Re: [LARTC] U32 Port Range
oops it's rather sport 0 0xfc00 than sport 0 0xfbff if it worked the way I think it would.

--
Thilo Schulz
My public PGP key is available at http://home.bawue.de/~arny/public_key.asc
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/

Re: [LARTC] U32 Port Range
On Tuesday 05 October 2004 13:06, [EMAIL PROTECTED] wrote:
> - I know that is something about the 0x parameter

I guess it is some kind of bitmask and works similarly to a netmask. If you only want to categorise traffic from port 1-1024, using sport 0 0xfbff *might* work, though I am not sure about that. Some core QoS developers on the kernel may give you more insight than I am able to do. But you can still try it, better than nothing :).

--
Thilo Schulz

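The value/mask matching discussed in the two messages above, as an added example (not part of the original posts or of iproute2): a port matches when (port & mask) == value, so the script lists which ports each of the two pairs selects and splits an arbitrary port range into aligned value/mask pairs. The device name, parent handle and flowid in the generated tc lines are placeholders.

```python
"""u32-style port matching: a packet matches when (port & mask) == value."""

def u32_matches(port, value, mask):
    # Same comparison the u32 classifier applies to a 16-bit field.
    return (port & mask) == (value & mask)

def matching_ports(value, mask):
    """Enumerate every 16-bit port selected by one value/mask pair."""
    return [p for p in range(0x10000) if u32_matches(p, value, mask)]

def range_to_pairs(lo, hi):
    """Cover lo..hi (inclusive) exactly with aligned power-of-two blocks,
    the same way an address range is split into CIDR prefixes."""
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError("ports must satisfy 0 <= lo <= hi <= 65535")
    pairs = []
    while lo <= hi:
        size = (lo & -lo) or 0x10000      # largest block aligned at lo
        while size > hi - lo + 1:         # shrink until it fits the range
            size >>= 1
        pairs.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return pairs

def tc_filters(pairs, dev="eth0", parent="1:0", flowid="1:10"):
    """Render one tc filter per pair; dev, parent and flowid are placeholders."""
    return [
        f"tc filter add dev {dev} parent {parent} protocol ip prio 1 "
        f"u32 match ip sport {value} {mask:#06x} flowid {flowid}"
        for value, mask in pairs
    ]

if __name__ == "__main__":
    for label, mask in (("0xfbff", 0xFBFF), ("0xfc00", 0xFC00)):
        ports = matching_ports(0, mask)
        print(f"sport 0 {label}: {len(ports)} ports, {ports[0]}..{ports[-1]}")
    for line in tc_filters(range_to_pairs(1, 1024)):
        print(line)
```

A range that does not start and end on power-of-two boundaries, such as 1-1024, needs several filters; 0-1023 needs exactly one.
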
Re: [LARTC] Trafic monitor
On Thursday 17 June 2004 16:10, Thilo Schulz wrote:
> Anyways, I'll be working on doing a small release package, for those who are interested in this thing. Don't expect too much from it, I hardly sat a week at this system. It was my goal to just have a convenient way of getting traffic statistics for my root server and be warned if I go over the traffic limit I have, not add as many nifty features as possible. You can do that yourself if you find my package worthy of your precious attention and really want to ;)

My package is available for download from:
http://thilo.kickchat.com/taccounter-0.99.tar.bz2

--
Thilo Schulz

Re: [LARTC] Trafic monitor
On Thursday 17 June 2004 09:59, Morten Nilsen wrote:
> - How will your solution scale? can it handle 200Mb traffic full duplex on a Xeon 2.8GHz without choking? what about 100Mb on an AMD 800MHz?

This is a very good question. I think, the kernel should do guiding the traffic through iptables pretty efficiently and fast. I rather suspect the accounting daemon to be the bottleneck.

At the moment, I have my traffic accounter daemon, say: the one logging the traffic, linked against electricfence, which should have very negative effects on performance. I will run a transfer from my server that has a 100Mbit connection later today, and monitor CPU usage. If the electricfence-version does well, you can be sure the productive version will do definitely.

My C program is actually written in a way to store produced traffic at first internally, and not use the database functions every time a packet comes in. It should be clear, that the more traffic categories you have though, the more CPU usage is going to be required. I'll keep you updated on my findings :)

> - Could it affect latency?

I doubt it would have much of an impact on latency, as the accounting is being done in userspace, not on kernel level.

> - why not use sudo instead of setuid root?

Because I must say to my own embarrassment, I haven't used sudo yet. But: you should only have to modify a line in the php script, I think, to make this work using sudo.

--
Thilo Schulz

Re: [LARTC] Trafic monitor
On Thursday 17 June 2004 13:51, Thilo Schulz wrote:
> At the moment, I have my traffic accounter daemon, say: the one logging the traffic, linked against electricfence, which should have very negative effects on performance. I will run a transfer from my server that has a 100Mbit connection later today, and monitor CPU usage. If the electricfence-version does well, you can be sure the productive version will do definitely.

Okay, this seems to work really well.

    226 33.268 seconds (measured here), 5.03 Mbytes per second
    175560916 bytes received in 33.27 secs (5153.0 kB/s)

The daemon used for logging never came above a top CPU usage of 1.8% at this throughput, and this value only got that high when my program was updating the mysql databases. Really the thing eating most of the CPU was the reading from disk and the ftp program.

Here is the CPU in use for this little experiment:

    model name : Intel(R) Pentium(R) 4 CPU 2.66GHz

Anyways, I'll be working on doing a small release package, for those who are interested in this thing. Don't expect too much from it, I hardly sat a week at this system. It was my goal to just have a convenient way of getting traffic statistics for my root server and be warned if I go over the traffic limit I have, not add as many nifty features as possible. You can do that yourself if you find my package worthy of your precious attention and really want to ;)

--
Thilo Schulz

Re: [LARTC] Trafic monitor
On Wednesday 16 June 2004 09:51, Ionut Gogu wrote:
> I search for a tool show-me on real time the traffic made by all/one IP on the interface eth1, somethings simple ;
> EX:
> 192.168.1.10 ... x kbit/s
> 192.168.1.11 ... y kbit/s
> 192.168.1.12 ... z kbit/s
> 192.168.1.13 ... x kbit/s
> 192.168.1.14 ... x kbit/s
> 192.168.1.15 ... x kbit/s
> 192.168.1.16 ... x kbit/s
> 192.168.1.17 ... x kbit/s
> 192.168.1.18 ... x kbit/s
> 192.168.1.19 ... x kbit/s

I'm working on one _RIGHT_NOW_ and expect it to be usable today. It will be configurable over a webinterface, and will manipulate the iptables using a small setuid C-Program I wrote. (I know, setuid root sucks, but you'll have to make sure no one else on this server can access or run the executable file using the webserver .. that's your job.)

It uses ulogd and stores the traffic in a webinterface, it also does update the statistics database once a given limit of traffic has been reached, or a certain timeout has been hit.

I might give out a usable version tomorrow, but I cannot guarantee for its bugfreeness. Though, most of the parts are done and they also seem to work the way I want them to. Plus, it won't destroy any already-present firewall setups.

--
Thilo Schulz

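A permission check for the setuid root helper described in the message above (and behind the sudo question in the reply to it), as an added example that is not code from taccounter or from the posts: it reports when the helper can be executed by accounts other than the web server group. The gid 33 and the sample stat values are constructed assumptions.

```python
import os
import stat
from types import SimpleNamespace

WEB_GID = 33  # assumption: gid of the web server group (www-data on Debian)

def audit_setuid_helper(st, web_gid=WEB_GID):
    """Return findings for a setuid-root helper that only the web server
    group should be able to execute. `st` is an os.stat_result or alike."""
    findings = []
    mode = st.st_mode
    if not stat.S_ISREG(mode):
        findings.append("not a regular file")
    if st.st_uid != 0 or not mode & stat.S_ISUID:
        findings.append("not setuid root: helper would run unprivileged")
    if mode & stat.S_IXOTH:
        findings.append("world-executable: any local account runs it as root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    if st.st_gid != web_gid:
        findings.append(f"group {st.st_gid} is not the web server group {web_gid}")
    elif not mode & stat.S_IXGRP:
        findings.append("web server group cannot execute it")
    return findings

def audit_path(path, web_gid=WEB_GID):
    """Audit a file on disk; lstat so a symlink is reported, not followed."""
    return audit_setuid_helper(os.lstat(path), web_gid)

# Constructed stat samples: root:root 4755 versus root:<web group> 4750.
LOOSE = SimpleNamespace(st_mode=stat.S_IFREG | 0o4755, st_uid=0, st_gid=0)
TIGHT = SimpleNamespace(st_mode=stat.S_IFREG | 0o4750, st_uid=0, st_gid=WEB_GID)

if __name__ == "__main__":
    for name, sample in (("4755 root:root", LOOSE), ("4750 root:web", TIGHT)):
        print(name, audit_setuid_helper(sample) or "ok")
```

The file mode only limits which local accounts can start the helper; every script the web server itself runs can still execute it.
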
Re: [LARTC] beta-release of H-FSC port for Linux 2.6
On Saturday 01 November 2003 15:45, Patrick McHardy wrote:
> So why would you want to use H-FSC ..
> you're right, a major feature of H-FSC is decoupling of bandwidth and delay, but it also offers delay _guarantees_ if configured correctly. This is very important for streaming, VoIP, .. (and gamers of course).

Exactly. I was able to shape the ping latency down from 2000 ms on large uploads to 60-150 ms using HTB, this is good for ssh - but not good enough for quake3.

--
- Thilo Schulz

Re: [LARTC] Classifying IPv6 tunnel traffic
On Monday 01 September 2003 21:27, Jose Luis Domingo Lopez wrote:
> 6to4 IP traffic (I think this is its name, IPv6 traffic encapsulated into IPv4 packets) can be easily identified. They are regular IPv4 packets, with a protocol field of 0x29, or decimal 41.

Thank you, that was exactly the information I needed, though I could probably also have consulted /etc/protocols myself d'oh ..

> So use iptables and match packets on protocol.

u32 match ip protocol 41 0xff does the job pretty well :)

> What you can't do (to the best of my knowledge) if going deeper into the packets, and see if IPv6 packets inside the IPv4 ones are of some kind or another.

2. I wasn't planning on doing that ;)

--
- Thilo Schulz

[LARTC] Classifying IPv6 tunnel traffic
Currently, I have got an ipv6 tunnel, that has sit0 as interface. Since the Tunnel wrapping stuff is still ipv4 traffic that goes over the ppp0 interface, I wondered whether I can classify this kind of traffic and put into a class. (I don't need to do any ipv6 shaping), So I wondered, whether someone here can give me the filter directive to match these tunnel packets.

--
- Thilo Schulz

Re: [LARTC] CBQ-wondershaper superior over HTB-wondershaper?
On Monday 16 June 2003 17:18, Griem, Hans T wrote:
> Hello Thilo,
> What did you find superior with CBQ-wondershaper over HTB-wondershaper? We have not been using wondershaper specifically but our simple tests so far seem to show that htb is much easier to configure for a given target shape (i.e., accurate) compared to CBQ.

I did not set up the cbq wondershaper, my father actually set the cbq-wondershaper respectively the htb-wondershaper up, and the ping latencies while large uploads were considerably better when using the cbq version. I haven't run any large-scaled tests, but this is the experience I had in practice.

- Thilo Schulz

Re: [LARTC] Low latency on large uploads - almost done but not quite.
On Sunday 15 June 2003 11:09, you wrote:
>> Here's still my script, if you are interested to look at it.
> I'm interested and I have some remarks. Your burst is too low. I understand you want a minimum burst, but you have to follow some rules. The best you can do is to remove the burst/cburst option so htb can calculate the minimum burst/cburst for you.

yes, sounds reasonable now that I spend a second thought about it.

> And don't you get quantum errors in your kernel log? That's because your quantum is too low for the classes. There is a long explanation for this, see www.docum.org on the faq page.

hmm .. quantum? I have never set quantum with any parameter, or have I?

> You also use different prio's. This can be ok in most cases, except if you have a low prio class that's sending more data than the configured rate. If you do so, the latency can go up for that class. I (still) didn't test it myself, but you can find proof of it on the htb homepage. The solution for this is to make sure you never put too much traffic in a low prio class.

I have given plenty of bandwidth to the 1:10 class. Quake3 streams are max. 1500 bytes/s. And ssh does not use that much either.

>> # now make all qdiscs simple pfifo
>> # small queues for minimum latency
>> tc qdisc add dev $DEV parent 1:10 handle 20: pfifo limit 0
>> tc qdisc add dev $DEV parent 1:11 handle 30: pfifo limit 0
> Are you sure limit 0 is possible

Yes, at least the status command showed me, that the limit was set to 0.

- Thilo Schulz

Re: [LARTC] owner based policy routing
Hello,

> WHAT WE TRIED:
> we tried using iptables owner based rules marked packets (as one can see in rules above), but it didn't help.
> iptables -I OUTPUT -t mangle -m owner --uid-owner squid -d 202.0.0.0/8 -j MARK --set-mark 50
> iptables -I OUTPUT -t mangle -m owner --uid-owner squid -d 204.0.0.0/7 -j MARK --set-mark 50
> iptables -I OUTPUT -t mangle -m owner --uid-owner squid -d 203.0.0.0/8 -j MARK --set-mark 75
> iptables -I OUTPUT -t mangle -m owner --uid-owner squid -d 216.0.0.0/8 -j MARK --set-mark 75

Yes, I addressed once in the past this list with the very same problem. Owner based policy routing seems not to be possible.

- Thilo Schulz

Re: [LARTC] Collect iproute2 traffic stat
I have written a very small and simple C program parsing traffic byte values out of the iptables output, and then storing the values into a MySQL Database. Combined with a PHP webinterface for example you can also generate statistics like these ...

If anyone wants the source of the small C program, just ask me for it.

- Thilo Schulz

Re: [LARTC] Fwmark problem - policy routing does not work.
> Actually, it is more subtle than that. The 'src' *does* specify the source IP to put in the packet *if* the packet doesn't have a source IP yet. This only holds true for packets generated locally.

Then why does it not work together with the fwmark policer?

> It does not. The ip rule does that. Routing does not mangle packets, unless the packet is locally generated and incomplete.

it is generated locally in my case.

- Thilo Schulz

Re: [LARTC] Fwmark problem - policy routing does not work.
> I can only help you with the marking stuff :(

Well, any address I can contact to get further information about this? I'm pretty much at the end with my latin ...