RE: [LARTC] prio qdisc not wokring

2007-12-06 Thread Salim S I
If you use filters, you can use the src IP or TOS to send traffic from
different clients to different bands. There is no connection tracking in
the qdisc; the priority mapping is done according to TC_PRIO.
I think this will help:
http://www.opalsoft.net/qos/DS-23.htm
 
-Original Message-
From: Archana Rajagopal [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 07, 2007 10:36 AM
To: Salim S I
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] prio qdisc not wokring
 
Thank you for the reply!
Is prio per-flow based or per-connection based? I mean, if I have two
clients (two different systems), each sending different flows of traffic,
it seems to classify flows from one system but it does not aggregate the
flows of the same priority of all clients. Is this observation correct? How do
I aggregate the flows?

Thank you
Archana.
On Dec 6, 2007 8:40 PM, Salim S I <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> > wrote:
I do not know about TOS, but it can be mapped well with filters.
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Archana Rajagopal
Sent: Friday, December 07, 2007 2:56 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] prio qdisc not wokring
 
Hi,
   I am working on linux 2.6.16. I tried to prioritize traffic using the prio
module but it's not working well. It always maps to the same class
irrespective of ToS. Is it possible to fix it using filters? Has anybody fixed
this problem?

-- 
Regards
Archana Rajagopal 



-- 
Regards
Archana Rajagopal 
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] prio qdisc not wokring

2007-12-06 Thread Salim S I
I do not know about TOS, but it can be mapped well with filters.
 


RE: [LARTC] exporting service on multiple wan

2007-10-18 Thread Salim S I
Sorry, I forgot for a moment that it was a DMZ.

In mangle PREROUTING

-j CONNMARK restore-mark
-m mark --mark 0x0 -i WAN1 -j CONNMARK --set-mark 0x1
-m mark --mark 0x0 -i WAN2 -j CONNMARK --set-mark 0x2

Two routing tables, one for each mark.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mohan Sundaram
Sent: Friday, October 19, 2007 12:09 PM
To: 'LARTC'
Subject: Re: [LARTC] exporting service on multiple wan

Salim S I wrote:
> How about conn-marking the (NEW state)packets in POSTROUTING?
> 
Would probably need to use conntrack ESTABLISHED,DNAT and ROUTE 
directive for packets coming from LAN to make sure packet goes out from 
the same interface it came on.

Mohan


RE: [LARTC] exporting service on multiple wan

2007-10-18 Thread Salim S I
How about conn-marking the (NEW state) packets in POSTROUTING?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mohan Sundaram
Sent: Friday, October 19, 2007 10:19 AM
To: LARTC
Subject: Re: [LARTC] exporting service on multiple wan

Fabio Marcone wrote:
> Hi all,
> I've a routing problem. I'm setting up a router based on debian (kernel 2.4).
> 
> I need to set up routing to export an ftp service (the ftp server is in the dmz) to 2 wans (both).
> 
> I set up the prerouting and forward rules with no problem.
> 
> The problem is that reply packets use the default gateway (default wan) even though they entered using the other wan.
> 
> I solved it by marking packets on input from the dmz iface and forcing them to use another gateway (iproute2), but in this way I don't export the ftp service on the default wan.
> 
> How can I set up routing to export the ftp service on both ifaces?
> 
> Thanks in advance,
> Fabio
One way to do this:
1. Assign 2 private domain IP addresses to the ftp server and listen to 
both for ftp. IP1 and IP2
2. Map one IP each for WAN address. WAN1>>IP1 and WAN2>>IP2
3. On the Linux machine, set policy routing based on src IP of reply 
packet i.e. src IP1 goes thro' WAN1 and src IP2 goes thro' WAN2.

Mohan


RE: [LARTC] Filtering RTP/SIP protocol (Voip)?

2007-10-11 Thread Salim S I
SIP is pretty easy. Normally it uses port 5060. But prioritizing this
port's traffic won't enhance the overall voice quality.
RTP ports are decided dynamically during the SIP handshake. Filtering the RTP
protocol by packet pattern will delay the traffic, so using the port
numbers is the easier way, BUT you need to find out these ports from the SIP
handshake messages.
How to prioritize depends on your setup's capabilities.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Beat Meier
Sent: Friday, October 12, 2007 7:48 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Filtering RTP/SIP protocol (Voip)?

Hello

How can I filter (i.e. prioritize) the RTP protocol and SIP?
Has anybody written a filter for that in the meantime?
(In 2006 there was no answer from the list ...)

Thanks

Beat


RE: [LARTC] NAT-aware traffic analysis

2007-09-04 Thread Salim S I
A different approach is to use iptables counters in the FORWARD chain (-s
$CLIENT_IP -i eth0 -o ! eth0). That would require a rule for each user.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ming-Ching Tiew
Sent: Wednesday, September 05, 2007 11:09 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] NAT-aware traffic analysis


I have tried using iptraf on my NAT firewall to analyse the IP traffic.
Basically I am faced with the difficulty of relating the source IP
to the outgoing interface to the internet, so I am wondering if
anyone has a suggestion for a different way to do it, or a suggestion
for a better tool.

Details:

Suppose: eth0 - LAN
         eth1 - WAN1
         eth2 - WAN2

And then all source IPs in the LAN are SNATed to the respective
WAN interface when they leave for the internet. There is also DNAT
traffic from the internet to the LAN.

I want to break down the statistics of LAN users using the
internet. If I run iptraf on eth0, I will see the LAN stats, but I
don't know for sure which ones really go out to which WAN
(some traffic does not even go out to the WAN at all!).

Then when I sniff at eth1 or eth2, I lose the information about the LAN
IPs.

How could I do a stateful or NAT-aware traffic analysis? Anyone has
a good suggestion?



Important Warning! 

*** 

This electronic communication (including any attached files) may contain
confidential and/or legally privileged information and is only intended
for the use of the person to whom it is addressed. If you are not the
intended recipient, you do not have permission to read, use,
disseminate, distribute, copy or retain any part of this communication
or its attachments in any form. If this e-mail was sent to you by
mistake, please take the time to notify the sender so that they can
identify the problem and avoid any more mistakes in sending e-mail to
you. The unauthorised use of information contained in this communication
or its attachments may result in legal action against any person who
uses it.

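As an added example for the per-user FORWARD-counter approach in the reply above (not code from the post or the list): a counting-only FORWARD sub-chain with one rule per LAN client, plus a parser that turns "iptables-save -c" output into a per-client byte table. Because the rules match the LAN source address before SNAT rewrites it, the counters keep the LAN-to-WAN association that iptraf on the WAN side loses. The LAN interface name, the client addresses and the iptables-save sample are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not from the post: per-client traffic accounting with a
# counting-only FORWARD sub-chain, and a parser for its counters. The rules see
# the LAN source address before SNAT rewrites it, which is what iptraf on the
# WAN side loses. Assumed: LAN is eth0; the client addresses and the
# iptables-save output below are constructed. IPT="echo iptables" dry-runs.
IPT=${IPT:-iptables}
LAN=${LAN:-eth0}

# One rule per client, as the post says. The rules have no target, so they only
# count; "! -o $LAN" leaves out LAN-to-LAN forwarding that never reaches a WAN.
add_accounting() {   # add_accounting <client ip>...
    $IPT -N ACCT 2>/dev/null
    $IPT -I FORWARD 1 -i "$LAN" -j ACCT
    for ip in "$@"; do
        $IPT -A ACCT -s "$ip" -i "$LAN" ! -o "$LAN"
    done
}

# Parse "iptables-save -c" output from stdin into "client bytes packets" lines,
# heaviest first. The counter prefix on each rule line is [packets:bytes].
client_usage() {
    awk '
        /^\[[0-9]+:[0-9]+\] -A ACCT / {
            split(substr($1, 2, length($1) - 2), c, ":")
            for (i = 2; i < NF; i++)
                if ($i == "-s") { src = $(i + 1); sub(/\/32$/, "", src) }
            printf "%s %s %s\n", src, c[2], c[1]
        }' | sort -k2,2nr
}

# Constructed sample of what "iptables-save -c -t filter" prints once the
# chain above has seen some traffic.
SAMPLE_SAVE='*filter
:FORWARD ACCEPT [0:0]
:ACCT - [0:0]
[10:840] -A FORWARD -i eth0 -j ACCT
[7:5600] -A ACCT -s 192.168.1.10/32 -i eth0 ! -o eth0
[3:240] -A ACCT -s 192.168.1.11/32 -i eth0 ! -o eth0
[0:0] -A ACCT -s 192.168.1.12/32 -i eth0 ! -o eth0
COMMIT'

if [ "${1:-}" = live ]; then
    iptables-save -c -t filter | client_usage      # real counters
else
    printf '%s\n' "$SAMPLE_SAVE" | client_usage    # offline demonstration
fi
```

Run it with "live" on the firewall to read the real counters; without an argument it parses the constructed sample. Counters reset on reboot and on chain flush, so a cron job that snapshots the output is needed for anything longer than the current uptime.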


RE: [LARTC] Policy routing question

2007-08-22 Thread Salim S I
Older versions of ping do not support specifying the interface with the -I
option. It won't give an error, but it simply won't work. I had such an issue
and it was solved with the latest ping tool.
Have you tried using tcpdump to capture packets from the interfaces?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Rabbitson
Sent: Wednesday, August 22, 2007 4:09 PM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Policy routing question

No takers on this question? I investigated further and it seems that
this is a specific problem with iputils-ping. It seems that regardless
of the supplied interface name, the source IP is chosen to be closest to
the default gateway. OTOH my ability to follow C code is next to
minimal, and I would really appreciate it if someone can confirm this. Here
is the part I believe is relevant:

    if (source.sin_addr.s_addr == 0) {
        socklen_t alen;
        struct sockaddr_in dst = whereto;
        int probe_fd = socket(AF_INET, SOCK_DGRAM, 0);

        if (probe_fd < 0) {
            perror("socket");
            exit(2);
        }
        if (device) {
            struct ifreq ifr;
            memset(&ifr, 0, sizeof(ifr));
            strncpy(ifr.ifr_name, device, IFNAMSIZ-1);
            if (setsockopt(probe_fd, SOL_SOCKET, SO_BINDTODEVICE, device,
                           strlen(device)+1) == -1) {
                if (IN_MULTICAST(ntohl(dst.sin_addr.s_addr))) {
                    struct ip_mreqn imr;
                    if (ioctl(probe_fd, SIOCGIFINDEX, &ifr) < 0) {
                        fprintf(stderr, "ping: unknown iface %s\n", device);
                        exit(2);
                    }
                    memset(&imr, 0, sizeof(imr));
                    imr.imr_ifindex = ifr.ifr_ifindex;
                    if (setsockopt(probe_fd, SOL_IP, IP_MULTICAST_IF,
                                   &imr, sizeof(imr)) == -1) {
                        perror("ping: IP_MULTICAST_IF");
                        exit(2);
                    }
                }
            }
        }

        if (settos &&
            setsockopt(probe_fd, IPPROTO_IP, IP_TOS, (char *)&settos, sizeof(int)) < 0)
            perror("Warning: error setting QOS sockopts");

        dst.sin_port = htons(1025);
        if (nroute)
            dst.sin_addr.s_addr = route[0];
        if (connect(probe_fd, (struct sockaddr*)&dst, sizeof(dst)) == -1) {
            if (errno == EACCES) {
                if (broadcast_pings == 0) {
                    fprintf(stderr, "Do you want to ping broadcast? Then -b\n");
                    exit(2);
                }
                fprintf(stderr, "WARNING: pinging broadcast address\n");
                if (setsockopt(probe_fd, SOL_SOCKET, SO_BROADCAST,
                               &broadcast_pings, sizeof(broadcast_pings)) < 0) {
                    perror ("can't set broadcasting");
                    exit(2);
                }
                if (connect(probe_fd, (struct sockaddr*)&dst, sizeof(dst)) == -1) {
                    perror("connect");
                    exit(2);
                }
            } else {
                perror("connect");
                exit(2);
            }
        }
        alen = sizeof(source);
        if (getsockname(probe_fd, (struct sockaddr*)&source, &alen) == -1) {
            perror("getsockname");
            exit(2);
        }
        source.sin_port = 0;
        close(probe_fd);
    } while (0);


Peter Rabbitson wrote:
> Hi,
> 
> I have a testing multihome setup, with the default gateway being one of 
> the links and using policy routing to honor requests for a specific 
> link. Everything works as expected when I request a specific IP to bind 
> to. But if I request a specific interface things fall apart in ways that 
> I can not explain:
> 
> default gw (WORKS)
> --
> [EMAIL PROTECTED]:~$ ping -c 1 yahoo.com
> PING yahoo.com (216.109.112.135) 56(84) bytes of data.
> 64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=48 time=142 ms
> 
> 
> request IP on same link as default gw (WORKS)
> -
> [EMAIL PROTECTED]:~$ ping -I 192.168.9.102 -c 1 yahoo.com
> PING yahoo.com (66.94.234.13) from 192.168.9.102 : 56(84) bytes of data.
> 64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=47 time=176 ms
> 
> request IP on secondary link (WORKS)
> 
> [EMAIL PROTECTED]:~$ ping -I 172.16.0.2 -c 1 yahoo.com
> PING yahoo.com (216.109.112.135) from 172.16.0.2 : 56(84) bytes of data.
> 64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=47 time=146 ms
> 
> request interf

RE: [LARTC] two providers

2007-08-21 Thread Salim S I
> "ip route add default via ppp0 table T1"

via is not for a device name.

After ppp0 is up, type ifconfig, see the gateway, and use that
gateway.
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Indunil Jayasooriya
Sent: Tuesday, August 21, 2007 7:12 PM
To: mangal regmi; lartc@mailman.ds9a.nl
Subject: Re: [LARTC] two providers
 

Please either DELETE your script or save it somewhere else,

and now replace your script with this.

AND TRY if it works.

This is the script.


echo "11 T1" >> /etc/iproute2/rt_tables
echo "12 T2" >> /etc/iproute2/rt_tables


ip route add 202.51.78.0/24 dev eth1 src 202.51.78.122 table T1
ip route add default via ppp0 table T1
ip route add 203.78.165.0/29 dev eth2 src 203.78.165.154 table T2
ip route add default via 203.78.165.153 table T2

ip rule add from 202.51.78.122 table T1
ip rule add from 203.78.165.154 table T2


ip route add default scope global nexthop via 202.51.78.122 dev eth1 weight 1 \
    nexthop via 203.78.165.153 dev eth2 weight 1



THAT'S it. try and let me know. 

N-JOY IPROUTE2





On 8/21/07, mangal regmi <[EMAIL PROTECTED]> wrote:
many many thanks for your help
ok i am making my problem more clear...

my LAN ip is: 172.16.100.0/24
ip of eth1 is: 202.51.78.122, and this is a fixed and permanent address
and it has no netmask and gateway (so, to provide
internet to my LAN i have used ppp0 for this connection)
ip of eth2: 203.78.165.154; netmask: 255.255.255.248; gateway: 203.78.165.153

for eth0 my file is: /etc/sysconfig/network-scripts/ifcfg-eth0
for eth1: /etc/sysconfig/network-scripts/ifcfg-eth1
for eth2: /etc/sysconfig/network-scripts/ifcfg-eth2

and my rules are placed in /etc/iproute2/rt_tables as suggested by
lartc.org

and the whole copy of my above file is copied below:


#
# reserved values
#
#255local
#254main
#253default
#0  unspec
#
# local
#
#1  inr.ruhep

#
# below this is added by me and above this is by default
# two addational routing tables

#ip route add 202.51.78.0/24 dev eth1 src ppp0 table T1
#ip route add default via ppp0 table T1
ip route add 203.78.165.0/24 dev eth2 src 203.78.165.154 table T2
ip route add default via 203.78.165.153 table T2

# main routing table

ip route add 202.51.78.0/24 dev eth1 src ppp0 
ip route add 203.78.165.0/24 dev src 203.78.165.154

# preference for default route

ip route add default via 202.51.76.122

# routing rules

ip rule add from ppp0 table T1
ip rule add from 203.78.165.154 table T2

# entries for local network 

ip route add 172.16.100.0/24dev eth0 table T1
ip route add 203.78.165.0/24dev eth2 table T1
ip route add 127.0.0.0/8dev lo   table T1
ip route add 172.16.100.0/24dev eth0 table T2
ip route add 202.51.78.0/24 dev eth1 table T2
ip route add 127.0.0.0/8dev lo   table T2

#load balancing
ip route add default scope global nexthop via ppp0 dev eth1 weight 1 \
    nexthop via 203.78.165.153 dev eth2 weight 1

this above one is the full and exact copy of my working





Indunil Jayasooriya <[EMAIL PROTECTED]>
wrote:

On 8/21/07, mangal regmi <[EMAIL PROTECTED]> wrote:
Hi to all
i think this is not a new problem for this forum but it's newest for
me as i am a new linux learner. Even if it is new plzz reply me your
answer.. and if it's already asked and has a solution.. plzz forward the
solution. My problem is mentioned here:
I have fedora core 4 as a linux server. there are two external links
connected to this.

If there are 2 external links, what is the file /etc/sysconfig/network
like?

Can you write down the file?

the settings are as: eth0 -> for internal (that is for LAN)
                     eth2 -> dsl connection
                     eth1 -> cable line connection (this
connection has no gateway and netmask address provided so this is
connected via ppp0. this is provided from the ISP via DHCP but has a
fixed ip address) Hey, what is this FIXED ip address? Is it a permanent
address?

YOUR eth0 of Fedora Server is for internal (that is for LAN)
YOUR eth2 of Fedora Server is connected to the dsl connection.
YOUR eth1 of Fedora Server is connected to the cable line connection. It
has an ip.


i want to use these two links to provide the internet in my LAN where
there are about 8 to 10 computers. i want that if any of the links goes
down ... the other should continue the internet ... and also while both the
links are up.. the load should be shared between these two links so
that the net connection and downloads are faster

i have heard about the scripts that can do this... but i have no idea
how to write these... scripts. i need these to be on after reboot
also...

To come up the script

RE: [LARTC] Policy base forwarding issues

2007-08-20 Thread Salim S I
Why don't you use DNAT?
The via address is supposed to be the address of the next-hop router.
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pranav Desai
Sent: Saturday, August 18, 2007 6:53 AM
To: lartc
Subject: [LARTC] Policy base forwarding issues
 
Hello All,

I am trying to set up a linux box as a forwarding router based on src IP.
The problem is that it does forward the pkts to the intended server
specified in the ip rule, but it also forwards them to the original dst
(the dst specified in the pkt).


Here is the setup:

[10.1.0.166]                                              [192.168.1.225]
     |                                                          |
     |             [A]                       [B]                |
     |---[10.1.0.63/172.16.1.63]---[172.16.1.64/192.168.1.65]---|
     |   linux box that only has   linux router in question     |
     |   net.ipv4.ip_forward=1                                  |
     |                                                          |
[10.1.0.167]                                              [192.168.1.100]


A - is just a linux box doing forwarding for the 2 networks 10.1.x.x - >
172.16.1.x.
B - is the linux router which I want to setup as forwarding.

The pkts come from 10.1.0.166 and .167  ->  to 192.168.1.100
 
I want to setup rules on [B] to forward all pkts with src addr.
10.1.0.166 to 192.168.1.225.
And, all pkts from 10.1.0.167   to 192.168.1.100
should still go to 192.168.1.100.

Here are the rules I setup.

[EMAIL PROTECTED] ~]# ip rule sh
0:  from all lookup local 
32765:  from 10.1.0.166 lookup 225
32766:  from all lookup main
32767:  from all lookup default

[EMAIL PROTECTED] ~]# ip ro sh tab 225
192.168.1.0/24   via 192.168.1.225 dev eth1

The pkts still go to both .225 and .100. I checked on another machine
connected to the same switch as 192.168.1.100 and 192.168.1.225 and it's
not receiving the pkts. So, it doesn't seem like the switch is screwing
up and broadcasting the packets everywhere.

I would appreciate any kind of help or pointers. 

Thanks for your time.

-- pranav

--
http://pd.dnsalias.org 


RE: [LARTC] Unable to match/classify non-icmp traffic with TOSbiggerthan 0x10

2007-08-16 Thread Salim S I
Did you try to capture the packets with tcpdump or something and check
the TOS field? Was it correct?
I had a similar setup before, though not a bridge, and it worked.

-Original Message-
From: Salim S I [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 17, 2007 10:59 AM
To: 'Salim S I'; 'Ming-Ching Tiew'; lartc@mailman.ds9a.nl
Subject: RE: [LARTC] Unable to match/classify non-icmp traffic with
TOSbiggerthan 0x10 

Sorry, I hadn't seen the 0x68 match.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salim S I
Sent: Friday, August 17, 2007 10:47 AM
To: 'Ming-Ching Tiew'; lartc@mailman.ds9a.nl
Subject: RE: [LARTC] Unable to match/classify non-icmp traffic with
TOSbiggerthan 0x10 

Is it because the TOS and DSCP values are different?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ming-Ching Tiew
Sent: Thursday, August 16, 2007 5:21 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Unable to match/classify non-icmp traffic with TOS
biggerthan 0x10 


This problem is driving me nuts, so I am seeking help here.
Your help will be deeply appreciated.

I have made myself a Linux bridge with eth1 and eth0 to
form br0. Then I run a script to configure tc with htb on it.

But I can never match non-icmp traffic (such as tcp and udp)
with TOS or DSCP values such as 0x68.

The full story is as follows:

1. On the source testing machine, I do this to set the tos and dscp
settings:

 (A)  iptables -t mangle -A OUTPUT -j TOS --set-tos 0x10
      (to make the ssh tos value 0x10)

 or

 (B)  iptables -t mangle -A OUTPUT -j DSCP --set-dscp 0x1a
      (to make the ssh DSCP value 0x68)

2. Then on the bridge machine, I have tc filters as follows:

 (A)  tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
        match ip tos 0x10 0xfc flowid 1:10
      tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \
        match ip tos 0x10 0xfc flowid 1:10

      Then I do an ssh login to side B of the bridge from side A.
      It shows that the traffic has been classified correctly.

 (B)  tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
        match ip tos 0x68 0xfc flowid 1:10
      tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \
        match ip tos 0x68 0xfc flowid 1:10

      Then I do an ssh login to side B of the bridge from side A;
      the traffic has not been classified correctly. The class 1:10
      picks up zero traffic.

 (C)  However, if I ping side B of the bridge from side A, it shows
      that icmp could be classified into class 1:10.

Why is it just not possible to classify anything other than icmp?

Regards.





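As an added example serving two threads on this page (it is not code from either): the "prio qdisc not working" thread, whose reply suggests filters on src IP or TOS to steer different clients into different bands, and this thread, which sets DSCP 0x1a with iptables and matches TOS 0x68 with tc. The script below builds a three-band prio qdisc with u32 filters by TOS and by source address, and derives the TOS byte for the tc match from the DSCP value the sender sets, so the two sides cannot drift apart. The device name, the client address and the DSCP values are placeholders chosen for the example; TC="echo tc" prints the commands instead of running them.

```sh
#!/bin/sh
# Added example, not code from either thread: a three-band prio qdisc with u32
# filters that steer traffic into bands by TOS and by source address, where the
# TOS byte in the tc match is derived from the DSCP value the sender sets.
# Assumed: DEV, the client address and the DSCP values are placeholders;
# TC="echo tc" prints the commands instead of running them.
TC=${TC:-tc}
DEV=${DEV:-eth0}

# The TOS byte holds DSCP in its upper six bits and ECN in the lower two, so
# the 6-bit value given to "iptables -j DSCP --set-dscp" (0x1a) appears on the
# wire, and to "tc ... match ip tos", as 0x1a << 2 = 0x68.
dscp_to_tos() {   # dscp_to_tos <dscp>  -> prints the TOS byte as 0xNN
    printf '0x%02x' $(( $1 << 2 ))
}

# Mask 0xfc compares only the DSCP bits, so packets on which ECN has set the
# low two bits still match.
tos_filter() {   # tos_filter <dscp> <flowid> [prio]
    tos=$(dscp_to_tos "$1")
    $TC filter add dev "$DEV" parent 1: protocol ip prio "${3:-10}" u32 \
        match ip tos "$tos" 0xfc flowid "$2"
}

# Steering by source address: every flow from the matched hosts lands in the
# same band, whichever client sent it.
src_filter() {   # src_filter <addr/len> <flowid> [prio]
    $TC filter add dev "$DEV" parent 1: protocol ip prio "${3:-20}" u32 \
        match ip src "$1" flowid "$2"
}

setup_prio() {
    # Bands 0..2 are classes 1:1..1:3. The priomap maps the TC_PRIO a packet
    # gets from its TOS to a band when no filter claims the packet; the
    # filters below take precedence over that mapping.
    $TC qdisc add dev "$DEV" root handle 1: prio bands 3 \
        priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
    tos_filter 0x1a 1:1               # DSCP 0x1a (TOS 0x68): highest band
    tos_filter 0x2e 1:1               # DSCP EF (TOS 0xb8): highest band
    src_filter 192.168.1.10/32 1:3    # constructed bulk host: lowest band
}

if [ "${1:-}" = apply ]; then
    setup_prio
fi
```

Checking the TOS byte on the wire, as the reply above suggests, is the step that tells the two cases apart: "tcpdump -v" prints it as "tos 0x68" for packets marked with --set-dscp 0x1a, and a filter written for 0x1a would never see that value.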


RE: [LARTC] Unable to match/classify non-icmp traffic with TOSbiggerthan 0x10

2007-08-16 Thread Salim S I
Sorry, I hadn't seen the 0x68 match.


RE: [LARTC] Unable to match/classify non-icmp traffic with TOS biggerthan 0x10

2007-08-16 Thread Salim S I
Is it because the TOS and DSCP values are different?


RE: [LARTC] Load Balancing , MSN and SSL

2007-07-04 Thread Salim S I
http://mailman.ds9a.nl/pipermail/lartc/2007q2/020779.html
 
http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
 
Two different approaches. 
 
-Original Message-
From: Saulo Silva [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 05, 2007 11:58 AM
To: Salim S I
Subject: Re: [LARTC] Load Balancing , MSN and SSL
 
I already tried that with no success.
Could you explain that better?
2007/7/4, Salim S I <[EMAIL PROTECTED]>: 
Refer to the archives.
Use connmark.
 
-Original Message-
From: [EMAIL PROTECTED] [mailto:
<mailto:[EMAIL PROTECTED]>  [EMAIL PROTECTED]
On Behalf Of Saulo Silva
Sent: Thursday, July 05, 2007 9:01 AM
To: LARTC@mailman.ds9a.nl
Subject: [LARTC] Load Balancing , MSN and SSL
 
HI All,

I am running a FC6 box with two internet links with load balancing. Everything
is working fine except the MSN connection, which fails and
reconnects every time, and SSL connections. I would like to know if with
the nona howto I could fix that.

I have tried with no success to redirect that connection only to
one link but it looks like it does not work. Here is my configuration:

#!/bin/bash
#
# Script based on
# http://lartc.org/howto/lartc.rpdb.multiple-links.html
#
#
#


IF0=eth1

function interface_interna() {
VALOR_IP=0
while [ $VALOR_IP -lt 254 ] ; do
   if [ $VALOR_IP -ne 33 ] ; then 
P0_NET=192.168.${VALOR_IP}.0
IP0=192.168.${VALOR_IP}.1 
ip route add $P0_NET dev $IF0 src $IP0 table T1
ip route add $P0_NET dev $IF0 src $IP0 table T2 
   fi
   VALOR_IP=$(expr $VALOR_IP + 1)
done 
ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2
ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T1
ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T2
}



IP1=xxx.xxx.xxx.18
IF1=eth0
P1_NET=xxx.xxx.xxx.16/30
P1=xxx.xxx.xxx.17 


IP2=192.168.254.250
IF2=eth2
P2_NET=192.168.254.248/29
P2=192.168.254.254



ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2

ip route add $P1_NET dev $IF1 src $IP1 
ip route add $P2_NET dev $IF2 src $IP2

ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

ip route add $P0_NET dev $IF0 table T1
ip route add $P1_NET dev $IF1 table T1
ip route add $P2_NET dev $IF2 table T1 
ip route add 127.0.0.0/8 dev lo   table T1

ip route add $P0_NET dev $IF0 table T2
ip route add $P1_NET dev $IF1 table T2
ip route add $P2_NET dev $IF2 table T2 
ip route add 127.0.0.0/8 dev lo   table T2

interface_interna 

ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
nexthop via $P2 dev $IF2 weight 1

# BACKUP ROUTES

ip route add default via $P2 dev $IF2 metric 1 table T1 
ip route add default via $P1 dev $IF1 metric 1 table T2

# SERVICE ROUTES

ip rule add fwmark 2 table 21 prio 20   
ip rule add fwmark 3 table 22 prio 20

ip route add default via $P1 dev $IF1 table 21
ip route add default via $P2 dev $IF2 table 22

ip route flush cache

Here are the iptables mangle rules:

# MSN Services #
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth1 -p udp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
### SSL Services ###
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto ssl -j MARK --set-mark 2

I added the rules for DNS and FTP too.

But it doesn't seem to work.

Any help will be appreciated.

Saulo Silva



 
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] Load Balancing , MSN and SSL

2007-07-04 Thread Salim S I
Refer to the archives.
Use connmark.
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Saulo Silva
Sent: Thursday, July 05, 2007 9:01 AM
To: LARTC@mailman.ds9a.nl
Subject: [LARTC] Load Balancing , MSN and SSL
 
Hi All,

I am running a FC6 box with two internet links with load balance. Everything
is working fine except the MSN connection, which fails and reconnects every
time, and SSL connections. I would like to know if with the nona howto I
could fix that.

I have been trying with no success to redirect that connection only to one
link, but it looks like it does not work. Here is my configuration:

#!/bin/bash
#
# Script based on
# http://lartc.org/howto/lartc.rpdb.multiple-links.html
#


IF0=eth1

function interface_interna() {
VALOR_IP=0
while [ $VALOR_IP -lt 254 ] ; do
   if [ $VALOR_IP -ne 33 ] ; then
# /24 prefix added: without it "ip route add" installs a /32 host route
P0_NET=192.168.${VALOR_IP}.0/24
IP0=192.168.${VALOR_IP}.1
ip route add $P0_NET dev $IF0 src $IP0 table T1
ip route add $P0_NET dev $IF0 src $IP0 table T2
   fi
   VALOR_IP=$(expr $VALOR_IP + 1)
done
ip route add 192.168.33.0/24  via 10.1.2.1 dev eth1 src 10.1.2.2
ip route add 192.168.33.0/24  via 10.1.2.1 dev eth1 src 10.1.2.2 table T1
ip route add 192.168.33.0/24  via 10.1.2.1 dev eth1 src 10.1.2.2 table T2
}



IP1=xxx.xxx.xxx.18
IF1=eth0
P1_NET=xxx.xxx.xxx.16/30
P1=xxx.xxx.xxx.17 


IP2=192.168.254.250
IF2=eth2
P2_NET=192.168.254.248/29
P2=192.168.254.254



ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2

ip route add $P1_NET dev $IF1 src $IP1 
ip route add $P2_NET dev $IF2 src $IP2

ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

ip route add $P0_NET dev $IF0 table T1
ip route add $P1_NET dev $IF1 table T1
ip route add $P2_NET dev $IF2 table T1 
ip route add 127.0.0.0/8 dev lo   table T1

ip route add $P0_NET dev $IF0 table T2
ip route add $P1_NET dev $IF1 table T2
ip route add $P2_NET dev $IF2 table T2 
ip route add 127.0.0.0/8 dev lo   table T2

interface_interna 

ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
nexthop via $P2 dev $IF2 weight 1

# BACKUP ROUTES

ip route add default via $P2 dev $IF2 metric 1 table T1 
ip route add default via $P1 dev $IF1 metric 1 table T2

# SERVICE ROUTES

ip rule add fwmark 2 table 21 prio 20   
ip rule add fwmark 3 table 22 prio 20

ip route add default via $P1 dev $IF1 table 21
ip route add default via $P2 dev $IF2 table 22

ip route flush cache

Here are the iptables mangle rules:

# MSN Services #
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth1 -p udp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
### SSL Services ###
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto ssl -j MARK --set-mark 2

I added the rules for DNS and FTP too.

But it does not seem to work.

Any help will be appreciated.

Saulo Silva






RE: [LARTC] Load Balance and SNAT problem.

2007-06-26 Thread Salim S I
> This is true for locally generated traffic only. Any incoming/forwarded
> traffic can be controlled in the PREROUTING, thus the cache is never
> consulted.

The cache will still be consulted, in ip_route_input. That is for input
and forwarded traffic. Only if there is no matching entry will the routing
tables be employed.

If you look in the cache, you can see routes cached for the same destination
through both wan interfaces. (well, in my case, I can see...). But their
fwmarks are different, as evident from ip_conntrack.




RE: [LARTC] Load Balance and SNAT problem.

2007-06-26 Thread Salim S I
Well, this is the relevant code in my kernel. (2.4.27)


	for (rth = rt_hash_table[hash].chain; rth; rth = rth->u.rt_next)
	{
		if (rth->key.dst == key->dst &&
		    rth->key.src == key->src &&
		    rth->key.iif == 0 &&
		    rth->key.oif == key->oif &&
#ifdef CONFIG_IP_ROUTE_FWMARK
		    rth->key.fwmark == key->fwmark &&
#endif
		    !((rth->key.tos ^ key->tos) &
		      (IPTOS_RT_MASK | RTO_ONLINK)))


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Grant Taylor
> Sent: Wednesday, June 27, 2007 10:39 AM
> To: Mail List - Linux Advanced Routing and Traffic Control
> Subject: Re: [LARTC] Load Balance and SNAT problem.
> 
> On 6/26/2007 9:22 PM, Salim S I wrote:
> > The caching is per destination and source ip. TOS, fwmark and input
> > interface too, if present.
> 
> Is the caching done on the combination of source and destination or
> singularly source or singularly destination?
> 
> If caching is done on the former, then as long as the source IP is
> different, you could potentially have different cached route choices for
> different workstations within a company.
> 
> 
> 
> Grant. . . .




RE: [LARTC] Load Balance and SNAT problem.

2007-06-26 Thread Salim S I
The caching is per destination and source ip. TOS, fwmark and input
interface too, if present.

Routing with netfilter does not solve cache problems anyway, cache will
still be present, and it will be consulted before routing tables are
hit.

In my opinion, routing in netfilter gives more flexibility in
dynamically choosing weights and such.
But multipath routing gives a bit more IP persistence.

Both solutions work pretty well; there are die-hard fans for both of the
above approaches. Recent archives of lartc have a lot of discussions on
it.


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Grant Taylor
> Sent: Wednesday, June 27, 2007 10:08 AM
> To: Mail List - Linux Advanced Routing and Traffic Control
> Subject: Re: [LARTC] Load Balance and SNAT problem.
> 
> On 6/26/2007 9:03 PM, Mohan Sundaram wrote:
> > The caching would be per destination IP - so it is likely all clients
> > will use the same route and thus interface.
> 
> This could be a problem.  I was taking the caching to be remembering
> which route was chosen and believing it to be associated with a specific
> source IP address.  I can see this being a very large issue when trying
> to do load balancing.
> 
> In light of this information, I think that better could be done in
> Netfilter.  However if there ever was a way to have route selection per
> source IP in the kernel, I would be more interested in that.
> 
> I wonder if route selection caching would be different in different
> routing tables.  In other words use a different routing table for a
> different (set of) clients.  Thus one cached routing decision per
> routing table which could differ per routing table.
> 
> 
> 
> Grant. . . .




RE: [LARTC] Using Julian Anastasov's 'routes' patches on 2.4 kernel inconjunction with IPSec

2007-06-25 Thread Salim S I
I had the same problem. Had to disable ipsec interfaces to make things
work. Though the routing rules were in correct order, packets went to
ipsec interface.
Finally, I removed the patch.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Seba Tiponut
> Sent: Monday, June 25, 2007 7:48 PM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] Using Julian Anastasov's 'routes' patches on 2.4 kernel
> inconjunction with IPSec
> 
> Hello,
> 
> I use Julian Anastasov 'routes' (to be more specific: static_routes,
> alt_routes and nf_reroute) patches on a 2.4.32 kernel. On the same host I
> run IPSec. I have discovered after a few hours of networking problems that,
> when IPSec is enabled on that patched kernel, inspecting packets with tcpdump
> while arping-ing a host from a network physically connected to this machine,
> the arp requests show up on the ipsecX interface instead of the ethX
> interface. When IPSec isn't running, Julian's code works fine. I suspect it
> has something to do with having two interfaces with the same data (ipsecX
> mirroring the configuration from ethX).
> Can anyone give me a hint on how I could solve this problem? I've googled a
> long time to no avail and I don't have the necessary skills to debug the
> networking code from the kernel.
> 
> Cheers,
> Seba.




RE: [LARTC] Redundant internet connections.

2007-06-21 Thread Salim S I
Use a ping script, which pings some IP every minute or so. Ping can bind
to a specific interface.

ping -c 1 -w 1 -I eth1 $SOME_IP
ping -c 1 -w 1 -I eth2 $SOME_IP

Check the return values of those pings.
Change your default routes based on the ping results.

This is the basic idea. You can add many other things to this: more IPs,
more counts, change the time interval... (Better use IPs than domain names,
so that DNS queries won't be a problem.)

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Grant Taylor
> Sent: Thursday, June 21, 2007 3:06 PM
> To: Mail List - Linux Advanced Routing and Traffic Control
> Subject: [LARTC] Redundant internet connections.
> 
> (I know that what I'm wanting to do can be done, but for some reason I
> can not get it to work for the life of me.  I think I have been staring
> at it too long and too closely.)
> 
> I have two different internet connections from two cooperating ISPs.  I
> also have a small 8 block of IPs that are globally routable that both
> ISPs will route to me via my world facing globally routable IPs that I
> have with them.  I.e. ISP A has a route to 75.19.28.7/29 via 12.34.56.78
> and ISP B has a route to 75.19.28.7/29 via 87.65.43.21.
> 
> I want to use one ISP as the primary default gateway and the other ISP
> as a backup default gateway.  That is to say I want to *NOT* use load
> balancing rather just redundancy in this situation.
> 
> I do *NOT* need to use NAT because I do have the globally routable IP
> address on *ALL* interfaces.
> 
> I.e.
> eth0:  75.19.28.6 (DMZ)
> eth1:  12.34.56.78 (ISP A)
> eth2:  87.65.43.21 (ISP B)
> 
> I want this router to use the default gateway for ISP A of 12.34.56.254
> and only use the default gateway of ISP B 78.65.43.1 if the default
> gateway of ISP A can not be reached.
> 
> If I set up the interfaces with their IPs and subnets and set up
> multiple default routes with varying metrics (for priority) and test by
> taking an interface down, things work.  However, this is not a realistic
> test because the interface will never physically go down.
> 
> For the sake of discussion, let one link be a DSL modem and the other
> link be a cable modem.  Each of the links is an external modem that uses
> an ethernet cable to connect in to the router.  Thus no matter what the
> state of the link coming in to my facility is, the link on the Linux
> router will always be up b/c the ethernet between the router and the
> modems sitting on the next shelf down will always be up.
> 
> I need a way for the Linux kernel to try to use a default gateway and
> switch to another one if it does not see any traffic.
> 
> Any help that any one could offer will be greatly appreciated.
> 
> 
> 
> Thanks in advance,
> 
> Grant. . . .


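A monitor script in the spirit of the ping-and-switch approach described above, added here as an example and not a script from the thread. Interface names, gateway and probe addresses are placeholders, and the switch-over and recovery thresholds are assumptions; the decision logic is kept in a separate function so it can be exercised without touching the network.

```shell
#!/bin/sh
# Link monitor: probe through each WAN interface with a bound ping and move the
# default route when the primary stops answering (constructed example).
PRIMARY_IF=eth1;   PRIMARY_GW=192.0.2.254      # ISP A (placeholder addresses)
SECONDARY_IF=eth2; SECONDARY_GW=198.51.100.1   # ISP B (placeholder addresses)
PROBE_IP=192.0.2.1        # something beyond the modems, reachable over either link
FAIL_LIMIT=3              # consecutive failed probes before leaving the primary
RECOVER_LIMIT=5           # consecutive good probes before returning to it
INTERVAL=60               # seconds between probe rounds

# probe_link IFACE: one packet, one second, bound to IFACE; ping's status is ours.
probe_link() {
    ping -c 1 -w 1 -I "$1" "$PROBE_IP" >/dev/null 2>&1
}

# next_state CURRENT PRIMARY_OK SECONDARY_OK FAILS GOODS
# Pure decision logic with hysteresis, so one lost packet does not flap routes.
# Prints "<gateway> <fails> <goods>" where gateway is primary, secondary or none.
next_state() {
    cur=$1; p_ok=$2; s_ok=$3; fails=$4; goods=$5
    if [ "$p_ok" -eq 1 ]; then
        fails=0; goods=$((goods + 1))
    else
        goods=0; fails=$((fails + 1))
    fi
    case $cur in
        primary)
            if [ "$fails" -ge "$FAIL_LIMIT" ]; then
                if [ "$s_ok" -eq 1 ]; then cur=secondary; else cur=none; fi
            fi ;;
        secondary|none)
            if [ "$goods" -ge "$RECOVER_LIMIT" ]; then
                cur=primary
            elif [ "$s_ok" -eq 1 ]; then
                cur=secondary
            else
                cur=none
            fi ;;
    esac
    echo "$cur $fails $goods"
}

# apply_gateway primary|secondary|none: rewrite the default route accordingly.
apply_gateway() {
    case $1 in
        primary)   ip route replace default via "$PRIMARY_GW" dev "$PRIMARY_IF" ;;
        secondary) ip route replace default via "$SECONDARY_GW" dev "$SECONDARY_IF" ;;
        none)      logger -t linkmon "both links down, leaving routes untouched" ;;
    esac
    ip route flush cache
}

# monitor: probe both links forever and switch only when the decision changes.
monitor() {
    state=primary; fails=0; goods=0
    while :; do
        if probe_link "$PRIMARY_IF"; then p_ok=1; else p_ok=0; fi
        if probe_link "$SECONDARY_IF"; then s_ok=1; else s_ok=0; fi
        set -- $(next_state "$state" "$p_ok" "$s_ok" "$fails" "$goods")
        new=$1; fails=$2; goods=$3
        if [ "$new" != "$state" ]; then
            logger -t linkmon "switching default gateway: $state -> $new"
            apply_gateway "$new"
            state=$new
        fi
        sleep "$INTERVAL"
    done
}

# Run as "sh linkmon.sh run" (needs root for ip route); sourcing it only defines functions.
if [ "${1:-}" = run ]; then monitor; fi
```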


RE: [LARTC] Re: multiple routing tables for internal router programs

2007-06-15 Thread Salim S I


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Peter Rabbitson
> Sent: Friday, June 15, 2007 2:30 PM
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Re: multiple routing tables for internal router
> programs
> Well then you are certainly ahead of the game. Still I would suggest to
> avoid the complexity of bit mask marks - it is rather error prone and is
> pretty hard to maintain, while the same result can usually be achieved
> by other means (like in my SNAT example). As far as your original
> problem goes - it seems like a mark is getting eaten away or is not set
> somewhere in the first place. I have not had any problems like the ones
> you describe.

Those different MARKs are used for policy-routing, load balancing,
firewall, traffic control, virtual server, user-group profiles etc. I
think eventually you may have to use it, warts and all, or find some
other way for integrating all those. :-) I will soon run out of bits, it
seems.

I've replaced that multipath rule for local packets with a single route,
and change it on failovers. No balancing for local traffic, but there
isn't much local traffic anyway.




RE: [LARTC] Re: PQ questions

2007-06-15 Thread Salim S I
I tested on a wireless link. It could give a maximum of 45Mbps. And I sent
30Mbps of both low prio and high prio traffic. Total of 60Mbps.
My test was done with UDP, using tcpdump. When I increased the bandwidth
to 40Mbps each, the high priority class got less bandwidth. (maybe the
effect of the known issue that a large amount of low prio traffic can
starve high prio traffic)

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Christian Benvenuti
> Sent: Friday, June 15, 2007 4:16 PM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] Re: PQ questions
> 
> Hi,
>   a class is starved only if those with higher priority are
> always (or pretty often) backlogged and do not give the lower
> priority classes a chance to transmit.
> Therefore, if you transmit at a rate smaller than your CPU/s and
> NIC/s can handle you will not experience any starving.
> 
> For example, if you generate 50Mbit traffic on a 100Mbit NIC
> it is likely that you won't see any starving (unless your system is
> not able to handle 50Mbit traffic because of a complex TC or
> iptables configuration that consumes lot of CPU).
> 
> Regards
> /Christian
> [ http://benve.info ]
> 
> On Fri, 2007-06-15 at 15:46 +0800, Salim S I wrote:
> > Slightly off-topic... Has anyone really experienced starving of low
> > priority traffic with PRIO qdisc?
> > In my setup, I never achieved that, though I also wanted exactly that
> > situation. I gave both the classes the same amount of traffic at the same
> > time. High prio got more bandwidth, but no starvation, even after I sent
> > more traffic than the link capacity.
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]
> > > On Behalf Of Christian Benvenuti
> > > Sent: Friday, June 15, 2007 3:32 PM
> > > To: lartc@mailman.ds9a.nl
> > > Subject: [LARTC] Re: PQ questions
> > >
> > > Hi,
> > >
> > > > > Your config does not prevent an higher priority class from starving
> > > > > a lower priority class.
> > > >
> > > > Exactly. That is requirement.
> > >
> > > OK
> > >
> > > > Those stats are nice to have, but the ones I must have are for how many
> > > > bytes/packets are enqueued at whatever time I check the queues.
> > >
> > > That information is there. Here is an example:
> > > (b=bytes p=packets)
> > >
> > > #tc -s -d qdisc list dev eth1
> > >
> > > qdisc prio 1:  root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
> > >   Sent 85357186 bytes 59299 pkt (dropped 0, overlimits 0 requeues 0)
> > >   rate 0bit 0pps backlog 0b 35p requeues 0
> > >                          +-> This field is not initialized for this
> > >                              qdisc type
> > > qdisc pfifo 10:  parent 1:1 limit 1000p
> > >   Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> > >   rate 0bit 0pps backlog 0b 0p requeues 0
> > >                             ^
> > > qdisc pfifo 20: parent 1:2 limit 1000p
> > >   Sent 85357120 bytes 59298 pkt (dropped 0, overlimits 0 requeues 0)
> > >   rate 0bit 0pps backlog 50470b 35p requeues 0
> > >                                 ^^
> > > qdisc pfifo 30: parent 1:3 limit 1000p
> > >   Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> > >   rate 0bit 0pps backlog 0b 0p requeues 0
> > >                             ^
> > >
> > > > I have tried to configure PQ to have two queues per filter with no
> > > > success.
> > >
> > > What do you mean?
> > >
> > > > Is it even possible to have (what I'll call) hierarchical PQ? I have yet
> > > > to find it.
> > >
> > > Something like this?
> > >
> > > tc qdisc add dev eth1 handle 1: root prio
> > > tc qdisc add dev eth1 parent 1:1 handle 10 prio
> > > tc qdisc add dev eth1 parent 1:2 handle 20 prio
> > > tc qdisc add dev eth1 parent 1:3 handle 30 prio
> > >
> > > Regards
> > > /Christian
> > > [ http://benve.info ]
> 
> 




RE: [LARTC] Re: PQ questions

2007-06-15 Thread Salim S I
Slightly off-topic... Has anyone really experienced starving of low
priority traffic with PRIO qdisc?
In my setup, I never achieved that, though I also wanted exactly that
situation. I gave both the classes the same amount of traffic at the same
time. High prio got more bandwidth, but no starvation, even after I sent
more traffic than the link capacity.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Christian Benvenuti
> Sent: Friday, June 15, 2007 3:32 PM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] Re: PQ questions
> 
> Hi,
> 
> > > Your config does not prevent an higher priority class from starving
> > > a lower priority class.
> >
> > Exactly. That is requirement.
> 
> OK
> 
> > Those stats are nice to have, but the ones I must have are for how many
> > bytes/packets are enqueued at whatever time I check the queues.
> 
> That information is there. Here is an example:
> (b=bytes p=packets)
> 
> #tc -s -d qdisc list dev eth1
> 
> qdisc prio 1:  root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
>   Sent 85357186 bytes 59299 pkt (dropped 0, overlimits 0 requeues 0)
>   rate 0bit 0pps backlog 0b 35p requeues 0
>                          +-> This field is not initialized for this
>                              qdisc type
> qdisc pfifo 10:  parent 1:1 limit 1000p
>   Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>   rate 0bit 0pps backlog 0b 0p requeues 0
>                             ^
> qdisc pfifo 20: parent 1:2 limit 1000p
>   Sent 85357120 bytes 59298 pkt (dropped 0, overlimits 0 requeues 0)
>   rate 0bit 0pps backlog 50470b 35p requeues 0
>                                 ^^
> qdisc pfifo 30: parent 1:3 limit 1000p
>   Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
>   rate 0bit 0pps backlog 0b 0p requeues 0
>                             ^
> 
> > I have tried to configure PQ to have two queues per filter with no
> > success.
> 
> What do you mean?
> 
> > Is it even possible to have (what I'll call) hierarchical PQ? I have yet
> > to find it.
> 
> Something like this?
> 
> tc qdisc add dev eth1 handle 1: root prio
> tc qdisc add dev eth1 parent 1:1 handle 10 prio
> tc qdisc add dev eth1 parent 1:2 handle 20 prio
> tc qdisc add dev eth1 parent 1:3 handle 30 prio
> 
> Regards
> /Christian
> [ http://benve.info ]
> 
> 


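A way to pull the per-queue backlog out of the `tc -s -d qdisc` listing quoted in this thread (the bytes/packets enqueued at the moment of the check), added here as an example and not taken from the thread. The sample listing is constructed to match the quoted one, and live_report assumes the running kernel prints the same 2.6-era format:

```shell
#!/bin/sh
# Report the instantaneous backlog of every qdisc on a device from
# 'tc -s -d qdisc show' output (constructed example, not from the thread).
# Format assumed: a 'qdisc <kind> <handle>' header line, later followed by a
# line containing 'backlog <bytes>b <packets>p'.

# backlog_report: reads tc stats on stdin, prints "<kind> <handle> <bytes> <packets>"
backlog_report() {
    awk '
        $1 == "qdisc" { kind = $2; handle = $3 }
        /backlog/ {
            for (i = 1; i <= NF; i++) if ($i == "backlog") {
                bytes = $(i + 1); pkts = $(i + 2)
                sub(/b$/, "", bytes); sub(/p$/, "", pkts)
                print kind, handle, bytes, pkts
            }
        }'
}

# total_backlog: sum bytes and packets over the leaf queues only. The root prio
# qdisc is skipped because, as noted in the thread, its byte field is not
# maintained on that kernel; the leaves carry the real numbers.
total_backlog() {
    backlog_report | awk '$2 != "1:" { b += $3; p += $4 } END { print b+0, p+0 }'
}

# Sample listing, constructed to match the one quoted in the thread.
SAMPLE='qdisc prio 1:  root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
  Sent 85357186 bytes 59299 pkt (dropped 0, overlimits 0 requeues 0)
  rate 0bit 0pps backlog 0b 35p requeues 0
qdisc pfifo 10:  parent 1:1 limit 1000p
  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
  rate 0bit 0pps backlog 0b 0p requeues 0
qdisc pfifo 20: parent 1:2 limit 1000p
  Sent 85357120 bytes 59298 pkt (dropped 0, overlimits 0 requeues 0)
  rate 0bit 0pps backlog 50470b 35p requeues 0
qdisc pfifo 30: parent 1:3 limit 1000p
  Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
  rate 0bit 0pps backlog 0b 0p requeues 0'

# queued_packets HANDLE: packets waiting in that qdisc, taken from the sample
queued_packets() {
    printf '%s\n' "$SAMPLE" | backlog_report | awk -v h="$1" '$2 == h { print $4 }'
}

# sample_total: leaf totals from the sample, "<bytes> <packets>"
sample_total() {
    printf '%s\n' "$SAMPLE" | total_backlog
}

# live_report DEV: the same report against the running kernel (needs tc)
live_report() {
    tc -s -d qdisc show dev "$1" | backlog_report
}
```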


RE: [LARTC] Re: multiple routing tables for internal router programs

2007-06-14 Thread Salim S I


> > NATing is done with MASQUERADE, not SNAT, I use another MARK for it, but
> > in essence it is
> > -o eth2 -j MASQUERADE
> > -o eth3 -j MASQUERADE
> >
> > In addition, there are several other MARKs for policy routing. They have
> > their own routing tables also. But at present, they are all empty.
> >
> 
> This is the part I definitely do not like. First of all - why
> SNAT/MASQUERADE _all_ traffic? You should do this for forwarded traffic
> only. Like so:

Yes, in fact, this is what I do. I mentioned I use a MARK for
MASQUERADE, but forgot to elaborate. That particular MARK is set for
forwarded packets only.


> Also you mention that there are "other marks" , which means that you
> might very well be overwriting marks as you go. A packet/connection can
> have only _one_ mark value at any time, no more no less (a 0x0 is still
> a mark)


I use --or-mark in iptables, so that I can use bitwise masks. The 'ip'
tool supports bit masks too.




RE: [LARTC] Re: multiple routing tables for internal router programs

2007-06-14 Thread Salim S I
I do it the same way, from ip-up. But I only change the two concerned
rules. The rest of the things are free from the IP.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Samad
Sent: Thursday, June 14, 2007 12:23 PM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Re: multiple routing tables for internal router
programs

On Thu, Jun 14, 2007 at 11:50:30AM +0800, Salim S I wrote:
> I solved it, though a bit ugly.
> 
> Have two more rules now in ip ru
> 
> 32150:  from all lookup main
> 32201:  from all fwmark 0x200/0x200 lookup wan1_route
> 32202:  from all fwmark 0x400/0x400 lookup wan2_route
> 32203:  from 10.20.0.137 lookup wan1_route
> 32204:  from 10.2.3.107 lookup wan2_route
> 32205:  from all lookup catch_all
> 32766:  from all lookup main
> 
> I did not like to include WAN IP anywhere, coz it may be dynamic, but
> well, seems like no choice.
I ran into the same problem. I capture the link information at ip-up time
for ppp/pppoe and dhcp time for cable modem, then I fire off a script that
pulls down all the ip ru & ip ro and builds it from scratch (as well as the
specialised iptables rules as well).  This should only happen when I lose a
connection so should be okay


> 
> And then two rules in OUTPUT chain
> iptables -t mangle -A OUTPUT -o eth2 -j LB1
> iptables -t mangle -A OUTPUT -o eth3 -j LB2
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Salim S I
> Sent: Wednesday, June 13, 2007 12:08 PM
> To: 'Peter Rabbitson'
> Cc: lartc@mailman.ds9a.nl
> Subject: RE: [LARTC] Re: multiple routing tables for internal router
> programs
> 
> My configuration 
> 
> [EMAIL PROTECTED]:~# ip ru
> 0:  from all lookup local
> 32150:  from all lookup main
> 32201:  from all fwmark 0x200/0x200 lookup wan1_route
> 32202:  from all fwmark 0x400/0x400 lookup wan2_route
> 32203:  from all lookup catch_all
> 32766:  from all lookup main
> 32767:  from all lookup default
> 
> [EMAIL PROTECTED]:~# ip ro li ta main
> 192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.254
> 10.20.0.0/24 dev eth2  proto kernel  scope link  src 10.20.0.137
> 192.168.1.0/24 dev eth10  proto kernel  scope link  src 192.168.1.254
> 10.2.3.0/24 dev eth3  proto kernel  scope link  src 10.2.3.107
> 127.0.0.0/8 dev lo  scope link
> 
> [EMAIL PROTECTED]:~# ip ro li ta wan1_route
> default via 10.20.0.1 dev eth2  proto static
> [EMAIL PROTECTED]:~# ip ro li ta wan2_route
> default via 10.2.3.254 dev eth3  proto static
> 
> [EMAIL PROTECTED]:~# ip ro li ta catch_all
> default  proto static
> nexthop via 10.20.0.1  dev eth2 weight 1
> nexthop via 10.2.3.254  dev eth3 weight 1
> 
> The catch_all table comes into play only for local packets. All
> forwarded packets are marked in mangle PREROUTING, with 0x200 or 0x400.
> 
> If not the load balancing ping script, there may be other apps using domain
> names instead of IP addresses; they might still fail, right?
> 
> The problem happens when one of the links goes down (not the nexthop, but
> after that). Then the kernel will pick an interface and wrong src IP for
> local packets.
> 
> 
> -Original Message-
> From: Peter Rabbitson [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, June 12, 2007 7:24 PM
> To: Salim S I
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Re: multiple routing tables for internal router
> programs
> 
> Salim S I wrote:
> > Thanks! I get it now.
> > But why the src address for the interface is wrong? 
> > In my case eth2 has a.b.c.d and eth3 has p.q.r.s.
> > 
> > DNS queries going through eth2 have p.q.r.s as src address and those
> > going through eth3 have a.b.c.d. Something wrong with routing?
> 
> Possible. Post full configuration and someone might be able to help.
> 
> > I was wondering, how the ping script (to check the link status) of
> > others works if a domain name is used.
> 
> Don't know about others, and I personally use ip addresses :)
> 
> 
> 
> 
> 




RE: [LARTC] Re: multiple routing tables for internal router programs

2007-06-14 Thread Salim S I
The relevant portions are:

[EMAIL PROTECTED]:~# iptables -t mangle -L LOC -v
Chain LOC (1 references)
 pkts bytes target     prot opt in     out     source               destination
10125 1152K CONNMARK   all  --  any    any     anywhere             anywhere             CONNMARK restore
   64 12017 LB1        all  --  any    any     anywhere             anywhere             state NEW MARK match 0x0 random 84%
  174 28502 LB2        all  --  any    any     anywhere             anywhere             state NEW MARK match 0x0

[EMAIL PROTECTED]:~# iptables -t mangle -L LB1 -v
Chain LB1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
 2350  257K MARK       all  --  any    any     anywhere             anywhere             MARK or 0x200
 2350  257K CONNMARK   all  --  any    any     anywhere             anywhere             CONNMARK save

[EMAIL PROTECTED]:~# iptables -t mangle -L LB2 -v
Chain LB2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
 6931 1196K MARK       all  --  any    any     anywhere             anywhere             MARK or 0x400
 6931 1196K CONNMARK   all  --  any    any     anywhere             anywhere             CONNMARK save

[EMAIL PROTECTED]:~# iptables -t mangle -L OUTPUT -v
Chain OUTPUT (policy ACCEPT 8358 packets, 1290K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1551  119K LB1        all  --  any    eth2    anywhere             anywhere
 6788 1170K LB2        all  --  any    eth3    anywhere             anywhere

NATing is done with MASQUERADE, not SNAT, I use another MARK for it, but
in essence it is
-o eth2 -j MASQUERADE
-o eth3 -j MASQUERADE

In addition, there are several other MARKs for policy routing. They have
their own routing tables also. But at present, they are all empty.

-Original Message-
From: Peter Rabbitson [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 14, 2007 3:27 PM
To: Salim S I
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Re: multiple routing tables for internal router
programs

Salim S I wrote:
> I solved it, though a bit ugly.
> 

Sorry I didn't answer earlier. Can you post your iptables rules too, the
routing alone is not sufficient. If your setup is confidential at least
show all statements that set MARKs one way or another. What you did is
strange, but it might very well be warranted. Still - depends on your
existing rules.




RE: [LARTC] Re: multiple routing tables for internal router programs

2007-06-13 Thread Salim S I
I solved it, though a bit ugly.

Have two more rules now in ip ru

32150:  from all lookup main
32201:  from all fwmark 0x200/0x200 lookup wan1_route
32202:  from all fwmark 0x400/0x400 lookup wan2_route
32203:  from 10.20.0.137 lookup wan1_route
32204:  from 10.2.3.107 lookup wan2_route
32205:  from all lookup catch_all
32766:  from all lookup main

I did not like to include WAN IP anywhere, coz it may be dynamic, but
well, seems like no choice.

And then two rules in OUTPUT chain
iptables -t mangle -A OUTPUT -o eth2 -j LB1
iptables -t mangle -A OUTPUT -o eth3 -j LB2

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salim S I
Sent: Wednesday, June 13, 2007 12:08 PM
To: 'Peter Rabbitson'
Cc: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] Re: multiple routing tables for internal router
programs

My configuration 

[EMAIL PROTECTED]:~# ip ru
0:  from all lookup local
32150:  from all lookup main
32201:  from all fwmark 0x200/0x200 lookup wan1_route
32202:  from all fwmark 0x400/0x400 lookup wan2_route
32203:  from all lookup catch_all
32766:  from all lookup main
32767:  from all lookup default

[EMAIL PROTECTED]:~# ip ro li ta main
192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.254
10.20.0.0/24 dev eth2  proto kernel  scope link  src 10.20.0.137
192.168.1.0/24 dev eth10  proto kernel  scope link  src 192.168.1.254
10.2.3.0/24 dev eth3  proto kernel  scope link  src 10.2.3.107
127.0.0.0/8 dev lo  scope link

[EMAIL PROTECTED]:~# ip ro li ta wan1_route
default via 10.20.0.1 dev eth2  proto static
[EMAIL PROTECTED]:~# ip ro li ta wan2_route
default via 10.2.3.254 dev eth3  proto static

[EMAIL PROTECTED]:~# ip ro li ta catch_all
default  proto static
nexthop via 10.20.0.1  dev eth2 weight 1
nexthop via 10.2.3.254  dev eth3 weight 1

The catch_all table comes into play only for local packets. All
forwarded packets are marked in mangle PREROUTING, with 0x200 or 0x400.

If not the load balancing ping script, there may be other apps using domain
names instead of IP addresses; they might still fail, right?

The problem happens when one of the links goes down (not the nexthop, but
after that). Then the kernel will pick an interface and wrong src IP for
local packets.


-Original Message-
From: Peter Rabbitson [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 12, 2007 7:24 PM
To: Salim S I
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Re: multiple routing tables for internal router
programs

Salim S I wrote:
> Thanks! I get it now.
> But why the src address for the interface is wrong? 
> In my case eth2 has a.b.c.d and eth3 has p.q.r.s.
> 
> DNS queries going through eth2 have p.q.r.s as src address and those
> going through eth3 have a.b.c.d. Something wrong with routing?

Possible. Post full configuration and someone might be able to help.

> I was wondering, how the ping script (to check the link status) of
> others works if a domain name is used.

Don't know about others, and I personally use ip addresses :)




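The CONNMARK scheme discussed in this thread (restore the connection's mark first, classify only new connections, save the choice back to conntrack, and match the routing rules on the load-balancing bits only so other mark bits survive), written out as an added example rather than the poster's own rules; it also covers the "use connmark" answer to the MSN/SSL question earlier on the page, since the pinned-port lines hold a whole connection on one link. Interface names, gateways, table names, mark bits and the pinned ports are placeholders; the rules are emitted as text so they can be reviewed or tested before being applied.

```shell
#!/bin/sh
# Per-connection WAN selection with CONNMARK (constructed example following the
# scheme discussed in the thread; not the poster's own rules).
LAN_IF=eth0
WAN1_IF=eth2; WAN1_GW=10.20.0.1;  WAN1_TABLE=wan1_route   # placeholders
WAN2_IF=eth3; WAN2_GW=10.2.3.254; WAN2_TABLE=wan2_route   # placeholders
LB1_MARK=0x200; LB2_MARK=0x400; LB_MASK=0x600   # two bits reserved for link choice
PINNED_PORTS="443 1863"   # services kept on WAN1 for the life of each connection

# Routing side: match only the load-balancing bits (value/mask), so marks set
# in the other bits for firewalling or tc classification are left alone.
ip_rules() {
    echo "ip route replace default via $WAN1_GW dev $WAN1_IF table $WAN1_TABLE"
    echo "ip route replace default via $WAN2_GW dev $WAN2_IF table $WAN2_TABLE"
    echo "ip rule add fwmark $LB1_MARK/$LB1_MARK lookup $WAN1_TABLE prio 32201"
    echo "ip rule add fwmark $LB2_MARK/$LB2_MARK lookup $WAN2_TABLE prio 32202"
    echo "ip route flush cache"
}

# Netfilter side: a connection is assigned a link once, on its first packet,
# and every later packet gets that choice back from conntrack, so a flow never
# straddles both links the way a per-packet mark or multipath route lets it.
fw_rules() {
    for c in LB1 LB2; do echo "iptables -t mangle -N $c"; done
    echo "iptables -t mangle -A LB1 -j MARK --or-mark $LB1_MARK"
    echo "iptables -t mangle -A LB1 -j CONNMARK --save-mark"
    echo "iptables -t mangle -A LB2 -j MARK --or-mark $LB2_MARK"
    echo "iptables -t mangle -A LB2 -j CONNMARK --save-mark"
    # forwarded traffic: restore first, then classify only what is still unmarked
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --restore-mark"
    for p in $PINNED_PORTS; do
        echo "iptables -t mangle -A PREROUTING -i $LAN_IF -m state --state NEW -m mark --mark 0/$LB_MASK -p tcp --dport $p -j LB1"
    done
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -m state --state NEW -m mark --mark 0/$LB_MASK -m statistic --mode random --probability 0.5 -j LB1"
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -m state --state NEW -m mark --mark 0/$LB_MASK -j LB2"
    # locally generated traffic: tag by the interface the kernel already picked,
    # so the connection keeps following that link (as the OUTPUT rules in the thread do)
    echo "iptables -t mangle -A OUTPUT -o $WAN1_IF -j LB1"
    echo "iptables -t mangle -A OUTPUT -o $WAN2_IF -j LB2"
    # source NAT per outgoing WAN interface, forwarded traffic only
    echo "iptables -t nat -A POSTROUTING -o $WAN1_IF -j MASQUERADE"
    echo "iptables -t nat -A POSTROUTING -o $WAN2_IF -j MASQUERADE"
}

# rule_count: number of commands that would be applied; a quick sanity check.
rule_count() {
    { ip_rules; fw_rules; } | wc -l | tr -d ' '
}

# "sh lb.sh apply" executes the rules (root); anything else just prints them.
case "${1:-}" in
    apply) { ip_rules; fw_rules; } | sh ;;
    *)     ip_rules; fw_rules ;;
esac
```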


RE: [LARTC] Re: multiple routing tables for internal router programs

2007-06-12 Thread Salim S I
My configuration 

[EMAIL PROTECTED]:~# ip ru
0:  from all lookup local
32150:  from all lookup main
32201:  from all fwmark 0x200/0x200 lookup wan1_route
32202:  from all fwmark 0x400/0x400 lookup wan2_route
32203:  from all lookup catch_all
32766:  from all lookup main
32767:  from all lookup default

[EMAIL PROTECTED]:~# ip ro li ta main
192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.254
10.20.0.0/24 dev eth2  proto kernel  scope link  src 10.20.0.137
192.168.1.0/24 dev eth10  proto kernel  scope link  src 192.168.1.254
10.2.3.0/24 dev eth3  proto kernel  scope link  src 10.2.3.107
127.0.0.0/8 dev lo  scope link

[EMAIL PROTECTED]:~# ip ro li ta wan1_route
default via 10.20.0.1 dev eth2  proto static
[EMAIL PROTECTED]:~# ip ro li ta wan2_route
default via 10.2.3.254 dev eth3  proto static

[EMAIL PROTECTED]:~# ip ro li ta catch_all
default  proto static
nexthop via 10.20.0.1  dev eth2 weight 1
nexthop via 10.2.3.254  dev eth3 weight 1

The catch_all table comes into play only for local packets. All
forwarded packets are marked in mangle PREROUTING, with 0x200 or 0x400.

If not the load balancing ping script, there may be other apps using
domain names instead of IP addresses; they might still fail, right?

The problem happens when one of the links goes down (not the nexthop, but
somewhere after it). Then the kernel will pick an interface and the wrong
src IP for local packets.


-Original Message-
From: Peter Rabbitson [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 12, 2007 7:24 PM
To: Salim S I
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Re: multiple routing tables for internal router
programs

Salim S I wrote:
> Thanks! I get it now.
> But why is the src address for the interface wrong?
> In my case eth2 has a.b.c.d and eth3 has p.q.r.s.
> 
> DNS queries going through eth2 have p.q.r.s as src address and those
> going through eth3 have a.b.c.d. Something wrong with routing?

Possible. Post full configuration and someone might be able to help.

> I was wondering how the ping script (to check the link status) of
> others works if a domain name is used.

Don't know about others, and I personally use ip addresses :)


___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] Re: multiple routing tables for internal router programs

2007-06-12 Thread Salim S I
Thanks! I get it now.
But why is the src address for the interface wrong?
In my case eth2 has a.b.c.d and eth3 has p.q.r.s.

DNS queries going through eth2 have p.q.r.s as src address and those
going through eth3 have a.b.c.d. Something wrong with routing?

I was wondering how the ping script (to check the link status) of
others works if a domain name is used.

-Original Message-
From: Peter Rabbitson [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 12, 2007 6:02 PM
To: Salim S I
Cc: 'Andrea'; lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Re: multiple routing tables for internal router
programs

Salim S I wrote:
> Here is my issue with ping.
> 
> When I use -I with ping, the DNS queries for that domain are still sent
> out with the wrong source address through the interface, and hence, no
> reply. This happens on both WAN interfaces.
> When I add rules in the OUTPUT chain to reroute packets with the
> unmatching source address and output interface, things work fine.
> 
> When I use an IP address instead of a URL, everything is fine.
> 

The problem is ping itself, which uses gethostbyname(), which in turn
does not understand how to bind to specific interfaces etc. Besides,
specifying IP addresses instead of hostnames is much much better IMHO.
Here is the ping.c snippet:

    while (argc > 0) {
        target = *argv;

        bzero((char *)&whereto, sizeof(whereto));
        whereto.sin_family = AF_INET;
        if (inet_aton(target, &whereto.sin_addr) == 1) {
            hostname = target;
            if (argc == 1)
                options |= F_NUMERIC;
        } else {
            hp = gethostbyname2(target, AF_INET);
            if (!hp) {
                fprintf(stderr, "ping: unknown host %s\n", target);
                exit(2);
            }
            memcpy(&whereto.sin_addr, hp->h_addr, 4);
            strncpy(hnamebuf, hp->h_name, sizeof(hnamebuf) - 1);
            hnamebuf[sizeof(hnamebuf) - 1] = 0;
            hostname = hnamebuf;
        }
        if (argc > 1)
            route[nroute++] = whereto.sin_addr.s_addr;
        argc--;
        argv++;
    }


___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] Re: multiple routing tables for internal router programs

2007-06-12 Thread Salim S I
Here is my issue with ping.

When I use -I with ping, the DNS queries for that domain are still sent
out with the wrong source address through the interface, and hence, no
reply. This happens on both WAN interfaces.
When I add rules in the OUTPUT chain to reroute packets with the
unmatching source address and output interface, things work fine.

When I use IP address instead of URL, everything is fine.

I have applied Julian's routes patch. 

What could be the problem?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Rabbitson
Sent: Tuesday, June 12, 2007 5:29 PM
To: Andrea
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Re: multiple routing tables for internal router
programs

Andrea wrote:
> Very very clear. Thanks very much!!! The only still obscure aspect for
> me is this:
> 
>  >you can request a specific interface (what you would do with the ping
> script)

Check the man page of ping, and look for the '-I' option. Most network
testing utilities have this capability in one form or another. By the way,
if you request an _interface_ and not a specific IP, the first IP of the
interface is taken as listed by `ip addr`
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc




RE: [LARTC] Re: multiple routing tables for internal router programs

2007-06-12 Thread Salim S I
You have to capture the local packets in OUTPUT chain, not in
PREROUTING.

Well, I have a problem with the ping scripts used for dead gateway
detection; I will post it in another thread.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andrea
Sent: Tuesday, June 12, 2007 4:00 PM
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Re: multiple routing tables for internal router
programs


> I was saying Andrea: Try to define a new routing table, add a chain in
> mangle table for tagging packets and add a rule to deliver those packets
> to the new route.
> Again, I'm sorry. I didn't know this is a "english-only" list.

Thanks for the reply.

This is the exact way that I used for managing traffic of my lan towards
ISPs. But is this mode still valid if I want to manage services
executed directly in the router?

this rule:

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1

captures all (web) traffic that crosses my router. Can I capture only the
(web) traffic generated from my router and directed to the internet?

Anyway, I don't need it any more: I've resolved my problem, the conflict
between a "ping script" (that I'm writing for multiple gateway
testing) and servers executed in the router too: the first version of my
script set a default gateway for testing it with ping; now I've
discovered that I can use a specific route involving the gateway without
setting a default gateway, a much better solution.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] Multihome load balancing - kernel vs netfilter

2007-06-04 Thread Salim S I


-Original Message-
From: Luciano Ruete [mailto:[EMAIL PROTECTED] 
Sent: Saturday, June 02, 2007 11:28 AM
To: Salim S I
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Multihome load balancing - kernel vs netfilter

> Is not about ego, sorry if you take this personal, it is not my
> intention, i speak rude because this list gets heavily indexed by
> google, and it is taken as good advice for many answer seekers.
>
> You affirm that Linux cannot handle load balancing properly and this is
> completely WRONG and is bad advertising and a lie.
>
> Since the 2.4 series the great julian's patches[1] have been available,
> and then in 2.6.12 CONNMARK has got into mainline, and with a little of
> setup all connection problems related to load balancing get perfectly
> solved.


I did not say Linux can't do load balancing (btw, my setup has Julian's
DGD patch as well as CONNMARK). But there are some limitations to the
popular methods currently used.

1. As Peter Rabbitson [EMAIL PROTECTED] mentioned, one issue is the
separate control and data servers. He mentions AIM servers as an example.
This probably can only be solved by having an exception IP list.

2. The other situation, and the one I am more concerned about, is
different connections which belong to the same session.

Consider Client X and Server Y.

Client X initiates a connection from port a to port b of server Y.

Xa <---> Yb   This connection goes through WAN1.

After some time, X opens another connection to Y from port c to port d.

Xc <---> Yd   This is a perfectly new TCP connection, so it may go
through WAN2.

(Note that the client is NATed, and that no CONNTRACK exists for this
app)

The server may reject the second and subsequent connections as they come
in with a different source IP than the first.

This situation happens often in IM and gaming scenarios. Some sort of IP
persistence is required to handle this. And I was wondering if the
'recent' match would solve this to an extent, without affecting
performance. Or if there is some other method available. (Note that I
can't depend much on cache).




___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] Multihome load balancing - kernel vs netfilter

2007-05-30 Thread Salim S I

Before we get into the "Top-posting" stuff, it would be nice if you
followed the normal way of replying (or at least marking a copy) to the
list. I think that is the basic idea behind a mailing list.
If you had done that, I wouldn't have had to do the "Top-Posting". Take
a look at the archives please.

-Original Message-
From: Luciano Ruete [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 31, 2007 12:26 PM
To: Salim S I
Subject: Re: [LARTC] Multihome load balancing - kernel vs netfilter

On Wednesday 30 May 2007 00:58:18 you wrote:
First of all, learn about basic[1] mailing list rules, mainly your
top-posting[2] is breaking all the sense of the thread

>> Sorry, but it doesn't work that way

> yes it does.

Up to you if you refuse to accept, doesn't matter for me if you choose
to live in your little world.


>> CONNMARK needs helper modules like the ones for FTP or H.323 to really
>> know if connections belong to the same session. To cover all gaming and
>> IM apps with own helper modules is practically impossible.

> these helpers are needed because some special protocols have special
> needs, all other protocols are covered in a simpler manner by following
> the tcp flow between two ports, you need at least a little low level
> knowledge about layer 3-4 protocols to understand this.

Yessir. 3 bags full.
If you had read my post c l e a r l y, before you felt obliged to show
off your knowledge, you might have understood that I was talking about
the so-called 'special-protocols'.
Btw, thanks for that bit about "TCP flow between two ports", was quite
new to me.


>> I remember
>> even MSN have had problems (timeout every 5 mins), but it seems to have
>> been fixed at the server level.

> With the CONNMARK solution 99,99% of the things work, i am the
> sys/net-admin from an ISP that proves it, with load balancing over
> multiple links.

Sorry again! That figure of '99.99' is in YOUR case, but are you aware
there are others in this world too, with different scenarios/setups? You
did not think Peter and I were dreaming up a scenario, did you?
Btw, your being a netadmin doesn't automatically make your statements
correct.

> For each protocol that is not covered by simple tcp flow a helper
> module was written.

It must be a well kept secret then!
I am sorry to say this, if your knowledge was half the size of your ego,
it would have been good for us all.


>> Could you please point out if I had missed any open discussion in the
>> list which covers these things?

> just google(ie): "connmark site:lartc...archive"

Thanks for introducing google. But my question still stands.





___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] Multihome load balancing - kernel vs netfilter

2007-05-29 Thread Salim S I
Sorry, but it doesn't work that way.
CONNMARK needs helper modules like the ones for FTP or H.323 to really
know if connections belong to the same session. To cover all gaming and
IM apps with own helper modules is practically impossible. I remember
even MSN have had problems (timeout every 5 mins), but it seems to have
been fixed at the server level.
Could you please point out if I had missed any open discussion in the
list which covers these things?


-Original Message-
From: Luciano Ruete [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 30, 2007 11:46 AM
To: Salim S I
Subject: Re: [LARTC] Multihome load balancing - kernel vs netfilter

On Tuesday 29 May 2007 03:16:47 you wrote:
> None of the load balancing techniques I have come across seems to cover
> 'IP-Persistence'. For example, a session with several connections (for
> which no conntrack-helper modules exist), will have problems, as its
> connections will be routed through different WAN interfaces. Some
> servers are very particular about the source IP of the packets they
> receive. I suspect online gaming and instant messengers will have
> problems with load balancing. How is the experience of other people in
> here?
>
> A rewrite of 'recent' match to include both source and destination may
> turn out to be a solution, albeit with low performance. Any other ideas?

In this same thread a CONNMARK solution was exposed, and this same
CONNMARK solution was openly discussed several times in this list.

All the cases that you mention (online gaming, instant messenger) and
all other that you do not mention are solved having a connection-aware
firewall, which is capable of routing over the same link packets that
belong to the same logical connection; this is achieved perfectly using
netfilter CONNMARK.

Regards!
-- 
Luciano


___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] Multihome load balancing - kernel vs netfilter

2007-05-28 Thread Salim S I

None of the load balancing techniques I have come across seems to cover
'IP-Persistence'. For example, a session with several connections (for
which no conntrack-helper modules exist), will have problems, as its
connections will be routed through different WAN interfaces. Some
servers are very particular about the source IP of the packets they
receive. I suspect online gaming and instant messengers will have
problems with load balancing. How is the experience of other people in
here?

A rewrite of 'recent' match to include both source and destination may
turn out to be a solution, albeit with low performance. Any other ideas?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Luciano Ruete
Sent: Tuesday, May 22, 2007 11:28 AM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Multihome load balancing - kernel vs netfilter

On Monday 14 May 2007 02:57, Peter Rabbitson wrote:
> Hi,
> I have searched the archives on the topic, and it seems that the list
> gurus favor load balancing to be done in the kernel as opposed to other
> means.

AFAIKR there aren't conflicting opinions, there are just two different
approaches and i believe that the routing solution is used cause it was
the first and because it sounds logical to implement multipath with your
routing tool. But iptables has become a routing tool so far (and much
more).

Personally im using multipath, but i do not dislike the iptables approach.

> I have been using a home-grown approach, which splits traffic
> based on `-m statistic --mode random --probability X`, then CONNMARKs
> the individual connections and the kernel happily routes them. I
> understand that for > 2 links it will become impractical to calculate a
> correct X.

well, is not impractical with a little of scripting in your firewall...

#!/bin/bash
# your uplinks weight as in kernel multipath
# ie:   link1 link2 link3 link4 link5
weight="  1 2 1 3 5  "
weight_total=0
for n in $weight ; do
    let weight_total=weight_total+n
done
for n in $weight ; do
    probability=$((n*100/weight_total))
    echo iptables.. -m statistic --mode random --probability $probability
done

but the problem arises when you have lets say 101 links, cause mode
random takes a 2 digit number right?, but this can be changed in the code
(use the source...)

> But if we only have 2 gateways to the internet - are there
> any advantages in letting the kernel multipath scheduler do the
> balancing (with all the downsides of route caching), as opposed to the
> pure random approach described above?

Well, the disadvantage i see is that you have to move all your routing
rules to iptables space, but in the end you always need the routing
table, but it is a matter of changing old habits...

-- 
Luciano
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] Multihome load balancing - kernel vs netfilter

2007-05-14 Thread Salim S I
iptables -t mangle -A PREROUTING -j ISP2

Doesn't it need to check for state NEW? Or packets will not reach the
restore-mark rule.

You may have to manually populate the routing tables when an interface
comes up, after being down for some time. (Kernel would have removed the
routing entries for this interface after it found the interface down.
This happens only if its nexthop is down)

I tend to favor this approach, because it is more flexible in selecting
the interface. You can use different weights/probability depending on
different factors. I have seen a variation of this method, used with
'recent' (-m recent) match, instead of CONNMARK.
The only downside in using this method, as far as I can see, is the need
to reconfigure rules and routing tables, in case of a failure/coming-up.
But lately, I have found that even with multipath method, there IS a
need for reconfiguration.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Rabbitson
Sent: Monday, May 14, 2007 3:16 PM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Multihome load balancing - kernel vs netfilter

Salim S I wrote:
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Rabbitson
>> Sent: Monday, May 14, 2007 1:57 PM
>> To: lartc@mailman.ds9a.nl
>> Subject: [LARTC] Multihome load balancing - kernel vs netfilter
>> 
>> Hi,
>> I have searched the archives on the topic, and it seems that the list
>> gurus favor load balancing to be done in the kernel as opposed to other
>> means. I have been using a home-grown approach, which splits traffic
>> based on `-m statistic --mode random --probability X`, then CONNMARKs
>> the individual connections and the kernel happily routes them. I
>> understand that for > 2 links it will become impractical to calculate a
>> correct X. But if we only have 2 gateways to the internet - are there
>> any advantages in letting the kernel multipath scheduler do the
>> balancing (with all the downsides of route caching), as opposed to the
>> pure random approach described above?
> 
> I have thought about this approach, but, I think, this approach does not
> handle failover/dead-gateway-detection well. Because you need to alter
> all your netfilter routing rules if you find a link down. And then
> reconfigure again when the link comes up. I am interested to know how
> you handle that.
> 

Certainly. What I am doing is NATing a large company network, which gets
load balanced and receives fail over protection. I also have a number of
services running on the router which must not be balanced nor failed
over, as they are expected to respond on a specific IP only. All
remaining traffic on the server itself is not balanced but fails over
when the designated primary link goes down.

I start with a simple pinger app, that pings several well known remote
sites once a minute using a large icmp packet (1k of payload). The rtt
times are averaged out and are used to calculate the current "quality"
of the link (the large packet makes congestion a visible factor). If one
of the interface responses is 0 (meaning not a single one of the pinged
hosts has responded) - the link is dead.

In iproute I have two separate tables, each using one of the links as
default gw, matching a certain mark. The default route is set to a
single gateway (not a multipath), either by hardcoding, or by using the
first input of the pinger (it can run without a default gw set,
explanation follows)

In iptables I have two user defined chains:
iptables -t mangle -A ISP1 -j CONNMARK --set-mark 11
iptables -t mangle -A ISP1 -j MARK --set-mark 11
iptables -t mangle -A ISP1 -j ACCEPT

iptables -t mangle -A ISP2 -j CONNMARK --set-mark 12
iptables -t mangle -A ISP2 -j MARK --set-mark 12
iptables -t mangle -A ISP2 -j ACCEPT

The rules that reference those chains are:

For all locally originating traffic:
iptables -t mangle -A OUTPUT -o $I1 -j ISP1
iptables -t mangle -A OUTPUT -o $I2 -j ISP2

For all incoming traffic from the internet:
iptables -t mangle -A PREROUTING -i $I1 -m state --state NEW -j ISP1
iptables -t mangle -A PREROUTING -i $I2 -m state --state NEW -j ISP2

For all other traffic (nat)
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic
--mode random --probability $X -j ISP1
iptables -t mangle -A PREROUTING -j ISP2

At the end of the PREROUTING chain I have
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

The NATing is trivially solved by:
iptables -t nat -A POSTROUTING -s 10.0.58.0/24 -j SOURCE_NAT
iptables -t nat -A POSTROUTING -s 192.168.58.0/24 -j SOURCE_NAT
iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j SOURCE_NAT

iptables -t nat -A SOURCE_NAT -o $I1 -j SNAT --to $I1_IP
iptables -t nat -A SOURCE_N
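Luciano's weight loop and Peter's chained PREROUTING rules, worked through as an added example (not code from either poster): since each "-m statistic --mode random" rule only sees the new connections the earlier rules did not claim, the probability for link i has to be its weight over the remaining weight, and every rule keeps the NEW-state match Salim asked about. The marking chains ISP1..ISPn are assumed to exist as in Peter's mail.

```shell
#!/bin/sh
# Added example, not code from any of the posters. Turns per-link weights
# (Luciano's "1 2 1 3 5") into the chained "-m statistic --mode random"
# PREROUTING rules of Peter's setup, jumping to marking chains ISP1..ISPn
# (assumed to exist, as in Peter's mail).
#
# Rule i is only evaluated for new connections that rules 1..i-1 did not
# already match, so its probability must be w_i / (w_i + ... + w_n), not
# w_i / total. The last rule therefore always gets probability 1 and needs
# no statistic match. Every rule keeps "-m state --state NEW" so that
# packets of established connections fall through to --restore-mark.

# probabilities "1 2 1 3 5" -> one probability per line, 4 decimals.
# Weights must be positive integers.
probabilities() {
    printf '%s\n' "$1" | awk '{
        remaining = 0
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^[0-9]+$/ || $i == 0) {
                print "bad weight: " $i > "/dev/stderr"; exit 1
            }
            remaining += $i
        }
        for (i = 1; i <= NF; i++) {
            printf "%.4f\n", $i / remaining
            remaining -= $i
        }
    }'
}

# effective_shares "1 2 1 3 5" -> the fraction of new connections each link
# ends up with when the rules are chained; it reproduces w_i / total, which
# is the check that the sequential probabilities are right.
effective_shares() {
    probabilities "$1" | awk 'BEGIN { left = 1 }
    {
        share = left * $1      # P(packet reaches rule) * P(rule matches)
        printf "%.4f\n", share
        left -= share          # what falls through to the next rule
    }'
}

# rules "1 2 1 3 5" -> the iptables commands, one per link, in order.
rules() {
    i=0
    for p in $(probabilities "$1"); do
        i=$((i + 1))
        if [ "$p" = "1.0000" ]; then
            echo "iptables -t mangle -A PREROUTING -m state --state NEW -j ISP$i"
        else
            echo "iptables -t mangle -A PREROUTING -m state --state NEW" \
                 "-m statistic --mode random --probability $p -j ISP$i"
        fi
    done
}

# Print the rule set for the weights from Luciano's example.
rules "1 2 1 3 5"
```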

RE: [LARTC] Multihome load balancing - kernel vs netfilter

2007-05-13 Thread Salim S I
I have thought about this approach, but, I think, this approach does not
handle failover/dead-gateway-detection well. Because you need to alter
all your netfilter routing rules if you find a link down. And then
reconfigure again when the link comes up. I am interested to know how
you handle that.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Rabbitson
Sent: Monday, May 14, 2007 1:57 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Multihome load balancing - kernel vs netfilter

Hi,
I have searched the archives on the topic, and it seems that the list
gurus favor load balancing to be done in the kernel as opposed to other
means. I have been using a home-grown approach, which splits traffic
based on `-m statistic --mode random --probability X`, then CONNMARKs
the individual connections and the kernel happily routes them. I
understand that for > 2 links it will become impractical to calculate a
correct X. But if we only have 2 gateways to the internet - are there
any advantages in letting the kernel multipath scheduler do the
balancing (with all the downsides of route caching), as opposed to the
pure random approach described above?

Thanks

Peter
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] DGD patch not detecting dead gateway

2007-05-13 Thread Salim S I
I had followed that discussion, but my doubt remains. For MASQUERADE
too, it depends on the 'src' parameter, which was configured statically.
But after the interface comes up with a new address, the initial
configuration will be invalid because 'src' is not correct anymore, it
seems... Or have I misunderstood the concept?

-Original Message-
From: Manish Kathuria [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 14, 2007 1:36 PM
To: Salim S I
Cc: lartc@mailman.ds9a.nl; [EMAIL PROTECTED]
Subject: Re: [LARTC] DGD patch not detecting dead gateway

On 5/11/07, Salim S I <[EMAIL PROTECTED]> wrote:

>
> I have a doubt. If you use such a script monitoring the link status with
> ping and then reconfiguring, why do you need the DGD patch? You need to do
> some reconfiguration (change multipath to a single default route) anyway if
> you use the script, right?

The patches take care of many other issues also. Please refer to the
archives here:

http://mailman.ds9a.nl/pipermail/lartc/2007q1/020403.html


-- 
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/


___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] PRIO and TBF is much better than HTB??

2007-05-11 Thread Salim S I
That is why I said 'in theory'. Using PRIO qdisc, I have never been able
to achieve starvation of low priority traffic. I have tested with same
rates for both high and low prio traffic, and did not see high priority
traffic really dominating. Maybe a high rate of high prio traffic
combined with a low rate of low prio traffic will achieve this, I don't
know. 
The cumulative effect you see is more likely due to the errant behavior,
not the intended behavior of PRIO qdisc. I may be wrong here; I am
speaking only from my experience. You make a decision whether to depend
on this unintentional, but very common, behavior or not. Another thing
is, PRIO qdisc lists a known bug: High rate of low priority traffic will
starve High priority traffic. So if all goes according to the known
documentation, 'some' of your traffic will starve under 'some'
condition. :-)
 
But yes, TBF+PRIO is the preferred solution for latency sensitive
applications, like Voice/Video. In such cases, one doesn't care if the
non-realtime traffic is starved or not. The PRIO algorithm is designed
to 'empty' high priority queue first. HTB only ensures that high
priority queue is 'serviced' first. 
HTB has a fair queuing algorithm. It is not really suited for
prioritizing traffic, i.e. to give absolute priority. Still, you may take
a look at the wondershaper script, which prioritizes some traffic using
HTB.
 
-Original Message-
From: Simo [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 11, 2007 4:37 PM
To: 'Salim S I'; lartc@mailman.ds9a.nl
Subject: RE: [LARTC] PRIO and TBF is much better than HTB??
 
Hi,
Thanks for your answer.
You are right concerning the PRIO QDisc, but what I did not understand
is that the combination (PRIO+TBF) made a shaping nearly exactly the
same as with HTB, only with better latency. One sees this with the
comparison of the two following illustrations of my simulation:
HTB with prio parameter cumulative:
http://simo.mix4web.de/up/htb_cumul_prio_paramter.jpg
PRIO and TBF cumulative: http://simo.mix4web.de/up/prio_tbf_cumul.jpg

>
> theory it will even starve the low priority traffic, if high prio
> traffic is waiting to go out.
>

In the first illustration you can see that the low priority traffic
also has been served (nearly exactly the same as with HTB), because of
the use of PRIO in combination with TBF.
But the latency is much better, if you compare the following
illustrations:
HTB with prio parameter delay:
http://simo.mix4web.de/up/htb_delay_prio_parameter.jpg
PRIO and TBF delay: http://simo.mix4web.de/up/prio_tbf_delay.jpg

I think that the overhead with the HTB algorithm is larger and the
scheduler keeps the packets a little longer in the queues.

Simo
 
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] PRIO and TBF is much better than HTB??

2007-05-10 Thread Salim S I
HTB’s priority and PRIO qdisc are very different.
 
PRIO qdisc will definitely give better latency for your high priority
traffic, since the qdisc is designed for the purpose of ‘priority’. In
theory it will even starve the low priority traffic, if high prio
traffic is waiting to go out.
 
HTB’s priority is different, it only gives relative priority. High prio
class in a level is de-queued first during the roundrobin/wrr cycle, but
lower priority classes will also be fairly serviced, unlike PRIO qdisc.
 
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Simo
Sent: Thursday, May 10, 2007 11:13 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] PRIO and TBF is much better than HTB??
 
Hello mailing list,
I stand before a mystery and cannot explain it :-). I want to do shaping
and prioritization and I have done the following configurations and
simulations. I can't explain why the combination of PRIO and TBF is
much better than HTB (with the prio parameter) alone or in
combination with SFQ.
Here are my example configurations: 2 traffic classes http (80 = 0x50)
and ssh (22 = 0x16), and in my example, I want to prioritize the
http-traffic:
HTB: the results of the simulation are here:
HTB cumulative: http://simo.mix4web.de/up/htb_cumul.jpg
HTB delay: http://simo.mix4web.de/up/htb_delay.jpg
HTB with prio parameter cumulative:
http://simo.mix4web.de/up/htb_cumul_prio_paramter.jpg
HTB with prio parameter delay:
http://simo.mix4web.de/up/htb_delay_prio_parameter.jpg
 
#define UPLOAD 1000kbps
dev eth0 1000 {
    egress {
        class ( <$high> ) if tcp_dport == 80;
        class ( <$low> )  if tcp_dport == 22;
        htb () {
            class ( rate UPLOAD, ceil UPLOAD ) {
                /* with the prio parameter:
                   $high = class ( rate 700kbps, ceil UPLOAD, prio 0 ); */
                $high = class ( rate 700kbps, ceil UPLOAD );
                /* with the prio parameter:
                   $low  = class ( rate 300kbps, ceil UPLOAD, prio 0 ); */
                $low  = class ( rate 300kbps, ceil UPLOAD, prio 1 );
            }
        }
    }
}
 
/* 1Mbit 0.0008 = 100*8/10^6  */
every 0.0008s send TCP_PCK($tcp_dport=22) 0 x 60
/* 800kbit/s  */
every 0.001s send TCP_PCK($tcp_dport=80) 0 x 60
time 2s
 
 
PRIO and TBF:
PRIO and TBF cumulative: http://simo.mix4web.de/up/prio_tbf_cumul.jpg
PRIO and TBF delay: http://simo.mix4web.de/up/prio_tbf_delay.jpg
 
#define UPLOAD 1000kbps
 
dev eth0 1000 {
    egress {
        class ( <$high> ) if tcp_dport == 80;
        class ( <$low> )  if tcp_dport == 22;
        prio {
            $high = class { tbf ( rate 700kbps, burst 1510B, mtu 1510B,
                                  limit 3000B ); }
            $low  = class { tbf ( rate 300kbps, burst 1510B, mtu 1510B,
                                  limit 3000B ); }
        }
    }
}
 
/* 1Mbit 0.0008 = 100*8/10^6  */
every 0.0008s send TCP_PCK($tcp_dport=22) 0 x 60
/* 800kbit/s  */
every 0.001s send TCP_PCK($tcp_dport=80) 0 x 60
time 2s
 
 
The delay with the combination of PRIO and TBF is much better than with
HTB. (Is it possible that packets are maybe dropped by the combination of
PRIO and TBF, and that's why the latency is so good???)
 
Do you have an idea???
 
thanks
simo
 

-
In a world without walls who needs gates and windows?
 
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


Re: [LARTC] DGD patch not detecting dead gateway

2007-05-10 Thread Salim S I
I have a doubt. If you use such a script monitoring the link status with
ping and then reconfiguring, why do you need the DGD patch? You need to
do some reconfiguration (change multipath to a single default route)
anyway if you use the script, right?
 
Also, the DGD patch uses src to lookup the routing table entry, but if
you have a dynamic IP for the WAN interface (PPPoE, DHCP etc), this
approach is bound to fail, right?
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] Load balancing using connmark

2007-05-10 Thread Salim S I
Let me explain why the marking is done in POSTROUTING.

The first packet of any connection gets routed by the multipath routing
entry. This happens AFTER PREROUTING, as you know. And this is what we
want, letting the kernel decide based on the weights. (Some people do
think that we shouldn't let multipath decide routing, but that's a
different story.)

So where can this packet be marked? Obviously in POSTROUTING (so that
local pkts also can be caught). We mark it and save it (connmark). The
mark is decided by the chosen interface (e.g. -o WAN1 --set-mark 1,
-o WAN2 --set-mark 2).

In PREROUTING, there is a restore-mark. You see

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

If this packet belongs to a connection that has already sent a packet,
this will restore the mark set in POSTROUTING. Then it will be routed by
the corresponding routing table (wan1 table: lookup mark 1, wan2 table:
lookup mark 2).
If it is a new pkt, it will be routed by the multipath routing
statement, since no mark exists.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Rabbitson
Sent: Thursday, May 10, 2007 6:51 PM
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Load balancing using connmark

Salim S I wrote:
> Francis Brosnan Blazquez wrote:
>
>> Hi,
>>
>> I've been implementing a load balancing solution using CONNMARK, based
>> on solution described by Luciano Ruete at [1]. Thanks for the post and
>> for pointing in the right direction, Luciano!
>>
>> Once implemented, I've found that due to some reason packets aren't
>> properly marked (or improperly remarked) and sent out using the wrong
>> interface.
>>
>> iptables -t mangle -A POSTROUTING -m mark  --mark ! 0 -j ACCEPT
>> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
>> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
>> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
>
> This is wrong. POSTROUTING is exactly what it is: _POST_ routing. By the
> time you do your marks and stuff the kernel has _already_ assigned a
> packet to an interface, and you can not alter this anymore.
>
>> After a bit of testing with the second solution, it seems to behave
>> better, doing all marking job at the PREROUTING and OUTPUT.
>
> This is flawed too. OUTPUT suffers from the very same problem as
> POSTROUTING - by the time the packets hit the NF stack the process has
> already bound itself to an interface, which you can not change anymore.
>
> Peter
>
> Disagree with Peter. The marking in postrouting table is CONNMARK. This
> is for marking the connection, which has already had a route decided for
> it, so that all packets of the connection pass through this interface.
> This marking is done for packets with NEW state, see the check for
> mark==0 in the prev. line. The restore mark in PREROUTING will restore
> the connmark and route the subsequent packets.
>
> This approach will work, but you need some sort of stateful-ness in
> netfilter.
>

Connmark is exactly the statefulness you are talking about. The problem
is that the marks by themselves do not mean anything. You mark packets
and expect iproute to classify the packet in the correct routing table
etc. CONNMARK is invisible to iproute - this is why you have only
--save-mark and --restore-mark, and the rest of the rules deal with real
MARKs.

Further you (and the OP) seem to be confused by a mix of routing tasks.
In the case of _forwarded_ traffic, you need to make sure that all
packets within a connection leave to WAN over the same interface, and
are SNATed to the same ip, so that they will come back the same
interface. The SNATting is trivial (as it can be done in POSTROUTING
only), but you need to set all marks before the routing takes place
(which is anywhere _but_ POSTROUTING). You might mark the connection
with the proper CONNMARK, and subsequent packets might get routed
correctly, but the _first_ packet (the one that you use to set the mark)
is already assigned to an interface, and there is nothing you can do
about it.

In the case of _local_ traffic - it becomes even trickier. The problem
is that when sockets are created they already have a source IP (the
kernel determines that by looking at the default routing table, your
marks do not exist yet). So since you can not alter the socket binding,
the only way to make it leave on a different interface is by treating it
as a forwarded connection and performing NAT on it. It is arguable if
NATting locally originating connections is a good idea, but it can be
done in OUTPUT just like it is 
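To trace the order of events the two of them argue about, here is an added Python model (example code written for this page, not anything from the thread or from the quoted scripts): a PREROUTING restore-mark, a routing step in which a non-zero fwmark selects a per-WAN table and a zero mark falls through to a stand-in for the multipath route, and the POSTROUTING rules quoted above. The interface names, the addresses and the strict alternation of the multipath stand-in are constructed for the example; the restore/save arithmetic is the one iptables documents for CONNMARK with its default mask.

```python
# Added example (not from the thread): a model of the CONNMARK-based
# multipath load balancing, so the first packet and the later packets of
# one connection can be followed through PREROUTING, routing and POSTROUTING.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

FULL_MASK = 0xFFFFFFFF                       # iptables default --mask for CONNMARK
FWMARK_TABLE = {0x1: "eth1", 0x2: "eth2"}    # ip rule fwmark 1 table wan1, fwmark 2 table wan2
IFACE_MARK = {"eth1": 0x1, "eth2": 0x2}      # -o eth1 --set-mark 1, -o eth2 --set-mark 2

FlowKey = Tuple[str, int, str, int, str]     # direction-independent, like a conntrack tuple


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    mark: int = 0                    # the packet's own nfmark
    out_if: Optional[str] = None     # decided at the routing step


@dataclass
class Conntrack:
    ctmark: int = 0                  # the connection mark (ct->mark), 0 until saved


def flow_key(p: Packet) -> FlowKey:
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (lo[0], lo[1], hi[0], hi[1], p.proto)


def connmark_restore(p: Packet, ct: Conntrack, mask: int = FULL_MASK) -> None:
    # CONNMARK --restore-mark: nfmark = (nfmark & ~mask) | (ctmark & mask)
    p.mark = (p.mark & ~mask) | (ct.ctmark & mask)


def connmark_save(p: Packet, ct: Conntrack, mask: int = FULL_MASK) -> None:
    # CONNMARK --save-mark: ctmark = (ctmark & ~mask) | (nfmark & mask)
    ct.ctmark = (ct.ctmark & ~mask) | (p.mark & mask)


class Router:
    """Walks one LAN-to-WAN packet through PREROUTING -> routing -> POSTROUTING."""

    def __init__(self, multipath: Callable[[], str]):
        self.conntrack: Dict[FlowKey, Conntrack] = {}
        self.multipath = multipath   # stand-in for the weighted multipath route

    def prerouting(self, p: Packet, ct: Conntrack) -> None:
        # iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
        connmark_restore(p, ct)

    def route(self, p: Packet) -> None:
        # A non-zero fwmark hits the per-WAN table; a zero mark (first packet
        # of a connection) is routed by the multipath entry in the main table.
        p.out_if = FWMARK_TABLE.get(p.mark) or self.multipath()

    def postrouting(self, p: Packet, ct: Conntrack) -> None:
        if p.mark != 0:              # -m mark ! --mark 0 -j ACCEPT
            return
        p.mark = IFACE_MARK[p.out_if]   # -o eth1 --set-mark 1 / -o eth2 --set-mark 2
        connmark_save(p, ct)         # -j CONNMARK --save-mark

    def forward(self, p: Packet) -> str:
        ct = self.conntrack.setdefault(flow_key(p), Conntrack())
        self.prerouting(p, ct)
        self.route(p)
        self.postrouting(p, ct)
        return p.out_if


def demo() -> Dict[str, str]:
    # Constructed sample traffic. The multipath stand-in alternates strictly so
    # that the effect of the restored mark is visible (a kernel picks by weight).
    choices = iter(["eth1", "eth2", "eth1", "eth2"])
    r = Router(multipath=lambda: next(choices))
    a1 = Packet("10.0.0.5", 40000, "198.51.100.7", 80)
    a2 = Packet("10.0.0.5", 40000, "198.51.100.7", 80)    # same connection as a1
    b1 = Packet("10.0.0.6", 40001, "203.0.113.9", 443)   # a new connection
    return {"a1": r.forward(a1), "a2": r.forward(a2), "b1": r.forward(b1)}


if __name__ == "__main__":
    print(demo())
```

Read against the thread: a1 reaches the routing step with mark 0, so the multipath stand-in picks its interface, and POSTROUTING only records that choice; a2 arrives with the restored mark and is sent to the same interface without multipath being consulted; b1 is a fresh connection and goes through multipath again.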

FW: [LARTC] Load balancing using connmark

2007-05-10 Thread Salim S I


-Original Message-
From: Salim S I [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 10, 2007 5:22 PM
To: 'Francis Brosnan Blazquez'
Subject: RE: [LARTC] Load balancing using connmark

"I think the main advantage of shorewall solution is that it applies
connmark to incoming packets from the wan as you point, leaving load
balancing to outgoing connections to the main table"

Actually, the main table/multipath route only routes the first packet of
a connection. The subsequent routing for that connection is done based
on connmark, for outgoing packets too. Otherwise replies to packets
coming from WAN1 may go through WAN2. The difference in the two
solutions is only in where packets are marked and which packets are
marked. Routing is the same.

For a detailed discussion on the first approach, you can refer to this
thread. 

http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html


-Original Message-
From: Francis Brosnan Blazquez [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 10, 2007 5:07 PM
To: Salim S I
Cc: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] Load balancing using connmark

On Thu, 2007-05-10 at 16:01 +0800, Salim S I wrote:
Hi Salim,

Thanks for your reply,

> On closer look, I am wrong about shorewall. It seems to be a different
> approach to load balancing. They connmark the incoming packets from
> WAN, rather than outgoing packets. I think it should work well, but I
> wonder why this approach is not popular. There must be some drawback
> to it. I can't think of one, though.

I think the main advantage of shorewall solution is that it applies
connmark to incoming packets from the wan as you point, leaving load
balancing to outgoing connections to the main table.

In any case, with this second solution I don't see wrong routed packages
on wan interfaces using tcpdump, whereas with the first solution I do.
More testing is required.

Regarding to your previous reply, can you elaborate more on "...This
approach will work, but you need some sort of stateful-ness in
netfilter..."

Cheers!

-- 
Francis Brosnan Blazquez <[EMAIL PROTECTED]>
Advanced Software Production Line, S.L.




RE: [LARTC] Load balancing using connmark

2007-05-10 Thread Salim S I
On closer look, I am wrong about shorewall. It seems to be a different
approach to load balancing. They connmark the incoming packets from WAN,
rather than outgoing packets. I think it should work well, but I wonder
why this approach is not popular. There must be some drawback to it. I
can't think of one, though.
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salim S I
Sent: Thursday, May 10, 2007 2:15 PM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Load balancing using connmark
 
Francis Brosnan Blazquez wrote:
> Hi,
> 
> I've been implementing a load balancing solution using CONNMARK, based
> on solution described by Luciano Ruete at [1]. Thanks for the post and
> for pointing in the right direction, Luciano!
> 
> Once implemented, I've found that due to some reason packets aren't
> properly marked (or improperly remarked) and sent out using the wrong
> interface. 
> 
> 
> 
> iptables -t mangle -A POSTROUTING -m mark  --mark ! 0 -j ACCEPT 
> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
 
This is wrong. POSTROUTING is exactly what it is: _POST_ routing. By the
time you do your marks and stuff the kernel has _already_ assigned a
packet to an interface, and you can not alter this anymore.
 
> After a bit of testing with the second solution, it seems to behave
> better, doing all marking job at the PREROUTING and OUTPUT.
 
This is flawed too. OUTPUT suffers from the very same problem as
POSTROUTING - by the time the packets hit the NF stack the process has
already bound itself to an interface, which you can not change anymore.
 
Peter
 
Disagree with Peter. The marking in postrouting table is CONNMARK. This
is for marking the connection, which has already had a route decided for
it, so that all packets of the connection pass through this interface.
This marking is done for packets with NEW state, see the check for
mark==0 in the prev. line. The restore mark in PREROUTING will restore
the connmark and route the subsequent packets.
This approach will work, but you need some sort of stateful-ness in
netfilter.
 
The second point in Brosnan Blazquez’s mail about shorewall: They seem
to be doing Policy Routing, not real load balancing.


Re: [LARTC] Load balancing using connmark

2007-05-09 Thread Salim S I
Francis Brosnan Blazquez wrote:
> Hi,
> 
> I've been implementing a load balancing solution using CONNMARK, based
> on solution described by Luciano Ruete at [1]. Thanks for the post and
> for pointing in the right direction, Luciano!
> 
> Once implemented, I've found that due to some reason packets aren't
> properly marked (or improperly remarked) and sent out using the wrong
> interface. 
> 
> 
> 
> iptables -t mangle -A POSTROUTING -m mark  --mark ! 0 -j ACCEPT 
> iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
> iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
> iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
 
This is wrong. POSTROUTING is exactly what it is: _POST_ routing. By the
time you do your marks and stuff the kernel has _already_ assigned a
packet to an interface, and you can not alter this anymore.
 
> After a bit of testing with the second solution, it seems to behave
> better, doing all marking job at the PREROUTING and OUTPUT.
 
This is flawed too. OUTPUT suffers from the very same problem as
POSTROUTING - by the time the packets hit the NF stack the process has
already bound itself to an interface, which you can not change anymore.
 
Peter
 
Disagree with Peter. The marking in postrouting table is CONNMARK. This
is for marking the connection, which has already had a route decided for
it, so that all packets of the connection pass through this interface.
This marking is done for packets with NEW state, see the check for
mark==0 in the prev. line. The restore mark in PREROUTING will restore
the connmark and route the subsequent packets.
This approach will work, but you need some sort of stateful-ness in
netfilter.
 
The second point in Brosnan Blazquez’s mail about shorewall: They seem
to be doing Policy Routing, not real load balancing.


[LARTC] ULOGD and Snort Inline

2006-03-30 Thread Salim
Hi All,

   I am facing a problem when using ULOG daemon and SNORT (inline mode)
with iptables.

My set up is like this.

1. I need ULOG daemon to log firewall logs to MYSQL database.
2. I need SNORT in inline mode for intrusion prevention.

Both can work fine individually with iptables. But ULOG daemon cannot work
when SNORT is also running.

Probably the reason is that snort also hooks to netfilter along with ULOG.
So the packet does not come to ULOG. Is it so?

Does anybody have such a setup up and running ?? Can somebody please help me
with some suggestions as to how to run snort inline and ULOGD together ?

Thanks a lot.
Regards
Navaneeth



Re: [LARTC] ip_queue module issue

2006-01-03 Thread Salim
it does work when iptables as a whole is built as a module.

- Original Message -
From: "Patrick McHardy" <[EMAIL PROTECTED]>
To: "Salim" <[EMAIL PROTECTED]>
Cc: ; "Netfilter Development Mailinglist"
<[EMAIL PROTECTED]>
Sent: Tuesday, January 03, 2006 8:58 PM
Subject: Re: [LARTC] ip_queue module issue


> Salim wrote:
> > Hi All,
> >I am adding ip_queue module for snort inline IDS.
> >
> > I am using snort2.4.0
> > And iptables-1.3.4.
> >
> > Userspace Queuing(queue target) is enabled. It is built-in and not built
as
> > a module.
> > The output of /proc/net/ip_queue is shown below:
> >
> > cat /proc/net/ip_queue>
> > Peer PID  : 0
> > Copy mode : 0
> > Copy range: 0
> > Queue length  : 0
> > Queue max. length : 1024
> >
> >
> > IPTABLES 1.3.4 is being used and it is built with install-devel option
> > And libipq.a is seen in /lib directory.
> >
> > SNORT is also built in with following options:
> > ./configure --prefix=/usr/local/snort \
> > --with-libpcap-includes=/usr/local/snort-lib/include \
> > --with-libpcap-libraries=/usr/local/snort-lib/lib \
> > --with-libpcre-includes=/usr/local/snort-lib/include \
> > --with-libpcre-libraries=/usr/local/snort-lib/lib \
> > --with-libnet-includes=/usr/local/snort-lib/include \
> > --with-libnet-libraries=/usr/local/snort-lib/lib \
> > --with-libipq-includes=/usr/local/iptables/include \
> > --with-libipq-libraries=/usr/local/iptables/lib \
> > --enable-inline
> >
> > cat /proc/net/netlink>
> > sk   Eth PidGroups   Rmem Wmem Dump Locks
> > c11c8040 0   0   00 2
> > c7ec0140 3   0   00 7
> > c11c8780 4   0   00 2
> > c7e74c40 5   0   00 2
> >
> > Starting SNORT now:
> > /usr/local/snort/bin/snort -Q -N -l /var/log/snortlog -t
> > /var/log/snortlog -s -D>
> > Initializing Inline mode
> > Reading from iptables
> > InitInline: : Failed to send netlink message: Connection refused
> > Starting snortd: FAILED
> >
> > cat /proc/net/netlink>
> > sk   Eth PidGroups   Rmem Wmem Dump Locks
> > c11c8040 0   0   00 2
> > c7ec0140 3   0   00 8  >>>Locks
> > increasing
> > c11c8780 4   0   00 2
> > c7e74c40 5   0   00 2
> >
> > Can anybody please point me as to what could be the issue. As it is the
> > ip_queue
> > Is built in kernel and it is running as can be seen from cat
> > /proc/net/ip_queue
>
> Does it work if you build it as a module? If not please send the output
> of strace -s 1000 -f snort ...



[LARTC] ip_queue module issue

2006-01-02 Thread Salim
Hi All,
   I am adding ip_queue module for snort inline IDS.

I am using snort2.4.0
And iptables-1.3.4.

Userspace Queuing(queue target) is enabled. It is built-in and not built as
a module.
The output of /proc/net/ip_queue is shown below:

cat /proc/net/ip_queue>
Peer PID  : 0
Copy mode : 0
Copy range: 0
Queue length  : 0
Queue max. length : 1024


IPTABLES 1.3.4 is being used and it is built with install-devel option
And libipq.a is seen in /lib directory.

SNORT is also built in with following options:
./configure --prefix=/usr/local/snort \
--with-libpcap-includes=/usr/local/snort-lib/include \
--with-libpcap-libraries=/usr/local/snort-lib/lib \
--with-libpcre-includes=/usr/local/snort-lib/include \
--with-libpcre-libraries=/usr/local/snort-lib/lib \
--with-libnet-includes=/usr/local/snort-lib/include \
--with-libnet-libraries=/usr/local/snort-lib/lib \
--with-libipq-includes=/usr/local/iptables/include \
--with-libipq-libraries=/usr/local/iptables/lib \
--enable-inline

cat /proc/net/netlink>
sk   Eth PidGroups   Rmem Wmem Dump Locks
c11c8040 0   0   00 2
c7ec0140 3   0   00 7
c11c8780 4   0   00 2
c7e74c40 5   0   00 2

Starting SNORT now:
/usr/local/snort/bin/snort -Q -N -l /var/log/snortlog -t
/var/log/snortlog -s -D>
Initializing Inline mode
Reading from iptables
InitInline: : Failed to send netlink message: Connection refused
Starting snortd: FAILED

cat /proc/net/netlink>
sk   Eth PidGroups   Rmem Wmem Dump Locks
c11c8040 0   0   00 2
c7ec0140 3   0   00 8  >>>Locks
increasing
c11c8780 4   0   00 2
c7e74c40 5   0   00 2

Can anybody please point me as to what could be the issue. As it is the
ip_queue
Is built in kernel and it is running as can be seen from cat
/proc/net/ip_queue

Any pointers would be greatly appreciated.

regards
Salim



Re: [LARTC] exact rate

2005-12-22 Thread Salim



What confuses me is, how the popular HTB script 'wondershaper' works! The
sum of its subclasses' rates is way over the parent's rate.

- Original Message -
From: Jody Shumaker
To: Anton Glinkov
Cc: lartc@mailman.ds9a.nl
Sent: Friday, December 23, 2005 4:22 AM
Subject: Re: [LARTC] exact rate

Your subclass's combined rates should never exceed your parent class's
rate, and in this case your parent class is 5mbit, yet your subclasses
have a combined guaranteed bandwidth of 6mbit. In my setup, the root
class's rate is followed strictly. With burst, it may go over
temporarily but over say a minute's time, the bandwidth is pretty close
to the set rate, usually within ~0.4%. I'm unsure on what the behavior
is when you allocate more bandwidth to subclasses than the root, but it
may be the reason you're not seeing accurate results.

- Jody

On 12/14/05, Anton Glinkov <[EMAIL PROTECTED]> wrote:

> Hello
>
> I am using htb (kernel 2.6.14.3 + esfq patch from fatooh.org) to limit
> the bandwidth. But I want the absolute maximum rate to be for example
> 5Mbit and not to exceed it.
>
> here is the script:
>
> $tc qdisc add dev ${NETIF} root handle 1 htb r2q 4
> $tc class add dev ${NETIF} parent 1: classid 1:21 htb rate 5Mbit ceil 5Mbit
> $tc class add dev ${NETIF} parent 1:21 classid 1:101 htb rate 2Mbit ceil 5Mbit prio 1
> $tc class add dev ${NETIF} parent 1:21 classid 1:102 htb rate 1Mbit ceil 5Mbit prio 2
> $tc class add dev ${NETIF} parent 1:21 classid 1:103 htb rate 3Mbit ceil 5Mbit prio 3
>
> when I don't specify burst the flow always exceeds 5Mbit
> when I try to play with it (the burst) for example turning it off
> completely (burst 0 cburst 0 for parent and children classes) the rate
> falls to 2-3 Mbits
> removing the esfq qdiscs doesn't change anything...
>
> I want exact rate of 5Mbit for the parent class and no more?
>
> any suggestions are welcome :)
>
> --
> Anton Glinkov
> network administrator


Re: [LARTC] MARK: targinfosize 8 != 4

2005-12-13 Thread Salim
It worked when I changed to NO_SHARED_LIBS=0.
thanks guys.
will try out the patch today.

the command that was failing was a simple --set-mark. Let me know if anyone
still wants an strace. Will send it.

- Original Message -
From: "Patrick McHardy" <[EMAIL PROTECTED]>
To: "DervishD" <[EMAIL PROTECTED]>
Cc: "Salim" <[EMAIL PROTECTED]>; ; "Netfilter
Development Mailinglist" <[EMAIL PROTECTED]>
Sent: Tuesday, December 13, 2005 8:01 PM
Subject: Re: [LARTC] MARK: targinfosize 8 != 4


> DervishD wrote:
> > Hi Salim :)
> >
> >  * Salim <[EMAIL PROTECTED]> dixit:
> >
> >>   I got this problem while trying to shape traffic with iptables MARK
and
> >>HTB.
> >>
> >>MARK: targinfosize 8 != 4
> >>
> >>--set-mark gives "invalid argument" error message.
> >>
> >>Kernel version is 2.4.29 (some patches from patch o matic applied)
> >>Iptables version 1.3.4
> >>
> >>Intel x86 architecture.
> >>
> >>I saw this problem discussed in a few places, but the discussions didn't
> >>come to a conclusion or solution.
> >
> >
> > You've hit a bug in iptables :( I've notified in the bugzilla but
> > I have had no answers. You're building iptables with no shared
> > libraries (NO_SHARED_LIBS=1). This means that the code in iptables,
> > when loading the "modules" for the matches and targets is taking a
> > slightly different code path. The problem is that the MARK target
> > has two versions, 0 and 1, and kernel 2.4.x (at least until 31)
> > supports only version 0. If you don't use share libraries in
> > iptables, both versions are loaded and v1 is used instead of v2.
> > Unfortunately, v1 has a bigger data structure than v0 and your kernel
> > complains.
>
> That can't be the reason, all revisions of a single match/target are
> in the same object file and the supported revision is (supposed to be)
> probed. Salim, can you send a strace of the failing iptables command?



[LARTC] MARK: targinfosize 8 != 4

2005-12-12 Thread Salim
Hello all,
   I got this problem while trying to shape traffic with iptables MARK and
HTB.

MARK: targinfosize 8 != 4

--set-mark gives "invalid argument" error message.

Kernel version is 2.4.29 (some patches from patch o matic applied)
Iptables version 1.3.4

Intel x86 architecture.

I saw this problem discussed in a few places, but the discussions didn't
come to a conclusion or solution.

please help...

thanks
Salim




[LARTC] ftp connmark

2005-11-23 Thread Salim



I saw this snippet from Daniel Chemko [EMAIL PROTECTED] Mon, 31 May
2004 09:30:43 -0700

# Egress marking (mostly for QOS operations)
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -o ${if_inet} -p tcp --dport 21 -j MARK --set-mark 0x111
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

I want to mark many packets, including FTP.

So above these lines, I have a few more lines in my script. Like the
following...

iptables -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 0x110

iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -o ${if_inet} -p tcp --dport 21 -j MARK --set-mark 0x111
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

So, when an ICMP packet comes to the 2nd ('restore-mark') line, it is
already marked with 0x110. Will the restore-mark mark the packet with 0
since there is no connmark set for ICMP? Or will it leave the packet
untouched?
In that case, I can not redirect the ICMP packet to the class I defined
for it.
What is the solution for this issue? What to do if I have different
classification marks, some use connmark and some do not (just fw mark)?
 
regards
Salim
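As an added illustration (example code, not from the post or from the quoted script), here is the arithmetic iptables documents for CONNMARK --restore-mark and --save-mark, nfmark = (nfmark & ~mask) | (ctmark & mask) with the default mask 0xffffffff, applied rule by rule to the POSTROUTING chain above. The packets are constructed; the second rule order, with the ICMP line moved below the ACCEPT line, is a variant constructed for comparison, not something the post proposes.

```python
# Added example (not from the post): CONNMARK restore/save arithmetic run
# over the POSTROUTING rule order in the post, to read off what happens to
# a packet that already carries a firewall-only mark when restore-mark runs.
from typing import Callable, Dict, List, Tuple

FULL_MASK = 0xFFFFFFFF   # iptables default --mask for both CONNMARK operations
Rule = Tuple[Callable[[dict, int], bool], tuple]   # (match, action)


def restore_mark(nfmark: int, ctmark: int, mask: int = FULL_MASK) -> int:
    """CONNMARK --restore-mark: nfmark = (nfmark & ~mask) | (ctmark & mask)."""
    return (nfmark & ~mask) | (ctmark & mask)


def save_mark(nfmark: int, ctmark: int, mask: int = FULL_MASK) -> int:
    """CONNMARK --save-mark: ctmark = (ctmark & ~mask) | (nfmark & mask)."""
    return (ctmark & ~mask) | (nfmark & mask)


def run_chain(rules: List[Rule], pkt: dict, ctmark: int) -> Tuple[int, int]:
    """Evaluate (match, action) rules top to bottom like a mangle chain and
    return (packet mark, connection mark) when the packet leaves the chain."""
    mark = 0
    for match, action in rules:
        if not match(pkt, mark):
            continue
        if action[0] == "ACCEPT":
            break
        if action[0] == "MARK":
            mark = action[1]
        elif action[0] == "RESTORE":
            mark = restore_mark(mark, ctmark, action[1])
        elif action[0] == "SAVE":
            ctmark = save_mark(mark, ctmark, action[1])
    return mark, ctmark


def is_icmp(p: dict, _m: int) -> bool:
    return p["proto"] == "icmp"


def is_ftp_ctl(p: dict, _m: int) -> bool:
    return p["proto"] == "tcp" and p["dport"] == 21


def is_marked(_p: dict, m: int) -> bool:
    return m != 0


def anything(_p: dict, _m: int) -> bool:
    return True


# The POSTROUTING rules in the post, in the post's order.
CHAIN_AS_POSTED: List[Rule] = [
    (is_icmp,    ("MARK", 0x110)),         # -p icmp -j MARK --set-mark 0x110
    (anything,   ("RESTORE", FULL_MASK)),  # -j CONNMARK --restore-mark
    (is_marked,  ("ACCEPT",)),             # -m mark ! --mark 0 -j ACCEPT
    (is_ftp_ctl, ("MARK", 0x111)),         # -p tcp --dport 21 -j MARK --set-mark 0x111
    (anything,   ("SAVE", FULL_MASK)),     # -j CONNMARK --save-mark
]

# Constructed variant (an assumption of this example, not proposed by the post):
# the same rules with the ICMP line moved below the ACCEPT line.
CHAIN_ICMP_AFTER_ACCEPT: List[Rule] = [
    CHAIN_AS_POSTED[1], CHAIN_AS_POSTED[2], CHAIN_AS_POSTED[0],
    CHAIN_AS_POSTED[3], CHAIN_AS_POSTED[4],
]

# Constructed packets. A tracked ICMP echo has a conntrack entry, but its
# connmark is still 0 because nothing has saved into it yet.
ICMP = {"proto": "icmp"}
FTP = {"proto": "tcp", "dport": 21}


def demo() -> Dict[str, Tuple[int, int]]:
    return {
        # as posted: 0x110 is set, then restore copies the connmark (0) over it
        "icmp_as_posted": run_chain(CHAIN_AS_POSTED, ICMP, ctmark=0),
        # first FTP control packet: marked 0x111 and saved into the connection
        "ftp_first": run_chain(CHAIN_AS_POSTED, FTP, ctmark=0),
        # later FTP packet: restore brings 0x111 back and ACCEPT ends the chain
        "ftp_later": run_chain(CHAIN_AS_POSTED, FTP, ctmark=0x111),
        # variant: ICMP marked after restore/ACCEPT keeps 0x110 and saves it
        "icmp_variant": run_chain(CHAIN_ICMP_AFTER_ACCEPT, ICMP, ctmark=0),
    }


if __name__ == "__main__":
    for name, (mark, ctmark) in demo().items():
        print(f"{name:16s} packet mark {mark:#05x}  connmark {ctmark:#05x}")
```

With the default mask every bit of the packet mark is replaced by the corresponding bit of the connection mark, so in the posted order the ICMP packet leaves the chain with mark 0; the `--mask` option of CONNMARK restricts which bits the restore touches, which only helps if the connmark-managed marks and the firewall-only marks occupy disjoint bits, and 0x110 and 0x111 do not.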



[LARTC] relation b/w uplink and downlink rate control

2005-11-21 Thread Salim



Hello all,
   I have browsed archives and read all available HOWTOs, but I still
have a few doubts.
My set up is a router, as below.

LAN(100MB)-(eth1)Linux-Router(eth0)---WAN(2MB/512)

My aim is to control both uplink and downlink bandwidth.
For uplink control, I will use HTB on WAN interface. For downlink, I
plan to attach HTB on LAN interface (both egress/outgoing). No ingress
policing, no IMQ.

On WAN interface, like in wondershaper and myshaper, I plan to have
classes which handle interactive and bulk traffic separately. ACK
packets and small packets also in interactive class.

This setup guarantees that
a) interactive traffic won't be drowned out
b) uploads won't slow downloads

But this set up does not guarantee that one bulk traffic will not drown
another bulk traffic, right? For example, FTP traffic might affect HTTP.
Am I right?

So I plan to have a downlink control, achieved by shaping on LAN
interface (eth1). My idea is to filter different protocols into
different classes having different rate and ceil. In this way, I may be
able to ensure that FTP downloads will not slow down the HTTP traffic
too much.

My doubt is, if I do this, will it work well with the different
filtering scheme of uplink (WAN)? i.e., the traffic is controlled in
the uplink and downlink in different ways, one based on protocol (LAN)
and the other based on latency issues (WAN). Will they affect each
other? Can they exist together and give the desired results?
I know it may be a good idea to test it myself, hands-on. But I am not
able to simulate all the combinations. If my idea is bad in theory, I
do not need to spend too much time on it.

On a different note, why is the sum of child classes in wondershaper
more than its parent? Why does it still work?
 
regards
Salim
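This closing question and the exact-rate thread earlier on this page (Jody's reply to Anton) turn on the same rule of thumb: the guaranteed rates of the children of an HTB class must not add up to more than the class's own rate, and no child may have a ceil above its parent's. The Python checker below is an added example (written for this page, not code from either thread): it parses the `tc class add ... htb` lines of a shaping script and reports where that rule is broken. Anton's script is embedded as the constructed sample input and trips the check; the unit table follows tc's convention that a bare number or `bit` is bits per second and `bps` is bytes per second.

```python
# Added example (not from the thread): parse the "tc class add ... htb" lines
# of a shaping script and check the rate/ceil relationships Jody describes.
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: Anton's script from the exact-rate thread.
SAMPLE_SCRIPT = """\
$tc qdisc add dev ${NETIF} root handle 1 htb r2q 4
$tc class add dev ${NETIF} parent 1: classid 1:21 htb rate 5Mbit ceil 5Mbit
$tc class add dev ${NETIF} parent 1:21 classid 1:101 htb rate 2Mbit ceil 5Mbit prio 1
$tc class add dev ${NETIF} parent 1:21 classid 1:102 htb rate 1Mbit ceil 5Mbit prio 2
$tc class add dev ${NETIF} parent 1:21 classid 1:103 htb rate 3Mbit ceil 5Mbit prio 3
"""

# tc rate units: a bare number or "bit" is bits/s, "bps" is bytes/s.
UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000,
         "bps": 8, "kbps": 8_000, "mbps": 8_000_000, "gbps": 8_000_000_000}


def parse_rate(text: str) -> int:
    """Convert a tc rate such as '5Mbit' or '512kbit' to bits per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]*)", text.lower())
    if not m or (m.group(2) and m.group(2) not in UNITS):
        raise ValueError(f"unrecognised tc rate: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2) or "bit"])


@dataclass
class HtbClass:
    classid: str
    parent: str
    rate: int                    # guaranteed bits/s
    ceil: int                    # maximum bits/s (HTB default: ceil = rate)
    children: List["HtbClass"] = field(default_factory=list)


def parse_classes(script: str) -> Dict[str, HtbClass]:
    """Collect the HTB classes of a tc script, keyed by classid."""
    classes: Dict[str, HtbClass] = {}
    for line in script.splitlines():
        toks = line.split()
        if "class" not in toks or "htb" not in toks:
            continue                       # qdisc, filter and other lines
        kv = dict(zip(toks, toks[1:]))     # each keyword -> the token after it
        rate = parse_rate(kv["rate"])
        ceil = parse_rate(kv["ceil"]) if "ceil" in kv else rate
        classes[kv["classid"]] = HtbClass(kv["classid"], kv["parent"], rate, ceil)
    for c in classes.values():
        if c.parent in classes:            # "1:" is the qdisc, not a class
            classes[c.parent].children.append(c)
    return classes


def check_tree(classes: Dict[str, HtbClass]) -> List[str]:
    """Report classes whose children's guaranteed rates add up to more than
    the class itself is guaranteed, and children whose ceil exceeds the
    parent's ceil (a child borrows from its parent, so it can never send
    more than the parent may)."""
    problems: List[str] = []
    for c in classes.values():
        total = sum(k.rate for k in c.children)
        if total > c.rate:
            problems.append(f"{c.classid}: children guarantee {total} bit/s,"
                            f" more than its own rate {c.rate} bit/s")
        for k in c.children:
            if k.ceil > c.ceil:
                problems.append(f"{k.classid}: ceil {k.ceil} exceeds parent"
                                f" {c.classid} ceil {c.ceil}")
    return problems


if __name__ == "__main__":
    for problem in check_tree(parse_classes(SAMPLE_SCRIPT)):
        print(problem)
```

Run against the sample it reports class 1:21, whose children are promised 2 + 1 + 3 = 6 Mbit while the class itself is guaranteed 5 Mbit; lowering one child's rate so the children sum to 5 Mbit clears the report. The checker says nothing about whether such a script "still works", only that the guarantees it writes down cannot all be honoured at once.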