Re: [LARTC] Is ESFQ working?
On Sun, 11 Feb 2007 13:01:45 +0100, Alejandro Lorenzo Gallego wrote

> Hi there, I am trying to shape a network for college dorms...

Hi Alejandro.

> INTERNET <--> ETH0 Nat Box ETH1 <--> LAN
>
> I have set up classes of traffic (HTTP, FTP, MAIL, IM, OTHER) and I have
> assigned a rate for everyone with an HTB qdisc. The limit based on traffic
> is working flawlessly. However, under every HTB class I have set up an ESFQ
> queue discipline with hash value set to 'dst' in eth1 to control the rate
> of download of every user, but it appears to do nothing, and in eth0 there
> is a prio handler.
>
> According to documentation, every user should get a fair amount of
> bandwidth, but currently users with some kind of download accelerator get
> a higher amount of bandwidth.
>
> Is ESFQ working right for someone? Should I go for imq for this kind of
> shaping?

Can you show a snippet of your script here?

Bests,
Tomasz Chilinski.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] Is ESFQ working?
On Sun, 11 Feb 2007 14:15:49 +0100, Alejandro Lorenzo Gallego wrote

[cut]

>   $IPTABLES -F POSTROUTING
>   $ANADIR -p tcp --sport 443 -j CLASSIFY --set-class 1:100
>   $ANADIR -p tcp --sport 22 -j CLASSIFY --set-class 1:100
>   $ANADIR -p tcp --sport 53 -j CLASSIFY --set-class 1:100
>   $ANADIR -p tcp --sport 8080 -j CLASSIFY --set-class 1:100
>   $ANADIR -p tcp --sport 587 -j CLASSIFY --set-class 1:200
>   $ANADIR -p tcp --sport 6667 -j CLASSIFY --set-class 1:300
>   $ANADIR -p tcp --sport 1863 -j CLASSIFY --set-class 1:300
>   $ANADIR -p tcp --sport 123 -j CLASSIFY --set-class 1:200
>   $ANADIR -p udp --sport 123 -j CLASSIFY --set-class 1:200
>   $ANADIR -p tcp --sport 115 -j CLASSIFY --set-class 1:200
>   $ANADIR -p tcp --sport 69 -j CLASSIFY --set-class 1:200
>   $ANADIR -p tcp --sport 23 -j CLASSIFY --set-class 1:200
>   $ANADIR -p tcp --sport 5223 -j CLASSIFY --set-class 1:300
>   $ANADIR -p tcp --sport 10025 -j CLASSIFY --set-class 1:200
>   $ANADIR -p tcp --sport 3690 -j CLASSIFY --set-class 1:200
>   $ANADIR -p tcp --sport 3306 -j CLASSIFY --set-class 1:200
>   $ANADIR -p tcp --sport 143 -j CLASSIFY --set-class 1:200
>   $ANADIR -p tcp --sport 995 -j CLASSIFY --set-class 1:200
>   $ANADIR -p tcp --sport 990 -j CLASSIFY --set-class 1:200
>   $ANADIR -p tcp --sport 110 -j CLASSIFY --set-class 1:200
>   $ANADIR -p tcp --sport 993 -j CLASSIFY --set-class 1:200
>   $ANADIR -p tcp --sport 220 -j CLASSIFY --set-class 1:200
>   #$ANADIR -d 192.168.20.49 -j CLASSIFY --set-class 1:700

[cut]

Have you tried to replace the CLASSIFY target by the MARK target and then use an fw filter? I have had bad experience with the CLASSIFY target.

Bests,
Tomasz Chilinski.
Re: [LARTC] Is ESFQ working?
On Sun, 11 Feb 2007 16:19:54 +0100, Alejandro Lorenzo Gallego wrote

[cut]

>> Have you tried to replace the CLASSIFY target by the MARK target and then
>> use an fw filter? I have had bad experience with the CLASSIFY target.
>
> Behaviour is identical if I use classify or mark; however, I expected this,
> because the packets do go to the right classes. It's just that it looks
> like ESFQ is not assuring fairness between users.

Which version of ESFQ? Patch for 2.6.15.1 or 2.6.19.2?

Bests,
Tomasz Chilinski.
Re: [LARTC] 2.6.17 kernels and equalize patch
On Fri, 19 Jan 2007 12:37:54 -0300, Luciano Ruete wrote

> Equalize is a patch for 2.4, it never gets mainline, and there is no 2.6
> version AFAIK. The iproute option is there, but without the patch it does
> nothing.

Interesting. I used vanilla 2.4 and didn't need the equalize patch. Are you sure the equalize patch is needed for 2.4?

> --
> Luciano

Bests,
Tomasz Chilinski.
Re: [LARTC] IPP2P Problem
On Thu, 11 Jan 2007 16:26:18 +1300, Rangi Biddle wrote

> Hi Guys,

Hi Rangi.

> I am currently using linux kernel 2.6.18.6 + l7filter patch, iptables 1.3.7
> and have managed to compile the ipp2p shared object which is now sitting in
> /lib/iptables. However, when I run the following I get this following error:
>
>   [EMAIL PROTECTED] ~]# iptables -m ipp2p --help
>   iptables v1.3.7: Couldn't load match `ipp2p'
>   Try `iptables -h' or 'iptables --help' for more information.

In the ipp2p Makefile find the libipt_ipp2p.so make definition and make sure you've got:

  $(CC) -shared -o libipt_ipp2p.so libipt_ipp2p.o

Probably there's

  ld -shared -o libipt_ipp2p.so libipt_ipp2p.o

over there and it's a mistake.

> Regards,
> Rangi

Bests,
Tomasz.
RE: [LARTC] IPP2P Problem
On Fri, 12 Jan 2007 08:33:17 +1300, Rangi Biddle wrote

> Hi Tomasz,

Hi Rangi.

> Thank you for the reply. I have checked the Makefile and unfortunately it
> is using the respective gcc. Output of Makefile below:
>
>   libipt_ipp2p.so: libipt_ipp2p.c ipt_ipp2p.h
>           $(CC) $(CFLAGS) $(IPTABLES_OPTION) $(IPTABLES_INCLUDE) -fPIC -c libipt_ipp2p.c

What about the line below?! ;-)

>           * ld -shared -o libipt_ipp2p.so libipt_ipp2p.o *

Replace ld by $(CC).

> Any other suggestions?

As above ;-)

> Rangi

Bests,
Tomasz.
RE: [LARTC] HFSC Advanced Limiting
On Fri, 14 Oct 2005 08:53:15 -0400, Eliot, Wireless and Server Administrator, Great Lakes Internet wrote

> So, then you're saying 1:10001 is equivalent to 110,001, which would be
> 0x1ADB1 -- as opposed to 10,001 = 0x2711 ?

I would like to say that classids are not decimal numbers but hexadecimal, i.e. if you've got decimal class number 65535 you should write it down in the tc command as .

I hope now it's clear ;-)

> Eliot Gable
> Certified Wireless Network Administrator
> Cisco Certified Network Associate
> CompTIA Security+ Certified
> CompTIA Network+ Certified
> Network and Systems Administrator
> Great Lakes Internet, Inc.
> 112 North Howard
> Croswell, MI 48422
> 810-679-3395

--
Kind regards,
Tomasz Chilinski
RHCX, RHCE, RedHat Academy Instructor
Cisco Certified Academy Instructor
LMS developer: http://lms.rulez.pl
Kadu developer: http://www.kadu.net
Director of Chilan.com network engineering department
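An added example (not from the list messages) of how tc reads a classid: both halves of major:minor are hexadecimal 16-bit fields packed into one 32-bit handle, so decimal class number 10001 is written as 2711, and "1:10001" (minor 0x10001) does not fit the field at all. The helper names are this example's own.

```python
CLASSID_HALF_MAX = 0xFFFF  # major and minor are 16-bit fields

def parse_classid(text):
    """Parse a tc classid like "1:ffff" into its 32-bit handle.
    Both halves are hexadecimal; a half wider than 16 bits (the "10001" in
    "1:10001" is 0x10001 = 65537) does not fit and is rejected."""
    try:
        major_s, minor_s = text.split(":")
    except ValueError:
        raise ValueError("classid must look like major:minor: %r" % text)
    major = int(major_s, 16) if major_s else 0   # "1:" means minor 0
    minor = int(minor_s, 16) if minor_s else 0
    for name, half in (("major", major), ("minor", minor)):
        if not 0 <= half <= CLASSID_HALF_MAX:
            raise ValueError("%s part of %r exceeds 16 bits" % (name, text))
    return (major << 16) | minor

def is_valid_classid(text):
    """True when the classid is well formed and both halves fit 16 bits."""
    try:
        parse_classid(text)
        return True
    except ValueError:
        return False

def classid_parts(handle):
    """Split a 32-bit handle into decimal (major, minor)."""
    return handle >> 16, handle & CLASSID_HALF_MAX

def format_classid(major, minor):
    """Render decimal class numbers the way tc wants them: hexadecimal."""
    if not (0 <= major <= CLASSID_HALF_MAX and 0 <= minor <= CLASSID_HALF_MAX):
        raise ValueError("class numbers must fit in 16 bits")
    return "%x:%x" % (major, minor)

if __name__ == "__main__":
    # Decimal class number 10001 is written as 1:2711, not 1:10001.
    print(format_classid(1, 10001))                 # 1:2711
    print(classid_parts(parse_classid("1:2711")))   # (1, 10001)
    print(is_valid_classid("1:10001"))              # False: minor > 0xffff
    print(format_classid(1, 65535))                 # 1:ffff
```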
Re: [LARTC] same gw / load balancing
On Thu, 18 Nov 2004 18:25:47 -0400, Guillermo wrote

> Hi

Hi

> 1.- If the request comes from the right source ip address (dhcp provided)
> in my Linux box, it will go through the right dsl modem and ethernet
> interface. Then I need to use some kind of general ip-proxying if I want
> to build a load balancing gw with dsl lines in my country.
>
> 2.- The ip-proxy has to balance the traffic, or I could use two proxies
> being balanced by a previous method (mangling, prerouting, redirecting,
> marking packets...)
>
> 3.- I don't think I can use iptables snat or masquerade because that
> occurs in the postrouting chain. In fact the routing decision will always
> be to use the def gw; the point is which interface to use. That's why I
> asked for the interface as routing criteria.
>
> Could someone give me a clue on how to deal with this in the simplest
> manner? (first time with this topic for me).

Try to use the nth match and the connmark match and target from netfilter.org patch-o-matic.

> Guillermo

--
Kind regards,
Tomasz Chilinski

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Re: [LARTC] mark
On Tue, 26 Oct 2004 01:43:43 -0200, James Lista wrote

> folks,

Hello James.

> when marking a packet for band control, what is the difference between:
>
>   iptables -t mangle -A PREROUTING -m p2p --p2p all -j CONNMARK --set-mark $P2P_MARK
>   iptables -t mangle -A PREROUTING -m connmark --mark $P2P_MARK -j CONNMARK --restore-mark
>
> and
>
>   iptables -t mangle -A PREROUTING -m p2p --p2p all -j MARK --set-mark $P2P_MARK

Each p2p connection is composed of many IP packets. The p2p match is sensitive to some specific data fields in some of these packets. So if you mark only these packets, all other packets (with p2p application data) won't be marked and you won't limit the transfer. The second line in the first example marks CONNECTIONs (not packets) belonging to the p2p connection (detected by the p2p match). Using the second method does not have the effect you would wish.

> ?? tried to patch-o-matic with connmark and it did not work out (kernel 2.6.9)...
> .. it works ok with 2.4.x

It works for me with 2.4.x too. I didn't try with 2.6.x.

--
Kind regards,
Tomasz Chilinski
Re: [LARTC] Limit traffic that use to download a file
> It seems OK for me (many months) on 2.4 - I haven't tried it on 2.6 yet.

For me it is rock stable, too ;-).

> If you want connbytes and connmark you need more than POM though. Someone
> posted a patch to this list a while back that let you use both together.

Someone wants connbytes and connmark at the same time? Here you have it again:
http://www.chilan.com/pom-ng-connmarkbytes.tar.bz2

> Andy.

--
Kind regards,
Tomasz Chilinski
Re: [LARTC] is round-robin on interface aliases possible?
On Fri, 15 Oct 2004 20:02:05 -0300, Stanislaw Pusep wrote

> Hello, I'm new to the list and iproute2 itself. I was searching for a way
> to simultaneously use several IPs on the *same network interface* for
> outbound traffic. Let me explain: I have an eth0 interface to which I set
> 2 IP addresses, 192.168.0.1 and 192.168.0.2. Then I want to connect to the
> Internet through the 192.168.0.254 gateway using round-robin between those
> 2 addresses. The iproute2 usage that best fits my needs is the following:
> http://lartc.org/howto/lartc.rpdb.multiple-links.html
> But I was unable to get it working, as it supposes I have 2 *interfaces*
> while I have only 1 interface with aliases. I'm simply unable to set the
> same gateway on both IPs as it seems to be a per-device setting.
>
> I am aware that iptables is able to do it with:
>
>   iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.1-192.168.0.2
>
> This actually doesn't fit my needs as it only applies to masqueraded
> networks. Any suggestions? Thanks for attention!

You can use the nth and connmark extensions (patch-o-matic from http://netfilter.org) with two route tables. This way you can get load balancing for IP dialogues.

--
Kind regards,
Tomasz Chilinski
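An added example (not from the list messages) modelling the nth + connmark scheme recommended in the replies to Guillermo and Stanislaw above: the first packet of each new connection is assigned a route by a round-robin counter (the nth match), the choice is stored in the connection mark, and later packets restore that mark so a whole dialogue stays on one uplink. Function names and the arrival sequence are constructed for this example.

```python
def balance(packets, routes=2):
    """Route chosen for each packet (route table 1..routes).
    `packets` is the sequence of flow ids in arrival order (constructed)."""
    conn_route = {}   # connmark: flow id -> route fixed on its first packet
    counter = 0       # nth counter, advanced only for NEW connections
    chosen = []
    for conn in packets:
        if conn not in conn_route:                    # first packet of flow
            conn_route[conn] = counter % routes + 1   # nth --every <routes>
            counter += 1                              # CONNMARK --set-mark
        chosen.append(conn_route[conn])               # CONNMARK --restore-mark
    return chosen

def balance_per_packet(packets, routes=2):
    """nth applied to every packet with no connmark: one flow is spread over
    both uplinks instead of staying on the one its first packet took."""
    return [i % routes + 1 for i in range(len(packets))]

# Constructed arrival order: two packets each of flows A and B, one of C.
ARRIVALS = ["A", "B", "A", "C", "B"]

def sticky_routes():
    return balance(ARRIVALS)              # [1, 2, 1, 1, 2]: B stays on 2

def split_routes():
    return balance_per_packet(ARRIVALS)   # [1, 2, 1, 2, 1]: B ends on 1
```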
Re: [LARTC] Bandwidth Metering
On Tue, 28 Sep 2004 16:17:00 +0200, Daniel Frederiksen wrote

> Note: This solution is primarily for general host traffic accumulation
> based on a subnet. The stats are collected via libpcap and can be done in
> promiscuous mode. This is not for website stats; for that you need to
> parse your webserver log files. But I guess you already know that.

This is not a good solution because of the high load where you account many nets and/or hosts. In my opinion ACCOUNT/account from netfilter.org patch-o-matic-ng are the best solutions for mass accounting.

Bests,
Tomasz Chilinski
Re: [LARTC] CONNMARK problem
On Fri, 24 Sep 2004 20:21:22 +0200, cvok wrote

> Hello everybody.

Hello.

> I think when a packet is passing through my POSTROUTING in the mangle
> table it can't match rule 2 or 3, but in real life it is a little bit
> different. iptables -t mangle -L PREROUTING -v shows the following:
>
>   Chain PREROUTING (policy ACCEPT 16M packets, 4534M bytes)
>    pkts bytes target    prot opt in   out  source    destination
>    159K   53M CONNMARK  all  --  any  any  anywhere  anywhere     CONNMARK set 0x0
>    1090  112K           all  --  any  any  anywhere  anywhere     CONNMARK match 0x5
>      22  1843           all  --  any  any  anywhere  anywhere     CONNMARK match 0x6
>
> I don't know if it is correct, so please tell me if it is normal.

It's normal. The CONNMARK target doesn't mean stopping traversing the chain.

> Matis

Bests,
Tomasz Chilinski
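An added example (not from the list messages) that models a mangle chain just far enough to show two points from the threads above: the MARK and CONNMARK targets do not end chain traversal, so the counters of later rules keep climbing, and the CONNMARK --set-mark / --restore-mark pair marks every later packet of a connection while MARK alone marks only the packets whose payload the match (a stand-in for the p2p match here) recognised. Rule shapes, packet shapes, the flow and the function names are this example's own.

```python
P2P_MARK = 0x5   # constructed mark value

def run_chain(rules, packets):
    """Walk `rules` per packet; return (packet marks, per-rule counters).
    A rule is (match, target, arg); MARK, CONNMARK_SET and CONNMARK_RESTORE
    are non-terminating targets, only ACCEPT ends the walk."""
    conn_marks = {}               # conntrack mark per flow (CONNMARK state)
    counters = [0] * len(rules)   # the "pkts" column of iptables -L -v
    marks = []
    for pkt in packets:           # pkt: {"conn": flow id, "p2p": signature seen}
        mark = 0                  # nfmark of this packet
        for i, (match, target, arg) in enumerate(rules):
            if not match(pkt, conn_marks.get(pkt["conn"], 0)):
                continue
            counters[i] += 1
            if target == "MARK":
                mark = arg
            elif target == "CONNMARK_SET":
                conn_marks[pkt["conn"]] = arg
            elif target == "CONNMARK_RESTORE":
                mark = conn_marks.get(pkt["conn"], 0)
            elif target == "ACCEPT":
                break
        marks.append(mark)
    return marks, counters

def p2p_match(pkt, cmark):        # stand-in for -m p2p --p2p all
    return pkt["p2p"]

def connmark_match(pkt, cmark):   # stand-in for -m connmark --mark $P2P_MARK
    return cmark == P2P_MARK

# Constructed flow: only the second packet of connection A carries a
# signature; every other packet is plain application data.
FLOW = [{"conn": "A", "p2p": False}, {"conn": "A", "p2p": True},
        {"conn": "A", "p2p": False}, {"conn": "B", "p2p": False}]

MARK_ONLY = [(p2p_match, "MARK", P2P_MARK)]
CONNMARK_PAIR = [(p2p_match, "CONNMARK_SET", P2P_MARK),
                 (connmark_match, "CONNMARK_RESTORE", None)]

def mark_only():
    """MARK alone: only the signature packet ends up marked."""
    return run_chain(MARK_ONLY, FLOW)

def connmark_pair():
    """set-mark + restore-mark: A stays marked from detection onward."""
    return run_chain(CONNMARK_PAIR, FLOW)
```

In connmark_pair() the second rule's counter reaches 2 although the first rule fired on the same packet, which is the non-terminating behaviour cvok saw in his counters.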
Re: [LARTC] masquerade and mac problem
On Sat, 4 Sep 2004 05:19:39 -0700 (PDT), Sorin Capra wrote

>   $ipt -t filter -N computer1 > /dev/null 2>&1
>   $ipt -t filter -N computer2 > /dev/null 2>&1
>   $ipt -t filter -N computer3 > /dev/null 2>&1
>   $ipt -t filter -N computer4 > /dev/null 2>&1
>   $ipt -t filter -N computer5 > /dev/null 2>&1
>
>   $ipt -A FORWARD -s 192.168.10.2 -j computer1
>   $ipt -A FORWARD -s 192.168.10.3 -j computer2
>   $ipt -A FORWARD -s 192.168.10.4 -j computer3
>   $ipt -A FORWARD -s 192.168.10.5 -j computer4
>   $ipt -A FORWARD -s 192.168.10.6 -j computer5
>
>   $ipt -A computer1 -m mac --mac-source 00:c0:df:f7:7c:3b -j ACCEPT
>   $ipt -A computer2 -m mac --mac-source 00:06:4f:0f:3b:c1 -j ACCEPT
>   $ipt -A computer3 -m mac --mac-source 00:0c:6e:90:39:6a -j ACCEPT
>   $ipt -A computer4 -m mac --mac-source 00:90:27:5f:5e:78 -j ACCEPT
>   $ipt -A computer5 -m mac --mac-source 00:90:27:9b:3c:a2 -j ACCEPT
>
>   $ipt -A POSTROUTING -t nat -s 192.168.10.2 -j MASQUERADE
>   $ipt -A POSTROUTING -t nat -s 192.168.10.3 -j MASQUERADE
>   $ipt -A POSTROUTING -t nat -s 192.168.10.4 -j MASQUERADE
>   $ipt -A POSTROUTING -t nat -s 192.168.10.5 -j MASQUERADE
>   $ipt -A POSTROUTING -t nat -s 192.168.10.6 -j MASQUERADE
>
>   #$ipt -P FORWARD DROP

Use the mac source match in chain PREROUTING of the nat table. Additionally, the tests will be working for the first packets of connections (less load).

> Thank you in advance,
> Sorin

Bests,
Tomasz Chilinski
Re: [LARTC] masquerade and mac problem
On Sat, 4 Sep 2004 08:21:21 -0700 (PDT), Sorin Capra wrote

> Thank you for the quick reply. It works now, but I still have one
> question: why didn't it work before (in FORWARD)? It should have worked,
> shouldn't it?

1) Have you tried to do:

  iptables -t filter -L -nv

and check if counters are non-zero for rules with mac source matches?

2) In the kernel source I have found something like this (net/ipv4/netfilter/ipt_mac.c file):

  static int
  ipt_mac_checkentry(const char *tablename,
                     const struct ipt_ip *ip,
                     void *matchinfo,
                     unsigned int matchsize,
                     unsigned int hook_mask)
  {
          /* FORWARD isn't always valid, but it's nice to be able to do --RR */
          if (hook_mask
              & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_IN)
                  | (1 << NF_IP_FORWARD))) {
                  printk("ipt_mac: only valid for PRE_ROUTING, LOCAL_IN or FORWARD.\n");
                  return 0;
          }

          if (matchsize != IPT_ALIGN(sizeof(struct ipt_mac_info)))
                  return 0;

          return 1;
  }

Maybe during traversing the filter/FORWARD hook the mac field in the skb structure is not valid, because the packet is being forwarded between two ifaces.

> Bests,
> Sorin

Bests,
Tomasz Chilinski
[LARTC] connmark+connbytes
Hello!

Maybe someone needs connmark and connbytes working together? See the attached file, compatible with pom-ng-20040621 (I called it connmarkbytes :)).

Kind Regards,
Tomasz Chilinski

Attachment: pom-ng-connmarkbytes.tar.bz2 (application/tbz)