Re: [LARTC] How to fight with encrypted p2p
As you might have seen, these are words from the ipp2p author:

"""
I have seen some pieces of code from ipoque which can detect encrypted bittorrent and edonkey traffic. Unfortunately, this code will not work with iptables, because it needs more information about the flow history and the history of an ip address. Right now, I do not have the time and the money to develop a filter like this, but if you are interested in a development in this direction, please contact me.
"""

I *think* that we need something like a "bittorrent helper" in the kernel to keep this extra information about the flow history and then an iptables plugin to match.

What do you think? Maybe we could contact him to know what kind of information it is?

On Nov 12, 2007 9:17 AM, sawar <[EMAIL PROTECTED]> wrote:
> Rtorrent which I use sometimes have ability to completely disable plain text
> communication :
>
> man rtorrent
> allow_incoming (allow incoming encrypted connections),
> try_outgoing (use encryption for outgoing connections), require (disable
> unencrypted handshakes), require_RC4 (also disable plaintext
> transmission after the initial encrypted handshake), enable_retry (if the
> initial outgoing connection fails, retry with encryption turned on if it was
> off or off if it was on), prefer_plaintext (choose plaintext when peer
> offers a choice between plaintext transmission and RC4 encryption, otherwise
> RC4 will be used).
>
> and many other clients have similar abilities.
> I'm afraid that full encrypted and enabled by default communication is only a
> matter of time and we will lose this "fight" very soon.
>
> > Some P2P clients are nice about their encryption and negotiate
> > encryption ahead of time using plain communication. I.E. Limewire,
> > Azureus. However, some just start TLS and that is all you can see.
> >
> > Looking at ipp2p's signatures, I don't see anything that leads me to
> > believe they track that kind of info.
> >
> > David Bierce
> >
> > On Nov 11, 2007, at 9:48 PM, Mohan Sundaram wrote:
> > > sAwAr wrote:
> > >> Hi
> > >> I believe that whole question is in topic. Is there any way to
> > >> recognize ( and then shape ) p2p traffic which is encrypted?
> > >> Modern p2p clients have this ability moreover some of them have
> > >> this enabled by default. Now I'm using ipp2p for iptables but as I
> > >> know this doesn't recognize encrypted traffic.
> > >> Thanks in advance.
> > >> Pozdrawiam
> > >> Szymon Turkiewicz
> > >
> > > Have not tried this. An idea. P2P initiations are not encrypted
> > > AFAIK. Thus connections can be marked and related traffic shaped. If
> > > initiation is also encrypted, then I think we have a serious problem.
> > >
> > > Mohan

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext. 5
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] Fair que between 255 users
WRR worked for me in the past but it is not maintained anymore.

On 10/30/07, Jens Thiele <[EMAIL PROTECTED]> wrote:
> On 29 Oct 2007, [EMAIL PROTECTED] wrote:
>
> > On Monday 29 October 2007 22:46:39 Thomas Elsgaard wrote:
> >> Hello guys
> >>
> >> I have a subnet with 255 users, which need to share 1 single slow
> >> internet connection, so i would like to implement a kind of *fair
> >> queuing* on the UPLOAD between them, which means that they all share
> >> the connection equally..
> >>
> >> The tools that i have available is: A linux box with IPROUTE2,HTB and
> >> TC..
> >>
> >> I have looked at some examples, and my first idea was to make 255
> >> entries in iproute2, marking each source IP from 1-255 , and then
> >> adding one class in HTB, with 255 childs... but isn't there a smarter
> >> way?
> >>
> >> Does anyone have an example? or a good idea
> >
> > simply sfq -- is enough, isn't it?
>
> No (at least not yet?)
>
> Quoting the man page (man sfq):
> "SFQ does not shape traffic but only schedules the transmission of
> packets, based on 'flows'. The goal is to ensure fairness so that each
> flow is able to send data in turn, thus preventing any single flow from
> drowning out the rest."
>
> And:
> "SFQ is work-conserving and therefore always delivers a packet if it
> has one available."
>
> ESFQ might help. Using google:
> http://fatooh.org/esfq-2.6/
>
> Note:
> Corey Hickey is working on getting some ESFQ features into kernel
> mainline SFQ:
> Search for "SFQ: backport some features from ESFQ (try 5)" on netdev ml.
>
> Greetings
> Jens

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext. 5
Re: [LARTC] htb on Gigabit Interfaces
On 9/18/07, hhoxha <[EMAIL PROTECTED]> wrote:
> Hi every body
>
> I have a linux server with Intel(R) Xeon(TM) CPU 3.20GHz , and 2 Gigabit
> of RAM , kernel version 2.6.22.6 , and 2 Intel 82541PI Gigabit Ethernet
> controllers
>
> In simple situation i would like to limit bandwidth for 2 customers 1) (
> to 34 Mb/s ) and 2) 68 Mb/s .
>
> My conf is as below
> /
> #IFACE FACING THE CUSTOMERS
>
> /sbin/tc qdisc add dev eth0 root handle 1:0 htb
>
> #IFACE FACING THE INTERNET
>
> /sbin/tc qdisc add dev eth1 root handle 1:0 htb
>
> /sbin/tc class add dev eth0 parent 1:0 classid 1:1 htb rate 150mbit quantum 3
> /sbin/tc class add dev eth1 parent 1:0 classid 1:1 htb rate 150mbit quantum 3
>
> #second customer download
>
> /sbin/tc class add dev eth0 parent 1:0 classid 1:2 htb rate 68mbit ceil 68mbit quantum 3

try parent 1:1

> #second customer upload
>
> /sbin/tc class add dev eth1 parent 1:0 classid 1:2 htb rate 68000kbit ceil 68000kbit quantum 3

and here

> # first customer download
>
> /sbin/tc class add dev eth0 parent 1:0 classid 1:3 htb rate 34mbit ceil 34mbit quantum 3

and here

> # first customer upload
>
> /sbin/tc class add dev eth1 parent 1:0 classid 1:3 htb rate 34mbit ceil 34mbit quantum 3

and here

> #then iptable classify rules
>
> #TO_FIRST CUSTOMER
>
> /opt/sbin/iptables -t mangle -I POSTROUTING -o eth0 -d $DESTINATIONIP -j CLASSIFY --set-class 1:2
>
> #FROM_FIRST CUSTOMER
>
> /opt/sbin/iptables -t mangle -I POSTROUTING -o eth1 -s $SOURCEIP -j CLASSIFY --set-class 1:2
>
> #TO_SECOND CUSTOMER
>
> /opt/sbin/iptables -t mangle -I POSTROUTING -o eth0 -d $DESTINATIONIP -j CLASSIFY --set-class 1:3
>
> #FROM_SECOND CUSTOMER
>
> /opt/sbin/iptables -t mangle -I POSTROUTING -o eth1 -s $SOURCEIP -j CLASSIFY --set-class 1:3
>
> /
>
> For the customer with 34 Mb/s of bandwidth i can hardly reach 8 Mb/s and
> at this point i can notice an increased number of packets in the htb
> scheduler queue .
>
> With the tc ( htb disabled ) the line rate of nearly 100 Mb/s of the
> customer can be reached easily
>
> Is there any special tuning or conf that should be done considering the
> gig interfaces in place
>
> Thank you
>
> Hysen Hoxha
> AlbTelecom
> Albania

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext. 5
Re: [LARTC] doubt about bridge qdisc
On 9/16/07, Salatiel Filho <[EMAIL PROTECTED]> wrote:
> Hi guys, i have a little doubt ;
> I have eth0 ethernet and eth1 wireless , and they are bridged in br0
>
> Is there any difference in the behavior between do
>
> tc qdisc add dev br0 root sfq
>
> OR
>
> tc qdisc add dev eth0 root sfq && tc qdisc add dev eth1 root sfq
>

Yes. Only local traffic is passed through br0 and only all interface traffic is passed through each interface.

> --
> []'s
> Salatiel
>
> "The greatest pleasure of an intelligent person is to play the idiot
> in front of an idiot who plays the intelligent one."

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext. 5
Re: [LARTC] NAT-aware traffic analysis
Sorry if I didn't reply to you as expected.

Currently I use iptables to monitor how many bytes and packets each client has transmitted:

Each client has an ACCEPT rule that matches their IP and MAC address

I can see the byte and packet counters with

iptables -L -n -v

then, I use a script to parse this output and feed the appropriate RRD.

Previously, I used to parse the output of

tc -s class ls dev ifb0

which gave me almost the same result

On 9/6/07, Ming-Ching Tiew <[EMAIL PROTECTED]> wrote:
> From: "Marco Aurelio" <[EMAIL PROTECTED]>
> > If you use IFB or IMQ you can shape the outgoing WAN traffic before NAT
>
> I am not sure if I understand this reply or the reply seems to me,
> is not replying to my original question.
>
> I am asking how to collect statistics about LAN users with respect
> to their WAN usage, with LAN IP as the breakdown.
>
> I am not asking how to do traffic shaping. And may I know how
> does IMQ help that ?
>
> Actually with more thought given to the problem, I think I am
> quite inclined to using iptables ULOG. But ULOG solution
> has a few things need mentioning :-
>
> 1. Might be very heavy on system loading. Hope people can
> clarify if it is a real concern. And anyone has experience using
> ULOG 2.x ? Will 2.x be more friendly to system loading
> compared to 1.x ?
>
> 2. Logging goes into either file or database. It's to be a offline
> monitoring mechanism. Is there a way to use ULOG for online
> monitoring ?
>
> 3. Next, each ULOG is only specifying one side of the traffic. eg :-
>
> iptables -A FORWARD -i eth0 -o eth1 -j ULOG .
>
> I will need another iptables rule to specify the returning traffic, eg :-
>
> iptables -A FORWARD -i eth1 -o eth0 -j ULOG .
>
> Combining two independent logs as one connection will still be a
> challenge.
>
> Hope to see more suggestions and discussion.
> Thank you.

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext. 5
Re: [LARTC] NAT-aware traffic analysis
If you use IFB or IMQ you can shape the outgoing WAN traffic before NAT

On 9/5/07, Martin A. Brown <[EMAIL PROTECTED]> wrote:
> Greetings,
>
> : I have tried using iptraf for my NAT firewall to analyse the IP
> : traffic. Basically I am faced with this difficulty of related the
> : source IP to the outgoing interface to the internet, so I am
> : wondering if anyone has a suggestion for a different ways to do
> : it, or a suggestion for a better tool.
>
> I don't know of a flow analysis tool that records internal and
> external addresses at the NAT boundary. Without knowing how you
> separate your traffic outbound, it'd be hard for us to guess what
> the shortcomings of any of these solutions might be, but here are a
> few ideas:
>
> * Record the state of /proc/net/ip_conntrack and your flow
> information snapshots at exactly the same time. Use the
> ip_conntrack state information (programmatically) to yield
> the answers you want about usage information.
>
> * Use a flow analysis tool (e.g., argus) to record the flow
> information on your internal interface. Since you built the
> rules for distributing traffic and selecting the path for
> outbound flows, you should be able to map this same logic onto
> your recorded flows.
>
> In short, I think you may have better luck approaching the problem
> as a flow-analysis problem than a statistical summarization of
> traffic on any specific interface.
>
> Good luck,
>
> -Martin
>
> --
> Martin A. Brown
> http://linux-ip.net/

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext. 5
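
An added example (not part of the original thread) of the first idea quoted above: reading a snapshot of /proc/net/ip_conntrack to attribute NATed WAN traffic to the LAN address behind each flow. The sample entries, the LAN network and the WAN addresses are constructed, and the packets=/bytes= fields assume connection-tracking accounting is enabled on the router.

```python
"""Per-LAN-host usage from a conntrack snapshot taken on a NAT router.

Every conntrack entry carries two tuples: the original direction (as the LAN
client sent it) and the reply direction (as the remote side answers, after
NAT). Pairing them recovers which internal address is behind each flow.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample snapshot (documentation address ranges, not real traffic).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.253.3 dst=198.51.100.20 sport=40112 dport=4662 packets=120 bytes=9600 src=198.51.100.20 dst=203.0.113.5 sport=4662 dport=40112 packets=200 bytes=280000 [ASSURED] mark=0 use=1
tcp      6 112 TIME_WAIT src=192.168.253.7 dst=198.51.100.80 sport=51000 dport=80 packets=6 bytes=540 src=198.51.100.80 dst=203.0.113.5 sport=80 dport=51000 packets=5 bytes=4300 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.253.3 dst=198.51.100.53 sport=33333 dport=53 packets=1 bytes=70 [UNREPLIED] src=198.51.100.53 dst=203.0.113.9 sport=53 dport=33333 packets=0 bytes=0 mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.253.7 dst=198.51.100.22 sport=51022 dport=22 src=198.51.100.22 dst=203.0.113.5 sport=22 dport=51022 [ASSURED] mark=0 use=1
garbage line that is not a conntrack entry
"""

FIELD = re.compile(r"\b(src|dst|sport|dport|packets|bytes)=(\S+)")
COUNTERS = ("packets", "bytes")


def parse_entry(line):
    """Return (orig, reply) dicts for one entry, or None if it does not parse."""
    parts = line.split()
    if len(parts) < 4 or not parts[1].isdigit():   # second column: protocol number
        return None
    orig, reply = {}, {}
    current = orig
    for key, value in FIELD.findall(line):
        # A second "src=" marks the start of the reply-direction tuple.
        if key == "src" and "src" in current:
            if current is reply:
                return None                        # more than two tuples: unknown layout
            current = reply
        current[key] = value
    if "src" not in orig or "dst" not in reply:
        return None
    for tup in (orig, reply):
        for name in COUNTERS:
            # Counters are absent when accounting is off; keep that visible as None.
            tup[name] = int(tup[name]) if tup.get(name, "").isdigit() else None
    return orig, reply


def usage_by_lan_ip(snapshot, lan_net="192.168.253.0/24"):
    """Aggregate flows per LAN source address; lan_net is an assumed LAN range."""
    lan = ipaddress.ip_network(lan_net)
    usage = defaultdict(lambda: {"flows": 0, "bytes_up": 0, "bytes_down": 0,
                                 "unaccounted": 0, "wan_addrs": set()})
    for line in snapshot.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        orig, reply = entry
        try:
            if ipaddress.ip_address(orig["src"]) not in lan:
                continue                           # not initiated by a LAN client
        except ValueError:
            continue
        row = usage[orig["src"]]
        row["flows"] += 1
        # The reply tuple's destination is the address the flow was NATed to,
        # which identifies the outgoing WAN address (and so the uplink).
        row["wan_addrs"].add(reply["dst"])
        if orig["bytes"] is None or reply["bytes"] is None:
            row["unaccounted"] += 1
        else:
            row["bytes_up"] += orig["bytes"]
            row["bytes_down"] += reply["bytes"]
    return {ip: dict(row, wan_addrs=sorted(row["wan_addrs"]))
            for ip, row in usage.items()}


if __name__ == "__main__":
    for ip, row in sorted(usage_by_lan_ip(SAMPLE).items()):
        print(ip, row)
```

Counters in conntrack only cover flows still in the table, so the snapshot has to be taken at the same moment as the flow records it is joined with, as the quoted advice says.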
Re: [LARTC] Deleting a tc filter rule
On 6/27/07, Martija, Ricardo V <[EMAIL PROTECTED]> wrote:

Hi,

I am very new to tc. I added a filter using the following command:

tc filter add dev eth0 V parent 20:0 protocol ip prio 1 handle ::128 u32 match ip tos 0x44 0xfc flowid 20:1

tc filter add dev eth0 V parent 20:0 protocol ip pref 1234 prio 1 handle ::128 u32 match ip tos 0x44 0xfc flowid 20:1

To check if the filter rule was indeed added, I run

tc filter show dev eth0 parent 20:

This gave me the following output:

filter protocol ip pref 1 u32
filter protocol ip pref 1 u32 fh 800: ht divisor 1
filter protocol ip pref 1 u32 fh 800::128 order 296 key ht 800 bkt 0 flowid 20:1
  match 0044/00fc at 0

I tried deleting the filter rule that I added using:

tc filter del dev eth0 pref 1 protocol ip handle 800::160

tc filter del dev eth0 pref 1234

This gave me the following message:

Must specify filter type when using "handle"

I modified the delete command, as follows:

tc filter del dev eth0 pref 1 protocol ip handle 800::160 u32

This gave the following error message:

RTNETLINK answers: Invalid argument

I am pretty much stumped. Can anyone tell me how I can delete a tc filter rule?

Thanks,
Rick

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext 5
Re: [LARTC] shaping using source IP after NAT
I think it is better to use an IFB device and shape the upload traffic using source IP before the NAT

http://linux-net.osdl.org/index.php/IFB

On 6/13/07, VladSun <[EMAIL PROTECTED]> wrote:

Ethy H. Brito wrote:
> On Mon, 11 Jun 2007 22:02:31 +0300
> VladSun <[EMAIL PROTECTED]> wrote:
>
>> TC is performed after POSTROUTING, so you can not do any IP related TC
>> filtering. You can use CPU friendly patches for iptables like IPMARK or
>> IPCLASSIFY. Take a look at them.
>>
>
> Ok. Can someone point me the right direction to add IPMARK kernel support?
>
> I downloaded patch-o-matic today's snapshot and there is no IPMARK there.
>
> I have iptables-1.3.7 and kernel 2.6.21.1 sources (distro is slackware 11.0)
>
> The curious thing is that IPMARK is at iptables man page but I got and
> error when I execute it. It says it could not
> find /usr/lib/iptables/libipt_IPMARK.so:
>
> # locate -i IPMARK
> # (no output here)
>
> Regards.
>
> Ethy

Try "./runme download" in the PoM directory. It should work if there is defined download URL for IPMARK in the source.list file in the PoM directory. If it doesn't work try to download older version of PoM. That is because netfilter team has refused to include IPMARK in the official versions some time ago.

Regards

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext 5
Re: [LARTC] shaping using source IP after NAT
Use IFB which seems to be already on kernel 2.6

On 6/11/07, VladSun <[EMAIL PROTECTED]> wrote:

Ethy H. Brito wrote:
> Hi all
>
> I am using a pass thru router and I need to QoS some clients output by its
> IP address. The problem is that QoS is due after NATing.
>
> Is there some clever way of doing this besides MARKing every packet with
> some IP hashing in POSTROUTING NAT table?
>
> Regards
>
> Ethy

TC is performed after POSTROUTING, so you can not do any IP related TC filtering. You can use CPU friendly patches for iptables like IPMARK or IPCLASSIFY. Take a look at them.

Regards!

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext 5
[LARTC] HTB
What exactly happens if the sum of the children classes rate is bigger than the parent's?

What if the majority of these classes are using less than the minimum rate established (eg. 0kbps)?

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext 5
Re: [LARTC] how hierarchical is HTB?
What exactly happens if the sum of the children classes rate is bigger than the parent's?

What if the majority of these classes are using less than the minimum rate established (eg. 0kbps)?

On 6/6/07, Flechsenhaar, Jon J <[EMAIL PROTECTED]> wrote:

Few quick comments:

HTB parent rate should never be less than the sum of its children. This is referring to the rate parameter not the ceil. Class 1:20 needs to equal 1:200+1:201. You will get strange results if you try and test with any configuration where the sum of all children rates is greater than their parent.

Borrowing occurs from the parent and from classes at the same level. So if you have 3 leaf classes. 1:1, 1:2, and 1:3 they will get their assigned rate and borrow up to their ceil if there is extra bandwidth. If there is no traffic in one of the classes then it can give its assured bandwidth to the other 2 classes with traffic. Borrowing is based on the priority assigned to the class.

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

-----Original Message-----
From: Claudio Greco [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 06, 2007 7:58 AM
To: Ethy H. Brito
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] how hierarchical is HTB?

> root class 1: (rate=100, ceil=100)
> 1: children classes 1:10 (30,100) and 1:20 (70,100)
> 1:10 children classes 1:100 (10,100) and 1:101 (20,100)
> 1:20 children classes 1:200 (30,100) and 1:201 (70,100)
>
> I managed to have the root rate equals to the sum of its children.
>

Well, it is still true that total assured rate for classes 1:200 and 1:201 is greater than assured rate for class 1:20. Still, I don't think this is a big deal.

> But how must the rates of the leaves be signed?
>

What do you mean with 'signed'?

> And how the bandwidth of these leaves will be distributed when
> borrowing/lending is necessary?
>

As far as I know, when a leaf is 'yellow', i.e. its rate is greater than its assured rate and lesser than its ceil rate, it can borrow from its parent providing there's a yellow-path to the root and the root is green (root can't be yellow, only green or red).

If there's more than one child borrowing from the same class, they're served according to their priority (argument prio in *tc class add*).

If there's more than one child having the same priority, then they're served in DRR order (Deficit Round Robin). You can tune DRR behaviour with arguments r2q in *tc qdisc add* and quantum in *tc class add*.

> class 1:10 will/may lend/borrow from class 1:20. I know that.
>

No it can not. A class can only borrow from its parent, never from its siblings.

> But how about 1:1XX and classes 1:2XX? will the borrow/lend from each
> others?
>

ibidem.

> Any docs about this?
>

You may see:
http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
http://luxik.cdi.cz/~devik/qos/htb/manual/theory.htm

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext 5
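
An added example, not from the thread: a small checker for the rule Jon states above (a parent's rate should not be less than the sum of its children's rates), run over the hierarchy from the quoted question. The tc commands, the device name, the mbit units and the use of 1:1 as the root class id are assumptions made to turn the posted (rate, ceil) pairs into runnable input; only the `tc class add ... htb rate ... ceil ...` form is parsed.

```python
"""Flag HTB classes whose children's assured rates add up to more than their own."""
import re

# Hierarchy from the quoted post, written as tc commands (constructed input).
SAMPLE = """\
tc class add dev eth0 parent 1:    classid 1:1   htb rate 100mbit ceil 100mbit
tc class add dev eth0 parent 1:1   classid 1:10  htb rate 30mbit  ceil 100mbit
tc class add dev eth0 parent 1:1   classid 1:20  htb rate 70mbit  ceil 100mbit
tc class add dev eth0 parent 1:10  classid 1:100 htb rate 10mbit  ceil 100mbit
tc class add dev eth0 parent 1:10  classid 1:101 htb rate 20mbit  ceil 100mbit
tc class add dev eth0 parent 1:20  classid 1:200 htb rate 30mbit  ceil 100mbit
tc class add dev eth0 parent 1:20  classid 1:201 htb rate 70mbit  ceil 100mbit
"""

CLASS_ADD = re.compile(
    r"class\s+add\s+dev\s+\S+\s+parent\s+(\S+)\s+classid\s+(\S+)\s+htb\s+(.*)")

# tc rate suffixes: *bit are bits per second, *bps are BYTES per second.
UNITS = {"bit": 1, "kbit": 10**3, "mbit": 10**6, "gbit": 10**9,
         "bps": 8, "kbps": 8 * 10**3, "mbps": 8 * 10**6, "gbps": 8 * 10**9}


def parse_rate(text):
    """Convert a tc rate such as '68mbit' or '68000kbit' to bits per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]*)", text.lower())
    if not m or (m.group(2) or "bit") not in UNITS:
        raise ValueError("unsupported rate: %r" % text)
    return int(float(m.group(1)) * UNITS[m.group(2) or "bit"])


def norm_id(handle):
    """'1:' and '1:0' name the same handle; normalise to major:minor."""
    major, _, minor = handle.partition(":")
    return "%s:%s" % (major, minor or "0")


def parse_classes(text):
    """Return {classid: {'parent', 'rate', 'ceil'}} for every HTB class line."""
    classes = {}
    for line in text.splitlines():
        m = CLASS_ADD.search(line)
        if not m:
            continue
        parent, classid, opts = m.groups()
        rate = re.search(r"\brate\s+(\S+)", opts)
        if not rate:
            continue
        ceil = re.search(r"\bceil\s+(\S+)", opts)
        bits = parse_rate(rate.group(1))
        classes[norm_id(classid)] = {
            "parent": norm_id(parent),
            "rate": bits,
            # HTB uses the rate as the ceiling when ceil is not given.
            "ceil": parse_rate(ceil.group(1)) if ceil else bits,
        }
    return classes


def oversubscribed(classes):
    """List (parent, parent_rate, sum_of_child_rates) where the sum is larger."""
    child_sum = {}
    for cls in classes.values():
        child_sum[cls["parent"]] = child_sum.get(cls["parent"], 0) + cls["rate"]
    return sorted((parent, classes[parent]["rate"], total)
                  for parent, total in child_sum.items()
                  if parent in classes and total > classes[parent]["rate"])


if __name__ == "__main__":
    for parent, rate, total in oversubscribed(parse_classes(SAMPLE)):
        print("%s: rate %d bit/s, children sum to %d bit/s" % (parent, rate, total))
```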
Re: [LARTC] CBQ + Layer7 x Emule
from ipp2p news page

""quote""
I suggest the following tcp and udp for connection tracking (see docu section)

iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -p udp -m ipp2p --ipp2p -j MARK --set-mark 1

detect TCP FIRST, SAVE MARK , and detect udp after you saved the mark !! You will have now every p2p packet marked, but a dramatic reduce of udp mismatches.
""quote""

On 6/8/07, Salatiel Filho <[EMAIL PROTECTED]> wrote:
On 6/8/07, Saulo Silva <[EMAIL PROTECTED]> wrote:
> HI Marcos ,
>
> I tried your rules, but without success . Thank for that help .
> And , how about ip2pp ? Is this application could do that ? Help me to shape edonkey traffic ???
>
> Best Regards,
>
> Saulo Silva
>
> 2007/6/8, Marco Aurelio <[EMAIL PROTECTED]>:
> > l7's edonkey filter does not match all edonkey traffic, it does not
> > match data packets (that you want to shape). It matches however the
> > signaling packets that can be related to data connections.
> >
> > I never tried L7 but I think these may help you
> >
> > iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
> > iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
> > iptables -t mangle -A PREROUTING -mlayer7 --l7proto edonkey -j MARK --set-mark 2
> > iptables -t mangle -A PREROUTING -p tcp -m mark --mark 2 -j CONNMARK --save-mark
> >
> > On 6/8/07, Saulo Silva < [EMAIL PROTECTED]> wrote:
> > > Hi All ,
> > >
> > > My first message and I have a little problem with my FC6 box trying to block
> > > emule traffic using layer7 .
> > >
> > > Here my network :
> > >
> > > Internet - ADSL Router --- FC6 Box
> > > Emule Box
> > >
> > > external ADSL : Dynamic
> > > Internal ADSL : 192.168.254.1
> > >
> > > external FC6 : 192.168.254.3
> > > internal FC6 : 192.168.253.1
> > >
> > > Emule Box : 192.168.253.3
> > >
> > > I guess that everything is ok with layer7 . Here my mangle rules .
> > >
> > > # iptables -t mangle -A PREROUTING -mlayer7 --l7proto edonkey -j MARK --set-mark 2
> > > # iptables -t mangle -A PREROUTING -m mark --mark 2 -j LOG --log-prefix "PREROUTING MARK : "
> > >
> > > iptables -t mangle -A FORWARD -mlayer7 --l7proto edonkey -j MARK --set-mark 2
> > > iptables -t mangle -A FORWARD -m mark --mark 2 -j LOG --log-prefix "FORWARD MARK : "
> > >
> > > The output from log is :
> > >
> > > Jun 8 14:18:46 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC= 203.91.83.127 DST=192.168.253.3 LEN=180 TOS=0x00 PREC=0x00 TTL=105 ID=18725 PROTO=TCP SPT=51674 DPT=4662 WINDOW=16944 RES=0x00 ACK PSH URGP=0
> > >
> > > Jun 8 14:18:48 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.209.170.138 DST= 192.168.254.3 LEN=139 TOS=0x00 PREC=0x00 TTL=115 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0
> > > Jun 8 14:18:48 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC= 200.209.170.138 DST= 192.168.253.3 LEN=139 TOS=0x00 PREC=0x00 TTL=114 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0
> > >
> > > Jun 8 14:18:51 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC= 200.244.104.10 DST= 192.168.254.3 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0
> > >
> > > Jun 8 14:18:51 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC= 200.244.104.10 DST= 192.168.253.3 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0
> > >
> > > So it's look like mark is working .
> > >
> > > So now I use the cbq.init script with that configuration :
> > >
> > > cat /etc/sysconfig/cbq/cbq- 0002.emule_in
> > >
> > > DEVICE=eth0,100Mbit,10Mbit
> > > RATE=3Kbit
> > > WEIGHT=1Kb
Re: [LARTC] CBQ + Layer7 x Emule
l7's edonkey filter does not match all edonkey traffic, it does not match data packets (that you want to shape). It matches however the signaling packets that can be related to data connections.

I never tried L7 but I think these may help you

iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -mlayer7 --l7proto edonkey -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 2 -j CONNMARK --save-mark

On 6/8/07, Saulo Silva <[EMAIL PROTECTED]> wrote:

Hi All ,

My first message and I have a little problem with my FC6 box trying to block emule traffic using layer7 .

Here my network :

Internet - ADSL Router --- FC6 Box Emule Box

external ADSL : Dynamic
Internal ADSL : 192.168.254.1

external FC6 : 192.168.254.3
internal FC6 : 192.168.253.1

Emule Box : 192.168.253.3

I guess that everything is ok with layer7 . Here my mangle rules .

# iptables -t mangle -A PREROUTING -mlayer7 --l7proto edonkey -j MARK --set-mark 2
# iptables -t mangle -A PREROUTING -m mark --mark 2 -j LOG --log-prefix "PREROUTING MARK : "

iptables -t mangle -A FORWARD -mlayer7 --l7proto edonkey -j MARK --set-mark 2
iptables -t mangle -A FORWARD -m mark --mark 2 -j LOG --log-prefix "FORWARD MARK : "

The output from log is :

Jun 8 14:18:46 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC=203.91.83.127 DST=192.168.253.3 LEN=180 TOS=0x00 PREC=0x00 TTL=105 ID=18725 PROTO=TCP SPT=51674 DPT=4662 WINDOW=16944 RES=0x00 ACK PSH URGP=0

Jun 8 14:18:48 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC=200.209.170.138 DST=192.168.254.3 LEN=139 TOS=0x00 PREC=0x00 TTL=115 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jun 8 14:18:48 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC= 200.209.170.138 DST=192.168.253.3 LEN=139 TOS=0x00 PREC=0x00 TTL=114 ID=18002 DF PROTO=TCP SPT=1476 DPT=4662 WINDOW=65535 RES=0x00 ACK PSH URGP=0

Jun 8 14:18:51 fs-linux kernel: PREROUTING MARK : IN=eth0 OUT= MAC=00:06:4f:47:ad:e0:00:0f:3d:cc:29:e0:08:00 SRC= 200.244.104.10 DST=192.168.254.3 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0

Jun 8 14:18:51 fs-linux kernel: FORWARD MARK : IN=eth0 OUT=eth1 SRC= 200.244.104.10 DST=192.168.253.3 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=7042 PROTO=TCP SPT=50675 DPT=4662 WINDOW=64952 RES=0x00 ACK FIN URGP=0

So it's look like mark is working .

So now I use the cbq.init script with that configuration :

cat /etc/sysconfig/cbq/cbq-0002.emule_in

DEVICE=eth0,100Mbit,10Mbit
RATE=3Kbit
WEIGHT=1Kbit
PRIO=5
BOUNDED=yes
ISOLATED=yes
MARK=2

cat /etc/sysconfig/cbq/cbq-0002.emule_out

DEVICE=eth1,100Mbit,10Mbit
RATE=3Kbit
WEIGHT=1Kbit
PRIO=5
BOUNDED=yes
ISOLATED=yes
MARK=2

that generate this tc codes .

/sbin/tc qdisc add dev eth0 root handle 1 cbq bandwidth 100Mbit avpkt 3000 cell 8
/sbin/tc class change dev eth0 root cbq weight 10Mbit allot 1514

/sbin/tc qdisc del dev eth1 root
/sbin/tc qdisc add dev eth1 root handle 1 cbq bandwidth 100Mbit avpkt 3000 cell 8
/sbin/tc class change dev eth1 root cbq weight 10Mbit allot 1514

/sbin/tc class add dev eth0 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 3Kbit weight 1Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 3000 bounded isolated
/sbin/tc qdisc add dev eth0 parent 1:2 handle 2 tbf rate 3Kbit buffer 10Kb/8 limit 15Kb mtu 1500
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:2

/sbin/tc class add dev eth1 parent 1: classid 1:2 cbq bandwidth 100Mbit rate 3Kbit weight 1Kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt 3000 bounded isolated
/sbin/tc qdisc add dev eth1 parent 1:2 handle 2 tbf rate 3Kbit buffer 10Kb/8 limit 15Kb mtu 1500
/sbin/tc filter add dev eth1 parent 1:0 protocol ip prio 200 handle 2 fw classid 1:2

Can anyone explain me what is wrong . Why I cannot shape this traffic

Any help will be appreciated .

Best Regards ,

Saulo Silva

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext 5
Re: [LARTC] elementary usage clamping
On 6/6/07, Thomas Bushnell BSG <[EMAIL PROTECTED]> wrote:

On Wed, 2007-06-06 at 12:42 -0300, Marco Aurelio wrote:
> use the HTB wondershaper that can be found at lartc.org

Thanks for your reply. I looked at wondershaper, and I could not tell from the documentation whether it actually limited the rate of packets transmitted, and policed incoming packets, in a reliable fashion.

What do you mean by reliable fashion? The upstream is hard limited by the kernel. So it is absolutely reliable. The data people send you (downstream) you cannot control directly.

In other words, all the documentation I see is written as if it is addressing the case of a residential customer with a bandwidth-limited connection (cable modem, say), that has large queues, and arranges to shape on the box instead of on the connection's queues, allowing for better and more sensitive control.

You can use it in your environment. The wondershaper limits your traffic a bit less than the link speed, for the packets to be queued in the kernel and not in the modem (hub, switch, etc), so you can reserve some resources for the real time traffic. In your case, the modems or hubs may almost never queue.

Please tell me more about the limits of the provider. You say that they bill you if you use more than 1Mbps? I mean, this is strange because they normally define a transfer quota (eg: 100GB per month) and not a bandwidth limit.

And also, what services are you providing in this server?

But it still seemed (from what I read) as if it tries to keep the pipe as full as possible, merely reordering packets carefully, in which case I'm sure to lose, because I *don't want* the pipe as full as possible; I want to dribble bits out the pipe to conform to the pricing I have agreed with my ISP.

You don't keep the pipe as full as possible all the time. Only when you are sending more than the limit rate you specified in the script.

Am I missing something?

Thomas

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext 5
Re: [LARTC] elementary usage clamping
use the HTB wondershaper that can be found at lartc.org

On 6/6/07, Thomas Bushnell BSG <[EMAIL PROTECTED]> wrote:

I'm pretty smart, and was once regarded as pretty network and computer savvy. But the world has obviously passed me by!

I have a server in a colocation facility, and I was recently hit by a bill for overage; I used more bandwidth than I expected, and I must pay. So now, I want to bother with packet shaping on the server.

The *most* important thing is to clamp bandwidth to the 1Mbps that my contract allows for. This is well within my ordinary usage; there is no reason for me to want more. But I must be careful about overage: when I am transferring large amounts of data, I don't mind waiting for how long it takes at 1Mbps (minus overhead), but I certainly don't want to pay lots extra! This is the most important thing.

The next thing is that, once the bandwidth has been clamped, I want to have the ability to be flexible about shaping traffic. Obviously such things as ssh need priority, and then AFS, and then ftp and http. But this is still really only a single-user case, so even if the shaping is not so great, it's ok.

I cannot, for the life of me, figure out what tcng syntax would get me what I want. Can someone help me?

Thomas

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext 5
Re: [LARTC] tc-htb traffic shaping script
http://lartc.org/wondershaper/

On 5/24/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I can send you mine, it's a modified version of one I found somewhere on the net to be able to limit bandwidth on a linux router. I did no cleaning up or anything
>
> #!/bin/bash
> # tc uses the following units when passed as a parameter.
> # kbps: Kilobytes per second
> # mbps: Megabytes per second
> # kbit: Kilobits per second
> # mbit: Megabits per second
> # bps: Bytes per second
> # Amounts of data can be specified in:
> # kb or k: Kilobytes
> # mb or m: Megabytes
> # mbit: Megabits
> # kbit: Kilobits
> # To get the byte figure from bits, divide the number by 8 bit
> #
> #
> # Name of the traffic control command.
> TC=/sbin/tc
> IPTABLES=/sbin/iptables
>
> # The network interface we're planning on limiting bandwidth.
> IF1=eth1.106     # Interface
> IF2=eth0         # Interface
>
> # Download limit (in mega bits)
> DNLD=100mbit     # DOWNLOAD Limit
>
> # Upload limit (in mega bits)
> UPLD=100mbit     # UPLOAD Limit
>
> # IP address of the machine we are controlling
> #IP=81.18.0.0/24 # Host IP
> #IP=0.0.0.0/0    # Host IP
>
> # Filter options for limiting the intended interface.
> IN="$TC filter add dev $IF2 protocol ip parent 1:0 prio 1"
> OUT="$TC filter add dev $IF1 protocol ip parent 2:0 prio 1"
>
> start() {
>     # All traffic originating from IF1 gets marked
>     $IPTABLES -t mangle -D PREROUTING -i $IF1 -j MARK --set-mark 106 >/dev/null 2>&1
>     $IPTABLES -t mangle -A PREROUTING -i $IF1 -j MARK --set-mark 106
>
>     # INBOUND matches on fwmark 106 and gets shaped when it leaves the IF2 interface
>     $TC qdisc add dev $IF2 root handle 1: htb default 30
>     $TC class add dev $IF2 parent 1: classid 1:1 htb rate $DNLD
>     $IN handle 106 fw flowid 1:1
>     printf "\n"
>     printf "Shaping traffic incoming on $IF1 ==> $IF2 to max. $DNLD"
>
>     # OUTBOUND matches all traffic heading out IF1 gets shaped, no filter needed
>     $TC qdisc add dev $IF1 root handle 2: htb default 1
>     $TC class add dev $IF1 parent 2: classid 2:1 htb rate $UPLD
>     #$OUT u32 match ip src $IP flowid 2:1
>     printf "\n"
>     printf "Shaping traffic incoming on $IF2 ==> $IF1 to max. $UPLD\n"
>
>     # The first line creates the root qdisc, and the next line
>     # creates a child qdiscs that respectively are used to shape download
>     # and upload bandwidth. The third line defines a filter if required.
> }
>
> stop() {
>     # Stop the bandwidth shaping.
>     $TC qdisc del dev $IF1 root
>     $TC qdisc del dev $IF2 root
>     $IPTABLES -t mangle -D PREROUTING -i $IF1 -j MARK --set-mark 106
> }
>
> restart() {
>     # Self-explanatory.
>     stop
>     sleep 1
>     start
> }
>
> show() {
>     # Display status of traffic control status.
>     #$TC -s qdisc ls dev $IF1
>     $TC -s qdisc ls dev $IF2
> }
>
> case "$1" in
>     start)
>         echo -n "Starting bandwidth shaping: "
>         start
>         echo "done"
>         ;;
>     stop)
>         echo -n "Stopping bandwidth shaping: "
>         stop
>         echo "done"
>         ;;
>     restart)
>         echo -n "Restarting bandwidth shaping: "
>         restart
>         echo "done"
>         ;;
>     show)
>         echo "Bandwidth shaping status for $IF2:"
>         show
>         echo ""
>         ;;
>     *)
>         pwd=$(pwd)
>         echo "Usage: tc.bash {start|stop|restart|show}"
>         ;;
> esac
> exit 0
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arman
> Sent: Thursday 24 May 2007 12:46
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] tc-htb traffic shaping script
>
> Hi,
>
> Is there any tested good HTB script for traffic shaping available, like that of CBQ available at http://freshmeat.net/projects/cbq.init
>
> I am a newbie and need to work on htb.
>
> --
> Regards,
> M Arman

--
Marco
Re: [LARTC] Token Bucket Filter and Dropping
You need hierarchical token bucket for that. Have you tried HTB?

On 5/8/07, Piotr Wójcicki <[EMAIL PROTECTED]> wrote:
> I am trying to create my own Token Bucket Filter. However, I have a problem with packet dropping.
>
> Scenario:
> I got two streams 20KB/s each.
> I got one bucket with rate 20KB/s.
> I put both streams into this bucket.
>
> When buffer is full packets need to be dropped. The problem is that only every other packet needs to be dropped in this scenario. Streams are the same so queue looks like that:
>
> S1 | S2 | S1 | S2
>
> Packets from both streams are one by one. The result is that all packets from stream S1 are being dropped and all packets from Stream S2 are being sent. Ideally half of dropped packets would be from S1 and half from S1.
>
> What are possible solutions to this problem?
>
> Piotr Wojcicki

--
Marco
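The drop pattern described in the question can be reproduced with a small slot-by-slot simulation. This is an added example, not code from either poster: it compares one shared tail-drop buffer with one buffer per stream served in turn, which is what giving each stream its own class (or a fair-queueing leaf) provides. The buffer size and the slot model are assumptions, and which stream gets starved in the shared case depends on arrival phase.

```sh
#!/bin/sh
# Constructed scenario: two equal streams arrive strictly alternating
# (S1,S2,S1,S2,...) at twice the rate the bucket may release.
# One loop slot = one arrival; one packet is released every second slot.
#
# simulate MODE N   MODE: shared  = one tail-drop buffer for both streams
#                         perflow = one buffer per stream, served in turn
#                   N:    packets sent by each stream
# Prints "drops_S1 drops_S2".
simulate() {
  mode=$1 n=$2
  cap=4                                   # total buffer in packets (assumed)
  q=0 q1=0 q2=0 d1=0 d2=0 i=0
  while [ "$i" -lt $((2 * n)) ]; do
    s=$((i % 2 + 1))                      # stream this arrival belongs to
    if [ "$mode" = shared ]; then room=$((cap - q))
    elif [ "$s" -eq 1 ]; then room=$((cap / 2 - q1))
    else room=$((cap / 2 - q2)); fi
    if [ "$room" -gt 0 ]; then            # enqueue
      case "$mode$s" in
        shared*)  q=$((q + 1)) ;;
        perflow1) q1=$((q1 + 1)) ;;
        *)        q2=$((q2 + 1)) ;;
      esac
    elif [ "$s" -eq 1 ]; then d1=$((d1 + 1))    # tail drop
    else d2=$((d2 + 1)); fi
    if [ $((i % 2)) -eq 1 ]; then         # one packet's worth of tokens is ready
      if [ "$mode" = shared ]; then
        if [ "$q" -gt 0 ]; then q=$((q - 1)); fi
      elif [ $((i % 4)) -eq 1 ]; then     # per-flow: serve S1 and S2 in turn
        if [ "$q1" -gt 0 ]; then q1=$((q1 - 1)); fi
      else
        if [ "$q2" -gt 0 ]; then q2=$((q2 - 1)); fi
      fi
    fi
    i=$((i + 1))
  done
  echo "$d1 $d2"
}

echo "shared buffer,  drops S1 S2: $(simulate shared 100)"
echo "per-flow buffer, drops S1 S2: $(simulate perflow 100)"
```

In the shared case the release always happens just after the same stream's arrival, so the other stream always finds room and never loses a packet; splitting the buffer removes that phase lock.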
Re: [LARTC] Re: tc questions
Hello.

I may be misunderstanding what you are trying to do, but I think

tc -s class ls dev eth1

shows the stats you want. Note the "class" word.

On 4/9/07, Alejandro Ramos Encinosa <[EMAIL PROTECTED]> wrote:
> Hi to all.
>
> why when I do "tc qdisc show ..." it JUST shows me those qdisc I explicitly attached to classes without any child class?
> > >>> The default pFIFO qdisc that get attached to the classes are not
> >>> shown by the above command.
> > >>...and which is the command that will show them??
> > > There is no command that does that.
> > If you really want to see them, you can explicitly attach a pFIFO
> > queue to the classes.
>
> I have a little question here:
> If I understood well, if I want to see a classless qdisc statistics I must explicitly attach the qdisc to the classful qdisc. However, I have (for example) the following configuration and I still don't get the statistics for 120: (just for 1: and 121:):
>
> 8<8<-
> tc qdisc add dev eth1 root handle 1: htb default 10
> tc class add dev eth1 parent 1: classid 1:1 htb rate 100mbit
> tc class add dev eth1 parent 1:1 classid 1:10 htb rate 2mbit
> tc class add dev eth1 parent 1:1 classid 1:20 htb rate 98mbit
> tc qdisc add dev eth1 parent 1:20 handle 120: sfq perturb 10
> tc class add dev eth1 parent 1:20 classid 1:21 htb rate 49mbit
> tc qdisc add dev eth1 parent 1:21 handle 121: sfq perturb 10
> tc filter add dev eth1 protocol ip parent 1: prio 1 u32 match ip dst 10.6.70.1 flowid 1:20
> tc filter add dev eth1 protocol ip parent 1:20 prio 1 u32 match ip sport 80 0x flowid 1:21
> >8>8-
>
> If I run `tc -s qdisc show dev eth1' then I will get something like
>
> 8<8<-
> qdisc htb 1: r2q 10 default 10 direct_packets_stat 0
>  Sent 2284 bytes 7 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> qdisc sfq 121: parent 1:21 limit 128p quantum 1514b perturb 10sec
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
> >8>8-
>
> i.e. not 120: at all!!! and I need to get that flow.
>
> Worth of that is that if I run `tc -s class show dev eth1' then I will get this for class 1:20
>
> 8<8<-
> class htb 1:20 parent 1:1 rate 98000Kbit ceil 98000Kbit burst 50580b cburst 50580b
>  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 0bit 0pps backlog 0b 0p requeues 0
>  lended: 0 borrowed: 0 giants: 0
>  tokens: 4229 ctokens: 4229
> >8>8-
>
> and I am sure I am generating traffic that matches its filter.
> Can any of you help me?
>
> PS: what I really want is a way to obtain statistics for each qdisc.
>
> --
> Alejandro Ramos Encinosa <[EMAIL PROTECTED]>
> Fac. Matemática Computación
> Universidad de La Habana

--
Marco
Re: [LARTC] ipp2p problems
On 3/14/07, J.E. <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED]:/usr/src/ipp2p-0.8.0# iptables -m ipp2p --help
> iptables: match `ipp2p' v (I'm v1.3.1).
>
> I only get this line, iptables: match `ipp2p' v (I'm v1.3.1)

You are running iptables version 1.3.1, and this is not the version you compiled ipp2p for (1.3.3).

What is the output of the ipp2p make install?

--
Marco

> [EMAIL PROTECTED]:/usr/src/ipp2p-0.8.0# iptables -A FORWARD -m ipp2p --ipp2p -j DROP
> iptables: match `ipp2p' v (I'm v1.3.1).
>
> Only one line, again.
>
> [EMAIL PROTECTED]:/usr/src/ipp2p-0.8.0# iptables -L FORWARD
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> DROP      !icmp --  anywhere             anywhere            state INVALID
> eth0_fwd   all  --  anywhere             anywhere
> eth1_fwd   all  --  anywhere             anywhere
> Reject     all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere            limit: avg 5/min burst 2 LOG level info prefix `Shorewall:FORWARD:REJECT:'
> reject     all  --  anywhere             anywhere
>
> I don't see anything of ipp2p. (In Spanish: Nada por aquí nada por allá :) )
>
> I always get the same results with:
>
> Ubuntu Dapper
> Kernels: 2.6.15-27-386, 2.6.15-28-386
> iptables: 1.3.3
> ipp2p: 0.8.0
>
> Ubuntu Breezy (I think)
> Kernel: 2.6.12-10-386
> iptables: 1.3.1
> ipp2p: 0.8.0
>
> I don't know what's going on. Any ideas?
>
> Thank you all
>
> Juanen

--
Marco
[LARTC] LARTC Wiki
Hi all,

Since the mail list receives a lot of repeated subjects (for example: "i have two adsl lines..."), maybe these specific issues should be treated in the LARTC Guide, or maybe we could have a wiki?

Is there a LARTC Wiki? If not, what do you think about creating one?

Thanks

--
Marco
Re: [LARTC] bridge and ipp2p question
This is not possible because ipp2p does not match every p2p packet but only some essential signaling packets. By filtering these packets, the p2p client cannot establish connections to transfer data, and that's how it filters it.

Sometimes, ipp2p 'discovers' that this is a p2p related connection after the connection has been established, and then drops the signaling packets. And since you are not an AS and you have one different address per connection, you cannot route packets with a different source address than the one the connection has been established with.

I have a different approach on this, it is not a perfect solution, but it works quite well in some environments:

I route all the traffic through one NIC (the garbage p2p connection) and then (with iptables or u32) direct the important traffic by port (HTTP, FTP, IRC, MSN, DNS, SMTP, POP, etc) through the other NIC (the non-p2p connection). Then I filter (with ipp2p) the p2p traffic on the non-p2p NIC because some p2p clients try to mask the connections as if they were these services.

This works quite well, but you need to know every service your clients use.

I use this on a router, I never tested this with a bridge, but it may work too.

--
Marco

On 1/17/07, Roberto Pereyra <[EMAIL PROTECTED]> wrote:
> Hi all !!!
>
> I have a firewall bridge (not router) with two nics that filter p2p with ipp2p.
>
> All works fine but now I need to add a third nic to route all p2p traffic through this nic.
>
> Is that possible with a bridge?
>
> Later (with other server) connect to this nic I do load balancing with two adsl lines to route all p2p traffic.
>
> Any hint? Any howto?
>
> Thanks in advance.
>
> roberto
>
> --
> Ing. Roberto Pereyra
> ContenidosOnline
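The split described in the reply above (default route on the p2p uplink, known services marked by port and policy-routed over the other uplink, ipp2p dropping what hides on those ports) can be expressed with fwmark routing. This is an added example for a router, not the poster's own configuration; interface names, the gateway address, the mark and table numbers, the port list and the NAT rule are assumptions.

```sh
#!/bin/sh
# Dry run by default: prints the commands. APPLY=1 (as root) executes them.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi; }

# Hypothetical layout: clients sit behind LAN_IF, the main routing table
# already defaults to the p2p uplink, and the clean uplink is CLEAN_IF.
LAN_IF=${LAN_IF:-eth0}
CLEAN_IF=${CLEAN_IF:-eth2}
CLEAN_GW=${CLEAN_GW:-192.0.2.1}     # documentation address, replace
MARK=1
TABLE=100

split_plan() {
  # 1. A second routing table whose default route is the clean uplink,
  #    consulted only for packets carrying the mark.
  run ip route add default via "$CLEAN_GW" dev "$CLEAN_IF" table "$TABLE"
  run ip rule add fwmark "$MARK" table "$TABLE"
  # 2. Mark known services by destination port before the routing decision:
  #    FTP, SMTP, DNS, HTTP, POP, MSN, IRC (ports assumed from the list above).
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp -m multiport \
    --dports 21,25,53,80,110,1863,6667 -j MARK --set-mark "$MARK"
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p udp --dport 53 \
    -j MARK --set-mark "$MARK"
  # 3. p2p clients that disguise themselves on those ports are dropped on the
  #    clean uplink; -I puts the rule ahead of existing ACCEPT rules.
  run iptables -I FORWARD -o "$CLEAN_IF" -m ipp2p --ipp2p -j DROP
  # 4. Each uplink has its own address, so source-NAT per outgoing interface.
  run iptables -t nat -A POSTROUTING -o "$CLEAN_IF" -j MASQUERADE
}

split_plan
```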