[LARTC] layer7 http
hello, I am trying to use the layer7 filter to classify packets. I have a problem with the http match. This protocol seems to work well with l7-filter (http://l7-filter.sourceforge.net/protocols), but for me nothing is filtered into the http class. Can someone help me? Here is my script:

#!/bin/bash
IPT_BIN=/sbin/iptables
TC_BIN=/sbin/tc
INTER_OUT=ppp0
LINK_RATE_UP=1000Kbit
RATE_ACK=200Kbit
RATE_DEFAULT=100Kbit
RATE_12=12Kbit
RATE_13=13Kbit
RATE_14=14Kbit
NB_filtre_12=1
NB_filtre_13=2
NB_filtre_14=4
PROTO_12_1=http
PROTO_13_1=skypeout
PROTO_13_2=skypetoskype
PROTO_14_1=edonkey
PROTO_14_2=gnutella
PROTO_14_3=applejuice
PROTO_14_4=bittorrent

# Delete all qdiscs on $INTER_IN and $INTER_OUT
# (note: $INTER_IN is not set anywhere in the script as posted)
$TC_BIN qdisc del dev $INTER_IN root 2>/dev/null >/dev/null
$TC_BIN qdisc del dev $INTER_IN ingress 2>/dev/null >/dev/null
$TC_BIN qdisc del dev $INTER_OUT root 2>/dev/null >/dev/null
$TC_BIN qdisc del dev $INTER_OUT ingress 2>/dev/null >/dev/null

# Delete mangle rules
$IPT_BIN -t mangle -F
$IPT_BIN -t mangle -X
$IPT_BIN -t mangle -Z

# TC Rules
# initRules
$TC_BIN qdisc add dev $INTER_OUT handle 1: root htb default 1
$TC_BIN class add dev $INTER_OUT parent 1: classid 1:1 htb rate $LINK_RATE_UP
$TC_BIN filter add dev $INTER_OUT parent 1:0 protocol all u32 match u32 0 0 classid 1:1

## BuildInChains
$TC_BIN class add dev $INTER_OUT parent 1:1 classid 1:11 htb rate $LINK_RATE_UP ceil $LINK_RATE_UP quantum 1532

# one HTB class + SFQ leaf per pipe 1:12, 1:13, 1:14
# (note: $NB_file is not set anywhere in the script as posted)
NUM_file=12
NB_class=$NB_file
while [ $NB_class -ge 0 ]
do
    PRIO=$((5-$NB_class))
    case $NUM_file in
        12) RATE_PIPE=$RATE_12 ;;
        13) RATE_PIPE=$RATE_13 ;;
        14) RATE_PIPE=$RATE_14 ;;
    esac
    $TC_BIN class add dev $INTER_OUT parent 1:11 classid 1:$NUM_file htb rate $RATE_PIPE ceil $LINK_RATE_UP prio $PRIO quantum 1532
    $TC_BIN qdisc add dev $INTER_OUT handle $NUM_file: parent 1:$NUM_file sfq
    NUM_file=$(($NUM_file + 1))
    NB_class=$(($NB_class - 1))
done

## default pipe
$TC_BIN class add dev $INTER_OUT parent 1:11 classid 1:199 htb rate $RATE_DEFAULT ceil $LINK_RATE_UP prio 4 quantum 1532
$TC_BIN qdisc add dev $INTER_OUT handle 199: parent 1:199 sfq

# iptables rules
#
# initRules
$IPT_BIN -t mangle -N ms-all
$IPT_BIN -t mangle -N ms-all-chains
$IPT_BIN -t mangle -N ms-prerouting
$IPT_BIN -t mangle -A PREROUTING -j ms-prerouting
$IPT_BIN -t mangle -A ms-prerouting -j CONNMARK --restore-mark
$IPT_BIN -t mangle -A FORWARD -o $INTER_OUT -j ms-all
$IPT_BIN -t mangle -A POSTROUTING -o $INTER_OUT -j ms-all-chains

# buildInChains
$IPT_BIN -t mangle -N ms-chain-$INTER_OUT-1:11
$IPT_BIN -t mangle -A ms-all-chains -m connmark --mark 0xc0ed4017 -j ms-chain-$INTER_OUT-1:11
$IPT_BIN -t mangle -A ms-all -o $INTER_OUT -j ms-chain-$INTER_OUT-1:11

# one CLASSIFY + RETURN pair per layer7 protocol of each pipe
NUM_file=12
while [ $NB_file -ge 0 ]
do
    while [ $((NB_filtre_$NUM_file)) -ge 1 ]
    do
        case $NUM_file in
        12)
            case $NB_filtre_12 in
            1)
                $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_12_1 -j CLASSIFY --set-class 1:$NUM_file
                $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_12_1 -j RETURN
                ;;
            esac
            NB_filtre_12=$(($NB_filtre_12 - 1))
            ;;
        13)
            case $NB_filtre_13 in
            1)
                $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_13_1 -j CLASSIFY --set-class 1:$NUM_file
                $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_13_1 -j RETURN
                ;;
            2)
                $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_13_2 -j CLASSIFY --set-class 1:$NUM_file
                $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_13_2 -j RETURN
                ;;
            esac
            NB_filtre_13=$(($NB_filtre_13 - 1))
            ;;
        14)
            case $NB_filtre_14 in
            1)
                $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_14_1 -j CLASSIFY --set-class 1:$NUM_file
                $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_14_1 -j RETURN
                ;;
            2)
                $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_14_2 -j CLASSIFY --set-class 1:$NUM_file
                $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_14_2 -j RETURN
                ;;
            3)
                $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_14_3 -j CLASSIFY --set-class 1:$NUM_file
                $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_14_3 -j RETURN
                ;;
            4)
                $IPT_BIN -t mangle -A ms-chain-$INTER_OUT-1:11 -m layer7 --l7proto $PROTO_14_4 -j CLASSIFY --set-class 1:$NUM_file
                $IPT_BIN -t mangle -A
Re: [LARTC] HFSC traffic loss bug, kernel 2.6.16.24
hello, Could you please explain what a non-work-conserving qdisc is and why it doesn't make sense?
Gérald

----- Original message -----
From: Patrick McHardy [EMAIL PROTECTED]
To: Leo Wetz [EMAIL PROTECTED]
Cc: lartc@mailman.ds9a.nl
Sent: Wednesday, 13 September 2006, 4:38:16
Subject: Re: [LARTC] HFSC traffic loss bug, kernel 2.6.16.24

Leo Wetz wrote:
Hello, I have finally managed to understand HFSC up to a level which allowed me to create a QoS script which maintains low VoIP latency while running stuff like eMule. Unfortunately, HFSC seems to have a severe bug. Why do I definitely consider this a bug? Well, my script runs without any errors, then QoS works perfectly for some hours, no error messages in the kernel log. Then randomly the kernel starts saying this:

Sep 10 17:14:51 router kernel: HFSC: Non-work-conserving qdisc ?
Sep 10 17:14:56 router kernel: printk: 266 messages suppressed.
Sep 10 17:14:56 router kernel: HFSC: Non-work-conserving qdisc ?
Sep 10 17:15:01 router kernel: printk: 259 messages suppressed.
Sep 10 17:15:01 router kernel: HFSC: Non-work-conserving qdisc ?
Sep 10 17:15:06 router kernel: printk: 294 messages suppressed.
Sep 10 17:15:06 router kernel: HFSC: Non-work-conserving qdisc ?

It floods the whole kernel log with this. Traffic is also heavily affected by packet loss when this happens, so I cannot ignore it. I have to check my kernel log when I notice that I cannot access websites anymore and then restart QoS manually. My complete QoS script is attached to this mail. If this is not the right location for the bug report, please tell me whom I should contact.

This is not a bug. You can't attach non-work-conserving qdiscs to HFSC (and it doesn't make any sense). Just use classes instead of adding HTB qdiscs.

___ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[LARTC] iptables u32 kernel 2.6.17
hi everybody, I was using this rule on my gateway:

iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP

This was working with a 2.6.16 kernel, but now that I have upgraded to 2.6.17 it gives me the following message:

[ 5333.87] ip_tables: u32 match: invalid size 0 != 2028
iptables: Unknown error -1

I tried to make some modifications to ipt_u32.c following the modifications which work for ipp2p (http://www.sieglitzhof.net/~doc/ipp2p/) without any success. Does anyone have an explanation of why the problem occurs with the new kernel and how to solve it? Thanks in advance
[LARTC] iptables match u32
hello, I am trying to use iptables rules to drop Skype traffic. The iptables rule is:

iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x01020304' -j ACCEPT

The problem I encounter is that I can't get the u32 match for iptables. Could someone help me?
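The two posts above use the same u32 rule, so here is one added example (not from either poster, and not the netfilter u32 code) that re-implements, in Python, the subset of the iptables u32 match syntax those rules need: a numeric byte offset counted from the start of the IP header, an optional `&mask`, one or more value ranges, and tests joined with `&&`, combined with the `-m length --length 39` check. With the mask operator written out, `27&0x8f=7` reads the four bytes at offsets 27..30 of the IP packet (the low byte of the UDP checksum plus the first three payload bytes), keeps only the low byte, and compares it with 7; `31=0x01020304` compares payload bytes 3..6. The IPv4/UDP packet, its addresses, ports and payload bytes are constructed for the test, and the `@` and `>>` operators of the real match are deliberately not implemented.

```python
"""Offline evaluator for the subset of the iptables u32 match syntax used in
the posted Skype rule. Added illustration, not the netfilter implementation;
the packet built below is constructed for the test."""
import re
import struct

# test := offset[&mask]=value[:value][,value[:value]...]   (this subset only;
# the @ and >> operators of the real u32 match are not implemented here)
_TEST_RE = re.compile(r"^(\d+)(?:&([0-9a-fA-Fx]+))?=([0-9a-fA-Fx:,]+)$")


def _num(text: str) -> int:
    """Parse a decimal or 0x-prefixed hexadecimal number, as iptables does."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def u32_test(packet: bytes, test: str) -> bool:
    """Evaluate one test: read 4 bytes big-endian at `offset` (counted from the
    start of the IP header), AND with the mask (default all ones) and check
    whether the result falls in any listed value range. A packet too short to
    supply 4 bytes at that offset never matches."""
    m = _TEST_RE.match(test.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported u32 test: {test!r}")
    offset = int(m.group(1))
    mask = _num(m.group(2)) if m.group(2) else 0xFFFFFFFF
    if offset + 4 > len(packet):
        return False
    word = struct.unpack_from("!I", packet, offset)[0] & mask
    for rng in m.group(3).split(","):
        lo, _, hi = rng.partition(":")
        lo_v = _num(lo)
        hi_v = _num(hi) if hi else lo_v
        if lo_v <= word <= hi_v:
            return True
    return False


def u32_match(packet: bytes, expression: str) -> bool:
    """One --u32 argument: every test joined with && must hold."""
    return all(u32_test(packet, t) for t in expression.split("&&"))


def rule_matches(packet: bytes, length=None, u32_exprs=()) -> bool:
    """Combine -m length --length N (total IP packet length) with several
    --u32 matches; iptables ANDs all matches of a rule, as in the posted one."""
    if length is not None and len(packet) != length:
        return False
    return all(u32_match(packet, e) for e in u32_exprs)


def build_ipv4_udp(payload: bytes) -> bytes:
    """Constructed IPv4/UDP datagram: 20-byte IP header, 8-byte UDP header.
    Addresses and ports are placeholders and both checksums are left zero."""
    total = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp_hdr = struct.pack("!HHHH", 40000, 40001, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


# The posted rule with the mask operator written out. With a 20-byte IP header
# and 8-byte UDP header, offset 27 covers the UDP checksum low byte and
# payload[0..2]; the 0x8f mask keeps payload[2] only. Offset 31 is payload[3..6].
SKYPE_RULE = dict(length=39, u32_exprs=["27&0x8f=7", "31=0x01020304"])

# Constructed 11-byte payloads (39 bytes on the wire): the first satisfies the
# rule, the second differs only in the byte the mask selects.
PROBE_PAYLOAD = bytes([0xAB, 0xCD, 0x07, 0x01, 0x02, 0x03, 0x04, 0, 0, 0, 0])
OTHER_PAYLOAD = bytes([0xAB, 0xCD, 0x08, 0x01, 0x02, 0x03, 0x04, 0, 0, 0, 0])

if __name__ == "__main__":
    print(rule_matches(build_ipv4_udp(PROBE_PAYLOAD), **SKYPE_RULE))  # True
    print(rule_matches(build_ipv4_udp(OTHER_PAYLOAD), **SKYPE_RULE))  # False
```

Because the offsets are absolute from the IP header, the rule silently assumes a 20-byte IP header with no options; a packet carrying IP options shifts the payload and the same bytes are no longer compared, which is worth keeping in mind when a u32 signature stops matching after a kernel or path change.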
[LARTC] ipp2p
Hello, I'm trying to use iptables rules to prioritize p2p traffic. I use ipp2p-0.8 but it gives me errors:

ipt_ipp2p: unknown symbol ntohl
ipt_ipp2p: unknown symbol ntohs

When I compiled ipp2p it gave me warnings:

ntohs /ipt-ipp2p.ko undefined
ntohl /ipt-ipp2p.ko undefined

Any suggestion?
gege