PHP script to get MySQL data and make TC speed limit Re: [LARTC] (no subject)

2007-10-01 Thread nic-lartc

Dear Anirudh,

You will probably get better help if you write your setup, what you have 
tried, how it does not work, and write a subject.


Here is a PHP script which looks up IP numbers and limits in a database 
and generates a simple TC HTB limit rule per host.


You may be able to modify it to be useful for you.

Notes:

- This script is run from the console, not a web server. You will need 
command line PHP installed. Or you can rewrite it in a language of your 
choice.


- We only have two limit options: limit everything to 255 Kbit/s, or 
limit only packets that have been marked as "6" by some firewall rules 
to 255 Kbit/s. You will want to rewrite this bit to get the speed value 
from the database, but you can simplify the "marked as 6" bit away.


- Warning: we only limit download speed. You will probably want to limit 
upload speed as well! You will probably want to do this by matching on 
IP number on the way OUT of your INTERNET interface.



#!/usr/bin/php
<?php
// Run from the command line as root: it executes the generated tc commands.
// The pieces the post left out (DB connection, command templates, helpers) are
// filled in here; credentials, log path and the 0xffff mark mask are
// placeholders, not the original values.
$debug = isset($argv[1]) && $argv[1] == '--debug'; // --debug: print, do not run

// mysqli replaces the mysql_* functions, which PHP 7 removed.
$db = mysqli_connect('localhost', 'dbuser', 'dbpass', 'dbname')
   or die(mysqli_connect_error());

// Command templates, filled in with sprintf() below.
$cmd1 = "# host %d mac %s\n"
      . "tc class add dev eth2 parent 1:0 classid 1:%d htb rate 255kbit burst 255kbit\n";
$cmd2all = "tc filter add dev eth2 protocol ip parent 1:0 prio 1 u32 \\\n"
         . "   match ip dst %s \\\n"
         . "   flowid 1:%d\n";
$cmd2dkstream = "tc filter add dev eth2 protocol ip parent 1:0 prio 1 u32 \\\n"
              . "   match mark 0x0006 0xffff \\\n"
              . "   match ip dst %s \\\n"
              . "   flowid 1:%d\n";

// Row values end up in a shell command, so only a well-formed private IPv4
// address and a well-formed MAC are accepted; anything else is skipped.
function check_internal_ip($ip) {
   return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
       && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE) === false;
}
function check_mac($mac) {
   return preg_match('/^[0-9a-f]{2}(:[0-9a-f]{2}){5}$/i', $mac) === 1;
}
function logfile($text) {
   file_put_contents('/var/log/tc-limits.log', date('c') . "\n" . $text, FILE_APPEND);
}

$out = "# delete all existing queue disciplines\n"
     . "tc qdisc del dev eth2 root\n\n"
     . "# attach queue discipline HTB to interface eth2 and give it handle 1:0\n"
     . "tc qdisc add dev eth2 root handle 1:0 htb\n\n";

$sql_query = "SELECT mac, last_seen_ip, `limit` FROM mac_info WHERE 
`limit` > 0 AND expiry_date > NOW()";

$result = mysqli_query($db, $sql_query)
   or die(mysqli_error($db));

$i = 1;

while ($current_row = mysqli_fetch_assoc($result)) {
   $ip = $current_row['last_seen_ip'];
   $limit = $current_row['limit'];
   $mac = $current_row['mac'];

   if (check_internal_ip($ip) && check_mac($mac)) {
      $out .= sprintf($cmd1, $i, $mac, $i);

      if ($limit == 1)        // 1: only packets the firewall marked as 6
         $out .= sprintf($cmd2dkstream, $ip, $i);
      elseif ($limit == 2)    // 2: everything to this host
         $out .= sprintf($cmd2all, $ip, $i);

      $i++;
   }
   unset($ip); unset($limit); unset($mac);
}

if ($debug) {
   print $out;
} else {
   logfile($out);
   shell_exec($out); // run everything in 'out' through the shell
}
?>
---
The output looks like this:


# delete all existing queue disciplines
tc qdisc del dev eth2 root

# attach queue discipline HTB to interface eth2 and give it handle 1:0
tc qdisc add dev eth2 root handle 1:0 htb

# host 1 mac x
tc class add dev eth2 parent 1:0 classid 1:1 htb rate 255kbit burst 255kbit
tc filter add dev eth2 protocol ip parent 1:0 prio 1 u32 \
   match ip dst 172.16.xxx.xxx \
   flowid 1:1

# host 2 mac 
tc class add dev eth2 parent 1:0 classid 1:2 htb rate 255kbit burst 255kbit
tc filter add dev eth2 protocol ip parent 1:0 prio 1 u32 \
   match mark 0x0006 0x \
   match ip dst 172.16.xxx.xxx \
   flowid 1:2

--


Anirudh Gottumukkala wrote:

Hello

I am Anirudh. I need help to write a script to fetch details like IPs and 
speed limits from MySQL and add HTB rules when the server starts. It is 
for a small ISP I am working for.


Can anyone help me out? I have tried but failed to limit the speed.

--
Anirudh Chowdary


___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
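
The script above limits only download and puts database fields straight into a command string that is then handed to a shell. The following is an added example, not code from the original post or from its author, of a two-directional version written as a POSIX shell script: every record (MAC, IP, rate) is validated before it goes into a tc command, download is matched on the destination address on the LAN interface, upload on the source address on the Internet interface, and the rate per host comes from the record. The interface names eth2 (LAN) and eth1 (Internet), the 172.16.0.0/12 LAN range and the sample rows are assumptions and constructed data, not values from the post.

```shell
#!/bin/sh
# Added example (not the original poster's script): per-host HTB limits in
# both directions, built from validated records. Assumed: eth2 faces the
# LAN, eth1 faces the Internet, the LAN range is 172.16.0.0/12.
LAN_IF=eth2
WAN_IF=eth1

# Constructed sample rows in the shape of mac_info: mac, last_seen_ip, kbit.
# The last two rows are deliberately bad and must be skipped.
HOSTS='00:11:22:33:44:55 172.16.1.10 255
00:11:22:33:44:66 172.16.1.11 512
de:ad:be:ef:00:01 1.2.3.4 255
00:11:22:33:44:77 172.16.1.12;reboot 255'

# True only for a dotted quad inside 172.16.0.0/12.
is_lan_ip() {
    case "$1" in
        172.1[6-9].*.*|172.2[0-9].*.*|172.3[01].*.*) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# True only for a positive integer (kbit/s).
is_rate() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ]
}

# True only for six colon-separated hex octets.
is_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
    esac
    return 1
}

# Class and filter for one host in one direction: download is matched on the
# destination address leaving the LAN side, upload on the source address
# leaving the Internet side.
dir_rules() {
    d=$1 key=$2 n=$3 hip=$4 r=$5
    printf 'tc class add dev %s parent 1:0 classid 1:%d htb rate %dkbit ceil %dkbit\n' \
        "$d" "$n" "$r" "$r"
    printf 'tc filter add dev %s protocol ip parent 1:0 prio 1 u32 match ip %s %s/32 flowid 1:%d\n' \
        "$d" "$key" "$hip" "$n"
}

# Print the complete rule set; pipe it into sh as root to apply it.
gen_rules() {
    for d in "$LAN_IF" "$WAN_IF"; do
        printf 'tc qdisc del dev %s root 2>/dev/null\n' "$d"
        printf 'tc qdisc add dev %s root handle 1:0 htb\n' "$d"
    done
    cid=1
    printf '%s\n' "$HOSTS" | while read -r mac ip kbit; do
        if is_mac "$mac" && is_lan_ip "$ip" && is_rate "$kbit"; then
            printf '# host %d mac %s\n' "$cid" "$mac"
            dir_rules "$LAN_IF" dst "$cid" "$ip" "$kbit"
            dir_rules "$WAN_IF" src "$cid" "$ip" "$kbit"
            cid=$((cid + 1))
        else
            printf 'skipping bad record: %s %s %s\n' "$mac" "$ip" "$kbit" >&2
        fi
    done
}

gen_rules
```

Run it once to inspect the output, then `./gen_rules.sh | sh` as root to apply it; the two bad rows are reported on stderr and never reach the shell, which is the point of validating before building the command rather than after.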


Re: [LARTC] (no subject)

2005-10-15 Thread Marek Kierdelewicz
> Dear all,

Hi there!

> Please someone help me regarding how to merge 2 internet link
> connection. I need to double the speed into my LAN. Is it possible to
> do that?

Please read appropriate chapter of the Linux Advanced Routing and
Traffic Control Howto:

http://lartc.org/howto/lartc.loadshare.html

> KOMUNIKA SYSTEM
> Internet Solution Provider
> www.komunikasys.com

Marek Kierdelewicz
KoBa ISP


Re: [LARTC] (no subject)

2004-07-19 Thread Ed Wildgoose

> I want to block the IP traffic between any 2 hosts on a switched ethernet
> LAN. Will setting all the possible IP addresses on a linux machine in the
> LAN do the trick or there is another easier solution?

You need to arrange to have the Linux machine running as that switch, 
which is unlikely to be practical.

See if your switch has such options (if it's a high-end device).  
Otherwise your best option is to segregate the two LANs and then route 
or bridge between them; the Linux box will do filtering in the middle.

You haven't said what you are trying to achieve, so it's hard to offer 
better suggestions.


Re: [LARTC] (no subject)

2004-04-07 Thread Roy
UDP forwarding mostly cannot be controlled.
You can drop UDP packets but the server will not stop sending them to you
anyway.
(Of course this depends on the server software.)

TCP can be controlled, so it does not have this problem.

- Original Message - 
From: "Ibrahim Cherri" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 07, 2004 5:12 PM
Subject: [LARTC] (no subject)


> Hello
>
> I was testing HTB using IPerf TCP traffic and the results were very good.
> Until I tried to add some UDP traffic the results were a little strange.
> this is my setup
>
> tc qdisc del dev eth1 root
> tc qdisc add dev eth1 handle 1:0 root htb default 2
>
> tc class add dev eth1 parent 1:0 classid 1:1 htb rate 1mbit
> tc class add dev eth1 parent 1:1 classid 1:2 htb rate 500kbit ceil 1mbit
> tc class add dev eth1 parent 1:1 classid 1:3 htb rate 500kbit ceil 1mbit
>
> tc filter add dev eth1 protocol ip parent 1:0 prio 2 u32 match ip protocol
> 17 0xff flowid 1:3
>
> tc qdisc add dev eth1 parent 1:2 handle 20 pfifo limit 10
> tc qdisc add dev eth1 parent 1:3 handle 30 pfifo limit 10
>
> This simple setup should split the 1mbit bandwidth between TCP and UDP.
> I run 2 IPerf clients simultaneously
> Server:
> iperf -s -p 200
> iperf -s -p 400 -u
> Client:
> iperf -c $ServerIP -p 200
> iperf -c $ServerIP -p 400 -u
>
> then UDP traffic takes about 750kbit and TCP traffic takes about 250kbit
> Can anyone tell me why is that?
>
> thanx,
> Ibrahim
>
> _
> Protect your PC - get McAfee.com VirusScan Online
> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>



RE: [LARTC] (no subject)

2003-10-30 Thread Edmund Turner


Thanks Stef!!!
Regards
edmund

-Original Message-
From: Stef Coene [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 30, 2003 6:12 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [LARTC] (no subject)

On Thursday 30 October 2003 06:51, Edmund Turner wrote:
> Hey everyone,
>
> I tried to mark traffic based on per subnet as to the usual per ip.
> Example:
> tc class add dev eth0 parent 1:11 htb rate 400kbit ceil 500kbit prio 4
> tc filter add dev eth0 parent 1:0 protocol ip prio 7 u32 dst
> 192.168.0.0/24 classid 1:11
>
> After I enter this command, I did not get any errors.
> Does this mean that EACH IP belonging to that subnet will have a
> maximum rate of 400kbit?
No.

> Or does it mean that ALL the IPs in that subnet have a total of
> 400kbit?
Yes.

Stef

-- 
[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.openprojects.net



Re: [LARTC] (no subject)

2003-10-30 Thread Stef Coene
On Thursday 30 October 2003 06:51, Edmund Turner wrote:
> Hey everyone,
>
> I tried to mark traffic based on per subnet as to the usual per ip.
> Example:
> tc class add dev eth0 parent 1:11 htb rate 400kbit ceil 500kbit prio 4
> tc filter add dev eth0 parent 1:0 protocol ip prio 7 u32 dst
> 192.168.0.0/24 classid 1:11
>
> After I enter this command, I did not get any errors.
> Does this mean that EACH IP belonging to that subnet will have a maximum
> rate of 400kbit?
No.

> Or does it mean that ALL the IPs in that subnet have a total of 400kbit?
Yes.

Stef

-- 
[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.openprojects.net



Re: [LARTC] (no subject)

2003-09-01 Thread Stef Coene
On Monday 01 September 2003 20:05, Gabriel Corcodel wrote:
> Well,
> I came here with a strange problem.
> Let's have the following topology.
> Equipment A (IPAddr 192.168.1.x) - Interface 1 Linux Router
> (192.168.1.1)-Interface 2 Linux Router (192.168.2.1) - Equipment B (IPAddr
> 192.168.2.x)
> Quite simple, isn't it?
> What I want...
> I want a program onto the Linux Router which can modify the values of ping
> and packet loss which are obtained between equipments A and B.
> I want to ... shuffle the packets, to make, for example, that always
> packets 5,6 and 7 from a row of 8 packets sent from device A to B reach
> device B after the arrival of packet 8, etc.
> What's the point?
> I want to inform the customers which are using those
> equipments/applications that if the ping is increasing, let's say, over 180
> ms, or, if the packet loss is increased over 30% or the jitter, or... they
> will lose
> connectivity/they will experience [...] problems.
> And, in order for me to have this information, I have to emulate different
> aspects of a real network.
> So... how can I do this?
> Any ideas?
Only one :
http://snad.ncsl.nist.gov/itg/nistnet/

Stef

-- 

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net



Re: [LARTC] (no subject)

2003-07-30 Thread Stef Coene
On Wednesday 30 July 2003 19:04, Daniel Ardelian wrote:

This can be fun :)  A windows guy playing with traffic shaping :)

>   I have a 64 Kbps leased line IDSL connection (with static IP address). My
> modem is connected to the server via a 10 Mbps Ethernet connection. The
> server currently runs Win2000 Pro with Internet Connection Sharing to
> provide Internet access to my private network (10 workstations). I also use
> an Apache Web server to host my company's web page on this server. This
> configuration provided good service until the number of workstations
> increased from 5 to 10 and Kazaa appeared. If a user starts a longer
> download, others cant access the Internet. So I'm considering switching
> from Win2000 to Linux and using some sort of traffic shaping. Furthermore,
> the internal network will have to be split into 2 subnets for privacy
> purposes.
>   What I want to achieve looks something like this:
>
>   1) Incoming traffic (outside surfers visiting the company web page) must
> have the highest priority, and probably, for some time, the web server will
> still have to run on Win2000, until some CGI web apps are ported to linux
You can put your web-server in your LAN and do port forwarding :

# Redirecting incoming traffic on port 80 to your web-server (eth1 is your 
internet NIC and 192.168.1.253 is your web-server IP address)
 iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.253:80

> 2) The two internal subnets should have the same download priority, lower
> than incoming traffic
No problem.

>   3) The available bandwidth should be equally split between any active
> internal users (if only 1 user is active, it should get all available
> bandwitdh).
No problem.

>   Can anyone tell me if I can achieve all that with a linux box and 3 NIC's
> ? I have no previous linux experience, but after googling for a day or two,
> I know this:
>   1) I will have to use IP Masquerading
>   2) It looks like i should use the Stochastic Fairness Queueing (SFQ) to
> shape outgoing traffic
Not really.

>   3) I have no idea how to achieve requirement no. 1 (regarding incoming
> traffic to my web site before any other traffic)
>
>   Thanks in advance. Any suggestions are welcome, I dont expect anyone to
> solve the problem for me, maybe just some hints as to where I should look
> next...
Ok, first of all, you can only shape outgoing traffic.  If you have 3 NICs 
and want to shape traffic from the internet to you, this can be a problem.  But 
you can patch the kernel so you can create a virtual imq device.  And with 
simple iptables commands, you can redirect all incoming packets from the 
internet to this imq device.  The good news is you can shape on that imq 
device.

For the shaping part (once you have all the traffic entering the imq device), 
you have to create 3 classes : one for the web-server, one for subnet 1 and 
one for subnet 2.  The only problem you will have is splitting the traffic.  
Incoming traffic has the src address of the firewall so you can not use the 
src address to filter.

The classes can be htb or cbq class.  But I suggest you go for htb.  
To create the htb classes, see lartc.org and docum.org

Good luck :)

Stef

-- 

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net



Re: [LARTC] (no subject)

2003-03-22 Thread Nickola Kolev
On Sat, 22 Mar 2003 04:03:22 +0100
"Kjell Chris. Flor" <[EMAIL PROTECTED]> wrote:

Hello, Chris,

[ cut ]
> > Because it serves as sort of a virtual bucket (literally), in which you are
> > collecting packets, coming from the physical devices, once you "-j IMQ"-ed
> > them with iptables.
> 
> I've got three ADSL lines. ADSL1, ADSL2 and ADSL3.
> When packets arrives I mark them in IPtables with 1, 2 or 3 so I can
> know in my LAN interface what interface each packet arrived on at
> the INTERNET interfaces, so each packet can be put into a HTB class
> that represent each ADSL bandwidth.
> In addition to this I also match for dest IP in LAN, and put each IP
> in a different HTB class with different rates, ceil and prio. Also I
> use SFQ in HTB.
> 
> This is it for shaping incoming packets from Internet on ADSL 1-3,
> to my single LAN.

This is nice example of egress traffic control.

> Now I want to shape what is coming from LAN going out on Internet's
> ADSL lines. This I do by making three HTB qdiscs, one for each ADSL
> line. As my LAN is NATed I don't know from whom I got a packet,
> so I use mark in IPtables to identify an LAN IP with a HTB class.
> 
> This is how I shape. I don't know what is more clever, and I don't know
> how IMQ could help me to do this neater, but I really would like to know.

Well, if this is working for you, there's absolutely no need to use the IMQ
device, I think. :))

But nevertheless, you could use just one HTB, instead of three for each ADSL,
if you use iptables -j IMQ for packets coming from your LAN and going out
to the Internet, no matter to which line they're destined.

LAN
 |
ETH
 |
IMQ
 |
3xADSL

or sorta. :))) I really don't know if I made myself clear, but this is the idea
of using IMQ. In fact you'll be doing traffic control in a single point.

Hth,
Nickola




Re: [LARTC] (no subject)

2003-03-21 Thread Kjell Chris. Flor
>>>> Where and how exactly do I tell that a HTB
>>>> class should use which phy. dev.?
>>> You can do this with iptables + fw filter.  Mark the packets coming from
>>> each interface with a different mark and put the packets with the fw filter
>>> in its own class.
>>
>> But why do I need IMQ for this?
>
> Because it serves as sort of a virtual bucket (literally), in which you are
> collecting packets, coming from the physical devices, once you "-j IMQ"-ed
> them with iptables.

I've got three ADSL lines. ADSL1, ADSL2 and ADSL3.
When packets arrives I mark them in IPtables with 1, 2 or 3 so I can
know in my LAN interface what interface each packet arrived on at
the INTERNET interfaces, so each packet can be put into a HTB class
that represent each ADSL bandwidth.
In addition to this I also match for dest IP in LAN, and put each IP
in a different HTB class with different rates, ceil and prio. Also I
use SFQ in HTB.

This is it for shaping incoming packets from Internet on ADSL 1-3,
to my single LAN.

Now I want to shape what is coming from LAN going out on Internet's
ADSL lines. This I do by making three HTB qdiscs, one for each ADSL
line. As my LAN is NATed I don't know from whom I got a packet,
so I use mark in IPtables to identify an LAN IP with a HTB class.

This is how I shape. I don't know what is more clever, and I don't know
how IMQ could help me to do this neater, but I really would like to know.


regards,

Kjell



Re: [LARTC] (no subject)

2003-03-21 Thread Nickola Kolev
On Fri, 21 Mar 2003 23:38:17 +0100
"Kjell Chris. Flor" <[EMAIL PROTECTED]> wrote:

[ cut ]
> > > Where and how exactly do I tell that a HTB
> > > class should use which phy. dev.?
> > You can do this with iptables + fw filter.  Mark the packets coming from each
> > interface with a different mark and put the packets with the fw filter in
> > its own class.
> 
> But why do I need IMQ for this?

Because it serves as sort of a virtual bucket (literally), in which you are 
collecting packets, coming from the physical devices, once you "-j IMQ"-ed them
with iptables.

Hth,
Nickola




Re: [LARTC] (no subject)

2003-03-21 Thread Kjell Chris. Flor
> > Hi
> >
> > In the introduction of IMQ ( http://luxik.cdi.cz/~patrick/imq/ )
> > it sais:
> >
> > Quote start.
> > "This allows you to treat network devices
> > as classes and distribute bandwidth among
> > them as well as doing real ingress traffic
> > control using egress qdiscs"
> > quote stop.
> >
> > Where and how exactly do I tell that a HTB
> > class should use which phy. dev.?
> You can do this with iptables + fw filter.  Mark the packets coming from each
> interface with a different mark and put the packets with the fw filter in
> its own class.

But why do I need IMQ for this?

Kjell




Re: [LARTC] (no subject)

2003-03-08 Thread Stef Coene
On Sunday 02 March 2003 11:51, Kjell Chris Flor wrote:
> Hi
>
> In the introduction of IMQ ( http://luxik.cdi.cz/~patrick/imq/ )
> it sais:
>
> Quote start.
> "This allows you to treat network devices
> as classes and distribute bandwidth among
> them as well as doing real ingress traffic
> control using egress qdiscs"
> quote stop.
>
> Where and how exactly do I tell that a HTB
> class should use which phy. dev.?
You can do this with iptables + fw filter.  Mark the packets coming from each 
interface with a different mark and put the packets with the fw filter in 
its own class.

Stef

-- 

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net



Re: [LARTC] (no subject)

2003-03-01 Thread Martin A. Brown
Kjell,

 : Q1: How many different id's is possible for mark?
 : I would like to have about 2000. Is it possible?

fwmark is a u32, meaning it can accept values between 0 and 4294967295.

Is that large enough for you?  :)

 : Q1b: Is it possible to set an id as a function of the
 : src IP's? Could I mark with id 256*zzz+www when
 : src IP is xxx.yyy.zzz.www ?
 : This because I would like to help iptables not using
 : too much ticks, and it will reduce my code.

I wonder if you might make good use of the hashing functions supported by
tc filter:

  http://lartc.org/howto/lartc.adv-filter.hashing.html

I can't answer the performance question you imply here, but if the tc
filter hashing didn't work for me, then I'd use a little shell script loop
to create the entries.

Instead of doing this, though you might find it easier to put an SFQ qdisc
in the leaf HTB class and let SFQ do the hard work for you.  Then you
don't need the tc filter hashing.

You can separate your users by large classes, and make some special high
priority classes for picky users or yourself!

 : Q2: I am running 2.4.20 with static route patch,
 : and would like to patch this with
 : connbytes-1.0a-patches.tgz , any reason I shouldn't?

I don't know..

 : Q2b: Does a connbytes patch exist for 2.4.20 that
 : is already patched with static route?

I don't know this one either.

 : in adv.,
 : thnx for any answer that could lead to success.

Good luck,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]

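
Two messages on this page fit together here: Stef Coene's answer earlier on the page (a single filter on dst 192.168.0.0/24 sends the whole subnet into one class, so the 400kbit is shared, not per IP) and Martin Brown's suggestion just above (use tc filter hashing, or put SFQ in the leaf class, instead of one linear filter per host). The following is an added example, written for this page and not taken from either message, of the combination: one HTB class for the /24 with a leaf class per host underneath, the leaf selected through a u32 hash table keyed on the last octet of the destination address, and SFQ in each leaf. eth0, classid 1:11, the 192.168.0.0/24 prefix and the 400/500kbit figures are taken from Edmund's question; the number of hosts, the per-host rates, the hash table number 2: and the 1:1xx leaf ids are assumptions.

```shell
#!/bin/sh
# Added example, not from either message: one HTB class for a whole /24 with a
# leaf class per host underneath, reached through a u32 hash table keyed on the
# last octet of the destination address. eth0, classid 1:11 and 400/500 kbit
# come from Edmund's question; the host count and per-host rates are assumed.

# gen_subnet_rules DEV PREFIX NHOSTS
#   DEV     interface whose root qdisc is HTB with handle 1:
#   PREFIX  first three octets of the /24, e.g. 192.168.0
#   NHOSTS  hosts .1 .. .NHOSTS each get their own leaf class (1..254)
gen_subnet_rules() {
    dev=$1 prefix=$2 nhosts=$3
    case "$nhosts" in ''|*[!0-9]*) return 1 ;; esac
    [ "$nhosts" -ge 1 ] && [ "$nhosts" -le 254 ] || return 1

    # The subnet as a whole: 400kbit guaranteed, may borrow up to 500kbit.
    # This single class is all that the original /24 filter selects.
    printf 'tc class add dev %s parent 1:0 classid 1:11 htb rate 400kbit ceil 500kbit prio 4\n' "$dev"

    # Hash table 2: with 256 buckets. The root table 800: sends every packet
    # for the /24 into it; bucket index = last octet (mask 0xff at offset 16,
    # the destination address in the IP header). Each bucket then holds one
    # exact-match rule instead of every host being compared in turn.
    printf 'tc filter add dev %s parent 1:0 prio 5 protocol ip u32\n' "$dev"
    printf 'tc filter add dev %s parent 1:0 prio 5 handle 2: protocol ip u32 divisor 256\n' "$dev"
    printf 'tc filter add dev %s protocol ip parent 1:0 prio 5 u32 ht 800:: match ip dst %s.0/24 hashkey mask 0x000000ff at 16 link 2:\n' \
        "$dev" "$prefix"

    # Each host: an equal guaranteed slice of the parent rate, ceil = parent
    # ceil, and SFQ inside the leaf so one host's flows share its slice fairly.
    per_host=$((400 / nhosts))
    [ "$per_host" -ge 1 ] || per_host=1
    i=1
    while [ "$i" -le "$nhosts" ]; do
        printf 'tc class add dev %s parent 1:11 classid 1:1%02x htb rate %dkbit ceil 500kbit\n' \
            "$dev" "$i" "$per_host"
        printf 'tc qdisc add dev %s parent 1:1%02x handle 1%02x: sfq perturb 10\n' \
            "$dev" "$i" "$i"
        printf 'tc filter add dev %s protocol ip parent 1:0 prio 5 u32 ht 2:%x: match ip dst %s.%d flowid 1:1%02x\n' \
            "$dev" "$i" "$prefix" "$i" "$i"
        i=$((i + 1))
    done
}

gen_subnet_rules eth0 192.168.0 20
```

The hash bucket number and the leaf ids are written in hex because that is how tc reads them (host .20 lands in bucket 2:14: and class 1:114). With 254 hosts the guaranteed slice of a 400kbit parent is about 1kbit each, which is why the per-host rate is clamped to at least 1; in that case the ceil is what actually matters and a larger parent rate is the real fix.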


Re: [LARTC] (no subject)

2002-11-16 Thread Ashok N N

On Saturday 16 November 2002 05:18 pm, Stef Coene wrote:
> On Saturday 16 November 2002 22:54, Waters wrote:
> > Hello all!
> >
> > I'm on the DSL 1Mbit/256Kbit sharing a connection with my friends.
> > There is one big problem with it - when someone is uploading a file to
> > the Internet, speed for others is falling down. I figured out, if I
> > limit the outgoing speed for about 70% it could be better. I have a
> > iproute2 and iptables on my router, is there already some ready script
> > for limiting outgoing traffic (for all services) to the Internet?
> You can try the wondershaper (www.lartc.org).
> You can adapt it to your needs if you want.  More info on www.lartc.org and 
> www.docum.org.
> 
> Good luck :)
> 
> Stef
> 

hi,
A section in the Linux Advanced Routing & Traffic Control HOWTO
(http://lartc.org/howto/lartc.cookbook.ultimate-tc.html) is specifically about 
how to make sure that upload does not harm the downloads. The HOWTO itself is 
a very instructive document.

thanks,
ashok




Re: [LARTC] (no subject)

2002-11-16 Thread Stef Coene
On Saturday 16 November 2002 22:54, Waters wrote:
> Hello all!
>
> I'm on the DSL 1Mbit/256Kbit sharing a connection with my friends.
> There is one big problem with it - when someone is uploading a file to
> the Internet, speed for others is falling down. I figured out, if I
> limit the outgoing speed for about 70% it could be better. I have a
> iproute2 and iptables on my router, is there already some ready script
> for limiting outgoing traffic (for all services) to the Internet?
You can try the wondershaper (www.lartc.org).
You can adapt it to your needs if you want.  More info on www.lartc.org and 
www.docum.org.

Good luck :)

Stef

-- 

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net




Re: [LARTC] (no subject)

2002-10-25 Thread raptor
--mss value[:value]
  Match TCP SYN or SYN/ACK packets with the  specified  MSS  value
  (or  range), which control the maximum packet size for that con-
  nection.


TCPMSS
   This  target  allows to alter the MSS value of TCP SYN packets, to con-
   trol the maximum size for that connection (usually limiting it to  your
   outgoing  interface's  MTU minus 40). Of course, it can only be used in
   conjunction with -p tcp.
   This target is used to overcome criminally braindead  ISPs  or  servers
   which  block  ICMP  Fragmentation Needed packets.  The symptoms of this
   problem are that everything works fine from your Linux firewall/router,
   but machines behind it can never exchange large packets:
1) Web browsers connect, then hang with no data received.
2) Small mail works fine, but large emails hang.
3) ssh works fine, but scp hangs after initial handshaking.
   Workaround:  activate  this option and add a rule to your firewall con-
   figuration like:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu



|Dear all,
|
|I found this command in the HOWTO:
|
|iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128
|
|It resolves (almost) all my problems with the VoIP traffic on my Linux-based
|router.
|The question is: what does it do exactly? Is it safe to use?
|
|Thanks for your attention,



Re: [LARTC] (no subject)

2002-10-18 Thread Oskar Andreasson
The headers in the mail tells you how to unsub:

List-Unsubscribe: ,



Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net



On 18 Oct 2002, Nandan Kaushik wrote:

> sir,
> 
> please  unsubscribe from your mailing list
> 
> thanks
> nandan
> 
> 




Re: [LARTC] (no subject)

2002-10-15 Thread Stef Coene

On Friday 11 October 2002 23:17, Albuquerque, Marcelo M wrote:
> Stef,
>
> Thanks for the reply.
>
> I want my bridge to "emulate" a rate limit on the transmitter of the device
> connected to that particular bridge interface. That's why I need an ingress
> qdisc on each and every interface of my Linux bridge. This is what I tried:

> tc qdisc add dev eth4 handle : ingress
> tc filter add dev eth4 parent : protocol ip prio 50 u32 match ip \
> src 0.0.0.0/0 police rate 100kbit burst 10k drop flowid :1
>
> I didn't obeserve any rate reduction though. I suspect that on the bridge,
> packets are being forwarded and therefore the ip-related matches have no
> effect. How can I have the 'police rate 100kbit' portion of the command
> without the ip-related arguments?
All packets arriving are ip related, so the above command should work.  Can 
you test it without a switch?  Connect the box to a hub, send some data and 
record the speed.

Stef

-- 

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net





RE: [LARTC] (no subject)

2002-10-11 Thread Albuquerque, Marcelo M
Stef,

Thanks for the reply.

I want my bridge to "emulate" a rate limit on the transmitter of the device
connected to that particular bridge interface. That's why I need an ingress
qdisc on each and every interface of my Linux bridge. This is what I tried:

tc qdisc add dev eth4 handle : ingress
tc filter add dev eth4 parent : protocol ip prio 50 u32 match ip \
src 0.0.0.0/0 police rate 100kbit burst 10k drop flowid :1

I didn't obeserve any rate reduction though. I suspect that on the bridge,
packets are being forwarded and therefore the ip-related matches have no
effect. How can I have the 'police rate 100kbit' portion of the command
without the ip-related arguments?

Thanks,

Marcelo.

> -Original Message-
> From: Stef Coene [mailto:stef.coene@docum.org]
> Sent: Friday, October 11, 2002 12:37 PM
> To: Albuquerque, Marcelo M; '[EMAIL PROTECTED]'
> Subject: Re: [LARTC] (no subject)
> 
> 
> On Friday 11 October 2002 20:40, Albuquerque, Marcelo M wrote:
> > I am trying to limit the rate for all traffic on the incoming interface
of
> > a Linux bridge. So far I have only been able to limit the outgoing rate.
I
> > am assuming I will have to use an ingress qdisc. The example found on
the
> > documentation works without errors but I can't see any rate reduction
> > (maybe because it applies to SYN's only). Does anybody know if limiting
> > rate on the incoming interface is possible on a Linux bridge, and if so,
> > how to go about configuring it.
>
> If you shape on a bridge, why not shape on both interfaces?  That way you
> can shape in both directions.
> And you can use the ingress qdisc, but the shaping actually happens with the
> policers in combination with the filters.  Policers are a sort of tbf; you
> can specify a maximum rate to it.  So the filters will only match packets at
> a certain rate and you can drop packets exceeding that rate.  So you can
> limit incoming packets.
> 
> 
> Stef
> 
> -- 
> 
> [EMAIL PROTECTED]
>  "Using Linux as bandwidth manager"
>  http://www.docum.org/
>  #lartc @ irc.oftc.net
> 



Re: [LARTC] (no subject)

2002-10-11 Thread Stef Coene

On Friday 11 October 2002 20:40, Albuquerque, Marcelo M wrote:
> I am trying to limit the rate for all traffic on the incoming interface of
> a Linux bridge. So far I have only been able to limit the outgoing rate. I
> am assuming I will have to use an ingress qdisc. The example found on the
> documentation works without errors but I can't see any rate reduction
> (maybe because it applies to SYN's only). Does anybody know if limiting
> rate on the incoming interface is possible on a Linux bridge, and if so,
> how to go about configuring it.
If you shape on a bridge, why not shape on both interfaces?  That way you 
can shape in both directions.
And you can use the ingress qdisc, but the shaping actually happens with the 
policers in combination with the filters.  Policers are a sort of tbf; you 
can specify a maximum rate to it.  So the filters will only match packets at 
a certain rate and you can drop packets exceeding that rate.  So you can 
limit incoming packets.


Stef

-- 

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.oftc.net




Re: [LARTC] (no subject)

2002-08-18 Thread Eric Leblond

Le dim 18/08/2002 à 13:28, [EMAIL PROTECTED] a écrit :

> In normal operation I get 98Mbps, but when I use a cbq class and set the bandwidth 
> to 50Mbit I get 15Mbps, :(
> what is the TC bottleneck ?

The bandwidth parameter has to be set to the physical bandwidth (it is used in
internal computation), not to the desired one; use rate to specify
the bandwidth of the class.

-- 
Eric Leblond
Mail: [EMAIL PROTECTED]
Tips and Linux: http://www.regit.org
*---*
 Computers are like air conditioners. They don't work when Windows are
open.
*---*




Re: [LARTC] (no subject)

2002-07-24 Thread Stef Coene

On Thursday 25 July 2002 04:31, Alfred Quah wrote:
> Hi,
> I'm currently doing some tests on HTB and realised that cburst is a very
> important parameter that shapes the throughput of the traffic. Also I
> realise that if all the traffic is given the same priority in HTB, there
> are a lot of perturbations in the bandwidth consumed by each traffic. As a
> result, the rate and ceil are not well-managed. Why is this so. 
Can you post the script you use to test this?  There are other parameters which 
are also important and that can explain the behaviour you get.  And also the 
results why you think there is a problem.
cburst is indeed an important parameter.  Ideally, cburst = packet size.  So 
there is no burst on the ceil and you _never_ exceed the burst.  But you can 
make surfing more attractive by allowing a cburst so small pages/images are 
loaded very quickly.

> I'm using
> HTB2 code that i have downloaded from the home page. Is it because of the
> bug that is in HTB2?. Please Help!
I don't think so.

Stef

-- 

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.openprojects.net



Re: [LARTC] (no subject)

2002-05-23 Thread Alexey Talikov

Try to recompile or even upgrade your kernel to 2.2.20.
RH's own kernel, as I remember, has some problems.

23.05.2002 14:38:15, "Karasik, Vitaly" <[EMAIL PROTECTED]> wrote:

>We use   RH 7.0 [kernel 2.2.19-7 installed from Redhat's RPM].
>
>From time to time [time in a few days],   server is freezing [no
>ping].
>In the syslog I see a lot of
>
>"kernel: dst cache overflow"
>
>messages.
>
>
>I found a lot of recommendations about tuning parameters  under
>/proc/sys/net/ipv4/route, but I'd like to see some doc describing these
>parameters.
>
>Any help is welcome!
>
>Thanks,
>
>Vitaly  
>

---
mailto:[EMAIL PROTECTED]
BR
Alexey Talikov
FORTEK
---





Re: [LARTC] (no subject)

2002-05-19 Thread Martin Devera

equalize tries to probabilistically change between more
equal-cost gateways for each packet, while without equalize
it assigns one gateway for one src/dst pair for its life.
The latter is often better for more connections and slow links.
devik

On 18 May 2002, William L. Thomson Jr. wrote:

> What is the difference between
>
> ip route add default equalize
> and
> ip route add default
>
> when using more than one gateway?
>
> --
> Sincerely,
> William L. Thomson Jr.
> Obsidian-Studios, Inc.
> 439 Amber Way
> Petaluma, Ca. 94952
> Phone  707.766.9509
> Fax707.766.8989
> http://www.obsidian-studios.com
> --
> Sincerely,
> William L. Thomson Jr.
> Support Group
> Obsidian-Studios Inc.
> 439 Amber Way
> Petaluma, Ca. 94952
> Phone  707.766.9509
> Fax707.766.8989
> http://www.obsidian-studios.com
>
>
>




Re: [LARTC] (no subject)

2002-05-03 Thread Lei Bao

The data transfer port of FTP (in most cases at least) is 20 at the service 
side.
Try to match this. I have done this before.

bl

>From: Stef Coene <[EMAIL PROTECTED]>
>To: "Nandan Kaushik" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>Subject: Re: [LARTC] (no subject)
>Date: Fri, 3 May 2002 12:21:13 +0200
>
>On Friday 03 May 2002 11:09, Nandan Kaushik wrote:
> > hi all,
> > I am using the following CBQs to limit the FTP bandwidth.
> > Please tell what changes are required to make it work.
>You are only matching port 21.  This is only the command path.  There is 
>also
>a data-path in an ftp-channel.  But the data-channel has no fixed ports.  
>So
>you can't match them.   But there is an iptables hack that can mark all
>ftp-packets and after that you can use that mark with the fw filter to put
>all packets in a class.
>
>Stef
>
> >
> > tc qdisc del dev eth0  root
> > tc qdisc add dev eth0 root handle 1:0 cbq allot 1514 avpkt 1000
> > bandwidth 100Mbit
> > tc class add dev eth0 parent 1:0 classid 1:1 cbq allot 1514
> > bandwidth 100Mbit rate .4Mbit  weight .4 prio 2   maxburst 20 cell
> > 8 avpkt 1000
> >
> > tc class add dev eth0 parent 1:0  classid 1:2 cbq allot 1514
> > bandwidth 100Mbit rate .6Mbit weight .4 prio 4   cell 8 maxburst
> > 20 avpkt 1000
> >
> > tc qdisc add dev eth0 parent 1:1 handle 10:1 sfq
> >
> > tc qdisc add dev eth0 parent 1:2 handle 20:1 sfq
> >
> > tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip
> > sport 21  0x match ip dport 21 0x flowid 1:1
> >
> > ip route add 172.17.1.0/24 via 172.17.1.0 dev eth0 realm 10
> >
> > tc filter add dev eth0 parent 1:0 prio 2 protocol ip route to 10
> > flowid 1:2
> >
> > Thanks
> > NAndan
>
>--
>
>[EMAIL PROTECTED]
>  "Using Linux as bandwidth manager"
>  http://www.docum.org/
>  #lartc @ irc.openprojects.net







Re: [LARTC] (no subject)

2002-05-03 Thread Adrian Chung

On Fri, May 03, 2002 at 12:21:13PM +0200, Stef Coene wrote:
[...]
> you can't match them.   But there is a iptables-hack that can mark all 
> ftp-packets and after that you can use that mark with the fw filter to put 
> all packets in a class.

I searched for this a while back, and didn't see it in the standard
patch-o-matic stuff...  Do you know where it can be found (the patch
for marking ftp-packets)?

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[toad.enfusion-group.com] up 40 days, 20:27, 20 users




Re: [LARTC] (no subject)

2002-05-03 Thread Stef Coene

On Friday 03 May 2002 11:09, Nandan Kaushik wrote:
> hi all,
> I am using the following CBQs to limit the FTP bandwidth.
> Please tell what changes are required to make it work.
You are only matching port 21.  This is only the command path.  There is also 
a data-path in an ftp-channel.  But the data-channel has no fixed ports.  So 
you can't match them.   But there is an iptables hack that can mark all 
ftp-packets and after that you can use that mark with the fw filter to put 
all packets in a class.

Stef

>
> tc qdisc del dev eth0  root
> tc qdisc add dev eth0 root handle 1:0 cbq allot 1514 avpkt 1000
> bandwidth 100Mbit
> tc class add dev eth0 parent 1:0 classid 1:1 cbq allot 1514
> bandwidth 100Mbit rate .4Mbit  weight .4 prio 2   maxburst 20 cell
> 8 avpkt 1000
>
> tc class add dev eth0 parent 1:0  classid 1:2 cbq allot 1514
> bandwidth 100Mbit rate .6Mbit weight .4 prio 4   cell 8 maxburst
> 20 avpkt 1000
>
> tc qdisc add dev eth0 parent 1:1 handle 10:1 sfq
>
> tc qdisc add dev eth0 parent 1:2 handle 20:1 sfq
>
> tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip
> sport 21  0x match ip dport 21 0x flowid 1:1
>
> ip route add 172.17.1.0/24 via 172.17.1.0 dev eth0 realm 10
>
> tc filter add dev eth0 parent 1:0 prio 2 protocol ip route to 10
> flowid 1:2
>
> Thanks
> NAndan

-- 

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.openprojects.net
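The mark-then-classify approach Stef describes, as an added example that is not from any of the list posts: netfilter marks every FTP packet (control connection plus the conntrack-tracked data connection, whatever ports it lands on), and a tc "fw" filter steers marked packets into class 1:1 instead of matching port 21 alone. It assumes interface eth0, the cbq classes 1:1/1:2 from the posted script, fwmark 6 (the same mark value the PHP script at the top of the page uses), and a kernel with the conntrack ftp helper and the iptables "helper" match (the modern equivalents of the 2002 patch-o-matic hack).

```shell
#!/bin/sh
# Added example: shape FTP control and data traffic on eth0 by fwmark.
# Assumptions: eth0, existing cbq class 1:1, fwmark 6, nf_conntrack_ftp
# (ip_conntrack_ftp on 2.4) loaded, iptables "helper" match available.
DEV="${DEV:-eth0}"
MARK="${MARK:-6}"

# Print the netfilter rules that mark FTP traffic. The "helper" match only
# fires on connections whose master was tracked by the ftp helper, i.e. the
# RELATED data connections (active or passive mode, any port pair), so the
# port-21 control connection needs its own two rules.
ftp_mark_rules() {
    printf 'iptables -t mangle -A POSTROUTING -o %s -p tcp --sport 21 -j MARK --set-mark %s\n' "$DEV" "$MARK"
    printf 'iptables -t mangle -A POSTROUTING -o %s -p tcp --dport 21 -j MARK --set-mark %s\n' "$DEV" "$MARK"
    printf 'iptables -t mangle -A POSTROUTING -o %s -m helper --helper ftp -j MARK --set-mark %s\n' "$DEV" "$MARK"
}

# Print the tc filter that sends marked packets to class 1:1. "handle N fw"
# classifies on the fwmark, so no port numbers are involved at all; this
# replaces the posted "u32 match ip sport 21 ... dport 21" filter, which
# only ever saw the command channel.
ftp_fw_filter() {
    printf 'tc filter add dev %s parent 1:0 protocol ip prio 1 handle %s fw flowid 1:1\n' "$DEV" "$MARK"
}

# Emit the complete rule set. Review the output, then apply it as root
# with:  sh ftp-shape.sh | sh
ftp_shaping_cmds() {
    ftp_mark_rules
    ftp_fw_filter
}

ftp_shaping_cmds
```

Because the helper match keys on conntrack state rather than on ports, the same three mangle rules cover both active-mode (server port 20) and passive-mode transfers.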



Re: [LARTC] (no subject)

2002-04-20 Thread pof

On Sat, 20 Apr 2002 12:18:37 +0300
"Waters" <[EMAIL PROTECTED]> wrote:

> Hello lartc,
> 
> I've got Linux Slackware 8.0, I need to compile IPROUTE2, but it gives
> out an error. What modules should be enabled? Or what should I compile
> into kernel?
> 
> -- 
> Best regards,
>  Waters  mailto:[EMAIL PROTECTED]
> 

Here you have a Slackware package for iproute2:

http://pof.eslack.org/slackpacks/iproute2-2.4.7/

pof.

-- 
===
Name: Pau Oliva - Email: [EMAIL PROTECTED]
Linux user: #97195  - BSD user:  #BSD050609
WWW: www.eSlack.org - WWW:   pof.eSlack.org
===
:wq



Re: [LARTC] (no subject)

2002-04-20 Thread Stef Coene

On Saturday 20 April 2002 15:10, Mihai RUSU wrote:
> On Sat, 20 Apr 2002, Waters wrote:
> > Hello lartc,
> >
> > I've got Linux Slackware 8.0, I need to compile IPROUTE2, but it gives
> > out an error. What modules should be enabled? Or what should I compile
> > into kernel?
>
> Hi
>
> First of all, what kernel sources do you have in /usr/src/linux?
> Second, did you issue at least a make *config?
> Then, what version of iproute are you trying to compile?
Last question : what was the error ?

Stef

-- 

[EMAIL PROTECTED]
 "Using Linux as bandwidth manager"
 http://www.docum.org/
 #lartc @ irc.openprojects.net



Re: [LARTC] (no subject)

2002-04-20 Thread Mihai RUSU

On Sat, 20 Apr 2002, Waters wrote:

> Hello lartc,
>
> I've got Linux Slackware 8.0, I need to compile IPROUTE2, but it gives
> out an error. What modules should be enabled? Or what should I compile
> into kernel?
>
Hi

First of all, what kernel sources do you have in /usr/src/linux?
Second, did you issue at least a make *config?
Then, what version of iproute are you trying to compile?


Mihai RUSU

Disclaimer: Any views or opinions presented within this e-mail are solely
those of the author and do not necessarily represent those of any company,
unless otherwise specifically stated.




Re: [LARTC] (no subject)

2002-04-19 Thread Alex Bennee

Emil Terziev said:
> Hi ,
> I need to limit traffic from my LAN (172.16.1.x/24)
> every IP.
> 
>   I have BG_Traffic (couple LANs 212.50.16.0/24,
> 217.9.231.0/24, 195.24.39.0/24)
> and I have not_BG_Traffic (rest of Internet world).
> I want for example
> IP 172.16.1.10 to have 10K for BG_Traffic and 25K for
> not_BG_Traffic.
> IP 172.16.1.11 to have 6K for BG_Traffic and 64K for
> not_BG_Traffic.
> IP 172.16.1.12 to have 8K for BG_Traffic and 10K for
> not_BG_Traffic.
> 
> Can help me?  I’m newer with tc&iproute and this is
> very difficult for me.

If you look through the archive for this mailing list for an htb/tc script
you should find an example of how to classify traffic using iptables for tc
controlled shapers. As you want hard limits you may not want to use the
prio settings. Obviously you won't want to use the iptables classifications
I use (which go by traffic type) but use network matches instead.

You should also read the htb manual (http://luxik.cdi.cz/~devik/qos/htb/)
as it contains some useful worked examples that are pretty clear about the
parameters for htb shapers.


Alex
www.bennee.com/~alex/






Re: [LARTC] (no subject)

2002-03-29 Thread martin f krafft

also sprach Vahan Grigoryan <[EMAIL PROTECTED]> [2002.03.29.1203 +0100]:
> i have readed a HOWTO ... but if i wanted to apply any of its examples
> a received an error message
> 
> RTNETLINK answers: Invalid argument

have you compiled your kernel with the following options?

  CONFIG_IP_ADVANCED_ROUTER=y
  CONFIG_IP_MULTIPLE_TABLES=y

and the appropriate queuing disciplines under "QoS and fair queueing",
as well as enabled QoS and fair queueing there?

and btw: "i have readed a HOWTO" -- it's confusing but it's the
english language with all its exceptions... the past participle of "to
read" is "read", which is pronounced just like "red" -- ("to
read[reed]", but "to have read[red]").

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
this message represents the official view of the voices in my head.


