Re: [LARTC] p2p marking, again
In the out chain you're marking them as mark 5, but only saving it as mark 7. That would cause you to possibly miss some tcp streams, but depending on the protocol a lot might be marked just from the incoming data. As for how much data was marked, look at the incoming counters: of the 100,854 packets, 78,910 had a mark restored, and 2904 were newly marked. That means 81814 out of 100,854 incoming packets were marked as p2p; that's 80% and a lot more than 625k.

Beyond the mark 5/7 mixup in the outgoing marking, you also didn't mention the IMQ rule in the previous email. Normally the

iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT

rule is good, as it makes sure the mark doesn't get changed again after it's been saved once and later restored. However, in this case it means the packet was leaving your chain before reaching the IMQ target. So for your case it should be safe to remove that rule. This will likely fix the problem you were really having of the incoming data not all going to the IMQ.

- Jody

On 2/7/06, Vaidas <[EMAIL PROTECTED]> wrote:
> All right...
>
> tc qdisc add dev $DEV root handle 2:0 htb default 20 r2q 2
> tc class add dev $DEV parent 2:0 classid 2:10 htb rate ${RATETOTAL}kbit
> tc class add dev $DEV parent 2:10 classid 2:20 htb rate ${RATETOTAL}kbit ceil ${RATETOTAL}kbit prio 0
> tc class add dev $DEV parent 2:10 classid 2:21 htb rate 1kbit ceil ${RATEUP}kbit prio 1
> tc qdisc add dev $DEV parent 2:20 handle 20:0 sfq perturb 10
> tc qdisc add dev $DEV parent 2:21 handle 21:0 sfq perturb 10
> tc filter add dev $DEV parent 2:0 prio 1 protocol ip handle 5 fw flowid 2:21
>
> iptables -t mangle -N DSL-OUT
> iptables -t mangle -I POSTROUTING -o $DEV -j DSL-OUT
> iptables -t mangle -A DSL-OUT -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A DSL-OUT -p tcp -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A DSL-OUT -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 5
> iptables -t mangle -A DSL-OUT -p tcp -m mark --mark 7 -j CONNMARK --save-mark
>
> ip link set imq0 up
> tc qdisc add dev imq0 root handle 2:0 htb default 20 r2q 2
> tc class add dev imq0 parent 2:0 classid 2:10 htb rate ${RATETOTAL}kbit
> tc class add dev imq0 parent 2:10 classid 2:20 htb rate ${RATETOTAL}kbit ceil ${RATETOTAL}kbit prio 0
> tc class add dev imq0 parent 2:10 classid 2:21 htb rate 2kbit ceil ${RATEDN}kbit prio 1
> tc qdisc add dev imq0 parent 2:20 handle 20:0 sfq perturb 10
> tc qdisc add dev imq0 parent 2:21 handle 21:0 sfq perturb 10
> tc filter add dev imq0 parent 2:0 prio 1 protocol ip handle 7 fw flowid 2:21
>
> iptables -t mangle -N DSL-IN
> iptables -t mangle -I PREROUTING -i $DEV -j DSL-IN
> iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A DSL-IN -m ipp2p --edk --dc --bit --soul -j MARK --set-mark 7
> iptables -t mangle -A DSL-IN -p tcp -m mark --mark 7 -j CONNMARK --save-mark
> iptables -t mangle -A DSL-IN -j IMQ --todev 0
>
> Still not working. I don't know what else to do, tried everything :/
> uTorrent has been downloading for half an hour, but the counters are...
>
> Chain DSL-OUT (1 references)
>   pkts   bytes target   prot opt in  out source   destination
>  80515 5464493 CONNMARK tcp  --  any any anywhere anywhere    CONNMARK restore
>  52501 3402390 ACCEPT   tcp  --  any any anywhere anywhere    MARK match !0x0
>   3593  464055 MARK     all  --  any any anywhere anywhere    ipp2p v0.8.0 --edk --dc --bit --soul MARK set 0x5
>      0       0 CONNMARK tcp  --  any any anywhere anywhere    MARK match 0x7 CONNMARK save
>
> Chain DSL-IN (1 references)
>    pkts    bytes target   prot opt in  out source   destination
>  100854 97487345 CONNMARK tcp  --  any any anywhere anywhere    CONNMARK restore
>   78190 92347437 ACCEPT   tcp  --  any any anywhere anywhere    MARK match !0x0
>    2904   625681 MARK     all  --  any any anywhere anywhere    ipp2p v0.8.0 --edk --dc --bit --soul MARK set 0x7
>     274    39048 CONNMARK tcp  --  any any anywhere anywhere    MARK match 0x7 CONNMARK save
>   30759  6358180 IMQ      all  --  any any anywhere anywhere    IMQ: todev 0
>
> Only 625681 bytes marked as p2p :(
>
> -----Original Message-----
> From: Jody Shumaker [mailto:[EMAIL PROTECTED]]
> Sent: 6 February 2006 21:23
> To: Vaidas
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] p2p marking, again
>
> Bah, I don't know why I didn't notice this before in your previous email. It's obvious now that you gave the stats output:
>
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark
>
> That line is horribly wrong; it should be:
>
> iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
>
> The whole point is that ipp2p can't match on every packet! So you save the mark and then restore it. However, you were conditionally restoring the mark only when ipp2p matched, which completely defeats the purpose. There's also no reason to have the "-m ipp2p --ipp2p" when
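To make the two points in the reply concrete (a conditional restore that defeats the save/restore idea, and an ACCEPT that ends the chain before the IMQ rule), here is a small model of the rule traversal. It is an added illustration, not the poster's script and not ipp2p or IMQ code. It assumes the iptables semantics the thread relies on: MARK, CONNMARK and IMQ are non-terminating targets, ACCEPT ends traversal for that packet, and the conntrack mark is one value shared by both directions of a connection. The flow it walks is constructed, with the ipp2p signature visible only on two early inbound packets, which is the situation the reply describes.

```python
"""Toy model of the mangle-chain behaviour discussed in the thread.

Added illustration, not the poster's script and not ipp2p/IMQ code.  It
assumes: MARK, CONNMARK and IMQ are non-terminating, ACCEPT ends traversal
for the packet, and the conntrack mark is shared by both directions.
"""

P2P = 7


def always(pkt):            # rule with no match clause
    return True


def ipp2p(pkt):             # -m ipp2p ...: fires only where the signature is visible
    return pkt["ipp2p"]


def mark_nonzero(pkt):      # -m mark ! --mark 0
    return pkt["mark"] != 0


def mark_is(value):         # -m mark --mark <value>
    return lambda pkt: pkt["mark"] == value


def make_flow(n_in=20, n_out=10, signature_on=(2, 3)):
    """Constructed bidirectional flow with interleaved in/out packets.
    Only inbound packets whose index is in `signature_on` look like p2p."""
    flow = []
    for i in range(max(n_in, n_out)):
        if i < n_in:
            flow.append({"dir": "in", "ipp2p": i in signature_on, "mark": 0})
        if i < n_out:
            flow.append({"dir": "out", "ipp2p": False, "mark": 0})
    return flow


def run_chains(chains, flow):
    """Walk each packet through the chain for its direction.

    `chains` maps "in"/"out" to an ordered list of (match, target) rules.
    Returns, per direction: packets seen, packets leaving with mark 7 (what a
    'handle 7 fw' tc filter would classify) and packets that reached IMQ."""
    conn = {"mark": 0}                      # conntrack mark, shared by both directions
    stats = {}
    for pkt in flow:
        d = pkt["dir"]
        s = stats.setdefault(d, {"total": 0, "mark7": 0, "imq": 0})
        s["total"] += 1
        for match, target in chains.get(d, []):
            if not match(pkt):
                continue
            if target == "RESTORE":         # CONNMARK --restore-mark
                pkt["mark"] = conn["mark"]
            elif target == "SAVE":          # CONNMARK --save-mark
                conn["mark"] = pkt["mark"]
            elif target == "IMQ":           # IMQ --todev 0, non-terminating
                s["imq"] += 1
            elif target == "ACCEPT":        # verdict: nothing after this rule runs
                break
            else:                           # ("MARK", value): MARK --set-mark
                pkt["mark"] = target[1]
        if pkt["mark"] == P2P:
            s["mark7"] += 1
    return stats


# The first ruleset in the thread: restore and save only when ipp2p matches.
CONDITIONAL_RESTORE = {
    "in": [(ipp2p, "RESTORE"), (mark_nonzero, "ACCEPT"),
           (ipp2p, ("MARK", P2P)), (ipp2p, "SAVE")],
}

# The second ruleset: unconditional restore, but ACCEPT before IMQ, and a
# DSL-OUT that sets mark 5 while only saving mark 7.
POSTED = {
    "in": [(always, "RESTORE"), (mark_nonzero, "ACCEPT"),
           (ipp2p, ("MARK", P2P)), (mark_is(P2P), "SAVE"), (always, "IMQ")],
    "out": [(always, "RESTORE"), (mark_nonzero, "ACCEPT"),
            (ipp2p, ("MARK", 5)), (mark_is(P2P), "SAVE")],
}

# The reply's advice applied: no ACCEPT in DSL-IN, so every packet reaches
# IMQ, and one mark value on both sides.
FIXED = {
    "in": [(always, "RESTORE"),
           (ipp2p, ("MARK", P2P)), (mark_is(P2P), "SAVE"), (always, "IMQ")],
    "out": [(always, "RESTORE"), (mark_nonzero, "ACCEPT"),
            (ipp2p, ("MARK", P2P)), (mark_is(P2P), "SAVE")],
}

if __name__ == "__main__":
    for name, chains in (("conditional restore", CONDITIONAL_RESTORE),
                         ("posted", POSTED), ("fixed", FIXED)):
        print(name, run_chains(chains, make_flow()))
```

With the conditional restore only the two signature packets end up marked; with unconditional restore 18 of 20 inbound packets do, but only the first 3 reach IMQ, because once the mark is restored the ACCEPT ends the chain before the IMQ rule, which is the pattern the IMQ counter in the posted output shows. Dropping the ACCEPT sends all 20 through IMQ with the same classification. The outbound side also shows why the 5/7 mismatch matters: the conntrack mark is shared, so outbound packets come back with the saved value 7 rather than 5, and a filter installed as `handle 5 fw` on $DEV would not pick them up.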
Re: [LARTC] p2p marking, again
Bah, I don't know why I didn't notice this before in your previous email. It's obvious now that you gave the stats output:

iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark

That line is horribly wrong; it should be:

iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark

The whole point is that ipp2p can't match on every packet! So you save the mark and then restore it. However, you were conditionally restoring the mark only when ipp2p matched, which completely defeats the purpose.

There's also no reason to have the "-m ipp2p --ipp2p" when saving the mark, as this adds more work than is necessary. Instead of:

iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark

I'd suggest:

iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark

as this match would be much faster, and would mean no redundant work on matching ipp2p.

I'd also suggest combining your tcp and udp matches for ipp2p into 1. I'd also suggest not using "-m ipp2p --ipp2p", instead listing out the protocols to match, even if it's all of them. For some reason, --ipp2p doesn't match all of the safe-to-identify protocols. I used it at one point but then after updating it stopped including bittorrent. As listed on the ipp2p docs right now:

-m ipp2p --ipp2p
-m ipp2p --edk --kazaa --gnu --dc

are identical, meaning --ipp2p only matches edonkey, kazaa, gnutella, and directconnect, leaving out the very easy to match and common Bittorrent. I'd suggest using:

-m ipp2p --edk --kazaa --gnu --dc --bit

In the end this would result in this for your script:

#restore mark
iptables -t mangle -A DSL-IN -p tcp -j CONNMARK --restore-mark
#skip rest of chain if packet already marked
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
#match p2p traffic.
iptables -t mangle -A DSL-IN -m ipp2p --bit --edk --kazaa --gnu --dc -j MARK --set-mark 7
#save mark
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark

- Jody

On 2/6/06, Vaidas <[EMAIL PROTECTED]> wrote:
> Hey, one more question for ipp2p
>
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark
> iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j MARK --set-mark 7
> iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark
> iptables -t mangle -A DSL-IN -p udp -m ipp2p --ipp2p -j MARK --set-mark 7
>
> With this set of commands, should all p2p packets get marked properly? Because very few of them are marked on my server...
>
> Chain DSL-IN (1 references)
>   pkts   bytes target   prot opt in  out source   destination
>  13708 2260152 CONNMARK tcp  --  any any anywhere anywhere    ipp2p v0.8.1_rc1 --ipp2p CONNMARK restore
>  11456 2016247 ACCEPT   tcp  --  any any anywhere anywhere    MARK match !0x0
>   2252  243905 MARK     tcp  --  any any anywhere anywhere    ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7
>   2252  243905 CONNMARK tcp  --  any any anywhere anywhere    ipp2p v0.8.1_rc1 --ipp2p CONNMARK save
>   1833 3003958 MARK     udp  --  any any anywhere anywhere    ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7
>
> Only a few Kbytes of tcp, and a few Mbytes of udp... but downloading was at 320 kbps all night
>
> __
> Vaidas
> VDXnet systems administrator

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[LARTC] p2p marking, again
Hey, one more question for ipp2p

iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --restore-mark
iptables -t mangle -A DSL-IN -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j MARK --set-mark 7
iptables -t mangle -A DSL-IN -p tcp -m ipp2p --ipp2p -j CONNMARK --save-mark
iptables -t mangle -A DSL-IN -p udp -m ipp2p --ipp2p -j MARK --set-mark 7

With this set of commands, should all p2p packets get marked properly? Because very few of them are marked on my server...

Chain DSL-IN (1 references)
  pkts   bytes target   prot opt in  out source   destination
 13708 2260152 CONNMARK tcp  --  any any anywhere anywhere    ipp2p v0.8.1_rc1 --ipp2p CONNMARK restore
 11456 2016247 ACCEPT   tcp  --  any any anywhere anywhere    MARK match !0x0
  2252  243905 MARK     tcp  --  any any anywhere anywhere    ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7
  2252  243905 CONNMARK tcp  --  any any anywhere anywhere    ipp2p v0.8.1_rc1 --ipp2p CONNMARK save
  1833 3003958 MARK     udp  --  any any anywhere anywhere    ipp2p v0.8.1_rc1 --ipp2p MARK set 0x7

Only a few Kbytes of tcp, and a few Mbytes of udp... but downloading was at 320 kbps all night

__
Vaidas
VDXnet systems administrator