RE: [LARTC] Linux router performance

2006-06-15 Thread S Mohan
Damjan wrote:
>>> On an AMD Athlon64 3200+ (2 GHz) I was able to saturate 2 PCI-Express
>>> gigabit cards (but that was with 1500 byte packets). Never tried more
>>> although the box has 6 interfaces capable of gigabit, 4 of them attached
>>> via PCI-Express.
>> 
>> But that's _only_ 8 packets/s isn't it.
>
>Hm. How do you arrive at that result? I get twice the numbers.
>nic a: 1 gbit in -> nic b: 1 gbit out
>nic b: 1 gbit in -> nic a: 1 gbit out
>total 2 gbit
>2 gbit /(1500*8 bit/frame) ~ 160k packets/s
>
>Please note that I did not test with smaller frame sizes, so 1Mp/s
>may be possible (I'll test that if I have some spare time).

I've done some benchmarks on a Sunfire x2100 with 2 port PCI Express
ethernet cards. It switches 800KPPS for 64B packets.

Regards
Mohan

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] QOS on each interface

2004-10-05 Thread S Mohan
Htb-init has what you are looking for. 

Warm regards
Mohan 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Segree, Gareth
Sent: Wednesday, October 06, 2004 3:40 AM
To: '[EMAIL PROTECTED]'
Subject: [LARTC] QOS on each interface



I have a firewall with 3 interfaces: DMZ, INTERNET, LAN.
Does anyone have an example script to do QoS on multiple interfaces
using htb?


Gareth Segree 
mailto:[EMAIL PROTECTED]
  
Technical Support Analyst 
The Gleaner Company Ltd. 
7 North Street 
Kingston 
Tel: 922-3400 




RE: [LARTC] small kernel distro recommendations for QoS box

2004-10-04 Thread S Mohan
Why not try LEAF or Embedian? I use LEAF and it works well. Will take you a
while to get used to it as opposed to standard RH kind of distro. The LEAF
site is pretty good. I can also help you offlist, if need be. I'm also the
maintainer of the QoS and bridging chapters on the LEAF Users Guide. 

Warm regards
Mohan 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 04, 2004 8:45 PM
To: [EMAIL PROTECTED]
Subject: [LARTC] small kernel distro recommendations for QoS box



Hello All. 

I've built some boxes for QoS that work wonderfully. Much thanks to
everyone's work on this project. Citrix + Videoconferencing are working
great. 

Thing is, I'd really like to not rely on the old 4GB drives in these
machines. I would like to build a kernel small enough to put on a 32 or 64
MB flash (compressed). Fedora Core 1, minimal install + bridge-utils is
still around 500 MB (will probably be about 1/3 that compressed). 

TIA 
-Ron 






RE: [LARTC] should I shape tun[N] or eth0 ?

2004-08-04 Thread S Mohan
AFAIK, tc will work on real and not virtual interfaces.

Warm regards
Mohan  

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Etienne Ledoux
> Sent: Wednesday, August 04, 2004 9:05 PM
> To: [EMAIL PROTECTED]
> Subject: [LARTC] should I shape tun[N] or eth0 ?
> 
> Greetings,
> 
> me again. I'm starting to feel miffed now.
> 
> If I have a few vpn tunnels with different tun interfaces, and all this
> tunnel traffic is coming in on my eth0 interface and also leaves via eth0
> again, I would like to share the available bandwidth evenly with tunnel
> clients. Would applying the bandwidth rule on eth0 with htb & sfq work
> for sharing the bandwidth, or will bandwidth rules only affect tunnel
> traffic if I apply them to the actual tun[n] interfaces?
> 



RE: [LARTC] the "cisco vs. Linux" thread

2004-07-11 Thread S Mohan
You could try the following:
1. http://www.axiomtech.com.tw
2. http://www.soekris.com
3. http://www.pcengines.com
4. http://www.nexedi.org
5. http://www.nagasaki.com.tw
6. http://www.iei.com.tw
7. http://www.advantech.com
8. http://www.lannerinc.com

And a lot more. Nagasaki is good and has a few good options. Cheapest of the
lot. Most of these are Taiwanese/Chinese companies with US offices.

Warm regards
Mohan  

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Glen Mabey
> Sent: Sunday, July 11, 2004 4:22 AM
> To: LARTC Mailing List
> Subject: Re: [LARTC] the "cisco vs. Linux" thread
> 
> On Fri, Jul 09, 2004 at 10:35:22AM -0400, Alfie Viechweg wrote:
> > Regarding building your own router/switch. You might want 
> to check out 
> > www.routerboard.com for a really reasonably priced 4 port NIC.
> 
> I had no idea this type of board existed! (forgive my excitement)
> 
> Alfie, have you used the Routerboard 230 or 240 products?  
> Anyone else?
> 
> Could anyone else recommend other manufacturers of this type of
> hardware: an embedded system board with
> * a couple of NICs
> * PCMCIA
> * runs linux
> 
> Thanks --
> Glen
> 
> --
> **
> Glen W. Mabey
> [EMAIL PROTECTED]
> http://mabeys.homelinux.com/glen/
> **



RE: [LARTC] QOS Script difficulty on bridge

2004-06-16 Thread S Mohan
If eth0 is your interface connected to the Internet, shape outgoing traffic
on eth1. This will simulate the effect of limiting download coming thro'
eth0 and also shape traffic from the local machine going out to the LAN on
eth1. In case you want to limit download from the local machines to nodes on
eth0 and eth1, apply QoS on both interfaces. Bridging does not affect or
help this in any way. Ethernet interfaces do not need to have IP addresses
for QoS to be applied in Linux. I've used htb-init with bridge-nf which has
been documented in the LEAF Bering user manual. In case you have any
questions, I'll be glad to answer them as the maintainer of that part of the
documentation.

HTH.

Warm regards
Mohan  

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Ed Wildgoose
> Sent: Wednesday, June 16, 2004 9:23 PM
> To: [EMAIL PROTECTED]
> Subject: [LARTC] QOS Script difficulty on bridge
> 
> I'm playing with the rather excellent QOS script from 
> Alexander Clouter at http://digriz.org.uk/jdg-qos-script/
> 
> So far I am really impressed with it - a very impressive 
> example of the power of linux QOS rules (has pretty much 
> everything in it from the LARTC Howto!)  However, the 
> instructions hint that "for QoS to affect locally generated 
> traffic in a non ethernet bridge setup you must have IMQ". 
> 
> Now, I *DO* have a bridged config (br -> eth0 & eth1), but I 
> can't see how I can set things up so that traffic from the 
> local machine suffers the effect of the QOS limitations (on 
> download) without using IMQ.
> 
> More broadly, can *anyone* see how it might be possible to 
> limit the download rate to a local machine running as a 
> bridge, without using IMQ? 
> (err, and not using the policer either, I want an HTB qdisc 
> running on the download traffic - I just want to know if I am 
> missing something obvious about the way the bridge works)
> 
> Just for reference only the bridge has an ip address, both 
> physical interfaces are anonymous.
> 
> Thanks for any pointers. 
> 
> Ed W
> 
> P.S. Anyone using this script on 2.6 with a bridge needs to 
> be aware that the syntax for "tc" has changed.  You can't use 
> "tc -i eth0" 
> anymore, you need "tc -i br0 -m physdev --physdev-in eth0".  
> And the same for "-o".  Hope that helps anyone who tries the 
> script out
> 



RE: [LARTC] IP Failover

2003-09-29 Thread S Mohan
This would make greater sense/benefit/appropriateness on two different
machines, I think. vrrpd is another good alternative. sourceforge is the
repository.

Regards
Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Ben
Sent: Monday, September 29, 2003 11:12 PM
To: [EMAIL PROTECTED]
Subject: Re: [LARTC] IP Failover


there are several; http://www.linux-ha.org/ is a good place to start.

On Mon, 2003-09-29 at 10:36, John Klingler wrote:
> Does anyone know of a system service that will provide automatic IP
> failover on a system with dual (redundant) Ethernet adapters?
>
> For example, I can simulate this by manually deactivating eth0 and
> activating eth1, although it takes about 15 secs for the MAC address to
> be updated.
>
> It should be relatively simple to write a program that monitors the
> current Ethernet interface and does the change-over automatically (and
> forces the MAC update), but before re-inventing the wheel, I suspect
> there is already a system program that already does this, I just haven't
> found one on Red Hat 8.0.
>
>
> thanks in advance,
>
>
> --John Klingler
>
>



RE: [LARTC] Layer 7 application blocking via tc/iptables?

2003-08-29 Thread S Mohan
From the docs I've read, the U32 classifier itself can do this. May be worthwhile
investigating.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Julien Gateaud
Sent: Friday, August 29, 2003 1:07 PM
To: Stef Coene; Derek; [EMAIL PROTECTED]
Subject: Re: [LARTC] Layer 7 application blocking via tc/iptables?


On Thu, 28 Aug 2003 19:54:41 +0200, Stef Coene <[EMAIL PROTECTED]> 
wrote:

> On Wednesday 27 August 2003 22:25, Derek wrote:
>> Hi All,
>>
>>
>> I hope this is the correct place to ask about this, but can someone give
>> me an example of blocking a certain application via the layer 7 patch
>> and iproute/iptables?
>>
>> For more of a specific example, I'm trying to block certain instant
>> messaging clients on my network, and I have yet to find a way to do it
>> (using mark or otherwise).
>>
>> Any help would be greatly appreciated!
> Iptables can look at the packet contents.  If you know how the clients 
> are negotiating with the servers, you can block these packets.  Or try to 
> find out the ports and ip addresses and block these.
>
> Stef
>
In patch-o-matic there is a module called string which matches if a string is
present in the payload.
Maybe you could use that but I can't say if it's stable or not.

-- 
Julien Gateaud
Security Keepers S.A.



RE: [LARTC] DNAT issues

2003-08-21 Thread S Mohan
My points:

1. When you call directly by IP, DNS does not come into play. Why should
DNS matter then?
2. The port redirection happens on incoming packets on eth1 and not eth0
(LAN I/F). Thus LAN traffic should not be affected.
3. In any case, port 80 requests are not redirected to the 194.x.x.x IP.

My solution, in case the redirection affects LAN traffic, would be to add a
negated condition for the local subnet as source:

iptables -t nat -A PREROUTING -i eth1 ! -s 192.168.0.0/24 \
    -d 194.105.29.2 -p tcp --dport 80 \
    -j DNAT --to-destination 192.168.0.2

This makes sure that local traffic is not redirected.

Mohan
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Vlad Mihai
Sent: Friday, August 22, 2003 12:33 AM
To: [EMAIL PROTECTED]
Subject: FW: [LARTC] DNAT issues




Thanks very much. I never thought of that :)

However the idea comes from a tutorial listed at ww.netfilter.org.
There, the author explains the same issue and gives a solution...
But that solution is not working for me.

I have posted that part of the tutorial here:
http://www.concorde.utcluj.ro/iptables2.pdf
since netfilter.org is down.

The section explaining my issue is located on the second page - the left
column.

Take a look there if you have time, and maybe some of u will understand
better than me :)

The problem with the routing still remains unsolved for me :(

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Ethy H. Brito
Sent: Thursday, August 21, 2003 9:22 PM
To: [EMAIL PROTECTED]
Subject: Re: [LARTC] DNAT issues

On Thu, 21 Aug 2003, Vlad Mihai wrote:

> Now, the web browser on 192.168.0.121 will see packets coming from
> 192.168.0.2, and it will assume
> they are bogus packets, and will ignore them... SO, NO CONNECTION...
>
> Remember 192.168.0.121 asked for packets from 194.105.29.2 and not from
> 192.168.0.2!!!
>
> What can I do to allow my LAN clients to access the web server through
> the router?
> Please write me a line of code :) I am new to "iptables" :(

This is a DNS problem. It is a common mistake to assume that the internal
network is part of the internet. IT IS NOT.
This may be easily solved by creating "zones" at your DNS server.
Your web server must be identified as part of your internal net. If it is
not identified like this you will have to do a lot of juggling to
overcome this.
Consult the DNS server man pages to configure it. This is not the only
solution but the simplest one for sure.

Regards

Ethy H. Brito /"\
InterNexo Ltda.   \ /  CAMPANHA DA FITA ASCII - CONTRA MAIL HTML
+55 (12) 3941-6860 X   ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL
S.J.Campos - Brasil   / \



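The failure Vlad describes, modelled in Python as an added example (not code from the thread): a LAN client connects to the web server's public address, PREROUTING rewrites the destination, and the server, seeing a source on its own subnet, replies directly, so the client gets a reply from an address it never connected to. The addresses are the ones quoted in the thread; the packet and rule representations are constructed, and the rule's `-i eth1` interface match is left out so that the LAN-source exclusion alone decides the outcome.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")
PUBLIC_IP = "194.105.29.2"      # router's external address, quoted in the thread
INTERNAL_WEB = "192.168.0.2"    # web server behind the router, quoted in the thread


def prerouting_dnat(pkt, exclude_lan):
    """Model of the nat/PREROUTING rule
       iptables -t nat -A PREROUTING [! -s 192.168.0.0/24] -d 194.105.29.2 \
           -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2
    (interface matching deliberately left out of the model)."""
    if pkt["dst"] != PUBLIC_IP or pkt["proto"] != "tcp" or pkt["dport"] != 80:
        return pkt
    if exclude_lan and ip_address(pkt["src"]) in LAN:
        return pkt                       # Mohan's fix: local sources are not rewritten
    return {**pkt, "dst": INTERNAL_WEB}


def same_subnet(a, b):
    return ip_address(a) in LAN and ip_address(b) in LAN


def hairpin_scenario(client_ip, exclude_lan):
    """Return (destination after DNAT, reply source as the client sees it, accepted?)."""
    request = {"src": client_ip, "dst": PUBLIC_IP, "proto": "tcp",
               "sport": 40000, "dport": 80}
    forwarded = prerouting_dnat(request, exclude_lan)
    # Whoever owns forwarded["dst"] (the web server, or the router itself when
    # nothing was rewritten) answers by swapping the address/port pairs.
    reply = {"src": forwarded["dst"], "dst": forwarded["src"], "proto": "tcp",
             "sport": forwarded["dport"], "dport": forwarded["sport"]}
    if forwarded["dst"] == INTERNAL_WEB and same_subnet(reply["src"], reply["dst"]):
        # Server and client share the LAN: the reply goes straight to the client,
        # never passes the router, and conntrack gets no chance to undo the DNAT.
        reply_src_seen = reply["src"]
    else:
        # The reply traverses the router (or comes from it): the DNAT is reversed.
        reply_src_seen = PUBLIC_IP
    # TCP only accepts a reply whose source matches the address it connected to.
    accepted = reply_src_seen == request["dst"]
    return forwarded["dst"], reply_src_seen, accepted
```

An Internet client (for example 203.0.113.5) gets `("192.168.0.2", "194.105.29.2", True)`; the LAN client 192.168.0.121 gets `("192.168.0.2", "192.168.0.2", False)` without the exclusion and `("194.105.29.2", "194.105.29.2", True)` with it, because its request is then simply not redirected.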


RE: [LARTC] FTP Connection Tracking in a Bridge

2003-08-20 Thread S Mohan
Doh. So dumb of me. I have documented this but it skipped my attention.
Thanks Stef. AFAIK, in bridged mode, only the FORWARD table is processed.
The packet does not traverse any other traditional netfilter table. This is
the reason for the existence of ebtables. ebtables provides all these tables
within its realm.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Stef Coene
Sent: Wednesday, August 20, 2003 5:57 PM
To: Wayne; [EMAIL PROTECTED]
Subject: Re: [LARTC] FTP Connection Tracking in a Bridge


On Wednesday 20 August 2003 10:48, Wayne wrote:
> Hello,
>
> I have a box running as a bridge and am trying to track the passive FTP
> sessions by marking them with iptables (CONNMARK option installed) and then
> trying to pick up the mark using tc filter fwmark. This is not working.
>
> I have checked the marking of the packets and this is working fine because
> I can see the marks when I cat /proc/net/ip_conntrack.
>
> Having setup my queues and using the following command:
>
> tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid 1:2a
>
> I do not get any traffic going in to this queue. I am running kernel
> 2.4.21.
>
> My question is whether the packet that I have marked is actually ever
> getting to the tc filter. As I am running a bridge, does the packet get
> marked in iptables PREROUTING, and then go straight to the FORWARD rule and
> then out.
>
> What is the sequence in which iptables processes the packet and then the tc
> filter processes the packet.
>
> Many thanks
Just wondering, can you really use iptables on a bridge?  I thought you have
to use ebtables : http://www.docum.org/stef.coene/qos/faq/cache/41.html

Stef

--

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net



RE: [LARTC] FTP Connection Tracking in a Bridge

2003-08-20 Thread S Mohan
You must use fwmark setting and not connmark.

Mohan
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Wayne
Sent: Wednesday, August 20, 2003 2:18 PM
To: [EMAIL PROTECTED]
Subject: [LARTC] FTP Connection Tracking in a Bridge


Hello,

I have a box running as a bridge and am trying to track the passive FTP
sessions by marking them with iptables (CONNMARK option installed) and then
trying to pick up the mark using tc filter fwmark. This is not working.

I have checked the marking of the packets and this is working fine because I
can see the marks when I cat /proc/net/ip_conntrack.

Having setup my queues and using the following command:

tc filter add dev eth1 parent 1:2 protocol ip prio 1 handle 2 fw classid 1:2a

I do not get any traffic going in to this queue. I am running kernel 2.4.21.

My question is whether the packet that I have marked is actually ever
getting to the tc filter. As I am running a bridge, does the packet get
marked in iptables PREROUTING, and then go straight to the FORWARD rule and
then out.

What is the sequence in which iptables processes the packet and then the tc
filter processes the packet.

Many thanks
Wayne



[LARTC] redundancy and multipath routing.

2003-08-14 Thread S Mohan
I use a LEAF Bering distribution which is 2.4.18 kernel based. I wanted to
experiment using it for link load balancing and  redundancy and ran up some
hitches. Pointers would be welcome and helpful.

I set up a single machine with 2 ethernet interfaces as per the network
schematic below.


 +--+ A.B.64.175/26
 |  | eth0--- gw A.B.64.134
 | LEAF Box |
 |  | eth1--- gw A.B.65.129
 +--+ A.B.65.131/29

I have a third ethernet port that I can configure as 192.168.1.1, the local LAN
interface. A.B.64.134 is a land link (approx 400ms latency) while A.B.65.129
is a satellite link (approx 750ms latency). The latency was found by
changing the default route and pinging the same target IP.

[Case 1]
I first wanted to check if fail over from one interface to another works
using the metrics declarative in the routes for priority of routes.

The commands I gave and the outputs are as under:

# ip ad flush dev eth0
# ip ad flush dev eth1
# ip ad flush dev eth2
# ip ad add dev eth0 A.B.64.175/26
# ip ad add dev eth1 A.B.65.131/29
# ip ro add default via A.B.64.134 metric 1
# ip ro add default via A.B.65.129 metric 2
# ping W.X.Y.Z

[Result 1]
Pings responds with packet replies if both are connected. If I disconnect
the ethernet cable from eth0, the ping was still going thro'. If I connect
the cable on eth0 and disconnect eth1, ping stops. If I connect back eth1,
ping resumes with the icmp packet count at a much larger number than when it
stopped with the difference in packets shown as lost.

I thought by looking at ping latency, I could make out which link is being
used. Latency was always 750ms.

My surmise:
The originating IP for the ping is taken as A.B.65.131. Thus replies do not
land up if eth1 is not connected even though packets go out of eth0. If eth1
was connected, it was used as a preferred route as originating IP was from
this subnet.

[Question 1]
Am I wrong? Is my interpretation of metrics wrong?

[Case 2]
I removed the default route and added a multipath route using commands as
under:

# ip ro del default
# ip ro del default
# ip ro add default nexthop via A.B.64.134 dev eth0 weight 1 \
nexthop via A.B.65.129 dev eth1 weight 1

[Result 2]
Giving a ping here had the same results as in [Result 1]. I expected each
ping packet to have different latency switching between 450 and 750ms. Did
not happen. Latency was 750ms consistently.

[Case 3]
The above weights go by flows and not packets. Maybe a single ping is
treated as one flow. I changed the multipath to include equalize using
commands as under:

# ip ro del default
# ip ro add default equalize nexthop via A.B.64.134 dev eth0 weight 1 \
 nexthop via A.B.65.129 dev eth1 weight 1

[Result 3]
Same as [Result 1] and [Result 2]. At least here I should have got latencies
switching between 450 and 750ms for alternating ICMP requests.

[Questions]
1. Is this method of testing correct?
2. Are there any other utilities/ methodologies that I can use to test this
better?
3. Is expecting load balancing/ redundancy to happen for a single flow
wrong?

TIA
Mohan

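Question 3 above (load balancing for a single flow), illustrated with an added Python model that is not part of the post and not the kernel's route-cache code: the nexthop is chosen by hashing the flow key into the weighted list, so every packet of one `ping W.X.Y.Z` takes the same link while many distinct flows spread in proportion to the weights. The gateways are the ones in the post; the flow keys and hash are constructed.

```python
import hashlib

# The two gateways from the post, equal weights as in
# `ip ro add default nexthop via A.B.64.134 dev eth0 weight 1 \
#                    nexthop via A.B.65.129 dev eth1 weight 1`
NEXTHOPS = [("A.B.64.134", "eth0", 1), ("A.B.65.129", "eth1", 1)]


def flow_key(src, dst, proto, port_or_id):
    """Fields a per-flow selector keys on; all packets of one ping share a key."""
    return (src, dst, proto, port_or_id)


def select_nexthop(key, nexthops):
    """Constructed model of per-flow selection: hash the key into the total
    weight and walk the list, so a nexthop with weight w owns w slots."""
    total = sum(weight for _, _, weight in nexthops)
    digest = hashlib.sha256(repr(key).encode()).digest()
    slot = int.from_bytes(digest[:4], "big") % total
    for gw, dev, weight in nexthops:
        if slot < weight:
            return gw, dev
        slot -= weight
    raise RuntimeError("unreachable: slot < total by construction")


def single_flow_devices(n_packets, nexthops=NEXTHOPS):
    """Cases 2 and 3 of the post: n echo requests of one ping, one ICMP id."""
    key = flow_key("A.B.64.175", "W.X.Y.Z", "icmp", 1234)
    return {select_nexthop(key, nexthops)[1] for _ in range(n_packets)}


def many_flows_distribution(n_flows, nexthops=NEXTHOPS):
    """Many LAN connections: how they spread over the links, by weight."""
    counts = {dev: 0 for _, dev, _ in nexthops}
    for i in range(n_flows):
        key = flow_key("192.168.1.%d" % (2 + i % 250), "W.X.Y.Z", "tcp", 1024 + i)
        counts[select_nexthop(key, nexthops)[1]] += 1
    return counts
```

`single_flow_devices(100)` always yields exactly one device, which is what a constant 750ms ping latency looks like; `many_flows_distribution(1000)` splits roughly 500/500, and with weights 3:1 roughly 750/250.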


RE: [LARTC] Bandwith sharing in NAT environment.

2003-08-14 Thread S Mohan
In a NAT environment, it is advisable to mark packets in the prerouting stage.
Subsequently, till the packet leaves the system, the mark will not be
changed by any other process except an explicit mark iptables statement. Even
if NAT changes the IP address, the fw mark will still be the same, allowing for
classification. AFAIK, mark can have values ranging from 1 to 255.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Raghuveer
Sent: Thursday, August 14, 2003 4:33 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [LARTC] Bandwith sharing in NAT environment.



Rajesh wrote:

>Hi
>
>I wish to implement Bandwith sharing in a NAT environment.
>
>The question is whether I can classify input packets on the basis of
ip-addresses (private LAN addresses)? These packets finally need to be NATed
before going on to Internet.
>
>Would the tc filters see the private addresses and put it in the
appropriate classes or would the tc filters see only the NATed address and
the filter would fail in putting the packets in the appropriate classes?
>
>The n/w diag would be somewhat like this
>
>private address LAN ips -->iptables(NAT)-->Internet.
>
>
private address LAN ips -->tc(netlink)->iptables(NAT)-->Internet

I feel this is how it is... so dnat will be after tc in LAN to WAN and snat
will be before tc in WAN to LAN.

-Raghu

>Can I mark packets using iptables matching source ip-address?
>What address will tc filter see when the private addresses are masqueraded
?
>
>Any help is most welcome.
>
>Cheers,
>Rajesh
>
>
>
>




RE: [LARTC] help on Layer 7 with TC

2003-07-28 Thread S Mohan
I found some time ago that the u32 classifier can read any part of a
packet - header and/or data section - using the byte offset facility and
act on a match. If I understand correctly, the Layer 7 filter patch does the
same, as P2P applications use the same ports as many other services but the
payload is different. The filter has payload patterns that it searches for
to identify the application. Maybe the Layer 7 filter patch searches without
a byte offset - meaning a substring kind of search - and uses the boolean
outcome as the action trigger. Can this then be done using the u32 filter
itself?

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of hare ram
Sent: Monday, July 28, 2003 12:56 PM
To: [EMAIL PROTECTED]
Subject: [LARTC] help on Layer 7 with TC


Hi

i have seen your post in news group that layer 7 filtering can be used with
TC

iam trying to deploy layer 7 in RH 9.0
which got a kernel of 2.4.20 i have upgraded to 2.4.20-19 now

but the Layer 7 available for only 2.5 and above
how can i use this patch for 2.4.20-19

does any one have clue for the same or any other Patch i can get to deploy
with 2.4.20

help will be appreciate

hare


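The u32 question raised in this post and in the earlier "Layer 7 application blocking" reply, worked through in an added Python model (not code from the posts or from iproute2): a u32 selector compares 32 bits under a mask at a fixed byte offset, which is enough for `match ip dport 21 0xffff` but not for a substring search. The packets are constructed; `nexthdr+` is simplified to "IHL*4 bytes in", where real tc needs an `offset ... eat` hash table or the `match ip dport` shorthand, which assumes a 20-byte IP header.

```python
import struct


def build_ipv4_tcp(src, dst, sport, dport, payload, ihl_words=5):
    """Constructed IPv4 + TCP (no TCP options) packet; checksums stay zero
    because nothing is ever sent, only classified."""
    total_len = ihl_words * 4 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    ip_hdr += b"\x00" * ((ihl_words - 5) * 4)      # padding standing in for IP options
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def u32_match(pkt, value, mask, offset, nexthdr=False):
    """Model of one `match u32 VALUE MASK at [nexthdr+]OFFSET` selector:
    true iff (32-bit word at OFFSET & MASK) == (VALUE & MASK)."""
    if nexthdr:
        offset += (pkt[0] & 0x0F) * 4              # simplification: skip IHL*4 bytes
    if offset + 4 > len(pkt):
        return False
    word = struct.unpack_from("!I", pkt, offset)[0]
    return (word & mask) == (value & mask)


def match_tcp_dport(pkt, port):
    """`match ip dport PORT 0xffff`: the first transport word holds sport in
    the high 16 bits and dport in the low 16 bits, hence the mask."""
    return u32_match(pkt, port, 0x0000FFFF, 0, nexthdr=True)


def match_payload_word(pkt, signature, payload_offset):
    """The only 'content' match u32 offers: 4 literal bytes at a FIXED offset
    into the TCP payload (20-byte TCP header assumed, as built above)."""
    if len(signature) != 4:
        raise ValueError("u32 compares exactly one 32-bit word per selector")
    value = struct.unpack("!I", signature)[0]
    return u32_match(pkt, value, 0xFFFFFFFF, 20 + payload_offset, nexthdr=True)


def demo():
    """Port match works; a layer-7 style search does not survive a 2-byte shift."""
    ftp_ctl = build_ipv4_tcp("192.168.1.10", "198.51.100.7", 40000, 21, b"USER anonymous\r\n")
    http_a = build_ipv4_tcp("192.168.1.10", "198.51.100.7", 40001, 80, b"GET / HTTP/1.0\r\n")
    http_b = build_ipv4_tcp("192.168.1.10", "198.51.100.7", 40002, 80, b"\r\nGET / HTTP/1.0\r\n")
    return {
        "dport21_on_ftp": match_tcp_dport(ftp_ctl, 21),         # True
        "dport20_on_ftp": match_tcp_dport(ftp_ctl, 20),         # False
        "GET_at_0_a": match_payload_word(http_a, b"GET ", 0),   # True
        "GET_at_0_b": match_payload_word(http_b, b"GET ", 0),   # False: same request, shifted
    }
```

The last two results answer the question: u32 can only test a word at a position you name in advance, so a pattern that may appear anywhere in the payload needs the string or layer-7 matches discussed in the thread.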


RE: [LARTC] bandwidth shaping over multiple WAN links

2003-07-26 Thread S Mohan
I've read this based on this post. It deals with a static IP scenario for both
links. If we have two DSL links on dynamic IP, pppd inserts the default
route. If we run pppd/pppoe on two links and want to load balance between
these links, how do we get pppd to add these links as alternate default
routes with weights? Or do we have to do this explicitly with ppp-up?

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of hare ram
Sent: Saturday, July 26, 2003 4:54 PM
To: Madhuri Patwardhan
Cc: [EMAIL PROTECTED]
Subject: Re: [LARTC] bandwidth shaping over multiple WAN links


Hi

Yes, you can achieve the same with RH 8.0 also.
Yes, I am using multiple ethernet for the internet side (backbone side)
and one ethernet for the LAN side
and load balancing all the links..

I am referring to

http://www.ssi.bg/~ja/nano.txt

with the help of Julian, I have achieved this for load balancing

for shaping the b/w the best places are

www.lartc.org
www.docum.org (stef)

will help you a lot

best of luck

hare
- Original Message -
From: "Madhuri Patwardhan" <[EMAIL PROTECTED]>
To: "hare ram" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Saturday, July 26, 2003 4:12 PM
Subject: Re: [LARTC] bandwidth shaping over multiple WAN links


>
>
> We are using redhat 8.0, however we can switch to redhat 9.0 if required.
>
> So you have one linux box with multiple ethernet cards each connected to a
> separate WAN link and you are doing traffic shaping over these links?
>
> I have read about load balancing with 'teq' or something like that with
> linux. Are you referring to that?
>
> Madhuri
>
>
> On Sat, 26 Jul 2003, hare ram wrote:
>
> > Hi Madhuri
> >
> > yes its possible,
> >
> > you can make all links one big pipe and share the load equally
> >
> > to do this you need to add some patches to your kernel
> >
> > you did not mention what distro you are using
> >
> > I am using redhat 9.0, with multiple links working fine
> >
> >
> > best of luck
> >
> > hare
> >
> > - Original Message -
> > From: "madhuri" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Saturday, July 26, 2003 3:09 PM
> > Subject: [LARTC] bandwidth shaping over multiple WAN links
> >
> >
> > >
> > > Hi,
> > >
> > > We have three WAN links each of capacity 2 Mbps.
> > >
> > > There is one linux box per link which is used for NAT and firewall. So
> > > I have three linux boxes and three WAN links to talk to the internet.
> > >
> > > We want to do bandwidth shaping over these three links. I know
> > > individually we can do bandwidth shaping for a particular WAN link using
> > > linux tc tool. I can repeat the same bandwidth shaping commands for
> > > other two links also. However it would be better if I can treat three
> > > links as one big WAN pipe and do the bandwidth shaping for all of them
> > > at one place. Is it possible?
> > >
> > > I am just thinking aloud and not sure if that is possible or not.
> > >
> > >
> > > Thanks,
> > > Madhuri
> > >



RE: [LARTC] traffic controlling strategy

2003-06-24 Thread S Mohan
Shaping is done on the physical device irrespective of the number of virtual
interfaces, unless there is specific virtual device support in the kernel, as
for IMQ. The best option would be to shape traffic on eth1 and eth0. Activate
policing for the ingress queue on eth0 (external interface). The queue for
incoming traffic builds up on the Linux box.

The reason for this: no change to or recompilation of the kernel is required,
and it is stable (look at the recent post on the IMQ bug fix). IMQ need only be
used if you want to control/cap aggregated incoming and outgoing bandwidth
rather than control them individually.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Kai Weber
Sent: Tuesday, June 24, 2003 6:20 PM
To: lartc
Subject: Re: [LARTC] traffic controlling strategy


* alexandru matei <[EMAIL PROTECTED]>:

> 1/ using default outbound shaping  on eth1 (outside interface) for
> outgoing and outbound shaping on eth0 (inside interface) for incoming
> 2/  using default outbound shaping  on eth1 (outside interface) for
> outgoing and inbound shaping (with IMQ) on eth1 (outside interface) for
> incoming
> ...
> Which combination do you recommand? Any reason for your recommandation?

I have the same problem and thinking of an third strategy:

3/ Splitting the outside interface into two virtual interfaces: eth0:0
for incoming, eth0:1 for outgoing traffic and routing the two interfaces
that both traffic seems to go out of the interface.

Bad english maybe, but probably totally wrong, too.

Kai
--
* mail [EMAIL PROTECTED]
  web http://www.glorybox.de
  pgp 0x594D4132


Re: [LARTC] wondershaper htb P2P downloads

2003-05-28 Thread S. Mohan
Believe L7 filtering matches kazaa. http://l7.sourceforge.net.

Mohan
>On Wednesday 28 May 2003 04:07, Paul Suela wrote:
>> Sir,
>>
>> Thanks for the wondershaper utility!
>>
>> It has improved the response time for my ssh connections to my home
>> server whenever i need to access it from the Internet.
>>
>> However, is there a way to setup a bandwidth, say 10kbits/sec (i only
>> have 128kbits/sec DSL), and assign it to a particular traffic type like
>>   kazaa and other P2P file-sharing?
>>
>> This way it will guarantee that my home users of kazaa will only eat up
>> and share that total small amount amongst my family and nothing more.
>>
>> I don't want to restrict P2P usage in my home network but just put a
>> configurable limit. Any help will be greatly appreciated. :)
>You can limit some parts of the traffic to a lower bandwidth.  But the problem
>is to match that traffic.  And kazaa is very hard to match.  It uses random
>ports and even ACK packets for uploads.
>As far as I know there is no way to perfectly match kazaa traffic.
>
>Stef
>
>-- 
>
>[EMAIL PROTECTED]
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.oftc.net
>



RE: [LARTC] Need help please

2003-03-20 Thread S Mohan
You'll need to identify the sources/ protocols etc and rate limit them.
E.g. Ping of Death is avoided by either dropping icmp-echo-request or
rate limiting them to 5 per second. Need to use iptables for that.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Webadmin
Sent: Thursday, March 20, 2003 6:20 PM
To: [EMAIL PROTECTED]
Subject: [LARTC] Need help please


Hi All;
We've been getting some DDOS attacks recently; due to this I was just
wondering if we can use some network traffic control techniques in order
to reduce the risk of having a DDOS attack? Is this possible after all?
Can we use the traffic control techniques in order to reduce the DDOS attack?

-- 



Best Regards
WebAdmin, Salam2U.com



RE: [LARTC] very simple problem to help me understand

2003-03-19 Thread S Mohan
ASCII art below:

Internet ---- eth0 [Linux] eth1 ==== LAN

Assuming FTP is in active mode, so the ftp-data port is 20 and the
connection port is 21. PASV uses whatever high ports are available and
would be more cumbersome to filter.

Incoming traffic on eth0 from the Internet is outgoing traffic on eth1
(Remember only outgoing traffic can be shaped). Shaping ftp traffic on
eth1 will be equivalent to shaping incoming traffic on eth0.

tc qdisc add dev eth1 root handle 1: htb default 20
tc class add dev eth1 parent 1: classid 1:10 htb rate 10kbit
tc class add dev eth1 parent 1: classid 1:20 htb rate 100kbit ceil 128kbit
# Match ftp and direct to class 1:10 (u32 needs the 0xffff port mask)
tc filter add dev eth1 parent 1:0 protocol ip u32 match ip dport 21 0xffff classid 1:10
tc filter add dev eth1 parent 1:0 protocol ip u32 match ip dport 20 0xffff classid 1:10

This should get you started. Hook on to http://www.docum.org and you'll
get some good stuff.

Mohan
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Jeremy Hansen
Sent: Wednesday, March 19, 2003 8:56 PM
To: [EMAIL PROTECTED]
Subject: [LARTC] very simple problem to help me understand



I want a small exercise to understand how everything fits together.  What
I'd like to do is limit incoming ftp traffic to 10k/second.  That's all.

This should be enough to understand how everything works.  Can someone
help me with a quick recipe?

Thanks
-jeremy

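Mohan's recipe above, written out as an added example (not the list post's own script): an HTB tree on the LAN-facing interface with the u32 port filters carrying the masks tc requires, parameterised so it covers both LAN-side FTP servers (dport, as in the post) and LAN-side FTP clients (sport). The interface name and rates are constructed values.

```shell
#!/bin/sh
# Added example (not from the list post): limit FTP on the LAN-facing
# interface, which, as the reply says, is where "incoming" Internet traffic
# leaves the router and can therefore be shaped.
# Assumptions (constructed for this example): eth1 faces the LAN, the LAN
# link is 128kbit, and FTP runs in active mode (20 = data, 21 = control).
# PORTDIR selects which port field identifies the FTP side: "dport" when
# the LAN hosts run FTP servers (the post's case), "sport" when the LAN hosts
# are FTP clients talking to servers on the Internet.
# With DRY_RUN=1 the tc commands are printed instead of executed.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ftp_shaper DEV FTP_RATE LINK_CEIL PORTDIR
ftp_shaper() {
    dev=$1 ftp_rate=$2 ceil=$3 portdir=${4:-dport}
    case $portdir in
        sport|dport) ;;
        *) echo "ftp_shaper: PORTDIR must be sport or dport" >&2; return 1 ;;
    esac
    # Start from a clean slate; the delete fails harmlessly on first use.
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    # HTB root; anything no filter claims falls into class 1:20.
    run tc qdisc add dev "$dev" root handle 1: htb default 20
    # One parent class holding the whole link so the children can borrow.
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$ceil" ceil "$ceil"
    # FTP: ceil equals rate, so this class can never borrow above its cap.
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$ftp_rate" ceil "$ftp_rate"
    # Everything else may grow to the full link.
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "$ceil" ceil "$ceil"
    # u32 wants value AND mask: 0xffff covers the 16-bit port field and
    # 0xff the protocol byte (6 = TCP), so UDP on the same ports is untouched.
    for port in 20 21; do
        run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
            match ip protocol 6 0xff \
            match ip "$portdir" "$port" 0xffff flowid 1:10
    done
}

# ftp_shaper_stats DEV: per-class byte counters, to confirm FTP lands in 1:10.
ftp_shaper_stats() {
    run tc -s class show dev "$1"
}
```

Run it as root without DRY_RUN to install the tree, then watch `ftp_shaper_stats eth1` during a transfer: the bytes of class 1:10 should grow while a download runs.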


RE: [LARTC] [LONG] Weird problem with HTB using htb.init

2003-03-17 Thread S Mohan
Could it be a problem of port mapping? eMule, eDonkey and others use free
ports and are not specific about which port they use. If they try to use
some ports blocked for inward traffic, timeouts are logical. I may be
wrong here as I do not know the exact set up.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Ricardo Jorge da Fonseca Marques Ferreira
Sent: Tuesday, March 18, 2003 4:28 AM
To: Stef Coene; [EMAIL PROTECTED]
Subject: Re: [LARTC] [LONG] Weird problem with HTB using htb.init


On Monday 17 March 2003 17:25, Stef Coene wrote:
> Mhh.  It can be.  If you add a sfq qdisc, each connection will create
> a new entry in the hash key.  But I don't know what happens if the
> hash key is full.  If all other connections end up in 1 hash key, it's
> possible that you get timeouts.

Hmmm, I closed emule and started an upload using all my UP bandwidth & a
download using roughly what emule used. They all fall into the same classes
that emule traffic did. I get no timeouts this way. If the number of
connections is the problem, is there any way to prevent this?

Thanks


RE: [LARTC] Bridge+QOS

2003-03-17 Thread S Mohan
Works very well. Have been using it for 8 months or so. Bridging provides
transparency on the network and does not affect the tc operation in any
manner. If you want marking of packets and routing based on fwmark, then
you'll have to juggle a bit as the packet flow in a bridge is different
from that of a router. Marking is possible only on the FORWARD
chain/table. Alternatively, you can force packets thro' iptables chains
- prerouting, nat, input, forward, postrouting, output - using ebtables.
I'm not sure if ebtables can mark packets. Have not looked deep enough.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of hare ram
Sent: Monday, March 17, 2003 12:35 PM
To: [EMAIL PROTECTED]
Subject: [LARTC] Bridge+QOS


Hi all


I am setting up a bridge with QoS services.

I would like you to comment on the setup; does this work?

I have set it up like this:

LAN--eth1(Bridge)eth0--router--Internet


In the LAN I have 10 users.
I would like to have QoS services for 5 people burstable and
5 people committed (bounded by the b/w I have).

Can I use tc+htb to make this setup?
Does tc+htb work with my transparent bridge?

thanks
hare



RE: [LARTC] TC Rules on a Bridge..

2003-03-15 Thread S Mohan
I've done exactly this and am using it in that config for over 8 months
now. I also wrote a manual chapter and a howto for LEAF Bering distro
which is what I was using to do this.
http://leaf.sourceforge.net/devel/jnilo/buhtb.html

My input:

1. TC will operate even if bridge is enabled on the enslaved devices.
The queues/classes are at the physical device level interface. Only a
few virtual devices have TC hooks like IMQ.
2. iptables will only work on the FORWARD table/chain in a standard
bridge configuration.
3. If you want packets to be forced thro' iptables INPUT, FORWARD and
OUTPUT chains, then ebtables can be forced to push packets one layer up
to iptables. Example given in ebtables home page Packet Flow
Diagram/Discussion page.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Martin A. Brown
Sent: Saturday, March 15, 2003 10:12 AM
To: Dhirendra Pal Singh
Cc: LARTC Mailing List
Subject: Re: [LARTC] TC Rules on a Bridge..


Dhirendra,

Here are some past threads involving this question (and some answers to
other questions which usually follow the "can I do traffic shaping on a
bridge" question).

Yes, you can perform QoS/traffic control on a bridge:

  http://mailman.ds9a.nl/pipermail/lartc/2003q1/007367.html

Make sure you have bridge+nf (netfilter support) if you want to do any
packet marking, filtering, mangling or NAT on the bridge [ a NATting
bridge, he remarked incredulously... ]:

  http://mailman.ds9a.nl/pipermail/lartc/2003q1/007378.html

ebtables and iptables interaction on a bridge+netfilter:

  http://users.pandora.be/bart.de.schuymer/ebtables/br_fw_ia/br_fw_ia.html

Don't forget the firewall-bridge (helpful to understand
bridge+netfilter):

  http://www.sparkle-cc.co.uk/firewall/firewall.html

Now let's roll out that Euro currency, and build some bridges,

-Martin

 : While I am still doing R&D with the ftp problem got another question to
 : bug you all..:)
 :
 : A) Okay if I am running Bandwidth management (HTB) using TC will it
 : work if the machine is a bridge also?
 :
 : B) I have tried it for my learning and it does slow down the traffic,
 : which I intended to do. But now since there is no eth0 interface, so
 : should I apply the rules on the bridge interface or eth0 should be fine.
 : I can see that eth0 works. But is it right to do it?
 :
 : Thanks again for helping..
 : Dp
 :

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]



RE: [LARTC] About FAQ

2003-03-13 Thread S Mohan
Sourceforge FAQ-O-Matic is good and I've seen a lot of projects use it.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Dhirendra Pal Singh
Sent: Friday, March 14, 2003 6:05 AM
To: LARTC Mailing List
Subject: [LARTC] About FAQ


While replying to one of my previous emails Martin raised the question of
how it would be to have a LARTC FAQ. I think it would be a good
idea. If you hackers can help me, maybe I can put it up?

Any comments...??
Thanks
Dp




[LARTC] Classes and qdiscs

2003-03-12 Thread S Mohan
I've been reading the posts on classless queuing and classes/qdisc
combinations. Both Martin and Stef mentioned that one class can have
more than one qdisc attached.

The way I had understood queue disciplines was as follows:

1. A class has a qdisc to regulate traffic under limit, e.g. htb/tbf.
2. A tier in the hierarchy has a qdisc attached for sharing of spare
bandwidth not utilized by one or more classes amongst the others in the
same tier.

Or would it be correct to say that each class has a qdisc that
distributes its spare bandwidth to others in the same level in the
hierarchy? Does it mean that if I have SFQ for one class and have not
attached SFQ to the other two classes at the same level, the other two
classes would get even distribution of bandwidth not utilized by the
first class?

Can a scenario be drawn up as to why we would need more than two qdiscs
for a class (one for under limit and one for spare)?

Bye
Mohan 



RE: [LARTC] Routing + Proxying

2003-03-07 Thread S Mohan
My suggestion goes as follows:

Give 2 IP addresses for your firewall and DNAT each address to a server.
Then any name resolution would resolve in a round robin fashion thus
distributing load among two servers carrying the same web content. The
firewall rules can be given as a /30 netmask thus giving 4 IPs in the
rules.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Martin A. Brown
Sent: Friday, March 07, 2003 7:37 PM
To: A. Peter Mee
Cc: [EMAIL PROTECTED]
Subject: Re: [LARTC] Routing + Proxying



Hello Pete,

 : I am hoping to set up a pair of web servers that sit behind a firewall.  The
 : firewall will have a single live ip address and the web servers will be
 : internal.  So my question is a simple one, which I doubt there is a simple
 : solution to (if any) but that's why I'm asking. ;-)
 : In a simple setup of one firewall + one web server, the firewall would map
 : port 80 to the web server's port 80.

Sure, this could be netfilter DNAT.

 : Would there be a way of 'splitting' or 'load balancing' the requests between
 : the two web servers such that one of the two following scenarios is possible
 : (or any others that you can think of):

Yes.

 : 1) Each web server hosts a limited number of web sites & the firewall
 : intelligently distributes the packets based on the requested url to the
 : respective web server.

This would require application layer logic, i.e., a very smart
proxy; you might examine squid [1].

 : 2) Each web server hosts all web sites & the firewall intelligently
 : distributes whole requests to an individual web server.

You should take a look at LVS [2].  This is probably a safer and more
robust solution to the problem you outline in your first paragraph.

 : I've looked into a proxy sitting on the firewall, but this seems to
 : pose an additional problem: if the DNS points at the firewall as the IP
 : address for the individual web site and the proxy is sitting at that
 : address, how does it know to relay the request internally (this is the
 : part that I realise is not LARTC-based).

-Martin

  [1]  http://www.squid-cache.org/
  [2]  http://www.linuxvirtualserver.org/

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]



RE: [LARTC] 'tc' locked my machine...

2003-03-06 Thread S Mohan
tc qdisc del dev eth1 root

will do the trick. Take the wondershaper script from the lartc site. It
handles exactly what you have in mind.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Ben Clewett
Sent: Thursday, March 06, 2003 8:09 PM
To: [EMAIL PROTECTED]
Subject: [LARTC] 'tc' locked my machine...


Newbie...

I am following the Linux Advanced Routing & Traffic Control HOWTO, as I
am having difficulty with a satellite ADSL connection.

Section 9.2.2.2 describes a case identical to mine, and suggests
throttling using 'tc'.  On a test machine I entered:

# tc qdisc add dev eth1 root tbf rate 64kbit latency 50ms burst 1500

When I enter 'tc qdisc show' I get:

disc tbf 8001: dev eth1 rate 64Kbit burst 1499b lat 60.9ms

But, I now find my ftp fails.  In either direction.  It creates a file
of 0 bytes, then stalls for ever more.

Also I have no 'man tc' and I can't remove this entry in any logical way
(like with 'tc qdisc del dev eth1') I can think of.

Can anybody please let me know how I get ftp to work with the Token
Bucket Filter, and how to remove the entry once it's been entered...

Thanks greatly in advance,

Ben

PS, kernel 2.4.19




RE: [LARTC] ip alias question

2003-03-05 Thread S Mohan
AFAIK, tc works on physical device queues. Thus having virtual devices
over the same physical interface will not let the virtual devices be
freed of control. You must use src/dst options. Instead of attaching to
virtual devices, it might be better to do it using subnets whereby you
do not have to give too many rules for matching src/dst ips.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Gilles Dégottex
Sent: Thursday, March 06, 2003 12:05 AM
To: [EMAIL PROTECTED]
Subject: [LARTC] ip alias question


Hi all

Sorry if I didn't find the answer in the HOWTOs, mailing list archives or
any other place, and sorry if I write English like a Spanish cow :P

I'm currently using 'tc' to limit upload and stop breaking the connection
of my cable modem. My eth0 has an IP alias eth0:1 which should not be
limited by tc, but "tc qdisc add dev eth0" seems to apply its effect to
eth0 AND eth0:1 :(
Is there any smooth solution to leave eth0:1 in peace? Or do I have to
limit the effect with "ip src" and "ip dst"?

Regards,
Gilles Dégottex


RE: [LARTC] QoS on bridge device

2003-03-04 Thread S Mohan
The packet flow diagrams have been well documented here.
http://users.pandora.be/bart.de.schuymer/ebtables/br_fw_ia/br_fw_ia.html

If you are matching packets for shaping, you must use tc. iptables will not
do any shaping. It will only modify headers and take decisions on packet
flow. The only place where this would be amenable to any kind of traffic
management is rate limiting. This does not, in any place or application,
constitute or construe bandwidth management or traffic shaping.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Abraham van der Merwe
Sent: 04 March 2003 18:36
To: Bogdan Coman
Cc: Linux Advanced Routing & Traffic Control list
Subject: Re: [LARTC] QoS on bridge device


Hi Bogdan!

Thanks. One more question:

If I match packets for shaping (instead of tc filters), which chain should I
match packets on? Usually I use FORWARD in the mangle table, but if I look
at the following diagram:

http://www.sparkle-cc.co.uk/firewall/firewall.html

it seems that packets won't go through FORWARD anymore (if it goes through
the bridge) so I guess I should match packets on OUTPUT in the mangle table
- is this assumption correct?

> The shaping is done on eth0 and eth1. There is also a patch that allows
> you to match packets that are passing the bridge with iptables. Br0 is
> used only for traffic that is for the bridge. E.g. a machine has a route
> through the ip of br0.
>
> Bogdan Coman
>
> On Tue, 2003-03-04 at 10:58, Abraham van der Merwe wrote:
> > Hi!
> >
> > Usually if you have a machine and traffic passes through it:
> >
> >             +-----+
> >    eth0     | QoS |     eth1
> >   ----------| box |----------
> >             +-----+
> >
> > You can shape outgoing traffic on eth0 and eth1 effectively shaping both
> > incoming/outgoing traffic.
> >
> > With bridging and above setup you only have a single device br0 - my
> > question is whether you can shape both incoming/outgoing traffic on this
> > device (i would presume it is not possible) or do you need to redirect
> > traffic passing through br0 to imq0 and do shaping on outgoing traffic on
> > both br0 and imq0?


--

Regards
 Abraham

I'm not sure whether that's actually useful...
 -- Larry Wall in <[EMAIL PROTECTED]>

___
 Abraham vd Merwe [ZR1BBQ] - Frogfoot Networks
 P.O. Box 3472, Matieland, Stellenbosch, 7602
 Cell: +27 82 565 4451 Http: http://www.frogfoot.net/
 Email: [EMAIL PROTECTED]




RE: [LARTC] QoS on bridge device

2003-03-04 Thread S Mohan
I use this configuration. You still use eth0 and eth1 and not br0. It works
as intended. tc operates at one level below bridging code at the device
queue level as I understand it. Thus whether it is a bridge or router, we
shape on the physical interface level. I guess like imq (virtual device)
some tinkering will need to be done to use br0 as a device on which QoS can
be applied.

HTH
Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Abraham van der Merwe
Sent: 04 March 2003 14:29
To: Linux Advanced Routing & Traffic Control list
Subject: [LARTC] QoS on bridge device


Hi!

Usually if you have a machine and traffic passes through it:

            +-----+
   eth0     | QoS |     eth1
  ----------| box |----------
            +-----+

You can shape outgoing traffic on eth0 and eth1 effectively shaping both
incoming/outgoing traffic.

With bridging and above setup you only have a single device br0 - my
question is whether you can shape both incoming/outgoing traffic on this
device (i would presume it is not possible) or do you need to redirect
traffic passing through br0 to imq0 and do shaping on outgoing traffic on
both br0 and imq0?

--

Regards
 Abraham

If you're not part of the solution, you're part of the precipitate.

___
 Abraham vd Merwe [ZR1BBQ] - Frogfoot Networks
 P.O. Box 3472, Matieland, Stellenbosch, 7602
 Cell: +27 82 565 4451 Http: http://www.frogfoot.net/
 Email: [EMAIL PROTECTED]




RE: [LARTC] Need some help on HTB and IMQ

2003-03-03 Thread S Mohan

This question comes up pretty often. Conceptually, we can do it in two ways.

1. All outgoing traffic is shaped on the interface which is Internet facing,
say eth0. Then the incoming traffic will go to the LAN thro' eth1. In this case
shaping outgoing traffic on eth1 is nearly equivalent to shaping incoming
traffic on eth0 (assuming all traffic is for the LAN and not for the host).
Another option to limit incoming traffic on eth0 is to use the ingress qdisc
and police rates to a cap and shape the bandwidth utilised on eth1 to the
LAN.

In the case above, bandwidth is apportioned as incoming and outgoing
separately. In the case of many ISPs, they would like to allocate bandwidth
for incoming + outgoing instead of dividing what is allotted further between
incoming and outgoing.

In such a case, IMQ device is used. Shaping IMQ will shape the aggregated
traffic of incoming+outgoing.

Mohan
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of hare ram
Sent: 04 March 2003 11:54
To: Stef Coene; [EMAIL PROTECTED]
Subject: Re: [LARTC] Need some help on HTB and IMQ


Hi Stef

I was going through this thread.
You mentioned that if I am using this Linux box as a gateway,
I don't require IMQ to control ingress and egress.

How can I do it without IMQ? Can you point me?

I have 2 interfaces, eth0 and eth1,
and would like to control bandwidth for my users,
both up and down.

thanks
hare
- Original Message -
From: "Stef Coene" <[EMAIL PROTECTED]>
To: "hanumantha kavuluru" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, February 25, 2003 1:12 AM
Subject: Re: [LARTC] Need some help on HTB and IMQ


> On Monday 24 February 2003 20:24, hanumantha kavuluru wrote:
> > Hi All,
> >
> > I am fairly new to Linux and TC. I am currently implementing Bandwidth
> > Management/Traffic Control for a gateway product which is based on Linux
> > 2.4.18 kernel. I am required to implement some kind of a user based traffic
> > control where each user (source IP) is allocated a fixed amount of
> > bandwidth. I also need to do traffic shaping both for the egress and
> > ingress traffic. Going through LARTC documentation, I found that IMQ with
> > HTB will suit my requirement. Is anybody using IMQ with HTB? Can HTB and
> > IMQ work with 2.4.18 kernel? If so, where can I download all the patches?
> > It is difficult for us to migrate to 2.4.20 kernel as most of the software
> > has already been developed using 2.4.18 kernel.
> http://luxik.cdi.cz/~patrick/imq/
> http://luxik.cdi.cz/~devik/qos/htb/
> And you don't need imq.  If you have a gateway, you can shape on both
> interfaces so you can control up- and download traffic.
>
> Just wondering, what kind of software did you develop so you can not use
> kernel 2.4.20 ??
>
> Stef
>
> --
>
> [EMAIL PROTECTED]
>  "Using Linux as bandwidth manager"
>  http://www.docum.org/
>  #lartc @ irc.oftc.net
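The reply's second option, ingress policing on the Internet-facing interface, as an added example that is not part of the original post; eth0, the 1000 kbit rate and the 100 ms RTT are constructed values, and the burst-from-RTT rule of thumb is my assumption, not the post's.

```shell
#!/bin/sh
# Added example (not the post's own script): the reply's second option, an
# ingress qdisc with a policer on the Internet-facing interface, capping what
# arrives before it is forwarded on to the LAN. Queueing is only possible on
# egress, so ingress can only police: excess packets are dropped, not delayed.
# Assumptions (constructed): eth0 faces the Internet, the downstream link is
# 1000 kbit with roughly 100 ms RTT. DRY_RUN=1 prints the commands instead.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# burst_bytes RATE_KBIT RTT_MS: token bucket size equal to rate x RTT
# (the bandwidth-delay product). A rule of thumb used here, not from the
# post: a bucket much smaller than one RTT of data tends to push TCP well
# below RATE, because every burst after an idle period gets clipped.
burst_bytes() {
    echo $(( $1 * $2 / 8 ))
}

# ingress_police DEV RATE_KBIT RTT_MS: drop everything above RATE_KBIT.
ingress_police() {
    dev=$1 rate_kbit=$2 rtt_ms=$3
    burst=$(burst_bytes "$rate_kbit" "$rtt_ms")
    run tc qdisc del dev "$dev" ingress 2>/dev/null || true
    # The ingress qdisc always has handle ffff: and holds no queue of its own.
    run tc qdisc add dev "$dev" handle ffff: ingress
    # "match u32 0 0" matches every packet. "drop" discards the excess so TCP
    # senders see loss and back off; "flowid :1" follows the LARTC HOWTO's
    # ingress recipe.
    run tc filter add dev "$dev" parent ffff: protocol ip prio 50 u32 \
        match u32 0 0 police rate "${rate_kbit}kbit" burst "$burst" drop flowid :1
}

# ingress_stats DEV: filter counters, to see how much the policer dropped.
ingress_stats() {
    run tc -s filter show dev "$1" parent ffff:
}
```

Pair this with HTB shaping on the LAN-side interface if you also want to share the capped bandwidth between LAN hosts; the policer alone only enforces the ceiling.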


RE: [LARTC] Bridging

2003-02-24 Thread S Mohan
I'm using bridging on LEAF - a mini distro - and it works well. The
numbering scheme however seems to suggest not so mature a code. I'm on
that list too and work is going on an iptables replacement for when
bridging is being used, called ebtables. The reason being that while
bridging, iptables can be used only on the forward table/chain.

Mohan
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Jay Wineinger
Sent: Monday, February 24, 2003 11:58 PM
To: [EMAIL PROTECTED]
Subject: [LARTC] Bridging


Not really contributing to the discussion on MAC forwarding, but I'm
wondering about the maturity of linux bridging.  I looked at the
sourceforge page Martin posted and it seems that the last updates were
made during 2002, nothing in 2003 yet.  Does this mean that bridging is
fairly stable and complete or that development is just going slow?  Just
curious.

Jay



RE: [LARTC] API using cbq / tc ?

2003-02-06 Thread S Mohan
First is better as it will not involve changing package if tc changes or
some changes are made to tc. Is your GUI X based or web based?

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Srikanth
Sent: Thursday, February 06, 2003 6:38 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [LARTC] API using cbq / tc ?


Hi! 

I'm developing some API functions using cbq / tc (for GUI based BW
Management).

I can do this by two approaches:

1. By executing the cbq.init script (which is executable) using some system
calls like execv etc.
Are there any problems by doing so?

OR 

2. Directly using iproute2/tc source code with slight modifications.

So, Which option is better?

Are there any other solutions, please welcome.

thanks & regards,
Srikanth. 





RE: [LARTC] share 2Mbit between 90 users - what's sensible?

2003-01-26 Thread S Mohan
wondershaper has a set of rules for this. Why not borrow those rules and
implement them?

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Björn Snippe
Sent: 26 January 2003 21:44
To: [EMAIL PROTECTED]
Subject: [LARTC] share 2Mbit between 90 users - what's sensible?


Hi,

I've read through the bigger parts of the docs, but I'm still fairly new
to this, so I would like to ask you for a little advice.

I've set up a 266Mhz-Linux-Router running a "Bering"-LEAF distribution,
which provides shaping of a 2 Mbit SDSL-Line for about 90 users.
We have quite a lot of P2P-users (students' dorm *g*), so the link
became congested quite regularly.

I've set up 90 subclasses borrowing from a HTB root class.
Traffic is filtered to them based on (static) source IPs.
The main reason for this are the users saying: "I've paid for my share
of bandwidth, which should be at least xy kBps, so that's the least I
can expect!"
Now I would like to prioritize interactive traffic for every user, too.
What's the most elegant way to do this? Create 90 more classes with a
better priority?
Isn't there a better way?

Thanks for your patience,
Björn Snippe
Hannover, Germany




RE: [LARTC] Bandwidth Restrictions in Linux

2003-01-26 Thread S Mohan
Have you tried htb.init (works like cbq.init using htb)? Available in
sourceforge, I think. Google would be your friend.

Mohan
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of ISC Robert Kryczalo
Sent: 25 January 2003 14:13
To: Intercom - Roberto Ravetti; Lartc@Mailman. Ds9a. Nl
Subject: RE: [LARTC] Bandwidth Restrictions in Linux


Hi,
> So, you were limiting bandwidth with CBQ... and now you change to HTB...??
Yes.

>
> What bandwidth you limited with CBQ and to how many clients...??
In most cases 128 kbit/s and for some special classes of traffic
96,80,64,48,40,39,32,24 kbit/s. Minimum guaranteed rates of 15kbit/s.
Of course there are higher rates... And we serve many, many more customers
and have a complex classification scheme based on time, port, packet size and
type... Anyway it takes some time to regenerate the HTB
tree and to create firewall rules.

> Another test I made was in the moment that I have high delays from the
> Server to a wireless client, I ping from the client to the AP and
> to others
> client.. the result was NORMAL DELAY IN PING... around 4 ms.
So.. really check your CBQ scripts.

>
> Roberto.
Robert




RE: [LARTC] Help Needed with TC qdisc and filters

2003-01-20 Thread S Mohan
Normally, either src or dst from an internal ip alone will be effective on
an interface as we can shape only outgoing traffic. Thus if eth0 is the
internal LAN interface for 1.2.3.x network, only dst will be effective. If
eth0 is the gateway to the other side with say eth1 as the internal
interface to 1.2.3.x LAN, then src will be effective. You will need to apply
src and dst to different interfaces to achieve what you want.

e.g. eth0 is WAN side and eth1 is LAN side then
# WAN side: classify by source address (the LAN hosts sending out)
tc qdisc add dev eth0 root handle 10: htb
tc class add dev eth0 parent 10: classid 10:1 htb rate 512kbit ceil 1Mbit
tc class add dev eth0 parent 10:1 classid 10:10 htb rate 512kbit ceil 1Mbit
tc class add dev eth0 parent 10:1 classid 10:20 htb rate 2kbit ceil 1Mbit
tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 \
match ip src 1.2.3.4/32 flowid 10:10
tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 \
match ip src 1.2.3.5/32 flowid 10:20

# LAN side: classify by destination address (replies going back to the LAN)
tc qdisc add dev eth1 root handle 11: htb
tc class add dev eth1 parent 11: classid 11:1 htb rate 512kbit ceil 1Mbit
tc class add dev eth1 parent 11:1 classid 11:10 htb rate 512kbit ceil 1Mbit
tc class add dev eth1 parent 11:1 classid 11:20 htb rate 2kbit ceil 1Mbit
tc filter add dev eth1 parent 11:0 protocol ip prio 1 u32 \
match ip dst 1.2.3.4/32 flowid 11:10
tc filter add dev eth1 parent 11:0 protocol ip prio 1 u32 \
match ip dst 1.2.3.5/32 flowid 11:20

You had not mentioned classes earlier. These are needed and filters will
assign traffic to classes. Thus traffic to and from 1.2.3.5/24 has 2kbit
borrowable up to a max of 1Mbit while 1.2.3.4/24 has 512kbit borrowable up to
1Mbit. Thus 1.2.3.4 will get a 512/514 portion of the bandwidth always. If no
traffic comes from 1.2.3.4, 1.2.3.5 will get full bandwidth.

I gave rate as 512 and ceil as 1mbit assuming WAN is a 1Mbit interface,
reserving 512 for ingress and 512 for egress. In case incoming traffic does
not take 512, the outgoing traffic can borrow that bandwidth up to max link
capacity.

HTH
Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Andreas Wright
Sent: 20 January 2003 14:30
To: [EMAIL PROTECTED]
Subject: [LARTC] Help Needed with TC qdisc and filters


Hello ,
I am trying to use tc to do the following ..on the interface(eth0) I want to
give priority to  to packets coming from a specific IP address 1.2.3.4 over
packets from  IP address 1.2.3.5 .
I would like to know if the following setup would work with PRIO qdisc.
tc qdisc add dev eth0 root handle 10 : prio
tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 \
match ip src 1.2.3.4/32 flowid 10:1
tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 \
match ip dst 1.2.3.4/32 flowid 10:1
tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 \
match ip src 1.2.3.5/32 flowid 10:2
tc filter add dev eth0 parent 10:0 protocol ip prio 1 u32 \
match ip dst 1.2.3.5/32 flowid 10:2
Can I test this setup by using flooding ping from 1.2.3.4 and 1.2.3.5 to the
machine configured with tc ?
I expected that pings from 1.2.3.5 will be dropped giving priority to
1.2.3.4
Looking forward to your input,
Andreas.









With Yahoo! Mail you can get a bigger mailbox -- choose a size that fits
your needs

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



RE: [LARTC] TC + IPsec and a Newbie

2003-01-19 Thread S Mohan
Look up wondershaper from http://lartc.org. It gives maximum priority to
interactive traffic. It creates a root qdisc and gives full bandwidth to
one handle. The way I see it, you need to create two classes as under:

Class 1: rate=max bw, ceil=max bandwidth.
Class 2: rate=1kb, ceil=max bandwidth. (giving 1 as we cannot give 0kb as
rate in tc).

Route all traffic with ports 500,51,52,47 destination to Class 1. I
guess you would also want to allocate bandwidth for incoming ipsec
traffic and choke the rest. You can, however, do ingress policing and
shape the incoming traffic by shaping the outgoing traffic on your
internal network interface.

HTH
Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Mike Nielsen
Sent: Monday, January 20, 2003 12:26 AM
To: LARTC
Subject: [LARTC] TC + IPsec and a Newbie


Hi there,

I am just starting out with the TC and iproute2 tools.  I have given
Bert 
Hubert's Linux Advanced Routing And Traffic Control Howto a couple of
reads 
but know I don't have a full grasp of concepts yet.   

My immediate need is to make sure ipsec traffic between two linux 
firewall/routers is given the greatest priority over all other traffic.


In more detail I have a leg of a VPN that is running over ISDN.
Previously 
if someone is surfing the web or god forbid trying to stream audio it
throws 
a wrench into the IPsec works.  

Aside from blocking the streaming I need a way to make sure IPSec will
be 
given as much preferance over other traffic types as possible.

Would someone give me an example of  commands I would need to enter into
a 
script, or point me to a location that might have this situation already

coded out?


Also any other tips you can offer would be greatly appreciated.

-- 


-
|\/|[EMAIL PROTECTED]
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



RE: [LARTC] QoS (HTB) without IP address

2002-12-30 Thread S Mohan
I think bridging is the best and simplest method. Bridging allows for
multiple interfaces in the same subnet while all other solutions assume a 2
interface scenario only.

Proxy ARP is better if you want to implement firewalling. Either you can
set this up by hand or implement using parprouted (google to find location)
which is normally used to implement bridging in a wireless network where MAC
addresses cannot be propagated.

Mohan
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Daniel Egger
Sent: 31 December 2002 04:34
To: Gilles Douillet
Cc: [EMAIL PROTECTED]
Subject: RE: [LARTC] QoS (HTB) without IP address


Am Mon, 2002-12-30 um 21.36 schrieb Gilles Douillet:

> But if I wat to manage it remotely, AND if I have NO ip available (cause
> netmask is 255.255.255.252), can I have a third interface, not put it
brctl
> and assign an IP of the private network (IP from RFC 1918) normally the
> bridge software should ignore it and I can put a nice Apache with RRD
Tool,
> with MRTG, with any other nice tool to monitor bandwith and connections ?

Forget the bridging junk. Pick an ipaddress, assign it to both
interfaces and make sure you configure iptables to FORWARD traffic
comming from either side to the other. Additionally you can setup
whatever sort of traffic shaping you desire and/or implement a
transparent proxy.

--
Daniel Egger <[EMAIL PROTECTED]>

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



RE: [LARTC] QoS (HTB) without IP address

2002-12-30 Thread S Mohan
I'm doing this on a  LEAF box using bridge-cf-0.03 code from
bridge.sourceforge.net and htb on a Bering version of LEAF. Works well.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Martin A. Brown
Sent: 31 December 2002 01:16
To: Gilles Douillet
Cc: [EMAIL PROTECTED]
Subject: Re: [LARTC] QoS (HTB) without IP address


Gilles,

Yes.  You can most certainly do so.

  http://lartc.org/howto/lartc.bridging.html
  http://lartc.org/howto/lartc.bridging.shaping.html

-Martin

 : Hi all,
 :
 : After a long reading of the LARTC, I were able to set up a working HTB
 : config on my firewall.
 :
 : But my question is :
 :
 : Can I use a "ip less" box to do QoS ? With bridging software (or even
 : without?) or thing like this and use an u32 filter to direct the traffic
to
 : the right class ?
 :
 : In other words, I can't modify the existing network config or inster into
 : (netmask is 255.255.255.252) and I want to shape traffic before the
router.
 : (And the firewall can't do bandwitdth managment...)
 :
 : Many thanks in advance and happy new year 2003 !
 :
 : G.
 :
 : ___
 : LARTC mailing list / [EMAIL PROTECTED]
 : http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
 :

--
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



RE: [LARTC] Using HTB as an ISP "provisioning engine"

2002-12-19 Thread S Mohan
You can go one step further. If you are charging differential rates to
customers, then you can fine tune as per the scenario discussed under:

Let us say customer A has paid more for bandwidth than customer B, then
customer A should have a greater lien on spare bandwidth than customer B. This
is achieved by prio in qdisc. Let us give customer A prio 1 and B prio 2. If
customer A and B have used their rates and 400Kb spare bandwidth is
available, then the full 400kb goes to A. If customer A is at 800kb and B at
250Kb, then 300Kb (1.1 ceiling-0.8 actual) goes to A so that he hits ceiling
and the balance 100kb goes to B.

Stef, is this scenario correct? In case I'm wrong, please let me know.

Mohan
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Stef Coene
Sent: 20 December 2002 02:40
To: Brian Capouch; [EMAIL PROTECTED]
Subject: Re: [LARTC] Using HTB as an ISP "provisioning engine"


On Thursday 19 December 2002 21:51, Brian Capouch wrote:
> I am new to shaping but not to routing; forgive me if this request is
> inappropriate for this list.
>
> I am a very small ISP and would like to use HTB to enforce contractual
> bandwidth limits on my customers.  I am trying to think through one
> aspect of this that is vexing me.  I'm sure it's no great secret that
> many ISPs oversell their bandwidth, and in our case we have a
> combination of accounts that total approximately 2.2Mbs on our feed,
> which is 1.2Mbs. (Concentrating right now on our download stream)
>
> How could something like this be accomodated?  The documentation says
> that the total bandwidth allocations of a set of subclasses should total
> that assigned to the class.
>
> But my understanding is that if I bump up the bandwidth on the primary
> class to a value greater than my actual bandwidth, then I'm going to be
> filling up queues at the upstream ISP and negatively affecting my
> performance.
>
> I'm sure there is something I'm missing, but I've discussed this with a
> couple of fellow network engineers and neither was able to posit how
> such thing might work, although they both said they were sure that it is
> a common scenario.
You can create a root class with rate = ceil = 1.2 Mbps.  Create a class for
each customer with ceil = sold bandwidth and the sum of the rates = 1.2Mbps.

Example :
You sold 1.1 Mbps to customer1 and 0.37 (=2.2Mbps/6) to 3 other customers.
So you have a total bandwidth of 2.2Mbps.  But you have only 1.2 Mbps
available.
class rate = ceil = 1.2 Mbps
  class1 rate = 0.6, ceil = 1.1Mbps
  class2 rate = 0.2, ceil = 0.37Mbps
  class3 rate = 0.2, ceil = 0.37Mbps
  class4 rate = 0.2, ceil = 0.37Mbps

The bandwidth you sold to the customers is the ceil.  They can never use
more than the ceil.  If one customer is using no bandwidth, the remaining
bandwidth is given to the other customers.
If all customers are using all bandwidth, each customer is "punished" in the
same way.

You can also give the customers the possibility to use as much bandwidth as
is available.  To do so, give each class ceil = 1.2Mbps, but that bandwidth is
not guaranteed.  In this case, the rate is the minimum bandwidth they can
get.  So for a SLA, you can say to the customer : "You have a minimum
bandwidth of 0.6Mbps and a maximum bandwidth of 1.2Mbps."

Stef

--

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
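The sharing rules in this thread (rate as the guarantee, ceil as the cap, spare bandwidth going to the lowest prio number first) and the 512 kbit / 2 kbit pair of classes from the "Help Needed with TC qdisc and filters" reply earlier on this page, worked through as an added example. This is not code from the posts or from the HTB author; it is a steady-state model of the scheduler in kbit/s. One thing the model includes that the thread does not mention: HTB weighs borrowing classes by quantum, which is the rate in bytes/s divided by r2q (default 10) and clamped to 1000..200000 bytes (the kernel warns "quantum of class ... is small" or "big" when the clamp hits), so a 2 kbit class next to a 512 kbit one borrows roughly 1000:6400 of the spare, not 2:512.

```python
"""Steady-state model of HTB sharing: every class first gets min(demand, rate); the spare
link capacity then goes to the classes with the lowest prio number, split in proportion
to their quantum and capped by ceil and by demand; what is left falls to the next prio.

Added example, not code from the posts. Bandwidth figures are kbit/s. The quantum clamp
mirrors sch_htb: rate_bytes_per_s / r2q, forced into 1000..200000 bytes."""

R2Q = 10  # HTB default; `tc qdisc add ... htb r2q N` changes it


def quantum(rate_kbit, r2q=R2Q):
    """Bytes a class may send per borrowing round, as the kernel computes it."""
    return max(1000, min(200000, rate_kbit * 1000 // 8 // r2q))


def htb_share(link_kbit, classes, demand):
    """classes: name -> (rate, ceil, prio); demand: name -> offered load, absent = idle.
    Returns name -> kbit/s actually allocated."""
    if sum(rate for rate, _c, _p in classes.values()) > link_kbit:
        # Stef's rule: the rates must add up to the link, or the guarantees are fiction
        raise ValueError("sum of rates exceeds the link: guarantees cannot all be met")
    cap = {n: min(ceil, demand.get(n, 0)) for n, (_r, ceil, _p) in classes.items()}
    alloc = {n: min(rate, demand.get(n, 0)) for n, (rate, _c, _p) in classes.items()}
    spare = link_kbit - sum(alloc.values())
    for prio in sorted({p for _r, _c, p in classes.values()}):
        # water-fill within one prio level: classes that hit ceil drop out, the rest reshare
        while spare > 1e-9:
            wanting = [n for n, (_r, _c, p) in classes.items()
                       if p == prio and cap[n] - alloc[n] > 1e-9]
            if not wanting:
                break
            weight = {n: quantum(classes[n][0]) for n in wanting}
            total = sum(weight.values())
            handed = 0.0
            for n in wanting:
                give = min(spare * weight[n] / total, cap[n] - alloc[n])
                alloc[n] += give
                handed += give
            spare -= handed
    return alloc


# Stef's ISP example: 1.2 Mbit link, 2.2 Mbit sold, sum of rates equal to the link.
ISP = {"c1": (600, 1100, 0), "c2": (200, 370, 0), "c3": (200, 370, 0), "c4": (200, 370, 0)}
# Same tree with customer A (c1) on a better prio, as suggested in the reply above.
ISP_PRIO = {"c1": (600, 1100, 1), "c2": (200, 370, 2), "c3": (200, 370, 2), "c4": (200, 370, 2)}
# The 512 kbit / 2 kbit pair under a 1 Mbit (1024 kbit) WAN from the earlier thread.
PAIR = {"A": (512, 1024, 1), "B": (2, 1024, 1)}

if __name__ == "__main__":
    print("all busy      ", htb_share(1200, ISP, {n: 5000 for n in ISP}))
    print("c4 idle       ", htb_share(1200, ISP, {n: 5000 for n in ("c1", "c2", "c3")}))
    print("c4 idle, prio ", htb_share(1200, ISP_PRIO, {n: 5000 for n in ("c1", "c2", "c3")}))
    print("A and B busy  ", htb_share(1024, PAIR, {"A": 5000, "B": 5000}))
```

With all four customers busy everyone sits at rate; with c4 idle its 200 kbit is reshared 3:1:1 by quantum, and with c1 on prio 1 that whole 200 kbit goes to c1 instead. Compare the last line with the "512/514" arithmetic in the earlier reply: the quantum clamp hands the 2 kbit class around 70 kbit, and if that is not wanted the fix is a smaller rate ratio or an explicit `quantum` on the class.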



RE: [LARTC] Proxy-ARP

2002-11-17 Thread S Mohan
-Original Message-
From: Martin A. Brown

> Let me note a few things.  First, you need only send a mail to the list,
> not the individual subscribers.

Eager beaver. My apologies if I transgressed.

> This means that you are assigning the same IP to two different ethernet
> interfaces on the same media segment.  That's not strictly forbidden, but
> unless you take some other steps, the machines on the ethernet will get
> one MAC address for 10.0.1.4 on some ARP requests, and the other MAC
> address for other requests.  That's not quite deterministic, so your
> networking will break.

True. This is my intent. My LAN will get the MAC address of eth1 for
10.0.1.4 while my router will get the MAC address of eth1 for the same IP.
This is how it is physically arranged.

> If you are intending to break the network into two pieces, you have not
> done so here.  You should make routes for the IPs which are reachable on
> each ethernet.  For example:
>
> # ip route del 10.0.1.0/24 dev eth1
> # ip route add 10.0.1.1 dev eth0
> # ip route add default via 10.0.1.1
>
>  : #ip ro del 10.0.1.0/24 via 10.0.1.4 dev eth0
>  : RTNETLINK answers: No such process
>
> That's because there is no such route... hence the answer is "RTNETLINK
> answers: No such process".  I'd suggest re-reading the iproute2 command
> reference to understand the use of the keyword "via".  You are not using
> the right keyword, or not understanding what you are asking of the kernel,
> here.
>
>  : #ip ro add 10.0.1.1/24 via 10.0.1.4 dev eth0

I got my answer. Thanks. I guess I should have used "ip ro del 10.0.1.0/24
dev eth0". I used via as the scope link src was there. I wanted to get rid
of the generic route for 10.0.1.0/24 via eth0 and replace it with a route
for just 1 ip 10.0.1.1 (my router's ip) via eth0. Thus all packets meant for
my LAN will go thro' eth1 while those meant for the router will go thro'
eth0. I think I need to do a few more runs of the iproute2 doc to understand
syntax pretty well.

I was trying this so that I could use iptables for firewalling and
tc/cbq/htb for bandwidth shaping out of my LAN without reconfiguring and
gateway IPs on nodes. I was given to understand that a pure bridge will work
with iptables. Further reading has enlightened me on that too. Looks like
the bridging code now interfaces with iptables.

Thanks for the help.

Mohan

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



[LARTC] Proxy-ARP

2002-11-17 Thread S Mohan
I'm working with LEAF boxes as gateway machines. I'm trying to implement
Proxy-ARP to build a bandwidth manager for my network. I've gone as per
the lartc howto to implement a transparent bridge in an existing network
and plan to put in my tc script after this. I'm configuring the box as a
standalone one before plugging it into the network. I'm getting an error
when I try to delete a route for local LAN addresses thro' the external
interface in order to put in a specific one to route only packets meant
for the router's interface thro' that ethernet interface on the LEAF
box. The kernel version is 2.4.18 patched with htb and ipsec. Iproute2
is also installed.

My intended network goes as below. I put up a LEAF box to try this. LAN
Config is as under

                      10.0.1.1
   Internet    +-----------------+  eth0     +-------------+  eth1     |
   =========> | Router/ VPN Box |-----------| LEAF Bering |-----------| LAN
   Leased      +-----------------+  10.0.1.4 +-------------+  10.0.1.4 | 10.0.1.x

I set up interfaces file and checked all the settings. I'm unable to
delete the route for eth0 for 10.0.1.x addresses. I'm giving below the
transcript. I'm not able to figure out what the problem is. Can you help
me put this up please?


#ip li sh
1: lo:  mtu 16436 qdisc noqueue 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: dummy0:  mtu 1500 qdisc noop 
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:00:21:f3:0a:4f brd ff:ff:ff:ff:ff:ff
4: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:00:21:f4:50:e7 brd ff:ff:ff:ff:ff:ff

#ip addr sh
1: lo:  mtu 16436 qdisc noqueue 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0:  mtu 1500 qdisc noop 
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:00:21:f3:0a:4f brd ff:ff:ff:ff:ff:ff
inet 10.0.1.4/24 brd 10.0.1.255 scope global eth0
4: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:00:21:f4:50:e7 brd ff:ff:ff:ff:ff:ff
inet 10.0.1.4/24 brd 10.0.1.255 scope global eth1

#ip ro sh
10.0.1.0/24 dev eth0  proto kernel  scope link  src 10.0.1.4 
10.0.1.0/24 dev eth1  proto kernel  scope link  src 10.0.1.4 
default via 10.0.1.1 dev eth0

#cat /proc/sys/net/ipv4/conf/eth1/proxy_arp
1

#cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
1

#ip ro del 10.0.1.0/24 via 10.0.1.4 dev eth0
RTNETLINK answers: No such process

#ip ro add 10.0.1.1/24 via 10.0.1.4 dev eth0
#ip ro sh
10.0.1.1 via 10.0.1.4 dev eth0 
10.0.1.0/24 dev eth0  proto kernel  scope link  src 10.0.1.4 
10.0.1.0/24 dev eth1  proto kernel  scope link  src 10.0.1.4 
default via 10.0.1.1 dev eth0 


Since I'm going to be introducing this bridge into a production LAN, I'd
like this to work first shot. Any pointers please.

TIA
Mohan

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



RE: [LARTC] how does <> work??

2002-11-01 Thread S Mohan
In the filter sequence, would not all packets match the first filter and
hence go thro' that only? Should the filter chain be modified to have
the $LOCALIP source last so that packets not coming from sport 80 and
443 will only reach that filter as intended. What does rest mean in 4:0
when it would anyway match 2:0? The match or filter conditions do not
look different at all.

If my understanding is wrong, I'd like to know the correct one.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:lartc-admin@;mailman.ds9a.nl]
On Behalf Of Clemens Resanka
Sent: Saturday, November 02, 2002 1:45 AM
To: [EMAIL PROTECTED]
Subject: [LARTC] how does <> work??


Hi all,

I am trying to use cbq to limit the traffic of an interface.

I want all traffic from local addresses to pass through unlimted, all
web-traffic limited to 500kbit and the rest limited to 250kbit. The
500kbit and the 250kbit traffic should be allowed to borrow from each
other, but not from the unlimited local addresses.

Here's the setup:

#  1:0cbq
# / | \
#/  |  \
#   /   |   \
# 1:1  1:2  1:3
#  |||
#  |||
# 2:0  3:0  4:0   sfq
#
#   local  Web  rest
#   unl. LIMIT1 LIMIT2

I made 1:1 isolated but 1:2 and 1:3 still borrow from it. bounded
however works as expected.

Did I miss something or is the isolated option broken?

btw: I tried it with a 2.4.10 and a 2.4.19 kernel.

here are the commands I tried:
--

# IP to route through 1:1
LOCALIP=192.168.0.0/24

# Limit of 1:2
LIMIT1=500kbit

# Limit of 1:3
LIMIT2=250kbit

# Interface to limit
IFACE=eth1

# 1:0 cbq qdisc
tc qdisc add dev $IFACE root handle 1:0 cbq bandwidth 100Mbit \
  avpkt 1000

# 1:1 cbq class; unlimited 
tc class add dev $IFACE parent 1:0 classid 1:1 cbq \
bandwidth 100Mbit rate 100Mbit maxburst 20 avpkt 1000 isolated 

# 1:2 cbq class; limited to $LIMIT1
tc class add dev $IFACE parent 1:0 classid 1:2 cbq \
bandwidth 100Mbit rate $LIMIT1 maxburst 20 avpkt 1000 

# 1:3 cbq class; limited to $LIMIT2
tc class add dev $IFACE parent 1:0 classid 1:3 cbq \
bandwidth 100Mbit rate $LIMIT2 maxburst 20 avpkt 1000 

# 2:0, 3:0 sfq
tc qdisc add dev $IFACE parent 1:1 handle 2:0 sfq 
tc qdisc add dev $IFACE parent 1:2 handle 3:0 sfq 
tc qdisc add dev $IFACE parent 1:3 handle 4:0 sfq 

# everything from $LOCALIP goes to 1:1
tc filter add dev $IFACE protocol ip parent 1:0 prio 1 u32 \
  match ip src $LOCALIP flowid 1:1
# port 80 to 1:2 (0xffff masks the whole 16-bit port field)
tc filter add dev $IFACE protocol ip parent 1:0 prio 1 u32 \
  match ip sport 80 0xffff flowid 1:2
# port 443 to 1:2
tc filter add dev $IFACE protocol ip parent 1:0 prio 1 u32 \
  match ip sport 443 0xffff flowid 1:2
# everything else to 1:3
tc filter add dev $IFACE protocol ip parent 1:0 prio 1 u32 \
  match ip src 0.0.0.0/0 flowid 1:3

--



So far..

 - Clemens -
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
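An added example, not code from the posts, that renders the HTB tree and u32 filters discussed in the "Help Needed with TC qdisc and filters", "TC + IPsec" and "how does <> work" threads above, and checks a filter set against sample packets offline with the first-match order the kernel uses (ascending prio, then the order the filters were added). Assumptions: the ISDN link is one 64 kbit B channel, the sfq handles are unused, and the packet dicts carry only the header fields the filters look at. ESP and AH are IP protocols 50 and 51 and IKE is UDP port 500, which is what the IPsec filter set matches on; a plain `match ip sport` without a protocol match compares the two bytes at offset 20 of the IP header whatever the protocol, so the model keeps that behaviour rather than hiding it.

```python
"""HTB tree + u32 filter rendering, plus an offline first-match check of a filter set.

Added example, not code from the LARTC posts. The tc syntax follows the threads; the
classifier is a model of how the kernel walks filters (ascending prio, then order added)
and of what `match ip src/dst/protocol/sport/dport` compares, so a filter set can be
sanity-checked against sample packets before being loaded on a live interface."""
import ipaddress
import subprocess


def htb_tree(dev, root, link, classes):
    """Render an HTB root with a link-rate parent and one leaf per (minor, rate, ceil, prio).

    The last class is the default for unclassified traffic; each leaf gets an sfq so
    flows inside a class share it fairly (the sfq handle number is assumed unused)."""
    cmds = [
        f"tc qdisc add dev {dev} root handle {root}: htb default {classes[-1][0]}",
        f"tc class add dev {dev} parent {root}: classid {root}:1 htb rate {link} ceil {link}",
    ]
    for minor, rate, ceil, prio in classes:
        cmds.append(f"tc class add dev {dev} parent {root}:1 classid {root}:{minor} "
                    f"htb rate {rate} ceil {ceil} prio {prio}")
        cmds.append(f"tc qdisc add dev {dev} parent {root}:{minor} handle {minor}: sfq perturb 10")
    return cmds


# u32 selectors as rendered by tc; `ip sport`/`ip dport` read the two bytes at offset 20
# of the IP header whatever the protocol, so pair them with a protocol match.
U32 = {"proto": "match ip protocol {} 0xff", "src": "match ip src {}", "dst": "match ip dst {}",
       "sport": "match ip sport {} 0xffff", "dport": "match ip dport {} 0xffff"}


def filter_cmds(dev, root, filters):
    """Render one `tc filter add ... u32 ... flowid` line per filter dict."""
    out = []
    for f in filters:
        sel = " ".join(U32[k].format(f[k]) for k in U32 if k in f)
        out.append(f"tc filter add dev {dev} parent {root}: protocol ip prio {f.get('prio', 1)} "
                   f"u32 {sel} flowid {f['flowid']}")
    return out


def matches(f, pkt):
    """True if every selector in filter f holds for the packet (a dict of header fields)."""
    for key, want in f.items():
        if key in ("flowid", "prio"):
            continue
        have = pkt.get(key)
        if have is None:
            return False
        if key in ("src", "dst"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        elif have != want:
            return False
    return True


def classify(filters, pkt):
    """Return the flowid of the first matching filter (ascending prio, then order added),
    or None when nothing matches and the qdisc default class applies."""
    order = sorted(enumerate(filters), key=lambda e: (e[1].get("prio", 1), e[0]))
    for _, f in order:
        if matches(f, pkt):
            return f["flowid"]
    return None


def run_commands(cmds):
    """Apply rendered commands on a live box (root required); not called by the checks below."""
    for c in cmds:
        subprocess.run(c.split(), check=True)


# Scenario 1: the 512 kbit / 2 kbit pair of classes under a 1 Mbit WAN, as in Mohan's reply.
PAIR_CLASSES = [("10", "512kbit", "1mbit", 1), ("20", "2kbit", "1mbit", 1)]
PAIR_FILTERS = [{"dst": "1.2.3.4/32", "flowid": "11:10"}, {"src": "1.2.3.4/32", "flowid": "11:10"},
                {"dst": "1.2.3.5/32", "flowid": "11:20"}, {"src": "1.2.3.5/32", "flowid": "11:20"}]

# Scenario 2: IPsec first on an ISDN B channel (64 kbit assumed). ESP and AH are IP
# protocols 50 and 51; IKE is UDP port 500. Everything else gets the 1 kbit class.
IPSEC_CLASSES = [("10", "63kbit", "64kbit", 0), ("20", "1kbit", "64kbit", 1)]
IPSEC_FILTERS = [{"proto": 50, "flowid": "1:10"}, {"proto": 51, "flowid": "1:10"},
                 {"proto": 17, "dport": 500, "flowid": "1:10"}]

# Scenario 3: the cbq filter list from the "how does <> work" post, all at prio 1.
CBQ_FILTERS = [{"src": "192.168.0.0/24", "flowid": "1:1"}, {"sport": 80, "flowid": "1:2"},
               {"sport": 443, "flowid": "1:2"}, {"src": "0.0.0.0/0", "flowid": "1:3"}]

if __name__ == "__main__":
    for line in htb_tree("eth1", "11", "1mbit", PAIR_CLASSES) + filter_cmds("eth1", "11", PAIR_FILTERS):
        print(line)
    for line in htb_tree("eth0", "1", "64kbit", IPSEC_CLASSES) + filter_cmds("eth0", "1", IPSEC_FILTERS):
        print(line)
    # A local web server's replies land in 1:1, not the 500 kbit web class: first match wins.
    print(classify(CBQ_FILTERS, {"src": "192.168.0.5", "proto": 6, "sport": 80}))
```

After loading the rendered commands, `tc -s class show dev eth1` shows the Sent counters moving per class, and `tc filter show dev eth1` lists the filters in the order the kernel walks them; that is the check to run before trusting a filter set on a production link.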



RE: [LARTC] Can't keep up with all these file sharing programs!

2002-10-10 Thread S Mohan

I believe Hogwash does some kind of packet inspection and replaces data
in packets. Maybe you could take alook at it. It is used for IDS but
uses the technique you have wanted. Maybe it can be used for this.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Jason Tackaberry
Sent: Thursday, October 10, 2002 7:25 AM
To: [EMAIL PROTECTED]
Subject: [LARTC] Can't keep up with all these file sharing programs!


Hi everyone,

I'm using HTB to shape traffic for students in our residences.  We're an
extremely small college (about 50 Internet users in our residences) and
we don't have a good deal of bandwidth to work with, so I must do what I
can to make what we do have tolerable to our students.

I am right now using the following approach: I have allotted a portion
of our total bandwidth (R) to the residence subnet on the upstream
interface on our router.  This class is sub-divided into two classes: a
p2p class for all those pesky file sharing programs, which has a ceiling
of about R/2, and an "everything else" class, which has a guaranteed
rate of R/2, and a ceililng of R.  I have put SYN and ACK packets in a
separate class (under root) to improve responsiveness.

In theory, this scheme works pretty good.  The problem is that every day
some of these p2p programs are using different ports, and they manage to
suck up all available downstream bandwidth.  So, the student who wants
to send their friend a file over ICQ is going to get starved by every
other student running Kazaa-du-jour.

Now it would be _really_ nice if there was some ability to examine
packets at layer 7 to determine what class a particular session belongs
in (like, for instance, the way Packeteer's Packet Shaper works).  I'm
assuming I can't get this functionality (unless I write it myself), so
can someone suggest a remedy to my problem?  Is there some magic
adjustment I can make?  Or, perhaps I should try a different approach,
and give each IP a guaranteed rate?  The only drawback I see with this
is that with 50 users, I could only guarantee each user 5kbps. :)

Any guidance would be appreciated.

Best,
Jason.

-- 
Jason Tackaberry  ::  [EMAIL PROTECTED]  :: 705-949-2301 x330 
Academic Computing Support Specialist
Information Technology Services
Algoma University College  ::  www.auc.ca


___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



RE: [LARTC] Multiple Static Ip's on a adls connection

2002-10-03 Thread S Mohan
You need to use destination NAT or DNAT. I use iptables and iptables can do
this. Regarding ipchains, I'm not sure, need to check. Does floppyfw use
iptables?

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of mike ferguson
Sent: Friday, October 04, 2002 3:41 AM
To: [EMAIL PROTECTED]
Subject: [LARTC] Multiple Static Ip's on a adls connection

Hi all.

I have recently signed up with an adsl supplier. I ordered static ip's. I was
given a block from 153-158. I am trying to make it so that each machine gets a
live ip address that is accessible on the wan. I am using floppyfw as my
router on a p200. I know that I could set up eth0 as multiple ip's and do
nat, but I am wondering if there is another way. I just want all the machines
to have their own ip and have that ip accessible to the internet with no port
blocking or anything. If someone could help that would be greatly appreciated.


RE: [LARTC] the range of HTB's prio

2002-09-17 Thread S Mohan

Earlier Freeswan also required patching of the kernel. Recently, however, an
rpm was released which makes it easy to install. Many users may not have
installed development libraries to do a recompile. Can someone who is good
at it create and publish the rpms of kernel, iproute2 and tc patched for htb
please?

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Stef Coene
Sent: 17 September 2002 22:46
To: Robert Penz; [EMAIL PROTECTED]
Subject: Re: [LARTC] the range of HTB's prio


On Tuesday 17 September 2002 12:00, Robert Penz wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Tuesday 17 September 2002 11:50, Nickola Kolev wrote:
> > > please tell me the range of "prio"
> >
> > 1 to 8, 1 being the highest, 8 - the lowest.
>
> 0 is highest as I know ...
>
> but I've also an question:
>
> is there if difference if I have 2 chains and use prio 0 and 7 or prio 0
> and 1 ?
No

Stef

--

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



RE: [LARTC] iproute and marking packets.

2002-09-13 Thread S Mohan

You would probably need to check the precedence of the rules. Routing based
on fwmark may need to come ahead of the one that routes the packet to T2.
Have not used it myself. This is logic and not experience. If this is wrong,
forgive me for I know not.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Thompson,Peter
Sent: 13 September 2002 14:23
To: '[EMAIL PROTECTED]'
Subject: [LARTC] iproute and marking packets.



I have browsed the archives and not found anything to answer my problem so
here goes :-)

my internal network is on the 10.0.0.0/16

my eth0 has 10.1.0.13  this address is NAT'ed at a cisco router  which is
10.1.0.21
my eth1 has 217.41.191.35 and this is connected straight into the back of an
ADSL modem the ip address of this is 217.41.191.38

the default gateway of this machine is the ADSL router.

i have recompiled the kernel with routing/packet marking options needed.

I have the machine talking to the net and replying via both interfaces. this
is my script so far...


echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter


ip route add default via 217.41.191.38 table T1
ip route add default via 10.1.0.21 table T2
# adds rules from the tables i guess.
ip rule add from 217.41.191.35 table T1
ip rule add from 10.1.0.13 table T2
#need this to see other internal machines...
route add -net 10.0.0.0/8 gw 10.1.0.21 dev eth0

this bit works fine..

What i want to do is mark smtp packets and send them via my 10.1.0.21
gateway.


#iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 1
#iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 1

#tried both methods here.. both result in failure...
#ip ro add default dev eth0 table 10
#ip route add default via 10.1.0.21 dev eth0 table 10


#ip ru add fwmark 1 table 10

ive checked to see if the counters increment and they do.. so the marking is
working fine.. just not the routing..
 when i try to telnet to port 25 of anything i get a "no route to host" and
nothing appears in TCPDUMP
if i remove the ip ru add fwmark 1 i can then telnet to port 25 of anything
again but via the adsl link...



i am using iptables 1.2.7a and kernel 2.4.18 on a suse 8 box.

anyone any ideas ?

Thanks in advance.

Pete Thompson





___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
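An added example, not code from the posts, modelling how the kernel picks a route for the two situations on this page: the Proxy-ARP box with 10.0.1.0/24 on both eth0 and eth1 (the "Proxy-ARP" threads above), and the fwmark rule in the packet-marking post just above. Routes are parsed from `ip route show` lines as they appear in the Proxy-ARP transcript; rules are given with explicit prefs (assumed values), because `ip rule add` without a pref slots each new rule in ahead of the ones added before it, which is the precedence question the reply raises. The main table for the marking box is limited to what that post states.

```python
"""Model of the kernel's route selection: `ip rule` entries in ascending pref, then a
longest-prefix match in the chosen table, falling through to the next rule when the
table has no route. Added example, not code from the posts; routes are parsed from
`ip route show` style lines, rules are given explicitly with assumed prefs."""
import ipaddress


def parse_route(line):
    """Turn one `ip route show` line into (prefix, via, dev); 'default' is 0.0.0.0/0."""
    toks = line.split()
    prefix = ipaddress.ip_network("0.0.0.0/0" if toks[0] == "default" else toks[0], strict=False)
    via = dev = None
    for i, tok in enumerate(toks[:-1]):
        if tok == "via":
            via = toks[i + 1]
        elif tok == "dev":
            dev = toks[i + 1]
    return prefix, via, dev


def lookup(table, dst):
    """Longest-prefix match. Two routes with the same prefix (the Proxy-ARP transcript has
    10.0.1.0/24 on both eth0 and eth1) are decided by listing order, as the kernel does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, via, dev)
    return None if best is None else (best[1], best[2])


def route(rules, tables, dst, src="0.0.0.0", fwmark=0):
    """rules: (pref, selectors, table) with selectors from {'from': cidr, 'fwmark': int}.
    Returns (table, (via, dev)) for the first rule whose selectors match and whose table
    holds a route, or None when the destination is unreachable."""
    for _pref, sel, table in sorted(rules, key=lambda r: r[0]):
        if "from" in sel and ipaddress.ip_address(src) not in ipaddress.ip_network(sel["from"], strict=False):
            continue
        if "fwmark" in sel and sel["fwmark"] != fwmark:
            continue
        hit = lookup(tables.get(table, []), dst)
        if hit:
            return table, hit
    return None


# Proxy-ARP box as shown in the transcript: both /24 routes present, eth0 listed first,
# so every LAN host is reached through eth0 and the LAN side never sees the traffic.
BEFORE = [parse_route(l) for l in (
    "10.0.1.0/24 dev eth0  proto kernel  scope link  src 10.0.1.4",
    "10.0.1.0/24 dev eth1  proto kernel  scope link  src 10.0.1.4",
    "default via 10.0.1.1 dev eth0")]
# After `ip route del 10.0.1.0/24 dev eth0` and `ip route add 10.0.1.1 dev eth0`:
# only the router's /32 stays on eth0, the LAN /24 on eth1.
AFTER = [parse_route(l) for l in (
    "10.0.1.1 dev eth0  scope link",
    "10.0.1.0/24 dev eth1  proto kernel  scope link  src 10.0.1.4",
    "default via 10.0.1.1 dev eth0")]

# Policy routing from the packet-marking post; prefs are assumed, the fwmark rule first.
MARK_TABLES = {
    "T1": [parse_route("default via 217.41.191.38 dev eth1")],
    "T2": [parse_route("default via 10.1.0.21 dev eth0")],
    "10": [parse_route("default via 10.1.0.21 dev eth0")],
    "main": [parse_route("10.0.0.0/8 via 10.1.0.21 dev eth0"),
             parse_route("default via 217.41.191.38 dev eth1")],
}
MARK_RULES = [(100, {"fwmark": 1}, "10"), (200, {"from": "217.41.191.35"}, "T1"),
              (201, {"from": "10.1.0.13"}, "T2"), (32766, {}, "main")]

if __name__ == "__main__":
    print("LAN host, before:", lookup(BEFORE, "10.0.1.50"))
    print("LAN host, after: ", lookup(AFTER, "10.0.1.50"))
    print("router, after:   ", lookup(AFTER, "10.0.1.1"))
    print("smtp, marked:    ", route(MARK_RULES, MARK_TABLES, "198.51.100.7", fwmark=1))
    print("other, unmarked: ", route(MARK_RULES, MARK_TABLES, "198.51.100.7"))
```

`ip rule show` prints the prefs the kernel actually assigned; if the fwmark rule does not carry the lowest number among the custom rules, re-add it with an explicit `pref` so that the order does not depend on the order the script ran in.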



[LARTC] Tcng error

2002-07-16 Thread S Mohan

I downloaded tcng and tried to run ./configure. I got the following
error.
-screen output/ transcript---
bash-2.05a# ./configure
building tcsim:yes
/usr/src/linux: no kernel directory
bash-2.05a#
-end transcript--

Does tcng require recompilation of kernel? I'm using RH7.3. Is there an
rpm for RH? How do I get this going. All help welcome. TIA

Mohan

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



RE: [LARTC] Anything out there that is similar to Cisco's WFQ?

2002-07-10 Thread S Mohan

Try sfq qdisc as a leaf within a class.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of CIT/Paul
Sent: Wednesday, July 10, 2002 9:28 PM
To: [EMAIL PROTECTED]
Subject: [LARTC] Anything out there that is similar to Cisco's WFQ?


I've looked all over the place and I can't find
Any queuing mechanism that is similar to the "fair-queue" on Cisco. It
seems to work better than anything else that I have ever seen to create
Lower latency for connections.

This is what it does in brief (flow based WFQ)
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart2/qcwfq.htm

Any help would be greatly appreciated :) This is much better than SFQ :>

Paul


___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



RE: [LARTC] Priority Queueing on Linux

2002-07-10 Thread S Mohan
You can use the prio options in qdisc and channel traffic thro' different
qdiscs. Another option is to set TOS marks and route to qdiscs using the mark
filters in the u32 classifier.

Why don't you look up http://www.docum.net . Staf has a good site going. I've
benefitted from it.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick Chan
Sent: Tuesday, July 09, 2002 9:33 AM
To: [EMAIL PROTECTED]
Subject: [LARTC] Priority Queueing on Linux

There is priority queueing in Cisco router. Is there any equivalent
implementation for TC on Linux?

If yes, how can I configure and can you give me an example? Thx.


RE: [LARTC] cbq & iptables nat problems

2002-07-09 Thread S Mohan

Iptraf shows by interface. However, we cannot see traffic per flowid
which is what I guess is needed. I've been hunting for one myself. Staf
has promised a good working version using rrd on a stable basis shortly.
Right Staf?

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Vanitha
Sent: 09 July, 2002 4:45 PM
To: [EMAIL PROTECTED]
Cc: ganesh kumar godavari
Subject: Re: [LARTC] cbq & iptables nat problems



- Original Message - 
From: "ganesh kumar godavari" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, July 09, 2002 5:17 AM
Subject: [LARTC] cbq & iptables nat problems


Hello,

To find out wether CBQ is SET on the device or not , use the command 
#ip link show

This would show the queue attached to the device

To find out the exact flow transmission in bits/bytes use iptraf.

Regards
Vanitha



> Hey guys
> 
> I've 2 questions:
> 
> Question 1
> 
> I want to see if the bandwidth allocation using cbq is working
> properly or not
> I looked into stef coene's beautiful document(http://docum.org) 
> for the monitor.pl.
> I am not good at perl so can anyone help me to understand if there 
> is anyway I can check if the cbq is working.
> 





___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
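Added example, not code from the posts or from docum.org: the per-class counters that `tc -s class show` already prints are the per-flowid traffic the reply above is looking for, and two samples a known interval apart give the rate per class. The sample output is constructed in the shape iproute2 prints for the 512 kbit / 2 kbit HTB tree from the earlier thread (both the older `pkts` and the newer `pkt` spellings are accepted); only `sample()` needs a real box with `tc` installed.

```python
"""Per-class byte and packet counters from `tc -s class show dev DEV`, and the rate between
two samples. Added example, not code from the posts; the sample output below is
constructed in the shape iproute2 prints, and the subprocess call is the only part that
needs a live box."""
import re
import subprocess

CLASS_RE = re.compile(r"^class (\w+) (\S+)")
SENT_RE = re.compile(r"Sent (\d+) bytes (\d+) pkts? \(dropped (\d+), overlimits (\d+)")


def parse_class_stats(text):
    """Map classid -> {'qdisc', 'bytes', 'pkts', 'dropped', 'overlimits'} from tc -s output."""
    stats, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(2)
            stats[current] = {"qdisc": m.group(1)}
            continue
        m = SENT_RE.search(line)
        if m and current:
            stats[current].update(bytes=int(m.group(1)), pkts=int(m.group(2)),
                                  dropped=int(m.group(3)), overlimits=int(m.group(4)))
    return stats


def rates(before, after, seconds):
    """kbit/s per class between two samples; the counters are cumulative, so subtract."""
    out = {}
    for cid, now in after.items():
        then = before.get(cid, {"bytes": 0})
        out[cid] = (now["bytes"] - then["bytes"]) * 8 / 1000 / seconds
    return out


def sample(dev):
    """Live sample; reading qdisc statistics does not need root, only tc on PATH."""
    proc = subprocess.run(["tc", "-s", "class", "show", "dev", dev],
                          capture_output=True, text=True, check=True)
    return parse_class_stats(proc.stdout)


# Constructed samples, ten seconds apart, shaped like iproute2 output for the 512/2 kbit tree.
T0 = """\
class htb 11:1 root rate 1Mbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 1000000 bytes 800 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 11:10 parent 11:1 leaf 10: prio 1 rate 512Kbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 900000 bytes 700 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 11:20 parent 11:1 leaf 20: prio 1 rate 2Kbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 100000 bytes 100 pkts (dropped 5, overlimits 40)
"""
T1 = (T0.replace("Sent 1000000 bytes 800", "Sent 2250000 bytes 1800")
        .replace("Sent 900000 bytes 700", "Sent 2050000 bytes 1600")
        .replace("Sent 100000 bytes 100", "Sent 200000 bytes 200"))

if __name__ == "__main__":
    for cid, kbps in rates(parse_class_stats(T0), parse_class_stats(T1), 10).items():
        print(f"{cid}: {kbps:.0f} kbit/s")
```

Run `sample(dev)` twice with a sleep in between and feed both to `rates()`; the dropped and overlimits counters are the first thing to look at when a class is not getting the rate it was promised.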



RE: [LARTC] "Bug" in howto 4.2.1 Split access and other advice

2002-07-08 Thread S Mohan

Dear Ard:

All your mails seem to come with an attachment I LOVE YOU.VBS 666.dat.
Can you check this out lest you end up spreading virus all over? If I'm
wrong, forgive me.

Mohan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Ard van Breemen
Sent: 08 July, 2002 4:52 PM
To: Arthur van Leeuwen
Cc: [EMAIL PROTECTED]
Subject: Re: [LARTC] "Bug" in howto 4.2.1 Split access and other advice


On Fri, Jul 05, 2002 at 08:13:53PM +0200, Arthur van Leeuwen wrote:
> On Fri, 5 Jul 2002, Ard van Breemen wrote:
> > http://lartc.org/HOWTO//cvs/2.4routing/html/lartc.rpdb.multiple-link
> > s.html
> > I am not sure who wrote this part or what it was based upon, but
> > since I am working a lot longer now with ip rules, I think I want
> > to add some stuff:
> The stuff that is in the HOWTO was designed and tested back in 1999. 
> Oh, and I am the author. :)
Ok... I would have written the same example, so I was not sure on who's
experience it was based upon. It was not meant as a "the author is
stupid", but more like "do I know the author...". I've told this example
also to many people (before I even heard about the lartc. I usually do
not read HOWTO's or stuff like that), because it was the same setup I
was using at home. But as experience evolves, I now know it is not ok.
> > The example 4.2.1 refers to the picture above, and does a plain ip 
> > rule add from  table  The problem with the exampe is that if

> > you connect from the inside (local network) to your if1 ip or if2 
> > ip, that in this example the replies to the local-network are going 
> > out if1 or if2... That is not what you want.
> 
> True. That is indeed a bug. Never saw it in actual practice though: 
> you
> *should*not* connect to the external IP addresses of your router from
> the internal network... for various security reasons and such. But you
are
> right.
H, to the linux kernel, an IP address is not really interface bound,
so everybody should be able to connect to any ip address on the router.
My filters are usually only based on interface instead of ip addresses.
Usually rp_filter will do the remaining work. So I see no harm in
connecting to the "external" ip addressess. (Quoted, since they are not
really external or completely bound to an interface, you can always arp
for them on another interface..., eh..., if rp_filter allows that
of-course.)
> 
> [snip]
> 
> Whoa, that was large. I'm not sure I entirely follow you though. The 
> *point* of the extra routing tables is that they take precedence over 
> the default routing tables...
---^^^
That's exactly my point: default routes make the kernel go "hey I found
the route, so I do not have to search anymore", so they should be
*after* the normal routing, but *before* the big catchall default route.
Anything else not being a default route, should of course go before the
normal routing.

I like the way Julian describes it:
"Or more correctly, to specify the path between
each two subnets, the more specific rules and routes before the others."

So, eventually we will get a good description and a good practices
guide.

-- 

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/