Re: [LARTC] Limiting speed of individual TCP sessions ?

2004-09-11 Thread Tobias Geiger
Hi,

I can't imagine a "clean" tc-only solution, 
but look at the extra-patch-o-matic matches in iptables:

from http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-connrate
-
Author: Nuutti Kotivuori <[EMAIL PROTECTED]>
Status: Working, but received only minimal testing

The connrate match is used to match against the current transfer speed of a
connection. The algorithm averages transferred bytes over a time sliding window
of constant size. The maximum and minimum rates measurable are explained in the
code, along with the algorithm used in the measurements.

This match can easily be used to reclassify connections based on their current
transfer rate, but is not meant for directly dropping packets, because packet
drops affect the rate being estimated.

The transfer rate per connection can also be viewed through
/proc/net/ip_conntrack.

Usage:
--connrate [!] [FROM]:[TO]

will match packet from a connection which is currently transferring more than
FROM bytes per second and less than TO byte per second. 'inf' can be used to
signify largest measurable transfer rate. If FROM is omitted, it defaults to
zero. If TO is omitted, it defaults to infinity. "!" is used to match packets
not falling in the range.

Example:

iptables .. -m connrate --connrate 1:10 ...

 => match packets in connections transferring faster than 10kbps, but slower
    than 100kbps.

iptables .. -m tos --tos Minimize-Delay \
            -m connrate --connrate 2:inf \
            -j TOS --set-tos Maximize-Throughput

 => match packets in minimize-delay TOS connections that are transferring
    faster than 20kbps and change their tos to maximize-throughput instead.

-

you could re-classify every *single* connection exceeding your maximum to a 
"you get less than normal sessions"-htb/hfsc class

perhaps this is what you want?
(although it means you'll have to patch your kernel ;)

Greetings

Tobias


Am Freitag, 10. September 2004 01:57 schrieb Simon Byrnand:
> Hi All,
>
> Does anyone know of a way to limit the speed of *individual* TCP sessions,
> but without placing any overall bandwidth limits, and without requiring an
> explicit QoS entry for every ip address the machine is communicating with ?
>
> The scenario is a mailserver - say you want to limit individual TCP
> sessions (pop3, smtp etc) to no more than 512Kbit so that an individual
> session can't hog your bandwidth, but you don't want to place a maximum
> limit on the TOTAL traffic. Also it's impossible to set up normal per-ip
> address QoS classes, because there are potentially an almost infinite
> number of possible ip addresses that might try to connect to the server.
>
> Any ideas ?
>
> Regards,
> Simon
>
> ___
> LARTC mailing list / [EMAIL PROTECTED]
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
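The setup Tobias sketches, written out as an added example (it is not part of the original post or of the netfilter documentation quoted above): fast connections are marked with the connrate match and the fw classifier sends marked packets into a shared, slower HTB class. Assumptions not stated on the page: a kernel carrying the patch-o-matic connrate match, iptables with the MARK and CONNMARK targets, tc with the fw classifier; interface name, rates and mark value are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: cap individual TCP sessions on a
# mailserver by reclassifying fast connections into a slower, shared HTB class.
# Assumptions (not stated on the page): a kernel with the patch-o-matic
# connrate match, iptables with the MARK and CONNMARK targets, tc with the fw
# classifier.  Interface name, rates and mark value are illustrative.
set -eu

DEV=${DEV:-eth0}
LIMIT_BPS=65536            # 512 kbit/s expressed in bytes/s, as connrate wants
RELEASE_BPS=16384          # 128 kbit/s: only unmark once well below the cap
MARK_FAST=0x10
TOTAL=100mbit              # link speed: no real limit on the total
PENALTY_CEIL=256kbit       # what all "fast" sessions together may use

# With DRY_RUN=1 every tc/iptables invocation is printed instead of executed,
# so the generated rule set can be reviewed without root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# HTB tree: 1:10 is the default class for well-behaved sessions, 1:20 the
# penalty class.  sfq inside each class shares the class fairly between the
# connections that land in it.
setup_shaper() {
    run tc qdisc del dev "$DEV" root 2>/dev/null || true
    run tc qdisc add dev "$DEV" root handle 1: htb default 10
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$TOTAL" ceil "$TOTAL"
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate 90mbit ceil "$TOTAL" prio 1
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate 64kbit ceil "$PENALTY_CEIL" prio 2
    run tc qdisc add dev "$DEV" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$DEV" parent 1:20 handle 20: sfq perturb 10
    # packets carrying the mark go to the penalty class
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle "$MARK_FAST" fw classid 1:20
}

# Marking in mangle/POSTROUTING (after routing, before the qdisc).  The mark
# is kept in the conntrack entry so a throttled session does not bounce back
# into the fast class the moment throttling pushes its rate under LIMIT_BPS;
# it is released only once its rate falls below RELEASE_BPS.
setup_marking() {
    run iptables -t mangle -A POSTROUTING -o "$DEV" -p tcp -j CONNMARK --restore-mark
    run iptables -t mangle -A POSTROUTING -o "$DEV" -p tcp \
        -m connrate --connrate "$LIMIT_BPS:inf" -j MARK --set-mark "$MARK_FAST"
    run iptables -t mangle -A POSTROUTING -o "$DEV" -p tcp -m mark --mark "$MARK_FAST" \
        -m connrate --connrate "0:$RELEASE_BPS" -j MARK --set-mark 0
    run iptables -t mangle -A POSTROUTING -o "$DEV" -p tcp -j CONNMARK --save-mark
}

case "${1:-}" in
    apply) setup_shaper; setup_marking ;;
    show)  DRY_RUN=1; export DRY_RUN; setup_shaper; setup_marking ;;
esac
```

Run with `show` to print the rules, `apply` to install them. Two caveats follow from the quoted documentation: the penalty class is shared, so sfq divides its ceil among all offending sessions rather than giving each exactly 512 kbit; and because reclassifying lowers the measured rate, a plain connrate match would flip a session back and forth across the threshold, which is why the mark is saved in conntrack and only cleared below a lower release rate.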




Re: [LARTC] ESFQ patch not working with kernel 2.4.20

2003-01-16 Thread Tobias Geiger
Hi,

I also had some errors, but the .config option was available and the
module compiled fine. I decided to ignore the errors and the module
works perfectly.

But perhaps someone can fix these errors?

greetings

tobias

Jesper Lund wrote:
Hi,

I have tried to patch a 2.4.20 kernel source with esfq 1.0a.

But I get some patch errors. The patch does not apply cleanly.

Will it maybe be available for the 2.4.20 kernel soon?

Regards,
Jesper








Re: [LARTC] Where does the Bandwidth Management take place, after/before routing?

2003-01-08 Thread Tobias Geiger
AFAIK:
local stuff: Application -> IPTABLES (OUTPUT) -> ROUTING -> QDISC
routing stuff: IPTABLES (PREROUTING/FORWARD) -> ROUTING -> IPTABLES-POSTROUTING -> QDISC

These iptables chains sometimes do a little weird stuff, depending on
the jump target/chain (especially PREROUTING/NAT/...); sometimes
routing code is called to determine the route for iptables, but AFAIK
ALL packets pass through the routing code after the iptables code and ALWAYS
the qdisc as a LAST station.
Of course only outgoing stuff; incoming is more or less :) the other way round.

Greetings

Tobias

Srikanth W wrote:
Hi!
 
I want to know exactly how the packet flow is occurring in BW management?

and

Where does the bandwidth management take place, after/before routing?

Kindly let me know asap.

tnr,
Srikanth








Re: [LARTC] Depth-argument for sfq?

2003-01-06 Thread Tobias Geiger
Steen Suder, privat wrote:

I'm not a programmer per se (including C), but...

I'd like to be able to give the define in sch_sfq.c (of, say, 2.4.20), 
SFS_DEPTH other values than 128 as an argument on the tc commandline. It 
could be powers of two up to 2^7 (128) as it seems that 128 is the 
current maximum.

I'm a little anxious to ask the question "How do I do that?" ;-)
Instead I'd like to hear if anyone has done something similar?


AFAIK a qdisc named "esfq" already exists where you can set up things
like depth and other parameters.
Search the mailing-list archive on lartc.org for the URL (last time I
compiled it was for 2.4.18; I hope they made the code 2.4.20-ready?)

Greetings

Tobias



[LARTC] strange htb behaviour

2003-01-05 Thread Tobias Geiger
Hello List,

I use HTB in a router serving ~80 users with kernel 2.4.20.

eth0 is the internet interface (half-duplex 1Mbit),
eth1 the internal interface (100Mbit full duplex).

Because the router also serves as an http proxy (squid) I
thought setting up the default class on eth1 with the real upload speed
(100Mbit) would do the job, i.e. shaping normal stuff to 1Mbit except
locally generated proxy traffic, which should be served with the full
100Mbit. All other, forwarded, traffic is marked and so filtered into
other classes than the default.
To make it short: It works. When I download something directly from the
server I get the full bandwidth BUT: all other downloads from the internet
absolutely break down and don't recover after some time. I have to
restart the qdiscs! Also I get these strange syslog messages:

Jan  6 06:39:05 Q kernel: htb*c20007 m=2 t=79270 c=8311 pq=0 df=409600
ql=0 pa=0 f:
Jan  6 06:39:05 Q kernel: htb*c20008 m=1 t=-5999 c=66950
pq=126192148 df=16359424 ql=22 pa=10 f:
Jan  6 06:39:10 Q kernel: NET: 77 messages suppressed.
Jan  6 06:39:10 Q kernel: HTB: mindelay=500, report it please !
Jan  6 06:39:10 Q kernel: htb*g j=126187316
Jan  6 06:39:10 Q kernel: htb*r7 m=0
Jan  6 06:39:10 Q kernel: htb*r6 m=0

later also:

Jan  6 06:40:05 Q kernel: NET: 518 messages suppressed.
Jan  6 06:40:05 Q kernel: HTB: suspicious delay in wait_tree
d=-1644459092 cl=20008 h=1
Jan  6 06:40:10 Q kernel: NET: 518 messages suppressed.
Jan  6 06:40:10 Q kernel: HTB: suspicious delay in wait_tree
d=-1644459092 cl=20008 h=1


I can't really imagine what causes this strange behaviour, except
perhaps the r2q/quantum settings which I played around with a little
bit, but only because the defaults also caused warning messages in
syslog. Perhaps these r2q/quantum parameters need tuning?!
I'll attach my shell script so you can look at it yourself;
thank you very much for any hint.

Greetings

Tobias




tc qdisc  add dev eth0 root handle 2:0 htb r2q 100 default 3
tc class  add dev eth0 parent 2:0 classid 2:1 htb rate 128kbit ceil 256kbit quantum 1500 burst 30k cburst 50k
tc class  add dev eth0 parent 2:1 classid 2:3 htb rate 1bps ceil 256kbit prio 3 quantum 1500
tc qdisc  add dev eth0 parent 2:3 handle 3:0 sfq
# then a class for acks, maximum prio, but shouldn't eat up more than 1/3 of bw
tc class  add dev eth0 parent 2:1 classid 2:4 htb rate 12kbit ceil 85kbit prio 0 quantum 1500 burst 5k
tc qdisc  add dev eth0 parent 2:4 handle 4:0 sfq
tc filter add dev eth0 parent 2:0 protocol ip prio 0 handle 0x1869f fw classid 2:4
# and a class for dns/other stuff which should be served fast
tc class  add dev eth0 parent 2:1 classid 2:5 htb rate 128kbit prio 1 quantum 1500 burst 10k
tc qdisc  add dev eth0 parent 2:5 handle 5:0 sfq
tc filter add dev eth0 parent 2:0 protocol ip prio 1 handle 0x1869d fw classid 2:5
# games class: also shouldn't exceed 1/3
tc class  add dev eth0 parent 2:1 classid 2:6 htb rate 128kbit prio 2 quantum 1500 burst 30k
tc qdisc  add dev eth0 parent 2:6 handle 6:0 sfq
tc filter add dev eth0 parent 2:0 protocol ip prio 2 handle 0x1869c fw classid 2:6
# we guarantee here 80%
tc class  add dev eth0 parent 2:1 classid 2:7 htb rate 102kbit ceil 128kbit prio 3 quantum 1500 burst 10k
tc qdisc  add dev eth0 parent 2:7 handle 7:0 sfq
tc filter add dev eth0 parent 2:0 protocol ip prio 3 handle 0x1869b fw classid 2:7
# bulk class: lower prio than all others, no reserved bw
tc class  add dev eth0 parent 2:1 classid 2:8 htb rate 1bps ceil 256kbit prio 4 quantum 1500 burst 5k cburst 10k
tc qdisc  add dev eth0 parent 2:8 handle 8:0 sfq
tc filter add dev eth0 parent 2:0 protocol ip prio 4 handle 0x1869a fw classid 2:8

tc qdisc  add dev eth1 root handle 2:0 htb r2q 100 default 3
tc class  add dev eth1 parent 2:0 classid 2:1 htb rate 1024kbit ceil 100240kbit quantum 1500 burst 30k cburst 50k
tc class  add dev eth1 parent 2:1 classid 2:3 htb rate 1bps ceil 100240kbit prio 3 quantum 1500
tc qdisc  add dev eth1 parent 2:3 handle 3:0 sfq
# then a class for acks, maximum prio, but shouldn't eat up more than 1/3 of bw
tc class  add dev eth1 parent 2:1 classid 2:4 htb rate 102kbit ceil 512kbit prio 0 quantum 1500 burst 5k
tc qdisc  add dev eth1 parent 2:4 handle 4:0 sfq
tc filter add dev eth1 parent 2:0 protocol ip prio 0 handle 0x1869f fw classid 2:4
# and a class for dns/other stuff which should be served fast
tc class  add dev eth1 parent 2:1 classid 2:5 htb rate 256kbit ceil 512kbit prio 1 quantum 1500 burst 10k
tc qdisc  add dev eth1 parent 2:5 handle 5:0 sfq
tc filter add dev eth1 parent 2:0 protocol ip prio 1 handle 0x1869d fw classid 2:5
# games class: also shouldn't exceed 1/3
tc class  add dev eth1 parent 2:1 classid 2:6 htb rate 256kbit ceil 512kbit prio 2 quantum 1500 burst 30k
tc qdisc  add dev eth1 parent 2:6 handle 6:0 sfq
tc filter add dev eth1 parent 2:0 protocol ip prio 2 handle 0x1869c fw classid 2:6
# we guarantee here 80% of the bw for normal traffic
tc class  add dev eth1 parent 2:1 classid 2:7 h
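An added check for the r2q/quantum question the post raises (example code, not from the post): for a class without an explicit `quantum`, HTB derives quantum = rate in bytes/s divided by r2q, and the sch_htb.c of the HTB 3 era clamps that to 1000..200000 bytes while logging "HTB: quantum of class X is small/big. Consider r2q change." The bounds are quoted from memory of the kernel source and should be treated as an assumption. The script above sets `quantum 1500` on every class, which is what keeps those warnings away; the checker shows what the kernel would do for classes that leave it out.

```shell
#!/bin/sh
# Added example, not from the original post: compute the quantum HTB would
# derive from rate/r2q and flag classes the kernel would clamp and warn
# about.  The 1000/200000 bounds are recalled from sch_htb.c (HTB 3 era);
# treat them as an assumption.
set -eu

# tc rate units: a bare number and "bps" are bytes/s, "bit" is bits/s,
# k/m prefixes are decimal (1000, 1000000).
rate_to_bytes() {       # rate_to_bytes <tc rate>  -> bytes per second
    printf '%s\n' "$1" | awk '{
        r = $1
        if (r ~ /mbit$/)      v = substr(r, 1, length(r)-4) * 1000000 / 8
        else if (r ~ /kbit$/) v = substr(r, 1, length(r)-4) * 1000 / 8
        else if (r ~ /bit$/)  v = substr(r, 1, length(r)-3) / 8
        else if (r ~ /mbps$/) v = substr(r, 1, length(r)-4) * 1000000
        else if (r ~ /kbps$/) v = substr(r, 1, length(r)-4) * 1000
        else if (r ~ /bps$/)  v = substr(r, 1, length(r)-3)
        else                  v = r
        printf "%d\n", v
    }'
}

# Print "<quantum> <verdict>", verdict being small/ok/big: whether HTB would
# clamp the derived quantum (and log the "Consider r2q change" warning).
htb_quantum() {         # htb_quantum <tc rate> <r2q>
    bytes=$(rate_to_bytes "$1")
    q=$((bytes / $2))
    if [ "$q" -lt 1000 ]; then echo "$q small"
    elif [ "$q" -gt 200000 ]; then echo "$q big"
    else echo "$q ok"; fi
}

# Scan a tc script on stdin (one command per line) and report every
# "htb rate ..." class that leaves quantum to the kernel and would get a
# clamped value under the given r2q.
check_script() {        # check_script <r2q>  < script.sh
    r2q=$1
    while read -r line; do
        case "$line" in
            *" htb rate "*) ;;
            *) continue ;;
        esac
        case "$line" in *" quantum "*) continue ;; esac
        rate=${line##* htb rate }
        rate=${rate%% *}
        cls=${line##* classid }
        cls=${cls%% *}
        set -- $(htb_quantum "$rate" "$r2q")
        [ "$2" = ok ] || echo "$cls: quantum $1 is $2"
    done
}

case "${1:-}" in
    check) check_script "${2:-10}" ;;
esac
```

`./htbcheck.sh check 100 < shaper.sh` lists the offending classes. With r2q 100 a 128kbit class gets a 160-byte quantum and a `rate 1bps` class a quantum of 0, both below the minimum; the 100240kbit parent comes out at 125300 bytes, which is fine.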

Re: [LARTC] RE:u32 filters and compression

2002-09-30 Thread Tobias Geiger

Hi,

thanks for the thanks :)
I looked at the whitepaper on www.peribit.com and it seems that they do
much more than the standard (LZW) compression:
they use a kind of proxy for cacheable protocols, and their MSR ("Molecular
Sequence Reduction", sounds great! :) algorithm to find repeating
patterns even across multiple packets.

Although I can't really believe that this doesn't affect latency, the
technical approach sounds amazing.

The great "disadvantage" is that you need such a box at both ends
(obviously), unlike compressed pppd (at least I think Windows understands
compressed pppd, or?) which is more platform independent. But I admit
this is like comparing apples with pears...


Allan Gee wrote:
 > Thanks: To Stef and Tobias Geiger for giving me the answer. I used
 > the prio to get the order right. Don't know why I did'nt think of it
 > myself. Compression: Another thing that might be useful to the list
 > is the use of compression (Deflate etc.) to get better bandwidth
 > across links. This requires a Linux router at both ends of the link.
 > I got the idea from a product called Peribit see www.peribit.com (
 > and mainly from Martin Devera who pointed out to me that Linux does
 > compression already with ppp. ) I have now started to work on getting
 > compression built into my traffic shaping/router products that are
 > Linux based. Putting that in place of Cisco should be a much
 > better/cheaper solution do you not think? One could even shape the
 > port that the pppoe runs on. I have looked at Zebedee which also has
 > a solution for "Windows" boxes. Anyway I've just started to do this
 > and If anyone is interested I will let you know the outcome.
 >
 > Regards Allan Gee Equation 021 4181777 www.equation.co.za ,S




Re: [LARTC] pfifo_fast dosnt work?

2002-09-25 Thread Tobias Geiger

hi,

just like Steve said in the previous mail, prioband is ok but it doesn't
make sure that your bandwidth isn't consumed by one service (even if it's in a
lower class than interactive stuff) because it doesn't reserve bandwidth
for its priomaps.

To achieve what you want I suggest using htb (see previous mail).

> Hep
>
> Trying to get pfifo to work. Setup :
>
>|--|<--->eth1 (192.168.10.0/24)
> eth0---|  GW  |<--->eth2 (192.168.11.0/24)
>|--|<--->eth3 (192.168.12.0/24)
>
> read all documentation :
>
> http://lartc.org/howto/lartc.cookbook.interactive-prio.html
>
> here is my TOS mangling rulse in iptables :
>
> $IPTABLES -A PREROUTING -i eth1 -t mangle -s 192.168.10.0/24 -p tcp \
>   --dport ftp-data -m state --state NEW,ESTABLISHED -j TOS --set-tos Maximize-Throughput
> $IPTABLES -A PREROUTING -i eth1 -t mangle -s 192.168.10.0/24 -p tcp \
>   --sport 44100:44200 -m state --state NEW,ESTABLISHED -j TOS --set-tos Maximize-Throughput
> $IPTABLES -A PREROUTING -i eth1 -t mangle -s 192.168.10.0/24 -p tcp \
>   --dport ftp -m state --state NEW,ESTABLISHED -j TOS --set-tos Minimize-Delay
>
> I'm trying to limit the ftp-data throughput by putting all
> ftp-data in band 2. I've checked with tcpdump -v -v | grep tos and yes,
> ftp-data gets [tos 0x8] whose destination is band 2 if I read the
> documentation right?
>
> Although everything is set OK all my interactive traffic ssh/telnet etc.
> is very slow and sloppy when someone uploads to our ftpserver.
>
> I'm running kernel 2.4.19 with latest patch-o-matic
>
> Please write to me for further information! You will find that I'm more
> than willing to get this problem solved :)
>
> --
> Venlig hilsen/Kind regards
> Thomas Kirk
> ARKENA
> thomas(at)arkena(dot)com
> Http://www.arkena.com
>
>
> BOFH excuse #212:
>
> Of course it doesn't work. We've performed a software upgrade.






Re: [LARTC] An example of prio qdisc please...

2002-09-25 Thread Tobias Geiger

correct me if I'm wrong, but couldn't you achieve the same goal only with htb?

I mean by creating a leaf level with classes rate=1bps, ceil=maxbw, prio 0-6

and attaching sfq/pfifo as leaf qdiscs to these classes?

Something like:
tc qdisc root handle 1:0 htb
tc class parent 1:0 handle 1:1 rate 
tc class parent 1:1 handle 1:10 rate 1bps ceil  prio 0
tc class parent 1:1 handle 1:11 rate  ... .. prio 1
and so on
tc qdisc parent 1:10 handle 10:0 pfifo/sfq
tc qdisc parent 1:11 handle 11:0 
and so on
tc filter 1:0 protocol ip prio 0 handle  fw classid 1:10
(syntax is not correct :)
and/or other filters

Doesn't this setup do the same as the priomap (in general)?

Greetings

Tobias

> On Wednesday 25 September 2002 11:39, Rohan Almeida wrote:
>> "Soulfly" <[EMAIL PROTECTED]> thus wrote:
>> > tc qdisc add dev eth0 root handle 1: prio bands 5 priomap 2 3 2 2 3
>> 3 3 3 1 1 1 1 2 2 2 2
>> > tc qdisc add dev eth0 parent 1:1 handle 10: sfq perturb 10
>> > tc qdisc add dev eth0 parent 1:2 handle 20: sfq perturb 10
>> > tc qdisc add dev eth0 parent 1:3 handle 30: sfq perturb 10
>> > tc qdisc add dev eth0 parent 1:4 handle 40: sfq perturb 10
>> > tc filter add dev eth0 protocol ip parent 1: prio 10 u32 match ip
>> protocol 0xXX 0xff flowid 1:1
>>
>> Hi there
>> This is ver infornmative
>> I've long wanted priority of some protocol over the other.
>> Now my question is:
>>  Can i use this with htb?
>>
>> I want:
>>  o ip 172.16.0.5 bandwidth restriction of 32 kbps (htb ceil)
>>  o ip 172.16.0.49 bandwidth restriction of 64 kbps (htb ceil)
>>  o protocol 23 priority over protocol 80
>>
>> U see, I don't want to limit "protocol 80" to some bandwidth
>> restriction so that "protocol 23" gets the rest available bandwidth I
>> just want "proto 23" packets priority over "proto 80"
>>
>> In the above example u used the "prio" qdisc
>> Can i use this with my htb as the roo qdisc and prio
>> lower down in the class?
> Yes, you can add the prio qdisc on a htb class.
>
> Stef
>
> --
>
> [EMAIL PROTECTED]
>  "Using Linux as bandwidth manager"
>  http://www.docum.org/
>  #lartc @ irc.oftc.net
>
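The HTB-only layout Tobias sketches, filled in as an added example (not code from the thread) for the two requirements in the quoted question: a per-host ceiling (32 kbit for 172.16.0.5, 64 kbit for 172.16.0.49) and port 23 served before port 80 within each host's share. It uses the u32 classifier from the quoted thread instead of the fw one; interface name, class ids and the 2mbit link rate are made up.

```shell
#!/bin/sh
# Added example, not from the thread: HTB leaf classes with rate 1bps,
# ceil = the host's limit and differing prio, in place of a prio qdisc.
# Host addresses and limits come from the quoted question; DEV, LINK and
# the class ids are assumptions.
set -eu

DEV=${DEV:-eth0}
LINK=${LINK:-2mbit}     # assumed uplink speed for the root class

# With DRY_RUN=1 the tc commands are printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One HTB subtree per host: the host class carries the ceiling, two leaves
# under it differ only in prio.  rate 1bps (8 bit/s) reserves nothing, so
# the lower-numbered prio wins whenever both leaves have packets.  quantum
# is set explicitly: rate/r2q would be far below HTB's minimum and the
# kernel would log "quantum of class ... is small" for every leaf.
add_host() {            # add_host <n> <ip> <ceil>
    n=$1; ip=$2; ceil=$3
    run tc class add dev "$DEV" parent 1:1 classid "1:${n}0" htb rate "$ceil" ceil "$ceil"
    run tc class add dev "$DEV" parent "1:${n}0" classid "1:${n}1" htb rate 1bps ceil "$ceil" prio 0 quantum 1500
    run tc class add dev "$DEV" parent "1:${n}0" classid "1:${n}2" htb rate 1bps ceil "$ceil" prio 1 quantum 1500
    run tc qdisc add dev "$DEV" parent "1:${n}1" handle "${n}1:" sfq perturb 10
    run tc qdisc add dev "$DEV" parent "1:${n}2" handle "${n}2:" sfq perturb 10
    # the more specific filter gets the lower prio number so it is tried first
    run tc filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
        match ip dst "$ip" match ip dport 23 0xffff flowid "1:${n}1"
    run tc filter add dev "$DEV" parent 1: protocol ip prio 2 u32 \
        match ip dst "$ip" flowid "1:${n}2"
}

setup() {
    run tc qdisc del dev "$DEV" root 2>/dev/null || true
    run tc qdisc add dev "$DEV" root handle 1: htb default 99
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK" ceil "$LINK"
    # everything not matched by a host filter: lowest prio, no reservation
    run tc class add dev "$DEV" parent 1:1 classid 1:99 htb rate 1bps ceil "$LINK" prio 6 quantum 1500
    run tc qdisc add dev "$DEV" parent 1:99 handle 99: sfq perturb 10
    add_host 2 172.16.0.5  32kbit
    add_host 3 172.16.0.49 64kbit
}

case "${1:-}" in
    apply) setup ;;
    show)  DRY_RUN=1; export DRY_RUN; setup ;;
esac
```

Unlike a prio qdisc, this gives the telnet leaf strict precedence only up to the host's ceil; the host class, not the leaf, is what bounds the total, which is exactly the combination the question asked for.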






Re: [LARTC] u32 filter question

2002-09-20 Thread Tobias Geiger

Hi,

try to give the more specific filter a higher prio. If I understood "tc
filter" right, the filters with higher prio are checked first.

In your setup giving the last filter line "prio 0" should do the job.


> Hi guys I have a config as follows for one of my networks. I want to
> give the xxx.xxx.xxx.xxx/xx network 64kbit for everything from the
> internet but 8000kbit from our internal servers on yyy.yyy.yyy.yyy/yy
> network. It does not work. I only want to use u32 filters. I think
> what's happening is the first flowid of 1:21 is catching them and not
> getting to the 1:40 flowid. Is this right? The box has to be between the
> x network and the y network.
>
> tc qdisc del dev eth1 root handle 1: htb default 999
> tc qdisc add dev eth1 root handle 1: htb default 999
> tc class add dev eth1 parent 1: classid 1:1 htb rate 1kbit
> tc class add dev eth1 parent 1:1 classid 1:999 htb rate 1000kbit ceil 1kbit
> tc qdisc add dev eth1 parent 1:999 handle 1999: sfq perturb 10
> tc class add dev eth1 parent 1:1 classid 1:2 htb rate 1kbit quantum 1514
> tc class add dev eth1 parent 1:2 classid 1:21 htb rate 64kbit ceil 64kbit quantum 1514
> tc class add dev eth1 parent 1:2 classid 1:40 htb rate 8000kbit ceil 8000kbit quantum 757000
> tc qdisc add dev eth1 parent 1:21 handle 2100: sfq perturb 10
> tc qdisc add dev eth1 parent 1:40 handle 4000: sfq perturb 10
> tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip dst xxx.xxx.xxx.xxx.xx flowid 1:21
> tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip src yyy.yyy.yyy.yyy/yy match ip dst xxx.xxx.xxx.xxx/xx flowid 1:40

>
> Regards Allan Gee
> Equation
> 021 4181777
> www.equation.co.za






Re: *****SPAM***** [LARTC] the range of HTB's prio

2002-09-17 Thread Tobias Geiger

HTB prios are 0-6 by default (htb 3.6), but AFAIK you can increase this
number at compile time.


btw: is it true that you're a "Spamware site or vendor"?
At least my SpamAssassin (which consults 2 RBL hosts...) declares you as
such...


> SPAM:  Start SpamAssassin results
> -- SPAM: This mail is probably spam.  The original
> message has been altered SPAM: so you can recognise or block similar
> unwanted mail in future. SPAM: See http://spamassassin.org/tag/ for more
> details.
> SPAM:
> SPAM: Content analysis details:   (9.5 hits, 5 required)
> SPAM: Hit! (2.0 points)  Forged yahoo.com 'Received:' header found SPAM:
> Hit! (2.0 points)  Received via a relay in relays.osirusoft.com SPAM:
> [RBL check: found 202.41.99.202.relays.osirusoft.com.,
> type: 127.0.0.6] SPAM: Hit! (0.5 points)  Received via a relay in
> ipwhois.rfc-ignorant.org SPAM:[RBL check: found
> 141.128.135.61.ipwhois.rfc-ignorant.org., type: 127.0.0.6] SPAM: Hit!
> (5.0 points)  DNSBL: sender is a Spamware site or vendor SPAM:
> SPAM:  End of SpamAssassin results
> -
>
> HTB and imq was used to control traffic.
> AC="tc class add dev eth0 parent"
> $AC 1: classid 1:1 htb rate 100kbps burst 2k
> $AC 1:2 classid 1:10 htb rate 50kbps ceil 100kbps
> burst 2k prio 1
> $AC 1:2 classid 1:11 htb rate 50kbps ceil 100kbps
> burst 2k prio 1
>
> please tell me the range of "prio"
>
>
>
>
> _
> Do You Yahoo!?
> http://cn.ent.yahoo.com/newsletter/index.html






Re: [LARTC] delete files

2002-09-12 Thread Tobias Geiger

Hi,

this is a little bit OT, so please ask such questions in IRC channels or
other forums.

a quick "apt-cache show wipe" (on woody) brings up this:


Package: wipe
Priority: extra
Section: utils
Installed-Size: 124
Maintainer: Thomas Schoepf <[EMAIL PROTECTED]>
Architecture: i386
Version: 0.16-8
Depends: libc6 (>= 2.2.4-4)
Filename: pool/main/w/wipe/wipe_0.16-8_i386.deb
Size: 30586
MD5sum: c294c13d07feeaee895539499af787fa
Description: Secure file deletion
  Recovery of supposedly erased data from magnetic media is easier than what
  many people would like to believe. A technique called Magnetic Force
  Microscopy (MFM) allows any moderately funded opponent to recover the last
  two or three layers of data written to disk. Wipe repeatedly writes special
  patterns to the files to be destroyed, using the fsync() call and/or the
  O_SYNC bit to force disk access.
  .
  Homepage: http://gsu.linux.org.tr/wipe/



p.s.: that's the biggest reason why I just love debian :)



Mark Donaldson wrote:
> Does anyone know any software that runs under Linux that does a
> military wipe, making a file unreadable by deleting the file then writing all
> ones and zeros, when deleting files.
> 
> _
> Chat with friends online, try MSN Messenger: http://messenger.msn.com
> 
> 
> 






Re: [LARTC] reset /proc/net/dev

2002-09-12 Thread Tobias Geiger

Hi,

perhaps the only way (although untested) may be to "ip link set
 down" and to "rmmod ",
which is in my opinion impractical :)

Much nicer and easier:
create a simple rule matching everything incoming/outgoing on your desired
device and insert it in the PREROUTING/POSTROUTING chain (or a custom
chain which is jumped to from INPUT and FORWARD / OUTPUT and FORWARD).

e.g.

iptables -t nat -I PREROUTING  -i eth0 # for incoming
iptables -t nat -I POSTROUTING -o eth0 # for outgoing

or if u prefer not to use the nat table

e.g.

iptables -N eth0_out
iptables -N eth0_in
iptables -I INPUT -i eth0 -j eth0_in
iptables -I FORWARD -i eth0 -j eth0_in
iptables -I FORWARD -o eth0 -j eth0_out
iptables -I OUTPUT -o eth0 -j eth0_out


with "iptables -t nat -L -vx" / "iptables -L -vx" you can read
bytes/packets and process this output in your script

hope that helps


tobias


>
> HI List,
> How do i reset the values in /proc/net/dev ?
> This file holds values for count of each (packet && byte),
> (sent && received) through all interfaces.
>
> I'm using a monitor which reads values from this
> file and prints out some nicely formatted output.
>
> But i need to reset the values. ie. set then to zero.
> Restarting the network does not do what i want.
> I guess a reboot should do it.
>
> Any other way?
>
> --
> arc_of_descent
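The counting-chain idea from the reply, worked out as an added example (not code from the post): a single match-everything rule in each chain does the counting, `iptables -nvxL` output is summed, and `-Z` resets the counters, which is the one thing /proc/net/dev cannot do. Interface and chain names are assumptions; the constructed listing at the bottom mimics the `-nvxL` output format so the parser can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original post: per-interface packet/byte
# accounting with dedicated iptables chains, plus reading and zeroing the
# counters.  Interface and chain names are made up; the nat table is not used.
set -eu

DEV=${DEV:-eth0}

# With DRY_RUN=1 the iptables commands are printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One chain per direction holding a single match-everything rule without a
# target: it only counts.  The jumps are inserted at the top (-I) so packets
# are counted before any ACCEPT/DROP decision, and after the target-less
# rule the packet returns to the calling chain, so filtering is unchanged.
make_counters() {
    run iptables -N "${DEV}_in"
    run iptables -N "${DEV}_out"
    run iptables -A "${DEV}_in"
    run iptables -A "${DEV}_out"
    run iptables -I INPUT   -i "$DEV" -j "${DEV}_in"
    run iptables -I FORWARD -i "$DEV" -j "${DEV}_in"
    run iptables -I OUTPUT  -o "$DEV" -j "${DEV}_out"
    run iptables -I FORWARD -o "$DEV" -j "${DEV}_out"
}

# Sum the pkts/bytes columns of an "iptables -nvxL <chain>" listing read on
# stdin and print "<pkts> <bytes>".  -x prints exact numbers (no K/M
# suffixes); the "Chain ..." and column-header lines do not start with a
# digit and are skipped.
sum_counters() {
    awk '$1 ~ /^[0-9]+$/ { p += $1; b += $2 } END { printf "%d %d\n", p, b }'
}

# Read a chain's counters and zero them in the same call: iptables lists
# the values immediately before clearing when -L and -Z are combined, so
# nothing slips through between the read and the reset.
read_and_reset() {      # read_and_reset <chain>
    iptables -nvxL "$1" -Z | sum_counters
}

# Constructed listing in the format iptables -nvxL produces, so the parser
# can be tried without root (not real output from any system).
SAMPLE_LISTING='Chain eth0_in (2 references)
    pkts      bytes target     prot opt in     out     source               destination
   12345    6789012            all  --  *      *       0.0.0.0/0            0.0.0.0/0
      10       1500            all  --  *      *       0.0.0.0/0            0.0.0.0/0'

case "${1:-}" in
    setup) make_counters ;;
    show)  DRY_RUN=1; export DRY_RUN; make_counters ;;
    read)  read_and_reset "${2:-${DEV}_in}" ;;
    demo)  printf '%s\n' "$SAMPLE_LISTING" | sum_counters ;;
esac
```

A monitor that polls `read` at fixed intervals gets per-interval deltas directly, which is what the question wanted from a resettable /proc/net/dev.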






Re: [LARTC] htb3 & imq

2002-08-12 Thread Tobias Geiger

Arindam Haldar wrote:
> hi Alex,
> thanx so much.. :) .. thanx to all
> my IMQ &  htb3 test rules are working ok.. the best part--> imq handling 
> both  in & out traffic now.. :)

I also had this setup, and I also thought of it as a "cool thing" :)
but then Patrick told me that it's not so clever: the incoming traffic
must pass 2 qdiscs (interface qdisc and imq qdisc) and this is bad/not
good because
1) cpu overhead (but this could be neglected) AND
2) these 2 qdiscs COULD drop packets and neither would know of the other
having dropped something -> retransmit
OK, case 2 is not so realistic, as the qdisc on the interface normally
is the pfifo, but nevertheless point 1) and the possibility of 2) made me
think that queueing twice is unnecessary.


> 
> Alexey Talikov wrote:
> 
>> Hello Arindam,
>> See imq faq http://luxik.cdi.cz/~patrick/imq/faq.html
>> Saturday, August 10, 2002, 9:46:00 AM, you wrote:
>>
> 
> 
> 






Re: [LARTC] failover problems

2002-07-24 Thread Tobias Geiger

>
> Hello,
>
> On Tue, 23 Jul 2002,  Tobias Geiger wrote:
>
>> to be precise: the problem is I have several nexthops (e.g. ppp0
>> +eth1 +eth2) for the same route and this WHOLE route is deleted,
>> although only the ppp0 device disappears...
>> and I cannot add several entries in different tables, because this seems
>> not to do failover
>
> Yes, similar behavior appeared in latest 2.4.19pre kernels,
> it looks like a recommendation to the users to recreate their routes
> because a device in nexthop was unregistered. Is this true for
> your setup?
>

Yes. I used the 2.4.19pre-10 kernel.
This behaviour affects only ppp devices (never tried ippp but I guess it's
the same).

I also wondered why failover doesn't work when using different
route entries for each nexthop...

Another confusing thing: using "nexthop via dev ppp0" in a table made me
think that I don't need a gateway address at all... but unfortunately
that's not the case :( It seems that ip searches the gateway address itself, so
that after a ppp reconnect (where I get another gateway address) the table entries
aren't valid anymore.

Thanks

Tobias






Re: [LARTC] failover problems

2002-07-23 Thread Tobias Geiger

addition:

to be precise: the problem is I have several nexthops (e.g. ppp0 +eth1
+eth2) for the same route and this WHOLE route is deleted, although only
the ppp0 device disappears...
and I cannot add several entries in different tables, because this seems not
to do failover

> Hello LARTC,
>
> I'm testing Failover and i'm getting this problem:
>
> The moment the device gets deleted (disappears from /proc/net/dev),
> e.g. pppd crashes, all RULES regarding this device are flushed.
> Is this a known bug/problem (I think so :)
> Is there a workaround/solution (except adding the rules again in
> ip-up.d)?
>
> Thanks in advance
>
> Tobias
>
>






[LARTC] failover problems

2002-07-23 Thread Tobias Geiger

Hello LARTC,

I'm testing Failover and i'm getting this problem:

The moment the device gets deleted (disappears from /proc/net/dev), e.g.
pppd crashes, all RULES regarding this device are flushed.
Is this a known bug/problem (I think so :)
Is there a workaround/solution (except adding the rules again in ip-up.d)?

Thanks in advance

Tobias





Re: [LARTC] tcng questions ?

2002-07-15 Thread Tobias Geiger

> Hi Jacob,
>
> please can you post the htb tcng patch to LARTC list ?
> [EMAIL PROTECTED] would test it in real environment ...

I'd like to test tcng with htb, too :)

Greetings

Tobias






Re: [LARTC] Hammer protection

2002-07-01 Thread Tobias Geiger

> Hi,
>
> Is it possible to use iptables as hammeprotection ?
>
> I want to deny a user who has just logged off .. for about 10seconds.
>

I think this is an application-logic thing which can't be implemented that
easily with only one iptables line.
> I tried with this, but that didn't work. Maybe my mind is going
> completely in the wrong direction today? =)
>
> iptables -I INPUT -i eth0 -p tcp -s 0/0 -d $my_ip --dport 21 -m limit
> --limit 10/second --limit-burst 1 --tcp-flags ALL SYN -j ACCEPT
>

This rule blocks (AFAIK) every request after the 10th/second, no matter
whether someone logged off or on...
I think what you want must be done on application level,
or with a "magic" (and dirty) script which watches the ftp log: if someone
logs off, grep its IP and then block it for 10 seconds.
But that not only sounds ugly :)


> Greetings,
>
> Joachim
>
>
>






Re: [LARTC] Is it possible to measure / graph the bandwidth used for individual IP sessions to an FTP server?

2002-07-01 Thread Tobias Geiger

Hi.

Hm. Accounting each ftp session separately sounds impossible (for me :),
but with ipac(-ng) @sourceforge.net it's possible to feed mrtg. So you can at least
measure and graph the TOTAL amount of (ftp) traffic
to/from your ftp server.
To measure and graph each ftp session separately you can try to find a tool
which evaluates /var/log/xferlog, assuming your ftp server writes such a
log file (e.g. with modlogan).
Greetings

Tobias

> My office has an FTP server which is used by various "satellite sites"
> to upload files to us.
>
> As part of the management of my local network & auditing network
> resources, I want to try & measure (and hopefully) graph [like MRTG]
> the bandwidth used by individual FTP upload connections (assuming each
> file being uploaded only uses one connection).
>
> I am wondering whether it's possible to do this using Linux??
>
> Regs
> Rupert Heesom
> Asst Distribution Engineer
> Adventist World Radio
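The xferlog route from the reply, as an added example (not code from the post or from any of the tools named): per-transfer and per-site upload throughput computed from the log. It assumes the wu-ftpd/proftpd xferlog layout (five date fields, transfer time in seconds, remote host, bytes, file, type, flag, direction with `i` for uploads, access mode, user, service, auth fields, completion status); the log lines below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: per-upload and per-site
# throughput from an xferlog.  Field layout assumed from the xferlog(5)
# format; the sample lines are constructed, not from a real server.
set -eu

SAMPLE_XFERLOG='Mon Jul  1 10:00:05 2002 5 site-a.example.org 512000 /incoming/a.mp3 b _ i r siteA ftp 0 * c
Mon Jul  1 10:00:09 2002 2 site-b.example.org 204800 /incoming/b.txt a _ i r siteB ftp 0 * c
Mon Jul  1 10:01:00 2002 0 site-a.example.org 1024 /incoming/tiny b _ i r siteA ftp 0 * c
Mon Jul  1 10:02:00 2002 10 site-a.example.org 4096000 /pub/get.iso b _ o r anonymous ftp 0 * c'

# Print "<host> <bytes> <seconds> <kbit/s>" for every completed upload
# (direction i, status c); downloads (direction o) are skipped.  A transfer
# logged with 0 seconds keeps its bytes but gets no rate: the log has
# one-second resolution and nothing finer can be recovered from it.
upload_rates() {        # stdin: xferlog
    awk '$12 == "i" && $NF == "c" {
        secs = $6; bytes = $8
        rate = (secs > 0) ? bytes * 8 / secs / 1000 : 0
        printf "%s %d %d %.1f\n", $7, bytes, secs, rate
    }'
}

# Aggregate per remote host, the per-site number an MRTG-style graph would
# want: "<host> <bytes> <seconds> <avg kbit/s>", sorted by host.
per_host() {            # stdin: xferlog
    upload_rates | awk '
        { b[$1] += $2; s[$1] += $3 }
        END {
            for (h in b)
                printf "%s %d %d %.1f\n", h, b[h], s[h], (s[h] > 0) ? b[h] * 8 / s[h] / 1000 : 0
        }' | sort
}

case "${1:-}" in
    demo)      printf '%s\n' "$SAMPLE_XFERLOG" | upload_rates ;;
    demo-host) printf '%s\n' "$SAMPLE_XFERLOG" | per_host ;;
    uploads)   upload_rates ;;      # e.g. ./xferrate.sh uploads < /var/log/xferlog
    hosts)     per_host ;;
esac
```

Because xferlog records whole transfers, this yields the average rate per file, not a live picture of a running session; for the latter the ipac/iptables counters mentioned in the reply are the tool, at the cost of per-session resolution.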






Re: [LARTC] Shaping and accounting

2002-05-31 Thread Tobias Geiger

Hi. Yes, AFAIK you're right: ipac (for 2.2) and ipac-ng (for 2.4) "just"
insert iptables rules in INPUT/OUTPUT/FORWARD, and so they don't see the
"dropped/delayed-because-of-shaping" packets..

The only solution I know is ugly and/or impractical: read the
interface stats from /proc/net/dev. But that's only usable if
1. you have one interface per customer
2. you don't need to account certain ports

As I said: in most cases it's no solution...

With Patrick's imq devices you can at least compute the
"dropped/delayed-because-of-shaping" packets: these imq devices display
in /proc/net/dev the amount of packets/bytes that SHOULD have been delivered as
RX, and the amount of packets/bytes REALLY delivered to the
interface as TX.

But that's not really useful for your setup :(

Greetings

Tobias

> Hello,
>
>   A while ago now I had to set up a traffic shaper for the ISP I work
> for, and I used linux and cbq.init to accomplish this. It worked
> reasonably well, too, but after a while and some double-checking it
> turned out that the ipac accounting on the same machine was
> consistently reporting higher usage than was actually the case by
> roughly the same factor (not amount) for every client.
>
>   After a lot of thinking about this, the only conclusion I could reach
> that didn't involve a gross and so far completely undiscovered
> programming flaw in ipac or TCP/IP gremlins was that the difference was
> caused by traffic shaping occurring at the point where packets exit the
> machine while ipac does its accounting of packets at the point where
> they enter.
>
>   Am I right, or am I just blowing smoke and moondust, and in either
> case, is there any way to correctly shape and account traffic on one
> machine?
>
> Thanks,
> --
> Rens Houben   |opinions are mine
> Resident linux guru and sysadmin  | if my employers have one
> Systemec Internet Services.   |they'll tell you themselves PGP
> public key at http://suzaku.systemec.nl/shadur.key.asc  -- new Dec 12
> 2001






Re: [LARTC] Some questions concerning IPtables (& IMQ/SFQ)

2002-05-03 Thread Tobias Geiger

On Fri, May 03, 2002 at 04:50:18PM +0200, Nils Lichtenfeld wrote:
> Hi there!
Hi Nils
> 
> Some questions I couldn't find an answer for:
> IPtables:
> - Is it possible to filter those ACK-packets (to eliminate problems
> with ADSL-connections) with IPtables? It wasn't possible with IPchains,
> so u32 had to be used. Now there is this nice little --tcp-flags
> option. But I just don't know if this is all I need. The u32 was
> checking for packetsize too. So if there is an equivalent to the u32
> ACK-filterrule, what would it look like?
> 
> What I have found in the ML is this:
> 
> # Set ACK as prioritized traffic (ACK's are less than 100 bytes)
> $IPTABLES -t mangle -A MANGLE_MARK -p tcp -m length --length :100 -j
> MARK --set-mark 1
> $IPTABLES -t mangle -A MANGLE_MARK -p tcp -m length --length :100 -j
> RETURN
> 
> 
> Wouldn't that apply on a lot more packets than only the ACK ones? What
> is the exact specification of an ACK-packet?

I don't know the exact technical specification for ACK packets, but i
use the example below, and it works (i mean as far as i can see, no
"other" packets get in my $ack-queue)

> 
> - With IPchains it was possible to mark and return in one rule. Looking
> at the example above this doesn't seem possible (two -j operators). Is
> that right?
>
sorry, don't know
 
> - Can I have for example one custom chain and have forward and output
> send its packets to it?
> 
well i think so. 
i use constructs like these:

start_ingress_iptables() {

# custom chain in the mangle table; PREROUTING on the shaped device jumps into it
$iptables -t mangle -N IMQ_INGRESS
$iptables -t mangle -A IMQ_INGRESS -m state --state ESTABLISHED -p tcp --sport ssh \
    -j MARK --set-mark $high
$iptables -t mangle -A IMQ_INGRESS -m state --state ESTABLISHED -p tcp --sport http \
    -j MARK --set-mark $high
# small packets of established connections (40-100 bytes) go to the ack class
$iptables -t mangle -A IMQ_INGRESS -m state --state ESTABLISHED -m length --length 40:100 \
    -j MARK --set-mark $ack
$iptables -t mangle -A IMQ_INGRESS -j IMQ --todev 0
$iptables -t mangle -A PREROUTING -i ${SHAPEDEV} -j IMQ_INGRESS

}

and i see no reason why i couldn't add something like:
iptables -t mangle -A POSTROUTING -o somedevice -j IMQ_INGRESS


> - Is there a howto that explains -t mangle, -A PREROUTING/POSTROUTING
> etc.? The only IPtables HowTo I have found is
> http://www.telematik.informatik.uni-karlsruhe.de/lehre/seminare/LinuxSe
> m/downloads/netfilter/iptables-HOWTO.html
>
netfilter.org ?!
 
> - From Patricks' IMQ-page:
> 
> SFQ is very useful as a leaf qdisc. But by default, its internal queue
> length is 128 which is too much for small classes or even for
> not-so-fast links. Changing SFQ_DEPTH in net/sched/ sch_sfq.c to about
> 10-20 results in flows responding much faster to bandwidth changes.
> 
> 
> Is that meant for SFQ in general or only in conjunction with IMQ?
> 
I think it's meant for slower links in general. 
btw i found that SFQ_DEPTH has to be a value divisible by 8
(i use 24 and in my subjective opinion i have better interactivity)

> 
> Thank you.
> Greetings, Nils
>

Greetings

Tobias 
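To make the ACK question above concrete, here is an added example (not code from the thread) that builds a few packets and checks each one against the length-only rule and against the TCP flags and payload length; the addresses and packets are constructed.

```python
"""Added example, not part of the list thread: compare the length-only ACK
heuristic from the quoted rules ('-m length --length 40:100') with a check
on the TCP header itself. Packets are constructed inline, so this runs
offline; 10.0.0.1 and 10.0.0.2 are made-up addresses."""
import struct

ACK, PSH, SYN_FIN_RST = 0x10, 0x08, 0x07


def build_packet(payload: bytes, flags: int = ACK) -> bytes:
    """Minimal IPv4 header (20 bytes) + TCP header (20 bytes, no options) + payload."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + payload


def matches_length_rule(pkt: bytes, lo: int = 40, hi: int = 100) -> bool:
    """What '-m length --length lo:hi' sees: only the IP total length."""
    total = struct.unpack("!H", pkt[2:4])[0]
    return lo <= total <= hi


def is_pure_ack(pkt: bytes) -> bool:
    """ACK set, no SYN/FIN/RST, and no TCP payload after the headers."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    doff = (pkt[ihl + 12] >> 4) * 4
    flags = pkt[ihl + 13]
    return bool(flags & ACK) and not (flags & SYN_FIN_RST) and total - ihl - doff == 0


# constructed samples: a bare ACK, a small request carrying data, a full data segment
SAMPLES = {
    "pure_ack": build_packet(b""),
    "small_request": build_packet(b"GET /index.html HTTP/1.0\r\n\r\n", ACK | PSH),
    "bulk_data": build_packet(b"x" * 1000, ACK | PSH),
}


def compare(pkt: bytes) -> tuple:
    """(length rule matches, packet really is a pure ACK)."""
    return matches_length_rule(pkt), is_pure_ack(pkt)


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        lr, pa = compare(pkt)
        print(f"{name:14} {len(pkt):5d} bytes  length-rule={lr}  pure-ack={pa}")
```

The small request is 68 bytes, so the length rule puts it in the ACK class even though it carries data; a SYN of 40 bytes gets the same treatment.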



Re: [LARTC] howto spare the "tc filter" - lines with htb

2002-04-30 Thread Tobias Geiger

On Tue, Apr 30, 2002 at 11:33:12AM +0200, Nils Lichtenfeld wrote:
> Hello Tobias!
> 
Hello Nils,

> > unfortunately it doesn't work with my setup.
> > i add a "dummy" tc filter - line:
> >
> > tc filter add dev imq1 parent 10:0 protocol ip prio 1 handle 1 fw classid 10:10
> 
> As far as I understood Devik, this should look like:
> tc filter add dev imq1 parent 10:0 protocol ip prio 1 handle 1 fw
output:
"RTNETLINK answers: Invalid argument"
i can try this in whatever stage of my script (before iptables, after
qdiscs and classes, whatever), it's always that "answer" :)
> 
> So no classid term (makes sense, since the classid term is incorporated into
> the --mark statement).
yes, i thought so too. that's why i wanted to call it "dummy"-line :)
> 
> Greetings Nils
> 
Greetings Tobias



Re: [LARTC] howto spare the "tc filter" - lines with htb

2002-04-29 Thread Tobias Geiger

On Mon, Apr 29, 2002 at 04:59:33PM +0200, Patrick McHardy wrote:
> Hi :)
> 
> Tobias Geiger wrote:
> >Hi,
> >
> >recently Martin explained, how to avoid these "tc filter" lines in our
> >scripts.
> >unfortunately it doesn't work with my setup.
> >i add a "dummy" tc filter - line:
> >
> >tc filter add dev imq1 parent 10:0 protocol ip prio 1 handle 1 fw classid 10:10
> >
> >which of course works, but i have no fwmark "1", but as i thought it's
> >just a "dummy" -line for tc filter to work, i guess/think that's ok.
> >
> >further i just set marks with iptables, and generate the right
> >qdiscs/classes for them:
> >
> >  ack=0x00100010 # for classid 10:10
> > high=0x00100011 #  10:11
> > norm=0x00100012 # and so
> >  low=0x00100013 # on
> >
> 
> I guess the problem is the encoded ids, in my opinion they have to be 
> calculated like this:
> 
> (classid << 16) + leafid
> So 10:10 would translate to 655370 decimal or 0xa000a hex.
> 
> bye,
> patrick
> 

hi patrick :)

hmm. here's a posting from martin:



> > You can use only one
> > tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw
> >
> > and set classid directly in iptables like:
> > iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 0x10010
> > iptables -t mangle -A to-dsl -p tcp --sport 24 -j MARK --set-mark 0x10020
> >
> > and so on ..
> > devik
> Thx.
> Even I 'm learning from this list :)
> But how do you translate xx:xx to HEX ?

handle numbers in tc ARE in hex, so that:

... classid a23f:334d

can be written as --set-mark 0xa23f334d
devik



but nevertheless i tried to convert the classids to hex ... no success :(

Greetings

Tobias
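As an added example (not from the thread), the hex handle rule devik describes can be written as a small converter; the class names ack/high/norm/low and their classids are taken from the thread, the function names are my own.

```python
"""Added example, not from the thread: convert between tc's 'major:minor'
handle notation and the 32-bit fwmark that the 'fw' classifier compares
against, following devik's note that handle numbers are hexadecimal."""


def handle_to_mark(handle: str) -> int:
    """'10:10' -> 0x00100010, 'a23f:334d' -> 0xa23f334d; '1:' means minor 0."""
    major_s, _, minor_s = handle.partition(":")
    major = int(major_s, 16) if major_s else 0
    minor = int(minor_s, 16) if minor_s else 0
    if not (0 <= major <= 0xFFFF and 0 <= minor <= 0xFFFF):
        raise ValueError(f"handle out of range: {handle!r}")
    return (major << 16) | minor


def mark_to_handle(mark: int) -> str:
    """Inverse: which class a given mark actually selects."""
    return f"{(mark >> 16) & 0xFFFF:x}:{mark & 0xFFFF:x}"


def mark_table(classes: dict) -> dict:
    """Map class names to the --set-mark argument for each classid."""
    return {name: f"0x{handle_to_mark(cid):08x}" for name, cid in classes.items()}


if __name__ == "__main__":
    # the four classes from the thread
    table = mark_table({"ack": "10:10", "high": "10:11", "norm": "10:12", "low": "10:13"})
    for name, mark in table.items():
        print(f"{name:4} --set-mark {mark}   # classid {mark_to_handle(int(mark, 16))}")
```

Decoding 655370 (0xa000a) with mark_to_handle gives "a:a", so a value computed from the decimal digits selects a different class than the hex handle 10:10 does.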



[LARTC] howto spare the "tc filter" - lines with htb

2002-04-29 Thread Tobias Geiger

Hi,

recently Martin explained, how to avoid these "tc filter" lines in our
scripts.
unfortunately it doesn't work with my setup.
i add a "dummy" tc filter - line:

tc filter add dev imq1 parent 10:0 protocol ip prio 1 handle 1 fw classid 10:10

which of course works, but i have no fwmark "1", but as i thought it's
just a "dummy" -line for tc filter to work, i guess/think that's ok.

further i just set marks with iptables, and generate the right
qdiscs/classes for them:

  ack=0x00100010 # for classid 10:10
 high=0x00100011 # 10:11
 norm=0x00100012 # and so
  low=0x00100013 # on

but it doesn't work :(

am i missing something?! i guess it's the "not-really-dummy" tc-filter
line ?! :)

thank you very much

Tobias




Re: [LARTC] Sharing incoming traffic

2002-03-21 Thread Tobias Geiger

For me ingress works great.
ok, i more or less copy/pasted from the "wondershaper" :)

I guess it's not good to have a rate of 8000bps AND a burst of 10k 

I'm also not sure if the iptables-marks get noticed, but it seems so,
as you said there is a shaping effect. but as your iptable-rule is so
general i'd say there's no reason not to use the appropriate u32
filter instead of fw.

VMWare shouldn't be the problem, at least i never had any.

Tell me, if tuning rate/burst helped

Greetings 

Tobias




On Thu, Mar 21, 2002 at 12:29:09PM +, Julián Muñoz wrote:
> 
> I've done my first test with ingress,
> 
> 2 ftps, and I've seen that the bandwidth is not shared "very well".
> 
> From the point of view of a user, his transfer stops suddenly, and
> restarts 20 seconds (or more!) later. Then the other has to wait !! I
> observe a kind of feedback process, the interval of stopped traffic being
> bigger each time, during the transfer.
> 
> The bandwidth is limited to 64.000 bit per second, killing packets.
> 
> In fact it is not a real ethernet link, and the filter is on a vmware
> machine computer, so maybe this test is not valid.
> 
> Anyone knows more about this behaviour ??
> 
> Could I optimize it playing with burst and mpu ?
> 
> Or am I doing something really bad ?
> 
> Thank you,
> 
> Here's my filter:
> 
> iptables -A PREROUTING -i eth0 -t mangle --protocol all -j MARK --set-mark 1
> 
> tc qdisc add dev eth0 handle ffff: ingress
> 
> tc filter add dev eth0 parent ffff: protocol ip prio 5 handle 1 fw \
>    police rate 8000bps burst 10k mpu 64b drop flowid :1
> 
> 
> -- 
> 
>   __o
> _ \<_
>(_)/(_)
> 
> Greetings from Julián
> EA4ACL
> -.-
> 
> Foro Wireless Madrid
> http://opennetworks.rg3.net
> 
> 
> 



Re: [LARTC] Sharing incoming traffic

2002-03-21 Thread Tobias Geiger

the "wondershaper" by one of the authors of the LARTC-HOWTO:
http://lartc.org/HOWTO//cvs/2.4routing/output/2.4routing-15.html
at the very end of this html-page simply copy/paste the ingress-line and
the next line which is the u32 filter for the ingress-qdisc. 
that worked perfectly for me :)




> Thank you Tobias,
> 
> > For me ingress works great.
> > ok, i more or less copy/pasted from the "wondershaper" :)
> 
> Eh?
> 
> > I guess it's not good to have a rate of 8000bps AND a burst of 10k
> 
> I have set burst to 3k, and this has not helped, I still see the "not
> nice" sharing at the input.
> Maybe I should increase burst ??
> 
> 

well, what do you want? i guess i want to "test" the ingress-qdisc, and
as far as i understand the whole thing it's not a good idea to set a specific
rate but at the same time allow a burst that's x*specific-rate. 
i always set my burst to something like specific-rate/10 or so
in your example with 8000bps rate, i'd test a burst of 800 or even less



> > I'm also not shure, if the iptables-marks get noticed, but it seems so,
> > as you said there is a shaping effect.
> 
> You say the if I use u32 maybe this effect would disappear ?
> 
> 

like i said: i don't know exactly :) i'm not into this c /
hardcore-kernelprogramming stuff, so i don't know for sure which code
comes first in case of ingress: the qdisc-stuff or the iptables stuff.
if the iptables stuff comes first (and it seems so) then everything's
ok. let it be. 
the "effect" has nothing to do with your filter, more with your qdisc (i
guess :)

> > but as your iptable-rule is so
> > generally i'd say there's no reason not to use the appropriate u32
> > filter instead of fw.
> 
> The problem is that u32 is not well documented :-(
> I had to install all the ipchains and after iptables, because was unable
> to do anything "coherent" with u32...
> 
> 
like mentioned above: the last line of code in the html-page is the
u32-filter line you need (and which does the same as your
iptables-mark-rule)

good luck

tobias

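As an added example (not from the thread) of how rate, burst and mpu interact in a police action, here is a token-bucket model; the parameters 8000bps, burst 10k and mpu 64b come from the thread, the offered traffic is constructed. It also shows, beyond what the thread says, that a burst smaller than the largest packet on the link lets nothing through, which bounds how far burst can be reduced.

```python
"""Added example, not from the thread: a small token-bucket model of
'tc ... police rate R burst B mpu M drop' to see how burst size and packet
size interact. Rates are bytes per second (tc's 'bps'), time is in
milliseconds, and the offered traffic is constructed."""


class Policer:
    """Single-rate token bucket: burst is the bucket size in bytes."""

    def __init__(self, rate: float, burst: int, mpu: int = 0):
        self.rate, self.burst, self.mpu = rate, burst, mpu
        self.tokens = float(burst)  # bucket starts full
        self.last_ms = 0

    def admit(self, now_ms: int, size: int) -> bool:
        """True if the packet conforms; False is what 'drop' would discard."""
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate / 1000)
        self.last_ms = now_ms
        cost = max(size, self.mpu)  # mpu: tiny packets are charged at least mpu bytes
        if cost <= self.tokens:
            self.tokens -= cost
            return True
        return False


def run(rate, burst, mpu, pkt_size, offered_rate, seconds):
    """Offer pkt_size-byte packets evenly at offered_rate B/s; return (passed, dropped)."""
    pol = Policer(rate, burst, mpu)
    interval_ms = round(1000 * pkt_size / offered_rate)
    n = seconds * 1000 // interval_ms
    passed = sum(pol.admit(i * interval_ms, pkt_size) for i in range(n))
    return passed, n - passed


if __name__ == "__main__":
    # 8000 B/s (64 kbit/s) policer fed 20000 B/s of 1500-byte packets for 10 s
    for burst in (10000, 3000, 800):
        passed, dropped = run(8000, burst, 64, 1500, 20000, 10)
        print(f"burst {burst:5d}: passed {passed:3d}, dropped {dropped:3d}, "
              f"~{passed * 1500 / 10:.0f} B/s through")
```

With burst 10k the first ten 1500-byte packets pass untouched before the rate bites; with burst 800 every 1500-byte packet is dropped, whatever the rate.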



Re: [LARTC] Sharing incoming traffic

2002-03-21 Thread Tobias Geiger


I reread your Subject line and noticed you meant SHARING. i always read
SHAPING. 
Be aware you can't actually SHARE your incoming bandwidth. you can just
throttle it down (to gain more interactivity on a heavily loaded link)

I hope we didn't misunderstand each other

Tobias




Re: [LARTC] NAT statistics

2002-03-14 Thread Tobias Geiger

Hello,

you can use the ipac-ng (http://sourceforge.net/projects/ipac-ng/) toolset to
implement counters with iptables.
ipac-ng generates iptables-rules just for accounting, this data can be
summarized and even be graphed. ( i use mrtg for graphing the data, but
ipac-ng includes a graph-generator itself)

i hope that's what you were looking for

Tobias

On Thu, Mar 14, 2002 at 03:43:09PM +0200, Sebastian Taralunga wrote:
> 
> Thank you VaibhaV,
> 
> Your script works just fine however my problem is to get traffic information
> about both downlink and uplink on a NAT server. Do you know what iptables rules
> should I use to be able to see such information? Right now my rules look like
> this (generated by iptables-save):
> 
> *nat
> :PREROUTING ACCEPT [1372:944647]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -s 192.168.130.2 -j MASQUERADE
> -A POSTROUTING -s 192.168.130.3 -j MASQUERADE
> 
> -
> 
> Regards,
> 
> Sebastian
> 
> On Thu, 14 Mar 2002, VaibhaV Sharma wrote:
> 
> > Hello,
> > See the -v option in man iptables
> >
> >
> >    -v, --verbose
> >       Verbose output.  This option makes the list command
> >       show the interface address, the rule options (if
> >       any), and the TOS masks.  The packet and byte counters
> >       are also listed, with the suffix 'K', 'M' or 'G' for
> >       1000, 1,000,000 and 1,000,000,000 multipliers
> >       respectively (but see the -x flag to change this).
> >       For appending, insertion, deletion and replacement,
> >       this causes detailed information on the rule or rules
> >       to be printed.
> >
> >
> > This would give you the amount of data transferred for each rule that you
> > have in your firewall as one of the columns
> >
> > I wrote a small script to extract amount of data for each client I am
> > allowing FORWARD. The script takes the IP address of the machine you wanna
> > find info about as the command line parameter.
> >
> > 
> > #!/bin/sh
> >
> > details=`/sbin/iptables -L -v -n | grep ACCEPT | grep -v INPUT | grep -v OUTPUT \
> >          | tr -s " " | grep "$1" | cut -d" " -f 3,9,12`
> >
> > bytes=`echo $details | cut -d" " -f1`
> > ip=`echo $details | cut -d" " -f2`
> >
> > echo "IP address $ip transferred $bytes bytes."
> >
> > 
> >
> > The cut thingies are customised to the output I get for my rules. Check
> > yours and modify.
> >
> > VaibhaV
> >
> >
> > On Thu, 14 Mar 2002 11:30:01 +0200 (EET) "Sebastian Taralunga"
> > <[EMAIL PROTECTED]> wrote:
> >
> > >
> > > Hi,
> > >
> > > I want to be able to get statistics per IP address for both incoming and
> > > outgoing traffic on a NAT server using iptables and kernel v2.4.18. I
> > > actually have the same problem for a server running kernel v2.2.20,
> > > using ipchains.. Can anyone help me?
> > >
> > > Regards,
> > >
> > > Sebastian
> >
> >
> >  \  \
> >   \--\
> > \  |VaibhaV Sharma | [EMAIL PROTECTED]  |   L I N U X   \  |
> >  \ |Exocore Consulting |  http://www.exocore.com  |\ |
> >   \|Bangalore, India   |  +91(80)3440397,3341137  |   R O C K S \|
> >\-/
> >
> 
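As an added example (not from the thread), this parses the counter columns of `iptables -L FORWARD -v -n -x` and separates uplink from downlink per client, which is what the question about a NAT server asks for; the sample listing is constructed. The nat-table counters from the quoted iptables-save would not serve here, since nat rules only see the first packet of each connection.

```python
"""Added example, not from the thread: sum the per-rule byte counters that
'iptables -L FORWARD -v -n -x' prints, giving uplink (internal host as
source) and downlink (internal host as destination) separately. The listing
below is constructed. On a NAT box FORWARD sees the internal addresses in
both directions because DNAT/SNAT happen in PREROUTING/POSTROUTING."""

SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1372     944647 ACCEPT     all  --  eth1   eth0    192.168.130.2        0.0.0.0/0
    2210    3105522 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            192.168.130.2
     310     204811 ACCEPT     all  --  eth1   eth0    192.168.130.3        0.0.0.0/0
     512     911004 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            192.168.130.3
       9        540 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


def parse_rules(listing: str) -> list:
    """One dict per rule line; the chain line and column header are skipped."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():
            continue
        rules.append({"pkts": int(f[0]), "bytes": int(f[1]), "target": f[2],
                      "in": f[5], "out": f[6], "src": f[7], "dst": f[8]})
    return rules


def traffic_for(listing: str, ip: str, target: str = "ACCEPT") -> dict:
    """Bytes counted by rules naming ip as source (up) or destination (down)."""
    up = down = 0
    for r in parse_rules(listing):
        if r["target"] != target:
            continue
        if r["src"] == ip:
            up += r["bytes"]
        if r["dst"] == ip:
            down += r["bytes"]
    return {"up": up, "down": down}


if __name__ == "__main__":
    for client in ("192.168.130.2", "192.168.130.3"):
        print(client, traffic_for(SAMPLE, client))
```

Without -x the byte column may carry K/M/G suffixes, as the quoted man page says, and int() would reject them.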