only_ 8 packets/s isn't it.
> >> Hm. How do you arrive at that result? I get twice the numbers.
> >> nic a: 1 gbit in -> nic b: 1 gbit out
> >> nic b: 1 gbit in -> nic a: 1 gbit out
> >> total 2 gbit
> >> 2 gbit /(1500*8 bit/frame) ~ 160k packets/s
> >>
> >> Please note that I did not test with smaller frame sizes, so 1Mp/s
> >> may be possible (I'll test that if I have some spare time).
> > 
> > what if you test inbound and outbound at the same time - the cards
> > should be capable of full duplex ?
> 
> I tested 1 gbit in and 1 gbit out per nic at the same time. That's
> how I arrived at my results.
Sorry, I might be being very dense on this, but 2 nics, 1G in and out,
shouldn't that be
4gbit / (1500*8 bit/frame) ~ 320k packets/s

My presumption is that the nic can send and receive at the same time

> 
> Regards,
> Carl-Daniel
> -- 
> http://www.hailfinger.org/


Re: [LARTC] Linux router performance

2006-05-31 Thread Alexander Samad
On Thu, Jun 01, 2006 at 02:44:57AM +0200, Carl-Daniel Hailfinger wrote:
> Damjan wrote:
> >>> I wonder about the performance of a Linux box used as router (I guess I'm
> >>> not the first :). Although I know it mainly depends on the hardware, I'm
> >>> trying to find some references on the topic or comparisons with other
> >>> routing solutions (FreeBSD box used as router, Cisco, etc). For example,
> >>> http://facweb.cti.depaul.edu/jyu/Publications/Yu-Linux-TSM2004.pdf
> >>> (although it is related to Linux-bridging more than to Linux-routing)
> >>> shows in Figure 14 that with an AMD Duron 1.3GHz 512M RAM a throughput
> >>> of 90 Mbps can be achieved.
> >> On an AMD Athlon64 3200+ (2 GHz) I was able to saturate 2 PCI-Express
> >> gigabit cards (but that was with 1500 byte packets). Never tried more
> >> although the box has 6 interfaces capable of gigabit, 4 of them attached
> >> via PCI-Express.
> > 
> > But that's _only_ 8 packets/s isn't it.
> 
> Hm. How do you arrive at that result? I get twice the numbers.
> nic a: 1 gbit in -> nic b: 1 gbit out
> nic b: 1 gbit in -> nic a: 1 gbit out
> total 2 gbit
> 2 gbit /(1500*8 bit/frame) ~ 160k packets/s
> 
> Please note that I did not test with smaller frame sizes, so 1Mp/s
> may be possible (I'll test that if I have some spare time).

what if you test inbound and outbound at the same time - the cards
should be capable of full duplex ?
> 
> 
> Regards,
> Carl-Daniel
> -- 
> http://www.hailfinger.org/


Re: [LARTC] Multi default gateway and 2.4.30

2006-04-06 Thread Alexander Samad
On Fri, Apr 07, 2006 at 08:27:53AM +1000, Alexander Samad wrote:
> On Fri, Apr 07, 2006 at 08:04:18AM +1000, Alexander Samad wrote:
> > Hi
> > 
> > I have just moved my firewall from a 2.6 debian machine to a 2.4.30
> > openwrt (linksys wrt54gs) box.
> > 
> > I originally had this working with 2 isp, 1 cable 1 adsl and dyndns.
> > 
> > Now when i have moved to 2.4.30 I am having problems.  Everything else
> > is working fine except when I DNAT packets from the firewall to an
> > internal address, ie my web browser is inside so I DNAT from the
> > external IP  to the internal web server.
> > 
> > now I am getting time outs, upon investigation what is happening is that
> > packets are coming in, getting DNAT'ed, the web server is returning
> > them, they get un DNAT, but a new call to the routing table is made and
> > it seems to bypass the ip rules I have, all traffic that
> > terminates on the external IP is okay and doesn't suffer from the
> > problem.
> > 
> > I remember reading about patches for the iproute and the kernel but I
> > haven't kept up to date with those since I started using 2.6
> > 
> > Am i missing a patch ??
> > 
> > Thanks
> > 
> > 
> 
> Had another look through the archives, via google and found a thread
> about 2.4.29 and the fact that the default routes shouldn't be in the
> main table.
> 
> I have removed the default routes and placed them in the default table
> and things seem to be okay now.
> 
> Is this a known problem?

Oops, bumbling fingers typed the wrong addresses in tcpdump, makes no
difference. It is like ip ru is not being used after un-natting is
happening


> 
> 


Re: [LARTC] Multi default gateway and 2.4.30

2006-04-06 Thread Alexander Samad
On Fri, Apr 07, 2006 at 08:04:18AM +1000, Alexander Samad wrote:
> Hi
> 
> I have just moved my firewall from a 2.6 debian machine to a 2.4.30
> openwrt (linksys wrt54gs) box.
> 
> I originally had this working with 2 isp, 1 cable 1 adsl and dyndns.
> 
> Now when i have moved to 2.4.30 I am having problems.  Everything else
> is working fine except when I DNAT packets from the firewall to an
> internal address, ie my web browser is inside so I DNAT from the
> external IP  to the internal web server.
> 
> now I am getting time outs, upon investigation what is happening is that
> packets are coming in, getting DNAT'ed, the web server is returning
> them, they get un DNAT, but a new call to the routing table is made and
> it seems to bypass the ip rules I have, all traffic that
> terminates on the external IP is okay and doesn't suffer from the
> problem.
> 
> I remember reading about patches for the iproute and the kernel but I
> haven't kept up to date with those since I started using 2.6
> 
> Am i missing a patch ??
> 
> Thanks
> 
> 

Had another look through the archives, via google and found a thread
about 2.4.29 and the fact that the default routes shouldn't be in the
main table.

I have removed the default routes and placed them in the default table
and things seem to be okay now.

Is this a known problem?




[LARTC] Multi default gateway and 2.4.30

2006-04-06 Thread Alexander Samad
Hi

I have just moved my firewall from a 2.6 debian machine to a 2.4.30
openwrt (linksys wrt54gs) box.

I originally had this working with 2 isp, 1 cable 1 adsl and dyndns.

Now when i have moved to 2.4.30 I am having problems.  Everything else
is working fine except when I DNAT packets from the firewall to an
internal address, ie my web browser is inside so I DNAT from the
external IP  to the internal web server.

now I am getting time outs, upon investigation what is happening is that
packets are coming in, getting DNAT'ed, the web server is returning
them, they get un DNAT, but a new call to the routing table is made and
it seems to bypass the ip rules I have, all traffic that
terminates on the external IP is okay and doesn't suffer from the
problem.

I remember reading about patches for the iproute and the kernel but I
haven't kept up to date with those since I started using 2.6

Am i missing a patch ??

Thanks






Re: [LARTC] vpn multihoming

2006-03-26 Thread Alexander Samad
On Sun, Mar 26, 2006 at 12:57:10PM -0800, Marius M wrote:
> Hello all,
> 
> I have a linux router with 2 interfaces(eth0 - ISP and
> eth1 - LAN). I've established a VPN
> connection(openvpn) over eth0 with a friend of mine =>
> tun0 interface.
> 
> I want half of my LAN to have Internet access through
> the eth0 interface and the other half through the tun0
> interface.
> 
> I've set up a script like the "load balancing split
> access" instructions in the lartc howto, but it
> doesn't work. Here's the important part of the script:
> 
>   ip route add $P1_NET dev $IF1 src $IP1 table T1
>   ip route add default via $P1 table T1
>   ip route add $P2_NET dev $IF2 src $IP2 table T2
>   ip route add default via $P2 table T2
> 
>   ip route add $P1_NET dev $IF1 src $IP1
>   ip route add $P2_NET dev $IF2 src $IP2
> 
>   ip rule add from $IP1 table T1
>   ip rule add from $IP2 table T2
> 
> Note that ping works over the tunnel, over the
> subnets, but the users on my LAN can't have Internet
> connectivity through eth0 or tun0.
> 
> My firewall has only this rule:
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

You will need to use SNAT to the interface address.
Mail me offline if you want a copy of my scripts for setting up the
firewall and ip & tc

Alex

> I've changed eth0 with tun0 and it doesn't work either.
> 
> What can be done to fix this problem?
> 
> Thanks in advance,
> M.
> 
> 
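Added example, not part of the thread and not Alexander's scripts: a dry-run generator for the split Marius describes. An `ip rule add from $IP1` rule matches only packets that already carry the router's own address, so forwarded LAN traffic needs rules keyed on the LAN source ranges, and each uplink needs SNAT to the address of that interface. The /25 split, every address, the gateway and the table numbers are constructed assumptions.

```shell
#!/bin/sh
# Dry-run generator for a two-uplink split (constructed example).
# It only PRINTS commands; review the output, then pipe it to "sh -x"
# as root to apply it.

LAN_DEV="eth1"
LAN_NET="192.168.0.0/24"

# table  uplink-dev  gateway  uplink-address  LAN-range-using-this-uplink
# A gateway of "-" means a point-to-point device (tun/ppp): route by device.
# Every address here is a constructed placeholder.
UPLINKS="101 eth0 203.0.113.1 203.0.113.10 192.168.0.0/25
102 tun0 - 10.8.0.2 192.168.0.128/25"

gen_rules() {
    prio=1000
    while read -r table dev gw addr lan; do
        [ -n "$table" ] || continue

        # Each uplink table also needs the LAN route; without it, anything
        # the rules below send to this table would leave via the uplink
        # even when its destination is a LAN host.
        echo "ip route add $LAN_NET dev $LAN_DEV table $table"
        if [ "$gw" = "-" ]; then
            echo "ip route add default dev $dev table $table"
        else
            echo "ip route add default via $gw dev $dev table $table"
        fi

        # Router-originated traffic bound to the uplink address.
        echo "ip rule add from $addr table $table priority $prio"
        # Forwarded LAN traffic: routing runs before POSTROUTING, so the
        # packet still carries its private source address at this point.
        echo "ip rule add from $lan table $table priority $((prio + 1))"

        # Rewrite the source to the address of the interface actually used.
        echo "iptables -t nat -A POSTROUTING -s $lan -o $dev -j SNAT --to-source $addr"
        prio=$((prio + 10))
    done <<EOF
$UPLINKS
EOF
    echo "ip route flush cache"
}

gen_rules
```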


Re: [LARTC] Setting an alias as the "default" IP address, or something similar?

2006-01-23 Thread Alexander Samad
On Mon, Jan 23, 2006 at 05:49:02PM +1100, Carl Brewer wrote:
> Alexander Samad wrote:
> >On Mon, Jan 23, 2006 at 01:30:48PM +1100, Carl Brewer wrote:
> >>
> >>Hello,
> >>I've had a poke around through various linux routing documents,
> >>but haven't found what I think is an elegant solution to a
> >>routing issue I'm having with a hosting provider and RHEL ES 4 running
> >>in a VMware VM.
> >>
> >>Here's a diagram of the situation :
> >>
> >>
> >> Default route
> >> at provider      our host (A)
> >> 72.3.230.1/26    72.3.230.30/26        the VM (B)
> >>                  192.168.239.1/24  -  192.168.239.2/24
> >>                                       72.3.205.160/32
> >>
> >hi 
> >
> >maybe I am missing something but can't you just use this
> >
> >ip r a default via 192.168.239.1 src 72.3.205.160
> >
> >plus you might need this as well
> >ip r a 192.168.239.0/24 src 192.168.239.2
> 
> I just needed the first one, thank you.  That worked a treat.
> 
> Out of curiosity, I have that command currently in rc.local, but is
> there a better place to put it in the redhat startup sequence? Normally
> it'd do in /etc/sysconfig/network but I'm not sure of the possibility of
> putting that sort of thing in there?
Hi

Sorry not sure about redhat, but rc.local sounds like the place to put
it


> 
> 
> 
> -- 
> ===
> Vivitec Pty. Ltd.
> Suite 6, 51-55 City Rd.
> Southbank, 3006.
> Ph. +61 3 8626 5626
> Fax +61 3 9682 1000
> ===


Re: [LARTC] Setting an alias as the "default" IP address, or something similar?

2006-01-22 Thread Alexander Samad
On Mon, Jan 23, 2006 at 01:30:48PM +1100, Carl Brewer wrote:
> 
> 
> Hello,
> I've had a poke around through various linux routing documents,
> but haven't found what I think is an elegant solution to a
> routing issue I'm having with a hosting provider and RHEL ES 4 running
> in a VMware VM.
> 
> Here's a diagram of the situation :
> 
> 
>  Default route
>  at provider      our host (A)
>  72.3.230.1/26    72.3.230.30/26        the VM (B)
>                   192.168.239.1/24  -  192.168.239.2/24
>                                        72.3.205.160/32
> 
hi 

maybe I am missing something but can't you just use this

ip r a default via 192.168.239.1 src 72.3.205.160

plus you might need this as well
ip r a 192.168.239.0/24 src 192.168.239.2

You might want to look at bridging, the vm interface sort of becomes the
external interface and the vm nic driver keeps the traffic different

> 
> I need to have the 72.3.205.160 address be used by the
> linux box B in the VM as its default IP address - ie :
> when traffic goes out from it (originating) it needs
> to go out the 72.3.205.160/32 interface and then
> via the 192.168.239.2 to .1 (default route).
> 
> This setup is because the hosting vendor will only allocate
> us /32 addresses in addition to the base IP address they supply, which
> is fine if we run them as aliases on eth0 on our host, but doesn't work
> so well in a VM (you can't attach a route to a /32 that I'm
> aware of, if you can, I'd *love* to know how!)
> 
> Does anyone here have a suggestion for the neatest way to
> do this?  At present I have the 192.168 network and a static
> route on A pointing the 72.3 address via 192.168.239.2 as that
> seemed to be the easiest way to do it, and inbound traffic
> works fine, but I haven't found a way to make the box in the
> VM use the 72.3.205.160 address as its source when it originates
> traffic, so things like DNS queries etc don't work unless I
> also NAT outgoing traffic on A, which I'd prefer not to do unless
> there's no alternative.  Maybe a bridge between the two?  I don't
> really have a handle on the VMware bridge setup (it's VMware
> workstation 5.0 at the moment). so maybe it's something that
> would be better done in VMware, but I'd prefer to use a purely IP
> routing solution if possible so we're not tied to VMware (at some
> point I want to migrate this to xen or separate hardware).
> 
> Should I maybe use a tunnel?  I have no experience with tunneling, and
> not really sure of how it would solve the problem
> 
> 
> Any suggestions?
> 
> Thanks!
> 
> Carl
> 
> 
> 
> 
> -- 
> ===
> Vivitec Pty. Ltd.
> Suite 6, 51-55 City Rd.
> Southbank, 3006.
> Ph. +61 3 8626 5626
> Fax +61 3 9682 1000
> ===


Re: [LARTC] Re: Multi-path routing only using last nexthop in default route.

2006-01-17 Thread Alexander Samad
On Tue, Jan 17, 2006 at 04:53:06PM -0500, Jody Shumaker wrote:
> Does anyone have a confirmed to be working multipath setup? I'd like to see
> their route output and confirm that this really is an issue.  The issue
> might actually be something else and this output is expected? I'm just
> sticking on this because the order of nexthops is what changes the behavior,
> which seems wrong.

I think mine is working, because I see traffic heading out of the second
interface (ones that I know have originated from my box), plus when I check
the cache table there are entries for both interfaces.

just can't prove it right now 8(

A

> 
> Also, if I try retrieving paths from an internal address to an external, it
> will always use only the last nexthop.
> 
> # for x in $(seq 1 10); do ip route get 66.1.1.$x from 192.168.0.128 iif eth0; done
> 66.1.1.1 from 192.168.0.128 dev ppp0  src 192.168.0.1
> cache   mtu 1492 advmss 1452 metric10 64 iif eth0
> 66.1.1.2 from 192.168.0.128 dev ppp0  src 192.168.0.1
> cache   mtu 1492 advmss 1452 metric10 64 iif eth0
> etc.
> 
> I'm using 2.6.14-gentoo-r5 #4 SMP PREEMPT w/ julian's patches and iptables
> v1.3.4
> 
> - Jody
> 
> On 1/17/06, Alexander Samad <[EMAIL PROTECTED]> wrote:
> >
> > On Tue, Jan 17, 2006 at 12:37:48AM -0500, Jody Shumaker wrote:
> > > Yes, it just shows you what is in the cache, but I was specifying ip
> > > addresses that weren't in the cache yet. I also tried doing traceroutes
> > > from an internal pc, and those always ended up going over the 1 interface.
> > > I've also tried adjusting the weights to 1:1 and opening up numerous
> > > connections to multiple ftp's.
> > >
> > > Also for comparison, if I change the order of the nexthop's I'll instead
> > > get effectively the reverse.
> > >
> > > # ip route get 66.1.1.11
> > > 66.1.1.11 via 66.189.76.1 dev eth1  src 71.248.183.63
> > > cache  mtu 1500 advmss 1460 metric10 64
> > > # ip route get 66.1.1.12
> > > 66.1.1.12 via 66.189.76.1 dev eth1  src 66.189.76.198
> > > cache  mtu 1500 advmss 1460 metric10 64
> >
> > you're right, I tried it on my machine
> > for x in $(seq 1 10); do ip r g 1.1.1.$x; done
> > 1.1.1.1 via 220.233.1.45 dev ppp0  src 220.233.15.63
> > cache  mtu 1492 advmss 1452 metric 10 64
> > 1.1.1.2 via 220.233.1.45 dev ppp0  src 141.168.16.16
> > cache  mtu 1492 advmss 1452 metric 10 64
> > 1.1.1.3 via 220.233.1.45 dev ppp0  src 220.233.15.63
> > cache  mtu 1492 advmss 1452 metric 10 64
> > 1.1.1.4 via 220.233.1.45 dev ppp0  src 141.168.16.16
> > cache  mtu 1492 advmss 1452 metric 10 64
> > 1.1.1.5 via 220.233.1.45 dev ppp0  src 220.233.15.63
> > cache  mtu 1492 advmss 1452 metric 10 64
> > 1.1.1.6 via 220.233.1.45 dev ppp0  src 220.233.15.63
> > cache  mtu 1492 advmss 1452 metric 10 64
> > 1.1.1.7 via 220.233.1.45 dev ppp0  src 220.233.15.63
> > cache  mtu 1492 advmss 1452 metric 10 64
> > 1.1.1.8 via 220.233.1.45 dev ppp0  src 220.233.15.63
> > cache  mtu 1492 advmss 1452 metric 10 64
> > 1.1.1.9 via 220.233.1.45 dev ppp0  src 220.233.15.63
> > cache  mtu 1492 advmss 1452 metric 10 64
> > 1.1.1.10 via 220.233.1.45 dev ppp0  src 220.233.15.63
> > cache  mtu 1492 advmss 1452 metric 10 64
> >
> > just the src address is changing, I am pretty sure this used to work at
> > some point in time, i am using 2.6.14-1-smp, iptables v1.3.3
> >
> >
> >

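Added example, not part of the thread: a check over `ip route get` output such as the run quoted above, reporting lookups where the selected source address belongs to one uplink while the route leaves through another. The sample is the ten-lookup run from the thread; the address-to-device map passed in is an assumption based on the nexthop list posted elsewhere in this thread.

```shell
#!/bin/sh
# Usage on a live router (the map is whatever the admin expects):
#   for x in $(seq 1 10); do ip route get 1.1.1.$x; done |
#       check_route_get "141.168.16.16=eth0 220.233.15.63=ppp0"

# The ten-lookup run quoted in the thread, embedded so this runs offline.
sample_output() {
cat <<'EOF'
1.1.1.1 via 220.233.1.45 dev ppp0  src 220.233.15.63
    cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.2 via 220.233.1.45 dev ppp0  src 141.168.16.16
    cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.3 via 220.233.1.45 dev ppp0  src 220.233.15.63
    cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.4 via 220.233.1.45 dev ppp0  src 141.168.16.16
    cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.5 via 220.233.1.45 dev ppp0  src 220.233.15.63
    cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.6 via 220.233.1.45 dev ppp0  src 220.233.15.63
    cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.7 via 220.233.1.45 dev ppp0  src 220.233.15.63
    cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.8 via 220.233.1.45 dev ppp0  src 220.233.15.63
    cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.9 via 220.233.1.45 dev ppp0  src 220.233.15.63
    cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.10 via 220.233.1.45 dev ppp0  src 220.233.15.63
    cache  mtu 1492 advmss 1452 metric 10 64
EOF
}

# $1: space-separated "address=device" pairs (assumed mapping).
# Reads "ip route get" output on stdin. Prints one line per lookup whose
# source address is expected on a different device, then a summary line.
check_route_get() {
    awk -v expect="$1" '
    BEGIN {
        n = split(expect, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            want[kv[1]] = kv[2]
        }
    }
    # Result lines start with the destination; "cache ..." lines are skipped.
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        dev = ""; src = ""
        for (i = 2; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "src") src = $(i + 1)
        }
        if (dev == "" || src == "") next
        lookups++
        if (!(dev in devs)) { devs[dev] = 1; ndev++ }
        if (!(src in srcs)) { srcs[src] = 1; nsrc++ }
        # A packet sourced from one uplink address but sent out the other
        # uplink is typically dropped by provider source-address filtering.
        if ((src in want) && want[src] != dev) {
            bad++
            printf "%s: src %s belongs on %s but leaves via %s\n", $1, src, want[src], dev
        }
    }
    END {
        printf "lookups=%d devs=%d srcs=%d mismatched=%d\n", lookups, ndev, nsrc, bad
    }'
}

sample_output | check_route_get "141.168.16.16=eth0 220.233.15.63=ppp0"
```

A result with `devs=1` and `srcs` greater than 1 is the symptom discussed in the thread: the source address alternates while the egress device does not.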


Re: [LARTC] Re: Multi-path routing only using last nexthop in default route.

2006-01-17 Thread Alexander Samad
On Tue, Jan 17, 2006 at 12:37:48AM -0500, Jody Shumaker wrote:
> Yes, it just shows you what is in the cache, but I was specifying ip
> addresses that weren't in the cache yet. I also tried doing traceroutes from
> an internal pc, and those always ended up going over the 1 interface. I've
> also tried adjusting the weights to 1:1 and opening up numerous connections
> to multiple ftp's.
> 
> Also for comparison, if I change the order of the nexthop's I'll instead get
> effectively the reverse.
> 
> # ip route get 66.1.1.11
> 66.1.1.11 via 66.189.76.1 dev eth1  src 71.248.183.63
> cache  mtu 1500 advmss 1460 metric10 64
> # ip route get 66.1.1.12
> 66.1.1.12 via 66.189.76.1 dev eth1  src 66.189.76.198
> cache  mtu 1500 advmss 1460 metric10 64

you're right, I tried it on my machine
for x in $(seq 1 10); do ip r g 1.1.1.$x; done
1.1.1.1 via 220.233.1.45 dev ppp0  src 220.233.15.63 
cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.2 via 220.233.1.45 dev ppp0  src 141.168.16.16 
cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.3 via 220.233.1.45 dev ppp0  src 220.233.15.63 
cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.4 via 220.233.1.45 dev ppp0  src 141.168.16.16 
cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.5 via 220.233.1.45 dev ppp0  src 220.233.15.63 
cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.6 via 220.233.1.45 dev ppp0  src 220.233.15.63 
cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.7 via 220.233.1.45 dev ppp0  src 220.233.15.63 
cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.8 via 220.233.1.45 dev ppp0  src 220.233.15.63 
cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.9 via 220.233.1.45 dev ppp0  src 220.233.15.63 
cache  mtu 1492 advmss 1452 metric 10 64
1.1.1.10 via 220.233.1.45 dev ppp0  src 220.233.15.63 
cache  mtu 1492 advmss 1452 metric 10 64

just the src address is changing, I am pretty sure this used to work at
some point in time, i am using 2.6.14-1-smp, iptables v1.3.3

> 
> It always is pointing to dev eth1 while with the reverse order it was ppp0.
> All this by only changing the order of the nexthops. I went through and
> double checked that I did apply julian's patches to the kernel source I last
> built with.
> 
> - Jody
> 
> On 1/16/06, Alexander Samad <[EMAIL PROTECTED]> wrote:
> >
> > On Mon, Jan 16, 2006 at 08:59:32PM -0500, Jody Shumaker wrote:
> > > I found that for ppp devices, i should only define the next  hop with the
> > > dev, not a via.  However this still didn't fix my problem, but I've
> > > narrowed down my problem a little further.
> > >
> > > # ip route get 66.189.123.136
> > > 66.189.123.136 dev ppp0  src 71.248.183.244
> > > cache  mtu 1492 advmss 1452 metric10 64
> > > # ip route get 66.189.123.137
> > > 66.189.123.137 dev ppp0  src 66.189.76.198
> > > cache  mtu 1492 advmss 1452 metric10 64
> >
> > doesn't the second ip r g just show you what you have in the route cache,
> > when I try it on my multi home machine
> >
> > default  metric 5
> > nexthop via 141.168.16.1  dev eth0 weight 3
> > nexthop via 220.233.1.45  dev ppp0 weight 4
> >
> > but this might be because I don't have the round-robin patch applied to
> > the kernel.
> >
> >
> > >
> > > It does properly do a 5:1 round robin choice , but only the src changes,
> > > not the dev.  The above I believe should really have outputted for the
> > > second route:
> > > 66.189.123.137 dev eth1  src 66.189.76.198
> > > cache  mtu 1492 advmss 1452 metric10 64
> > >
> > > I'm not sure what is wrong with my config, as I've gone over and over
> > > it. My best guess is that something is wrong in the kernel I compiled
> > > with the patches.
> > >
> > > # ip rule show
> > > 0:  from all lookup local
> > > 50: from all lookup main
> > > 201:from 71.248.183.244 lookup 201
> > > 202:from 66.189.76.198/22 lookup 202
> > > 221:from all lookup 221
> > > 32766:  from all lookup main
> > > 32767:  from all lookup default
> > >
> > > # ip route show table main
> > > 10.9.44.15 dev ppp0  proto kernel  scope link  src 71.248.183.244
> > > 192.168.100.0/24 dev eth1  proto kernel  scope link  src 192.168.100.2
> > > 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
> > > 66.189.76.0/22 dev eth1  proto kernel  scope link  src 66.189.76.198
> > > 127.0.0.0/8 dev lo  scope link
> > >
> > > # ip route show table 201
> > > defau

Re: [LARTC] Re: Multi-path routing only using last nexthop in default route.

2006-01-16 Thread Alexander Samad
On Mon, Jan 16, 2006 at 08:59:32PM -0500, Jody Shumaker wrote:
> I found that for ppp devices, i should only define the next  hop with the
> dev, not a via.  However this still didn't fix my problem, but I've narrowed
> down my problem a little further.
> 
> # ip route get 66.189.123.136
> 66.189.123.136 dev ppp0  src 71.248.183.244
> cache  mtu 1492 advmss 1452 metric10 64
> # ip route get 66.189.123.137
> 66.189.123.137 dev ppp0  src 66.189.76.198
> cache  mtu 1492 advmss 1452 metric10 64

doesn't the second ip r g just show you what you have in the route cache,
when I try it on my multi home machine

default  metric 5 
nexthop via 141.168.16.1  dev eth0 weight 3
nexthop via 220.233.1.45  dev ppp0 weight 4

but this might be because I don't have the round-robin patch applied to
the kernel.


> 
> It does properly do a 5:1 round robin choice , but only the src changes, not
> the dev.  The above I believe should really have outputted for the second
> route:
> 66.189.123.137 dev eth1  src 66.189.76.198
> cache  mtu 1492 advmss 1452 metric10 64
> 
> I'm not sure what is wrong with my config, as I've gone over and over it. My
> best guess is that something is wrong in the kernel I compiled with the
> patches.
> 
> # ip rule show
> 0:  from all lookup local
> 50: from all lookup main
> 201:from 71.248.183.244 lookup 201
> 202:from 66.189.76.198/22 lookup 202
> 221:from all lookup 221
> 32766:  from all lookup main
> 32767:  from all lookup default
> 
> # ip route show table main
> 10.9.44.15 dev ppp0  proto kernel  scope link  src 71.248.183.244
> 192.168.100.0/24 dev eth1  proto kernel  scope link  src 192.168.100.2
> 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
> 66.189.76.0/22 dev eth1  proto kernel  scope link  src 66.189.76.198
> 127.0.0.0/8 dev lo  scope link
> 
> # ip route show table 201
> default via 10.9.44.15 dev ppp0  proto static  src 71.248.183.244
> prohibit default  proto static  metric 1
> 
> # ip route show table 202
> default via 66.189.76.1 dev eth1  proto static  src 66.189.76.198
> prohibit default  proto static  metric 1
> 
> # ip route show table 221
> default  proto static
> nexthop via 66.189.76.1  dev eth1 weight 1
> nexthop dev ppp0 weight 5



[LARTC] multipath patches

2005-10-25 Thread Alexander Samad
Hi

Can anyone point me to any doco on the multipath patches that have been
added to the 2.6.13+?

There now seems to be modules multipath_cached multipath_random
multipath_rr etc

Thanks
A




Re: [LARTC] Multipath Routing..

2005-08-16 Thread Alexander Samad
On Tue, Aug 16, 2005 at 06:11:26AM +0200, Daniel Frederiksen wrote:
> Ok folks, here goes..
> 
> I have been boggling with a problem for the past week, and still haven't 
> found a solution..
> 
> I'm trying to route traffic from two providers through a Linux machine.
> But that is not the problem. The ISPs have provided me with a WAN IP
> class for both of the lines, to be routed into a DMZ where the machines
> are to respond to their respective designated WAN IP on both lines.
> Every machine on the DMZ has two IPs, one on each ISP WAN Class.
> 
> I think I'll better draw a map:
> 
> 
>   WAN1(eth2), WAN2(eth3)
>- (eth0)
>|   |-\ --
>|  DMZ  |---\  \/---|  ISP1  |-
>-\  \  /-- \
>  \  \/ \
>  -
>  |  Linux GW/FW  | WWW
>  -
>  /   \   (eth1)/
>-/ \-- /
>|  LAN  |---/   \---|  ISP2  |-
>-   --
>   NAT(eth4)
> 
> 
> The DMZ has two WAN IP classes routed from the ISP.
> 
> The thing I just can not figure out is how to make the respective WAN IP 
> from the DMZ route out the right ISP link, and the right request from 
> the ISP route into the DMZ.
> 
> .. and finally how can I make the LAN able to access it all..

you need to use ip ru

my ip ru looks like 
0:  from all lookup local 
200:from 141.168.16.16 lookup cable 
201:from 220.233.15.63 lookup adsl 
32766:  from all lookup main 
32767:  from all lookup default 

I created 200 and 201 which means that all traffic that came in on the
cable 141.168.16.16 will go out the cable

ip ro sh tab cable
192.168.11.0/24 dev br0  scope link 
192.168.10.0/24 dev eth3  scope link 
192.168.9.0/24 dev eth4  scope link 
default via 141.168.16.1 dev eth0  src 141.168.16.16  metric 30 


and the routing tab for the adsl uses the adsl as its default gw.

does that help ?


> 
> Thanks for your time..
> 
> /Daniel Frederiksen
> 


Re: [LARTC] IPTables script

2005-05-12 Thread Alexander Samad
On Thu, May 12, 2005 at 09:40:56AM +0200, Sylvain BERTRAND wrote:
> On Thu 12 May 2005 8:14, Lee Sanders wrote:
> > Hi All,
> >
> > I've been playing with QOS for a short while now and have worked out how
> > to do
> > what I want using HTB. Great queuing discipline btw.
> >
> > My problem is the tc filters I want to setup aren't working because
> > iptables is getting to the packets first and mangling the src address.
> >
> > The iptables script I am using is MonMotha's Firewall 2.3.8 and it
> > includes
> > lots of nice goodies like syn flood rate limiting. The extra bits like
> > this
> > are why I'm using it rather than figuring the iptables configuration out
> > myself.
> >
> > My network configuration is trivial, adsl router connected to linux box
> > connected to two networks, LAN and WLAN.
> >
> > I like having these iptables features but MonMotha's Firewall isn't
> > designed
> > with QOS in mind.
> >
> > My question for this list, is there a recommended iptables router script
> > that
> > everyone here uses designed with QOS in mind or have you all written your
> > own ?
> >
> > Thanks in Advance
> >
> > Lee
> >
> 
> Hi Lee,
> 
> Below is my script. It's inspired from LARTC, for the same configuration
> as you: home Linux router with DSL on eth1, masquerading traffic from
> LAN. The server is running a few services (http,mail,dns), and I want
> these services to have priority, and also the users must have priority for
> their mail & http over the default class. The traffic to/from the services
> not defined below goes to default class, which is fine (ftp, im, ...).
> Hope you can use it, though it's certainly not perfect.
> 
> Sylvain
> 

Sylvain

Q) Why do you do your matching in tc filter and not netfilter? Is one way
better than the other?

I started out doing it via filter and then moved to netfilter instead,
using mark.

Curious to hear what other people have done / do

Alex

> 
> #!/bin/bash
> 
> UPLINK_EXT=950  # outgoing DSL bandwidth, kbps
> DEV_EXT=eth1    # DSL link
> 
> # remove any existing root qdisc, ignoring errors
> tc qdisc del dev ${DEV_EXT} root 2> /dev/null > /dev/null
> 
> tc qdisc add dev ${DEV_EXT} root handle 1: htb default 20
> 
> # root class
> tc class add dev ${DEV_EXT} parent 1: classid 1:1 htb rate $[${UPLINK_EXT}]kbit prio 0
> # fast ( 80% )
> tc class add dev ${DEV_EXT} parent 1:1 classid 1:10 htb rate $[8*${UPLINK_EXT}/10]kbit ceil $[${UPLINK_EXT}]kbit burst 10k prio 1
> # slow ( 20% )
> tc class add dev ${DEV_EXT} parent 1:1 classid 1:20 htb rate $[2*${UPLINK_EXT}/10]kbit ceil $[8*${UPLINK_EXT}/10]kbit burst 2k prio 5
> 
> # stochastic fairness
> tc qdisc add dev ${DEV_EXT} parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev ${DEV_EXT} parent 1:20 handle 20: sfq perturb 10
> 
> # traffic with priority
> # CLIENT
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip dport 22 0xffff flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip dport 25 0xffff flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip dport 53 0xffff flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip dport 80 0xffff flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip dport 110 0xffff flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip dport 143 0xffff flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip dport 443 0xffff flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip dport 993 0xffff flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip dport 995 0xffff flowid 1:10
> # SERVER
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip sport 22 0xfffd flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip sport 25 0xfffd flowid 1:10
> tc filter add dev ${DEV_EXT} protocol ip parent 1: prio 4 u32 match ip dport 53 0xffff flowid 1:10
> 
> 


Re: [LARTC] Multiple Internet links - routing traffic to the correct one.

2005-05-11 Thread Alexander Samad
On Wed, May 11, 2005 at 08:00:30AM +0200, Hamish Whittal wrote:
> Hi all,
> I have the following configuration:
>  ___
>   ++/
>  diginet link ||   |
> +-+ Provider 1 +---
> __  | || /
> ___/  \_ +--+---+ ++|
>   _/\__(eth0)|  eth1 (stat) |  /
>  / \  254|  |  |
> | Local network -+ Linux router |  | Internet
>  \192.168.1.x __/|  |  |
>\__ __/   |   eth2 (dyn) |  \
>   \___/  +--+---+ ++|
>254| |ppp0 || \
> (eth3)| +-+ Telecomms  +---
>   |  adsl link|   ADSL |  |
>___  |   ++   \
>  _/   \__ |
>   __/\___ |
>  /   \+
> | Local Network  |
>  \__172.16.1.x__/
> \__   ___/
>\_/
> 
> In words:
> Two local LAN's (172.16.1.x) and (192.168.1.x). They service different
> parts of the organisation. The point is, the client does not want
> traffic from the 172.16.1.x network going over the ADSL link otherwise
> the cap will be reached in hours (literally). The Router is also the mail
> server, so mail is delivered to the eth1 interface via a static IP
> address (eth1 in the diagram) - it is a 196.xx.xx.xx address.
> The ADSL is not a static address - 165.146.yy.yy.
> The LAN interface from the 192.168.1.x network on the router is
> 192.168.1.254. The LAN interface on the other network is 172.16.1.254.
> The 10.x.x.x network is an IP I have assigned to the eth2 interface to
> ensure that I can still talk to my adsl router, but the ppp0 link is a
> pppoe connection to the telecomms provider.
> 
> So, with some assistance, I have set up the following:
> Table main:
> 165.146.128.1   dev ppp0 proto kernel scope link  src 165.146.yy.yy 
> 196.xx.xx.xx/nn dev eth1 proto kernel scope link  src 196.xx.xx.xx 
> 10.0.0.0/24 dev eth2 proto kernel scope link  src 10.0.0.254 
> 192.168.1.0/24  dev eth0 proto kernel scope link  src 192.168.1.254 
> default via 196.xx.xx.xx dev eth1
> (the default route here is going out through the diginet link -
> 196.xx.xx.xx in this table)
> 
> table adsl:
> 10.0.0.0/24 dev eth2  scope link 
> 192.168.1.0/24  dev eth0  scope link 
> 127.0.0.0/8 dev lo  scope link 
> default via 165.146.yy.yy dev ppp0
> 
> the rules:
> 0:  from all lookup local 
> 90: from all to 192.168.1.0/24 lookup main 
> 100:from 192.168.1.0/24 lookup adsl 
> 32766:  from all lookup main 
> 32767:  from all lookup default

You need to have another rule 

100:from {adsladdress}/32 lookup adsl 

because your packets are getting MASQ'd and then re-hitting the routing
table, which says route out the default link, which is actually the digi
link. Most ISPs don't allow asym routing of packets (i.e. will not allow
you to send a packet with a source address not in their address space);
it will probably still have the 172 address on it (not sure)

You should be able to confirm this by tcpdump'ing on eth1 


> 
> ip route add default via 165.146.yy.yy dev ppp0 table adsl
> Now here it croaks. When I add this route, the continuous ping to a host
> on the internet from a machine on the Local Network (192) stops, which
> tells me it cannot get out via the ADSL link. In order to check whether
> the ADSL was working, I tried swapping the routes around so that the
> default traffic uses to ADSL link, and this worked - so it's not a
> problem with the physical ADSL link to the Internet.
> 
> I have tested the following:
> 1) From a PC on the 192 net, I can ping the Telcomms ADSL gateway on the
> remote side (in my case, this is 165.146.128.1), but not further.
> 2) From the Linux router, I can ping to the 165.146.128.1 and beyond.
> 3) I know the firewall rules are not blocking traffic since I am logging
> any traffic that is blocked by the firewall and nothing is showing up in
> the logs.
> 
> My NAT firewall rules are as follows:
> 
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE 
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth1 -j SNAT --to-source
> 196.xx.xx.xx 
> 
> So, what's so hard about that! And yet, the minute I add a default route
> to the adsl table, things go pear shaped. Take that out, and the people
> on the LAN (192 net) can talk to everything on the Internet.
> 
> So, what am I doing wrong here? I hope this is sufficient information to
> assist me in my routing woes.
> Any help.yadda yadda.
> Cheers
> H
> 
> 

Re: [LARTC] Starting from scratch w/ multiple uplinks

2005-05-10 Thread Alexander Samad
On Tue, May 10, 2005 at 02:39:57PM +0200, Paulo Andre wrote:
> Markus Schulz wrote:
> > On Monday, 9 May 2005 16:05, Rafael A Barrero wrote:
> > 
> >>Hi guys;
> >>
> > 
> > [...]
> > 
> >>Here's what I want to know:
> >>1. Does an updated guide exist for multiple providers?
> > 
> > 
> > Look at this howto: http://www.ssi.bg/~ja/nano.txt
> > 
> > i've build based onto this howto a load balanced linux (kernel 2.6.11.8) 
> > system with two adsl 3mbit/512kbit devices and it works fine.
> > 
> Hi Markus,
> Can your solution allow incoming packets into your network from a link A
> ,return out of the link A without nat'ing? I have been trying to get
> this to work for a while and I am stumped.

If you always want that to be available via a certain route just place
static routes in place in all 3 tables

> 
> Paulo
> 


Re: [LARTC] Starting from scratch w/ multiple uplinks

2005-05-10 Thread Alexander Samad
On Tue, May 10, 2005 at 01:02:20PM +0200, Markus Feilner wrote:
> On Monday, 9 May 2005 17:58, Sylvain BERTRAND wrote:
> > On Mon 9 May 2005 17:14, Rafael A Barrero wrote:
> > > Hey;
> > >
> > > I guess I should have included that aspect : what I want to
> > > achieve.
> > >
> > > I'd ideally like to use the new (faster line) as the default line
> > > for traffic, but be able to use the old line just as often
> > > depending on usage of the new line. However, it wouldn't matter if
> > > traffic routed randomly either. If one of the two lines is down,
> > > obviously use the one that is up.
> >
> > Iproute allows you to route packets according to their iptable's MARK
> > field... you can randomly mark packets from new connections (with the
> > appropriate ratio for each link), and route on this criterion.
> >
> > You should have a script in /etc/ppp/if{up,down}.d/ that changes the
> > routes if one link goes {up,down}.
> 
> ACK. But how do you do the checking, if the link is down?
> Especially if you have a dsl router in a ethernet subnet.
> My subnet consists of three hosts, two of them are bintec routers who do 
> the dsl stuff. They are reachable, even if the DSL Line is gone.
> How would U check that?

I run pppoe on the box so have control over the session, or run a ping
outside, but my guess is that the linux box will dead route the route
when the adsl sends back an icmp net unreachable

> 
> >
> > > I just want to get the most out of both lines at the same time. My
> > > internal network has two services (http, imap) that need require
> > > port- forwarding from the router. Other than that the internal
> > > network is used for surfing the web, ssh, ftp, irc, p2p cients.
> >
> > Your services can listen on both interfaces, no problem with that...
> > you can have load balancing on those links with multiple DNS records
> > (though that's not a "good thing" (tm).
> >
> > Use the iptables MARK to use both at the same time, and the
> > appropriate iproute setup.
> >
> > > What about my questions regarding updated documentation for
> > > iproute2 (setting this all up)?
> >
> > I think the contents of LARTC are enough material for you (and of
> > course, man iproute, man iptables).
> >
> Of course, but there is a need for some comprehensive, easy to 
> understand HOWTO for non-techies... I guess.
> Especially when it comes to tc and tcng...
> 
> 
> >
> > For the record, I've never actually done this kind of setup, I'm just
> > thinking of what should be done to achieve those things. Somebody
> > correct me if this is just nonsense.
> >
> > Regards,
> >
> > Sylvain
> >
> 
> -- 
> With kind regards
> Markus Feilner
> ---
> Feilner IT Linux & GIS 
> Linux Solutions, Training, Seminars and Workshops - also in-house
> Beraiterweg 4 93047 Regensburg
> fon +49 941 9465243 fax +49 941 9465244 mobil + +49 170 3027092 
> mail [EMAIL PROTECTED] web http://www.feilner-it.net
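For the question in this thread of how to notice a dead DSL line when the router in front of it still answers, here is one way to do the "ping outside" check. It is an added example, not code from the thread. It assumes per-uplink `ip rule from <address>` rules are already in place so that `ping -I <address>` leaves through that uplink; the uplink values are borrowed from another post on this page, and `PROBE_TARGET` and the function names are the example's own.

```shell
#!/bin/sh
# Probe each uplink past its modem/router and print the default route that
# matches what is actually reachable. Prints the command; does not run it.

# name  dev  interface-address  gateway  weight
# (values borrowed from another post on this page; column layout is an assumption)
UPLINKS='cable eth0 141.168.16.16 141.168.16.1 4
adsl ppp0 60.240.81.237 202.7.162.89 2'

# A host beyond the ISP edge. 192.0.2.1 is a documentation placeholder:
# set PROBE_TARGET to something you are allowed to ping.
PROBE_TARGET=${PROBE_TARGET:-192.0.2.1}

# One echo request sourced from the uplink's own address. With a
# "from <address> lookup <table>" rule per uplink, the source address selects
# the uplink, so a reachable DSL router with a dead line still fails here.
probe() {  # arg: interface-address
    ping -c 1 -W 2 -I "$1" "$PROBE_TARGET" >/dev/null 2>&1 </dev/null
}

# Echo the inventory lines of the uplinks that answered (two attempts each,
# so a single lost packet does not pull a link out of the route).
live_uplinks() {
    printf '%s\n' "$UPLINKS" | while read -r name dev addr gw weight; do
        if probe "$addr" || probe "$addr"; then
            echo "$name $dev $addr $gw $weight"
        fi
    done
}

# Read live uplink lines on stdin and print the matching default route:
# multipath when several links are up, a plain default when one is,
# and nothing (exit status 1) when none answered.
default_route_cmd() {
    hops='' last='' n=0
    while read -r name dev addr gw weight; do
        hops="$hops nexthop via $gw dev $dev weight $weight"
        last="via $gw dev $dev"
        n=$((n + 1))
    done
    case $n in
        0) echo "no uplink answered; leaving the default route alone" >&2
           return 1 ;;
        1) echo "ip route replace default metric 5 $last" ;;
        *) echo "ip route replace default metric 5$hops" ;;
    esac
}

# Stand-alone use: sh uplink-check.sh --print   (from cron or an ip-up.d hook)
if [ "${1:-}" = "--print" ]; then
    live_uplinks | default_route_cmd
fi
```
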


Re: [LARTC] Starting from scratch w/ multiple uplinks

2005-05-09 Thread Alexander Samad
On Mon, May 09, 2005 at 04:06:12PM -0400, Brian J. Murrell wrote:
> On Mon, 2005-05-09 at 20:11 +0200, Markus Schulz wrote:
> > On Monday, 9 May 2005 16:05, Rafael A Barrero wrote:
> > > Hi guys;
> > >
> > [...]
> > > Here's what I want to know:
> > > 1. Does an updated guide exist for multiple providers?
> > 
> > Look at this howto: http://www.ssi.bg/~ja/nano.txt
> 
> Indeed, and herein contains the patches needed to a kernel for it to
> route packets with a given NATted source address out the right
> interface.  Not sure which patch(es) exactly in there do it if not all
> of them are really needed for just that functionality.

I haven't patched mine and it seems to work, using a debian 2.6.11-3
source package.

What I have done is set up a set of files in
/var/run/multigw{,.dev,.gw,.ip,.speed}; these are fed from scripts in
/etc/ppp/ip-{up.d,down.d}/adsl - this populates the files with valid
numbers when the line goes up or deletes the control file when going
down.  These scripts also run my multigw.sh, which sets up routes and ip
rules as well - it also sets up the SNAT rules as well. I have attached
the script



> 
> I sure wish this patch would get rolled into the main kernel.  I hate
> having to maintain umpteen kernels for different tasks.
> 
> b.
> 






multidgw.sh
Description: Bourne shell script




Re: [LARTC] Multipath Routing in same subnet - Please take a look

2005-05-06 Thread Alexander Samad
On Fri, May 06, 2005 at 08:41:55PM -0700, gypsy wrote:
> Christian Schmid wrote:
> > 
> > Hello.
> 
> > 80.237.244.0/26 dev eth1  proto kernel  scope link  src 80.237.244.52
> > default
> >  nexthop via 80.237.244.1  dev eth1 weight 100
> >  nexthop via 80.237.244.33  dev eth1 weight 100
> 
> Do not use weight parameters exceeding a single digit!
>  
> > I have read postings on the net but all of them are using huge scripts 
> > because they are on different
> > networks. My problem seems to be a much easier problem but I just cant get 
> > this to work. :(
> > 
> > Please help.
> > 
> > Best regards,
> > Chris
> 
> I'm no expert, but my suggestion is to use 2 NICs and connect one to
> each uplink or at least add 2 entries into /etc/iproute2/rt_tables.  I
> think you'll find a similar situation answered in the ML within the last
> 10 days or so, but I can't recall the subject of the thread.  Nor can I
> find anything specifying exactly what rt_tables needs to contain :/
> 
> You can review what I've gleaned from this ML at 
> http://yesican.chsoft.biz/lartc
> 
> The most urgent things for you to know:
> 1) The LARTC HOWTO is wrong
> 2) You must apply Julian's patch
> 3) You _really_ need to read nano.txt
> 4) All of the intelligible success stories WRT multipath are either on
> yesican or are linked to from there.

Here is my setup (firewall with 2 default routes): eth0 = cable, ppp0 =
adsl.  I changed the dhcpd client to add the default route for each one
on a different metric; that way, if one of the lines is out, the other
default route will still work!



from ip r (with some stuff removed - but the essential stuff is here)

default  metric 5 
nexthop via 141.168.16.1  dev eth0 weight 4
nexthop via 202.7.162.89  dev ppp0 weight 2
default via 141.168.16.1 dev eth0  metric 10 
default via 202.7.162.89 dev ppp0  metric 20 


from ip ru
0:  from all lookup local 
200:from 141.168.16.16 lookup cable 
201:from 60.240.81.237 lookup adsl 
32766:  from all lookup main 
32767:  from all lookup default 


The important ones are 200 and 201: these set up the routing for each of
the different legs - because they will be different! So 141.168.16.16 is
on eth0 and 60.240.81.237 is on ppp0 (they are the actual addresses on
the interfaces)

cat /etc/iproute2/rt_tables (these are where the names come from above!)
#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
#1  inr.ruhep

200 cable
201 adsl


These are the routing tables for 200 and 201; the 192.168 addresses are
the local addresses. The routing engine works from the lowest numbered ru
(from ip ru) and works up to the larger numbered ones until it finds a
rule that matches!

# ip r sh tab 200
192.168.11.0/24 dev br0  scope link 
192.168.10.0/24 dev eth3  scope link 
192.168.9.0/24 dev eth4  scope link 
default via 141.168.16.1 dev eth0 
default via 141.168.16.1 dev eth0  metric 10 

# ip r sh tab 201
192.168.11.0/24 dev br0  scope link 
192.168.10.0/24 dev eth3  scope link 
192.168.9.0/24 dev eth4  scope link 
default via 202.7.162.89 dev ppp0 


Hope that helps


> 
> --gypsy
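The layout from this reply (one routing table per link, an `ip rule from <interface address>` pointing at it, a weighted multipath default plus per-link fallback defaults), written as a dry-run generator. This is an added example, not the author's script or any code from the thread; the inventory column layout, the function names and the 1-9 weight check (taken from the single-digit advice quoted in the thread) are assumptions of the example.

```shell
#!/bin/sh
# Dry-run generator: prints ip(8) commands for source-based policy routing
# over two uplinks. It executes none of them, so it runs without root.

# Inventory assembled from the values in the post (column layout is assumed):
# table-id  table-name  dev  interface-address  gateway  weight  fallback-metric
UPLINKS='200 cable eth0 141.168.16.16 141.168.16.1 4 10
201 adsl ppp0 60.240.81.237 202.7.162.89 2 20'

# Internal networks that every per-uplink table must also contain, otherwise
# replies to LAN hosts that match rule 200/201 would leave via the uplink.
LOCAL_NETS='192.168.11.0/24 br0
192.168.10.0/24 eth3
192.168.9.0/24 eth4'

# Refuse weights outside 1-9 (the single-digit advice given in the thread).
check_weights() {
    while read -r id name dev addr gw weight metric; do
        case $weight in
            [1-9]) ;;
            *) echo "uplink $name: weight '$weight' is not in 1-9" >&2
               return 1 ;;
        esac
    done <<EOF
$UPLINKS
EOF
}

# Lines that must exist in /etc/iproute2/rt_tables for the names to resolve.
rt_tables_lines() {
    printf '%s\n' "$UPLINKS" | while read -r id name rest; do
        echo "$id $name"
    done
}

# One uplink: fill its table, then bind the table to the uplink's address.
uplink_cmds() {  # args: id name dev addr gw
    printf '%s\n' "$LOCAL_NETS" | while read -r net ldev; do
        echo "ip route replace $net dev $ldev scope link table $2"
    done
    echo "ip route replace default via $5 dev $3 table $2"
    # Delete-then-add keeps reruns from stacking duplicate rules.
    echo "ip rule del priority $1 2>/dev/null || true"
    echo "ip rule add from $4/32 lookup $2 priority $1"
}

# Weighted multipath default for the main table (metric 5, as in the post).
multipath_cmd() {
    hops=$(printf '%s\n' "$UPLINKS" |
        while read -r id name dev addr gw weight metric; do
            printf ' nexthop via %s dev %s weight %s' "$gw" "$dev" "$weight"
        done)
    echo "ip route replace default metric 5$hops"
}

plan() {
    check_weights || return 1
    printf '%s\n' "$UPLINKS" |
        while read -r id name dev addr gw weight metric; do
            uplink_cmds "$id" "$name" "$dev" "$addr" "$gw"
            # Per-link fallback default at a higher metric, as in the post.
            echo "ip route replace default via $gw dev $dev metric $metric"
        done
    multipath_cmd
}

# Stand-alone use: sh policy-plan.sh --print   (review, then pipe to sh as root)
if [ "${1:-}" = "--print" ]; then
    rt_tables_lines | sed 's/^/# needed in rt_tables: /'
    plan
fi
```
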


Re: [LARTC] Suspicious Attachment

2005-04-23 Thread Alexander Samad
On Sat, Apr 23, 2005 at 01:58:00AM +0200, Arjen Meek wrote:
> On Tue, Apr 19, 2005 at 10:15:19AM +0200, Michael Renzmann wrote:
> > I agree, but I also see no reason to have this discussion arising over 
> > and over again. Local filtering should do the trick until that moron 
> > understands that it is a bad idea to automatic answers to the spoofed 
> > sender of a virus mail.
> 
> My mailserver runs qmail (actually mailfront for SMTP) and rejects any
> message that ClamAV thinks to contain a virus with a "554 Message
> refused", which in my opinion is the correct SMTP reply for any
> message I don't want on my server (silently dropping the mail seems
> like a risky thing to do). No bounce message is sent by my server.
> 
> However, I received this from the mailinglist manager:
> > Your membership in the mailing list LARTC has been disabled due to
> > excessive bounces The last bounce received from you was dated
> > 21-Apr-2005.  You will not get any more messages from this list until
> > you re-enable your membership.  You will receive 3 more reminders like
> > this before your membership in the list is deleted.
> 
> Looking at my logs it must be outpost.ds9a.nl actually generating the
> bounce message.
> 
> If 554 is not the right reply for such a message, what would be a better
> way to indicate that the message is considered unacceptable by my
> server?
> If it is the best reply, what should I do to avoid being kicked off the
> list because my mail server doesn't say "that's fine with me" when it
> gets sent a virus message?

I am having the same problem but using debian + exim & clamav

> 
> Sorry for replying to an offtopic thread, but since the virus problem
> is apparently known here I figured someone might be able to tell me the
> correct way to handle such situations.
> 
> Personally, I think it would be a very good thing for any system that
> distributes e-mail, especially one that multiplies it as well like a
> mailing list does, to refuse distributing content that is clearly of a
> malicious nature, to avoid increasing the size of the problem.
> 
> regards,
> Arjen


[LARTC] Help Disecting kernel crash with ldisc

2005-04-05 Thread Alexander Samad
Hi

Recently I upgraded my kernel to 2.6.11 (debian) and applied some
patches from pom-ng (netfilter) and the iproute2-ss050330 package

I have been experiencing a lot of crashes in the kernel (snip below)
==
Apr  5 20:00:21 sydlxfw01 kernel: Unable to handle kernel NULL pointer
dereference at virtual address 0221
Apr  5 20:00:21 sydlxfw01 kernel:  printing eip:
Apr  5 20:00:21 sydlxfw01 kernel: c01ebec0
Apr  5 20:00:21 sydlxfw01 kernel: *pde = 
Apr  5 20:00:21 sydlxfw01 kernel: Oops: 0002 [#1]
Apr  5 20:00:21 sydlxfw01 kernel: PREEMPT 
Apr  5 20:00:21 sydlxfw01 kernel: Modules linked in: rtc nvidia tun
l2cap bluetooth nfsd exportfs lockd sunrpc ipt_ULOG defl
ate twofish serpent aes_i586 blowfish des sha256 sha1 crypto_null
xfrm_user ipcomp esp4 ah4 af_key lp autofs4 capability com
moncap ip_nat_ftp ip_conntrack_ftp binfmt_misc binfmt_aout raw
ppp_deflate zlib_deflate bsd_comp ppp_async crc_ccitt ppp_gen
eric slhc eepro100 eth1394 bridge atm cls_fw cls_u32 sch_sfq sch_htb
af_packet ip6t_limit ip6t_LOG ip6t_mac ip6t_MARK ip6tab
le_mangle ip6table_filter ip6_tables md5 ipv6 ipt_TARPIT ipt_limit
ipt_REJECT ipt_LOG ipt_mac ipt_mark ipt_MASQUERADE iptabl
e_nat ipt_owner ipt_MARK ipt_state ip_conntrack iptable_mangle
iptable_filter ip_tables tsdev psmouse parport_pc parport evd
ev floppy pcspkr sundance mii crc32 ohci1394 ieee1394 snd_intel8x0
snd_ac97_codec snd_pcm_oss snd_mixer_oss snd_pcm snd_time
r snd soundcore snd_page_alloc i2c_i801 i2c_core ehci_hcd usbhid usblp
uhci_hcd intel_agp intel_mch_agp agpgart i8xx_tco ide
_cd cdrom usb_storage usbcore sg aic7
Apr  5 20:00:21 sydlxfw01 kernel: xx ide_disk ide_generic via82cxxx
trm290 triflex slc90e66 sis5513 siimage serverworks sc12
00 rz1000 pdc202xx_old opti621 ns87415 hpt366 hpt34x generic cy82c693
cs5530 cs5520 cmd64x amd74xx alim15x3 aec62xx pdc202xx
_new unix ext2 ext3 jbd mbcache dm_mod raid5 xor raid1 md sd_mod
ata_piix libata scsi_mod piix ide_core
Apr  5 20:00:21 sydlxfw01 kernel: CPU:0
Apr  5 20:00:21 sydlxfw01 kernel: EIP:
0060:[tty_ldisc_ref_wait+144/192]Tainted: P  VLI
Apr  5 20:00:21 sydlxfw01 kernel: EFLAGS: 00010286   (2.6.11-1-ntf) 
Apr  5 20:00:21 sydlxfw01 kernel: EIP is at tty_ldisc_ref_wait+0x90/0xc0
Apr  5 20:00:21 sydlxfw01 kernel: eax: 0221   ebx: dde3b00c   ecx:
c01f3ce0   edx: de12
Apr  5 20:00:21 sydlxfw01 kernel: esi:    edi: 0246   ebp:
   esp: dc195e94
Apr  5 20:00:21 sydlxfw01 kernel: ds: 007b   es: 007b   ss: 0068
Apr  5 20:00:21 sydlxfw01 kernel: Process screen (pid: 9804,
threadinfo=dc194000 task=dc57e020)
Apr  5 20:00:21 sydlxfw01 kernel: Stack: c01ebf06 dde3b000 dde3b000
c01ec558 dde3b000 de12  c01f3cfd 
Apr  5 20:00:21 sydlxfw01 kernel:dde3b000 de12 c01f050b
de12 c01f28d8 de12 dc6bc6b7 0400 
Apr  5 20:00:21 sydlxfw01 kernel: c02d4c40 dc194000
de12093c 7fff   0001 
Apr  5 20:00:21 sydlxfw01 kernel: Call Trace:
Apr  5 20:00:21 sydlxfw01 kernel:  [tty_ldisc_ref+22/48]
tty_ldisc_ref+0x16/0x30
Apr  5 20:00:21 sydlxfw01 kernel:  [tty_wakeup+72/112]
tty_wakeup+0x48/0x70
Apr  5 20:00:21 sydlxfw01 kernel:  [pty_unthrottle+29/48]
pty_unthrottle+0x1d/0x30
Apr  5 20:00:21 sydlxfw01 kernel:  [check_unthrottle+59/64]
check_unthrottle+0x3b/0x40
Apr  5 20:00:21 sydlxfw01 kernel:  [read_chan+1080/2016]
read_chan+0x438/0x7e0
Apr  5 20:00:21 sydlxfw01 kernel:  [default_wake_function+0/32]
default_wake_function+0x0/0x20
Apr  5 20:00:21 sydlxfw01 last message repeated 2 times
Apr  5 20:00:21 sydlxfw01 kernel:  [tty_read+246/288]
tty_read+0xf6/0x120
Apr  5 20:00:21 sydlxfw01 kernel:  [vfs_read+229/352]
vfs_read+0xe5/0x160
Apr  5 20:00:21 sydlxfw01 kernel:  [sys_read+81/128] sys_read+0x51/0x80
Apr  5 20:00:21 sydlxfw01 kernel:  [sysenter_past_esp+82/117]
sysenter_past_esp+0x52/0x75
Apr  5 20:00:21 sydlxfw01 kernel: Code: 54 24 34 90 8d b4 26 00 00 00 00
b9 02 00 00 00 89 fa b8 2c b2 30 c0 e8 cf 3a f4 ff 
89 1c 24 e8 07 ff ff ff 85 c0 75 07 e8 fe ed <09> 00 eb dc 89 fa b8 2c
b2 30 c0 e8 f0 3b f4 ff 8b 7b 54 85 ff 
Apr  5 20:00:21 sydlxfw01 kernel:  ve!
Apr  5 20:00:21 sydlxfw01 kernel: release_dev: ptm4: read/write wait
queue active!
Apr  5 20:00:22 sydlxfw01 last message repeated 11689 times


I seem to get lots of "release_dev: ptm4: read/write wait
queue active!" messages


It seems to be in tty_ldisc_ref, but I could be wrong.

How do I go about diagnosing the problem - or find the section of code
that is causing the problem ?  I still have the src tree I used to build
this kernel.


This is my normal tc setup for IF={eth0,ppp0}


tc qdisc add dev $IF root handle 1: htb default 20



# Parent Class = Full speed of the link ?
tc class add dev $IF parent 1: classid 1:1 htb rate ${SPEED}kbit ceil ${SPEED}kbit burst ${BURST}b mtu $MTU

# MARK_TC_90 FW 0x1
tc class add dev $IF parent 1:1 classid 1:10 htb rate
$[9*${SPEED}/10]kbit ceil ${

Re: [LARTC] Help please with tc and iptables mark

2005-04-04 Thread Alexander Samad
On Mon, Apr 04, 2005 at 02:31:52PM +0100, Andy Furniss wrote:
> Adrian Turcu wrote:
> >Hello list members,
> 
> There is a lot of work going on with tc at the moment - There are/will be 
> lots more matches and the ability to run iptables commands from filters.

Is there any doco on this functionality ?  Any body thought of running a
wiki ?

> 
> >
> 
> Andy.


Re: [LARTC] how to read the stats

2004-10-21 Thread Alexander Samad
Hi

okay



#!/bin/bash

#
# Script to test TC

IF=${IF:-'eth0'}
SPEED=64
#
# 327b for 256 kbits (1K)
# 131K burst for 100Mb/s
# 12K burst for 10Mb/s
# pipe size /100 /8
BURST=163
BURST=$[$SPEED*1024/100/8]
MTU=1600
MTU=1500


TC='/sbin/tc'
TC='/usr/local/bin/tc'

tc_start2(){
# install root HTB, point default traffic to 1:20 

tc qdisc add dev $IF root handle 1: htb default 20

# shape everything at $SPEED speed - this prevents huge queues in your
# DSL modem which destroy latency:

tc class add dev $IF parent 1: classid 1:1 htb rate ${SPEED}kbit ceil ${SPEED}kbit burst ${BURST}b mtu $MTU

# high prio class 1:10:

tc class add dev $IF parent 1:1 classid 1:10 htb rate $[9*${SPEED}/10]kbit ceil ${SPEED}kbit burst ${BURST}b prio 1 mtu $MTU quantum 8

# bulk & default class 1:20 - gets slightly less traffic, 
# and a lower priority:

tc class add dev $IF parent 1:1 classid 1:20 htb rate $[5*${SPEED}/10]kbit ceil $[9*${SPEED}/10]kbit burst $[10*${BURST}/10]b cburst $[9*${BURST}/10]b prio 2 mtu $MTU quantum 8

# for BTTorrent

tc class add dev $IF parent 1:1 classid 1:30 htb rate $[4*${SPEED}/10]kbit ceil $[8*${SPEED}/10]kbit  burst $[8*${BURST}/10]b cburst $[6*${BURST}/10]b  prio 3 mtu $MTU quantum 8

# Filters
# both get Stochastic Fairness:
tc qdisc add dev $IF parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $IF parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $IF parent 1:30 handle 30: sfq perturb 10

# TOS Minimum Delay (ssh, NOT scp) in 1:10:
tc filter add dev $IF parent 1: protocol ip prio 10 u32 \
match ip tos 0x10 0xff \
flowid 1:10

# ICMP (ip protocol 1) in the interactive class 1:10 so we 
# can do measurements & impress our friends:
tc filter add dev $IF parent 1: protocol ip prio 10 u32 \
match ip protocol 1 0xff \
flowid 1:10

# To speed up downloads while an upload is going on, put ACK packets in
# the interactive class:

tc filter add dev $IF parent 1: protocol ip pref 1 u32 \
match ip protocol 6 0xff \
match u8 0x05 0x0f at 0 \
match u16 0x0000 0xffc0 at 2 \
match u8 0x10 0xff at 33 \
flowid 1:10


#  limit BTTorent to flow :30
# want to match all packets that have a source of 6880-6888
# as I can only match/rate limit out going
tc filter add dev $IF parent 1: protocol ip prio 10 u32 \
match ip protocol 6 0xff \
match ip sport 6880 0xfff0 \
flowid 1:30

#   match u16 0x1ae0 0xfff0 at 20 \

# Match firewall marks
tc filter add dev $IF parent 1: protocol ip pref 5 handle 4 fw flowid 1:30

#   # For pings !
#   tc filter add dev eth0 parent 1: protocol ip prio 100 u32 match ip protocol 1 0xFF flowid 1:10

# rest is 'non-interactive' ie 'bulk' and ends up in 1:20

}

tc_start(){
tc_start2
}

tc_stop(){
$TC qdisc del dev $IF root
}

tc_show(){
$TC -s -d qdisc show dev $IF
$TC -s -d class show dev $IF
$TC -s -d filter show dev $IF
}

case "$1" in
start)
tc_start
;;
stop)
tc_stop
;;
restart)
tc_stop
tc_start
;;
show)
tc_show
;;
*)
tc_show
#exit 1
;;
esac

exit 0


Thanks

On Thu, Oct 21, 2004 at 09:18:29PM +0200, Stef Coene wrote:
> On Thursday 21 October 2004 11:59, Alexander Samad wrote:
> > class htb 1:30 parent 1:1 leaf 30: prio 3 quantum 8 rate 25Kbit ceil
> > 51Kbit burst 63b/8 mpu 0b overhead 0b cburst 47b/8 mpu 0b overhead 0b
> > level 0
> >  Sent 495316458 bytes 541852 pkts (dropped 9303, overlimits 0 requeues
> > 0)
> >
> > >>> THIS is the line I have problems understanding
> > >>> I read it as 6190bit/sec which seems to be way lower than the 25Kbit
> > >>> set for the rate and much lower than the ceil
> > >>> so why do I have a backlog
> >
> >  rate 6190bit 7pps backlog 46p
> >  lended: 220159 borrowed: 321647 giants: 0
> >  tokens: -493609 ctokens: -242500
> >
> >
> > Having said all that it does seem to be limiting to 25Kbit, with burst
> > upto 51 !
> Can you post the executed tc commands?  Much easier for us to see what you 
> did.
> 
> Stef
> 
> -- 
> [EMAIL PROTECTED]
> "Using Linux as bandwidth manager"
>      http://www.docum.org/
> 




[LARTC] how to read the stats

2004-10-21 Thread Alexander Samad
Hi

I have set up iproute2 and need a bit of help reading the stats from it


= output
qdisc htb 1: r2q 10 default 20 direct_packets_stat 0 ver 3.17
 Sent 547326809 bytes 1342627 pkts (dropped 9303, overlimits 2817572
requeues 0) 
 backlog 46p 
qdisc sfq 10: limit 128p quantum 1514b flows 128/1024 perturb 10sec 
 Sent 41874343 bytes 730889 pkts (dropped 0, overlimits 0 requeues 0) 
qdisc sfq 20: limit 128p quantum 1514b flows 128/1024 perturb 10sec 
 Sent 10136008 bytes 69886 pkts (dropped 0, overlimits 0 requeues 0) 
qdisc sfq 30: limit 128p quantum 1514b flows 128/1024 perturb 10sec 
 Sent 495316458 bytes 541852 pkts (dropped 9303, overlimits 0 requeues
0) 
 backlog 46p 


 This I believe is my parent class; it has access to the whole 64Kbit
class htb 1:1 root rate 64Kbit ceil 64Kbit burst 80b/8 mpu 0b overhead
0b cburst 1507b/8 mpu 0b overhead 0b level 7 
 Sent 542500093 bytes 1342581 pkts (dropped 0, overlimits 0 requeues 0) 
 rate 7201bit 20pps 
 lended: 322826 borrowed: 0 giants: 0
 tokens: -228224 ctokens: -45568

class htb 1:10 parent 1:1 leaf 10: prio 1 quantum 8 rate 57Kbit ceil
64Kbit burst 80b/8 mpu 0b overhead 0b cburst 1507b/8 mpu 0b overhead 0b
level 0 
 Sent 41874343 bytes 730889 pkts (dropped 0, overlimits 0 requeues 0) 
 rate 681bit 12pps 
 lended: 730878 borrowed: 11 giants: 0
 tokens: 2966 ctokens: 185856

class htb 1:20 parent 1:1 leaf 20: prio 2 quantum 8 rate 32Kbit ceil
57Kbit burst 80b/8 mpu 0b overhead 0b cburst 71b/8 mpu 0b overhead 0b
level 0 
 Sent 10136008 bytes 69886 pkts (dropped 0, overlimits 0 requeues 0) 
 rate 302bit 1pps 
 lended: 68718 borrowed: 1168 giants: 0
 tokens: -149248 ctokens: -73584


 this is the low bandwidth class (bittorrent etc)
class htb 1:30 parent 1:1 leaf 30: prio 3 quantum 8 rate 25Kbit ceil
51Kbit burst 63b/8 mpu 0b overhead 0b cburst 47b/8 mpu 0b overhead 0b
level 0 
 Sent 495316458 bytes 541852 pkts (dropped 9303, overlimits 0 requeues
0) 
>>> THIS is the line I have problems understanding
>>> I read it as 6190bit/sec which seems to be way lower than the 25Kbit
>>> set for the rate and much lower than the ceil
>>> so why do I have a backlog
 rate 6190bit 7pps backlog 46p 
 lended: 220159 borrowed: 321647 giants: 0
 tokens: -493609 ctokens: -242500


Having said all that it does seem to be limiting to 25Kbit, with burst
up to 51!


This is on a patched debian 2.6.8 kernel (pom-ng patch'ed) and iproute2-ss040831

Thanks
Alex
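
An added example, not part of the original post: a POSIX shell/awk summary of the class blocks above that puts each HTB class's configured `rate` and `ceil` next to the measured average from the statistics line, the packets currently queued (`backlog`), and the share of packets sent on borrowed bandwidth. The sample input is the post's own output with the mail wrapping undone; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: summarise `tc -s -d class show dev $IF` output for HTB classes.

# Class blocks copied from the post above, with the mail line-wrapping undone.
sample_stats() {
cat <<'EOF'
class htb 1:1 root rate 64Kbit ceil 64Kbit burst 80b/8 mpu 0b overhead 0b cburst 1507b/8 mpu 0b overhead 0b level 7
 Sent 542500093 bytes 1342581 pkts (dropped 0, overlimits 0 requeues 0)
 rate 7201bit 20pps
 lended: 322826 borrowed: 0 giants: 0
 tokens: -228224 ctokens: -45568

class htb 1:10 parent 1:1 leaf 10: prio 1 quantum 8 rate 57Kbit ceil 64Kbit burst 80b/8 mpu 0b overhead 0b cburst 1507b/8 mpu 0b overhead 0b level 0
 Sent 41874343 bytes 730889 pkts (dropped 0, overlimits 0 requeues 0)
 rate 681bit 12pps
 lended: 730878 borrowed: 11 giants: 0
 tokens: 2966 ctokens: 185856

class htb 1:20 parent 1:1 leaf 20: prio 2 quantum 8 rate 32Kbit ceil 57Kbit burst 80b/8 mpu 0b overhead 0b cburst 71b/8 mpu 0b overhead 0b level 0
 Sent 10136008 bytes 69886 pkts (dropped 0, overlimits 0 requeues 0)
 rate 302bit 1pps
 lended: 68718 borrowed: 1168 giants: 0
 tokens: -149248 ctokens: -73584

class htb 1:30 parent 1:1 leaf 30: prio 3 quantum 8 rate 25Kbit ceil 51Kbit burst 63b/8 mpu 0b overhead 0b cburst 47b/8 mpu 0b overhead 0b level 0
 Sent 495316458 bytes 541852 pkts (dropped 9303, overlimits 0 requeues 0)
 rate 6190bit 7pps backlog 46p
 lended: 220159 borrowed: 321647 giants: 0
 tokens: -493609 ctokens: -242500
EOF
}

# htb_summary: read class statistics on stdin, print one line per HTB class.
#   rate/ceil     configured values from the "class htb" line
#   now           measured average rate from the statistics line
#   backlog       packets queued at the moment of the snapshot
#   borrowed_pct  borrowed / (lended + borrowed); in the HTB user guide's terms,
#                 "lended" packets were sent within the class's own rate and
#                 "borrowed" packets used bandwidth borrowed from the parent.
htb_summary() {
    awk '
    $1 == "class" && $2 == "htb" {
        id = $3; rate = ceil = now = "?"; pkts = dropped = backlog = 0
        for (i = 4; i < NF; i++) {
            if ($i == "rate") rate = $(i + 1)
            if ($i == "ceil") ceil = $(i + 1)
        }
        next
    }
    id == "" { next }                      # not inside an HTB class block
    $1 == "Sent" { pkts = $4 + 0; dropped = $7 + 0 }
    $1 == "rate" {
        now = $2
        for (i = 3; i < NF; i++) if ($i == "backlog") backlog = $(i + 1) + 0
    }
    $1 == "lended:" {
        lent = $2 + 0; borrowed = $4 + 0; total = lent + borrowed
        pct = total ? int(borrowed * 100 / total) : 0
        printf "%s rate=%s ceil=%s now=%s pkts=%d dropped=%d backlog=%d borrowed_pct=%d\n",
               id, rate, ceil, now, pkts, dropped, backlog, pct
        id = ""
    }'
}

sample_stats | htb_summary
```

On a live system, feed it `tc -s -d class show dev $IF | htb_summary`.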





[LARTC] Multiple default routes

2004-10-18 Thread Alexander Samad
Hi

I have been trying to set up multiple default routes with equal
weighting. I can do it with

route add -net default gw 10.18.141.254
route add -net default gw 10.18.141.252
route add -net default gw 10.18.141.253

but if I try this setup with ip r i have to place each one on different
weight levels

oh and it's on the same interface

Alex





Re: [LARTC] mark & owner for local connections

2004-10-15 Thread Alexander Samad
On Fri, Oct 15, 2004 at 11:05:41AM +, [EMAIL PROTECTED] wrote:
> Hi,
> 
> Host A has two interfaces: eth0, tap0.
> I want that all locally generated traffic from user 1004 goes through
> tap0.
> 
> This is what I did:
> 
> iptables -A OUTPUT -t mangle -m owner --uid-owner 1004 -j MARK --set-mark 2
> echo 202 bigmac.out >> /etc/iproute2/rt_tables
> ip rule add fwmark 2 table  bigmac.out
> ip route add default via 10.0.0.1 dev tap0 table bigmac.out

why not change this to
ip route add default via 10.0.0.1 dev tap0 table bigmac.out src IPADDRESSofTAP0


> ip route flush cache
> 
> This results in these problems:
> - packets from 1004 are sent out via tap0 but with source ip of eth0.
>   (seen in tcpdump -n -i tap0)
> - iptables packetfilter rules have to be set on eth0 and not on tap0.
>   (if i deny everything on -o eth0 no packet is sent out to -o tap0 anymore..)

From my understanding the tap packets go over eth0, you still need to
allow ipip packets (can check with tcpdump)

> 
> 
> Ideas?
> 
> 
> Ralf
> [EMAIL PROTECTED]
> 
> 
> 




Re: [LARTC] Classful Queuing

2004-10-12 Thread Alexander Samad
On Mon, Oct 11, 2004 at 10:46:01PM -0500, [EMAIL PROTECTED] wrote:
> >But will the mark still exist after the encryption/encapsulation?
> >>not sure about ingress, but the marking stays with the packet after the enc
> >>( well on 2.6 with native stack it does).  I use this for marking
> >>packets.
> 
> Isn't this going to depend on whether you are encrypting the whole packet 
> (VPN style) or just the data portion of the packet (SSL style)?

I use it to mark packets that are then esp enc.  I am using it currently
with 2.6 and native ipsec stack to mark all packets that come in as esp
and then are de-enc; I allow these through the firewall. This was my
way around the old problem of how to set up the firewall when the
ipsecX interface disappeared.

I believe the packet is encapped in place, not duplicated.  Then the new
packet is re-fed back into netfilter.

Alex







Re: [LARTC] Classful Queuing

2004-10-11 Thread Alexander Samad
On Mon, Oct 11, 2004 at 07:31:28PM -0600, Jamin W. Collins wrote:
> On Tue, Oct 12, 2004 at 11:16:54AM +1000, Alexander Samad wrote:
> > 
> > I think what you need to look for is marking of packets with netfilter -
> > let it classify and then use tc to place the properly marked packets
> > into the proper queue
> > 
> > Because you can mark in the PREROUTING table in mangle before it is enc
> 
> But will the mark still exist after the encryption/encapsulation?  Plus,
> that only deals without outgoing not incoming utilization if I'm
> following this correctly.  The incoming packets would not be
> identifiable until they were taken off the eth1 interface for their
> specific interface (ppp or ipsec), right?

not sure about ingress, but the marking stays with the packet after the enc
(well on 2.6 with native stack it does).  I use this for marking
packets.


> 
> -- 
> Jamin W. Collins
> 
> "Never underestimate the power of very stupid people in large groups."
> -- John Kenneth Galbraith
> 




Re: [LARTC] Classful Queuing

2004-10-11 Thread Alexander Samad
Hi

I think what you need to look for is marking of packets with netfilter -
let it classify and then use tc to place the properly marked packets
into the proper queue

Because you can mark in the PREROUTING table in mangle before it is enc

Alex

On Mon, Oct 11, 2004 at 07:01:57PM -0600, Jamin W. Collins wrote:
> OK, I'm stumped.  I've read through most of the LARTC HOWTO and have yet
> to find a basis for what I need to accomplish.
> 
> I have a Linux box that controls access to and from the Internet at my
> workplace.  We have a number of remote employees that connect via PPTP
> and IPSEC to the office's internal network.  Some of these remote
> employees are currently using SIP phones.  The problem is occasionally
> the available bandwidth becomes consumed and the VoIP calls (obviously)
> suffer because of this.
> 
> Configuration:
> eth0 - connected to the internal office
> eth1 - connected to the internet
> pppX - incoming on eth1 connection
> ipsec0 - incoming on eth1 connection
> 
> My question, how can I set classful htb queuing up so that its rules
> encompass all traffic on eth1 (including that to and from the ipsec and
> ppp connections) while reserving bandwidth for and prioritizing the SIP
> traffic?
> 
> In looking through chapter 9 it appears that all the configurations
> apply to a specific interface, and thus would only get eth1 for example.
> While the traffic on the ppp and ipsec connections would arrive on the
> eth1 interface only after being placed on their specific interfaces and
> encrypted, thus most likely missing proper classification and
> prioritization.
> 
> Am I over thinking this problem or missing something?
> 
> I'll happily provide any clarification or additional information needed.
> 
> -- 
> Jamin W. Collins
> 
> It has always been Debian's philosophy in the past to stick to what
> makes sense, regardless of what crack the rest of the universe is
> smoking.  -- Andrew Suffield
> 




Re: [LARTC] NAT+mangle+tc

2004-10-11 Thread Alexander Samad
Hi

What you can do is mark the packets in netfilter (iptables) and then use
the marks to assign the packets to classes

you can do something like

iptables -t mangle -A PREROUTING -s AddrIWantToShape -j MARK --set-mark 0x02
iptables -t mangle -A PREROUTING -s AddrIWantToShape2 -j MARK --set-mark 0x03

iptables -t nat -A POSTROUTING -s AddrIWantToShape -o InternetInt -j MASQUERADE
iptables -t nat -A POSTROUTING -s AddrIWantToShape2 -o InternetInt -j MASQUERADE


tc filter add dev InternetInt parent 1: protocol ip pref 5 handle 2 fw flowid 1:30
tc filter add dev InternetInt parent 1: protocol ip pref 5 handle 3 fw flowid 1:40

Something like that

Alex

On Mon, Oct 11, 2004 at 07:45:02PM +0300, emo terziev wrote:
> Hi , Jason
>    I know LARTC HOWTO. My download shapers work fine, but
> I don't know can i limit upload when i have NAT because source IP
> address is changed
> and i cannot make u32 src filter. 
> 
> in other hand package marking isn't usable in my case because i want 
>   user A to have for example 128K to Group A networks  and 64K to group B
>   user B to have   256k to group A and 1Mbit to group B
> 
> download is easy, but for upload i unfortunately don't know how it should be  :(
>  This is over my knowledge i think.
> 
> Please anyone with more experience just to give me an idea how it can be done.
> 
> 
> +---+   |  S  |
> | User A |---+  W | +NAT  
> +--+|  I   |eth1 eth0group A
> +--+|  T  |+++--- 180 diferent
> Networks -+
> | User B |+  C  +-| Router || 
>  Internet
> +--+|  H  |+++---all rest
> internet  ---+
>... / ...  
>   group B
> +--+|  H  |
> | User N |---+  U  |
> +---+   |  B  |   >
>  +-+
> 
> 
> 
> Best Regards
> emo terziev
> 
> On Mon, 11 Oct 2004 12:09:24 -0400, Jason Boxman <[EMAIL PROTECTED]> wrote:
> > On Monday 11 October 2004 07:29, emo terziev wrote:
> > > Hi All,
> > >   I wonder can I do NAT+mangle+tc on same machine? I want to shape
> > > outgoing traffic per IP on my gateway computer.
> > 
> > Sure, you can do that on the same machine.
> > 
> > You can do NAT with a variety of scripts or just hand written iptables rules.
> > Personally, I use the gShield iptables firewall.  As for `tc`, you might look
> > into the LARTC HOWTO.
> > 
> > http://lartc.org/
> > 
> > --
> > 
> > Jason Boxman
> > Perl Programmer / *NIX Systems Administrator
> > Shimberg Center for Affordable Housing | University of Florida
> > http://edseek.com/ - Linux and FOSS stuff
> > 
> 




Re: [LARTC] Prioritizing forwarded traffic over locally generated traffic

2004-10-06 Thread Alexander Samad
Hi

would it be possible to post the scripts that set this up ???

Alex

On Fri, Sep 24, 2004 at 05:55:36PM +0100, Neil Greatorex wrote:
> Many thanks to both of you for your replies.
> 
> I have managed to get the setup working how I intended now - by using HTB
> classes/qdiscs. I had tried this approach before as one of many, however
> what I had failed to do was create the two classes I am filtering the
> traffic into as subclasses of a parent HTB class that was limited to the
> rate of the connection. Now it works as I intended!
> 
> I'm now going to tackle the harder problem of doing it for downloading - I'm
> off to play with IMQ :-)
> 
> Again, many thanks for your suggestions/advice!
> 
> Cheers,
> Neil
> 
> --
> #include "sig.h"
> #define NAME"Neil Greatorex"
> #define E-MAIL  "[EMAIL PROTECTED]" 
> 
> http://www.spreadfirefox.com/?q=affiliates&id=7889&t=58
> 
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of kraquen
> > Sent: 24 September 2004 6:36 AM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [LARTC] Prioritizing forwarded traffic over 
> > locally generated traffic
> > 
> > Sounds to me like he's trying to match via source IP.. which 
> > would catch 
> > everything just fine..
> > 
> > Neil,
> > I do something very similar, its fairly simple..
> > 
> > you want to mark packets in your prerouting, then match 
> > against them in 
> > your qdiscs..
> > 
> > i use an htb.. my upload link can handle about 85 kilobytes / sec.
> > 
> > I have several classes that match with various rates, the ceiling for 
> > all of them is ~80
> > 
> > Then i have a class that matches the mark that i use for that 
> > specific IP.
> > 
> > That mark goes into a class with a rate of 2 KB/s and a ceiling of 75
> > 
> > that class gets 75 when nothing else is running, and 2 if 
> > other classes 
> > are filling it up.
> > 
> > Hope this helps,
> > Jason
> > Jason Boxman wrote:
> > 
> > >On Thursday 23 September 2004 18:09, Neil Greatorex wrote:
> > >  
> > >
> > >>Hi,
> > >>
> > >>I'm a complete newbie at this traffic shaping / QoS stuff 
> > so please excuse
> > >>me if this is a silly question. I've searched and searched 
> > on Google and I
> > >>just end up confusing myself even more, so I thought I'd 
> > post my question
> > >>to this list and see whether someone can help me!
> > >>
> > >>
> > >
> > >Sure.
> > >
> > >  
> > >
> > >>Basically, I am running a Linux box as a NAT router on my 
> > home network
> > >>(machine name marvin). I want to use mldonkey on the router 
> > box for P2P
> > >>downloads. What I wish to do, is to have any traffic that 
> > originates on the
> > >>internal LAN take priority over traffic that is generated 
> > from mldonkey on
> > >>marvin. I don't wish to restrict the maximum bandwidth for the P2P
> > >>downloads on a permanent basis if I can help it - so that 
> > all the bandwidth
> > >>is used all of the time.
> > >>
> > >>
> > >
> > >So you'd like to classify p2p traffic from mldonkey 
> > (Overnet/Kad/eDonkey) such 
> > >that it is granted a lower priority than other traffic?  Not 
> > a problem.  
> > >However, because those three protocols use random ports, you 
> > cannot classify 
> > >'edonkey' traffic based on port.  You can use either ipp2p 
> > or L7-Filter to 
> > >match these flows based on layer 7 pattern matching, though.
> > >
> > >  
> > >
> > >>My plan was to use the PREROUTING and OUTPUT chains of the 
> > mangle table to
> > >>mark the packets, and then use some form of qdisc/class 
> > structure that will
> > >>prioritise one over the other.
> > >>
> > >>
> > >
> > >I believe you can use the POSTROUTING chain of the mangle 
> > table and nab all 
> > >traffic.  L7-Filter has a nice graphic[1] available.
> > >
> > >[1] http://l7-filter.sourceforge.net/PacketFlow.png
> > >
> > >  
> > >
> > >>The aim of this is to have an upload that would normally take say 20
> > >>seconds from a machine on the LAN still take 20 seconds 
> > when mldonkey is
> > >>uploading - so the NAT traffic will take all the bandwidth away from
> > >>mldonkey. The closer to this aim I can get the better!
> > >>
> > >>
> > >
> > >That makes sense, although the time interval is relative to 
> > the data size and 
> > >protocol being used, so it isn't a useful measure for the 
> > rest of us.  What's 
> > >the link size?  What's the file / data size?
> > >
> > >  
> > >
> > >>To test implementations, I am using SFTP to upload a file 
> > from both a
> > >>machine on my internal network (named slartibartfast), and 
> > marvin (the
> > >>router machine) simultaneously. The perfect behaviour would 
> > be for the
> > >>upload on slartibartfast to take 20 seconds, and the upload 
> > on marvin to
> > >>take 40.
> > >>
> > >>
> > >
> > >Which implementations have you tried to use?  I'd imagine 
> > Wondershaper?  
> > >Others?
> > >
> > >  
> > >
> > >>I have tried various setups of qdis

Re: [LARTC] IPv6 routing question - corrected

2004-09-19 Thread Alexander Samad
Hi

Sorry having a bit of a problem reading your diagram but is the
destination  on the wire or is routed via box B

have you tried a tcpdump on B to see what it sees ?

A


On Mon, Sep 20, 2004 at 03:40:39AM +0100, filipe abrantes wrote:
> hi and thanks for replying,
> 
> #ip r g 3030::254
> 3030::254 via 3030::254 dev eth0  src 2020::2  metric 0
> cache  mtu 1500 advmss 1440
> 
> 
> 
> Alexander Samad wrote:
>  what do you get when you try
> 
> 
>  ip r g 3030::254
> 
>  A
> 
>  On Mon, Sep 20, 2004 at 02:57:17AM +0100, filipe abrantes wrote:
>   * sorry for the other schema, it came out a mess. I hope
>   this one is
>   understandable.
> 
>   hi:
> 
>   I have this 2 boxes set up like this:
> 
> 
>2020::2/128
>   2020::254/1283030::254/128
>  192.168.0.2/24 192.168.0.254/24
> 
>   192.168.30.254/24
> 
>+---+   eth0
>   eth3
>   +---+
> |  |=== |
>   |   eth1
> |   A
>   | |   B
>   | 
> |
>   | |
>   |
> 
>   +---
>   +   +--
>   -+
> 
> 
> 
> A
> 
>   # ip r l
>   192.168.30.254 dev eth0  scope link
>   192.168.0.0/24 dev eth0  scope link
>   169.254.0.0/16 dev lo  scope link
>   127.0.0.0/8 dev lo  scope link
> 
>   # ip -6 r l
>   2020::254 dev eth0  metric 1024  mtu 1500 advmss 1440
>   3030::254 dev eth0  metric 1024  mtu 1500 advmss 1440
>   (...plus link local and multicast routes)
> 
> 
> B
> 
>   # ip r l
>   127.0.0.1 dev lo  scope link
>   192.168.0.0/24 dev eth3  proto kernel  scope link  src
>   192.168.0.254
>   192.168.30.0/24 dev eth1  proto kernel  scope link  src
>   192.168.30.254
> 
>   # ip -6 r l
>   2020::2 dev eth3  metric 1024  mtu 1500 advmss 1440
>   metric10 64
>   (...plus link local and multicast routes)
> 
>   # cat /proc/sys/net/ipv4/ip_forward
>   1
>   #cat /proc/sys/net/ipv6/conf/all/forwarding
>   1
> 
> 
>   The problem is that i can ping 192.168.30.254 from A, but i
>   can't ping
>   3030::254 from A, anyone has a clue why this happens? Is
>   there any
>   feature i need to turn on or anything misconfigured? Why
>   does it work
>   for IPv4 but not for IPv6?
> 
> 
>   A -> B
> 
>   # ping 192.168.30.254
>   PING 192.168.30.254 (192.168.30.254) 56(84) bytes of data.
>   64 bytes from 192.168.30.254: icmp_seq=0 ttl=64 time=0.175
>   ms
>   64 bytes from 192.168.30.254: icmp_seq=1 ttl=64 time=0.122
>   ms
> 
>   #ping6 3030::254
>   PING 3030::254(3030::254) 56 data bytes
>   From ::1 icmp_seq=0 Destination unreachable: Address
>   unreachable
>   From ::1 icmp_seq=1 Destination unreachable: Address
>   unreachable
> 
> 
>   Regards
> 
>   Filipe Abrantes
> 
> 




Re: [LARTC] IPv6 routing question - corrected

2004-09-19 Thread Alexander Samad
what do you get when you try 


ip r g 3030::254

A

On Mon, Sep 20, 2004 at 02:57:17AM +0100, filipe abrantes wrote:
> * sorry for the other schema, it came out a mess. I hope this one is 
> understandable.
> 
> hi:
> 
> I have this 2 boxes set up like this:
> 
> 
>  2020::2/128   
> 2020::254/1283030::254/128
>192.168.0.2/24 192.168.0.254/24   
> 192.168.30.254/24
> 
>  +---+   eth0eth3   
> +---+
>   |  |=== |  |   eth1
>   |   A
> | |   B|   
>   |  
> | |  |
>  
> +---+   +---+
> 
> 
> 
>   A
> 
> # ip r l
> 192.168.30.254 dev eth0  scope link
> 192.168.0.0/24 dev eth0  scope link
> 169.254.0.0/16 dev lo  scope link
> 127.0.0.0/8 dev lo  scope link
> 
> # ip -6 r l
> 2020::254 dev eth0  metric 1024  mtu 1500 advmss 1440
> 3030::254 dev eth0  metric 1024  mtu 1500 advmss 1440
> (...plus link local and multicast routes)
> 
> 
>   B
> 
> # ip r l
> 127.0.0.1 dev lo  scope link
> 192.168.0.0/24 dev eth3  proto kernel  scope link  src 192.168.0.254
> 192.168.30.0/24 dev eth1  proto kernel  scope link  src 192.168.30.254
> 
> # ip -6 r l
> 2020::2 dev eth3  metric 1024  mtu 1500 advmss 1440 metric10 64
> (...plus link local and multicast routes)
> 
> # cat /proc/sys/net/ipv4/ip_forward
> 1
> #cat /proc/sys/net/ipv6/conf/all/forwarding
> 1
> 
> 
> The problem is that i can ping 192.168.30.254 from A, but i can't ping 
> 3030::254 from A, anyone has a clue why this happens? Is there any 
> feature i need to turn on or anything misconfigured? Why does it work 
> for IPv4 but not for IPv6?
> 
> 
> A -> B
> 
> # ping 192.168.30.254
> PING 192.168.30.254 (192.168.30.254) 56(84) bytes of data.
> 64 bytes from 192.168.30.254: icmp_seq=0 ttl=64 time=0.175 ms
> 64 bytes from 192.168.30.254: icmp_seq=1 ttl=64 time=0.122 ms
> 
> #ping6 3030::254
> PING 3030::254(3030::254) 56 data bytes
> From ::1 icmp_seq=0 Destination unreachable: Address unreachable
> From ::1 icmp_seq=1 Destination unreachable: Address unreachable
> 
> 
> Regards
> 
> Filipe Abrantes
> 




[LARTC] ip rule Question

2004-09-16 Thread Alexander Samad
Hi

I am trying to set up symmetrical routing to a multihomed linux box.

Basically I have a linux box with 3 interfaces front, back and backup

From another pc (3-4 hops away) I would like to be able to ping both
the front and have the return path take the same route.

so server

eth0 10.124.167.21/24
eth1 10.124.168.21/24
eth3 192.168.8.21/24

my ip rules looked something like



0:  from all lookup local 
1:  from all lookup main 
2:  from 10.124.167.21 lookup 250
20001:  from 10.124.168.21 lookup 251
20002:  from 192.168.8.21 lookup 252
32766:  from all lookup main
32767:  from all lookup 253


tab 250
default via 10.124.167.254 dev eth0

tab 251
default via 10.124.168.254 dev eth1

tab 252
default via 192.168.8.254 dev eth2

tab main
192.168.8.0/24 dev eth2  proto kernel  scope link  src 192.168.8.21
10.124.167.0/24 dev eth0  proto kernel  scope link  src 10.124.167.21 
10.124.168.0/24 dev eth1  proto kernel  scope link  src 10.124.168.21 
192.168.0.0/16 via 192.168.8.254 dev eth2 
127.0.0.0/8 dev lo  scope link 


tab 253
default via 10.124.167.254 dev eth0


Now this all works fine, my next step was to add secondary addresses to
the interfaces.

So I want to add 
10.124.167.12 to eth0

I added another ip ru line as well
ip ru add from 10.124.167.12 table 250

Again this worked fine, my next step is what if I want to add multiple
(5-6) ip addresses  can I cover it all with this ip ru
ip ru add from 10.124.167.0  table 250

I have tried this but it did not work. Do I need to make it 
ip ru add from 10.124.167.0/24  table 250

or do I have to add an entry for each ip address bound to that
interface??


Thanks
Alex
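
An added example, not part of the original post, modelling how the `from` selector of an `ip rule` is compared with a packet's source address: iproute2 reads a selector with no prefix length as a single host (/32), so `from 10.124.167.0` covers only that one address while `from 10.124.167.0/24` covers every address on the subnet. The helper names and the three-line rule list are constructed for illustration.

```shell
#!/bin/sh
# Added example: matching an `ip rule` "from" selector against a source address.

# ip_to_int A.B.C.D: print the address as a 32-bit integer.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# selector_covers SELECTOR ADDR: exit 0 if ADDR falls inside SELECTOR.
# A selector written without /LEN is taken as a host prefix (/32).
selector_covers() (
    case $1 in
        */*) net=${1%/*}; len=${1#*/} ;;
        *)   net=$1;      len=32 ;;
    esac
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
)

# Constructed rule list, "selector table": one subnet rule per interface,
# using the subnets and table numbers from the post.
RULES='10.124.167.0/24 250
10.124.168.0/24 251
192.168.8.0/24 252'

# table_for SRC: print the table of the first rule whose selector covers SRC
# (prints nothing when no source rule applies).
table_for() (
    printf '%s\n' "$RULES" | while read -r sel table; do
        if selector_covers "$sel" "$1"; then
            echo "$table"
            break
        fi
    done
)

# The secondary address from the post against both spellings of the selector.
for sel in 10.124.167.0 10.124.167.0/24; do
    if selector_covers "$sel" 10.124.167.12; then r="matches"; else r="does not match"; fi
    echo "from $sel $r source 10.124.167.12"
done
echo "source 10.124.167.12 -> table $(table_for 10.124.167.12)"
```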


