Re: [LARTC] Limiting speed of individual TCP sessions ?
Hi,

I can't imagine a "clean" tc-only solution, but look at the extra patch-o-matic matches in iptables. From http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-connrate :

  Author: Nuutti Kotivuori <[EMAIL PROTECTED]>
  Status: Working, but received only minimal testing

  The connrate match is used to match against the current transfer speed of a connection. The algorithm averages transferred bytes over a time sliding window of constant size. The maximum and minimum rates measurable are explained in the code, along with the algorithm used in the measurements.

  This match can easily be used to reclassify connections based on their current transfer rate, but is not meant for directly dropping packets, because packet drops affect the rate being estimated. The transfer rate per connection can also be viewed through /proc/net/ip_conntrack.

  Usage:
    --connrate [!] [FROM]:[TO]
  will match packets from a connection which is currently transferring more than FROM bytes per second and less than TO bytes per second. 'inf' can be used to signify the largest measurable transfer rate. If FROM is omitted, it defaults to zero. If TO is omitted, it defaults to infinity. "!" is used to match packets not falling in the range.

  Example:
    iptables .. -m connrate --connrate 1:10 ...
  => match packets in connections transferring faster than 10kbps, but slower than 100kbps.

    iptables .. -m tos --tos Minimize-Delay \
      -m connrate --connrate 2:inf \
      -j TOS --set-tos Maximize-Throughput
  => match packets in minimize-delay TOS connections that are transferring faster than 20kbps and change their TOS to maximize-throughput instead.

You could reclassify every *single* connection exceeding your maximum into a "you get less than normal sessions" htb/hfsc class. Perhaps this is what you want? (Although it means you'll have to patch your kernel ;)

Greetings
Tobias

On Friday, 10 September 2004 01:57, Simon Byrnand wrote:
> Hi All,
>
> Does anyone know of a way to limit the speed of *individual* TCP sessions,
> but without placing any overall bandwidth limits, and without requiring an
> explicit QoS entry for every IP address the machine is communicating with?
>
> The scenario is a mailserver - say you want to limit individual TCP
> sessions (pop3, smtp etc) to no more than 512Kbit so that an individual
> session can't hog your bandwidth, but you don't want to place a maximum
> limit on the TOTAL traffic. Also it's impossible to set up normal per-IP
> address QoS classes, because there are potentially an almost infinite
> number of possible IP addresses that might try to connect to the server.
>
> Any ideas?
>
> Regards,
> Simon

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
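The connrate text above describes the idea (bytes averaged over a constant-size sliding window, then a FROM:TO range test) without showing it. The following is an added illustration, not the netfilter module and not code from either poster: a user-space model of the same sliding-window estimator and the `[!] [FROM]:[TO]` range test, driven by a constructed packet trace of one bulk connection and one interactive one, and classified against the 512Kbit per-session limit from Simon's question (expressed in bytes per second). Connection keys, timings and sizes are all made up for the example.

```python
"""Sliding-window per-connection rate estimation in the spirit of the
connrate match quoted above.  Added example, not the kernel code: the real
match keeps its state in conntrack; this models the same decision
(bytes averaged over a fixed time window, then a FROM:TO range test) so
the reclassification rule can be seen working on a constructed trace."""
from collections import defaultdict, deque

INF = float("inf")  # the 'inf' spelling of --connrate FROM:TO


class ConnRateEstimator:
    def __init__(self, window_s=1.0):
        self.window_s = window_s
        # per-connection queue of (timestamp, bytes) samples still inside the window
        self._samples = defaultdict(deque)
        self._totals = defaultdict(int)

    def _expire(self, conn, now):
        q = self._samples[conn]
        while q and q[0][0] <= now - self.window_s:
            _, nbytes = q.popleft()
            self._totals[conn] -= nbytes

    def observe(self, conn, now, nbytes):
        """Record a packet of nbytes on conn seen at time now (seconds)."""
        self._expire(conn, now)
        self._samples[conn].append((now, nbytes))
        self._totals[conn] += nbytes

    def rate(self, conn, now):
        """Average bytes per second over the last window_s seconds."""
        self._expire(conn, now)
        return self._totals[conn] / self.window_s


def connrate_match(rate_bps, lo=0, hi=INF, negate=False):
    """Mirror of --connrate [!] [FROM]:[TO]: true when lo < rate < hi."""
    inside = lo < rate_bps < hi
    return not inside if negate else inside


def classify(estimator, conn, now, limit_bps):
    """Class a packet of conn would be steered to: 'bulk' once it exceeds limit_bps."""
    return "bulk" if connrate_match(estimator.rate(conn, now), lo=limit_bps) else "normal"


def demo():
    est = ConnRateEstimator(window_s=1.0)
    # constructed connection keys (src, sport, dst, dport) and traffic patterns
    bulk = ("10.0.0.5", 40001, "192.0.2.1", 25)    # 1500-byte segments every 10 ms
    chat = ("10.0.0.6", 40002, "192.0.2.1", 110)   # 100-byte segments every 200 ms
    for i in range(100):
        est.observe(bulk, i * 0.01, 1500)
    for i in range(5):
        est.observe(chat, i * 0.2, 100)
    now = 0.999
    limit = 512_000 // 8  # 512Kbit/s from the question, as bytes per second
    return {
        "bulk_rate": est.rate(bulk, now),
        "chat_rate": est.rate(chat, now),
        "bulk_class": classify(est, bulk, now, limit),
        "chat_class": classify(est, chat, now, limit),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Because the estimate is a trailing average, a burst takes up to one window to show up and the same time to fade out again, which is why the quoted text warns against dropping on this match: dropping lowers the measured rate, which un-matches the rule, which stops the drops, and the connection oscillates.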
Re: [LARTC] ESFQ patch not working with kernel 2.4.20
Hi,

I also had some errors, but the .config option was available and the module compiled fine. I decided to ignore the errors and the module works perfectly. But perhaps someone can fix these errors?

Greetings
Tobias

Jesper Lund wrote:
> Hi,
>
> I have tried to patch a 2.4.20 kernel source with esfq 1.0a. But I get some patch errors. The patch does not apply cleanly. Will it maybe be available for the 2.4.20 kernel soon?
>
> Regards,
> Jesper
Re: [LARTC] Where does the Bandwidth Management taking place after/beforerouting?
AFAIK:

local stuff:   Application -> IPTABLES (OUTPUT) -> ROUTING -> QDISC
routing stuff: IPTABLES (PREROUTING/FORWARD) -> ROUTING -> IPTABLES (POSTROUTING) -> QDISC

These iptables chains sometimes do a little weird stuff, depending on the jump target/chain (especially PREROUTING/NAT/...); sometimes routing code is called to determine the route for iptables, but AFAIK ALL packets pass through the routing code after the iptables code, and ALWAYS the qdisc as the LAST station. Of course only for outgoing stuff; incoming is more or less :) the other way round.

Greetings
Tobias

Srikanth W wrote:
> Hi!
> I want to know exactly how the packet flow is occurring in BW management, and where does the bandwidth management take place, after/before routing?
> Kindly let me know asap.
> tnr,
> Srikanth
Re: [LARTC] Depth-argument for sfq?
Steen Suder, privat wrote:
> I'm not a programmer per se (including C), but...
> I'd like to be able to give the define in sch_sfq.c (of, say, 2.4.20), SFQ_DEPTH, other values than 128 as an argument on the tc command line. It could be powers of two up to 2^7 (128) as it seems that 128 is the current maximum.
> I'm a little anxious to ask the question "How do I do that?" ;-)
> Instead I'd like to hear if anyone has done something similar?

AFAIK a qdisc named "esfq" already exists where you can set up things like depth and other parameters. Search the mailing list archive on lartc.org for the URL (last time I compiled it was for 2.4.18; I hope they made the code 2.4.20 ready?)

Greetings
Tobias
[LARTC] strange htb behaviour
Hello List,

I use HTB in a router serving ~80 users with kernel 2.4.20. eth0 is the internet interface (half-duplex 1Mbit), eth1 the internal interface (100Mbit full duplex). Because the router also serves as an http proxy (squid), I thought setting up the default class on eth1 with the real upload speed (100Mbit) would do the job, i.e. shaping normal stuff to 1Mbit except locally generated proxy traffic, which should be served with the full 100Mbit. All other, forwarded, traffic is marked and so filtered to other classes than the default.

To make it short: it works. When I download something directly from the server I get the full bw. BUT: all other downloads from the internet absolutely break down and don't regenerate after some time. I have to restart the qdiscs! Also I get these strange syslog messages:

Jan 6 06:39:05 Q kernel: htb*c20007 m=2 t=79270 c=8311 pq=0 df=409600 ql=0 pa=0 f:
Jan 6 06:39:05 Q kernel: htb*c20008 m=1 t=-5999 c=66950 pq=126192148 df=16359424 ql=22 pa=10 f:
Jan 6 06:39:10 Q kernel: NET: 77 messages suppressed.
Jan 6 06:39:10 Q kernel: HTB: mindelay=500, report it please !
Jan 6 06:39:10 Q kernel: htb*g j=126187316
Jan 6 06:39:10 Q kernel: htb*r7 m=0
Jan 6 06:39:10 Q kernel: htb*r6 m=0

later also:

Jan 6 06:40:05 Q kernel: NET: 518 messages suppressed.
Jan 6 06:40:05 Q kernel: HTB: suspicious delay in wait_tree d=-1644459092 cl=20008 h=1
Jan 6 06:40:10 Q kernel: NET: 518 messages suppressed.
Jan 6 06:40:10 Q kernel: HTB: suspicious delay in wait_tree d=-1644459092 cl=20008 h=1

I can't really imagine what causes this strange behaviour, except perhaps the r2q/quantum settings, with which I played around a little bit, but only because the defaults also caused warning messages in syslog. Perhaps these r2q/quantum parameters need tuning?! I'll attach my shell script so you can look at it yourself. Thank you very much for any hint.
Greetings
Tobias

tc qdisc add dev eth0 root handle 2:0 htb r2q 100 default 3
tc class add dev eth0 parent 2:0 classid 2:1 htb rate 128kbit ceil 256kbit quantum 1500 burst 30k cburst 50k
tc class add dev eth0 parent 2:1 classid 2:3 htb rate 1bps ceil 256kbit prio 3 quantum 1500
tc qdisc add dev eth0 parent 2:3 handle 3:0 sfq
# then a class for acks, maximum prio, but shouldn't eat up more than 1/3 of bw
tc class add dev eth0 parent 2:1 classid 2:4 htb rate 12kbit ceil 85kbit prio 0 quantum 1500 burst 5k
tc qdisc add dev eth0 parent 2:4 handle 4:0 sfq
tc filter add dev eth0 parent 2:0 protocol ip prio 0 handle 0x1869f fw classid 2:4
# and a class for dns/other stuff which should be served fast
tc class add dev eth0 parent 2:1 classid 2:5 htb rate 128kbit prio 1 quantum 1500 burst 10k
tc qdisc add dev eth0 parent 2:5 handle 5:0 sfq
tc filter add dev eth0 parent 2:0 protocol ip prio 1 handle 0x1869d fw classid 2:5
# games class: also shouldn't exceed 1/3
tc class add dev eth0 parent 2:1 classid 2:6 htb rate 128kbit prio 2 quantum 1500 burst 30k
tc qdisc add dev eth0 parent 2:6 handle 6:0 sfq
tc filter add dev eth0 parent 2:0 protocol ip prio 2 handle 0x1869c fw classid 2:6
# we guarantee here 80%
tc class add dev eth0 parent 2:1 classid 2:7 htb rate 102kbit ceil 128kbit prio 3 quantum 1500 burst 10k
tc qdisc add dev eth0 parent 2:7 handle 7:0 sfq
tc filter add dev eth0 parent 2:0 protocol ip prio 3 handle 0x1869b fw classid 2:7
# bulk class. lower prio than all others, no reserved bw
tc class add dev eth0 parent 2:1 classid 2:8 htb rate 1bps ceil 256kbit prio 4 quantum 1500 burst 5k cburst 10k
tc qdisc add dev eth0 parent 2:8 handle 8:0 sfq
tc filter add dev eth0 parent 2:0 protocol ip prio 4 handle 0x1869a fw classid 2:8

tc qdisc add dev eth1 root handle 2:0 htb r2q 100 default 3
tc class add dev eth1 parent 2:0 classid 2:1 htb rate 1024kbit ceil 100240kbit quantum 1500 burst 30k cburst 50k
tc class add dev eth1 parent 2:1 classid 2:3 htb rate 1bps ceil 100240kbit prio 3 quantum 1500
tc qdisc add dev eth1 parent 2:3 handle 3:0 sfq
# then a class for acks, maximum prio, but shouldn't eat up more than 1/3 of bw
tc class add dev eth1 parent 2:1 classid 2:4 htb rate 102kbit ceil 512kbit prio 0 quantum 1500 burst 5k
tc qdisc add dev eth1 parent 2:4 handle 4:0 sfq
tc filter add dev eth1 parent 2:0 protocol ip prio 0 handle 0x1869f fw classid 2:4
# and a class for dns/other stuff which should be served fast
tc class add dev eth1 parent 2:1 classid 2:5 htb rate 256kbit ceil 512kbit prio 1 quantum 1500 burst 10k
tc qdisc add dev eth1 parent 2:5 handle 5:0 sfq
tc filter add dev eth1 parent 2:0 protocol ip prio 1 handle 0x1869d fw classid 2:5
# games class: also shouldn't exceed 1/3
tc class add dev eth1 parent 2:1 classid 2:6 htb rate 256kbit ceil 512kbit prio 2 quantum 1500 burst 30k
tc qdisc add dev eth1 parent 2:6 handle 6:0 sfq
tc filter add dev eth1 parent 2:0 protocol ip prio 2 handle 0x1869c fw classid 2:6
# we guarantee here 80% of the bw for normal traffic
tc class add dev eth1 parent 2:1 classid 2:7 h
Re: [LARTC] RE:u32 filters and compression
Hi,

thanks for the thanks :) I looked at the whitepaper on www.peribit.com and it seems that they do much more than the standard (LZW) compression: they use a kind of proxy for cachable protocols, and their MSR ("Molecular Sequence Reduction", sounds great! :) algorithm to find repeating patterns even across multiple packets. Although I can't really believe that this doesn't affect latency, the technical approach sounds amazing. The great "disadvantage" is that you need such a box at both ends (obviously), unlike compressed pppd (at least I think Windows understands compressed pppd, or?) which is more platform independent. But I admit this is like comparing apples with pears...

Allan Gee wrote:
> Thanks: To Stef and Tobias Geiger for giving me the answer. I used the prio to get the order right. Don't know why I didn't think of it myself.
>
> Compression: Another thing that might be useful to the list is the use of compression (Deflate etc.) to get better bandwidth across links. This requires a Linux router at both ends of the link. I got the idea from a product called Peribit, see www.peribit.com (and mainly from Martin Devera who pointed out to me that Linux does compression already with ppp). I have now started to work on getting compression built into my traffic shaping/router products that are Linux based. Putting that in place of Cisco should be a much better/cheaper solution, do you not think? One could even shape the port that the pppoe runs on. I have looked at Zebedee which also has a solution for "Windows" boxes. Anyway I've just started to do this and if anyone is interested I will let you know the outcome.
>
> Regards
> Allan Gee
> Equation
> 021 4181777
> www.equation.co.za
Re: [LARTC] pfifo_fast dosnt work?
hi,

just like Steve said in the previous mail, prioband is ok but it doesn't make sure that your bandwidth is consumed by one service (even if it's in a lower class than interactive stuff) because it doesn't reserve bandwidth for its priomaps. To achieve what you want I suggest using htb (see previous mail).

> Hep
>
> Trying to get pfifo to work. Setup:
>
>          |--|<--->eth1 (192.168.10.0/24)
> eth0---| GW |<--->eth2 (192.168.11.0/24)
>          |--|<--->eth3 (192.168.12.0/24)
>
> read all documentation:
>
> http://lartc.org/howto/lartc.cookbook.interactive-prio.html
>
> here are my TOS mangling rules in iptables:
>
> $IPTABLES -A PREROUTING -i eth1 -t mangle -s 192.168.10.0/24 -p tcp --dport ftp-data -m state --state NEW,ESTABLISHED -j TOS --set-tos Maximize-Throughput
> $IPTABLES -A PREROUTING -i eth1 -t mangle -s 192.168.10.0/24 -p tcp --sport 44100:44200 -m state --state NEW,ESTABLISHED -j TOS --set-tos Maximize-Throughput
> $IPTABLES -A PREROUTING -i eth1 -t mangle -s 192.168.10.0/24 -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j TOS --set-tos Minimize-Delay
>
> I'm trying to limit the ftp-data throughput by putting all ftp-data in band 2. I've checked with tcpdump -v -v |grep tos and yes, ftp-data gets [tos 0x8], whose destination is band 2 if I read the documentation right?
>
> Although everything is set ok, all my interactive traffic ssh/telnet etc is very slow and sloppy when someone uploads to our ftpserver.
>
> I'm running kernel 2.4.19 with latest patch-o-matic
>
> Please write to me for further information! You will find that I'm more than willing to get this problem solved :)
>
> --
> Venlig hilsen/Kind regards
> Thomas Kirk
> ARKENA
> thomas(at)arkena(dot)com
> Http://www.arkena.com
>
> BOFH excuse #212:
> Of course it doesn't work. We've performed a software upgrade.
Re: [LARTC] An example of prio qdisc please...
correct me if I'm wrong, but couldn't you achieve the same goal only with htb? I mean by creating a leaf level with classes rate=1bps, ceil=maxbw, prio 0-6 and attaching sfq/pfifo as leaf qdiscs to these classes? Something like:

tc qdisc root handle 1:0 htb
tc class parent 1:0 handle 1:1 rate
tc class parent 1:1 handle 1:10 rate 1bps ceil prio 0
tc class parent 1:1 handle 1:11 rate ... .. prio 1
and so on
tc qdisc parent 1:10 handle 10:0 pfifo/sfq
tc qdisc parent 1:11 handle 11:0
and so on
tc filter 1:0 protocol ip prio 0 handle fw classid 1:10
(syntax is not correct :) and/or other filters

Doesn't this setup do the same as the priomap (in general)?

Greetings
Tobias

> On Wednesday 25 September 2002 11:39, Rohan Almeida wrote:
>> "Soulfly" <[EMAIL PROTECTED]> thus wrote:
>> > tc qdisc add dev eth0 root handle 1: prio bands 5 priomap 2 3 2 2 3 3 3 3 1 1 1 1 2 2 2 2
>> > tc qdisc add dev eth0 parent 1:1 handle 10: sfq perturb 10
>> > tc qdisc add dev eth0 parent 1:2 handle 20: sfq perturb 10
>> > tc qdisc add dev eth0 parent 1:3 handle 30: sfq perturb 10
>> > tc qdisc add dev eth0 parent 1:4 handle 40: sfq perturb 10
>> > tc filter add dev eth0 protocol ip parent 1: prio 10 u32 match ip protocol 0xXX 0xff flowid 1:1
>>
>> Hi there
>> This is very informative.
>> I've long wanted priority of some protocol over the other.
>> Now my question is:
>> Can I use this with htb?
>>
>> I want:
>> o ip 172.16.0.5 bandwidth restriction of 32 kbps (htb ceil)
>> o ip 172.16.0.49 bandwidth restriction of 64 kbps (htb ceil)
>> o protocol 23 priority over protocol 80
>>
>> You see, I don't want to limit "protocol 80" to some bandwidth restriction so that "protocol 23" gets the rest of the available bandwidth. I just want "proto 23" packets priority over "proto 80".
>>
>> In the above example you used the "prio" qdisc.
>> Can I use this with my htb as the root qdisc and prio lower down in the class?
>
> Yes, you can add the prio qdisc on a htb class.
>
> Stef
>
> --
> [EMAIL PROTECTED]
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.oftc.net
Re: [LARTC] u32 filter question
Hi,

try to give the more specific filter a higher prio. If I understood "tc filter" right, the filters with higher prio are checked first. In your setup, giving the last filter line "prio 0" should do the job.

> Hi guys
> I have a config as follows for one of my networks. I want to give the xxx.xxx.xxx.xxx/xx network 64kbit for everything from the internet but 8000kbit from our internal servers on the yyy.yyy.yyy.yyy/yy network. It does not work. I only want to use u32 filters. I think what's happening is the first flowid of 1:21 is catching them and not getting to the 1:40 flowid. Is this right? The box has to be between the x network and the y network.
>
> tc qdisc del dev eth1 root handle 1: htb default 999
> tc qdisc add dev eth1 root handle 1: htb default 999
> tc class add dev eth1 parent 1: classid 1:1 htb rate 1kbit
> tc class add dev eth1 parent 1:1 classid 1:999 htb rate 1000kbit ceil 1kbit
> tc qdisc add dev eth1 parent 1:999 handle 1999: sfq perturb 10
> tc class add dev eth1 parent 1:1 classid 1:2 htb rate 1kbit quantum 1514
> tc class add dev eth1 parent 1:2 classid 1:21 htb rate 64kbit ceil 64kbit quantum 1514
> tc class add dev eth1 parent 1:2 classid 1:40 htb rate 8000kbit ceil 8000kbit quantum 757000
> tc qdisc add dev eth1 parent 1:21 handle 2100: sfq perturb 10
> tc qdisc add dev eth1 parent 1:40 handle 4000: sfq perturb 10
> tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip dst xxx.xxx.xxx.xxx.xx flowid 1:21
> tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip src yyy.yyy.yyy.yyy/yy match ip dst xxx.xxx.xxx.xxx/xx flowid 1:40
>
> Regards Allan Gee
> Equation
> 021 4181777
> www.equation.co.za
Re: *****SPAM***** [LARTC] the range of HTB's prio
HTB prios are 0-6 by default (htb 3.6), but afaik you can increase this number at compile time.

btw: is it true that you're a "Spamware site or vendor"? At least my SpamAssassin (which consults 2 rbl hosts...) declares you as such...

> SPAM: Start SpamAssassin results
> SPAM: This mail is probably spam. The original message has been altered
> SPAM: so you can recognise or block similar unwanted mail in future.
> SPAM: See http://spamassassin.org/tag/ for more details.
> SPAM:
> SPAM: Content analysis details: (9.5 hits, 5 required)
> SPAM: Hit! (2.0 points) Forged yahoo.com 'Received:' header found
> SPAM: Hit! (2.0 points) Received via a relay in relays.osirusoft.com
> SPAM:      [RBL check: found 202.41.99.202.relays.osirusoft.com., type: 127.0.0.6]
> SPAM: Hit! (0.5 points) Received via a relay in ipwhois.rfc-ignorant.org
> SPAM:      [RBL check: found 141.128.135.61.ipwhois.rfc-ignorant.org., type: 127.0.0.6]
> SPAM: Hit! (5.0 points) DNSBL: sender is a Spamware site or vendor
> SPAM:
> SPAM: End of SpamAssassin results
>
> HTB and imq were used to control traffic.
> AC="tc class add dev eth0 parent"
> $AC 1: classid 1:1 htb rate 100kbps burst 2k
> $AC 1:2 classid 1:10 htb rate 50kbps ceil 100kbps burst 2k prio 1
> $AC 1:2 classid 1:11 htb rate 50kbps ceil 100kbps burst 2k prio 1
>
> please tell me the range of "prio"
Re: [LARTC] delete files
Hi,

this is a little bit OT, so please ask such questions in irc channels or other forums. A quick "apt-cache show wipe" (on woody) brings up this:

Package: wipe
Priority: extra
Section: utils
Installed-Size: 124
Maintainer: Thomas Schoepf <[EMAIL PROTECTED]>
Architecture: i386
Version: 0.16-8
Depends: libc6 (>= 2.2.4-4)
Filename: pool/main/w/wipe/wipe_0.16-8_i386.deb
Size: 30586
MD5sum: c294c13d07feeaee895539499af787fa
Description: Secure file deletion
 Recovery of supposedly erased data from magnetic media is easier than what many people would like to believe. A technique called Magnetic Force Microscopy (MFM) allows any moderately funded opponent to recover the last two or three layers of data written to disk. Wipe repeatedly writes special patterns to the files to be destroyed, using the fsync() call and/or the O_SYNC bit to force disk access.
 .
 Homepage: http://gsu.linux.org.tr/wipe/

p.s.: that's the biggest reason why I just love debian :)

Mark Donaldson wrote:
> Does anyone know any software that runs under Linux that does a military wipe, making files unreadable by deleting the file then writing all ones and zeros, when deleting files.
Re: [LARTC] reset /proc/net/dev
Hi,

perhaps the only way (although untested) may be to "ip link set down" and "rmmod", which is in my opinion impractical :)

Much nicer and easier: create a simple rule matching everything incoming/outgoing on your desired device and insert it in the PREROUTING/POSTROUTING chain (or a custom chain which is jumped to from INPUT and FORWARD / OUTPUT and FORWARD), e.g.

iptables -t nat -I PREROUTING -i eth0     # for incoming
iptables -t nat -I POSTROUTING -o eth0    # for outgoing

or if you prefer not to use the nat table, e.g.

iptables -N eth0_out
iptables -N eth0_in
iptables -I INPUT -i eth0 -j eth0_in
iptables -I FORWARD -i eth0 -j eth0_in
iptables -I FORWARD -o eth0 -j eth0_out
iptables -I OUTPUT -o eth0 -j eth0_out    # -o is only valid in OUTPUT/FORWARD/POSTROUTING, not INPUT

With "iptables -t nat -L -vx" / "iptables -L -vx" you can read bytes/packets and process this output in your script.

hope that helps
tobias

> HI List,
> How do I reset the values in /proc/net/dev?
> This file holds values for count of each (packet && byte), (sent && received) through all interfaces.
>
> I'm using a monitor which reads values from this file and prints out some nicely formatted output.
>
> But I need to reset the values, i.e. set them to zero.
> Restarting the network does not do what I want.
> I guess a reboot should do it.
>
> Any other way?
>
> --
> arc_of_descent
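The counters in /proc/net/dev cannot be zeroed from user space, which is the root of the question above; the usual answer is the one the reply hints at for iptables (read the counters and process them in a script): snapshot the counters once and report everything relative to that baseline. The following is an added example, not code from either poster: a parser for the /proc/net/dev layout plus a baseline view that behaves like a "reset", including the case where a counter goes backwards (32-bit wrap on 2.4 kernels, or an interface that was re-registered). The two /proc/net/dev snapshots embedded below are constructed for the example.

```python
"""Added example: emulate a "reset" of /proc/net/dev counters without
touching the kernel, by snapshotting the counters once and reporting deltas
against that baseline.  The kernel counters stay monotonic; only the
script's view is reset.  Sample /proc/net/dev content is constructed."""

# Column layout of /proc/net/dev: 8 receive fields, then 8 transmit fields.
RX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "frame", "compressed", "multicast")
TX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "colls", "carrier", "compressed")


def parse_proc_net_dev(text):
    """Return {iface: {"rx": {...}, "tx": {...}}} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines()[2:]:  # the first two lines are headers
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)  # "eth0:1234 ..." has no space after the colon
        nums = [int(x) for x in rest.split()]
        if len(nums) != len(RX_FIELDS) + len(TX_FIELDS):
            continue  # malformed line: skip rather than guess at columns
        stats[iface.strip()] = {
            "rx": dict(zip(RX_FIELDS, nums[:8])),
            "tx": dict(zip(TX_FIELDS, nums[8:])),
        }
    return stats


class CounterView:
    """A user-space 'reset' of interface counters: deltas against a baseline."""

    def __init__(self, snapshot):
        self.baseline = snapshot

    def reset(self, snapshot):
        """Make the given snapshot the new zero point."""
        self.baseline = snapshot

    def delta(self, snapshot):
        out = {}
        for iface, cur in snapshot.items():
            base = self.baseline.get(iface)
            if base is None:
                out[iface] = cur  # interface appeared after the baseline: count everything
                continue
            d = {}
            for direction in ("rx", "tx"):
                d[direction] = {}
                for key, val in cur[direction].items():
                    diff = val - base[direction][key]
                    # counter went backwards (wrap or re-registered device): treat as a fresh start
                    d[direction][key] = diff if diff >= 0 else val
            out[iface] = d
        return out


# Constructed snapshots, same layout the kernel prints.
SAMPLE_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  eth0: 5000000    4000    0    2    0     0          0         0  1000000    2500    0    0    0     0       0          0
"""
SAMPLE_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1500      15    0    0    0     0          0         0     1500      15    0    0    0     0       0          0
  eth0: 5150000    4120    0    2    0     0          0         0  1030000    2560    0    0    0     0       0          0
"""


def demo():
    """'Reset' at T0, then report what moved by T1."""
    view = CounterView(parse_proc_net_dev(SAMPLE_T0))
    return view.delta(parse_proc_net_dev(SAMPLE_T1))


if __name__ == "__main__":
    for iface, d in demo().items():
        print(iface, "rx", d["rx"]["bytes"], "bytes", "tx", d["tx"]["bytes"], "bytes")
```

On a live box you would read `open("/proc/net/dev").read()` instead of the sample strings and call `reset()` whenever the monitor's "zero" button is pressed; the same baseline approach works for the byte/packet columns of `iptables -L -vx`, whose counters `iptables -Z` can also zero directly.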
Re: [LARTC] htb3 & imq
Arindam Haldar wrote:
> hi Alex,
> thanx so much.. :) .. thanx to all
> my IMQ & htb3 test rules are working ok.. the best part--> imq handling both in & out traffic now.. :)

I also had this setup, and I also thought of it as a "cool thing" :) but then Patrick told me that it's not so clever: the incoming traffic must pass 2 qdiscs (interface qdisc and imq qdisc) and this is bad/not good because 1) cpu overhead (but this could be neglected) AND 2) these 2 qdiscs COULD drop packets and neither would know of the other having dropped something -> retransmit.

ok, case 2 is not so realistic, as the qdisc on the interface normally is the qfifo, but nevertheless point 1) and the possibility of 2) made me think that queueing twice is unnecessary.

> Alexey Talikov wrote:
>> Hello Arindam,
>> See imq faq http://luxik.cdi.cz/~patrick/imq/faq.html
>> Saturday, August 10, 2002, 9:46:00 AM, you wrote:
Re: [LARTC] failover problems
> Hello,
>
> On Tue, 23 Jul 2002, Tobias Geiger wrote:
>
>> to be precise: the problem is I have several nexthops (e.g. ppp0 + eth1 + eth2) for the same route and this WHOLE route is deleted, although only the ppp0 device disappears...
>> and I cannot add several entries in different tables, because this seems not to do failover
>
> Yes, similar behavior appeared in latest 2.4.19pre kernels, it looks like a recommendation to the users to recreate their routes because a device in nexthop was unregistered. Is this true for your setup?

Yes. I used the 2.4.19pre-10 kernel. This behaviour affects only ppp devices (never tried ippp but I guess it's the same). I also wondered why failover doesn't work when using different route entries for each nexthop...

Another confusing thing: using "nexthop via dev ppp0" in a table made me think that I don't need a gateway address at all... but unfortunately that's not the case :( It seems that ip searches for the gateway address itself, so that after a ppp reconnect (where I get another gateway address) the table entries aren't valid anymore.

Thanks
Tobias
Re: [LARTC] failover problems
addition:

to be precise: the problem is I have several nexthops (e.g. ppp0 + eth1 + eth2) for the same route and this WHOLE route is deleted, although only the ppp0 device disappears... and I cannot add several entries in different tables, because this seems not to do failover

> Hello LARTC,
>
> I'm testing failover and I'm getting this problem:
>
> In the moment the device gets deleted (disappears from /proc/net/dev), e.g. pppd crashes, all RULES regarding this device are flushed.
> Is this a known bug/problem (I think so :)
> Is there a workaround/solution (except adding the rules again in ip-up.d)?
>
> Thanks in advance
>
> Tobias
[LARTC] failover problems
Hello LARTC,

I'm testing failover and I'm getting this problem:

In the moment the device gets deleted (disappears from /proc/net/dev), e.g. pppd crashes, all RULES regarding this device are flushed.
Is this a known bug/problem (I think so :)
Is there a workaround/solution (except adding the rules again in ip-up.d)?

Thanks in advance

Tobias
Re: [LARTC] tcng questions ?
> Hi Jacob,
>
> please can you post the htb tcng patch to the LARTC list?
> [EMAIL PROTECTED] would test it in a real environment ...

I'd like to test tcng with htb, too :)

Greetings
Tobias
Re: [LARTC] Hammer protection
> Hi,
>
> Is it possible to use iptables as hammer protection?
>
> I want to deny a user who has just logged off .. for about 10 seconds.

I think this is an application-logic thing which can't be implemented that easily with only one iptables line.

> I tried with this, but that didn't work. Maybe my mind is going completely in the wrong direction today? =)
>
> iptables -I INPUT -i eth0 -p tcp -s 0/0 -d $my_ip --dport 21 -m limit --limit 10/second --limit-burst 1 --tcp-flags ALL SYN -j ACCEPT

This rule blocks (afaik) every request after the 10th/second, no matter whether someone logged off or on... I think what you want must be done on application level, or with a "magic" (and dirty) script which watches the ftp log; if someone logs off, grep their ip and then block it for 10 seconds. But that not only sounds ugly :)

> Greetings,
>
> Joachim
Re: [LARTC] Is it possible to measure / graph the bandwidth used for individual IP sessions to an FTP server?
Hi.

Hm. Accounting each ftp session separately sounds impossible (for me :), but with ipac(-ng) @sourceforge.net it's possible to feed mrtg. So you can at least measure and graph the TOTAL amount of (ftp) traffic to/from your ftp server.

To measure and graph each ftp session separately you can try to find a tool which evaluates /var/log/xferlog, assuming your ftp server writes such a log file (e.g. with modlogan).

Greetings
Tobias

> My office has an FTP server which is used by various "satellite sites" to upload files to us.
>
> As part of the management of my local network & auditing network resources, I want to try & measure (and hopefully) graph [like MRTG] the bandwidth used by individual FTP upload connections (assuming each file being uploaded only uses one connection).
>
> I am wondering whether it's possible to do this using Linux??
>
> Regs
> Rupert Heesom
> Asst Distribution Engineer
> Adventist World Radio
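The reply above points at /var/log/xferlog as the place where per-session numbers can be recovered, since iptables and ipac only see aggregate bytes. As an added example (not from the thread and not from any of the tools named in it), the script below parses the standard wu-ftpd/proftpd xferlog layout, computes per-transfer throughput from the logged byte count and transfer time, and sums bytes per uploading host, which is the per-site view the original poster asked for. The log lines embedded in it are constructed; hosts, paths and users are invented.

```python
"""Added example: per-transfer throughput and per-host upload totals from an
xferlog.  One line per completed (or aborted) transfer, 18 space-separated
fields:
  <day> <mon> <dd> <hh:mm:ss> <yyyy> <secs> <host> <bytes> <file> <type>
  <special> <dir> <mode> <user> <service> <auth> <uid> <status>
The SAMPLE_XFERLOG content is constructed for this example."""
from collections import defaultdict

SAMPLE_XFERLOG = """\
Mon Jun  3 10:22:45 2002 30 192.0.2.10 15728640 /incoming/site-a/news.mp3 b _ i r sitea ftp 0 * c
Mon Jun  3 10:23:10 2002 2 192.0.2.11 20480 /incoming/site-b/schedule.txt a _ i r siteb ftp 0 * c
Mon Jun  3 10:30:01 2002 120 192.0.2.10 62914560 /incoming/site-a/show.mp3 b _ i r sitea ftp 0 * i
Mon Jun  3 10:31:00 2002 0 192.0.2.12 512 /incoming/site-c/ok.txt a _ i r sitec ftp 0 * c
this line is deliberately malformed and must be skipped
"""


def parse_xferlog(text):
    """Yield one dict per well-formed xferlog line; malformed lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        try:
            secs, nbytes = int(f[5]), int(f[7])
        except ValueError:
            continue
        yield {
            "when": " ".join(f[0:5]),
            "secs": secs,
            "host": f[6],
            "bytes": nbytes,
            "path": f[8],
            "direction": f[11],  # 'i' = upload to this server, 'o' = download from it
            "user": f[13],
            "status": f[17],     # 'c' = complete, 'i' = incomplete
        }


def session_rates(text, direction="i"):
    """(host, path, kbit/s, status) for every transfer in the given direction."""
    rows = []
    for r in parse_xferlog(text):
        if r["direction"] != direction:
            continue
        # xferlog records whole seconds; 0 means "under a second", so avoid dividing by zero
        secs = max(r["secs"], 1)
        rows.append((r["host"], r["path"], r["bytes"] * 8 / secs / 1000, r["status"]))
    return rows


def per_host_bytes(text, direction="i"):
    """Total bytes moved per remote host, the per-site number the poster wants to graph."""
    totals = defaultdict(int)
    for r in parse_xferlog(text):
        if r["direction"] == direction:
            totals[r["host"]] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for host, path, kbps, status in session_rates(SAMPLE_XFERLOG):
        print(f"{host:<12} {kbps:10.1f} kbit/s {status} {path}")
    print(per_host_bytes(SAMPLE_XFERLOG))
```

The per-host totals are what you would hand to mrtg (or rrdtool) as a counter; the per-transfer rate is an average over the whole transfer, so it understates peaks, but it is the best a transfer log can give without the per-packet timestamps that only a sniffer or a conntrack-based match would provide.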
Re: [LARTC] Shaping and accounting
Hi.

Yes, afaik you're right: ipac (for 2.2) and ipac-ng (for 2.4) "just" insert iptables rules in INPUT/OUTPUT/FORWARD, and so they don't see the "dropped/delayed-because-of-shaping" packets.

The only solution I know is ugly and/or impractical: read the interface stats from /proc/net/dev. But that's only usable if
1. you have one interface per customer
2. you don't need to account certain ports
As I said: in most cases it's no solution...

With Patrick's imq devices you can at least compute the "dropped/delayed-because-of-shaping" packets: these imq devices display in /proc/net/dev the amount of packets/bytes that SHOULD have been delivered as RX, and the amount of packets/bytes REALLY delivered to the interface as TX. But that's not really useful for your setup :(

Greetings
Tobias

> Hello,
>
> A while ago now I had to set up a traffic shaper for the ISP I work for, and I used linux and cbq.init to accomplish this. It worked reasonably well, too, but after a while and some double-checking it turned out that the ipac accounting on the same machine was consistently reporting higher usage than was actually the case by roughly the same factor (not amount) for every client.
>
> After a lot of thinking about this, the only conclusion I could reach that didn't involve a gross and so far completely undiscovered programming flaw in ipac or TCP/IP gremlins was that the difference was caused by traffic shaping occurring at the point where packets exit the machine while ipac does its accounting of packets at the point where they enter.
>
> Am I right, or am I just blowing smoke and moondust, and in either case, is there any way to correctly shape and account traffic on one machine?
>
> Thanks,
> --
> Rens Houben                      | opinions are mine
> Resident linux guru and sysadmin | if my employers have one
> Systemec Internet Services.      | they'll tell you themselves
> PGP public key at http://suzaku.systemec.nl/shadur.key.asc -- new Dec 12 2001
Re: [LARTC] Some questions concerning IPtables (& IMQ/SFQ)
On Fri, May 03, 2002 at 04:50:18PM +0200, Nils Lichtenfeld wrote:
> Hi there!

Hi Nils

> Some questions I couldn't find an answer for:
>
> IPtables:
> - Is it possible to filter those ACK-packets (to eliminate problems
> with ADSL-connections) with IPtables? It wasn't possible with IPchains,
> so u32 had to be used. Now there is this nice little --tcp-flags
> option. But I just don't know if this is all I need. The u32 was
> checking for packetsize too. So if there is an equivalent to the u32
> ACK-filterrule, what would it look like?
>
> What I have found in the ML is this:
>
>     # Set ACK as prioritized traffic (ACK's are less than 100 bytes)
>     $IPTABLES -t mangle -A MANGLE_MARK -p tcp -m length --length :100 -j MARK --set-mark 1
>     $IPTABLES -t mangle -A MANGLE_MARK -p tcp -m length --length :100 -j RETURN
>
> Wouldn't that apply on a lot more packets than only the ACK ones? What
> is the exact specification of an ACK-packet?

I don't know the exact technical specification for ACK packets, but I use the example below, and it works (I mean as far as I can see, no "other" packets get in my $ack queue).

> - With IPchains it was possible to mark and return in one rule. Looking
> at the example above this doesn't seem possible (two -j operators). Is
> that right?

Sorry, don't know.

> - Can I have for example one custom chain and have forward and output
> send its packets to it?

Well, I think so. I use constructs like these:

    start_ingress_iptables() {
        $iptables -t mangle -N IMQ_INGRESS
        $iptables -t mangle -A IMQ_INGRESS -m state --state ESTABLISHED -p tcp --sport ssh -j MARK --set-mark $high
        $iptables -t mangle -A IMQ_INGRESS -m state --state ESTABLISHED -p tcp --sport http -j MARK --set-mark $high
        $iptables -t mangle -A IMQ_INGRESS -m state --state ESTABLISHED -m length --length 40:100 -j MARK --set-mark $ack
        $iptables -t mangle -A IMQ_INGRESS -j IMQ --todev 0
        $iptables -t mangle -A PREROUTING -i ${SHAPEDEV} -j IMQ_INGRESS
    }

and I see no reason why I couldn't add something like:

    iptables -t mangle -A POSTROUTING -o somedevice -j IMQ_INGRESS

> - Is there a howto that explains -t mangle, -A PREROUTING/POSTROUTING
> etc.? The only IPtables HowTo I have found is
> http://www.telematik.informatik.uni-karlsruhe.de/lehre/seminare/LinuxSem/downloads/netfilter/iptables-HOWTO.html

netfilter.org ?!

> - From Patricks' IMQ-page:
>
>     SFQ is very useful as a leaf qdisc. But by default, its internal queue
>     length is 128 which is too much for small classes or even for
>     not-so-fast links. Changing SFQ_DEPTH in net/sched/sch_sfq.c to about
>     10-20 results in flows responding much faster to bandwidth changes.
>
> Is that meant for SFQ in general or only in conjunction with IMQ?

I think it's meant for slower links in general. Btw, I made the experience that SFQ_DEPTH has to be a value divisible by 8 (I use 24, and in my subjective opinion I have better interactivity).

> Thank you.
> Greetings, Nils

Greetings
Tobias
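To make Nils's question concrete ("wouldn't that apply on a lot more packets than only the ACK ones?"), here is an added example that is not from any post in the thread. It builds a few constructed TCP/IPv4 packets and classifies each of them twice: once the way a length-only rule (`-p tcp -m length --length 40:100`) sees it, and once with the flags also checked (`--tcp-flags SYN,ACK,FIN,RST,PSH,URG ACK`) and an empty payload required. The addresses, ports and option bytes are made up; checksums are left zero since nothing here validates them.

```python
"""Classify constructed TCP/IPv4 packets the way two iptables rule styles would.

Added example for this thread, not code from the original posts. Compares a
length-only rule (-p tcp -m length --length 40:100) with a rule that also
inspects the TCP flags (--tcp-flags SYN,ACK,FIN,RST,PSH,URG ACK) and requires
an empty payload, using packets constructed here, not captured.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_MASK = TCP_FIN | TCP_SYN | TCP_RST | TCP_PSH | TCP_ACK | TCP_URG


def build_tcp_packet(flags, payload=b"", tcp_options=b""):
    """Build a minimal IPv4 + TCP packet (constructed sample, checksums left zero)."""
    tcp_hdr_len = 20 + len(tcp_options)
    assert tcp_hdr_len % 4 == 0, "TCP options must pad to a 4-byte boundary"
    total_len = 20 + tcp_hdr_len + len(payload)
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto 6 (TCP), csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # sport, dport, seq, ack, data offset (in 32-bit words) << 4, flags, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1,
                          (tcp_hdr_len // 4) << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + tcp_options + payload


def parse(pkt):
    """Return (total_length, tcp_flags, payload_length) for a TCP/IPv4 packet, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    data_offset = (pkt[ihl + 12] >> 4) * 4
    flags = pkt[ihl + 13]
    return total_len, flags, total_len - ihl - data_offset


def matches_length_rule(pkt, low=40, high=100):
    """Equivalent of '-p tcp -m length --length 40:100': TCP and IP total length in range."""
    parsed = parse(pkt)
    return parsed is not None and low <= parsed[0] <= high


def matches_pure_ack(pkt, low=40, high=100):
    """Length rule plus '--tcp-flags SYN,ACK,FIN,RST,PSH,URG ACK' and no payload."""
    parsed = parse(pkt)
    if parsed is None:
        return False
    total_len, flags, payload_len = parsed
    return low <= total_len <= high and (flags & FLAG_MASK) == TCP_ACK and payload_len == 0


# Constructed samples: what each rule style would let into the "ack" class.
SAMPLES = {
    "pure ack (40 bytes)": build_tcp_packet(TCP_ACK),
    "small data segment (70 bytes)": build_tcp_packet(TCP_PSH | TCP_ACK, payload=b"x" * 30),
    "syn with options (60 bytes)": build_tcp_packet(
        TCP_SYN, tcp_options=b"\x02\x04\x05\xb4" + b"\x01" * 16),
    "full-size data (1500 bytes)": build_tcp_packet(TCP_ACK, payload=b"y" * 1460),
}


def classify_all():
    """Map sample name -> (length-only match, length+flags match)."""
    return {name: (matches_length_rule(p), matches_pure_ack(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_len, by_flags) in classify_all().items():
        print(f"{name:32} length-only={by_len!s:5} length+flags={by_flags}")
```

The length-only rule puts the small data segment and the SYN into the ACK class as well; adding the flags test (and, if the tool allows it, a zero-payload test) narrows the class to what the thread is actually trying to prioritise.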
Re: [LARTC] howto spare the "tc filter" - lines with htb
On Tue, Apr 30, 2002 at 11:33:12AM +0200, Nils Lichtenfeld wrote:
> Hello Tobias!

Hello Nils,

> > unfortunately it doesn't work with my setup.
> > i add a "dummy" tc filter line:
> >
> > tc filter add dev imq1 parent 10:0 protocol ip prio 1 handle 1 fw classid 10:10
>
> As far as I understood Devik, this should look like:
> tc filter add dev imq1 parent 10:0 protocol ip prio 1 handle 1 fw

output: "RTNETLINK answers: Invalid argument"

I can try this in whatever stage of my script (before iptables, after qdiscs and classes, whatever), it's always that "answer" :)

> So no classid term (makes sense, since the classid term is incorporated into
> the --mark statement).

Yes, I thought so too. That's why I wanted to call it "dummy" line :)

> Greetings Nils

Greetings
Tobias
Re: [LARTC] howto spare the "tc filter" - lines with htb
On Mon, Apr 29, 2002 at 04:59:33PM +0200, Patrick McHardy wrote:
> Hi :)
>
> Tobias Geiger wrote:
> > Hi,
> >
> > recently Martin explained how to avoid these "tc filter" lines in our
> > scripts.
> > Unfortunately it doesn't work with my setup.
> > I add a "dummy" tc filter line:
> >
> > tc filter add dev imq1 parent 10:0 protocol ip prio 1 handle 1 fw classid 10:10
> >
> > which of course works, but I have no fwmark "1", but as I thought it's
> > just a "dummy" line for tc filter to work, I guess/think that's ok.
> >
> > Further I just set marks with iptables, and generate the right
> > qdiscs/classes for them:
> >
> >     ack=0x00100010  # for classid 10:10
> >     high=0x00100011 # 10:11
> >     norm=0x00100012 # and so
> >     low=0x00100013  # on
>
> I guess the problem is the encoded ids; in my opinion they have to be
> calculated like this:
>
> (classid << 16) + leafid
> So 10:10 would translate to 655370 decimal or 0xa000a hex.
>
> bye,
> patrick

Hi patrick :)

Hmm. Here's a posting from martin:

> > You can use only one
> > tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw
> >
> > and set classid directly in iptables like:
> > iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 0x10010
> > iptables -t mangle -A to-dsl -p tcp --sport 24 -j MARK --set-mark 0x10020
> >
> > and so on ..
> > devik
>
> Thx.
> Even I'm learning from this list :)
> But how do you translate xx:xx to HEX ?

handle numbers in tc ARE in hex, so that:
... classid a23f:334d can be written as --set-mark 0xa23f334d

devik

But nevertheless I tried to convert the classids to hex ... no success :(

Greetings
Tobias
[LARTC] howto spare the "tc filter" - lines with htb
Hi,

recently Martin explained how to avoid these "tc filter" lines in our scripts.
Unfortunately it doesn't work with my setup.
I add a "dummy" tc filter line:

    tc filter add dev imq1 parent 10:0 protocol ip prio 1 handle 1 fw classid 10:10

which of course works, but I have no fwmark "1", but as I thought it's just a "dummy" line for tc filter to work, I guess/think that's ok.

Further I just set marks with iptables, and generate the right qdiscs/classes for them:

    ack=0x00100010  # for classid 10:10
    high=0x00100011 # 10:11
    norm=0x00100012 # and so
    low=0x00100013  # on

but it doesn't work :(
Am I missing something?! I guess it's the "not-really-dummy" tc filter line ?! :)

Thank you very much
Tobias
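The two "tc filter" threads above turn on how a class handle becomes a fwmark. As devik's quoted remark says, tc reads both halves of a handle as hexadecimal, so the 32-bit classid is just the major number in the upper 16 bits and the minor in the lower 16, with no decimal conversion in between; `0xa000a` is therefore the mark for class `a:a`, while `0x00100010` is the mark for `10:10`. The following added example (my code, not from any post) does that conversion both ways and emits the matching iptables lines; the chain name `SHAPE_MARK` is hypothetical.

```python
"""Convert tc class handles to fwmark values and back.

Added example for the "tc filter"-line threads, not code from the original
posts. tc parses both halves of a handle as hexadecimal, so the value the fw
classifier compares against the mark is (major << 16) | minor.
"""
import re

_HANDLE = re.compile(r"^([0-9a-fA-F]{1,4}):([0-9a-fA-F]{1,4})$")


def tc_classid(handle):
    """'10:10' -> 0x00100010. Raises ValueError for anything that is not hex major:minor."""
    m = _HANDLE.match(handle)
    if not m:
        raise ValueError(f"not a tc class handle: {handle!r}")
    major, minor = int(m.group(1), 16), int(m.group(2), 16)
    return (major << 16) | minor


def handle_from_classid(value):
    """0x00100010 -> '10:10' (inverse of tc_classid, in the form tc prints handles)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("classid must fit in 32 bits")
    return f"{value >> 16:x}:{value & 0xFFFF:x}"


def mark_rules(classes, dev="imq1", parent="10:"):
    """Emit the single fw filter plus one MARK rule per class.

    `classes` maps a name to a class handle, e.g. {"ack": "10:10"}. The chain
    name SHAPE_MARK is a placeholder for whatever mangle chain is in use.
    """
    lines = [f"tc filter add dev {dev} parent {parent} protocol ip prio 1 handle 1 fw"]
    for name, handle in classes.items():
        lines.append(f"# {name} -> class {handle}")
        lines.append(f"iptables -t mangle -A SHAPE_MARK -j MARK --set-mark 0x{tc_classid(handle):08x}")
    return lines


if __name__ == "__main__":
    for line in mark_rules({"ack": "10:10", "high": "10:11", "norm": "10:12", "low": "10:13"}):
        print(line)
    print(handle_from_classid(0xa000a))  # the class that 655370 decimal actually names
```

Emitting the marks with `:08x` keeps the major and minor halves visually separated (`0x00100010`), which makes a mismatch between the `tc class add ... classid` lines and the `--set-mark` values easy to spot when reading a script.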
Re: [LARTC] Sharing incoming traffic
For me ingress works great. Ok, I more or less copy/pasted from the "wondershaper" :)

I guess it's not good to have a rate of 8000bps AND a burst of 10k.

I'm also not sure if the iptables marks get noticed, but it seems so, as you said there is a shaping effect. But as your iptables rule is so general, I'd say there's no reason not to use the appropriate u32 filter instead of fw.

VMWare shouldn't be the problem, at least I never had ones.

Tell me if tuning rate/burst helped.

Greetings
Tobias

On Thu, Mar 21, 2002 at 12:29:09PM +, Julián Muñoz wrote:
>
> I've done my first test with ingress,
>
> 2 ftps, and I've seen that the bandwidth is not shared "very well".
>
> From the point of view of a user, his transfer stops suddenly, and
> restarts 20 seconds (or more!) later. Then the other has to wait !! I
> observe a kind of feedback process, the interval of stopped traffic
> being bigger each time, during the transference.
>
> The bandwidth is limited to 64.000 bit per second, killing packets.
>
> In fact it is not a real ethernet link, and the filter is on a vmware
> machine computer, so maybe this test is not valid.
>
> Does anyone know more about this behaviour ??
>
> Could I optimize it playing with burst and mpu ?
>
> Or am I doing something really bad ?
>
> Thank you,
>
> Here's my filter:
>
>     iptables -A PREROUTING -i eth0 -t mangle --protocol all -j MARK --set-mark 1
>
>     tc qdisc add dev eth0 handle : ingress
>
>     tc filter add dev eth0 parent : protocol ip prio 5 handle 1 fw \
>         police rate 8000bps burst 10k mpu 64b drop flowid :1
>
> --
>      __o
>    _ \<_
>   (_)/(_)
>
> Saludos de Julián
> EA4ACL
> -.-
>
> Foro Wireless Madrid
> http://opennetworks.rg3.net
Re: [LARTC] Sharing incoming traffic
The "wondershaper" by one of the authors of the LARTC-HOWTO:
http://lartc.org/HOWTO//cvs/2.4routing/output/2.4routing-15.html

At the very end of this html page simply copy/paste the ingress line and the next line, which is the u32 filter for the ingress qdisc. That worked perfectly for me :)

> Thank you Tobias,
>
> > For me ingress works great.
> > ok, i more or less copy/pasted from the "wondershaper" :)
>
> Eh?
>
> > I guess it's not good to have a rate of 8000bps AND a burst of 10k
>
> I have set burst to 3k, and this has not helped, I still see the "not
> nice" sharing at the input.
> Maybe I should increase burst ??

Well, what do you want? I guess I want to "test" the ingress qdisc, and as far as I understand the whole thing it's no good idea to set a specific rate but at the same time allow a burst that's x*specific-rate. I always set my burst to something like specific-rate/10 or so. In your example with 8000bps rate, I'd test a burst of 800 or even less.

> > I'm also not sure if the iptables marks get noticed, but it seems so,
> > as you said there is a shaping effect.
>
> You say that if I use u32 maybe this effect would disappear ?

Like I said: I don't know exactly :) I'm not into this C / hardcore kernel programming stuff, so I don't know for sure which code comes first in case of ingress: the qdisc stuff or the iptables stuff. If the iptables stuff comes first (and it seems so) then everything's ok. Let it be. The "effect" has nothing to do with your filter, more with your qdisc (I guess :)

> > but as your iptables rule is so
> > general I'd say there's no reason not to use the appropriate u32
> > filter instead of fw.
>
> The problem is that u32 is not well documented :-(
> I had to install all the ipchains and after iptables, because was unable
> to do anything "coherent" with u32...

Like mentioned above: the last line of code in the html page is the u32 filter line you need (and which does the same as your iptables mark rule).

Good luck
Tobias
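The `police rate 8000bps burst 10k` line in this thread is a token bucket, and in tc a bare `bps` means bytes per second (so 8000bps is the 64 kbit/s Julián mentions). The added example below is my own simplified model, not code from the thread or from the wondershaper: it ignores the kernel's rate tables and timer granularity and just refills a byte bucket at the configured rate, capped at `burst`, then runs one constructed offered load (1500-byte packets every 100 ms, nearly twice the rate) against several burst values. Two things fall out: a burst smaller than the largest packet means that packet can never pass, and once the bucket has drained, the burst size barely changes the long-run pass rate, only how long the initial unthrottled run lasts.

```python
"""Simplified token-bucket model of 'tc ... police rate R burst B drop'.

Added example for the ingress discussion, not code from the original posts
or from the wondershaper. Rate is in bytes per second, as tc reads a bare
"bps"; kernel rate tables and clock granularity are deliberately ignored.
"""


def police(arrivals_ms, sizes, rate_bps, burst_bytes):
    """Return (passed, dropped) counts for packets arriving at the given times.

    The bucket starts full. Tokens (bytes) refill at rate_bps and are capped
    at burst_bytes; a packet passes only if the bucket holds at least its
    size, otherwise it is dropped and consumes nothing. Integer arithmetic
    throughout so the results are exact (refill truncates to whole bytes).
    """
    tokens = burst_bytes
    last_ms = arrivals_ms[0] if arrivals_ms else 0
    passed = dropped = 0
    for t_ms, size in zip(arrivals_ms, sizes):
        tokens = min(burst_bytes, tokens + rate_bps * (t_ms - last_ms) // 1000)
        last_ms = t_ms
        if size <= tokens:
            tokens -= size
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def constant_stream(count, interval_ms, size):
    """Constructed offered load: `count` packets of `size` bytes, one every interval_ms."""
    return [i * interval_ms for i in range(count)], [size] * count


def compare_bursts(rate_bps=8000, bursts=(10000, 3000, 1500, 800),
                   packet=1500, count=100, interval_ms=100):
    """Run the same 15 kB/s stream (1500 B every 100 ms) against one rate and several bursts."""
    arrivals, sizes = constant_stream(count, interval_ms, packet)
    return {b: police(arrivals, sizes, rate_bps, b) for b in bursts}


if __name__ == "__main__":
    for burst, (ok, drop) in compare_bursts().items():
        print(f"rate 8000 B/s  burst {burst:5d}: passed {ok:3d}  dropped {drop:3d}")
```

With 100 packets offered over 9.9 s, the model passes 59 at burst 10000, 54 at 3000 and 50 at 1500, but none at 800, because a 1500-byte packet never fits. Real TCP reacts to those drops by backing off, which is the stop-and-restart pattern Julián describes; the model only shows the policer side of that loop.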
Re: [LARTC] Sharing incoming traffic
I reread your Subject line and noticed you meant SHARING. I always read SHAPING.

Make sure: you can't actually SHARE your incoming bandwidth. You can just throttle it down (to gain more interactivity on a heavily loaded link).

I hope we didn't misunderstand each other

Tobias
Re: [LARTC] NAT statistics
Hello,

you can use the ipac-ng (http://sourceforge.net/projects/ipac-ng/) toolset to implement counters with iptables. ipac-ng generates iptables rules just for accounting; this data can be summarized and even be graphed. (I use mrtg for graphing the data, but ipac-ng includes a graph generator itself.)

I hope that's what you were looking for.

Tobias

On Thu, Mar 14, 2002 at 03:43:09PM +0200, Sebastian Taralunga wrote:
>
> Thank you VaibhaV,
>
> Your script works just fine however my problem is to get traffic information
> about both downlink and uplink on a NAT server. Do you know what iptables rules
> should I use to be able to see such information? Right now my rules look like
> this (generated by iptables-save):
>
>     *nat
>     :PREROUTING ACCEPT [1372:944647]
>     :POSTROUTING ACCEPT [0:0]
>     :OUTPUT ACCEPT [0:0]
>     -A POSTROUTING -s 192.168.130.2 -j MASQUERADE
>     -A POSTROUTING -s 192.168.130.3 -j MASQUERADE
>
> -
>
> Regards,
>
> Sebastian
>
> On Thu, 14 Mar 2002, VaibhaV Sharma wrote:
>
> > Hello,
> > See the -v option in man iptables
> >
> >     -v, --verbose
> >         Verbose output. This option makes the list command
> >         show the interface address, the rule options (if
> >         any), and the TOS masks. The packet and byte counters
> >         are also listed, with the suffix 'K', 'M' or 'G' for
> >         1000, 1,000,000 and 1,000,000,000 multipliers
> >         respectively (but see the -x flag to change this).
> >         For appending, insertion, deletion and replacement,
> >         this causes detailed information on the rule or
> >         rules to be printed.
> >
> > This would give you the amount of data transferred for each rule that you
> > have in your firewall as one of the columns.
> >
> > I wrote a small script to extract amount of data for each client I am
> > allowing FORWARD. The script takes the IP address of the machine you wanna
> > find info about as the command line parameter.
> >
> >     #!/bin/sh
> >
> >     # list every chain with counters, keep the ACCEPT rules outside
> >     # INPUT/OUTPUT, squeeze the spacing and pick the rule for the given IP
> >     details=`/sbin/iptables -L -v -n | grep ACCEPT | grep -v INPUT | grep -v OUTPUT | tr -s " " | grep "$1" | cut -d" " -f 3,9,12`
> >
> >     bytes=`echo "$details" | cut -d" " -f1`
> >     ip=`echo "$details" | cut -d" " -f2`
> >
> >     echo "IP address $ip transferred $bytes bytes."
> >
> > The cut thingies are customised to the output I get for my rules. Check
> > yours and modify.
> >
> > VaibhaV
> >
> > On Thu, 14 Mar 2002 11:30:01 +0200 (EET) "Sebastian Taralunga"
> > <[EMAIL PROTECTED]> wrote:
> >
> > > Hi,
> > >
> > > I want to be able to get statistics per IP address for both incoming and
> > > outgoing traffic on a NAT server using iptables and kernel v2.4.18. I
> > > actually have the same problem for a server running kernel v2.2.20,
> > > using ipchains.. Can anyone help me?
> > >
> > > Regards,
> > >
> > > Sebastian
> >
> > VaibhaV Sharma     | [EMAIL PROTECTED]       | L I N U X
> > Exocore Consulting | http://www.exocore.com |
> > Bangalore, India   | +91(80)3440397,3341137 | R O C K S
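VaibhaV's script picks columns out of `iptables -L -v -n` with `cut`, which works until the column layout shifts or a `grep` for `192.168.130.2` also catches `192.168.130.20`. The added example below (my code, not from any post in the thread) parses the same listing into per-client up/down byte totals: it attributes a rule's bytes to the LAN host in its source (upload) or destination (download) column, compares addresses exactly instead of as substrings, and expands the K/M/G suffixes using the 1000-based multipliers the quoted man page gives. The listing is constructed sample output, not a capture; the `192.168.130.0/24` client range is assumed from the MASQUERADE rules Sebastian posted. Note that, as Tobias points out at the top of this page, counters taken at the filter hooks do not know about packets a shaper later drops, and with `-x` the counters are exact rather than rounded.

```python
"""Parse 'iptables -L FORWARD -v -n' output into per-client byte counters.

Added example for the NAT statistics thread, not code from the original
posts. SAMPLE_LISTING is constructed, not captured; the column order (pkts,
bytes, target, prot, opt, in, out, source, destination) is that of the -v
listing. Without -x iptables abbreviates counters with K/M/G, expanded here
with the 1000-based multipliers from the man page; use -x for exact figures.
"""
import ipaddress

# Constructed sample: the two MASQUERADEd clients from the thread, each with
# an accounting rule in both directions.
SAMPLE_LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234 1524K ACCEPT     all  --  eth1   eth0    192.168.130.2        0.0.0.0/0
 5678 7890K ACCEPT     all  --  eth0   eth1    0.0.0.0/0            192.168.130.2
   12 15360 ACCEPT     all  --  eth1   eth0    192.168.130.3        0.0.0.0/0
  999   12M ACCEPT     all  --  eth0   eth1    0.0.0.0/0            192.168.130.3
"""

LAN = ipaddress.ip_network("192.168.130.0/24")  # assumed client range
_MULT = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_counter(text):
    """'1524K' -> 1524000, '15360' -> 15360 (K/M/G as described in the -v man page)."""
    if text and text[-1] in _MULT:
        return int(text[:-1]) * _MULT[text[-1]]
    return int(text)


def is_lan_host(addr):
    """True for a single host address inside LAN; False for 0.0.0.0/0 or other ranges."""
    try:
        return ipaddress.ip_address(addr) in LAN
    except ValueError:
        return False


def account(listing):
    """Return {client_ip: {'up': bytes, 'down': bytes}} from an iptables -v -n listing."""
    totals = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[0].isdigit():
            continue  # chain header or column header line
        nbytes, src, dst = parse_counter(fields[1]), fields[7], fields[8]
        if is_lan_host(src):
            totals.setdefault(src, {"up": 0, "down": 0})["up"] += nbytes
        elif is_lan_host(dst):
            totals.setdefault(dst, {"up": 0, "down": 0})["down"] += nbytes
    return totals


if __name__ == "__main__":
    for ip, t in sorted(account(SAMPLE_LISTING).items()):
        print(f"{ip:16} up {t['up']:>12} B   down {t['down']:>12} B")
```

On a real box, feed it `subprocess.run(["iptables", "-L", "FORWARD", "-v", "-n", "-x"], capture_output=True, text=True).stdout` instead of the constructed listing; with `-x` the suffix branch in `parse_counter` is simply never taken.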