Re: [LARTC] Distro ready out of the box

2007-10-19 Thread nic-lartc
Debian 4.0 has all I need including iptables and tc, but _not_ L7 filter 
or ipp2p :-(


You should look into Zeroshell, which has L7 (haven't tried it)
http://linuxdevices.com/news/NS9446520379.html
http://www.zeroshell.net/eng

Shorewall appears to have ipp2p (but apparently not L7?)

and it looks like there are add-ons to IPCop.

It is sad it is not easier... I looked into L7 etc. and ended up 
deciding that it is such an imperfect way of classifying data that it is 
better (for me at least) to instead choose a different policy - 
prioritize ssh, VOIP and web by port and then prevent each host from 
hogging more than their fair share of the total bandwidth.


But e.g. DD-WRT (embedded distro for wireless routers like the WRT54GL) 
seems to do a quite good job of it (with L7).


sincerely,
Nicolas


Riccardo (SCASI) wrote:

hi all,

I'm writing not for technical problems but for a simple question.
Do you know if there is a distro which is ready for traffic shaping 
etc. 'out of the box'?
I mean a distro which does not require patching the kernel and/or 
iptables and/or installing from source etc. and gives the user most of 
the tools needed (imq, ipp2p, l7filter and so on).


many thanks
riki


___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


PHP script to get MySQL data and make TC speed limit Re: [LARTC] (no subject)

2007-10-01 Thread nic-lartc

Dear Anirudh,

You will probably get better help if you write your setup, what you have 
tried, how it does not work, and write a subject.


Here is a PHP script which looks IP numbers and limits up in a database 
and generates a simple TC HTB limit rule per host.


You may be able to modify it to be useful for you.

Notes:

- This script is run from the console, not a web server. You will need 
command line PHP installed. Or you can rewrite it in a language of your 
choice.


- We only have two limit options: limit everything to 255 Kbit/s, or 
limit only packets that have been marked as "6" by some firewall rules 
to 255 Kbit/s. You will want to rewrite this bit to get the speed value 
from the database, but you can simplify the "marked as 6" bit away.


- Warning: we only limit download speed. You will probably want to limit 
upload speed as well! You will probably want to do this by matching on 
IP number on the way OUT of your INTERNET interface.



#!/usr/bin/php
<?php
// Generate one HTB class and one u32 filter per limited host, then run them.
// Database credentials and the log path are placeholders; adjust for your site.
$debug = false;

mysql_connect("localhost", "DB_USER", "DB_PASSWORD") or die(mysql_error());
mysql_select_db("DB_NAME") or die(mysql_error());

// Accept only a dotted-quad address on the internal 172.16.0.0/16 network.
// The value is interpolated into a shell command below, so this check also
// keeps anything else that may end up in the database out of the shell.
function check_internal_ip($ip) {
   return preg_match('/^172\.16\.\d{1,3}\.\d{1,3}\z/', $ip) === 1;
}

function logfile($text) {
   file_put_contents("/var/log/tc-limits.log", date("c") . "\n" . $text,
                     FILE_APPEND);
}

// Command templates filled in by sprintf(): %d = class number, %s = MAC or IP.
$cmd1 = "# host %d mac %s\n"
   . "tc class add dev eth2 parent 1:0 classid 1:%d htb rate 255kbit burst 255kbit\n";
// limit 1: shape only packets the firewall marked "6" (mark mask assumed 0xffff)
$cmd2dkstream = "tc filter add dev eth2 protocol ip parent 1:0 prio 1 u32 \\\n"
   . "   match mark 0x0006 0xffff \\\n   match ip dst %s \\\n   flowid 1:%d\n\n";
// limit 2: shape everything sent to the host
$cmd2all = "tc filter add dev eth2 protocol ip parent 1:0 prio 1 u32 \\\n"
   . "   match ip dst %s \\\n   flowid 1:%d\n\n";

$out = "# delete all existing queue disciplines\ntc qdisc del dev eth2 root\n\n"
   . "# attach queue discipline HTB to interface eth2 and give it handle 1:0\n"
   . "tc qdisc add dev eth2 root handle 1:0 htb\n\n";

$sql_query = "SELECT mac, last_seen_ip, `limit` FROM mac_info WHERE
`limit` > 0 AND expiry_date > NOW()";

$result = mysql_query($sql_query)
   or die(mysql_error());

$i = 1;

while ($current_row = mysql_fetch_assoc($result)) {
   $ip = $current_row['last_seen_ip'];
   $limit = $current_row['limit'];
   // The MAC only lands in a comment line, but it still goes through the shell:
   // keep hex digits and colons only.
   $mac = preg_replace('/[^0-9A-Fa-f:]/', '', $current_row['mac']);

   if (check_internal_ip($ip)) {
      $out .= sprintf($cmd1, $i, $mac, $i);

      if ($limit == 1)
         $out .= sprintf($cmd2dkstream, $ip, $i);
      elseif ($limit == 2)
         $out .= sprintf($cmd2all, $ip, $i);

      $i++;
   }
   unset($ip); unset($limit); unset($mac);
}

if ($debug) {
   print $out;      // only show the generated tc script
} else {
   logfile($out);
   `$out`;          // run everything in 'out'
}
?>
---
The output looks like this:


# delete all existing queue disciplines
tc qdisc del dev eth2 root

# attach queue discipline HTB to interface eth2 and give it handle 1:0
tc qdisc add dev eth2 root handle 1:0 htb

# host 1 mac x
tc class add dev eth2 parent 1:0 classid 1:1 htb rate 255kbit burst 255kbit
tc filter add dev eth2 protocol ip parent 1:0 prio 1 u32 \
   match ip dst 172.16.xxx.xxx \
   flowid 1:1

# host 2 mac 
tc class add dev eth2 parent 1:0 classid 1:2 htb rate 255kbit burst 255kbit
tc filter add dev eth2 protocol ip parent 1:0 prio 1 u32 \
   match mark 0x0006 0x \
   match ip dst 172.16.xxx.xxx \
   flowid 1:2

--


Anirudh Gottumukkala wrote:

Hello

I am Anirudh. I need help to write a script to fetch details like IPs and 
speed limit from MySQL and add HTB rules at the starting of the 
server. It is for a small ISP I am working for.


Can anyone help me out! I had tried but failed to limit speed.

--
Anirudh Chowdary


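As an added example (not Nicolas's script and not anything from the LARTC list), the same rule generation done in Python with every database value validated before it gets near tc, and the commands built as argv lists instead of a shell string; it assumes rows of (mac, ip, limit) as in the SELECT above, the 172.16.0.0/16 LAN from the thread, and a fwmark mask of 0xffff (the mask is truncated in the post):

```python
"""tc HTB rules per host, from DB rows, as argv lists (no shell).

Added example, not the thread's PHP script. Assumed: rows are
(mac, ip, limit) as in the thread's SELECT, the LAN is 172.16.0.0/16,
and the fwmark mask is 0xffff (the post truncates it).
"""
import ipaddress
import re

INTERNAL_NET = ipaddress.ip_network("172.16.0.0/16")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
DEV, RATE = "eth2", "255kbit"


def check_internal_ip(ip):
    try:                      # well-formed IPv4 inside the LAN, nothing else
        return ipaddress.ip_address(str(ip)) in INTERNAL_NET
    except ValueError:        # "172.16.1.7; reboot" and the like land here
        return False


def build_rules(rows):
    """Root HTB qdisc, then one class + u32 filter per accepted host.
    limit 1 shapes only packets fwmarked 6, limit 2 shapes all traffic to
    the host; any other limit or a bad ip/mac drops the row, never runs it."""
    cmds = [["tc", "qdisc", "del", "dev", DEV, "root"],
            ["tc", "qdisc", "add", "dev", DEV, "root", "handle", "1:0", "htb"]]
    n = 1
    for mac, ip, limit in rows:
        if limit not in (1, 2) or not check_internal_ip(ip) \
                or not MAC_RE.match(str(mac).lower()):
            continue
        cid = f"1:{n}"
        cmds.append(["tc", "class", "add", "dev", DEV, "parent", "1:0",
                     "classid", cid, "htb", "rate", RATE, "burst", RATE])
        mark = ["match", "mark", "0x0006", "0xffff"] if limit == 1 else []
        cmds.append(["tc", "filter", "add", "dev", DEV, "protocol", "ip",
                     "parent", "1:0", "prio", "1", "u32"] + mark
                    + ["match", "ip", "dst", ip, "flowid", cid])
        n += 1
    return cmds


# Constructed sample rows: two valid hosts, three rows that must be dropped.
SAMPLE_ROWS = [("00:11:22:33:44:55", "172.16.255.132", 2),
               ("00:11:22:33:44:66", "172.16.255.145", 1),
               ("00:11:22:33:44:77", "10.0.0.1", 2),            # not on the LAN
               ("not-a-mac", "172.16.1.6", 2),
               ("00:11:22:33:44:88", "172.16.1.7; reboot", 2)]  # metacharacters
```

Each argv list is run as root with `subprocess.run(argv, check=True)`; with no shell involved, a bad row can at worst produce a tc syntax error, not a second command.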


[LARTC] Operation failed: such conntrack doesn't exist - when it does?

2007-07-31 Thread nic-lartc
Hi gurus, I want to destroy all state table entries/reset all connections 
for a particular client. When I issue conntrack -L -s <ip number>, it 
lists loads of state entries. When I issue conntrack -D -s <ip number> it 
answers "NFNETLINK answers: No such file or directory 
Operation failed: such conntrack doesn't exist."


I have googled the problem, but can find only either unanswered or 
"there was actually really a bug in conntrack on that kernel version, 
it is now fixed" posts from a while back.


Is this an error or is my syntax wrong/I am doing something silly?


Debugging info, including kernel version and strace (I am root):


dragon:/home/nicolas# conntrack -L -s 172.16.98.255
tcp  6 431690 ESTABLISHED src=172.16.98.255 dst=209.85.135.xxx 
sport=4956 dport=80 packets=4 bytes=1033 src=209.85.135.xxx 
dst=130.226.169.xxx sport=80 dport=4956 packets=3 bytes=1091 [ASSURED] 
mark=0 use=1
tcp  6 431983 ESTABLISHED src=172.16.98.255 dst=207.46.110.xxx 
sport=1050 dport=1863 packets=327 bytes=16935 src=207.46.110.xxx 
dst=130.226.169.xxx sport=1863 dport=1050 packets=177 bytes=17375 
[ASSURED] mark=0 use=1
tcp  6 315337 ESTABLISHED src=172.16.98.255 dst=80.252.91.xxx 
sport=4882 dport=80 packets=16 bytes=6768 src=80.252.91.xxx 
dst=130.226.169.xxx sport=80 dport=4882 packets=13 bytes=8626 [ASSURED] 
mark=0 use=2


... more cut for clarity ...

dragon:/home/nicolas# conntrack -D -s 172.16.98.255
NFNETLINK answers: No such file or directory
Operation failed: such conntrack doesn't exist

dragon:/home/nicolas# uname -a
Linux dragon 2.6.18-4-686 #1 SMP Wed May 9 23:03:12 UTC 2007 i686 GNU/Linux
(Debian Etch)

strace

dragon:/home/nicolas# strace conntrack -D -s 172.16.98.255


Re: [LARTC] limit bandwidth per host question

2007-05-08 Thread nic-lartc
If you mean BrazilFW? http://www.brazilfw.com.br this is not an option - 
we have a well functioning firewall with 4 interfaces, VPN, logging, an 
advanced quota system etc. We do not want a micro-floppy distro - just 
need to add traffic control to the existing Debian box.


Nicolas

hareram wrote:

Hi

look at the BFW does the job of all you need

hare
- Original Message - From: <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, May 08, 2007 7:21 AM
Subject: [LARTC] limit bandwidth per host question



EHLO tc gurus.

New to traffic control. Unfortunately, the politicians here in 
Denmark have decided that a PC is the same as a television set - so 
anyone owning a PC and internet connection of over 255 kbit/s must 
pay DKR 2200/year = EUR 300 = USD 400 in television licence fees :-( 
This is a lot of money for poor students, so we want to offer the 
students the *option* of limiting their download speed to 255 kbit/s. 
Limit must be per internal IP number (or MAC address, even better).


Situation: dorm rooms, 130 residents, Internet connection is 100 Mbit 
full duplex fiber Ethernet, never over 10% used. Router/firewall is a 
Debian/Etch box 650 MHz, 160 MB RAM, with kernel 2.6, iptables, 
netfilter iproute2 & everything necessary.


eth0 = internet, eth1 = DMZ, eth2 = internal NATted network, 
172.16.0.0/16


As far as I can see, this should do the trick?:

# delete all existing queue disciplines
tc qdisc del dev eth2 root

# attach queue discipline HTB to interface eth2 and give it handle 1:0
tc qdisc add dev eth2 root handle 1:0 htb

# host 1
tc class add dev eth2 parent 1:0 classid 1:1 htb rate 255kbit burst 
255kbit

tc filter add dev eth2 protocol ip parent 1:0 prio 1 u32 \
   match ip dst 172.16.255.132 flowid 1:1

# host 2
tc class add dev eth2 parent 1:0 classid 1:2 htb rate 255kbit burst 
255kbit

tc filter add dev eth2 protocol ip parent 1:0 prio 1 u32 \
   match ip dst 172.16.255.145 flowid 1:2

# etc etc etc

Questions:

1) Is this a good way of doing it?

2) TBF or HTB? I just chose HTB because it seems more flexible and 
has sane defaults, so I don't have to think so much. Are there any 
disadvantages?


3) Any clever suggestions on how to best implement the stupid law 
with the least harm to our users (for example, maybe we could have a 
relatively high burst bandwidth, with the real limiting to 255 Kbit/s 
only kicking in after several seconds? This might make normal web 
surfing seem almost unaffected?)


Thanks,
Nicolas



[LARTC] limit bandwidth per host question

2007-05-07 Thread nic-lartc

EHLO tc gurus.

New to traffic control. Unfortunately, the politicians here in Denmark 
have decided that a PC is the same as a television set - so anyone 
owning a PC and internet connection of over 255 kbit/s must pay DKR 
2200/year = EUR 300 = USD 400 in television licence fees :-( This is a 
lot of money for poor students, so we want to offer the students the 
*option* of limiting their download speed to 255 kbit/s. Limit must be 
per internal IP number (or MAC address, even better).


Situation: dorm rooms, 130 residents, Internet connection is 100 Mbit 
full duplex fiber Ethernet, never over 10% used. Router/firewall is a 
Debian/Etch box 650 MHz, 160 MB RAM, with kernel 2.6, iptables, 
netfilter iproute2 & everything necessary.


eth0 = internet, eth1 = DMZ, eth2 = internal NATted network, 172.16.0.0/16

As far as I can see, this should do the trick?:

# delete all existing queue disciplines
tc qdisc del dev eth2 root

# attach queue discipline HTB to interface eth2 and give it handle 1:0
tc qdisc add dev eth2 root handle 1:0 htb

# host 1
tc class add dev eth2 parent 1:0 classid 1:1 htb rate 255kbit burst 255kbit
tc filter add dev eth2 protocol ip parent 1:0 prio 1 u32 \
   match ip dst 172.16.255.132 flowid 1:1

# host 2
tc class add dev eth2 parent 1:0 classid 1:2 htb rate 255kbit burst 255kbit
tc filter add dev eth2 protocol ip parent 1:0 prio 1 u32 \
   match ip dst 172.16.255.145 flowid 1:2

# etc etc etc

Questions:

1) Is this a good way of doing it?

2) TBF or HTB? I just chose HTB because it seems more flexible and has 
sane defaults, so I don't have to think so much. Are there any 
disadvantages?


3) Any clever suggestions on how to best implement the stupid law with 
the least harm to our users (for example, maybe we could have a 
relatively high burst bandwidth, with the real limiting to 255 Kbit/s 
only kicking in after several seconds? This might make normal web 
surfing seem almost unaffected?)


Thanks,
Nicolas

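On question 3 (a large burst with the 255 kbit/s limit only biting later), an added example that is not from the thread: a token-bucket model of an HTB class using the thread's numbers, showing how much a host gets at full link speed for a given burst and how long a transfer then takes. It assumes tc's 1024-based parsing of `burst 255kbit` and ignores HTB's timer granularity and cburst.

```python
"""Token-bucket model of an HTB class with `rate` and `burst`.

Added example for question 3 of the thread, not code from the LARTC post.
HTB meters a class with a token bucket: tokens accrue at `rate`, at most
`burst` bytes are held, and a packet leaves only when the bucket holds its
full size. tc parses sizes with 1024-based units, so `burst 255kbit` is
255*1024/8 = 32640 bytes, roughly one second's worth at 255 kbit/s.
"""

RATE_BPS = 255_000 // 8              # tc "rate 255kbit": 255 000 bit/s (1000-based)
LINK_BPS = 100_000_000 // 8          # the 100 Mbit/s fibre, i.e. unshaped speed
BURST_TC_255KBIT = 255 * 1024 // 8   # bytes tc makes of "burst 255kbit"
MTU = 1500


def simulate_download(total_bytes, burst_bytes, rate=RATE_BPS,
                      link=LINK_BPS, mtu=MTU):
    """Push total_bytes through the bucket in mtu-sized packets.
    Returns (unshaped_seconds, total_seconds): how long the host keeps full
    link speed before a packet first waits for tokens, and how long the whole
    transfer takes. If no packet ever waits, both values are equal."""
    tokens = float(burst_bytes)      # idle host: bucket starts full
    t, sent, first_wait = 0.0, 0, None
    while sent < total_bytes:
        pkt = min(mtu, total_bytes - sent)
        if tokens < pkt:             # bucket empty: stall until it refills
            if first_wait is None:
                first_wait = t
            wait = (pkt - tokens) / rate
            t += wait
            tokens += wait * rate
        tokens -= pkt
        sent += pkt
        dt = pkt / link              # serialisation time; tokens keep accruing
        t += dt
        tokens = min(float(burst_bytes), tokens + dt * rate)
    return (t if first_wait is None else first_wait), t


def unshaped_bytes(burst_bytes, rate=RATE_BPS, link=LINK_BPS):
    """Closed form: while the host sends at link speed the bucket drains at
    (link - rate) bytes/s, so burst/(link - rate) seconds pass unshaped."""
    return burst_bytes * link / (link - rate)


if __name__ == "__main__":
    for burst in (BURST_TC_255KBIT, 1_000_000, 5_000_000):
        free, total = simulate_download(2_000_000, burst)
        print(f"burst {burst:>7} B: {unshaped_bytes(burst) / 1e3:6.0f} kB "
              f"unshaped, {free:.3f} s at line rate, 2 MB in {total:.1f} s")
```

With tc's default-sized burst the unshaped phase is a few milliseconds, so a burst that is meant to cover "normal web surfing" has to be sized in bytes against the pages users actually load, and a burst larger than the download never shapes it at all.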