From: vadiraj c s

Hi all,

Has anyone used dead gateway detection patch? Anyone worked on it?
What do you feel about it?

regards
vadiraj

From rvk@gsecone.com Wed Oct 1 09:42:48 2003
From: rvk@gsecone.com (Raghuveer)
Date: Wed, 01 Oct 2003 14:12:48 +0530
Subject: [LARTC] Linux router configuration??
Message-ID: <3F7A9388.1040401@gsecone.com>

Ryan Johnson wrote:

>Could you send me the output of route -n?
>
>Your two network cards should not be in the same network, if they are, it is not a router. The whole purpose of a router is a gateway for clients on a network to get to another network that they (clients) do not know how to reach.
>
>Ryan

Anyway thanks Ryan, I just wanted to confirm from you, whether we can have two NIC's in a m/c connected to a same network.

Output of route -n is :-

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.2     0.0.0.0         UG    0      0        0 eth0

what I was expecting was:-

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.2     0.0.0.0         UG    0      0        0 eth0

Regards
-Raghu

>>Ryan Johnson wrote:
>>
>>>I am going to assume you want the most basic router, just two interfaces.
>>>
>>>1.) Make sure both network cards have been detected.
>>>ifconfig eth0
>>>ifconfig eth1
>>>
>>Can I have both the network cards in the same n/w...? Becoz If I try to
>>use both NIC's with the same n/w, running <$ route -n> we can see either
>>eth1 or eth0 repeated twice. Pls let me know where is the problem..?
>>
>>Regards
>>-Raghu
>>
>>>2.) Set up each interface on its own network, make sure the interface has been activated, you can use ifconfig for this.
>>>3.) issue the command
>>>echo 1 > /proc/sys/net/ipv4/ip_forward
>>>to enable ip forwarding, w/o this the kernel will not send packets between interfaces
>>>4.) set the clients behind the router to point to the internal ip of your router
>>>
>>>Any changes made to the system will have to be initialized during the boot process.
>>>
>>>Of course if you have ip addresses that you would like to nat/masq behind the router, you will have to use iptables.
>>>
>>>You really should be more specific on your needs.
>>>
>>>Good luck.
>>>
>>>>Good morning at all, thanks for previous help, but I have another ask. I have a few experience of Linux world's, and I need to configure a Linux PC as router, what are the steps? What do I do?
>>>>Thanks.
>>>>
>>>_______________________________________________
>>>LARTC mailing list / LARTC@mailman.ds9a.nl
>>>http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From stef.coene@docum.org Wed Oct 1 10:59:27 2003
From: stef.coene@docum.org (Stef Coene)
Date: Wed, 1 Oct 2003 11:59:27 +0200
Subject: [LARTC] Re: HTB and metro+int. limits
In-Reply-To: <002501c38788$e0db5b40$96fea8c0@admin>
References: <005f01c3877d$75c5b9a0$96fea8c0@admin> <20030930180707.5699.qmail@zulu.avenirsolutions.com> <002501c38788$e0db5b40$96fea8c0@admin>
Message-ID: <200310011159.27435.stef.coene@docum.org>

On Tuesday 30 September 2003 21:27, Alex wrote:
> Thanks for your reply, it really helps, but to take the question further,
> from what you have seen in my sample script, how should I classify packets
> with "tc" ? I don't know how to put them in separate classes. What I have
> in my script will only shape metro traffic, but for international how would
> the "tc" command be?
> Something like:
> /sbin/tc class add dev eth2 parent 1:2 classid 2:11 htb rate 50kbit ceil 100kbit prio 5
> /sbin/tc filter add dev eth2 parent 1:0 protocol ip prio 5 u32 match ip dst 192.168.254.10 flowid 1:11
> Would this be the correct commands?

No. You create a class with a wrong number. If the parent class is 1:x, the class name has to be 1:y.

> Thanks again.
>
> Alex
> ---begin my script----
> /sbin/tc qdisc add dev eth2 root handle 1: htb default 10
> /sbin/tc class add dev eth2 parent 1: classid 1:1 htb rate 10M
> #metro
> /sbin/tc class add dev eth2 parent 1:1 classid 1:10 htb rate 10M
> /sbin/tc filter add dev eth2 protocol ip parent 1:10 prio 3 handle 6 flowid 1:10

This filter will not do much (typo?). You attach it to class 1:10 (the parent parameter). This should be 1: so all packets leaving eth2 will be checked against this filter.
And is 10M working? Normally 10mbit is used.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From madhuri@cc.iitb.ac.in Wed Oct 1 11:07:56 2003
From: madhuri@cc.iitb.ac.in (Madhuri Patwardhan)
Date: Wed, 1 Oct 2003 15:37:56 +0530 (IST)
Subject: [LARTC] dead gateway detection in linux

Hi,

Few questions:

1] How does dead gateway detection happen in Linux?
2] I am using multipath default routes and I want the kernel to detect when a particular default route is down and stop using it. I would also like the kernel to detect when that particular default route is up and start reusing it.

From the reading that I have done so far I realized there are two options.

a] One option is to use Juliano's patches (http://www.ssi.bg/~ja/nano.txt). From what I understand Juliano's patches provide following. The patches let a static route be marked as 'dead' when it goes down. Also it detects that when the route is up and starts using it. However, it requires that we use NAT. I do not want to use NAT. In that case will his patches work for me? Another question regarding his patches is how does kernel detect when a route is dead?

b] second option is put together a simple script which pings and finds out when routes are dead and changes the multipath default routes accordingly. That is what I am doing now. I would like to know if there is a better option.

I would appreciate if more pointers/information/options are provided for failover mechanism in multipath default routes.

Thanks,
Madhuri

From zen30267@zen.co.uk Wed Oct 1 12:52:19 2003
From: zen30267@zen.co.uk (zen30267@zen.co.uk)
Date: Wed, 1 Oct 2003 11:52:19 GMT
Subject: [LARTC] Trying to understand Routing for muliple networks

Hi All,

I am trying to understand how to set up routing for multiple uplinks using a Bering firewall, using this document:
http://lartc.org/howto/lartc.rpdb.multiple-links.html

1) Am I correct in that I can safely leave out these commands, since these routes are automatically set up by Bering?

ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2

2) I am also struggling to understand which of the commands are responsible for ensuring that packets arriving on one interface are equally returned on the same interface. Is it achieved by this?

ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

or this?

ip route add $P0_NET dev $IF0 table T1
ip route add $P2_NET dev $IF2 table T1
ip route add 127.0.0.0/8 dev lo table T1
ip route add $P0_NET dev $IF0 table T2
ip route add $P1_NET dev $IF1 table T2
ip route add 127.0.0.0/8 dev lo table T2

Regards,
Simon Chalk.

From lpz@ornl.gov Wed Oct 1 14:29:17 2003
From: lpz@ornl.gov (Lawrence MacIntyre)
Date: Wed, 01 Oct 2003 09:29:17 -0400
Subject: [LARTC] RTP packet filtering
In-Reply-To: <200309302113.h8ULDbsO024630@beta.pucpr.br>
References: <200309302113.h8ULDbsO024630@beta.pucpr.br>
Message-ID: <1065014957.28805.16.camel@nautique>

I haven't tested this, but it should work:

tc filter ... \
  match ip protocol 17 0xff \
  match u16 0x8000 0xffff at nexthdr + 8

The first match selects udp and the second selects the protocol information and payload type. Note that there is more info there than just the protocol version (no padding, no extension, no CSIDs). Also, why is the type 00?

On Tue, 2003-09-30 at 17:13, Rafael Gustavo Gassner wrote:
> Hi all,
>
> I need to allow RTP packages on my network, but don't want to
> allow all UDP (And then I'll try to prioritize it), so I think I could do
> that using u32. I can see that all packages that are RTP have a field
> 80 00, as shown below (It is the protocol version and payload type):
>
> 0000 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
> 0010 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
> 0020 xx xx xx xx xx xx xx xx xx xx 80 00 xx xx xx xx
>
> Could someone give me a tip on how should the u32 filter look like?
>
> Thanks a lot,
>
> Rafael Gustavo Gassner

--
Lawrence MacIntyre 865.574.8696 lpz@ornl.gov
Oak Ridge National Laboratory
High Performance Information Infrastructure Technology Group

From: hare ram
Message-ID: <055c01c38820$d5a817c0$c2bf09ca@Housecall>

Hi

Please check the Julian Anastasov site
http://www.ssi.bg/~ja/
he has this patch

regards
hare

----- Original Message -----
From: "vadiraj c s"
Sent: Wednesday, October 01, 2003 11:04 AM
Subject: [LARTC] dead gateway

> Hi all,
>
> Has any one used dead gateway detection patch. Any one worked on it.
> What do you feel about it
>
> regards
> vadiraj

From alex@hostingcenter.ro Wed Oct 1 17:00:09 2003
From: alex@hostingcenter.ro (Alex)
Date: Wed, 1 Oct 2003 19:00:09 +0300
Subject: [LARTC] Re: HTB and metro+int. limits
References: <005f01c3877d$75c5b9a0$96fea8c0@admin> <20030930180707.5699.qmail@zulu.avenirsolutions.com> <002501c38788$e0db5b40$96fea8c0@admin> <200310011159.27435.stef.coene@docum.org>
Message-ID: <001701c38835$1cf6b3c0$96fea8c0@admin>

I'm sorry, but I'm still confused about assigning separate limits for metro and international traffic.
After I mark metro traffic with --set-mark 6 and int. traffic with --set-mark 5 what's the next step? Can someone give me an example? It seems that my approach is somehow wrong after marking of the packets.

Thanks again.

Alex

From alex@hostingcenter.ro Wed Oct 1 17:04:41 2003
From: alex@hostingcenter.ro (Alex)
Date: Wed, 1 Oct 2003 19:04:41 +0300
Subject: [LARTC] Re: HTB and metro+int. limits part2
References: <005f01c3877d$75c5b9a0$96fea8c0@admin> <20030930180707.5699.qmail@zulu.avenirsolutions.com> <002501c38788$e0db5b40$96fea8c0@admin> <200310011159.27435.stef.coene@docum.org>
Message-ID: <003201c38835$bad0b4b0$96fea8c0@admin>

I forgot to say that I have put my script on http://retea.hostingcenter.ro/htb.txt
Maybe someone could lead me to the correct syntax if there's something wrong.

Alex

From jean-rene.cormier@cipanb.ca Wed Oct 1 18:46:19 2003
From: jean-rene.cormier@cipanb.ca (Jean-Rene Cormier)
Date: Wed, 01 Oct 2003 14:46:19 -0300
Subject: [LARTC] Error compiling iproute
Message-ID: <1065030379.6645.18.camel@forbidden.cipanb.ca>

I'm trying to compile iproute2-2.4.7-now-ss020116-try.tar.gz with the htb3.6-020525 tc patch against a Linux 2.4.22 kernel. At first I would get an error message in the first lines and I found a workaround by removing the -I../include-glibc from the GLIBCFIX and the -O2 from the CCOPTS.
But now I'm getting errors when it tries to compile arpd.c

gcc -D_GNU_SOURCE -Wstrict-prototypes -Wall -g -I/usr/include/db3 -include ../include-glibc/glibc-bugs.h -I/usr/src/linux/include -I../include -DRESOLVE_HOSTNAMES -c -o arpd.o arpd.c
arpd.c: In function `do_one_request':
arpd.c:342: warning: passing arg 2 of pointer to function from incompatible pointer type
arpd.c:342: error: too few arguments to function
arpd.c:366: warning: passing arg 2 of pointer to function from incompatible pointer type
arpd.c:366: error: too few arguments to function
arpd.c:392: warning: passing arg 2 of pointer to function from incompatible pointer type
arpd.c:392: error: too few arguments to function
arpd.c:410: warning: passing arg 2 of pointer to function from incompatible pointer type
arpd.c:410: error: too few arguments to function
arpd.c:422: warning: passing arg 2 of pointer to function from incompatible pointer type
arpd.c:422: error: too few arguments to function
arpd.c: In function `get_arp_pkt':
arpd.c:520: warning: passing arg 2 of pointer to function from incompatible pointer type
arpd.c:520: error: too few arguments to function
arpd.c:530: warning: passing arg 2 of pointer to function from incompatible pointer type
arpd.c:530: error: too few arguments to function
arpd.c: In function `main':
arpd.c:670: warning: implicit declaration of function `dbopen'
arpd.c:670: warning: assignment makes pointer from integer without a cast
arpd.c:716: warning: passing arg 2 of pointer to function from incompatible pointer type
arpd.c:716: error: too few arguments to function
arpd.c:729: error: structure has no member named `seq'
arpd.c:729: error: `R_NEXT' undeclared (first use in this function)
arpd.c:729: error: (Each undeclared identifier is reported only once
arpd.c:729: error: for each function it appears in.)
arpd.c:840: error: too few arguments to function
arpd.c:844: error: too few arguments to function
make[1]: *** [arpd.o] Error 1
make[1]: Leaving directory `/usr/src/iproute2/misc'
make: *** [all] Error 2

Anybody know what I can do for this? I'm using GCC-3.3.1 and Glibc-2.3.2

Jean-Rene Cormier

From kristiadi_himawan@dtp.net.id Wed Oct 1 19:41:52 2003
From: kristiadi_himawan@dtp.net.id (Kristiadi Himawan)
Date: Thu, 2 Oct 2003 01:41:52 +0700
Subject: [LARTC] Htb on trunked line
Message-ID: <007e01c3884b$ae9dae80$0ea02bca@sapari>

Dear All,

I have configuration like this :

DVB     Modem
 |        |                           ___Link A
  \      /       trunk               /
  CiscoRouter ------------CiscoSwitch-------Link B
                                     \___
                                         Link C

Now i want to put a linux bandwidth manager using htb to control Link A-C bandwidth, but i don't know where to put the linux pc.
I ever try to put the linux pc at the trunked line between CiscoRouter and CiscoSwitch but found that all traffic always go to default class not to appropriate class and i think that's because of VLAN 802.1Q data format at that line so the filter always miss.

Any suggestion abt this kind of configuration?
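
Added illustration (not part of the list message): the post above suspects that the 802.1Q format on the trunk makes the filters miss. This Python sketch builds constructed frames and shows a classifier that expects EtherType 0x0800 at offset 12 sending every tagged frame to the default class, while one that skips the 4-byte tag classifies it. The networks, class ids, VLAN 3 and function names are assumptions made for the example, not values from the thread.

```python
import ipaddress
import struct

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100
DEFAULT_CLASS = "1:10"  # constructed: plays the role of the HTB default class

# Constructed rule table: destination network -> class id (hypothetical).
RULES = [
    (ipaddress.ip_network("10.0.1.0/24"), "1:11"),  # Link A
    (ipaddress.ip_network("10.0.2.0/24"), "1:12"),  # Link B
    (ipaddress.ip_network("10.0.3.0/24"), "1:13"),  # Link C
]


def build_frame(dst_ip, vlan_id=None):
    """Build a constructed Ethernet frame carrying a bare IPv4 header."""
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.ip_address("10.0.0.1").packed,
                     ipaddress.ip_address(dst_ip).packed)
    if vlan_id is None:
        return macs + struct.pack("!H", ETH_P_IP) + ip
    tci = vlan_id & 0x0FFF  # PCP=0, DEI=0, 12-bit VLAN id
    # On a dot1q trunk the tag sits between the MACs and the real EtherType.
    return macs + struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_IP) + ip


def _lookup(frame, ip_off):
    """Match the IPv4 destination (16 bytes into the IP header) against RULES."""
    dst = ipaddress.ip_address(frame[ip_off + 16:ip_off + 20])
    for net, classid in RULES:
        if dst in net:
            return classid
    return DEFAULT_CLASS


def classify_untagged_only(frame):
    """Classifier that expects EtherType 0x0800 at offset 12, IPv4 at offset 14."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_P_IP:
        return DEFAULT_CLASS  # tagged frames never reach the IP rules
    return _lookup(frame, 14)


def classify_vlan_aware(frame):
    """Same rules, but skips one 802.1Q tag before reading the IP header."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    ip_off, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan = tci & 0x0FFF
        ip_off = 18
    if ethertype != ETH_P_IP:
        return vlan, DEFAULT_CLASS
    return vlan, _lookup(frame, ip_off)


if __name__ == "__main__":
    for label, frame in (("untagged", build_frame("10.0.3.7")),
                         ("vlan 3", build_frame("10.0.3.7", vlan_id=3))):
        print(label, classify_untagged_only(frame), classify_vlan_aware(frame))
```
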

From paua@quicksilver.net.nz Wed Oct 1 19:55:50 2003
From: paua@quicksilver.net.nz (Steve Wright)
Date: 02 Oct 2003 06:55:50 +1200
Subject: [LARTC] Htb on trunked line
In-Reply-To: <007e01c3884b$ae9dae80$0ea02bca@sapari>
References: <007e01c3884b$ae9dae80$0ea02bca@sapari>
Message-ID: <1065034549.29469.17.camel@linuxathome.ath.cx>

On Thu, 2003-10-02 at 06:41, Kristiadi Himawan wrote:
> Dear All,
>
> I have configuration like this :
>
> DVB     Modem
>  |        |                           ___Link A
>   \      /       trunk               /
>   CiscoRouter ------------CiscoSwitch-------Link B
>                                      \___
>                                          Link C
>
> Now i want to put a linux bandwith manager using htb to controll Link
> A-C bandwith,
> but i don't know where to put the linux pc.
> I ever try to put the linux pc at the trunked line between CiscoRouter
> and CiscoSwitch but found that all traffic always go to default class
> not to appropriate class
> and i think that's because of VLAN 802.1Q data format at that line so
> the filter always miss.
>
> Any suggestion abt this kind of configuration?

remove all the cisco equipment and replace with Linux.. 8-)

Linux+iproute2+tc will easily do what you ask, and the cisco will not. The answer is that simple.
I wish there was a nice GUI config for this, but there is not, and it is very complicated for me to make.

I see your earlier question about "how to make this in Linux", and I would suggest you replace your VLAN config with a new Linux IPRoute2+tc config. There will be a lot of reading for you to do, however. 8-/
Google for "policy routing" and read about policy routing theory.

I think cisco should be very concerned about the day that Linux IPRoute2+tc has a GUI... Perhaps, after that day cisco will suddenly design routers that will run Linux. 8-))

best regards,
Steve

From kristiadi_himawan@dtp.net.id Wed Oct 1 21:39:15 2003
From: kristiadi_himawan@dtp.net.id (Kristiadi Himawan)
Date: Thu, 2 Oct 2003 03:39:15 +0700
Subject: [LARTC] Htb on trunked line
References: <007e01c3884b$ae9dae80$0ea02bca@sapari> <1065033820.12478.74.camel@big>
Message-ID: <00e301c3885c$144104c0$0ea02bca@sapari>

About your first option to plug the linux box to the switch and create vlan interfaces on it, i have try that before and the result some network can't reach because of arp incomplete.
And the second option to put linux box between router and switch is the better choice but i face new problem on it.
I already create transparent bridge (using eth0 and eth1) on the linux box and it's work.
But the problem occur when i try to shape the link using HTB or CBQ, the filter always miss.
I will try your suggestion to bridge every vlan interfaces in the linux box. I hope this is the solution.
Btw, do you already try this kind of configuration?

Thnx

----- Original Message -----
From: "Ryan Goldberg"
To: "Kristiadi Himawan"
Sent: Thursday, October 02, 2003 1:43 AM
Subject: Re: [LARTC] Htb on trunked line

> On Wed, 2003-10-01 at 13:41, Kristiadi Himawan wrote:
> > Dear All,
> >
> > I have configuration like this :
> >
> > DVB     Modem
> >  |        |                           ___Link A
> >   \      /       trunk               /
> >   CiscoRouter ------------CiscoSwitch-------Link B
> >                                      \___Link C
>
> Plug the linux box into the switch, set the link to dot1q, add
> subinterfaces on the linux box, set As and Cs routes to each other via
> the IPs on those subinterfaces, and do the shaping on those
> subinterfaces. Should work no problem.
>
> Or are you trying to put the linux box in between the switch and
> router? Then you'd have to talk dot1q to both devices and bridge each
> corresponding vlan to each other (e.g eth0.3 bridged with eth1.3) and
> do the shaping on those interfaces. That should also work.
>
> Ryan
>
> I don't about trying to shape on a "raw" trunked link...

From kristiadi_himawan@dtp.net.id Wed Oct 1 21:48:01 2003
From: kristiadi_himawan@dtp.net.id (Kristiadi Himawan)
Date: Thu, 2 Oct 2003 03:48:01 +0700
Subject: [LARTC] Htb on trunked line
References: <007e01c3884b$ae9dae80$0ea02bca@sapari> <1065034549.29469.17.camel@linuxathome.ath.cx>
Message-ID: <00f501c3885d$4e14fc00$0ea02bca@sapari>

Ya, i already use linux+iproute2+tc. The shaping is fine but not with the filter.
I already read a lot of docs but can't found the same case so if you have appropriate document links, i will be glad to read that... :)
Yeah...abt cisco i hope they hear that too :))

From jamie@jharris.homeip.net Wed Oct 1 22:06:13 2003
From: jamie@jharris.homeip.net (Jamie Harris)
Date: Wed, 1 Oct 2003 22:06:13 +0100 (BST)
Subject: [LARTC] Packet mangling latency
Message-ID: <33751.192.168.1.2.1065042373.squirrel@rincewind.jharris.homeip.net>

Firstly... sorry to those of you on both the netfilter and lartc list who'll end up with this message twice...

I am trying to find out what kind of latency I can expect when dNAT'ing UDP packets on (probably) a mid-range P3 server, 32-bit 33MHz PCI bus with Intel EEPro NICs. It'll most likely be running whatever the latest 2.4 kernel will be at the time, unless there are significant boosts in packet mangling performance in 2.6.

Sorry that this is such vague set of specs, but this is just a vague idea at the moment. Any suggestions for hardware that would be particularly suited to shifting packets with the lowest possibly latency would be much appreciated.

cheers.

Jamie...
PS Thanks to the Netfilter team for producing such a cracking frame work, thanks to the LARTC guys for making me feel like a newbie again :) -- ** This message was transmitted on 100% recycled electrons ** From gomi@perezoso.net Wed Oct 1 23:23:24 2003 From: gomi@perezoso.net (GoMi) Date: Thu, 2 Oct 2003 00:23:24 +0200 Subject: [LARTC] MSN Messenger automatically disconnects In-Reply-To: <00e301c3885c$144104c0$0ea02bca@sapari> Message-ID: =20 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I am doing traffic shaping with HTB, and my msn messenger version 6 = automatically disconnects every 5 minutes or so. Anyboyd had the same = problem? I am driving myself mad. Thank you! -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBP3tT3H7diNnrrZKsEQKtvgCgyDFKqKXfhWr/ESGMp6/n5ivDpBIAoPa6 BwDoMvpcalwTekHxcgwb1fy5 =3DVaRw -----END PGP SIGNATURE----- From rgoldber-list-lartc@bitburst.com Thu Oct 2 00:02:13 2003 From: rgoldber-list-lartc@bitburst.com (Ryan Goldberg) Date: Wed, 01 Oct 2003 18:02:13 -0500 Subject: [LARTC] Htb on trunked line In-Reply-To: <00e301c3885c$144104c0$0ea02bca@sapari> References: <007e01c3884b$ae9dae80$0ea02bca@sapari> <1065033820.12478.74.camel@big> <00e301c3885c$144104c0$0ea02bca@sapari> Message-ID: <1065049333.12478.88.camel@big> On Wed, 2003-10-01 at 15:39, Kristiadi Himawan wrote: > About your first option to plug the linux box to the switch and create vlan > interfaces on it, i have try that before and the result some network can't > reach because of arp uncomplete. Are A and C on different IP networks? With routes to each other via the IPs on the subinterfaces on the linux box and they can arp for those IPs, I don't see where the arp issue would come from. > And the second option to put linux box between router and switch is the > better choice but i face new problem on it. > I already create transparent bridge (using eth0 and eth1) on the linux box > and it's work. 
> But the problem occur when i try to shape the link using HTB or CBQ, the > filter always miss. > I will try your suggestion to bridge every vlan interfaces in the linux box. > I hope this is the solution. Yeah we do this it works fine. That is, with a bridge per VLAN. If you want to share bandwidth amond the interfaces though, you need to set up IMQ, which I have not done. > > On Wed, 2003-10-01 at 13:41, Kristiadi Himawan wrote: > > > Dear All, > > > > > > I have configuration like this : > > > > > > DVB Modem > > > | | ___Link A > > > \ / trunk / > > > CiscoRouter ------------CiscoSwitch-------Link B > > > \___Link C > > > > Ryan Goldberg wrote: > > Plug the linux box into the switch, set the link to dot1q, add > > subinterfaces on the linux box, set As and Cs routes to each other via > > the IPs on those subinterfaces, and do the shaping on those > > subinterfaces. Should work no problem. > > > > Or are you trying to put the linux box in between the switch and > > router? Then you'd have to talk dot1q to both devices and bridge each > > corresponding valn to each othter (e.g eth0.3 bridged with eth1.3) and > > do the shaping on those interfaces. That should also work. From kristiadi_himawan@dtp.net.id Thu Oct 2 00:40:18 2003 From: kristiadi_himawan@dtp.net.id (DTPNet Support) Date: Thu, 2 Oct 2003 06:40:18 +0700 Subject: [LARTC] Htb on trunked line References: <007e01c3884b$ae9dae80$0ea02bca@sapari> <1065033820.12478.74.camel@big> <00e301c3885c$144104c0$0ea02bca@sapari> <1065049333.12478.88.camel@big> Message-ID: <013401c38875$5f712e70$0ea02bca@sapari> Yah, A and C on different ip networks and also different vlan. It's only example, in the real test i use zebra with a lot of vlan interfaces and connect to some cisco switch. And discover that some networks in different vlan can't reach, when i try to see unreachable networks using arp, i found uncomplete arp from it. Until now i don't know why some vlans works fine but the others not.. 
:( I think it's because arp, may be need to wait for long time before arp get complete. I try this just for half an hour. ----- Original Message ----- From: "Ryan Goldberg" To: "Kristiadi Himawan" Cc: "lartc" Sent: Thursday, October 02, 2003 6:02 AM Subject: Re: [LARTC] Htb on trunked line > On Wed, 2003-10-01 at 15:39, Kristiadi Himawan wrote: > > About your first option to plug the linux box to the switch and create vlan > > interfaces on it, i have try that before and the result some network can't > > reach because of arp uncomplete. > > Are A and C on different IP networks? With routes to each other via the > IPs on the subinterfaces on the linux box and they can arp for those > IPs, I don't see where the arp issue would come from. > > > And the second option to put linux box between router and switch is the > > better choice but i face new problem on it. > > I already create transparent bridge (using eth0 and eth1) on the linux box > > and it's work. > > But the problem occur when i try to shape the link using HTB or CBQ, the > > filter always miss. > > I will try your suggestion to bridge every vlan interfaces in the linux box. > > I hope this is the solution. > > Yeah we do this it works fine. That is, with a bridge per VLAN. If you > want to share bandwidth amond the interfaces though, you need to set up > IMQ, which I have not done. > > > > On Wed, 2003-10-01 at 13:41, Kristiadi Himawan wrote: > > > > Dear All, > > > > > > > > I have configuration like this : > > > > > > > > DVB Modem > > > > | | ___Link A > > > > \ / trunk / > > > > CiscoRouter ------------CiscoSwitch-------Link B > > > > \___Link C > > > > > > Ryan Goldberg wrote: > > > Plug the linux box into the switch, set the link to dot1q, add > > > subinterfaces on the linux box, set As and Cs routes to each other via > > > the IPs on those subinterfaces, and do the shaping on those > > > subinterfaces. Should work no problem. 
> > >
> > > Or are you trying to put the linux box in between the switch and
> > > router?  Then you'd have to talk dot1q to both devices and bridge each
> > > corresponding vlan to each other (e.g eth0.3 bridged with eth1.3) and
> > > do the shaping on those interfaces.  That should also work.
> > >

From wdwrn@friendlycity.net Thu Oct 2 05:57:43 2003
From: wdwrn@friendlycity.net (Walter D. Wyndroski)
Date: Thu, 2 Oct 2003 00:57:43 -0400
Subject: [LARTC] MSN Messenger automatically disconnects
References:
Message-ID: <016301c388a1$b6e99760$0201a8c0@mother>

I am running MSN Messenger v6 and also running HTB with traffic shaping. I'm
not having any problems with Messenger. Do you have a firewall which might
be interfering with your Messenger connection?

WDW

----- Original Message -----
From: "GoMi"
To: "'lartc'"
Sent: Wednesday, October 01, 2003 6:23 PM
Subject: [LARTC] MSN Messenger automatically disconnects

> I am doing traffic shaping with HTB, and my msn messenger version 6
> automatically disconnects every 5 minutes or so. Anybody had the same
> problem? I am driving myself mad. Thank you!

**********************************************************************************************
* This message has been scanned by CityNET's email scanner for viruses and dangerous content *
* and is believed to be clean.  CityNET is proud to use MailScanner.  For more information   *
* concerning MailScanner, visit http://www.mailscanner.info                                  *
**********************************************************************************************

From jamie@jharris.homeip.net Thu Oct 2 08:36:55 2003
From: jamie@jharris.homeip.net (Jamie Harris)
Date: Thu, 2 Oct 2003 08:36:55 +0100 (BST)
Subject: [LARTC] Packet mangling latency
In-Reply-To: <7C9884991ADAE0479C14F10C858BCDF52E3708@alderaan.smgtec.com>
References: <7C9884991ADAE0479C14F10C858BCDF52E3708@alderaan.smgtec.com>
Message-ID: <63929.195.188.238.252.1065080215.squirrel@jharris.homeip.net>

> The server should be fine. What network bandwidths are you looking into?

Nothing wild, ~10Mb tops

> The more the bandwidth, the higher the requirements. Also, ram is useful
> if you have a lot of smaller connections passing through the server at
> once.

Memory should be a problem from what I've been reading, but at today's
prices I can just fill the box to capacity.

> In my experience I have never felt latency on the line.

What kind of applications and at what bandwidth yourself?  Some of the
traffic will be going to/from game servers so latency can become
noticeable.

cheers

Jamie...
--
** This message was transmitted on 100% recycled electrons **

From miller69@gmx.net Thu Oct 2 10:38:28 2003
From: miller69@gmx.net (Mike Miller)
Date: Thu, 2 Oct 2003 11:38:28 +0200 (MEST)
Subject: [LARTC] Packet mangling latency
References: <33751.192.168.1.2.1065042373.squirrel@rincewind.jharris.homeip.net>
Message-ID: <14667.1065087508@www67.gmx.net>

> I am trying to find out what kind of latency I can expect when dNAT'ing
> UDP packets on (probably) a mid-range P3 server, 32-bit 33MHz PCI bus with
> Intel EEPro NICs.  It'll most likely be running whatever the latest 2.4
> kernel will be at the time, unless there are significant boosts in packet
> mangling performance in 2.6.

It's not exactly what you want to know but have a look at
http://ilabws13.informatik.uni-leipzig.de/~mai97bwf/delay.html

Hope that helps a little.

Mike

From jamie@jharris.homeip.net Thu Oct 2 12:58:56 2003
From: jamie@jharris.homeip.net (Jamie Harris)
Date: Thu, 2 Oct 2003 12:58:56 +0100 (BST)
Subject: [LARTC] Packet mangling latency
In-Reply-To: <14667.1065087508@www67.gmx.net>
References: <33751.192.168.1.2.1065042373.squirrel@rincewind.jharris.homeip.net> <14667.1065087508@www67.gmx.net>
Message-ID: <64557.195.188.238.252.1065095936.squirrel@jharris.homeip.net>

> It's not exactly what you want to know but have a look at
> http://ilabws13.informatik.uni-leipzig.de/~mai97bwf/delay.html

Looks pretty good to me!

thanks

Jamie...

--
** This message was transmitted on 100% recycled electrons **

From vadiraj c s"

Hi,

  I'm working on multiple links routing strategy. At least one link is
always up, this is assured. I'm using julian's dead gateway detection patch
to detect the gateway is down.

  What is the patch doing here. I'm not clear with the patch...

1] It can't detect the dead link by itself. got to do it using ping or
   anything.

2] Ok we ping and tell the kernel the link is down, but it won't switch to
   the other up link immediately. we have to flush the cache for it to
   happen.
3] It won't come to the link if its up again... we have to flush the cache
   again..

My question is
1] Is there any way I can switch without flushing manually?

2] What is the patch doing here?

Please do respond soon as I'm in need of it immediately..

regards
vadiraj

From kristiadi_himawan@dtp.net.id Fri Oct 3 09:11:42 2003
From: kristiadi_himawan@dtp.net.id (Kristiadi Himawan)
Date: Fri, 3 Oct 2003 15:11:42 +0700
Subject: [LARTC] Htb on trunked line
References: <007e01c3884b$ae9dae80$0ea02bca@sapari> <1065033820.12478.74.camel@big>
Message-ID: <004401c38985$fb026640$04a02bca@melati>

I have try to create vlan from both side, eth0.106 and eth1.106 also br0.106
but why traffic from vlan 106 didn't enter into eth0.106,eth1.106,br0.106
although there's traffic.
Here's the interfaces statistic :

br0       Link encap:Ethernet  HWaddr 00:04:75:DA:26:34
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4101545 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:255233879 (243.4 Mb)  TX bytes:0 (0.0 b)

br0.106   Link encap:Ethernet  HWaddr 00:04:75:DA:26:34
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr 00:04:75:E9:58:B3
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2064270 errors:0 dropped:0 overruns:1 frame:0
          TX packets:2377003 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:152157356 (145.1 Mb)  TX bytes:342126806 (326.2 Mb)
          Interrupt:5 Base address:0xd800

eth0.106  Link encap:Ethernet  HWaddr 00:04:75:E9:58:B3
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth1      Link encap:Ethernet  HWaddr 00:04:75:DA:26:34
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2462723 errors:0 dropped:0 overruns:1 frame:0
          TX packets:1976909 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:348059246 (331.9 Mb)  TX bytes:146839806 (140.0 Mb)
          Interrupt:9 Base address:0xd880

eth1.106  Link encap:Ethernet  HWaddr 00:04:75:DA:26:34
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Here is tcpdump result from br0 :

14:47:00.374281 802.1Q vlan#106 P0 noc5.xxx.xxx.xx.33288 > IP-160-227.xxx.xxx.xx.ssh: . ack 112 win 63712 (DF) [tos 0x10]
14:47:00.578201 802.1d config 8001.00:0a:b7:ea:fa:00.8002 root 8001.00:0a:b7:ea:fa:00 pathcost 0 age 0 max 20 hello 2 fdelay 15
14:47:00.579819 0:a:b7:ea:fa:2 > 1:0:c:cc:cc:cd snap ui/C len=39
14:47:00.698593 802.1Q vlan#102 P7 1:0:c:cc:cc:cd > 0:a:b7:ea:fa:2 snap ui/C len=39
14:47:00.710374 802.1Q vlan#106 P7 1:0:c:cc:cc:cd > 0:a:b7:ea:fa:2 snap ui/C len=39
14:47:01.215717 802.1Q vlan#1 P2 CDP v2, ttl=180s DevID 'sw2-customer-5thfl' Addr (1): IPv4 192.168.2.6 PortID 'FastEthernet0/8' CAP 0x28[|cdp]

Any suggestion why ?

----- Original Message -----
From: "Ryan Goldberg"
To: "Kristiadi Himawan"
Sent: Thursday, October 02, 2003 1:43 AM
Subject: Re: [LARTC] Htb on trunked line

> On Wed, 2003-10-01 at 13:41, Kristiadi Himawan wrote:
> > Dear All,
> >
> > I have configuration like this :
> >
> > DVB Modem
> >  | |                                 ___Link A
> >  \ /          trunk                 /
> > CiscoRouter ------------CiscoSwitch-------Link B
> >                                     \___Link C
>
> Plug the linux box into the switch, set the link to dot1q, add
> subinterfaces on the linux box, set A's and C's routes to each other via
> the IPs on those subinterfaces, and do the shaping on those
> subinterfaces.  Should work no problem.
>
> Or are you trying to put the linux box in between the switch and
> router?  Then you'd have to talk dot1q to both devices and bridge each
> corresponding vlan to each other (e.g eth0.3 bridged with eth1.3) and
> do the shaping on those interfaces.  That should also work.
>
> Ryan
>
>
>
> I don't about trying to shape on a "raw" trunked link...
>
>

From alhakeem@blueyonder.co.uk Fri Oct 3 11:21:05 2003
From: alhakeem@blueyonder.co.uk (Abdul Hakeem)
Date: Fri, 3 Oct 2003 11:21:05 +0100
Subject: [LARTC] RE: IP over UDP Tunnel
In-Reply-To: <20031002083002.14870.89131.Mailman@outpost.ds9a.nl>
Message-ID: <04a401c38998$0deb8900$6500a8c0@solo>

Hello,
Can anyone spare tips on setting up a UDP tunnel over a DVB-S link ? I
am toying with the idea of an IP over UDP tunnel over a simplex or
forward only DVB-S link.
Cheers,
Abdul Hakeem

From util@deuroconsult.ro Fri Oct 3 11:25:42 2003
From: util@deuroconsult.ro (Catalin BOIE)
Date: Fri, 3 Oct 2003 13:25:42 +0300 (EEST)
Subject: [LARTC] RE: IP over UDP Tunnel
In-Reply-To: <04a401c38998$0deb8900$6500a8c0@solo>
References: <04a401c38998$0deb8900$6500a8c0@solo>
Message-ID:

On Fri, 3 Oct 2003, Abdul Hakeem wrote:

>
>
> Hello,
> Can anyone spare tips on setting up a UDP tunnel over a DVB-S link ? I
> am toying with the idea of an IP over UDP tunnel over a simplex or
> forward only DVB-S link.
> Cheers,
> Abdul Hakeem

http://vtun.sf.net

---
Catalin(ux) BOIE
catab@deuroconsult.ro

From vadiraj c s"

Hi all,

  I've been working on this dead gateway detection, I've encountered the
following problem

1] I have 2 interfaces with 2 public IPs
2] My DNS server is configured to one of the IP.

I have used julian's patch and loadbalance between two links, now I don't
know which link will be used every time I access the global links..

Here is a funny thing happening..

say
IP1 is first interface ip address
IP2 is second interface ip address

IP1 is used to resolve DNS.

when IP2 gets selected I tries to resolve through IP1 and no result..

If any one has used this kind of setup and has clear with concept please
mail back..

thanks in advance..

regards
vadiraj
deeproot linux Ltd

From =?ISO-8859-5?B?vdjW3djaILTV3djh?= Fri Oct 3 17:36:56 2003
From: =?ISO-8859-5?B?vdjW3djaILTV3djh?= (=?ISO-8859-5?B?vdjW3djaILTV3djh?=)
Date: Fri, 3 Oct 2003 20:36:56 +0400
Subject: [LARTC] Re: LARTC digest, Vol 1 #1392 - 4 msgs
In-Reply-To: <20031003044437.11924.90014.Mailman@outpost.ds9a.nl>
References: <20031003044437.11924.90014.Mailman@outpost.ds9a.nl>
Message-ID: <25302476.20031003203656@bibirevo.net>

Hello lartc-request,

Friday, October 03, 2003, 8:44:37 AM, you wrote:

lrmdn> Today's Topics:

lrmdn>    1. Re: MSN Messenger automatically disconnects (Walter D. Wyndroski)
lrmdn>    2. RE: Packet mangling latency (Jamie Harris)
lrmdn>    3. Re: Packet mangling latency (Mike Miller)
lrmdn>    4. Re: Packet mangling latency (Jamie Harris)

--
With best wishes,
 Denis                          mailto:denis@bibirevo.net

Powered by The Bat! 1.53d

From alex@hostingcenter.ro Sat Oct 4 01:52:54 2003
From: alex@hostingcenter.ro (Alex)
Date: Sat, 4 Oct 2003 03:52:54 +0300
Subject: [LARTC] htb errors, wrong patch?
Message-ID: <000701c38a11$d8a5fda0$96fea8c0@admin>

I downloaded iproute2-2.4.7-now-ss010824.tar.gz and I did patched tc with
the htb3.6_tc.diff from htb3.6-020525.tgz and when I try to use a htb script
I get just errors. I did not patch the kernel, since I use kernel 2.4.21 and
I saw on - HTB Homepage that I need to patch it only if I run version 2.4.20
or earlier. Do also need the kernel patch ? Or maybe is something else
wrong?

RTNETLINK answers: No such file or directory
Deleted old root disk on eth0
Unknown filter "flowid", hence option "1:10" is unparsable
Unknown filter "flowid", hence option "1:2" is unparsable
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument

Thanks!
Alex

From stef.coene@docum.org Sat Oct 4 10:41:08 2003
From: stef.coene@docum.org (Stef Coene)
Date: Sat, 4 Oct 2003 11:41:08 +0200
Subject: [LARTC] htb errors, wrong patch?
In-Reply-To: <000701c38a11$d8a5fda0$96fea8c0@admin>
References: <000701c38a11$d8a5fda0$96fea8c0@admin>
Message-ID: <200310041141.09189.stef.coene@docum.org>

On Saturday 04 October 2003 02:52, Alex wrote:
> I downloaded iproute2-2.4.7-now-ss010824.tar.gz and I did patched tc with
> the htb3.6_tc.diff from htb3.6-020525.tgz and when I try to use a htb
> script I get just errors. I did not patch the kernel, since I use kernel
> 2.4.21 and I saw on - HTB Homepage that I need to patch it only if I run
> version 2.4.20 or earlier. Do also need the kernel patch ? Or maybe is
> something else wrong?
>
> RTNETLINK answers: No such file or directory
> Deleted old root disk on eth0
> Unknown filter "flowid", hence option "1:10" is unparsable
> Unknown filter "flowid", hence option "1:2" is unparsable
> RTNETLINK answers: Invalid argument
> RTNETLINK answers: Invalid argument
> RTNETLINK answers: Invalid argument
> RTNETLINK answers: Invalid argument

Can you post us your commands and do you have the htb qdisc enabled in your
kernel config?

Stef

--
stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net

From Dragoş C."

Hi

Here’s the deal:
I have a LAN behind a linux box. The Linux box acts as a NAT to all the
hosts behind it.
I'm classifying my hosts with iptables:

/sbin/iptables -t mangle -A INPUT --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
...
/sbin/iptables -t mangle -A INPUT --in-interface $GREEN_DEV -s 192.168.1.7 -j MARK --set-mark 7

/sbin/iptables -t mangle -A OUTPUT --out-interface $GREEN_DEV -d 192.168.1.1 -j MARK --set-mark 1
...
/sbin/iptables -t mangle -A OUTPUT --out-interface $GREEN_DEV -d 192.168.1.7 -j MARK --set-mark 7

/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
...
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.7 -j MARK --set-mark 7

/sbin/iptables -t mangle -A POSTROUTING --out-interface $GREEN_DEV -d 192.168.1.1 -j MARK --set-mark 1
...
/sbin/iptables -t mangle -A POSTROUTING --out-interface $GREEN_DEV -d 192.168.1.7 -j MARK --set-mark 7

Then I want to give everybody a rate of 18kbit

# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev eth1 root 2> /dev/null > /dev/null
tc qdisc del dev eth0 root 2> /dev/null > /dev/null

tc qdisc add dev eth1 root handle 10: htb
tc class add dev eth1 parent 10: classid 10:10 htb rate 125kbit ceil 128kbit burst 4k

tc class add dev eth1 parent 10:10 classid 10:1 htb rate 18kbit ceil 128kbit prio 2 burst 4k
tc qdisc add dev eth1 parent 10:1 handle 1: sfq perturb 10
tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.1 flowid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.1 flowid 10:1
...
with hosts 2 to 7 works fine, while bandwidth of host 1 it is not shaped at
all (all packets go to default-root qdisc)

The 192.168.1 is running win xp and Zone Alarm firewall. Most of the hosts
are running WinXP with no problem.

My question:
Can it be that the packets are not being identified correctly because of the
ZA firewall on Host 1?
I had problems before with host 1 that blocked some ports with ZA that had
the result of freezing the workgroup while it was online. that problem was
fixed anyway.
Now please don't ask me to try to disable the ZA firewall because i have no
access to host1.

And another thing: iptraf shows correctly that traffic is made from host 1
and its rate.

Thanks

From alex@hostingcenter.ro Sat Oct 4 16:52:36 2003
From: alex@hostingcenter.ro (Alex)
Date: Sat, 4 Oct 2003 18:52:36 +0300
Subject: [LARTC] htb errors, wrong patch?
References: <000701c38a11$d8a5fda0$96fea8c0@admin> <200310041141.09189.stef.coene@docum.org>
Message-ID: <003701c38a8f$88453820$96fea8c0@admin>

I have everything cbq/htb and all the QoS stuff compiled directly in the
kernel, not as a module.
The script is at http://retea.hostingcenter.ro/htb.txt since is about 46k
and is too big to post here.

Thanks.
Alex

----- Original Message -----
From: "Stef Coene"
To: "Alex" ; "Lartc"
Sent: Saturday, October 04, 2003 12:41 PM
Subject: Re: [LARTC] htb errors, wrong patch?

> On Saturday 04 October 2003 02:52, Alex wrote:
> > I downloaded iproute2-2.4.7-now-ss010824.tar.gz and I did patched tc with
> > the htb3.6_tc.diff from htb3.6-020525.tgz and when I try to use a htb
> > script I get just errors. I did not patch the kernel, since I use kernel
> > 2.4.21 and I saw on - HTB Homepage that I need to patch it only if I run
> > version 2.4.20 or earlier. Do also need the kernel patch ? Or maybe is
> > something else wrong?
> >
> > RTNETLINK answers: No such file or directory
> > Deleted old root disk on eth0
> > Unknown filter "flowid", hence option "1:10" is unparsable
> > Unknown filter "flowid", hence option "1:2" is unparsable
> > RTNETLINK answers: Invalid argument
> > RTNETLINK answers: Invalid argument
> > RTNETLINK answers: Invalid argument
> > RTNETLINK answers: Invalid argument
> Can you post us your commands and do you have the htb qdisc enabled in your
> kernel config?
>
> Stef
>
> --
> stef.coene@docum.org
>  "Using Linux as bandwidth manager"
>      http://www.docum.org/
>      #lartc @ irc.openprojects.net

From stormlabs@gmx.net Sun Oct 5 02:20:07 2003
From: stormlabs@gmx.net (Ricardo Jorge da Fonseca Marques Ferreira)
Date: Sun, 5 Oct 2003 02:20:07 +0100
Subject: [LARTC] Layer 7 support for tcng ?
Message-ID: <200310050220.07999.stormlabs@gmx.net>

Yep, that's right. Does it exist somewhere ? Will it ever ?
Currently i use tcng for my bandwidth shaping and i really didn't want to
change to bare tc scripts.

--
+-------------------------------------------------------------------------+
|PGP Public Key: http://sys49152.net/pubkey.asc                           |
+-------------------------------------------------------------------------+

From dong@sunyard.net.tw Sun Oct 5 05:39:16 2003
From: dong@sunyard.net.tw (Nguyen Dang Phuoc Dong)
Date: Sun, 5 Oct 2003 11:39:16 +0700
Subject: [LARTC] HTB qdisc, why quantum <= 200000?
Message-ID: <001b01c38afa$a25b5ee0$d901a8c0@desknote>

Hi,

Can anybody explain to me why the upper limit of quantum of a HTB class is
200000? Why the author choose this number?
What if we expand this number, for instance, 500000?

Thank you in advance
Dong

From stef.coene@docum.org Sun Oct 5 09:26:50 2003
From: stef.coene@docum.org (Stef Coene)
Date: Sun, 5 Oct 2003 10:26:50 +0200
Subject: [LARTC] HTB qdisc, why quantum <= 200000?
In-Reply-To: <001b01c38afa$a25b5ee0$d901a8c0@desknote>
References: <001b01c38afa$a25b5ee0$d901a8c0@desknote>
Message-ID: <200310051026.50850.stef.coene@docum.org>

On Sunday 05 October 2003 06:39, Nguyen Dang Phuoc Dong wrote:
> Hi,
>
> Can anybody explain to me why the upper limit of quantum of a HTB class is
> 200000? Why the author choose this number? What if we expand this number,
> for instance, 500000?

500000 = 500000 byte = 500kilo byte.  So that means that 1 class can send
500kilobyte before another class can send something (this is only if they
are asking for more bandwidth than the rate).  It depends on your link
bandwidth how long this will take, but in most cases it will take a few
seconds and that's too long.  If you have a very fast link (100mbit or so),
you can use a higher quantum.

Stef

--
stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net

From hare ram"

Hi all

I am running now, Cisco Route-map using Multiple gateways
so i am manually forwarding the source ip address to different gateways
using routemap of cisco

Due to Limitation of the Router and process is High, i can not afford to go
for high end router.

So i have decided to Go for Linux Router with Multiple gateways

I have router 1 co-located at provider 1
I have router 2 co-located at provider 2
I have router 3 co-located at my NOC

From Provider 1 to My NOC and provider 2 to NOC are connected via Fiber and
its terminated to My Switch
Router 3 is also terminated to same Switch

All my other Aggregate router and Dialup and other Servers gateway is My
router 3 ( x.x.x.2)
My router 3 will decide which link the packets should go out using Route-map

Router3 ip address  x.x.x.2
Router 2 ip address x.x.x.3
Router 1 ip address x.x.x.4

Now I have Introduced My linux Box with all patches mention in nano.txt
I have Linux box with 4 interface

Eth1 connected to router 3 ( x.x.x.2)
Eth2 connected to router 2 ( x.x.x.3)
Eth3 connected to router 1 ( x.x.x.4)
Eth0 is connected to My LAN and allocated IP x.x.x.5 , So all my local
network should keep gateway of Eth0 ( x.x.x.5)

Now my linux box should decide the routes depend on the source IP address

Now my Questions are

1. can i make eth1, eth2, eth3 in bridge mode, so i no need to mention any
   ip address to those interface
2. so eth0 and router1,2,3, are in same subnet
3. i am running in BGP in cisco router, need to shift to this Linux box, is
   this zebra is stable, any expert comment.
4. if except eth0 have ip, rest all bridgemode, how does the iptables take
   care of routings
5, or i should use etables
6. is this possible that this linux box act as a bridge mode with out any IP
   on all interfaces and act as a router and decide the routes ( if yes,
   how ?)
7. how does the Link failure detects take place, since the router Ethernet
   Link will be up, because its connected to fiber, but if the wan link go
   down at the co-located router, how does the routes will take place and
   detect the link is down. and send them to other active Links.
thanks
some one will comment on this setup before i deploy, i want to take some
suggestions and go for live

thanks
hare

From gymer@odense.kollegienet.dk Mon Oct 6 07:12:43 2003
From: gymer@odense.kollegienet.dk (Lasse B. Jensen)
Date: Mon, 6 Oct 2003 08:12:43 +0200 (CEST)
Subject: [LARTC] Connection timeout on multipath
Message-ID:

Hey all

I have 5 adsl lines and have the following setup

        INTERNET
------------------------
ADSL lines 192.168.1.1-5
------------------------
   |   |   |   |   |
       ---------
        switch
       ---------
           |
       ---------
          eth1
      linux nat box
          eth0
       ---------
           |
       ---------
          LAN

Right now i do the following, which are working correctly:

I mark incoming packets via mark in iptables, connection are marked 1-5
Then i via 5 ip route tables adsl1-5 in each of them i specify the gateway
(one of the adsl lines 192.168.1.1-5)

This all works correctly.

However i would like to have all adsl lines on multipath.

i have tried:

Marking all traffic with mark 1
ip route table adsl1
ip route add table adsl1 default equalize proto static \
        nexthop via 192.168.1.1 dev eth1 \
        nexthop via 192.168.1.2 dev eth1 \
        nexthop via 192.168.1.3 dev eth1 \
        nexthop via 192.168.1.4 dev eth1 \
        nexthop via 192.168.1.5 dev eth1

I have applied the patches to the kernel from http://www.ssi.bg/~ja/#routes

I have a "ping-operation" in the background as described in the
dgd-usage.txt

All traffic now is now sent via one of the adsl lines, everything seems to
work, but !!!!

Programs from the lan-computer seems to timeout, i have tried quite some
thing but nothing seems to work!

Please help ;)

--
Lasse B. Jensen

From rgoldber-list-lartc@bitburst.com Mon Oct 6 11:58:21 2003
From: rgoldber-list-lartc@bitburst.com (Ryan Goldberg)
Date: Mon, 06 Oct 2003 05:58:21 -0500
Subject: [LARTC] Htb on trunked line
In-Reply-To: <004301c38bd1$19c51d00$0aa02bca@sapari>
References: <007e01c3884b$ae9dae80$0ea02bca@sapari> <1065033820.12478.74.camel@big> <00e301c3885c$144104c0$0ea02bca@sapari> <1065049333.12478.88.camel@big> <004301c38bd1$19c51d00$0aa02bca@sapari>
Message-ID: <1065437901.12478.115.camel@big>

On Mon, 2003-10-06 at 01:14, Kristiadi Himawan wrote:
> So you already succeed on bridging per vlan,
> could you tell me how to make such kind of configuration

I'll see if I can remember to grab the config from work today.  But
there shouldn't be much to it.  For instance our linux box sits between
a router and a 2924.  We trunk on port 24, and bridge 23 vlans across
into ports 1 - 23.  The linux box has eth0 and eth1, and interfaces
eth0.1, eth1.1 through eth0.23, eth1.23 are configured (vlans), and then
we create 23 bridges br1 through br23 and apply shaping to eth0.x and
eth1.x.

Ryan

From le-hen_j@epita.fr Mon Oct 6 15:44:58 2003
From: le-hen_j@epita.fr (jeremie le-hen)
Date: Mon, 6 Oct 2003 16:44:58 +0200
Subject: [LARTC] LIST_FIND in netfilter_ipv4/listhelp.h
Message-ID: <20031006144458.GD24864@carpediem.epita.fr>

Hi folks,

I'm currently trying to make a patch on conntrack module. While reading some
code I saw the following in include/linux/netfilter_ipv4/listhelp.h :

/* Works on circular linked list.  */
#define LIST_FIND(head, cmpfn, type, args...)           \
({                                                      \
        const struct list_head *__i = (head);           \
                                                        \
        ASSERT_READ_LOCK(head);                         \
        do {                                            \
                __i = __i->next;                        \
                if (__i == (head)) {                    \
                        __i = NULL;                     \
                        break;                          \
                }                                       \
        } while (!cmpfn((const type)__i , ## args));    \
        (type)__i;                                      \
})

Unless I really drank too much yesterday evening, I'm pretty sure this
algorithm will fail if the list has only one element, returning NULL
immediately without even trying to compare the element.
On the other hand, it seems to work pretty well for months, since it is widely used across the NetFilter conntrack code. So where am I wrong ?

Thanks in advance.
Regards,
--
Jeremie LE HEN aka TtZ/TataZ
jeremie.le-hen@epita.fr
ttz@epita.fr
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!

From lartc@mailman.ds9a.nl Mon Oct 6 16:48:29 2003
From: lartc@mailman.ds9a.nl (Lee Lists)
Date: Mon, 06 Oct 2003 17:48:29 +0200
Subject: [LARTC] Little script to save and restore ip rules
In-Reply-To: <20031006144458.GD24864@carpediem.epita.fr>
References: <20031006144458.GD24864@carpediem.epita.fr>
Message-ID: <3F818ECD.2080501@aacom.fr>

Hello,

I would like to have some testers for this script which should save and restore ip rules and associated tables.

Thanks

#!/bin/bash
#
# chkconfig: 2345 85 15
# description: save and restore ip rules settings
# config: /etc/sysconfig/iprules

# source function library
. /etc/rc.d/init.d/functions

CONFIG=/etc/sysconfig/iprules
RETVAL=0

case "$1" in
  save)
        echo -n "Saving ip rules:"
        rm $CONFIG > /dev/null 2>&1
        # one "ip ru add" line per rule, skipping the built-in rules 0, 32766, 32767
        ip ru ls | grep -v "^3276.:" | grep -v "^0:" |
            sed -e "s/://" -e "s/from all//" -e "s/^/ip ru add preference /" |
        while read LINE ; do
                echo $LINE >> $CONFIG
        done
        # one "ip ro add ... ta <table>" line per route in every non-default table
        ip ru ls | grep -v "lookup local" | grep -v "lookup main" | grep -v "lookup default" |
            sed -e "s/^.*lookup //" |
        while read LINE ; do
                ip ro ls ta $LINE | sed -e "s/$/ ta $LINE/" -e "s/^/ip ro add /" >> $CONFIG
        done
        echo
        ;;
  stop)
        echo -n "Stopping ip rules:"
        # flush every table referenced by a rule, then delete the rules themselves
        ip ru ls | grep -v "lookup local" | grep -v "lookup main" | grep -v "lookup default" |
            sed -e "s/^.*lookup //" |
        while read LINE ; do
                ip ro flush ta $LINE
        done
        ip ru ls | grep -v "^3276.:" | grep -v "^0:" |
            sed -e "s/://" -e "s/from all//" -e "s/^/ip ru del preference /" |
        while read LINE ; do
                /sbin/$LINE
        done
        rm -f /var/lock/subsys/rules
        echo
        ;;
  start)
        echo -n "Starting ip rules:"
        if [ -f /var/lock/subsys/rules ] ; then
                $0 stop
        fi
        # real start
        # every line of $CONFIG is run as a command by root, so the file
        # must be root-owned and not writable by group or others
        cat $CONFIG | while read LINE ; do
                /sbin/$LINE
        done
        touch /var/lock/subsys/rules
        echo
        ;;
  restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  status)
        # the posted script called "status gpm" here, a leftover from the gpm
        # init script; there is no daemon to query, so list the rules instead
        ip ru ls
        RETVAL=$?
        ;;
  *)
        echo "Usage: $0 {save|start|stop|status|restart|reload}"
        exit 1
esac

exit $RETVAL

From kristiadi_himawan@dtp.net.id Tue Oct 7 04:08:51 2003
From: kristiadi_himawan@dtp.net.id (Kristiadi Himawan)
Date: Tue, 7 Oct 2003 10:08:51 +0700
Subject: [LARTC] Htb on trunked line
References: <007e01c3884b$ae9dae80$0ea02bca@sapari> <1065033820.12478.74.camel@big> <00e301c3885c$144104c0$0ea02bca@sapari> <1065049333.12478.88.camel@big> <004301c38bd1$19c51d00$0aa02bca@sapari> <1065437901.12478.115.camel@big>
Message-ID: <003d01c38c80$55804cc0$0aa02bca@sapari>

Here is my scenario,

# create bridge 0
brctl addbr br0
brctl stp br0 off
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig eth0 up
ifconfig eth1 up
ifconfig br0 up

#create vlan 106
vconfig add eth0 106
vconfig add eth1 106

#create bridge 106 (vlan 106)
brctl addbr br106
brctl addif br106 eth0.106
brctl addif br106 eth1.106

I expect packet with vlan 106 would go to br106 and the others to br0.
Am I right?

----- Original Message -----
From: "Ryan Goldberg"
To: "Kristiadi Himawan"
Cc:
Sent: Monday, October 06, 2003 5:58 PM
Subject: Re: [LARTC] Htb on trunked line

> On Mon, 2003-10-06 at 01:14, Kristiadi Himawan wrote:
> > So you already succeed on bridging per vlan,
> > could you tell me how to make such kind of configuration
>
> I'll see if I can remember to grab the config from work today. But
> there shouldn't be much to it. For instance our linux box sits between
> a router and a 2924. We trunk on port 24, and bridge 23 vlans across
> into ports 1 - 23. The linux box has eth0 and eth1, and interfaces
> eth0.1, eth1.1 through eth0.23, eth1.23 are configured (vlans), and then
> we create 23 bridges br1 through br23 and apply shaping to eth0.x and
> eth1.x.
>
> Ryan
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

From xinli@hanwang.net.cn Tue Oct 7 07:10:53 2003
From: xinli@hanwang.net.cn (=?GB2312?Q?=C0=EE=EA=BF?=)
Date: Tue, 7 Oct 2003 14:10:53 +0800
Subject: [LARTC] RED question.
Message-ID:

Hi,

How does the RED algorithm detect that a queue enters the idle period? It seems there must be a mechanism. Can anybody explain it to me?

Thank you in advance.

Cong Lu

From tgr@reeler.org Tue Oct 7 15:25:08 2003
From: tgr@reeler.org (Thomas Graf)
Date: Tue, 7 Oct 2003 16:25:08 +0200
Subject: [LARTC] LIST_FIND in netfilter_ipv4/listhelp.h
In-Reply-To: <20031006144458.GD24864@carpediem.epita.fr>
References: <20031006144458.GD24864@carpediem.epita.fr>
Message-ID: <20031007142508.GH11250@rei.reeler.org>

Hi

* jeremie le-hen <20031006144458.GD24864@carpediem.epita.fr> 2003-10-06 16:44
> Unless I really drank too much yesterday evening, I'm pretty sure this
> algorithm will fail if the list has only one element, returning NULL
> immediately without even trying to compare the element.
> On the other hand, it seems to work pretty well for months, since it is
> widely used across the NetFilter conntrack code. So where am I wrong ?

The code is correct. Check include/linux/list.h, it's a cyclic list:

head->next points to first element
head->prev points to last element

the list iteration code will make it clear:

#define __list_for_each(pos, head) \
        for (pos = (head)->next; pos != (head); pos = pos->next)

Regards
--
Thomas GRAF

From john@jupiter.com Tue Oct 7 20:55:56 2003
From: john@jupiter.com (John Klingler)
Date: Tue, 07 Oct 2003 12:55:56 -0700
Subject: [LARTC] IP Failover
Message-ID: <3F831A4C.3090800@jupiter.com>

If anyone is interested, in my quest for a networking solution which provides IP Failover on heterogeneous redundant networks, I have listed the solutions I found below. I would welcome comments from anyone who is familiar with these.

  1. faild - I have included a description below of a program daemon which monitors the Ethernet connections and changes the routing tables when a failure is detected. IP Failover is all this simple program does. Being simple, however, makes it small and easy to port.
  2. High Availability Linux Project (HAL) (http://linux-ha.org/) has code available for FreeBsd and Solaris (and probably reasonably portable to other UNIX platforms). It supports virtual (redundant) servers but could probably therefore be configured to support redundant LANs.
  3. Advanced Network Services (ANS 2.3.x) for Linux* Operating Systems, which is available from Intel on both PCs and UNIX OS's. ANS provides IP Failover and much more, such as switch failover, load leveling, etc. See: http://www.intel.com/support/network/adapter/onlineguide/PRO1000/DOCS/SERVER/index.htm.
  4. Linux Virtual Server Project (LVS) - VRRPD, Virtual Router Redundancy Protocol (http://off.net/~jme/vrrpd/) which also provides IP Failover. It implements RFC2338 but is only available on Linux but may be portable. As with HAL, it is probably configurable to provide redundant LAN.

It seems the days of industry-wide standards and interoperability are becoming casualties of war.

John Klingler

Automatic IP Failover: faild

Figure 1 shows a typical redundant network configuration where all nodes are connected to two, separate Ethernet LANs (here referred to as Ethernet A and Ethernet B). Each node must have two Ethernet interfaces, one for each LAN. Distinct IP addresses are assigned to all Ethernet interfaces.

_____________________ . . .
        |                     |
    Host 1           Host 2
____|________ __|______ . . .

Figure 1: Typical Redundant Network Configuration

A route monitor daemon is started on all nodes. Each daemon is configured to be either a responder or both a requestor and responder. Typically the host daemons are requestor/responders.

Requestor daemons broadcast inquiry (INQ) packets on all available networks at a specified interval. Upon receiving an INQ each responder daemon sends back an acknowledgment (ACK) via the same route. These packets are all sent using UDP (Unreliable Datagram Protocol) so the daemons can quickly detect if a route is active.

If the requestor daemon does not get ACKs from a given node and if the responder daemon does not get INQs as expected, then each daemon independently determines that the particular route has become unreliable, or more likely, has gone dead. Each daemon then changes its local system routing tables so future traffic will be routed over the alternate (and presumably healthy) LAN. This detection and failover occurs very quickly, in a matter of a few seconds, depending on how the daemon's timing parameters are set.

When a route fails, network traffic carried by reliable protocols (such as X Window traffic via TCP -- Transmission Control Protocol) is held in abeyance until the IP stack recognizes that packets are not getting through. When the IP stack times out, packets waiting for delivery will be retransmitted. Since the daemon has changed the routing tables, the retransmitted packets will go via the new route.

The IP time-out time is the critical parameter determining how long it will take from initial route failure to establishing communication over the new route. This parameter may or may not be user-settable on your system. Field experience so far indicates lag times of 20-40 seconds before communication resumes.

As soon as the original route becomes reliable again, the daemon will restore the routing tables and communication resumes over the original interface. There should be no noticeable delay on the switchback. Request packet interval, failover interval, and switchback interval are all configurable.

To initiate a failover daemon on your host system, use the following convention:

faild [-r] [-t <n>] [-f <n>] [-s <n>] [-p <n>] [-l <p>]

    -r      should launch requestor
    -t <n> : timer interval (in secs) for sending of pkts
    -f <n> : num missed pkts before if is invalidated
    -s <n> : num good pkts before if is revalidated
    -p <n> : port number to use
    -l <p> : full path to message log file

  * Note: This daemon currently runs on VxWorks, Digital UNIX and Solaris, and is being ported to OpenVMS. Any other platforms would require porting the daemon to the target OS.
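
The miss/recover thresholds that the faild description gives for -f and -s, written out as an added example. This is not faild's code (its source is not part of this message); every identifier below is hypothetical, and it assumes Ethernet A is the original route that is preferred again once it has been revalidated.

```c
/* Added example: miss/recover hysteresis of a faild-style route monitor.
 * All identifiers are hypothetical; this is not faild's own source. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { LINK_A = 0, LINK_B = 1, NLINKS = 2 };   /* Ethernet A is the original route */

struct link_state {
    unsigned missed;   /* consecutive intervals without an ACK/INQ */
    unsigned good;     /* consecutive replies seen while invalidated */
    bool valid;
};

struct monitor {
    unsigned fail_after;      /* role of -f: missed pkts before invalidation */
    unsigned restore_after;   /* role of -s: good pkts before revalidation */
    struct link_state link[NLINKS];
    int active;               /* link the routing table currently points at */
    unsigned route_changes;   /* how often the routes were rewritten */
};

void monitor_init(struct monitor *m, unsigned fail_after, unsigned restore_after)
{
    memset(m, 0, sizeof(*m));
    m->fail_after = fail_after ? fail_after : 1;
    m->restore_after = restore_after ? restore_after : 1;
    for (int i = 0; i < NLINKS; i++)
        m->link[i].valid = true;
    m->active = LINK_A;
}

/* Fold one timer interval's observation into a link's state. */
static void link_observe(const struct monitor *m, struct link_state *l, bool reply)
{
    if (reply) {
        l->missed = 0;               /* a single reply ends a run of misses */
        if (!l->valid && ++l->good >= m->restore_after) {
            l->valid = true;
            l->good = 0;
        }
    } else {
        l->good = 0;                 /* a miss restarts the recovery count */
        if (l->valid && ++l->missed >= m->fail_after)
            l->valid = false;
    }
}

/* One timer interval: update both links, pick the route, return the active link. */
int monitor_tick(struct monitor *m, bool reply_a, bool reply_b)
{
    int want = m->active;            /* both links dead: leave the routes alone */

    link_observe(m, &m->link[LINK_A], reply_a);
    link_observe(m, &m->link[LINK_B], reply_b);
    if (m->link[LINK_A].valid)
        want = LINK_A;               /* switch back once A is revalidated */
    else if (m->link[LINK_B].valid)
        want = LINK_B;

    if (want != m->active) {         /* a real daemon would rewrite routes here */
        m->active = want;
        m->route_changes++;
    }
    return m->active;
}

/* Replay constructed traces ('1' = reply seen, '0' = lost): writes 'A' or 'B'
 * per interval into out and returns the number of route changes. */
unsigned replay(struct monitor *m, const char *a, const char *b, char *out, size_t outlen)
{
    size_t n = strlen(a) < strlen(b) ? strlen(a) : strlen(b);

    if (outlen == 0)
        return m->route_changes;
    if (n > outlen - 1)
        n = outlen - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = monitor_tick(m, a[i] == '1', b[i] == '1') == LINK_A ? 'A' : 'B';
    out[n] = '\0';
    return m->route_changes;
}

int main(void)
{
    struct monitor m;
    char out[32];

    monitor_init(&m, 3, 2);          /* thresholds as with -f 3 -s 2 */
    /* Constructed trace for A: a two-miss blip, a 3-interval outage, a flap, recovery. */
    unsigned changes = replay(&m, "100100010111", "111111111111", out, sizeof(out));
    printf("%s (%u route changes)\n", out, changes);
    return 0;
}
```

With these thresholds the two-miss blip on Ethernet A causes no route change, and the single good reply in the middle of the outage does not trigger a switchback, so the trace produces two route changes in total.
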
From gymer@odense.kollegienet.dk Tue Oct 7 20:59:09 2003
From: gymer@odense.kollegienet.dk (Lasse B. Jensen)
Date: Tue, 7 Oct 2003 21:59:09 +0200 (CEST)
Subject: [LARTC] Connection timeout on multipath
In-Reply-To:
References:
Message-ID:

Can't anyone help on this ?

--
Lasse B. Jensen

On Mon, 6 Oct 2003, Lasse B. Jensen wrote:

> Hey all
>
> I have 5 adsl lines and have the following setup
>
>         INTERNET
> ------------------------
> ADSL lines 192.168.1.1-5
> ------------------------
>    |    |    |    |    |
>        ---------
>         switch
>        ---------
>            |
>        ---------
>          eth1
>      linux nat box
>          eth0
>        ---------
>            |
>        ---------
>           LAN
>
> Right now i do the following, which is working correctly:
>
> I mark incoming packets via mark in iptables, connections are marked 1-5
>
> Then via 5 ip route tables adsl1-5, in each of them i specify the gateway
> (one of the adsl lines 192.168.1.1-5)
>
> This all works correctly.
>
> However i would like to have all adsl lines on multipath. i have tried:
>
> Marking all traffic with mark 1
>
> ip route table adsl1
>
> ip route add table adsl1 default equalize proto static nexthop via
> 192.168.1.1 dev eth1 nexthop via 192.168.1.2 dev eth1 nexthop via
> 192.168.1.3 dev eth1 nexthop via 192.168.1.4 dev eth1 nexthop via
> 192.168.1.5 dev eth1
>
> I have applied the patches to the kernel from
> http://www.ssi.bg/~ja/#routes
>
> I have a "ping-operation" in the background as described in the
> dgd-usage.txt
>
> All traffic is now sent via one of the adsl lines, everything seems to
> work, but !!!! Programs from the lan-computer seem to time out, i have
> tried quite some things but nothing seems to work! Please help ;)
>
> --
> Lasse B. Jensen
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

From alex@hostingcenter.ro Tue Oct 7 22:13:06 2003
From: alex@hostingcenter.ro (Alex)
Date: Wed, 8 Oct 2003 00:13:06 +0300
Subject: [LARTC] What's wrong here? HELP PLEASE!!!!
Message-ID: <002501c38d17$cd938ff0$96fea8c0@admin>

(this is a repost, nobody said anything about this so maybe it did not go through the list)

I downloaded iproute2-2.4.7-now-ss010824.tar.gz and I patched tc with the htb3.6_tc.diff from htb3.6-020525.tgz and when I try to use a htb script I get just errors. I did not patch the kernel, since I use kernel 2.4.22 and I saw on - HTB Homepage that I need to patch it only if I run version 2.4.20 or earlier. Do I also need the kernel patch ? Or maybe is something else wrong? (I also used the precompiled "tc" but the situation is the same)

Errors:
-------
RTNETLINK answers: No such file or directory
Deleted old root disk on eth1
Unknown filter "flowid", hence option "1:10" is unparsable
Unknown filter "flowid", hence option "1:2" is unparsable
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
.....etc (same error over and over...)

Part of my script (the full script is accessible on http://retea.hostingcenter.ro/htb.txt ..is too long to post here) :
-------
/sbin/tc qdisc add dev eth1 root handle 1: htb default 10
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 10mbit

/sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 5mbit
/sbin/tc filter add dev eth1 protocol ip parent 1:10 prio 5 handle 6 flowid 1:10

/sbin/tc class add dev eth1 parent 1:1 classid 1:2 htb rate 5mbit
/sbin/tc filter add dev eth1 protocol ip parent 1:10 prio 5 handle 5 flowid 1:2

/sbin/tc class add dev eth1 parent 1:10 classid 4:11 htb rate 128kbit ceil 256kbit prio 5
/sbin/tc filter add dev eth1 parent 1:10 protocol ip prio 5 u32 match ip dst 192.168.254.10 flowid 4:11

/sbin/tc class add dev eth1 parent 1:10 classid 4:12 htb rate 128kbit ceil 256kbit prio 5
/sbin/tc filter add dev eth1 parent 1:10 protocol ip prio 5 u32 match ip dst 192.168.254.11 flowid 4:12

....etc (full script at http://retea.hostingcenter.ro/htb.txt)

Thanks!

Alex

From stef.coene@docum.org Tue Oct 7 23:03:40 2003
From: stef.coene@docum.org (Stef Coene)
Date: Wed, 8 Oct 2003 00:03:40 +0200
Subject: [LARTC] What's wrong here? HELP PLEASE!!!!
In-Reply-To: <002501c38d17$cd938ff0$96fea8c0@admin>
References: <002501c38d17$cd938ff0$96fea8c0@admin>
Message-ID: <200310080003.40645.stef.coene@docum.org>

On Tuesday 07 October 2003 23:13, Alex wrote:
> (this is a repost, nobody said anything about this so maybe it did not go
> through the list)
> I downloaded iproute2-2.4.7-now-ss010824.tar.gz and I patched tc with
> the htb3.6_tc.diff from htb3.6-020525.tgz and when I try to use a htb
> script I get just errors. I did not patch the kernel, since I use kernel
> 2.4.22 and I saw on - HTB Homepage that I need to patch it only if I run
> version 2.4.20 or earlier. Do I also need the kernel patch ? Or maybe is
> something else wrong? (I also used the precompiled "tc" but the situation
> is the same)

Try to add set -x to your script on the second line. This will display all commands executed so you know exactly which command is going wrong.

You miss something in your filter statement. You have to specify the type of filter you want to use and in your case, that's the fw filter. See lartc.org and/or docum.org for fw filter examples.

Stef

>
> Errors:
> -------
> RTNETLINK answers: No such file or directory
> Deleted old root disk on eth1
> Unknown filter "flowid", hence option "1:10" is unparsable
> Unknown filter "flowid", hence option "1:2" is unparsable
> RTNETLINK answers: Invalid argument
> RTNETLINK answers: Invalid argument
> RTNETLINK answers: Invalid argument
> RTNETLINK answers: Invalid argument
> .....etc (same error over and over...)
>
> Part of my script (the full script is accessible on
> http://retea.hostingcenter.ro/htb.txt ..is too long to post here) :
> -------
> /sbin/tc qdisc add dev eth1 root handle 1: htb default 10
> /sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 10mbit
>
> /sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 5mbit
> /sbin/tc filter add dev eth1 protocol ip parent 1:10 prio 5 handle 6 flowid
> 1:10
>
> /sbin/tc class add dev eth1 parent 1:1 classid 1:2 htb rate 5mbit
> /sbin/tc filter add dev eth1 protocol ip parent 1:10 prio 5 handle 5 flowid
> 1:2
>
>
> /sbin/tc class add dev eth1 parent 1:10 classid 4:11 htb rate 128kbit ceil
> 256kbit prio 5
> /sbin/tc filter add dev eth1 parent 1:10 protocol ip prio 5 u32 match ip
> dst 192.168.254.10 flowid 4:11
>
> /sbin/tc class add dev eth1 parent 1:10 classid 4:12 htb rate 128kbit ceil
> 256kbit prio 5
> /sbin/tc filter add dev eth1 parent 1:10 protocol ip prio 5 u32 match ip
> dst 192.168.254.11 flowid 4:12
>
> ....etc (full script at http://retea.hostingcenter.ro/htb.txt)
>
> Thanks!
>
> Alex
>
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Tue Oct 7 23:08:03 2003
From: stef.coene@docum.org (Stef Coene)
Date: Wed, 8 Oct 2003 00:08:03 +0200
Subject: [LARTC] IP Failover
In-Reply-To: <3F831A4C.3090800@jupiter.com>
References: <3F831A4C.3090800@jupiter.com>
Message-ID: <200310080008.03644.stef.coene@docum.org>

On Tuesday 07 October 2003 21:55, John Klingler wrote:
> If anyone is interested, in my quest for a networking solution which
> provides IP Failover on heterogeneous redundant networks, I have listed
> the solutions I found below. I would welcome comments from anyone who is
> familiar with these.
>
> 1. faild - I have included a description below of a program daemon
> which monitors the Ethernet connections and changes the routing
> tables when a failure is detected. IP Failover is all this simple
> program does. Being simple, however, makes it small and easy to port.
> 2. High Availability Linux Project (HAL) (http://linux-ha.org/) has
> code available for FreeBsd and Solaris (and probably reasonably
> portable to other UNIX platforms). It supports virtual (redundant)
> servers but could probably therefore be configured to support
> redundant LANs.
> 3. Advanced Network Services (ANS 2.3.x) for Linux* Operating
> Systems, which is available from Intel on both PCs and UNIX OS's.
> ANS provides IP Failover and much more, such as switch failover,
> load leveling, etc. See:
>
> http://www.intel.com/support/network/adapter/onlineguide/PRO1000/DOCS/SERVE
>R/index.htm.
>
> 4. Linux Virtual Server Project (LVS) - VRRPD, Virtual Router
> Redundancy Protocol (http://off.net/~jme/vrrpd/) which also
> provides IP Failover. It implements RFC2338 but is only available
> on Linux but may be portable.
> As with HAL, it is probably
> configurable to provide redundant LAN.

If I was you, I should go for keepalived. This is part of LVS but you can also use it just for the ip Failover. Companies like IBM, RH, are using this so I think it can be trusted.

http://freshmeat.net/projects/keepalived/

"In addition, it implements a VRRPv2 stack to handle director failover. "

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stormlabs@gmx.net Wed Oct 8 00:06:03 2003
From: stormlabs@gmx.net (Ricardo Jorge da Fonseca Marques Ferreira)
Date: Wed, 8 Oct 2003 00:06:03 +0100
Subject: [LARTC] Layer 7 support for tcng ?
In-Reply-To:
References: <200310050220.07999.stormlabs@gmx.net>
Message-ID: <200310080006.15486.stormlabs@gmx.net>

On Tuesday 07 October 2003 21:15, Matthew Strait wrote:
>
> The plan is to port l7-filter to Netfilter. Once this is done, Netfilter
> can put marks on the packets that the pre-existing fw filter can use.
> This approach requires no changes to tcng (or tc). However, it does
> complicate shaping, since two steps are needed rather than one (i.e.
> "mark HTTP as 6; limit 6 to 1mbps", rather than "limit HTTP to 1mbps").
> In the long term, I'd like to have full layer7 support in both QoS and
> Netfilter.

This would be perfect. It doesn't really complicate my setup since i already use shorewall as firewall and that has support for marking packets already.

Is this anywhere near to being usable ? Will it be 2.6 only ?

--
+-------------------------------------------------------------------------+
|PGP Public Key: http://sys49152.net/pubkey.asc                           |
+-------------------------------------------------------------------------+

From pcaritj@riovia.net Wed Oct 8 00:58:55 2003
From: pcaritj@riovia.net (Paul Caritj)
Date: Tue, 07 Oct 2003 19:58:55 -0400
Subject: [LARTC] Scenario
Message-ID: <3F83533F.1000809@riovia.net>

Gents,

I've been thinking about shit for awhile, but thought I might defer to the group:

What is the best way to establish per-user bandwidth throttles in an ISP-like environment using TC? I am going to have to support something like 4000 users and I get kernel panics if I create that many QDISCs :)

-Paul

From s042@euroluce.com.au Wed Oct 8 05:08:01 2003
From: s042@euroluce.com.au (Daniel Horth)
Date: Wed, 8 Oct 2003 14:08:01 +1000
Subject: [LARTC] ADSL with PPP failover
Message-ID:

Hi - I've been looking around for simple answers to this for a while now, but haven't been able to find any HOW-TO type documentation.

I am administering a site with a remote location connected primarily via a cipe tunnel over a SHDSL connection. We also have a direct PSTN connection between the sites. Seeing as phone calls here are not timed I plan to keep the PSTN connection alive even when the cipe tunnel is active.

I am looking for information as to the best way to set up this network, so that if the cipe connection goes down all traffic is automatically routed over the ppp connection, and when the cipe connection comes back up the traffic is once again routed via the cipe connection.

We currently only have one remote location to worry about, but may soon be expanding to multiple sites, with multiple links.

I originally thought that I'd be setting this up using weighting in the routing table, but now believe that methodology is out of date even if it would work - more recently I have been thinking that this sort of failover setup would best be implemented using RIP (or is that out of date too?).

I was hoping that someone could tell me if I was headed in the right direction before I set out reconfiguring the routing on all our servers. I'd also be grateful for any pointers towards relevant reading or HOW-TOs that relate.

Using Linux 2.4 (Redhat 9)

Thanks in advance! - Dan.

__________________________________
Euroluce Lighting Australia PTY LTD
92-94 Tennyson Road, Mortlake, NSW 2137
Ph: (02) 9743 6099 Fx: (02) 9743 6406
http://www.euroluce.com.au/

The contents of this email are confidential. If you are not, or believe you may not be, the intended recipient of this email, please let us know by reply and then delete it from your system. You should not copy the message or disclose its contents to anyone. No warranty or other assurance is given by us that this email is free of any virus or any other defect or error. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. If verification is required please request a hard-copy version.

Scanned by Inflex - Queries to: postmaster@euroluce.com.au

From pcaritj@riovia.net Wed Oct 8 05:39:31 2003
From: pcaritj@riovia.net (Paul Caritj)
Date: Wed, 08 Oct 2003 00:39:31 -0400
Subject: [LARTC] Scenario (I should learn to proof read!)
Message-ID: <3F839503.2030509@riovia.net>

Uh, yeah...that word was supposed to be "this". *blush*

Sorry about that :)

From lpz@ornl.gov Wed Oct 8 13:00:37 2003
From: lpz@ornl.gov (Lawrence MacIntyre)
Date: Wed, 08 Oct 2003 08:00:37 -0400
Subject: [LARTC] What's wrong here? HELP PLEASE!!!!
In-Reply-To: <002501c38d17$cd938ff0$96fea8c0@admin> References: <002501c38d17$cd938ff0$96fea8c0@admin> Message-ID: <1065614437.1357.100.camel@nautique> --=-ozlR5IDh8Nv/5EJ55oFr Content-Type: text/plain Content-Transfer-Encoding: quoted-printable I'm grasping at straws here, but is it possible that you put your new tc in, for example, /usr/local/sbin/tc and your script is calling the original version in /sbin/tc ? You shouldn't have to patch the kernel, and the patched tc should work.=20 When you run the script, is the first error (RTNETLINK answers: No such file or directory) coming from the first line in your script (/sbin/tc qdisc add dev eth1 root handle 1: htb default 10)? It would be helpful if you could give us the errors interspersed with the commands If you add sh -x to the beginning of the command running the script, it will do that. example: [root@castor root]# sh -x /etc/tc.conf + /usr/local/bin/tc qdisc add dev eth0 root handle 1: htb default 12 + /usr/local/bin/tc class add dev eth0 parent 1: classid 1:1 htb rate 13Mbit ceil 10Mbit + /usr/local/bin/tc class add dev eth0 parent 1:1 classid 1:10 htb rate 12Mbit ceil 10Mbit + /usr/local/bin/tc class add dev eth0 parent 1:1 classid 1:11 htb rate 1Mbit ceil 10Mbit + /usr/local/bin/tc qdisc add dev eth0 parent 1:10 handle 20: sfq + /usr/local/bin/tc qdisc add dev eth0 parent 1:11 handle 30: sfq + /usr/local/bin/tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 1234 0xffff flowid 1:10 + /usr/local/bin/tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 5001 0xffff flowid 1:11 When I try the old tc on my machine (red hat 8.0), I get this: tc qdisc add dev eth0 root handle 1: htb default 12 Unknown qdisc "htb", hence option "default" is unparsable Which version of linux are you using? 
On Tue, 2003-10-07 at 17:13, Alex wrote: > (this is a repost, nobody said anything about this so maybe it did not > go > throu the list) > I downloaded iproute2-2.4.7-now-ss010824.tar.gz and I did patched tc > with > the htb3.6_tc.diff from htb3.6-020525.tgz and when I try to use a htb > script > I get just errors. I did not patch the kernel, since I use kernel > 2.4.22 and > I saw on - HTB Homepage that I need to patch it only if I run version > 2.4.20 > or earlier. Do also need the kernel patch ? Or maybe is something else > wrong? (I also used the precompiled "tc" but the situation is the > same) >=20 > Errors: > ------- > RTNETLINK answers: No such file or directory > Deleted old root disk on eth1 > Unknown filter "flowid", hence option "1:10" is unparsable > Unknown filter "flowid", hence option "1:2" is unparsable > RTNETLINK answers: Invalid argument > RTNETLINK answers: Invalid argument > RTNETLINK answers: Invalid argument > RTNETLINK answers: Invalid argument > .....etc (same error over and over...) 
>=20 > Part of my script (the full script is accesible on > http://retea.hostingcenter.ro/htb.txt ..is too long to post here) : > ------- > /sbin/tc qdisc add dev eth1 root handle 1: htb default 10 > /sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 10mbit >=20 > /sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 5mbit > /sbin/tc filter add dev eth1 protocol ip parent 1:10 prio 5 handle 6 > flowid > 1:10 >=20 > /sbin/tc class add dev eth1 parent 1:1 classid 1:2 htb rate 5mbit > /sbin/tc filter add dev eth1 protocol ip parent 1:10 prio 5 handle 5 > flowid > 1:2 >=20 >=20 > /sbin/tc class add dev eth1 parent 1:10 classid 4:11 htb rate 128kbit > ceil > 256kbit prio 5 > /sbin/tc filter add dev eth1 parent 1:10 protocol ip prio 5 u32 match > ip dst > 192.168.254.10 flowid 4:11 >=20 > /sbin/tc class add dev eth1 parent 1:10 classid 4:12 htb rate 128kbit > ceil > 256kbit prio 5 > /sbin/tc filter add dev eth1 parent 1:10 protocol ip prio 5 u32 match > ip dst > 192.168.254.11 flowid 4:12 >=20 > ....etc (full script at http://retea.hostingcenter.ro/htb.txt) >=20 > Thanks! 
>
> Alex

--
Lawrence MacIntyre 865.574.8696 lpz@ornl.gov
Oak Ridge National Laboratory
High Performance Information Infrastructure Technology Group

From olexat@post.cz Wed Oct 8 14:08:03 2003
From: olexat@post.cz (Tom Olexa)
Date: Wed, 08 Oct 2003 15:08:03 +0200 (CEST)
Subject: [LARTC] Excess bandwidth sharing
Message-ID: <4a86fa4ed37169339da1fa72e792c7ec@www3.mail.post.cz>

Hello there,

I do

tc qdisc add dev eth0 root handle 1: htb r2q 1 default 12
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 64kbit ceil 512kbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 256kbit ceil 512kbit

tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
   match ip dst 195.28.103.7 flowid 1:10
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
   match ip dst 195.28.103.5 flowid 1:11

and I expect both streams to share the total 512kbit in proportion of their rates (1/4). Unfortunately the rates are some 100/120, total 512kbit.
Can anyone tell me what's the problem?

This behavior may vary when all rates are different.

Thanks,
Tom Olexa

From somesh@hclcomnet.co.in Wed Oct 8 14:47:52 2003
From: somesh@hclcomnet.co.in (Somesh Banerji)
Date: Wed, 8 Oct 2003 19:17:52 +0530
Subject: [LARTC] Tc - Class HTB - Filter u32 - Match ip dport
Message-ID: <341F8F7FCD8AD5118FD300306E06BB651092D5D1@HO-MS1>

My setup....
[A]FTP Server ----> [B]QOS Server ----> [C]Host

What I want to do.....
Set up an HTB class for 32kbps with a u32 filter to match a Destination IP.

I get a perfect result for a ftp `get' on [C].

ftp> get test
local: test remote: test
227 Entering Passive Mode (203,200,72,102,12,231)
150 Opening BINARY mode data connection for test (1025830 bytes).
##############################################################
########...................################
226 Transfer complete.
1025830 bytes received in 262 secs (3.8 Kbytes/sec)
ftp>

The working cfg on [B] is as under...

tc qdisc add dev eth0 root handle 10: htb
tc class add dev eth0 parent 10 classid 10:10 htb rate 32kbit ceil 32kbit
tc filter add dev eth0 parent 10: protocol ip prio 100 u32 match ip dst 203.200.72.91 flowid 10:10

But download becomes out of control when I delete just the filter, to replace it with...

tc filter add dev eth0 parent 10: protocol ip prio 100 u32 match ip sport 20 0xffff flowid 10:10

---OR--- any sport/dport with a value of
20,21,22
14,15,16
0014,0015,0016

When the test setup & the test procedure is the same. It should work for the Protocol if it worked for the IP !!!What could be wrong!!!!

I only change from `u32 match ip dst 203.200.72.91' to 'u32 match ip 0xffff'
I tried with all known as `sport' & `dport' both in decimal & Hex.

Regards,
Somesh Banerji
Sr. Engineer
HCL Comnet System & Services
NOIDA U.P. INDIA

From phila@dg.net.ua Wed Oct 8 14:49:30 2003
From: phila@dg.net.ua (Anton Yurchenko)
Date: Wed, 08 Oct 2003 16:49:30 +0300
Subject: [LARTC] htb v3 not as good as htb v2?
Message-ID: <3F8415EA.8080401@dg.net.ua>

Hello,

I've been using htb v2 for more than a year without any major problems. Recently I needed to upgrade to a newer kernel because of non-LARTC related issues. After installing 2.4.22, when the htb qdisc was attached to the interface even without any rules, I was not able to send more than ~1mbit through the interface.
After I reversed the htb3 patch and rebuilt with htb2 everything works as normal. Has anyone experienced the same issue? thanks

--
Anton Yurchenko
Digital Generation

From nuclearcat@nuclearcat.com Wed Oct 8 15:03:24 2003
From: nuclearcat@nuclearcat.com (nuclearcat@nuclearcat.com)
Date: Wed, 8 Oct 2003 17:03:24 +0300
Subject: [LARTC] htb v3 not as good as htb v2?
In-Reply-To: <3F8415EA.8080401@dg.net.ua>
References: <3F8415EA.8080401@dg.net.ua>
Message-ID: <1273683640.20031008170324@ams-sat.com>

Hello Anton,

Wednesday, October 8, 2003, 4:49:30 PM, you wrote:

I am using HTB3 with more than 10 megabits customers, and amount of classes about 100-200 without any problem.
Only one thing I do: I make a filter with lowest priority, to not pass all unclassified traffic to the default class, just to drop it. I think you just need to review your classes, because also if you have any rate more than 468 Kbit, you need to change r2q or quantum.

AY> Hello,

AY> I've been using htb v2 for more than a year without any major problems.
AY> Recently I needed to upgrade to a newer kernel because of non-LARTC
AY> related issues. After installing 2.4.22, when the htb qdisc was attached
AY> to the interface even without any rules, I was not able to send more than
AY> ~1mbit through the interface. After I reversed the htb3 patch and
AY> rebuilt with htb2 everything works as normal. Has anyone experienced the
AY> same issue?
thanks

--
Best regards,
Denis mailto:admin@ams-sat.com

From artur@gmx.net Wed Oct 8 15:05:43 2003
From: artur@gmx.net (Jan Gerritsen)
Date: Wed, 8 Oct 2003 16:05:43 +0200
Subject: AW: [LARTC] Tc - Class HTB - Filter u32 - Match ip dport
In-Reply-To: <341F8F7FCD8AD5118FD300306E06BB651092D5D1@HO-MS1>
Message-ID:

Hi,

>  ftp> get test
>  local: test remote: test
>  227 Entering Passive Mode (203,200,72,102,12,231)
                ^^^^^^^^^^^^
>  150 Opening BINARY mode data connection for test (1025830 bytes).
>  ##############################################################
>  ########...................################
>  226 Transfer complete.
>  1025830 bytes received in 262 secs (3.8 Kbytes/sec)
>  ftp>

This log shows that you are using Passive FTP

> tc filter add dev eth0 parent 10: protocol ip prio 100 u32 match ip sport
> 20 0xffff flowid 10:10

now you put up a rule for sport 20.
Passive FTP does not use sport 20, it uses any port > 1024,
only "active" FTP uses port 20 as sport for data transfer,..

Jan Gerritsen

From lpz@ornl.gov Wed Oct 8 15:11:30 2003
From: lpz@ornl.gov (Lawrence MacIntyre)
Date: Wed, 08 Oct 2003 10:11:30 -0400
Subject: [LARTC] htb v3 not as good as htb v2?
In-Reply-To: <3F8415EA.8080401@dg.net.ua>
References: <3F8415EA.8080401@dg.net.ua>
Message-ID: <1065622290.1341.175.camel@nautique>

I've used HTB and CBQ to protect MPEG2 traffic streams from UDP traffic over 100 Mb/s interfaces. I have not yet attempted this with 1000 Mb/s interfaces, but I hope to get to that this year (it is much more difficult to measure accurately at this speed).
On Wed, 2003-10-08 at 09:49, Anton Yurchenko wrote:
> Hello,
>
> I've been using htb v2 for more than a year without any major problems.
> Recently I needed to upgrade to a newer kernel because of non-LARTC
> related issues. After installing 2.4.22, when the htb qdisc was attached
> to the interface even without any rules, I was not able to send more than
> ~1mbit through the interface. After I reversed the htb3 patch and
> rebuilt with htb2 everything works as normal. Has anyone experienced the
> same issue? thanks

--
Lawrence MacIntyre 865.574.8696 lpz@ornl.gov
Oak Ridge National Laboratory
High Performance Information Infrastructure Technology Group

From PedroPhill@seznam.cz Wed Oct 8 16:25:18 2003
From: PedroPhill@seznam.cz (Phill)
Date: Wed, 8 Oct 2003 17:25:18 +0200
Subject: [LARTC] Shaping services and users (2nd time)
Message-ID: <003d01c38db0$621c05b0$0a02a8c0@phill>

Hello,
    I am making a HTB script for a few people and I wanted to ask a question.

Now I have a nice script with this hierarchy of classes.

root(128/128)
+---WWW(32/128)
+---Default(32/128)
+---P2P(1/64)     #P2P Programs like DC and Kazaa
+---....

How should I implement limiting the speed of some users (by IP addresses)?
I had an idea, but it looks too complicated. What do you think?

Let's say I want IP2 to be limited to have the speed max. 64kbits.

Will this idea work?

root(128/128)
+IP1(32/128)-----WWW(32/128)
|            +---Default(10/128)
|            +---P2P(1/64)
|            +---...
|
+IP2(32/64)------WWW(32/64)
|            +---Default(10/64)
|            +---P2P(1/64)
|            +---...
+IP2(32/64)--....
...

Thanks,
    Phill

PS: Sorry if I posted this twice (that was my mistake).

From stef.coene@docum.org Wed Oct 8 18:15:53 2003
From: stef.coene@docum.org (Stef Coene)
Date: Wed, 8 Oct 2003 19:15:53 +0200
Subject: [LARTC] Excess bandwidth sharing
In-Reply-To: <4a86fa4ed37169339da1fa72e792c7ec@www3.mail.post.cz>
References: <4a86fa4ed37169339da1fa72e792c7ec@www3.mail.post.cz>
Message-ID: <200310081915.53819.stef.coene@docum.org>

On Wednesday 08 October 2003 15:08, Tom Olexa wrote:
> Hello there,
>
> I do
> tc qdisc add dev eth0 root handle 1: htb r2q 1 default 12
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 64kbit ceil 512kbit
> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 256kbit ceil 512kbit
>
> tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
>    match ip dst 195.28.103.7 flowid 1:10
> tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
>    match ip dst 195.28.103.5 flowid 1:11
>
> and I expect both streams to share the total 512kbit in
> proportion of their rates (1/4). Unfortunately the rates are some
> 100/120, total 512kbit.
> Can anyone tell me what's the problem?

Your commands :
tc qdisc add dev eth0 root handle 1: htb r2q 1 default 12
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 64kbit ceil 512kbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 256kbit ceil 512kbit

And I think you miss this rule :
tc class add dev eth0 parent 1: classid 1:1 htb rate 512kbit ceil 512kbit

12 is your default class, but you never defined a 1:12 class.

This will happen :
1:10 : 64kbit (the configured rate)
1:11 : 256kbit (the configured rate)
Together : 320kbit
But the total is 512kbit, so 512-320 = 192kbit.
So class 1:10 gets an additional 192 * 64 / (64 + 256 ) = 38.4 kbit
So class 1:11 gets an additional 192 * 256 / (64 + 256 ) = 153.6 kbit

Actually, this is related to the quantum of the class. But you never overruled the quantum, so the quantum of the class is rate / 1 (r2q parameter).
But 512kbit means a quantum of 512 / 8 = 64kilo byte and I think this is maybe too big. Don't you have htb errors in your kernel log files ??

If you are interested in more tests and extra information, see www.docum.org on my tests pages.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From victor@ambra.ro Thu Oct 9 11:45:28 2003
From: victor@ambra.ro (Victor)
Date: Thu, 9 Oct 2003 13:45:28 +0300 (EEST)
Subject: [LARTC] filter
Message-ID: <3230.80.97.24.235.1065696328.squirrel@www.sqmail.ambra.ro>

The difference between these 2 configurations is only the prio parameter of the second filter in each configuration.
(tc filter add dev eth0 parent 1: prio 5 protocol ip u32 ht 800:: match ip src 80.97.24.0/24 hashkey mask 0x000000ff at 12 link 2:)

Configuration 1

tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 500Kbit prio 1 quantum 2000
tc class add dev eth0 parent 1:1 classid 1:201 htb rate 4Kbit ceil 500Kbit prio 0 quantum 2000
tc filter add dev eth0 parent 1: prio 1 handle 2: protocol ip u32 divisor 256
tc filter add dev eth0 parent 1: prio 5 protocol ip u32 ht 800:: match ip src 80.97.24.0/24 hashkey mask 0x000000ff at 12 link 2:
tc filter add dev eth0 prio 1 protocol ip u32 ht 2:01 match ip src 80.97.24.1 flowid 1:201

Configuration 2

tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 500Kbit prio 1 quantum 2000
tc class add dev eth0 parent 1:1 classid 1:201 htb rate 4Kbit ceil 500Kbit prio 0 quantum 2000
tc filter add dev eth0 parent 1: prio 1 handle 2: protocol ip u32 divisor 256
tc filter add dev eth0 parent 1: prio 1 protocol ip u32 ht 800:: match ip src 80.97.24.0/24 hashkey mask 0x000000ff at 12 link 2:
tc filter add dev eth0 prio 1 protocol ip u32 ht 2:01 match ip src 80.97.24.1 flowid 1:201

Configuration 1
tc filter show dev eth1
shows the next lines:
filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 2: ht divisor 256
filter parent 1: protocol ip pref 1 u32 fh 2:1:800 order 2048 key ht 2 bkt 1 flowid 1:201
  match 50611801/ffffffff at 12
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2:
  match 50611800/ffffff00 at 12
    hash mask 000000ff at 12
filter parent 1: protocol ip pref 5 u32
filter parent 1: protocol ip pref 5 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
filter parent 1: protocol ip pref 5 u32 fh 2:1:800 order 2048 key ht 2 bkt 1 flowid 1:201
  match 50611801/ffffffff at 12
filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2:
  match 50611800/ffffff00 at 12
    hash mask 000000ff at 12

Configuration 1
tc filter show dev eth1
shows the next lines:

filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 2: ht divisor 256
filter parent 1: protocol ip pref 1 u32 fh 2:1:800 order 2048 key ht 2 bkt 1 flowid 1:201
  match 50611801/ffffffff at 12
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2:
  match 50611800/ffffff00 at 12
    hash mask 000000ff at 12

Why does configuration 1 have more filters than configuration 2?
How can the prio parameter influence this?
What is the range for the prio parameter in the filter context?
Thank you.

Victor

From util@deuroconsult.ro Thu Oct 9 06:08:33 2003
From: util@deuroconsult.ro (Catalin BOIE)
Date: Thu, 9 Oct 2003 08:08:33 +0300 (EEST)
Subject: [LARTC] filter
In-Reply-To: <3230.80.97.24.235.1065696328.squirrel@www.sqmail.ambra.ro>
References: <3230.80.97.24.235.1065696328.squirrel@www.sqmail.ambra.ro>
Message-ID:

Don't worry. It's tc's fault (or maybe the kernel's).
The filters are once in the kernel but are shown no_of_prios_used times.

On Thu, 9 Oct 2003, Victor wrote:

> The difference between these 2 configurations is only the prio parameter of
> the second filter in each configuration.
> (tc filter add dev eth0 parent 1: prio 5 protocol ip u32 ht 800:: match ip
> src 80.97.24.0/24 hashkey mask 0x000000ff at 12 link 2:)
>
> Configuration 1
>
> tc qdisc add dev eth0 root handle 1: htb
> tc class add dev eth0 parent 1: classid 1:1 htb rate 500Kbit prio 1 quantum 2000
> tc class add dev eth0 parent 1:1 classid 1:201 htb rate 4Kbit ceil 500Kbit prio 0 quantum 2000
> tc filter add dev eth0 parent 1: prio 1 handle 2: protocol ip u32 divisor 256
> tc filter add dev eth0 parent 1: prio 5 protocol ip u32 ht 800:: match ip src 80.97.24.0/24 hashkey mask 0x000000ff at 12 link 2:
> tc filter add dev eth0 prio 1 protocol ip u32 ht 2:01 match ip src 80.97.24.1 flowid 1:201
>
> Configuration 2
>
> tc qdisc add dev eth0 root handle 1: htb
> tc class add dev eth0 parent 1: classid 1:1 htb rate 500Kbit prio 1 quantum 2000
> tc class add dev eth0 parent 1:1 classid 1:201 htb rate 4Kbit ceil 500Kbit prio 0 quantum 2000
> tc filter add dev eth0 parent 1: prio 1 handle 2: protocol ip u32 divisor 256
> tc filter add dev eth0 parent 1: prio 1 protocol ip u32 ht 800:: match ip src 80.97.24.0/24 hashkey mask 0x000000ff at 12 link 2:
> tc filter add dev eth0 prio 1 protocol ip u32 ht 2:01 match ip src 80.97.24.1 flowid 1:201
>
> Configuration 1
> tc filter show dev eth1
> shows the next lines:
> filter parent 1: protocol ip pref 1 u32
> filter parent 1: protocol ip pref 1 u32 fh 801: ht divisor 1
> filter parent 1: protocol ip pref 1 u32 fh 2: ht divisor 256
> filter parent 1: protocol ip pref 1 u32 fh 2:1:800 order 2048 key ht 2 bkt 1 flowid 1:201
>   match 50611801/ffffffff at 12
> filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2:
>   match 50611800/ffffff00 at 12
>     hash mask 000000ff at 12
> filter parent 1: protocol ip pref 5 u32
> filter parent 1: protocol ip pref 5 u32 fh 801: ht divisor 1
> filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
> filter parent 1: protocol ip pref 5 u32 fh 2:1:800 order 2048 key ht 2 bkt 1 flowid 1:201
>   match 50611801/ffffffff at 12
> filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2:
>   match 50611800/ffffff00 at 12
>     hash mask 000000ff at 12
>
> Configuration 1
> tc filter show dev eth1
> shows the next lines:
>
> filter parent 1: protocol ip pref 1 u32
> filter parent 1: protocol ip pref 1 u32 fh 2: ht divisor 256
> filter parent 1: protocol ip pref 1 u32 fh 2:1:800 order 2048 key ht 2 bkt 1 flowid 1:201
>   match 50611801/ffffffff at 12
> filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2:
>   match 50611800/ffffff00 at 12
>     hash mask 000000ff at 12
>
> Why does configuration 1 have more filters than configuration 2?
> How can the prio parameter influence this?
> What is the range for the prio parameter in the filter context?
> Thank you.
>
> Victor

---
Catalin(ux) BOIE
catab@deuroconsult.ro

From nielsvc@ostenfeld.dk Thu Oct 9 06:53:36 2003
From: nielsvc@ostenfeld.dk (Niels Vorgaard Christensen)
Date: Thu, 09 Oct 2003 07:53:36 +0200
Subject: [LARTC] tc filter expression
Message-ID: <873ce37y8v.fsf@niels.ostenfeld.dtu.dk>

Hi.

I am working on a router with three interfaces. eth2 and eth0 are connected to two different Internet providers. The interface eth1 is connected to an internal network. Now I need a tc filter expression that will determine which interface the packet was routed in through, to be able to classify packets going out eth1 based on provider. I know I could mark packets with netfilter, but if it is possible to construct a tc filter expression to do the job I would much prefer that.

Regards,
Niels V. Christensen

From util@deuroconsult.ro Thu Oct 9 06:58:58 2003
From: util@deuroconsult.ro (Catalin BOIE)
Date: Thu, 9 Oct 2003 08:58:58 +0300 (EEST)
Subject: [LARTC] tc filter expression
In-Reply-To: <873ce37y8v.fsf@niels.ostenfeld.dtu.dk>
References: <873ce37y8v.fsf@niels.ostenfeld.dtu.dk>
Message-ID:

On Thu, 9 Oct 2003, Niels Vorgaard Christensen wrote:

> Hi.
>
> I am working on a router with three interfaces. eth2 and eth0 are
> connected to two different Internet providers. The interface eth1 is
> connected to an internal network. Now I need a tc filter expression
> that will determine which interface the packet was routed in through,
> to be able to classify packets going out eth1 based on provider. I know I
> could mark packets with netfilter, but if it is possible to construct
> a tc filter expression to do the job I would much prefer that.

I think you can use ingress + policy + ds to mark packets (DSCP IP field) on eth0 and eth2.
Then on eth1 you can classify based on this field.

>
>
> Regards,
> Niels V. Christensen

---
Catalin(ux) BOIE
catab@deuroconsult.ro

From PedroPhill@seznam.cz Thu Oct 9 08:02:36 2003
From: PedroPhill@seznam.cz (Phill)
Date: Thu, 9 Oct 2003 09:02:36 +0200
Subject: [LARTC] Shaping services and users (2nd time)
References: <341F8F7FCD8AD5118FD300306E06BB651098AB46@HO-MS1>
Message-ID: <003301c38e33$522f8c70$0a02a8c0@phill>

Oh, I am sorry, I knew that, it's just that I was playing with the numbers and I didn't check the sums.

I know how to shape traffic coming from different users, ..protocol ip dst IP...etc, And I know how to shape traffic from each service. I just don't know how to glue them together.

So what about this? The point is that I want to be able to shape both the services and the IPs.

root(128/128)
+IP1(32/128)-----WWW(20/128)
|            +---Default(10/128)
|            +---P2P(1/64)
|            +---...
|
+IP2(32/64)------WWW(20/64)
|            +---Default(10/64)
|            +---P2P(1/64)
|            +---...
+IP3(32/64)--....
...

-Phill

> You could nest class...
> It is desirable that the sum of rates of a Child Class = to the Parent
> Class.

From thomas@arkena.dk Thu Oct 9 09:42:51 2003
From: thomas@arkena.dk (Thomas Kirk)
Date: Thu, 9 Oct 2003 10:42:51 +0200
Subject: [LARTC] Wondershaper modifications
Message-ID: <20031009084251.GB17072@thomas.arkena.com>

Hep Dear Listmembers and Stef!

Setup

        Internet
          eth0
           |
           |
   -----------------
   |    |    |    |
 eth1 eth2 eth3 eth4   <--- Lan
.10/24 .11/24 etc

All Lans are natted to eth0

Now I use wondershaper (1.1a) on eth0 to shape interactive traffic (works already, thanks!) But I have a special requirement for prioritising samba traffic from eth1 to internet.
I've done this with the following lines in iptables and wondershaper :

iptables :

$IPTABLES -A PREROUTING -t mangle -p tcp --dport 137:139 -i eth1 -j MARK --set-mark 2
$IPTABLES -A PREROUTING -t mangle -p udp --dport 137:139 -i eth1 -j MARK --set-mark 2

wondershaper :

tc filter add dev $DEV parent 1:0 protocol ip prio 1 handle 2 fw classid 1:10

This setup seems to work partly. When I browse the network on another host over internet I get no lag and fast response (low latency). But when I try to edit a file (3kb) it takes around 10 seconds to save the file? Since my connection is 2048/512 and I've set my UPLINK=450 it should take no more than 1-2 secs to update a file over internet? What am I overlooking here?

--
Venlig hilsen/Kind regards
Thomas Kirk
ARKENA
tlf/phone +4570233456
thomas(at)arkena(dot)com
Http://www.arkena.com

"It's naive to think you can change a person--except maybe that boy who works in the library." -- Lisa Simpson

From phila@dg.net.ua Thu Oct 9 09:44:16 2003
From: phila@dg.net.ua (Anton Yurchenko)
Date: Thu, 09 Oct 2003 11:44:16 +0300
Subject: [LARTC] htb v3 not as good as htb v2?
In-Reply-To: <1273683640.20031008170324@ams-sat.com>
References: <3F8415EA.8080401@dg.net.ua> <1273683640.20031008170324@ams-sat.com>
Message-ID: <3F851FE0.6020506@dg.net.ua>

nuclearcat@nuclearcat.com wrote:

>Hello Anton,
>
>Wednesday, October 8, 2003, 4:49:30 PM, you wrote:
>
>I am using HTB3 with more than 10 megabits customers, and
>amount of classes about 100-200 without any problem.
>Only one thing I do: I make a filter with lowest priority, to not pass
>all unclassified traffic to the default class, just to drop it. I think
>you just need to review your classes, because also if you have any rate
>more than 468 Kbit, you need to change r2q or quantum.
>
>
the problem was observed even when only adding a qdisc, no classes. how can this be?

>AY> Hello,
>
>AY> I've been using htb v2 for more than a year without any major problems.
>AY> Recently I needed to upgrade to a newer kernel because of non-LARTC
>AY> related issues. After installing 2.4.22, when the htb qdisc was attached
>AY> to the interface even without any rules, I was not able to send more than
>AY> ~1mbit through the interface. After I reversed the htb3 patch and
>AY> rebuilt with htb2 everything works as normal. Has anyone experienced the
>AY> same issue? thanks

--
Anton Yurchenko
Digital Generation

From aris.santillan@summitmedia.com.ph Thu Oct 9 12:38:41 2003
From: aris.santillan@summitmedia.com.ph (Aris Santillan)
Date: Thu, 9 Oct 2003 19:38:41 +0800
Subject: [LARTC] 2 ISP
Message-ID: <831411C4CBD37C4A91DBEC9B98A64C8B6C44D1@spmail.summitmedia.com.ph>

hi guys

I'm a newbie

we are planning to have 2 ISPs connected to a single linux box
we will be serving clients using Squid Proxy server (only one linux box)
is this possible, in which the proxy will load balance to the 2 ISPs???

or can it be failover???

thanks in advance


From reza@mra.co.id Thu Oct 9 12:45:25 2003
From: reza@mra.co.id (Muhammad Reza)
Date: Thu, 09 Oct 2003 18:45:25 +0700
Subject: [LARTC] newbie question
Message-ID: <3F854A55.1080306@mra.co.id>

hi all

in this schema, on what device should I implement shaping (htb)

ISP-----eth0 -eth1----LAN

eth0 or eth1

cheers
.:NewBie:.

From le-hen_j@epita.fr Thu Oct 9 12:43:43 2003
From: le-hen_j@epita.fr (jeremie le-hen)
Date: Thu, 9 Oct 2003 13:43:43 +0200
Subject: [LARTC] 2 ISP
In-Reply-To: <831411C4CBD37C4A91DBEC9B98A64C8B6C44D1@spmail.summitmedia.com.ph>
References: <831411C4CBD37C4A91DBEC9B98A64C8B6C44D1@spmail.summitmedia.com.ph>
Message-ID: <20031009114343.GA7375@carpediem.epita.fr>

> we are planning to have 2 ISP connected to a single linux box
> we be servering clients using Squid Proxy server? (only one linux box)
> is this possible on which the proxy will load balance to the 2 ISP.???
> or can be failover ???

I would suggest you have a look into the archives. This topic is discussed at least twice a week. I think you should find all that you need.
http://lists.netfilter.org/pipermail/netfilter/

Regards,
--
Jeremie LE HEN aka TtZ/TataZ
jeremie.le-hen@epita.fr
ttz@epita.fr
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!

From le-hen_j@epita.fr Thu Oct 9 12:46:59 2003
From: le-hen_j@epita.fr (jeremie le-hen)
Date: Thu, 9 Oct 2003 13:46:59 +0200
Subject: [LARTC] newbie question
In-Reply-To: <3F854A55.1080306@mra.co.id>
References: <3F854A55.1080306@mra.co.id>
Message-ID: <20031009114659.GB7375@carpediem.epita.fr>

> in this schema in what device i should implement shapping (htb)
>
> ISP-----eth0 -eth1----LAN

If you implement your shaping/scheduling on eth1, then your LAN will be affected, but not the Linux box itself. If you want your gateway to be affected too, then put it on eth0.
Furthermore, if one day you choose to add another LAN on eth2, shaping will also work for the latter without any additional configuration.

Regards,
--
Jeremie LE HEN aka TtZ/TataZ
jeremie.le-hen@epita.fr
ttz@epita.fr
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!

From reza@mra.co.id Thu Oct 9 13:15:19 2003
From: reza@mra.co.id (Muhammad Reza)
Date: Thu, 09 Oct 2003 19:15:19 +0700
Subject: [LARTC] newbie question
In-Reply-To: <20031009114659.GB7375@carpediem.epita.fr>
References: <3F854A55.1080306@mra.co.id> <20031009114659.GB7375@carpediem.epita.fr>
Message-ID: <3F855157.6090606@mra.co.id>

thanks

eth1 I guess.. can I do shaping/scheduling on my LAN based on subnet?

                     |--subnet 10kbit
ISP---eth0-eth1---LAN---subnet 20kbit
                     |--subnet 15kbit

can htb or any tc do that for me.. and how can I know my actual ceiling b/w traffic at eth1, so I can set it as parent? I have a 10/100 ethernet.

cheers
.:NewBie:.

jeremie le-hen wrote:

>>in this schema in what device i should implement shapping (htb)
>>
>>ISP-----eth0 -eth1----LAN
>>
>
>If you implement your shaping/scheduling on eth1, then your LAN will
>be affected, but not the Linux box itself. If you want your gateway
>to be affected too, then put it on eth0. Furthermore, if one day you
>choose to add another LAN on eth2, shaping will also work for the
>latter without any additional configuration.
>
>Regards,

From stef.coene@docum.org Thu Oct 9 17:40:39 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 9 Oct 2003 18:40:39 +0200
Subject: [LARTC] filter
In-Reply-To:
References: <3230.80.97.24.235.1065696328.squirrel@www.sqmail.ambra.ro>
Message-ID: <200310091840.39525.stef.coene@docum.org>

On Thursday 09 October 2003 07:08, Catalin BOIE wrote:
> Don't worry. It's tc fault (or maybe kernel).

It's a bug in the tc routing that displays the filters.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Thu Oct 9 17:43:32 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 9 Oct 2003 18:43:32 +0200
Subject: [LARTC] Shaping services and users (2nd time)
In-Reply-To: <003301c38e33$522f8c70$0a02a8c0@phill>
References: <341F8F7FCD8AD5118FD300306E06BB651098AB46@HO-MS1> <003301c38e33$522f8c70$0a02a8c0@phill>
Message-ID: <200310091843.32796.stef.coene@docum.org>

On Thursday 09 October 2003 09:02, Phill wrote:
> Oh, I am sorry, I knew that, it's just that I was playing with the numbers
> and I didn't check the sums.
>
> I know how to shape traffic coming from different users,
> ..protocol ip dst IP...etc, And I know how to shape traffic
> from each service. I just don't know how to glue them together.
>
> So what about this? The point is that I want to be able to shape
> both the services and the IPs.
>
> root(128/128)
> +IP1(32/128)-----WWW(20/128)
> |            +---Default(10/128)
> |            +---P2P(1/64)
> |            +---...
> |
> +IP2(32/64)------WWW(20/64)
> |            +---Default(10/64)
> |            +---P2P(1/64)
> |            +---...
> +IP3(32/64)--....
> ...

You need a set of filters attached to the root qdisc so the traffic for the different IPs is placed in the IPx class. Then you need a second set of filters attached to the IPx classes that redirects all traffic to the different sub classes.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Thu Oct 9 17:45:22 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 9 Oct 2003 18:45:22 +0200
Subject: [LARTC] htb v3 not as good as htb v2?
In-Reply-To: <3F851FE0.6020506@dg.net.ua>
References: <3F8415EA.8080401@dg.net.ua> <1273683640.20031008170324@ams-sat.com> <3F851FE0.6020506@dg.net.ua>
Message-ID: <200310091845.22457.stef.coene@docum.org>

On Thursday 09 October 2003 10:44, Anton Yurchenko wrote:
> nuclearcat@nuclearcat.com wrote:
> >Hello Anton,
> >
> >Wednesday, October 8, 2003, 4:49:30 PM, you wrote:
> >
> >I am using HTB3 with more than 10 megabits customers, and
> >amount of classes about 100-200 without any problem.
> >Only one what i do - i make filter with lowest priority, to not pass
> >ass unclassified traffic to default class, just to drop it. I think
> >you just need review your classes, because also if you have any rate
> >more 468 Kbit, you need change r2q or quantum.
>
> the problem was observed even when only adding a qdisc, no classes. how
> can this be?
What's the output of
tc -s -d qdisc show dev eth0
tc -s -d class show dev eth0

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Thu Oct 9 17:51:14 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 9 Oct 2003 18:51:14 +0200
Subject: [LARTC] Wondershaper modifications
In-Reply-To: <20031009084251.GB17072@thomas.arkena.com>
References: <20031009084251.GB17072@thomas.arkena.com>
Message-ID: <200310091851.14849.stef.coene@docum.org>

On Thursday 09 October 2003 10:42, Thomas Kirk wrote:
> Hep Dear Listmembers and Stef!
>
> Setup
>
> Internet
> eth0
>
>
> -----------------
>
> eth1 eth2 eth3 eth4 <--- Lan .10/24 .11/24 etc
>
>
> All Lans are natted to eth0
>
> Now i use wondershaper (1.1a) on eth0 to shape interactive traffic
> (work already thanks!) But i have a special requirements for
> priorities
> samba traffic from eth1 to internet.
I've done this with the following
> lines in iptables and wondershaper :
>
> iptables :
>
> $IPTABLES -A PREROUTING -t mangle -p tcp --dport 137:139 -i eth1 -j MARK --set-mark 2
> $IPTABLES -A PREROUTING -t mangle -p udp --dport 137:139 -i eth1 -j MARK --set-mark 2
>
> wondershaper :
>
> tc filter add dev $DEV parent 1:0 protocol ip prio 1 handle 2 fw classid 1:10
>
> This setup seems to work partly. When i browse network on another
> host over internet i get no lag and fast response (low latency).
> But when i try to edit file (3kb) it takes around 10 seconds to save
> the file? Since my connection is 2048/512 and i've set my UPLINK=450 it
> should take no more than 1-2 secs to update a file over internet? What
> am i overlooking here?
Can you check the timeout with a simple ping? And what about making a
directory or copying a file ?

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From wen@us.ibm.com Thu Oct 9 19:41:22 2003
From: wen@us.ibm.com (Wen-Jiunn Chin)
Date: Thu, 9 Oct 2003 14:41:22 -0400
Subject: [LARTC] Wen-Jiunn Chin/Endicott/IBM is out of the office.
Message-ID:

I will be out of the office starting October 9, 2003 and will not return
until October 14, 2003.

I am out of the office from 10/09/03, returning 10/14/03. You will receive
only this notification of my absence prior to my return, at which time I
will respond.

Please contact Syed Abuthagir for GWA.
Please contact my manager David Albright, for emergencies.

On Demand Project - Larry Sackette
GWA Linux Servers - Vikas Paul
Treve Project - Anand Banerjee
Team Lead - Steve Bernstein

From mehrotra_praveen@yahoo.com Thu Oct 9 22:58:01 2003
From: mehrotra_praveen@yahoo.com (Praveen Mehrotra)
Date: Thu, 9 Oct 2003 14:58:01 -0700 (PDT)
Subject: [LARTC] Problem with tc filter (tc qdisc/class works ok)
Message-ID: <20031009215801.56347.qmail@web40102.mail.yahoo.com>

Hello,

I'm having problem adding filters using tc.
I get the response back RTNETLINK answers-invalid argument.

Though the tc qdisc and tc class commands work fine.
In my kernel config, QoS related parameters are
enabled (CONFIG_NET_SCHED, CONFIG_NET_QOS,
CONFIG_NET_CLS, CONFIG_NET_CLS_U32,
CONFIG_NET_SCH_HTB). Also CONFIG_NETLINK,
CONFIG_RTNETLINK and CONFIG_NETLINK_DEV are set to 'y'

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

From util@deuroconsult.ro Fri Oct 10 06:09:49 2003
From: util@deuroconsult.ro (Catalin BOIE)
Date: Fri, 10 Oct 2003 08:09:49 +0300 (EEST)
Subject: [LARTC] filter
In-Reply-To: <200310091840.39525.stef.coene@docum.org>
References: <3230.80.97.24.235.1065696328.squirrel@www.sqmail.ambra.ro> <200310091840.39525.stef.coene@docum.org>
Message-ID:

On Thu, 9 Oct 2003, Stef Coene wrote:

> On Thursday 09 October 2003 07:08, Catalin BOIE wrote:
> > Don't worry. It's tc fault (or maybe kernel).
> It's a bug in the tc routing that displays the filters.

Thanks for clarification, Stef.

>
> Stef
>
> --
> stef.coene@docum.org
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.openprojects.net
>

---
Catalin(ux) BOIE
catab@deuroconsult.ro

From wen@us.ibm.com Fri Oct 10 06:18:37 2003
From: wen@us.ibm.com (Wen-Jiunn Chin)
Date: Fri, 10 Oct 2003 01:18:37 -0400
Subject: [LARTC] Wen-Jiunn Chin/Endicott/IBM is out of the office.
Message-ID:

I will be out of the office starting October 9, 2003 and will not return
until October 14, 2003.

I am out of the office from 10/09/03, returning 10/14/03. You will receive
only this notification of my absence prior to my return, at which time I
will respond.

Please contact Syed Abuthagir for GWA.
Please contact my manager David Albright, for emergencies.

From kristiadi_himawan@dtp.net.id Fri Oct 10 07:09:25 2003
From: kristiadi_himawan@dtp.net.id (Kristiadi Himawan)
Date: Fri, 10 Oct 2003 13:09:25 +0700
Subject: [LARTC] Shape on trunked line
Message-ID: <00c001c38ef5$0e55edb0$0aa02bca@sapari>

This is a multi-part message in MIME format.

------=_NextPart_000_00BD_01C38F2F.BAB00AC0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi All,

Any idea how to shape on trunked line.
I have try to both devices (eth0 and eth1) but fail
and i assume because tag vlan on data frame
that makes tc filter always missed.

Thnx

Kris

------=_NextPart_000_00BD_01C38F2F.BAB00AC0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_00BD_01C38F2F.BAB00AC0--

From alek19@unet.com.mk Fri Oct 10 10:19:11 2003
From: alek19@unet.com.mk (Aleksandar Simonovski)
Date: Fri, 10 Oct 2003 11:19:11 +0200
Subject: [LARTC] trafic shaping with aliases
Message-ID: <3f86798f923c50.29795769@unet.com.mk>

Hi,
This is my scenario

1.---------
          |
2.---------
          | <-------> HUB <-----> ETH1 <--- SHAPER ---> ETH0 <-----> INTERNET
3.---------
          |
4.---------

1,2,3 and 4 are all different networks
ETH1 has four aliases which are gateways for 1,2,3 and 4
can some help me with using HTB or CBQ for limiting the four different networks

1. 128KBit
2. 64KBit
3. 512Kbit
4. 192KBit

thanks,
Aleksandar

From nik@varna.net Fri Oct 10 12:18:02 2003
From: nik@varna.net (Nikolay Datchev)
Date: Fri, 10 Oct 2003 14:18:02 +0300 (EEST)
Subject: [LARTC] trafic shaping with aliases
In-Reply-To: <3f86798f923c50.29795769@unet.com.mk>
Message-ID:

Think about the four networks like networks, all the four are at the same
physical interface - eth1, and aliases doesn't matter.
So, you put the root class and qdisc at eth1, create four subclasses for
each network, attach qdiscs and create four filters, each filter for one
network.

--
Nikolay Datchev

On Fri, 10 Oct 2003, Aleksandar Simonovski wrote:

> Hi,
> This is my scenario
>
> 1.---------
>           |
> 2.---------
>           | <-------> HUB <-----> ETH1 <--- SHAPER ---> ETH0 <-----> INTERNET
> 3.---------
>           |
> 4.---------
>
> 1,2,3 and 4 are all different networks
> ETH1 has four aliases which are gateways for 1,2,3 and 4
> can some help me with using HTB or CBQ for limiting the four different networks
>
> 1. 128KBit
> 2. 64KBit
> 3. 512Kbit
> 4.
192KBit
>
> thanks,
> Aleksandar
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

From angelripper@cable.net.co Fri Oct 10 15:54:30 2003
From: angelripper@cable.net.co (Randolph Carter)
Date: Fri, 10 Oct 2003 09:54:30 -0500 (COT)
Subject: [LARTC] Bandwidth bounding in a Shared Channel (reused bandwidth)
Message-ID:

Sometimes (especially with DSL) in my location when you bought a channel
say 128Kbps, there are some "peak" times when you can get even 256Kbps,
and another times the channel can go down to least than 128Kbps(in that
case the queuing discipline in the box would be doin't but nothing, and
the queue would fall into the DSL router). When I used TC + HTB the users
complain the speed has dramatically decreased, and somehow they are right,
the channel are not using the peaks(call bursts if you want). How can I do
the queueing discipline be aware of those changes, any idea; any
suggestion?

This problem could be present also in the VSATs where the channel is
shared, and the bandwidth allocated by use.

Thanx in advance,

The new Congressmen say they're going to turn the government around. I hope
I don't get run over again.
eject the proposal.

From yi@ece.utexas.edu Fri Oct 10 19:36:30 2003
From: yi@ece.utexas.edu (Yung Yi)
Date: Fri, 10 Oct 2003 13:36:30 -0500
Subject: [LARTC] using RED and TBF simultaneously
Message-ID: <002201c38f5d$6bf0cea0$b6c45380@engr.utexas.edu>

Dear all,

Can I use RED and TBF simultaneously, so that the output packet of RED
queue will be filtered by TBF?
What I would like to do is that using RED queue disc I want to limit the
output capacity of the corresponding interface.

I'm a little worried about the scenario that TBF is first applied and then
RED is used, which I do not want.

Thanks.
- Yung

From stef.coene@docum.org Fri Oct 10 20:46:46 2003
From: stef.coene@docum.org (Stef Coene)
Date: Fri, 10 Oct 2003 21:46:46 +0200
Subject: [LARTC] using RED and TBF simultaneously
In-Reply-To: <002201c38f5d$6bf0cea0$b6c45380@engr.utexas.edu>
References: <002201c38f5d$6bf0cea0$b6c45380@engr.utexas.edu>
Message-ID: <200310102146.47035.stef.coene@docum.org>

On Friday 10 October 2003 20:36, Yung Yi wrote:
> Dear all,
>
> Can I use RED and TBF simultaneously, so that the output packet of RED
> queue will be filtered by TBF?
> What I would like to do is that using RED queue disc I want to limit the
> output capacity of the corresponding interface.
>
> I'm a little worried about the scenario that TBF is first applied and then
> RED is used, which I do not want.
You can use htb. Htb is like tbf but it supports classes. You can add the
RED qdisc to a limit htb class. A limited htb class is a tbf qdisc.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Fri Oct 10 20:48:06 2003
From: stef.coene@docum.org (Stef Coene)
Date: Fri, 10 Oct 2003 21:48:06 +0200
Subject: [LARTC] Bandwidth bounding in a Shared Channel (reused bandwidth)
In-Reply-To:
References:
Message-ID: <200310102148.06313.stef.coene@docum.org>

On Friday 10 October 2003 16:54, Randolph Carter wrote:
> Sometimes (especially with DSL) in my location when you bought a channel
> say 128Kbps, there are some "peak" times when you can get even 256Kbps,
> and another times the channel can go down to least than 128Kbps(in that
> case the queuing discipline in the box would be doin't but nothing, and
> the queue would fall into the DSL router). When I used TC + HTB the users
> complain the speed has dramatically decreased, and somehow they are right,
> the channel are not using the peaks(call bursts if you want). How can I do
> the queueing discipline be aware of those changes, any idea; any
> suggestion?
This is almost impossible to implement. You can not 'sense' the speed of the
link on your shaping box in real time. And that's what you need.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Fri Oct 10 20:49:07 2003
From: stef.coene@docum.org (Stef Coene)
Date: Fri, 10 Oct 2003 21:49:07 +0200
Subject: [LARTC] Problem with tc filter (tc qdisc/class works ok)
In-Reply-To: <20031009215801.56347.qmail@web40102.mail.yahoo.com>
References: <20031009215801.56347.qmail@web40102.mail.yahoo.com>
Message-ID: <200310102149.07345.stef.coene@docum.org>

On Thursday 09 October 2003 23:58, Praveen Mehrotra wrote:
> Hello,
>
> I'm having problem adding filters using tc. I get the
> response back RTNETLINK answers-invalid argument.
>
> Though the tc qdisc and tc class commands work fine.
> In my kernel config, QoS related parameters are
> enabled (CONFIG_NET_SCHED, CONFIG_NET_QOS,
> CONFIG_NET_CLS, CONFIG_NET_CLS_U32,
> CONFIG_NET_SCH_HTB). Also CONFIG_NETLINK,
> CONFIG_RTNETLINK and CONFIG_NETLINK_DEV are set to 'y'
Can you post your tc commands?

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Fri Oct 10 20:49:56 2003
From: stef.coene@docum.org (Stef Coene)
Date: Fri, 10 Oct 2003 21:49:56 +0200
Subject: [LARTC] filter
In-Reply-To:
References: <3230.80.97.24.235.1065696328.squirrel@www.sqmail.ambra.ro> <200310091840.39525.stef.coene@docum.org>
Message-ID: <200310102149.56837.stef.coene@docum.org>

On Friday 10 October 2003 07:09, Catalin BOIE wrote:
> On Thu, 9 Oct 2003, Stef Coene wrote:
> > On Thursday 09 October 2003 07:08, Catalin BOIE wrote:
> > > Don't worry. It's tc fault (or maybe kernel).
> >
> > It's a bug in the tc routing that displays the filters.
Read :
> > It's a bug in the tc printing routine that displays the filters.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From angelripper@cable.net.co Fri Oct 10 20:59:38 2003
From: angelripper@cable.net.co (Randolph Carter)
Date: Fri, 10 Oct 2003 14:59:38 -0500 (COT)
Subject: [LARTC] Bandwidth bounding in a Shared Channel (reused bandwidth)
In-Reply-To: <200310102148.06313.stef.coene@docum.org>
References: <200310102148.06313.stef.coene@docum.org>
Message-ID:

Sure stef, no approximation methods? some probabilistic/statistical
approach to the problem?

"The two most common things in the universe are hydrogen and stupidity."

On Fri, 10 Oct 2003, Stef Coene wrote:

> On Friday 10 October 2003 16:54, Randolph Carter wrote:
> > Sometimes (especially with DSL) in my location when you bought a channel
> > say 128Kbps, there are some "peak" times when you can get even 256Kbps,
> > and another times the channel can go down to least than 128Kbps(in that
> > case the queuing discipline in the box would be doin't but nothing, and
> > the queue would fall into the DSL router). When I used TC + HTB the users
> > complain the speed has dramatically decreased, and somehow they are right,
> > the channel are not using the peaks(call bursts if you want). How can I do
> > the queueing discipline be aware of those changes, any idea; any
> > suggestion?
> This is almost impossible to implement. You can not 'sense' the speed of the
> link on your shaping box in real time. And that's what you need.
>
> Stef
>
> --
> stef.coene@docum.org
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.openprojects.net
>

From mehrotra_praveen@yahoo.com Fri Oct 10 21:06:52 2003
From: mehrotra_praveen@yahoo.com (Praveen Mehrotra)
Date: Fri, 10 Oct 2003 13:06:52 -0700 (PDT)
Subject: [LARTC] Problem with tc filter (tc qdisc/class works ok)
In-Reply-To: <200310102149.07345.stef.coene@docum.org>
Message-ID: <20031010200652.24837.qmail@web40107.mail.yahoo.com>

--- Stef Coene wrote:
> On Thursday 09 October 2003 23:58, Praveen Mehrotra wrote:
> > Hello,
> >
> > I'm having problem adding filters using tc. I get the
> > response back RTNETLINK answers-invalid argument.
> >
> > Though the tc qdisc and tc class commands work fine.
> > In my kernel config, QoS related parameters are
> > enabled (CONFIG_NET_SCHED, CONFIG_NET_QOS,
> > CONFIG_NET_CLS, CONFIG_NET_CLS_U32,
> > CONFIG_NET_SCH_HTB). Also CONFIG_NETLINK,
> > CONFIG_RTNETLINK and CONFIG_NETLINK_DEV are set to 'y'
> Can you post your tc commands?
>
> Stef

Hi Stef,

I'm using following commands (i'm trying to use it
with IMQ). I'm trying the example given in IMQ section
of adv-routing-howto doc.

# tc qdisc add dev imq0 root handle 1: htb default 11
# tc class add dev imq0 parent 1: classid 1:1 htb \
  rate 4mbit burst 10k
# tc class add dev imq0 parent 1:1 classid 1:10 \
  htb rate 2mbit
# tc class add dev imq0 parent 1:1 classid 1:11 \
  htb rate 2mbit
# tc qdisc add dev imq0 parent 1:10 handle 10 pfifo
#tc qdisc add dev imq0 parent 1:11 handle 11: pfifo
# tc filter add dev imq0 parent 10:0 protocol ip \
  prio 1 u32 match u32 00100000 00ff0000 at 0 \
  flowid 1:10

All commands except the last one work fine.

Thanks for your help,
Praveen

__________________________________
Do you Yahoo!?
The New Yahoo!
Shopping - with improved product search
http://shopping.yahoo.com

From stef.coene@docum.org Fri Oct 10 21:45:45 2003
From: stef.coene@docum.org (Stef Coene)
Date: Fri, 10 Oct 2003 22:45:45 +0200
Subject: [LARTC] Bandwidth bounding in a Shared Channel (reused bandwidth)
In-Reply-To:
References: <200310102148.06313.stef.coene@docum.org>
Message-ID: <200310102245.45130.stef.coene@docum.org>

On Friday 10 October 2003 21:59, Randolph Carter wrote:
> Sure stef, no approximation methods? some probabilistic/statistical
> approach to the problem?
You can control the bandwidth even if you send more data than your modem can
handle. But you will have less control than the situation of where YOU are the
bottleneck. To make sure YOU are the bottleneck, you need to know the speed of
the bottleneck of the link. So I'm afraid you are out of luck if you don't
know the exact modem speed.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Fri Oct 10 21:49:43 2003
From: stef.coene@docum.org (Stef Coene)
Date: Fri, 10 Oct 2003 22:49:43 +0200
Subject: [LARTC] Problem with tc filter (tc qdisc/class works ok)
In-Reply-To: <20031010200652.24837.qmail@web40107.mail.yahoo.com>
References: <20031010200652.24837.qmail@web40107.mail.yahoo.com>
Message-ID: <200310102249.43463.stef.coene@docum.org>

On Friday 10 October 2003 22:06, Praveen Mehrotra wrote:
> # tc filter add dev imq0 parent 10:0 protocol ip \
>   prio 1 u32 match u32 00100000 00ff0000 at 0 \
>   flowid 1:10
>
> All commands except the last one work fine.
So you have an error in your filter statement. I have the same error if I
execute it on my box. I'm not familiar with the u32 syntax, but check out the
docs for examples. I think you copied this filter command from the lartc
howto, but it's not working for me either.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From vadiraj@anubhav.deeproot.co.in Sat Oct 11 06:27:42 2003
From: vadiraj@anubhav.deeproot.co.in (Vadiraj C S)
Date: Sat, 11 Oct 2003 10:57:42 +0530 (IST)
Subject: [LARTC] flushing cache
In-Reply-To: <831411C4CBD37C4A91DBEC9B98A64C8B6C44D1@spmail.summitmedia.com.ph>
Message-ID:

Hi,

I have these two questions,

1] what is the minimum time for the route cache to get updated?
2] How do I change that time?

regards
Vadiraj C S

From blackoutz@yahoo.com Sat Oct 11 07:16:41 2003
From: blackoutz@yahoo.com (zain arrifa'i)
Date: Fri, 10 Oct 2003 23:16:41 -0700 (PDT)
Subject: [LARTC] which executed first, tc or netfilter
In-Reply-To: <002201c38f5d$6bf0cea0$b6c45380@engr.utexas.edu>
Message-ID: <20031011061641.18111.qmail@web40801.mail.yahoo.com>

I have several local networks connected to internet
via a gateway, acting as SNAT box as well as shaper
box.

in some occasions, I got confused about which one is
executed first inside the kernel; the SNAT rules
postrouting chain, or the tc filter rules that
classify packet for shaping/queueing.

I need to know which source address I should use in
the tc filter rules, the local IP source, or the
public IP that used for SNAT.

I have tried to look at tc -s ..show command result,
or iptables -L result, but I'm not convinced yet.

anybody has nice explanations about that?

thank you.

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

From =?ISO-8859-2?B?VmxhZGlt7XIgVPhlYmlja/0=?= Sat Oct 11 09:23:14 2003
From: =?ISO-8859-2?B?VmxhZGlt7XIgVPhlYmlja/0=?= (Vladimir Trebicky)
Date: Sat, 11 Oct 2003 10:23:14 +0200
Subject: [LARTC] How to get router involved in QoS?
Message-ID: <971097015.20031011102314@xhost.cz>

Hi,

I have a router which QoSes traffic for local network (both in and out direction).
I would also download traffic generated by router to be involved in QoS.
Link capacity is st about 800kbps and we shape it with htb to 512.

Is it possible?

Thanks,
--
Regards,
Vladimir Trebicky
mailto:trebicky@xhost.cz

From stef.coene@docum.org Sat Oct 11 10:45:01 2003
From: stef.coene@docum.org (Stef Coene)
Date: Sat, 11 Oct 2003 11:45:01 +0200
Subject: [LARTC] which executed first, tc or netfilter
In-Reply-To: <20031011061641.18111.qmail@web40801.mail.yahoo.com>
References: <20031011061641.18111.qmail@web40801.mail.yahoo.com>
Message-ID: <200310111145.01087.stef.coene@docum.org>

On Saturday 11 October 2003 08:16, zain arrifa'i wrote:
> I have several local networks connected to internet
> via a gateway, acting as SNAT box as well as shaper
> box.
>
> in some occasions, I got confused about which one is
> executed first inside the kernel; the SNAT rules
> postrouting chain, or the tc filter rules that
> classify packet for shaping/queueing.
>
> I need to know which source address I should use in
> the tc filter rules, the local IP source, or the
> public IP that used for SNAT.
>
> I have tried to look at tc -s ..show command result,
> or iptables -L result, but I'm not convinced yet.
>
> anybody has nice explanations about that?
Tc is the last thing that's done with a packet. So after SNAT and
postrouting. Also see the KPTD (Kernel Packet Traveling Diagram) page at
docum.org.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From kristiadi_himawan@dtp.net.id Sat Oct 11 14:01:04 2003
From: kristiadi_himawan@dtp.net.id (Kristiadi Himawan)
Date: Sat, 11 Oct 2003 20:01:04 +0700
Subject: [LARTC] >10Mbit on HTB
Message-ID: <009001c38ff7$ba52aba0$0aa02bca@sapari>

This is a multi-part message in MIME format.

------=_NextPart_000_008D_01C39032.669744E0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I want to try to shape 20-30Mbps traffic using HTB.
It's possible?
Anyone already try this?

Thanks.

------=_NextPart_000_008D_01C39032.669744E0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_008D_01C39032.669744E0--

From tgr@reeler.org Sat Oct 11 15:09:09 2003
From: tgr@reeler.org (Thomas Graf)
Date: Sat, 11 Oct 2003 16:09:09 +0200
Subject: [LARTC] Problem with tc filter (tc qdisc/class works ok)
In-Reply-To: <20031010200652.24837.qmail@web40107.mail.yahoo.com>
References: <200310102149.07345.stef.coene@docum.org> <20031010200652.24837.qmail@web40107.mail.yahoo.com>
Message-ID: <20031011140909.GA1302@rei.reeler.org>

Hi

> # tc filter add dev imq0 parent 10:0 protocol ip \
>   prio 1 u32 match u32 00100000 00ff0000 at 0 \
>   flowid 1:10
>
> All commands except the last one work fine.

I assume you're trying to match the tos field. u32 uses strtol
to read numeric values. Values prefixed with a 0 are assumed
to be octal you have to write 0x0011... and 0x00ff.... in order
to have it interpreted in hex.

Try this:
tc filter add dev imq parent 10:0 protocol ip \
  prio 1 u32 match ip tos 0x10 0xff flowid 1:10

Regards

--
Thomas GRAF

From kristiadi_himawan@dtp.net.id Sat Oct 11 15:28:10 2003
From: kristiadi_himawan@dtp.net.id (Kristiadi Himawan)
Date: Sat, 11 Oct 2003 21:28:10 +0700
Subject: [LARTC] >10Mbit on HTB
Message-ID: <00c801c39003$e5b32390$0aa02bca@sapari>

This is a multi-part message in MIME format.

------=_NextPart_000_00C5_01C3903E.920ACFA0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Below is the script:

tc qdisc del dev eth2 root
tc qdisc add dev eth2 root handle 1 htb default 10 r2q 100

tc class add dev eth2 parent 1: classid 1:2 htb rate 100Mbit

tc class add dev eth2 parent 1:2 classid 1:10 htb rate 20Mbit ceil 20Mbit
tc filter add dev eth2 parent 1:0 protocol ip prio 100 u32 match ip dst 202.xx.xxx.xx/26 classid 1:10

When i try to shape 20Mbit, there's dropped packet but i see the bandwidth not shaped to 20Mbit.
But when shape to 10Mbit, i see the bandwidth down to 13Mbit.

Any comment with this?

Thanks.
------=_NextPart_000_00C5_01C3903E.920ACFA0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_00C5_01C3903E.920ACFA0--

From lartc@24x7linux.com Sat Oct 11 16:51:49 2003
From: lartc@24x7linux.com (Jose Luis Domingo Lopez)
Date: Sat, 11 Oct 2003 17:51:49 +0200
Subject: [LARTC] >10Mbit on HTB
In-Reply-To: <009001c38ff7$ba52aba0$0aa02bca@sapari>
References: <009001c38ff7$ba52aba0$0aa02bca@sapari>
Message-ID: <20031011155148.GA5781@localhost>

On Saturday, 11 October 2003, at 20:01:04 +0700,
Kristiadi Himawan wrote:

> I want to try to shape 20-30Mbps traffic using HTB.
> It's possible? Anyone already try this?
>
Very well possible, and you don't need great hardware for this, if you
don't have a rather complex classification scenario.

Just for the record, in the middle of some network performance test for
some sort of appliance I capped outgoing speed to 25 Mbps on my PIII 600
MHz with a 3Com 100 Mbps card, and the box barely spends 1-2 % of CPU
transmitting at "full" speed (full = 25 Mbps).

Hope it helps.

--
Jose Luis Domingo Lopez
Linux Registered User #189436 Debian Linux Sid (Linux 2.6.0-test6-mm4-lirc)

From lartc@24x7linux.com Sat Oct 11 16:57:59 2003
From: lartc@24x7linux.com (Jose Luis Domingo Lopez)
Date: Sat, 11 Oct 2003 17:57:59 +0200
Subject: [LARTC] >10Mbit on HTB
In-Reply-To: <00c801c39003$e5b32390$0aa02bca@sapari>
References: <00c801c39003$e5b32390$0aa02bca@sapari>
Message-ID: <20031011155759.GB5781@localhost>

On Saturday, 11 October 2003, at 21:28:10 +0700,
Kristiadi Himawan wrote:

> Below is the script:
> [snipped]
>
The script seems correct, and very similar to what I use, except I don't
even need to set up a "filter" to direct traffic, because in my tests I
just need to limit the output to some speed.

> When i try to shape 20Mbit, there's dropped packet but i see the bandwidth not shaped to 20Mbit.
> But when shape to 10Mbit, i see the bandwidth down to 13Mbit.
>
Some time ago there was a report from someone who tried HTB in 2.5.x
kernels and saw a strange behaviour. For details, check:
http://bugme.osdl.org/show_bug.cgi?id=657

In short, it seems bandwidth limiting behaves strange for different
outgoing packet sizes.

Regards.

--
Jose Luis Domingo Lopez
Linux Registered User #189436 Debian Linux Sid (Linux 2.6.0-test6-mm4-lirc)

From Dragoş C."

Salut lartc (lartc@mailman.ds9a.nl),

18:12:52 kernel HTB init, kernel part version 3.10
18:12:52 kernel HTB: quantum of class 100001 is small. Consider r2q change.
18:12:52 kernel HTB: quantum of class 100002 is small. Consider r2q change.
18:12:52 kernel HTB: quantum of class 100003 is small. Consider r2q change.
18:12:52 kernel HTB: quantum of class 100004 is small. Consider r2q change.
18:12:53 kernel HTB: quantum of class 100005 is small. Consider r2q change.
18:12:53 kernel HTB: quantum of class 100006 is small. Consider r2q change.
18:12:53 kernel HTB: quantum of class 100007 is small. Consider r2q change.

I get this in my logs. I tried to specify another r2q but I did not succeed.
Can anyone help me please?

Here's my script:

tc qdisc add dev eth1 root handle 10: htb
tc class add dev eth1 parent 10: classid 10:10 htb rate 125kbit ceil 125kbit burst 1k

tc class add dev eth1 parent 10:10 classid 10:1 htb rate 18kbit ceil 125kbit prio 2 burst 1k
tc qdisc add dev eth1 parent 10:1 handle 1: sfq perturb 10
tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.1 flowid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.1 flowid 10:1

tc class add dev eth1 parent 10:10 classid 10:2 htb rate 18kbit ceil 125kbit prio 2 burst 1k
tc qdisc add dev eth1 parent 10:2 handle 2: sfq perturb 10
tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.2 flowid 10:2
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.2 flowid 10:2

.....

tc class add dev eth1 parent 10:10 classid 10:7 htb rate 18kbit ceil 125kbit prio 2 burst 1k
tc qdisc add dev eth1 parent 10:7 handle 7: sfq perturb 10
tc filter add dev eth1 parent 10: protocol ip handle 7 fw classid 10:7
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.7 flowid 10:7
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.7 flowid 10:7

EOF
TheBat! 2.00.6 natural e-mail system™

From stef.coene@docum.org Sat Oct 11 19:10:10 2003
From: stef.coene@docum.org (Stef Coene)
Date: Sat, 11 Oct 2003 20:10:10 +0200
Subject: [LARTC] HTB: quantum of class 100001 is small. Consider r2q change
In-Reply-To: <18322577715.20031011205419@web.de>
References: <18322577715.20031011205419@web.de>
Message-ID: <200310112010.10379.stef.coene@docum.org>

On Saturday 11 October 2003 19:54, Dragoş Cinteză wrote:
> Salut lartc (lartc@mailman.ds9a.nl),
>
>
> 18:12:52 kernel HTB init, kernel part version 3.10
> 18:12:52 kernel HTB: quantum of class 100001 is small. Consider r2q change.
> 18:12:52 kernel HTB: quantum of class 100002 is small. Consider r2q change.
> 18:12:52 kernel HTB: quantum of class 100003 is small. Consider r2q change.
> 18:12:52 kernel HTB: quantum of class 100004 is small. Consider r2q change.
> 18:12:53 kernel HTB: quantum of class 100005 is small. Consider r2q change.
> 18:12:53 kernel HTB: quantum of class 100006 is small. Consider r2q change.
> 18:12:53 kernel HTB: quantum of class 100007 is small. Consider r2q change.
>
> I get this in my logs. I tried to specify another r2q but I did not
> succeed. Can anyone help me please?
>
> Here's my script:
>
> tc qdisc add dev eth1 root handle 10: htb
> tc class add dev eth1 parent 10: classid 10:10 htb rate 125kbit ceil 125kbit burst 1k
>
> tc class add dev eth1 parent 10:10 classid 10:1 htb rate 18kbit ceil 125kbit prio 2 burst 1k
> tc qdisc add dev eth1 parent 10:1 handle 1: sfq perturb 10
> tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
> tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.1 flowid 10:1
> tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.1 flowid 10:1
>
> tc class add dev eth1 parent 10:10 classid 10:2 htb rate 18kbit ceil 125kbit prio 2 burst 1k
> tc qdisc add dev eth1 parent 10:2 handle 2: sfq perturb 10
> tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
> tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.2 flowid 10:2
> tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.2 flowid 10:2
>
> .....
>
> tc class add dev eth1 parent 10:10 classid 10:7 htb rate 18kbit ceil 125kbit prio 2 burst 1k
> tc qdisc add dev eth1 parent 10:7 handle 7: sfq perturb 10
> tc filter add dev eth1 parent 10: protocol ip handle 7 fw classid 10:7
> tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.7 flowid 10:7
> tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.7 flowid 10:7
I have some info on the faq page on docum.org about r2q and quantum. The
rules (for each class) :
quantum = rate (in byte) / r2q
and
1500 < quantum < 60000.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From sufcrusher@zonnet.nl Sat Oct 11 22:51:22 2003
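
The r2q rule quoted in the reply above, applied to the class lines of the script in that thread. This is an added example, not code from any poster or from the HTB project. The function names are hypothetical, and it assumes htb's default r2q of 10, decimal rate units (1 kbit = 1000 bit/s) and that the 1500/60000 bounds from the reply apply to every class line.

```python
import re

QUANTUM_MIN = 1500    # lower bound of the rule quoted in the reply
QUANTUM_MAX = 60000   # upper bound of the rule quoted in the reply
DEFAULT_R2Q = 10      # htb default when the qdisc line sets no r2q

# Assumption: decimal units (1 kbit = 1000 bit/s); older tc builds may use 1024.
BITS_PER_UNIT = {"": 1, "bit": 1, "kbit": 10**3, "mbit": 10**6, "gbit": 10**9,
                 "bps": 8, "kbps": 8 * 10**3, "mbps": 8 * 10**6}

# Constructed input: the qdisc line and first class lines of the posted script.
PAGE_SCRIPT = """\
tc qdisc add dev eth1 root handle 10: htb
tc class add dev eth1 parent 10: classid 10:10 htb rate 125kbit ceil 125kbit burst 1k
tc class add dev eth1 parent 10:10 classid 10:1 htb rate 18kbit ceil 125kbit prio 2 burst 1k
tc class add dev eth1 parent 10:10 classid 10:2 htb rate 18kbit ceil 125kbit prio 2 burst 1k
"""


def rate_bytes_per_sec(text):
    """Convert a tc rate such as '18kbit' or '100Mbit' to bytes per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]*)", text.lower())
    if not m or m.group(2) not in BITS_PER_UNIT:
        raise ValueError(f"unrecognised tc rate: {text!r}")
    return float(m.group(1)) * BITS_PER_UNIT[m.group(2)] / 8


def _option(words, name):
    """Token following keyword `name`, or None if the keyword is absent."""
    if name in words:
        i = words.index(name)
        if i + 1 < len(words):
            return words[i + 1]
    return None


def parse_htb(script):
    """Return (r2q, classes) read from 'tc qdisc add' / 'tc class add' htb lines."""
    r2q, classes = DEFAULT_R2Q, []
    for line in script.splitlines():
        words = line.split()
        if "htb" not in words:
            continue
        if words[:3] == ["tc", "qdisc", "add"] and _option(words, "r2q"):
            r2q = int(_option(words, "r2q"))
        elif words[:3] == ["tc", "class", "add"] and _option(words, "rate"):
            explicit = _option(words, "quantum")
            classes.append({"classid": _option(words, "classid"),
                            "rate": rate_bytes_per_sec(_option(words, "rate")),
                            "quantum": int(explicit) if explicit else None})
    return r2q, classes


def audit(script, r2q=None):
    """List (classid, quantum, verdict) per class; `r2q` overrides the script's."""
    parsed_r2q, classes = parse_htb(script)
    r2q = parsed_r2q if r2q is None else r2q
    report = []
    for c in classes:
        quantum = c["quantum"] if c["quantum"] is not None else int(c["rate"] / r2q)
        if quantum <= QUANTUM_MIN:
            verdict = "small"
        elif quantum >= QUANTUM_MAX:
            verdict = "big"
        else:
            verdict = "ok"
        report.append((c["classid"], quantum, verdict))
    return report


def usable_r2q(script):
    """(lowest, highest) r2q keeping every class without an explicit quantum
    inside the bounds, or None when no single value fits all of them."""
    _, classes = parse_htb(script)
    rates = [c["rate"] for c in classes if c["quantum"] is None]
    if not rates:
        return None
    good = [r for r in range(1, int(max(rates) // QUANTUM_MIN) + 2)
            if all(QUANTUM_MIN < int(rate / r) < QUANTUM_MAX for rate in rates)]
    return (good[0], good[-1]) if good else None


if __name__ == "__main__":
    for classid, quantum, verdict in audit(PAGE_SCRIPT):
        print(f"class {classid}: quantum {quantum} bytes -> {verdict}")
    print("usable r2q range:", usable_r2q(PAGE_SCRIPT))
```

When no single r2q fits every class, HTB also accepts an explicit `quantum` on a class line, which `audit` honours in place of the computed value.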
From: sufcrusher@zonnet.nl (sufcrusher)
Date: Sat, 11 Oct 2003 23:51:22 +0200
Subject: [LARTC] Plz comment on my ezshaper script
References: <20031010200652.24837.qmail@web40107.mail.yahoo.com> <200310102249.43463.stef.coene@docum.org>
Message-ID: <003901c39041$e408c5c0$3303a8c0@p951>

Hi

I finally had some time to clean up (read: completely re-write) the shaper script I've been using for over a year now. I was hoping it would be useful to others, but before I "release" it, I would like some comments from you guys. Please let me know about any bugs, annoyances or ideas.

The script (ezshaper) is a "simple" bash script (although pretty large) with very few extra dependencies (I'm planning on running it on an IPCop box soon). Basically all it really needs are iptables and tc (htb version).

At the moment ezshaper is intended for simple situations like this:

LAN <-----> Linux Firewall/router <------> Internet

But I believe it could be used in (or adapted to) other situations as well.

Ezshaper reads a simple config file (ezshaper.cfg) that contains the definitions for the tc classes (with prio, rates and ceils) and the rules to mark packets for each class. Ezshaper generates iptables and tc commands from that. I believe I have made the syntax in the cfg file as easy as possible, but you can also include more complex iptables options (matches etc) for more advanced rules. There are some restrictions I might fix some day.

The ezshaper script itself can be run with several options (e.g.: -h for help; -d for debugmode) and then a command (start, stop, status, ...). In the "status" command I added a nice easy-to-read table showing all classes and the most important statistics.

Any comments are welcome!
Thanks,
Jannes Faber

[Attachment: ezshaper-1.0rc.tar.gz]
From Dragoş C."

Hi lartc members,

I only ACCEPT 7 IPs in the FORWARD chain, filtering by IP and MAC. Everything worked fine until I needed to forward ports. The problem is that the nat PREROUTING chain is traversed before the filter FORWARD chain and this way the packets change their source and are not allowed to pass FORWARD that is restricted to only 7 IPs.

I use these rules to forward the port:

iptables -t nat -A PREROUTING -p tcp --dport -i -j DNAT --to : -d
iptables -t nat -A PREROUTING -p udp --dport -i -j DNAT --to : -d

and this on the FORWARD chain that has a default policy to DROP:

iptables -A FORWARD -i -s 192.168.1.1 -m mac --mac-source xx-xx-xx-xx-xx-xx -j ACCEPT

Can I identify the marked packets to use them in iptables rules? This would help in this situation because the packets traverse first the mangle table, get marked, then traverse the nat table where the source IP is changed, and in the filter table, if it would be possible to use the marks, I would identify the packets even if the source IP is changed.

Regards

From mnovo@redisis.com Sun Oct 12 12:08:39 2003
From: mnovo@redisis.com (Miguel A. Novo)
Date: Sun, 12 Oct 2003 13:08:39 +0200
Subject: [LARTC] couldn't get available bandwith
Message-ID: <000001c390b1$311de600$0100a8c0@redisis.com>

Hello all.

We have three tunnels over the internet between our "central" gateway and some branch office gateway. Each gateway has eth0 on its LAN and eth1 on the internet. We use DSL lines and the eth1's have the internet IP directly attached to them. Each gateway, also, acts as iptables NAT gateway.

The outgoing bandwidth is 300 kbit, and we tried this (i.e.) on each tunnel:

tc qdisc add dev tun2 handle 1:0 root dsmark indices 4 default_index 0
tc qdisc add dev tun2 handle 2:0 parent 1:0 htb
tc class add dev tun2 parent 2:0 classid 2:1 htb rate 4000bps ceil 4000bps
tc class add dev tun2 parent 2:1 classid 2:2 htb rate 250bps ceil 1000bps
tc qdisc add dev tun2 handle 3:0 parent 2:2 sfq
tc class add dev tun2 parent 2:1 classid 2:3 htb rate 250bps ceil 3500bps
tc qdisc add dev tun2 handle 4:0 parent 2:3 sfq
tc class add dev tun2 parent 2:1 classid 2:4 htb rate 3250bps ceil 4000bps
tc qdisc add dev tun2 handle 5:0 parent 2:4 sfq
tc filter add dev tun2 parent 2:0 protocol all prio 1 tcindex mask 0x3 shift 0
tc filter add dev tun2 parent 2:0 protocol all prio 1 handle 3 tcindex classid 2:4
tc filter add dev tun2 parent 2:0 protocol all prio 1 handle 2 tcindex classid 2:3
tc filter add dev tun2 parent 2:0 protocol all prio 1 handle 1 tcindex classid 2:2
tc filter add dev tun2 parent 1:0 protocol all prio 1 handle 1:0:0 u32 divisor 1
tc filter add dev tun2 parent 1:0 protocol all prio 1 u32 match u8 0x6 0xff at 9 offset at 0 mask 0f00 shift 6 eat link 1:0:0
tc filter add dev tun2 parent 1:0 protocol all prio 1 handle 1:0:1 u32 ht 1:0:0 match u16 0x16 0xffff at 0 classid 1:1
tc filter add dev tun2 parent 1:0 protocol all prio 1 handle 2:0:0 u32 divisor 1
tc filter add dev tun2 parent 1:0 protocol all prio 1 u32 match u8 0x6 0xff at 9 offset at 0 mask 0f00 shift 6 eat link 2:0:0
tc filter add dev tun2 parent 1:0 protocol all prio 1 handle 2:0:1 u32 ht 2:0:0 match u16 0x19 0xffff at 2 classid 1:2
tc filter add dev tun2 parent 1:0 protocol all prio 1 u32 match u32 0x0 0x0 at 0 classid 1:3

We try to classify SSH and SMTP and limit them to 2 kbytes/sec. They could get more bandwidth if available. Other traffic must get more bandwidth in all circumstances.

Also, tc -s "says":

tc -s -d class show dev tun2

class htb 2:1 root rate 4000bps ceil 4000bps burst 1639b/8 mpu 0b cburst 1639b/8 mpu 0b level 7
 Sent 1671352 bytes 2143 pkts (dropped 0, overlimits 0)
 lended: 937 borrowed: 0 giants: 0
 tokens: 319488 ctokens: 319488

class htb 2:2 parent 2:1 leaf 3: prio 0 quantum 1000 rate 250bps ceil 1000bps burst 1601b/8 mpu 0b cburst 1609b/8 mpu 0b level 0
 Sent 73221 bytes 99 pkts (dropped 0, overlimits 0)
 lended: 52 borrowed: 47 giants: 0
 tokens: -4594059 ctokens: 1132136

class htb 2:3 parent 2:1 leaf 4: prio 0 quantum 1000 rate 250bps ceil 3500bps burst 1601b/8 mpu 0b cburst 1634b/8 mpu 0b level 0
 Sent 1227729 bytes 857 pkts (dropped 0, overlimits 0)
 lended: 70 borrowed: 787 giants: 0
 tokens: -265392 ctokens: 360214

class htb 2:4 parent 2:1 leaf 5: prio 0 quantum 1000 rate 3250bps ceil 4000bps burst 1631b/8 mpu 0b cburst 1639b/8 mpu 0b level 0
 Sent 370402 bytes 1187 pkts (dropped 0, overlimits 0)
 lended: 1084 borrowed: 103 giants: 0
 tokens: 391201 ctokens: 319488

AND

tc -s -d qdisc show dev tun2

qdisc sfq 5: quantum 1450b limit 128p flows 128/1024
 Sent 370402 bytes 1187 pkts (dropped 0, overlimits 0)
qdisc sfq 4: quantum 1450b limit 128p flows 128/1024
 Sent 1227729 bytes 857 pkts (dropped 0, overlimits 0)
qdisc sfq 3: quantum 1450b limit 128p flows 128/1024
 Sent 73221 bytes 99 pkts (dropped 0, overlimits 0)
qdisc htb 2: r2q 10 default 0 direct_packets_stat 0 ver 3.7
 Sent 1671352 bytes 2143 pkts (dropped 0, overlimits 2823)
qdisc dsmark 1: indices 0x0004 default_index 0x0000
 Sent 1671352 bytes 2143 pkts (dropped 0, overlimits 0)

but if we send big emails, when it "passes" through tun2, and in the absence of other traffic, it only gets about 45 kbit/sec. Apparently, SMTP gets the bandwidth limitation, but it doesn't get the available bandwidth.

Any light on it?

--Miguel

From gymer@odense.kollegienet.dk Sun Oct 12 19:01:21 2003
From: gymer@odense.kollegienet.dk (Lasse B. Jensen)
Date: Sun, 12 Oct 2003 20:01:21 +0200 (CEST)
Subject: [LARTC] Timeout problem !
Message-ID:

Hey all

I have 5 adsl lines and have the following setup:

        INTERNET
------------------------
ADSL lines 192.168.1.1-5
------------------------
   |   |   |   |   |
       ---------
        switch
       ---------
           |
       ---------
         eth1
     linux nat box
         eth0
       ---------
           |
       ---------
          LAN

Right now I do the following, which is working correctly:

I mark incoming packets via mark in iptables; connections are marked 1-5.
Then via 5 ip route tables adsl1-5, in each of them I specify the gateway (one of the adsl lines 192.168.1.1-5).

This all works correctly. However, I would like to have all adsl lines on multipath.

I have tried:

Marking all traffic with mark 1
ip route table adsl1
ip route add table adsl1 default equalize proto static nexthop via 192.168.1.1 dev eth1 nexthop via 192.168.1.2 dev eth1 nexthop via 192.168.1.3 dev eth1 nexthop via 192.168.1.4 dev eth1 nexthop via 192.168.1.5 dev eth1

I have applied the patches to the kernel from http://www.ssi.bg/~ja/#routes
I have a "ping-operation" in the background as described in the dgd-usage.txt

All traffic is now sent via one of the adsl lines, everything seems to work, but !!!!

Programs from the lan computer seem to time out. I have tried quite a few things but nothing seems to work!

Please help ;)

LBJ

From Wilfried.Weissmann@gmx.at Wed Oct 8 17:56:31 2003
From: Wilfried.Weissmann@gmx.at (Wilfried Weissmann)
Date: Wed, 08 Oct 2003 18:56:31 +0200
Subject: [LARTC] htb v3 not as good as htb v2?
References: <3F8415EA.8080401@dg.net.ua>
Message-ID: <3F8441BF.5070706@gmx.at>

Anton Yurchenko wrote:
> Hello,
>
> I've been using htb v2 for more than a year without any major problems.
> Recently I needed to upgrade to a newer kernel because of non-LARTC
> related issues. After installing 2.4.22, when the htb qdisc was attached
> to the interface even without any rules, I was not able to send more than
> ~1mbit through the interface. After I reversed the htb3 patch and
> rebuilt with htb2 everything works as normal. Has anyone experienced the
> same issue? thanks
>

Check your burst and quantum settings. Maybe they are too low.

bye,
wilfried

From damion@snapgear.com Mon Oct 13 04:48:19 2003
From: damion@snapgear.com (Damion de Soto)
Date: Mon, 13 Oct 2003 13:48:19 +1000
Subject: PATCH : [Re: [Fwd: [LARTC] broadcast over gre tunnel?]]
Message-ID: <3F8A2083.80903@snapgear.com>

Hi Guys,

Here is our patch to allow broadcast packets over a GRE tunnel. Hopefully it might be accepted into the source someday.

You need to enable bridging and GRE tunnels in your kernel. No other options are required. The gre patch determines what type of protocol type to put in the GRE header based on whether the packet is forwarded from a bridge or not.

To use the patch:

# Create your GRE tunnel
ip tunnel add gre1 mode gre remote 10.4.4.1 local 10.4.4.2
ifconfig gre1 up

# Bring the ethernet device up
ifconfig eth1 up

# Create the bridge and add the devices:
brctl addbr br0
brctl addif br0 gre1
brctl addif br0 eth1
ifconfig br0 10.4.1.1 netmask 255.255.255.0 broadcast 10.4.1.255

regards

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer  email: damion@snapgear.com
SnapGear ---                        ph: +61 7 3435 2809
 | Custom Embedded Solutions        fax: +61 7 3891 3630
 | and Security Appliances          web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- Free Embedded Linux Distro at http://www.snapgear.org ---

[Inline attachment: gre_bridging.diff]

diff -ru linux-2.4.22/include/linux/if_tunnel.h linux-2.4.22.patched/include/linux/if_tunnel.h --- linux-2.4.22/include/linux/if_tunnel.h Mon Dec 1 08:00:38 1997 +++ linux-2.4.22.patched/include/linux/if_tunnel.h Wed Oct 8 15:26:00 2003
@@ -15,6 +15,8 @@ #define GRE_FLAGS __constant_htons(0x00F8) #define GRE_VERSION __constant_htons(0x0007) +#define GRE_P_ETH_BR __constant_htons(0x6558) + struct ip_tunnel_parm { char name[IFNAMSIZ]; diff -ru linux-2.4.22/net/bridge/br_if.c linux-2.4.22.patched/net/bridge/br_if.c --- linux-2.4.22/net/bridge/br_if.c Mon Aug 25 21:44:44 2003 +++ linux-2.4.22.patched/net/bridge/br_if.c Wed Oct 8 14:45:46 2003 @@ -226,8 +226,10 @@ if (dev->br_port != NULL) return -EBUSY; +#if 0 if (dev->flags & IFF_LOOPBACK || dev->type != ARPHRD_ETHER) return -EINVAL; +#endif if (dev->hard_start_xmit == br_dev_xmit) return -ELOOP; diff -ru linux-2.4.22/net/ipv4/ip_gre.c linux-2.4.22.patched/net/ipv4/ip_gre.c --- linux-2.4.22/net/ipv4/ip_gre.c Mon Aug 25 21:44:44 2003 +++ linux-2.4.22.patched/net/ipv4/ip_gre.c Wed Oct 8 14:45:46 2003 @@ -18,6 +18,7 @@ #include #include #include +#include #include #include #include @@ -119,6 +120,14 @@ static int ipgre_fb_tunnel_init(struct net_device *dev); + +/* + * we need a special function to be able to be able to pull the ethernet + * buffer out. It is nearly the same as the eth_type_trans structure except + * the header size is adjusted. + */ +unsigned short gre_eth_type_trans(struct sk_buff *skb, struct net_device *dev); + static struct net_device ipgre_fb_tunnel_dev = { "gre0", 0x0, 0x0, 0x0, 0x0, 0, 0, 0, 0, 0, NULL, ipgre_fb_tunnel_init, }; @@ -566,6 +575,7 @@ u32 seqno = 0; struct ip_tunnel *tunnel; int offset = 4; + unsigned short proto; if (!pskb_may_pull(skb, 16)) goto drop_nolock; @@ -573,6 +583,7 @@ iph = skb->nh.iph; h = skb->data; flags = *(u16*)h; + proto = *(u16*)(h+2); if (flags&(GRE_CSUM|GRE_KEY|GRE_ROUTING|GRE_SEQ|GRE_VERSION)) { /* - Version must be 0. 
@@ -606,23 +617,6 @@ read_lock(&ipgre_lock); if ((tunnel = ipgre_tunnel_lookup(iph->saddr, iph->daddr, key)) != NULL) { - skb->mac.raw = skb->nh.raw; - skb->nh.raw = __pskb_pull(skb, offset); - memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options)); - if (skb->ip_summed == CHECKSUM_HW) - skb->csum = csum_sub(skb->csum, - csum_partial(skb->mac.raw, skb->nh.raw-skb->mac.raw, 0)); - skb->protocol = *(u16*)(h + 2); - skb->pkt_type = PACKET_HOST; -#ifdef CONFIG_NET_IPGRE_BROADCAST - if (MULTICAST(iph->daddr)) { - /* Looped back packet, drop it! */ - if (((struct rtable*)skb->dst)->key.iif == 0) - goto drop; - tunnel->stat.multicast++; - skb->pkt_type = PACKET_BROADCAST; - } -#endif if (((flags&GRE_CSUM) && csum) || (!(flags&GRE_CSUM) && tunnel->parms.i_flags&GRE_CSUM)) { 
@@ -639,6 +633,70 @@ } tunnel->i_seqno = seqno + 1; } + + if (proto == GRE_P_ETH_BR) { + struct sk_buff *skb2; + + /* Pull off the offset. */ + skb->mac.raw = __pskb_pull(skb, offset); +//#define OLD_WAY +#ifndef OLD_WAY + /* ensure it is linear so we can simply copy the data out */ + skb_linearize(skb, GFP_ATOMIC); + + skb2 = dev_alloc_skb(skb->len+2); + if (!skb2) { + printk(KERN_ERR "Memory squeeze.\n"); + goto drop; + } + + skb2->dev = tunnel->dev; + + /* Packet allignment apparently. */ + skb_reserve(skb2, 2); + + /* copy data and then set length */ + memcpy(skb2->data, skb->data, skb->len); + skb_put(skb2, skb->len); + + /* setup protocol */ + skb2->protocol = gre_eth_type_trans(skb2, tunnel->dev); + + /* update counters */ + tunnel->stat.rx_packets++; + tunnel->stat.rx_bytes += skb->len; + +#ifdef CONFIG_NETFILTER + nf_conntrack_put(skb->nfct); +#endif + kfree_skb(skb); + + netif_rx(skb2); + + read_unlock(&ipgre_lock); + return(0); +#else + skb->protocol = gre_eth_type_trans(skb, tunnel->dev); +#endif + } else { + skb->mac.raw = skb->nh.raw; + skb->nh.raw = __pskb_pull(skb, offset); + memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options)); + if (skb->ip_summed == CHECKSUM_HW) + skb->csum = csum_sub(skb->csum, + csum_partial(skb->mac.raw, skb->nh.raw-skb->mac.raw, 0)); + skb->protocol = *(u16*)(h + 2); + skb->pkt_type = PACKET_HOST; +#ifdef CONFIG_NET_IPGRE_BROADCAST + if (MULTICAST(iph->daddr)) { + /* Looped back packet, drop it! */ + if (((struct rtable*)skb->dst)->key.iif == 0) + goto drop; + tunnel->stat.multicast++; + skb->pkt_type = PACKET_BROADCAST; + } +#endif + } tunnel->stat.rx_packets++; tunnel->stat.rx_bytes += skb->len; skb->dev = tunnel->dev; @@ -687,6 +745,8 @@ u32 dst; int mtu; +// printk(KERN_INFO "xmit - %d\n", skb->len); + if (tunnel->recursion++) { tunnel->stat.collisions++; goto tx_error; @@ -736,7 +796,7 @@ dst = addr6->s6_addr32[3]; } #endif - else + else goto tx_error; } 
@@ -765,38 +825,44 @@ else mtu = skb->dst ? skb->dst->pmtu : dev->mtu; - if (skb->protocol == htons(ETH_P_IP)) { - if (skb->dst && mtu < skb->dst->pmtu && mtu >= 68) - skb->dst->pmtu = mtu; - - df |= (old_iph->frag_off&htons(IP_DF)); - - if ((old_iph->frag_off&htons(IP_DF)) && - mtu < ntohs(old_iph->tot_len)) { - icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu)); - ip_rt_put(rt); - goto tx_error; + /* + * If we are not being used as an ethernet bridge, then we want to + * honour fragmentation stuff. + */ + if (!dev->br_port) { + if (skb->protocol == __constant_htons(ETH_P_IP)) { + if (skb->dst && mtu < skb->dst->pmtu && mtu >= 68) + skb->dst->pmtu = mtu; + + df |= (old_iph->frag_off&__constant_htons(IP_DF)); + + if ((old_iph->frag_off&__constant_htons(IP_DF)) && + mtu < ntohs(old_iph->tot_len)) { + icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu)); + ip_rt_put(rt); + goto tx_error; + } } - } #ifdef CONFIG_IPV6 - else if (skb->protocol == htons(ETH_P_IPV6)) { - struct rt6_info *rt6 = (struct rt6_info*)skb->dst; + else if (skb->protocol == __constant_htons(ETH_P_IPV6)) { + struct rt6_info *rt6 = (struct rt6_info*)skb->dst; - if (rt6 && mtu < rt6->u.dst.pmtu && mtu >= IPV6_MIN_MTU) { - if ((tunnel->parms.iph.daddr && !MULTICAST(tunnel->parms.iph.daddr)) || - rt6->rt6i_dst.plen == 128) { - rt6->rt6i_flags |= RTF_MODIFIED; - skb->dst->pmtu = mtu; + if (rt6 && mtu < rt6->u.dst.pmtu && mtu >= IPV6_MIN_MTU) { + if ((tunnel->parms.iph.daddr && !MULTICAST(tunnel->parms.iph.daddr)) || + rt6->rt6i_dst.plen == 128) { + rt6->rt6i_flags |= RTF_MODIFIED; + skb->dst->pmtu = mtu; + } } - } - if (mtu >= IPV6_MIN_MTU && mtu < skb->len - tunnel->hlen + gre_hlen) { - icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, dev); - ip_rt_put(rt); - goto tx_error; + if (mtu >= IPV6_MIN_MTU && mtu < skb->len - tunnel->hlen + gre_hlen) { + icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, dev); + ip_rt_put(rt); + goto tx_error; + } } - } #endif + } if (tunnel->err_count > 0) { if 
(jiffies - tunnel->err_time < IPTUNNEL_ERR_TIMEO) { @@ -807,7 +873,10 @@ tunnel->err_count = 0; } - skb->h.raw = skb->nh.raw; + /* + * This is only the case for ethernet frames!! + */ + skb->h.raw = skb->mac.raw; max_headroom = ((tdev->hard_header_len+15)&~15)+ gre_hlen; @@ -831,6 +900,7 @@ memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); dst_release(skb->dst); skb->dst = &rt->u.dst; +// printk("%d-%s", skb->len, rt->u.dst.dev->name); /* * Push down and install the IPIP header. @@ -839,7 +909,7 @@ iph = skb->nh.iph; iph->version = 4; iph->ihl = sizeof(struct iphdr) >> 2; - iph->frag_off = df; + iph->frag_off = 0;//__constant_htons(IP_DF); iph->protocol = IPPROTO_GRE; iph->tos = ipgre_ecn_encapsulate(tos, old_iph, skb); iph->daddr = rt->rt_dst; @@ -857,7 +927,11 @@ } ((u16*)(iph+1))[0] = tunnel->parms.o_flags; - ((u16*)(iph+1))[1] = skb->protocol; + + if (dev->br_port) + ((u16*)(iph+1))[1] = GRE_P_ETH_BR; + else + ((u16*)(iph+1))[1] = skb->protocol; if (tunnel->parms.o_flags&(GRE_KEY|GRE_CSUM|GRE_SEQ)) { u32 *ptr = (u32*)(((u8*)iph) + tunnel->hlen - 4); 
@@ -1254,6 +1328,63 @@ dev_hold(dev); tunnels_wc[0] = &ipgre_fb_tunnel; return 0; +} + +unsigned short gre_eth_type_trans(struct sk_buff *skb, struct net_device *dev) +{ + struct ethhdr *eth; + unsigned char *rawp; + + skb->mac.raw=skb->data; + + /* + * hack - we don't actually want to pull the hard header length, we + * want to pull the ethernet frame header. + */ + skb_pull(skb, ETH_HLEN); + eth= skb->mac.ethernet; + + if(*eth->h_dest&1) + { + if(memcmp(eth->h_dest,dev->broadcast, ETH_ALEN)==0) + skb->pkt_type=PACKET_BROADCAST; + else + skb->pkt_type=PACKET_MULTICAST; + } + + /* + * This ALLMULTI check should be redundant by 1.4 + * so don't forget to remove it. + * + * Seems, you forgot to remove it. All silly devices + * seems to set IFF_PROMISC. + */ + + else if(1 /*dev->flags&IFF_PROMISC*/) + { + if(memcmp(eth->h_dest,dev->dev_addr, ETH_ALEN)) + skb->pkt_type=PACKET_OTHERHOST; + } + + if (ntohs(eth->h_proto) >= 1536) + return eth->h_proto; + + rawp = skb->data; + + /* + * This is a magic hack to spot IPX packets. Older Novell breaks + * the protocol design and runs IPX over 802.3 without an 802.2 LLC + * layer. We look for FFFF which isn't a used 802.2 SSAP/DSAP. This + * won't work for fault tolerant netware but does for the rest. + */ + if (*(unsigned short *)rawp == 0xFFFF) + return htons(ETH_P_802_3); + + /* + * Real 802.2 LLC + */ + return htons(ETH_P_802_2); + } --------------070109030507080103090709-- From util@deuroconsult.ro Mon Oct 13 06:16:48 2003 
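Review bot: in the hunk at @@ -765,38 +825,44 @@, putting the whole PMTU block inside `if (!dev->br_port)` means a bridged frame larger than the tunnel MTU triggers neither ICMP_FRAG_NEEDED nor ICMPV6_PKT_TOOBIG and is encapsulated anyway. The new comment ("honour fragmentation stuff") should state what is expected to happen to oversized frames in bridge mode. The htons() to __constant_htons() substitutions are unrelated to the br_port logic and would be easier to review as a separate change.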
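Review bot: the comment added in the @@ -807,7 +873,10 @@ hunk says this "is only the case for ethernet frames", yet `skb->h.raw = skb->mac.raw;` replaces `skb->h.raw = skb->nh.raw;` unconditionally, so ordinary routed tunnels get the new value too. Guard it like the other hunks do: keep the old assignment unless `dev->br_port` is set.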
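Review bot: the only change in the @@ -831,6 +900,7 @@ hunk is a commented-out debug line (`// printk("%d-%s", ...)`). Please drop it; it adds noise and uses a C++-style comment where the surrounding code uses /* */.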
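Review bot: `iph->frag_off = 0;//__constant_htons(IP_DF);` in the @@ -839,7 +909,7 @@ hunk clears DF on the outer header for every GRE tunnel, not only when `dev->br_port` is set, and as far as the visible hunks show it leaves the `df` value computed in the first hunk without a user. That changes path-MTU behaviour for existing routed tunnels. Suggest selecting per mode, for example `iph->frag_off = dev->br_port ? 0 : df;`, and removing the commented-out remnant.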
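Review bot: in the @@ -857,7 +927,11 @@ hunk the bridged branch stores `GRE_P_ETH_BR` directly into the GRE protocol field, while the other branch stores `skb->protocol`, which is already in network byte order. The definition of `GRE_P_ETH_BR` is not visible in this part of the patch, so please confirm it is defined in network byte order (or wrap it in htons()) and add a comment naming the ethertype it stands for.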
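Review bot: `gre_eth_type_trans()` in the @@ -1254,6 +1328,63 @@ hunk calls `skb_pull(skb, ETH_HLEN)` and then reads `eth->h_dest`, `eth->h_proto` and `*(unsigned short *)rawp` without first checking that the packet holds that many bytes. The function sets `skb->pkt_type`, so it appears to run on received, decapsulated frames, where the length is controlled by the sender; add a length check before the pull and drop short frames. The `else if(1 /*dev->flags&IFF_PROMISC*/)` condition and the "don't forget to remove it" comment are dead weight here: either restore the real test or remove the condition, and document why the tunnel needs its own helper.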
From: util@deuroconsult.ro (Catalin BOIE)
Date: Mon, 13 Oct 2003 08:16:48 +0300 (EEST)
Subject: [LARTC] >10Mbit on HTB
In-Reply-To: <009001c38ff7$ba52aba0$0aa02bca@sapari>
References: <009001c38ff7$ba52aba0$0aa02bca@sapari>
Message-ID:

On Sat, 11 Oct 2003, Kristiadi Himawan wrote:

> I want to try to shape 20-30Mbps traffic using HTB.
> It's possible? Anyone already try this?

Yes. It's working very good.
You may want to use hashes if you have a lot of filters.

>
> Thanks.
>

---
Catalin(ux) BOIE
catab@deuroconsult.ro

From Павел Мальков Mon Oct 13 06:36:30 2003
From: Павел Мальков (Павел Мальков)
Date: Mon, 13 Oct 2003 09:36:30 +0400
Subject: [LARTC] kernel panic with using IMQ - why?
Message-ID: <1695176821.20031013093630@bmu.ru>

Hi, All!
I have kernel panic with using IMQ on my linux router.
In archive of this mailing list I found reason of this trouble:
I used PREROUTING -j IMQ and POSTROUTING -j IMQ in one time
but I don't understand why this configuration is broken?
I want to control all traffic on my external interface,
for example I want to lease 30kbit/sec (inbound+outbound,
without dividing) for encrypting channel between the host of my LAN
and some host of Internet.
Please, explain to me reasons of this behavior or send me links
to this explanation.

Sorry for my bad English

WBR Pavel Malkov

From rio@martin.mu Mon Oct 13 07:07:39 2003
From: rio@martin.mu (Rio Martin) Date: Mon, 13 Oct 2003 13:07:39 +0700 Subject: [LARTC] >10Mbit on HTB In-Reply-To: References: <009001c38ff7$ba52aba0$0aa02bca@sapari> Message-ID: <200310131307.39881.rio@martin.mu> On Monday 13 October 2003 12:16, Catalin BOIE wrote: > On Sat, 11 Oct 2003, Kristiadi Himawan wrote: > > I want to try to shape 20-30Mbps traffic using HTB. > > It's possible? Anyone already try this? > Yes. It's working very good. > You may want to use hashes if you have a lot of filters. > > Thanks. Mine also, Here goes the result: ### eth1: traffic classes class htb 1:10 root leaf 10: prio 0 rate 20Mbit ceil 20Mbit burst 27810b cburst 27810b Sent 290896540 bytes 192377 pkts (dropped 0, overlimits 0) rate 2545587bps 1683pps backlog 4p lended: 192373 borrowed: 0 giants: 0 tokens: -8887 ctokens: -8887 Regards, Rio Martin. -- NOC ITENAS-net www.itenas.ac.id From dong@sunyard.net.tw Mon Oct 13 07:07:37 2003 
From: dong@sunyard.net.tw (Nguyen Dang Phuoc Dong) Date: Mon, 13 Oct 2003 13:07:37 +0700 Subject: [LARTC] Priorizing bandwidth share Message-ID: <001c01c39150$5a5ef690$1c01a8c0@desknote> Hi folks, I have tested Priorizing bandwidth share feature of HTB and it results very bad. My test environment is something like below. There only 2 PCs on my LAN Internet | ADSL | eth1 Linux box (iptables + HTB) | eth0 (192.168.1.254) ---------------------------- | LAN | PC1 PC2 (192.168.1.1) (192.168.1.2) My ADSL is 512K up/down. Infact, the real bandwidth is about 450K in almost time. Below is my tc script: /bin/tc qdisc del dev eth0 root tc qdisc add dev eth0 root handle 2: htb r2q 1 tc class add dev eth0 parent 2: classid 2:1 htb rate 512Kbit ceil 512Kbit iptables -t mangle -A POSTROUTING -o eth0 -d 192.168.1.1 -j MARK --set-mark 12 iptables -t mangle -A POSTROUTING -o eth0 -d 192.168.1.2 -j MARK --set-mark 14 tc class add dev eth0 parent 2:1 classid 2:12 htb rate 400Kbit ceil 512Kbit prio 0 tc qdisc add dev eth0 parent 2:12 sfq tc filter add dev eth0 parent 2:0 protocol ip prio 0 handle 12 fw classid 2:12 tc class add dev eth0 parent 2:1 classid 2:14 htb rate 100Kbit ceil 512Kbit prio 7 tc qdisc add dev eth0 parent 2:14 sfq tc filter add dev eth0 parent 2:0 protocol ip prio 7 handle 14 fw classid 2:14 Firstly, I start downloading an iso image from PC1, it can reach 448K. Then I start downloading from PC2, then the bandwidth of class 12 (PC1) is down to about 216K and bandwidth of class 14 (PC2) is about 220K. So it's not what I've expected. Since I set the priority of class 12 ( = 0 ) higher than priority of class 14 ( = 7 ). In addition, the bandwidth of class 12 is assigned 4 time bigger than class 14. As I've expect, class 12 should be assigned enough bandwidth (400K), and class 14 only get about 50K. I've tried with both HTB2 (I've removed HTB3 code from kernel 2.4.22, and patched it with HTB2 source code from HTB home page) and HTB3 (used original kernel 2.4.22). 
The result above is of HTB2. The result of HTB3 even worse.

Any idea?

regards,
Dong

From gomi@perezoso.net Mon Oct 13 08:37:17 2003
From: gomi@perezoso.net (GoMi)
Date: Mon, 13 Oct 2003 09:37:17 +0200
Subject: [LARTC] Bridge with load balancing
In-Reply-To: <000001c390b1$311de600$0100a8c0@redisis.com>
Message-ID:

I have a question here, I am wondering if changing my setup. I have a linux firewall doing QoS and load balancing with 3 ethernets.
I have two DSL connections running at 2Mbit each. So, I was wondering, can I change this setup to set up two bridges on top of the ethernets connected to the dsl routers and still be capable of doing load balancing?

From stef.coene@docum.org Mon Oct 13 09:16:46 2003
From: stef.coene@docum.org (Stef Coene) Date: Mon, 13 Oct 2003 10:16:46 +0200 Subject: [LARTC] Priorizing bandwidth share In-Reply-To: <001c01c39150$5a5ef690$1c01a8c0@desknote> References: <001c01c39150$5a5ef690$1c01a8c0@desknote> Message-ID: <200310131016.46801.stef.coene@docum.org> On Monday 13 October 2003 08:07, Nguyen Dang Phuoc Dong wrote: > Hi folks, > > I have tested Priorizing bandwidth share feature of HTB and it results very > bad. > > My test environment is something like below. There only 2 PCs on my LAN > > Internet > > ADSL > > | eth1 > > Linux box (iptables + HTB) > > | eth0 (192.168.1.254) > > ---------------------------- > > | LAN | > > PC1 PC2 > (192.168.1.1) (192.168.1.2) > > My ADSL is 512K up/down. Infact, the real bandwidth is about 450K in almost > time. > > Below is my tc script: > > /bin/tc qdisc del dev eth0 root > tc qdisc add dev eth0 root handle 2: htb r2q 1 > tc class add dev eth0 parent 2: classid 2:1 htb rate 512Kbit ceil 512Kbit > > iptables -t mangle -A POSTROUTING -o eth0 -d 192.168.1.1 -j MARK --set-mark > 12 > iptables -t mangle -A POSTROUTING -o eth0 -d 192.168.1.2 -j MARK --set-mark > 14 > > tc class add dev eth0 parent 2:1 classid 2:12 htb rate 400Kbit ceil 512Kbit > prio 0 > tc qdisc add dev eth0 parent 2:12 sfq > tc filter add dev eth0 parent 2:0 protocol ip prio 0 handle 12 fw classid > 2:12 > > tc class add dev eth0 parent 2:1 classid 2:14 htb rate 100Kbit ceil 512Kbit > prio 7 > tc qdisc add dev eth0 parent 2:14 sfq > tc filter add dev eth0 parent 2:0 protocol ip prio 7 handle 14 fw classid > 2:14 > > Firstly, I start downloading an iso image from PC1, it can reach 448K. Then > I start downloading from PC2, then the bandwidth of class 12 (PC1) is down > to about 216K and bandwidth of class 14 (PC2) is about 220K. > So it's not what I've expected. Since I set the priority of class 12 ( = 0 > ) higher than priority of class 14 ( = 7 ). In addition, the bandwidth of > class 12 is assigned 4 time bigger than class 14. 
As I've expect, class 12
> should be assigned enough bandwidth (400K), and class 14 only get about
> 50K.
>
> I've tried with both HTB2 (I've removed HTB3 code from kernel 2.4.22, and
> patched it with HTB2 source code from HTB home page) and HTB3 (used
> original kernel 2.4.22). The result above is of HTB2. The result of HTB3
> even worse.
>
> Any idea?

Yes. You said yourself that your link is 450K, so limit all traffic to 445K so YOU are the bottleneck and not your ADSL router.
Also, your r2q setting is too low.
And for more htb tests, info and a faq, see www.docum.org.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Mon Oct 13 09:20:10 2003
From: stef.coene@docum.org (Stef Coene)
Date: Mon, 13 Oct 2003 10:20:10 +0200
Subject: [LARTC] kernel panic with using IMQ - why?
In-Reply-To: <1695176821.20031013093630@bmu.ru>
References: <1695176821.20031013093630@bmu.ru>
Message-ID: <200310131020.10996.stef.coene@docum.org>

On Monday 13 October 2003 07:36, Павел Мальков wrote:
> Hi, All!
> I have kernel panic with using IMQ on my linux router.
> In archive of this mailing list i found reason of this truble:
> i used PREROUTING -j IMQ and POSTROUTING -j IMQ in one time
> but i don't understand why this configuration is broken?
> I want to control all traffic on my external interface,
> for example i want to lease 30kbit/sec (inbound+outbound,
> without dividing) for encrypting channel between the host of my LAN
> and some host of Internet.
> Please, explain to me reasons of this behavior or send me links
> to this explanation.

I thought this issue was solved in the latest imq versions, but I'm not sure.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From lanre@q4networks.com Mon Oct 13 12:23:14 2003
From: lanre@q4networks.com (Lanre Eke)
Date: Mon, 13 Oct 2003 06:23:14 -0500
Subject: [LARTC] Linux bandwidth arbitrator
Message-ID: <200310130623.AA319094864@q4networks.com>

Hi,
I will like to use the linux bandwidth arbitrator so I downloaded "arbitrator6.2.tar.gz" from their site unto my redhat 9.0 system but I don't know how to install it and run it.

I will like to use it for traffic shaping and try it for on my network.

Please can anyone help me at this

Thanks
lanre

From gomi@perezoso.net Mon Oct 13 12:50:27 2003
From: gomi@perezoso.net (GoMi)
Date: Mon, 13 Oct 2003 13:50:27 +0200
Subject: [LARTC] MSN messenger 6 keeps disconnecting after a few minutes
In-Reply-To: <200310130623.AA319094864@q4networks.com>
Message-ID:

Hi there, I actually already told you about this problem, but I can't find a way to solve it. Let me explain myself again:

-I have 2 dsl connections, so I do load balancing.
-My QoS setup is based on htb on both ethernets:

iptables -t mangle -N msn
iptables -t mangle -A msn -m string --string 'x-msn' -j MARK --set-mark 2
iptables -t mangle -A msn -m string --string 'MSNMSGR' -j MARK --set-mark 2
iptables -t mangle -A msn -m string --string 'Content-Type: text/x-msmsgscontrol.' -j MARK --set-mark 2
iptables -t mangle -A msn -m string --string '@hotmail.com' -j MARK --set-mark 2
iptables -t mangle -A msn -m string --string 'MSG' -j MARK --set-mark 2
iptables -t mangle -A msn -j RETURN
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark --mark 0 -j msn
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

That goes through a filter to the attached qdisc.

When my users begin to use msn messenger, after a while (5 minutes or so) the program automatically disconnects.
This is worse depending on the hour of the day, and hence depending on the amount of users on my network.
I have an average of 60 users during noon time, and an average of 25 during daytime.
When 60 users are accessing the net through this QoS, the problem gets really bad. I thought that might be because the box was only running with 64Mb RAM and could not handle many tcp connections at once, and so I added another 128 so the number of tcp_max_conntrack connections went from 6000 to 12000. But it made no difference. Does anybody have any idea? Or how could I investigate this?
Is it maybe because linux thinks the connection is lost and hence closes down the socket?

Anybody?

Thank you!!

From reza@mra.co.id Mon Oct 13 12:38:38 2003
From: reza@mra.co.id (Muhammad Reza)
Date: Mon, 13 Oct 2003 18:38:38 +0700
Subject: [LARTC] newbie question
Message-ID: <3F8A8EBE.1080806@mra.co.id>

hi All.
this my script for shaping with htb, to shaping my network subnet

ISP--eth--eth1---lan with 4 subnet

cat /etc/shorewall/tcstart
#!/bin/bash
/sbin/tc qdisc add dev eth1 root handle 1: htb default 20
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 2mbit ceil 2mbit
/sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 512kbps ceil 2mbit
/sbin/tc class add dev eth1 parent 1:1 classid 1:11 htb rate 512kbps ceil 2mbit
/sbin/tc class add dev eth1 parent 1:1 classid 1:12 htb rate 512kbps ceil 2mbit
/sbin/tc class add dev eth1 parent 1:1 classid 1:13 htb rate 512kbps ceil 2mbit
/sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 match ip dst 172.16.0.0/24 flowid 1:10
/sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 match ip dst 172.16.32.0/24 flowid 1:11
/sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 match ip dst 172.16.64.0/24 flowid 1:12
/sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 match ip dst 172.16.128.0/24 flowid 1:13

/sbin/tc qdisc sh
qdisc htb 1: dev eth1 r2q 10 default 20 direct_packets_stat 0

when I test with iperf from 172.16.0.227

/usr/local/bin/iperf -c 172.16.0.226
------------------------------------------------------------
Client connecting to 172.16.0.226, TCP port 5001
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[ 5] local 172.16.0.228 port 49192 connected with 172.16.0.226 port 5001
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-10.0 sec 111 MBytes 92.8 Mbits/sec

I don't see bandwidth limited that I expected...
did my step correct..or I did something stupid..(again)

cheers
.:NeWBie:.

From vadiraj@deeproot.co.in Mon Oct 13 13:54:40 2003
From: vadiraj@deeproot.co.in (Vadiraj C S) Date: Mon, 13 Oct 2003 18:24:40 +0530 (IST) Subject: [LARTC] VPN-Masquerade In-Reply-To: <200310130623.AA319094864@q4networks.com> Message-ID: Hello, I'm working on VPN now, I need VPN-Masquerade patch for linux 2.4.22 kernel. Please give me the links that provide the above. Thanks in advance ---------- Vadiraj C S From paras@bajranet.com.np Mon Oct 13 14:04:33 2003 From: paras@bajranet.com.np (Paras pradhan) Date: Mon, 13 Oct 2003 18:49:33 +0545 (NPT) Subject: [LARTC] Mangaing uplinks Message-ID: <47823.202.174.152.73.1066050273.squirrel@mail.bajranet.com.np> hi all: my network is like this: Linux Router ----> Remote access server ( RAS) ----> Dialup users (x.x.x.1) (x.x.x.11) (x.x.x.20 - x.x.x.100) Now i want to control bandwidth from Linux router. What sud be done is: x.x.x.30 ( let's assume) sud not get uplink more than 2Kbps, same for all the dail up users. NOt a single users get uplink more than 2Kbps. if u have some scripts which is easier for me will be a great help. Thanks Paras. Paras pradhan Systems Dept. Bajranet PVT LTD Kathmandu Nepal. From kristiadi_himawan@dtp.net.id Mon Oct 13 15:17:50 2003 From: kristiadi_himawan@dtp.net.id (Kristiadi Himawan) Date: Mon, 13 Oct 2003 21:17:50 +0700 Subject: [LARTC] >10Mbit on HTB References: <009001c38ff7$ba52aba0$0aa02bca@sapari> <200310131307.39881.rio@martin.mu> Message-ID: <018501c39194$c90dd4a0$03a02bca@mobile> Oh ok, it's working now. The script is fine. My test tool isn't accurate. Now i have test with iperf and get accurate result. Other question ...:) which ingress qdisc that accurate like htb? Thnx ----- Original Message ----- 
From: "Rio Martin" To: Sent: Monday, October 13, 2003 1:07 PM Subject: Re: [LARTC] >10Mbit on HTB > On Monday 13 October 2003 12:16, Catalin BOIE wrote: > > On Sat, 11 Oct 2003, Kristiadi Himawan wrote: > > > I want to try to shape 20-30Mbps traffic using HTB. > > > It's possible? Anyone already try this? > > Yes. It's working very good. > > You may want to use hashes if you have a lot of filters. > > > Thanks. > > Mine also, > Here goes the result: > > ### eth1: traffic classes > class htb 1:10 root leaf 10: prio 0 rate 20Mbit ceil 20Mbit burst 27810b > cburst 27810b > Sent 290896540 bytes 192377 pkts (dropped 0, overlimits 0) > rate 2545587bps 1683pps backlog 4p > lended: 192373 borrowed: 0 giants: 0 > tokens: -8887 ctokens: -8887 > > Regards, > Rio Martin. > -- > NOC ITENAS-net > www.itenas.ac.id > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > From artur@gmx.net Mon Oct 13 15:50:36 2003 
From: artur@gmx.net (Jan Gerritsen) Date: Mon, 13 Oct 2003 16:50:36 +0200 Subject: [LARTC] Traffic shaping over two different lines Message-ID:
From sblank@cms-forex.com Mon Oct 13 16:45:47 2003
From: sblank@cms-forex.com (Seth J. Blank) Date: Mon, 13 Oct 2003 11:45:47 -0400 Subject: [LARTC] Redundant Internet connections Message-ID: <3F8AC8AB.2080300@cms-forex.com> I have a firewall with two redundant internet connections coming in (eth0 and eth1) and an intranet behind eth2. What I am trying to do is have data off of eth2 split evenly between eth0 and eth1, and if one interface goes down, to fully utilize the other. What I'm trying to do is have all data from eth0 be passed on to eth2 (unless it's stopped by the firewall), same with eth1, and all data from eth2 be split evenly between eth0 and eth1. currently I have the following routes and rules to accomplish this: ip route add 10.0.0.0/8 via GATEWAY0 table 1 proto static ip route add 10.0.0.0/8 via GATEWAY1 table 2 proto static ip route add default table default scope global nexthop via GATEWAY0 dev eth0 weight 1 nexthop via GATEWAY1 dev eth1 weight 1 ip rule add pref 1500 iif eth0 table 1 ip rule add pref 1501 iif eth1 table 2 ip rule add pref 100 iif eth2 table default This does NOT work properly. From localhost, everything works perfectly. I can bring up and down interfaces and everything works properly and transparently. But, from the intranet, everything stops. With a different default route: ip route add default via GATEWAY0 dev eth0 table default everything is fine from both localhost and the intranet. Same with GATEWAY1 eth1. Can anyone offer advice on how to resolve this problem? The only way I can think of so far is a remarkably simple but stupid hack, where I just ping -I eth0 GATEWAY0 and ping -I eth1 GATEWAY1 every thirty seconds or so and switch default routes if an interface is down. This obviously does not solve the problem, nor allow bandwidth to be shared across both lines. Any help would be greatly appreciated. Seth J. Blank Systems Operations Capital Market Services, LLC From sblank@cms-forex.com Mon Oct 13 17:24:08 2003 
From: sblank@cms-forex.com (Seth J. Blank) Date: Mon, 13 Oct 2003 12:24:08 -0400 Subject: [LARTC] Redundant Internet connections [Updated] In-Reply-To: <3F8AC8AB.2080300@cms-forex.com> References: <3F8AC8AB.2080300@cms-forex.com> Message-ID: <3F8AD1A8.8@cms-forex.com> Sorry, I really wasn't paying attention when I wrote this (i.e. I've had no sleep). I have the routing tables working properly for the internal network. What I need to do is have the routing tables update the gateways when a line is down. i.e. intranet ----- firewall ----- router1 ----- internet \-- router2 ----- internet Currently, I have the gateway from the firewall being nexthops between router1 and router2. This works fine. But what I need to do is have the firewall check the links between router1/2 and the internet and switch gateways if a line is down. What I want to do, but can't figure out how to, is send out a packet through router1 and see if it gets an arbitrary number of hops (probably 3) out. If not, switch the default route to use the other gateway. This needs to be done for both gateways, and there also needs to be a route to restore the gateways when the line goes back up. Any help would be greatly appreciated. Thanks so much, Seth J. Blank Systems Operations Capital Market Services, LLC Seth J. Blank wrote: > I have a firewall with two redundant internet connections coming in > (eth0 and eth1) and an intranet behind eth2. > > What I am trying to do is have data off of eth2 split evenly between > eth0 and eth1, and if one interface goes down, to fully utilize the > other. > > What I'm trying to do is have all data from eth0 be passed on to eth2 > (unless it's stopped by the firewall), same with eth1, and all data > from eth2 be split evenly between eth0 and eth1. 
> > currently I have the following routes and rules to accomplish this: > > ip route add 10.0.0.0/8 via GATEWAY0 table 1 proto static > ip route add 10.0.0.0/8 via GATEWAY1 table 2 proto static > > ip route add default table default scope global nexthop via GATEWAY0 > dev eth0 weight 1 nexthop via GATEWAY1 dev eth1 weight 1 > > ip rule add pref 1500 iif eth0 table 1 > ip rule add pref 1501 iif eth1 table 2 > ip rule add pref 100 iif eth2 table default > > This does NOT work properly. > From localhost, everything works perfectly. I can bring up and down > interfaces and everything works properly and transparently. > But, from the intranet, everything stops. With a different default route: > ip route add default via GATEWAY0 dev eth0 table default > everything is fine from both localhost and the intranet. Same with > GATEWAY1 eth1. > > Can anyone offer advice on how to resolve this problem? > The only way I can think of so far is a remarkably simple but stupid > hack, where I just ping -I eth0 GATEWAY0 and ping -I eth1 GATEWAY1 > every thirty seconds or so and switch default routes if an interface > is down. This obviously does not solve the problem, nor allow > bandwidth to be shared across both lines. > > Any help would be greatly appreciated. > > Seth J. Blank > Systems Operations > Capital Market Services, LLC > > > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > From lartc@manchotnetworks.net Mon Oct 13 17:28:46 2003 
From: lartc@manchotnetworks.net (lartc@manchotnetworks.net) Date: 13 Oct 2003 18:28:46 +0200 Subject: [LARTC] failover-overload Message-ID: <1066062527.5812.16.camel@drs0.manchotnetworks.net> hi all, curious if anyone can comment on the existence (or perhaps) non existence of an overload feature -- when one line to an isp is at its peek, the second line starts getting the new sessions? also, i noticed in an earlier thread the keepalive daemon for just failover (the first line is an adsl, the second and third are vsat) -- given the extra delay that a vsat imposes, i prefer to keep them for an overload or failover condition. could someone post their cfg from keepalive and/or comment on its efficacy? thanks a million charles From Robert Kurjata Mon Oct 13 18:58:30 2003 
From: Robert Kurjata (Robert Kurjata)
Date: Mon, 13 Oct 2003 19:58:30 +0200
Subject: [LARTC] Redundant Internet connections [Updated]
In-Reply-To: <3F8AD1A8.8@cms-forex.com>
References: <3F8AC8AB.2080300@cms-forex.com> <3F8AD1A8.8@cms-forex.com>
Message-ID: <16822037928.20031013195830@ire.pw.edu.pl>

Hello Seth,

In your message dated 13 October 2003 (18:24:08) you wrote:

SJB> Sorry, I really wasn't paying attention when I wrote this (i.e. I've had
SJB> no sleep).

SJB> I have the routing tables working properly for the internal network.
SJB> What I need to do is have the routing tables update the gateways when a
SJB> line is down.

SJB> i.e. intranet ----- firewall ----- router1 ----- internet
SJB> \-- router2 ----- internet

SJB> Currently, I have the gateway from the firewall being nexthops between
SJB> router1 and router2. This works fine. But what I need to do is have the
SJB> firewall check the links between router1/2 and the internet and switch
SJB> gateways if a line is down.

SJB> What I want to do, but can't figure out how to, is send out a packet
SJB> through router1 and see if it gets an arbitrary number of hops (probably
SJB> 3) out. If not, switch the default route to use the other gateway. This
SJB> needs to be done for both gateways, and there also needs to be a route
SJB> to restore the gateways when the line goes back up.

I have a load balancing setup for 3 uplinks (3 different providers and technologies) w/failover set with http://www.ssi.bg/~ja/ Nano-HOWTO (carefully done By-The-Book - any shortcut and it's gone).

When you need to check if the net is reachable with either of the links just try to ping some machines outside (a set would be nice) forcing an output address to be one or the other and decide if you need to change normal multihop gateway to single hop one via link 1 or 2. Should work with nano, because it's preserving output address thus preserving the routes.

Works for me (after some sleepless nights, tons of caffe :).
I can pull the plug out and nothing bad happens (only the traffic shaping needs some correction).

[cut the rest]

--
Regards,
Robert

From stef.coene@docum.org Mon Oct 13 19:46:54 2003
From: stef.coene@docum.org (Stef Coene)
Date: Mon, 13 Oct 2003 20:46:54 +0200
Subject: [LARTC] Linux bandwidth arbitrator
In-Reply-To: <200310130623.AA319094864@q4networks.com>
References: <200310130623.AA319094864@q4networks.com>
Message-ID: <200310132046.54213.stef.coene@docum.org>

On Monday 13 October 2003 13:23, Lanre Eke wrote:
> Hi,
> i will like to use the linux bandwidth arbitrator so i downloaded
> "arbitrator6.2.tar.gz" from their site unto my redhat 9.0 system but i dont
> know how to install it and run it.
>
> I will like to use it for traffic shapping and try it for on my network.

What's "linux bandwidth arbitrator" ???

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Mon Oct 13 19:48:04 2003
From: stef.coene@docum.org (Stef Coene)
Date: Mon, 13 Oct 2003 20:48:04 +0200
Subject: [LARTC] VPN-Masquerade
In-Reply-To:
References:
Message-ID: <200310132048.04392.stef.coene@docum.org>

On Monday 13 October 2003 14:54, Vadiraj C S wrote:
> Hello,
>
> I'm working on VPN now, I need VPN-Masquerade patch for linux 2.4.22
> kernel.
> Please give me the links that provide the above.

This is a mailing list to discuss lartc : Linux Advanced Routing and Traffic Control (http://lartc.org).

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Mon Oct 13 19:51:30 2003
From: stef.coene@docum.org (Stef Coene)
Date: Mon, 13 Oct 2003 20:51:30 +0200
Subject: [LARTC] >10Mbit on HTB
In-Reply-To: <018501c39194$c90dd4a0$03a02bca@mobile>
References: <009001c38ff7$ba52aba0$0aa02bca@sapari> <200310131307.39881.rio@martin.mu> <018501c39194$c90dd4a0$03a02bca@mobile>
Message-ID: <200310132051.30214.stef.coene@docum.org>

On Monday 13 October 2003 16:17, Kristiadi Himawan wrote:
> Oh ok, it's working now. The script is fine.
> My test tool isn't accurate.
> Now i have test with iperf and get accurate result.
>
> Other question ...:)
> which ingress qdisc that accurate like htb?

None. Htb is an egress qdisc so it shapes outgoing traffic. An ingress qdisc handles the incoming packets. And there is no queue for the incoming packets, so you can't use htb. You can use filters + policers to rate limit traffic.

Or you may take a look at the imq device. This is a virtual device. You can redirect all incoming packets to it and use htb on the imq device.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Mon Oct 13 19:41:58 2003
From: stef.coene@docum.org (Stef Coene) Date: Mon, 13 Oct 2003 20:41:58 +0200 Subject: [LARTC] Mangaing uplinks In-Reply-To: <47823.202.174.152.73.1066050273.squirrel@mail.bajranet.com.np> References: <47823.202.174.152.73.1066050273.squirrel@mail.bajranet.com.np> Message-ID: <200310132041.58712.stef.coene@docum.org> On Monday 13 October 2003 15:04, Paras pradhan wrote: > hi all: > > my network is like this: > > Linux Router ----> Remote access server ( RAS) ----> Dialup users > (x.x.x.1) (x.x.x.11) (x.x.x.20 - x.x.x.100) > > Now i want to control bandwidth from Linux router. > What sud be done is: > > x.x.x.30 ( let's assume) sud not get uplink more than 2Kbps, same for all > the dail up users. > NOt a single users get uplink more than 2Kbps. > > if u have some scripts which is easier for me will be a great help. I don't have a script for you, I can only point you to http://www.docum.org. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From stef.coene@docum.org Mon Oct 13 19:46:27 2003 
From: stef.coene@docum.org (Stef Coene) Date: Mon, 13 Oct 2003 20:46:27 +0200 Subject: [LARTC] newbie question In-Reply-To: <3F8A8EBE.1080806@mra.co.id> References: <3F8A8EBE.1080806@mra.co.id> Message-ID: <200310132046.27139.stef.coene@docum.org>
On Monday 13 October 2003 13:38, Muhammad Reza wrote:
> hi All.
> this my script for shaping with htb, to shaping my network subnet
>
> ISP--eth--eth1---lan with 4 subnet
>
> cat /etc/shorewall/tcstart
> #!/bin/bash
> /sbin/tc qdisc add dev eth1 root handle 1: htb default 20
> /sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 2mbit ceil 2mbit
> /sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 512kbps ceil 2mbit
> /sbin/tc class add dev eth1 parent 1:1 classid 1:11 htb rate 512kbps ceil 2mbit
> /sbin/tc class add dev eth1 parent 1:1 classid 1:12 htb rate 512kbps ceil 2mbit
> /sbin/tc class add dev eth1 parent 1:1 classid 1:13 htb rate 512kbps ceil 2mbit
> /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 match ip dst 172.16.0.0/24 flowid 1:10
> /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 match ip dst 172.16.32.0/24 flowid 1:11
> /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 match ip dst 172.16.64.0/24 flowid 1:12
> /sbin/tc filter add dev eth1 protocol ip parent 1: prio 1 u32 match ip dst 172.16.128.0/24 flowid 1:13
>
> /sbin/tc qdisc sh
> qdisc htb 1: dev eth1 r2q 10 default 20 direct_packets_stat 0
>
> when i test with iperf from 172.16.0.227 /usr/local/bin/iperf -c 172.16.0.226
> ------------------------------------------------------------
> Client connecting to 172.16.0.226, TCP port 5001
> TCP window size: 32.5 KByte (default)
> ------------------------------------------------------------
> [ 5] local 172.16.0.228 port 49192 connected with 172.16.0.226 port 5001
> [ ID] Interval Transfer Bandwidth
> [ 5] 0.0-10.0 sec 111 MBytes 92.8 Mbits/sec
>
> i dont see bandwidth limited that i expected...
> did my step correct..or i did something stupid..(again)

You are mixing bytes and bits. 512kbps is 512 kilobyte/s and 2mbit is 2 megabit/s. So 512kbps = 512 * 8 = 4mbit/s. It's still not 92.8 Mbit/sec. Can you also post the output of
tc -s -d class show dev eth0
For more info about htb and the tests I did, see www.docum.org. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From stef.coene@docum.org Mon Oct 13 19:52:24 2003 From: stef.coene@docum.org (Stef Coene) Date: Mon, 13 Oct 2003 20:52:24 +0200 Subject: [LARTC] How to get router involved in QoS? In-Reply-To: <971097015.20031011102314@xhost.cz> References: <971097015.20031011102314@xhost.cz> Message-ID: <200310132052.24164.stef.coene@docum.org> On Saturday 11 October 2003 10:23, Vladimir Trebicky wrote: > Hi, > > I have a router which QoSes traffic for local network (both in and > out direction). I would also download traffic generated by router to > be involved in QoS. Link capacity is st about 800kbps and we shape it > with htb to 512. Is it possible? Thanks, It's only possible if you know the difference between the normal traffic and the traffic generated on the box. If this box is also natting, you have a problem because the src ip address of all packets are rewritten. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From Robert Kurjata Mon Oct 13 21:05:02 2003
From: Robert Kurjata (Robert Kurjata) Date: Mon, 13 Oct 2003 22:05:02 +0200 Subject: Re[2]: [LARTC] Linux bandwidth arbitrator In-Reply-To: <200310132046.54213.stef.coene@docum.org> References: <200310130623.AA319094864@q4networks.com> <200310132046.54213.stef.coene@docum.org> Message-ID: <5629629645.20031013220502@ire.pw.edu.pl> Hi Stef, In your letter dated 13 October 2003 (20:46:54) one can read: SC> On Monday 13 October 2003 13:23, Lanre Eke wrote: >> Hi, >> i will like to use the linux bandwidth arbitrator so i downloaded >> "arbitrator6.2.tar.gz" from their site unto my redhat 9.0 system but i dont >> know how to install it and run it. >> >> I will like to use it for traffic shaping and try it for on my network. SC> What's "linux bandwidth arbitrator" ??? SC> Stef it's low level arbitration (shaping) done by BRIDGE software not an iproute+tc+iptables based. (Isn't it out of scope here?) -- Greetings, Robert From stef.coene@docum.org Mon Oct 13 22:10:45 2003
From: stef.coene@docum.org (Stef Coene) Date: Mon, 13 Oct 2003 23:10:45 +0200 Subject: [LARTC] Linux bandwidth arbitrator In-Reply-To: <5629629645.20031013220502@ire.pw.edu.pl> References: <200310130623.AA319094864@q4networks.com> <200310132046.54213.stef.coene@docum.org> <5629629645.20031013220502@ire.pw.edu.pl> Message-ID: <200310132310.45421.stef.coene@docum.org> On Monday 13 October 2003 22:05, Robert Kurjata wrote: > Hi Stef, > > In your letter dated 13 October 2003 (20:46:54) one can read: > > SC> On Monday 13 October 2003 13:23, Lanre Eke wrote: > >> Hi, > >> i will like to use the linux bandwidth arbitrator so i downloaded > >> "arbitrator6.2.tar.gz" from their site unto my redhat 9.0 system but i > >> dont know how to install it and run it. > >> > >> I will like to use it for traffic shaping and try it for on my network. > > SC> What's "linux bandwidth arbitrator" ??? > > SC> Stef > > it's low level arbitration (shaping) done by BRIDGE > software not an iproute+tc+iptables based. (Isn't it out of scope here?) I never heard of it. This list is for iproute2+tc problems/questions. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From paua@quicksilver.net.nz Mon Oct 13 22:20:35 2003
From: paua@quicksilver.net.nz (Steve Wright) Date: 14 Oct 2003 10:20:35 +1300 Subject: [LARTC] scripts posted to the list was: Mangaing uplinks In-Reply-To: <47823.202.174.152.73.1066050273.squirrel@mail.bajranet.com.np> References: <47823.202.174.152.73.1066050273.squirrel@mail.bajranet.com.np> Message-ID: <1066080035.14283.14.camel@linuxathome.ath.cx> On Tue, 2003-10-14 at 02:04, Paras pradhan wrote: > hi all: > > my network is like this: > > Linux Router ----> Remote access server ( RAS) ----> Dialup users > (x.x.x.1) (x.x.x.11) (x.x.x.20 - x.x.x.100) > > Now i want to control bandwidth from Linux router. > What sud be done is: > > x.x.x.30 ( let's assume) sud not get uplink more than 2Kbps, same for all > the dail up users. > NOt a single users get uplink more than 2Kbps. > > if u have some scripts which is easier for me will be a great help. Many scripts are posted to this list, and they are very interesting to read. Often these scripts are very good solutions that have never been seen before, and now that they are gone are unlikely to be seen again unless they are built once again from scratch. I wonder if some of this material might be archived somewhere, complete with a short explanation. This would be very valuable to the list. best, Steve From drew@technteach.com Mon Oct 13 23:09:36 2003 
From: drew@technteach.com (drew einhorn) Date: Mon, 13 Oct 2003 16:09:36 -0600 Subject: [LARTC] scripts posted to the list In-Reply-To: <1066080035.14283.14.camel@linuxathome.ath.cx> References: <47823.202.174.152.73.1066050273.squirrel@mail.bajranet.com.np> <1066080035.14283.14.camel@linuxathome.ath.cx> Message-ID: <1066082976.2978.57.camel@lo> http://marc.theaimsgroup.com/?l=lartc&w=2 On Tue, 2003-10-14 at 04:20, Steve Wright wrote: > Many scripts are posted to this list, and they are very interesting to > read. Often these scripts are very good solutions that have never been > seen before, and now that they are gone are unlikely to be seen again > unless they are built once again from scratch. > > I wonder if some of this material might be archived somewhere, complete > with a short explanation. This would be very valuable to the list. -- drew einhorn Technology and Teaching From rio@martin.mu Tue Oct 14 04:59:36 2003 
From: rio@martin.mu (Rio Martin) Date: Tue, 14 Oct 2003 10:59:36 +0700 Subject: [LARTC] >10Mbit on HTB In-Reply-To: <200310132051.30214.stef.coene@docum.org> References: <009001c38ff7$ba52aba0$0aa02bca@sapari> <018501c39194$c90dd4a0$03a02bca@mobile> <200310132051.30214.stef.coene@docum.org> Message-ID: <200310141059.36708.rio@martin.mu> On Tuesday 14 October 2003 01:51, Stef Coene wrote: > On Monday 13 October 2003 16:17, Kristiadi Himawan wrote: > > Oh ok, it's working now. The script is fine. > > My test tool isn't accurate. > > Now i have test with iperf and get accurate result. > > Other question ...:) > > which ingress qdisc that accurate like htb? > None. Htb is an egress qdisc so it shapes outgoing traffic. An ingress > qdisc handles the incoming packets. And there is no queue for the incoming > packets, so you can't use htb. You can use filteres + policers to rate > limit traffic. Or you may take a look at the imq device. This is a > virtual device. You can redirect all incoming packets to it and use htb on > the imq device. Hi Stef, What do you mean by ' no queue for the incoming packets, so you can't use HTB'? For now i am not applying IMQ for the ingress, but using packet mangling under iptables to handle both incoming packets from internet and outgoing packets to internet. Is this not right? give me your opinion please, as far as i can see, there were no troubles using packet mangling to handle those situation. Regards, Rio Martin. From hostmaster@cyberlab.de Tue Oct 14 10:47:42 2003 
From: hostmaster@cyberlab.de (Astrid Jekat) Date: Tue, 14 Oct 2003 11:47:42 +0200 Subject: [LARTC] lartc on dual CPU Opteron 64 bit machine? Message-ID: <20031014114742.Z61985@mail.dmz.cyberlab.de> Greetings, lartc experts! ;-) I am presently researching if it is possible to *efficiently* use a machine with 2 AMD Opteron CPUs for traffic shaping with lartc. 1) OS: ATM it looks as if I can only use SUSE Linux 8 Enterprise Server for AMD 64bit platforms. Debian, OpenBSD and NetBSD are working on ports, but are not done yet or still experimental. Suse at least is stable (but costs real money! *sigh* so much for open source) and has a 64bit compiler. 2) Is lartc 64bit capable? I.e., can I compile lartc only to run as a 32 bit application or 64bit, too? Any experience here? 3) Is lartc capable of making use of 2 CPUs? This is probably a question of (kernel?) threading. I managed to find a reference in the ML archives that it might be possible to "assign" one CPU to one ethernet interface, but I don't think this is quite what I need. I'd like to know if the process can actually use both CPUs. In a nutshell: I need to find out if lartc can make use of the nice resources on this dual Opteron 64bit machine. If yes, this would save the machine from the terrible fate of becoming a Windoze file server! So please advise ;-) Cheers, -- Astrid Jekat Fa. Secnetix jekat@secnetix.de From Joel" ----- Original Message -----
From: Joel To: lartc@mailman.ds9a.nl Sent: Tuesday, October 14, 2003 12:12 PM Subject: ~Restriction Problem~

Dear all, I have redhat 9.0 server connected to router. The link is 1 mbps Now i want to share only 260 kbps bandwidth through the linux server to the clients. I have wrote the script. but with it i can restrict the total bandwidth to 260 kbps. i dont want to give more than 260 thats it. all clients are given individual bandwidth from 260 total. plz tell me where i m wrong and if u could little modify the script that would be really great. Stef ...i wish u will help me out to solve the problem. thanks Joel

this the script.

#!/bin/sh

D2VCABLE=260
cmnGp=37
jcom=50
ultra=64
collector=40
lakhanpal=40
ashwin=60
prabhu=35
helpdesk=45
quantam=40
cms=40
siddharth=60
TC=` which tc`
ADDFILTER="$TC filter add dev eth4"

$TC qdisc del dev eth4 root

### Root Qdisc
$TC qdisc add dev eth4 root handle 5: htb default 12

$TC class add dev eth4 parent 5: classid 5:1 htb rate 256kbit ceil $[D2VCABLE]kbit quantum 3000

### jcom
$TC class add dev eth4 parent 5:1 classid 5:2001 htb rate $[jcom]kbit ceil $[jcom+10]kbit quantum 3000
$TC qdisc add dev eth4 parent 5:2001 handle 2001 sfq perturb 10
$ADDFILTER protocol ip parent 5: prio 2 u32 match ip dst 202.160.162.208/29 flowid 5:2001
$ADDFILTER protocol ip parent 5: prio 2 u32 match ip dst 10.255.2.16/30 flowid 5:2001

### collector
$TC class add dev eth4 parent 5:1 classid 5:2002 htb rate $[collector]kbit ceil $[collector+5]kbit quantum 3000
$TC qdisc add dev eth4 parent 5:2002 handle 2002 sfq perturb 10
$ADDFILTER protocol ip parent 5: prio 3 u32 match ip dst 10.2.1.40 flowid 5:2002

### lakhanpal
$TC class add dev eth4 parent 5:1 classid 5:2003 htb rate $[lakhanpal]kbit ceil $[lakhanpal+5]kbit quantum 3000
$TC qdisc add dev eth4 parent 5:2003 handle 2003 sfq perturb 10
$ADDFILTER protocol ip parent 5: prio 3 u32 match ip dst 10.255.0.17 flowid 5:2003

### ashwin
$TC class add dev eth4 parent 5:1 classid 5:2004 htb rate $[ashwin]kbit ceil $[ashwin+5]kbit quantum 3000
$TC qdisc add dev eth4 parent 5:2004 handle 2004 sfq perturb 10
$ADDFILTER protocol ip parent 5: prio 3 u32 match ip dst 10.1.1.8/29 flowid 5:2004

### prabhu 202
$TC class add dev eth4 parent 5:1 classid 5:2005 htb rate $[prabhu]kbit ceil $[prabhu+5]kbit quantum 3000
$TC qdisc add dev eth4 parent 5:2005 handle 2005 sfq perturb 10
$ADDFILTER protocol ip parent 5: prio 3 u32 match ip dst 10.0.0.202 flowid 5:2005

### 203
$TC class add dev eth4 parent 5:1 classid 5:2006 htb rate 35kbit ceil 40kbit quantum 3000
$TC qdisc add dev eth4 parent 5:2006 handle 2006 sfq perturb 10
$ADDFILTER protocol ip parent 5: prio 3 u32 match ip dst 10.0.0.203 flowid 5:2006

### 204
$TC class add dev eth4 parent 5:1 classid 5:2007 htb rate 35kbit ceil 40kbit quantum 3000
$TC qdisc add dev eth4 parent 5:2007 handle 2007 sfq perturb 10
$ADDFILTER protocol ip parent 5: prio 3 u32 match ip dst 10.0.0.204 flowid 5:2007

### 205
$TC class add dev eth4 parent 5:1 classid 5:2008 htb rate 35kbit ceil 40kbit quantum 3000
$TC qdisc add dev eth4 parent 5:2008 handle 2008 sfq perturb 10
$ADDFILTER protocol ip parent 5: prio 3 u32 match ip dst 10.0.0.205 flowid 5:2008

### 206
$TC class add dev eth4 parent 5:1 classid 5:2009 htb rate 35kbit ceil 40kbit quantum 3000
$TC qdisc add dev eth4 parent 5:2009 handle 2009 sfq perturb 10
$ADDFILTER protocol ip parent 5: prio 3 u32 match ip dst 10.0.0.206 flowid 5:2009

### quantam
$TC class add dev eth4 parent 5:1 classid 5:2010 htb rate 40kbit ceil 40kbit quantum 3000
$TC qdisc add dev eth4 parent 5:2010 handle 2010 sfq perturb 10
$ADDFILTER protocol ip parent 5: prio 3 u32 match ip dst 10.1.5.34 flowid 5:2010

### Siddharth
$TC class add dev eth4 parent 5:1 classid 5:2011 htb rate $[siddharth]kbit ceil $[siddharth]kbit quantum 3000
$TC qdisc add dev eth4 parent 5:2011 handle 2011 sfq perturb 10
$ADDFILTER protocol ip parent 5: prio 3 u32 match ip dst 10.2.1.18 flowid 5:2011
$ADDFILTER protocol ip parent 5: prio 3 u32 match ip dst 10.2.1.19 flowid 5:2011

### 250
$TC class add dev eth4 parent 5:1 classid 5:2012 htb rate 35kbit ceil 40kbit quantum 3000
$TC qdisc add dev eth4 parent 5:2012 handle 2012 sfq perturb 10
$ADDFILTER protocol ip parent 5: prio 3 u32 match ip dst 10.0.0.250 flowid 5:2012

### helpdesk
$TC class add dev eth4 parent 5:1 classid 5:2013 htb rate 40kbit ceil 45kbit quantum 3000
$TC qdisc add dev eth4 parent 5:2013 handle 2013 sfq perturb 10
$ADDFILTER protocol ip parent 5: prio 2 u32 match ip dst 10.2.5.15 flowid 5:2013

### Joel test
$TC class add dev eth4 parent 5:1 classid 5:2014 htb rate 40kbit ceil 50kbit quantum 3000
$TC qdisc add dev eth4 parent 5:2014 handle 2014 sfq perturb 10
$ADDFILTER protocol ip parent 5: prio 2 u32 match ip dst 10.10.10.10 flowid 5:2014
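Added example, not code from any list member: a small audit for HTB scripts like the two quoted in this thread (the eth1 script in the "newbie question" message and the eth4 script above). It converts tc rates to bits per second, which is the kbps versus kbit point raised in the reply to the first script, and reports a default class that is never defined, a rate above its ceil, and child rates that add up to more than the parent rate. The function names are hypothetical, and only the shell forms used in these two scripts are expanded.

```python
import re
import shlex

# tc(8) rate suffixes in bits/s. The "bps" family counts BYTES per second,
# so 512kbps is eight times 512kbit. Current tc uses 1k = 1000.
UNIT_BITS = {"bit": 1, "kbit": 10**3, "mbit": 10**6, "gbit": 10**9,
             "bps": 8, "kbps": 8 * 10**3, "mbps": 8 * 10**6, "gbps": 8 * 10**9}

# Class setup from the eth1 script quoted in this thread (wrapping rejoined).
ETH1_SCRIPT = """\
/sbin/tc qdisc add dev eth1 root handle 1: htb default 20
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 2mbit ceil 2mbit
/sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 512kbps ceil 2mbit
/sbin/tc class add dev eth1 parent 1:1 classid 1:11 htb rate 512kbps ceil 2mbit
/sbin/tc class add dev eth1 parent 1:1 classid 1:12 htb rate 512kbps ceil 2mbit
/sbin/tc class add dev eth1 parent 1:1 classid 1:13 htb rate 512kbps ceil 2mbit
"""

# Excerpt of the eth4 script: root qdisc, root class, one client class.
ETH4_EXCERPT = """\
D2VCABLE=260
jcom=50
$TC qdisc add dev eth4 root handle 5: htb default 12
$TC class add dev eth4 parent 5: classid 5:1 htb rate 256kbit ceil $[D2VCABLE]kbit quantum 3000
$TC class add dev eth4 parent 5:1 classid 5:2001 htb rate $[jcom]kbit ceil $[jcom+10]kbit quantum 3000
"""


def rate_bits(text):
    """Convert a tc rate such as '512kbps' or '2mbit' to bits per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([a-z]*)", text.lower())
    unit = (m.group(2) or "bit") if m else None
    if unit not in UNIT_BITS:
        raise ValueError(f"unrecognised tc rate: {text!r}")
    return round(float(m.group(1)) * UNIT_BITS[unit])


def expand(line, env):
    """Expand the shell arithmetic these scripts use: $[name] and $[name+N]."""
    def arith(m):
        name, _, add = m.group(1).partition("+")
        return str(int(env[name.strip()]) + int(add or 0))
    return re.sub(r"\$\[([^\]]+)\]", arith, line)


def norm(handle):
    """Normalise hex major:minor handles so that '1:' and '1:0' compare equal."""
    major, _, minor = handle.partition(":")
    return f"{int(major or '0', 16):x}:{int(minor or '0', 16):x}"


def opt(tok, key):
    return tok[tok.index(key) + 1] if key in tok[:-1] else None


def parse(script):
    """Collect HTB default classes (per device) and HTB class definitions."""
    env, defaults, classes = {}, {}, {}
    for raw in script.replace("\\\n", " ").splitlines():
        line = raw.strip()
        assign = re.fullmatch(r"(\w+)=(\w+)", line)
        if assign:
            env[assign.group(1)] = assign.group(2)
            continue
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(expand(line, env))
        dev = opt(tok, "dev")
        if dev is None or "htb" not in tok:
            continue
        if "qdisc" in tok and opt(tok, "default"):
            major = (opt(tok, "handle") or "0:").partition(":")[0]
            defaults[dev] = norm(f"{major}:{opt(tok, 'default')}")
        elif "class" in tok:
            classes[(dev, norm(opt(tok, "classid")))] = {
                "parent": norm(opt(tok, "parent")), "rate": rate_bits(opt(tok, "rate")),
                "ceil": rate_bits(opt(tok, "ceil") or opt(tok, "rate"))}
    return defaults, classes


def audit(script):
    """Return findings as tuples: (kind, device, classid, numbers in bit/s...)."""
    defaults, classes = parse(script)
    findings = []
    for dev, cid in defaults.items():
        if (dev, cid) not in classes:  # HTB then passes unclassified packets unshaped
            findings.append(("default-missing", dev, cid))
    for (dev, cid), c in classes.items():
        if c["rate"] > c["ceil"]:
            findings.append(("rate-above-ceil", dev, cid, c["rate"], c["ceil"]))
        kids = sum(k["rate"] for (d, _), k in classes.items()
                   if d == dev and k["parent"] == cid)
        if kids > c["rate"]:
            findings.append(("oversubscribed", dev, cid, kids, c["rate"]))
    return findings


if __name__ == "__main__":
    for finding in audit(ETH1_SCRIPT) + audit(ETH4_EXCERPT):
        print(finding)
```

Run against a complete script, the same audit also sums every client class under the root class; the excerpt here carries only one of them.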
 
From sblank@cms-forex.com Tue Oct 14 17:56:08 2003 From: sblank@cms-forex.com (Seth J. Blank) Date: Tue, 14 Oct 2003 12:56:08 -0400 Subject: [LARTC] Redundant Internet connections [Updated] In-Reply-To: <16822037928.20031013195830@ire.pw.edu.pl> References: <3F8AC8AB.2080300@cms-forex.com> <3F8AD1A8.8@cms-forex.com> <16822037928.20031013195830@ire.pw.edu.pl> Message-ID: <3F8C2AA8.8000400@cms-forex.com> Robert Kurjata wrote: >I have a load balancing setup for 3 uplinks (3 different providers and >technologies) w/failover set with http://www.ssi.bg/~ja/ Nano-HOWTO >(carefully done By-The-Book - any shortcut and it's gone). > > I have finished implementing this step by step, and things still do not appear to be working. During the testing phase, I have two problems (output which differs from what the howto says I should get). 1) When I run "ip route list table main", only the proper entries for NWE1/NME1 and NWE2/NME2 come up, not the one for NWI/NMI. 2) "ip route get from (IPE1|IPE2) to 204.152.189.113" both return "network unreachable" All the other output matches exactly. My only thoughts are that I've swapped an IP or two somewhere, but I've been over the script a ton of times already, and nothing presents itself to me. Any help or troubleshooting hints would be greatly appreciated. Seth J. Blank Systems Operations Capital Market Services, LLC >When you need to check if the net is reachable with either of the >links just try to ping some machines outside (a set would be nice) >forcing an output address to be one or the other and decide if you >need to change normal multihop gateway to single hop one via link 1 or >2. Should work with nano, because it's preserving output address thus >preserving the routes. Works for me (after some sleepless nights, tons >of caffe :). I can pull the plug out and nothing bad happens >(only the traffic shaping needs some correction).
> > >[cut the rest] > > > From tviera@arnaldocastro.com.uy Tue Oct 14 19:05:58 2003 From: tviera@arnaldocastro.com.uy (Toshiro Viera) Date: 14 Oct 2003 15:05:58 -0300 Subject: [LARTC] traffic shaping help Message-ID: <1066154758.4257.16.camel@mdk.arnaldocastro.com.uy>
I'm trying to shape bandwidth but with no success. I have a Linux server with 3 networks (WAN, LAN and DMZ). In the DMZ I have a server (IP 172.21.1.2) that I wish to grant a 25kbit bandwidth (from a total of 256kbit coming from the WAN). To accomplish this, I setup Linux to allow the use of IMQ devices. I wrote the following script (eth1 is WAN, eth2 is DMZ):

#!/bin/sh
modprobe imq numdevs=1
tc qdisc add dev imq0 root handle 1: htb default 20 r2q 1
tc class add dev imq0 parent 1: classid 1:1 htb rate 256kbit ceil 256kbit
tc class add dev imq0 parent 1:1 classid 1:10 htb rate 25kbit ceil 256kbit
tc class add dev imq0 parent 1:1 classid 1:20 htb rate 231kbit ceil 256kbit
tc filter add dev imq0 protocol ip parent 1:0 prio 1 u32 match ip src 172.21.1.2 flowid 1:10
tc filter add dev imq0 protocol ip parent 1:0 prio 2 u32 match ip dst 172.21.1.2 flowid 1:10
iptables -t mangle -A POSTROUTING -o eth1 -j IMQ --todev 0
iptables -t mangle -A POSTROUTING -o eth2 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -i eth2 -j IMQ --todev 0

The output of 'tc -s -d qdisc ls dev imq0' is:

qdisc htb 1: r2q 1 default 20 direct_packets_stat 0 ver 3.10
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

This output is after running the script for a while, the statistics shouldn't be 0, should they? Anybody know what I did wrong? Any help will be appreciated :) Toshiro.
-- Toshiro Viera From stef.coene@docum.org Tue Oct 14 19:25:36 2003 From: stef.coene@docum.org (Stef Coene) Date: Tue, 14 Oct 2003 20:25:36 +0200 Subject: [LARTC] >10Mbit on HTB In-Reply-To: <200310141059.36708.rio@martin.mu> References: <009001c38ff7$ba52aba0$0aa02bca@sapari> <200310132051.30214.stef.coene@docum.org> <200310141059.36708.rio@martin.mu> Message-ID: <200310142025.36371.stef.coene@docum.org> On Tuesday 14 October 2003 05:59, Rio Martin wrote: > > None. Htb is an egress qdisc so it shapes outgoing traffic. An ingress > > qdisc handles the incoming packets. And there is no queue for the > > incoming packets, so you can't use htb. You can use filteres + policers > > to rate limit traffic. Or you may take a look at the imq device. This > > is a virtual device. You can redirect all incoming packets to it and use > > htb on the imq device. > > Hi Stef, > What do you mean by ' no queue for the incoming packets, so you can't use > HTB'? For now i am not applying IMQ for the ingress, but using packet > mangling under iptables to handle both incoming packets from internet and > outgoing packets to internet. Is this not right? give me your opinion > please, as far as i can see, there were no troubles using packet mangling > to handle those situation. What do you mean with packet mangling? And it's not because there is no queue for incoming packets that you can't do anything with time. The filter + policer setup can rate limit incoming packets. Iptables can also do rate limiting. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From gypsy@iswest.com Wed Oct 15 02:27:33 2003 From: gypsy@iswest.com (gypsy) Date: Tue, 14 Oct 2003 18:27:33 -0700 Subject: [LARTC] Redundant Internet connections [Updated] References: <3F8AC8AB.2080300@cms-forex.com> <3F8AD1A8.8@cms-forex.com> <16822037928.20031013195830@ire.pw.edu.pl> <3F8C2AA8.8000400@cms-forex.com> Message-ID: <3F8CA285.9B4BC209@iswest.com> "Seth J. 
Blank" wrote: > I have finished implementing this step by step, and things still do not > appear to be working. > > During the testing phase, I have two problems (output which differs from > what the howto says I should get). > 1) When I run "ip route list table main", only the proper entries for > NWE1/NME1 and NWE2/NME2 come up, not the one for NWI/NMI. The placement within the script of the line: ip route del default table main is probably what is killing this. When the interface is brought up, an entry is made into the main table. You're purging that entry. So arrange things so that IFI comes up AFTER the del The lo device should be in main also. Another possibility is that the original main table did not have the IFI entry when you ran ip rule add prio ### table main The final thing that comes to mind is that you did not even execute ip link set $IFI up ip addr flush dev $IFI ip addr add $IPI/$NMI brd + dev $IFI (or ip addr add $IPI/$NMI brd $BRDI dev $IFI) # this is the line that populates main > 2) "ip route get from (IPE1|IPE2) to 204.152.189.113" both return > "network unreachable" IS the network reachable?!! My $0.25 is on IFI1 being dead. Try ping -c1 -I eth# 204.152.189.113 where "#" is set to the first interface. > Any help or troubleshooting hints would be greatly appreciated. > > Seth J. Blank buck From rio@martin.mu Wed Oct 15 04:42:59 2003 From: rio@martin.mu (Rio Martin) Date: Wed, 15 Oct 2003 10:42:59 +0700 Subject: [LARTC] >10Mbit on HTB In-Reply-To: <200310142025.36371.stef.coene@docum.org> References: <009001c38ff7$ba52aba0$0aa02bca@sapari> <200310141059.36708.rio@martin.mu> <200310142025.36371.stef.coene@docum.org> Message-ID: <200310151042.59649.rio@martin.mu> On Wednesday 15 October 2003 01:25, Stef Coene wrote: > On Tuesday 14 October 2003 05:59, Rio Martin wrote: > > > None. Htb is an egress qdisc so it shapes outgoing traffic. An > > > ingress qdisc handles the incoming packets. 
And there is no queue for > > > the incoming packets, so you can't use htb. You can use filteres + > > > policers to rate limit traffic. Or you may take a look at the imq > > > device. This is a virtual device. You can redirect all incoming > > > packets to it and use htb on the imq device. > > Hi Stef, > > What do you mean by ' no queue for the incoming packets, so you can't use > > HTB'? For now i am not applying IMQ for the ingress, but using packet > > mangling under iptables to handle both incoming packets from internet and > > outgoing packets to internet. Is this not right? give me your opinion > > please, as far as i can see, there were no troubles using packet mangling > > to handle those situation. > > What do you mean with packet mangling? > And it's not because there is no queue for incoming packets that you can't > do anything with time. The filter + policer setup can rate limit incoming > packets. Iptables can also do rate limiting. iptables -t mangle -A bla bla bla .. i classified all the traffic both for incoming and outgoing to mangle table. correct me if this is wrong stef .. Regards, Rio Martin. From rachelcy@hotmail.com Wed Oct 15 10:18:56 2003 From: rachelcy@hotmail.com (rAcHeL ^cY) Date: Wed, 15 Oct 2003 17:18:56 +0800 Subject: [LARTC] Outgoing link slow down Message-ID: Dear all, I have run cbq on my network to control both incoming and outgoing traffic. I have my redhat with two network interface installed, eth0 (LAN interface) and eth1 (WAN interface). As for my current configuration is, outgoing traffic controlled on eth1 and incoming will be controll on eth0. But then my upload link started to slow down badly, which i have no idea why this happen, can anyone help on this? Thank you very much!!! Rachel _________________________________________________________________ Using a handphone prepaid card? Reload your credit online! 
http://www.msn.com.my/reloadredir/default.asp From olexat@post.cz Wed Oct 15 11:42:10 2003 From: olexat@post.cz (Tom Olexa) Date: Wed, 15 Oct 2003 12:42:10 +0200 (CEST) Subject: [LARTC] Excess BW again Message-ID: <1e94371f1deca9437f45a2f68ac8a460@www3.mail.post.cz>
Hello there, I've already posted st similar, but anyway... can anyone tell me, why the following setup

tc qdisc add dev eth0 root handle 1: htb r2q 5
tc class add dev eth0 parent 1: classid 1:1 htb rate 512kbit ceil 512kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 64kbit ceil 512kbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 256kbit ceil 512kbit
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
  match ip dst 195.28.103.7 flowid 1:10
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
  match ip dst 195.28.103.5 flowid 1:11

doesn't distribute the excess bw in proportion of allocated bw? Ratio I expect is 64/256, but I get some 1/2.1 or similar. This varies according to r2q, but anyway it never gets close to 1/4. kernel 2.4.21, htb 3.12, but also tested on 2.4.18, htb 3.6 with similar results... Can anyone try this setup? Thanks, Tom -- Do you need more space for your pages? Ask at http://sluzby.volny.cz/cs/product/ftp_paid From sblank@cms-forex.com Wed Oct 15 17:12:44 2003 From: sblank@cms-forex.com (Seth J. Blank) Date: Wed, 15 Oct 2003 12:12:44 -0400 Subject: [LARTC] Redundant Internet connections [Updated] In-Reply-To: <3F8CA285.9B4BC209@iswest.com> References: <3F8AC8AB.2080300@cms-forex.com> <3F8AD1A8.8@cms-forex.com> <16822037928.20031013195830@ire.pw.edu.pl> <3F8C2AA8.8000400@cms-forex.com> <3F8CA285.9B4BC209@iswest.com> Message-ID: <3F8D71FC.6050007@cms-forex.com> Yeah, I figured out the problem (stupid mistake on my end) and everything is working now. With one exception. If I pull the cat5 out of eth0 (external interface 1) then everything just hangs. No connections can be made, etc.
Pulling the cat5 out of eth1 (external interface 2) has no effect. The connection stays like this until eth0 is plugged back in (it picks back up immediately).

What this suggests to me is that, even though I'm using the two nexthops, all the data is trying to go over eth0, and nothing is being sent over eth1.

... And I just confirmed this with iptraf.

So the question now is, why aren't the nexthops working? I patched the kernel, followed the nano howto precisely, and can use both interfaces just fine (ping -I eth0/1, etc.). If I set the default route to either eth0 or eth1, everything works fine. But with the nexthops, it does not appear as if the load is being balanced.

Here is my table:

default proto static
    nexthop via GW1 dev eth0 weight 1
    nexthop via GW2 dev eth1 weight 1

Any thoughts?

Thanks a ton for all your help so far,
Seth

gypsy wrote:

>"Seth J. Blank" wrote:
>
>
>>I have finished implementing this step by step, and things still do not
>>appear to be working.
>>
>>During the testing phase, I have two problems (output which differs from
>>what the howto says I should get).
>>1) When I run "ip route list table main", only the proper entries for
>>NWE1/NME1 and NWE2/NME2 come up, not the one for NWI/NMI.
>>
>>
>
>The placement within the script of the line:
>    ip route del default table main
>is probably what is killing this. When the interface is brought up, an
>entry is made into the main table. You're purging that entry. So
>arrange things so that IFI comes up AFTER the del
>
>The lo device should be in main also.
>
>Another possibility is that the original main table did not have the IFI
>entry when you ran
>    ip rule add prio ### table main
>
>The final thing that comes to mind is that you did not even execute
>    ip link set $IFI up
>    ip addr flush dev $IFI
>    ip addr add $IPI/$NMI brd + dev $IFI
>    (or ip addr add $IPI/$NMI brd $BRDI dev $IFI) # this is the line
>that populates main
>
>
>
>>2) "ip route get from (IPE1|IPE2) to 204.152.189.113" both return
>>"network unreachable"
>>
>>
>
>IS the network reachable?!! My $0.25 is on IFI1 being dead. Try
>    ping -c1 -I eth# 204.152.189.113
>where "#" is set to the first interface.
>
>
>
>>Any help or troubleshooting hints would be greatly appreciated.
>>
>>Seth J. Blank
>>
>>
>buck
>
>

From sblank@cms-forex.com Wed Oct 15 17:47:32 2003
From: sblank@cms-forex.com (Seth J. Blank)
Date: Wed, 15 Oct 2003 12:47:32 -0400
Subject: [LARTC] Redundant Internet connections [Updated]
In-Reply-To: <3F8D71FC.6050007@cms-forex.com>
References: <3F8AC8AB.2080300@cms-forex.com> <3F8AD1A8.8@cms-forex.com> <16822037928.20031013195830@ire.pw.edu.pl> <3F8C2AA8.8000400@cms-forex.com> <3F8CA285.9B4BC209@iswest.com> <3F8D71FC.6050007@cms-forex.com>
Message-ID: <3F8D7A24.2070300@cms-forex.com>

Another weird piece of information to add.

If I ifdown eth0, everything starts being routed over eth1. But if I just yank the cord out of eth0, the system sits there trying to route over eth0. This persists for much longer than the 60 seconds it should take, max, for the kernel to update the routing tables.

And it's still confusing me why the traffic isn't being split evenly between eth0 and eth1 (iptraf shows everything going over eth0, no traffic at all on eth1).

Thank you all so much for your help,
Seth

From lpz@ornl.gov Wed Oct 15 18:34:50 2003
From: lpz@ornl.gov (Lawrence MacIntyre)
Date: Wed, 15 Oct 2003 13:34:50 -0400
Subject: [LARTC] bridge
In-Reply-To: <3109.80.97.24.235.1031297701.squirrel@www.sqmail.ambra.ro>
References: <3109.80.97.24.235.1031297701.squirrel@www.sqmail.ambra.ro>
Message-ID: <1066239290.1584.74.camel@nautique>

We'll need a lot more information to help you... Why do you say the bridge is working? What DOES work? What is the configuration of your bridge?

On Fri, 2002-09-06 at 03:35, Victor wrote:
> I believe I missed something
>
>                | br0            |
> test ----------|eth0       eth1 |----- network
> ftp            |     tc         |
>
> If I ping a machine from "network" from the "test ftp" she doesn't answer.
> If I skip the bridge, and I put the "test ftp" in the "network", the ping
> is working.
> I have no firewall on the bridge, and the bridge is working.
> Traffic is shaped through this bridge.

--
Lawrence MacIntyre 865.574.8696 lpz@ornl.gov
Oak Ridge National Laboratory
High Performance Information Infrastructure Technology Group

From stef.coene@docum.org Wed Oct 15 19:49:27 2003
From: stef.coene@docum.org (Stef Coene)
Date: Wed, 15 Oct 2003 20:49:27 +0200
Subject: [LARTC] ~Restriction Problem~
In-Reply-To: <01e601c39242$cd536f80$61a1a0ca@lin>
References: <01e601c39242$cd536f80$61a1a0ca@lin>
Message-ID: <200310152049.27744.stef.coene@docum.org>

On Tuesday 14 October 2003 13:03, Joel wrote:
> ----- Original Message -----
> From: Joel
> To: lartc@mailman.ds9a.nl
> Sent: Tuesday, October 14, 2003 12:12 PM
> Subject: ~Restriction Problem~
>
>
> Dear all,
>
> I have redhat 9.0 server connected to router. The link is 1 mbps
>
> Now i want to share only 260 kbps bandwidth through the linux server to the
> clients.
>
> I have wrote the script. but with it i can restrict the total bandwidth to
> 260 kbps. i dont want to give more than 260 thats it.
>
> all clients are given individual bandwidth from 260 total.
> plz tell me where i m wrong and if u could little modify the script that
> would be really great.

You don't tell us what's the problem. Is the script not working like expected? Also check out my faq page on www.docum.org.

Some tips. Limit the total bandwidth to less than your link bandwidth. And make sure that the sum of the rate of the child classes <= rate of the parent.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Wed Oct 15 19:44:53 2003
From: stef.coene@docum.org (Stef Coene)
Date: Wed, 15 Oct 2003 20:44:53 +0200
Subject: [LARTC] >10Mbit on HTB
In-Reply-To: <200310151042.59649.rio@martin.mu>
References: <009001c38ff7$ba52aba0$0aa02bca@sapari> <200310142025.36371.stef.coene@docum.org> <200310151042.59649.rio@martin.mu>
Message-ID: <200310152044.53731.stef.coene@docum.org>

On Wednesday 15 October 2003 05:42, Rio Martin wrote:
> On Wednesday 15 October 2003 01:25, Stef Coene wrote:
> > On Tuesday 14 October 2003 05:59, Rio Martin wrote:
> > > > None. Htb is an egress qdisc so it shapes outgoing traffic. An
> > > > ingress qdisc handles the incoming packets. And there is no queue
> > > > for the incoming packets, so you can't use htb. You can use filters
> > > > + policers to rate limit traffic. Or you may take a look at the imq
> > > > device. This is a virtual device. You can redirect all incoming
> > > > packets to it and use htb on the imq device.
> > >
> > > Hi Stef,
> > > What do you mean by ' no queue for the incoming packets, so you can't
> > > use HTB'? For now i am not applying IMQ for the ingress, but using
> > > packet mangling under iptables to handle both incoming packets from
> > > internet and outgoing packets to internet. Is this not right? give me
> > > your opinion please, as far as i can see, there were no troubles using
> > > packet mangling to handle those situation.
> >
> > What do you mean with packet mangling?
> > And it's not because there is no queue for incoming packets that you
> > can't do anything with time. The filter + policer setup can rate limit
> > incoming packets. Iptables can also do rate limiting.
>
> iptables -t mangle -A bla bla bla ..
> i classified all the traffic both for incoming and outgoing to mangle
> table. correct me if this is wrong stef ..

But what has this to do with traffic shaping ???? You can mangle incoming and outgoing packets with iptables, but tc kicks in just before the packets are placed on the wire. So after all iptables stuff and only for the outgoing packets.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From Robert Kurjata Wed Oct 15 22:00:58 2003
From: Robert Kurjata (Robert Kurjata)
Date: Wed, 15 Oct 2003 23:00:58 +0200
Subject: Re[2]: [LARTC] Redundant Internet connections [Updated]
In-Reply-To: <3F8D7A24.2070300@cms-forex.com>
References: <3F8AC8AB.2080300@cms-forex.com> <3F8AD1A8.8@cms-forex.com> <16822037928.20031013195830@ire.pw.edu.pl> <3F8C2AA8.8000400@cms-forex.com> <3F8CA285.9B4BC209@iswest.com> <3F8D71FC.6050007@cms-forex.com> <3F8D7A24.2070300@cms-forex.com>
Message-ID: <9016803181.20031015230058@ire.pw.edu.pl>

Hi Seth,

I can't find anything more than posting my working script for load balancing over two links (it was for three links and I hope I didn't remove too much). It has been done strictly by the rules on Nano-HOWTO and works. The main part is the PING section at the end. This ensures that kernel sees dead gateways and recovers. But of course it WILL NOT work without some kernel patching (dead gateway detection, static routes - just use a Jumbo Patch from http://www.ssi.bg/~ja/ ).

A final word is: the routers didn't even have to respond to pings. They need to respond to ARPS. This stuff doesn't work properly for PPP or PPPoE connections as they usually are NoARP.

I also have some shaping done with TC/CBQ on both links.

VERY IMPORTANT: all the testing is USELESS if you have less than 40-50 users doing lots of requests to different sites as routes are just cached in kernel. In my system even with 10-20 users balancing is usually poor improving greatly with number of users - the difference between links lowers down to 10%.

Hopefully I will get some free time to write a step-by-step howto because it took me some time to understand the thing.

Hope this helped someone, Greetings to the list

---------------------------cut here------------------------------------------
#!/bin/bash
# This script is done by : Robert Kurjata Sep, 2003.
# feel free to use it in any useful way

# CONFIGURATION
IP=/sbin/ip
PING=/bin/ping

#--------------- LINK PART -----------------
# EXTIFn - interface name
# EXTIPn - outgoing IP
# EXTMn  - netmask length (bits)
# EXTGWn - outgoing gateway
#-------------------------------------------

# LINK 1
EXTIF1=eth2
EXTIP1=
EXTM1=
EXTGW1=

# LINK 2
EXTIF2=eth1
EXTIP2=
EXTM2=
EXTGW2=

#ROUTING PART
# removing old rules and routes

echo "removing old rules"
${IP} rule del prio 50 table main
${IP} rule del prio 201 from ${EXTIP1}/${EXTM1} table 201
${IP} rule del prio 202 from ${EXTIP2}/${EXTM2} table 202
${IP} rule del prio 221 table 221
echo "flushing tables"
${IP} route flush table 201
${IP} route flush table 202
${IP} route flush table 221
echo "removing tables"
${IP} route del table 201
${IP} route del table 202
${IP} route del table 221

# setting new rules
echo "Setting new routing rules"

# main table w/o default gateway here
${IP} rule add prio 50 table main
${IP} route del default table main

# identified routes here
${IP} rule add prio 201 from ${EXTIP1}/${EXTM1} table 201
${IP} rule add prio 202 from ${EXTIP2}/${EXTM2} table 202

${IP} route add default via ${EXTGW1} dev ${EXTIF1} src ${EXTIP1} proto static table 201
${IP} route append prohibit default table 201 metric 1 proto static

${IP} route add default via ${EXTGW2} dev ${EXTIF2} src ${EXTIP2} proto static table 202
${IP} route append prohibit default table 202 metric 1 proto static

# multipath
${IP} rule add prio 221 table 221

${IP} route add default table 221 proto static \
    nexthop via ${EXTGW1} dev ${EXTIF1} weight 2 \
    nexthop via ${EXTGW2} dev ${EXTIF2} weight 3

${IP} route flush cache

# ping both gateways every 60 s so the kernel can detect a dead gateway
while : ; do
    ${PING} -c 1 ${EXTGW1}
    ${PING} -c 1 ${EXTGW2}
    sleep 60
done
---------------------------cut here------------------------------------------

--
Pozdrowienia,
Robert Kurjata

From sblank@cms-forex.com Wed Oct 15 23:01:51 2003
From: sblank@cms-forex.com (Seth J. Blank)
Date: Wed, 15 Oct 2003 18:01:51 -0400
Subject: [LARTC] Redundant Internet connections [Updated]
In-Reply-To: <9016803181.20031015230058@ire.pw.edu.pl>
References: <3F8AC8AB.2080300@cms-forex.com> <3F8AD1A8.8@cms-forex.com> <16822037928.20031013195830@ire.pw.edu.pl> <3F8C2AA8.8000400@cms-forex.com> <3F8CA285.9B4BC209@iswest.com> <3F8D71FC.6050007@cms-forex.com> <3F8D7A24.2070300@cms-forex.com> <9016803181.20031015230058@ire.pw.edu.pl>
Message-ID: <3F8DC3CF.8000708@cms-forex.com>

Thanks Robert, that's almost exactly what I had (I didn't have ip route flush cache).

The problem is, everything is routing fine, and the data is being split evenly over eth0 and eth1, but as soon as I pull the cable out of eth0 (pulling it out of eth1 doesn't seem to matter) the connection goes out and the routes never recover until I plug the cable back in (at which point things start flowing perfectly again without any prompting from me).

On the other hand, if I ifdown eth0, the routes switch over silently. As soon as I bring eth0 back up, data's going over both eth0 and eth1 again.

In other words, things are working almost exactly as they should be, but when the cat5 comes out, things just die.

Someone suggested that I use mii tools and just ifdown eth0 if it's out, and that might work, but I'd really rather have a solution done solely within routing tables if possible.

The other reason I want to do this from the routing tables is because I expect any problems to be further down the line than the cable into the firewall.

The network will be set up like this:

intranet eth2 --- firewall --- eth0 --- router1 --- internet
                           \-- eth1 --- router2 --- internet

When the connection from router1 to the internet goes down, I need the firewall to stop sending data over eth0 and commit fully to eth1. When that link comes back up, I need the routes restored. Same for the other way around.

The way I was thinking of doing this was by sending out an ICMP packet (say, to google.com) over each interface with a TTL of 3, and if it didn't come back, change the route. But both the nano howto and the dead gateway detection howto seem to say that the routes as I have them (and you put them) should be able to handle this problem already.

My problem is that it obviously doesn't. If it did, pulling the cable out of eth0 wouldn't cause such an issue.

So I guess what I'm asking is, does anyone have any suggestions about how to troubleshoot this problem?

Thanks so much everyone,
Seth

Robert Kurjata wrote:

>Hi Seth,
>
>I can't find anything more than posting my working script for load
>balancing over two links (it was for three links and I hope I didn't
>remove too much). It has been done strictly by the rules on
>Nano-HOWTO and works. The main part is the PING section at the end.
>This ensures that kernel sees dead gateways and recovers.
>But of course it WILL NOT work without some kernel patching (dead
>gateway detection, static routes - just use a Jumbo Patch from
>http://www.ssi.bg/~ja/ ).
>
>A final word is: the routers didn't even have to respond to pings.
>They need to respond to ARPS. This stuff doesn't work properly for PPP
>or PPPoE connections as they usually are NoARP.
>
>I also have some shaping done with TC/CBQ on both links.
>
>VERY IMPORTANT: all the testing is USELESS if you have less than 40-50
>users doing lots of requests to different sites as a routes are just
>cached in kernel.
In my system even with 10-20 users balancing is >usually poor improving greatly with number of users - the diference >between links lowers down to 10%. > >Hopefully I will get some free time to write a step-by-step howto >because it took me some time to understand the thing. > >Home this helped someone, Greetings to the list >---------------------------cut here------------------------------------------ > >#!/bin/bash ># This script is done by : Robert Kurjata Sep, 2003. ># feel free to use it in any usefull way > ># CONFIGURATION >IP=/sbin/ip >PING=/bin/ping > >#--------------- LINK PART ----------------- ># EXTIFn - interface name ># EXTIPn - outgoing IP ># EXTMn - netmask length (bits) ># EXTGWn - outgoing gateway >#------------------------------------------- > ># LINK 1 >EXTIF1=eth2 >EXTIP1= >EXTM1= >EXTGW1= > ># LINK 2 >EXTIF2=eth1 >EXTIP2= >EXTM2= >EXTGW2= > >#ROUTING PART ># removing old rules and routes > >echo "removing old rules" >${IP} rule del prio 50 table main >${IP} rule del prio 201 from ${EXTIP1}/${EXTM1} table 201 >${IP} rule del prio 202 from ${EXTIP2}/${EXTM2} table 202 >${IP} rule del prio 221 table 221 >echo "flushing tables" >${IP} route flush table 201 >${IP} route flush table 202 >${IP} route flush table 221 >echo "removing tables" >${IP} route del table 201 >${IP} route del table 202 >${IP} route del table 221 > ># setting new rules >echo "Setting new routing rules" > ># main table w/o default gateway here >${IP} rule add prio 50 table main >${IP} route del default table main > ># identified routes here >${IP} rule add prio 201 from ${EXTIP1}/${EXTM1} table 201 >${IP} rule add prio 202 from ${EXTIP2}/${EXTM2} table 202 > >${IP} route add default via ${EXTGW1} dev ${EXTIF1} src ${EXTIP1} proto static table 201 >${IP} route append prohibit default table 201 metric 1 proto static > >${IP} route add default via ${EXTGW2} dev ${EXTIF2} src ${EXTIP2} proto static table 202 >${IP} route append prohibit default table 202 metric 1 proto static > ># 
mutipath >${IP} rule add prio 221 table 221 > >${IP} route add default table 221 proto static \ > nexthop via ${EXTGW1} dev ${EXTIF1} weight 2\ > nexthop via ${EXTGW2} dev ${EXTIF2} weight 3 > >${IP} route flush cache > > > >while : ; do > ${PING} -c 1 ${EXTGW1} > ${PING} -c 1 ${EXTGW2} > sleep 60 >done > >---------------------------cut here------------------------------------------ > > > From dgomes@av.it.pt Wed Oct 15 18:41:32 2003 From: dgomes@av.it.pt (Diogo Nuno P. Gomes) Date: Wed, 15 Oct 2003 18:41:32 +0100 Subject: [LARTC] Redundant Internet connections [Updated] In-Reply-To: <3F8D8385.2040504@cms-forex.com> Message-ID: <000001c39343$925260b0$64010a0a@spark> Why not google for it ;) ? First hit should take you here -> http://www.scyld.com/diag/ Check you linux distribution, most of then come with mii-tools package already. =Diogo Gomes email: dgomes@av.it.pt homepage: http://sweet.ua.pt/~etdgomes Eng. Computadores e Telematica - Instituto Telecomunicacoes (Aveiro) -----Original Message----- From: Seth J. Blank [mailto:sblank@cms-forex.com] Sent: quarta-feira, 15 de Outubro de 2003 18:28 To: dgomes@av.it.pt Subject: Re: [LARTC] Redundant Internet connections [Updated] I'm not aware of mii tools, could you give me more information on them? Thanks a lot, Seth Diogo Nuno P. Gomes wrote: >Hi! > >This might seam of topic but why don't you use mii tools to ifdown eth0 >if the cord is unplugged ? > >=Diogo Gomes >email: dgomes@av.it.pt >homepage: http://sweet.ua.pt/~etdgomes >Eng. Computadores e Telematica - Instituto Telecomunicacoes (Aveiro) > > >-----Original Message----- >From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] >On Behalf Of Seth J. Blank >Sent: quarta-feira, 15 de Outubro de 2003 17:48 >To: lartc@mailman.ds9a.nl >Subject: Re: [LARTC] Redundant Internet connections [Updated] > > >Another weird piece of information to add. > >If I ifdown eth0, everything starts being routed over eth1. 
But if I
>just yank the cord out of eth0, the system sits there trying to route
>over eth0. This persists for much longer than the 60 seconds it should
>take, max, for the kernel to update the routing tables.
>
>And it's still confusing me why the traffic isn't being split evenly
>between eth0 and eth1 (iptraf shows everything going over eth0, no
>traffic at all on eth1).
>
>Thank you all so much for your help,
>Seth
>

From nielsvc@ostenfeld.dk Thu Oct 16 12:22:28 2003
From: nielsvc@ostenfeld.dk (Niels Vorgaard Christensen)
Date: Thu, 16 Oct 2003 13:22:28 +0200
Subject: [LARTC] tc filter expression
In-Reply-To: (Catalin BOIE's message of "Thu, 9 Oct 2003 08:58:58 +0300 (EEST)")
References: <873ce37y8v.fsf@niels.ostenfeld.dtu.dk>
Message-ID: <87y8vlo2a3.fsf@niels.ostenfeld.dtu.dk>

Catalin BOIE writes:

> On Thu, 9 Oct 2003, Niels Vorgaard Christensen wrote:
>
>> Hi.
>>
>> I am working on a router with three interfaces. eth2 and eth0 are
>> connected to two different Internet providers. The interface eth1 is
>> connected to an internal network. Now I need a tc filter expression
>> that will determine which interface the packet was routed in through
>> to be able classify packets going out eth1 based on provider. I know I
>> could mark packets with netfilter, but if it is possible to construct
>> a tc filter expression to do the job I would much prefer that.
>
> I think you can use ingress + policy + ds to mark packets (DSCP IP field)
> on eth0 and eth2. Then on eth1 you can classify based on this field.

Could you give me an example of how this could be done? The DSMARK documentation that I have found is a bit difficult. I can't find any examples of marking in ingress, and if I understand you right, you think that it is possible to mark all packets in ingress on let's say eth0 (provider 1), and then classify based on that mark in egress of eth1 (internal iface).

Regards,
Niels V. Christensen

From util@deuroconsult.ro Thu Oct 16 13:28:04 2003
From: util@deuroconsult.ro (Catalin BOIE)
Date: Thu, 16 Oct 2003 15:28:04 +0300 (EEST)
Subject: [LARTC] tc filter expression
In-Reply-To: <87y8vlo2a3.fsf@niels.ostenfeld.dtu.dk>
References: <873ce37y8v.fsf@niels.ostenfeld.dtu.dk> <87y8vlo2a3.fsf@niels.ostenfeld.dtu.dk>
Message-ID:

> > I think you can use ingress + policy + ds to mark packets (DSCP IP field)
> > on eth0 and eth2. Then on eth1 you can classify based on this field.
>
> Could you give me an example of how this could be done? The DSMARK
> documentation that I have found is a bit difficult. I can't find any
> examples of marking in ingress, and if I understand you right, you
> think that it is possible to mark all packets in ingress on let's say
> eth0 (provider 1), and then classify based on that mark in egress of
> eth1 (internal iface).

Hi, Niels!

I have no working example. I said that in theory. I didn't try it myself.

[10 minutes passed]

I checked a little more and it seems it's not possible to set the mark using ingress.

Stef, am I wrong?

>
>
> Regards,
> Niels V. Christensen
>

---
Catalin(ux) BOIE
catab@deuroconsult.ro

From ken@encode.com Thu Oct 16 15:50:11 2003
From: ken@encode.com (Ken Scott)
Date: Thu, 16 Oct 2003 10:50:11 -0400
Subject: [LARTC] Re: LARTC -- confirmation of subscription -- request 626047
References: <20031016144545.3117.14961.Mailman@outpost.ds9a.nl>
Message-ID: <000901c393f4$ccbd7ee0$35bd82ce@encode.com>

Hello,
i have just started using "The Wonder Shaper" for my cable connection,
when i run ./wshaper status
i get:

qdisc ingress ffff:
 Sent 1842 bytes 31 pkts (dropped 0, overlimits 0)

qdisc sfq 30: quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 20: quantum 1514b perturb 10sec
 Sent 133 bytes 2 pkts (dropped 0, overlimits 0)

qdisc sfq 10: quantum 1514b perturb 10sec
 Sent 3592 bytes 28 pkts (dropped 0, overlimits 0)

qdisc cbq 1: rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 3725 bytes 30 pkts (dropped 0, overlimits 1)
  borrowed 0 overactions 0 avgidle 624 undertime 0

class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:10 parent 1:1 leaf 10: rate 250Kbit prio 1
 Sent 3780 bytes 30 pkts (dropped 0, overlimits 1)
  borrowed 0 overactions 1 avgidle 624 undertime 0
class cbq 1:1 parent 1: rate 250Kbit (bounded,isolated) prio 5
 Sent 3913 bytes 32 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:20 parent 1:1 leaf 20: rate 225Kbit prio 2
 Sent 133 bytes 2 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:30 parent 1:1 leaf 30: rate 200Kbit prio 2
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0

is this good?
or could some one please explain to me what some of this information means to me?

thanks in advance for your time!
ken ----- Original Message ----- From: To: Sent: Thursday, October 16, 2003 10:45 AM Subject: LARTC -- confirmation of subscription -- request 626047 > LARTC -- confirmation of subscription -- request 626047 > > We have received a request from 206.130.189.53 for subscription of > your email address, , to the lartc@mailman.ds9a.nl > mailing list. To confirm the request, please send a message to > lartc-request@mailman.ds9a.nl, and either: > > - maintain the subject line as is (the reply's additional "Re:" is > ok), > > - or include the following line - and only the following line - in the > message body: > > confirm 626047 > > (Simply sending a 'reply' to this message should work from most email > interfaces, since that usually leaves the subject line in the right > form.) > > If you do not wish to subscribe to this list, please simply disregard > this message. Send questions to lartc-admin@mailman.ds9a.nl. > --- > [This E-mail scanned for viruses by Declude Virus] > > --- [This E-mail scanned for viruses by Declude Virus] From stef.coene@docum.org Thu Oct 16 18:11:36 2003 From: stef.coene@docum.org (Stef Coene) Date: Thu, 16 Oct 2003 19:11:36 +0200 Subject: [LARTC] Re: LARTC -- confirmation of subscription -- request 626047 In-Reply-To: <000901c393f4$ccbd7ee0$35bd82ce@encode.com> References: <20031016144545.3117.14961.Mailman@outpost.ds9a.nl> <000901c393f4$ccbd7ee0$35bd82ce@encode.com> Message-ID: <200310161911.36998.stef.coene@docum.org> On Thursday 16 October 2003 16:50, Ken Scott wrote: > Hello, > i have just started using "The Wonder Shaper" for my cable connection, > when i run ./wshaper status > i get: > > qdisc ingress ffff: > Sent 1842 bytes 31 pkts (dropped 0, overlimits 0) > > qdisc sfq 30: quantum 1514b perturb 10sec > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > qdisc sfq 20: quantum 1514b perturb 10sec > Sent 133 bytes 2 pkts (dropped 0, overlimits 0) > > qdisc sfq 10: quantum 1514b perturb 10sec > Sent 3592 bytes 28 pkts (dropped 0, overlimits 0) 
> > qdisc cbq 1: rate 10Mbit (bounded,isolated) prio no-transmit > Sent 3725 bytes 30 pkts (dropped 0, overlimits 1) > borrowed 0 overactions 0 avgidle 624 undertime 0 > > class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > borrowed 0 overactions 0 avgidle 624 undertime 0 > class cbq 1:10 parent 1:1 leaf 10: rate 250Kbit prio 1 > Sent 3780 bytes 30 pkts (dropped 0, overlimits 1) > borrowed 0 overactions 1 avgidle 624 undertime 0 > class cbq 1:1 parent 1: rate 250Kbit (bounded,isolated) prio 5 > Sent 3913 bytes 32 pkts (dropped 0, overlimits 0) > borrowed 0 overactions 0 avgidle 624 undertime 0 > class cbq 1:20 parent 1:1 leaf 20: rate 225Kbit prio 2 > Sent 133 bytes 2 pkts (dropped 0, overlimits 0) > borrowed 0 overactions 0 avgidle 624 undertime 0 > class cbq 1:30 parent 1:1 leaf 30: rate 200Kbit prio 2 > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > borrowed 0 overactions 0 avgidle 624 undertime 0 > > > is this good? > or could some one please explain to me what some of this information means > to me? You ask us to explain everything :) You can find all needed information on http://lartc.org and http://docum.org. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From szymans@agh.edu.pl Thu Oct 16 17:50:25 2003 From: szymans@agh.edu.pl (Andrzej Szymanski) Date: Thu, 16 Oct 2003 18:50:25 +0200 Subject: [LARTC] tc filter problem with 2.4.22 Message-ID: <3F8ECC51.8DFFD47F@agh.edu.pl> Hi, I have a problem with 'tc filter' on a 2.4.22 kernel from Slackware 9.1 distribution. 
The tc command binary is from htb3.6-020525.tgz (http://luxik.cdi.cz/~devik/qos/htb)

I'm trying the following command sequence:

tc qdisc add dev eth0 root handle 1: htb default 1 r2q 1
tc class add dev eth0 parent 1: classid 1:1 htb rate 1200kbit ceil 1200kbit
tc class add dev eth0 parent 1:1 classid 1:1002 htb rate 20kbit ceil 1200kbit burst 1600 cburst 1600
tc qdisc add dev eth0 handle 1002 parent 1:1002 sfq perturb 10
tc filter add dev eth0 protocol ip parent 1:0 prio 10 u32 match ip src 10.0.0.2 flowid 1:1002

'tc filter' command returns:
RTNETLINK answers: Invalid argument

moreover, 'tc filter show' returns:
RTNETLINK answers: Invalid argument
Dump terminated

Everything worked OK on another linux with older (2.4.20) kernel.

Do you have an idea what's wrong?

Andrzej.

From stef.coene@docum.org Thu Oct 16 18:31:40 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 16 Oct 2003 19:31:40 +0200
Subject: [LARTC] tc filter problem with 2.4.22
In-Reply-To: <3F8ECC51.8DFFD47F@agh.edu.pl>
References: <3F8ECC51.8DFFD47F@agh.edu.pl>
Message-ID: <200310161931.40046.stef.coene@docum.org>

On Thursday 16 October 2003 18:50, Andrzej Szymanski wrote:
> Hi,
>
> I have a problem with 'tc filter' on a 2.4.22 kernel from Slackware 9.1
> distribution.
> The tc command binary is from htb3.6-020525.tgz
> (http://luxik.cdi.cz/~devik/qos/htb)
>
> I'm trying the following command sequence:
>
> tc qdisc add dev eth0 root handle 1: htb default 1 r2q 1
> tc class add dev eth0 parent 1: classid 1:1 htb rate 1200kbit ceil
> 1200kbit
> tc class add dev eth0 parent 1:1 classid 1:1002 htb rate 20kbit ceil
> 1200kbit burst 1600 cburst 1600
> tc qdisc add dev eth0 handle 1002 parent 1:1002 sfq perturb 10
> tc filter add dev eth0 protocol ip parent 1:0 prio 10 u32 match ip src
> 10.0.0.2 flowid 1:1002
>
> 'tc filter' command returns:
> RTNETLINK answers: Invalid argument
>
> moreover, 'tc filter show' returns:
> RTNETLINK answers: Invalid argument
> Dump terminated
>
> Everything worked OK on another linux with older (2.4.20) kernel.
>
> Do you have an idea what's wrong?

Mhh. I have a tc binary on www.docum.org, can you try that one?
http://www.docum.org/stef.coene/qos/download/

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Thu Oct 16 18:36:44 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 16 Oct 2003 19:36:44 +0200
Subject: [LARTC] quantum clarification
In-Reply-To: <1035.80.97.24.235.1031346565.squirrel@www.sqmail.ambra.ro>
References: <1035.80.97.24.235.1031346565.squirrel@www.sqmail.ambra.ro>
Message-ID: <200310161936.44499.stef.coene@docum.org>

On Friday 06 September 2002 23:09, Victor wrote:
> Quantum = how much a class can send at a turn.
> But a class can send at a turn at least how much his rate is.
> So the quantum should be higher than the rate.
> Then why the default quantum=rate/r2q?
>
> I believe there is something wrong in my deduction.
> Can someone please clarify these things?

Quantum is only used if the class is already sending its rate and the parent has some bandwidth left to distribute.
Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From szymans@agh.edu.pl Thu Oct 16 18:42:35 2003 From: szymans@agh.edu.pl (Andrzej Szymanski) Date: Thu, 16 Oct 2003 19:42:35 +0200 Subject: [LARTC] tc filter problem with 2.4.22 References: <3F8ECC51.8DFFD47F@agh.edu.pl> <200310161931.40046.stef.coene@docum.org> Message-ID: <3F8ED88B.637FA28@agh.edu.pl> I've tried it - exactly the same problem. # ./tc filter add dev eth0 protocol ip parent 1:0 prio 10 u32 match ip src 10.0.0.2 flowid 1:1002 RTNETLINK answers: Invalid argument Andrzej. Stef Coene wrote: > Mhh. I have a tc binary on www.docum.org, can you try that one? > http://www.docum.org/stef.coene/qos/download/ > > Stef From ken@encode.com Thu Oct 16 18:33:06 2003 From: ken@encode.com (Ken Scott) Date: Thu, 16 Oct 2003 13:33:06 -0400 Subject: [LARTC] Re: LARTC -- confirmation of subscription -- request 626047 References: <20031016144545.3117.14961.Mailman@outpost.ds9a.nl> <000901c393f4$ccbd7ee0$35bd82ce@encode.com> <200310161911.36998.stef.coene@docum.org> Message-ID: <002201c3940b$8f5c2e40$35bd82ce@encode.com> ----- Original Message ----- From: "Stef Coene" To: "Ken Scott" ; Sent: Thursday, October 16, 2003 1:11 PM Subject: Re: [LARTC] Re: LARTC -- confirmation of subscription -- request 626047 > On Thursday 16 October 2003 16:50, Ken Scott wrote: > > Hello, > > i have just started using "The Wonder Shaper" for my cable connection, > > when i run ./wshaper status > > i get: > > > > qdisc ingress ffff: > > Sent 1842 bytes 31 pkts (dropped 0, overlimits 0) > > > > qdisc sfq 30: quantum 1514b perturb 10sec > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > > > qdisc sfq 20: quantum 1514b perturb 10sec > > Sent 133 bytes 2 pkts (dropped 0, overlimits 0) > > > > qdisc sfq 10: quantum 1514b perturb 10sec > > Sent 3592 bytes 28 pkts (dropped 0, overlimits 0) > > > > qdisc cbq 1: rate 10Mbit (bounded,isolated) prio no-transmit > > Sent 3725 bytes 30 
pkts (dropped 0, overlimits 1) > > borrowed 0 overactions 0 avgidle 624 undertime 0 > > > > class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > borrowed 0 overactions 0 avgidle 624 undertime 0 > > class cbq 1:10 parent 1:1 leaf 10: rate 250Kbit prio 1 > > Sent 3780 bytes 30 pkts (dropped 0, overlimits 1) > > borrowed 0 overactions 1 avgidle 624 undertime 0 > > class cbq 1:1 parent 1: rate 250Kbit (bounded,isolated) prio 5 > > Sent 3913 bytes 32 pkts (dropped 0, overlimits 0) > > borrowed 0 overactions 0 avgidle 624 undertime 0 > > class cbq 1:20 parent 1:1 leaf 20: rate 225Kbit prio 2 > > Sent 133 bytes 2 pkts (dropped 0, overlimits 0) > > borrowed 0 overactions 0 avgidle 624 undertime 0 > > class cbq 1:30 parent 1:1 leaf 30: rate 200Kbit prio 2 > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > borrowed 0 overactions 0 avgidle 624 undertime 0 > > > > > > is this good? > > or could some one please explain to me what some of this information means > > to me? > You ask us to explain everything :) > You can find all needed information on http://lartc.org and http://docum.org. > > Stef No, i didn't ask u to explain everything, i asked if some one could tell me what "some" of this information is, and weather or not it is working correctly according that the information that i have posted above. oh and the documentation on the lartc.org site sux. 
> > -- > stef.coene@docum.org > "Using Linux as bandwidth manager" > http://www.docum.org/ > #lartc @ irc.openprojects.net > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > --- > [This E-mail scanned for viruses by Declude Virus] > > --- [This E-mail scanned for viruses by Declude Virus] From stef.coene@docum.org Thu Oct 16 18:48:35 2003 From: stef.coene@docum.org (Stef Coene) Date: Thu, 16 Oct 2003 19:48:35 +0200 Subject: [LARTC] tc filter problem with 2.4.22 In-Reply-To: <3F8ED88B.637FA28@agh.edu.pl> References: <3F8ECC51.8DFFD47F@agh.edu.pl> <200310161931.40046.stef.coene@docum.org> <3F8ED88B.637FA28@agh.edu.pl> Message-ID: <200310161948.35754.stef.coene@docum.org> On Thursday 16 October 2003 19:42, Andrzej Szymanski wrote: > I've tried it - exactly the same problem. > > # ./tc filter add dev eth0 protocol ip parent 1:0 prio 10 u32 match ip > src 10.0.0.2 flowid 1:1002 > RTNETLINK answers: Invalid argument Are you running a kernel with u32 filter support ? Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From stef.coene@docum.org Thu Oct 16 18:29:06 2003 From: stef.coene@docum.org (Stef Coene) Date: Thu, 16 Oct 2003 19:29:06 +0200 Subject: [LARTC] Excess BW again In-Reply-To: <1e94371f1deca9437f45a2f68ac8a460@www3.mail.post.cz> References: <1e94371f1deca9437f45a2f68ac8a460@www3.mail.post.cz> Message-ID: <200310161929.06406.stef.coene@docum.org> On Wednesday 15 October 2003 12:42, Tom Olexa wrote: > Hello there, > > I've already posted st similar, but anyway... 
> can anyone tell me, why the following setup
>
> tc qdisc add dev eth0 root handle 1: htb r2q 5
>
> tc class add dev eth0 parent 1: classid 1:1 htb rate 512kbit ceil 512kbit
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 64kbit ceil 512kbit
> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 256kbit ceil 512kbit
>
> tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
>     match ip dst 195.28.103.7 flowid 1:10
> tc filter add dev eth0 parent 1: protocol ip prio 1 u32 \
>     match ip dst 195.28.103.5 flowid 1:11
>
> doesn't distribute the excess bw in proportion of allocated bw?
>
> Ratio I expect is 64/256, but I get some 1/2.1 or similar. This
> varies according to r2q, but anyway it never gets close to 1/4.
>
> kernel 2.4.21, htb 3.12, but also tested on 2.4.18, htb 3.6 with
> similar results...
>
> Can anyone try this setup?

I tried it myself and this is the result (in bytes and the output is not like it should be):

2.884 KB/s   4.258 KB/s   T 7.143 KB/s   G 75.41 KB/s     40.38%    40.38%
18.66 KB/s   41.64 KB/s   T 60.31 KB/s   G 67.82 KB/s     30.95%    36.17%
21.54 KB/s   43.08 KB/s   T 64.62 KB/s   G 66.75 KB/s     33.33%    35.25%
22.97 KB/s   45.95 KB/s   T 68.92 KB/s   G 67.30 KB/s     33.33%    34.76%
21.54 KB/s   44.52 KB/s   T 66.06 KB/s   G 67.05 KB/s     32.61%    34.33%
21.54 KB/s   43.08 KB/s   T 64.62 KB/s   G 66.64 KB/s     33.33%    34.17%
21.54 KB/s   44.51 KB/s   T 66.06 KB/s   G 66.56 KB/s     32.61%    33.95%
21.53 KB/s   43.07 KB/s   T 64.61 KB/s   G 66.32 KB/s     33.33%    33.88%
24.41 KB/s   43.07 KB/s   T 67.48 KB/s   G 66.45 KB/s     36.17%    34.13%
17.23 KB/s   44.53 KB/s   T 61.76 KB/s   G 65.98 KB/s     27.91%    33.55%
22.97 KB/s   41.64 KB/s   T 64.62 KB/s   G 65.85 KB/s     35.56%    33.73%
21.54 KB/s   44.51 KB/s   T 66.06 KB/s   G 65.87 KB/s     32.61%    33.64%
24.41 KB/s   44.51 KB/s   T 68.93 KB/s   G 66.11 KB/s     35.42%    33.78%
17.23 KB/s   41.64 KB/s   T 58.87 KB/s   G 65.59 KB/s     29.27%    33.49%
22.97 KB/s   44.52 KB/s   T 67.50 KB/s   G 65.72 KB/s     34.04%    33.53%
20.09 KB/s   43.06 KB/s   T 63.16 KB/s   G 65.56 KB/s     31.82%    33.42%
24.42 KB/s   44.54 KB/s   T 68.96 KB/s   G 65.76 KB/s     35.42%    33.55%
18.66 KB/s   43.08 KB/s   T 61.74 KB/s   G 65.53 KB/s     30.23%    33.37%
21.50 KB/s   41.58 KB/s   T 63.09 KB/s   G 65.40 KB/s     34.09%    33.41%
21.57 KB/s   44.58 KB/s   T 66.16 KB/s   G 65.44 KB/s     32.61%    33.37%
12.92 KB/s   43.08 KB/s   T 56.00 KB/s   G 64.99 KB/s     23.08%    32.95%
15.79 KB/s   43.07 KB/s   T 58.87 KB/s   G 64.71 KB/s     26.83%    32.69%
18.67 KB/s   45.95 KB/s   T 64.62 KB/s   G 64.71 KB/s     28.89%    32.53%
(10 rate)    (11 rate)    (10 + 11)      (average 10+11)  (10/11)   (average 10/11)

So the ratio is 32.53%. Ideally, this should be 64/256 = 25%
Not that bad.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Thu Oct 16 18:32:49 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 16 Oct 2003 19:32:49 +0200
Subject: [LARTC] Outgoing link slow down
In-Reply-To:
References:
Message-ID: <200310161932.49451.stef.coene@docum.org>

On Wednesday 15 October 2003 11:18, rAcHeL ^cY wrote:
> Dear all,
>
> I have run cbq on my network to control both incoming and outgoing traffic.
> I have my redhat with two network interface installed, eth0 (LAN interface)
> and eth1 (WAN interface). As for my current configuration is, outgoing
> traffic controlled on eth1 and incoming will be controll on eth0.
>
> But then my upload link started to slow down badly, which i have no idea
> why this happen, can anyone help on this?

Try to install a traffic monitor to find out what's using your link. Do you have the same problem if you delete the tc setup?

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From lpz@ornl.gov Thu Oct 16 18:57:45 2003
From: lpz@ornl.gov (Lawrence MacIntyre)
Date: Thu, 16 Oct 2003 13:57:45 -0400
Subject: [LARTC] Re: LARTC -- confirmation of subscription -- request 626047
In-Reply-To: <002201c3940b$8f5c2e40$35bd82ce@encode.com>
References: <20031016144545.3117.14961.Mailman@outpost.ds9a.nl> <000901c393f4$ccbd7ee0$35bd82ce@encode.com> <200310161911.36998.stef.coene@docum.org> <002201c3940b$8f5c2e40$35bd82ce@encode.com>
Message-ID: <1066327065.1600.246.camel@nautique>

Ken:

Insulting Stef is a loser, as far as techniques to get free support go. To understand the output that you gave us, you have to know which class is devoted to which streams. Stef isn't the wondershaper guy. Try asking whoever wrote it. If you want to know if it's "working", you have to ask yourself "what do I want it to do?". I'm guessing you want to be able to use some real-time app (game or gnomemeeting) or surf while a network backup runs or while someone transfers a large file. If you can do that, then it's working. If you can't, then it isn't. Try it with and without the shaper. See if you can tell the difference. The output you included implies that you really haven't done much in the way of competing flows (1 dropped packet, 1 overlimit) so it's impossible to say whether it works for you.

On Thu, 2003-10-16 at 13:33, Ken Scott wrote:
> ----- Original Message -----
> From: "Stef Coene"
> To: "Ken Scott" ;
> Sent: Thursday, October 16, 2003 1:11 PM
> Subject: Re: [LARTC] Re: LARTC -- confirmation of subscription -- request 626047
>
>
> > On Thursday 16 October 2003 16:50, Ken Scott wrote:
> > > Hello,
> > > i have just started using "The Wonder Shaper" for my cable connection,
> > > when i run ./wshaper status
> > > i get:
> > >
> > > qdisc ingress ffff:
> > > Sent 1842 bytes 31 pkts (dropped 0, overlimits 0)
> > >
> > > qdisc sfq 30: quantum 1514b perturb 10sec
> > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> > >
> > > qdisc sfq 20: quantum 1514b perturb 10sec
> > > Sent 133 bytes 2 pkts (dropped 0, overlimits 0)
> > >
> > > qdisc sfq 10: quantum 1514b perturb 10sec
> > > Sent 3592 bytes 28 pkts (dropped 0, overlimits 0)
> > >
> > > qdisc cbq 1: rate 10Mbit (bounded,isolated) prio no-transmit
> > > Sent 3725 bytes 30 pkts (dropped 0, overlimits 1)
> > > borrowed 0 overactions 0 avgidle 624 undertime 0
> > >
> > > class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit
> > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> > > borrowed 0 overactions 0 avgidle 624 undertime 0
> > > class cbq 1:10 parent 1:1 leaf 10: rate 250Kbit prio 1
> > > Sent 3780 bytes 30 pkts (dropped 0, overlimits 1)
> > > borrowed 0 overactions 1 avgidle 624 undertime 0
> > > class cbq 1:1 parent 1: rate 250Kbit (bounded,isolated) prio 5
> > > Sent 3913 bytes 32 pkts (dropped 0, overlimits 0)
> > > borrowed 0 overactions 0 avgidle 624 undertime 0
> > > class cbq 1:20 parent 1:1 leaf 20: rate 225Kbit prio 2
> > > Sent 133 bytes 2 pkts (dropped 0, overlimits 0)
> > > borrowed 0 overactions 0 avgidle 624 undertime 0
> > > class cbq 1:30 parent 1:1 leaf 30: rate 200Kbit prio 2
> > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> > > borrowed 0 overactions 0 avgidle 624 undertime 0
> > >
> > >
> > > is this good?
> > > or could some one please explain to me what some of this information means
> > > to me?
> > You ask us to explain everything :)
> > You can find all needed information on http://lartc.org and http://docum.org.
> >
> > Stef
>
> No, i didn't ask u to explain everything, i asked if some one could tell me
> what "some" of this information is,
> and weather or not it is working correctly according that the information
> that i have posted above.
>
> oh and the documentation on the lartc.org site sux.
> >
> > --
> > stef.coene@docum.org
> > "Using Linux as bandwidth manager"
> > http://www.docum.org/
> > #lartc @ irc.openprojects.net

--
Lawrence MacIntyre 865.574.8696 lpz@ornl.gov
Oak Ridge National Laboratory
High Performance Information Infrastructure Technology Group

From szymans@agh.edu.pl Thu Oct 16 19:20:08 2003
From: szymans@agh.edu.pl (Andrzej Szymanski)
Date: Thu, 16 Oct 2003 20:20:08 +0200
Subject: [LARTC] tc filter problem with 2.4.22
References: <3F8ECC51.8DFFD47F@agh.edu.pl> <200310161931.40046.stef.coene@docum.org> <3F8ED88B.637FA28@agh.edu.pl> <200310161948.35754.stef.coene@docum.org>
Message-ID:
<3F8EE158.3A0C04EC@agh.edu.pl>

Hmmm, I guess no. I'm compiling a new kernel, but this will take a while. I'll let you know afterwards.

Thanks,
Andrzej.

Stef Coene wrote:
>
> On Thursday 16 October 2003 19:42, Andrzej Szymanski wrote:
> > I've tried it - exactly the same problem.
> >
> > # ./tc filter add dev eth0 protocol ip parent 1:0 prio 10 u32 match ip
> > src 10.0.0.2 flowid 1:1002
> > RTNETLINK answers: Invalid argument
> Are you running a kernel with u32 filter support ?
>
> Stef

--
Andrzej Szymański, M.Sc.
tel. +48 12 6174035
fax. +48 12 6342372
e-mail: szymans@agh.edu.pl
AGH University of Science and Technology
Department of Telecommunications
Al. Mickiewicza 30
30-059 Kraków
POLAND

From stef.coene@docum.org Thu Oct 16 19:05:21 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 16 Oct 2003 20:05:21 +0200
Subject: [LARTC] Re: LARTC -- confirmation of subscription -- request 626047
In-Reply-To: <002201c3940b$8f5c2e40$35bd82ce@encode.com>
References: <20031016144545.3117.14961.Mailman@outpost.ds9a.nl> <200310161911.36998.stef.coene@docum.org> <002201c3940b$8f5c2e40$35bd82ce@encode.com>
Message-ID: <200310162005.21168.stef.coene@docum.org>

On Thursday 16 October 2003 19:33, Ken Scott wrote:
> No, i didn't ask u to explain everything, i asked if some one could tell me
> what "some" of this information is,
> and weather or not it is working correctly according that the information
> that i have posted above.
>
> oh and the documentation on the lartc.org site sux.

If lartc.org sux, check out docum.org. If that sux also and if you think you can do it better, go ahead. Good luck.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From mike@netmaster.com Thu Oct 16 21:29:01 2003
From: mike@netmaster.com (Mike Taekema)
Date: Thu, 16 Oct 2003 13:29:01 -0700
Subject: [LARTC] Split Access Problems
Message-ID: <006f01c39424$232ef7c0$cd7c7b0a@laptop>

Good day,

I've searched through the mailman lists and no one seems to have had my problem yet. Here goes:

I've written a script that goes through and creates the split access steps. However, I have changed some things.

I've declared all my variables at the top of the shell script.

I only have one physical external IP address. So I created a virtual address at eth0:0

My first problem is when I run the line: ip route add $P1_NET dev $IF1 src $IP1 table T1

I get the error: Error: argument "T1" is wrong: "table" value is invalid

For reference's sake, here is my script:

IF1=eth0
IF2=eth0:0
IP1=10.123.124.52
IP2=10.123.124.53
P1=10.123.124.253
P2=10.123.124.251
P1_NET=10.123.124.0/24
P2_NET=10.123.124.0/24

# Now let's add routes to two separate tables (T1, T2). This just tidies things up a bit.

ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2

# Now we set up our main routing table.

ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2

# Now we preference our default route

ip route add default via $P1

# Next, set up the routing rules. These choose what routing table to route with. Make sure you
# route out a given interface if you already have the corresponding address.

ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

exit 0

Intelligent Digital Security.
Mike Taekema
mike@netmaster.com
www.netmaster.com
From subscribeamit@yahoo.com Thu Oct 16 22:26:35 2003 From: subscribeamit@yahoo.com (Amit Gandhi) Date: Thu, 16 Oct 2003 14:26:35 -0700 (PDT) Subject: [LARTC] Forwarded traffic bypassing filter Message-ID: <20031016212635.40454.qmail@web14410.mail.yahoo.com> Please consider the following scenario & corresponding question.....
Machine1 Machine2 _________________ _________________ MachineX | | | | HTTP(1) | | | HTTP Server | ------>-------->| -----|------------------| | eth0| / |eth1 |eth0 | 10.20.253.242/8| / |10.20.255.238/8 |10.20.246.247/8| | HTTP(2) | | | |_______________| |_______________| 10.20.246.247 dev eth1 10.20.246.247 dev eth1 lladdr xx:xx:xx:xx:xx:xx proxy_arp =1 ip_forward=1 Here are my shaping rules (primary goal is to send the web traffic through a seperate queue) tc qdisc add dev eth1 root handle 1: htb default 20 tc class add dev eth1 parent 1: classid 1:1 htb rate 2mbit burst 15k tc class add dev eth1 parnet 1:1 classid 1:10 htb rate 1mbit ceil 2mbit burst 15k tc class add dev eth1 parnet 1:1 classid 1:20 htb rate 1mbit burst 15k tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10 tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10 tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip dport 0x50 0xffff flowid 1:10 Now, after all of this configuration I've observed that: a) All the web requests comming from "MachineX" go thru the default queue 20 b) Web traffic generated from "Machine1" does gets send thru queue 10 Why, is the forwarded traffic bypassing the filter? I inserted debug messages in the 'u32_classify' function inside the kernel, just to make sure that the filter is not failing, but the function never gets called for HTTP(1) traffic!!! Regards, +Amit email: subscribeamit@yahoo.com __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From gypsy@iswest.com Fri Oct 17 03:59:53 2003 From: gypsy@iswest.com (gypsy) Date: Thu, 16 Oct 2003 19:59:53 -0700 Subject: [LARTC] Split Access Problems References: <006f01c39424$232ef7c0$cd7c7b0a@laptop> Message-ID: <3F8F5B29.61E79B4B@iswest.com> > Mike Taekema wrote: > > Good day, Please do not post in html format. 
> My first problem is when I run the line: ip route add $P1_NET dev $IF1
> src $IP1 table T1

You have not edited /etc/iproute2/rt_tables. For reference, here's mine (minus the comments):

255 local
254 main
253 default
0 unspec
2 eth1
4 eth2
6 eth3
8 ppp0
9 mpath

and I specify these as "eth2", etc. Where your above is T1, I use $IFE1 and IFE1="eth1" appears in my definitions at the top of the script.

> I get the error: Error: argument "T1" is wrong: "table" value is
> invalid

Gypsy

From gdamjan@mail.net.mk Fri Oct 17 11:15:26 2003
From: gdamjan@mail.net.mk (Damjan)
Date: Fri, 17 Oct 2003 12:15:26 +0200
Subject: [LARTC] Linux bandwidth arbitrator
In-Reply-To: <200310132310.45421.stef.coene@docum.org>
References: <200310130623.AA319094864@q4networks.com> <200310132046.54213.stef.coene@docum.org> <5629629645.20031013220502@ire.pw.edu.pl> <200310132310.45421.stef.coene@docum.org>
Message-ID: <20031017101526.GE6261@legolas.on.net.mk>

> > >> Hi,
> > >> i will like to use the linux bandwidth arbitrator so i downloaded
> > >> "arbitrator6.2.tar.gz" from their site unto my redhat 9.0 system but i
> > >> dont know how to install it and run it.
> > >>
> > >> I will like to use it for traffic shapping and try it for on my network.
> >
> > SC> What's "linux bandwidth arbitrator" ???
> >
> > SC> Stef
> >
> > it's low level arbitration (shaping) done by BRIDGE
> > software not an iproute+tc+iptables based. (Isn't it out of scope here?)
> I never heard of it. This is list is for iproute2+tc problems/questions.

It's bizarre how the "linux bandwidth arbitrator" authors have never heard of HTB, LARTC people have not heard of "arbitrator". :)

arbitrator has some nice features, it actually tracks the bandwidth usage and can limit the big spenders - so it's more dynamic than pure "tc". The problem is it's completely different than "tc" and requires a number of strange kernel patches (that perhaps are not tested enough).

I wish I could see an integration of the solutions ...

btw, this list is about LARTC so the arbitrator still somehow belongs in this category, although it doesn't use "tc".

--
Damjan Georgievski
jabberID: damjan@bagra.net.mk

From raptor@tvskat.net Fri Oct 17 11:41:46 2003
From: raptor@tvskat.net (raptor)
Date: Fri, 17 Oct 2003 13:41:46 +0300
Subject: [LARTC] [htb] strange problems !?
Message-ID: <20031017134146.6c79a533.raptor@tvskat.net>

hi,

I have strange problems with HTB and several hundred classes flat structure i.e.

root
 |--50kbps
 |--30kbps
 |--50kbps
 |--80kbps
 |--100kbps
 .... several hundred classes like this

Ceil is the same as rate. The machine gets no more than 2-3% average cpu (2.4GHz pentium).

What happens is that from time to time the traffic got "stalled". I tried numerous things to solve the problem - cable-wiring, different cards - the problem still persists. My kernel is 2.4.20, as seen in the list I got the sch_htb.c from 2.4.22 kernel yesterday, it seems that it behaves better now but still has traffic starvation. I was on the devik page, but can't understand which patch is applied and which not..!? hope that 2.4.22 is the last.. can't make many experiments 'cause it is a working server. Nothing suspicious in the logs.

Does someone have a setup with hundreds of channels!

I spotted the problem 'cause a machine on the one side of the qos box does snmp queries (mrtg) to the router on the other side and I see big holes in the graphics which means that packets are dropped for some reason.. then i found that there is a problem..

your ideas very appreciated

tia

From jaroslav.brandis@softec.sk Fri Oct 17 12:21:17 2003
From: jaroslav.brandis@softec.sk (Brandis Jaroslav)
Date: Fri, 17 Oct 2003 13:21:17 +0200
Subject: [LARTC] Linux bandwidth arbitrator
Message-ID: <5E415169BC383A4EB17C22078E27D5B276FCAB@dcba01.softec.sk>

>
> It's bizarre how the "linux bandwidth arbitrator" authors have
> never heard of HTB, LARTC people have not heard of "arbitrator". :)
>
> arbitrator has some nice features, it actually tracks the
> bandwidth usage and can limit the big spenders - so it's more
> dynamic than pure "tc".

But it's a very useful function, isn't it?

> The problem is it's completely different than "tc" and
> requires a number of strange kernel patches (that perhaps are
> not tested enough).
>

From mstavrev@it-academy.bg Fri Oct 17 13:33:13 2003
From: mstavrev@it-academy.bg (Marin Stavrev)
Date: Fri, 17 Oct 2003 15:33:13 +0300 (EEST)
Subject: [LARTC] SQUID- cache Zero Penalty Hit patch - new revision available !
Message-ID: <10916.217.10.240.146.1066393993.squirrel@oldmail.it-academy.bg>

ALOHA to all readers !

I have released a new version of the Zero Penalty Hit patch for SQUID caching engine (ZPH). Now it is possible to mark HIT packets leaving the proxy with an IP option - this means the packets can later be classified on the SQUID engine machine itself (via a simple tc filter command), or on any other machine through which the packet happens to pass.

The official site of the ZPH patch is: http://www.it-academy.bg/zph/

A direct link to the new version documentation is available here: http://www.it-academy.bg/zph/latest_patch_doc.html

M. Stavrev

From subscribeamit@yahoo.com Fri Oct 17 14:25:30 2003
From: subscribeamit@yahoo.com (Amit Gandhi)
Date: Fri, 17 Oct 2003 06:25:30 -0700 (PDT)
Subject: [LARTC] Forwarded traffic bypassing filter
In-Reply-To: <1066394320.1609.284.camel@nautique>
Message-ID: <20031017132530.55195.qmail@web14402.mail.yahoo.com>

The netmask is /8 in my config, but it can be /24 (doesn't matter a whole lot). The traffic is not being bridged at Machine1, it's simple routing coz I've set up a route & ARP entry for Machine2 on Machine1 and IP Forwarding, Proxy ARP is enabled on Machine1.

Thanks

--- Lawrence MacIntyre wrote:
> Is the netmask actually /24 instead of /8 or are you bridging the
> traffic with Machine1?
>
> On Thu, 2003-10-16 at 17:26, Amit Gandhi wrote:
> > Please consider the following scenario & corresponding question.....
> >
> >
> >                     Machine1                           Machine2
> >                 _________________                  _________________
> >     MachineX    |               |                  |               |
> >     HTTP(1)     |               |                  |  HTTP Server  |
> > ------>-------->|          -----|------------------|               |
> >             eth0|         /     |eth1              |eth0           |
> >  10.20.253.242/8|        /      |10.20.255.238/8   |10.20.246.247/8|
> >                 |  HTTP(2)      |                  |               |
> >                 |_______________|                  |_______________|
> >
> > 10.20.246.247 dev eth1
> > 10.20.246.247 dev eth1 lladdr xx:xx:xx:xx:xx:xx
> > proxy_arp =1
> > ip_forward=1
> >
> > Here are my shaping rules (primary goal is to send the web traffic
> > through a separate queue)
> >
> > tc qdisc add dev eth1 root handle 1: htb default 20
> >
> > tc class add dev eth1 parent 1: classid 1:1 htb rate 2mbit burst 15k
> >
> > tc class add dev eth1 parent 1:1 classid 1:10 htb rate 1mbit ceil 2mbit burst 15k
> > tc class add dev eth1 parent 1:1 classid 1:20 htb rate 1mbit burst 15k
> >
> > tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
> > tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
> >
> > tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip dport 0x50 0xffff flowid 1:10
> >
> >
> > Now, after all of this configuration I've observed that:
> >
> > a) All the web requests coming from "MachineX" go thru the default
> > queue 20
> > b) Web traffic generated from "Machine1" does gets send thru queue 10
> >
> >
> > Why, is the forwarded traffic bypassing the filter?
> >
> > I inserted debug messages in the 'u32_classify' function
> > inside the kernel, just to make sure that the filter is not
> > failing, but the function never gets called for HTTP(1)
> > traffic!!!
> >
> >
> > Regards,
> > +Amit
> > email: subscribeamit@yahoo.com
> --
> Lawrence MacIntyre 865.574.8696 lpz@ornl.gov
> Oak Ridge National Laboratory
> High Performance Information Infrastructure Technology Group

From lpz@ornl.gov Fri Oct 17 14:31:55 2003
From: lpz@ornl.gov (Lawrence MacIntyre)
Date: Fri, 17 Oct 2003 09:31:55 -0400
Subject: [LARTC] Forwarded traffic bypassing filter
In-Reply-To: <20031017132530.55195.qmail@web14402.mail.yahoo.com>
References: <20031017132530.55195.qmail@web14402.mail.yahoo.com>
Message-ID: <1066397515.1584.290.camel@nautique>

I haven't looked at the code, but the path these packets take through the IP stack may be "unusual". You have configured your network in a very strange manner. Generally, for ethernet networks, you want all interfaces in the same subnet to be on the same broadcast network. You might have better luck if you make Machine1 a bridge or a normal IP router. Is there a reason why you have configured your network in this way?

On Fri, 2003-10-17 at 09:25, Amit Gandhi wrote:
> The netmask is /8 in my config, but it can be /24 (doesn't matter a
> whole lot). The traffic is not being bridged at Machine1, its simple
> routing coz I've setup a route & ARP entry for Machine2 on Machine1 and
> IP Forwarding, Proxy ARP is enabled on Machine1.
>
> Thanks
>
> --- Lawrence MacIntyre wrote:
> > Is the netmask actually /24 instead of /8 or are you bridging the
> > traffic with Machine1?
> >
> > On Thu, 2003-10-16 at 17:26, Amit Gandhi wrote:
> > > Please consider the following scenario & corresponding question.....
> > >
> > >
> > >                     Machine1                           Machine2
> > >                 _________________                  _________________
> > >     MachineX    |               |                  |               |
> > >     HTTP(1)     |               |                  |  HTTP Server  |
> > > ------>-------->|          -----|------------------|               |
> > >             eth0|         /     |eth1              |eth0           |
> > >  10.20.253.242/8|        /      |10.20.255.238/8   |10.20.246.247/8|
> > >                 |  HTTP(2)      |                  |               |
> > >                 |_______________|                  |_______________|
> > >
> > > 10.20.246.247 dev eth1
> > > 10.20.246.247 dev eth1 lladdr xx:xx:xx:xx:xx:xx
> > > proxy_arp =1
> > > ip_forward=1
> > >
> > > Here are my shaping rules (primary goal is to send the web traffic
> > > through a separate queue)
> > >
> > > tc qdisc add dev eth1 root handle 1: htb default 20
> > >
> > > tc class add dev eth1 parent 1: classid 1:1 htb rate 2mbit burst 15k
> > >
> > > tc class add dev eth1 parent 1:1 classid 1:10 htb rate 1mbit ceil 2mbit burst 15k
> > > tc class add dev eth1 parent 1:1 classid 1:20 htb rate 1mbit burst 15k
> > >
> > > tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
> > > tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
> > >
> > > tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip dport 0x50 0xffff flowid 1:10
> > >
> > >
> > > Now, after all of this configuration I've observed that:
> > >
> > > a) All the web requests coming from "MachineX" go thru the default
> > > queue 20
> > > b) Web traffic generated from "Machine1" does gets send thru queue 10
> > >
> > >
> > > Why, is the forwarded traffic bypassing the filter?
> > >
> > > I inserted debug messages in the 'u32_classify' function
> > > inside the kernel, just to make sure that the filter is not
> > > failing, but the function never gets called for HTTP(1)
> > > traffic!!!
> > >
> > >
> > > Regards,
> > > +Amit
> > > email: subscribeamit@yahoo.com
> > --
> > Lawrence MacIntyre 865.574.8696 lpz@ornl.gov
> > Oak Ridge National Laboratory
> > High Performance Information Infrastructure Technology Group

--
Lawrence MacIntyre 865.574.8696 lpz@ornl.gov
Oak Ridge National Laboratory
High Performance Information Infrastructure Technology Group

From subscribeamit@yahoo.com Fri Oct 17 15:59:51 2003
From: subscribeamit@yahoo.com (Amit Gandhi)
Date: Fri, 17 Oct 2003 07:59:51 -0700 (PDT)
Subject: [LARTC] Forwarded traffic bypassing filter
In-Reply-To: <1066397515.1584.290.camel@nautique>
Message-ID: <20031017145951.55543.qmail@web14405.mail.yahoo.com>

I think there are ways to apply filters to PreRouting/Forward/PostRouting stages, I might need to MARK these packets using 'iptables' & then maybe use the FW filter, but what I want to understand is if u32 filter can do the same job without marking the packets?
The reason for such a configuration is to make it look like one flat network & all these address are managed by one single central DHCP server. There are reasons for not using it as a bridge, but that drifts us away from the problem at hand. Suffice to say, all this works, machineX can get to machine2 & machine2 can get to any of the machineX.

Thanks,
+Amit

--- Lawrence MacIntyre wrote:
>
>
> I haven't looked at the code, but the path these packets take through
> the IP stack may be "unusual". You have configured your network in a
> very strange manner. Generally, for ethernet networks, you want all
> interfaces in the same subnet to be on the same broadcast network. You
> might have better luck if you make Machine1 a bridge or a normal IP
> router. Is there a reason why you have configured your network in this
> way?
>
> On Fri, 2003-10-17 at 09:25, Amit Gandhi wrote:
> > The netmask is /8 in my config, but it can be /24 (doesn't matter a
> > whole lot). The traffic is not being bridged at Machine1, its simple
> > routing coz I've setup a route & ARP entry for Machine2 on Machine1 and
> > IP Forwarding, Proxy ARP is enabled on Machine1.
> >
> > Thanks
> >
> > --- Lawrence MacIntyre wrote:
> > > Is the netmask actually /24 instead of /8 or are you bridging the
> > > traffic with Machine1?
> > >

From gdamjan@mail.net.mk Fri Oct 17 16:40:01 2003
From: gdamjan@mail.net.mk (Damjan)
Date: Fri, 17 Oct 2003 17:40:01 +0200
Subject: [LARTC] tc filter problem with 2.4.22
In-Reply-To: <3F8EE158.3A0C04EC@agh.edu.pl>
References: <3F8ECC51.8DFFD47F@agh.edu.pl> <200310161931.40046.stef.coene@docum.org> <3F8ED88B.637FA28@agh.edu.pl> <200310161948.35754.stef.coene@docum.org> <3F8EE158.3A0C04EC@agh.edu.pl>
Message-ID: <20031017154001.GG6261@legolas.on.net.mk>

> Hmmm, I guess no. I'm compiling a new kernel, but this will take a
> while.
> I'll let you know afterwards.

Slackware-9.1's kernel by default doesn't have support for anything TC, you'll have to compile your own kernel.

--
Damjan Georgievski
jabberID: damjan@bagra.net.mk

From dante@tvnet.hu Fri Oct 17 16:22:08 2003
From: dante@tvnet.hu (Debreczeni Peter)
Date: Fri, 17 Oct 2003 17:22:08 +0200
Subject: [LARTC] lartc on dual CPU Opteron 64 bit machine?
In-Reply-To: <20031014114742.Z61985@mail.dmz.cyberlab.de>
References: <20031014114742.Z61985@mail.dmz.cyberlab.de>
Message-ID: <3F900920.8050507@tvnet.hu>

1. try redhat taroon or gingin , taroon beta2 looks stable
2. maybe with a compiler in a 64bit OS, but no experience yet, because i waiting for a memory to my new dual opteron server :)
3. yes, but i think 1 opteron is enough for a real large traffic

bye
Dante

Astrid Jekat wrote:
> Greetings, lartc experts! ;-)
>
> I am presently researching if it is possible to *efficiently* use a machine
> with 2 AMD Opteron CPUs for traffic shaping with lartc.
>
> 1) OS:
> ATM it looks as if I can only use SUSE Linux 8 Enterprise Server for
> AMD 64bit platforms.
> Debian, OpenBSD and NetBSD are working on ports, but are not done yet or
> still experimental.
> Suse at least is stable (but costs real money! *sigh* so much for open source)
> and has a 64bit compiler.
>
> 2) Is lartc 64bit capable?
> I.e., can I compile lartc only to run as a 32 bit application or 64bit, too?
> Any experience here?
>
> 3) Is lartc capable of making use of 2 CPUs?
> This is probably a question (kernel?) threading.
> I managed to find a reference in the ML archives that it might be
> possible to "assign" one CPU to one ethernet interface, but I don't
> think this is quite what I need.
> I'd like to know if the process can actually use both CPUs.
>
> In a nutshell:
> I need to find out if lartc can make use of the nice resources on
> this dual Opteron 64bit machine.
> If yes, this would save the machine from the terrible fate of becoming a
> Windoze file server!
>
> So please advise ;-)
>
> Cheers,
>

From lpz@ornl.gov Fri Oct 17 13:38:41 2003
From: lpz@ornl.gov (Lawrence MacIntyre)
Date: Fri, 17 Oct 2003 08:38:41 -0400
Subject: [LARTC] Forwarded traffic bypassing filter
In-Reply-To: <20031016212635.40454.qmail@web14410.mail.yahoo.com>
References: <20031016212635.40454.qmail@web14410.mail.yahoo.com>
Message-ID: <1066394320.1609.284.camel@nautique>

Is the netmask actually /24 instead of /8 or are you bridging the traffic with Machine1?

On Thu, 2003-10-16 at 17:26, Amit Gandhi wrote:
> Please consider the following scenario & corresponding question.....
>
>
>                     Machine1                           Machine2
>                 _________________                  _________________
>     MachineX    |               |                  |               |
>     HTTP(1)     |               |                  |  HTTP Server  |
> ------>-------->|          -----|------------------|               |
>             eth0|         /     |eth1              |eth0           |
>  10.20.253.242/8|        /      |10.20.255.238/8   |10.20.246.247/8|
>                 |  HTTP(2)      |                  |               |
>                 |_______________|                  |_______________|
>
> 10.20.246.247 dev eth1
> 10.20.246.247 dev eth1 lladdr xx:xx:xx:xx:xx:xx
> proxy_arp =1
> ip_forward=1
>
> Here are my shaping rules (primary goal is to send the web traffic
> through a separate queue)
>
> tc qdisc add dev eth1 root handle 1: htb default 20
>
> tc class add dev eth1 parent 1: classid 1:1 htb rate 2mbit burst 15k
>
> tc class add dev eth1 parent 1:1 classid 1:10 htb rate 1mbit ceil 2mbit burst 15k
> tc class add dev eth1 parent 1:1 classid 1:20 htb rate 1mbit burst 15k
>
> tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
>
> tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip dport 0x50 0xffff flowid 1:10
>
>
> Now, after all of this configuration I've observed that:
>
> a) All the web requests coming from "MachineX" go thru the default
> queue 20
> b) Web traffic generated from "Machine1" does gets send thru queue 10
>
>
> Why, is the forwarded traffic bypassing the filter?
>
> I inserted debug messages in the 'u32_classify' function
> inside the kernel, just to make sure that the filter is not
> failing, but the function never gets called for HTTP(1)
> traffic!!!
>
>
> Regards,
> +Amit
> email: subscribeamit@yahoo.com

--
Lawrence MacIntyre 865.574.8696 lpz@ornl.gov
Oak Ridge National Laboratory
High Performance Information Infrastructure Technology Group

From yi@ece.utexas.edu Fri Oct 17 18:19:32 2003
From: yi@ece.utexas.edu (Yung Yi)
Date: Fri, 17 Oct 2003 12:19:32 -0500
Subject: [LARTC] Getting dynamics or behavior of queue
Message-ID: <003401c394d2$d48d7830$b6c45380@engr.utexas.edu>

Dear all,

In using the specific queue (for example, simply bfifo or red), is there any method to get the dynamics or behavior of queue? Specifically, I'm interested in the occupied queue size of the corresponding queue.

I expect that may be tc command can do that or there is some system call (maybe using netlink socket) for it.

Please post it if you know how to do it.

Thanks.
Regards,
-Yung

From subscribeamit@yahoo.com Fri Oct 17 22:17:38 2003
From: subscribeamit@yahoo.com (Amit Gandhi)
Date: Fri, 17 Oct 2003 14:17:38 -0700 (PDT)
Subject: [LARTC] Forwarded traffic bypassing filter
In-Reply-To: <1066397515.1584.290.camel@nautique>
Message-ID: <20031017211738.29878.qmail@web14409.mail.yahoo.com>

I found out the culprit piece of code in the u32 filter classifier. Some foundation first. I am using 2.4.18 kernel on MPC855T the powerpc version.

Now the following code snippet from 'cls_u32.c'

static int u32_classify(struct sk_buff *skb, struct tcf_proto *tp, struct tcf_result *res)
{
	struct {
		struct tc_u_knode *knode;
		u8 *ptr;
	} stack[TC_U32_MAXDEPTH];

	struct tc_u_hnode *ht = (struct tc_u_hnode*)tp->root;
	u8 *ptr = skb->nh.raw;
	struct tc_u_knode *n;
	int sdepth = 0;
	int off2 = 0;
	int sel = 0;
	int i;

/********* CULPRIT CODE *******/
#if !defined(__i386__) && !defined(__mc68000__)
	if ( (unsigned long)ptr & 3 )
		return -1;
#endif
/********* CULPRIT CODE *******/
	......
	.........

The above code checks for word alignment of a packet on PowerPC platforms and it somehow fails for forwarded packets then packets generated by the local host.

Now, I checked newer versions of kernel & it seems that this piece of code has been removed from them. So, this issue is closed.

Thanks,
+Amit

From nuclearcat@nuclearcat.com Fri Oct 17 23:56:51 2003
From: nuclearcat@nuclearcat.com (nuclearcat@nuclearcat.com)
Date: Sat, 18 Oct 2003 01:56:51 +0300
Subject: [LARTC] [htb] strange problems !?
In-Reply-To: <20031017134146.6c79a533.raptor@tvskat.net>
References: <20031017134146.6c79a533.raptor@tvskat.net>
Message-ID: <639603283.20031018015651@ams-sat.com>

Hello raptor,

Friday, October 17, 2003, 1:41:46 PM, you wrote:

I have before similar problem, for me it is looks problem - when traffic coming to default class (possible with small rate).

I am doing simple solution, last with last-in-check (highest number) priority - filter with police drop. Try this, if this help on your case, maybe we need make bugreport about this.

r> hi,

r> I have strange problems with HTB and several hundred classes flat structure i.e.

r> root
r> |--50kbps
r> |--30kbps
r> |--50kbps
r> |--80kbps
r> |--100kbps
r> .... several hundred classes like this

r> Ceil is the same as rate. The machine get no more than 2-3% average cpu(2.4Ghz pentium).
r> What happens is that from time to time the traffic got "stalled".
r> I tried numerous things to solve the problem - cable-wiring, different cards the problem still persist.
r> My kernel is 2.4.20, as seen in the list I got the sch_htb.c from 2.4.22
r> kernel yesterday it seems that it behave better now but still have traffic starvation.
r> I was on the devik page, but cant understand which patch is applied and
r> which not..!?hope that 2.4.22 is the last..cant make many experiments
r> cause it is working server.
r> Nothing suspicious in the logs.

r> Does someone have a setup with hundred of channels !
r> I spotted the problem 'cause a machine on the one side of the qos box does a snmp queries (mrtg) to the router on the other side and I see big
r> holes into the graphics which mean that packets are dropped for some reason.. then i found that there is a problem..

r> your ideas very appreciated
r> tia

--
Best regards,
Denis mailto:admin@ams-sat.com

From pcaritj@riovia.net Sat Oct 18 18:09:16 2003
From: pcaritj@riovia.net (Paul Caritj)
Date: Sat, 18 Oct 2003 13:09:16 -0400
Subject: [LARTC] add filter -> invalid argument
Message-ID: <3F9173BC.2070807@riovia.net>

Hello,

Perhaps I am missing something; I am trying to implement a hashing filter nearly identical to that outlined in the iproute2 docs at http://www.opens.com.br/documentacao/IPRoute2/lartc.adv-filter.hashing.html

However, I dont get very far because I get "invalid argument" whenever I issue any filtering commands, eg:

[root@localhost root]# tc filter add dev eth1 parent 1:0 prio 5 protocol ip u32
RTNETLINK answers: Invalid argument

This is obviously bothersome :)

I am using RedHat linux 9.0 with (stock) kernel ver 2.4.20.

Any help would be appreciated as always!

Thanks,
Paul

From raptor@tvskat.net Sat Oct 18 22:23:16 2003
From: raptor@tvskat.net (raptor)
Date: Sun, 19 Oct 2003 00:23:16 +0300
Subject: [LARTC] [htb] strange problems !?
In-Reply-To: <639603283.20031018015651@ams-sat.com>
References: <20031017134146.6c79a533.raptor@tvskat.net> <639603283.20031018015651@ams-sat.com>
Message-ID: <20031019002316.5b3badc4.raptor@tvskat.net>

U mean to place a class at the end with police to drop packets with highest priority ? Is that the way ?!
I have such class but it is not with highest priority...

Now I'm certain this is a problem with HTB...
I have dumped the snmp traffic and what is seen is that as u know mrtg via crontab makes queries every five minutes... there is 6 queries ... the graphics show problems in the first three graphics and no problems at second third..
what happens is the following :

time 0 sec
snmp query for interface 1, (nothing is returned)
snmp query for interface 1, (nothing is returned)
snmp query for interface 1, (nothing is returned)
snmp query for interface 1, (nothing is returned)
snmp query for interface 1, (nothing is returned)
timeout
snmp query for interface 2, (nothing is returned)
.... five times...
timeout
snmp query for interface 3, (nothing is returned)
.... five times...
timeout
snmp query for interface 4, (response received)
snmp query for interface 5, (response received)
snmp query for interface 6, (response received)
approx time passed 27sec

i have shaping only on downstream..
So this is ~30sec downstream traffic starvation at least 5-10 times per hour... it is a real problem !!

PLS HELP ME...

|
|Friday, October 17, 2003, 1:41:46 PM, you wrote:
|
|I have before similar problem, for me it is looks problem - when
|traffic coming to default class (possible with small rate).
|
|I am doing simple solution, last with last-in-check (highest number)
|priority - filter with police drop. Try this, if this help on your
|case, maybe we need make bugreport about this.
|
|
|r> hi,
|
|r> I have strange problems with HTB and several hundred classes flat structure i.e.
|
|r> root
|r> |--50kbps
|r> |--30kbps
|r> |--50kbps
|r> |--80kbps
|r> |--100kbps
|r> .... several hundred classes like this
|
|r> Ceil is the same as rate. The machine get no more than 2-3% average cpu(2.4Ghz pentium).
|r> What happens is that from time to time the traffic got "stalled".
|r> I tried numerous things to solve the problem - cable-wiring, different cards the problem still persist.
|r> My kernel is 2.4.20, as seen in the list I got the sch_htb.c from 2.4.22
|r> kernel yesterday it seems that it behave better now but still have traffic starvation.
|r> I was on the devik page, but cant understand which patch is applied and
|r> which not..!?hope that 2.4.22 is the last..cant make many experiments
|r> cause it is working server.
|r> Nothing suspicious in the logs.
|
|r> Does someone have a setup with hundred of channels !
|r> I spotted the problem 'cause a machine on the one side of the qos box does a snmp queries (mrtg) to the router on the other side and I see big
|r> holes into the graphics which mean that packets are dropped for some reason.. then i found that there is a problem..
|
|r> your ideas very appreciated
|r> tia

From raptor@tvskat.net Sat Oct 18 23:22:58 2003
From: raptor@tvskat.net (raptor)
Date: Sun, 19 Oct 2003 01:22:58 +0300
Subject: [LARTC] [htb] strange problems !?
In-Reply-To: <20031019002316.5b3badc4.raptor@tvskat.net>
References: <20031017134146.6c79a533.raptor@tvskat.net> <639603283.20031018015651@ams-sat.com> <20031019002316.5b3badc4.raptor@tvskat.net>
Message-ID: <20031019012258.4c84146b.raptor@tvskat.net>

On Sun, 19 Oct 2003 00:23:16 +0300
raptor wrote:

|U mean to place a class at the end with police to drop packets with highest priority ? Is that the way ?!
|I have such class but it is not with highest priority...
|

oopsi I mean to do this :

root
|--50kbps
|--30kbps
|--50kbps
|--80kbps
|--100kbps
.... several hundred classes like this
|--- class(rate 10kbps, prio 7, default) --> drop

Is that what u mean ?!

tia

From raptor@tvskat.net Sun Oct 19 00:53:19 2003
From: raptor@tvskat.net (raptor)
Date: Sun, 19 Oct 2003 02:53:19 +0300
Subject: [LARTC] MORE ON : [htb] strange problems !?
Message-ID: <20031019025319.06320796.raptor@tvskat.net>

hello again,

I got some just preliminary results .... hope someone can explain them to me...
As I already told I have the following config :

egress {
  class (30kbps) {sfq};
  class (50kbps) {sfq};
  class (80kbps) {sfq};
  class (30kbps) {sfq};
  class (50kbps) {sfq};
  ...hundreds like this...
  class (10kbps,default) {sfq};
}

What I got is traffic starvation very often for a period of ~30 sec.. as proposed I've done :

egress {
  ...hundreds classes...
  class (10kbps, prio 7, default) {sfq};
}

It seemed a little bit better the starvation seemed to be just ~10sec but this time happen much often...
then I made a final touch :

egress {
  ...hundreds classes...
  class (55kbps, prio 7, default);
}

No "sfq" this time and it seemed much much better now...
I have done my tests mostly with :

hping2 host-behind-qos --fast --icmp
fping host1 host2 -l

I made second and third test for very short periods of time so this is not a final "say" of the success...

------------ ?! SO COULD U EXPLAIN ME WHY THIS HAPPEN ?! --------------------------

And most importantly is there a better solution, I don't know what will happen if I want more complex solution but not this flat structure...
Or at least give me some directions how to go further and eradicate this "STARVATION" problem..

Can I lower "class (55kbps, prio 7, default);" to "class (10kbps, prio 7, default);" ....
Giving more bandwidth to DEFAULT class is not solution but a ANTI-SOLUTION, my idea is not to give all my bandwidth to spammers and viruses :")

Expecting explanation :"))

tia

From nuclearcat@nuclearcat.com Sat Oct 18 23:05:15 2003
From: nuclearcat@nuclearcat.com (nuclearcat@nuclearcat.com)
Date: Sun, 19 Oct 2003 01:05:15 +0300
Subject: [LARTC] MORE ON : [htb] strange problems !?
In-Reply-To: <20031019025319.06320796.raptor@tvskat.net>
References: <20031019025319.06320796.raptor@tvskat.net>
Message-ID: <123064230.20031019010515@ams-sat.com>

Hello raptor,

Sunday, October 19, 2003, 2:53:19 AM, you wrote:

At me latest class:

tc filter add dev eth1 parent 1:0 protocol ip prio 200 u32 match ip dst 0.0.0.0/0 police rate 1kbit burst 1k drop flowid 1:0

r> hello again,

r> I got some just preliminary results .... hope someone can explain them to me...
r> As I already told I have the following config :

r> egress {
r>   class (30kbps) {sfq};
r>   class (50kbps) {sfq};
r>   class (80kbps) {sfq};
r>   class (30kbps) {sfq};
r>   class (50kbps) {sfq};
r>   ...hundreds like this...
r>   class (10kbps,default) {sfq};
r> }

r> What I got is traffic starvation very often for a period of ~30 sec.. as proposed I've done :

r> egress {
r>   ...hundreds classes...
r>   class (10kbps, prio 7, default) {sfq};
r> }

r> It seemed a little bit better the starvation seemed to be just ~10sec but this time happen much often...
r> then I made a final touch :

r> egress {
r>   ...hundreds classes...
r>   class (55kbps, prio 7, default);
r> }

r> No "sfq" this time and it seemed much much better now...
r> I have done my tests mostly with :

r> hping2 host-behind-qos --fast --icmp
r> fping host1 host2 -l

r> I made second and third test for very short periods of time so this is not a final "say" of the success...

r> ------------ ?! SO COULD U EXPLAIN ME WHY THIS HAPPEN ?! --------------------------

r> And most importantly is there a better solution, I don't know what will happen if I want more complex solution but not this flat structure...
r> Or at least give me some directions how to go further and eradicate this "STARVATION" problem..

r> Can I lower "class (55kbps, prio 7, default);" to "class (10kbps, prio 7, default);" ....
r> Giving more bandwidth to DEFAULT class is not solution but a ANTI-SOLUTION, my idea is not to give all my bandwidth to spammers and viruses :")

r> Expecting explanation :"))

r> tia

--
Best regards,
nuclearcat mailto:nuclearcat@nuclearcat.com

From Dragoş C."

Hello lartc users,

I mark packets (by MAC and IP), works on my lan except for 1 single host.
This host is able to fuck-up the entire network because not a single bit of
his traffic is shaped. This way when he is downloading there is no more
internet in the entire LAN.


Here is what I get:

~ # iptables -L -n -v
Chain INPUT (policy DROP 129 packets, 18244 bytes)
pkts bytes target prot opt in out source destination
121K 89M ipac~o all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
2106 103K tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 10/sec burst 5
121K 89M CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
117K 88M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
215 7951 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
21 1260 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
671 40197 ACCEPT all -- eth0 * 192.168.1.1 0.0.0.0/0 MAC 00:02:44:67:30:30
54 4471 ACCEPT all -- eth0 * 192.168.1.2 0.0.0.0/0 MAC 00:02:44:67:30:5E
1417 87806 ACCEPT all -- eth0 * 192.168.1.3 0.0.0.0/0 MAC 00:02:44:59:71:40
734 56195 ACCEPT all -- eth0 * 192.168.1.4 0.0.0.0/0 MAC 00:D0:09:D5:6B:12
394 28308 ACCEPT all -- eth0 * 192.168.1.5 0.0.0.0/0 MAC 00:50:FC:9D:7A:5B
0 0 ACCEPT all -- eth0 * 192.168.1.6 0.0.0.0/0 MAC 00:80:5F:8F:C2:48
109 11947 ACCEPT all -- eth0 * 192.168.1.7 0.0.0.0/0 MAC 00:06:4F:05:FB:16
0 0 ACCEPT all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0
129 18244 RED all -- * * 0.0.0.0/0 0.0.0.0/0
129 18244 XTACCESS all -- * * 0.0.0.0/0 0.0.0.0/0
113 16529 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `INPUT '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
198K 62M ipac~fi all -- * * 0.0.0.0/0 0.0.0.0/0
198K 62M ipac~fo all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
198K 62M CUSTOMFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
190K 61M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 * 192.168.1.1 0.0.0.0/0 MAC 00:02:44:67:30:30
1 48 ACCEPT all -- eth0 * 192.168.1.2 0.0.0.0/0 MAC 00:02:44:67:30:5E
429 54514 ACCEPT all -- eth0 * 192.168.1.3 0.0.0.0/0 MAC 00:02:44:59:71:40
6831 832K ACCEPT all -- eth0 * 192.168.1.4 0.0.0.0/0 MAC 00:D0:09:D5:6B:12
478 28669 ACCEPT all -- eth0 * 192.168.1.5 0.0.0.0/0 MAC 00:50:FC:9D:7A:5B
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.5 tcp dpt:19995
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.5 tcp dpt:19995
0 0 ACCEPT all -- eth0 * 192.168.1.6 0.0.0.0/0 MAC 00:80:5F:8F:C2:48
72 5774 ACCEPT all -- eth0 * 192.168.1.7 0.0.0.0/0 MAC 00:06:4F:05:FB:16
0 0 ACCEPT all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0
0 0 PORTFWACCESS all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DMZHOLES all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT '

Chain OUTPUT (policy ACCEPT 141K packets, 85M bytes)
pkts bytes target prot opt in out source destination
141K 85M ipac~i all -- * * 0.0.0.0/0 0.0.0.0/0

Chain CUSTOMFORWARD (1 references)
pkts bytes target prot opt in out source destination

The bad host is 192.168.1.1. As you can see his packets are marked, but then the shaping is not done at all.

~ # tc -d -s class show dev eth1
class htb 10:10 root rate 125Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 7
Sent 45405999 bytes 110084 pkts (dropped 0, overlimits 0)
rate 90bps 1pps
lended: 35284 borrowed: 0 giants: 0
tokens: 2086912 ctokens: 79872

class htb 10:1 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 14563554 ctokens: 90112

class htb 10:2 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 14563554 ctokens: 90112

class htb 10:3 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 446562 bytes 6804 pkts (dropped 0, overlimits 0)
rate 5bps
lended: 6804 borrowed: 0 giants: 0
tokens: 14344532 ctokens: 58573

class htb 10:4 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 44734592 bytes 102026 pkts (dropped 0, overlimits 0)
rate 37bps
lended: 66742 borrowed: 35284 giants: 0
tokens: 14518044 ctokens: 83560

class htb 10:5 parent 10:10 prio 2 quantum 1500 rate 20Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 216317 bytes 1153 pkts (dropped 0, overlimits 0)
rate 60bps
lended: 1153 borrowed: 0 giants: 0
tokens: 12304384 ctokens: 79872

class htb 10:6 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 14563554 ctokens: 90112

class htb 10:7 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 8528 bytes 101 pkts (dropped 0, overlimits 0)
lended: 101 borrowed: 0 giants: 0
tokens: 14546488 ctokens: 87655

And this is the version I use
kernel HTB init, kernel part version 3.10

From marko@buuri.name Sun Oct 19 15:46:41 2003
From: marko@buuri.name (Marko Buuri)
Date: Sun, 19 Oct 2003 17:46:41 +0300
Subject: [LARTC] Missing parameter descriptions
Message-ID: <1066574801.3f92a3d196588@www2.helsinki.fi>

I've been looking for descriptions of qdisc parameter "estimator" and u32 parameter "police" (defined by POLICE_SPEC), but in vain. I hope someone on this list can explain these.

Thank you!

Marko Buuri
marko at buuri dot name

From Dragoş C."

Sorry for the non-mime-encoded 8bit iso-8859-1 characters in the from header.
I resend this as an answer to the problem Harald Welte told me about.
I hope it's ok and goes to the maillist now.

Hello lartc users,

I mark packets (by MAC and IP), works on my lan except for 1 single host.
This host is able to fuck-up the entire network because not a single bit of
his traffic is shaped. This way when he is downloading there is no more
internet in the entire LAN.


Here is what I get:

~ # iptables -L -n -v
Chain INPUT (policy DROP 129 packets, 18244 bytes)
pkts bytes target prot opt in out source destination
121K 89M ipac~o all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
2106 103K tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 10/sec burst 5
121K 89M CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
117K 88M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
215 7951 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
21 1260 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
671 40197 ACCEPT all -- eth0 * 192.168.1.1 0.0.0.0/0 MAC 00:02:44:67:30:30
54 4471 ACCEPT all -- eth0 * 192.168.1.2 0.0.0.0/0 MAC 00:02:44:67:30:5E
1417 87806 ACCEPT all -- eth0 * 192.168.1.3 0.0.0.0/0 MAC 00:02:44:59:71:40
734 56195 ACCEPT all -- eth0 * 192.168.1.4 0.0.0.0/0 MAC 00:D0:09:D5:6B:12
394 28308 ACCEPT all -- eth0 * 192.168.1.5 0.0.0.0/0 MAC 00:50:FC:9D:7A:5B
0 0 ACCEPT all -- eth0 * 192.168.1.6 0.0.0.0/0 MAC 00:80:5F:8F:C2:48
109 11947 ACCEPT all -- eth0 * 192.168.1.7 0.0.0.0/0 MAC 00:06:4F:05:FB:16
0 0 ACCEPT all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0
129 18244 RED all -- * * 0.0.0.0/0 0.0.0.0/0
129 18244 XTACCESS all -- * * 0.0.0.0/0 0.0.0.0/0
113 16529 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `INPUT '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
198K 62M ipac~fi all -- * * 0.0.0.0/0 0.0.0.0/0
198K 62M ipac~fo all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
198K 62M CUSTOMFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
190K 61M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 * 192.168.1.1 0.0.0.0/0 MAC 00:02:44:67:30:30
1 48 ACCEPT all -- eth0 * 192.168.1.2 0.0.0.0/0 MAC 00:02:44:67:30:5E
429 54514 ACCEPT all -- eth0 * 192.168.1.3 0.0.0.0/0 MAC 00:02:44:59:71:40
6831 832K ACCEPT all -- eth0 * 192.168.1.4 0.0.0.0/0 MAC 00:D0:09:D5:6B:12
478 28669 ACCEPT all -- eth0 * 192.168.1.5 0.0.0.0/0 MAC 00:50:FC:9D:7A:5B
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.5 tcp dpt:19995
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.5 tcp dpt:19995
0 0 ACCEPT all -- eth0 * 192.168.1.6 0.0.0.0/0 MAC 00:80:5F:8F:C2:48
72 5774 ACCEPT all -- eth0 * 192.168.1.7 0.0.0.0/0 MAC 00:06:4F:05:FB:16
0 0 ACCEPT all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0
0 0 PORTFWACCESS all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DMZHOLES all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT '

Chain OUTPUT (policy ACCEPT 141K packets, 85M bytes)
pkts bytes target prot opt in out source destination
141K 85M ipac~i all -- * * 0.0.0.0/0 0.0.0.0/0

Chain CUSTOMFORWARD (1 references)
pkts bytes target prot opt in out source destination

The bad host is 192.168.1.1. As you can see his packets are marked, but then the shaping is not done at all.

~ # tc -d -s class show dev eth1
class htb 10:10 root rate 125Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 7
Sent 45405999 bytes 110084 pkts (dropped 0, overlimits 0)
rate 90bps 1pps
lended: 35284 borrowed: 0 giants: 0
tokens: 2086912 ctokens: 79872

class htb 10:1 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 14563554 ctokens: 90112

class htb 10:2 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 14563554 ctokens: 90112

class htb 10:3 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 446562 bytes 6804 pkts (dropped 0, overlimits 0)
rate 5bps
lended: 6804 borrowed: 0 giants: 0
tokens: 14344532 ctokens: 58573

class htb 10:4 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 44734592 bytes 102026 pkts (dropped 0, overlimits 0)
rate 37bps
lended: 66742 borrowed: 35284 giants: 0
tokens: 14518044 ctokens: 83560

class htb 10:5 parent 10:10 prio 2 quantum 1500 rate 20Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 216317 bytes 1153 pkts (dropped 0, overlimits 0)
rate 60bps
lended: 1153 borrowed: 0 giants: 0
tokens: 12304384 ctokens: 79872

class htb 10:6 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 14563554 ctokens: 90112

class htb 10:7 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 8528 bytes 101 pkts (dropped 0, overlimits 0)
lended: 101 borrowed: 0 giants: 0
tokens: 14546488 ctokens: 87655

And this is the version I use
kernel HTB init, kernel part version 3.10

From raptor@tvskat.net Sun Oct 19 23:40:41 2003
From: raptor@tvskat.net (raptor)
Date: Mon, 20 Oct 2003 01:40:41 +0300
Subject: [LARTC] [htb] how do u calculate the Burst ?
Message-ID: <20031020014041.007fb0ed.raptor@tvskat.net>

how do u decide how big BURST to use for a class ?!

tia

From marko@buuri.name Sun Oct 19 15:25:31 2003
From: marko@buuri.name (Marko Buuri)
Date: Sun, 19 Oct 2003 17:25:31 +0300
Subject: [LARTC] Missing parameter definitions
Message-ID: <1066573531.3f929edb91406@www2.helsinki.fi>

I've been trying to find explanations to qdisc parameter "estimator" (INTERVAL
TIME_CONSTANT) and u32 parameter "police" (defined by POLICE_SPEC), but in
vain. I hope that someone on this list could explain these.

Thank you!

Marko Buuri
marko at buuri dot name

From damion@snapgear.com Mon Oct 20 01:43:23 2003
From: damion@snapgear.com (Damion de Soto)
Date: Mon, 20 Oct 2003 10:43:23 +1000
Subject: [LARTC] Missing parameter descriptions
References: <1066574801.3f92a3d196588@www2.helsinki.fi>
Message-ID: <3F932FAB.6050908@snapgear.com>

Marko Buuri wrote:
> I've been looking for descriptions of qdisc parameter "estimator" and u32
> parameter "police" (defined by POLICE_SPEC), but in vain. I hope someone on
> this list can explain these.

Have you seen:
http://lartc.org/howto/lartc.adv-filter.policing.html
with examples for 'police'
http://lartc.org/howto/lartc.cookbook.synflood-protect.html
and
http://lartc.org/howto/lartc.cookbook.ultimate-tc.html

I'm not sure where examples are of 'estimator' usage.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer email: damion@snapgear.com
SnapGear --- ph: +61 7 3435 2809 | Custom Embedded Solutions
fax: +61 7 3891 3630 | and Security Appliances
web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- Free Embedded Linux Distro at http://www.snapgear.org ---

From andy.furniss@dsl.pipex.com Mon Oct 20 11:25:04 2003
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Mon, 20 Oct 2003 11:25:04 +0100
Subject: [LARTC] Linux bandwidth arbitrator
In-Reply-To: <20031017101526.GE6261@legolas.on.net.mk>
References: <200310130623.AA319094864@q4networks.com> <200310132310.45421.stef.coene@docum.org> <20031017101526.GE6261@legolas.on.net.mk>
Message-ID: <03102011250400.00667@MBC>

On Friday 17 October 2003 11:15 am, Damjan wrote:
> > > >> Hi,
> > > >> i will like to use the linux bandwidth arbitrator so i downloaded
> > > >> "arbitrator6.2.tar.gz" from their site unto my redhat 9.0 system
> > > >> but i dont know how to install it and run it.
> > > >>
> > > >> I will like to use it for traffic shaping and try it for on my
> > > >> network.
> > >
> > > SC> What's "linux bandwidth arbitrator" ???
> > >
> > > SC> Stef
> > >
> > > it's low level arbitration (shaping) done by BRIDGE
> > > software not an iproute+tc+iptables based. (Isn't it out of scope
> > > here?)
> >
> > I never heard of it. This is list is for iproute2+tc
> > problems/questions.
>
> Its bizarre how the "linux bandwidth arbitrator" authors have never
> heard of HTB, LARTC people have not heard of "arbitrator". :)
>
> arbitrator has some nice features, it actually tracks the bandwidth
> usage and can limit the big spenders - so its more dynamic than pure
> "tc". The problem is its completely different than "tc" and requires a
> number of strange kernel patches (that perhaps are not tested enough).
>
> I wish I could see an integration of the solutions ...
>
> btw, this list is about LARTC so the arbitrator still somehow belongs in
> this category, although it doesn't use "tc".

Just to add confusion there's a Linux bandwidth controller called arbiter,
which works by delaying acks :-)

Andy.

From tatooin@kelkoo.com Mon Oct 20 13:11:01 2003
From: tatooin@kelkoo.com (Vincent Jaussaud)
Date: Mon, 20 Oct 2003 14:11:01 +0200
Subject: [LARTC] iprvss 0.2c
Message-ID: <1066651861.13433.102.camel@tatooin.kelkoo.net>

Hello guys;

FYI; iprvss 0.2c is out at: http://washington.kelkoo.net/iprvss/

IP Route Very Simple Script is a shell script which can be used to
save/restore all or part of your policy routing setup.

It works well for me since several months now on different configurations.

In case it helps...

Cheers,
--
Vincent Jaussaud
Kelkoo.com Security Manager
email: tatooin@kelkoo.com

"Those who desire to give up freedom in order to gain security will not have,
nor do they deserve, either one."
-- President Thomas Jefferson. 1743-1826

From stef.coene@docum.org Mon Oct 20 15:52:46 2003
From: stef.coene@docum.org (Stef Coene)
Date: Mon, 20 Oct 2003 16:52:46 +0200
Subject: [LARTC] [htb] how do u calculate the Burst ?
In-Reply-To: <20031020014041.007fb0ed.raptor@tvskat.net>
References: <20031020014041.007fb0ed.raptor@tvskat.net>
Message-ID: <200310201652.46048.stef.coene@docum.org>

On Monday 20 October 2003 00:40, raptor wrote:
> how do u decide how big BURST to use for a class ?!

If you don't specify a burst, htb will calculate the smallest one for you.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From Dragoş C."
Here it is now in plain text, just pls help me understand, cuz seems very
illogical what happens. Sorry for sending this 3 times. I hope it is ok now.

Hello lartc users,

I mark packets (by MAC and IP), works on my lan except for 1 single host.
This host is able to fuck-up the entire network because not a single bit of
his traffic is shaped.
This way when he is downloading there is no more internet in the entire LAN.

Here is what I get:

~ # iptables -L -n -v
Chain INPUT (policy DROP 129 packets, 18244 bytes)
pkts bytes target prot opt in out source destination
121K 89M ipac~o all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
2106 103K tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 10/sec burst 5
121K 89M CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
117K 88M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
215 7951 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
21 1260 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
671 40197 ACCEPT all -- eth0 * 192.168.1.1 0.0.0.0/0 MAC 00:02:44:67:30:30
54 4471 ACCEPT all -- eth0 * 192.168.1.2 0.0.0.0/0 MAC 00:02:44:67:30:5E
1417 87806 ACCEPT all -- eth0 * 192.168.1.3 0.0.0.0/0 MAC 00:02:44:59:71:40
734 56195 ACCEPT all -- eth0 * 192.168.1.4 0.0.0.0/0 MAC 00:D0:09:D5:6B:12
394 28308 ACCEPT all -- eth0 * 192.168.1.5 0.0.0.0/0 MAC 00:50:FC:9D:7A:5B
0 0 ACCEPT all -- eth0 * 192.168.1.6 0.0.0.0/0 MAC 00:80:5F:8F:C2:48
109 11947 ACCEPT all -- eth0 * 192.168.1.7 0.0.0.0/0 MAC 00:06:4F:05:FB:16
0 0 ACCEPT all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0
129 18244 RED all -- * * 0.0.0.0/0 0.0.0.0/0
129 18244 XTACCESS all -- * * 0.0.0.0/0 0.0.0.0/0
113 16529 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `INPUT '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
198K 62M ipac~fi all -- * * 0.0.0.0/0 0.0.0.0/0
198K 62M ipac~fo all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
198K 62M CUSTOMFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
190K 61M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 * 192.168.1.1 0.0.0.0/0 MAC 00:02:44:67:30:30
1 48 ACCEPT all -- eth0 * 192.168.1.2 0.0.0.0/0 MAC 00:02:44:67:30:5E
429 54514 ACCEPT all -- eth0 * 192.168.1.3 0.0.0.0/0 MAC 00:02:44:59:71:40
6831 832K ACCEPT all -- eth0 * 192.168.1.4 0.0.0.0/0 MAC 00:D0:09:D5:6B:12
478 28669 ACCEPT all -- eth0 * 192.168.1.5 0.0.0.0/0 MAC 00:50:FC:9D:7A:5B
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.5 tcp dpt:19995
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.1.5 tcp dpt:19995
0 0 ACCEPT all -- eth0 * 192.168.1.6 0.0.0.0/0 MAC 00:80:5F:8F:C2:48
72 5774 ACCEPT all -- eth0 * 192.168.1.7 0.0.0.0/0 MAC 00:06:4F:05:FB:16
0 0 ACCEPT all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0
0 0 PORTFWACCESS all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DMZHOLES all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT '

Chain OUTPUT (policy ACCEPT 141K packets, 85M bytes)
pkts bytes target prot opt in out source destination
141K 85M ipac~i all -- * * 0.0.0.0/0 0.0.0.0/0

Chain CUSTOMFORWARD (1 references)
pkts bytes target prot opt in out source destination

The bad host is 192.168.1.1. As you can see his packets are marked, but then the shaping is not done at all.

~ # tc -d -s class show dev eth1
class htb 10:10 root rate 125Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 7
Sent 45405999 bytes 110084 pkts (dropped 0, overlimits 0)
rate 90bps 1pps
lended: 35284 borrowed: 0 giants: 0
tokens: 2086912 ctokens: 79872

class htb 10:1 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 14563554 ctokens: 90112

class htb 10:2 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 14563554 ctokens: 90112

class htb 10:3 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 446562 bytes 6804 pkts (dropped 0, overlimits 0)
rate 5bps
lended: 6804 borrowed: 0 giants: 0
tokens: 14344532 ctokens: 58573

class htb 10:4 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 44734592 bytes 102026 pkts (dropped 0, overlimits 0)
rate 37bps
lended: 66742 borrowed: 35284 giants: 0
tokens: 14518044 ctokens: 83560

class htb 10:5 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 216317 bytes 1153 pkts (dropped 0, overlimits 0)
rate 60bps
lended: 1153 borrowed: 0 giants: 0
tokens: 12304384 ctokens: 79872

class htb 10:6 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
tokens: 14563554 ctokens: 90112

class htb 10:7 parent 10:10 prio 2 quantum 1500 rate 18Kbit ceil 125Kbit burst 40Kb/8 mpu 0b cburst 1759b/8 mpu 0b level 0
Sent 8528 bytes 101 pkts (dropped 0, overlimits 0)
lended: 101 borrowed: 0 giants: 0
tokens: 14546488 ctokens: 87655

And this is the version I use
kernel HTB init, kernel part version 3.10

From rontombontom@freestart.hu Mon Oct 20 17:04:59 2003
From: rontombontom@freestart.hu (Szalka Tamas)
Date: Mon, 20 Oct 2003 18:04:59 +0200
Subject: [LARTC] tc option rate limits traffic??
Message-ID: <3F9407AB.6090301@freestart.hu>

Hi!

I have a tc ruleset for shaping ingress traffic (with imq):
// root qdisc
tc qdisc add dev imq0 root handle 1 htb default 13
tc class add dev imq0 parent 1: classid 1:2 htb rate 384Kbit ceil 2Mbit
burst 15k

// www traffic
tc class add dev imq0 parent 1:2 classid 1:11 htb rate 256Kbit ceil
2Mbit burst 15k
tc qdisc add dev imq0 parent 1:11 handle 11 sfq perturb 10
tc filter add dev imq0 parent 1:0 protocol ip prio 100 u32 match ip
sport 80 0xffff match ip dst 10.0.8.0/24 classid 1:11

// default class
tc class add dev imq0 parent 1:2 classid 1:13 htb rate 56Kbit ceil 2Mbit
burst 15k
tc qdisc add dev imq0 parent 1:13 handle 13 sfq perturb 10

I can download only with ~40 Kbyte/s (~256Kbit), as if the RATE
parameter gives a limit for downloading, not a guaranteed bandwidth...
The tc should give the total 2Mbit bandwidth, while there's no other
traffic on the link.
Have you experienced similar?

Tom

From stef.coene@docum.org Mon Oct 20 19:47:24 2003
From: stef.coene@docum.org (Stef Coene)
Date: Mon, 20 Oct 2003 20:47:24 +0200
Subject: [LARTC] Pakets marked but no shapeing is done
In-Reply-To: <1644514561.20031020184000@web.de>
References: <1644514561.20031020184000@web.de>
Message-ID: <200310202047.24542.stef.coene@docum.org>

On Monday 20 October 2003 17:40, Dragos Cinteza wrote:
> Here it is now in plain text, just pls help me understand, cuz seems
> very illogical what happens. Sorry for sending this 3 times. I hope it
> is ok now.

Euh. I don't see a tc filter statement. And where is the iptables line that
matches the packets ??? Also, post your tc commands and your iptables rules.
Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Mon Oct 20 19:42:48 2003
From: stef.coene@docum.org (Stef Coene)
Date: Mon, 20 Oct 2003 20:42:48 +0200
Subject: [LARTC] tc option rate limits traffic??
In-Reply-To: <3F9407AB.6090301@freestart.hu>
References: <3F9407AB.6090301@freestart.hu>
Message-ID: <200310202042.48877.stef.coene@docum.org>

On Monday 20 October 2003 18:04, Szalka Tamas wrote:
> Hi!
>
> I have a tc ruleset for shaping ingress traffic (with imq):
> // root qdisc
> tc qdisc add dev imq0 root handle 1 htb default 13
> tc class add dev imq0 parent 1: classid 1:2 htb rate 384Kbit ceil 2Mbit
> burst 15k
>
> // www traffic
> tc class add dev imq0 parent 1:2 classid 1:11 htb rate 256Kbit ceil
> 2Mbit burst 15k
> tc qdisc add dev imq0 parent 1:11 handle 11 sfq perturb 10
> tc filter add dev imq0 parent 1:0 protocol ip prio 100 u32 match ip
> sport 80 0xffff match ip dst 10.0.8.0/24 classid 1:11
>
> // default class
> tc class add dev imq0 parent 1:2 classid 1:13 htb rate 56Kbit ceil 2Mbit
> burst 15k
> tc qdisc add dev imq0 parent 1:13 handle 13 sfq perturb 10
>
> I can download only with ~40 Kbyte/s (~256Kbit), as if the RATE
> parameter gives a limit for downloading, not a guaranteed bandwidth...
> The tc should give the total 2Mbit bandwidth, while there's no other
> traffic on the link.
> Have you experienced similar?

Try to remove the burst parameter.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From wdwrn@friendlycity.net Tue Oct 21 05:10:45 2003
From: wdwrn@friendlycity.net (Walter D. Wyndroski)
Date: Tue, 21 Oct 2003 00:10:45 -0400
Subject: Fw: [LARTC] kernel panic with using IMQ - why?
Message-ID: <002401c39789$4cf60090$0201a8c0@mother>

I run into this problem as well. Has anyone found a reason why? If so please
post an answer or a link. Many, many thanks in advance on this issue.
Walt Wyndroski

----- Original Message -----
From: "Павел Мальков"
To:
Sent: Monday, October 13, 2003 1:36 AM
Subject: [LARTC] kernel panic with using IMQ - why?

> Hi, All!
> I have kernel panic with using IMQ on my linux router.
> In archive of this mailing list i found reason of this trouble:
> i used PREROUTING -j IMQ and POSTROUTING -j IMQ in one time
> but i don't understand why this configuration is broken?
> I want to control all traffic on my external interface,
> for example i want to lease 30kbit/sec (inbound+outbound,
> without dividing) for encrypting channel between the host of my LAN
> and some host of Internet.
> Please, explain to me reasons of this behavior or send me links
> to this explanation.
>
> Sorry for my bad English
>
> WBR Pavel Malkov

**********************************************************************************************
* This message has been scanned by CityNET's email scanner for viruses and dangerous content *
* and is believed to be clean. CityNET is proud to use MailScanner. For more information *
* concerning MailScanner, visit http://www.mailscanner.info *
**********************************************************************************************

From rachelcy@hotmail.com Tue Oct 21 09:25:31 2003
From: rachelcy@hotmail.com (rAcHeL ^cY)
Date: Tue, 21 Oct 2003 16:25:31 +0800
Subject: [LARTC] Installing IMQ on Redhat 9 (Kernel version 2.4.20)
Message-ID:

Hi,

I need some help from everyone.

How can i install the IMQ on redhat 9?
I downloaded the patch from http://trash.net/~kaber/imq/index.html#sources,
which include :
IMQ patch - http://trash.net/~kaber/imq/linux-2.4.21-imq-1.diff
Patch against netfilter - http://trash.net/~kaber/imq/pom-20030625.diff

I try to get the src.rpm of kernel-2.4.20 and run it (rpm -i
kernel-2.4.20.20-9.src.rpm) and i added both patches i downloaded earlier
into the /usr/src/redhat/SPEC/kernel-2.4.spec.

Then i run rpmbuild -ba kernel-2.4.spec, and i got the new rpm files under
/usr/src/redhat/RPMS folder.

I had install the new kernel rpm in that folder, but seems still can't get
IMQ to work, please help!

Is there any easier way to make the IMQ work on Redhat 9?

I will appreciate if someone can help me on this, thank you very much!!!!!

Rachel

From le-hen_j@epita.fr Tue Oct 21 09:50:51 2003
From: le-hen_j@epita.fr (jeremie le-hen)
Date: Tue, 21 Oct 2003 10:50:51 +0200
Subject: [LARTC] Installing IMQ on Redhat 9 (Kernel version 2.4.20)
In-Reply-To:
References:
Message-ID: <20031021085051.GC5546@carpediem.epita.fr>

> [a lot of RPM junk...]
>
> Is there any easier way to make the IMQ work on Redhat 9?

I think this is off-topic question. It has no matter with the LARTC
mailing-list. Please contact RedHat support or a RedHat specific list.

Regards,
--
Jeremie LE HEN aka TtZ/TataZ
jeremie.le-hen@epita.fr
ttz@epita.fr

Hi! I'm a .signature virus!
Copy me into your ~/.signature to help me spread!

From PedroPhill@seznam.cz Tue Oct 21 10:09:19 2003
From: PedroPhill@seznam.cz (Phill)
Date: Tue, 21 Oct 2003 11:09:19 +0200
Subject: [LARTC] Installing IMQ on Redhat 9 (Kernel version 2.4.20)
References:
Message-ID: <00a001c397b3$0547d640$0a02a8c0@phill>

Hi,

here is a nice page :-),
http://alfa.tailor.com.pl/imqhtb/imq_htb.html

Hope it will help you even though it's in Polish :(

-Phill

> I need some help from everyone.
>
> How can i install the IMQ on redhat 9?
> I downloaded the patch from http://trash.net/~kaber/imq/index.html#sources,
> which include :
> IMQ patch - http://trash.net/~kaber/imq/linux-2.4.21-imq-1.diff
> Patch against netfilter - http://trash.net/~kaber/imq/pom-20030625.diff
>
> I try to get the src.rpm of kernel-2.4.20 and run it (rpm -i
> kernel-2.4.20.20-9.src.rpm) and i added both patches i downloaded earlier
> into the /usr/src/redhat/SPEC/kernel-2.4.spec.
>
> Then i run rpmbuild -ba kernel-2.4.spec, and i got the new rpm files under
> /usr/src/redhat/RPMS folder.
>
> I had install the new kernel rpm in that folder, but seems still can't get
> IMQ to work, please help!
>
> Is there any easier way to make the IMQ work on Redhat 9?
>
> I will appreciate if someone can help me on this, thank you very much!!!!!
>
>
> Rachel

From wdwrn@friendlycity.net Tue Oct 21 14:44:30 2003
From: wdwrn@friendlycity.net (Walter D. Wyndroski)
Date: Tue, 21 Oct 2003 09:44:30 -0400
Subject: [LARTC] Installing IMQ on Redhat 9 (Kernel version 2.4.20)
References:
Message-ID: <004d01c397d9$7468d2b0$0201a8c0@mother>

I also use RH9 and ran into the same problem. Here are my fragments notes and
thoughts about how I got to work on my system which by the way, IMQ is running
great for me. :) Some of these notes I copied from other websites, some I
wrote myself. I hope the following notes help you out.
Walt Wyndroski

Adding IMQ support to RH9 kernel and iptables AND LAYER7 support to kernel and
iproute2:

rpm -q iptables
rpm -e iptables-<>
download & decompress latest version of iptables
download & decompress latest version of patch-o-matic
copy the imq diff patch to the patch-o-matic directory
run -> patch -p1 < <> (in patch-o-matic directory)

NOW FOLLOW THIS CLOSELY BEFORE DOING ANY PATCH-O-MATIC STUFF!!!:

1. apply the patch imq2-2.4.21.diff to Linux source tree
2. extract the patch-o-matic-20030107 source tree on the same physical
   partition where your kernel source resides
3. within patch-o-matic-20030107, extract this tarball
4. extract the iptables-1.2.8 source tree in the same directory prefix as
   patch-o-matic-20030107
5. rename iptables-1.2.8 toplevel directory to 'userspace'

Now, proceed with the standard patch-o-matic patch-installation instructions.
Note, this tarball offers two NETFILTER patches, both within the 'userspace'
suite (since they also patch userland source - iptables): 'IMQ.patch' and
'IMQ2.patch'. So, for example, if you need to install them non-interactively,
then from within the 'patch-o-matic-20030107' toplevel directory, issue:

USE FOR KERNEL_DIR: /usr/src/linux- WHEN ASKED FOR KERNEL_DIR!!!

./runme --batch userspace/IMQ.patch
./runme --batch userspace/IMQ.ipv6.patch

After that, please be sure to do the following (unfortunately, patch-o-matic
does not handle this itself):

chmod 0755 ../userspace/extensions/.IMQ*

run -> KERNEL_DIR=<> ./runme userspace/IMQ.patch
--this places ipt_IMQ.so in /usr/src/linux-2.4.20-20.9/net/ipv4/netfilter
--will need to copy this file to /usr/src/redhat/BUILD/
run -> KERNEL_DIR=<> ./runme base (this will allow addition of any other
iptables patches)

Copy the config matching your kernel from /boot to
/usr/src/linux/2.4.20-20.9/configs
Append the following lines to the config you copied over

CONFIG_NET_CLS_LAYER7=m
CONFIG_IMQ=m
CONFIG_IP_NF_TARGET_IMQ=m

RPM Kernel Compiling Instructions: (Forget it! - see below)

NOTE: I successfully got the kernel patched when using the rpmbuild method,
but could never get the netfilter modules to build correctly after everything
was said and done. So I opted to take someone else's advice and use the manual
method while maintaining a stock RH kernel. See below.

On Redhat, instead of using 'make' commands you can use rpm command to build
kernel. If you want to build binary RPMs (kernel*.i386.rpm), do this:

1. Install kernel*.src.rpm
2. cd /usr/src/redhat/SPECS
3. Copy the IMQ patch and Layer7 patches to the /usr/src/redhat/SOURCES
   directory
4. Edit the kernel*.spec file to include the following:
   place the patch definition entries in the 5200 section, follow the syntax
   and use the patch filename for the entry
   place the "patch command" further down in the file also following the
   surrounding syntax
5. rpmbuild -ba kernel*.spec # or rpm -ba kernel*.spec # for old systems
6. cd /usr/src/redhat/i386; rpm -ivh kernel*.rpm (you may have to use --force
   --nodeps)

Manual Compiling Instructions:

First patch your kernel with the imq kernel patch and layer7 patch
Now copy the config of the kernel (which you boot with) from /boot to
/usr/src/linux-x.x.x.x/configs
Just make sure to load that specific config when you run make xconfig.

1) cd /usr/src/linux/
2) edit Makefile, pick a good name for your kernel with the EXTRAVERSION var.
3) make mrproper && make clean # start fresh
4) cp configs/kernel-2.4.20-athlon.config .config # (I have an athlon)
   this step didn't work for me. I simply moved all the configs to another
   directory and copied the one I wanted from /boot to the configs dir. That
   way I only had one config to worry with.
5) make xconfig
   make sure to manually load the config you copied over from /boot
6) make dep && make clean && make bzImage
7) make modules && make modules_install && make install
8) cp .config /boot/config-2.4.20-8_YOUR_KERNEL_NAME

The "make install" step might be controversial because I don't see it
mentioned much. It might be new (?). It worked for me, however, neatly
updating /boot with the image and system map, as well as updating
/etc/lilo.conf

The "make clean" after "make dep" may be unnecessary but it doesn't seem to
hurt.

Note that the resulting image fails to binary-compare to the stock image, so
strictly speaking I haven't recreated the image. Not sure of reasons for the
differences - possibilities include a different environment at RedHat,
timestamps within the image, and kernel name within the image. But it seems to
boot the same.

Download, compile, and install the layer7 patched version of iproute2 (more
specifically, tc)
also get the latest layer7 definitions download

Walt Wyndroski

----- Original Message -----
From: "rAcHeL ^cY"
To:
Sent: Tuesday, October 21, 2003 4:25 AM
Subject: [LARTC] Installing IMQ on Redhat 9 (Kernel version 2.4.20)

> Hi,
>
> I need some help from everyone.
>
> How can i install the IMQ on redhat 9?
> I downloaded the patch from http://trash.net/~kaber/imq/index.html#sources,
> which include :
> IMQ patch - http://trash.net/~kaber/imq/linux-2.4.21-imq-1.diff
> Patch against netfilter - http://trash.net/~kaber/imq/pom-20030625.diff
>
> I try to get the src.rpm of kernel-2.4.20 and run it (rpm -i
> kernel-2.4.20.20-9.src.rpm) and i added both patches i downloaded earlier
> into the /usr/src/redhat/SPEC/kernel-2.4.spec.
>
> Then i run rpmbuild -ba kernel-2.4.spec, and i got the new rpm files under
> /usr/src/redhat/RPMS folder.
>
> I had install the new kernel rpm in that folder, but seems still can't get
> IMQ to work, please help!
>
> Is there any easier way to make the IMQ work on Redhat 9?
>
> I will appreciate if someone can help me on this, thank you very much!!!!!
>
>
> Rachel

From nixo@nixo.com.ar Tue Oct 21 21:56:32 2003
From: nixo@nixo.com.ar (nixo@nixo.com.ar)
Date: Tue, 21 Oct 2003 17:56:32 -0300 (ART)
Subject: [LARTC] "Help with routing"
Message-ID: <58232.200.80.32.193.1066769792.squirrel@www.argentec.com.ar>

the scheme of my LAN is the next:

eth0 isp1 /32
eth1 lan of isp1 (LAN With public IP /24)
eth2 isp2 /32
eth3 lan of isp2 (LAN With public IP /26)

ip route add 200.47.x.x/24 dev eth0 src 200.47.4.x table 1
ip route add default via 200.47.4.x table 1
ip route add 200.80.32.x/26 dev eth2 src 200.80.32.x table 2
ip route add default via 200.80.32.x table 2
ip rule add from 200.47.4.x table 1
ip rule add from 200.80.32.x table 2
ip route add default scope global nexthop via 200.47.4.x dev eth0 nexthop via 200.80.32.x dev eth2

******

My problem is this: when I trace from the NETWORK of ISP1, sometimes the
tracer go out from the gateway of ISP2 and vice versa.
And when someone trace an IP from my LAN of ISP1, it`s showme as before
complete the gateway from ISP2 and vice versa.

My question is: what is wrong in my config...??? What I need to put or is
anything wrong with this config???.

THANKS VERY MUCH AND SORRY FOR MY HIGHSCHOOL ENGLISH.

From marko@buuri.name Tue Oct 21 13:56:56 2003
From: marko@buuri.name (Marko Buuri)
Date: Tue, 21 Oct 2003 15:56:56 +0300
Subject: [LARTC] Missing parameter descriptions
In-Reply-To: <3F932FAB.6050908@snapgear.com>
References: <1066574801.3f92a3d196588@www2.helsinki.fi> <3F932FAB.6050908@snapgear.com>
Message-ID: <1066741016.3f952d185f6cc@www2.helsinki.fi>

>Damion de Soto wrote:
>Marko Buuri wrote:
>> I've been looking for descriptions of qdisc parameter
>"estimator" and u32
>> parameter "police" (defined by POLICE_SPEC), but in vain. I
>hope someone on
>> this list can explain these.
>Have you seen :
>http://lartc.org/howto/lartc.adv-filter.policing.html
>with examples for 'police'
>http://lartc.org/howto/lartc.cookbook.synflood-protect.html
>and
>http://lartc.org/howto/lartc.cookbook.ultimate-tc.html

Thank you for replying! I find that POLICE_SPEC (term from tc command syntax, not found in the HOWTO) isn't very well or perhaps clearly documented. I figure the first page you sent is trying to say is that the syntax is more or less:

POLICE_SPEC = police [buffer [buffer] | maxburst [maxburst]] [mtu [mtu] | minburst [minburst]] [mpu [mpu]] [rate [rate]] (continue | drop | pass | reclassify)

However, the examples you sent are using parameter "burst" not listed above. A novice as myself can find learning Linux traffic control a bit confusing with this kind of discrepancies between the HOWTO, the command syntax and the man pages.

>I'm not sure where examples are of 'estimator' usage.

If someone else here knows, please do tell.

Marko

From chaos@swi.com.br Tue Oct 21 23:24:55 2003
From: chaos@swi.com.br (Raul Dias)
Date: Tue, 21 Oct 2003 19:24:55 -0300
Subject: [LARTC] wrong link in the howto
Message-ID: <1066775095.14862.14.camel@speedy.swi>

Hi,

In chapter 11, the link to Rusty's post does not exist anymore.
The correct url now is
http://lists.netfilter.org/pipermail/netfilter/2000-November/006089.html

Regards,
Raul Dias

From Dragoş C."
References: <1644514561.20031020184000@web.de> <200310202047.24542.stef.coene@docum.org>
Message-ID: <811901684.20031021224935@web.de>

--====----====----====----====----====----====----====----====----====----===--
Stef> On Monday 20 October 2003 17:40, Dragos Cinteza wrote:
>> Here it is now in plain text, just pls help me understand, cuz seems
>> verry ilogic what happends. Sorry for sending this 3 times. I hope it
>> is ok now.
Stef> Euh. I don't see a tc filter statement. And where is the iptables line that
Stef> matches the packets ??? Also, post your tc commands and your iptables rules.
Stef> Stef
================================================================================

In the last mail I only put the results of listing chains and classes.
This it is how the chains are made:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog

# Flush all rules and delete all custom chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X

# Set up policies
/sbin/iptables -P INPUT DROP #Changed from ACCEPT to DROP for selective access, except HTTP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT

# This chain will log, then DROPs "Xmas" and Null packets which might
# indicate a port-scan attempt
/sbin/iptables -N PSCAN
/sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
/sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
/sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
/sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
/sbin/iptables -A PSCAN -j DROP

# Disallow packets frequently used by port-scanners, XMas and Null
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PSCAN

# Limit Packets- helps reduce dos/syn attacks
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec

# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING

# Accept everything connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT

/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 128.242.207.197 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 80.86.96.1 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP

/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.2 -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.3 -j MARK --set-mark 3
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.4 -j MARK --set-mark 4
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.5 -j MARK --set-mark 5
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.6 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.7 -j MARK --set-mark 7
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-67-30-30 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-67-30-5E -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-59-71-40 -j MARK --set-mark 3
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-D0-09-D5-6B-12 -j MARK --set-mark 4
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-50-FC-9D-7A-5B -j MARK --set-mark 5
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-80-5F-8F-C2-48 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-06-4F-05-FB-16 -j MARK --set-mark 7

/sbin/iptables -A INPUT -i ipsec+ -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT

# Custom prerouting chains (for transparent proxy and port forwarding)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW

# last rule in input and forward chain is for logging.
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "

# Accept everything connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT

$GREEN_DEV is the LAN interface

and here are the tc commands:

# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev eth1 root 2> /dev/null > /dev/null
tc qdisc del dev eth1 ingress 2> /dev/null > /dev/null
tc qdisc del dev eth0 root 2> /dev/null > /dev/null
tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null

tc qdisc add dev eth1 root handle 10: htb r2q 1
tc class add dev eth1 parent 10: classid 10:10 htb rate 125kbit ceil 125kbit quantum 2250 burst 60k

tc class add dev eth1 parent 10:10 classid 10:1 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.1 flowid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.1 flowid 10:1

tc class add dev eth1 parent 10:10 classid 10:2 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.2 flowid 10:2
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.2 flowid 10:2

tc class add dev eth1 parent 10:10 classid 10:3 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 3 fw classid 10:3
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.3 flowid 10:3
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.3 flowid 10:3

tc class add dev eth1 parent 10:10 classid 10:4 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 4 fw classid 10:4
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.4 flowid 10:4
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.4 flowid 10:4

tc class add dev eth1 parent 10:10 classid 10:5 htb rate 20kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 5 fw classid 10:5
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.5 flowid 10:5
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.5 flowid 10:5

tc class add dev eth1 parent 10:10 classid 10:6 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 6 fw classid 10:6
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.6 flowid 10:6
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.6 flowid 10:6

tc class add dev eth1 parent 10:10 classid 10:7 htb rate 18kbit ceil 125kbit quantum 1500 prio 3 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 7 fw classid 10:7
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.7 flowid 10:7
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.7 flowid 10:7

From andy.furniss@dsl.pipex.com Wed Oct 22 00:45:57 2003
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Wed, 22 Oct 2003 00:45:57 +0100
Subject: [LARTC] libipq and IMQ
Message-ID: <03102200455700.00668@MBC>

Hi.

Does anyone know if it is possible to use ip_queue and IMQ at the same time - if I modprobe one then the other will fail to modprobe with

init_module: Device or resource busy

TIA

Andy.

From eric@regit.org Wed Oct 22 01:14:51 2003
From: eric@regit.org (Eric Leblond)
Date: Wed, 22 Oct 2003 02:14:51 +0200
Subject: [LARTC] NuFW and user based QOS
Message-ID: <1066781691.13217.11.camel@porky>

Hi everyone,

The NuFW team is proud to announce you that NuFW is now able to mark packets based on the userid.
Thus, using the fwmark classifier you can classify packets by using the userid. This means, for example, that you can truly reserve bandwidth per user even if you have a multiuser system.

As the userid in NuFW is 16 bits long and as the mark is 32 bits long, you can even do a sub classification of packets. So, for each user, you can differentiate services.

More information is available at : http://www.nufw.org

BR,
-- 
Eric Leblond
Nufw, Now User Filtering Works (http://www.nufw.org)

From rachelcy@hotmail.com Wed Oct 22 05:40:13 2003
From: rachelcy@hotmail.com (rAcHeL ^cY)
Date: Wed, 22 Oct 2003 12:40:13 +0800
Subject: [LARTC] Installing IMQ on Redhat 9 (Kernel version 2.4.20)
Message-ID:

Walt Wyndroski,

Thank you very much on the reply, I'll try it and update you on the progress.

Rachel

>I also use RH9 and ran into the same problem. Here are my fragments notes
>and thoughts about how I got to work on my system which by the way, IMQ is
>running great for me. :) Some of these notes I copied from other websites,
>some I wrote myself. I hope the following notes help you out.
>
>Walt Wyndroski
>
>Adding IMQ support to RH9 kernel and iptables AND LAYER7 support to kernel
>and iproute2:
>
>rpm -q iptables
>rpm -e iptables-<>
. . .
>Walt Wyndroski
>
>----- Original Message -----
>From: "rAcHeL ^cY"
>To:
>Sent: Tuesday, October 21, 2003 4:25 AM
>Subject: [LARTC] Installing IMQ on Redhat 9 (Kernel version 2.4.20)
>
>
> > Hi,
> >
> > I need some help from everyone.
> >
> > How can i install the IMQ on redhat 9?
> > I downloaded the patch from http://trash.net/~kaber/imq/index.html#sources,
> > which include :
> > IMQ patch - http://trash.net/~kaber/imq/linux-2.4.21-imq-1.diff
> > Patch against netfilter - http://trash.net/~kaber/imq/pom-20030625.diff
> >
> > I try to get the src.rpm of kernel-2.4.20 and run it (rpm -i
> > kernel-2.4.20.20-9.src.rpm) and i added both patches i downloaded earlier
> > into the /usr/src/redhat/SPEC/kernel-2.4.spec.
> >
> > Then i run rpmbuild -ba kernel-2.4.spec, and i got the new rpm files under
> > /usr/src/redhat/RPMS folder.
> >
> > I had install the new kernel rpm in that folder, but seems still can't get
> > IMQ to work, please help!
> >
> > Is there any easier way to make the IMQ work on Redhat 9?
> >
> > I will appreciate if someone can help me on this, thank you very much!!!!!
> >
> >
> > Rachel

From Robert Kurjata Wed Oct 22 07:59:05 2003
From: Robert Kurjata (Robert Kurjata)
Date: Wed, 22 Oct 2003 08:59:05 +0200
Subject: [LARTC] "Help with routing"
In-Reply-To: <58232.200.80.32.193.1066769792.squirrel@www.argentec.com.ar>
References: <58232.200.80.32.193.1066769792.squirrel@www.argentec.com.ar>
Message-ID: <124749988.20031022085905@ire.pw.edu.pl>

Hi nixo,

I suppose you don't preserve properly output address see my posting
with script from 15th October this year :)
(append prohibit default:)

nnca> the scheme of my LAN is the next:

nnca> eth0 isp1 /32
nnca> eth1 LAN of isp1 (LAN With public IP /24)
nnca> eth2 isp2 /32
nnca> eth3 LAN of isp2 (LAN With public IP /26)

nnca> ip route add 200.47.x.x/24 dev eth0 src 200.47.4.x table 1
nnca> ip route add default via 200.47.4.x table 1

nnca> ip route add 200.80.32.x/26 dev eth2 src 200.80.32.x table 2
nnca> ip route add default via 200.80.32.x table 2

nnca> ip rule add from 200.47.4.x table 1
nnca> ip rule add from 200.80.32.x table 2

nnca> ip route add default scope global nexthop via 200.47.4.x dev eth0 nexthop
nnca> via
nnca> 200.80.32.x dev eth2

nnca> ******

nnca> My problem is this: when I trace from the NETWORK of ISP1, sometimes the
nnca> tracer go out from the gateway of ISP2 and vice versa

nnca> And when someone trace an IP from my LAN of ISP1, it`s showme as before
nnca> complete the gateway from ISP2 and vice versa.

nnca> My question is: what is wrong in my config...??? What I need to put or is
nnca> anything wrong with this config???.
nnca> THANKS VERY MUCH AND SORRY FOR MY HIGHSCHOOL ENGLISH.

--
Greetings,
Robert mailto:rkurjata@ire.pw.edu.pl

From Raghuveer K Wed Oct 22 08:42:21 2003
From: Raghuveer K (Raghuveer K)
Date: Wed, 22 Oct 2003 13:12:21 +0530
Subject: [LARTC] Need Suggestion on CBQ Rules.
In-Reply-To: <200309232146.09807.stef.coene@docum.org>
References: <5.1.0.14.2.20030910115658.02813c78@mail.axelero.hu> <200309222025.05016.stef.coene@docum.org> <3F6FE0A7.5090001@gsecone.com> <200309232146.09807.stef.coene@docum.org>
Message-ID: <3F9634DD.2020707@gsecone.com>

Stef Coene wrote:

>On Tuesday 23 September 2003 07:56, Raghuveer wrote:
>
>
>>Here are the rules Iam applying to control outgoing traffic at WAN(eth0)
>>interface for public hosted services.
>>Here actual Isp rate = 512Kbit, rate taken = 97% of 512Kbit, eth0 ip is
>>192.168.1.2
>>
>>tc qdisc add dev eth0 root handle 1: cbq bandwidth 100Mbit avpkt 1000 cell
>>8 tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate
>>497Kbit weight 49Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
>>bounded
>>/* Hosted http server bandwidth = 64Kbit */
>>tc class add dev eth0 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate
>>64Kbit weight 6Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
>>tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src
>>192.168.1.2 match ip sport 80 0xffff classid 1:2
>>
>>/* Hosted ftp server bandwidth = 64Kbit */
>>tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate
>>64Kbit weight 6Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
>>tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src
>>192.168.1.2 match ip sport 21 0xffff classid 1:3
>>
>>/* Default : Rest/Other traffic */
>>tc class add dev eth0 parent 1:1 classid 1:4 cbq bandwidth 100Mbit rate
>>369Kbit weight 40Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
>>/* Here I want replace the below rule with a simple rule based only on
>>port i.e by using some default port other than 80, 21 as sport, which
>>according to your last mail is not possible, hence pls check whether the
>>below rule will do for remaining traffic */
>>tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src
>>0/0 match ip dst 0/0 classid 1:4
>>
>>Pls let me know whether the above rules are framed correctly or can be
>>done in a better way.
>>
>>
>I can't do it better then you did :)
>
>

Stef,

Traffic Control is not taking place after applying the above rules.

Here follows the test setup:-
1. The linux m/c 's eth0(100Mbits, WAN) is connected to 128 Kbits ADSL and eth1 to the LAN.
2. I tried doing traffic control for incoming(at eth1) and outgoing(at eth0) traffic using CBQ(above rules).
3. In LAN, I connected 3 m/c's(all linux).
4. The ISP rate taken is 97% of 128Kbits.
5. Bandwidth Monitoring is done by using IPTraf on each LAN m/c's.

I have few observations and queries, as follows:--
1. Here the ISP rate is fluctuating in the range of 21Kbits to 131 Kbits for 128Kbits ADSL.
2. I have not added any filter for the parent class. Is it required...? What happens if I add...?
3. Is "iptraf " tool OK for monitoring the distribution of bandwidth on each LAN m/c.
4. Whether shall I take outgoing and incoming ISP rate's in 30:70 ratio, i.e 30% of 128Kbits for outgoing Qdisc(eth0) and 70% for incoming Qdisc(eth1). As 128 Kbits rate being asynchronous(ADSL).

Can you pls guide me where am I going wrong..?

Regards
-Raghu

>Stef
>
>
>

From warwick@thusa.co.za Wed Oct 22 10:39:51 2003
From: warwick@thusa.co.za (Warwick Chapman)
Date: Wed, 22 Oct 2003 11:39:51 +0200
Subject: [LARTC] Per host Traffic Shaping bridge, using DSCP
Message-ID: <3F965067.2060707@thusa.co.za>

Howdy

We would like to set up a Linux Bridge to replace a FreeBSD/ipfw box doing shaping. Currently, we can only shape per IP/protocol on the FreeBSD box, and not by type of traffic (local/international).

Our upstream provider, Internet Solutions (www.is.co.za) differentiates between Local and International Bandwidth as follows:
"Local traffic DSCP bit is set to 20. International is set to 18."

What steps would be involved in, say, setting up shaping to a host to give it a 32kb International and 64 local.
Would it be possible to allow bursting when bandwidth is available?

I have read the LARTC Guide at lartc.org, which has an example of how to shape an particular host, but not how to incorporate matching the DSCP bit.

I'm assuming iptables is used to match the DSCP bit, something like the following:
# iptables -t mangle -A INPUT -m dscp --dscp 16 -j ????

Once it is matched, though, how does on force it into a queue? Or am I thinking of this in the wrong way?

Regards
Warwick Chapman
Marketing and Operations
Thusa Business Support cc
Cellular: +27 83 7797 094
Telephone: +27 31 563 1180
Facsimile: +27 31 563 1182
Website: http://www.thusa.co.za
--
There are 10 types of people in this world.
Those who understand binary, and those who don't.

From vadiraj@deeproot.co.in Wed Oct 22 12:19:39 2003
From: vadiraj@deeproot.co.in (Vadiraj C S)
Date: Wed, 22 Oct 2003 16:49:39 +0530 (IST)
Subject: [LARTC] nexthop reachability
In-Reply-To: <124749988.20031022085905@ire.pw.edu.pl>
Message-ID:

Hello all,

I was just wondering If i could do this..

Local___           public_________Gateway1
Subnet             IP local net
                 |------192.168.1.1--|       Internet
192.168.1.0-----|                     |-------202.202.1.1
                 |------202.202.1.6--|

here goes my routing table at any subnet say 192.168.1.2

i want some thing like this

1] route to 202.202.1.0/24 via 192.168.1.1
2] default gateway via 202.202.1.1

but at second routing configuration I get host unreachable error by both route and ip route command..
Though there is route to 202 network via 192.168.1.1 it says unreachable but I can ping to 202 network..
what should I do to achieve this?

Why I need to do is for dead gateway detection, I do not want to check the nexthop reachable or not, i need to know if ISP is reachable..

Any support will be grateful!!
regards
Vadiraj C S

From nixo@nixo.com.ar Wed Oct 22 19:13:29 2003
From: nixo@nixo.com.ar (nixo@nixo.com.ar)
Date: Wed, 22 Oct 2003 15:13:29 -0300 (ART)
Subject: [LARTC] 'Help with routing'
In-Reply-To: <124749988.20031022085905@ire.pw.edu.pl>
References: <58232.200.80.32.193.1066769792.squirrel@www.argentec.com.ar> <124749988.20031022085905@ire.pw.edu.pl>
Message-ID: <1198.200.80.32.199.1066846409.squirrel@www.argentec.com.ar>

Thank you very much for the solution, but I still have a problem and I need help :) .

The problem number one has been solved. When I trace from any computer of my LAN, It`s go out from the right ISP. But after a short time, is like if the route was cached and it back to the same problem. (I´m getting paranoid :-P )

The Problem number two still happens when someone from outside trace an IP from my LAN. Always the before complete jump is responded for the interface who correspond to the other ISP.

Do you have an idea what can be the failure... or, can I call this a failure in my config?
THANKS VERY MUCH

Nicolas Fillon
Argentina

> Hi nixo,
>
> I suppose you don't preserve properly output address see my posting
> with script from 15th October this year :)
> (append prohibit default:)
>
>
> nnca> the scheme of my LAN is the next:
>
> nnca> eth0 isp1 /32
> nnca> eth1 LAN of isp1 (LAN With public IP /24)
> nnca> eth2 isp2 /32
> nnca> eth3 LAN of isp2 (LAN With public IP /26)
>
> nnca> ip route add 200.47.x.x/24 dev eth0 src 200.47.4.x table 1
> nnca> ip route add default via 200.47.4.x table 1
>
>
> nnca> ip route add 200.80.32.x/26 dev eth2 src 200.80.32.x table 2
> nnca> ip route add default via 200.80.32.x table 2
>
>
>
> nnca> ip rule add from 200.47.4.x table 1
> nnca> ip rule add from 200.80.32.x table 2
>
> nnca> ip route add default scope global nexthop via 200.47.4.x dev eth0
> nexthop nnca> via
> nnca> 200.80.32.x dev eth2
>
> nnca> ******
>
> nnca> My problem is this: when I trace from the NETWORK of ISP1,
> sometimes the nnca> tracer go out from the gateway of ISP2 and vice
> versa
>
> nnca> And when someone trace an IP from my LAN of ISP1, it`s showme as
> before nnca> complete the gateway from ISP2 and vice versa.
>
>
> nnca> My question is: what is wrong in my config...??? What I need to
> put or is nnca> anything wrong with this config???.
> nnca> THANKS VERY MUCH AND SORRY FOR MY HIGHSCHOOL ENGLISH.
>
>
> --
> Greetings,
> Robert mailto:rkurjata@ire.pw.edu.pl

From mike@netmaster.com Wed Oct 22 20:03:56 2003
From: mike@netmaster.com (Mike Taekema)
Date: Wed, 22 Oct 2003 12:03:56 -0700
Subject: [LARTC] Split access problems.
Message-ID: <006501c398cf$3e288140$cd7c7b0a@laptop>

Good day,

I seem to be having getting my split access scripts to run properly.
Here is my split_access script:

IF1=eth0
IF2=eth1
IP1=10.123.124.52
IP2=10.123.124.240
P1=10.123.124.1
P2=10.123.124.251
P1_NET=10.123.124.0/25
P2_NET=10.123.124.128/25
IFE0=eth0
IFE1=eth1

ip route flush all

ip route add $P1_NET dev $IF1 src $IP1 table $IFE0
ip route add default via $P1 table $IFE0
ip route add $P2_NET dev $IF2 src $IP2 table $IFE1
ip route add default via $P2 table $IFE1

ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2

ip route add default via $P1

ip rule add from $IP1 table $IFE0
ip rule add from $IP2 table $IFE1

exit 0

Now here is my rt_tables file:

#
# reserved values
#
255 local
254 main
253 default
0 unspec
2 eth0
4 eth1
#
# local
#
1 inr.ruhep

Now when I run the script I get these errors: (run script using sh -x split_access)

+ IF1=eth0
+ IF2=eth1
+ IP1=10.123.124.52
+ IP2=10.123.124.240
+ P1=10.123.124.1
+ P2=10.123.124.251
+ P1_NET=10.123.124.0/25
+ P2_NET=10.123.124.128/25
+ IFE0=eth0
+ IFE1=eth1
+ ip route flush all
+ ip route add 10.123.124.0/25 dev eth0 src 10.123.124.52 table eth0
+ ip route add default via 10.123.124.1 table eth0
+ ip route add 10.123.124.128/25 dev eth1 src 10.123.124.240 table eth1
+ ip route add default via 10.123.124.251 table eth1
RTNETLINK answers: File exists
+ ip route add 10.123.124.0/25 dev eth0 src 10.123.124.52
RTNETLINK answers: File exists
+ ip route add 10.123.124.128/25 dev eth1 src 10.123.124.240
RTNETLINK answers: File exists
+ ip route add default via 10.123.124.1
RTNETLINK answers: File exists
+ ip rule add from 10.123.124.52 table eth0
RTNETLINK answers: Invalid argument
+ ip rule add from 10.123.124.240 table eth1
RTNETLINK answers: Invalid argument
+ exit 0

Why am I getting "file exists" and "Invalid arguments" again?

Thanks in advance

-Mike T.
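
Added example, not part of the post above or of iproute2: a shell function that pairs each command in an `sh -x` trace with the RTNETLINK error printed after it, run over the trace from the post with its line breaks reconstructed. It assumes `sh -x` writes each `+ command` line before the command runs, so an error belongs to the nearest preceding `+` line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: attribute RTNETLINK errors in an `sh -x` trace to the
# commands that produced them.

# Read a trace on stdin and print one "error<TAB>command" line for every
# "RTNETLINK answers:" line, using the closest preceding "+ command" line.
failed_commands() {
    prefix='RTNETLINK answers: '
    last=""
    while IFS= read -r line; do
        case "$line" in
            "+ "*)
                last=${line#"+ "} ;;
            "$prefix"*)
                printf '%s\t%s\n' "${line#"$prefix"}" "$last" ;;
        esac
    done
}

# Trace copied from the post; one entry per line (line breaks reconstructed).
TRACE='+ IF1=eth0
+ IF2=eth1
+ IP1=10.123.124.52
+ IP2=10.123.124.240
+ P1=10.123.124.1
+ P2=10.123.124.251
+ P1_NET=10.123.124.0/25
+ P2_NET=10.123.124.128/25
+ IFE0=eth0
+ IFE1=eth1
+ ip route flush all
+ ip route add 10.123.124.0/25 dev eth0 src 10.123.124.52 table eth0
+ ip route add default via 10.123.124.1 table eth0
+ ip route add 10.123.124.128/25 dev eth1 src 10.123.124.240 table eth1
+ ip route add default via 10.123.124.251 table eth1
RTNETLINK answers: File exists
+ ip route add 10.123.124.0/25 dev eth0 src 10.123.124.52
RTNETLINK answers: File exists
+ ip route add 10.123.124.128/25 dev eth1 src 10.123.124.240
RTNETLINK answers: File exists
+ ip route add default via 10.123.124.1
RTNETLINK answers: File exists
+ ip rule add from 10.123.124.52 table eth0
RTNETLINK answers: Invalid argument
+ ip rule add from 10.123.124.240 table eth1
RTNETLINK answers: Invalid argument
+ exit 0'

# All failures in the embedded trace, in the order they occurred.
summary() {
    printf '%s\n' "$TRACE" | failed_commands
}

# Number of commands that failed with the given error text.
count_error() {
    summary | awk -F'\t' -v e="$1" '$1 == e { n++ } END { print n + 0 }'
}

summary
```

In this trace the first three `table` routes are accepted, the fourth `table` route and every main-table route report "File exists", and only the two `ip rule add` commands report "Invalid argument".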
From stef.coene@docum.org Wed Oct 22 21:06:04 2003
From: stef.coene@docum.org (Stef Coene)
Date: Wed, 22 Oct 2003 22:06:04 +0200
Subject: [LARTC] Per host Traffic Shaping bridge, using DSCP
In-Reply-To: <3F965067.2060707@thusa.co.za>
References: <3F965067.2060707@thusa.co.za>
Message-ID: <200310222206.04852.stef.coene@docum.org>

On Wednesday 22 October 2003 11:39, Warwick Chapman wrote:
> Howdy
>
> We would like to set up a Linux Bridge to replace a FreeBSD/ipfw box
> doing shaping. Currently, we can only shape per IP/protocol on the
> FreeBSD box, and not by type of traffic (local/international).
>
> Our upstream provider, Internet Solutions (www.is.co.za) differentiates
> between Local and International Bandwidth as follows:
> "Local traffic DSCP bit is set to 20. International is set to 18."
>
> What steps would be involved in, say, setting up shaping to a host to
> give it a 32kb International and 64 local. Would it be possible to
> allow bursting when bandwidth is available?
>
> I have read the LARTC Guide at lartc.org, which has an example of how to
> shape an particular host, but not how to incorporate matching the DSCP bit.
>
> I'm assuming iptables is used to match the DSCP bit, something like the
> following:
> # iptables -t mangle -A INPUT -m dscp --dscp 16 -j ????
>
> Once it is matched, though, how does on force it into a queue? Or am I
> thinking of this in the wrong way?

If the packets are marked with iptables, you can use the fw filter to put the packets in a class.
iptables -t mangle -A INPUT -m dscp --dscp 16 -j MARK --set-mark 2

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From gregoriandres@yahoo.com.ar Wed Oct 22 21:45:22 2003
From: gregoriandres@yahoo.com.ar (ThE PhP_KiD)
Date: Wed, 22 Oct 2003 17:45:22 -0300
Subject: [LARTC] esfq
Message-ID:

hi,

I want to try esfq in order to make a load balance in my linux router, (both, lan side and internet side)

I want that all hosts of my lan have the same bandwidth available.

Since linux router is connected to an ISP which provides a variable bandwidth, I think that I can't use HTB.

Also, in this situation, how can I do to prioritize some LAN hosts from others ?

Thank you very much in advance.

Andres.

From marko@buuri.name Mon Oct 20 08:53:34 2003
From: marko@buuri.name (Marko Buuri)
Date: Mon, 20 Oct 2003 10:53:34 +0300
Subject: [LARTC] Missing parameter descriptions
In-Reply-To: <3F932FAB.6050908@snapgear.com>
Message-ID: <5A565B86C0C9884AB8283BE53D44346673285A@dom1-mb2-hki.dom1.epnet>

>Damion de Soto wrote:
>Marko Buuri wrote:
>> I've been looking for descriptions of qdisc parameter "estimator" and u32
>> parameter "police" (defined by POLICE_SPEC), but in vain. I hope someone on
>> this list can explain these.
>Have you seen :
>http://lartc.org/howto/lartc.adv-filter.policing.html
>with examples for 'police'
>http://lartc.org/howto/lartc.cookbook.synflood-protect.html
>and
>http://lartc.org/howto/lartc.cookbook.ultimate-tc.html

Thank you for replying! I find that POLICE_SPEC (term from tc command syntax, not found in the HOWTO) isn't very well or perhaps clearly documented. I figure the first page you sent is trying to say is that the syntax is more or less:

POLICE_SPEC = police [buffer [buffer] | maxburst [maxburst]] [mtu [mtu] | minburst [minburst]] [mpu [mpu]] [rate [rate]] (continue | drop | pass | reclassify)

However, the examples you sent are using parameter "burst" not listed above.
A novice as myself can find learning Linux traffic control a bit confusing
with this kind of discrepancies between the HOWTO, the command syntax and the
man pages.

>I'm not sure where examples are of 'estimator' usage.

If someone else here knows, please do tell.

Marko

From wdwrn@friendlycity.net Thu Oct 23 04:45:01 2003
From: wdwrn@friendlycity.net (Walter D. Wyndroski)
Date: Wed, 22 Oct 2003 23:45:01 -0400
Subject: [LARTC] iptables question
Message-ID: <010a01c39918$09f4f860$0201a8c0@mother>

This is a multi-part message in MIME format.

------=_NextPart_000_0107_01C398F6.82AC90F0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

First off, I know this is the LARTC list, but I've been living on this list
for over a year now. :) Now with that said, I'm probably going to get flamed
for my question. :)

I've read that iptables is a first match wins system. My recent experience
is showing that it is a last match wins. I understand that if a packet is
matched in prerouting chain, it may be matched again in a subsequent chain
unless the jump target was drop.

NOTE: I am not using iptables as a true firewall, much as most people on
this list do not. I'm primarily using iptables to mark packets and drop them
for securing my network and to deny all traffic to my router except for a
few exclusive ports.

The following is an excerpt from my router script on how I'm handling
certain traffic to my router and this works: (This example is a last match wins)

#Deny All Traffic to Interface except SSH and ICMP
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT    #CMTS Link
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j DROP    #CMTS Link
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j DROP    #CMTS Link

##Allow SNMP Calls Via MRTG To This Interface Only
$IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
$IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT

This is how I was doing it and it worked: (This example is a first match wins)
(note: I was routing the fwmark 1 to blackhole)

##Allow SNMP Calls Via MRTG To This Interface Only
$IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
$IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT

#Deny All Traffic to Interface except SSH and ICMP
$IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT    #CMTS Link
$IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j MARK --set-mark 1    #CMTS Link
$IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j MARK --set-mark 1    #CMTS Link

I just need someone to tell me when is iptables using first match wins
versus last match wins. I think I am missing something but I am not sure. I
stay so busy with other tasks that I cannot devote the time that I need and
would like to this. Anyway, many thanks in advance.

Walt Wyndroski

* This message has been scanned by CityNET's email scanner for viruses and dangerous content
* and is believed to be clean. CityNET is proud to use MailScanner. For more information
* concerning MailScanner, visit http://www.mailscanner.info

------=_NextPart_000_0107_01C398F6.82AC90F0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
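How rule order plays out in the PREROUTING script from the post above, as an added example that is not part of the original message: a small Python model of one chain walk in which ACCEPT and DROP end traversal at the first matching rule, while MARK only sets the packet mark and lets later rules run. The rule list is a simplified transcription of the poster's mangle PREROUTING rules; the helper names and the sample packets are constructed for the illustration.

```python
"""Toy model of how one iptables chain is walked (added illustration).

ACCEPT and DROP are terminating targets: the first rule that matches with one
of them ends traversal of the chain. MARK is non-terminating: it sets the
packet mark and the walk continues, so a later MARK overwrites an earlier one.
"""

TERMINATING = {"ACCEPT", "DROP"}
ROUTER, MRTG = "172.20.0.5", "66.28.168.226"


def rule(target, mark=None, **match):
    """Build one rule; keys prefixed with not_ model the '!' negation."""
    return {"target": target, "mark": mark, "match": match}


# Simplified transcription of the poster's mangle PREROUTING rules.
PREROUTING = [
    rule("ACCEPT", iface="eth3", src=MRTG, dst=ROUTER, proto="udp", dport=161),
    rule("ACCEPT", iface="eth3", src=MRTG, dst=ROUTER, proto="udp", dport=162),
    rule("ACCEPT", iface="eth+", dst=ROUTER, proto="icmp"),
    rule("MARK", mark=1, iface="eth+", dst=ROUTER, not_proto="tcp"),
    rule("MARK", mark=1, iface="eth+", dst=ROUTER, proto="tcp", not_dport=22),
]


def field_matches(key, want, pkt):
    if key == "iface" and want.endswith("+"):
        # "eth+" matches every interface whose name starts with "eth"
        return pkt["iface"].startswith(want[:-1])
    if key.startswith("not_"):
        return pkt.get(key[4:]) != want
    return pkt.get(key) == want


def traverse(chain, pkt, policy="ACCEPT"):
    """Return (verdict, fwmark, 1-based numbers of the rules that matched)."""
    mark, hits = 0, []
    for number, r in enumerate(chain, start=1):
        if not all(field_matches(k, v, pkt) for k, v in r["match"].items()):
            continue
        hits.append(number)
        if r["target"] in TERMINATING:
            return r["target"], mark, hits      # first terminating match wins
        if r["target"] == "MARK":
            mark = r["mark"]                    # keep walking; last MARK wins
    return policy, mark, hits                   # fell off the end: chain policy


# Constructed sample packets, all addressed to the router.
SAMPLES = {
    "snmp_mrtg": dict(iface="eth3", src=MRTG, dst=ROUTER, proto="udp", dport=161),
    "snmp_other": dict(iface="eth0", src="10.0.0.9", dst=ROUTER, proto="udp", dport=161),
    "ssh": dict(iface="eth0", src="10.0.0.9", dst=ROUTER, proto="tcp", dport=22),
    "telnet": dict(iface="eth0", src="10.0.0.9", dst=ROUTER, proto="tcp", dport=23),
}

# Same rules with the MARK rules moved in front of the ACCEPT rules.
REORDERED = PREROUTING[3:] + PREROUTING[:3]

# Two MARK rules that both match a UDP packet to the router.
TWO_MARKS = [
    rule("MARK", mark=1, dst=ROUTER),
    rule("MARK", mark=2, dst=ROUTER, proto="udp"),
]

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:11} as posted: {traverse(PREROUTING, pkt)}"
              f"  marks first: {traverse(REORDERED, pkt)}")
    print("two marks:", traverse(TWO_MARKS, SAMPLES["snmp_other"]))
```

With the rules as posted, the MRTG SNMP packet leaves the chain at rule 1 without a mark; with the MARK rules first it is still accepted by the table but carries mark 1, which the post says is routed to a blackhole.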
------=_NextPart_000_0107_01C398F6.82AC90F0--

From Robert Kurjata Thu Oct 23 08:13:45 2003
From: Robert Kurjata (Robert Kurjata)
Date: Thu, 23 Oct 2003 09:13:45 +0200
Subject: Re[2]: [LARTC] 'Help with routing'
In-Reply-To: <1198.200.80.32.199.1066846409.squirrel@www.argentec.com.ar>
References: <58232.200.80.32.193.1066769792.squirrel@www.argentec.com.ar> <124749988.20031022085905@ire.pw.edu.pl> <1198.200.80.32.199.1066846409.squirrel@www.argentec.com.ar>
Message-ID: <241054856.20031023091345@ire.pw.edu.pl>

Hello nixo,

In your message dated 22 October 2003 (20:13:29) one can read:

Seems like I didn't read your posting deeply enough.
Before I can help I need to know some more details.
Why are you using multipath default gateway?
If you just need to make a proper routing for two separate lans going
through one machine, not mixing them you should never use it. It's useful
for NAT-ed lan inside, not for public IP's.
Just create simple routes without multipath. eth0 <-> eth1 and eth2 <-> eth3.

nnca> Thank you very much for the solution, but I still have a problem and I
nnca> need help :) . The problem number one has been solved. When I trace from
nnca> any computer of my LAN, It's go out from the right ISP. But after a short
nnca> time, is like if the route was cached and it back to the same problem.
nnca> (I'm getting paranoid :-P )

nnca> The Problem number two still happens when someone from outside trace an IP
nnca> from my LAN. Always the before complete jump is responded for the
nnca> interface who correspond to the other ISP.

nnca> Do you have an idea what can be the failure... or, can I call this a
nnca> failure in my config?

nnca> THANKS VERY MUCH
nnca> Nicolas Fillon
nnca> Argentina

>> Hi nixo,
>>
>> I suppose you don't preserve properly output address see my posting
>> with script from 15th October this year :)
>> (append prohibit default:)
>>
>>
>> nnca> the scheme of my LAN is the next:
>>
>> nnca> eth0 isp1 /32
>> nnca> eth1 lan de isp1 (LAN With public IP /24)
>> nnca> eth2 isp2 /32
>> nnca> eth3 lan de isp2 (LAN With public IP /26)
>>
>> nnca> ip route add 200.47.x.x/24 dev eth0 src 200.47.4.x table 1
>> nnca> ip route add default via 200.47.4.x table 1
>>
>>
>> nnca> ip route add 200.80.32.x/26 dev eth2 src 200.80.32.x table 2
>> nnca> ip route add default via 200.80.32.x table 2
>>
>>
>>
>> nnca> ip rule add from 200.47.4.x table 1
>> nnca> ip rule add from 200.80.32.x table 2
>>
>> nnca> ip route add default scope global nexthop via 200.47.4.x dev eth0 nexthop
>> nnca> via
>> nnca> 200.80.32.x dev eth2
>>
>> nnca> ******
>>
>> nnca> My problem is this: when I trace from the NETWORK of ISP1, sometimes the
>> nnca> tracer go out from the gateway of ISP2 and vice versa
>>
>> nnca> And when someone trace an IP from my LAN of ISP1, it`s showme as before
>> nnca> complete the gateway from ISP2 y vice versa.
>>
>>
>> nnca> Mi question is: what is wrong in my config...??? What I need to put or is
>> nnca> anything wrong with this config???.
>> nnca> THANKS VERY MUCH AND SORRY FOR MI HIGHSCHOOL ENGLISH.
>>
>>

--
Greetings,
Robert mailto:rkurjata@ire.pw.edu.pl

From devik@cdi.cz Thu Oct 23 09:42:00 2003
From: devik@cdi.cz (devik)
Date: Thu, 23 Oct 2003 10:42:00 +0200 (CEST)
Subject: [LARTC] New overhead and MPU features in HTB
Message-ID:

This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.
--8323328-1481714261-1066898520=:1003 Content-Type: TEXT/PLAIN; charset=US-ASCII I just wanted to inform that there is new patch donated by Walter Karshat which implements packet overhead and MPU computations to the rate table. See diff for details on arguments. No tc binary available yet at I have to compile it on system with older glibc (not everyone use 2.3.2). ------------------------------- Martin Devera aka devik Linux kernel QoS/HTB maintainer http://luxik.cdi.cz/~devik/ --8323328-1481714261-1066898520=:1003 Content-Type: TEXT/PLAIN; charset=US-ASCII; name="htb_tc_overhead.diff" Content-Transfer-Encoding: BASE64 Content-ID: Content-Description: Content-Disposition: attachment; filename="htb_tc_overhead.diff"
--8323328-1481714261-1066898520=:1003-- From Kurniawan" Message-ID: <000001c39946$824164b0$8201a8c0@kurniawan> ----- Original Message ----- From: To: Sent: Thursday, October 23, 2003 11:05 AM Subject: LARTC digest, Vol 1 #1420 - 10 msgs > Send LARTC mailing list submissions to > lartc@mailman.ds9a.nl > > To subscribe or unsubscribe via the World Wide Web, visit > http://mailman.ds9a.nl/mailman/listinfo/lartc > or, via email, send a message with subject or body 'help' to > lartc-request@mailman.ds9a.nl > > You can reach the person managing the list at > lartc-admin@mailman.ds9a.nl > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of LARTC digest..." > > > Today's Topics: > > 1. Re: "Help with routing" (Robert Kurjata) > 2. Need Suggestion on CBQ Rules. (Raghuveer K) > 3. Per host Traffic Shaping bridge, using DSCP (Warwick Chapman) > 4. nexthop reachability (Vadiraj C S) > 5. Re: 'Help with routing' (nixo@nixo.com.ar) > 6. Split access problems. (Mike Taekema) > 7. Re: Per host Traffic Shaping bridge, using DSCP (Stef Coene) > 8.
esfq (ThE PhP_KiD) > 9. RE: Missing parameter descriptions (Marko Buuri) > 10. iptables question (Walter D. Wyndroski) > > --__--__-- > > Message: 1 > Date: Wed, 22 Oct 2003 08:59:05 +0200 > From: Robert Kurjata > Reply-To: Robert Kurjata > To: nixo@nixo.com.ar > Cc: lartc@mailman.ds9a.nl > Subject: Re: [LARTC] "Help with routing" > > Hi nixo, > > I suppose you don't preserve properly output address see my postting > with script from 15th October this year :) > (append prohibit default:) > > > nnca> the scheme of my LAN is the next: > > nnca> eth0 isp1 /32 > nnca> eth1 lan de isp1 (LAN With public IP /24) > nnca> eth2 isp2 /32 > nnca> eth3 lan de isp2 (LAN With public IP /26) > > nnca> ip route add 200.47.x.x/24 dev eth0 src 200.47.4.x table 1 > nnca> ip route add default via 200.47.4.x table 1 > > > nnca> ip route add 200.80.32.x/26 dev eth2 src 200.80.32.x table 2 > nnca> ip route add default via 200.80.32.x table 2 > > > > nnca> ip rule add from 200.47.4.x table 1 > nnca> ip rule add from 200.80.32.x table 2 > > nnca> ip route add default scope global nexthop via 200.47.4.x dev eth0 nexthop > nnca> via > nnca> 200.80.32.x dev eth2 > > nnca> ****** > > nnca> My problem is this: when I trace from the NETWORK of ISP1, sometimes the > nnca> tracer go out from the gateway of ISP2 and vice versa > > nnca> And when someone trace an IP from my LAN of ISP1, it`s showme as before > nnca> complete the gateway from ISP2 y vice versa. > > > nnca> Mi question is: what is wrong in my config...??? What I need to put or is > nnca> anything wrong with this config???. > nnca> THANKS VERY MUCH AND SORRY FOR MI HIGHSCHOOL ENGLISH. 
> > > nnca> _______________________________________________ > nnca> LARTC mailing list / LARTC@mailman.ds9a.nl > nnca> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > > > > -- > Greetings, > Robert mailto:rkurjata@ire.pw.edu.pl > > > --__--__-- > > Message: 2 > Date: Wed, 22 Oct 2003 13:12:21 +0530 > From: Raghuveer K > Reply-To: Raghuveer K > Organization: Global Security One Ltd. > To: Stef Coene > Cc: lartc@mailman.ds9a.nl, > "Martin A. Brown" > Subject: [LARTC] Need Suggestion on CBQ Rules. > > Stef Coene wrote: > > >On Tuesday 23 September 2003 07:56, Raghuveer wrote: > > > > > >>Here are the rules Iam applying to control outgoing traffic at WAN(eth0) > >>interface for public hosted services. > >>Here actual Isp rate = 512Kbit, rate taken = 97% of 512Kbit, eth0 ip is > >>192.168.1.2 > >> > >>tc qdisc add dev eth0 root handle 1: cbq bandwidth 100Mbit avpkt 1000 cell > >>8 tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate > >>497Kbit weight 49Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000 > >>bounded > >>/* Hosted http server bandwidth = 64Kbit */ > >>tc class add dev eth0 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate > >>64Kbit weight 6Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000 > >>tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src > >>192.168.1.2 match ip sport 80 0xffff classid 1:2 > >> > >>/* Hosted ftp server bandwidth = 64Kbit */ > >>tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate > >>64Kbit weight 6Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000 > >>tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src > >>192.168.1.2 match ip sport 21 0xffff classid 1:3 > >> > >>/* Default : Rest/Other traffic */ > >>tc class add dev eth0 parent 1:1 classid 1:4 cbq bandwidth 100Mbit rate > >>369Kbit weight 40Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000 > >>/* Here I want replace the below rule with a simple rule based only on > >>port 
i.e by using some default port other than 80, 21 as sport, which > >>according to your last mail is not possible, hence pls check whether the > >>below rule will do for remaining traffic */ > >>tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src > >>0/0 match ip dst 0/0 classid 1:4 > >> > >>Pls let me know whether the above rules are framed correctly or can be > >>done in a better way. > >> > >> > >I can't do it better then you did :) > > > > > Stef, > Traffic Control is not taking place after applying the above rules. Here > follows the test setup:- > 1. The linux m/c 's eth0(100Mbits, WAN) is connected to 128 Kbits ADSL > and eth1 to the LAN. > 2. I tried doing traffic control for incoming(at eth1) and outgoing(at > eth0) traffic using CBQ(above rules). > 3. In LAN, I connected 3 m/c's(all linux). > 4. The ISP rate taken is 97% of 128Kbits. > 5. Bandwidth Monitoring is done by using IPTraf on each LAN m/c's. > > I have few observations and queries, as follows:-- > 1. Here the ISP rate is fluctuating in the range of 21Kbits to 131 Kbits > for 128Kbits ADSL. > 2. I have not added any filter for the parent class. Is it required...? > What happens if I add...? > 3. Is "iptraf " tool OK for monitoring the distribution of bandwidth on > each LAN m/c. > 4. Whether shall I take outgoing and incoming ISP rate's in 30:70 ratio, > i.e 30% if 128Kbits for outgoing Qdisc(eth0) and 70% for incoming > Qdisc(eth1). As 128 Kbits rate being asyncronous(ADSL). > > Can you pls guide me where amI going wrong..? > > Regards > -Raghu > > >Stef > > > > > > > > > -- > ****** This email is confidential and is intended for the original recipient(s) > only. If you have erroneously received this mail, please delete it immediately > and notify the sender. Unauthorized copying, disclosure or distribution of the > material in this mail is prohibited. Views expressed in this mail are those of > the individual sender and do not bind Gsec1 Limited. 
or its subsidiary, unless > the sender has done so expressly with due authority of Gsec1.****** > > > > > --__--__-- > > Message: 3 > Date: Wed, 22 Oct 2003 11:39:51 +0200 > From: Warwick Chapman > To: lartc@mailman.ds9a.nl > Cc: anthon@ws.co.za > Subject: [LARTC] Per host Traffic Shaping bridge, using DSCP > > Howdy > > We would like to set up a Linux Bridge to replace a FreeBSD/ipfw box > doing shaping. Currently, we can only chape per IP/protocol on the > FreeBSD box, and not by type of traffic (local/international). > > Our upstream provider, Internet Solutions (www.is.co.za) differentiates > between Local and International Bandwidth as follows: > "Local traffic DSCP bit is set to 20. International is set to 18." > > What steps would be involved in, say, setting up shaping to a host to > give it a 32kb International and 64 local. Would it be possible to > allow bursting when bandwidth is available? > > I have read the LARTC Guide at lartc.org, which has an example of how to > shape an particular host, but not how to incorporate matching the DSCP bit. > > I'm assuming iptables is used to match the DSCP bit, something like the > following: > # iptables -t mangle -A INPUT -m dscp --dscp 16 -j ???? > > Once it is matched, though, how does on force it into a queue? Or am I > thinking of this in the wrong way? > > Regards > > Warwick Chapman > Marketing and Operations > Thusa Business Support cc > > Cellular: +27 83 7797 094 > Telephone: +27 31 563 1180 > Facsimile: +27 31 563 1182 > Website: http://www.thusa.co.za > > -- There are 10 types of people in this world. Those > who understand binary, and those who don't. > > > > --__--__-- > > Message: 4 > Date: Wed, 22 Oct 2003 16:49:39 +0530 (IST) > From: Vadiraj C S > To: lartc@mailman.ds9a.nl > Subject: [LARTC] nexthop reachability > > Hello all, > > I was just wondering If i could do this.. 
> > > Local___ public_________Gateway1 > Subnet IP > > > local net |------192.168.1.1--| Internet > 192.168.1.0-----| |-------202.202.1.1 > |------202.202.1.6--| > > here goes my routing table > > at any subnet say 192.168.1.2 i want some thing like this > > 1] route to 202.202.1.0/24 via 192.168.1.1 > > 2] default gateway via 202.202.1.1 > > but at second routing configuration I get host unreachable error by both > route and ip route command.. > Though there is route to 202 network via 192.168.1.1 it says unreachable > but I can ping to 202 network.. > > what should I do to achieve this? > > Why I need to do is for dead gateway detection, I do not want to check > the nexthop reachable or not, i need to know if ISP is reachable.. > > Any support will be grateful!! > > > regards > Vadiraj C S > > > --__--__-- > > Message: 5 > Date: Wed, 22 Oct 2003 15:13:29 -0300 (ART) > Subject: Re: [LARTC] 'Help with routing' > From: > To: > Cc: , > > Thank you very much for the solution, but I still have a problem and I > need help :) . The problem number one has been solved. When I trace from > any computer of my LAN, It`s go out from the right ISP. But after a short > time, is like if the rute was chached and it back to the same problem. > (I´m getting paranoic :-P ) > > The Problem number two still happens when someone from outside trace an IP > from mi LAN. Always the before complete jump is responded for the > interface who correnspond to the other ISP. > > Do you have an idea what can be the failure... or, can I call this a > failure in my config? 
> > THANKS VERY MUCH > Nicolas Fillon > Argentina > > > Hi nixo, > > > > I suppose you don't preserve properly output address see my postting > > with script from 15th October this year :) > > (append prohibit default:) > > > > > > nnca> the scheme of my LAN is the next: > > > > nnca> eth0 isp1 /32 > > nnca> eth1 lan de isp1 (LAN With public IP /24) > > nnca> eth2 isp2 /32 > > nnca> eth3 lan de isp2 (LAN With public IP /26) > > > > nnca> ip route add 200.47.x.x/24 dev eth0 src 200.47.4.x table 1 > > nnca> ip route add default via 200.47.4.x table 1 > > > > > > nnca> ip route add 200.80.32.x/26 dev eth2 src 200.80.32.x table 2 > > nnca> ip route add default via 200.80.32.x table 2 > > > > > > > > nnca> ip rule add from 200.47.4.x table 1 > > nnca> ip rule add from 200.80.32.x table 2 > > > > nnca> ip route add default scope global nexthop via 200.47.4.x dev eth0 > > nexthop nnca> via > > nnca> 200.80.32.x dev eth2 > > > > nnca> ****** > > > > nnca> My problem is this: when I trace from the NETWORK of ISP1, > > sometimes the nnca> tracer go out from the gateway of ISP2 and vice > > versa > > > > nnca> And when someone trace an IP from my LAN of ISP1, it`s showme as > > before nnca> complete the gateway from ISP2 y vice versa. > > > > > > nnca> Mi question is: what is wrong in my config...??? What I need to > > put or is nnca> anything wrong with this config???. > > nnca> THANKS VERY MUCH AND SORRY FOR MI HIGHSCHOOL ENGLISH. > > > > > > nnca> _______________________________________________ > > nnca> LARTC mailing list / LARTC@mailman.ds9a.nl > > nnca> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: > > http://lartc.org/ > > > > > > > > -- > > Greetings, > > Robert mailto:rkurjata@ire.pw.edu.pl > > > > > --__--__-- > > Message: 6 > From: "Mike Taekema" > To: > Date: Wed, 22 Oct 2003 12:03:56 -0700 > Subject: [LARTC] Split access problems. > > Good day, > > I seem to be having getting my split access scripts to run properly. 
Here is > my split_access script: > > IF1=eth0 > IF2=eth1 > IP1=10.123.124.52 > IP2=10.123.124.240 > P1=10.123.124.1 > P2=10.123.124.251 > P1_NET=10.123.124.0/25 > P2_NET=10.123.124.128/25 > IFE0=eth0 > IFE1=eth1 > > > ip route flush all > > ip route add $P1_NET dev $IF1 src $IP1 table $IFE0 > ip route add default via $P1 table $IFE0 > ip route add $P2_NET dev $IF2 src $IP2 table $IFE1 > ip route add default via $P2 table $IFE1 > > ip route add $P1_NET dev $IF1 src $IP1 > ip route add $P2_NET dev $IF2 src $IP2 > > ip route add default via $P1 > > ip rule add from $IP1 table $IFE0 > ip rule add from $IP2 table $IFE1 > > exit 0 > > Now here is my rt_tables file: > > # > # reserved values > # > 255 local > 254 main > 253 default > 0 unspec > 2 eth0 > 4 eth1 > # > # local > # > 1 inr.ruhep > > Now when I run the script I get these errors: (run script using sh -x > split_access) > > + IF1=eth0 > + IF2=eth1 > + IP1=10.123.124.52 > + IP2=10.123.124.240 > + P1=10.123.124.1 > + P2=10.123.124.251 > + P1_NET=10.123.124.0/25 > + P2_NET=10.123.124.128/25 > + IFE0=eth0 > + IFE1=eth1 > + ip route flush all > + ip route add 10.123.124.0/25 dev eth0 src 10.123.124.52 table eth0 > + ip route add default via 10.123.124.1 table eth0 > + ip route add 10.123.124.128/25 dev eth1 src 10.123.124.240 table eth1 > + ip route add default via 10.123.124.251 table eth1 > RTNETLINK answers: File exists > + ip route add 10.123.124.0/25 dev eth0 src 10.123.124.52 > RTNETLINK answers: File exists > + ip route add 10.123.124.128/25 dev eth1 src 10.123.124.240 > RTNETLINK answers: File exists > + ip route add default via 10.123.124.1 > RTNETLINK answers: File exists > + ip rule add from 10.123.124.52 table eth0 > RTNETLINK answers: Invalid argument > + ip rule add from 10.123.124.240 table eth1 > RTNETLINK answers: Invalid argument > + exit 0 > > > Why am I getting "file exists and Invalid arguments again? > > > Thanks in advance > > > -Mike T. 
>
>
>
>
> --__--__--
>
> Message: 7
> From: Stef Coene
> To: Warwick Chapman, lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Per host Traffic Shaping bridge, using DSCP
> Date: Wed, 22 Oct 2003 22:06:04 +0200
> Cc: anthon@ws.co.za
>
> On Wednesday 22 October 2003 11:39, Warwick Chapman wrote:
> > Howdy
> >
> > We would like to set up a Linux Bridge to replace a FreeBSD/ipfw box
> > doing shaping. Currently, we can only shape per IP/protocol on the
> > FreeBSD box, and not by type of traffic (local/international).
> >
> > Our upstream provider, Internet Solutions (www.is.co.za) differentiates
> > between Local and International Bandwidth as follows:
> > "Local traffic DSCP bit is set to 20. International is set to 18."
> >
> > What steps would be involved in, say, setting up shaping to a host to
> > give it a 32kb International and 64 local. Would it be possible to
> > allow bursting when bandwidth is available?
> >
> > I have read the LARTC Guide at lartc.org, which has an example of how to
> > shape a particular host, but not how to incorporate matching the DSCP bit.
> >
> > I'm assuming iptables is used to match the DSCP bit, something like the
> > following:
> > # iptables -t mangle -A INPUT -m dscp --dscp 16 -j ????
> >
> > Once it is matched, though, how does one force it into a queue? Or am I
> > thinking of this in the wrong way?
> If the packets are marked with iptables, you can use the fw filter to put the
> packets in a class.
> iptables -t mangle -A INPUT -m dscp --dscp 16 -j MARK --set-mark 2
>
> Stef
>
> --
> stef.coene@docum.org
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.openprojects.net
>
>
> --__--__--
>
> Message: 8
> From: "ThE PhP_KiD"
> To:
> Date: Wed, 22 Oct 2003 17:45:22 -0300
> Subject: [LARTC] esfq
>
> hi,
>
> I want to try esfq in order to make a load balance
> in my linux router, (both, lan side and internet side)
>
> I want that all hosts of my lan have the same bandwidth
> available.
>
> Since linux router are connected to an ISP which provide
> a variable bandwidth, I think that can't use HTB.
>
> Also, in this situation, how can I do to prioritize some
> LAN hosts from others ?
>
> Thank you very much in advance.
>
> Andres.
>
>
>
>
> --__--__--
>
> Message: 9
> Reply-To:
> From: "Marko Buuri"
> To:
> Subject: RE: [LARTC] Missing parameter descriptions
> Date: Mon, 20 Oct 2003 10:53:34 +0300
>
> >Damion de Soto wrote:
> >Marko Buuri wrote:
> >> I've been looking for descriptions of qdisc parameter "estimator" and u32
> >> parameter "police" (defined by POLICE_SPEC), but in vain. I hope someone on
> >> this list can explain these.
> >Have you seen :
> >http://lartc.org/howto/lartc.adv-filter.policing.html
> >with examples for 'police'
> >http://lartc.org/howto/lartc.cookbook.synflood-protect.html
> >and
> >http://lartc.org/howto/lartc.cookbook.ultimate-tc.html
>
> Thank you for replying!
>
> I find that POLICE_SPEC (term from tc command syntax, not found in the
> HOWTO) isn't very well or perhaps clearly documented. I figure the first
> page you sent is trying to say is that the syntax is more or less:
>
> POLICE_SPEC = police [buffer [buffer] | maxburst [maxburst]] [mtu [mtu]
> | minburst [minburst]] [mpu [mpu]] [rate [rate]] (continue | drop | pass
> | reclassify)
>
> However, the examples you sent are using parameter "burst" not listed
> above. A novice as myself can find learning Linux traffic control a bit
> confusing with this kind of discrepancies between the HOWTO, the command
> syntax and the man pages.
>
> >I'm not sure where examples are of 'estimator' usage.
>
> If someone else here knows, please do tell.
>
>
> Marko
>
>
> --__--__--
>
> Message: 10
> From: "Walter D. Wyndroski"
> To:
> Date: Wed, 22 Oct 2003 23:45:01 -0400
> Subject: [LARTC] iptables question
>
> First off, I know this is the LARTC list, but I've been living on this list
> for over a year now. :) Now with that said, I'm probably going to get flamed
> for my question. :)
>
> I've read that iptables is a first match wins system. My recent experience
> is showing that it is a last match wins. I understand that if a packet is
> matched in prerouting chain, it may be matched again in a subsequent chain
> unless the jump target was drop.
>
> NOTE: I am not using iptables as a true firewall, much as most people on
> this list do not. I'm primarily using iptables to mark packets and drop them
> for securing my network and to deny all traffic to my router except for a
> few exclusive ports.
>
> The following is an excerpt from my router script on how I'm handling
> certain traffic to my router and this works: (This example is a last match wins)
>
> #Deny All Traffic to Interface except SSH and ICMP
> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT #CMTS Link
> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j DROP #CMTS Link
> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j DROP #CMTS Link
>
> ##Allow SNMP Calls Via MRTG To This Interface Only
> $IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
> $IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT
>
> This is how I was doing it and it worked: (This example is a first match wins)
> (note: I was routing the fwmark 1 to blackhole)
>
> ##Allow SNMP Calls Via MRTG To This Interface Only
> $IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
> $IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT
>
> #Deny All Traffic to Interface except SSH and ICMP
> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT #CMTS Link
> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j MARK --set-mark 1 #CMTS Link
> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j MARK --set-mark 1 #CMTS Link
>
> I just need someone to tell me when is iptables using first match wins
> versus last match wins. I think I am missing something but I am not sure. I
> stay so busy with other tasks that I cannot devote the time that I need and
> would like to this. Anyway, many thanks in advance.
>
>
> Walt Wyndroski
> **********************************************************************************************
> * This message has been scanned by CityNET's email scanner for viruses and dangerous content *
> * and is believed to be clean. CityNET is proud to use MailScanner. For more information *
> * concerning MailScanner, visit http://www.mailscanner.info *
> **********************************************************************************************
>
>
> --__--__--
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc
>
>
> End of LARTC Digest
>

From skoylu@gizemcafe.net Thu Oct 23 10:25:41 2003
From: skoylu@gizemcafe.net (skoylu@gizemcafe.net)
Date: Thu, 23 Oct 2003 12:25:41 +0300 (EEST)
Subject: [LARTC] possible classifier problem..
Message-ID: <32809.212.174.154.129.1066901141.squirrel@mail.gizemcafe.net>

I'm using MDK 9.1 with stock kernel (2.4.21) and tc/iproute2 tools from
distro CD.. I create a simple script for bandwidth shaping:

#!/bin/bash

INET_DEV=eth0
MTU=1500

ifconfig $INET_DEV mtu $MTU

# root qdisc
tc qdisc del dev eth0 root
tc qdisc add dev $INET_DEV root handle 1:0 htb default 0

# leased lines pool
tc class add dev $INET_DEV parent 1:0 classid 1:1 htb rate 1mbit burst 64k

# shared pool #1
tc class add dev $INET_DEV parent 1:0 classid 1:1000 htb rate 128kbit burst 32k

# leased lines for pool #1
TC="tc class add dev $INET_DEV parent 1:1 classid"
P2_CIR=128kbit
P2_EIR=512kbit
P1_CIR=64kbit
P1_EIR=384kbit

$TC 1:10 htb rate $P2_CIR ceil $P2_EIR
$TC 1:20 htb rate $P2_CIR ceil $P2_EIR
$TC 1:30 htb rate $P2_CIR ceil $P2_EIR
$TC 1:40 htb rate $P1_CIR ceil $P1_EIR
$TC 1:50 htb rate $P1_CIR ceil $P1_EIR
$TC 1:60 htb rate $P1_CIR ceil $P1_EIR
$TC 1:70 htb rate $P1_CIR ceil $P1_EIR
$TC 1:80 htb rate $P1_CIR ceil $P1_EIR
$TC 1:90 htb rate $P1_CIR ceil $P1_EIR
$TC 1:100 htb rate $P1_CIR ceil $P1_EIR

for i in 1 2 3 4 5 6 7 8 9 10; do
    tc qdisc add dev $INET_DEV parent 1:${i}0 handle ${i}0: sfq perturb 10
done

FILTER="tc filter add dev $INET_DEV parent 1:0 protocol ip prio 1 u32 match ip src"

$FILTER 212.175.109.80/28 flowid 1:10
$FILTER 212.174.154.130/32 flowid 1:10
$FILTER 212.175.109.192/30 flowid 1:40
$FILTER 212.175.109.196/30 flowid 1:20
$FILTER 212.175.109.200/30 flowid 1:30
$FILTER 212.175.109.204/30 flowid 1:50
$FILTER 212.175.109.208/30 flowid 1:60
$FILTER 212.175.109.212/30 flowid 1:70
$FILTER 212.175.109.216/30 flowid 1:80
$FILTER 212.175.109.220/30 flowid 1:90
$FILTER 212.175.109.224/30 flowid 1:100

Script run OK. No problem (for first run, tc qdisc del.. a small problem,
but this normal situation (?))

This pools and IP blocks always used. For 3-5 minutes later,
"tc -s -d qdisc show" output :

qdisc sfq 100: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 162 bytes 3 pkts (dropped 0, overlimits 0)
qdisc sfq 90: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 162 bytes 3 pkts (dropped 0, overlimits 0)
qdisc sfq 80: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 70: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 60: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 50: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 40: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 162 bytes 3 pkts (dropped 0, overlimits 0)
qdisc sfq 30: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 20: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 10: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 162 bytes 3 pkts (dropped 0, overlimits 0)
qdisc htb 1: r2q 10 default 0 direct_packets_stat 136364 ver 3.7
 Sent 53087429 bytes 136376 pkts (dropped 0, overlimits 0)

I'm refused !. I tried original HTB/LARTC documentation samples, but this
samples show same output: classifiers don't run.. I'm can completely failed
or tc filter (qdisc/filter/class etc..) failed..

Thanks and excuse me for poor English..
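The counters in the post above can be checked mechanically: with `htb default 0`, packets that no filter classifies go through HTB's direct queue, unshaped, and are counted in `direct_packets_stat`. The following is an added example, not part of the original post; it parses the pasted `tc -s -d qdisc show` output (embedded inline) and reports how much traffic bypassed the classes. The function and field names are illustrative.

```python
import re

# Sample input: the "tc -s -d qdisc show" output quoted in the post above.
TC_OUTPUT = """\
qdisc sfq 100: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 162 bytes 3 pkts (dropped 0, overlimits 0)
qdisc sfq 90: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 162 bytes 3 pkts (dropped 0, overlimits 0)
qdisc sfq 80: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 70: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 60: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 50: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 40: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 162 bytes 3 pkts (dropped 0, overlimits 0)
qdisc sfq 30: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 20: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 10: quantum 590b limit 128p flows 128/1024 perturb 10sec
 Sent 162 bytes 3 pkts (dropped 0, overlimits 0)
qdisc htb 1: r2q 10 default 0 direct_packets_stat 136364 ver 3.7
 Sent 53087429 bytes 136376 pkts (dropped 0, overlimits 0)
"""

QDISC_RE = re.compile(r"^qdisc\s+(?P<kind>\S+)\s+(?P<handle>[0-9a-fA-F]+):\s*(?P<opts>.*)$")
SENT_RE = re.compile(r"Sent\s+(?P<bytes>\d+)\s+bytes\s+(?P<pkts>\d+)\s+pkts")
DIRECT_RE = re.compile(r"\bdirect_packets_stat\s+(\d+)")
DEFAULT_RE = re.compile(r"\bdefault\s+(\S+)")


def parse_qdiscs(text):
    """Return one dict per qdisc: kind, handle, byte/packet counters, HTB extras."""
    qdiscs = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = QDISC_RE.match(line)
        if header:
            current = {
                "kind": header.group("kind"),
                "handle": header.group("handle"),
                "bytes": 0,
                "pkts": 0,
            }
            opts = header.group("opts")
            direct = DIRECT_RE.search(opts)
            if direct:
                current["direct_pkts"] = int(direct.group(1))
            default = DEFAULT_RE.search(opts)
            if default:
                current["default"] = default.group(1)
            qdiscs.append(current)
            continue
        sent = SENT_RE.search(line)
        if sent and current is not None:
            # The "Sent ..." statistics line belongs to the preceding header.
            current["bytes"] = int(sent.group("bytes"))
            current["pkts"] = int(sent.group("pkts"))
    return qdiscs


def htb_report(text):
    """Compare packets that reached leaf qdiscs with packets HTB sent direct."""
    qdiscs = parse_qdiscs(text)
    root = next(q for q in qdiscs if q["kind"] == "htb")
    leaves = [q for q in qdiscs if q["kind"] != "htb"]
    total = root["pkts"]
    direct = root.get("direct_pkts", 0)
    return {
        "default": root.get("default"),
        "total_pkts": total,
        "direct_pkts": direct,
        "classified_pkts": sum(q["pkts"] for q in leaves),
        "direct_share": direct / total if total else 0.0,
        "idle_leaves": sorted(q["handle"] for q in leaves if q["pkts"] == 0),
    }


if __name__ == "__main__":
    report = htb_report(TC_OUTPUT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On this output the ten leaves account for 12 packets and the direct queue for the remaining 136364, so practically none of the traffic matched a `u32` filter.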

From y.huang@cs.ucl.ac.uk Thu Oct 23 10:59:28 2003
From: y.huang@cs.ucl.ac.uk (Yangcheng HUANG)
Date: Thu, 23 Oct 2003 10:59:28 +0100
Subject: [LARTC] Short Packets Dropping Problems when using linux router
Message-ID: <3F97A680.7080702@cs.ucl.ac.uk>

When using redhat8 as routers to forward short udp packets (40 bytes
length), I found 40 % of all packets have been dropped by the router. Iperf
is used to generate the UDP traffic.

Any information about this?

Thanks a lot!

H

From rmocius@auste.elnet.lt Thu Oct 23 11:00:28 2003
From: rmocius@auste.elnet.lt (Remus)
Date: Thu, 23 Oct 2003 11:00:28 +0100
Subject: [LARTC] IMQ and kernel 2.6 again
References:
Message-ID: <00e401c3994c$8fa1b690$6e69690a@RIMAS>

Hi folks

I'm just writing about the same, sorry. :-)

Does anybody have changed IMQ source code to patch 2.6 kernel?

I know somebody did it, because I asked Patrick McHardy about patch and he
told he got it from a few users but he is not at home yet (maybe holiday,
business trip or whatever) and cannot send to me yet.

Can anybody share the updated IMQ patch for the 2.6 kernel, please?

Regards

Remus

From eturner@monash.edu.my Thu Oct 23 11:47:45 2003
From: eturner@monash.edu.my (Edmund Turner)
Date: Thu, 23 Oct 2003 18:47:45 +0800
Subject: [LARTC] (no subject)
Message-ID: <000001c39953$18279b50$de0018ac@admin.monash.edu.my>

Hey guys and gals,

Sorry for the 'newbie' question, but I would like to get some help on
configuring my HTB qdiscs for my network.

My network setup:

LAN --> Firewall --> Router -->Internet
           |
           |
           --> DMZ

So much for the Ascii artist in me. :)

The firewall has 3 interfaces:
Eth0 = LAN --> 100Mbps NIC
Eth1 = DMZ --> 100Mbps NIC
Eth2 = Internet --> 4MB link to internet

Background:

DMZ Zone Eth1: Web/FTP, and SMTP servers. (100Mbps switches and NICs)
I notice that users download A LOT of data at high transfer rates from
servers in DMZ zone.
WEB/FTP server :10.100.1.1/24
SMTP server:10.100.1.2/24

LAN Eth0: I have 3 different VLANs to categorize the 3 different departments.
VLAN1 -192.168.1.0/24
VLAN2 -192.168.2.0/24
VLAN3 -192.168.3.0/24

External Eth2 : 4MB Leased line to the internet.

Currently my router that is connected to the 4MB leased line is becoming the
bottleneck! How do I make the firewall Eth0 become the bottleneck????

My objectives:
1.) I want to limit the bandwidth from the WEB/FTP servers from the DMZ to
either the internet or the LAN.

This is what I did:

tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbps ceil 256kbps prio 7
tc filter add dev eth0 protocol ip parent 1:1 prio 7 handle 7 fw classid 1:10

tc qdisc add dev eth1 root handle 2: htb default 10
tc class add dev eth1 parent 2: classid 2:1 htb rate 3840kbps
tc class add dev eth1 parent 2:1 classid 2:10 htb rate 128kbps ceil 128kbps prio 7
tc filter add dev eth1 protocol ip parent 2:1 prio 7 handle 7 fw classid 2:10

tc qdisc add dev eth2 root handle 3: htb default 10
tc class add dev eth2 parent 3: classid 3:1 htb rate 3840kbps
tc class add dev eth2 parent 3:1 classid 3:10 htb rate 128kbps prio 7
tc filter add dev eth2 protocol ip parent 3:1 prio 7 handle 7 fw classid 3:10

/sbin/iptables -A PREROUTING -i eth1 -s 10.100.1.1 -t mangle -j MARK --set-mark 7
/sbin/iptables -A PREROUTING -i eth1 -d 10.100.1.1 -t mangle -j MARK --set-mark 7

After testing via FTP/web downloads, it appears that I've managed to limit
the amount of bandwidth thru and from the FTP/WEB server from the DMZ.

All other traffic (internet surfing etc) will fall into the default rules,
correct?

Did I miss anything out?
I would like to limit the max amount of bandwidth on Eth0 to 10MB
I would like to limit the max amount of bandwidth on Eth0 to 3840kbps
I would like to limit the max amount of bandwidth on Eth2 to 3840kbps.
(4MB leased line to internet.)

Did I accomplish this?

Any help in anyway is appreciated!

Regards
edmund

From le-hen_j@epita.fr Thu Oct 23 13:42:53 2003
From: le-hen_j@epita.fr (jeremie le-hen)
Date: Thu, 23 Oct 2003 14:42:53 +0200
Subject: [LARTC] IMQ and kernel 2.6 again
In-Reply-To: <00e401c3994c$8fa1b690$6e69690a@RIMAS>
References: <00e401c3994c$8fa1b690$6e69690a@RIMAS>
Message-ID: <20031023124253.GC1094@carpediem.epita.fr>

Hi,

please avoid using "reply to" on a message when you want to start a new
thread. This is annoying when you use a thread view of mails.

Thank you. :-)

--
Jeremie LE HEN aka TtZ/TataZ
jeremie.le-hen@epita.fr ttz@epita.fr
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!

From wdwrn@friendlycity.net Thu Oct 23 15:50:27 2003
From: wdwrn@friendlycity.net (Walter D. Wyndroski)
Date: Thu, 23 Oct 2003 10:50:27 -0400
Subject: [LARTC] iptables question
References: <010a01c39918$09f4f860$0201a8c0@mother> <181762173.20031023092532@ire.pw.edu.pl>
Message-ID: <011f01c39974$ffc0fe40$0201a8c0@mother>

Yes I see that. But what I am concerned with is the two snmp rules that
follow those. If I put the snmp rules ahead, they don't match. If I put them
after, then they do match. I pasted the rules again to make it easier to see.

#Deny All Traffic to Interface except SSH and ICMP
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT #CMTS Link
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j DROP #CMTS Link
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j DROP #CMTS Link

##Allow SNMP Calls Via MRTG To This Interface Only
$IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
$IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT

Walt Wyndroski

----- Original Message -----
From: "Robert Kurjata"
To: "Walter D. Wyndroski"
Sent: Thursday, October 23, 2003 3:25 AM
Subject: Re: [LARTC] iptables question

> Hello Walter,
>
> In your letter dated 23 October 2003 (05:45:01) one can read:
>
> WDW> First off, I know this is the LARTC list, but I've
> WDW> been living on this list for over a year now. :) Now with that said, I'm
> WDW> probably going to get flamed for my question. :)
>
> No flames, but direct answer :)
>
> WDW>
>
> WDW> I've read that iptables is a first match wins
> WDW> system. My recent experience is showing that it is a last match wins. I
> WDW> understand that if a packet is matched in prerouting chain, it may be matched
> WDW> again in a subsequent chain unless the jump target was drop.
>
> I think you should consider it like First Matched Wins :) so It's
> working fine. I don't see why you're saying that first example is last
> match wins. It just depends on packet:
>
> (lets see the example where only first three lines are in the script)
>
> icmp - first matched and accepted
> not tcp - (udp) - matched and dropped
> tcp dst port other than 22 - matched and dropped
>
> tcp dst port 22 matched by default chain policy (dropped or accepted)
>
>
>
>
> WDW>
> WDW> NOTE: I am not using iptables as a true firewall,
> WDW> much as most people on this list do not. I'm primarily using iptables to mark
> WDW> packets and drop them for securing my network and to deny all traffic to my
> WDW> router except for a few exclusive ports.
> WDW> The following is an excerpt from my router script
> WDW> on how I'm handling certain traffic to my router and this works: (This example
> WDW> is a last match wins)
> WDW> #Deny All Traffic to Interface except SSH and ICMP
> WDW> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j
> WDW> ACCEPT
> WDW> #CMTS Link
> WDW> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j
> WDW> DROP
> WDW> #CMTS Link
> WDW> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22
> WDW> -j DROP #CMTS Link
> WDW> ##Allow SNMP Calls Via MRTG To This Interface Only
> WDW> $IPTABLES -A FORWARD
> WDW> -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j
> WDW> ACCEPT
> WDW> $IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst
> WDW> 172.20.0.5 -p udp --dport 162 -j ACCEPT
> WDW> This is how I was doing it and it worked: (This example is a first
> WDW> match wins)
> WDW> (note: I was routing the fwmark 1 to blackhole)
> WDW> ##Allow SNMP Calls Via MRTG To This Interface Only
> WDW> $IPTABLES -A
> WDW> PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport
> WDW> 161 -j ACCEPT
> WDW> $IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226
> WDW> --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT
> WDW> #Deny All Traffic to Interface except SSH and ICMP
> WDW> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j
> WDW> ACCEPT
> WDW> #CMTS Link
> WDW> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp
> WDW> -j MARK --set-mark
> WDW> 1
> WDW> #CMTS Link
> WDW> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport !
> WDW> 22 -j MARK --set-mark 1 #CMTS Link
>
> WDW>
>
> WDW> I just need someone to tell me when is iptables using first match wins
> WDW> versus last match wins. I think I am missing something but I am not sure. I stay
> WDW> so busy with other tasks that I cannot devote the time that I need and would
> WDW> like to this. Anyway, many thanks in advance.
>
> WDW>
>
> WDW> Walt Wyndroski
>
> --
> Regards,
> Robert mailto:rkurjata@ire.pw.edu.pl
>

From ionut@topall.ro Fri Oct 24 01:49:54 2003
From: ionut@topall.ro (ionut@topall.ro)
Date: Thu, 23 Oct 2003 20:49:54 -0400 (EDT)
Subject: [LARTC] quantum for classes
Message-ID: <1232.80.97.103.2.1066956594.squirrel@ns2.topall.ro>

I use this script for traffic shaping but I don't understand how to use
quantum and burst

#!/bin/bash
echo "####sterge regula veche###########"
tc qdisc del dev eth0 root
##################################
echo "#########aqdauga regula noua######"
tc qdisc add dev eth0 root handle 1: htb default 1
#########################################
#########total bandwidth#############
tc class add dev eth0 parent 1: classid 1:1 htb rate 640Kbit ceil 640Kbit prio 5
################################################################################
echo "#####missnet########"
tc class add dev eth0 parent 1:1 classid 1:201 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:202 htb rate 1Kbit ceil
64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:203 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:204 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:205 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:206 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:207 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:208 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:209 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:210 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:211 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:212 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:213 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:247 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:248 htb rate 1Kbit ceil 64Kbit prio 8 ################################################################################ echo "#####home user############" tc class add dev eth0 parent 1:1 classid 1:214 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:215 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:216 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:217 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:218 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:222 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:223 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:224 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:225 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:226 htb rate 1Kbit ceil 64Kbit prio 8 tc 
class add dev eth0 parent 1:1 classid 1:227 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:228 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:229 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:230 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:231 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:232 htb rate 1Kbit ceil 64Kbit prio 6 tc class add dev eth0 parent 1:1 classid 1:233 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:234 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:235 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:236 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:237 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:238 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:239 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:240 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:241 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:242 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:243 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:244 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:245 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:246 htb rate 1Kbit ceil 128Kbit prio 7 tc class add dev eth0 parent 1:1 classid 1:249 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:250 htb rate 1Kbit ceil 128Kbit prio 7 tc class add dev eth0 parent 1:1 classid 1:251 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:252 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:253 htb rate 
1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:254 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:255 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:256 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:257 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:258 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:259 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:260 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:261 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:262 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:263 htb rate 1Kbit ceil 128Kbit prio 7 tc class add dev eth0 parent 1:1 classid 1:264 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:265 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:266 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:267 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:268 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:270 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:271 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:272 htb rate 1Kbit ceil 128Kbit prio 7 tc class add dev eth0 parent 1:1 classid 1:273 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:274 htb rate 1Kbit ceil 128Kbit prio 7 tc class add dev eth0 parent 1:1 classid 1:275 htb rate 1Kbit ceil 84Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:276 htb rate 1Kbit ceil 128Kbit prio 7 tc class add dev eth0 parent 1:1 classid 1:277 htb rate 4Kbit ceil 128Kbit prio 6 tc class add dev eth0 parent 1:1 classid 1:278 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 
parent 1:1 classid 1:279 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:280 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:281 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:282 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:283 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:284 htb rate 4Kbit ceil 128Kbit prio 6 tc class add dev eth0 parent 1:1 classid 1:285 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:286 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:287 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:288 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:289 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:290 htb rate 1Kbit ceil 128Kbit prio 7 tc class add dev eth0 parent 1:1 classid 1:293 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:294 htb rate 4Kbit ceil 128Kbit prio 6 tc class add dev eth0 parent 1:1 classid 1:295 htb rate 1Kbit ceil 40Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:296 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:297 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:298 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:299 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:300 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:301 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:303 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:304 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:305 htb rate 1Kbit ceil 64Kbit prio 8 tc class add dev eth0 parent 1:1 classid 1:306 htb rate 1Kbit ceil 128Kbit 
prio 7
tc class add dev eth0 parent 1:1 classid 1:308 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:309 htb rate 1Kbit ceil 128Kbit prio 7
tc class add dev eth0 parent 1:1 classid 1:310 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:311 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:312 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:313 htb rate 1Kbit ceil 128Kbit prio 7
tc class add dev eth0 parent 1:1 classid 1:314 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:315 htb rate 4Kbit ceil 128Kbit prio 6
tc class add dev eth0 parent 1:1 classid 1:316 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:317 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:318 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:319 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:320 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:321 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:322 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:323 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:324 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:325 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:326 htb rate 1Kbit ceil 64Kbit prio 8
###############################################################################
echo "####topall computers######"
tc class add dev eth0 parent 1:1 classid 1:292 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:291 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:219 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:269 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:220 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:302 htb rate 1Kbit ceil 64Kbit prio 8
tc class add dev eth0 parent 1:1 classid 1:307 htb rate 1Kbit ceil 64Kbit prio 8
echo "############squid########"
tc class add dev eth0 parent 1:1 classid 1:221 htb rate 64Kbit ceil 256Kbit prio 8
###################################################################################
echo "####divizarea benzii####"
tc filter add dev eth0 parent 1: prio 5 handle 1: protocol ip u32 divisor 256
echo "####"
tc filter add dev eth0 parent 1: prio 5 protocol ip u32 match ip src 80.97.103.0/24 hashkey mask 0x0000ffff at 12 link 1:
#tc filter add dev eth0 parent 1: prio 5 protocol ip u32 match ip src 80.97.103.0/16 hashkey mask 0x00ffffff at 12 link 1:
################################################################################
echo "#####flitre missnet####"
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.74 flowid 1:201
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.64 flowid 1:202
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.65 flowid 1:203
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.66 flowid 1:204
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.67 flowid 1:205
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.68 flowid 1:206
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.69 flowid 1:207
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.70 flowid 1:208
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.71 flowid 1:209
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.72 flowid 1:211
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.73 flowid 1:212
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.75 flowid 1:213
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.76 flowid 1:247
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.77 flowid 1:248
##########################################################################################
echo "###########home user############"
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.89 flowid 1:326
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.90 flowid 1:325
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.91 flowid 1:324
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.92 flowid 1:323
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.93 flowid 1:322
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.94 flowid 1:321
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.95 flowid 1:320
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.96 flowid 1:319
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.97 flowid 1:318
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.98 flowid 1:317
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.99 flowid 1:316
tc filter add dev eth0 prio 6 parent 1: protocol ip u32 match ip src 80.97.103.100 flowid 1:315
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.101 flowid 1:314
tc filter add dev eth0 prio 7 parent 1: protocol ip u32 match ip src 80.97.103.102 flowid 1:313
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.103 flowid 1:312
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.104 flowid 1:311
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.105 flowid 1:310
tc filter add dev eth0 prio 7 parent 1: protocol ip u32 match ip src 80.97.103.106 flowid 1:309
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.107 flowid 1:308
tc filter add dev eth0 prio 7 parent 1: protocol ip u32 match ip src 80.97.103.108 flowid 1:306
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.109 flowid 1:305
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.110 flowid 1:304
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.111 flowid 1:303
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.112 flowid 1:301
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.113 flowid 1:300
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.114 flowid 1:299
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.115 flowid 1:298
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.116 flowid 1:297
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.117 flowid 1:296
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.118 flowid 1:295
tc filter add dev eth0 prio 6 parent 1: protocol ip u32 match ip src 80.97.103.119 flowid 1:294
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.120 flowid 1:293
tc filter add dev eth0 prio 7 parent 1: protocol ip u32 match ip src 80.97.103.121 flowid 1:290
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.122 flowid 1:289
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.123 flowid 1:288
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.124 flowid 1:287
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.125 flowid 1:286
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.126 flowid 1:285
tc filter add dev eth0 prio 6 parent 1: protocol ip u32 match ip src 80.97.103.127 flowid 1:284
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.128 flowid 1:283
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.129 flowid 1:282
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.130 flowid 1:281
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.131 flowid 1:280
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.132 flowid 1:279
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.133 flowid 1:278
tc filter add dev eth0 prio 6 parent 1: protocol ip u32 match ip src 80.97.103.134 flowid 1:277
tc filter add dev eth0 prio 7 parent 1: protocol ip u32 match ip src 80.97.103.135 flowid 1:276
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.136 flowid 1:275
tc filter add dev eth0 prio 7 parent 1: protocol ip u32 match ip src 80.97.103.137 flowid 1:274
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.138 flowid 1:273
tc filter add dev eth0 prio 7 parent 1: protocol ip u32 match ip src 80.97.103.139 flowid 1:272
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.140 flowid 1:271
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.141 flowid 1:270
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.142 flowid 1:268
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.143 flowid 1:267
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.144 flowid 1:266
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.145 flowid 1:265
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.147 flowid 1:264
tc filter add dev eth0 prio 7 parent 1: protocol ip u32 match ip src 80.97.103.148 flowid 1:263
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.149 flowid 1:262
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.150 flowid 1:261
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.151 flowid 1:260
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.152 flowid 1:259
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.153 flowid 1:258
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.154 flowid 1:257
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.155 flowid 1:256
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.156 flowid 1:255
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.157 flowid 1:254
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.158 flowid 1:253
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.159 flowid 1:252
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.160 flowid 1:251
tc filter add dev eth0 prio 7 parent 1: protocol ip u32 match ip src 80.97.103.161 flowid 1:250
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.162 flowid 1:249
tc filter add dev eth0 prio 7 parent 1: protocol ip u32 match ip src 80.97.103.163 flowid 1:246
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.164 flowid 1:245
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.165 flowid 1:244
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.166 flowid 1:243
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.167 flowid 1:242
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.168 flowid 1:241
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.169 flowid 1:240
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.170 flowid 1:239
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.171 flowid 1:238
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.172 flowid 1:237
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.173 flowid 1:236
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.174 flowid 1:235
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.175 flowid 1:234
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.176 flowid 1:233
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.177 flowid 1:232
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.178 flowid 1:231
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.179 flowid 1:230
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.180 flowid 1:229
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.181 flowid 1:226
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.182 flowid 1:227
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.183 flowid 1:228
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.184 flowid 1:225
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.185 flowid 1:224
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.186 flowid 1:223
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.187 flowid 1:222
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.188 flowid 1:214
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.189 flowid 1:215
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.190 flowid 1:216
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.191 flowid 1:217
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.192 flowid 1:218
###################################################################################
echo "############topall computers#######"
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.5 flowid 1:219
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.4 flowid 1:220
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.78 flowid 1:269
tc filter add dev eth0 prio 8 parent 1: protocol ip u32 match ip src 80.97.103.2 flowid 1:221

these classes are for outgoing interface
i use the same script for download but is used for lan interface and the difference is eth1 an ip address and that script is working on dst 10.0.0.*
pls tell me which quantum i need to use for 1Kbit ceil 64 and 1Kbit ceil 128Kbit and which burst for that type of traf

From Robert Kurjata Fri Oct 24 07:46:29 2003
From: Robert Kurjata (Robert Kurjata)
Date: Fri, 24 Oct 2003 08:46:29 +0200
Subject: Re[4]: [LARTC] 'Help with routing'
In-Reply-To: <004201c399de$8f354bd0$7ec5e818@nixocasa>
References: <58232.200.80.32.193.1066769792.squirrel@www.argentec.com.ar> <124749988.20031022085905@ire.pw.edu.pl> <1198.200.80.32.199.1066846409.squirrel@www.argentec.com.ar> <241054856.20031023091345@ire.pw.edu.pl> <004201c399de$8f354bd0$7ec5e818@nixocasa>
Message-ID: <1771097207.20031024084629@ire.pw.edu.pl>

Hello Nicolas,

In your letter dated 24 October 2003 (05:26:05) one can read:

NF> HI ROBERT:
NF> I apologise for mi ugly and diagrama thank you for the help.
NF> This is the scheme of my network

[cut out]

NF> I`m using multipath default gateway because I want to balance the traffic
NF> of my squid server (Is the proxy too).
NF> But I need the two networks go out
NF> from its corresponding gateway.

Ok, I understand that the squid proxy server resides on your gateway and you only want to load balance a proxy, not the lans. So you have to distinguish between traffic from-to proxy and from your lans and apply different routing policies. I think the best idea is to use classical firewall marking (-j MARK --set-mark xx) depending on type of traffic and then use policy routing selecting different scenarios using

ip rule add prio fwmark table

Should work. I use similar setup for limiting selected traffic to single interface only in multipath router.

NF> My problem is this: I can`t make everything that go out from one of the ISP
NF> go out from the gateway that correspond to it. For example everything that
NF> comes from ETH1 go out from ETH2.
NF> I think the correct thing is everything comes from ETH1 go out from ETH0
NF> ----------------------------------------------------------------------------
NF> ------
NF> This is my config
NF> #removing old rules
NF> echo "removing old rules"
NF> ip rule del prio 50 table main
NF> ip rule del prio 201 from 200.47.4.98/32 table 201
NF> ip rule del prio 202 from 200.80.32.158/32 table 202
NF> ip rule del prio 221 table 221
NF> echo "flushing tables"
NF> ip route flush table 201
NF> ip route flush table 202
NF> ip route flush table 221
NF> echo "removing tables"
NF> ip route del table 201
NF> ip route del table 202
NF> ip route del table 221
NF> # setting new rules
NF> echo "Setting new routing rules"
NF> # main table w/o default gateway here
NF> ip rule add prio 50 table main
NF> ip route del default table main
NF> # identified routes here
NF> ip rule add prio 201 from 200.47.4.98/32 table 201
NF> ip rule add prio 202 from 200.80.32.158/32 table 202
NF> ip route add default via 200.47.4.97 dev eth0 src 200.47.4.98 proto static table 201
NF> ip route append prohibit default table 201 metric 1 proto static
NF> ip route add default via 200.80.32.157 dev eth2 src 200.80.32.158 proto static table 202
NF> ip route append prohibit default table 202 metric 1 proto static
NF> # multipath
NF> ip rule add prio 221 table 221
NF> ip route add default table 221 proto static nexthop via 200.47.4.97 dev eth0 weight 2 nexthop via 200.80.32.157 dev eth2 weight 3
NF> ip route flush cache
NF> exit

NF> THANKS VERY MUCH AND SORRY FOR MI HIGHSCHOOL ENGLISH
NF> ----------------------------------------------------------------------------
NF> ---------------------------------
NF> Nicolas Fillon
NF> Argentina

NF> ----- Original Message -----
NF> From: "Robert Kurjata"
NF> To:
NF> Cc:
NF> Sent: Thursday, October 23, 2003 4:13 AM
NF> Subject: Re[2]: [LARTC] 'Help with routing'

>> Hello nixo,
>>
>> In your letter dated 22 October 2003 (20:13:29) one can read:
>>
>> Seems like I didn't read your posting deeply enough. Before I can help
>> I need to know some more details.
>>
>> Why are you using multipath default gateway? If you just need to make
>> a proper routing for two separate lans going through one machine, not
>> mixing them you should never use it. It's useful for NAT-ed lan
>> inside, not for public IP's. Just create simple routes without
>> multipath. eth0 <-> eth1 and eth2 <-> eth3.
>>
>>
>> nnca> Thank you very much for the solution, but I still have a problem and I
>> nnca> need help :) . The problem number one has been solved. When I trace from
>> nnca> any computer of my LAN, It`s go out from the right ISP. But after a short
>> nnca> time, is like if the route was cached and it back to the same problem.
>> nnca> (I´m getting paranoid :-P )
>>
>> nnca> The Problem number two still happens when someone from outside trace an IP
>> nnca> from my LAN. Always the before complete jump is responded for the
>> nnca> interface who correspond to the other ISP.
>>
>> nnca> Do you have an idea what can be the failure... or, can I call this a
>> nnca> failure in my config?
>>
>> nnca> THANKS VERY MUCH
>> nnca> Nicolas Fillon
>> nnca> Argentina
>>
>> >> Hi nixo,
>> >>
>> >> I suppose you don't preserve properly output address see my posting
>> >> with script from 15th October this year :)
>> >> (append prohibit default:)
>> >>
>> >>
>> >> nnca> the scheme of my LAN is the next:
>> >>
>> >> nnca> eth0 isp1 /32
>> >> nnca> eth1 lan of isp1 (LAN With public IP /24)
>> >> nnca> eth2 isp2 /32
>> >> nnca> eth3 lan of isp2 (LAN With public IP /26)
>> >>
>> >> nnca> ip route add 200.47.x.x/24 dev eth0 src 200.47.4.x table 1
>> >> nnca> ip route add default via 200.47.4.x table 1
>> >>
>> >>
>> >> nnca> ip route add 200.80.32.x/26 dev eth2 src 200.80.32.x table 2
>> >> nnca> ip route add default via 200.80.32.x table 2
>> >>
>> >>
>> >>
>> >> nnca> ip rule add from 200.47.4.x table 1
>> >> nnca> ip rule add from 200.80.32.x table 2
>> >>
>> >> nnca> ip route add default scope global nexthop via 200.47.4.x dev eth0 nexthop via 200.80.32.x dev eth2
>> >>
>> >> nnca> ******
>> >>
>> >> nnca> My problem is this: when I trace from the NETWORK of ISP1, sometimes the
>> >> nnca> tracer go out from the gateway of ISP2 and vice versa
>> >>
>> >> nnca> And when someone trace an IP from my LAN of ISP1, it`s show me as before
>> >> nnca> complete the gateway from ISP2 and vice versa.
>> >>
>> >>
>> >> nnca> My question is: what is wrong in my config...??? What I need to put or is
>> >> nnca> anything wrong with this config???.
>> >> nnca> THANKS VERY MUCH AND SORRY FOR MI HIGHSCHOOL ENGLISH.
>> >>
>> >>
>>
>> --
>> Regards,
>> Robert mailto:rkurjata@ire.pw.edu.pl
>>
>> _______________________________________________
>> LARTC mailing list / LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>>

--
Regards,
Robert mailto:rkurjata@ire.pw.edu.pl

From darklight@jambolnet.com Fri Oct 24 15:24:01 2003
From: darklight@jambolnet.com (Ilian Zarov)
Date: Fri, 24 Oct 2003 16:24:01 +0200
Subject: [LARTC] Delay pools (squid like) shaping ?
Message-ID: <20031024141424.M11775@jambolnet.com>

Hello,

I need to limit users, so that they are shaped at a lower transfer rate after, let's say, the first 10 MBs per day. I know this can be done with squid and delay pools, but how can I do it to all tcp traffic ? Is it only available through squid or is there any queueing discipline that can do it ?

Thanks.

From gregoriandres@yahoo.com.ar Fri Oct 24 16:31:58 2003
From: gregoriandres@yahoo.com.ar (ThE PhP_KiD)
Date: Fri, 24 Oct 2003 12:31:58 -0300
Subject: [LARTC] dynamic bandwidth
Message-ID:

Hi,

I have a linux router with eth0 (ADSL ISP connection), and eth1 (LAN, 10 hosts).

I want to all hosts get equal bandwidth, but the problem is that ADSL connection bandwidth is very variable.

How can I do to get a fairness bandwidth policy to upload and download from LAN hosts ?

I think that I can't use HTB because it works with a fixed bandwidth.

I must use ESFQ ?

Also, how must I do if I want to privilege a particular host over others LAN hosts ?

Thank you very much !

Andres.

From ivo@unilans.net Fri Oct 24 16:51:58 2003
From: ivo@unilans.net (Ivo Vachkov)
Date: Fri, 24 Oct 2003 18:51:58 +0300
Subject: [LARTC] dynamic bandwidth
In-Reply-To:
References:
Message-ID: <3F994A9E.8030609@unilans.net>

ThE PhP_KiD wrote:

> Hi,
>
> I have a linux router with eth0 (ADSL ISP connection), and
> eth1 (LAN, 10 hosts).
>
> I want to all hosts get equal bandwidth, but the problem
> is that ADSL connection bandwidth is very variable.
>
> How can I do to get a fairness bandwidth policy to upload
> and download from LAN hosts ?
>
> I think that I can't use HTB because it works with a
> fixed bandwidth.
>
> I must use ESFQ ?

I think SFQ is the right solution if want to share bandwidth between host

>
> Also, how must I do if I want to privilege a particular
> host over others LAN hosts ?

CBQ or priority queueing

> Thank you very much !
>
> Andres.
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
>

From gregoriandres@yahoo.com.ar Fri Oct 24 18:57:20 2003
From: gregoriandres@yahoo.com.ar (ThE PhP_KiD)
Date: Fri, 24 Oct 2003 14:57:20 -0300
Subject: [LARTC] dynamic bandwidth
In-Reply-To: <3F994A9E.8030609@unilans.net>
Message-ID:

Hi,

-> > I must use ESFQ ?
->
-> I think SFQ is the right solution if want to share bandwidth between host

Why not eSFQ (SFQ enhanced) ?
eSFQ has filter traffic Fairness by host (src / dst), or by classic SFQ behaviour

-> > Also, how must I do if I want to privilege a particular
-> > host over others LAN hosts ?
->
-> CBQ or priority queueing

Can I use HTB instead CBQ ? How?

Thank you very much.

Andres.

From pcaritj@riovia.net Sat Oct 25 01:53:54 2003
From: pcaritj@riovia.net (Paul J. Caritj)
Date: Fri, 24 Oct 2003 20:53:54 -0400
Subject: [LARTC] Completely baffled..
Message-ID: <3F99C9A2.8020203@riovia.net>

Hello again,

I am completely stumped. I have the following configuration bound to both the ingress and egress adapters of a firewall (the only difference between them being that the external interface matches by source ip, the internal by destination), the goal of which is to throttle traffic to and from the local network on a host-by-host basis. Now, with this configuration throttling works perfectly for uploading (ie host -> eth2 -> eth1 -> *).
However, downloading is not throttled at all *except* when the machine is uploading and downloading simultaneously; only then does the download throttle have any effect.

I tested this using IPerf, with the throttle set to 256kbit both ways. Upload always yields the expected results. Download tops out at about 4.5Mbit - it's a wireless link, ie no throttling evident. However, when the test machine is running iperf as a client and server simultaneously (ie uploading and downloading about the same amount of data simultaneously), both directions are throttled as they should be around 256kbit.

"tc -s class show dev eth2" shows that no packets are being referred to this class; this is not the case for the same class on eth1.

Let me know if you would like to see the setup for eth1 (external interface) as well; this is the setup on eth2 (internal interface).

qdisc htb 1: r2q 10 default 0 direct_packets_stat 3

class htb 1:fffe root prio 0 rate 256Kbit ceil 256Kbit burst 6Kb cburst 3565b

filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 2: ht divisor 256
filter parent 1: protocol ip pref 1 u32 fh 2:fe:800 order 2048 key ht 2 bkt fe flowid 1:fffe
  match 0a00fffe/ffffffff at 16
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2:
  match 0a000000/ffff0000 at 16
    hash mask 000000ff at 12
filter parent 1: protocol ip pref 5 u32
filter parent 1: protocol ip pref 5 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
filter parent 1: protocol ip pref 5 u32 fh 2:fe:800 order 2048 key ht 2 bkt fe flowid 1:fffe
  match 0a00fffe/ffffffff at 16
filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2:
  match 0a000000/ffff0000 at 16
    hash mask 000000ff at 12

Please help; I am completely confused.

Thanks,
Paul

From pcaritj@riovia.net Fri Oct 24 00:59:58 2003
From: pcaritj@riovia.net (Paul J. Caritj)
Date: Thu, 23 Oct 2003 19:59:58 -0400
Subject: [LARTC] Deleting filters from a hashtable
Message-ID: <3F986B7E.8030909@riovia.net>

Hi,

I'm trying to delete filters from a hashtable programmatically, but am being foiled by one small problem:

I can delete the rule with no difficulty given the full handle like so:
tc filter del dev eth2 pref 5 handle 2:fe:800 u32

First, my understanding is that, in this case:
2 => table
fe => column
800 =>row (or vice versa)
Is this correct?

Given that, I suppose I need to know how to delete an entry without knowing which row it was inserted into. Alternatively, can I explicitly set the row into which I am inserting? Here is what I'm doing now:

tc filter add dev eth2 parent 1:0 protocol ip prio 1 u32 ht 2:fe: match ip dst 192.168.255.254/32 flowid 1:fe;
(Where, notably, "fffe" is the last two octets of the IP, and fe is the last.)

Any help would be *much* appreciated. My brain is starting to melt ;)

-Paul

From ewan@fragworld.co.uk Sun Oct 26 01:42:31 2003
From: ewan@fragworld.co.uk (ewan)
Date: Sat, 25 Oct 2003 17:42:31 -0700
Subject: [LARTC] Deleting filters from a hashtable
References: <3F986B7E.8030909@riovia.net>
Message-ID: <003d01c39b5a$0a54fe10$04744fd9@e1>

sorry paul, meant to answer in list.....

an alternate approach to this problem might be to keep your rules in a database such as mysql and have a simple script file which builds and runs the filter script. this would allow you to add extra id and comment fields in the database which can be used by your program to decide which rules should be applied at any given time. such a setup makes the task of identifying, deleting and adding rules much easier as you can use complex programs and sql statements on the database.
You no longer have to worry about how to pick out a certain rule from a textfile or installed ruleset as your build script simply replaces all rules with a set selected from the DB

----- Original Message -----
From: "Paul J. Caritj"
To:
Sent: Thursday, October 23, 2003 4:59 PM
Subject: [LARTC] Deleting filters from a hashtable

> Hi,
> I'm trying to delete filters from a hashtable programmatically, but am
> being foiled by one small problem:
>
> I can delete the rule with no difficulty given the full handle like so:
> tc filter del dev eth2 pref 5 handle 2:fe:800 u32
>
> First, my understanding is that, in this case:
> 2 => table
> fe => column
> 800 =>row (or vice versa)
> Is this correct?
>
> Given that, I suppose I need to know how to delete an entry without
> knowing which row it was inserted into. Alternatively, can I explicitly
> set the row into which I am inserting? Here is what I'm doing now:
>
> tc filter add dev eth2 parent 1:0 protocol ip prio 1 u32 ht 2:fe: match
> ip dst 192.168.255.254/32 flowid 1:fe; (Where, notably, "fffe" is the
> last two octets of the IP, and fe is the last.)
>
> Any help would be *much* appreciated. My brain is starting to melt ;)
>
> -Paul
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

From raptor@tvskat.net Sat Oct 25 21:09:16 2003
From: raptor@tvskat.net (raptor)
Date: Sat, 25 Oct 2003 23:09:16 +0300
Subject: [LARTC] [htb] how do u calculate the Burst ?
In-Reply-To: <200310201652.46048.stef.coene@docum.org>
References: <20031020014041.007fb0ed.raptor@tvskat.net> <200310201652.46048.stef.coene@docum.org>
Message-ID: <20031025230916.35db3c67.raptor@tvskat.net>

|On Monday 20 October 2003 00:40, raptor wrote:
|> how do u decide how big BURST to use for a class ?!
|If you don't specify a burst, htb will calculate the smallest one for you.

]- yep i know ... why i ask this ?
I was thinking along the lines of using burst to give some better behaviour for web-browsing.. what I mean ?
Normally users when browsing click on link a html page is loaded which in most of the cases are not bigger than 50kBytes.
What I want to know is how this burst is paid off on subsequent seconds ?
Other question - when, at what speed, the htb calculated burst become bigger than 50kBytes..
Does someone made some test to see if such scenario works...etc.etc..

your comments

tia

From gregoriandres@yahoo.com.ar Sat Oct 25 23:00:27 2003
From: gregoriandres@yahoo.com.ar (ThE PhP_KiD)
Date: Sat, 25 Oct 2003 19:00:27 -0300
Subject: [LARTC] esfq testing !
Message-ID:

Hi,

I have a linux router like this:

ADSL modem-->(eth0) Linux Router (eth1)<--->LAN (6 hosts)

Since I want to apply fairness to 6 hosts LAN, I have compiled kernel 2.4.20-8 with patch esfq 0.2 (and iproute2 with patch esfq too.)

Next, I run the following script:

--------------------------------------------
#!/usr/bin
TC="/sbin/tc"
$TC qdisc del dev eth1 root 2> /dev/null > /dev/null
$TC qdisc add dev eth1 root handle 1:0 esfq perturb 0 hash dst
$TC class show dev eth1
$TC qdisc show dev eth1
$TC filter show dev eth1
--------------------------------------------

And it shows me:

qdisc esfq 1: quantum 1514b hash: dst

Next, I make test from server to LAN hosts, and put iptraf in order to make measures.

when I do:

# nohup ping 192.168.1.3 -f & (a LAN HOST)
# nohup ping 192.168.1.6 -f & (other LAN HOST)

iptraf shows me equal bandwidth to that hosts.

but if I repeat pings for one of that hosts:

# nohup ping 192.168.1.6 -f & (other LAN HOST)
# nohup ping 192.168.1.6 -f & (other LAN HOST)
# nohup ping 192.168.1.6 -f & (other LAN HOST)

iptraf shows me that 192.168.1.6 get more bandwidth than 192.168.1.3

Then seems ESFQ behaviour is like SFQ... what is wrong ????

I have ESFQ compiled like module.

Also I've tried put ESFQ inside a HTB class but ESFQ behaviour is equal like above example.

Where is the problem ?
Thank you !!!

Mac

From afornieles@free.fr Sun Oct 26 16:08:30 2003
From: afornieles@free.fr (Alex)
Date: Sun, 26 Oct 2003 17:08:30 +0100 (CET)
Subject: [LARTC] Can't use fwmark filters
Message-ID: <33232.192.168.45.3.1067184510.squirrel@fakir.dyndns.org>

Hello,

I'm facing an issue that i have reported on Debian's BTS as a bug against iproute package. Prior to this i have been looking around trying to find out what could be wrong but had no success to get it to work.

Below is what i've reported on Debian's BTS as http://bugs.debian.org/215629

Here goes the story, thanks for any tip on the subject.

Alex

----

I would like to add a fwmark filter to the original HTB based LARTC "WonderShaper" script (http://lartc.org/wondershaper/).

I am using a self compiled kernel from latest sarge kernel-source-2.4.22 and based on kernel-image-2.4.22-k7 provided config file.

The idea is to add a single additional fwmark filter :

tc filter add dev ppp0 parent 1: protocol ip prio 10 \
   handle 1 fw classid 1:30

When adding this line i get the following error message :

RTNETLINK answers: Invalid argument

If i modify the WonderShaper script, remove all "tc filter" lines but the fwmark filter one i get no such error. The filter seems to get declared just fine.

From here i can start uncommenting some of the "tc filter" lines provided in WonderShaper without getting any error. At some point when having enabled again 4 or 5 "tc filter" original lines the reported error strikes again.
I have tried simplifying the script to something like this :

tc qdisc add dev ppp0 root handle 1: htb default 60
tc class add dev ppp0 parent 1: classid 1:1 htb rate 450kbit
tc class add dev ppp0 parent 1:1 classid 1:10 htb rate 450kbit
tc class add dev ppp0 parent 1:1 classid 1:60 htb rate 450kbit
tc qdisc add dev ppp0 parent 1:10 handle 10: sfq
tc qdisc add dev ppp0 parent 1:60 handle 60: sfq
tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 6 fw classid 1:60

Which works fine. Adding this single line triggers the error again :

tc filter add dev ppp0 parent 1: protocol ip prio 1 u32 \
    match ip tos 0x10 0xff flowid 1:10

---> RTNETLINK answers: Invalid argument

I am stuck here... i haven't been able to find anything related to this on the net and i hope not to be misusing 'tc'.

Thank you.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux routeur 2.4.22-routeur3 #1 Sat Oct 11 11:40:45 CEST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages iproute depends on:
ii libc6 2.3.2-7 GNU C Library: Shared libraries an

From stef.coene@docum.org Sun Oct 26 17:25:45 2003
From: stef.coene@docum.org (Stef Coene)
Date: Sun, 26 Oct 2003 18:25:45 +0100
Subject: [LARTC] quantum for classes
In-Reply-To: <1232.80.97.103.2.1066956594.squirrel@ns2.topall.ro>
References: <1232.80.97.103.2.1066956594.squirrel@ns2.topall.ro>
Message-ID: <200310261825.45847.stef.coene@docum.org>

On Friday 24 October 2003 02:49, ionut@topall.ro wrote:
> i use this scripts for traffic shaping but in dont understand how to use
> quantum and burst
> #!/bin/bash
....
> this clsses are for outgoing interface
> i use the same script for download but is used for lan interfaceand the
> diference is eth1 an ip adress and that script is working on dst 10.0.0.*
> pls tel me witch quantum i need to use for 1Kbit ceil 64 and 1Kbit ceil
> 128Kbit and witch burst for that tipe of traf

Each keyboard has a shift key so you can type a capital as the first letter of a word. Try to use it like we all do.

For your problem, rate 1kbit is too low. 12kbit is the minimum. If you provide no burst or quantum, htb will calculate them for you.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Sun Oct 26 17:20:21 2003
From: stef.coene@docum.org (Stef Coene)
Date: Sun, 26 Oct 2003 18:20:21 +0100
Subject: [LARTC] Completely baffled..
In-Reply-To: <3F99C9A2.8020203@riovia.net>
References: <3F99C9A2.8020203@riovia.net>
Message-ID: <200310261820.21164.stef.coene@docum.org>

On Saturday 25 October 2003 02:53, Paul J. Caritj wrote:
> Hello again,
> I am completely stumped. I have the following configuration bound to
> both the ingress and egress adapters of a firewall (the only difference
> between them being that the external interface matches by source ip, the
> internal by destination), the goal of which is to throttle traffic to
> and from the local network on a host-by-host basis. Now, with this
> configuration throttling works perfectly for uploading (ie host -> eth2
> -> eth1 -> *). However, downloading is not throttled at all *except*
> when the machine is uploading and downloading simultaneously; only then
> does the download throttle have any effect.
>
> I tested this using IPerf, with the throttle set to 256kbit both ways.
> Upload always yields the expected results. Download tops out at about
> 4.5Mbit - its a wireless link, ie no throttling evident.
However, when
> the test machine is running iperf as a client and server simultaneously
> (ie uploading and downloading about the same amount of data
> simultaneously), both directions are throttled as they should be around
> 256kbit.
>
> "tc -s class show dev eth2" shows that no packets are being referred to
> this class; this is not the case for the same class on eth1.
>
> Let me know if you would like to see the setup for eth1 (external
> interface) as well; this is the setup on eth2 (internal interface).
>
> qdisc htb 1: r2q 10 default 0 direct_packets_stat 3
>
> class htb 1:fffe root prio 0 rate 256Kbit ceil 256Kbit burst 6Kb cburst 3565b
>
> filter parent 1: protocol ip pref 1 u32
> filter parent 1: protocol ip pref 1 u32 fh 801: ht divisor 1
> filter parent 1: protocol ip pref 1 u32 fh 2: ht divisor 256
> filter parent 1: protocol ip pref 1 u32 fh 2:fe:800 order 2048 key ht 2 bkt fe flowid 1:fffe
>   match 0a00fffe/ffffffff at 16
> filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2:
>   match 0a000000/ffff0000 at 16
>   hash mask 000000ff at 12
> filter parent 1: protocol ip pref 5 u32
> filter parent 1: protocol ip pref 5 u32 fh 801: ht divisor 1
> filter parent 1: protocol ip pref 5 u32 fh 2: ht divisor 256
> filter parent 1: protocol ip pref 5 u32 fh 2:fe:800 order 2048 key ht 2 bkt fe flowid 1:fffe
>   match 0a00fffe/ffffffff at 16
> filter parent 1: protocol ip pref 5 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 5 u32 fh 800::800 order 2048 key ht 800 bkt 0 link 2:
>   match 0a000000/ffff0000 at 16
>   hash mask 000000ff at 12
>
> Please help; I am completely confused.

You are working on a firewall. So the box is natting the packets. That means that the source address of the packets you send to the internet is rewritten. So you can't use the source address to classify the packets.
You can use iptables and the fw filter to mark the packets and classify them based on the source address.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Sun Oct 26 17:21:30 2003
From: stef.coene@docum.org (Stef Coene)
Date: Sun, 26 Oct 2003 18:21:30 +0100
Subject: [LARTC] Delay pools (squid like) shaping ?
In-Reply-To: <20031024141424.M11775@jambolnet.com>
References: <20031024141424.M11775@jambolnet.com>
Message-ID: <200310261821.30209.stef.coene@docum.org>

On Friday 24 October 2003 16:24, Ilian Zarov wrote:
> Hello,
> I need to limit users, so that they are shaped at a lower transfer rate
> after, let's say, the first 10 MBs per day. I know this can be done with
> squid and delay pools, but how can I do it to all tcp traffic ? Is it only
> available through squid or is there any queueing discipline that can do it ?

Take a look at the wrr qdisc
http://wipl-wrr.sourceforge.net/

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From kaber@trash.net Sun Oct 26 18:04:48 2003
From: kaber@trash.net (Patrick McHardy)
Date: Sun, 26 Oct 2003 19:04:48 +0100
Subject: [LARTC] beta-release of H-FSC port for Linux 2.6
Message-ID: <3F9C0CC0.1020706@trash.net>

I've done a port of the altq H-FSC packet scheduler for linux 2.6. It's still in beta stage but it's running for about two weeks here without problems (and excellent shaping results). There is no documentation, so it's at best for the playful at the moment. The patches are available at http://trash.net/~kaber/hfsc

If you are looking for 2.4 patches, there are none at the moment but it's a 5 minute effort so if you need them please ask.

Please note due to a lack of time I will only answer basic usage questions at this point and for sure I won't review tc scripts without detailed bug reports.
Have Fun,
Patrick

BTW: on a related issue, IMQ is looking for a new maintainer. If you are interested please contact me.

From lists@chincogan.net.au Mon Oct 27 00:51:45 2003
From: lists@chincogan.net.au (Chincogan Network Services Lists)
Date: Mon, 27 Oct 2003 11:51:45 +1100
Subject: [LARTC] Limiting Inbound packets.
Message-ID: <20031027115145.3da471ee.lists@chincogan.net.au>

Hi all,

I have been using htb3 for a while to limit the speed of the clients connected to my lan. To separately limit the upload and download speed for each lan host I have been limiting their download speed on the interface they are attached to and limiting their upload speed on my internet facing interface.

Now the problem, We have just taken a separate internet feed from another provider so giving a user a say 1024k limit on EACH outbound interface would if the user could figure out the routes correctly let them upload at 2048k and then 3072k if we were to get a 3rd feed (which is likely to happen in the next 6 months).

So, if possible I need to be able to limit a lan hosts upload speed on the receiving interface of my router instead of the transmit of the outbound interface, in my research 18-24 months ago when first implementing this solution this was uncharted territory.

Can someone please point me toward some documentation for this.

Thanks,
Aaron Daniels
Chincogan Network Services
http://www.chincogan.net.au/

From rio@martin.mu Mon Oct 27 02:30:09 2003
From: rio@martin.mu (Rio Martin)
Date: Mon, 27 Oct 2003 09:30:09 +0700
Subject: [LARTC] dynamic bandwidth
In-Reply-To: <3F994A9E.8030609@unilans.net>
References: <3F994A9E.8030609@unilans.net>
Message-ID: <200310270930.09692.rio@martin.mu>

On Friday 24 October 2003 22:51, Ivo Vachkov wrote:
> ThE PhP_KiD wrote:
> > I have a linux router with eth0 (ADSL ISP connection), and
> > eth1 (LAN, 10 hosts).
> > I want to all hosts get equal bandwidth, but the problem
> > is that ADSL connection bandwidth is very variable.
> > How can I do to get a fairness bandwidth policy to upload
> > and download from LAN hosts ?
> > I think that I can't use HTB because it works with a
> > fixed bandwidth.
> > I must use ESFQ ?
> I think SFQ is the right solution if want to share bandwidth between host
> > Also, how must I do if I want to privilege a particular
> > host over others LAN hosts ?
> CBQ or priority queueing
> > Thank you very much !
> > Andres.

The main problem for situation like this, is in the bandwidth allocated to parent class which is unpredictable because ADSL burstable. According to previous post to this list, there were no solutions for this. I am also looking some kind of trick to solve this one.

Regards,
Rio Martin.

From Raghuveer K Mon Oct 27 06:33:03 2003
From: Raghuveer K (Raghuveer K)
Date: Mon, 27 Oct 2003 12:03:03 +0530
Subject: [LARTC] Please check my CBQ Rules.
In-Reply-To: <3F9634DD.2020707@gsecone.com>
References: <5.1.0.14.2.20030910115658.02813c78@mail.axelero.hu> <200309222025.05016.stef.coene@docum.org> <3F6FE0A7.5090001@gsecone.com> <200309232146.09807.stef.coene@docum.org> <3F9634DD.2020707@gsecone.com>
Message-ID: <3F9CBC1F.40709@gsecone.com>

Hi Stef,

I am stuck as my traffic control is not working, I just tried first with incoming traffic shaping, below is the test setup and rules applied. Your valuable suggestion will surely help me and make it right.

Traffic Control is not taking place after applying the below rules. Here follows the test setup:-
1. The linux m/c 's eth0(100Mbits, WAN) is connected to 128 Kbits ADSL and eth1 to the LAN.
2. I tried doing traffic control for incoming(at eth1).
3. In LAN, I connected 3 m/c's(all linux).
4. The ISP rate taken is 97% of 128Kbits.
5. Bandwidth Monitoring is done by using IPTraf on each LAN m/c's.

Here are the rules I am applying to control incoming traffic at LAN interface(eth1) for LAN users.
Here actual Isp rate = 128Kbit, rate taken = 97% of 128Kbit, eth1 ip is 192.168.5.1

/* root qdisc */
tc qdisc add dev eth1 root handle 1: cbq bandwidth 100Mbit avpkt 1000 cell 8

/* Parent Class */
tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 124Kbit weight 12Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000 bounded

/* Whether should I place the below filter for Parent class..???
tc filter add dev eth1 parent 1:0 protocol ip prio 3 u32 match ip src 0/0 match ip dst 0/0 classid 1:1
*/

/* Child Classes */
/* 1st LAN user<192.168.5.2> = 37Kbit */
tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate 37Kbit weight 3Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 192.168.5.2 classid 1:2

/* 2nd LAN user<192.168.5.3> = 24Kbit */
tc class add dev eth1 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate 24Kbit weight 2Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 192.168.5.3 classid 1:3

/* 3rd LAN user<192.168.5.4> = 12Kbit */
tc class add dev eth1 parent 1:1 classid 1:4 cbq bandwidth 100Mbit rate 12Kbit weight 1Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 192.168.5.4 classid 1:4

/* Default : Rest/Other traffic = 51Kbit*/
tc class add dev eth1 parent 1:1 classid 1:5 cbq bandwidth 100Mbit rate 51Kbit weight 5Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 0/0 classid 1:5

I have few observations and queries, as follows:--
1. In my test setup the ISP rate is fluctuating in the range of 21Kbits to 131 Kbits for 128Kbits ADSL.
2. I have not added any filter for the parent class. Is it required...? What happens if I add...?
3.
Is "iptraf " tool OK for monitoring the distribution of bandwidth on each LAN m/c.
4. In case, if I shape outgoing traffic on eth0 interface, whether shall I take outgoing and incoming ISP rate's in 30:70 ratio, i.e 30% if 128Kbits for outgoing Qdisc(eth0) and 70% for incoming Qdisc(eth1). As 128 Kbits rate being asynchronous(ADSL).

Can you pls guide me where am I going wrong..?

Regards
-Raghu

Raghuveer K wrote:

> Stef Coene wrote:
>
>> On Tuesday 23 September 2003 07:56, Raghuveer wrote:
>>
>>
>>> Here are the rules Iam applying to control outgoing traffic at WAN(eth0)
>>> interface for public hosted services.
>>> Here actual Isp rate = 512Kbit, rate taken = 97% of 512Kbit, eth0 ip is
>>> 192.168.1.2
>>>
>>> tc qdisc add dev eth0 root handle 1: cbq bandwidth 100Mbit avpkt 1000 cell 8
>>> tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 497Kbit weight 49Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000 bounded
>>> /* Hosted http server bandwidth = 64Kbit */
>>> tc class add dev eth0 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate 64Kbit weight 6Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
>>> tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src 192.168.1.2 match ip sport 80 0xffff classid 1:2
>>>
>>> /* Hosted ftp server bandwidth = 64Kbit */
>>> tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate 64Kbit weight 6Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
>>> tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src 192.168.1.2 match ip sport 21 0xffff classid 1:3
>>>
>>> /* Default : Rest/Other traffic */
>>> tc class add dev eth0 parent 1:1 classid 1:4 cbq bandwidth 100Mbit rate 369Kbit weight 40Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
>>> /* Here I want replace the below rule with a simple rule based only on
>>> port i.e by using some default port other than 80, 21 as sport, which
>>> according to your last mail is not
possible, hence pls check whether the
>>> below rule will do for remaining traffic */
>>> tc filter add dev eth0 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 0/0 classid 1:4
>>>
>>> Pls let me know whether the above rules are framed correctly or can be
>>> done in a better way.
>>>
>>
>> I can't do it better then you did :)
>>
>>
> Stef,
> Traffic Control is not taking place after applying the above rules.
> Here follows the test setup:-
> 1. The linux m/c 's eth0(100Mbits, WAN) is connected to 128 Kbits ADSL
> and eth1 to the LAN.
> 2. I tried doing traffic control for incoming(at eth1) and
> outgoing(at eth0) traffic using CBQ(above rules).
> 3. In LAN, I connected 3 m/c's(all linux).
> 4. The ISP rate taken is 97% of 128Kbits.
> 5. Bandwidth Monitoring is done by using IPTraf on each LAN m/c's.
>
> I have few observations and queries, as follows:--
> 1. Here the ISP rate is fluctuating in the range of 21Kbits to 131
> Kbits for 128Kbits ADSL.
> 2. I have not added any filter for the parent class. Is it
> required...? What happens if I add...?
> 3. Is "iptraf " tool OK for monitoring the distribution of bandwidth
> on each LAN m/c.
> 4. Whether shall I take outgoing and incoming ISP rate's in 30:70
> ratio, i.e 30% if 128Kbits for outgoing Qdisc(eth0) and 70% for incoming
> Qdisc(eth1). As 128 Kbits rate being asyncronous(ADSL).
>
> Can you pls guide me where amI going wrong..?
>
> Regards
> -Raghu
>
>> Stef
>>
>>
>>
>
>

From stef.coene@docum.org Mon Oct 27 14:43:41 2003
From: stef.coene@docum.org (Stef Coene)
Date: Mon, 27 Oct 2003 15:43:41 +0100
Subject: [LARTC] [htb] how do u calculate the Burst ?
In-Reply-To: <20031025230916.35db3c67.raptor@tvskat.net>
References: <20031020014041.007fb0ed.raptor@tvskat.net> <200310201652.46048.stef.coene@docum.org> <20031025230916.35db3c67.raptor@tvskat.net>
Message-ID: <200310271543.41520.stef.coene@docum.org>

On Saturday 25 October 2003 22:09, raptor wrote:
> |On Monday 20 October 2003 00:40, raptor wrote:
> |> how do u decide how big BURST to use for a class ?!
> |
> |If you don't specify a burst, htb will calculate the smallest one for you.
>
> ]- yep i know ... why i ask this ? I was thinking along the lines of using
> burst to give some better behaviour for web-browsing.. what I mean ?
> Normally users when browsing click on link a html page is loaded which in
> most of the cases are not bigger than 50kBytes. What I want to know is how
> this burst is paid off on subsequent seconds ? Other question - when, at
> what speed, the htb calculated burst become bigger than 50kBytes..
>
> Does someone made some test to see if such scenario works...etc.etc..

Most of your questions are answered on this page :
http://www.docum.org/stef.coene/qos/tests/htb/burst/
To understand burst, you have to understand the concept of tokens.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From gregoriandres@yahoo.com.ar Mon Oct 27 16:21:07 2003
From: gregoriandres@yahoo.com.ar (ThE PhP_KiD)
Date: Mon, 27 Oct 2003 13:21:07 -0300
Subject: [LARTC] dynamic bandwidth
In-Reply-To: <200310270930.09692.rio@martin.mu>
Message-ID:

Ok, Martin...
Thank you, and see my post
I have done some ESFQ testings...
but results are not satisfactory...
eSFQ seems work like SFQ...
:-(

regards
andres

-> -----Original Message-----
-> From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On
-> behalf of Rio Martin
-> Sent: Sunday, October 26, 2003 11:30 p.m.
-> To: lartc@mailman.ds9a.nl
-> Subject: Re: [LARTC] dynamic bandwidth
->
->
-> On Friday 24 October 2003 22:51, Ivo Vachkov wrote:
-> > ThE PhP_KiD wrote:
-> > > I have a linux router with eth0 (ADSL ISP connection), and
-> > > eth1 (LAN, 10 hosts).
-> > > I want to all hosts get equal bandwidth, but the problem
-> > > is that ADSL connection bandwidth is very variable.
-> > > How can I do to get a fairness bandwidth policy to upload
-> > > and download from LAN hosts ?
-> > > I think that I can't use HTB because it works with a
-> > > fixed bandwidth.
-> > > I must use ESFQ ?
-> > I think SFQ is the rght solution if want to share bandwidth
-> between host
-> > > Also, how must I do if I want to privilege a particular
-> > > host over others LAN hosts ?
-> > CBQ or priority queueing
-> > > Thank you very much !
-> > > Andres.
->
-> The main problem for situation like this, is in the bandwidth
-> alocated to
-> parent class which is unpredictable because ADSL burstable.
-> According to previous post to this list, there were no solutions
-> for this.
-> I am also looking somekind of trick to solve this one.
->
-> Regards,
-> Rio Martin.
->

From derek@traffic-power.com Mon Oct 27 17:05:14 2003
From: derek@traffic-power.com (Derek)
Date: Mon, 27 Oct 2003 09:05:14 -0800
Subject: [LARTC] tc patch for sch_null
Message-ID: <20031027171156.BE7F03FC2@outpost.ds9a.nl>

Hi all,

I seem to have misplaced the message that contains the tc patch for the null scheduler.. Could someone repost or just e-mail it to me?

Tia,
Derek

--
-----------------------
Derek Fedel
Network Administrator
Ext.
238
Traffic-Power.com

"Hence the saying: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." - Sun Tzu

From emece78@adinet.com.uy Mon Oct 27 20:03:30 2003
From: emece78@adinet.com.uy (MC)
Date: Mon, 27 Oct 2003 17:03:30 -0300
Subject: [LARTC] tcng newie
Message-ID: <3F8BA4BB00013D7E@nfs01.in.adinet.com.uy>

Hi everyone!!!

This is my first post here... I have a problem and I'd like to know if someone here could help me. I'm kinda new to traffic control. I have practically no idea about it. I'm trying to learn about it now. I want to use htb to prioritize some kinds of packets.

I copied some scripts from a howto about traffic control and htb. I'm trying to use tcng... The thing is that when I run this line:

tc qdisc add dev eth0 handle 1:0 root dsmark indices 8 default_index 0

I get this:

Unknown qdisc "dsmark", hence option "indices" is unparsable

I looked for some information on the net and found that many people say that TC_CONFIG_DIFFSERV should be set to "y" in iproute/Config .

I searched "iproute" in my hard drive and didn't find anything. I did find /etc/iproute2...but this directory only has 4 or 5 files and none of them is called Config or something like that.

I'm using SuSE 8.2 and I checked and found out that iproute2 is installed (it shows on yast)....

What's wrong here?! What should I do?:( PLEASE HELP! :)

Marcelo

From Mihai Tanasescu"

Hello,

1. I currently have a 128kbps cable link to the internet..and I'm sharing this connection with others.
I've made the following script (for allocating bandwidth depending on the services used: browsing, squid, games like counter-strike, icmp, ssh), which unfortunately isn't working very well as the response times I'm getting upon pinging the server are almost the same I get without the htb script being loaded.

Any ideas ?

Here goes my script:

where
eth1 = the internal network card
eth0 = the link to my ISP

ipt="/sbin/iptables"
tc="/sbin/tc"
IF_EXT=eth0
IF_LOC=eth1

#############################################################################
$tc qdisc del dev $IF_EXT root
$tc qdisc add dev $IF_EXT handle 1: root htb default 99 r2q 1
$tc class add dev $IF_EXT parent 1: classid 1:1 htb rate 100kbit
$tc class add dev $IF_EXT parent 1:1 classid 1:2 htb rate 20kbit ceil 20kbit prio 1
$tc class add dev $IF_EXT parent 1:1 classid 1:3 htb rate 60kbit ceil 90kbit prio 3
$tc class add dev $IF_EXT parent 1:1 classid 1:99 htb rate 20kbit ceil 90kbit prio 7

# I'm letting 1:2 use FIFO...for low-latency
$tc qdisc add dev $IF_EXT parent 1:3 handle 30: sfq perturb 10
$tc qdisc add dev $IF_EXT parent 1:99 handle 990: sfq perturb 10

# ICMP
$tc filter add dev $IF_EXT protocol ip prio 1 parent 1: u32 \
    match ip protocol 1 0xff flowid 1:2

# Counter-strike
$tc filter add dev $IF_EXT protocol ip prio 1 parent 1: u32 \
    match ip dport 27015 0xffff flowid 1:3
$tc filter add dev $IF_EXT protocol ip prio 1 parent 1: u32 \
    match ip dport 28015 0xffff flowid 1:3

# TOS Minimum Delay (ssh, NOT scp) in 1:10:
$tc filter add dev $IF_EXT protocol ip prio 2 parent 1: u32 \
    match ip tos 0x10 0xff flowid 1:3

######################################
# acks
$tc filter add dev $IF_EXT parent 1: protocol ip prio 2 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    match u8 0x10 0xff at 33 \
    flowid 1:3

# dns queries
$tc filter add dev $IF_EXT protocol ip prio 2 parent 1: u32 \
    match ip dport 53 0xffff flowid 1:3

#############################################
# other services - web + irc
$tc filter add dev $IF_EXT parent 1: protocol ip prio 2 u32 \
    match ip dport 80 0xffff flowid 1:3
$tc filter add dev $IF_EXT parent 1: protocol ip prio 2 u32 \
    match ip dport 6667 0xffff flowid 1:3

#############################################
# All others go to 1:99
$tc filter add dev $IF_EXT protocol ip prio 2 parent 1: u32 \
    match ip dst 0.0.0.0/0 flowid 1:99
##########################################################################################

and for download I have the following:

$tc qdisc del dev $IF_LOC root
$tc qdisc add dev $IF_LOC handle 2: root htb default 99 r2q 1
$tc class add dev $IF_LOC parent 2: classid 2:1 htb rate 100kbit
$tc class add dev $IF_LOC parent 2:1 classid 2:2 htb rate 70kbit ceil 90kbit prio 1
$tc class add dev $IF_LOC parent 2:1 classid 2:99 htb rate 30kbit ceil 90kbit prio 5

# PRIO FIFO...for 2:2 = low latency for counter-strike packets
$tc qdisc add dev $IF_LOC parent 2:99 handle 299: sfq perturb 10

# Counter-strike
$tc filter add dev $IF_LOC protocol ip prio 1 parent 2: u32 \
    match ip dport 27005 0xffff flowid 2:2

# WEB
$tc filter add dev $IF_LOC protocol ip prio 1 parent 2: u32 \
    match ip sport 80 0xffff flowid 2:2

# SQUID
$tc filter add dev $IF_LOC protocol ip prio 1 parent 2: u32 \
    match ip sport 3128 0xffff flowid 2:2

# The rest
$tc filter add dev $IF_LOC protocol ip prio 1 parent 2: u32 \
    match ip dst 0.0.0.0/0 flowid 2:99

pinging the server without htb script loaded:

[mihai@...mihai]$ ping -c 5 ip
PING ip(ip) from .....: 56(84) bytes of data.
64 bytes from ip: icmp_seq=1 ttl=60 time=94.0 ms
64 bytes from ip: icmp_seq=2 ttl=60 time=41.3 ms
64 bytes from ip: icmp_seq=3 ttl=60 time=10.4 ms
64 bytes from ip: icmp_seq=4 ttl=60 time=25.5 ms
64 bytes from ip: icmp_seq=5 ttl=60 time=14.1 ms

--- ip ping statistics ---
5 packets transmitted, 5 received, 0% loss, time 4036ms
rtt min/avg/max/mdev = 10.454/37.105/94.057/30.443 ms

pinging the server with htb script loaded:

[mihai@.. mihai]$ ping -c 5 ip_addr
PING ip(ip) from ...: 56(84) bytes of data.
64 bytes from ip: icmp_seq=1 ttl=60 time=31.1 ms
64 bytes from ip: icmp_seq=2 ttl=60 time=11.8 ms
64 bytes from ip: icmp_seq=3 ttl=60 time=38.5 ms
64 bytes from ip: icmp_seq=4 ttl=60 time=94.8 ms
64 bytes from ip: icmp_seq=5 ttl=60 time=31.5 ms

--- ip ping statistics ---
5 packets transmitted, 5 received, 0% loss, time 4041ms
rtt min/avg/max/mdev = 11.839/41.584/94.829/28.064 ms

and tc -s qdisc shows:

tc -s qdisc
qdisc sfq 990: dev eth0 quantum 1514b perturb 10sec
 Sent 7574 bytes 75 pkts (dropped 0, overlimits 0)
qdisc sfq 30: dev eth0 quantum 1514b perturb 10sec
 Sent 123614 bytes 1413 pkts (dropped 0, overlimits 0)
qdisc htb 1: dev eth0 r2q 1 default 99 direct_packets_stat 0
 Sent 149780 bytes 1678 pkts (dropped 87, overlimits 0)
qdisc sfq 299: dev eth1 quantum 1514b perturb 10sec
 Sent 824005 bytes 1000 pkts (dropped 0, overlimits 0)
 backlog 3p
qdisc htb 2: dev eth1 r2q 1 default 99 direct_packets_stat 2
 Sent 1055635 bytes 1398 pkts (dropped 0, overlimits 2046)

2. I have the same problem with a htb script on an adsl connection (with the htb script I get ping response times of 80-90..without it I get 200-300 ms...but these response times aren't very stable..it's something like I'm getting 40 ms..then 100 ms..then 50 ms..)

Sorry about the size of this message.

Hope you can help,
Mihai Tanasescu

From gdamjan@mail.net.mk Mon Oct 27 20:40:35 2003
From: gdamjan@mail.net.mk (Damjan)
Date: Mon, 27 Oct 2003 21:40:35 +0100
Subject: [LARTC] tcng newie
In-Reply-To: <3F8BA4BB00013D7E@nfs01.in.adinet.com.uy>
References: <3F8BA4BB00013D7E@nfs01.in.adinet.com.uy>
Message-ID: <20031027204035.GA31808@legolas.on.net.mk>

> I get this:
>
> Unknown qdisc "dsmark", hence option "indices" is unparsable
>
> I looked for some information on the net and found that many people say
> that TC_CONFIG_DIFFSERV should be set to "y" in iproute/Config .
...
>
> What's wrong here?! What should I do?:( PLEASE HELP!
:)

Your "tc" binary doesn't support the "dsmark" option. You need to recompile iproute2 from source and change that Config file in the source tgz before you compile.

Unfortunately it might fail to compile, and then I don't have an answer for you. I've been struggling to compile iproute2 on my Slackware-9.1/kernel-2.4.22 box, searched google.com and I didn't find a solution that would work :(

YMMV

--
Damjan Georgievski
jabberID: damjan@bagra.net.mk

From themel@iwoars.net Tue Oct 28 00:32:09 2003
From: themel@iwoars.net (Thomas Themel)
Date: Tue, 28 Oct 2003 01:32:09 +0100
Subject: [LARTC] fwmark routing of locally generated packets
Message-ID: <20031028003209.GC15501@iwoars.net>

Hi,

I'm currently trying to get a Linux machine to route all traffic coming from a certain UID over a dedicated PPP interface.

After going through the available documentation and experimenting a bit, I settled for the following attempt:

# 62.46.87.104 - local PPP address
# 195.4.91.104 - PPP peer
ip route add 195.3.91.104 dev ppp0 src 62.46.87.104 table special
# local for DNS etc
ip route add 192.168.1.0/24 dev eth0 src 192.168.1.1 table special
ip route add default via 195.3.91.104 src 62.46.87.104 table special
ip rule add fwmark 3 lookup special
iptables -t mangle -A OUTPUT -m owner --uid-owner freenet -j MARK --set-mark 3
ip route flush cache

This seems to work in a way.
It correctly sends the packets generated by that user out the ppp0 interface, but they don't get the correct source address:

| sophokles:~# sh -x description.txt
| + ip route flush table aonc
| + ip route add 195.3.91.103 dev ppp0 src 62.46.86.137 table aonc
| + ip route add 192.168.1.0/24 dev eth0 src 192.168.1.1 table aonc
| + ip route add default via 195.3.91.103 src 62.46.86.137 table aonc
| + ip rule add fwmark 3 lookup aonc
| + iptables -t mangle -A OUTPUT -m owner --uid-owner freenet -j MARK
| --set-mark 3
| + ip route flush cache
| sophokles:~# tcpdump -ni ppp0 port 22 &
| [1] 841
| sophokles:~# tcpdump: listening on ppp0
|
| sophokles:~# nc iwoars.net 22
| SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
|
| sophokles:~# su - freenet
| freenet@sophokles:~$ nc iwoars.net 22
| 01:25:17.044883 192.168.1.1.32848 > 217.160.110.113.22: SWE
| 1344336467:1344336467(0) win 5840 (DF)
| 01:25:20.043828 192.168.1.1.32848 > 217.160.110.113.22: SWE
| 1344336467:1344336467(0) win 5840 (DF)
| 01:25:26.042584 192.168.1.1.32848 > 217.160.110.113.22: SWE
| 1344336467:1344336467(0) win 5840 (DF)
|
| freenet@sophokles:~$

I've read on this list that owner-based policy routing is impossible because the routing decision is made before the packet traverses the OUTPUT chain. However, if this is true, then I don't understand how the packet can go out via the correct interface unless there are separate route lookups to determine the source address and outgoing interface. Could someone who knows please elaborate?
I have also tried, unsuccessfully, to just mangle the source address using an iptables SNAT rule, but even though that produces correct network traffic, it seems to break something internally that keeps the TCP handshake from completing:

| sophokles:~# iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source
| 62.46.86.137
| sophokles:~# su - freenet
| freenet@sophokles:~$ nc iwoars.net 22
| 01:30:16.448930 62.46.86.137.32849 > 217.160.110.113.22: SWE
| 1656968486:1656968486(0) win 5840 (DF)
| 01:30:16.516732 217.160.110.113.22 > 62.46.86.137.32849: S
| 2293250552:2293250552(0) ack 1656968487 win 32120 (DF)
| 01:30:19.448146 62.46.86.137.32849 > 217.160.110.113.22: SWE
| 1656968486:1656968486(0) win 5840 (DF)
| 01:30:19.518099 217.160.110.113.22 > 62.46.86.137.32849: S
| 2293250552:2293250552(0) ack 1656968487 win 32120 (DF)
| 01:30:19.823023 217.160.110.113.22 > 62.46.86.137.32849: S
| 2293250552:2293250552(0) ack 1656968487 win 32120 (DF)
| [...]

ciao,
--
[*Thomas Themel*]    Since you obviously haven't lurked enough,
[extended contact]   we subtly tell lusers to piss off via the words "piss
[info provided in]   off, luser".
[*message header*]       - David P. Murphy in the monastery

From su_raj_in@yahoo.com Tue Oct 28 07:06:00 2003
From: su_raj_in@yahoo.com (Suraj Shankar)
Date: Mon, 27 Oct 2003 23:06:00 -0800 (PST)
Subject: [LARTC] Explanation reqd. for few (more than few!) concepts in TC
Message-ID: <20031028070600.84540.qmail@web20013.mail.yahoo.com>

Hi all,

I am a system administrator trying to understand tc. I have been following the lartc documentation along with a few others. I am unable to understand few things explained in the howtos. Kindly help me with the same ...
1) Can somebody tell me the exact difference between a class and a qdisc? Martin Brown did try to explain to me but, I couldn't understand!

2) When we talk about pfifo, what is the 'pack size' understood to be; example, when I set limit to 10 (packets), how many bytes is my bucket?

3) 'HTB is suited for fixed bandwidth' ... by "fixed" what exactly is meant ... meaning can it be used where bandwidth is shared but at almost always a certain "fixed" bandwidth is available (even if available bandwidth exceeds, it will be by only a few bytes, for a short duration)?

4) Can somebody suggest which qdisc is most ideal (for shaping and scheduling) in a n/w where the ISP provides a (512Kbit) pipe, which is shared by multiple (4) clients but, an average of 45bytes can be expected at any point in time (although, it might exceed this)?

5) The lartc howto speaks about 'mpu' with reference to TBF, and states "for ethernet, no packet uses less than 64 bytes", can you please tell me whether 64 bytes is the least possible; meaning adding 20 bytes of IP and 28 bytes of TCP, I believed a TCP/IP packet with no payload could exist of 48 bytes, is this possible? and if a payload must be added, should it be 16 bytes at least, can I not have a 52 byte ethernet packet? Kindly explain. Also, I am unable to see such a parameter when I do a tc...help, for TBF.

6) Could you please define the 'cell' parameter in a CBQ? Also, I am unable to see maxburst, minburst, minidle, mpu, rate parameter options when I do a ... for ex. : 'tc qdisc add dev eth0 handle 1 root cbq help'

7) How do I set WRR, link sharing and borrowing parameters using TC?

8) Also, please pardon my ignorance but, do I need a filter for a classless qdisc, cause if I were to attach a classless qdisc to the root qdisc then by default all packets enter this qdisc and I believe I wouldn't have the scope to classify ... right/wrong?

Please help me. Thank you.

Regards,
suraj.
From util@deuroconsult.ro Tue Oct 28 07:41:14 2003
From: util@deuroconsult.ro (Catalin BOIE)
Date: Tue, 28 Oct 2003 09:41:14 +0200 (EET)
Subject: [LARTC] Pakets marked but no shapeing is done
In-Reply-To: <931113721.20031027232619@web.de>
References: <1644514561.20031020184000@web.de> <200310202047.24542.stef.coene@docum.org> <931113721.20031027232619@web.de>
Message-ID:

What ip isn't shaped right?

---
Catalin(ux) BOIE
catab@deuroconsult.ro

From luciano@elo.com.br Tue Oct 28 12:08:06 2003
From: luciano@elo.com.br (Luciano Lima)
Date: Tue, 28 Oct 2003 10:08:06 -0200
Subject: [LARTC] RTNETLINK answers: Invalid argument usign wondershaper
Message-ID: <3F9E5C26.70800@elo.com.br>

Hi,

I compiled the last iproute2 version: iproute2-2.4.7-now-ss020116 and tried to use wondershaper.

It seems that I missed something so that I can not use htb.

# tc qdisc add dev eth0 root handle 1: htb
RTNETLINK answers: Invalid argument

The kernel is compiled with all QoS modules and the module sch_htb is loaded. Do I need to load any other modules before running this tc command?

Thanks,
Luciano Lima

From themel@iwoars.net Tue Oct 28 16:20:09 2003
From: themel@iwoars.net (Thomas Themel)
Date: Tue, 28 Oct 2003 17:20:09 +0100
Subject: [LARTC] fwmark routing of locally generated packets
In-Reply-To: <1067326504.1470.10.camel@drs0.manchotnetworks.net>
References: <20031028003209.GC15501@iwoars.net> <1067326504.1470.10.camel@drs0.manchotnetworks.net>
Message-ID: <20031028162009.GD15501@iwoars.net>

Hi,

christopher cuse (ccuse@manchotnetworks.net) wrote on 2003-10-28:
> i had the same issue ...
> try adding to your iptables:
>
> iptables --append POSTROUTING --table nat --match mark \
> --mark 0x3 --jump SNAT --to-source 62.46.87.104
>
> ip route flush cache

I already tried that (though with a different match):

> > I have also tried, unsuccessfully, to just mangle the source address
> > using an iptables SNAT rule, but even though that produces correct
> > network traffic, it seems to break something internally that keeps the
> > TCP handshake from completing:
> >
> > | sophokles:~# iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source
> > | 62.46.86.137
> > | sophokles:~# su - freenet
> > | freenet@sophokles:~$ nc iwoars.net 22
> > | 01:30:16.448930 62.46.86.137.32849 > 217.160.110.113.22: SWE
> > | 1656968486:1656968486(0) win 5840
> > | 0,nop,wscale 0> (DF)
> > | 01:30:16.516732 217.160.110.113.22 > 62.46.86.137.32849: S
> > | 2293250552:2293250552(0) ack 1656968487 win 32120
> > | 1460,sackOK,timestamp 313375234 2356000,nop,wscale 0> (DF)
> > | 01:30:19.448146 62.46.86.137.32849 > 217.160.110.113.22: SWE
> > | 1656968486:1656968486(0) win 5840
> > | 0,nop,wscale 0> (DF)
> > | 01:30:19.518099 217.160.110.113.22 > 62.46.86.137.32849: S
> > | 2293250552:2293250552(0) ack 1656968487 win 32120
> > | 1460,sackOK,timestamp 313375535 2356000,nop,wscale 0> (DF)
> > | 01:30:19.823023 217.160.110.113.22 > 62.46.86.137.32849: S
> > | 2293250552:2293250552(0) ack 1656968487 win 32120
> > | 1460,sackOK,timestamp 313375566 2356000,nop,wscale 0> (DF)

So, the packets go out with the correct source address, the SYN-ACK comes back from the target host, but the local IP stack then doesn't send the last ACK back because it doesn't feel that these packets belong to a local socket. That is quite understandable, since doing a netstat reveals that the socket believes it's using 192.168.1.1 as its source address (netstat output doesn't match tcpdump output from above, of course, because the tcpdump is from yesterday, but I did the same things).
| freenet@sophokles:~$ netstat -ant | grep SYN_SENT
| tcp 0 1 192.168.1.1:32915 217.160.110.113:22 SYN_SENT

Now, with the ugly hacks mounting, I've considered something like

iptables -A INPUT -i ppp0 -j DNAT --to-destination 192.168.1.1

but of course that doesn't work. At the core of the problem is still how the socket ever got to have the local address of 192.168.1.1. I'm pretty sure netcat doesn't bind to a specific local address, so it must be something in iproute2 behaving odd.

ciao,
--
[*Thomas Themel*]   Frankly, many of you on this list really need to
[extended contact]  be doused with gasoline and then lit.
[info provided in]
[*message header*]  - Tim May on cypherpunks

From stef.coene@docum.org Tue Oct 28 18:08:09 2003
From: stef.coene@docum.org (Stef Coene)
Date: Tue, 28 Oct 2003 19:08:09 +0100
Subject: [LARTC] Explanation reqd. for few (more than few!) concepts in TC
In-Reply-To: <20031028070600.84540.qmail@web20013.mail.yahoo.com>
References: <20031028070600.84540.qmail@web20013.mail.yahoo.com>
Message-ID: <200310281908.09031.stef.coene@docum.org>

On Tuesday 28 October 2003 08:06, Suraj Shankar wrote:
> Hi all,
> I am a system administrator trying to understand tc.
> I have been following the lartc documentation along
> with a few others. I am unable to understand few
> things explained in the howtos. Kindly help me with
> the same ...
> 1) Can somebody tell me the exact difference between a
> class and a qdisc? Martin Brown did try to explain to
> me but, I couldn't understand!

You have 2 types of qdiscs. The root qdisc is attached to the device itself and all packets are queued in this qdisc.
If this is a class-full qdisc (like htb or cbq) you can add classes. A class can contain some packets. You can stack the classes so you can add a class to a class. So a packet enters the root qdisc and is redirected to a class by a filter. You need to create your filters in such a way that the packets are placed in a class that contains no other classes. This class is named a leaf class. But the leaf class only contains the traffic and can not send them. To do so, you need to add a qdisc to that class. It's the qdisc that will send the packets. This can be a class-full qdisc so you can add classes, and restart the setup. But that will be a waste of CPU cycles. It's better to add a sfq qdisc or a fifo.

So, you have 1 root qdisc, some classes, some special classes : leaf-classes and another set of qdiscs.

> 2) When we talk about pfifo, what is the 'pack size'
> understood to be; example, when I set limit to 10
> (packets), how many bytes is my bucket?

Pfifo holds packets, so the total bytes depends on the size of your packets : tot_bytes = bucket * size_packets. You can also use bfifo. This is a bucket expressed in bytes.

> 3) 'HTB is suited for fixed bandwidth' ... by "fixed"
> what exactly is meant ... meaning can it be used where
> bandwidth is shared but at almost always a certain
> "fixed" bandwidth is available (even if available
> bandwidth exceeds, it will be by only a few bytes, for
> a short duration)?

Fixed means that you always have the same bandwidth available on the link. So no burst. This is needed because you have to make sure YOU are the bottleneck so if you have a 1000kbit/s link, you have to make sure you never send more than 996kbit/s.

> 4) Can somebody suggest which qdisc is most ideal (for
> shaping and scheduling) in a n/w where the ISP provides
> a (512Kbit) pipe, which is shared by multiple (4)
> clients but, an average of 45bytes can be expected at
> any point in time (although, it might exceed this)?
That's a difficult one, because YOU have to be the bottleneck to get some good shaping results. You can try the htb or the cbq qdisc and take a higher ceil than your link. You will not be the bottleneck and lose some control.

> 5) The lartc howto speaks about 'mpu' with reference
> to TBF, and states "for ethernet, no packet uses less
> than 64 bytes", can you please tell me whether 64
> bytes is the least possible; meaning adding 20 bytes
> of IP and 28 bytes of TCP, I believed a TCP/IP packet
> with no payload could exist of 48 bytes, is this
> possible? and if a payload must be added, should it be
> 16 bytes at least, can I not have a 52 byte ethernet
> packet? Kindly explain.
> Also, I am unable to see such a parameter when I do a
> tc...help, for TBF.

Sorry, no idea.

> 6) Could you please define the 'cell' parameter in a
> CBQ?

If you have a bounded class, the ceil is the rate. If it's not bounded, the ceil will be the rate of a bounded parent class.

> Also, I am unable to see maxburst, minburst, minidle,
> mpu, rate parameter options when I do a ... for ex. :
> 'tc qdisc add dev eth0 handle 1 root cbq help'

Just take some example tc commands and copy the parameters you don't know. The only parameters you have to change are rate and weight.

> 7) How do I set WRR, link sharing and borrowing
> parameters using TC?

Do you mean the wrr qdisc? See the homepage of the wrr qdisc.

> 8) Also, please pardon my ignorance but, do I need a
> filter for a classless qdisc, cause if I were to
> attach a classless qdisc to the root qdisc then by
> default all packets enter this qdisc and I believe I
> wouldn't have the scope to classify ... right/wrong?

Do you mean adding a class qdisc as the root qdisc or adding a class qdisc to a root qdisc? If you replace the root qdisc with a classless qdisc, you don't need a filter. If you add the class root qdisc to a root qdisc, you need a root qdisc with classes and add the class qdisc to a class.
So you need some filters to put the packets from the root qdisc to the class where the class qdisc is attached to.

More information on the subject can be found on http://www.docum.org.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From payal-lartc@staticky.com Tue Oct 28 18:19:14 2003
From: payal-lartc@staticky.com (Payal Rathod)
Date: Tue, 28 Oct 2003 23:49:14 +0530
Subject: [LARTC] routing ways
Message-ID: <20031028181914.GC1931@linux.local>

Hi,

This is just a hypothetical case (now) to get my basics cleared. If I have 2 different service providers A and B which provide me bandwidth. They terminate their lines on their two separate routers. So, one end of router has an external ip and the end connected to a switch in my LAN has an internal ip. So, I have two gateways to reach the internet i.e. 192.168.0.1 and 192.168.0.2

Now, I want to keep a Linux box which will be connected to the switch and serve as gateway for windows clients. My aim is random routing and NOT source-based routing. So, will this work properly as random router,

# route add -net default gw 192.168.0.1
# route add -net default gw 192.168.0.2

So, my routing table will carry entries like,

0.0.0.0 192.168.0.2 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0

So, in theory this will do random routing between two ISPs. But a friend of mine says that this won't work and this is a classic "one-lung router". He says that for such a thing to work I have to give two ips from different subnets like e.g. (just fake ips for examples)

# route add -net default gw 202.54.10.1
# route add -net default gw 61.11.191.11

And give two IPs from the respective subnets to my Linux box. Can someone please explain whether this and why my thinking may not work?

Thanks a lot and bye.
With warm regards,
-Payal

--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
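
The structure Stef Coene describes in his reply to Suraj above (one root qdisc, classes, leaf classes, and a qdisc on each leaf), written out as tc commands. This is an added example, not part of any post in the thread: the interface name, class ids, the 600/396 kbit split and the fwmark value are assumptions, while the 1000 kbit/s link shaped to 996 kbit and the pfifo limit of 10 are taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry run by default: every tc
# command is printed instead of executed. Run as root with TC=tc to apply.
TC="${TC:-echo tc}"
DEV="${DEV:-eth0}"   # assumed: the interface facing the 1000 kbit/s link
TOTAL=996            # kbit; just under the link rate, so this box is the bottleneck
MARK=1               # assumed fwmark, set elsewhere with iptables -j MARK

build_htb_tree() {
    # Root qdisc: attached to the device itself, every packet is queued here.
    # "default 20" sends anything no filter claims to leaf class 1:20.
    $TC qdisc add dev "$DEV" root handle 1: htb default 20

    # Inner class: contains other classes and carries the total rate.
    $TC class add dev "$DEV" parent 1: classid 1:1 htb rate "${TOTAL}kbit" ceil "${TOTAL}kbit"

    # Leaf classes: contain no other classes. Their rates add up to the
    # parent's rate (600 + 396 = 996); ceil lets each borrow idle bandwidth.
    $TC class add dev "$DEV" parent 1:1 classid 1:10 htb rate 600kbit ceil "${TOTAL}kbit"
    $TC class add dev "$DEV" parent 1:1 classid 1:20 htb rate 396kbit ceil "${TOTAL}kbit"

    # Leaf qdiscs: a class only holds traffic, the qdisc attached to it
    # sends the packets. sfq on one leaf, a plain packet fifo on the other.
    $TC qdisc add dev "$DEV" parent 1:10 handle 10: sfq perturb 10
    $TC qdisc add dev "$DEV" parent 1:20 handle 20: pfifo limit 10

    # Filter on the root qdisc: packets carrying the fwmark go to leaf 1:10.
    $TC filter add dev "$DEV" parent 1: protocol ip prio 1 handle "$MARK" fw classid 1:10
}

# pfifo limits packets, bfifo limits bytes. Bytes a pfifo can hold for a
# given limit ($1) and packet size ($2): tot_bytes = bucket * size_packets.
pfifo_bytes() {
    echo $(( $1 * $2 ))
}

build_htb_tree
echo "pfifo limit 10 with 1500-byte packets holds up to $(pfifo_bytes 10 1500) bytes"
```
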
From stef.coene@docum.org Tue Oct 28 18:18:42 2003 From: stef.coene@docum.org (Stef Coene) Date: Tue, 28 Oct 2003 19:18:42 +0100 Subject: [LARTC] Pakets marked but no shapeing is done In-Reply-To: <931113721.20031027232619@web.de> References: <1644514561.20031020184000@web.de> <200310202047.24542.stef.coene@docum.org> <931113721.20031027232619@web.de> Message-ID: <200310281918.42979.stef.coene@docum.org> On Monday 27 October 2003 22:26, Dragos Cinteza wrote: > In the last mail I only put the results of listing chains and classes. You never told us what's your LAN interface : eth0 or eth1? And you have double filters : for the src and dst. And that's not needed. You can not have packets with src and dst the same address on a nic. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From stef.coene@docum.org Tue Oct 28 17:52:16 2003 From: stef.coene@docum.org (Stef Coene) Date: Tue, 28 Oct 2003 18:52:16 +0100 Subject: [LARTC] RTNETLINK answers: Invalid argument usign wondershaper In-Reply-To: <3F9E5C26.70800@elo.com.br> References: <3F9E5C26.70800@elo.com.br> Message-ID: <200310281852.16084.stef.coene@docum.org> On Tuesday 28 October 2003 13:08, Luciano Lima wrote: > Hi, > > I compiled the last iproute2 version: iproute2-2.4.7-now-ss020116 and > tried to use wondershaper. > > It seams that I missed something so that I can not use htb. > > # tc qdisc add dev eth0 root handle 1: htb > RTNETLINK answers: Invalid argument > > The kernel is compiled with all QoS modules and the module sch_htb is > loaded. Do I need to load any other modules before running this tc command > ? You need a tc binary with htb support. You can find the patch on the htb website or a precompiled tc binary on the website of htb or on www.docum.org. 
Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From stef.coene@docum.org Tue Oct 28 18:12:24 2003 From: stef.coene@docum.org (Stef Coene) Date: Tue, 28 Oct 2003 19:12:24 +0100 Subject: [LARTC] Need help with HTB In-Reply-To: <004e01c39cda$e23762b0$6929a8c0@mihai> References: <004e01c39cda$e23762b0$6929a8c0@mihai> Message-ID: <200310281912.24332.stef.coene@docum.org> On Monday 27 October 2003 23:37, Mihai Tanasescu wrote: > I currently have a 128kbps cable link to the internet..and I'm sharing > this connection with others. > I've made the following script(for alocating bandwidth depending on the > services used: browsing, squid, games like counter-strike, icmp, ssh), > which unfortunately isn't working very well as the response times I'm > getting upon pinging the server are almost the same I get without the > htb script being loaded. > Any ideas ? > > 2. > > I have the same problem with a htb script on an adsl connection (with > the htb script I get ping response times of 80-90..without it I get > 200-300 ms...but these response times aren't very stable..it's > something > like I'm getting 40 ms..then 100 ms..then 50 ms..) > > Sorry about the size of this message. No problem. I don't see a problem with your script, but can you also post the output of tc -s -d class show dev eth0. And for eth1? Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From gdamjan@mail.net.mk Tue Oct 28 18:08:57 2003 From: gdamjan@mail.net.mk (Damjan) Date: Tue, 28 Oct 2003 19:08:57 +0100 Subject: [LARTC] Explanation reqd. for few (more than few!) concepts in TC In-Reply-To: <20031028070600.84540.qmail@web20013.mail.yahoo.com> References: <20031028070600.84540.qmail@web20013.mail.yahoo.com> Message-ID: <20031028180857.GC32698@legolas.on.net.mk> > 1) Can somebody tell me the exact difference between a > class and a qdisc? 
> Martin Brown did try to explain to
> me but, I couldn't understand!

The qdisc is what actually does the job. Some qdiscs allow you to define classes in them, but the kernel doesn't care about that. The kernel delivers a packet to the qdisc and it is up to it to decide what to do with it (classify the packet etc..)

> 3) 'HTB is suited for fixed bandwidth' ... by "fixed"
> what exactly is meant ... meaning can it be used where
> bandwidth is shared but at almost always a certain
> "fixed" bandwidth is available (even if available
> bandwidth exceeds, it will be by only a few bytes, for
> a short duration)?

Since HTB takes bandwidth as parameters, to really have any effect you'll have to know how much bandwidth precisely you have. Like if you have 128kbps ISDN, you must set HTB classes so that cumulative rates of the classes are not bigger than your real limit. If not the shaping will not be correct and precise.

> 5) The lartc howto speaks about 'mpu' with reference
> to TBF, and states "for ethernet, no packet uses less
> than 64 bytes", can you please tell me whether 64
> bytes is the least possible; meaning adding 20 bytes
> of IP and 28 bytes of TCP, I believed a TCP/IP packet
> with no payload could exist of 48 bytes, is this
> possible? and if a payload must be added, should it be
> 16 bytes at least, can I not have a 52 byte ethernet
> packet? Kindly explain.

Ethernet is not the same as TCP/IP! And TC can shape other protocols than IP. An ethernet packet (actually a frame) is:

8 bytes preamble
6 bytes src MAC address
6 bytes dst MAC address
2 bytes type
DATA (46–1500) bytes
4 bytes Checksum
= 72-1526 bytes, now the OS actually doesn't see the preamble so the minimal ethernet frame in the OS is 64 bytes.
-- Damjan Georgievski jabberID: damjan@bagra.net.mk From Mihai Tanasescu" <200310281912.24332.stef.coene@docum.org> Message-ID: <037101c39d93$68a0fc40$6929a8c0@mihai> This is the output I get from tc -s -d class show dev eth0 and eth1: serv:~# tc -s -d class show dev eth0 class htb 1:99 parent 1:1 leaf 990: prio 7 quantum 2560 rate 20Kbit ceil 90Kbit burst 1624b/8 mpu 0b cburst 1714b/8 mpu 0b level 0 Sent 4693480 bytes 28021 pkts (dropped 0, overlimits 0) rate 470bps 2pps lended: 26883 borrowed: 1138 giants: 0 tokens: 502079 ctokens: 117973 class htb 1:1 root rate 100Kbit ceil 100Kbit burst 1727b/8 mpu 0b cburst 1727b/8 mpu 0b level 7 Sent 38956319 bytes 489172 pkts (dropped 0, overlimits 0) rate 1771bps 18pps lended: 2994 borrowed: 0 giants: 0 tokens: 101376 ctokens: 101376 class htb 1:2 parent 1:1 prio 1 quantum 2560 rate 20Kbit ceil 20Kbit burst 1624b/8 mpu 0b cburst 1624b/8 mpu 0b level 0 Sent 33941 bytes 221 pkts (dropped 0, overlimits 0) lended: 221 borrowed: 0 giants: 0 tokens: 333119 ctokens: 333119 class htb 1:3 parent 1:1 leaf 30: prio 3 quantum 7680 rate 60Kbit ceil 90Kbit burst 1675b/8 mpu 0b cburst 1714b/8 mpu 0b level 0 Sent 34228898 bytes 460930 pkts (dropped 0, overlimits 0) rate 1362bps 17pps lended: 459074 borrowed: 1856 giants: 0 tokens: 163413 ctokens: 111717 serv:~# tc -s -d class show dev eth1 class htb 2:99 parent 2:1 leaf 299: prio 5 quantum 3840 rate 30Kbit ceil 90Kbit burst 1637b/8 mpu 0b cburst 1714b/8 mpu 0b level 0 Sent 109217144 bytes 335470 pkts (dropped 0, overlimits 0) rate 1927bps 13pps lended: 277195 borrowed: 58275 giants: 0 tokens: 244309 ctokens: 103297 class htb 2:1 root rate 100Kbit ceil 100Kbit burst 1727b/8 mpu 0b cburst 1727b/8 mpu 0b level 7 Sent 172060944 bytes 480526 pkts (dropped 0, overlimits 0) rate 2186bps 14pps lended: 68187 borrowed: 0 giants: 0 tokens: 96257 ctokens: 96257 class htb 2:2 parent 2:1 prio 1 quantum 8960 rate 70Kbit ceil 90Kbit burst 1688b/8 mpu 0b cburst 1714b/8 mpu 0b level 0 Sent 62843800 bytes 
145056 pkts (dropped 18, overlimits 0) rate 259bps lended: 135144 borrowed: 9912 giants: 0 tokens: 150034 ctokens: 118543 > On Monday 27 October 2003 23:37, Mihai Tanasescu wrote: > > I currently have a 128kbps cable link to the internet..and I'm sharing > > this connection with others. > > I've made the following script(for alocating bandwidth depending on the > > services used: browsing, squid, games like counter-strike, icmp, ssh), > > which unfortunately isn't working very well as the response times I'm > > getting upon pinging the server are almost the same I get without the > > htb script being loaded. > > Any ideas ? > > > > 2. > > > > I have the same problem with a htb script on an adsl connection (with > > the htb script I get ping response times of 80-90..without it I get > > 200-300 ms...but these response times aren't very stable..it's > > something > > like I'm getting 40 ms..then 100 ms..then 50 ms..) > > > > Sorry about the size of this message. > No problem. > I don't see a problem with your script, but can you also post the output of tc > -s -d class show dev eth0. And for eth1? 
> > Stef > > -- > stef.coene@docum.org > "Using Linux as bandwidth manager" > http://www.docum.org/ > #lartc @ irc.openprojects.net > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > From stef.coene@docum.org Tue Oct 28 21:05:10 2003 From: stef.coene@docum.org (Stef Coene) Date: Tue, 28 Oct 2003 22:05:10 +0100 Subject: [LARTC] Need help with HTB In-Reply-To: <037101c39d93$68a0fc40$6929a8c0@mihai> References: <004e01c39cda$e23762b0$6929a8c0@mihai> <200310281912.24332.stef.coene@docum.org> <037101c39d93$68a0fc40$6929a8c0@mihai> Message-ID: <200310282205.10695.stef.coene@docum.org> On Tuesday 28 October 2003 21:38, Mihai Tanasescu wrote: > This is the output I get from tc -s -d class show dev eth0 and eth1: > > serv:~# tc -s -d class show dev eth0 > > class htb 1:99 parent 1:1 leaf 990: prio 7 quantum 2560 rate 20Kbit ceil > 90Kbit burst 1624b/8 mpu 0b cburst 1714b/8 mpu 0b level 0 > Sent 4693480 bytes 28021 pkts (dropped 0, overlimits 0) > rate 470bps 2pps > lended: 26883 borrowed: 1138 giants: 0 > tokens: 502079 ctokens: 117973 > > class htb 1:1 root rate 100Kbit ceil 100Kbit burst 1727b/8 mpu 0b cburst > 1727b/8 mpu 0b level 7 > Sent 38956319 bytes 489172 pkts (dropped 0, overlimits 0) > rate 1771bps 18pps > lended: 2994 borrowed: 0 giants: 0 > tokens: 101376 ctokens: 101376 > > class htb 1:2 parent 1:1 prio 1 quantum 2560 rate 20Kbit ceil 20Kbit > burst 1624b/8 mpu 0b cburst 1624b/8 mpu 0b level 0 > Sent 33941 bytes 221 pkts (dropped 0, overlimits 0) > lended: 221 borrowed: 0 giants: 0 > tokens: 333119 ctokens: 333119 > > class htb 1:3 parent 1:1 leaf 30: prio 3 quantum 7680 rate 60Kbit ceil > 90Kbit burst 1675b/8 mpu 0b cburst 1714b/8 mpu 0b level 0 > Sent 34228898 bytes 460930 pkts (dropped 0, overlimits 0) > rate 1362bps 17pps > lended: 459074 borrowed: 1856 giants: 0 > tokens: 163413 ctokens: 111717 > > serv:~# tc -s -d class show dev eth1 > 
> > class htb 2:99 parent 2:1 leaf 299: prio 5 quantum 3840 rate 30Kbit ceil > 90Kbit burst 1637b/8 mpu 0b cburst 1714b/8 mpu 0b level 0 > Sent 109217144 bytes 335470 pkts (dropped 0, overlimits 0) > rate 1927bps 13pps > lended: 277195 borrowed: 58275 giants: 0 > tokens: 244309 ctokens: 103297 > > class htb 2:1 root rate 100Kbit ceil 100Kbit burst 1727b/8 mpu 0b cburst > 1727b/8 mpu 0b level 7 > Sent 172060944 bytes 480526 pkts (dropped 0, overlimits 0) > rate 2186bps 14pps > lended: 68187 borrowed: 0 giants: 0 > tokens: 96257 ctokens: 96257 > > class htb 2:2 parent 2:1 prio 1 quantum 8960 rate 70Kbit ceil 90Kbit > burst 1688b/8 mpu 0b cburst 1714b/8 mpu 0b level 0 > Sent 62843800 bytes 145056 pkts (dropped 18, overlimits 0) > rate 259bps > lended: 135144 borrowed: 9912 giants: 0 > tokens: 150034 ctokens: 118543 I'm afraid it's not so easy to get better results. You allmost have no borrowed packets so none of your classes are over limited. And tokens/ctokens is never negative so you have tokens enough to send something. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From Rokas Tue Oct 28 22:37:48 2003 From: Rokas (Rokas) Date: Wed, 29 Oct 2003 00:37:48 +0200 Subject: [LARTC] Policy routing with IPTABLES MARK Message-ID: <10144303314.20031029003748@centras.lt> Hello, I have a LINUX server with two internet connections available. One connection is the default route. I want all the traffic to go over this default route, but HTTP traffic to go over line #2. I think the configuration should be similar to source policy routing. I have tried source policy routing when I had to route one local computer via second ISP link. But now, as I understand, I need to mark the packets with destination port 80 and route them via the second ISP link. 
I have tried to put marking rules: echo 200 isp2 >> /etc/iproute2/rt_tables iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK --set-mark 1 ip rule add fwmark 1 table isp2 ip route add default via 192.168.2.113 dev eth1 table isp2 But it doesn't work for me. The #2 line is connected to the same Ethernet card as LAN, perhaps this is the bug ??? But if I use a rule: ip rule from 192.168.2.24 table isp2 , it works OK: local computer 192.168.2.24 comes out to the internet via ISP2 line. But I can't reach the same situation with IPTABLES/MARK IP RULE FWMARK tools... :( I would be very grateful if you gave me as much information as possible about my problem. Rokas Zakarevicius From andy.furniss@dsl.pipex.com Wed Oct 29 00:32:15 2003 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Wed, 29 Oct 2003 00:32:15 +0000 Subject: [LARTC] Need help with HTB In-Reply-To: <004e01c39cda$e23762b0$6929a8c0@mihai> References: <004e01c39cda$e23762b0$6929a8c0@mihai> Message-ID: <03102900321500.00666@MBC> On Monday 27 October 2003 10:37 pm, Mihai Tanasescu wrote: > Hello, > > 1. > > I currently have a 128kbps cable link to the internet..and I'm sharing > this connection with others. > I have the same problem with a htb script on an adsl connection (with > the htb script I get ping response times of 80-90..without it I get > 200-300 ms...but these response times aren't very stable..it's > something > like I'm getting 40 ms..then 100 ms..then 50 ms..) I am a newbie and don't yet fully understand the HTB stuff, but have experimented with others scripts/programs and thought about QOS for latency - which is what I will be aiming for when my home network is eventually finished. With an uplink of 128000 and MTU 1500 then you would expect this behavior as a 1500 byte packet will take >90ms to get up the wire. Reducing MTU should help, also quantum/burst should be small enough to release only one packet - I notice some big quantums in your other mail. 
I don't know about cable, but with dsl some MTUs are more efficient than others - which are best depends on whether your dsl uses pppoa or pppoe etc. Andy. From eturner@monash.edu.my Mon Oct 27 08:08:40 2003 From: eturner@monash.edu.my (Edmund Turner) Date: Mon, 27 Oct 2003 16:08:40 +0800 Subject: [LARTC] (no subject) Message-ID: <002401c39c61$8bc63790$de0018ac@admin.monash.edu.my> Hey guys and gals, Sorry for the 'newbie' question, but I would like to get some help on configuring my HTB qdiscs form my network. My network setup: LAN --> Firewall --> Router -->Internet | | --> DMZ So much for the Ascii artist in me. :) The firewall has 3 interfaces: Eth0 = LAN --> 100Mbps NIC Eth1 = DMZ --> 100Mbps NIC Eth2 = Internet --> 4MB link to internet Backgrond: DMZ Zone Eth1: Web/FTP, and SMTP servers. (100Mbps switches and NICs) I notice that users download A LOT of data at high transfer rates from a servers in DMZ zone. WEB/FTP server :10.100.1.1/24 SMTP server:10.100.1.2/24 LAN Eth0: I have 3 different VLANs to categories the 3 different departments. VLAN1 -192.168.1.0/24 VLAN2 -192.168.2.0/24 VLAN3 -192.168.3.0/24 External Eth2 : 4MB Leased line to the internet. Currently my router that is connected to the 4MB leased line is becoming the bottleneck! How do I make the firewall Eth0 become the bottleneck???? Should I limit it to 10mbits as such: tc qdisc add dev eth0 root handle 1: htb default 10 tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit My objectives: 1.) I want to limit the bandwidth from the WEB/FTP servers from the DMZ to either the internet or the LAN. 
This is what I did: tc qdisc add dev eth0 root handle 1: htb default 10 tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbps ceil 256kbps prio 7 tc filter add dev eth0 protocol ip parent 1:1 prio 7 handle 7 fw classid 1:10 tc qdisc add dev eth1 root handle 2: htb default 10 tc class add dev eth1 parent 2: classid 2:1 htb rate 3840kbps tc class add dev eth1 parent 2:1 classid 2:10 htb rate 128kbps ceil 128kbps prio 7 tc filter add dev eth1 protocol ip parent 2:1 prio 7 handle 7 fw classid 2:10 tc qdisc add dev eth2 root handle 3: htb default 10 tc class add dev eth2 parent 3: classid 3:1 htb rate 3840kbps tc class add dev eth2 parent 3:1 classid 3:10 htb rate 128kbps prio 7 tc filter add dev eth2 protocol ip parent 3:1 prio 7 handle 7 fw classid 3:10 /sbin/iptables -A PREROUTING -I eth1 -s 10.100.1.1 -t mangle -j MARK --set-mark 7 /sbin/iptables -A PREROUTING -I eth1 -d 10.100.1.1 -t mangle -j MARK --set-mark 7 After testing Via FTP/web downloads. It appears that Ive managed to limit the amount of bandwidth thru and from the FTP/WEB server from the DMZ. All other traffic (internet surfing etc) will fall into the default rules correct? Did I miss anything out? I would like to limit the max amount of bandwidth on Eth0 to 10MB I would like to limit the max amount of bandwidth on Eth0 to 3840kbps I would like to limit the max amount of bandwidth on Eth2 to 3840kbps. (4MB leased line to internet. Did I accomplish this? Any help in anyway is appreciated! Regards edmund From eturner@monash.edu.my Tue Oct 28 07:21:37 2003 From: eturner@monash.edu.my (Edmund Turner) Date: Tue, 28 Oct 2003 15:21:37 +0800 Subject: [LARTC] Basic Traffic Control Message-ID: <00dd01c39d24$20155bc0$de0018ac@admin.monash.edu.my> Hey guys and gals, Sorry for the 'newbie' question, but I would like to get some help on configuring my HTB qdiscs for my network. 
My network setup:

LAN --> Firewall --> Router --> Internet
           |
           |
           --> DMZ

So much for the Ascii artist in me. :)

The firewall has 3 interfaces:
Eth0 = LAN --> 100Mbps NIC
Eth1 = DMZ --> 100Mbps NIC
Eth2 = Internet --> 4MB link to internet

Background:

DMZ Zone Eth1: Web/FTP, and SMTP servers. (100Mbps switches and NICs)
WEB/FTP server :10.100.1.1/24
SMTP server:10.100.1.2/24

LAN Eth0: I have 3 different VLANs to categorise the 3 different departments.
VLAN1 -192.168.1.0/24
VLAN2 -192.168.2.0/24
VLAN3 -192.168.3.0/24

External Eth2 : 4MB Leased line to the internet.

Currently my router that is connected to the 4MB leased line is becoming the bottleneck!

1.) How do I make the firewall Eth0 become the bottleneck???? Should I limit it to 10mbits as such:

tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit

2.) I want to limit the bandwidth from the WEB/FTP servers from the DMZ to either the internet or the LAN.

This is what I did:

tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbps ceil 256kbps prio 7
tc filter add dev eth0 protocol ip parent 1:1 prio 7 handle 7 fw classid 1:10

tc qdisc add dev eth1 root handle 2: htb default 10
tc class add dev eth1 parent 2: classid 2:1 htb rate 3840kbps
tc class add dev eth1 parent 2:1 classid 2:10 htb rate 128kbps ceil 128kbps prio 7
tc filter add dev eth1 protocol ip parent 2:1 prio 7 handle 7 fw classid 2:10

tc qdisc add dev eth2 root handle 3: htb default 10
tc class add dev eth2 parent 3: classid 3:1 htb rate 3840kbps
tc class add dev eth2 parent 3:1 classid 3:10 htb rate 128kbps prio 7
tc filter add dev eth2 protocol ip parent 3:1 prio 7 handle 7 fw classid 3:10

/sbin/iptables -A PREROUTING -I eth1 -s 10.100.1.1 -t mangle -j MARK --set-mark 7
/sbin/iptables -A PREROUTING -I eth1 -d 10.100.1.1 -t mangle -j MARK --set-mark 7

After testing via FTP/web downloads, it appears that I've managed to limit the amount of bandwidth thru and from the FTP/WEB server from the DMZ. All other traffic (internet surfing etc) will fall into the default rules, correct? Did I miss anything out?

What I would like to accomplish :
I would like to limit the max amount of bandwidth on Eth0 to 10MB
I would like to limit the max amount of bandwidth on Eth0 to 3840kbps
I would like to limit the max amount of bandwidth on Eth2 to 3840kbps. (4MB leased line to internet.)

Did I accomplish this?

Any help in any way is appreciated!

Regards
edmund

From eturner@monash.edu.my Wed Oct 29 02:46:22 2003
From: eturner@monash.edu.my (Edmund Turner)
Date: Wed, 29 Oct 2003 10:46:22 +0800
Subject: [LARTC] HELP!!! Conflicting HTB rates
Message-ID: <00b701c39dc6$d7b73760$de0018ac@admin.monash.edu.my>

Hey everyone,

I'm trying to configure my HTB qdiscs for my network.

My network setup:

LAN --> Firewall --> Router --> Internet
           |
           |
           --> DMZ

The firewall has 3 interfaces:
Eth0 = LAN --> 100Mbps NIC
Eth1 = DMZ --> 100Mbps NIC
Eth2 = Internet --> 4MB link to internet

Background:

DMZ Zone Eth1: Web/FTP, and SMTP servers. (100Mbps switches and NICs)
WEB/FTP server :10.100.1.1/24
SMTP server:10.100.1.2/24

LAN Eth0: I have 3 different VLANs to categorise the 3 different departments.
VLAN1 -192.168.1.0/24
VLAN2 -192.168.2.0/24
VLAN3 -192.168.3.0/24

External Eth2 : 4MB Leased line to the internet.

Currently my router that is connected to the 4MB leased line is becoming the bottleneck!

1.) How do I make the firewall Eth0 become the bottleneck???? Should I limit it to 10mbits as such:

tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit

2.) I want to limit the bandwidth from the WEB/FTP servers from the DMZ to either the internet or the LAN.
This is what I did:

tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbps ceil 256kbps prio 7
tc filter add dev eth0 protocol ip parent 1:1 prio 7 handle 7 fw classid 1:10

tc qdisc add dev eth1 root handle 2: htb default 10
tc class add dev eth1 parent 2: classid 2:1 htb rate 3840kbps
tc class add dev eth1 parent 2:1 classid 2:10 htb rate 128kbps ceil 128kbps prio 7
tc filter add dev eth1 protocol ip parent 2:1 prio 7 handle 7 fw classid 2:10

tc qdisc add dev eth2 root handle 3: htb default 10
tc class add dev eth2 parent 3: classid 3:1 htb rate 3840kbps
tc class add dev eth2 parent 3:1 classid 3:10 htb rate 128kbps prio 7
tc filter add dev eth2 protocol ip parent 3:1 prio 7 handle 7 fw classid 3:10

/sbin/iptables -A PREROUTING -I eth1 -s 10.100.1.1 -t mangle -j MARK --set-mark 7
/sbin/iptables -A PREROUTING -I eth1 -d 10.100.1.1 -t mangle -j MARK --set-mark 7

After testing via FTP/web downloads, it appears that I've managed to limit the amount of bandwidth thru and from the FTP/WEB server from the DMZ. All other traffic (internet surfing etc) will fall into the default rules, correct? Did I miss anything out?

What I would like to accomplish :
I would like to limit the max amount of bandwidth on Eth0 to 10MB, limit the max amount of bandwidth on Eth1 to 3840kbps and limit the max amount of bandwidth on Eth2 to 3840kbps. (4MB leased line to internet.)

Did I accomplish this?

I executed a tc -s class show dev eth$ and noticed that the default values were wrong for both eth1 and eth2!
root@gate2 root]# tc -s class show dev eth0
class htb 1:1 root rate 10Mbit ceil 10Mbit burst 14704b cburst 14704b
 Sent 114648626 bytes 157670 pkts (dropped 0, overlimits 0)
 rate 133156bps 221pps
 lended: 43368 borrowed: 0 giants: 0
 tokens: 7303 ctokens: 7303

class htb 1:10 parent 1:1 prio 7 rate 1Mbit ceil 2Mbit burst 2909b cburst 4220b
 Sent 114617144 bytes 157600 pkts (dropped 0, overlimits 0)
 rate 133156bps 221pps backlog 5p
 lended: 114302 borrowed: 43368 giants: 0
 tokens: -13123 ctokens: -13466

[root@gate2 root]# tc -s class show dev eth1
class htb 2:1 root rate 16Mbit ceil 16Mbit burst 22567b cburst 22567b
 Sent 27918685 bytes 53295 pkts (dropped 0, overlimits 0)
 rate 890Kbit 122pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 8780 ctokens: 8780

class htb 2:10 parent 2:1 prio 7 rate 1Mbit ceil 1Mbit burst 2909b cburst 2909b
 Sent 27905157 bytes 53263 pkts (dropped 0, overlimits 0)
 rate 890Kbit 122pps
 lended: 53295 borrowed: 0 giants: 0
 tokens: 17589 ctokens: 17589

[root@gate2 root]# tc -s class show dev eth2
class htb 3:1 root rate 30Mbit ceil 30Mbit burst 40914b cburst 40914b
 Sent 17969859 bytes 119438 pkts (dropped 0, overlimits 0)
 rate 20777bps 165pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 8515 ctokens: 8515

class htb 3:10 parent 3:1 prio 7 rate 1Mbit ceil 1Mbit burst 2909b cburst 2909b
 Sent 17965779 bytes 119398 pkts (dropped 0, overlimits 0)
 rate 20777bps 165pps
 lended: 119438 borrowed: 0 giants: 0
 tokens: 17888 ctokens: 17888

[root@gate2 root]#

Any help in any way is appreciated!

Regards
edmund

From eturner@monash.edu.my Wed Oct 29 07:35:00 2003
From: eturner@monash.edu.my (Edmund Turner)
Date: Wed, 29 Oct 2003 15:35:00 +0800
Subject: [LARTC] RE: HELP!!! Conflicting HTB rates
Message-ID: <00e601c39def$292fd110$de0018ac@admin.monash.edu.my>

Hey everyone,

I'm trying to configure my HTB qdiscs for my network.
My network setup:

LAN --> Firewall --> Router --> Internet
           |
           |
           --> DMZ

The firewall has 3 interfaces:
Eth0 = LAN --> 100Mbps NIC
Eth1 = DMZ --> 100Mbps NIC
Eth2 = Internet --> 4MB link to internet

Background:

DMZ Zone Eth1: Web/FTP, and SMTP servers. (100Mbps switches and NICs)
WEB/FTP server :10.100.1.1/24
SMTP server:10.100.1.2/24

LAN Eth0: I have 3 different VLANs to categorise the 3 different departments.
VLAN1 -192.168.1.0/24
VLAN2 -192.168.2.0/24
VLAN3 -192.168.3.0/24

External Eth2 : 4MB Leased line to the internet.

Currently my router that is connected to the 4MB leased line is becoming the bottleneck!

1.) How do I make the firewall Eth0 become the bottleneck???? Should I limit it to 10mbits as such:

tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit

2.) I want to limit the bandwidth from the WEB/FTP servers from the DMZ to either the internet or the LAN.

This is what I did:

tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbps ceil 256kbps prio 7
tc filter add dev eth0 protocol ip parent 1:1 prio 7 handle 7 fw classid 1:10

tc qdisc add dev eth1 root handle 2: htb default 10
tc class add dev eth1 parent 2: classid 2:1 htb rate 3840kbps
tc class add dev eth1 parent 2:1 classid 2:10 htb rate 128kbps ceil 128kbps prio 7
tc filter add dev eth1 protocol ip parent 2:1 prio 7 handle 7 fw classid 2:10

tc qdisc add dev eth2 root handle 3: htb default 10
tc class add dev eth2 parent 3: classid 3:1 htb rate 3840kbps
tc class add dev eth2 parent 3:1 classid 3:10 htb rate 128kbps prio 7
tc filter add dev eth2 protocol ip parent 3:1 prio 7 handle 7 fw classid 3:10

/sbin/iptables -A PREROUTING -I eth1 -s 10.100.1.1 -t mangle -j MARK --set-mark 7
/sbin/iptables -A PREROUTING -I eth1 -d 10.100.1.1 -t mangle -j MARK --set-mark 7

After testing via FTP/web downloads, it appears that I've managed to limit the amount of bandwidth thru and from the FTP/WEB server from the DMZ. All other traffic (internet surfing etc) will fall into the default rules, correct? Did I miss anything out?

What I would like to accomplish :
I would like to limit the max amount of bandwidth on Eth0 to 10MB, limit the max amount of bandwidth on Eth1 to 3840kbps and limit the max amount of bandwidth on Eth2 to 3840kbps. (4MB leased line to internet.)

Did I accomplish this?

I executed a tc -s class show dev eth$ and noticed that the default values were wrong for both eth1 and eth2!

root@gate2 root]# tc -s class show dev eth0
class htb 1:1 root rate 10Mbit ceil 10Mbit burst 14704b cburst 14704b
 Sent 114648626 bytes 157670 pkts (dropped 0, overlimits 0)
 rate 133156bps 221pps
 lended: 43368 borrowed: 0 giants: 0
 tokens: 7303 ctokens: 7303

class htb 1:10 parent 1:1 prio 7 rate 1Mbit ceil 2Mbit burst 2909b cburst 4220b
 Sent 114617144 bytes 157600 pkts (dropped 0, overlimits 0)
 rate 133156bps 221pps backlog 5p
 lended: 114302 borrowed: 43368 giants: 0
 tokens: -13123 ctokens: -13466

[root@gate2 root]# tc -s class show dev eth1
class htb 2:1 root rate 16Mbit ceil 16Mbit burst 22567b cburst 22567b
 Sent 27918685 bytes 53295 pkts (dropped 0, overlimits 0)
 rate 890Kbit 122pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 8780 ctokens: 8780

class htb 2:10 parent 2:1 prio 7 rate 1Mbit ceil 1Mbit burst 2909b cburst 2909b
 Sent 27905157 bytes 53263 pkts (dropped 0, overlimits 0)
 rate 890Kbit 122pps
 lended: 53295 borrowed: 0 giants: 0
 tokens: 17589 ctokens: 17589

[root@gate2 root]# tc -s class show dev eth2
class htb 3:1 root rate 30Mbit ceil 30Mbit burst 40914b cburst 40914b
 Sent 17969859 bytes 119438 pkts (dropped 0, overlimits 0)
 rate 20777bps 165pps
 lended: 0 borrowed: 0 giants: 0
 tokens: 8515 ctokens: 8515

class htb 3:10 parent 3:1 prio 7 rate 1Mbit ceil 1Mbit burst 2909b cburst 2909b
 Sent 17965779 bytes 119398 pkts (dropped 0, overlimits 0)
 rate 20777bps 165pps
 lended: 119438
 borrowed: 0 giants: 0
 tokens: 17888 ctokens: 17888

[root@gate2 root]#

Any help in any way is appreciated!

Regards
edmund

From Dragoş C."
References: <1644514561.20031020184000@web.de> <200310202047.24542.stef.coene@docum.org>
Message-ID: <931113721.20031027232619@web.de>

In the last mail I only put the results of listing chains and classes. This is how the chains are made:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog

# Flush all rules and delete all custom chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X

# Set up policies
/sbin/iptables -P INPUT DROP # Changed from ACCEPT to DROP for selective access, with the exception of HTTP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT

# This chain will log, then DROPs "Xmas" and Null packets which might
# indicate a port-scan attempt
/sbin/iptables -N PSCAN
/sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
/sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
/sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
/sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
/sbin/iptables -A PSCAN -j DROP

# Disallow packets frequently used by port-scanners, XMas and Null
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j PSCAN
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j PSCAN
/sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PSCAN

# Limit Packets- helps reduce dos/syn attacks
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec

# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING

# Accept everything connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.1 -m mac --mac-source 00-02-44-67-30-30 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.2 -m mac --mac-source 00-02-44-67-30-5E -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.3 -m mac --mac-source 00-02-44-59-71-40 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.4 -m mac --mac-source 00-D0-09-D5-6B-12 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.5 -m mac --mac-source 00-50-FC-9D-7A-5B -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.6 -m mac --mac-source 00-80-5F-8F-C2-48 -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -s 192.168.1.7 -m mac --mac-source 00-06-4F-05-FB-16 -j ACCEPT

/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -d 192.168.1.5 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 193.108.54.37 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 128.242.207.197 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 80.86.96.1 -j DROP
/sbin/iptables -A CUSTOMFORWARD -s 213.157.170.39 -j DROP

/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.2 -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.3 -j MARK --set-mark 3
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.4 -j MARK --set-mark 4
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.5 -j MARK --set-mark 5
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.6 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.7 -j MARK --set-mark 7
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-67-30-30 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-67-30-5E -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-02-44-59-71-40 -j MARK --set-mark 3
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-D0-09-D5-6B-12 -j MARK --set-mark 4
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-50-FC-9D-7A-5B -j MARK --set-mark 5
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-80-5F-8F-C2-48 -j MARK --set-mark 6
/sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -m mac --mac-source 00-06-4F-05-FB-16 -j MARK --set-mark 7

/sbin/iptables -A INPUT -i ipsec+ -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT

# Custom prerouting chains (for transparent proxy and port forwarding)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW

# last rule in input and forward chain is for logging.
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "

# Accept everything connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT

$GREEN_DEV is the LAN interface and here are the tc commands:

# clean existing down- and uplink qdiscs, hide errors
tc qdisc del dev eth1 root 2> /dev/null > /dev/null
tc qdisc del dev eth1 ingress 2> /dev/null > /dev/null
tc qdisc del dev eth0 root 2> /dev/null > /dev/null
tc qdisc del dev eth0 ingress 2> /dev/null > /dev/null

tc qdisc add dev eth1 root handle 10: htb r2q 1
tc class add dev eth1 parent 10: classid 10:10 htb rate 125kbit ceil 125kbit quantum 2250 burst 60k

tc class add dev eth1 parent 10:10 classid 10:1 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.1 flowid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.1 flowid 10:1

tc class add dev eth1 parent 10:10 classid 10:2 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.2 flowid 10:2
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.2 flowid 10:2

tc class add dev eth1 parent 10:10 classid 10:3 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 3 fw classid 10:3
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.3 flowid 10:3
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.3 flowid 10:3

tc class add dev eth1 parent 10:10 classid 10:4 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 4 fw classid 10:4
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.4 flowid 10:4
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.4 flowid 10:4

tc class add dev eth1 parent 10:10 classid 10:5 htb rate 20kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 5 fw classid 10:5
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.5 flowid 10:5
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.5 flowid 10:5

tc class add dev eth1 parent 10:10 classid 10:6 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 6 fw classid 10:6
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.6 flowid 10:6
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.6 flowid 10:6

tc class add dev eth1 parent 10:10 classid 10:7 htb rate 18kbit ceil 125kbit quantum 1500 prio 3 burst 60k
tc filter add dev eth1 parent 10: protocol ip handle 7 fw classid 10:7
tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.7 flowid 10:7
tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.7 flowid 10:7

From ganeshkumar@signal-networks.com Wed Oct 29 13:09:12 2003
From: ganeshkumar@signal-networks.com (Ganesh Kumar)
Date: Wed, 29 Oct 2003 18:39:12 +0530
Subject: [LARTC] unsubscribe
Message-ID: <017101c39e1d$daa9ff00$0c01a8c0@signet.local>

Blank
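The HTB class definitions in the two tc posts above can be checked mechanically. The Python sketch below is an added example, not code from either poster: it converts tc rate strings to bits per second (in tc the "bps" suffixes mean bytes per second, the "bit" suffixes bits per second) and flags any parent class whose children's guaranteed rates add up to more than the parent's own rate. The 1024 multiplier is an assumption, chosen because it reproduces the tc -s values quoted above for eth0 and eth2 (128kbps shown as 1Mbit, 3840kbps as 30Mbit); all function and variable names are illustrative.

```python
import re


def rate_to_bits(text, k=1024):
    """Convert a tc rate string to bits per second.

    'bit', 'kbit', 'mbit' are bits per second; 'bps', 'kbps', 'mbps' are
    BYTES per second. k is the kilo multiplier (assumption: 1024, which
    matches the tc output quoted in the posts; pass k=1000 for decimal).
    """
    m = re.fullmatch(r"(\d+)(bit|kbit|mbit|bps|kbps|mbps)", text.lower())
    if m is None:
        raise ValueError(f"unsupported tc rate: {text!r}")
    bits_per_unit = {"bit": 1, "kbit": k, "mbit": k * k,
                     "bps": 8, "kbps": 8 * k, "mbps": 8 * k * k}
    return int(m.group(1)) * bits_per_unit[m.group(2)]


CLASS_RE = re.compile(
    r"tc class add dev (?P<dev>\S+) parent (?P<parent>\S+) "
    r"classid (?P<classid>\S+) htb rate (?P<rate>\S+)(?: ceil (?P<ceil>\S+))?")


def parse_classes(script, k=1024):
    """Extract every 'tc class add ... htb' line; ceil defaults to rate."""
    classes = []
    for m in CLASS_RE.finditer(script):
        rate = rate_to_bits(m["rate"], k)
        ceil = rate_to_bits(m["ceil"], k) if m["ceil"] else rate
        classes.append({"dev": m["dev"], "parent": m["parent"],
                        "classid": m["classid"], "rate": rate, "ceil": ceil})
    return classes


def oversubscribed(classes):
    """Return (dev, classid, parent_rate, sum_of_child_rates) for each
    parent class whose children are guaranteed more than it has."""
    by_id = {(c["dev"], c["classid"]): c for c in classes}
    child_sum = {}
    for c in classes:
        key = (c["dev"], c["parent"])
        if key in by_id:  # skip classes hanging directly off the qdisc
            child_sum[key] = child_sum.get(key, 0) + c["rate"]
    return [(dev, cid, by_id[(dev, cid)]["rate"], total)
            for (dev, cid), total in child_sum.items()
            if total > by_id[(dev, cid)]["rate"]]


# Class lines copied from the "Conflicting HTB rates" post.
HTB_RATES_POST = """\
tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbps ceil 256kbps prio 7
tc class add dev eth1 parent 2: classid 2:1 htb rate 3840kbps
tc class add dev eth1 parent 2:1 classid 2:10 htb rate 128kbps ceil 128kbps prio 7
tc class add dev eth2 parent 3: classid 3:1 htb rate 3840kbps
tc class add dev eth2 parent 3:1 classid 3:10 htb rate 128kbps prio 7
"""

# Class lines copied from the per-host shaper script that follows it.
SHAPER_SCRIPT_POST = """\
tc class add dev eth1 parent 10: classid 10:10 htb rate 125kbit ceil 125kbit quantum 2250 burst 60k
tc class add dev eth1 parent 10:10 classid 10:1 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc class add dev eth1 parent 10:10 classid 10:2 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc class add dev eth1 parent 10:10 classid 10:3 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc class add dev eth1 parent 10:10 classid 10:4 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc class add dev eth1 parent 10:10 classid 10:5 htb rate 20kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc class add dev eth1 parent 10:10 classid 10:6 htb rate 18kbit ceil 125kbit quantum 1500 prio 2 burst 60k
tc class add dev eth1 parent 10:10 classid 10:7 htb rate 18kbit ceil 125kbit quantum 1500 prio 3 burst 60k
"""

if __name__ == "__main__":
    for name, script in (("HTB rates post", HTB_RATES_POST),
                         ("shaper script post", SHAPER_SCRIPT_POST)):
        classes = parse_classes(script)
        print(name)
        for c in classes:
            print(f"  {c['dev']} {c['classid']}: rate {c['rate'] // 1024} Kbit/s,"
                  f" ceil {c['ceil'] // 1024} Kbit/s")
        for dev, cid, parent_rate, total in oversubscribed(classes):
            print(f"  {dev} {cid}: children are guaranteed {total} bit/s,"
                  f" parent has {parent_rate} bit/s")
```

On these samples it reports class 3:1 at 30720 Kbit/s, the 30Mbit shown in the tc -s output, and flags 10:10, whose seven children are guaranteed 128 kbit against a 125 kbit parent.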
From su_raj_in@yahoo.com Wed Oct 29 14:23:25 2003
From: su_raj_in@yahoo.com (Suraj Shankar)
Date: Wed, 29 Oct 2003 06:23:25 -0800 (PST)
Subject: [LARTC] Explanation reqd. for few (more than few!) concepts in TC
In-Reply-To: <20031028180857.GC32698@legolas.on.net.mk>
Message-ID: <20031029142325.91566.qmail@web20001.mail.yahoo.com>

Hi,

--- Damjan wrote:
> The qdisc is what actually does the job. Some qdiscs allow you to define
> classes in them, but the kernel doesn't care about that. The kernel
> delivers a packet to the qdisc and it is up to it to decide what to do
> with it (classify the packet etc..)

IMHO, classification is done by the filter within a classful qdisc; but, I was wondering why call a class inside a qdisc a class, why not call it a sub-qdisc, there must be something more to a class-vs-qdisc.

> Since HTB takes bandwidth as parameters, to really have any effect
> you'll have to know how much bandwidth precisely you have. Like if you
> have 128kbps ISDN, you must set HTB classes so that cumulative rates of
> the classes are not bigger than your real limit. If not the shaping
> will not be correct and precise.

okay, so ideally for a bandwidth that varies (by few bytes) cbq is the best available?

> Ethernet is not the same as TCP/IP! And TC can shape other protocols
> than IP.

okay, this I didn't know :D
Spent the day doing, OSI and 802.3! Should have taken Tanenbaum, during graduation seriously. Sorry about this question.

Thank you, for all the help.

Regards,
suraj.
From su_raj_in@yahoo.com Wed Oct 29 15:02:16 2003
From: su_raj_in@yahoo.com (Suraj Shankar)
Date: Wed, 29 Oct 2003 07:02:16 -0800 (PST)
Subject: [LARTC] Explanation reqd. for few (more than few!) concepts in TC
In-Reply-To: <200310281908.09031.stef.coene@docum.org>
Message-ID: <20031029150216.78708.qmail@web20009.mail.yahoo.com>

Hi,

--- Stef Coene wrote:
> You have 2 types of qdiscs. The root qdisc is attached to the device
> it self and all packets are queued in this qdisc. If this is a
> class-full qdisc (like htb or cbq) you can add class. A class can
> contain some packets. You can stack the classes so you can add a class
> to a class. So a packet enters the root qdisc and is redirected to a
> class by a filter. You need to create your filters in such way that the
> packets are placed in a class that contains no other classes. This
> class is named a leaf class.

all this is agreed ...

> But the leaf class only contains the traffic and can not send them. To
> do so, you need to add a qdisc to that class. It's the qdisc that will
> send the packets. This can be a class-full qdisc so you can

now, if you are saying a class differs from a qdisc in that it cannot send out packets and qdisc can ... i think that is not perfectly true, in that, if a fifo qdisc was attached as a child to a classful qdisc (say cbq) the fifo qdisc will not be able to send packets out directly, it has to dequeue to the parent and only the root can dequeue-out.

> add classes, and restart the setup. But that will be a waste of CPU
> cycles. It's better to add a sfq qdisc or a fifo.
>
> So, you have 1 root qdisc, some classes, some special classes :
> leaf-classes and an other set of qdiscs.

> Pfifo holds packet, so the total bytes depends on the size of your
> packets :

which (size of the packet) could vary, right?
this would then lead to a dynamically sized queue, is this how it works?

> > 3) 'HTB is suited for fixed bandwidth' ... by "fixed"
> > what exactly is meant ... meaning can it be used ...
> Fixed means that you always have the same bandwidth available on the
> link. So no burst. This is needed because you have to make sure YOU
> are the bottleneck so if you have a 1000kbit/s link, you have to make
> sure you never send more than 996kbit/s.
>
> > 4) Can somebody suggest which qdisc is most ideal (for
> > shaping and scheduling) in a n/w where the ISP provides
> > a (512Kbit) pipe, which is shared by multiple (4)
> > clients but, an average of 45bytes can be expected at
> > any point in time (although, it might exceed this)?
> That's a difficult one, because YOU have to be the bottleneck to get
> some good shaping results. You can try the htb or the cbq qdisc and
> take a higher ceil than your link. You will not be the bottleneck and
> lose some control.

okay, so can you please tell me, if I fail to be the bottleneck, what maximum would happen ... IMO, I could carry on shaping but not for that extra few bytes, now available, right?

> > 5) The lartc howto speaks about 'mpu' with reference
> > to TBF, and states "for ethernet, no packet uses ...
> > Also, I am unable to see such a parameter when I do a
> > tc...help, for TBF.
> Sorry, no idea. :)

> > 6) Could you please define the 'cell' parameter in a
> > CBQ?
> If you have a bounded class, the ceil is the rate. If it's not
> bounded, the ceil will be the rate of a bounded parent class.

'ceil' IMHO, is a little different from 'cell', that the lartc howto talks about.

> > Also, I am unable to see maxburst, minburst, minidle,
> > mpu, rate parameter options when I do a ... for ex. :
> > 'tc qdisc add dev eth0 handle 1 root cbq help'
> Just take some example tc commands and copy the parameters you don't
> know. The only parameters you have to change is rate and weight.
yeah, but the lartc howto talks about more ... so was wondering!

> > 7) How do I set WRR, link sharing and borrowing
> > parameters using TC?
> Do you mean the wrr qdisc? See the homepage of the wrr qdisc.

oops, I am sorry I meant according to the lartc howto, there are few WRR parameters that need to be set for CBQ!?

> > 8) Also, please pardon my ignorance but, do I need a
> > filter for a classless qdisc, cause if I were to
> > attach a classless qdisc to the root qdisc then by
> > default all packets enter this qdisc and I believe I
> > wouldn't have the scope to classify ... right/wrong?
> Do you mean adding a class qdisc as the root qdisc or adding a class
> qdisc to a root qdisc? If you replace the root qdisc with a class less
> qdisc, you don't need a filter. If you add the class root qdisc to a
> root qdisc, you need a root qdisc with classes and add the class qdisc
> to a class. So you need some filters to put the packets from the root
> qdisc to the class where the class qdisc is attached to.
> More information on the subject can be found on http://www.docum.org.

IMHO, the root qdisc (by default) is a pfifo_fast (classless) qdisc ... which means if want a classful qdisc you would need to replace the default qdisc. By "replace", I mean attach it to root ... which then follows all packets 'enter here' ... which then gets me back to my original Q!

have been to your site ... went back today ... but couldn't find pointers to my confusion.

Kindly, correct my understanding, if required.

Thank you, for all your help.

Regards,
suraj.

From su_raj_in@yahoo.com Wed Oct 29 15:07:19 2003
From: su_raj_in@yahoo.com (Suraj Shankar)
Date: Wed, 29 Oct 2003 07:07:19 -0800 (PST)
Subject: [LARTC] Explanation reqd. for few (more than few!) concepts in TC
In-Reply-To: <3F9EB635.6050502@fibrespeed.net>
Message-ID: <20031029150719.94849.qmail@web20011.mail.yahoo.com>

Hi,

--- "Michael T. Babcock" wrote:
> If I may Stef, a qdisc is short for a Queuing Discipline. It
> determines how a packet leaves itself. A FIFO qdisc is basically what
> you have if you don't use one at all; every packet comes in, lines up,
> and spits out in the same order.
>
> You can add classifiable queuing disciplines however. Such a queuing
> discipline allows you to add classes to it. Each class is like a
> branch in a tree. When you get to the end of the branch you have a
> leaf and that needs a queuing discipline again.
>
> Whether it would work or not is one thing, but technically speaking,
> you could add an HTB (classful) qdisc to eth0, then make a tree of
> classes under that. Then some of those could have SFQ or RED qdisc's
> attached to them (the end leaves of the tree) and others could have
> another tree added as HTB or CBQ even (also classful).

yes! somebody does think like I do ... but isn't there a valid reason why a class is called a class and a qdisc called a qdisc?!?

Thank you.

Regards,
suraj.

From saptah2000@yahoo.es Wed Oct 29 18:49:21 2003
From: saptah2000@yahoo.es (Vicent Roca Daniel)
Date: Wed, 29 Oct 2003 19:49:21 +0100
Subject: [LARTC] New in the list
Message-ID: <3FA00BB1.2050601@yahoo.es>

Hi people! ;-)

I'm new in the list.
Name: Vicent Roca
Country: Spain

see you. bye. Adeu

From stef.coene@docum.org Wed Oct 29 18:59:49 2003
From: stef.coene@docum.org (Stef Coene)
Date: Wed, 29 Oct 2003 19:59:49 +0100
Subject: [LARTC] Explanation reqd. for few (more than few!) concepts in TC
In-Reply-To: <20031029150216.78708.qmail@web20009.mail.yahoo.com>
References: <20031029150216.78708.qmail@web20009.mail.yahoo.com>
Message-ID: <200310291959.49489.stef.coene@docum.org>

On Wednesday 29 October 2003 16:02, Suraj Shankar wrote:
> > But the leaf class only contains the traffic and can
> > not send them. To do so,
> > you need to add a qdisc to that class. It's the
> > qdisc that will send the
> > packets. This can be a class-full qdisc so you can
>
> now, if you are saying a class differs from a qdisc in
> that it cannot send out packets and qdisc can ... i
> think that is not perfectly true, in that, if a fifo
> qdisc was attached as a child to a classful qdisc (say
> cbq) the fifo qdisc will not be able to send packets
> out directly, it has to dequeue to the parent and only
> the root can dequeue-out.

That's even confusing for me. I just ignore that part :(

> which (size of the packet) could vary, right?
> this would then lead to a dynamically sized queue, is
> this how it works?

Yes, you can store a number of packets in a pfifo. So the total queue length (in bytes) can vary.

> > That's a difficult one, because YOU have to be the
> > bottleneck to get some good
> > shaping results. You can try the htb or the cbq
> > qdisc and take a higher ceil
> > than your link. You will not be the bottleneck and
> > lose some control.
>
> okay, so can you please tell me, if I fail to be the
> bottleneck, what maximum would happen ... IMO, I could
> carry on shaping but not for that extra few bytes, now
> available, right?

Most modems have a huge queue to speed up downloads. But that queue can kill the shaping you did. So you have to be sure the queue is never full. And the only thing to do so is to never send more data than the modem can handle. So you have to make sure YOU are the bottleneck.

> > If you have a bounded class, the ceil is the rate.
> > If it's not bounded, the
> > ceil will be the rate of a bounded parent class.
> 'ceil' IMHO, is a little different from 'cell', that
> the lartc howto talks about.

What part of the lartc howto ?

> > Just take some example tc commands and copy the
> > parameters you don't know.
> > The only parameters you have to change is rate and
> > weight.
> yeah, but the lartc howto talks about more ... so was
> wondering!

One of the reasons why I like htb is you don't need these confusing options. And htb doesn't rely on the nic hardware to calculate the actual rate.

> > Do you mean the wrr qdisc? See the homepage of the
> > wrr qdisc.
>
> oops, I am sorry I meant according to the lartc howto,
> there are few WRR parameters that need to be set for
> CBQ!?

Ah the WRR schedule. I think one of these parameters is the weight. Just take weight = rate / 10.

> IMHO, the root qdisc (by default) is a pfifo_fast
> (classless) qdisc ... which means if want a classful
> qdisc you would need to replace the default qdisc.
> By "replace", I mean attach it to root ... which then
> follows all packets 'enter here' ... which then gets
> me back to my original Q!
> have been to your site ... went back today ... but
> couldn't find pointers to my confusion.

If you add a class qdisc as the root qdisc, all packets are queued in the class less qdisc and processed. So you don't need a filter.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Wed Oct 29 18:41:37 2003
From: stef.coene@docum.org (Stef Coene)
Date: Wed, 29 Oct 2003 19:41:37 +0100
Subject: [LARTC] Explanation reqd. for few (more than few!) concepts in TC
In-Reply-To: <20031029142325.91566.qmail@web20001.mail.yahoo.com>
References: <20031029142325.91566.qmail@web20001.mail.yahoo.com>
Message-ID: <200310291941.37232.stef.coene@docum.org>

On Wednesday 29 October 2003 15:23, Suraj Shankar wrote:
> IMHO, classification is done by the filter within a
> classful qdisc; but, I was wondering why call a class
> inside a qdisc a class, why not call it a sub-qdisc,
> there must be something more to a class-vs-qdisc.

A qdisc is a queueing discipline : it's a queue for packets. A class is something virtual that holds some packets from that queue.

> > Since HTB takes bandwidth as parameters, to really
> > have any effect
> > you'll have to know how much bandwidth precisely
> > you have. Like if you
> > have 128kbps ISDN, you must set HTB classes so that
> > cumulative rates of
> > the classes are not bigger than your real limit. If
> > not the shaping
> > will not be correct and precise.
>
> okay, so ideally for a bandwidth that varies (by few
> bytes) cbq is the best available?

No, you will have the same problem with cbq :(

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From terminus@iespana.es Wed Oct 29 16:54:53 2003
From: terminus@iespana.es (Marcelo)
Date: Wed, 29 Oct 2003 17:54:53 +0100
Subject: [LARTC] dead onlink
Message-ID: <200310291754.54002.terminus@iespana.es>

Hello people:

I'm new in the forum.
I've implemented the script for load balancing of "Linux Advanced Routing & Traffic Control HowTo" and I've a question:

When I run the next command: "ip route" I get the following information:
--------------
192.168.0.32/27 dev eth0 proto kernel scope link src 192.168.0.33
192.168.0.96/27 dev eth2 proto kernel scope link src 192.168.0.97
192.168.0.64/27 dev eth1 proto kernel scope link src 192.168.0.65
192.168.0.128/27 dev eth3 proto kernel scope link src 192.168.0.129
127.0.0.0/8 dev lo scope link
default
	nexthop via 192.168.0.126 dev eth2 weight 1 dead onlink
	nexthop via 192.168.0.61 dev eth0 weight 1
-----------------------------

Is the "dead onlink" part normal? Is it balancing the load between both internet providers?

Sorry for my English. I'm from Argentina.
Thanks in advance.

From Peteris Krumins Wed Oct 29 20:50:33 2003
From: Peteris Krumins (Peteris Krumins)
Date: Wed, 29 Oct 2003 22:50:33 +0200
Subject: [LARTC] Data rate accuracy started failing.
Message-ID: <126285884740.20031029225033@lf.lv>

Dear all,

I am an experienced unix administrator and a long time ago (1+ year) I made traffic-shaping system for an ISP (~400 clients).

Each ip address requires 4 classes -
2 for incoming (internet->client), one for international traffic, the other for local-country and border-country traffic.
and
2 for outgoing (client->internet), for the same purposes.

Everything worked ok until last week, when more clients were added. The data rate (rate NNkbit) is no longer stable - sometimes it exceeds the rate specified and sometimes there is starvation. And no, there is still plenty of traffic left, so it's not a problem of bandwidth capacity.

The technique used is htb + sfq for traffic exceeding 0.8mbit/s, for traffics up to 0.8mbit/s as it is not cpu-intensive (but depends on HZ for calculations)

Are there any limits I am not aware of? It seems that everything works ok again if I remove some addresses (single address /32 or larger networks).
I am not sure which part fails, filtering or actual shaping. And, it is vanilla Linux 2.4.20 with qos services coming with it. Also, i never came up with the other question: there has always been problem with tbf. For example, rate 256kbit is specified but the actual rate never exceeds 230 - 250kbit, so I add 30kbit for each rate (so 256 becoms 286kbit) so client got exactly his 256kbit. thanks, P.Krumins From saptah2000@yahoo.es Wed Oct 29 22:11:14 2003 From: saptah2000@yahoo.es (Vicent Roca Daniel) Date: Wed, 29 Oct 2003 23:11:14 +0100 Subject: [LARTC] Data rate accuracy started failing. In-Reply-To: <126285884740.20031029225033@lf.lv> References: <126285884740.20031029225033@lf.lv> Message-ID: <3FA03B02.8080003@yahoo.es> Peteris Krumins wrote: > Dear all, > > I am an experienced unix administrator and a long time ago (1+ year) > I made traffic-shaping system for an ISP (~400 clients). > > Each ip address requires 4 classes - > 2 for incoming (internet->client), one for international traffic, > the other for local-country and border-country traffic. > and > 2 for outgoing (client->internet), for the same purposes. > > Everything worked ok until last week, when more clients > were added. The data rate (rate NNkbit) is no longer stable - > sometimes it exceeds the rate specified and sometimes > there is starvation. And no, there is still planty of traffic > left, so its not a problem of bandwidth capacity. > > The technique used is htb + sfq for traffic exceeding 0.8mbit/s, > for traffics up to 0.8mbit/s as it is not cpu-intensive > (but depends on HZ for calculations) > > Are there any limits I am not aware of? It seems that everything > works ok again if I remove some addresses (single address /32 or > larger networks). I am not sure which part fails, filtering > or actual shaping. > > And, it is vanilla Linux 2.4.20 with qos services coming with > it. > > Also, i never came up with the other question: there has always > been problem with tbf. 
For example, rate 256kbit is specified but the > actual rate never exceeds 230 - 250kbit, so I add 30kbit for each > rate (so 256 becoms 286kbit) so client got exactly his 256kbit. > > >thanks, >P.Krumins > >_______________________________________________ >LARTC mailing list / LARTC@mailman.ds9a.nl >http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > > > Hi! mmm I'm new in the forum.. but, ¿can you paste your scripts? I wanna do something like your traffic-shaping system. Sorry for my English, I'm from Spain. From rvilim@tbaytel.net Wed Oct 29 21:35:48 2003 From: rvilim@tbaytel.net (Ryan Vilim) Date: Wed, 29 Oct 2003 16:35:48 -0500 Subject: [LARTC] Bandwidth shaping help Message-ID: <1067463348.3821.17.camel@laptop.no-ip.com> It seems I have quite a difficult (for me) bandwidth shaping problem. What I want is this; Port 80 and port 21 will share 30 kilobytes of the 50kilobytes upstream my ISP gives me, bittorrent will get 10 maximum (ports 6881-6890), and all other ports get the full 100 mbits. I want any of the other ports to be able to steal the bandwidth of the port 21 and port 80 as well as the bittorrent ports if they are not in use, however bittorrent, or port 21 or 80 cannot exceed thier bandwidth limitations. This is because I use my server as a samba server as well as a vnc server from within my network so I want as high a bandwidth as possible on those, however my HTTP server and FTP server and Bittorrent can't kill my internet connection for everyone else. 
My current configuration looks like

tc qdisk add dev eth0 root handle 1: htb default 30
tc class add dev eth0 parent 1: classid 1:1 htb rate 95mbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 320kbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1kbit ceil 90mbit burst 15k
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil 90mbit burst 15k
tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10\
U32="tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32"
$U32 match ip sport 80 0xffff flowid 1:10
$U32 match ip sport 21 0xffff flowid 1:20

I sort of fiddled with one of the configurations in the book to get this, also this does not include the bittorrent ports which is a requirement I thought of just recently.

I need, first a way to implement the bandwidth restrictions described above, and second a way to remove my old configuration (if I can't just overwrite it)

Thanks a lot :)
--
Ryan Vilim

From derek@traffic-power.com Wed Oct 29 23:01:30 2003
From: derek@traffic-power.com (Derek)
Date: Wed, 29 Oct 2003 15:01:30 -0800
Subject: [LARTC] dead gateway
In-Reply-To: <20031001053459.16325.qmail@mailweb34.rediffmail.com>
References: <20031001053459.16325.qmail@mailweb34.rediffmail.com>
Message-ID: <20031029230813.ADE474496@outpost.ds9a.nl>

Hi there,

I am currently doing testing of a kernel with multiple patches in it (julians dgd, multiple gw for netfilter, sch_null, layer7, and xfs fs) so I can tell you the results if you'd like, once I get the system into a full-scale environment.

On Tuesday 30 September 2003 10:34 pm, vadiraj c s wrote:
> Hi all,
>
>
> Has any one used dead gateway detection patch. Any one worked on
> it.
> What do you feel about it
>
> regards
> vadiraj
> ___________________________________________________
> Television meets Accounts; Jyoti Weds Rajaram.
> Rediff Matchmaker strikes another interesting match !! > Visit http://matchmaker.rediff.com?1 > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ -- ----------------------- Derek Fedel Network Administrator Ext. 238 Traffic-Power.com "Hence the saying: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." - Sun Tzu From eturner@monash.edu.my Thu Oct 30 05:51:38 2003 From: eturner@monash.edu.my (Edmund Turner) Date: Thu, 30 Oct 2003 13:51:38 +0800 Subject: [LARTC] (no subject) Message-ID: <00ae01c39ea9$e475c190$de0018ac@admin.monash.edu.my> Hey everyone, I tried to mark traffic based on per subnet as to the usual per ip. Example: Tc class add dev eth0 parent 1:11 htb rate 400kbit ceil 500kbit prio4 Tc filter add dev eth0 parent 1:0 protocol ip prio 7 u32 dst 192.168.0.0/24 classid 1:11 After I enter this command, I did not get any errors. Does this mean that EACH IP belonging to that subnet will have a maximum rate of 400kbit? Or does it mean that ALL the IPs in that subnet have a total of 400kbit? Thanks in advance. Regards edmund From su_raj_in@yahoo.com Thu Oct 30 05:54:51 2003 From: su_raj_in@yahoo.com (Suraj Shankar) Date: Wed, 29 Oct 2003 21:54:51 -0800 (PST) Subject: [LARTC] Explanation reqd. for few (more than few!) concepts in TC In-Reply-To: <200310291941.37232.stef.coene@docum.org> Message-ID: <20031030055451.39382.qmail@web20010.mail.yahoo.com> Hi, --- Stef Coene wrote: > A qdisc is a queueing discipline : it's a queue for > packets. A class is > something virtual that hold some packets from that > queue. okey, I must say I have a better understanding of the differences now. Thank you. 
> > okey, so ideally for a bandwidth that varies (by > few > > bytes) cbq is the best available? > No, you will have the same problem with cbq :( so which kind of qdisc will be best for varing bandwidths? Thank you, Stef. Regards, suraj. __________________________________ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ From payal-lartc@staticky.com Thu Oct 30 05:56:14 2003 From: payal-lartc@staticky.com (Payal Rathod) Date: Thu, 30 Oct 2003 05:56:14 +0000 Subject: [LARTC] default route Message-ID: <20031030055614.GA13884@staticky.com> Hi, Is it possible to use more than one default route? I believe yes. Any comments on them. If I use more than one, where will the trafficc be diverted from? With warm regards, -Payal -- For GNU/Linux Success Stories and Articles visit: http://payal.staticky.com From su_raj_in@yahoo.com Thu Oct 30 06:10:59 2003 From: su_raj_in@yahoo.com (Suraj Shankar) Date: Wed, 29 Oct 2003 22:10:59 -0800 (PST) Subject: [LARTC] Explanation reqd. for few (more than few!) concepts in TC In-Reply-To: <200310291959.49489.stef.coene@docum.org> Message-ID: <20031030061059.76254.qmail@web20001.mail.yahoo.com> Hi, --- Stef Coene wrote: > > which (size of the packet) could vary, right? > > this would then lead to a dynamically sized queue, > is > > this how it works? > Yes, you can stor a a number of packets in a pfifo. > So the total queue length > (in bytes) can vary. yes! I understood something :) Thank you. > > okey, so can you please tell me, if I fail to be > the > > bottleneck, what maximum would happen ... IMO, I > could > > carry on shaping but not for that extra few bytes, > now > > available, right? > Most modems have a hugh queue to speed up downloads. > But that queue can kill > the shaping you did. So you have to be sure the > queue is never full. And > the only thing to do so is to never send more data > then the modem can handle. > So you have to make sure YOU are the bottleneck. 
yes, I have a proof-of-concept! ... meaning wrote a script that works but, waiting to take it 'live'. > > 'ceil' IMHO, is a little different from 'cell', > that > > the lartc howto talks about. > What part of the lartc howto ? http://lartc.org/lartc.html#AEN939 ; the part that lists parameters in CBQ ... was wondering how 'cell' can be defined. > > yeah, but the lartc howto talks about more ... so > was > > wondering! > One of the reasons why I like htb is you don't need > these confusing options. > And htb don't rely on the nic hardware to calculate > the actual rate. hmm, that's true. > > oops, I am sorry I meant according to the lartc > howto, > > there are few WRR parameters that need to be set > for > > CBQ!? > Ah the WRR schedule. I think one of these > parameters is the weight. Just > take weight = rate / 10. okey, but how do I set it ... Usage: ... cbq bandwidth BPS avpkt BYTES [ mpu BYTES ] [ cell BYTES ] [ ewma LOG ] ...this is what tc...help says, there isn't a weight parameter :( > If you add a class qdisc as the root qdisc, all > packets are queued in the > class less qdisc and processed. So you don't need a > filter. :) Stef, I do really appreciate the time spent in trying to help me. Thank you. Warm Regards, suraj. __________________________________ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ From damion@snapgear.com Thu Oct 30 06:29:25 2003 From: damion@snapgear.com (Damion de Soto) Date: Thu, 30 Oct 2003 16:29:25 +1000 Subject: [LARTC] default route References: <20031030055614.GA13884@staticky.com> Message-ID: <3FA0AFC5.5090601@snapgear.com> Payal Rathod wrote: > Hi, > Is it possible to use more than one default route? I believe yes. > Any comments on them. If I use more than one, where will the trafficc be > diverted from? That's a good question. I was going to answer your other post, but did some tests which contradicted what I was going to say. 
I originally thought if you had two default routes on the same metric, traffic would just go out the first one, however, when I tried this earlier, I started losing packets, so I can only assume the packets were going out the other route, and then getting lost. anyone comment on this ? If you use the ip route tool to created multiple weighted or equalized default routes, you then use source-based routing to make sure that the traffic goes back out the same route it came in on. (unless you're trying to be tricky with asymetrical routing) -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Damion de Soto - Software Engineer email: damion@snapgear.com SnapGear --- ph: +61 7 3435 2809 | Custom Embedded Solutions fax: +61 7 3891 3630 | and Security Appliances web: http://www.snapgear.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --- Free Embedded Linux Distro at http://www.snapgear.org --- From payal-lartc@staticky.com Thu Oct 30 07:25:18 2003 From: payal-lartc@staticky.com (Payal Rathod) Date: Thu, 30 Oct 2003 07:25:18 +0000 Subject: [LARTC] default route In-Reply-To: <3FA0AFC5.5090601@snapgear.com> References: <20031030055614.GA13884@staticky.com> <3FA0AFC5.5090601@snapgear.com> Message-ID: <20031030072518.GA19617@staticky.com> On Thu, Oct 30, 2003 at 04:29:25PM +1000, Damion de Soto wrote: > >Is it possible to use more than one default route? I believe yes. > >Any comments on them. If I use more than one, where will the trafficc be > >diverted from? > That's a good question. I was going to answer your other post, but did > some tests > which contradicted what I was going to say. > > I originally thought if you had two default routes on the same metric, > traffic would just go out the first one, however, when I tried this > earlier, I started losing packets, so I can only assume the packets were > going out the other route, and then getting lost. anyone comment on this ? 
A friend of mine says that if y ou have 2 default routes on different subnets each the routing will be done randomly. Unfortunately I do not have that kind of setup to test. I did it on same subnet using 2 default routes and found that I was losing packets too. > If you use the ip route tool to created multiple weighted or equalized > default routes, you then use source-based routing to make sure that the > traffic goes back out the same route it came in on. > (unless you're trying to be tricky with asymetrical routing) Isn't random routing (without depending on source) easy to implement than source based routing? Can you please tell what you mean by using ip route to create multiple weighted routes? I have absoluttely no idea what ip command does exactly. I am using just plain "route" and ifconfig. Are they decrepated? With warm regards, -Payal -- For GNU/Linux Success Stories and Articles visit: http://payal.staticky.com From vadiraj@deeproot.co.in Thu Oct 30 07:48:23 2003 From: vadiraj@deeproot.co.in (Vadiraj C S) Date: Thu, 30 Oct 2003 13:18:23 +0530 (IST) Subject: [LARTC] default route In-Reply-To: <20031030055614.GA13884@staticky.com> Message-ID: On Thu, 29 Oct 2003, Payal Rathod wrote: > Hi, > Is it possible to use more than one default route? I believe yes. > Any comments on them. If I use more than one, where will the trafficc be > diverted from? Yes you can, the traffic gets balanced between two routes... Vadiraj C S From vadiraj@deeproot.co.in Thu Oct 30 07:52:25 2003 From: vadiraj@deeproot.co.in (Vadiraj C S) Date: Thu, 30 Oct 2003 13:22:25 +0530 (IST) Subject: [LARTC] default route In-Reply-To: <3FA0AFC5.5090601@snapgear.com> Message-ID: On Thu, 30 Oct 2003, Damion de Soto wrote: > getting lost. anyone comment on this ? > > If you use the ip route tool to created multiple weighted or equalized default > routes, you then use source-based routing to make sure that the traffic goes back out > the same route it came in on. 
> (unless you're trying to be tricky with asymetrical routing) I tried this, the routes get cached so most of the time the packets leave from the route they came in, but you can have two routes and there is no packet loss. Vadiraj C S From vadiraj@deeproot.co.in Thu Oct 30 07:45:49 2003 From: vadiraj@deeproot.co.in (Vadiraj C S) Date: Thu, 30 Oct 2003 13:15:49 +0530 (IST) Subject: [LARTC] dead gateway In-Reply-To: <20031029230813.ADE474496@outpost.ds9a.nl> Message-ID: On Wed, 29 Oct 2003, Derek wrote: > > Hi there, > > I am currently doing testing of a kernel with multiple patches in it (julians > dgd, multiple gw for netfilter, sch_null, layer7, and xfs fs) so I can tell > you the results if you'd like, once I get the system into a full-scale > environment. > Thanks for that, I've worked on that, I dont think you need any patch for dead gateway detection. Small script will do better job. Vadiraj C S From vadiraj@deeproot.co.in Thu Oct 30 07:56:35 2003 From: vadiraj@deeproot.co.in (Vadiraj C S) Date: Thu, 30 Oct 2003 13:26:35 +0530 (IST) Subject: [LARTC] default route In-Reply-To: <20031030072518.GA19617@staticky.com> Message-ID: On Thu, 30 Oct 2003, Payal Rathod wrote: > Can you please tell what you mean by using ip route to create multiple > weighted routes? I have absoluttely no idea what ip command does > exactly. I am using just plain "route" and ifconfig. Are they > decrepated? ip is more flexible, ip can do both the jobs i.e what route and ifconfig does. Download iproute2 package and you can know it by your self. Vadiraj C S From payal-lartc@staticky.com Thu Oct 30 08:40:09 2003 From: payal-lartc@staticky.com (Payal Rathod) Date: Thu, 30 Oct 2003 08:40:09 +0000 Subject: [LARTC] default route In-Reply-To: References: <20031030055614.GA13884@staticky.com> Message-ID: <20031030084009.GA5037@staticky.com> On Thu, Oct 30, 2003 at 01:18:23PM +0530, Vadiraj C S wrote: > > Is it possible to use more than one default route? I believe yes. > > Any comments on them. 
If I use more than one, where will the traffic be
> > diverted from?
>
> Yes you can, the traffic gets balanced between two routes...

Ok. Just a sacrilegious question. Are you 100% sure? Can you say with surety that with 2 default gateways, packets won't get lost any time.
Thanks for the comments.
Regards,
-Payal
p.s. deeproot rocks :)

--
For GNU/Linux Success Stories and Articles visit: http://payal.staticky.com

From wouter.coppens@dedigate.com Thu Oct 30 09:46:47 2003
From: wouter.coppens@dedigate.com (Wouter Coppens)
Date: Thu, 30 Oct 2003 10:46:47 +0100
Subject: [LARTC] Problems with tcng and gentoo
Message-ID:

Hey,

I installed tcng on gentoo, but I always got the error:
    Could not run/locate "tcc"

tcc is installed in /sbin.

I read somewhere that you need a little patch to get tcng running on gentoo, but I can't find the patch.

Can somebody help me?

Thanks in advance,

Wouter
From Rokas Thu Oct 30 10:06:56 2003
From: Rokas (Rokas)
Date: Thu, 30 Oct 2003 12:06:56 +0200
Subject: [LARTC] Policy routing with IPTABLES MARK
Message-ID: <624877353.20031030120656@centras.lt>

Hello,

I have a LINUX server with two internet connections available. I want all the traffic to go over the default route, but HTTP traffic to go over ISP2 line.

Interfaces:
eth1 192.168.2.254 - LAN 192.168.2.x
ppp0 x.x.x.106 - remote gateway x.x.x.6 - ISP1 (default route)
eth0 192.168.164.254 - remote gateway 192.168.164.113 - ISP2 (a hardware router)

I have the following configuration:

echo 200 gate2 >> /etc/iproute2/rt_tables

server:/etc/network# ip route
x.x.x.6 dev ppp0 proto kernel scope link src x.x.x.106
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.254
192.168.164.0/24 dev eth0 proto kernel scope link src 192.168.164.254
default via x.x.x.6 dev ppp0

server:/etc/network# ip route list table gate2
default via 192.168.164.113 dev eth0

server:/etc/network# ip rule
0: from all lookup local
32765: from all fwmark 1 lookup gate2
32766: from all lookup main
32767: from all lookup default

The script:
-----------------------------------------------------
#!/bin/bash
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -P FORWARD ACCEPT

ip route flush table gate2
ip route add default via 192.168.164.113 dev eth0 table gate2
ip rule add fwmark 0x01 table gate2
ip route flush cache

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE

iptables -t mangle -A PREROUTING -i eth1 -s 192.168.2.0/24 -p icmp -j MARK --set-mark 0x01
iptables -t mangle -A PREROUTING -i eth1 -s 192.168.2.0/24 -p tcp -m tcp --dport 80 -j MARK --set-mark 0x01
iptables -t mangle -A PREROUTING -i eth1 -s 192.168.2.0/24 -p tcp -m tcp --dport 443 -j MARK --set-mark 0x01

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 0 > $f
done
-------------------------------------------------------

I also mark icmp packets, that I could test my
configuration using traceroute.

It seems that my rules are working OK, with tcpdump and traceroute I see that HTTP traffic of LAN computers go over the ISP2 line. When I connect to the WWW page, that shows my public IP address, I see the ISP2 line address.

But after some time, part of the HTTP traffic begins going over the default ISP1 line. I see that some HTTP traffic goes over ISP2 line (that's good), but also it goes over default route. And after some time, if I connect to the WWW page, that shows my public IP address, I see the default ISP1 IP address (that's bad).

I do my test browsing from one of my LAN computers, there are other computers working in the LAN, and perhaps their HTTP traffic goes OK (over the ISP2 line), because with

tcpdump -i eth0 net 192.168.164 and port 80

I see that there are much HTTP traffic on the ISP2 line.

Then I reboot my server, for some time (about 10 minutes) everything works OK, but then there comes my problem... :(

I am totally lost, I don't know how to solve this problem.... :(

I would be very grateful if you helped me with this issue.

Rokas Zakarevicius

From stef.coene@docum.org Thu Oct 30 10:32:57 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 30 Oct 2003 11:32:57 +0100
Subject: [LARTC] Bandwidth shaping help
In-Reply-To: <1067463348.3821.17.camel@laptop.no-ip.com>
References: <1067463348.3821.17.camel@laptop.no-ip.com>
Message-ID: <200310301132.57937.stef.coene@docum.org>

On Wednesday 29 October 2003 22:35, Ryan Vilim wrote:
> It seems I have quite a difficult (for me) bandwidth shaping problem.
> What I want is this;
>
> Port 80 and port 21 will share 30 kilobytes of the 50kilobytes upstream
> my ISP gives me, bittorrent will get 10 maximum (ports 6881-6890), and
> all other ports get the full 100 mbits.
>
> I want any of the other ports to be able to steal the bandwidth of the
> port 21 and port 80 as well as the bittorrent ports if they are not in
> use, however bittorrent, or port 21 or 80 cannot exceed their bandwidth
> limitations.
>
> This is because I use my server as a samba server as well as a vnc
> server from within my network so I want as high a bandwidth as possible
> on those, however my HTTP server and FTP server and Bittorrent can't
> kill my internet connection for everyone else.
>
> My current configuration looks like
>
> tc qdisk add dev eth0 root handle 1: htb default 30

It's "tc qdisc ..."

> tc class add dev eth0 parent 1: classid 1:1 htb rate 95mbit burst 15k
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 320kbit burst 15k
> tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1kbit ceil 90mbit burst 15k
> tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil 90mbit burst 15k
> tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
> tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10\

If eth0 is connected to the internet, the ceil should be your internet link. Not your NIC bandwidth.

> U32="tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32"
> $U32 match ip sport 80 0xffff flowid 1:10
> $U32 match ip sport 21 0xffff flowid 1:20
>
> I sort of fiddled with one of the configurations in the book to get
> this, also this does not include the bittorrent ports which is a
> requirement I thought of just recently.
>
> I need, first a way to implement the bandwidth restrictions described
> above, and second a way to remove my old configuration (if I can't just
> overwrite it)

/qos/bin/tc qdisc del dev eth0 root

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From Raghuveer K Thu Oct 30 10:29:26 2003
From: Raghuveer K (Raghuveer K)
Date: Thu, 30 Oct 2003 15:59:26 +0530
Subject: [LARTC] Traffic Shaping not working with CBQ
In-Reply-To: <3F9CBC1F.40709@gsecone.com>
References: <5.1.0.14.2.20030910115658.02813c78@mail.axelero.hu> <200309222025.05016.stef.coene@docum.org> <3F6FE0A7.5090001@gsecone.com> <200309232146.09807.stef.coene@docum.org> <3F9634DD.2020707@gsecone.com> <3F9CBC1F.40709@gsecone.com>
Message-ID: <3FA0E806.60105@gsecone.com>

Hi Stef/Martin,

I am resending this mail for the third time, I request you to please respond ASAP.

I am stuck as my traffic control is not working, I just tried first with incoming traffic shaping, below is the test setup and rules applied. Your valuable suggestion will surely help me and make it right.

Traffic Control is not taking place after applying the below rules.

Here follows the test setup:-
1. The linux m/c 's eth0(100Mbits, WAN) is connected to 128 Kbits ADSL and eth1 to the LAN.
2. I tried doing traffic control for incoming(at eth1).
3. In LAN, I connected 3 m/c's(all linux).
4. The ISP rate taken is 97% of 128Kbits.
5. Bandwidth Monitoring is done by using IPTraf on each LAN m/c's.

Here are the rules I am applying to control incoming traffic at LAN interface(eth1) for LAN users.
Here actual Isp rate = 128Kbit, rate taken = 97% of 128Kbit, eth1 ip is 192.168.5.1

/* root qdisc */
tc qdisc add dev eth1 root handle 1: cbq bandwidth 100Mbit avpkt 1000 cell 8

/* Parent Class */
tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 124Kbit weight 12Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000 bounded

/* Whether should I place the below filter for Parent class..???
tc filter add dev eth1 parent 1:0 protocol ip prio 3 u32 match ip src 0/0 match ip dst 0/0 classid 1:1
*/

/* Child Classes */

/* 1st LAN user<192.168.5.2> = 37Kbit */
tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate 37Kbit weight 3Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 192.168.5.2 classid 1:2

/* 2nd LAN user<192.168.5.3> = 24Kbit */
tc class add dev eth1 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate 24Kbit weight 2Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 192.168.5.3 classid 1:3

/* 3rd LAN user<192.168.5.4> = 12Kbit */
tc class add dev eth1 parent 1:1 classid 1:4 cbq bandwidth 100Mbit rate 12Kbit weight 1Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 192.168.5.4 classid 1:4

/* Default : Rest/Other traffic = 51Kbit*/
tc class add dev eth1 parent 1:1 classid 1:5 cbq bandwidth 100Mbit rate 51Kbit weight 5Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src 0/0 match ip dst 0/0 classid 1:5

I have few observations and queries, as follows:--
1. In my test setup the ISP rate is fluctuating in the range of 21Kbits to 131 Kbits for 128Kbits ADSL.
2. I have not added any filter for the parent class. Is it required...? What happens if I add...?
3.
Is "iptraf" tool OK for monitoring the distribution of bandwidth on each LAN m/c.
4. In case, if I shape outgoing traffic on eth0 interface, whether shall I take outgoing and incoming ISP rate's in 30:70 ratio, i.e 30% of 128Kbits for outgoing Qdisc(eth0) and 70% for incoming Qdisc(eth1). As 128 Kbits rate being asynchronous(ADSL).

Can you pls guide me where am I going wrong..? Do I continue using CBQ or try instead HTB rules.

Regards
-Raghu

From stef.coene@docum.org Thu Oct 30 10:38:36 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 30 Oct 2003 11:38:36 +0100
Subject: [LARTC] Explanation reqd. for few (more than few!) concepts in TC
In-Reply-To: <20031030055451.39382.qmail@web20010.mail.yahoo.com>
References: <20031030055451.39382.qmail@web20010.mail.yahoo.com>
Message-ID: <200310301138.36235.stef.coene@docum.org>

On Thursday 30 October 2003 06:54, Suraj Shankar wrote:
> > > okey, so ideally for a bandwidth that varies (by
> >
> > few
> >
> > > bytes) cbq is the best available?
> >
> > No, you will have the same problem with cbq :(
>
> so which kind of qdisc will be best for varying
> bandwidths?

If you want to use classes, you have to choose for htb or cbq. You can get good results even if you are not the bottleneck on the link. If you want to shape the traffic, you will be fine. But if you also want to give a low latency to certain packets, a modem queue can redo what you did on your shaping box (imagine that you give an ack packet a high priority but it has to wait in a big queue in your modem ....).

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Thu Oct 30 10:12:07 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 30 Oct 2003 11:12:07 +0100
Subject: [LARTC] (no subject)
In-Reply-To: <00ae01c39ea9$e475c190$de0018ac@admin.monash.edu.my>
References: <00ae01c39ea9$e475c190$de0018ac@admin.monash.edu.my>
Message-ID: <200310301112.07669.stef.coene@docum.org>

On Thursday 30 October 2003 06:51, Edmund Turner wrote:
> Hey everyone,
>
> I tried to mark traffic based on per subnet as to the usual per ip.
> Example:
> Tc class add dev eth0 parent 1:11 htb rate 400kbit ceil 500kbit prio4
> Tc filter add dev eth0 parent 1:0 protocol ip prio 7 u32 dst
> 192.168.0.0/24 classid 1:11
>
> After I enter this command, I did not get any errors.
> Does this mean that EACH IP belonging to that subnet will have a maximum
> rate of 400kbit?

No.

> Or does it mean that ALL the IPs in that subnet have a total of 400kbit?

Yes.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Thu Oct 30 10:43:19 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 30 Oct 2003 11:43:19 +0100
Subject: [LARTC] Explanation reqd. for few (more than few!) concepts in TC
In-Reply-To: <20031030061059.76254.qmail@web20001.mail.yahoo.com>
References: <20031030061059.76254.qmail@web20001.mail.yahoo.com>
Message-ID: <200310301143.19764.stef.coene@docum.org>

On Thursday 30 October 2003 07:10, Suraj Shankar wrote:
> > > available, right?
> >
> > Most modems have a huge queue to speed up downloads.
> > But that queue can kill
> > the shaping you did. So you have to be sure the
> > queue is never full. And
> > the only thing to do so is to never send more data
> > than the modem can handle.
> > So you have to make sure YOU are the bottleneck.
>
> yes, I have a proof-of-concept! ... meaning wrote a
> script that works but, waiting to take it 'live'.
> http://lartc.org/lartc.html#AEN939 ; the part that
> lists parameters in CBQ ... was wondering how 'cell'
> can be defined.

If you bound a class, the class can never send more than the configured rate. So that's the ceil. If you add a sub class (not bounded), that class has to respect the rate (in this case also the ceil) of its parent.

> > One of the reasons why I like htb is you don't need
> > these confusing options.
> > And htb doesn't rely on the nic hardware to calculate
> > the actual rate.
>
> hmm, that's true.

And htb is maintained, while the cbq code is not.

> > Ah the WRR schedule. I think one of these
> > parameters is the weight. Just
> > take weight = rate / 10.
>
> okey, but how do I set it ...
> Usage: ... cbq bandwidth BPS avpkt BYTES [ mpu BYTES ]
> [ cell BYTES ] [ ewma LOG ]
> ...this is what tc...help says, there isn't a weight
> parameter :(

Don't trust the help function :(. My tip : go to http://docum.org, go to the test pages and copy my cbq commands ,)

> Stef, I do really appreciate the time spent in trying
> to help me. Thank you.

No problem.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Thu Oct 30 10:54:24 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 30 Oct 2003 11:54:24 +0100
Subject: [LARTC] Re: Traffic Shaping not working with CBQ
In-Reply-To: <3FA0E806.60105@gsecone.com>
References: <5.1.0.14.2.20030910115658.02813c78@mail.axelero.hu> <3F9CBC1F.40709@gsecone.com> <3FA0E806.60105@gsecone.com>
Message-ID: <200310301154.24286.stef.coene@docum.org>

On Thursday 30 October 2003 11:29, Raghuveer K wrote:
> Hi Stef/Martin,
>
> I am resending this mail for the third time, I request you to please
> respond ASAP.

Your mail ended twice in my "to read" folder.

> I am stuck as my traffic control is not working, I just tried first
> with incoming traffic shaping, below is the test setup and rules
> applied. Your valuable suggestion will surely help me and make it right.
>
> Traffic Control is not taking place after applying the below rules. Here
> follows the test setup:-
> 1. The linux m/c's eth0(100Mbits, WAN) is connected to 128 Kbits ADSL
> and eth1 to the LAN.
> 2. I tried doing traffic control for incoming(at eth1).
> 3. In LAN, I connected 3 m/c's(all linux).
> 4. The ISP rate taken is 97% of 128Kbits.
> 5. Bandwidth Monitoring is done by using IPTraf on each LAN m/c's.
>
> Here are the rules I am applying to control incoming traffic at LAN
> interface(eth1) for LAN users.
> Here actual Isp rate = 128Kbit, rate taken = 97% of 128Kbit, eth1 ip is
> 192.168.5.1
>
> /* root qdisc */
> tc qdisc add dev eth1 root handle 1: cbq bandwidth 100Mbit avpkt 1000 cell
> 8
>
> /* Parent Class */
> tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate
> 124Kbit weight 12Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> bounded
> /* Whether should I place the below filter for Parent class..???
> tc filter add dev eth1 parent 1:0 protocol ip prio 3 u32 match ip src
> 0/0 match ip dst 0/0 classid 1:1
> */

You can also add the other filters to the root qdisc 1:0.

> /* Child Classes */
>
> /* 1st LAN user<192.168.5.2> = 37Kbit */
> tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 100Mbit rate
> 37Kbit weight 3Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src
> 0/0 match ip dst 192.168.5.2 classid 1:2
>
> /* 2nd LAN user<192.168.5.3> = 24Kbit */
> tc class add dev eth1 parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate
> 24Kbit weight 2Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src
> 0/0 match ip dst 192.168.5.3 classid 1:3
>
> /* 3rd LAN user<192.168.5.4> = 12Kbit */
> tc class add dev eth1 parent 1:1 classid 1:4 cbq bandwidth 100Mbit rate
> 12Kbit weight 1Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src
> 0/0 match ip dst 192.168.5.4 classid 1:4
>
> /* Default : Rest/Other traffic = 51Kbit*/
> tc class add dev eth1 parent 1:1 classid 1:5 cbq bandwidth 100Mbit rate
> 51Kbit weight 5Kbit prio 3 allot 1514 cell 8 maxburst 10 avpkt 1000
> tc filter add dev eth1 parent 1:1 protocol ip prio 3 u32 match ip src
> 0/0 match ip dst 0/0 classid 1:5
>
> I have a few observations and queries, as follows:--
> 1. In my test setup the ISP rate is fluctuating in the range of 21Kbits
> to 131 Kbits for 128Kbits ADSL.
> 2. I have not added any filter for the parent class. Is it required...?
> What happens if I add...?

Add all your filters to the root qdisc and put the traffic in the destination class. Like :
tc filter add dev eth1 parent 1:0 protocol ip prio 3 u32 match ip src 0/0 match ip dst 0/0 classid 1:5

> 3. Is "iptraf" tool OK for monitoring the distribution of bandwidth on
> each LAN m/c.

Yes.

> 4.
> In case, if I shape outgoing traffic on eth0 interface, whether shall
> I take outgoing and incoming ISP rates in 30:70 ratio, i.e. 30% of
> 128Kbits for
> outgoing Qdisc(eth0) and 70% for incoming Qdisc(eth1). As 128 Kbits
> rate being asynchronous(ADSL).

What's the speed of your connection? 128kbits for download, but how much for uploads?

> Can you pls guide me where am I going wrong..? Do I continue using CBQ
> or try instead HTB rules.

If you can, go for htb. Much less confusing options.
Also, check out with tc -s -d class show dev eth1 if the filters are working and each class is processing packets.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From Raghuveer K Thu Oct 30 11:26:42 2003
From: Raghuveer K (Raghuveer K)
Date: Thu, 30 Oct 2003 16:56:42 +0530
Subject: [LARTC] Re: Traffic Shaping not working with CBQ
In-Reply-To: <200310301154.24286.stef.coene@docum.org>
References: <5.1.0.14.2.20030910115658.02813c78@mail.axelero.hu> <3F9CBC1F.40709@gsecone.com> <3FA0E806.60105@gsecone.com> <200310301154.24286.stef.coene@docum.org>
Message-ID: <3FA0F572.5020901@gsecone.com>

Thanks Stef,
Let me incorporate and test with your valuable suggestions. I will get back to you soon.

Regards
-Raghu

From rvilim@tbaytel.net Thu Oct 30 14:34:07 2003
From: rvilim@tbaytel.net (Ryan Vilim)
Date: Thu, 30 Oct 2003 09:34:07 -0500
Subject: [LARTC] Bandwidth shaping help
In-Reply-To: <200310301132.57937.stef.coene@docum.org>
References: <1067463348.3821.17.camel@laptop.no-ip.com> <200310301132.57937.stef.coene@docum.org>
Message-ID: <1067524447.24000.7.camel@laptop.no-ip.com>

On Thu, 2003-10-30 at 05:32, Stef Coene wrote:
> On Wednesday 29 October 2003 22:35, Ryan Vilim wrote:
> > It seems I have quite a difficult (for me) bandwidth shaping problem.
> > What I want is this;
> >
> > Port 80 and port 21 will share 30 kilobytes of the 50kilobytes upstream
> > my ISP gives me, bittorrent will get 10 maximum (ports 6881-6890), and
> > all other ports get the full 100 mbits.
> >
> > I want any of the other ports to be able to steal the bandwidth of the
> > port 21 and port 80 as well as the bittorrent ports if they are not in
> > use, however bittorrent, or port 21 or 80 cannot exceed their bandwidth
> > limitations.
> >
> > This is because I use my server as a samba server as well as a vnc
> > server from within my network so I want as high a bandwidth as possible
> > on those, however my HTTP server and FTP server and Bittorrent can't
> > kill my internet connection for everyone else.
> >
> > My current configuration looks like
> >
> > tc qdisk add dev eth0 root handle 1: htb default 30
>
> It's "tc qdisc ..."
>
> > tc class add dev eth0 parent 1: classid 1:1 htb rate 95mbit burst 15k
> > tc class add dev eth0 parent 1:1 classid 1:10 htb rate 320kbit burst 15k
> > tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1kbit ceil 90mbit
> > burst 15k
> > tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil 90mbit
> > burst 15k
> > tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
> > tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
> > tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
>
> If eth0 is connected to the internet, the ceil should be your internet link.
> Not your NIC bandwidth.
>
> > U32="tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32"
> > $U32 match ip sport 80 0xffff flowid 1:10
> > $U32 match ip sport 21 0xffff flowid 1:20
> >
> > I sort of fiddled with one of the configurations in the book to get
> > this, also this does not include the bittorrent ports which is a
> > requirement I thought of just recently.
> >
> > I need, first a way to implement the bandwidth restrictions described
> > above, and second a way to remove my old configuration (if I can't just
> > overwrite it)
>
> /qos/bin/tc qdisc del dev eth0 root
>
> Stef

Oh, I am sorry I probably should have specified the setup of my network (stupid mistake by me :p). I have a server (linux), a laptop (linux) and my parents' computer (windows). These are all connected to the internet via my router which is just a store bought, 4 port wireless router. I want to control the bandwidth leaving my server on ports 80, 21, and the bittorrent ports because if someone is downloading from my webserver while I am getting anime off bittorrent, then the internet slows to a crawl because all of the upstream is used. Since none of the other computers ever participate in any upload-heavy activities I figure that 10kilobytes per second would be enough for them. However I still want the ability to copy at Ethernet speeds from the samba server on my server, use VNC to control my server (it has an audigy 2 in it so I have my speakers and headphones hooked up to it, then use vnc to control xmms), and basically do any other miscellaneous high bandwidth activities from within my network.

Sorry for not explaining my predicament earlier

Thanks
Ryan Vilim

From cheongseng@hotmail.com Thu Oct 30 15:10:17 2003
From: cheongseng@hotmail.com (wong cheongseng)
Date: Thu, 30 Oct 2003 23:10:17 +0800
Subject: [LARTC] Installation problems
Message-ID:

VERY URGENT!!! Hey, I'm a final year student in upm. I have installed Linux Redhat 9.0. Wish to build up a QoS Linux packet filter using kernel-2.4.20.8. I have followed the instructions which I downloaded from the internet. But I don't understand the instructions very well. The following steps have been done by me:-

1) Patch the L7-kernel patch to the kernel (success)
2) Re-compile the kernel (success)
3) Enable layer-7 filtering (success)
4) After I unpack "tar xvzf iproute2_w_layer7_patch-0.9.3.tar.gz"
   Inside there, I found a TC folder - 31 items
   - tc patch - how does the TC link against the new kernel header??? (question)
   - I have made the symbolic link from /usr/src/linux to /usr/src/linux-2.4.20.8
   - Where should I put the files inside the TC folder??? (question)
   - When I "make" to compile, it shows me an error and tells me to compile the kernel first??? (question)
   - Since the tc folder has many files, which should I copy to /sbin/tc??? (question)
5) Protocol definitions
   - after unpacking the latest patterns from l7-filter.sourceforge.net
   - I tried to cat all the patterns to /proc/net/layer7_protocols, but found error "no such files and directory" - Anything I did wrong?? (question)

Please reply to me as soon as possible. Very urgent!!!
Thank you.

From jere_lartc@cassidyweb.com Thu Oct 30 15:11:58 2003
From: jere_lartc@cassidyweb.com (Jere Cassidy)
Date: Thu, 30 Oct 2003 10:11:58 -0500
Subject: [LARTC] Re: Bandwidth shaping help
In-Reply-To: <1067524447.24000.7.camel@laptop.no-ip.com>
References: <1067463348.3821.17.camel@laptop.no-ip.com> <200310301132.57937.stef.coene@docum.org> <1067524447.24000.7.camel@laptop.no-ip.com>
Message-ID: <20031030151159.12913.qmail@ns1.cassidyweb.com>

I had the same issue (wanted to control server even though it wasn't doing routing) and added the following to the wondershaper script:

#exempt networks (i.e. local lan)
EXEMPT=192.168.10.0/24

#added class for internal network traffic (5mbit of a 10mbit link)
tc class add dev $DEV parent 1: classid 1:2 cbq rate 5mbit \
   allot 1500 prio 4 avpkt 1000

#qdisc
tc qdisc add dev $DEV parent 1:2 handle 90: sfq perturb 10

#loop through existing networks
for a in $EXEMPT
do
   tc filter add dev $DEV parent 1:0 protocol ip pri 9 u32 \
      match ip dst $a flowid 1:2
done

This worked fine! The following part however, does not work for some reason. I submitted a help ticket to this list, but it was waiting for moderator approval:

#for ingress:
tc qdisc add dev $DEV handle ffff: ingress

# filter *everything* to it (0.0.0.0/0), drop everything that's
# coming in too fast:

#exemptions by jere
for a in $EXEMPT
do
   tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
      $a police rate 5mbit burst 15k drop flowid :1
done

tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

Since it's not a separate class, I can't see if the packets are getting matched. Everything is filtered at the second 0.0.0.0/0 police rate. So now I can transfer files quickly from my server, but not to it. Any help?
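
The ingress exemption rules from the message above, as an added example that is not part of the original post or of wondershaper: it prints the policers with each exempt network at its own priority below the catch-all's 50, and predicts which rule a given source address reaches first. The function names, the priority numbering from 10 and the sample DOWNLINK value are assumptions; whether this ordering resolves the behaviour reported above is not established in the thread.

```shell
#!/bin/sh
# Added example: not part of wondershaper or of the post above.
# Prints (never runs) the ingress policers, giving every exempt network its
# own priority below the catch-all's 50, and predicts the rule a source hits.

# ip_to_int A.B.C.D: print the address as an integer, fail if malformed.
ip_to_int() {
    case $1 in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/LEN: succeed when IP lies inside NET/LEN, return 2 on bad input.
in_cidr() {
    ip=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    len=${2#*/}
    case $len in ""|*[!0-9]*|0?*|???*) return 2 ;; esac
    [ "$len" -le 32 ] || return 2
    [ "$len" -eq 0 ] && return 0          # /0 covers every address
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# police_rule DEV PRIO SRC RATE BURST: print one ingress policing filter.
police_rule() {
    printf 'tc filter add dev %s parent ffff: protocol ip prio %s u32 ' "$1" "$2"
    printf 'match ip src %s police rate %s burst %s drop flowid :1\n' "$3" "$4" "$5"
}

# ingress_rules DEV DOWNLINK_KBIT LAN_RATE NET...: print the whole rule set.
ingress_rules() {
    dev=$1 downlink=$2 lan_rate=$3
    shift 3
    [ $# -lt 40 ] || { echo "too many exemptions" >&2; return 1; }
    # Validate everything first so a bad entry never yields a partial rule set.
    for n in "$@"; do
        in_cidr "${n%/*}" "$n" && [ "${n#*/}" -ne 0 ] || {
            echo "bad exemption: $n" >&2; return 1; }
    done
    echo "tc qdisc add dev $dev handle ffff: ingress"
    prio=10
    for n in "$@"; do
        police_rule "$dev" "$prio" "$n" "$lan_rate" 15k
        prio=$((prio + 1))
    done
    police_rule "$dev" 50 0.0.0.0/0 "${downlink}kbit" 10k
}

# matching_prio SRC NET...: print the prio of the first rule SRC would reach.
# tc consults filters in ascending prio order, so exemptions are tried first.
matching_prio() {
    src=$1; shift
    ip_to_int "$src" >/dev/null || return 1
    prio=10
    for n in "$@"; do
        in_cidr "$src" "$n" && { echo "$prio"; return 0; }
        prio=$((prio + 1))
    done
    echo 50    # only the 0.0.0.0/0 catch-all matches
}

# Demo with constructed values; DEV, DOWNLINK and EXEMPT are the post's names.
DEV=eth0 DOWNLINK=1500 EXEMPT="192.168.10.0/24"
ingress_rules "$DEV" "$DOWNLINK" 5mbit $EXEMPT
echo "192.168.10.7 -> prio $(matching_prio 192.168.10.7 $EXEMPT)"
echo "203.0.113.9  -> prio $(matching_prio 203.0.113.9 $EXEMPT)"
```

Pipe the printed commands to a root shell only after reading them; with a policer whose action is drop, a packet is handled by the first filter it matches and is not passed on to later ones.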

From cheongseng@hotmail.com Thu Oct 30 15:27:05 2003
From: cheongseng@hotmail.com (wong cheongseng)
Date: Thu, 30 Oct 2003 23:27:05 +0800
Subject: [LARTC] Installation problems- QoS layer 7 packet filter
Message-ID:

VERY URGENT!!! Hey, I'm a final year student in upm. I have installed Linux Redhat 9.0. Wish to build up a QoS Linux packet filter using kernel-2.4.20.8. I have followed the instructions which I downloaded from the internet. But I don't understand the instructions very well. The following steps have been done by me:-

1) Patch the L7-kernel patch to the kernel (success)
2) Re-compile the kernel (success)
3) Enable layer-7 filtering (success)
4) After I unpack "tar xvzf iproute2_w_layer7_patch-0.9.3.tar.gz"
   Inside there, I found a TC folder - 31 items
   - tc patch - how does the TC link against the new kernel header??? (question)
   - I have made the symbolic link from /usr/src/linux to /usr/src/linux-2.4.20.8
   - Where should I put the files inside the TC folder??? (question)
   - When I "make" to compile, it shows me an error and tells me to compile the kernel first??? (question)
   - Since the tc folder has many files, which should I copy to /sbin/tc??? (question)
5) Protocol definitions
   - after unpacking the latest patterns from l7-filter.sourceforge.net
   - I tried to cat all the patterns to /proc/net/layer7_protocols, but found error "no such files and directory" - Anything I did wrong?? (question)

Please reply to me as soon as possible. Very urgent!!!
Thank you.

From gregoriandres@yahoo.com.ar Thu Oct 30 15:24:25 2003
From: gregoriandres@yahoo.com.ar (ThE PhP_KiD)
Date: Thu, 30 Oct 2003 12:24:25 -0300
Subject: [LARTC] New in the list
In-Reply-To: <3FA00BB1.2050601@yahoo.es>
Message-ID:

GREETINGS FROM ARGENTINA, VICENTE!

Andres.

-> -----Original Message-----
-> From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On
-> behalf of Vicent Roca Daniel
-> Sent: Wednesday, 29 October 2003 03:49 p.m.
-> To: lartc@mailman.ds9a.nl
-> Subject: [LARTC] New in the list
->
->
-> Hi people! ;-)
-> I'm new in the list.
-> Name: Vicent Roca
-> Country: Spain
->
-> see you.
-> bye.
-> Goodbye

From stef.coene@docum.org Thu Oct 30 18:41:09 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 30 Oct 2003 19:41:09 +0100
Subject: [LARTC] Bandwidth shaping help
In-Reply-To: <1067524447.24000.7.camel@laptop.no-ip.com>
References: <1067463348.3821.17.camel@laptop.no-ip.com> <200310301132.57937.stef.coene@docum.org> <1067524447.24000.7.camel@laptop.no-ip.com>
Message-ID: <200310301941.09615.stef.coene@docum.org>

On Thursday 30 October 2003 15:34, Ryan Vilim wrote:
> Oh, I am sorry I probably should have specified the setup of my network
> (stupid mistake by me :p). I have a server (linux), a laptop (linux) and
> my parents' computer (windows). These are all connected to the internet
> via my router which is just a store bought, 4 port wireless router. I
> want to control the bandwidth leaving my server on ports 80, 21, and the
> bittorrent ports because if someone is downloading from my webserver
> while I am getting anime off bittorrent, then the internet slows to a
> crawl because all of the upstream is used. Since none of the other
> computers ever participate in any upload-heavy activities I figure that
> 10kilobytes per second would be enough for them. However I still want
> the ability to copy at Ethernet speeds from the samba server on my
> server, use VNC to control my server (it has an audigy 2 in it so I have
> my speakers and headphones hooked up to it, then use vnc to control
> xmms), and basically do any other miscellaneous high bandwidth
> activities from within my network.

For the LAN nic, you have to do something like this (this is for downloads):

1:0
  1:1 LAN traffic, rate = 10Mbit-128kbit, ceil = 10mbit-128kbit
  1:2 internet traffic, rate = 128kbit
    1:20 : port 80, 21 and bittorrent
    1:21 : other traffic
      1:211 : you
      1:210 : mom
      1:210 : daddy

Stef

Ps. You don't need vnc to control xmms :

libxmms-perl - Interactive remote control for XMMS (X MultiMedia System) in perl
XMMS is a multimedia player for X windows. This perl package contains a 'shell' for interacting with a running XMMS via IPC to control songs and playing. A perl interface to the XMMS config, remote and other utilities are provided via this package as well. This library exists at http://www.cpan.org

xmms-infopipe - General plugin for XMMS, reports real-time information to a pipe.
This plugin allows you to read XMMS information from a named pipe. Usable for webpages, irc-clients and where you would like real-time information from XMMS. Shows song position, song, length, playlist position, status (stopped/playing/paused), song title displayed by XMMS and filename. Easy parsable textformat.

xmms-shell - XMMS Shell - Interface to control XMMS from the Console.
This is a shell to control xmms from the linux-console. You can edit the playlist, change skins, play, control the volume and much more.

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From nalkunda@cse.msu.edu Fri Oct 31 00:43:25 2003
From: nalkunda@cse.msu.edu (N N Ashok)
Date: Thu, 30 Oct 2003 19:43:25 -0500
Subject: [LARTC] default route
In-Reply-To:
References:
Message-ID: <200310301943.25538.nalkunda@cse.msu.edu>

On Thursday 30 October 2003 02:52 am, Vadiraj C S scrawled:
> On Thu, 30 Oct 2003, Damion de Soto wrote:
> > getting lost. anyone comment on this ?
> >
> > If you use the ip route tool to create multiple weighted or equalized
> > default routes, you then use source-based routing to make sure that the
> > traffic goes back out the same route it came in on.
> > (unless you're trying to be tricky with asymmetrical routing)
>
> I tried this, the routes get cached so most of the time the packets
> leave from the route they came in, but you can have two routes and
> there is no packet loss.
>
> Vadiraj C S
>

hi,
Having multiple equal cost routes just ensures that the traffic is balanced per-route, i.e. every time a route is looked up in the FIB table, the load-balancing comes into picture. But once a route has been established for a destination, it is cached and all packets to that destination go via that route.

However, if you install the nano patch (http://www.ssi.bg/~ja/nano.txt), the load-balancing is done on a per-packet basis. So for every packet leaving the system (either forwarded or output), the FIB table is consulted and the packets are balanced on the multiple equal-cost paths, provided you have the 'equalize' keyword for that multiple equal-cost route.

Currently I am actually implementing load-balancing (outgoing) on a per-session and current-bandwidth-usage basis.

hope that helps.
ashok

--
N N Ashok
Ph: 408-644-3646 (c)
    517-353-4633 (ELANS Lab)
    517-355-1789 (ERL Lab)

From eturner@monash.edu.my Fri Oct 31 05:10:55 2003
From: eturner@monash.edu.my (Edmund Turner)
Date: Fri, 31 Oct 2003 13:10:55 +0800
Subject: [LARTC] (no subject)
In-Reply-To: <200310301112.07669.stef.coene@docum.org>
Message-ID: <019701c39f6d$5e871ab0$de0018ac@admin.monash.edu.my>

Thanks Stef!!!

Regards
edmund

From cheongseng@hotmail.com Fri Oct 31 05:26:57 2003
From: cheongseng@hotmail.com (wong cheongseng)
Date: Fri, 31 Oct 2003 13:26:57 +0800
Subject: [LARTC] Installation problems
Message-ID:

Hello,

Thank you for your information. You told me that you are using HTB shaping, right? As I know you need the tc patch for your compiled kernel, isn't it?? How does the TC link against the new kernel header???
Before that, I have searched for info about Layer-7 QoS but not much info I got. Since this is the latest QoS project, but I have read the latest example script. It is using HTB, SFQ, etc. Isn't there any difference between the scripts for both projects?? Slackware 8.1 LINUX + your compiled 2.4.20 kernel with all the QoS features ON isn't enough to provide QoS HTB shaping?

Actually, I'm a very new user of Linux. I don't know what type of Linux I should choose. Any suggestion? Sorry, if I have asked a very stupid question. I really appreciate your information.

Thank you.

>From: Rokas
>Reply-To: Rokas
>To: "wong cheongseng"
>Subject: Re[2]: [LARTC] Installation problems
>Date: Thu, 30 Oct 2003 20:14:32 +0200
>
>
>Hello,
>
>I am sorry, but I haven't tried the Layer7 QoS, so I can't give you
>any ideas about that... Instead I use HTB shaping: I use Slackware 8.1
>LINUX + my own compiled 2.4.20 kernel with all the QoS features ON. I
>use HTB rules to shape traffic for both download and upload. My LINUX
>server is a NAT router: interface ppp0 - to internet, and eth0
>interface to LAN. I put QoS HTB queues for both interfaces (on eth0
>for download and on ppp0 for upload). I mark packets with IPTABLES
>MARK target in mangle table POSTROUTING and then add fwmark filters to
>appropriate HTB class. I do shaping based on ports: I reduce download
>and upload speed for all traffic, but some ports (HTTP, HTTPS, SSH,
>POP3, DNS and other) I add to interactive HTB class with higher speed.
>That's how the shaping works. You can find much information about HTB
>QoS in:
>http://luxik.cdi.cz/~devik/qos/htb/
>http://www.docum.org
>http://www.lartc.org
>
>Good luck ! :)
>
> Rokas Zakarevicius
>
>Kaunas, Lithuania, Europe

From damion@snapgear.com Fri Oct 31 05:52:35 2003
From: damion@snapgear.com (Damion de Soto)
Date: Fri, 31 Oct 2003 15:52:35 +1000
Subject: [LARTC] Installation problems- QoS layer 7 packet filter
References:
Message-ID: <3FA1F8A3.7060702@snapgear.com>

wong cheongseng wrote:
> VERY URGENT!!! Hey, I'm a final year student in upm.

I'm sure it is. Is your thesis due tomorrow? :P

> I have installed Linux Redhat 9.0. Wish to build up a QoS Linux packet filter
> using kernel-2.4.20.8. I have followed the instructions which I downloaded from
> the internet. But I don't understand the instructions very well. The following
> steps have been done by me:-

> 4) After I unpack "tar xvzf iproute2_w_layer7_patch-0.9.3.tar.gz"
> Inside there, I found a TC folder - 31 items

I don't know where you got this file from, so I can only guess at the answers:

> - tc patch - how does the TC link against the new kernel header???

tc won't "link" against the new kernel headers, but it may use them when compiling. Unless your environment is broken, it will automatically look in /usr/src/linux/include

> - Where should I put the files inside the TC folder???

Which files? If they are .diff files, you use the 'patch' program to patch them into the original tc source files.

> - When I "make" to compile, it shows me an error and tells me to compile the kernel first???

You may need to run a top level 'make config' (menuconfig or xconfig) and 'make dep' in /usr/src/linux to set up some files correctly for your system.

> - Since the tc folder has many files, which should I copy to /sbin/tc???

After you've finished the 'make' (or maybe 'make install') the Makefile will automatically copy the correct binary to /sbin/tc (or probably /usr/local/sbin/tc). You don't have to do it yourself, unless you're hacking.

> Please reply to me as soon as possible. Very urgent!!!

Mailing lists and newsgroups aren't always the quickest source of info. I find google faster most of the time.

> Thank you.

You're welcome.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Damion de Soto - Software Engineer email: damion@snapgear.com SnapGear --- ph: +61 7 3435 2809 | Custom Embedded Solutions fax: +61 7 3891 3630 | and Security Appliances web: http://www.snapgear.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --- Free Embedded Linux Distro at http://www.snapgear.org --- From cheongseng@hotmail.com Fri Oct 31 06:51:49 2003 From: cheongseng@hotmail.com (wong cheongseng) Date: Fri, 31 Oct 2003 14:51:49 +0800 Subject: [LARTC] Installation problems- QoS layer 7 packet filter Message-ID: Thank you very much Damion de Soto. You're rite, i'm in final semester now. This is my final year project, must be finished and submit within this 3 months. Actually i search for so many web site to get the instruction build up Qos layer7 packet filter. But i really not very understand the given instruction. I got the latest TC patch files in "http://sourceforge.net". I'm very fresh in using Linux. Anyway, I will try it myself. Thank you!! >From: Damion de Soto >To: wong cheongseng >CC: lartc@mailman.ds9a.nl >Subject: Re: [LARTC] Installation problems- QoS layer 7 packet filter >Date: Fri, 31 Oct 2003 15:52:35 +1000 > >wong cheongseng wrote: >>VERY URGENT!!! Hey, i'm final year student in upm. >I'm sure it is. is your thesis due tomorrow? :P >>I have install linux Redhat 9.0. Wish to build up Qos linux packet filter > > using kernel-2.4.20.8 i have follow the instruction which i download >from > > internet. But i 'm not very understand about the instruction. The >following > > step have been done by me:- > >>4) After i unpack "tar xvzf iproute2_w_layer7_patch-0.9.3.tar.gz" >> Inside there, i found a TC folder- 31 items >I don't know where you got this file from, so I can only guess at the >answers: > >> - tc patch - how does the TC link against the new kernel header??? >tc won't "link" against the new kernel headers, but it may use them when >compiling. 
>unless your environment is broken, it will automatically look in >/usr/src/linux/include > > >> - Where should i put the files inside the TC folder??? >Which files? >If they are .diff files, you use the 'patch' program to patch them into the >original tc source files. > >> - When i "make" to compile, it show me error and tell me to compile the >>kernel first??? >You may need to run a top level 'make config' (menuconfig or xconfig) and >'make dep' in /usr/src/linux to setup some files correctly for your system. > >> - Since the tc folder have many files, which should i copy to >>/sbin/tc??? >After you've finished the 'make' (or maybe 'make install') the Makefile >will automatically copy the correct binary to /sbin/tc (or probabaly >/usr/local/sbin/tc ) >You don't have to do it yourself, unless you're hacking. > >>Please reply me as soon as possible. Very urgent!!! >Mailing lists and newsgroups aren't always the quickest source of info.. I >find google faster most of the time. > > > Thank you. >You're welcome. > >-- >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >Damion de Soto - Software Engineer email: damion@snapgear.com >SnapGear --- ph: +61 7 3435 2809 > | Custom Embedded Solutions fax: +61 7 3891 3630 > | and Security Appliances web: http://www.snapgear.com >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > --- Free Embedded Linux Distro at http://www.snapgear.org --- > _________________________________________________________________ Are you in love? Find a date on MSN Personals http://match.msn.com.my/ From su_raj_in@yahoo.com Fri Oct 31 07:23:53 2003 From: su_raj_in@yahoo.com (Suraj Shankar) Date: Thu, 30 Oct 2003 23:23:53 -0800 (PST) Subject: [LARTC] Explanation reqd. for few (more than few!) 
concepts in TC In-Reply-To: <200310301143.19764.stef.coene@docum.org> Message-ID: <20031031072353.11847.qmail@web20009.mail.yahoo.com> Hi, --- Stef Coene wrote: > > http://lartc.org/lartc.html#AEN939 ; the part that > > lists parameters in CBQ ... was wondering how > 'cell' > > can be defined. > If you bound a class, the class can never send more > then the configure rate. > So that's the ceil. If you add a sub class (not > bounded), that class has to > respect the rate (in this case also the ceil) of > it's parente. ! > And htb is maintained, while the cbq code is not. in my xp, that sure is a reason to be using it :) > Don't trust the help function :(. My tip : go to > http://docum.org, go to the > test pages and copy my cbq commands ,) okey! now I understand what you earlier meant by test pages. Was there, you syntax works ... which means the tc help isn't exhaustive, well that's a pity. Thank you. Do you have any pointers to where I can find a list of parameters configurable with a particular queue? > > Stef, I do really appreciate the time spent in > trying > > to help me. Thank you. > No problem. :) Thank you. Regards, suraj. __________________________________ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ From ripple@ripple.be Fri Oct 31 07:21:59 2003 From: ripple@ripple.be (Justin Whitney) Date: Fri, 31 Oct 2003 02:21:59 -0500 Subject: [LARTC] tc filter oddities Message-ID: <1067584919.10134.28.camel@osiris.lan> I shape my upstream cable link with HTB from a script. My voip traffic (from the 192.168.0.14 host) gets priority over everything else to the near-starvation of other classes; the rest of the traffic is split up based on some priority rules (qos, empty ack packets, etc). eth1 is the uplink I've been using HTB and fw marking for the job until recently, when I changed the queue structure around a bit, and moved to tc filters (no marking). 
None of my filters are working, in fact none are being applied, or respecting the 'parent' attribute that I give them. All of my filters end up with parent 1:

All qdiscs are empty save for the root qdisc, and all packets from that one seem to be direct_packet_stat'd from it... when I added default values to the htb qdiscs, this just caused all packets to filter down to whatever default class I specified, and continue to get direct_packet_stat'd from those...

so.. I'm trying to sort out why my filters aren't working and why they're not getting the parents I've intended.

comments on the sanity of my queue structure are welcomed (as are all others), but really I should be able to deal with that after my filters agree to work, as the fw ones were beforehand.

copy of script (commented):

//root limited to 120kbits (on 128kbit link)
tc qdisc add root dev eth1 handle 1: htb
tc class add dev eth1 parent 1: classid 1:1 htb rate 120kbit ceil 120kbit burst 2k

//first one is voip, second one is everything else
//this is a change from how i was doing it before and is untested
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 100kbit ceil 120kbit burst 2k prio 1
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 20kbit ceil 120kbit burst 2k prio 2

//3 prio classes for the 'everything else' traffic
tc class add dev eth1 parent 1:20 classid 1:21 htb rate 40kbit burst 2k prio 1
tc class add dev eth1 parent 1:20 classid 1:22 htb rate 40kbit burst 2k prio 2
tc class add dev eth1 parent 1:20 classid 1:23 htb rate 40kbit burst 2k prio 3

//sfq's for the prio classes
tc qdisc add dev eth1 parent 1:21 handle 121: sfq
tc qdisc add dev eth1 parent 1:22 handle 122: sfq
tc qdisc add dev eth1 parent 1:23 handle 123: sfq

//filters - first and second for voip and other
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip src 192.168.0.14 flowid 110:
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip dst 0/0 flowid 1:20

//and others are for qos min-delay, empty-ack, and everything else
tc filter add dev eth1 parent 1:20 pref 2 protocol ip u32 match ip tos 0x10 0xff flowid 121:
tc filter add dev eth1 parent 1:20 pref 3 protocol ip u32 match ip protocol 6 0xff match u8 0x10 0xff at nexthdr+13 match u16 0x0000 0xffc0 at 2 flowid 122:
tc filter add dev eth1 parent 1:20 pref 4 protocol ip route flowid 123:

---
tc -s -d qdisc ls:

qdisc sfq 123: dev eth1 quantum 1514b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 122: dev eth1 quantum 1514b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc sfq 121: dev eth1 quantum 1514b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

qdisc htb 1: dev eth1 r2q 10 default 0 direct_packets_stat 166 ver 3.10
 Sent 27491 bytes 166 pkts (dropped 0, overlimits 0)

--
and perhaps more interesting is tc filter show dev eth1 (eth1=upstream)

filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 802: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 802::800 order 2048 key ht 802 bkt 0 flowid 122:
  match 00060000/00ff0000 at 8
  match 00100000/00ff0000 at nexthdr+12
  match 00000000/0000ffc0 at 0
filter parent 1: protocol ip pref 1 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 121:
  match 00100000/00ff0000 at 0
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 110:
  match c0a8000e/ffffffff at 12
filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:20
  match 00000000/00000000 at 16

(parents == 1: ??!)

Thanks in advance all for your comments on this.
--Justin Whitney From util@deuroconsult.ro Fri Oct 31 08:38:30 2003 From: util@deuroconsult.ro (Catalin BOIE) Date: Fri, 31 Oct 2003 10:38:30 +0200 (EET) Subject: [LARTC] tc filter oddities In-Reply-To: <1067584919.10134.28.camel@osiris.lan> References: <1067584919.10134.28.camel@osiris.lan> Message-ID: Hi! > //root limited to 120kbits (on 128kbit link) > tc qdisc add root dev eth1 handle 1: htb > tc class add dev eth1 parent 1: classid 1:1 htb rate 120kbit ceil > 120kbit burst 2k > > //first one is voip, second one is everything else > //this is a change from how i was doing it before and is untested > tc class add dev eth1 parent 1:1 classid 1:10 htb rate 100kbit ceil > 120kbit burst 2k prio 1 > tc class add dev eth1 parent 1:1 classid 1:20 htb rate 20kbit ceil > 120kbit burst 2k prio 2 > > //3 prio classes for the 'everything else' traffic > tc class add dev eth1 parent 1:20 classid 1:21 htb rate 40kbit burst 2k > prio 1 > tc class add dev eth1 parent 1:20 classid 1:22 htb rate 40kbit burst 2k > prio 2 > tc class add dev eth1 parent 1:20 classid 1:23 htb rate 40kbit burst 2k > prio 3 > > //sfq's for the prio classes > tc qdisc add dev eth1 parent 1:21 handle 121: sfq > tc qdisc add dev eth1 parent 1:22 handle 122: sfq > tc qdisc add dev eth1 parent 1:23 handle 123: sfq > > //filters - first and second for voip and other > tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip src > 192.168.0.14 flowid 110: ^^^^ I think here is 1:10, right? > tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip dst > 0/0 flowid 1:20 OK, till here. > //and others are for qos min-delay, empty-ack, and everything else > tc filter add dev eth1 parent 1:20 pref 2 protocol ip u32 match ip tos > 0x10 0xff flowid 121: Here must be 1:21. > tc filter add dev eth1 parent 1:20 pref 3 protocol ip u32 match ip > protocol 6 0xff match u8 0x10 0xff at nexthd r+13 match u16 0x0000 > 0xffc0 at 2 flowid 122: Here must be 1:22. 
> tc filter add dev eth1 parent 1:20 pref 4 protocol ip route flowid 123: Here must be 1:23. Try this and come back. > > --- > tc -s -d qdisc ls: > > qdisc sfq 123: dev eth1 quantum 1514b limit 128p flows 128/1024 > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > qdisc sfq 122: dev eth1 quantum 1514b limit 128p flows 128/1024 > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > qdisc sfq 121: dev eth1 quantum 1514b limit 128p flows 128/1024 > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > qdisc htb 1: dev eth1 r2q 10 default 0 direct_packets_stat 166 ver 3.10 > Sent 27491 bytes 166 pkts (dropped 0, overlimits 0) > > -- > and perhaps more interesting is tc filter show dev eth1 (eth1=upstream) > > filter parent 1: protocol ip pref 1 u32 > filter parent 1: protocol ip pref 1 u32 fh 802: ht divisor 1 > filter parent 1: protocol ip pref 1 u32 fh 802::800 order 2048 key ht > 802 bkt 0 flowid 122: > match 00060000/00ff0000 at 8 > match 00100000/00ff0000 at nexthdr+12 > match 00000000/0000ffc0 at 0 > filter parent 1: protocol ip pref 1 u32 fh 801: ht divisor 1 > filter parent 1: protocol ip pref 1 u32 fh 801::800 order 2048 key ht > 801 bkt 0 flowid 121: > match 00100000/00ff0000 at 0 > filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1 > filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht > 800 bkt 0 flowid 110: > match c0a8000e/ffffffff at 12 > filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht > 800 bkt 0 flowid 1:20 > match 00000000/00000000 at 16 > > (parents == 1: ??!) > > Thanks in advance all for your comments on this. 
> > --Justin Whitney > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > --- Catalin(ux) BOIE catab@deuroconsult.ro From Rokas Fri Oct 31 09:20:15 2003 From: Rokas (Rokas) Date: Fri, 31 Oct 2003 11:20:15 +0200 Subject: [LARTC] Policy routing with IPTABLES MARK (please help me) Message-ID: <1911665214.20031031112015@centras.lt> Hello, I have a LINUX server with two internet connections available. I want all the traffic to go over the default route, but HTTP traffic to go over ISP2 line. Interfaces: eth1 192.168.2.254 - LAN 192.168.2.x ppp0 x.x.x.106 - remote gateway x.x.x.6 - ISP1 (default route) eth0 192.168.164.254 - remote gateway 192.168.164.113 - ISP2 (a hardware router) I have the following configuration: echo 200 gate2 >> /etc/iproute2/rt_tables server:/etc/network# ip route x.x.x.6 dev ppp0 proto kernel scope link src x.x.x.106 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.254 192.168.164.0/24 dev eth0 proto kernel scope link src 192.168.164.254 default via x.x.x.6 dev ppp0 server:/etc/network# ip route list table gate2 default via 192.168.164.113 dev eth0 server:/etc/network# ip rule 0: from all lookup local 32765: from all fwmark 1 lookup gate2 32766: from all lookup main 32767: from all lookup default The script: ----------------------------------------------------- #!/bin/bash iptables -t nat -F iptables -t mangle -F iptables -F iptables -P FORWARD ACCEPT ip route flush table gate2 ip route add default via 192.168.164.113 dev eth0 table gate2 ip rule add fwmark 0x01 table gate2 ip route flush cache iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE iptables -t mangle -A PREROUTING -i eth1 -s 192.168.2.0/24 -p icmp -j MARK --set-mark 0x01 iptables -t mangle -A PREROUTING -i eth1 -s 192.168.2.0/24 -p tcp -m tcp --dport 80 -j MARK --set-mark 0x01 iptables -t mangle -A PREROUTING -i eth1 -s 192.168.2.0/24 -p tcp 
-m tcp --dport 443 -j MARK --set-mark 0x01 for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f done ------------------------------------------------------- I also mark icmp packets, that I could test my configuration using traceroute. It seems that my rules are working OK, with tcpdump and traceroute I see that HTTP traffic of LAN computers go over the ISP2 line. When I connect to the WWW page, that shows my public IP address, I see the ISP2 line address. But after some time, part of the HTTP traffic begins going over the default ISP1 line. I see that some HTTP traffic goes over ISP2 line (that's good), but also it goes over default route. And after some time, if I connect to the WWW page, that shows my public IP address, I see the default ISP1 IP address (that's bad). I do my test browsing from one of my LAN computers, there are other computers working in the LAN, and perhaps their HTTP traffic goes OK (over the ISP2 line), because with tcpdump -i eth0 net 192.168.164 and port 80 I see that there are much HTTP traffic on the ISP2 line. Then I reboot my server, for some time (about 10 minutes) everything works OK, but then there comes my problem... :( I am totally lost, I don't know how to solve this problem.... :( Perhaps somebody can see what I am doing incorrectly. I would be very grateful if you helped me with this issue. Rokas Zakarevicius From stef.coene@docum.org Fri Oct 31 09:47:07 2003 From: stef.coene@docum.org (Stef Coene) Date: Fri, 31 Oct 2003 10:47:07 +0100 Subject: [LARTC] Explanation reqd. for few (more than few!) concepts in TC In-Reply-To: <20031031072353.11847.qmail@web20009.mail.yahoo.com> References: <20031031072353.11847.qmail@web20009.mail.yahoo.com> Message-ID: <200310311047.07764.stef.coene@docum.org> On Friday 31 October 2003 08:23, Suraj Shankar wrote: > > Don't trust the help function :(. My tip : go to > > http://docum.org, go to the > > test pages and copy my cbq commands ,) > > okey! 
now I understand what you earlier meant by test > pages. Was there, you syntax works ... which means the > tc help isn't exhaustive, well that's a pity. Thank > you. Do you have any pointers to where I can find a > list of parameters configurable with a particular > queue? Not really. The htb parameters are easy to understand. The cbq parameters are not. Some information can be found in the tc source, some in the kernel source. That's one of the reasons I suggest htb. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From ganeshkumar@signal-networks.com Fri Oct 31 10:15:09 2003 From: ganeshkumar@signal-networks.com (Ganesh Kumar) Date: Fri, 31 Oct 2003 15:45:09 +0530 Subject: [LARTC] un subscribe Message-ID: <00c301c39f97$df0c28e0$0c01a8c0@signet.local> Hi all, I want to unsubscribe from this list can anybody tell how to do that... thanx... ganesh
From liviu@rdsar.ro Fri Oct 31 10:28:26 2003 From: liviu@rdsar.ro (Liviu Obreja) Date: Fri, 31 Oct 2003 12:28:26 +0200 (EET) Subject: [LARTC] (no subject) Message-ID: I want to unsubscribe from this list can anybody tell how to do that... thanx... Liviu ------------------------------------------------ Liviu Obreja Network Administrator Romania Data Systems SA - Arad str. Spitalului Bl. 2B, Arad tel. +40-57-228.200 fax. +40-57-228.201 email: liviu.obreja@rdsnet.ro ------------------------------------------------- ------------------------------------------------- Don't ever be afraid of shadows. They only show the presence of light around. ~ Gary Sinise ------------------------------------------------ Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such a case, you should destroy this message and kindly notify the sender by reply e-mail. From codrin@flynet.iasi.rdsnet.ro Fri Oct 31 10:15:54 2003 From: codrin@flynet.iasi.rdsnet.ro (The Codrinus) Date: Fri, 31 Oct 2003 12:15:54 +0200 (EET) Subject: [LARTC] Question about iptables and maximum file size Message-ID: Hi, I would like to know if there is any possibility to select from iptables the files with maximum size of 300 kbytes and send them to a proxy server. As I know until now you can only mark files with maximum size of 64 kbytes.
thank you in advance,
Codrin.

From bdiehl@a1limo.com Fri Oct 31 14:06:10 2003
From: bdiehl@a1limo.com (Brian M. Diehl)
Date: Fri, 31 Oct 2003 09:06:10 -0500
Subject: [LARTC] QoS / VoIP
Message-ID:

Hello,

Please excuse any of my errors, as I am new to this list (Just signed last night!)

Here is my situation. I have four remote offices, one connected by a wireless link, one connected by a regular T1 and two connected by frame. We have just switched PBX's and are now using VoIP phones instead of landlines. My problem is (obviously) with VoIP, the voice is getting choppy whenever there is high data transfers.

My question is, for the office with a T1, should I put a QoS box on both ends? (One here at HQ, and one there?) Same with the frame? And correct me if I'm wrong, but I will need one at both ends for the wireless link. I have read most of the LARTC HOW-TO, but it hasn't sank in totally (trying to take a drink from a fire hydrant)

Thanks in advance,
--
Brian M. Diehl
Network Admin
A-1 Limousine Inc.
609-919-2019

From lartc@24x7linux.com Fri Oct 31 19:49:30 2003
From: lartc@24x7linux.com (Jose Luis Domingo Lopez)
Date: Fri, 31 Oct 2003 20:49:30 +0100
Subject: [LARTC] Question about iptables and maximum file size
In-Reply-To:
References:
Message-ID: <20031031194930.GA4243@localhost>

On Friday, 31 October 2003, at 12:15:54 +0200, The Codrinus wrote:

> I would like to know if there is any possibility to select from iptables the
> files with maximum size of 300 kbytes and send them to a proxy server.
> As I know until now you can only mark files with maximum size of 64 kbytes.
>

iptables only knows about layer 2, 3 and 4. Files and their sizes is a layer 7 thing, and depends entirely on the application protocol used to transfer them (SMB, CIFS, NFS, FTP, HTTP, SSH, etc.). So the short answer is no, you can't select packages based on file sizes, it doesn't make any sense.

But you obviously can select IP packages based on their size (match "length").
However, remember that MTU in normal layer 2 networks, typically ethernet, have a value of 1500 bytes, so I think in normal conditions you will not see any packages larger than that (except if you use jumboframes, FR or the like). -- Jose Luis Domingo Lopez Linux Registered User #189436 Debian Linux Sid (Linux 2.6.0-test9-mm1) From sanyi@sigmasoft.ro Fri Oct 31 20:16:38 2003 From: sanyi@sigmasoft.ro (sanyi@sigmasoft.ro) Date: Fri, 31 Oct 2003 22:16:38 +0200 (EET) Subject: [LARTC] Can't use fwmark filters In-Reply-To: <33232.192.168.45.3.1067184510.squirrel@fakir.dyndns.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, On Sun, 26 Oct 2003, Alex wrote: > tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw classid 1:10 > tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 6 fw classid 1:60 > > Which works fine. > > Adding this single line triggers the error again : > > tc filter add dev ppp0 parent 1: protocol ip prio 1 u32 \ > match ip tos 0x10 0xff flowid 1:10 > > ---> RTNETLINK answers: Invalid argument Looks like the same problem what i reported ~2 months ago. A quick solution would be to use different prio's for fw filters and u32 filters. - -- Marton Sandor - sanyi@sigmasoft.ro GPG id: 0x32825B5A , www.keyserver.net BOFH excuse #438: sticky bit has come loose -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/osMrKiUXNzKCW1oRAs/QAJ9CZzpifK6WEdBriFGsCUDN7gYHGACdGkdS VYdgeBMVFlq1pCLYfsFQvzo= =4lXy -----END PGP SIGNATURE----- From ripple@ripple.be Fri Oct 31 23:01:55 2003 From: ripple@ripple.be (Justin Whitney) Date: Fri, 31 Oct 2003 18:01:55 -0500 Subject: [LARTC] tc filter oddities In-Reply-To: References: <1067584919.10134.28.camel@osiris.lan> Message-ID: <1067641315.23605.50.camel@osiris.lan> Thanks, I ran with that and got things working. The filters that I saw as not respecting their parent attribute were in fact dupes from the u32 bug, and present in both 1:20 and 1: (according to filter show). 
I made some adjustments to the queues, and i'll post my results later so that anyone in a similar situation can have something to work from. --Justin Whitney On Fri, 2003-10-31 at 03:38, Catalin BOIE wrote: > Hi! > > > //root limited to 120kbits (on 128kbit link) > > tc qdisc add root dev eth1 handle 1: htb > > tc class add dev eth1 parent 1: classid 1:1 htb rate 120kbit ceil > > 120kbit burst 2k > > > > //first one is voip, second one is everything else > > //this is a change from how i was doing it before and is untested > > tc class add dev eth1 parent 1:1 classid 1:10 htb rate 100kbit ceil > > 120kbit burst 2k prio 1 > > tc class add dev eth1 parent 1:1 classid 1:20 htb rate 20kbit ceil > > 120kbit burst 2k prio 2 > > > > //3 prio classes for the 'everything else' traffic > > tc class add dev eth1 parent 1:20 classid 1:21 htb rate 40kbit burst 2k > > prio 1 > > tc class add dev eth1 parent 1:20 classid 1:22 htb rate 40kbit burst 2k > > prio 2 > > tc class add dev eth1 parent 1:20 classid 1:23 htb rate 40kbit burst 2k > > prio 3 > > > > //sfq's for the prio classes > > tc qdisc add dev eth1 parent 1:21 handle 121: sfq > > tc qdisc add dev eth1 parent 1:22 handle 122: sfq > > tc qdisc add dev eth1 parent 1:23 handle 123: sfq > > > > //filters - first and second for voip and other > > tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip src > > 192.168.0.14 flowid 110: > ^^^^ > I think here is 1:10, right? > > > > tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip dst > > 0/0 flowid 1:20 > > OK, till here. > > > //and others are for qos min-delay, empty-ack, and everything else > > tc filter add dev eth1 parent 1:20 pref 2 protocol ip u32 match ip tos > > 0x10 0xff flowid 121: > Here must be 1:21. > > > tc filter add dev eth1 parent 1:20 pref 3 protocol ip u32 match ip > > protocol 6 0xff match u8 0x10 0xff at nexthd r+13 match u16 0x0000 > > 0xffc0 at 2 flowid 122: > Here must be 1:22. 
> > > tc filter add dev eth1 parent 1:20 pref 4 protocol ip route flowid 123: > Here must be 1:23. > > Try this and come back. > > > > > --- > > tc -s -d qdisc ls: > > > > qdisc sfq 123: dev eth1 quantum 1514b limit 128p flows 128/1024 > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > > > qdisc sfq 122: dev eth1 quantum 1514b limit 128p flows 128/1024 > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > > > qdisc sfq 121: dev eth1 quantum 1514b limit 128p flows 128/1024 > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > > > qdisc htb 1: dev eth1 r2q 10 default 0 direct_packets_stat 166 ver 3.10 > > Sent 27491 bytes 166 pkts (dropped 0, overlimits 0) > > > > -- > > and perhaps more interesting is tc filter show dev eth1 (eth1=upstream) > > > > filter parent 1: protocol ip pref 1 u32 > > filter parent 1: protocol ip pref 1 u32 fh 802: ht divisor 1 > > filter parent 1: protocol ip pref 1 u32 fh 802::800 order 2048 key ht > > 802 bkt 0 flowid 122: > > match 00060000/00ff0000 at 8 > > match 00100000/00ff0000 at nexthdr+12 > > match 00000000/0000ffc0 at 0 > > filter parent 1: protocol ip pref 1 u32 fh 801: ht divisor 1 > > filter parent 1: protocol ip pref 1 u32 fh 801::800 order 2048 key ht > > 801 bkt 0 flowid 121: > > match 00100000/00ff0000 at 0 > > filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1 > > filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht > > 800 bkt 0 flowid 110: > > match c0a8000e/ffffffff at 12 > > filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht > > 800 bkt 0 flowid 1:20 > > match 00000000/00000000 at 16 > > > > (parents == 1: ??!) > > > > Thanks in advance all for your comments on this. 
> >
> > --Justin Whitney
> >
> > _______________________________________________
> > LARTC mailing list / LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> >
>
> ---
> Catalin(ux) BOIE
> catab@deuroconsult.ro

From hans.t.griem@boeing.com Sat Nov 1 00:56:47 2003
From: hans.t.griem@boeing.com (Griem, Hans T)
Date: Fri, 31 Oct 2003 16:56:47 -0800
Subject: [LARTC] beta-release of H-FSC port for Linux 2.6
Message-ID:

Hello Patrick,

I read the abstract and introduction to original H-FSC paper. I believe it was mostly about decoupling bw and delay.

It seems to me HTB does this well. When and/or why would I would want to use H-FSC versus HTB or are they direct competitors?

Curious,
Torsten

-----Original Message-----
From: Patrick McHardy [mailto:kaber@trash.net]
Sent: Sunday, October 26, 2003 10:05 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] beta-release of H-FSC port for Linux 2.6

I've done a port of the altq H-FSC packet scheduler for linux 2.6. It's still in beta stage but it's running for about two weeks here without problems (and excellent shaping results). There is no documentation, so it's at best for the playful at the moment. The patches are available at http://trash.net/~kaber/hfsc

If you are looking for 2.4 patches, there are none at the moment but it's a 5 minute effort so if you need them please ask.

Please note due to a lack of time I will only answer basic usage questions at this point and for sure I won't review tc scripts without detailed bug reports.

Have Fun,
Patrick

BTW: on a related issue, IMQ is looking for a new maintainer. If you are interested please contact me.
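
Two mistakes from the tc threads above can be caught before a script is loaded: a flowid typed as `110:` where the class is `1:10` (Catalin BOIE's corrections), and fw and u32 filters sharing one prio on the same parent (Marton Sandor's note). The Python linter below is an added example, not code from any poster on the list; its function names and finding codes are made up here, and the two embedded scripts are excerpts copied from the posts with wrapped lines rejoined.

```python
from collections import defaultdict

CLASSIFIERS = {"u32", "fw", "route", "rsvp", "tcindex"}  # tc filter kinds

# Excerpt of Justin Whitney's script as posted (comments and one filter left out).
JUSTIN_SCRIPT = """\
tc qdisc add root dev eth1 handle 1: htb
tc class add dev eth1 parent 1: classid 1:1 htb rate 120kbit ceil 120kbit burst 2k
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 100kbit ceil 120kbit burst 2k prio 1
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 20kbit ceil 120kbit burst 2k prio 2
tc class add dev eth1 parent 1:20 classid 1:21 htb rate 40kbit burst 2k prio 1
tc class add dev eth1 parent 1:20 classid 1:22 htb rate 40kbit burst 2k prio 2
tc class add dev eth1 parent 1:20 classid 1:23 htb rate 40kbit burst 2k prio 3
tc qdisc add dev eth1 parent 1:21 handle 121: sfq
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip src 192.168.0.14 flowid 110:
tc filter add dev eth1 parent 1:0 prio 1 protocol ip u32 match ip dst 0/0 flowid 1:20
tc filter add dev eth1 parent 1:20 pref 2 protocol ip u32 match ip tos 0x10 0xff flowid 121:
tc filter add dev eth1 parent 1:20 pref 4 protocol ip route flowid 123:
"""

# The three filter commands from Alex's report, as quoted by Marton Sandor.
ALEX_FILTERS = """\
tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 6 fw classid 1:60
tc filter add dev ppp0 parent 1: protocol ip prio 1 u32 match ip tos 0x10 0xff flowid 1:10
"""


def parse_handle(text):
    """'1:10' -> (0x1, 0x10); '110:' -> (0x110, 0). tc handles are hexadecimal."""
    if text is None or ":" not in text:
        return None
    major, _, minor = text.partition(":")
    return (int(major or "0", 16), int(minor or "0", 16))


def fmt(handle):
    """Render a handle the way it is typed, e.g. (0x110, 0) -> '110:'."""
    return "%x:%s" % (handle[0], "%x" % handle[1] if handle[1] else "")


def option(tokens, *names):
    """Value following the first of the given keywords, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def suggest(target, classes):
    """Find a defined class whose digits equal the target with the colon misplaced."""
    if target[1] != 0:
        return None
    for cls in sorted(classes):
        if "%x%x" % cls == "%x" % target[0]:
            return cls
    return None


def lint(script):
    """Return findings as (line number, code, detail, detail) tuples."""
    classes = defaultdict(set)   # dev -> set of (major, minor) class ids
    filters = []                 # (lineno, dev, parent, prio, kind, flowid)
    for lineno, line in enumerate(script.splitlines(), 1):
        tok = line.split()
        if len(tok) < 3 or tok[0] != "tc" or tok[2] != "add":
            continue             # comments, blank lines, non-add commands
        dev = option(tok, "dev")
        if tok[1] == "class":
            classid = parse_handle(option(tok, "classid"))
            if classid is not None:
                classes[dev].add(classid)
        elif tok[1] == "filter":
            kind = next((t for t in tok if t in CLASSIFIERS), None)
            filters.append((lineno, dev, parse_handle(option(tok, "parent")),
                            option(tok, "prio", "pref"), kind,
                            parse_handle(option(tok, "flowid", "classid"))))
    findings = []
    first_kind = {}              # (dev, parent, prio) -> first classifier seen
    for lineno, dev, parent, prio, kind, flowid in filters:
        # Only check targets when the script defines classes for this device.
        if classes[dev] and flowid is not None and flowid not in classes[dev]:
            hint = suggest(flowid, classes[dev])
            findings.append((lineno, "unknown-flowid", fmt(flowid),
                             fmt(hint) if hint else None))
        if prio is not None and kind is not None:
            seen = first_kind.setdefault((dev, parent, prio), kind)
            if seen != kind:
                findings.append((lineno, "mixed-kinds", seen, kind))
    return findings


if __name__ == "__main__":
    for name, text in (("justin", JUSTIN_SCRIPT), ("alex", ALEX_FILTERS)):
        for finding in lint(text):
            print(name, finding)
```

Note that `121:` in the first script is the handle of the sfq qdisc attached to class 1:21, which is why the filter was accepted by tc yet never delivered packets to the class.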
From bb@L8R.net Sat Nov 1 04:37:56 2003
From: bb@L8R.net (Brad Barnett)
Date: Fri, 31 Oct 2003 23:37:56 -0500
Subject: [LARTC] fwmark routing of locally generated packets
Message-ID: <20031031233756.4405eb56.bb@L8R.net>

Hi Thomas,

We have the same problem. ;) You're right, it doesn't make any sense.

Can anyone elaborate?? My setup is virtually identical to what Thomas has. However, I'm using IPMASQ on my outgoing connection, so I am able to see that the problem exists even without using SNAT.

Something is borked...

> Thomas Themel themel@iwoars.net
> Tue, 28 Oct 2003 01:32:09 +0100
>
> Hi,
>
> I'm currently trying to get a Linux machine to route all traffic coming
> from a certain UID over a dedicated PPP interface. After going through
> the available documentation and experimenting a bit, I settled for the
> following attempt:
>
>
> # 62.46.87.104 - local PPP address
> # 195.4.91.104 - PPP peer
> ip route add 195.3.91.104 dev ppp0 src 62.46.87.104 table special
> # local for DNS etc
> ip route add 192.168.1.0/24 dev eth0 src 192.168.1.1 table special
> ip route add default via 195.3.91.104 src 62.46.87.104 table special
> ip rule add fwmark 3 lookup special
> iptables -t mangle -A OUTPUT -m owner --uid-owner freenet -j MARK --set-mark 3
> ip route flush cache
>
> This seems to work in a way.
> It correctly sends the packets generated by
> that user out the ppp0 interface, but they don't get the correct source
> address:
>
> | sophokles:~# sh -x description.txt
> | + ip route flush table aonc
> | + ip route add 195.3.91.103 dev ppp0 src 62.46.86.137 table aonc
> | + ip route add 192.168.1.0/24 dev eth0 src 192.168.1.1 table aonc
> | + ip route add default via 195.3.91.103 src 62.46.86.137 table aonc
> | + ip rule add fwmark 3 lookup aonc
> | + iptables -t mangle -A OUTPUT -m owner --uid-owner freenet -j MARK
> | --set-mark 3
> | + ip route flush cache
> | sophokles:~# tcpdump -ni ppp0 port 22 &
> | [1] 841
> | sophokles:~# tcpdump: listening on ppp0
> |
> | sophokles:~# nc iwoars.net 22
> | SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
> |
> | sophokles:~# su - freenet
> | freenet@sophokles:~$ nc iwoars.net 22
> | 01:25:17.044883 192.168.1.1.32848 > 217.160.110.113.22: SWE
> | 1344336467:1344336467(0) win 5840 | 0,nop,wscale 0> (DF)
> | 01:25:20.043828 192.168.1.1.32848 > 217.160.110.113.22: SWE
> | 1344336467:1344336467(0) win 5840 | 0,nop,wscale 0> (DF)
> | 01:25:26.042584 192.168.1.1.32848 > 217.160.110.113.22: SWE
> | 1344336467:1344336467(0) win 5840 | 0,nop,wscale 0> (DF)
> |
> | freenet@sophokles:~$
>
> I've read on this list that owner-based policy routing is impossible
> because the routing decision is made before the packet traverses the
> OUTPUT chain. However, if this is true, then I don't understand how the
> packet can go out via the correct interface unless there are separate
> route lookups to determine the source address and outgoing interface.
>
> Could someone who knows please elaborate?
>
> I have also tried, unsuccessfully, to just mangle the source address
> using an iptables SNAT rule, but even though that produces correct
> network traffic, it seems to break something internally that keeps the
> TCP handshake from completing:
>
> | sophokles:~# iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source 62.46.86.137
> | sophokles:~# su - freenet
> | freenet@sophokles:~$ nc iwoars.net 22
> | 01:30:16.448930 62.46.86.137.32849 > 217.160.110.113.22: SWE
> | 1656968486:1656968486(0) win 5840 | 0,nop,wscale 0> (DF)
> | 01:30:16.516732 217.160.110.113.22 > 62.46.86.137.32849: S
> | 2293250552:2293250552(0) ack 1656968487 win 32120 | 1460,sackOK,timestamp 313375234 2356000,nop,wscale 0> (DF)
> | 01:30:19.448146 62.46.86.137.32849 > 217.160.110.113.22: SWE
> | 1656968486:1656968486(0) win 5840 | 0,nop,wscale 0> (DF)
> | 01:30:19.518099 217.160.110.113.22 > 62.46.86.137.32849: S
> | 2293250552:2293250552(0) ack 1656968487 win 32120 | 1460,sackOK,timestamp 313375535 2356000,nop,wscale 0> (DF)
> | 01:30:19.823023 217.160.110.113.22 > 62.46.86.137.32849: S
> | 2293250552:2293250552(0) ack 1656968487 win 32120 | 1460,sackOK,timestamp 313375566 2356000,nop,wscale 0> (DF)
> | [...]

From themel@iwoars.net Sat Nov 1 10:39:10 2003
From: themel@iwoars.net (Thomas Themel)
Date: Sat, 1 Nov 2003 11:39:10 +0100
Subject: [LARTC] fwmark routing of locally generated packets
In-Reply-To: <20031031233756.4405eb56.bb@L8R.net>
References: <20031031233756.4405eb56.bb@L8R.net>
Message-ID: <20031101103910.GJ3312@iwoars.net>

Hi,

Brad Barnett (bb@L8R.net) wrote on 2003-11-01:
> We have the same problem. ;) You're right, it doesn't make any sense.

Yeah, that's what I feel. Unfortunately, my message to linux-netdev went
unnoticed, and I don't really know of any reference against which to
compare whether the current behaviour is intended or not.

> Can anyone elaborate?? My setup is virtually identical to what Thomas
> has.
> However, I'm using IPMASQ on my outgoing connection, so I am able to
> see that the problem exists even without using SNAT.

This is what I do currently, and it seems to work. This is from an ip-up
script for my PPP link:

ip route flush table aonc
ip route add $GWIP dev $PPP_IFACE src $PPP_LOCAL table aonc
# local for DNS etc
ip route add 192.168.1.0/24 dev eth0 src 192.168.1.1 table aonc
# internet via PPP link
ip route add default via $PPP_REMOTE src $PPP_LOCAL table aonc
ip rule add fwmark 3 lookup aonc
# owner tagging
iptables -t mangle -A OUTPUT -m owner --uid-owner freenet -j MARK --set-mark 3
# SNAT for outgoing packets
iptables -A POSTROUTING -t nat -o $PPP_IFACE --match mark --mark 0x03 -j SNAT --to-source $PPP_LOCAL
# DNAT for incoming packets
iptables -t nat -A PREROUTING -i $PPP_IFACE -d $PPP_LOCAL -j DNAT --to-destination 192.168.1.1
ip route flush cache

However, this feels like a very bad hack - the final DNAT makes the
interface unusable for other purposes, and the interaction between the
sockets' addresses and the packets' addresses are too complicated for my
taste. It's okay for my home network, but I wouldn't want to run this
productively.

ciao,
-- 
[*Thomas Themel*]   Our national shield displays a lion with two tails. It's
[extended contact]  rumoured that it symbolizes the nature of our governments;
[info provided in]  that there actually were two lions, but one is now stuck
[*message header*]  deep in the ass of the other one. - Thomas Shaddack

From azoli@mad.hu Sat Nov 1 11:03:42 2003
From: azoli@mad.hu (Andrasi Zoltan)
Date: Sat, 1 Nov 2003 12:03:42 +0100 (CET)
Subject: [LARTC] Shaping up/download
Message-ID:

Dear all,

My problem is the following: I am connected to my ISP through a 1Mbit connection without up/download ratio, and I want to shape the traffic between workstations equally. How can I do this? I can set up an up/download ratio to them, but when there is lower upload than my configured rate, I want the difference to be used for download.
I found shaping descriptions only for fixed upload and download speed.

--Zoli--

From Dragoş C." References: <1644514561.20031020184000@web.de> <200310202047.24542.stef.coene@docum.org> <931113721.20031027232619@web.de> <200310281918.42979.stef.coene@docum.org>
Message-ID: <59084392.20031101143524@web.de>

--====----====----====----====----====----====----====----====----====----===--

Stef> On Monday 27 October 2003 22:26, Dragos Cinteza wrote:
>> In the last mail I only put the results of listing chains and classes.

Stef> You never told us what's your LAN interface : eth0 or eth1?

eth0 is my LAN interface (GREEN): IP = 192.168.1.10
and eth1 is my internet interface (RED)

My script blocks access to all stations except the ones that have the right combinations of MAC and IP (7 hosts)
Then are in customforward few rules that block access to certain sites.
I tried to do marking based on IP, then based on MAC, but host 192.168.1.1 it still isn't marked.

Stef> And you have double filters : for the src and dst. And that's not needed. You can not have packets with src and dst the same address on a nic.

I know, i think i should only put source. I'm not sure but I think packets still have the LAN (192.168.1.x) source address when are filtered by tc, and only after that the source is replaced with the linux box external ip address for NATing. Anyway the filtering is not done with the source only, as it isn't with source and destination or only destination.

Stef> Stef

================================================================================

From kaber@trash.net Sat Nov 1 14:45:04 2003
From: kaber@trash.net (Patrick McHardy)
Date: Sat, 01 Nov 2003 15:45:04 +0100
Subject: [LARTC] beta-release of H-FSC port for Linux 2.6
In-Reply-To:
References:
Message-ID: <3FA3C6F0.80409@trash.net>

Hi Torsten,

Griem, Hans T wrote:

>I read the abstract and introduction to original H-FSC paper. I believe it was mostly about decoupling bw and delay.
>It seems to me HTB does this well.
>When and/or why would I want to use H-FSC versus HTB or are they direct competitors?
>

Not sure what you mean with "competitors", I made this port for
fun after happily discovering that the code was very nicely
written (unlike the version mentioned in the paper). This should
not be understood as dissatisfaction with HTB, I was perfectly
happy with the entire time I used it.

So why would you want to use H-FSC .. you're right, a major
feature of H-FSC is decoupling of bandwidth and delay, but it
also offers delay _guarantees_ if configured correctly. This is
very important for streaming, VoIP, .. (and gamers of course).
I don't know if my understanding of HTB's algorithm is correct,
but it is basically a chained token bucket, so delay is directly
coupled to bandwidth. Also I believe it always tries to dequeue
"quantum" bytes at once so classes might go overlimits for a
limited period of time. This hurts delay. On the other hand,
HTB is more expressive due to priorities. So I'd say it basically
comes down to expressiveness vs. delay guarantees. However
I was able to convert my HTB config to something very similar
with H-FSC despite using priorities with HTB.

I hope that answers your question.

Best regards,
Patrick

From idallen@idallen.ca Sat Nov 1 15:50:31 2003
From: idallen@idallen.ca (Ian! D. Allen)
Date: Sat, 1 Nov 2003 10:50:31 -0500
Subject: [LARTC] routing for split multiple uplinks/providers with port forwarding
Message-ID: <20031101155031.GA7087@elm.cpu1808.adsl.bellglobal.com>

The fine document:

    http://lartc.org/howto/lartc.rpdb.multiple-links.html

works nicely to make sure that answers to packets incoming to the Linux
router from a particular provider go back out again over the same provider.

It doesn't work as given for connections that are port forwarded from
the Linux router to machines inside the local network (e.g. to a web
server).
With port forwarding in the mix, packets arriving from the Internet
to a particular port on the Linux router have DNAT applied so that they
pass transparently on to the internal web server; but, the answer packets
from the web server arrive back at the Linux router and do not necessarily
go out by the same gateway/provider by which they came in.

I suspect the fix is somehow to mark the port forwarded packets with
a flag indicating on which interface they arrived at the Linux router,
and then preserve this flag into the answer packets on the web server.
On the Linux router I can then make sure that appropriately flagged
answer packets go out the correct interface.

Am I on the right track here?

-- 
-IAN! Ian! D. Allen Ottawa, Ontario, Canada
EMail: idallen@idallen.ca WWW: http://www.idallen.com/
College professor via: http://teaching.idallen.com/
Board Member, TeleCommunities CANADA http://www.tc.ca/

From Peteris Krumins Sat Nov 1 20:32:32 2003
From: Peteris Krumins (Peteris Krumins)
Date: Sat, 1 Nov 2003 22:32:32 +0200
Subject: [LARTC] (simplified) Rate precision
Message-ID: <7544004006.20031101223232@lf.lv>

Hello gentlemen,

i wrote a few days ago but did not receive any answers.
I simplified the problem and even wrote a quick example which
demonstrates the inaccurate rate precision:

tc qdisc del dev eth0 root >/dev/null 2>&1
tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:101 htb rate 2048kbit
tc qdisc add dev eth0 parent 1:101 handle 101: sfq perturb 10
tc filter add dev eth0 protocol ip parent 1: prio 5 handle 101 fw flowid 1:101
iptables -A PREROUTING -t mangle --src -j MARK --set-mark 101

The example above should shape the speed to 2mbit (2048kbit)
but unfortunately the real speed is only 1920kbit..

The only solution I have found is to add the missing rate.

Linux 2.4.20 vanilla.

Any comments?
P.Krumins

From arny@ats.s.bawue.de Sat Nov 1 21:09:38 2003
From: arny@ats.s.bawue.de (Thilo Schulz)
Date: Sat, 1 Nov 2003 22:09:38 +0100
Subject: [LARTC] beta-release of H-FSC port for Linux 2.6
In-Reply-To: <3FA3C6F0.80409@trash.net>
References: <3FA3C6F0.80409@trash.net>
Message-ID: <200311012209.43373.arny@ats.s.bawue.de>

On Saturday 01 November 2003 15:45, Patrick McHardy wrote:
> So why would you want to use H-FSC .. you're right, a major
> feature of H-FSC is decoupling of bandwidth and delay, but it
> also offers delay _guarantees_ if configured correctly. This is
> very important for streaming, VoIP, .. (and gamers of course).

Exactly. I was able to shape the ping latency down from 2000 ms on large
uploads to 60-150 ms using HTB, this is good for ssh - but not good enough
for quake3.

-- 
 - Thilo Schulz

My public GnuPG key is available at http://home.bawue.de/~arny/public_key.asc

From Andreas.Klauer@metamorpher.de Mon Nov 3 00:37:26 2003
From: Andreas.Klauer@metamorpher.de (Andreas Klauer)
Date: Mon, 3 Nov 2003 01:37:26 +0100
Subject: [LARTC] (simplified) Rate precision
In-Reply-To: <7544004006.20031101223232@lf.lv>
References: <7544004006.20031101223232@lf.lv>
Message-ID: <200311030137.27183.Andreas.Klauer@metamorpher.de>

On Saturday 01 November 2003 21:32, Peteris Krumins wrote:
> i wrote a few days ago but did not receive any answers.

I did not receive/read this mail.

> The example above should shape the speed to 2mbit (2048kbit)
> but unfortunately the real speed is only 1920kbit..

How exactly do you measure the 'real speed'? The difference sounds much like
overhead of some sort that you're not accounting properly.
For example, when
using scp to copy files over the line, it would be normal to have lower
transfer rates than the actual line speed, because there's some kind of
handshake/encryption overhead with every package sent.

Regards,
Andreas Klauer

From damion@snapgear.com Mon Nov 3 00:23:49 2003
From: damion@snapgear.com (Damion de Soto)
Date: Mon, 03 Nov 2003 10:23:49 +1000
Subject: [LARTC] QoS / VoIP
References:
Message-ID: <3FA5A015.3080106@snapgear.com>

Hi Brian,

> Here is my situation. I have four remote offices, one connected by a
> wireless link, one connected by a regular T1 and two connected by frame.
> We have just switched PBX's and are now using VoIP phones instead of
> landlines. My problem is (obviously) with VoIP, the voice is getting
> choppy whenever there is high data transfers.
>
> My question is, for the office with a T1, should I put a QoS box on both
> ends? (One here at HQ, and one there?) Same with the frame? And
> correct me if I'm wrong, but I will need one at both ends for the
> wireless link.

It really depends where your bandwidth is getting used up.
QoS and traffic shaping works (best and easiest) on outbound traffic only, so
if you can determine which links are being flooded with (non VoIP) data
transfers, and then put a QoS box on the end sending the data, it may solve all
the problems.
If all the links are being flooded, then chances are you will need shaping at
each end - 5 QoS boxes.

Keep in mind, if you are using linux machines as any existing gateway/routers,
then you can probably just install the tc tools and do the shaping on them, in
their existing place in the network.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer email: damion@snapgear.com
SnapGear --- ph: +61 7 3435 2809 | Custom Embedded Solutions
fax: +61 7 3891 3630 | and Security Appliances
web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- Free Embedded Linux Distro at http://www.snapgear.org ---

From raz@zazone.net Sun Nov 2 17:31:44 2003
From: raz@zazone.net (raz@zazone.net)
Date: Sun, 2 Nov 2003 19:31:44 +0200 (EET)
Subject: [LARTC] new user
Message-ID: <1327.80.97.88.14.1067794304.squirrel@mail.zazone.net>

hi, everybody i'm razvan

From deff@sadomain.co.za Mon Nov 3 10:26:33 2003
From: deff@sadomain.co.za (ph4ke)
Date: Mon, 3 Nov 2003 10:26:33 +0000
Subject: [LARTC] New member
Message-ID: <200311031026.33306.deff@sadomain.co.za>

Hi All,

I'm new on the list and thought it somewhat appropriate to
divulge a little info about myself

Name: Cilliè
Country : South-Africa

I work for an ISP and we have been playing with tc/iptables/iproute
snort and a whole load of other stuff on and off for the past few months.

I have a small problem with tc that I struggle to find a solution for and was
wondering if someone would be so kind as to help with it.

I have successfully set up some queuing chains, classful and some
tbf's and sfq's but felt limited with the extent of tc's packet classifier.
So i thought that the FWMARK thing would be a great solution to the problem,
but unfortunately I can not get this to work.

Marking of the packets appears to be successful but tc's classifier
[ rule something like "fw handle 6" ] fails to pick up the marked packets
( if its all right if i explain this so crudely )

I have tried several different kernels, with the patches applied, and yet it
still seems to fail in this.

First was a patched RH 7.3 kernel ( 2.5.18-3 )
A redhat 9 kernel and a
gentoo linux kernel that had already been patched with [filter on fwmark]
and all the other relevant stuff.

All the relevant options are compiled in.

As i'm writing this a stock 2.4.20 kernel is also being compiled.

Could anyone please try and clarify for me why this does not work ( or what I
am 10 to 1 doing wrong ?)

I would really appreciate this

Best Regards,
Ciiliè

-- 
evil is the r00t of all windows boxes

From deff@sadomain.co.za Mon Nov 3 12:26:39 2003
From: deff@sadomain.co.za (ph4ke)
Date: Mon, 3 Nov 2003 12:26:39 +0000
Subject: [LARTC] New member
In-Reply-To: <011f01c3a1e9$6d3b7190$de0018ac@admin.monash.edu.my>
References: <011f01c3a1e9$6d3b7190$de0018ac@admin.monash.edu.my>
Message-ID: <200311031226.39984.deff@sadomain.co.za>

Hi Edmund

Thanks for responding so soon.

That works fine for shaping traffic that likes to talk on fixed ports, like
smtp of pop3, but really do much when you want to start limiting things like
outbound http or ftp traffic.

regards,
cilliè

On Monday 03 November 2003 09:04, you wrote:
> Cillie,
> I too have experience similar problems. I have since resorted to mark
> the IP addresses for the respective tc classifiers as such :
>
> tc filter add dev eth0 parent 1:0 protocol ip prio 7 u32 match ip src
> (IP address) classid 1:10
>
> This seem to work for me. By the way, im using a patched RH9 2.4.20-18.
> Iptables 1.2.8-9.
>
> Regards
> edmund

From eturner@monash.edu.my Mon Nov 3 10:35:28 2003
From: eturner@monash.edu.my (Edmund Turner)
Date: Mon, 3 Nov 2003 18:35:28 +0800
Subject: [LARTC] New member
In-Reply-To: <200311031226.39984.deff@sadomain.co.za>
Message-ID: <013f01c3a1f6$332a9000$de0018ac@admin.monash.edu.my>

Cillie,
I might be missing something here, but I do use this filter setup for
limiting outbound http and ftp traffic.

Regards
edmund

-----Original Message-----
From: ph4ke [mailto:deff@sadomain.co.za]
Sent: Monday, November 03, 2003 8:27 PM
To: eturner@monash.edu.my
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] New member

Hi Edmund

Thanks for responding so soon.

That works fine for shaping traffic that likes to talk on fixed ports, like
smtp of pop3, but really do much when you want to start limiting things like
outbound http or ftp traffic.

regards,
cilliè

On Monday 03 November 2003 09:04, you wrote:
> Cillie,
> I too have experience similar problems. I have since resorted to mark
> the IP addresses for the respective tc classifiers as such :
>
> tc filter add dev eth0 parent 1:0 protocol ip prio 7 u32 match ip src
> (IP address) classid 1:10
>
> This seem to work for me. By the way, im using a patched RH9 2.4.20-18.
> Iptables 1.2.8-9.
>
> Regards
> edmund

From deff@sadomain.co.za Mon Nov 3 13:14:23 2003
From: deff@sadomain.co.za (ph4ke)
Date: Mon, 3 Nov 2003 13:14:23 +0000
Subject: [LARTC] New member
In-Reply-To: <013f01c3a1f6$332a9000$de0018ac@admin.monash.edu.my>
References: <013f01c3a1f6$332a9000$de0018ac@admin.monash.edu.my>
Message-ID: <200311031314.23740.deff@sadomain.co.za>

Hi Edmund

OK, sorry 'bout that.

Say for example that I have a webserver and I only want that thing to push
512kbit out. The only way that I see that I would be able to limit this kind
of outbound traffic with the tc classifier is if I knew which ip's will be
visiting web-pages. If this was the situation I would be able to have a long
list of rules that all look something like

	.. u32 match ip src xxx.xxx.xxx.xx flowid 1:1

or something

Unfortunately there is about a few million possible ipv4 addresses that can
access the box if they really felt like it.

This problem could possibly be solved by having a rule like this :

	.. u32 match ip sport 80 match ip src (webserver) flowid whatever

But the real problem lies in limiting ftp, since ftp (at least the way i
thought it works. could be wrong. probably am)
just does the whole auth section on sport 20/21 and
the data transfer actually take place on a random 1024+ source port
and a random 1024+ destination port.

This would be perfectly solved with iptables marking because one
should be able to do something like

	--append PREROUTING -m state --state ESTABLISHED,RELATED --jump MARK --set-mark 1

{ please excuse the line wrapping }

thanks a lot for your time

cilliè

On Monday 03 November 2003 10:35, you wrote:
> Cillie,
> I might be missing something here, but I do use this filter setup for
> limiting outbound http and ftp traffic.
>
>
> Regards
> edmund

From Peteris Krumins Mon Nov 3 11:34:16 2003
From: Peteris Krumins (Peteris Krumins)
Date: Mon, 3 Nov 2003 13:34:16 +0200
Subject: Re[2]: [LARTC] (simplified) Rate precision
In-Reply-To: <200311030137.27183.Andreas.Klauer@metamorpher.de>
References: <7544004006.20031101223232@lf.lv> <200311030137.27183.Andreas.Klauer@metamorpher.de>
Message-ID: <6954255755.20031103133416@lf.lv>

Monday, November 3, 2003, 2:37:26 AM, you wrote:

AK> On Saturday 01 November 2003 21:32, Peteris Krumins wrote:
>> i wrote a few days ago but did not receive any answers.

AK> I did not receive/read this mail.

That one was about limits and data precision.

>> The example above should shape the speed to 2mbit (2048kbit)
>> but unfortunately the real speed is only 1920kbit..

AK> How exactly do you measure the 'real speed'? The difference sounds much like
AK> overhead of some sort that you're not accounting properly. For example, when
AK> using scp to copy files over the line, it would be normal to have lower
AK> transfer rates than the actual line speed, because there's some kind of
AK> handshake/encryption overhead with every package sent.

Via ftp.
If I perform the tests using tbf attached to a class then the rate is precise.

For example, if I measure rate of 256kbit using sfq and then tbf,
sfq is always wrong at (actual_rate/rate_set)

240kbit/256kbit = 0,9375 = 6,25%
1920kbit/2048kbit = 0,9375 = 6,25%

I performed several tests at different data rates and the inaccuracy
of 6,25 percent always remains.

P.Krumins

From raz@zazone.net Mon Nov 3 13:21:29 2003
From: raz@zazone.net (raz@zazone.net)
Date: Mon, 3 Nov 2003 15:21:29 +0200 (EET)
Subject: [LARTC] tc filter
Message-ID: <1063.80.97.88.115.1067865689.squirrel@mail.zazone.net>

hello
my name is razvan and I'm from Romania

my problem is kinda' stupid but I have tried all the possible ways of
getting things to work and it still seems i'm missing something, maybe you
can help me

problem:

i have a routing server, that is the gateway to the internet for a network
and a file server the same time
so I want to allocate 90Mbit for file sharing and the 10 mbit for internet
traffic where 80.97.88.16/28 would have only 64kbit of downlink and
80.97.88.0/24 the rest.

what I write is

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb default 20 r2q 100

tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit ceil 100mbit
tc class add dev eth0 parent 1: classid 1:2 htb rate 1mbit ceil 10mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 90mbit ceil 90mbit
tc class add dev eth0 parent 1:2 classid 1:20 htb rate 940kbit ceil 1mbit
tc class add dev eth0 parent 1:2 classid 1:21 htb rate 64kbit ceil 128kbit

tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 80.97.88.1 flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 80.97.85.3 flowid 1:10
tc filter add dev eth0 protocol ip parent 1:2 prio 1 u32 match ip dst 80.97.88.16/28 flowid 1:12

but tc -s -d class show dev eth0 tells me that nothing goes through 1:21

class htb 1:12 parent 1:2 prio 0 quantum 1000 rate 64Kbit ceil 128Kbit
burst 1680b/8 mpu 0b cburst 1762b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 168099 ctokens: 88149

I apologize for cutting and pasting so much text but I just want to make
the situation as clear as possible for someone that wants to help me

thanks
raz

From ganeshkumar@signal-networks.com Mon Nov 3 13:22:06 2003
From: ganeshkumar@signal-networks.com (Ganesh Kumar)
Date: Mon, 3 Nov 2003 18:52:06 +0530
Subject: [LARTC] MPC860 mailing lists
Message-ID: <015d01c3a20d$7c55d3e0$0c01a8c0@signet.local>

Hi all,

I'm working on MPC860 Power PC , I want to know whether any mailing lists or any user groups are available so that we can post our queries, right now I'm using Motorola's official support, but other than this any Internet mailing lists or user groups are available so that I can subscribe,

Do anybody know anything abt this pls do reply!!!!

Thanx in advance,
rgds,
Ganesh

From pulsar@bofh.homeunix.org Mon Nov 3 09:18:44 2003
From: pulsar@bofh.homeunix.org (Alexey Sheshka)
Date: Mon, 3 Nov 2003 11:18:44 +0200
Subject: [LARTC] beta-release of H-FSC port for Linux 2.6
In-Reply-To: <3FA3C6F0.80409@trash.net>
References: <3FA3C6F0.80409@trash.net>
Message-ID: <20031103111844.0f301993.pulsar@bofh.homeunix.org>

On Sat, 01 Nov 2003 15:45:04 +0100
Patrick McHardy wrote:

> Not sure what you mean with "competitors", I made this port for
> fun after happily discovering that the code was very nicely
> written (unlike the version mentioned in the paper). This should
> not be understood as dissatisfaction with HTB, I was perfectly
> happy with the entire time I used it.
>
> So why would you want to use H-FSC .. you're right, a major
> feature of H-FSC is decoupling of bandwidth and delay, but it
> also offers delay _guarantees_ if configured correctly. This is
> very important for streaming, VoIP, .. (and gamers of course).
> I don't know if my understanding of HTB's algorithm is correct,
> but it is basically a chained token bucket, so delay is directly
> coupled to bandwidth. Also I believe it always tries to dequeue
> "quantum" bytes at once so classes might go overlimits for a
> limited period of time. This hurts delay. On the other hand,
> HTB is more expressive due to priorities. So I'd say it basically
> comes down to expressiveness vs. delay guarantees. However
> I was able to convert my HTB config to something very similar
> with H-FSC despite using priorities with HTB.
>
> I hope that answers your question.
>
> Best regards,
> Patrick
>
>

Sounds interesting, but where I can find samples of hfsc usage ? I want to try my htb setup and hfsc.

-- 
PGP key : http://pgp.dtype.org:11371/pks/lookup?op=get&search=0x0BE90515

From sani@gorna.net Mon Nov 3 21:31:20 2003
From: sani@gorna.net (Todor Neshev)
Date: Mon, 3 Nov 2003 23:31:20 +0200
Subject: [LARTC] Iptables connbytes
Message-ID: <200311032331.20047.sani@gorna.net>

Hello,
Is it possible to mark packets from particular IP and if it downloads
over 100Kbytes, then it enters in CBQ shaper 32kbit/s for example ?
My kernel is 2.4.22.
If someone experimented with connection bytes patch please answer me.

Regards,
Todor Neshev

From eturner@monash.edu.my Tue Nov 4 03:54:34 2003
From: eturner@monash.edu.my (Edmund Turner)
Date: Tue, 4 Nov 2003 11:54:34 +0800
Subject: [LARTC] New member
In-Reply-To: <200311031314.23740.deff@sadomain.co.za>
Message-ID: <007701c3a287$628601e0$de0018ac@admin.monash.edu.my>

Cillie,
take this setup for example:

Web server IP = 192.168.1.2
1MB access to the internet.

Eth0 - LAN
Eth2 - External -- 1MB access to the internet.

tc qdisc add dev eth2 root handle 3: htb default 10
tc class add dev eth2 parent 3: classid 3:1 htb rate 1mbit
tc class add dev eth2 parent 3:1 classid 3:12 htb rate 400kbit ceil 400kbit prio 4
tc filter add dev eth2 parent 3:0 protocol ip prio 4 u32 match ip src 192.168.1.2 classid 3:12

I manage to limit all outbound traffic from 192.168.1.2 by putting a
filter for the src address of the web server on the external NIC.

This seems to work for me.

Regards
edmund

-----Original Message-----
From: ph4ke [mailto:deff@sadomain.co.za]
Sent: Monday, November 03, 2003 9:14 PM
To: eturner@monash.edu.my
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] New member

Hi Edmund

OK, sorry 'bout that.

Say for example that I have a webserver and I only want that thing to push
512kbit out. The only way that I see that I would be able to limit this kind
of outbound traffic with the tc classifier is if I knew which ip's will be
visiting web-pages. If this was the situation I would be able to have a long
list of rules that all look something like

.. u32 match ip src xxx.xxx.xxx.xx flowid 1:1

or something

Unfortunately there is about a few million possible ipv4 addresses that can
access the box if they really felt like it.

This problem could possibly be solved by having a rule like this :

.. u32 match ip sport 80 match ip src (webserver) flowid whatever

But the real problem lies in limiting ftp, since ftp (at least the way i
thought it works. could be wrong. probably am)
just does the whole auth section on sport 20/21 and
the data transfer actually take place on a random 1024+ source port
and a random 1024+ destination port.

This would be perfectly solved with iptables marking because one
should be able to do something like

--append PREROUTING -m state --state ESTABLISHED,RELATED --jump MARK --set-mark 1

{ please excuse the line wrapping }

thanks a lot for your time

cilliè

On Monday 03 November 2003 10:35, you wrote:
> Cillie,
> I might be missing something here, but I do use this filter setup for
> limiting outbound http and ftp traffic.
>
>
> Regards
> edmund

From util@deuroconsult.ro Tue Nov 4 05:43:04 2003
From: util@deuroconsult.ro (Catalin BOIE)
Date: Tue, 4 Nov 2003 07:43:04 +0200 (EET)
Subject: [LARTC] tc filter
In-Reply-To: <1063.80.97.88.115.1067865689.squirrel@mail.zazone.net>
References: <1063.80.97.88.115.1067865689.squirrel@mail.zazone.net>
Message-ID:

> what I write is
>
> tc qdisc del dev eth0 root
> tc qdisc add dev eth0 root handle 1: htb default 20 r2q 100
>
> tc class add dev eth0 parent 1: classid 1:1 htb rate 100mbit ceil 100mbit
> tc class add dev eth0 parent 1: classid 1:2 htb rate 1mbit ceil 10mbit
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 90mbit ceil 90mbit
> tc class add dev eth0 parent 1:2 classid 1:20 htb rate 940kbit ceil 1mbit
> tc class add dev eth0 parent 1:2 classid 1:21 htb rate 64kbit ceil 128kbit
>
> tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src
> 80.97.88.1 flowid 1:10
> tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src
> 80.97.85.3 flowid 1:10

Replace:
> tc filter add dev eth0 protocol ip parent 1:2 prio 1 u32 match ip dst
> 80.97.88.16/28 flowid 1:12

with:
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dst 80.97.88.16/28 flowid 1:21

Note that class 1:12 doesn't exist.

>
>
> but tc -s -d class show dev eth0 tells me that nothing goes through 1:21
>
> class htb 1:12 parent 1:2 prio 0 quantum 1000 rate 64Kbit ceil 128Kbit

Look, it's 1:12 above!
> burst 1680b/8 mpu 0b cburst 1762b/8 mpu 0b level 0 > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > lended: 0 borrowed: 0 giants: 0 > tokens: 168099 ctokens: 88149 > > I apologize for cutting and pasting so much text but I just want to make > the situation as clear as possible for someone that wants to help me > > thanks > raz > --- Catalin(ux) BOIE catab@deuroconsult.ro From lartc@gmb.ro Tue Nov 4 08:54:48 2003 From: lartc@gmb.ro (Cezar Atanasiu) Date: Tue, 04 Nov 2003 10:54:48 +0200 Subject: [LARTC] Iptables connbytes In-Reply-To: <200311032331.20047.sani@gorna.net> References: <200311032331.20047.sani@gorna.net> Message-ID: <1067936087.5660.6.camel@asgard.gmb.ro> On Mon, 2003-11-03 at 23:31, Todor Neshev wrote: > Hello, > Is it possible to mark packets from particular IP and if it downloads > over 100Kbytes, then it enters in CBQ shaper 32kbit/s for example ? > My kernel is 2.4.22. > If someone experimented with connection bytes patch please answer me. > I did, and I am running it since I saw it first announced on the list, and works really smooth ( ymmv ). I declare a download class and after that I mark the packets like this : $i -t mangle -A PREROUTING -m connbytes --connbytes 307200: -j MARK --set-mark 3 and then : $tc filter add dev $dev parent 1:0 protocol ip prio 1 handle 3 fw classid 1:30 this allows me to do dynamic shaping, shaping that keeps track of medium/large downloads and takes action when those are detected. hope it helps.
> Regards, > Todor Neshev -- Cezar ATANASIU GMB Computers Departamentul Internet Tel/fax: +40 241 619222/673199 From themel@iwoars.net Tue Nov 4 10:26:24 2003 From: themel@iwoars.net (Thomas Themel) Date: Tue, 4 Nov 2003 11:26:24 +0100 Subject: [LARTC] fwmark routing of locally generated packets In-Reply-To: <20031101103910.GJ3312@iwoars.net> References: <20031031233756.4405eb56.bb@L8R.net> <20031101103910.GJ3312@iwoars.net> Message-ID: <20031104102624.GB30148@iwoars.net> Hi, Thomas Themel (themel@iwoars.net) wrote on 2003-11-01: > # SNAT for outgoing packets > iptables -A POSTROUTING -t nat -o $PPP_IFACE --match mark --mark 0x03 -j SNAT --to-source $PPP_LOCAL I've been able to do away with the DNAT rule now. > # DNAT for incoming packets > iptables -t nat -A PREROUTING -i $PPP_IFACE -d $PPP_LOCAL -j DNAT --to-destination 192.168.1.1 I couldn't get it to work with just the SNAT rule originally (see original post, the SACKs would be ignored), but I've finally figured out why: I had enabled rp_filter on that machine. Quite obviously, enabling rp_filter in combination with policy routing is a bad idea. echo 0 > /proc/sys/net/ipv4/conf/$PPP_IFACE/rp_filter fixed it for me. I still think I shouldn't need the netfilter SNAT rule, but even enabling NAT with the routing rule (ip rule add fwmark 3 table aonc nat $PPP_REMOTE) doesn't seem to set the source address of the outgoing packets correctly. ciao, -- [*Thomas Themel*] "If we're not supposed to eat animals, how come [extended contact] they're made of meat?"
[info provided in] - Treat Carnivores Ethically, [*message header*] in the fuckedcompany.com forums From gomi@perezoso.net Tue Nov 4 10:29:08 2003 From: gomi@perezoso.net (GoMi) Date: Tue, 4 Nov 2003 11:29:08 +0100 Subject: [LARTC] Splitting connections between 2 different ADSL lines In-Reply-To: Message-ID: I was wondering this morning, why instead of having load balancing, use one ADSL router just for interactive traffic, and a second one just for p2p programs for example? Has anybody ever used this setup. Wouldn't NAT get crazy? Just a thought... From luciano@elo.com.br Tue Nov 4 14:02:21 2003 From: luciano@elo.com.br (Luciano Lima) Date: Tue, 04 Nov 2003 12:02:21 -0200 Subject: [LARTC] Limiting incoming and outgoing traffic Message-ID: <3FA7B16D.7030800@elo.com.br> Hi, I've read the wondershaper.htb script and realise that it only uses one device: ppp. I have no experience with htb, but I thought that we could only shape outgoing traffic for an interface. How could the script be written to limit incoming and outgoing traffic for the same interface ? Thanks.
Luciano Lima From kaber@trash.net Tue Nov 4 14:19:01 2003 From: kaber@trash.net (Patrick McHardy) Date: Tue, 04 Nov 2003 15:19:01 +0100 Subject: [LARTC] beta-release of H-FSC port for Linux 2.6 In-Reply-To: <20031103111844.0f301993.pulsar@bofh.homeunix.org> References: <3FA3C6F0.80409@trash.net> <20031103111844.0f301993.pulsar@bofh.homeunix.org> Message-ID: <3FA7B555.3040108@trash.net> Hi Alexey, Alexey Sheshka wrote: >Sound interesting, but where I can find samples of hfsc usage ? I want to try my htb setup and hfsc. > > > There is no documentation yet. Since H-FSC is currently approaching stability I will concentrate on this in the next time. If you don't like to wait that long I can also send you the script I use to shape my DSL connection. Best regards, Patrick From raptor@tvskat.net Tue Nov 4 13:09:11 2003 From: raptor@tvskat.net (raptor) Date: Tue, 4 Nov 2003 15:09:11 +0200 Subject: [LARTC] Problems with tcng and gentoo In-Reply-To: References: Message-ID: <20031104150911.7a9d0916.raptor@tvskat.net> Here is an .ebuild I'm just making for gentoo... Not fully tested yet, but compilation goes fine and install on my test computer.(look below). As I finish it I will give it to werner to include the .ebuild into the tcng itself... (tcsim is not compiled ) copy it to net-misc, make digest and emerge.. hth On Thu, 30 Oct 2003 10:46:47 +0100 "Wouter Coppens" wrote: > Hey, > > I installed tcng on gentoo, but I always got the error: > Could not run/locate "tcc" > > tcc is installed in /sbin. > > I read somewhere that you need a little patch to get tcng running on > gentoo, but I can't find the patch. > > Can somebody help me? > > Thanks in advance, > > Wouter > ==============================.ebuild================= # Copyright 1999-2002 Gentoo Technologies, Inc. 
# Distributed under the terms of the GNU General Public License v2 # $Header: $ #made by raptor DESCRIPTION="Traffic control Next Generation.Higher level than tc" HOMEPAGE="http://tcng.sourceforge.net" SRC_URI="http://tcng.sourceforge.net/dist/${P}.tar.gz" LICENSE="" SLOT="0" KEYWORDS="x86" # - additional packages needed after "make immaculate": # transfig (fig2dev), wget DEPEND=">=virtual/linux-sources-2.4.19 >=perl-5.6.1 >=iproute-20010824-r2 >=gnuplot-3.7.1-r3 >=binutils-2.13.90.0.4 >=gcc-3.2-r4 >=make-3.80 >=flex-2.5.4a >=yacc-1.9.1-r1 >=grep-2.5-r1 >=sed-4.0.1 >=gawk-3.1.1-r1 >=textutils-2.1 >=fileutils-4.1.11 >=sh-utils-2.0.15 >=tetex-1.0.7-r12 " #>=LaTeX #>=dvips S=${WORKDIR}/tcng src_compile() { #first put iproute sources in tcism #if tcism is to be compiled. we dont do that #create /var/tmp/portage/tcng-xxx/image/usr&bin in advance #so that configure doesnt complain that it doesnt exists dodir /usr/bin #I'm using 2.4.22 so i had to handle it somehow :") perl -pi -e 's/,2.4.21/2.4.21,2.4.22/' configure # perl -pi -e 's|#!/bin/sh|#!/bin/sh\nTCNG_INSTALL_CWD=/usr|' ./scripts/localize.sh ./configure --no-tcsim \ --install-directory ${D}usr emake || die # echo # einfo "Now will run tcng test suite.....\n\n" # sleep 3 # make test } src_install() { dodir /usr/bin #For localization.sh to work corectly #TCNG INSTALL/TOPDIR has to be /usr, instead of /var/tmp/portage/tcng-xx/image/usr... TCNG_INSTALL_CWD=/usr einstall } From stef.coene@docum.org Tue Nov 4 18:17:23 2003 From: stef.coene@docum.org (Stef Coene) Date: Tue, 4 Nov 2003 19:17:23 +0100 Subject: [LARTC] Limiting incoming and outgoing traffic In-Reply-To: <3FA7B16D.7030800@elo.com.br> References: <3FA7B16D.7030800@elo.com.br> Message-ID: <200311041917.23327.stef.coene@docum.org> On Tuesday 04 November 2003 15:02, Luciano Lima wrote: > Hi, > > I've read the wondershaper.htb script and realise that it only uses one > device: ppp. 
> > I have no experience with htb, but I thought that we could only shape > outgoing traffic for an interface. > How could the script be written to limit incoming and outgoing traffic > for the same interface ? You said it right. You can only shape outgoing traffic, but you can limit incoming and outgoing traffic. So limiting is not shaping. For instance, you can limit the incoming traffic from 1 host. Only limiting. You can not say (at least not easy), "if there is other bandwidth left, the host can use all of it, but it has throttle down to 40% if there is other traffic.". The latter is shaping and can only be done on outgoing traffic. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From gomi@perezoso.net Tue Nov 4 23:23:06 2003 From: gomi@perezoso.net (GoMi) Date: Wed, 5 Nov 2003 00:23:06 +0100 Subject: [LARTC] Load balancing and Hight disponibility, but when a link fails, the whole thing stops working In-Reply-To: <200311041917.23327.stef.coene@docum.org> Message-ID: Hi there, I have a setup based on high disponibility and load balancing, and when any of the adsl lines stops working, the kernel does not recognize that the route is down, and my clients only get access to the internet if they are luckily NATed through the other ADSL. I have the script running every minute pinging both ADSL's, but it does not work. ANYONE?
From alisson-empresas-seguranca@mt4.com.br Wed Nov 5 00:59:23 2003 From: alisson-empresas-seguranca@mt4.com.br (alisson-empresas-seguranca@mt4.com.br) Date: Tue, 4 Nov 2003 22:59:23 -0200 Subject: [LARTC] Two uplink provides with debian ( woody ) - problem to insert route in a table Message-ID: <20031105005923.4648.qmail@hm47.locaweb.com.br> Hello, I'm trying to configure iproute2 with two providers in a Load balancing configuration according to "Linux Advanced Routing & Traffic Control HOWTO". I'm working with two links: - static ip (adsl link - 256Kbps) - dynamic ip (512kbps). In my RedHat 7.2 everything works well, but in my debian (woody) something wrong is going on. First I have to create two tables, one for each provider. That's ok, but when I try to add a route to one of these tables, it goes to main table. # ip route add default via $P1 table T1 looks OK, but the route goes to table main # ip route add default via $P2 table T2 NOK, because it goes to table main too, not to table T2. Any clues??? Thanks in advance, From sebastian@aresca.com.ar Wed Nov 5 04:23:07 2003 From: sebastian@aresca.com.ar (Sebastian A. Aresca) Date: Wed, 5 Nov 2003 01:23:07 -0300 Subject: [LARTC] Two uplink provides with debian ( woody ) - problem to insert route in a table References: <20031105005923.4648.qmail@hm47.locaweb.com.br> Message-ID: <002c01c3a354$83ad9f40$0400a8c0@wkswindowsxp> Try this ip route $P1 default scope global nexthop via 10.129.30.1 dev eth0 weight 1 \ nexthop via 10.129.31.1 dev eth1 weight 1 > Hello, > > I'm trying to configure iproute2 with two providers in a Load balancing configuration according to "Linux Advanced Routing & Traffic Control HOWTO". > > I'm working with two links: > - static ip (adsl link - 256Kbps) > - dynamic ip (512kbps).
> > In my RedHat 7.2 everything works well, but in my debian (woody) something wrong is going on. First I have to create two tables, one for each provider. That's ok, but when I try to add a route to one of these tables, it goes to main table. > > # ip route add default via $P1 table T1 > looks OK, but the route goes to table main > > # ip route add default via $P2 table T2 > NOK, because it goes to table main too, not to table T2. > > Any clues??? > > Thanks in advance, > From vadiraj@deeproot.co.in Wed Nov 5 06:07:29 2003 From: vadiraj@deeproot.co.in (Vadiraj C S) Date: Wed, 5 Nov 2003 11:37:29 +0530 (IST) Subject: [LARTC] Load balancing and Hight disponibility, but when a link fails, the whole thing stops working In-Reply-To: Message-ID: Hi, On Wed, 5 Nov 2003, GoMi wrote: > > Hi there, I have a setup based on high disponibility and load balancing, and when any of the adsl lines stops working, the kernel does not recognize that the route is down, and my clients only get access to the internet if they are luckily NATed through the other ADSL. I have the script running every minute pinging both ADSL's, but it does not work. ANYONE? You must be doing only load balancing. If you want the kernel to detect the dead gateway and make the link switch over, you need to have Julian's dead gateway detection patch. That should solve your problem. If you are already using it then you need to flush the cache for the switch over. In your ping script flush the cache at regular intervals or at every link failure.
regards Vadiraj C S From themel@iwoars.net Wed Nov 5 10:05:59 2003 From: themel@iwoars.net (Thomas Themel) Date: Wed, 5 Nov 2003 11:05:59 +0100 Subject: [LARTC] Two uplink provides with debian ( woody ) - problem to insert route in a table In-Reply-To: <20031105005923.4648.qmail@hm47.locaweb.com.br> References: <20031105005923.4648.qmail@hm47.locaweb.com.br> Message-ID: <20031105100559.GF30148@iwoars.net> Hi, alisson-empresas-seguranca@mt4.com.br wrote on 2003-11-05: > In my HedHat 7.2 everything works well, but in my debian (woody) > something wrong is going on. First I have to create two tables, one > for each provider. That's ok, but when I try to add an route to one of > these tables, it goes to main table. It sounds stupid, I know, but it happened to me before: Do you have duplicate numeric ids in /etc/iproute2/rt_tables? ciao, -- [*Thomas Themel*] [...] this quickly escalated into a Holy War with Emacs [extended contact] users on one side and Jeep Wrangler drivers on the other. [info provided in] It was hard to tell but I think Emacs came out as the better [*message header*] utility vehicle. - Casey West From carles@pymag.com Wed Nov 5 10:16:17 2003 From: carles@pymag.com (=?iso-8859-1?Q?Carles_Torres_Nu=F1ez?=) Date: Wed, 5 Nov 2003 11:16:17 +0100 Subject: [LARTC] Triple IP Routing Message-ID: Creando un nuevo acceso a Internet me ha surgido una duda, os explico mi situacion. Tengo una red de PCs en el rango 200.0.0.x Un Linux que hace de Router con IP 200.0.0.254 (eth0) Este Linux tiene 2 tarjetas mas: IP 10.0.0.2 (eth1) IP 10.0.0.4 (eth2) Estas dos van cada una a un Hub diferente donde esta conectado en cada uno un router con direcciones 10.0.0.1 y 10.0.0.3 respectivamente. Relizo un enrutamiento por IP de destino, asi todo el trafico que va hacia la IP del servidor de mail la paso por un router y el resto va por el otro (conexiones a Internet ludicas). 
-> "route add mail.server.es gw 10.0.0.3" Ahora necesito ampliar el acceso a Internet de algunos nodos en concreto, tengo un nuevo router ADSL listo, pero esta vez quiero seleccionar por la IP de origen de los paquetes, no por la de destino de estos. ¿Alguien sabe como puedo hacer esto? Muchas gracias Carlos Torres From dante@tvnet.hu Wed Nov 5 10:28:51 2003 From: dante@tvnet.hu (Debreczeni Peter) Date: Wed, 05 Nov 2003 11:28:51 +0100 Subject: [LARTC] Triple IP Routing In-Reply-To: References: Message-ID: <3FA8D0E3.1010905@tvnet.hu> hmmmmm en is tudok mindenfele erdekes nyelveken irogatni de ugy az isten se ert meg ... English pliz! Carles Torres Nuñez wrote: > Creando un nuevo acceso a Internet me ha surgido una duda, os explico > mi situacion. > > Tengo una red de PCs en el rango 200.0.0.x > Un Linux que hace de Router con IP 200.0.0.254 (eth0) > Este Linux tiene 2 tarjetas mas: > IP 10.0.0.2 (eth1) > IP 10.0.0.4 (eth2) > Estas dos van cada una a un Hub diferente donde esta conectado en cada > uno un router con direcciones 10.0.0.1 y 10.0.0.3 respectivamente. > > Relizo un enrutamiento por IP de destino, asi todo el trafico que va > hacia la IP del servidor de mail la paso por un router y el resto va > por el otro (conexiones a Internet ludicas). > > -> "route add mail.server.es gw 10.0.0.3" > > Ahora necesito ampliar el acceso a Internet de algunos nodos en > concreto, tengo un nuevo router ADSL listo, pero esta vez quiero > seleccionar por la IP de origen de los paquetes, no por la de destino > de estos. > > ¿Alguien sabe como puedo hacer esto? 
> > Muchas gracias > > Carlos Torres From carles@pymag.com Wed Nov 5 11:47:01 2003 From: carles@pymag.com (Carles Torres Nuñez) Date: Wed, 5 Nov 2003 12:47:01 +0100 Subject: [LARTC] Triple IP Routing Message-ID: Creating a new Internet access I got a question, I tell my situation. I have a PCs network in 200.0.0.x range A Linux machine doing routing on IP 200.0.0.254 (eth0) This Linux has 2 ethernet cards more: IP 10.0.0.2 (eth1) IP 10.0.0.4 (eth2) These two lan cards go to two different hubs, where there are two different routers connected, with IPs 10.0.0.1 and 10.0.0.3 respectively. I'm routing by target IP, in this way all the traffic going to the mail server goes thru one router, while remainder traffic goes by the other, that means every connection to "non business internet" access. -> "route add mail.server.es gw 10.0.0.3" Now I need to increase Internet bandwidth only to some nodes, then I have an ADSL router ready and connected to the hub, that means I must discriminate packets by source IP, but not by destination IP to go thru this router. Does someone know how to do this? Thanks, Carlos Torres From alex_spam@distinctgroup.net Wed Nov 5 11:38:42 2003 From: alex_spam@distinctgroup.net (Alexandru Coseru) Date: Wed, 5 Nov 2003 13:38:42 +0200 Subject: [LARTC] HTB with both fwmark and IP Message-ID: <006b01c3a391$5d255920$87618ac1@alex2> Hello.. How can I specify a class for htb based on a fwmark and user ip ? For instance: I have some routes marked with fwmark and they are very-high speed connections... But only to some IP's..
For the rest , I must limit the user to 64Kbits Now , how can I limit the high speed connections ? I must create a rule and take in account both fwmark and IP ? To be more specific , I want to limit the user 10.0.0.1 to 1Mbit for the routes marked with fwmark 1 (those are taken from zebra) The rules I have now are: tc filter add dev eth0 protocol ip parent 1:0 prio 2 u32 match ip dst 10.0.0.1/32 flowid 1:20 tc filter add dev eth0 parent 1:0 prio 99 protocol ip handle 2 fw flowid 1:99 I've tried this: class: 1:20 - 64 kbit class 1:99 - 100Mbit class 1:30 - 1 Mbit tc filter add dev eth0 protocol ip parent 1:0 prio 2 u32 match ip dst 10.0.0.1/32 protocol ip handle 2 fw flowid 1:30 but it failed.. Anybody can help me ? Thanks Alex
From lartc@tww.cx Wed Nov 5 12:34:20 2003 From: lartc@tww.cx (Thomas Worthington) Date: Wed, 05 Nov 2003 12:34:20 -0000 Subject: [LARTC] Does -j TOS actually do anything? Message-ID: <1068035661_3095.message@tww.cx> Very simple setup: I have several machines, one of which (192.168.0.198) is used exclusively as a vnc client to a remote site. I want it to get priority over guff like email and web etc. tc qdisc add dev eth1 root handle 1: prio tc qdisc add dev eth1 parent 1:1 handle 10: pfifo tc qdisc add dev eth1 parent 1:2 handle 20: pfifo tc qdisc add dev eth1 parent 1:3 handle 30: pfifo iptables -t mangle -I OUTPUT -p icmp -s 192.168.0.198 -j TOS --set-tos 16 Effect: zero. All the vnc traffic from x.198 goes into 1:2. I've tried all the tables (PREROUTE etc) to no avail. I even tried applying the TOS change to ALL traffic bound for eth1 (the outside line) and still saw no change in the queuing despite tcpdump showing that the tos bits were being set. Why does this not work? It seems as if the priority is being set before iptables' mangle rules are applied. Thomas Worthington -- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/ From lartc@tww.cx Wed Nov 5 14:03:22 2003 From: lartc@tww.cx (Thomas Worthington) Date: Wed, 05 Nov 2003 14:03:22 -0000 Subject: [LARTC] Does -j TOS actually do anything?
In-Reply-To: <1068035661_3095.message@tww.cx> References: <1068035661_3095.message@tww.cx> Message-ID: <1068041003_3328.message@tww.cx> On Wed, 05 Nov 2003 12:34:20 -0000, Thomas Worthington wrote: > > iptables -t mangle -I OUTPUT -p icmp -s 192.168.0.198 -j TOS --set-tos 16 Sorry, that line crept in from one of the experimental setups: it should of course be: iptables -t mangle -I OUTPUT -s 192.168.0.198 -j TOS --set-tos 16 TWW From terminus@iespana.es Wed Nov 5 10:52:11 2003 From: terminus@iespana.es (Marcelo) Date: Wed, 5 Nov 2003 11:52:11 +0100 Subject: [LARTC] Re: dead onlink In-Reply-To: <200310291754.54002.terminus@iespana.es> References: <200310291754.54002.terminus@iespana.es> Message-ID: <200311051152.11416.terminus@iespana.es> Hello people: I've implemented the script for load balancing of "Linux Advanced Routing & Traffic Control HowTo" on this structure: ------------------linux gateway (subnet 1) ! linux router ------------------intranet (subnet 2) ! ------------------linux gateway2 (subnet 3) ! ------------------intranet (subnet 4) and I've a question: When I run the next command : "ip route" I get the following information: -------------- 192.168.0.32/27 dev eth0 proto kernel scope link src 192.168.0.33 192.168.0.96/27 dev eth2 proto kernel scope link src 192.168.0.97 192.168.0.64/27 dev eth1 proto kernel scope link src 192.168.0.65 192.168.0.128/27 dev eth3 proto kernel scope link src 192.168.0.129 127.0.0.0/8 dev lo scope link default nexthop via 192.168.0.126 dev eth2 weight 1 dead onlink nexthop via 192.168.0.61 dev eth0 weight 1 ----------------------------- Is the part of "dead onlink" normal? This message is always there but the 192.168.0.126 gateway is online. Do I need Julian's dead gateway detection patch? Thanks in advance. Marcelo.
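The `dead` flag in the `ip route` output quoted above can be read by a script and combined with the advice given earlier in this thread to flush the route cache from the ping script when a link fails. The following is an added example, not code from any poster or from the LARTC HOWTO; the function names, the state-file path and the sample routing text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The commands are overridable so the
# logic can be exercised without touching a live routing table.
PING_CMD=${PING_CMD:-ping}
IP_CMD=${IP_CMD:-ip}
STATE_FILE=${STATE_FILE:-/var/run/uplink-state}   # assumed path

# Constructed sample, modelled on the `ip route` output quoted above.
SAMPLE_ROUTES='192.168.0.32/27 dev eth0 proto kernel scope link src 192.168.0.33
192.168.0.96/27 dev eth2 proto kernel scope link src 192.168.0.97
default
    nexthop via 192.168.0.126 dev eth2 weight 1 dead onlink
    nexthop via 192.168.0.61 dev eth0 weight 1'

# list_nexthops: read `ip route` text on stdin and print one line per gateway
# of every default route: "<gateway> <dev> <alive|dead>". It works token by
# token, so it accepts the indented layout and a single flattened line alike.
list_nexthops() {
    awk '
        function emit() {
            if (gw != "") print gw, dev, state
            gw = ""; dev = ""; state = "alive"
        }
        BEGIN { state = "alive" }
        {
            c = substr($0, 1, 1)
            top = (c != "" && c != " " && c != "\t")   # unindented line = new route
        }
        top { emit(); in_def = ($1 == "default") }
        in_def {
            for (i = 1; i <= NF; i++) {
                if ($i == "nexthop")   { emit() }
                else if ($i == "via")  { gw = $(i + 1) }
                else if ($i == "dev")  { dev = $(i + 1) }
                else if ($i == "dead") { state = "dead" }
            }
        }
        END { emit() }
    '
}

# dead_nexthops: gateways the kernel currently flags as dead.
dead_nexthops() {
    list_nexthops | awk '$3 == "dead" { print $1 }'
}

# probe_uplinks: read list_nexthops output on stdin, ping every gateway through
# its own interface and print "<gateway> <dev> up|down".
probe_uplinks() {
    while read -r gw dev _flag; do
        if $PING_CMD -c 2 -W 2 -I "$dev" "$gw" </dev/null >/dev/null 2>&1; then
            echo "$gw $dev up"
        else
            echo "$gw $dev down"
        fi
    done
}

# watch_once: compare this probe with the previous one (kept in STATE_FILE) and
# flush the routing cache only when an uplink changed state, so cached routes
# through a failed gateway are dropped at every link failure or recovery.
watch_once() {
    new=$($IP_CMD route show | list_nexthops | probe_uplinks)
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    printf '%s\n' "$new" > "$STATE_FILE"
    if [ "$new" != "$old" ]; then
        $IP_CMD route flush cache
        echo changed
    else
        echo unchanged
    fi
}

# Cron entry point: run the script with --run once a minute.
if [ "${1:-}" = "--run" ]; then
    watch_once
fi
```

Pinging the gateway address only verifies the first hop; a line can fail beyond the ADSL router while the router itself still answers.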
From gaston@steel.com.ar Wed Nov 5 16:10:56 2003 From: gaston@steel.com.ar (gaston) Date: Wed, 05 Nov 2003 13:10:56 -0300 Subject: [LARTC] HTB syslog messages Message-ID: How can I disable htb syslog messages in the console? From slavov@optisprint.net Wed Nov 5 20:02:31 2003 From: slavov@optisprint.net (Emil Slavov) Date: Wed, 5 Nov 2003 22:02:31 +0200 (EET) Subject: [LARTC] Pririoritze and shape particular IPs over other without shaping Message-ID: <1793.10.1.24.22.1068062551.squirrel@webmail.optisprint.net> I am trying to solve the following problem. My connection is 1 Mbit. I have several IPs from a couple of class C networks that must be prioritized (but shaped to defined speed ), over remaining IPs that will have low priority but must be able to use and share maximum bandwidth when available from these several prioritized IPs. From stef.coene@docum.org Wed Nov 5 20:12:03 2003 From: stef.coene@docum.org (Stef Coene) Date: Wed, 5 Nov 2003 21:12:03 +0100 Subject: [LARTC] HTB syslog messages In-Reply-To: References: Message-ID: <200311052112.03986.stef.coene@docum.org> On Wednesday 05 November 2003 17:10, gaston wrote: > How can I disable htb syslog messages in the console? It depends on the message. Sometimes there is an error in the htb setup. Or you have to change the htb source code to remove the print lines. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From stef.coene@docum.org Wed Nov 5 20:11:10 2003 From: stef.coene@docum.org (Stef Coene) Date: Wed, 5 Nov 2003 21:11:10 +0100 Subject: [LARTC] Does -j TOS actually do anything?
In-Reply-To: <1068041003_3328.message@tww.cx> References: <1068035661_3095.message@tww.cx> <1068041003_3328.message@tww.cx> Message-ID: <200311052111.10368.stef.coene@docum.org> On Wednesday 05 November 2003 15:03, Thomas Worthington wrote: > On Wed, 05 Nov 2003 12:34:20 -0000, Thomas Worthington > > wrote: > > iptables -t mangle -I OUTPUT -p icmp -s 192.168.0.198 -j TOS --set-tos 16 > > Sorry, that line crept in from one of the experimental setups: it should > of course be: > > iptables -t mangle -I OUTPUT -s 192.168.0.198 -j TOS --set-tos 16 What's the output of iptables -L -v -n -t mangle Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From lartc@tww.cx Wed Nov 5 21:26:31 2003 From: lartc@tww.cx (Thomas Worthington) Date: Wed, 05 Nov 2003 21:26:31 -0000 Subject: [LARTC] Does -j TOS actually do anything? In-Reply-To: <200311052111.10368.stef.coene@docum.org> References: <1068035661_3095.message@tww.cx> <1068041003_3328.message@tww.cx> <200311052111.10368.stef.coene@docum.org> Message-ID: <1068067592_4695.message@tww.cx> On Wed, 5 Nov 2003 21:11:10 +0100, Stef Coene wrote: > What's the output of > iptables -L -v -n -t mangle > > Stef > Currently: Chain PREROUTING (policy ACCEPT 6088 packets, 2069K bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 1134 packets, 116K bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 4954 packets, 1953K bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 805 packets, 97871 bytes) pkts bytes target prot opt in out source destination 0 0 TOS all -- * * 192.168.0.198 0.0.0.0/0 TOS set 0x10 Chain POSTROUTING (policy ACCEPT 5759 packets, 2051K bytes) pkts bytes target prot opt in out source destination Thomas -- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/ From gomi@perezoso.net Wed Nov 5 21:49:41 2003 From: gomi@perezoso.net (GoMi) 
Date: Wed, 5 Nov 2003 22:49:41 +0100 Subject: [LARTC] Shaping p2p programs In-Reply-To: <200311052111.10368.stef.coene@docum.org> Message-ID: Hi there, I am going to explain my setup to you and post my scripts in case they are of any help to anybody :) This mail is a little long, but I think the only way you can understand me is by writing you my whole code.. 1.- I have two ADSL connections connected through ethernet cards eth0 and eth1 to the routers -Both ADSL are 2Mbit downstream / 300kbit upstream -eth2 goes to my 200 users LAN. 2.- I am doing load balancing (that works great) 3.- I have a mail and web server redirected to eth0's ADSL. 4.- My QoS setup attached to eth0 and eth1 1 Qdisc for high-priority traffic (mark 1) 1 Qdisc for low-priority traffic (mark 2) 1 Qdisc for SYN,ACK traffic (mark 3) 1 Qdisc for ICMP traffic (mark 4) 1 Qdisc for Web-server traffic (mark 5) ->Scripts below 5.- Since I am doing load balancing I have a stateful firewall as explained in Nano HOWTO ->Firewall scripts below 6.- Use the mangle table to mark packets and redirect them to the Qdisc Let me explain my reasoning: I want to mark interactive traffic like HTTP,SMTP,etc to mark 1 Mark DNS traffic and MSN Messenger(dport 1863) to interactive High priority mark 1 Mark p2p programs with the ipp2p module to mark p2p programs to mark 2 (dport 1214 is Imesh) In order to make sure ACKS and SYN traffic is going out properly I have a special qdisc If any traffic is unmarked, mark it as low-priority ->Mangle setup below ---->PROBLEM: The problem comes after having this setup running for an hour or so, when interactive traffic has VERY HIGH latency, or nearly dies. Anybody having more or less a similar setup, because I am going mad here! Any suggestions are welcome :) Thank you very much!!!!! My BOX is an athlon 900MHz with 1GB ram: cat /proc/sys/net/ipv4/ip_conntrack_max 57336 txqueuelen on all eth cards is 100.
----> SCRIPTS

IPTABLES MANGLE Table

iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 4
iptables -t mangle -A POSTROUTING -p udp --dport 53 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -p udp -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -m string --string 'KazaaClient' -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp --dport 0:1024 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -p tcp --dport 1214 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp --dport 1863 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,ACK,RST SYN -j MARK --set-mark 3
iptables -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -j chkack
iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j MARK --set-mark 2

Script for QoS attached to eth0

#!/bin/bash
DEV=eth0
tc qdisc add dev ${DEV} handle 1: root htb default 10
tc class add dev ${DEV} parent 1:1 classid 1:1 htb rate 250kbit
######################################
## Interactive traffic
tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 250kbit
tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10
#######################################
# Non Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 50kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20
########################################
## SYN,ACK Traffic
tc class add dev ${DEV} parent 1:1 classid 1:30 htb rate 45kbit ceil 250kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:30 handle 30: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 3 fw flowid 1:30
########################################
## ICMP Traffic
tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40
########################################
## Web-Server Traffic
tc class add dev ${DEV} parent 1:1 classid 1:50 htb rate 50kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:50 handle 50: esfq hash dst perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 5 fw flowid 1:50

Script for QoS attached to eth1

#!/bin/bash
DEV=eth1
tc qdisc add dev ${DEV} handle 1: root htb default 10
tc class add dev ${DEV} parent 1:1 classid 1:1 htb rate 250kbit
########################################
## Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:10 htb rate 100kbit ceil 250kbit
tc qdisc add dev ${DEV} parent 1:10 handle 10: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 1 fw flowid 1:10
#######################################
# Non Interactive Traffic
tc class add dev ${DEV} parent 1:1 classid 1:20 htb rate 100kbit ceil 200kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:20 handle 20: esfq perturb 10 depth 15
tc filter add dev ${DEV} protocol ip parent 1:0 handle 2 fw flowid 1:20
########################################
## SYN,ACK Traffic
tc class add dev ${DEV} parent 1:1 classid 1:30 htb rate 50kbit ceil 250kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:30 handle 30: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 3 fw flowid 1:30
#tc filter add dev ${DEV} parent 1:0 protocol ip u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u8 0x34 0xff at 3 match u8 0x10 0xff at 33 flowid 1:30
########################################
## ICMP Traffic
tc class add dev ${DEV} parent 1:1 classid 1:40 htb rate 5kbit quantum 1500
tc qdisc add dev ${DEV} parent 1:40 handle 40: pfifo
tc filter add dev ${DEV} protocol ip parent 1:0 handle 4 fw flowid 1:40

Firewall setup

####################################################
## Stateful Firewall ##
## ##
iptables -t filter -N keep_state
iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A keep_state -j RETURN
iptables -t nat -N keep_state
iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A keep_state -j RETURN
iptables -t nat -A PREROUTING -j keep_state
iptables -t nat -A POSTROUTING -j keep_state
iptables -t nat -A OUTPUT -j keep_state
iptables -t filter -A INPUT -j keep_state
iptables -t filter -A OUTPUT -j keep_state
iptables -t filter -A FORWARD -j keep_state
iptables -t filter -A FORWARD -p tcp --dport 4661:4662 -j DROP
iptables -t filter -A FORWARD -p udp --dport 4661:4662 -j DROP
iptables -t filter -A FORWARD -p udp --dport 1663 -j DROP
iptables -t filter -A FORWARD -p udp --dport 4665 -j DROP
iptables -t filter -A FORWARD -p tcp --dport 4665 -j DROP

From kaber@trash.net Wed Nov 5 22:25:38 2003
From: kaber@trash.net (Patrick McHardy)
Date: Wed, 05 Nov 2003 23:25:38 +0100
Subject: [LARTC] Does -j TOS actually do anything?
In-Reply-To: <1068035661_3095.message@tww.cx>
References: <1068035661_3095.message@tww.cx>
Message-ID: <3FA978E2.5040307@trash.net>

Where did you get the information that setting TOS with netfilter would affect prio classification ? From what I can see in the source, prio classifies by skb->priority which only inherits a value from tos field during the forwarding process. I can recall skb->priority also being affected by setsockopt(IP_TOS) (besides SO_PRIORITY) but not by simply setting the tos field in the ip header.

Best regards,
Patrick

BTW: the netfilter CLASSIFY target from 2.6 or netfilter patch-o-matic can set skb->priority which is what you need.

Thomas Worthington wrote:

> Very simple setup: I have several machines, one of which
> (192.168.0.198) is used exclusively as a vnc client to a remote site.
> I want it to get priority over guff like email and web etc.
>
> tc qdisc add dev eth1 root handle 1: prio
> tc qdisc add dev eth1 parent 1:1 handle 10: pfifo
> tc qdisc add dev eth1 parent 1:2 handle 20: pfifo
> tc qdisc add dev eth1 parent 1:3 handle 30: pfifo
>
> iptables -t mangle -I OUTPUT -p icmp -s 192.168.0.198 -j TOS --set-tos 16
>
> Effect: zero. All the vnc traffic from x.198 goes into 1:2.
>
> I've tried all the tables (PREROUTE etc) to no avail. I even tried
> applying the TOS change to ALL traffic bound for eth1 (the outside
> line) and still saw no change in the queuing despite tcpdump showing
> that the tos bits were being set.
>
> Why does this not work? It seems as if the priority is being set
> before iptables' mangle rules are applied.
> > Thomas Worthington > From ja@ssi.bg Thu Nov 6 05:53:18 2003 From: ja@ssi.bg (Julian Anastasov) Date: Thu, 6 Nov 2003 07:53:18 +0200 (EET) Subject: [LARTC] Re: dead onlink In-Reply-To: <200311051152.11416.terminus@iespana.es> Message-ID: Hello, On Wed, 5 Nov 2003, Marcelo wrote: > default > nexthop via 192.168.0.126 dev eth2 weight 1 dead onlink > nexthop via 192.168.0.61 dev eth0 weight 1 > ----------------------------- > > Is normal the part of "dead onlink" ? No, you need the latest 'ip' utility from iproute2: ftp://ftp.inr.ac.ru/ip-routing/iproute2-2.4.7-now-ss020116-try.tar.gz > This message is always there but the 192.168.0.126 gateway is online. > Do I need the Julian's dead gateway detection patch?. Not for this problem > Thanks in advance. > > Marcelo. Regards -- Julian Anastasov From yusufg@outblaze.com Thu Nov 6 05:59:58 2003 From: yusufg@outblaze.com (Yusuf Goolamabbas) Date: Thu, 6 Nov 2003 13:59:58 +0800 Subject: [LARTC] Bandwith limiting each host within a NAT'ed multi-homed environment Message-ID: <20031106055958.GB13626@outblaze.com> Hi, I currently have a NAT box with 3 WAN links and one internal link. On the internal link, I have different subnets (192.168.{2,3,5}) assigned via MAC addresses Each subnet is routed to an appropiate WAN link via iptables marking and 'ip rules'. Thanks to the LARTC howto for this. Now, I would like to limit each host within the subnet 192.168.2.0/24 to (let's say) 600kb uplink Do I need to create one class per ip ? or is there a way via the 'u32 divisor' mechanism to do this Regards, Yusuf -- If you're not using Firebird, you're not surfing the web you're suffering it http://www.mozilla.org/products/firebird/why/ From wa@almesberger.net Thu Nov 6 07:18:31 2003 From: wa@almesberger.net (Werner Almesberger) Date: Thu, 6 Nov 2003 04:18:31 -0300 Subject: [LARTC] tcng version 9g Message-ID: <20031106041831.A26055@almesberger.net> ... 
is on SourceForge: http://tcng.sourceforge.net/dist/tcng-9g.tar.gz md5sum 63ef58e3d3c2cf5298524fb174168681 See also http://tcng.sourceforge.net/ Yes, it's been an eternity since the last release, sorry. I'm obviously having too much fun with umlsim :-) This one starts a round of catch-up releases by fixing a few minor bugs. The next release will add compatibility with more recent 2.4 kernels (of course, tcc should also work on 2.5/2.6), and then there will be one with some new stuff I've accumulated. The complete list of changes is below. - Werner ----------------------------------- CHANGES ----------------------------------- Version 9g (6-NOV-2003) ----------------------- - tcsim leaked memory for variable names (fixed by Dimitry Ketov) - tcsim now frees commands after execution (based on a patch by Dimitry Ketov) - tcsim -c freed command variables on each access (tests/tcng-9g) - scripts/runtests.sh: the -c option had no effect and was not mentioned in the usage - changed "tree color meter" to "three color meter" in documentation (fixed by Martin A. Brown) -- _________________________________________________________________________ / Werner Almesberger, Buenos Aires, Argentina wa@almesberger.net / /_http://www.almesberger.net/____________________________________________/ From gypsy@iswest.com Thu Nov 6 07:59:18 2003 From: gypsy@iswest.com (gypsy) Date: Wed, 05 Nov 2003 23:59:18 -0800 Subject: [LARTC] HTB syslog messages References: Message-ID: <3FA9FF56.F3C36B1F@iswest.com> gaston wrote: > > How can I disable htb syslog messages in the console? 
Apply the patch htb_killdbg_{KERNEL_VERSION}.diff gypsy From gypsy@iswest.com Thu Nov 6 07:56:54 2003 From: gypsy@iswest.com (gypsy) Date: Wed, 05 Nov 2003 23:56:54 -0800 Subject: [LARTC] Re: dead onlink References: <200310291754.54002.terminus@iespana.es> <200311051152.11416.terminus@iespana.es> Message-ID: <3FA9FEC6.798C04B0@iswest.com> Marcelo wrote: > default > nexthop via 192.168.0.126 dev eth2 weight 1 dead onlink > nexthop via 192.168.0.61 dev eth0 weight 1 > > Is normal the part of "dead onlink" ? No, it is not normal. I don't know what "onlink" means, but "dead" means just what you fear it means; eth2 has been set dead by the kernel. It could be a routing issue or it could be your firewall, or possibly the NIC is telling the kernel something bad? You really need to run # ip route list table eth2 # ip route list table eth0 # ip route list table main to see what is going on. And assure that when only eth2 is up that you can surf (perhaps unplug the WAN wire on eth0?). > This message is always there but the 192.168.0.126 gateway is online. Are you 100% sure it is online? I have NEVER seen "dead" unless it was true. I _have_ been able to send/receive on a different (wrong) interface while one interface was dead. (I have 3 ISPs) > Do I need the Julian's dead gateway detection patch?. Well, whether you "need" it or not, I strongly recommend you apply it. You might also want to use # ip route add default equalize scope global nexthop via BLAH BLAH... rather than # ip route add default scope global nexthop via BLAH BLAH... If you run a kernel version 2.4.22 you will need to tweak Julian's patch (I could only find a patch for 2.4.20); if you want my tweaked version (2.4.22) you can FTP it from andthatsjazz.net/pub/linux/. And I use KeepState (see nano.txt), though I have NO CLUE why it is A Good Thing . I do not ping from inside though. I run a dgd ping from outside; when the ping fails I scp a flag file to the multilink setup that triggers a flush there. 
> Thanks in advance.
>
> Marcelo.

gypsy

From deff@sadomain.co.za Thu Nov 6 10:19:08 2003
From: deff@sadomain.co.za (ph4ke)
Date: Thu, 6 Nov 2003 10:19:08 +0000
Subject: [LARTC] Finally got FWMARK to work
Message-ID: <200311061019.08189.deff@sadomain.co.za>

Hi List,

Only signed up recently and posted the problem that we had with FWMARK. Got it solved, so if anyone has the same problem, maybe this could help:

The problem with the (redhat) 2.4.20 kernel was that when doing ethernet bridging, packets seemed to bypass iptables rules, thus no marking occurs. Apparently there is a patch available to allow firewalling on the bridge but I didn't bother to use it. Funny thing is that the kernel that comes with RH 7.3 actually does let bridged packets be filtered by iptables.

We finally opted for the 2.6.0-test1 kernel and everything is working fine now. Iptables is marking the bridged packets, and tc is queuing them as the filters dictate.

Just thought I'd share that.

For limiting the ftp-outgoing involved a little of iptables sorcery. See, the problem is that we want to limit outgoing ftp to a particular ip range, but the ftp server actually sits on a webserver as well. So I tried these rules to mark the packets, looks like it's working fine. If there is a better way to accomplish this, please let me know, cause I'm sure this isn't the best way:

target prot opt source destination
MARK tcp -- 100.200.100.10 xxx.xxx.xxx.xxx state RELATED,ESTABLISHED MARK set 0x1 ## ftp marking rule
MARK tcp -- anywhere anywhere tcp spt:http MARK set 0xa
MARK udp -- anywhere anywhere udp spt:http MARK set 0xa

0x1 goes to the htb class where we limit the traffic
0xa just goes to an htb class with a sfq qdisc attached to it
Everything else also goes to the sfq by default

So this works fine. FTP downloads from the limited range are limited nicely, and uploads of "new" files from that range are fast, just like it should be.

The only thing is that when you upload from the range and overwrite files on the ftp server, it gets limited just like if you were doing a download. This is extremely odd to me and if anyone has any ideas of why this might happen please give me a shout.

Regards,
Cilliè

From lartc@tww.cx Thu Nov 6 08:54:22 2003
From: lartc@tww.cx (Thomas Worthington)
Date: Thu, 06 Nov 2003 08:54:22 -0000
Subject: [LARTC] Does -j TOS actually do anything?
In-Reply-To: <3FA978E2.5040307@trash.net>
References: <1068035661_3095.message@tww.cx> <3FA978E2.5040307@trash.net>
Message-ID: <1068108863_6086.message@tww.cx>

On Wed, 05 Nov 2003 23:25:38 +0100, Patrick McHardy wrote:

> Where did you get the information that setting TOS with
> netfilter would affect prio classification ? From what
> I can see in the source, prio classifies by skb->priority
> which only inherits a value from tos field during the
> forwarding process. I can recall skb->priority also
> being affected by setsockopt(IP_TOS) (besides SO_PRIORITY)
> but not by simply setting the tos field in the ip header.

Well, it just seemed obvious. One man's "obvious" being another's "bloody stupid idea", of course. Since prio is all based on tos bits it seems logical that changing those bits would have some effect. I was partly just asking the simple question: are the TOS bits used to prioritise before netfilter gets its hand on them? The answer, from what you say, seems to be "yes". It seems a shame since it's such an elegant and intuitive way to do simple shaping of this sort

>
> Best regards,
> Patrick
>
> BTW: the netfilter CLASSIFY target from 2.6 or netfilter
> patch-o-matic can set skb->priority which is what you need.

This is for active duty so I'll not be running 2.6 until someone tells me it's stable...
Thanks, Thomas > Thomas Worthington wrote: > >> Very simple setup: I have several machines, one of which >> (192.168.0.198) is used exclusively as a vnc client to a remote site. I >> want it to get priority over guff like email and web etc. >> >> tc qdisc add dev eth1 root handle 1: prio >> tc qdisc add dev eth1 parent 1:1 handle 10: pfifo >> tc qdisc add dev eth1 parent 1:2 handle 20: pfifo >> tc qdisc add dev eth1 parent 1:3 handle 30: pfifo >> >> iptables -t mangle -I OUTPUT -p icmp -s 192.168.0.198 -j TOS --set-tos >> 16 >> >> Effect: zero. All the vnc traffic from x.198 goes into 1:2. >> >> I've tried all the tables (PREROUTE etc) to no avail. I even tried >> applying the TOS change to ALL traffice bound for eth1 (the outside >> line) and still saw no change in the queuing despite tcpdump showing >> that the tos bits were being set. >> >> Why does this not work? It seems as if the priority is being set before >> iptables' mangle rules are applied. >> >> Thomas Worthington >> > > -- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/ From cord@keppler.vrg.de Thu Nov 6 14:06:56 2003 From: cord@keppler.vrg.de (Cord Buhlert) Date: Thu, 6 Nov 2003 15:06:56 +0100 Subject: [LARTC] classify incominf traffic Message-ID: <20031106140656.GA18046@keppler.vrg.de> Hi, is it possible to treat incoming traffic different according to eg port numbers or source addresses? is there a way to setuop some filters that for example prefer incoming mail to incoming http? i've seen that simply limiting bandwith fer certain kinds of traffic is possible - but that wastes a lot of bandwidth if one kind of traffic isn't present at a time, not allowing the other traffic use that unused bandwidth, doesn't it? Is there a way to optimize that? 
thanks for reply cb From Andre Correa Thu Nov 6 13:48:55 2003 From: Andre Correa (Andre Correa) Date: Thu, 6 Nov 2003 11:48:55 -0200 Subject: [LARTC] Looking to default class traffic Message-ID: <1313902818.20031106114855@pobox.com> Hi people from LARTC, this is my first post to this list, but I've being using linux traffic shapping with HTB for almost an year. My box is just doing traffic shapping with HTB for =~ 7Mbps (1200pkts/sec). Since yesterday I've noticed too many packets going through the default class that is small and got a lot of backlogs. I could not figure out what is this traffic, so I would like to ask if is there a way to "look" at this traffic. Having =~ 1200pkts per second doesn't let me simply open a tcpdump and "look arround". Is there a way to "redirect" this traffic to an iptables rule that then would QUEUE it to userspace? How do you guys use to do it? tks a lot for your attention and any information... Andre Correa andre.correa@pobox.com From payal-lartc@staticky.com Thu Nov 6 15:10:40 2003 From: payal-lartc@staticky.com (Payal Rathod) Date: Thu, 6 Nov 2003 20:40:40 +0530 Subject: [LARTC] routing query again Message-ID: <20031106151040.GA1585@linux.local> Hi, I have a small routing query again. Same question but asking in simple language. Can I use, route add -net default gw 192.168.10.1 route add -net default gw 192.168.10.2 Where 192.168.10.1 and 192.168.10.2 are internal IPs of two different ISPs routers. And assume that random routing is enabled? I would like to mention that this time both default IPs are internal IPs connected to external world. I am not still clear on real use of multiple default gateways, so please excuse. With warm regards, -Payal -- "Visit GNU/Linux Success Stories" http://payal.staticky.com Guest-Book Section Updated. 
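The classification rule Patrick McHardy describes in the "Does -j TOS actually do anything?" thread in this archive can be modelled offline. This is an added example, not code from any poster or from the kernel source: the two tables are the ones used by current mainline kernels (assumed here to match the 2.4 kernels discussed), and all function names are hypothetical.

```python
"""Model of how a prio qdisc picks a class from skb->priority (added example)."""
from dataclasses import dataclass, replace

# ip_tos2prio as in current mainline kernels (assumption for 2.4):
# index is (tos & 0x1E) >> 1, values are TC_PRIO_* numbers.
IP_TOS2PRIO = [0, 0, 0, 0,   # best effort
               2, 2, 2, 2,   # bulk
               6, 6, 6, 6,   # interactive
               4, 4, 4, 4]   # interactive bulk

# Default priomap of prio/pfifo_fast: skb->priority (0..15) -> band (0..2).
DEFAULT_PRIOMAP = [1, 2, 2, 2, 1, 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1]


@dataclass(frozen=True)
class Packet:
    tos: int        # TOS byte in the IP header (what tcpdump shows)
    priority: int   # skb->priority (what prio actually reads)


def tos_to_priority(tos):
    """Kernel mapping from a TOS byte to a TC_PRIO_* value."""
    return IP_TOS2PRIO[(tos & 0x1E) >> 1]


def local_packet(ip_tos=None, so_priority=None):
    """Locally generated packet: priority comes from the socket, default 0."""
    tos = ip_tos or 0
    if so_priority is not None:      # setsockopt(SOL_SOCKET, SO_PRIORITY)
        return Packet(tos, so_priority)
    if ip_tos is not None:           # setsockopt(IPPROTO_IP, IP_TOS)
        return Packet(tos, tos_to_priority(tos))
    return Packet(0, 0)


def forwarded_packet(tos):
    """Forwarded packet: priority is derived from the TOS seen at forwarding."""
    return Packet(tos, tos_to_priority(tos))


def mangle_set_tos(pkt, tos):
    """-j TOS --set-tos: rewrites the header only, skb->priority is untouched."""
    return replace(pkt, tos=tos)


def classify(pkt, major, minor):
    """-j CLASSIFY --set-class major:minor: writes skb->priority directly."""
    return replace(pkt, priority=(major << 16) | minor)


def prio_class(pkt, qdisc_major=1, bands=3, priomap=DEFAULT_PRIOMAP):
    """Class chosen by a prio qdisc that has no tc filters attached."""
    major, minor = pkt.priority >> 16, pkt.priority & 0xFFFF
    if major == qdisc_major:         # priority is a classid of this qdisc
        band = minor - 1
        if not 0 <= band < bands:    # out of range falls back to priomap[0]
            band = priomap[0]
    else:
        prio = 0 if major else pkt.priority
        band = priomap[prio & 0xF]
    return f"{qdisc_major}:{band + 1}"


def demo():
    """The cases from the thread, keyed by how the packet was produced."""
    plain = local_packet()
    return {
        "local, defaults": prio_class(plain),
        "local, mangle --set-tos 16": prio_class(mangle_set_tos(plain, 0x10)),
        "local, setsockopt(IP_TOS, 0x10)": prio_class(local_packet(ip_tos=0x10)),
        "local, SO_PRIORITY 6": prio_class(local_packet(so_priority=6)),
        "forwarded, TOS 0x10": prio_class(forwarded_packet(0x10)),
        "forwarded, TOS 0x08": prio_class(forwarded_packet(0x08)),
        "local, CLASSIFY --set-class 1:1": prio_class(classify(plain, 1, 1)),
    }


if __name__ == "__main__":
    for how, cls in demo().items():
        print(f"{how:34s} -> {cls}")
```

The second row reproduces the symptom reported in the thread: the header carries TOS 0x10, yet the packet still lands in 1:2 because skb->priority is still 0.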
From grupis@doctornet.com.br Thu Nov 6 15:10:14 2003 From: grupis@doctornet.com.br (Rodrigo Gruppelli) Date: Thu, 6 Nov 2003 13:10:14 -0200 Subject: [LARTC] 2 adsl links (same P-t-P) on the same machine Message-ID: <20031106131014.66e43c2e.grupis@doctornet.com.br> Hi... I have 2 ADSL lines (ppp0 and ppp1) on the same machine, and at first moment, I just want to make them both ping correctly from the internet. I already setup 2 links on the same machine, following the item 4.2.1 (split access) of the LARTC-HOWTO. I guess it was one dial-up link and one ADSL. But now, I have two ADSL lines, both from the same provider, and both lines use the same P-t-P peer. I guess this is why I can't make work this dual link stuff... What should I do? ppp0 Link encap:Point-to-Point Protocol inet addr:200.163.173.xxx P-t-P:200.180.128.228 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:9178 Metric:1 RX packets:1083 errors:0 dropped:0 overruns:0 frame:0 TX packets:978 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:287476 (280.7 KiB) TX bytes:80139 (78.2 KiB) ppp1 Link encap:Point-to-Point Protocol inet addr:200.163.187.xxx P-t-P:200.180.128.228 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:9178 Metric:1 RX packets:14 errors:0 dropped:0 overruns:0 frame:0 TX packets:5 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:568 (568.0 b) TX bytes:61 (61.0 b) Thanks in advance Rodrigo From martin_villarreal@hotmail.com Thu Nov 6 20:21:01 2003 From: martin_villarreal@hotmail.com (Martin Villarreal) Date: Thu, 06 Nov 2003 17:21:01 -0300 Subject: [LARTC] 2 ADSL links with same P-t-P address !! Message-ID: Hi List... I cant share 2 adsl links in a Nat Box for 30 machines, the idea is balancing the load of that 30 machines between 2 adsl links, I tried whit several how to's including the LARTC How to and nothing work.... 
I think that the P-t-P can be the problem, actually I'm using only 1 ADSL for this problem (ppp0) Somebody can tell me what's wrong? or what to do step by step? Some info... 30 Machines from 192.168.1.100 to 192.168.1.130. -------- eth0 (no ip) ----------------- ADSL1 | Linux Box ----- eth1 (no ip) ----------------- ADSL2 | -------- eth2 (192.168.1.100) ----------------- To Local Lan (192.168.1.0/24). Here is my actual iptables rule... any suggestion with tho ppp devices? I must appy 15 rules for one adsl link and 15 rules for the other adsl link? iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0/0 -o ppp0 -j MASQUERADE eth0 Link encap:Ethernet HWaddr 00:04:75:C1:12:9B UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 eth1 Link encap:Ethernet HWaddr 00:04:75:C1:12:8A UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 eth2 Link encap:Ethernet HWaddr 00:04:75:C1:11:3B inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0 ppp0 Link encap:Point-to-Point Protocol inet addr:168.226.152.62 P-t-P:192.168.96.239 Mask:255.255.255.255 ppp1 Link encap:Point-to-Point Protocol inet addr:200.63.152.109 P-t-P:192.168.96.239 Mask:255.255.255.255 Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 200.32.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 200.32.3.1 0.0.0.0 UG 1 0 0 eth0 192.168.96.239 dev ppp0 proto kernel scope link src 168.226.152.62 192.168.96.239 dev ppp1 proto kernel scope link src 200.63.152.109 192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.100 127.0.0.0/8 dev lo scope link default via 192.168.96.239 dev ppp0 Thats alll.... Thanks List .... Martin.... 
=)

From terminus@iespana.es Thu Nov 6 20:23:23 2003
From: terminus@iespana.es (Marcelo)
Date: Thu, 6 Nov 2003 17:23:23 -0300
Subject: [LARTC] Tanks Julian and gypsy
In-Reply-To: <3FA9FEC6.798C04B0@iswest.com>
References: <200310291754.54002.terminus@iespana.es> <200311051152.11416.terminus@iespana.es> <3FA9FEC6.798C04B0@iswest.com>
Message-ID: <200311061723.23131.terminus@iespana.es>

Julian and Gypsy:

Thank you very much for your advice. I haven't tested it yet, but I'll try.

Best regards.

From alex_spam@distinctgroup.net Thu Nov 6 20:51:49 2003
From: alex_spam@distinctgroup.net (Alexandru Coseru)
Date: Thu, 6 Nov 2003 22:51:49 +0200
Subject: [LARTC] fwmark and u32
Message-ID: <00fe01c3a4a7$cc7836f0$87618ac1@alex2>

Hello..

How can I specify a class for htb based on a fwmark and user ip ?

For instance:

I have some routes marked with fwmark and they are very-high speed connections... But only to some IP's..
For the rest, I must limit the user to 64Kbits

Now, how can I limit the high speed connections ?
I must create a rule and take in account both fwmark and IP ?
To be more specific, I want to limit the user 10.0.0.1 to 1Mbit for the routes marked with fwmark 1 (those are taken from zebra)

The rules I have now are:

tc filter add dev eth0 protocol ip parent 1:0 prio 2 u32 match ip dst 10.0.0.1/32 flowid 1:20
tc filter add dev eth0 parent 1:0 prio 99 protocol ip handle 2 fw flowid 1:99

I've tried this:

class: 1:20 - 64 kbit
class 1:99 - 100Mbit
class 1:30 - 1 Mbit

tc filter add dev eth0 protocol ip parent 1:0 prio 2 u32 match ip dst 10.0.0.1/32 protocol ip handle 2 fw flowid 1:30

but it failed..

Anybody can help me ?

Thanks
Alex
From stef.coene@docum.org Thu Nov 6 21:47:06 2003
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 6 Nov 2003 22:47:06 +0100
Subject: [LARTC] Does -j TOS actually do anything?
In-Reply-To: <1068067592_4695.message@tww.cx>
References: <1068035661_3095.message@tww.cx> <200311052111.10368.stef.coene@docum.org> <1068067592_4695.message@tww.cx>
Message-ID: <200311062247.06673.stef.coene@docum.org>

On Wednesday 05 November 2003 22:26, Thomas Worthington wrote:
> Chain OUTPUT (policy ACCEPT 805 packets, 97871 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 TOS all -- * * 192.168.0.198
> 0.0.0.0/0 TOS set 0x10
None of the packets are matched by the iptables rule.
Are you sure you have to do this in OUTPUT? See:
http://www.docum.org/stef.coene/qos/kptd/
If you are trying this on a router, try to change the tos in POSTROUTING.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From lartc@tww.cx Thu Nov 6 22:34:42 2003
From: lartc@tww.cx (Thomas Worthington)
Date: Thu, 06 Nov 2003 22:34:42 -0000
Subject: [LARTC] Does -j TOS actually do anything?
In-Reply-To: <200311062247.06673.stef.coene@docum.org>
References: <1068035661_3095.message@tww.cx> <200311052111.10368.stef.coene@docum.org> <1068067592_4695.message@tww.cx> <200311062247.06673.stef.coene@docum.org>
Message-ID: <1068158083_7976.message@tww.cx>

On Thu, 6 Nov 2003 22:47:06 +0100, Stef Coene wrote:

> On Wednesday 05 November 2003 22:26, Thomas Worthington wrote:
>> Chain OUTPUT (policy ACCEPT 805 packets, 97871 bytes)
>> pkts bytes target prot opt in out source
>> destination
>> 0 0 TOS all -- * * 192.168.0.198
>> 0.0.0.0/0 TOS set 0x10
> None of the packets are matched by the iptables rule.
> Are you sure you have to do this in OUTPUT? See:
> http://www.docum.org/stef.coene/qos/kptd/
> If you are trying this on a router, try to change the tos in POSTROUTING.
>
> Stef
>

I tried all five tables! It appears that I was simply misguided: setting TOS does indeed have no effect as it happens after the priority has been set; a different filter is needed.

I'm leaving the list now as it seems to be a great way to instantly sign up for tons of spam (as you can imagine, this is the only thing that I've ever used this email address for and after only two days it's become a spam magnet).

Thanks to everyone that helped; I'll try some of the other methods.

Thomas Worthington

From wa@almesberger.net Fri Nov 7 03:20:47 2003
From: wa@almesberger.net (Werner Almesberger)
Date: Fri, 7 Nov 2003 00:20:47 -0300
Subject: [LARTC] tcng version 9h
Message-ID: <20031107002047.A3502@almesberger.net>

... is on SourceForge:
http://tcng.sourceforge.net/dist/tcng-9h.tar.gz
md5sum 9b7c520f92b312a5a00da12bad35f57d

See also http://tcng.sourceforge.net/

This release upgrades to the current 2.4 kernels, fixes a few minor glitches in the build system, and adds the options --no-manual and --with-manual to configure, so that tcng can be built without the documentation (also, configure uses --no-manual if it can't find latex or dvips).

The complete list of changes is below.
- Werner ----------------------------------- CHANGES ----------------------------------- Version 9h (7-NOV-2003) ----------------------- - tcc/ext/Makefile: dependencies now only include .c files compiled in that directory, removing a warning when building RPMs - split tcsim/Makefile into Makefile.unclean and Makefile.clean to avoid rebuilding klib and ulib when cleaning up after configuration changes - configure is compatible with 2.4.22 and 2.4.23 (pre-release, tested with 2.4.23-pre9) - setup.klib generates linux/smp.h needed for 2.4.22 - tcsim/trace.c and tcsim/modules/sch_discard.c adjust ..._drop prototype for interface change in 2.4.22 - setup.klib clears LANG before using sed on [^ -~] - setup.klib adds "err" and "error_report" members to "struct sock" in af_netlink.c (for 2.4.23) - updated kernel version example in tcng/README from 2.4.21 to 2.4.22 - configure: added options --no-manual and --with-manual (abbreviations -m and -M) to allow building tcng with or without the documentation (suggested by "raptor") - configure: automatically assumes --no-manual if either latex or dvips is not in the PATH -- _________________________________________________________________________ / Werner Almesberger, Buenos Aires, Argentina wa@almesberger.net / /_http://www.almesberger.net/____________________________________________/ From su_raj_in@yahoo.com Fri Nov 7 14:47:48 2003 From: su_raj_in@yahoo.com (Suraj Shankar) Date: Fri, 7 Nov 2003 06:47:48 -0800 (PST) Subject: [LARTC] Understanding the U32 filter. Message-ID: <20031107144748.69587.qmail@web20006.mail.yahoo.com> Hi, I am trying to understand filters. 
1) Under the U32 section of the lartc howto there is an example (to match ACKs on packets smaller than 64 bytes): # tc filter add dev ppp14 parent 1:0 protocol ip prio 10 u32 \ match ip protocol 6 0xff \ match u8 0x05 0x0f at 0 \ match u16 0x0000 0xffc0 at 2 \ match u8 0x10 0xff at 33 \ flowid 1:3 The howto says 'the filter above does only work on 32 bit systems', can someone tell me why this is so? 2) Doesn't U32 only mean 32 bits are read at one time? 3) Also a 'match tcp dport 53 0xffff' also needs a 'match ip protocol 0x6 0xff' for differentiating between tcp and udp. Why is this so? The first match phrase uses the words "match tcp dport ..." so in the kernel memory shouldn't a equivalent entry be there; then why do I need a second protocol match rule? Thank you. Regards, suraj. __________________________________ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree From gregoriandres@yahoo.com.ar Fri Nov 7 15:27:25 2003 From: gregoriandres@yahoo.com.ar (ThE PhP_KiD) Date: Fri, 7 Nov 2003 12:27:25 -0300 Subject: [LARTC] limiting p2p Message-ID: Hi List ! I'm trying excelent module ipt_p2p from Filipe Almeida in a Linux Box with several connections, in order to block p2p traffic with next rule: iptables -L -t filter -m ipt_p2p -j DROP And results was that the traffic have been reduced from 1,3 mb to 0,85 mb !!! Excelent !! how ever, I've noted that after two days running, that Linux Box (RH 7,2 updated - Kernel 2.4.22 - iptables 1.2.8 with String and ConnMark modules, Pentium 4, 1.8 Mhz, 256 Mgbytes RAM, and 3c509 eth0, eth1 and eth2), begins to drop others packets and a simple ping look like this: # ping 192.168.210.3 (by example) PING 192.168.210.3 (192.168.210.3) from 192.168.210.254 : 56(84) bytes of data. 
64 bytes from 192.168.210.3: icmp_seq=0 ttl=64 time=499 usec ping: sendto: Operation not permitted ping: sendto: Operation not permitted ping: sendto: Operation not permitted 64 bytes from 192.168.210.3: icmp_seq=1 ttl=64 time=478 usec ping: sendto: Operation not permitted ping: sendto: Operation not permitted 64 bytes from 192.168.210.3: icmp_seq=2 ttl=64 time=489 usec ping: sendto: Operation not permitted ping: sendto: Operation not permitted ping: sendto: Operation not permitted Next, the only way to fix this was making a REBOOT. I've heared similar problems (not with ipt_p2p), and some one say that next could be works: (in a cron job) echo -n "Unloading modules.." rmmod -a lsmod |grep "ipt_\|ip_\|iptable" |cut -f1 -d\ |xargs rmmod 2>/dev/null &&\ echo "Done!" || echo "failed!" and some other suggest that I could try a: "iptables clear" and regenerate IP Tables >From Man: > ping sendto: operation not permitted sendto(2) system call failed with errno EPERM, operation not permitted => reason is in the local firewall rules, chain OUTPUT. Otherwise the sendto(2) would have succeeded, and the error would come in an ICMP error packet. Have you a clue of this ? Thank you. Best Regards. Andres. From Pierre Castella" > Hi, > > I have tried and make the ultime traffic conditionner, but it was > catastrophic. I've a 600/200 cable connection, on the interface eth0, and I > have tried to put these numbers in the script, but the ping was really bad > and the bandwidth was only 350 kbps approximately. After that I have tried a > lot of other numbers combination, which didn't work worse. What can the > problem be? I have used both versions of the script (HTB and the other one). > I am running a mandrake 9.1 on a Pentium 2. > > Waiting for an illumination or pieces of advice. 
> > Thank you > > Pierre > From stmaria@dei.uc.pt Fri Nov 7 17:34:45 2003 From: stmaria@dei.uc.pt (Maria Joana Urbano) Date: Fri, 7 Nov 2003 17:34:45 +0000 (WET) Subject: [LARTC] TBF tunning Message-ID: Hi all, I am trying to tune tbf qdisc. My upstream configuration is as follows: tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit tc class add dev $DEV parent 1:0 classid 1:1 cbq rate ${UP_RATE}kbit \ allot 1500 prio 5 bounded tc qdisc add dev $DEV parent 1:1 handle 10: tbf rate ${UP_RATE}kbit \ burst $BURST limit $LIMIT mtu $MTU tc filter add dev $DEV parent 1:0 protocol ip prio 18 u323 match ip \ dst 0.0.0.0/0 flowid 1:1 I tried several combinations of BURST (from 10KB until there is no pkt drops at tbf) and LIMIT values (corresponding to latencies of 40ms, 70ms and 140ms). MTU is set to 1500, the MTU of the link. I tested this configuration with several combinations of TCP flows and UDP flows (seperately). However, the best value I got for throughput was about 90% of UP_RATE. My question is: is it possible to get better results with tbf, with throughput values closer to UP_RATE? And what should be changed in the script above to get it better? Thanks, Joana From stef.coene@docum.org Fri Nov 7 18:05:28 2003 From: stef.coene@docum.org (Stef Coene) Date: Fri, 7 Nov 2003 19:05:28 +0100 Subject: [LARTC] TBF tunning In-Reply-To: References: Message-ID: <200311071905.28607.stef.coene@docum.org> On Friday 07 November 2003 18:34, Maria Joana Urbano wrote: > Hi all, > > I am trying to tune tbf qdisc. 
My upstream configuration is as follows: > > tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit > tc class add dev $DEV parent 1:0 classid 1:1 cbq rate ${UP_RATE}kbit \ > allot 1500 prio 5 bounded > tc qdisc add dev $DEV parent 1:1 handle 10: tbf rate ${UP_RATE}kbit \ > burst $BURST limit $LIMIT mtu $MTU > tc filter add dev $DEV parent 1:0 protocol ip prio 18 u323 match ip \ > dst 0.0.0.0/0 flowid 1:1 > > I tried several combinations of BURST (from 10KB until there is no pkt > drops at tbf) and LIMIT values (corresponding to latencies of 40ms, 70ms > and 140ms). MTU is set to 1500, the MTU of the link. I tested this > configuration with several combinations of TCP flows and UDP flows > (seperately). However, the best value I got for throughput was about 90% > of UP_RATE. > > My question is: is it possible to get better results with tbf, with > throughput values closer to UP_RATE? And what should be changed in the > script above to get it better? You don't need a tbf qdisc if you have a bounded class. The traffic is already bounded by the cbq class. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From stef.coene@docum.org Fri Nov 7 18:11:51 2003 From: stef.coene@docum.org (Stef Coene) Date: Fri, 7 Nov 2003 19:11:51 +0100 Subject: [LARTC] classify incominf traffic In-Reply-To: <20031106140656.GA18046@keppler.vrg.de> References: <20031106140656.GA18046@keppler.vrg.de> Message-ID: <200311071911.51846.stef.coene@docum.org> On Thursday 06 November 2003 15:06, Cord Buhlert wrote: > Hi, > is it possible to treat incoming traffic different according to eg port > numbers or source addresses? is there a way to setuop some filters that > for example prefer incoming mail to incoming http? 
> > i've seen that simply limiting bandwith fer certain kinds of traffic is > possible - but that wastes a lot of bandwidth if one kind of traffic > isn't present at a time, not allowing the other traffic use that unused > bandwidth, doesn't it? > > Is there a way to optimize that? You can try the imq device. That's a virutal device and you can redirect any traffic to it. Also incoming traffic. Traffic can be shaped on this device with htb. So you can use htb to shape incoming traffic, but it can create also extra overhead and increase the latency. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From darklight@jambolnet.com Sat Nov 8 12:36:06 2003 From: darklight@jambolnet.com (Ilian Zarov) Date: Sat, 8 Nov 2003 14:36:06 +0200 Subject: [LARTC] Forwarding broadcast packets ? Message-ID: <20031108123017.M37422@jambolnet.com> Hello, I remember there was some package to forward broadcast packets so that LAN games like counter-strike could be seen on different subnets without specifying the IP, but I lost my bookmarks. Remeber it was ot freshmeat, but I can't find it. Anyone knows its name or is there any other way to do it ? It looks like this: CS Server 192.168.0.x <-> Linux gateway (without NAT) <-> Clients 192.168.1.x From algharri@site.uottawa.ca Sat Nov 8 15:37:10 2003 From: algharri@site.uottawa.ca (Al-Gharribeh Muhammad) Date: Sat, 08 Nov 2003 10:37:10 -0500 Subject: [LARTC] System freezing References: <20031107054511.19193.41982.Mailman@outpost.ds9a.nl> Message-ID: <3FAD0DA6.5090209@site.uottawa.ca> Hi guys, I need some help with this:- I have a problem with my Linux box its freezing when I'm bombing it with 60 Mbps IP traffic from a Gnettest generator, It was OK with (10Mbps-50Mbps) , but when I'm hitting the 60Mbps the system fezzes'. The Gnettest indicating that the 100% utilization of the fast Ethernet is 75.8 Mbps. I don't have any clue why the system is getting freeze with 60 Mbps. 
The system is P4 and it has 1G RAM. I do appreciate any information about this issue. Regards Al-Gharribeh From victor@ambra.ro Sat Nov 8 16:55:41 2003 From: victor@ambra.ro (victor) Date: Sat, 8 Nov 2003 18:55:41 +0200 (EET) Subject: [LARTC] wrong shaping Message-ID: <3219.80.97.24.235.1068310541.squirrel@www.ambra.ro> I have a class parent and a class child; In the child class I have 6 dropped pachets, but in the parent class I have none(in teh example configuration parent is 1:9 and child is 1:2eb). Is this possible, or I have somethimg wrong in the configuration? My exact problem is: -I have many clases that have 1Kbit rate and 500Kbit ceil. -I have HZ=1000, compiled in the kernel. When I create a class with rate=64Kbit, ceil=64Kbit, this class will not transfer at this exact rate. The rate will repat jumping from a few Kbits to 64Kbits and back, but will never stay at the rate=64Kbit. More than that, many clases that have rate=1Kbit, ceil=500Kbit will have a better transfer than the class with rate 64Kbit. My configuration is: tc qdisc add dev eth1 root handle 1: htb default 2 tc class add dev eth1 parent 1: classid 1:9 htb rate 1400Kbit prio 0 quantum 2000 tc class add dev eth1 parent 1: classid 1:2 htb rate 9999Kbit prio 0 quantum 2000 Just one class and 1 filter(thay are many): tc class add dev eth1 parent 1:9 classid 1:2eb htb rate 64Kbit ceil 500Kbit prio 0 quantum 2000 tc filter add dev eth1 parent 1: prio 1 handle 7: protocol ip u32 divisor 256 tc filter add dev eth1 parent 1: prio 1 protocol ip u32 ht 800:: match ip dst xxx.xxx.xxx.0/24 hashkey mask 0x000000ff at 16 link 7: tc filter add dev eth1 prio 1 protocol ip u32 ht 2:eb match ip src xxx.xxx.xxx.xxx flowid 1:2eb Configuration for upload is simetrical. Thank you From kchijioke@msn.com Sun Nov 9 06:26:21 2003 From: kchijioke@msn.com (Chijioke Kalu) Date: Sat, 08 Nov 2003 22:26:21 -0800 Subject: [LARTC] Parent rate=ceil Limit not respected Message-ID: This is a multi-part message in MIME format. 
------=_NextPart_000_2745_a3f_16ec Content-Type: text/plain; format=flowed Hi Stef, lo all, Am hoping someone could have the time to look at my simple script, it basically tries to restrict users based on their ip, but I also incorporated the hints given by Stef on being able to allow local traffic unrestricted. no iptable marking (fw filter) is used, just tc. I see traffic passing thru all the classes when ever those systems are in use. Ave done some stress test on the local traffic by plugging p2p/web crawlers on the LAN of one of the systems, each time i notice that the parent ceil limit is being broken. I have met the one major requirement, sum of child classes rate <= parent rate. I dont know what else i might be doing wrong, once placed perturb to 1, and internally(kernel) am using PSCHED_CPU and a sfq buffer length of 15 as against 128. (notes on docum.org) to try and increase speed. (Processor has TSC flag) Would be much obliged on any comments/improvements i can make on the script. Using kernel 2.4.22 TIA K _________________________________________________________________ MSN Shopping upgraded for the holidays! Snappier product search... 
http://shopping.msn.com
------=_NextPart_000_2745_a3f_16ec
Content-Type: text/plain; name="rc.qosv4.txt"; format=flowed
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="rc.qosv4.txt"

#!/bin/bash
#
# rc.qos - GPL ver 0.04 (rate limiting specific ip's on a LAN)
#
#
# TODO:
#    1) make auto-startable
#    2) place command line arguments
#    3) make generic, this gonna be a hardone ;)
#    4) improve QoS, attempt DiffServ again
#    5) incorporate SQUID, include upload traffic control
#    6) auto determine bandwidth per ip
#
# Acknowledgements:
#    Much thanks to Stef, Alex, Clouter and Ahu
#    Special thanks to reeler@#lartc for pointing out the not so obvious (in my case) ;)
#
# Schematic
# ---------
#
#            _________root 1:0_______
#           /                        \
#    local (10mbit)           Internet (90kbit)
#         1:2                        1:3
#    (h=handle 5)                     |
#                                     |
#                      --------------+-----------------------------------
#                     /          |        |        |         |           \
#                   1:10       1:11     1:12     1:13      1:...        1:50
#             (high priority) (sys 1)  (sys 2)  (sys 3)  (sys ...)   (default)
#                  (h10)       (h11)    (h12)    (h13)    (h...)       (h50)
#

#set -x

# LAN Interface ( Download )

# delete/create root class
tc qdisc del dev eth1 root 2> /dev/null
tc qdisc add dev eth1 root handle 1: htb default 50 r2q 1

# create local class
tc class add dev eth1 parent 1: classid 1:2 htb rate 10mbit ceil 10mbit

# create internet class
#ceil 86
tc class add dev eth1 parent 1: classid 1:3 htb rate 86Kbit ceil 90Kbit

# create high priority class in internet class for ack, icmp packets
#ceil 82
tc class add dev eth1 parent 1:3 classid 1:10 htb rate 5Kbit ceil 82Kbit prio 0

# create 20 system classes in internet class, sys01 - sys20 ( 1:11 - 1:30 )
#ceil 82
for LOOP in `seq 11 30`
do
    tc class add dev eth1 parent 1:3 classid 1:$[$LOOP] htb \
        rate 4Kbit ceil 82Kbit prio 2
done

# default class
#ceil 80
tc class add dev eth1 parent 1:3 classid 1:50 htb rate 2Kbit ceil 80Kbit prio 3

# do qdisc attachment
# perturb 10
tc qdisc add dev eth1 parent 1:2 handle 5: sfq perturb 10
for LOOP in `seq 10 30`
do
    tc qdisc add dev eth1 parent 1:$[$LOOP] handle $[$LOOP]: sfq \
        perturb 10
done
tc qdisc add dev eth1 parent 1:50 handle 50: sfq perturb 10

# filter rules
# 10mbit local traffic matched
tc filter add dev eth1 parent 1: protocol ip prio 100 u32 match ip src 192.168.0.0/24 classid 1:2

# any other thing not matched to classid 1:3 ( must be from internet bound )
# 90Kbit Internet traffic match
tc filter add dev eth1 parent 1: protocol ip prio 100 u32 match ip tos 0 0 classid 1:3

# High priority class 1:10 filter
tc filter add dev eth1 parent 1:3 protocol ip prio 200 handle 10 fw classid 1:10

# (1:10 is high priority class in internet class)
# TOS minimum delay in 1:10
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 \
    match ip tos 0x10 0xff flowid 1:10

# UDP Traffic in 1:10
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 \
    match ip protocol 17 0xff \
    match ip dport 53 0xffff flowid 1:10

# ICMP (ip protocol 1) Set class to 1:10 to impress friends
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 \
    match ip protocol 1 0xff flowid 1:10

# To speed up downloads while an upload is going on, put ACK packets in
# the 1:10 class
# ACKs on packets < 64 bytes
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    match u8 0x10 0xff at 33 \
    flowid 1:10

tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    flowid 1:10

# remaining filters for sys01 - sys20
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.106/32 flowid 1:11
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.107/32 flowid 1:12
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.108/32 flowid 1:13
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.109/32 flowid 1:14
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.110/32 flowid 1:15
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.111/32 flowid 1:16
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.112/32 flowid 1:17
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.113/32 flowid 1:18
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.114/32 flowid 1:19
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.121/32 flowid 1:20
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.122/32 flowid 1:21
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.123/32 flowid 1:22
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.124/32 flowid 1:23
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.125/32 flowid 1:24
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.126/32 flowid 1:25
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.127/32 flowid 1:26
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.128/32 flowid 1:27
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.130/32 flowid 1:28
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.129/32 flowid 1:29
tc filter add dev eth1 parent 1:3 protocol ip prio 100 u32 match ip dst 192.168.0.104/32 flowid 1:30

tc filter add dev eth1 parent 1:3 protocol ip prio 200 handle 50 fw classid 1:50

# end of LAN interface ( download ) script

------=_NextPart_000_2745_a3f_16ec--

From nelson@politecnica.edu.co Mon Nov 10 07:36:33 2003
From: nelson@politecnica.edu.co (Nelson E. Castillo)
Date: Mon, 10 Nov 2003 02:36:33 -0500
Subject: [LARTC] tcng version 9h
Message-ID: <20031110073633.GA4555@mail.politecnica.edu.co>

Hi,

I tried compiling tcng with HTB support using a vanilla 2.4.22 Linux Kernel. I downloaded iproute2 and the HTB patch from the locations suggested in the README file that comes with tcng. After compilation, some tests fail doing a 'make test'.

For the first test, I used gcc 2.95.4 and gcc-3.0 (debian woody), and a test fails:
http://www.geocities.com/arhuaco/post/tcng-9hlog-debian-woody.txt

For the second one, I used gcc 3.3.2 (Debian - Knoppix 3.3), and it failed in a different way.
http://www.geocities.com/arhuaco/post/tcng-9hlog-knoppix-3.3.txt

The Knoppix kernel is not a vanilla kernel, but by reading tests/README I think it doesn't matter for the tests.

Well, I'd like to know if I'm doing something wrong.

Regards,
Nelson.-

>Quoting Werner Almesberger (Fri, 7 Nov 2003 00:20:47 -0300 :
>(snip ... )
> .. is on SourceForge:
> http://tcng.sourceforge.net/dist/tcng-9h.tar.gz
> md5sum 9b7c520f92b312a5a00da12bad35f57d
>(snip ...
) -- http://geocities.com/arhuaco The first principle is that you must not fool yourself and you are the easiest person to fool. -- Richard Feynman. From victor@ambra.ro Mon Nov 10 11:44:56 2003 From: victor@ambra.ro (Victor) Date: Mon, 10 Nov 2003 13:44:56 +0200 Subject: [LARTC] ceil Message-ID: <5bda8fe89b6d83fd72bfdcb6dedfd12e@ambra.ro> In my current configuration all classes have a ceil of 128kbit. And the configuration is working fine. But if I put a ceil of 500Kbit to all classes the configuration will not work fine. (A class with rate 64Kbit and ceil 64Kbit will not stay at this rate) Please tell me how can ceil influence in this situation. Thank you. From victor@ambra.ro Mon Nov 10 11:39:33 2003 From: victor@ambra.ro (victor) Date: Mon, 10 Nov 2003 13:39:33 +0200 (EET) Subject: [LARTC] ceil Message-ID: <1091.80.97.24.235.1068464373.squirrel@www.ambra.ro> In my current configuration all classes have a ceil of 128kbit. And the configuration is working fine. But if I put a ceil of 500Kbit to all classes the configuration will not work fine. (A class with rate 64Kbit and ceil 64Kbit will not stay at this rate) Please tell me how can ceil influence in this situation. Thank you From Pierre Castella" Hello! I have experienced problems with the script presented at pages 90-91 of the lartc howto. The script reduces the bandwith greatly and make the ping very high. I have tried many combinations for the UPSTRAM and DOWNSTREAM variables without success. Does anybody know were the problem comes from? Regards, Pete From noxy@icw.hu Mon Nov 10 12:29:46 2003 From: noxy@icw.hu (=?iso-8859-2?Q?Meretei_Bal=E1zs?=) Date: Mon, 10 Nov 2003 13:29:46 +0100 Subject: [LARTC] routing problem Message-ID: <001001c3a786$547cff00$6400010a@intel815> This is a multi-part message in MIME format. ------=_NextPart_000_000D_01C3A78E.B55DBDC0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: quoted-printable I got a problem with ip aliasing. 
I've an interface (eth0) and its address (eg. 195.150.0.11) routed through 195.150.0.1

I made an alias 193.144.0.11 too (eth0:1)
but I have to route the second subnet through an other router (193.144.0.1)

the main problem is, that I cannot make two default routes...
I don't know really what to do in this case

----------
|        | eth0    (195.150.0.11)----------------[router: 195.150.0.11]-------------INET
|        | eth0:1  (193.144.0.11)---------------[router: 193.144.0.11]-------------INET
---------

======================
Meretei Balázs
noxy@icw.hu
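The two-gateway setup in this post is the case policy routing covers: one routing table per source address, each with its own default route (the "split access" recipe of the LARTC HOWTO that the thread refers to). The script below is an added sketch, not part of the original post: it only prints the iproute2 commands for review; the /24 prefix lengths and table numbers 101/102 are assumptions, the addresses and gateways are the poster's.

```shell
#!/bin/sh
# Added example: print (do not execute) the iproute2 commands for
# "split access" with two addresses on one NIC.
# Assumptions not taken from the post: /24 prefixes, table ids 101 and 102.

# eth0:1 is only a label for a second address on eth0, so routes name eth0.
DEV=eth0

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    _old=$IFS; IFS=.; set -- $1; IFS=$_old
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of ADDR PREFIXLEN -> network address of ADDR/PREFIXLEN
network_of() {
    _mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    int_to_ip $(( $(ip_to_int "$1") & $_mask ))
}

# uplink_cmds ADDR PREFIXLEN GATEWAY TABLE
# Emits the three commands for one uplink. Refuses a gateway that is not
# on-link for ADDR/PREFIXLEN, because "ip route add default via" would
# fail for it at run time.
uplink_cmds() {
    _net=$(network_of "$1" "$2")
    if [ "$(network_of "$3" "$2")" != "$_net" ]; then
        echo "error: gateway $3 is not on-link for $1/$2" >&2
        return 1
    fi
    # connected network, reachable from this table with the right source
    echo "ip route add $_net/$2 dev $DEV src $1 table $4"
    # per-table default route: this is the "second default route"
    echo "ip route add default via $3 dev $DEV table $4"
    # packets sourced from ADDR consult this table first
    echo "ip rule add from $1 table $4"
}

split_access_plan() {
    uplink_cmds 195.150.0.11 24 195.150.0.1 101 || return 1
    uplink_cmds 193.144.0.11 24 193.144.0.1 102 || return 1
    # main table: used when no source address has been chosen yet
    echo "ip route add default via 195.150.0.1 dev $DEV"
    echo "ip route flush cache"
}

split_access_plan
```

Review the printed commands and run them as root once they match the real netmasks; replies then leave through the gateway that belongs to the address they are sent from.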
------=_NextPart_000_000D_01C3A78E.B55DBDC0-- From raptor@tvskat.net Mon Nov 10 15:11:40 2003 From: raptor@tvskat.net (raptor) Date: Mon, 10 Nov 2003 17:11:40 +0200 Subject: [LARTC] [tcng] nfmark & if Message-ID: <20031110171140.6f49c729.raptor@tvskat.net> hi there, will the following config work : class (<$class1>) if nfmark == VALUE && $condition1; class (<$class2>) if $condition1; class (<$class3>) if nfmark == VALUE && $condition2; class (<$class4>) if $condition2; class (<$class5>) if nfmark == VALUE && $condition3; class (<$class6>) if $condition3; .............................. tia From cnicules@4email.net Mon Nov 10 15:54:00 2003 From: cnicules@4email.net (Ciprian Niculescu) Date: Mon, 10 Nov 2003 16:54:00 +0100 Subject: [LARTC] flow classification Message-ID: <20031110155400.28140778E3@server2.messagingengine.com> hello, i have 2 links to the ISP of 128kbit each, and i want to balance the trafic between them, but not staticly (local ip1-5 throw isp1, and the rest to isp2). I though at a ingress clasification, then routing by the mark, and at the exit nat (yes i must do nat :(((, but the clasification must be flow based, and i dont know how to do it. C From stef.coene@docum.org Mon Nov 10 17:43:35 2003 From: stef.coene@docum.org (Stef Coene) Date: Mon, 10 Nov 2003 18:43:35 +0100 Subject: [LARTC] Parent rate=ceil Limit not respected In-Reply-To: References: Message-ID: <200311101843.35231.stef.coene@docum.org> On Sunday 09 November 2003 07:26, Chijioke Kalu wrote: > Hi Stef, lo all, > > Am hoping someone could have the time to look at my simple script, it > basically tries to restrict users based on their ip, but I also > incorporated the hints given by Stef on being able to allow local traffic > unrestricted. no iptable marking (fw filter) is used, just tc. > > I see traffic passing thru all the classes when ever those systems are in > use. 
> > Ave done some stress test on the local traffic by plugging p2p/web crawlers > on the LAN of one of the systems, each time i notice that the parent ceil > limit is being broken. > > I have met the one major requirement, sum of child classes rate <= parent > rate. I dont know what else i might be doing wrong, once placed perturb to > 1, and internally(kernel) am using PSCHED_CPU and a sfq buffer length of 15 > as against 128. (notes on docum.org) to try and increase speed. (Processor > has TSC flag) > > Would be much obliged on any comments/improvements i can make on the > script. You attach class 1:2 and 1:3 to the root qdisc. It's better to add 1 class to the root qdisc and attach all other classes to that class. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From stef.coene@docum.org Mon Nov 10 17:37:49 2003 From: stef.coene@docum.org (Stef Coene) Date: Mon, 10 Nov 2003 18:37:49 +0100 Subject: [LARTC] ceil In-Reply-To: <5bda8fe89b6d83fd72bfdcb6dedfd12e@ambra.ro> References: <5bda8fe89b6d83fd72bfdcb6dedfd12e@ambra.ro> Message-ID: <200311101837.49578.stef.coene@docum.org> On Monday 10 November 2003 12:44, Victor wrote: > In my current configuration all classes have a ceil of 128kbit. > And the configuration is working fine. > But if I put a ceil of 500Kbit to all classes the configuration will not > work fine. > (A class with rate 64Kbit and ceil 64Kbit will not stay at this rate) > Please tell me how can ceil influence in this situation. Can you post the used script? 
Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From stef.coene@docum.org Mon Nov 10 17:46:15 2003 From: stef.coene@docum.org (Stef Coene) Date: Mon, 10 Nov 2003 18:46:15 +0100 Subject: [LARTC] wrong shaping In-Reply-To: <3219.80.97.24.235.1068310541.squirrel@www.ambra.ro> References: <3219.80.97.24.235.1068310541.squirrel@www.ambra.ro> Message-ID: <200311101846.15423.stef.coene@docum.org> On Saturday 08 November 2003 17:55, victor wrote: > I have a class parent and a class child; > In the child class I have 6 dropped pachets, but in the parent class I > have none(in teh example configuration parent is 1:9 and child is 1:2eb). > Is this possible, or I have somethimg wrong in the configuration? > My exact problem is: > -I have many clases that have 1Kbit rate and 500Kbit ceil. > -I have HZ=1000, compiled in the kernel. > > When I create a class with rate=64Kbit, ceil=64Kbit, this class will not > transfer at this exact rate. The rate will repat jumping from a few Kbits > to 64Kbits and back, but will never stay at the rate=64Kbit. How do you measure this ? > More than that, many clases that have rate=1Kbit, ceil=500Kbit will have a > better transfer than the class with rate 64Kbit. 
> > My configuration is: > tc qdisc add dev eth1 root handle 1: htb default 2 > > tc class add dev eth1 parent 1: classid 1:9 htb rate 1400Kbit prio 0 > quantum 2000 > > tc class add dev eth1 parent 1: classid 1:2 htb rate 9999Kbit prio 0 > quantum 2000 > > Just one class and 1 filter(thay are many): > > tc class add dev eth1 parent 1:9 classid 1:2eb htb rate 64Kbit ceil > 500Kbit prio 0 quantum 2000 > > tc filter add dev eth1 parent 1: prio 1 handle 7: protocol ip u32 divisor > 256 tc filter add dev eth1 parent 1: prio 1 protocol ip u32 ht 800:: match > ip dst xxx.xxx.xxx.0/24 hashkey mask 0x000000ff at 16 link 7: > tc filter add dev eth1 prio 1 protocol ip u32 ht 2:eb match ip src > xxx.xxx.xxx.xxx flowid 1:2eb > > Configuration for upload is simetrical. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From noxy@icw.hu Mon Nov 10 18:19:31 2003 From: noxy@icw.hu (=?iso-8859-2?Q?Meretei_Bal=E1zs?=) Date: Mon, 10 Nov 2003 19:19:31 +0100 Subject: [LARTC] routing problem2 Message-ID: <00b401c3a7b7$30f7b620$6400010a@intel815> My problem is, I got only one interface (eth0) so I have to use ipaliasing. (kernel-2.4.21-pre5-ac3) Could I solve this problem with Linux "Advanced routing & Traffic Control HOWTO", chapter 4.2.1, "Split access". solution anyway??? ====================== Meretei Balázs noxy@icw.hu From kchijioke@msn.com Mon Nov 10 18:46:09 2003 From: kchijioke@msn.com (Chijioke Kalu) Date: Mon, 10 Nov 2003 10:46:09 -0800 Subject: [LARTC] Parent rate=ceil Limit not respected Message-ID: Thanks Stef, but then, what bandwidth should I place on the first class, 10mbit or 90Kbit? am re-writing the script to follow what you've just suggested, it will look like this... root (1:0) | class (1:2) (10mbit or 90Kbit or nothing ?) 
/ \ class (1:3) class (1:4) (LAN Traffic) (10Mbit) (90Kbit) (Internet Traffic) | | ------------------------- ----------------------- | | | 1:10 1:11 - 1:31 1:50 (high prio icmp,ack) (sys01 ... sys20) (default) 1. Is this what you're asking? 2. Is there any other improvements I can make on the script to make it efficient? Thanks K _________________________________________________________________ Frustrated with dial-up? Get high-speed for as low as $26.95. https://broadband.msn.com (Prices may vary by service area.) From stef.coene@docum.org Mon Nov 10 18:58:24 2003 From: stef.coene@docum.org (Stef Coene) Date: Mon, 10 Nov 2003 19:58:24 +0100 Subject: [LARTC] Parent rate=ceil Limit not respected In-Reply-To: References: Message-ID: <200311101958.24217.stef.coene@docum.org> On Monday 10 November 2003 19:46, Chijioke Kalu wrote: > Thanks Stef, > > but then, what bandwidth should I place on the first class, 10mbit or > 90Kbit? 10 mbit. > am re-writing the script to follow what you've just suggested, it will look > like this... > > root > (1:0) > > class > (1:2) (10mbit or 90Kbit or nothing ?) > / > \ > class (1:3) > class (1:4) > (LAN Traffic) (10Mbit) (90Kbit) > (Internet Traffic) > > > > > > ------------------------- ----------------------- > > > 1:10 > 1:11 - 1:31 1:50 > (high prio > icmp,ack) (sys01 ... sys20) (default) > > > 1. Is this what you're asking? Yep. > 2. Is there any other improvements I can make on the script to make it > efficient? I think the script is fine. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From flavio.xx.poletti@ericsson.com Mon Nov 10 18:06:16 2003 From: flavio.xx.poletti@ericsson.com (Flavio Poletti XX (ROMA/TEI)) Date: Mon, 10 Nov 2003 19:06:16 +0100 Subject: [LARTC] tc, tbf and accuracy Message-ID: <5DEA4E2C8262D51188B70002A55CA3C5064EB521@eitrmnt106.tei.ericsson.se> Hi all, I've tried to look for this info in previous messages but had no luck. 
I've a 2.4.20 kernel on an Intel arch., all TC is configured and it seems to work. Anyway, I've had some troubles in configuring TBF via tc: 1. when I configure burst or minburst to be, say, 1500b, when I peek the configuration with "tc -s qdisc" the answer is that burst/minburst is equal to 1499. Moreover, any other value I try to configure in "b" unit is always decremented by 1 (3000->2999, and so on). Any clue about that? 2. I also have some strange behaviours about latency configuration - it is always far from what I request. If, for example, I try to set 500ms, the most probably I get something around 620ms. Note that if I configure the "limit" parameter instead of "latency", I can manage to reach values closer to what I need (e.g. 500ms). Is there something I'm missing about latency configuration? 3. I've tried to configure peakrate/minburst, but I had to struggle a bit to have them work. In particular, when I tried to set minburst equal to interface MTU (100 bytes, ethernet) as suggested in the manpage I did not even manage to set up an HTTP session. I had to configure a minburst equal to around 12000 to have some traffic pass arrive to the remote client. Is the manpage wrong? 4. What I really need is to have a controlled bit rate for a unique HTTP session from my PC (i.e. no other traffic during the tests I want to perform). I was thus wondering what does it mean that there is a "drop" in packets that are generated from my own machine. I thought that there could be two basic models: 4.1 write-wait model, in which the rate is limited directly towards the application that issues some "write" on the socket file descriptor, thus limiting its rate - or 4.2 tcp-wait model, in which the application talks to TCP very fast, and some packets from TCP are actually dropped if TCP tries to send them too fast. What model is actually implemented? Thank to you all for any bit of attention, Flavio. 
From sparmar@veraznet.com Mon Nov 10 21:21:51 2003 From: sparmar@veraznet.com (Sumeet Singh Parmar) Date: Mon, 10 Nov 2003 13:21:51 -0800 Subject: [LARTC] inexpensive router platform Message-ID: <9E388C880C1ED411AFE1009027E7872504FADA7C@mail.veraznet.com> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C3A7D0.A82F1580 Content-Type: text/plain; charset="iso-8859-1" I am trying to build a linux router. I have done a NAT box before with two NICs. This time I just don't want a big pc case sitting around and mini-itx is too expensive. I was wondering if there is an alternate platform that's low power, space saving with just bare minimum disk or flash and two NICs that I could experiment with? Thanks a lot!! ------_=_NextPart_001_01C3A7D0.A82F1580 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable inexpensive router platform

------_=_NextPart_001_01C3A7D0.A82F1580-- From sparmar@veraznet.com Mon Nov 10 21:32:14 2003 From: sparmar@veraznet.com (Sumeet Singh Parmar) Date: Mon, 10 Nov 2003 13:32:14 -0800 Subject: [LARTC] inexpensive router platform Message-ID: <9E388C880C1ED411AFE1009027E7872504FADA7D@mail.veraznet.com> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C3A7D2.1B5D5CA0 Content-Type: text/plain; charset="iso-8859-1" Sorry the last message was in html. Here it is again in good old plain text: I am trying to build a linux router. I have done a NAT box before with two NICs. This time I just don't want a big pc case sitting around and mini-itx is too expensive. I was wondering if there is an alternate platform that's low power, space saving with just bare minimum disk or flash and two NICs that I could experiment with? Thanks a lot!! ------_=_NextPart_001_01C3A7D2.1B5D5CA0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable RE: [LARTC] inexpensive router platform

------_=_NextPart_001_01C3A7D2.1B5D5CA0-- From damion@snapgear.com Mon Nov 10 23:55:22 2003 From: damion@snapgear.com (Damion de Soto) Date: Tue, 11 Nov 2003 09:55:22 +1000 Subject: [LARTC] routing problem References: <001001c3a786$547cff00$6400010a@intel815> Message-ID: <3FB0256A.20806@snapgear.com> Meretei Balázs wrote: > I've an interface (eth0) and its address (eg. 195.150.0.11) routed > throught 195.150.0.1 > I made an alias 193.144.0.11 too (eth0:1) > but I have to route the second subnet trought an other router (193.144.0.1) I'm pretty sure you need source-based routing here. (or is that policy-based ?) you setup 2 routing tables, and then make rules that say packets from 195.150.0.0 go into one (which has a default gateway of 195.150.0.1) and packets from the other network go into the second routing table, with a gw of 193.144.0.1 take a look at: http://lartc.org/howto/lartc.rpdb.html#LARTC.RPDB.SIMPLE and maybe: http://linux-ip.net/html/ch-routing.html http://linux-ip.net/gl/ip-cref/ it's pretty easy once you work out what needs to happen. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Damion de Soto - Software Engineer email: damion@snapgear.com SnapGear --- ph: +61 7 3435 2809 | Custom Embedded Solutions fax: +61 7 3891 3630 | and Security Appliances web: http://www.snapgear.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --- Free Embedded Linux Distro at http://www.snapgear.org --- From damion@snapgear.com Mon Nov 10 23:59:18 2003 From: damion@snapgear.com (Damion de Soto) Date: Tue, 11 Nov 2003 09:59:18 +1000 Subject: [LARTC] flow classification References: <20031110155400.28140778E3@server2.messagingengine.com> Message-ID: <3FB02656.5080408@snapgear.com> > i have 2 links to the ISP of 128kbit each, and i want to balance the > trafic between them, but not staticly (local ip1-5 throw isp1, and the > rest to isp2). 
> I thought of an ingress classification, then routing by the
> mark, and at the exit nat (yes i must do nat :(((, but the classification
> must be flow based, and i don't know how to do it.

If certain IPs are always going through the same link, then you don't really
want load balancing at all.
Don't you just want routing rules that say local ip1-5 always go through one
gateway (isp1), and the default route is isp2 for everyone else?

Or did I misunderstand?

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer  email: damion@snapgear.com
SnapGear ---                        ph: +61 7 3435 2809
 | Custom Embedded Solutions        fax: +61 7 3891 3630
 | and Security Appliances          web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- Free Embedded Linux Distro at http://www.snapgear.org ---

From kchijioke@msn.com Tue Nov 11 03:34:17 2003
From: kchijioke@msn.com (Chijioke Kalu)
Date: Mon, 10 Nov 2003 19:34:17 -0800
Subject: [LARTC] New: Parent rate=ceil Limit still not respected
Message-ID:

This is a multi-part message in MIME format.

------=_NextPart_000_7681_22d1_63bf
Content-Type: text/plain; format=flowed

Hi Stef,

I did the configuration change the way you asked, attached is the new
script, still am not getting the parent ceil rate for the internet class
90Kbit respected. I don't know what else I must be doing wrong. Have any idea
what other thing could be causing this to fail?

Thank You.
K

------=_NextPart_000_7681_22d1_63bf
Content-Type: application/octet-stream; name="rc.qosv5"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="rc.qosv5"
------=_NextPart_000_7681_22d1_63bf--

From xxx@andrew.cmu.edu Tue Nov 11 06:48:33 2003
From: xxx@andrew.cmu.edu (Peter Nelson)
Date: Tue, 11 Nov 2003 01:48:33 -0500
Subject: [LARTC] Filter huge number of hosts
Message-ID: <3FB08641.5010502@andrew.cmu.edu>

Ok, I'm pretty new at this and am probably in a bit over my head, but I
was looking for some pointers. I want to classify and then prioritize
traffic based on if it is to an Internet2 host, a host on campus or the
general internet. I got a dump from one of our campus's routers that
classifies everything as either I2 or local, only problem is that it is
~8000 entries. Now a lot of those entries can probably be combined down
(for example a couple of sequential /24's). My first question is does
anyone have any script that you give it multiple netmasks and it
combines it down to the simplest netmasks? Now my second question is
would using hashtables, maybe even nested ones be practical for this?
This is how I'm thinking of hashing so far:

Mask         hashes   children to check
0xFF000000:  100      most 50-500
0xFFFF0000:  3000     most <20, some 50-200
0xFFFFFF00:  8000     all < 10

Obviously hashing based on 0xFF helps, but it still has to go through up
to 500 checks for some hosts. Once I hash based on 0xFFFF the worst
case gets a lot better, and of course hashing on 0xFFFFFF makes almost
perfect hashes. Only thing is does a hash table lose its point once
you start indexing everything? I was thinking maybe hashing based on
the 0xFF and then from there making hashes based on 0x00FF (and then
maybe another layer of 0x0000FF). I admit I really don't know all that
much about the hashing algorithm and its complexity so I don't know how
to approach this.

Thanks for any information,
Peter Nelson

From util@deuroconsult.ro Tue Nov 11 08:28:46 2003
From: util@deuroconsult.ro (Catalin BOIE)
Date: Tue, 11 Nov 2003 10:28:46 +0200 (EET)
Subject: [LARTC] Filter huge number of hosts
In-Reply-To: <3FB08641.5010502@andrew.cmu.edu>
References: <3FB08641.5010502@andrew.cmu.edu>
Message-ID:

On Tue, 11 Nov 2003, Peter Nelson wrote:

> Ok, I'm pretty new at this and am probably in a bit over my head, but I
> was looking for some pointers. I want to classify and then prioritize
> traffic based on if it is to an Internet2 host, a host on campus or the
> general internet. I got a dump from one of our campus's routers that
> classifies everything as either I2 or local, only problem is that it is
> ~8000 entries. Now a lot of those entries can probably be combined down
> (for example a couple of sequential /24's). My first question is does
> anyone have any script that you give it multiple netmasks and it
> combines it down to the simplest netmasks? Now my second question is
> would using hashtables, maybe even nested ones be practical for this?
> This is how I'm thinking of hashing so far:
>
> Mask         hashes   children to check
> 0xFF000000:  100      most 50-500
> 0xFFFF0000:  3000     most <20, some 50-200
> 0xFFFFFF00:  8000     all < 10
>

You can link hashes to do what you want:

hash (made from first byte of the ip):
01 -> another_hash_1
10 -> another_hash_2

another_hash_1 entries (hash made from second byte):
01 -> another_hash_on_level_2
10 -> another_hash_on_level_2

and so on.

> Obviously hashing based on 0xFF helps, but it still has to go through up
> to 500 checks for some hosts. Once I hash based on 0xFFFF the worst
> case gets a lot better, and of course hashing on 0xFFFFFF makes almost
> perfect hashes. Only thing is does a hash table lose its point once
> you start indexing everything? I was thinking maybe hashing based on
> the 0xFF and then from there making hashes based on 0x00FF (and then
> maybe another layer of 0x0000FF). I admit I really don't know all that
> much about the hashing algorithm and its complexity so I don't know how
> to approach this.
>
> Thanks for any information,
> Peter Nelson

---
Catalin(ux) BOIE
catab@deuroconsult.ro

From mabrown-lartc@securepipe.com Tue Nov 11 04:22:38 2003
From: mabrown-lartc@securepipe.com (Martin A. Brown)
Date: Mon, 10 Nov 2003 22:22:38 -0600 (CST)
Subject: [LARTC] routing problem
In-Reply-To: <001001c3a786$547cff00$6400010a@intel815>
References: <001001c3a786$547cff00$6400010a@intel815>
Message-ID:

Meretei,

: I've an interface (eth0) and its address (eg. 195.150.0.11) routed
: through 195.150.0.1 I made an alias 193.144.0.11 too (eth0:1) but I
: have to route the second subnet through another router (193.144.0.1)
:
: the main problem is, that I cannot make two default routes...
: I don't know really what to do in this case

Damion was correct when he suggested that policy routing would be a good
solution for you. He suggested reading lartc.org [0] and also a chapter in
my (incomplete) book; the chapter on routing [1]. Together these two
resources should give you a good idea of how the solution works.

Policy routing leverages multiple routing tables and a policy database.
The lookups in the policy database select the routing table to apply for a
particular packet. With a careful design of your routing tables, you can
easily have two or more default routes, depending on the characteristics
of the outbound packet.

: +--------+
: | linux  | eth0   (195.150.0.11) -- [router: 195.150.0.1] -- INET
: | router | eth0:1 (193.144.0.11) -- [router: 193.144.0.1] -- INET
: +--------+

I assume that you are only showing us the networks connected to this
router, and that there are no others. If that is the case, then my
following statements hold.

For you, the pitfall and difficulty will likely have more to do with
ensuring that the packets are sourced from the correct IP. This will be
trivial if you are running servers on 195.150.0.11 and 193.144.0.11, but
may be more difficult if you are trying to select outbound path from
userspace. This could depend on your application supporting the call to
bind to a particular IP. In particular, you'll want to examine the
kernel's rules for selecting a source IP if it is not specified by the
application [2].

If eth0 is your preferred link, then this should work for you as a
starting point:

  # rt_tables entries are "<id> <name>"; 200 is an arbitrary unused table id
  echo 200 secondary >> /etc/iproute2/rt_tables
  ip rule add from 193.144.0.11 table secondary
  ip route flush table secondary
  # copy every route from the main table into the secondary table
  ip route show table main | while read ROUTE ; do
    ip route add table secondary $ROUTE
  done
  # then point the secondary table's default route at the other router
  ip route change default table secondary via 193.144.0.1

One other note. The use of the term IP aliasing is archaic and deprecated.
The command "ifconfig" displays "aliased" interfaces with the old-style
name "eth0:0", when, in fact, there is no such thing as an alias under
Linux. This is immediately obvious when using the "ip address" command
line tool to list addresses associated with a particular interface.

-Martin

 [0] http://lartc.org/howto/lartc.rpdb.html#LARTC.RPDB.SIMPLE
 [1] http://linux-ip.net/html/ch-routing.html
 [2] http://linux-ip.net/gl/ip-cref/node155.html

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

From kristiadi_himawan@dtp.net.id Tue Nov 11 10:10:27 2003
From: kristiadi_himawan@dtp.net.id (Kristiadi Himawan)
Date: Tue, 11 Nov 2003 17:10:27 +0700
Subject: [LARTC] Traffic accounting
References: <001001c3a786$547cff00$6400010a@intel815>
Message-ID: <05e401c3a83c$07674b60$06a02bca@w2k>

Hi,

Sorry the subject OOT.
Anyone know about html based (using mrtg) for traffic report that shows
per service traffic.

Thanx.

Regards,
Kris

From cnicules@4email.net Tue Nov 11 11:09:56 2003
From: cnicules@4email.net (Ciprian Niculescu)
Date: Tue, 11 Nov 2003 12:09:56 +0100
Subject: [LARTC] flow classification
In-Reply-To: <3FB02656.5080408@snapgear.com>
References: <20031110155400.28140778E3@server2.messagingengine.com> <3FB02656.5080408@snapgear.com>
Message-ID: <20031111110956.F02127D012@server2.messagingengine.com>

On Tue, 11 Nov 2003 09:59:18 +1000, "Damion de Soto" said:
> > i have 2 links to the ISP of 128kbit each, and i want to balance the
> > traffic between them, but not statically (local ip1-5 through isp1, and the
> > rest to isp2). I thought of an ingress classification, then routing by the
> > mark, and at the exit nat (yes i must do nat :(((, but the classification
> > must be flow based, and i don't know how to do it.
>
> If certain IPs are always going through the same link, then you don't
> really want
> load balancing at all.
> Don't you just want routing rules that say local ip1-5 always go through
> one gateway
> (isp1), and the default route is isp2 for everyone else?
> > Or did I misunderstand? yes, you did, the 2 links are "practicaly" at the same isp, and i will gain nothing if i do shortest_path routing C From xxx@andrew.cmu.edu Tue Nov 11 06:48:33 2003 From: xxx@andrew.cmu.edu (Peter Nelson) Date: Tue, 11 Nov 2003 07:48:33 +0100 Subject: [LARTC] Filter huge number of hosts Message-ID: <3FB08641.5010502@andrew.cmu.edu> Ok, I'm pretty new at this and am probably in a bit over my head, but I was looking for some pointers. I want to classify and then prioritize traffic based on if it is to an Internet2 host, a host on campus or the general internet. I got a dump from one of our campus's routers that classifies everything as either I2 or local, only problem is that it is ~8000 entries. Now a lot of those entries can probably be combined down (for example a couple of sequential /24's). My first question is does anyone have any script that you give it multiple netmasks and it combines it down to the simplest netmasks? Now my second question is would using hashtables, maybe even nested ones be practical for this? This is how I'm thinking of hashing so far: Mask hashes children to check 0xFF000000: 100 most 50-500 0xFFFF0000: 3000 most <20, some 50-200 0xFFFFFF00: 8000 all < 10 Obviously hashing based on 0xFF helps, but it still has to go through up to 500 checks for somes hosts. Once I hash based on 0xFFFF the worst case gets a lot better, and of course hashing on 0xFFFFFF makes almost perfect hashes. Only thing is does a hash table lose it's point once you start indexing everything? I was thinking maybe hashing based on the 0xFF and then from there making hashes based on 0x00FF (and then maybe an other layer of 0x0000FF). I admit I really don't know all that much about the hashing algorighm and it's complexity so I don't know how to approach this. 
Thanks for any information, Peter Nelson _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ From kchijioke@msn.com Mon Nov 10 03:34:17 2003 From: kchijioke@msn.com (Chijioke Kalu) Date: Mon, 10 Nov 2003 04:34:17 +0100 Subject: [LARTC] New: Parent rate=ceil Limit still not respected Message-ID: This is a multi part message in MIME format. --_NextPart_1_qmZrHLajoetbkwlTZTViemHPfyb Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hi Stef, I did the configuration change the way you asked, attached is the new script, still am not getting the parent ceil rate for the internet class 90Kbit respected. I dont know what else I must be doing wrong. Have any idea what other thing could be causing this to fail? Thank You. K _________________________________________________________________ MSN Shopping upgraded for the holidays! Snappier product search... http://shopping.msn.com --_NextPart_1_qmZrHLajoetbkwlTZTViemHPfyb Content-Type: application/octet-stream; name="rc.qosv5" Content-Disposition: attachment; filename="rc.qosv5" Content-Transfer-Encoding: base64 IyEvYmluL2Jhc2gKIwojIHJjLnFvcyAtIEdQTCB2ZXIgMC4wNSAocmF0ZSBsaW1pdGluZyBzcGVj aWZpYyBpcCdzIG9uIGEgTEFOKQojCTxrY2hpamlva2VAbXNuLmNvbT4KIyAKIyBUT0RPOgojCTEp IG1ha2UgYXV0by1zdGFydGFibGUKIwkyKSBwbGFjZSBjb21tYW5kIGxpbmUgYXJndW1lbnRzCiMJ MykgbWFrZSBnZW5lcmljLCB0aGlzIGdvbm5hIGJlIGEgaGFyZG9uZSA7KQojCTQpIGltcHJvdmUg UW9TLCBhdHRlbXB0IERpZmZTZXJ2IGFnYWluCiMJNSkgaW5jb3Jwb3JhdGUgU1FVSUQsIGluY2x1 ZGUgdXBsb2FkIHRyYWZmaWMgY29udHJvbAojCTYpIGF1dG8gZGV0ZXJtaW5lIGJhbmR3aWR0aCBw ZXIgaXAKIwojCUFja25vd2xlZGdlbWVudHM6CiMJCU11Y2ggdGhhbmtzIHRvIFN0ZWYsIEFsZXgs IENsb3V0ZXIsIGFuZCBBaHUKIwkJU3BlY2lhbCB0aGFua3MgdG8gcmVlbGVyQCNsYXJ0YyBmb3Ig cG9pbnRpbmcgb3V0IHRoZSBub3Qgc28gb2J2aW91cyAoaW4gbXkgY2FzZSkgOykKIwojIFNjaGVt YXRpYwojIC0tLS0tLS0tLQojCiMgICAgICAgICAgICAgICAgICAgICAgICByb290KDE6MCkKIyAg 
ICAgICAgICAgICAgICAgICAgICAgICAgIHwKIyAgICAgICAgICAgICAgICAgICAgICAgICAgIHwK IwkJIF9yb290IGNoaWxkIGNsYXNzIDE6Ml8KIyAgICAgICAgICAgICAgIC8gICAgICAgKDEwbWJp dCkgICAgICAgXAojICAgICAgICAgICAgICAvICAgICAgICAgICAgICAgICAgICAgICAgXAojCWxv Y2FsICg5bWJpdCkJICAgICAgICBJbnRlcm5ldCAoOTBrYml0KQojICAgICAgICAgICAgMTozICAg ICAgICAgICAgICAgICAgICAgICAxOjQKIyAgICAgICAoaD1oYW5kbGUgNSkgICAgICAgICAgICAg ICAgICAgIHwKIyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwKIyAgICAg ICAgICAgICAgICAgICAgICAgICAtLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLQojICAgICAgICAgICAgICAgICAgICAgICAgLyAgICAgICAgICAgfCAgICAg ICAgfCAgICAgICB8ICAgICAgICAgfCAgICAgICAgICAgXAojICAgICAgICAgICAgICAgICAgICAg IDE6MTAgICAgICAgIDE6MTEgICAgIDE6MTIgICAgIDE6MTMgICAgICAxOi4uLiAgICAgICAxOjUw CiMgICAgICAgICAgICAgICAgKGhpZ2ggcHJpb3JpdHkpICAoc3lzIDEpICAoc3lzIDIpICAoc3lz IDMpICAoc3lzIC4uLikgICAoZGVmYXVsdCkKIyAgICAgICAgICAgICAgICAgICAgIChoMTApICAg ICAgICAoaDExKSAgICAoaDEyKSAgICAoaDEzKSAgICAoaC4uLikgICAgICAgKGg1MCkKIwojc2V0 IC14CiMgTEFOIEludGVyZmFjZSAoIERvd25sb2FkICkKCiMgZGVsZXRlL2NyZWF0ZSByb290IGNs YXNzCnRjIHFkaXNjIGRlbCBkZXYgZXRoMSByb290IDI+IC9kZXYvbnVsbAp0YyBxZGlzYyBhZGQg ZGV2IGV0aDEgcm9vdCBoYW5kbGUgMTogaHRiIGRlZmF1bHQgNTAgcjJxIDEKCiMgY3JlYXRlIHJv b3QgY2xhc3MKdGMgY2xhc3MgYWRkIGRldiBldGgxIHBhcmVudCAxOiBjbGFzc2lkIDE6MiBodGIg cmF0ZSAxMG1iaXQgY2VpbCAxMG1iaXQKCiMgY3JlYXRlIGxvY2FsIGNsYXNzCnRjIGNsYXNzIGFk ZCBkZXYgZXRoMSBwYXJlbnQgMToyIGNsYXNzaWQgMTozIGh0YiByYXRlIDltYml0IGNlaWwgOW1i aXQKCiMgY3JlYXRlIGludGVybmV0IGNsYXNzICNjZWlsIDg2CnRjIGNsYXNzIGFkZCBkZXYgZXRo MSBwYXJlbnQgMToyIGNsYXNzaWQgMTo0IGh0YiByYXRlIDg2S2JpdCBjZWlsIDkwS2JpdAoKIyBj cmVhdGUgaGlnaCBwcmlvcml0eSBjbGFzcyBpbiBpbnRlcm5ldCBjbGFzcyBmb3IgYWNrLCBpY21w IHBhY2tldHMgI2NlaWwgODIKCXRjIGNsYXNzIGFkZCBkZXYgZXRoMSBwYXJlbnQgMTo0IGNsYXNz aWQgMToxMCBodGIgcmF0ZSA1S2JpdCBjZWlsIDgyS2JpdCBwcmlvIDEKCiMgY3JlYXRlIDIwIHN5 c3RlbSBjbGFzc2VzIGluIGludGVybmV0IGNsYXNzLCBzeXMwMSAtIHN5czIwICggMToxMSAtIDE6 
MzAgKSAjY2VpbCA4Mgpmb3IgTE9PUCBpbiBgc2VxIDExIDMwYApkbwoJdGMgY2xhc3MgYWRkIGRl diBldGgxIHBhcmVudCAxOjQgY2xhc3NpZCAxOiRbJExPT1BdIGh0YiBcCgkJcmF0ZSA0S2JpdCBj ZWlsIDgyS2JpdCBwcmlvIDIKZG9uZQoKIyBkZWZhdWx0IGNsYXNzICNjZWlsIDgwCnRjIGNsYXNz IGFkZCBkZXYgZXRoMSBwYXJlbnQgMTo0IGNsYXNzaWQgMTo1MCBodGIgcmF0ZSAyS2JpdCBjZWls IDgwS2JpdCBwcmlvIDMKCiMgZG8gcWRpc2MgYXR0YWNobWVudCAjIHBlcnR1cmIgMTAKdGMgcWRp c2MgYWRkIGRldiBldGgxIHBhcmVudCAxOjMgaGFuZGxlIDU6IHNmcSBwZXJ0dXJiIDEwCgpmb3Ig TE9PUCBpbiBgc2VxIDEwIDMwYApkbwoJdGMgcWRpc2MgYWRkIGRldiBldGgxIHBhcmVudCAxOiRb JExPT1BdIGhhbmRsZSAkWyRMT09QXTogc2ZxIFwKCQlwZXJ0dXJiIDEwCmRvbmUKdGMgcWRpc2Mg YWRkIGRldiBldGgxIHBhcmVudCAxOjUwIGhhbmRsZSA1MDogc2ZxIHBlcnR1cmIgMTAKCiMgZmls dGVyIHJ1bGVzCgojIDEwbWJpdCBsb2NhbCB0cmFmZmljIG1hdGNoZWQKdGMgZmlsdGVyIGFkZCBk ZXYgZXRoMSBwYXJlbnQgMTogcHJvdG9jb2wgaXAgcHJpbyAxMDAgdTMyIG1hdGNoIGlwIHNyYyAx OTIuMTY4LjAuMC8yNCBjbGFzc2lkIDE6MwojIGFueSBvdGhlciB0aGluZyBub3QgbWF0Y2hlZCB0 byBjbGFzc2lkIDE6NCAoIG11c3QgYmUgZnJvbSBpbnRlcm5ldCBib3VuZCApCiMgOTBLYml0IElu dGVybmV0IHRyYWZmaWMgbWF0Y2gKdGMgZmlsdGVyIGFkZCBkZXYgZXRoMSBwYXJlbnQgMTogcHJv dG9jb2wgaXAgcHJpbyAxMDAgdTMyIG1hdGNoIGlwIHRvcyAwIDAgY2xhc3NpZCAxOjQKCiMgSGln aCBwcmlvcml0eSBjbGFzcyAxOjEwIGZpbHRlcgp0YyBmaWx0ZXIgYWRkIGRldiBldGgxIHBhcmVu dCAxOjQgcHJvdG9jb2wgaXAgcHJpbyAyMDAgaGFuZGxlIDEwIGZ3IGNsYXNzaWQgMToxMAoKIyAo MToxMCBpcyBoaWdoIHByaW9yaXR5IGNsYXNzIGluIGludGVybmV0IGNsYXNzKQojIFRPUyBtaW5p bXVtIGRlbGF5IGluIDE6MTAKdGMgZmlsdGVyIGFkZCBkZXYgZXRoMSBwYXJlbnQgMTo0IHByb3Rv Y29sIGlwIHByaW8gMTAwIHUzMiBcCgltYXRjaCBpcCB0b3MgMHgxMCAweGZmIGZsb3dpZCAxOjEw CgojIFVEUCBUcmFmZmljIGluIDE6MTAKdGMgZmlsdGVyIGFkZCBkZXYgZXRoMSBwYXJlbnQgMTo0 IHByb3RvY29sIGlwIHByaW8gMTAwIHUzMiBcCgltYXRjaCBpcCBwcm90b2NvbCAxNyAweGZmIFwK CW1hdGNoIGlwIGRwb3J0IDUzIDB4ZmZmZiBmbG93aWQgMToxMAoKI3RjIGZpbHRlciBhZGQgZGV2 IGV0aDEgcGFyZW50IDE6NCBwcm90b2NvbCBpcCBwcmlvIDEwMCB1MzIgXAojCW1hdGNoIGlwIHBy b3RvY29sIDE3IDB4ZmYgXAojCW1hdGNoIGlwIHNwb3J0IDUzIDB4ZmZmZiBmbG93aWQgMToxMAoK 
IyBJQ01QIChpcCBwcm90b2NvbCAxKSBTZXQgY2xhc3MgdG8gMToxMCB0byBpbXByZXNzIGZyaWVu ZHMKdGMgZmlsdGVyIGFkZCBkZXYgZXRoMSBwYXJlbnQgMTo0IHByb3RvY29sIGlwIHByaW8gMTAw IHUzMiBcCgltYXRjaCBpcCBwcm90b2NvbCAxIDB4ZmYgZmxvd2lkIDE6MTAKCiMgVG8gc3BlZWQg dXAgZG93bmxvYWRzIHdoaWxlIGFuIHVwbG9hZCBpcyBnb2luZyBvbiwgcHV0IEFDSyBwYWNrZXRz IGluCiMgdGhlIDE6MTAgY2xhc3MKIyBBQ0tzIG9uIHBhY2tldHMgPCA2NCBieXRlcwp0YyBmaWx0 ZXIgYWRkIGRldiBldGgxIHBhcmVudCAxOjQgcHJvdG9jb2wgaXAgcHJpbyAxMDAgdTMyIFwKCW1h dGNoIGlwIHByb3RvY29sIDYgMHhmZiBcCgltYXRjaCB1OCAweDA1IDB4MGYgYXQgMCBcCgltYXRj aCB1MTYgMHgwMDAwIDB4ZmZjMCBhdCAyIFwKCW1hdGNoIHU4IDB4MTAgMHhmZiBhdCAzMyBcCglm bG93aWQgMToxMAoKdGMgZmlsdGVyIGFkZCBkZXYgZXRoMSBwYXJlbnQgMTo0IHByb3RvY29sIGlw IHByaW8gMTAwIHUzMiBcCgltYXRjaCBpcCBwcm90b2NvbCA2IDB4ZmYgXAoJbWF0Y2ggdTggMHgw NSAweDBmIGF0IDAgXAoJbWF0Y2ggdTE2IDB4MDAwMCAweGZmYzAgYXQgMiBcCglmbG93aWQgMTox MAoKCiMgcmVtYWluaW5nIGZpbHRlcnMgZm9yIHN5czAxIC0gc3lzMjAKdGMgZmlsdGVyIGFkZCBk ZXYgZXRoMSBwYXJlbnQgMTo0IHByb3RvY29sIGlwIHByaW8gMTAwIHUzMiBtYXRjaCBpcCBkc3Qg MTkyLjE2OC4wLjEwNi8zMiBmbG93aWQgMToxMQp0YyBmaWx0ZXIgYWRkIGRldiBldGgxIHBhcmVu dCAxOjQgcHJvdG9jb2wgaXAgcHJpbyAxMDAgdTMyIG1hdGNoIGlwIGRzdCAxOTIuMTY4LjAuMTA3 LzMyIGZsb3dpZCAxOjEyCnRjIGZpbHRlciBhZGQgZGV2IGV0aDEgcGFyZW50IDE6NCBwcm90b2Nv bCBpcCBwcmlvIDEwMCB1MzIgbWF0Y2ggaXAgZHN0IDE5Mi4xNjguMC4xMDgvMzIgZmxvd2lkIDE6 MTMKdGMgZmlsdGVyIGFkZCBkZXYgZXRoMSBwYXJlbnQgMTo0IHByb3RvY29sIGlwIHByaW8gMTAw IHUzMiBtYXRjaCBpcCBkc3QgMTkyLjE2OC4wLjEwOS8zMiBmbG93aWQgMToxNAp0YyBmaWx0ZXIg YWRkIGRldiBldGgxIHBhcmVudCAxOjQgcHJvdG9jb2wgaXAgcHJpbyAxMDAgdTMyIG1hdGNoIGlw IGRzdCAxOTIuMTY4LjAuMTEwLzMyIGZsb3dpZCAxOjE1CnRjIGZpbHRlciBhZGQgZGV2IGV0aDEg cGFyZW50IDE6NCBwcm90b2NvbCBpcCBwcmlvIDEwMCB1MzIgbWF0Y2ggaXAgZHN0IDE5Mi4xNjgu MC4xMTEvMzIgZmxvd2lkIDE6MTYKdGMgZmlsdGVyIGFkZCBkZXYgZXRoMSBwYXJlbnQgMTo0IHBy b3RvY29sIGlwIHByaW8gMTAwIHUzMiBtYXRjaCBpcCBkc3QgMTkyLjE2OC4wLjExMi8zMiBmbG93 aWQgMToxNwp0YyBmaWx0ZXIgYWRkIGRldiBldGgxIHBhcmVudCAxOjQgcHJvdG9jb2wgaXAgcHJp 
byAxMDAgdTMyIG1hdGNoIGlwIGRzdCAxOTIuMTY4LjAuMTEzLzMyIGZsb3dpZCAxOjE4CnRjIGZp bHRlciBhZGQgZGV2IGV0aDEgcGFyZW50IDE6NCBwcm90b2NvbCBpcCBwcmlvIDEwMCB1MzIgbWF0 Y2ggaXAgZHN0IDE5Mi4xNjguMC4xMTQvMzIgZmxvd2lkIDE6MTkKdGMgZmlsdGVyIGFkZCBkZXYg ZXRoMSBwYXJlbnQgMTo0IHByb3RvY29sIGlwIHByaW8gMTAwIHUzMiBtYXRjaCBpcCBkc3QgMTky LjE2OC4wLjEyMS8zMiBmbG93aWQgMToyMAp0YyBmaWx0ZXIgYWRkIGRldiBldGgxIHBhcmVudCAx OjQgcHJvdG9jb2wgaXAgcHJpbyAxMDAgdTMyIG1hdGNoIGlwIGRzdCAxOTIuMTY4LjAuMTIyLzMy IGZsb3dpZCAxOjIxCnRjIGZpbHRlciBhZGQgZGV2IGV0aDEgcGFyZW50IDE6NCBwcm90b2NvbCBp cCBwcmlvIDEwMCB1MzIgbWF0Y2ggaXAgZHN0IDE5Mi4xNjguMC4xMjMvMzIgZmxvd2lkIDE6MjIK dGMgZmlsdGVyIGFkZCBkZXYgZXRoMSBwYXJlbnQgMTo0IHByb3RvY29sIGlwIHByaW8gMTAwIHUz MiBtYXRjaCBpcCBkc3QgMTkyLjE2OC4wLjEyNC8zMiBmbG93aWQgMToyMwp0YyBmaWx0ZXIgYWRk IGRldiBldGgxIHBhcmVudCAxOjQgcHJvdG9jb2wgaXAgcHJpbyAxMDAgdTMyIG1hdGNoIGlwIGRz dCAxOTIuMTY4LjAuMTI1LzMyIGZsb3dpZCAxOjI0CnRjIGZpbHRlciBhZGQgZGV2IGV0aDEgcGFy ZW50IDE6NCBwcm90b2NvbCBpcCBwcmlvIDEwMCB1MzIgbWF0Y2ggaXAgZHN0IDE5Mi4xNjguMC4x MjYvMzIgZmxvd2lkIDE6MjUKdGMgZmlsdGVyIGFkZCBkZXYgZXRoMSBwYXJlbnQgMTo0IHByb3Rv Y29sIGlwIHByaW8gMTAwIHUzMiBtYXRjaCBpcCBkc3QgMTkyLjE2OC4wLjEyNy8zMiBmbG93aWQg MToyNgp0YyBmaWx0ZXIgYWRkIGRldiBldGgxIHBhcmVudCAxOjQgcHJvdG9jb2wgaXAgcHJpbyAx MDAgdTMyIG1hdGNoIGlwIGRzdCAxOTIuMTY4LjAuMTI4LzMyIGZsb3dpZCAxOjI3CnRjIGZpbHRl ciBhZGQgZGV2IGV0aDEgcGFyZW50IDE6NCBwcm90b2NvbCBpcCBwcmlvIDEwMCB1MzIgbWF0Y2gg aXAgZHN0IDE5Mi4xNjguMC4xMzAvMzIgZmxvd2lkIDE6MjgKdGMgZmlsdGVyIGFkZCBkZXYgZXRo MSBwYXJlbnQgMTo0IHByb3RvY29sIGlwIHByaW8gMTAwIHUzMiBtYXRjaCBpcCBkc3QgMTkyLjE2 OC4wLjEyOS8zMiBmbG93aWQgMToyOQp0YyBmaWx0ZXIgYWRkIGRldiBldGgxIHBhcmVudCAxOjQg cHJvdG9jb2wgaXAgcHJpbyAxMDAgdTMyIG1hdGNoIGlwIGRzdCAxOTIuMTY4LjAuMTA0LzMyIGZs b3dpZCAxOjMwCnRjIGZpbHRlciBhZGQgZGV2IGV0aDEgcGFyZW50IDE6NCBwcm90b2NvbCBpcCBw cmlvIDIwMCBoYW5kbGUgNTAgZncgY2xhc3NpZCAxOjUwCgojIGVuZCBvZiBMQU4gaW50ZXJmYWNl ICggZG93bmxvYWQgKSBzY3JpcHQK --_NextPart_1_qmZrHLajoetbkwlTZTViemHPfyb-- From kchijioke@msn.com Mon Nov 10 03:34:17 2003 From: kchijioke@msn.com 
(Chijioke Kalu) Date: Mon, 10 Nov 2003 04:34:17 +0100 Subject: [LARTC] New: Parent rate=ceil Limit still not respected Message-ID: This is a multi part message in MIME format. --_NextPart_1_qmZrHLajoetbkwlTZTViemHPfyb Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hi Stef, I did the configuration change the way you asked, attached is the new script, still am not getting the parent ceil rate for the internet class 90Kbit respected. I dont know what else I must be doing wrong. Have any idea what other thing could be causing this to fail? Thank You. K _________________________________________________________________ MSN Shopping upgraded for the holidays! Snappier product search... http://shopping.msn.com --_NextPart_1_qmZrHLajoetbkwlTZTViemHPfyb Content-Type: application/octet-stream; name="rc.qosv5" Content-Disposition: attachment; filename="rc.qosv5" Content-Transfer-Encoding: base64 IyEvYmluL2Jhc2gKIwojIHJjLnFvcyAtIEdQTCB2ZXIgMC4wNSAocmF0ZSBsaW1pdGluZyBzcGVj aWZpYyBpcCdzIG9uIGEgTEFOKQojCTxrY2hpamlva2VAbXNuLmNvbT4KIyAKIyBUT0RPOgojCTEp IG1ha2UgYXV0by1zdGFydGFibGUKIwkyKSBwbGFjZSBjb21tYW5kIGxpbmUgYXJndW1lbnRzCiMJ MykgbWFrZSBnZW5lcmljLCB0aGlzIGdvbm5hIGJlIGEgaGFyZG9uZSA7KQojCTQpIGltcHJvdmUg UW9TLCBhdHRlbXB0IERpZmZTZXJ2IGFnYWluCiMJNSkgaW5jb3Jwb3JhdGUgU1FVSUQsIGluY2x1 ZGUgdXBsb2FkIHRyYWZmaWMgY29udHJvbAojCTYpIGF1dG8gZGV0ZXJtaW5lIGJhbmR3aWR0aCBw ZXIgaXAKIwojCUFja25vd2xlZGdlbWVudHM6CiMJCU11Y2ggdGhhbmtzIHRvIFN0ZWYsIEFsZXgs IENsb3V0ZXIsIGFuZCBBaHUKIwkJU3BlY2lhbCB0aGFua3MgdG8gcmVlbGVyQCNsYXJ0YyBmb3Ig cG9pbnRpbmcgb3V0IHRoZSBub3Qgc28gb2J2aW91cyAoaW4gbXkgY2FzZSkgOykKIwojIFNjaGVt YXRpYwojIC0tLS0tLS0tLQojCiMgICAgICAgICAgICAgICAgICAgICAgICByb290KDE6MCkKIyAg ICAgICAgICAgICAgICAgICAgICAgICAgIHwKIyAgICAgICAgICAgICAgICAgICAgICAgICAgIHwK IwkJIF9yb290IGNoaWxkIGNsYXNzIDE6Ml8KIyAgICAgICAgICAgICAgIC8gICAgICAgKDEwbWJp dCkgICAgICAgXAojICAgICAgICAgICAgICAvICAgICAgICAgICAgICAgICAgICAgICAgXAojCWxv 

From xxx@andrew.cmu.edu Tue Nov 11 06:48:33 2003
From: xxx@andrew.cmu.edu (Peter Nelson)
Date: Tue, 11 Nov 2003 07:48:33 +0100
Subject: [LARTC] Filter huge number of hosts
Message-ID: <3FB08641.5010502@andrew.cmu.edu>

Ok, I'm pretty new at this and am probably in a bit over my head, but I was looking for some pointers. I want to classify and then prioritize traffic based on if it is to an Internet2 host, a host on campus or the general internet. I got a dump from one of our campus's routers that classifies everything as either I2 or local, only problem is that it is ~8000 entries. Now a lot of those entries can probably be combined down (for example a couple of sequential /24's).

My first question is does anyone have any script that you give it multiple netmasks and it combines it down to the simplest netmasks?

Now my second question is would using hashtables, maybe even nested ones be practical for this? This is how I'm thinking of hashing so far:

Mask          hashes   children to check
0xFF000000:   100      most 50-500
0xFFFF0000:   3000     most <20, some 50-200
0xFFFFFF00:   8000     all < 10

Obviously hashing based on 0xFF helps, but it still has to go through up to 500 checks for some hosts. Once I hash based on 0xFFFF the worst case gets a lot better, and of course hashing on 0xFFFFFF makes almost perfect hashes. Only thing is does a hash table lose its point once you start indexing everything? I was thinking maybe hashing based on the 0xFF and then from there making hashes based on 0x00FF (and then maybe another layer of 0x0000FF). I admit I really don't know all that much about the hashing algorithm and its complexity so I don't know how to approach this.

Thanks for any information,
Peter Nelson

From eddieknows@ananzi.co.za Tue Nov 11 14:44:15 2003
From: eddieknows@ananzi.co.za (Eddie)
Date: 11 Nov 2003 16:44:15 +0200
Subject: [LARTC] Traffic acounting
In-Reply-To: <05e401c3a83c$07674b60$06a02bca@w2k>
References: <001001c3a786$547cff00$6400010a@intel815> <05e401c3a83c$07674b60$06a02bca@w2k>
Message-ID: <1068561854.2520.55.camel@altusbox.co.za>

Hi. I'm new to this so forgive me for errors.
What about ntop?

On Tue, 2003-11-11 at 12:10, Kristiadi Himawan wrote:
> Hi,
> Sorry the subject OOT.
> Anyone know about html based (using mrtg) for traffic report that show per
> service traffic.
>
> Thanx.
>
> Regards,
>
> Kris

From stef.coene@docum.org Tue Nov 11 15:00:20 2003
From: stef.coene@docum.org (Stef Coene)
Date: Tue, 11 Nov 2003 16:00:20 +0100
Subject: [LARTC] Traffic acounting
In-Reply-To: <1068561854.2520.55.camel@altusbox.co.za>
References: <001001c3a786$547cff00$6400010a@intel815> <05e401c3a83c$07674b60$06a02bca@w2k> <1068561854.2520.55.camel@altusbox.co.za>
Message-ID: <200311111600.20632.stef.coene@docum.org>

On Tuesday 11 November 2003 15:44, Eddie wrote:
> Hi. I'm new to this so forgive me for errors.
> What about ntop?

Ntop can be used. It even has an output function so you can use rrdtool (the mrtg backend) to create graphs.

Stef

-- 
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From stef.coene@docum.org Tue Nov 11 15:14:16 2003
From: stef.coene@docum.org (Stef Coene)
Date: Tue, 11 Nov 2003 16:14:16 +0100
Subject: [LARTC] Re: New: Parent rate=ceil Limit still not respected
In-Reply-To:
References:
Message-ID: <200311111614.16672.stef.coene@docum.org>

On Tuesday 11 November 2003 04:34, Chijioke Kalu wrote:
> Hi Stef,
>
> I did the configuration change the way you asked, attached is the new
> script, still am not getting
> the parent ceil rate for the internet class 90Kbit respected. I don't know
> what else I must be doing wrong.

Can you post the output of tc -s -d class show dev eth0 ?

Stef

-- 
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.openprojects.net

From gregoriandres@yahoo.com.ar Tue Nov 11 16:09:11 2003
From: gregoriandres@yahoo.com.ar (ThE PhP_KiD)
Date: Tue, 11 Nov 2003 13:09:11 -0300
Subject: [LARTC] VoIP
Message-ID:

Hi,

what do I need to make VoIP from inside my LAN to the outside Internet?

I have a Linux router with
- kernel 2.4.20
- iptables 1,2,8 (with Patch-o-Magic. H323)

eth0 is connected to ISP
eth1 is connected to LAN

I have the following SNAT rule in order to share my internet connection:

iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -j SNAT --to-source 200.69.54.124

and, of course "/proc/sys/net/ipv4/ip_forwarding = 1"

Do I need another netfilter patch?

Regards
Andres.

From nic@bbmcarlson.com Tue Nov 11 17:55:12 2003
From: nic@bbmcarlson.com (Nic Rodgers)
Date: Tue, 11 Nov 2003 17:55:12 +0000
Subject: [LARTC] HTB on PPC (YellowDog) ?
Message-ID:

I'm at a bit of a loss. I've followed the lartc.org howto and read the stuff on docum.org too, but still can't get HTB working on my PowerPC-based YellowDog linux system.

I've compiled a custom kernel:

Linux 2.4.20 #1 Tue Nov 11 11:52:48 GMT 2003 ppc ppc ppc GNU/Linux

The relevant options I used in my linux .config file are:

CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CBQ=y
CONFIG_NET_SCH_HTB=y
CONFIG_NET_SCH_CSZ=y
CONFIG_NET_SCH_PRIO=y
CONFIG_NET_SCH_RED=y
CONFIG_NET_SCH_SFQ=y
CONFIG_NET_SCH_TEQL=y
CONFIG_NET_SCH_TBF=y
CONFIG_NET_SCH_GRED=y
CONFIG_NET_SCH_DSMARK=y
CONFIG_NET_SCH_INGRESS=y
CONFIG_NET_QOS=y
CONFIG_NET_ESTIMATOR=y
CONFIG_NET_CLS=y
CONFIG_NET_CLS_TCINDEX=y
CONFIG_NET_CLS_ROUTE4=y
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=y
CONFIG_NET_CLS_U32=y
CONFIG_NET_CLS_RSVP=y
CONFIG_NET_CLS_RSVP6=y
CONFIG_NET_CLS_POLICE=y

I have rebooted with this kernel but don't seem to have HTB:

I have QOS enabled for sure:

[root@bsd3 iproute2]# grep qdisc_get_rtab /proc/ksyms
c0158c58 qdisc_get_rtab_R3adce61c

But no HTB:

[root@bsd3 iproute2]# grep htb_qdisc_ops /proc/ksyms
[root@bsd3 iproute2]#

When I try eg:

[root@bsd3 iproute2]# tc qdisc add dev eth0 root handle 1: htb default 15
Unknown qdisc "htb", hence option "default" is unparsable

What do I need to do?

Many thanks,
Nic.

From Svetlin Simeonov Tue Nov 11 22:49:01 2003
From: Svetlin Simeonov (Svetlin Simeonov)
Date: Wed, 12 Nov 2003 00:49:01 +0200
Subject: [LARTC] htb rate > 30mbit not working
Message-ID: <13114988131.20031112004901@netissat.bg>

Hello,

I tried to set shaper on my local lan with HTB and rate 60mbit
I used linux-2.4.22 and tried with 2.4.23rc1 - all QoS and HTB related stuff compiled like modules. In both kernels the rate did not reach more than 30mbit( 3MB/sec )

When I delete shaper I can reach 9MB/sec ( about 74mbit )
if I set shaper more than 25mbit the speed did not increase :)

I tried this with kernel 2.6.test9 and everything is OK shaper works on 60mbit - so I think this is problem of the current kernel

Any ideas ?
:)

-- 
Regards,
Svetlin Simeonov

From yxjia@site.uottawa.ca Wed Nov 12 01:26:30 2003
From: yxjia@site.uottawa.ca (yuxiao jia)
Date: Tue, 11 Nov 2003 20:26:30 -0500
Subject: [LARTC] buffer size
Message-ID: <001901c3a8bc$004d74a0$8c5b7a89@BWWIL25>

Hi Stef

I have one flow, I mark as EF class, then I use CBQ to control rate

in tc script there is place to control queue size (buffer size)
for example

## Definition of the CBQ leaf classes to support EF and BE
## EF class
$TC class add dev eth1 parent 2:1 classid 2:5 cbq bandwidth 100Mbit rate 6Mbit avpkt 1000 prio 1 bounded allot 1514 weight 600kbit maxburst 10 defmap 0
$TC qdisc add dev eth1 parent 2:5 pfifo limit 10
.....

here use pfifo inside EF class, the parameter "limit" is queue size 10

However, each NIC card has txqueuelen which is transmission queue of device, the default is 100

So I am confused here, if I want control EF class buffer size, I think I should change "tc ......limit ...."

but what about NIC queue size? does NIC queue size is only for BE traffic?

thanks

yuxiao
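
Peter Nelson's "Filter huge number of hosts" message earlier in this archive asks for a script that combines many netmasks into the simplest set, and how deep the hash buckets get for each mask width. The following is an added example, not code posted to the list: it uses Python's standard ipaddress module on a constructed prefix list (SAMPLE and all function names are assumptions), collapsing prefixes per class and reporting bucket count and worst-case bucket depth for 8-, 16- and 24-bit hash keys.

```python
#!/usr/bin/env python3
"""Collapse a router prefix dump and size candidate hash tables (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample standing in for the ~8000-entry router dump: (prefix, class).
SAMPLE = [
    ("10.1.0.0/24", "i2"),
    ("10.1.1.0/24", "i2"),
    ("10.1.2.0/24", "i2"),
    ("10.1.3.0/24", "i2"),       # four sequential /24s collapse to one /22
    ("10.1.2.128/25", "i2"),     # already covered by 10.1.2.0/24
    ("10.2.0.0/16", "i2"),
    ("10.3.0.0/16", "i2"),       # aligned neighbours collapse to 10.2.0.0/15
    ("10.9.5.0/24", "i2"),
    ("172.16.4.0/24", "local"),
    ("172.16.5.0/24", "local"),  # aligned pair collapses to a /23
    ("172.16.6.0/24", "local"),  # 172.16.7.0/24 is absent, so this stays a /24
    ("172.16.4.0/24", "local"),  # duplicate entry
]


def aggregate(entries):
    """Return {class: minimal sorted list of networks} for (prefix, class) pairs.

    Prefixes are only merged within one class. strict=True rejects entries
    with host bits set (e.g. 10.1.2.5/24), which usually indicate a bad dump.
    """
    by_class = defaultdict(list)
    for prefix, label in entries:
        by_class[label].append(ipaddress.ip_network(prefix, strict=True))
    return {label: list(ipaddress.collapse_addresses(nets))
            for label, nets in by_class.items()}


def bucket_depths(networks, hash_bits):
    """Map hash key (top hash_bits of the address) to the rules stored there.

    A prefix shorter than the hash width covers several keys and has to be
    entered in every one of them, so it is counted once per covered bucket.
    """
    shift = 32 - hash_bits
    depths = defaultdict(int)
    for net in networks:
        first = int(net.network_address) >> shift
        last = int(net.broadcast_address) >> shift
        for key in range(first, last + 1):
            depths[key] += 1
    return depths


def hash_summary(networks, hash_bits):
    """Return (buckets in use, worst-case rules checked in a single bucket)."""
    depths = bucket_depths(networks, hash_bits)
    return len(depths), max(depths.values(), default=0)


if __name__ == "__main__":
    merged = aggregate(SAMPLE)
    for label, nets in merged.items():
        print(label, [str(n) for n in nets])
    all_nets = [n for nets in merged.values() for n in nets]
    for bits in (8, 16, 24):
        buckets, worst = hash_summary(all_nets, bits)
        print(f"hash on top {bits} bits: {buckets} buckets, "
              f"worst case {worst} rules to check")
```

Prefixes are collapsed per class on purpose, since merging an I2 prefix with an adjacent local one would misclassify traffic. On the sample, the 24-bit key gives one rule per bucket but the single /15 alone occupies 512 buckets, which is the trade-off the message asks about.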
 
 

From gdamjan@mail.net.mk Wed Nov 12 01:48:26 2003
From: gdamjan@mail.net.mk (Damjan)
Date: Wed, 12 Nov 2003 02:48:26 +0100
Subject: [LARTC] htb rate > 30mbit not working
In-Reply-To: <13114988131.20031112004901@netissat.bg>
References: <13114988131.20031112004901@netissat.bg>
Message-ID: <20031112014826.GB22196@legolas.on.net.mk>

> I tried to set shaper on my local lan with HTB and rate 60mbit
> I used linux-2.4.22 and tried with 2.4.23rc1 - all QoS and HTB related
> stuff compiled like modules. In both kernels the rate did not reach
> more than 30mbit( 3MB/sec )
>
> When I delete shaper I can reach 9MB/sec ( about 74mbit )
> if I set shaper more than 25mbit the speed did not increase :)
>
> I tried this with kernel 2.6.test9 and everything is OK shaper works
> on 60mbit - so I think this is problem of the current kernel
>
> Any ideas ? :)

Well there are two new things I can think of in 2.6 vs 2.4. One is that the HZ constant is bigger which perhaps can make latencies in the kernel smaller... but I don't know if HZ has any influence on HTB performance.

Also 2.6 has NAPI, a new API for network card drivers that modifies the driver's behaviour to better reflect the usage. It's interrupt driven on lighter loads, but "poll"-ing based on higher load.

Anyway you can run 2.6, it's not that bad.

-- 
Damjan Georgievski
jabberID: damjan@bagra.net.mk

From gdamjan@mail.net.mk Wed Nov 12 01:09:04 2003
From: gdamjan@mail.net.mk (Damjan)
Date: Wed, 12 Nov 2003 02:09:04 +0100
Subject: [LARTC] HTB on PPC (YellowDog) ?
In-Reply-To:
References:
Message-ID: <20031112010904.GA22196@legolas.on.net.mk>

> When I try eg:
>
> [root@bsd3 iproute2]# tc qdisc add dev eth0 root handle 1: htb default 15
> Unknown qdisc "htb", hence option "default" is unparsable

This error usually means that you don't have HTB support in your user-space "tc" utility. Get the source of iproute2 and the HTB patches for "tc" and compile it yourself.

-- 
Damjan Georgievski
jabberID: damjan@bagra.net.mk

From eddieknows@ananzi.co.za Wed Nov 12 06:37:53 2003
From: eddieknows@ananzi.co.za (Eddie)
Date: 12 Nov 2003 08:37:53 +0200
Subject: [LARTC] tc&htb
Message-ID: <1068619072.2520.1009.camel@altusbox.co.za>

Hi all.

I'm very new to Linux and the whole traffic shaping thing. Now this is what I've got. A 128Kbit line on eth0 and a 100+ network on eth1. The mail server is on the internal network (eth1 side).

This is what I want. They run banking software that uses port 15000-15010. I want the bank ports and if I'm going to ssh INTO the box to get all bandwidth, that is 128Kbit. Then I want the internal users limited to 96Kbit for web, 32 for mail in and out and 10Kbit for other stuff. I also want them all to share bandwidth if not used (banking is not done most of the time but if it is it should get the most).

I got this far and have no idea, I've been reading advance routing and traffic control, but as the song goes, I'm not the sharpest tool in the shed.

This is what I've got so far (taken from 15.10. Example of a full nat solution with QoS).

My main problem, if this is right, is with the filter. I don't know how.

Please help me because I'm thinking traffic control is a myth?

Thanks
Eddie

CEIL=128
tc qdisc add dev eth0 root handle 1: htb default 13
# root class: the whole 128kbit line
tc class add dev eth0 parent 1: classid 1:1 htb rate ${CEIL}kbit ceil ${CEIL}kbit
# 1:10 bank ports and ssh, 1:11 web, 1:12 mail, 1:13 everything else (default)
tc class add dev eth0 parent 1:1 classid 1:10 htb rate ${CEIL}kbit ceil ${CEIL}kbit prio 0
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 96kbit ceil ${CEIL}kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 32kbit ceil ${CEIL}kbit prio 2
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 10kbit ceil ${CEIL}kbit prio 2
# one sfq per leaf class
tc qdisc add dev eth0 parent 1:10 handle 120: sfq perturb 10
tc qdisc add dev eth0 parent 1:11 handle 130: sfq perturb 10
tc qdisc add dev eth0 parent 1:12 handle 140: sfq perturb 10
tc qdisc add dev eth0 parent 1:13 handle 150: sfq perturb 10

From idallen@idallen.ca Wed Nov 12 07:42:32 2003
From: idallen@idallen.ca (Ian! D. Allen)
Date: Wed, 12 Nov 2003 02:42:32 -0500
Subject: [LARTC] routing for split multiple uplinks/providers with port forwarding
Message-ID: <20031112074232.GA3011@elm.cpu1808.adsl.bellglobal.com>

The fine document:

    http://lartc.org/howto/lartc.rpdb.multiple-links.html

works nicely to make sure that answers to packets incoming to the Linux router from a particular provider go back out again over the same provider. It doesn't work as given for connections that are port forwarded from the Linux router to machines inside the local network (e.g. to a web server).

With port forwarding in the mix, packets arriving from the Internet to a particular port on the Linux router have DNAT applied so that they pass transparently on to the internal web server; but, the answer packets from the web server arrive back at the Linux router and do not necessarily go out by the same gateway/provider by which they came in.

I suspect the fix is somehow to mark the port forwarded packets with a flag indicating on which interface they arrived at the Linux router, and then preserve this flag into the answer packets on the web server.
On the Linux router I can then make sure that appropriately flagged answer packets go out the correct interface.

Or, perhaps I could add a network alias (e.g. eth1:0) for the local network interface on the router and somehow use ip routing to arrange that packets arriving from each of the two Internet interfaces get assigned to exit the router using only one of the two network card aliases, with reply packets coming back to the same alias and returning by the same Internet interface by which they arrived. Or maybe use two network cards.

Am I on the right track here?

-- 
-IAN!  Ian! D. Allen   Ottawa, Ontario, Canada
EMail: idallen@idallen.ca   WWW: http://www.idallen.com/
College professor via: http://teaching.idallen.com/
Board Member, TeleCommunities CANADA  http://www.tc.ca/

From raptor@tvskat.net Wed Nov 12 08:26:44 2003
From: raptor@tvskat.net (raptor)
Date: Wed, 12 Nov 2003 10:26:44 +0200
Subject: [LARTC] HTB --> fw and u32
Message-ID: <20031112102644.7c6835c8.raptor@tvskat.net>

hi,

I have the following problem. I have to classify packets based on iptables-mark and on u32 filter... My idea was to set

root-------> classX
  |------------------> classY

and then in the root to have a filter that on iptables-mark to direct it to classX, and then in classX to setup u32 filters that further classify the packets. Then in the root put the same u32 filters. So that (pseudo code):

>root
if fwmark == 2 then classid classX
else
    u32 filter1 ..... flowid classY-child1
    u32 filter2 ..... flowid classY-child2
    u32 filter3 ..... flowid classY-child3

>classX
    u32 filter1 ..... flowid classX-child1
    u32 filter2 ..... flowid classX-child2
    u32 filter3 ..... flowid classX-child3

Now what I read in the LARTC docs :

    9.6. Classifying packets with filters
    ................
    You can't filter a packet 'upwards', by the way. Also, with HTB, you should attach all filters to the root!
    ......

Now this ruins my idea....
My config will not work with filters attached only on ROOT 'cause the filters are the same. The only difference is the fwmark. But on the other hand there is no way to set in one filter both of these matches..

How to do what I want ?!

aaa and I can't use iptables only solution.. (meanwhile what is the maximum number of the --set-mark values possible and what is the maximum numbers of classes and qdisc i can use).

From damion@snapgear.com Wed Nov 12 08:32:07 2003
From: damion@snapgear.com (Damion de Soto)
Date: Wed, 12 Nov 2003 18:32:07 +1000
Subject: [LARTC] routing for split multiple uplinks/providers with port forwarding
References: <20031112074232.GA3011@elm.cpu1808.adsl.bellglobal.com>
Message-ID: <3FB1F007.1000300@snapgear.com>

Ian! D. Allen wrote:
> I suspect the fix is somehow to mark the port forwarded packets with
> a flag indicating on which interface they arrived at the Linux router,
> and then preserve this flag into the answer packets on the web server.
> On the Linux router I can then make sure that appropriately flagged
> answer packets go out the correct interface.
> Am I on the right track here?

Is the same track I went along a week or so ago and seems to work fine. Mark them as they come in, then make the PREROUTING table direct them to the appropriate routing table to get back out.

regards

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer  email: damion@snapgear.com
SnapGear --- ph: +61 7 3435 2809  | Custom Embedded Solutions
            fax: +61 7 3891 3630  | and Security Appliances
            web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- Free Embedded Linux Distro at http://www.snapgear.org ---

From eddieknows@ananzi.co.za Wed Nov 12 09:17:50 2003
From: eddieknows@ananzi.co.za (Eddie)
Date: 12 Nov 2003 11:17:50 +0200
Subject: [LARTC] post- and preouting
Message-ID: <1068628670.2520.1030.camel@altusbox.co.za>

Hi all

In Advance routing and traffic control's example (15.10) they use PREROUTING and in ADSL Bandwidth management's script they use POSTROUTING to send the ports to the filters.

Can someone tell me the difference?

Thanks
eddie

From darklight@jambolnet.com Wed Nov 12 10:20:29 2003
From: darklight@jambolnet.com (Ilian Zarov)
Date: Wed, 12 Nov 2003 12:20:29 +0200
Subject: [LARTC] Questions about wrr (wipl-wrr.sf.net)
Message-ID: <20031112101619.M57530@jambolnet.com>

Hello,

(I have sent this mail to the wrr list, but I got no response)

I have a not so difficult (I guess) situation, but I still can't get the concept of WRR. I have patched the kernel and squid, I think everything's ok there. I can't get how should I combine WRR and HTB ? Can I use htb.init ? Or should I use the example ?

I have the following situation:

Users -> Server -> First ISP -> Second ISP

Some pages and most downloads go through the second ISP. They are redirected there by squid (using a cache_peer). I would like to shape all the traffic so that every user gets, say, 10 MBs per day traffic with unlimited speed and then wrr shapes him/her to 4 Kbytes/s. I also need to have some clients shaped at 10 kb/s all day, no matter how much traffic they generate and attach several IPs to this class.

I saw there was an userconf.sh, but how do I use it in my situation ?
I have all the .txts in the doc section, but I guess I'm newbie to tc (using it directly, I have used cbq.init and htb.init). Can I compile the example like cbq.init does (/var/cache/cbq.init) so I can look through it, examine it and get more control over the situation ?

Thanks :)

From slavov@optisprint.net Wed Nov 12 13:10:01 2003
From: slavov@optisprint.net (Emil Slavov)
Date: Wed, 12 Nov 2003 15:10:01 +0200 (EET)
Subject: [LARTC] Illegal match when matching tos
Message-ID: <2736.62.73.103.10.1068642601.squirrel@webmail.optisprint.net>

Hello

I have a problem matching tos:

root@gate:~# tc filter add dev eth1 parent 1: protocol ip u32 match ip tos 0x20 flowid 1:21
Illegal "match"

Here is my lsmod

root@gate:~# lsmod
Module                  Size  Used by    Not tainted
sch_dsmark              4416   0  (unused)
sch_htb                20352   0  (autoclean)
ipt_MARK                 760  15  (autoclean)
iptable_mangle          2168   1  (autoclean)
iptable_nat            16184   1  (autoclean)
cls_route               4568   0  (unused)
cls_u32                 5244   0
cls_fw                  2808   4
sch_prio                2944   0
sch_sfq                 3392   0
sch_tbf                 2752   0
sch_cbq                12928   0
ipt_REJECT              2968   1  (autoclean)
ipt_limit                888   1  (autoclean)
ipt_LOG                 3384   8  (autoclean)
ipt_state                568  24  (autoclean)
ip_conntrack           18848   2  (autoclean) [iptable_nat ipt_state]
iptable_filter          1740   1  (autoclean)
ip_tables              11960  10  [ipt_MARK iptable_mangle iptable_nat ipt_REJECT ipt_limit ipt_LOG ipt_state iptable_filter]
3c59x                  27856   3

From sebastian@aresca.com.ar Wed Nov 12 17:06:08 2003
From: sebastian@aresca.com.ar (Sebastian A. Aresca)
Date: Wed, 12 Nov 2003 14:06:08 -0300
Subject: [LARTC] www large package catch / ADSL HTB script
Message-ID: <006301c3a93f$43fa0b40$0400a8c0@wkswindowsxp>

Hi

I send this script that I built for ADSL 512Kbps Downstream 128Kbps Upstream.

It works perfect but I have a problem with the WWW bandwidth management. I am using bering 1.2 for NAT Router. So I can't use IMQ.

Well the problem in fact is that I prioritize the ACK, ICMP, DNS, TELNET, Counter Strike and the most important WWW (well here is the problem).
If anybody on my network starts downloading with something like DAP (Download Accelerator) then it consumes the total bandwidth. The idea is that for small www access it uses this class but for large download uses another class. This is the policy I'm using to mark the www access to internet.

############################################################################
# WWW
iptables -t mangle -A PREROUTING -p tcp --sport 80 \
        -j MARK --set-mark 8
############################################################################
tc filter add dev eth0 parent 1: protocol ip prio 3 handle 8 fw flowid 1:13
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 30kbps ceil $BW burst 3k prio 2

I was thinking to set down the rate 30Kbps ceil 56Kbps ($BW) to rate 15Kbps ceil 30Kbps but this is not the best performance.

So, anybody know how to catch the large package to www port?

Thanks in advance, and I hope this script helps you.

Sebastian A. Aresca

#! /bin/sh
#
############################################################################
# Parameters
############################################################################
# r2q = lower_rate / 1500
#R2Q=15

# Total Bandwidth
BW=56Kbps
OUTBW=14Kbps

# Parent class definition
tc qdisc del dev eth0 root
tc qdisc del dev eth0 ingress
iptables -t mangle -F

if [ "$1" = "stop" ]
then
        echo 'Stop'
        exit
fi

tc qdisc add dev eth0 root handle 1: htb default 19

############################################################################
# Classes
############################################################################
tc class add dev eth0 parent 1: classid 1:1 htb rate $BW ceil $BW
# Max priority (dns, icmp, ack, telnet, sshd)
tc class add dev eth0 parent 1:1 classid 1:10 htb rate $BW ceil $BW burst 3k prio 0
# Counter Strike
tc class add dev eth0 parent 1:1 classid 1:11 htb rate $BW ceil $BW burst 3k prio 1
# Terminals
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 40kbps ceil $BW burst 3k prio 2
# Ports
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 30kbps ceil $BW burst 3k prio 2
# Others
tc class add dev eth0 parent 1:1 classid 1:19 htb rate 15kbps ceil $BW burst 3k prio 3

############################################################################
# SFQ Queueing
tc qdisc add dev eth0 parent 1:11 handle 11: sfq perturb 10
tc qdisc add dev eth0 parent 1:12 handle 12: sfq perturb 10
tc qdisc add dev eth0 parent 1:13 handle 13: sfq perturb 10
tc qdisc add dev eth0 parent 1:19 handle 19: sfq perturb 10

############################################################################
# Filters
############################################################################
# IPTABLES
tc filter add dev eth0 parent 1: protocol ip prio 1 handle 2 fw flowid 1:10
tc filter add dev eth0 parent 1: protocol ip prio 2 handle 9 fw flowid 1:11
tc filter add dev eth0 parent 1: protocol ip prio 3 handle 3 fw flowid 1:12
tc filter add dev eth0 parent 1: protocol ip prio 3 handle 8 fw flowid 1:13

############################################################################
# PORTS Filters
############################################################################
# ICMP
iptables -t mangle -A PREROUTING -p icmp \
        -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p icmp \
        -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p icmp -j RETURN
iptables -t mangle -A OUTPUT -p icmp -j RETURN

############################################################################
# Telnet
iptables -t mangle -A PREROUTING -p tcp --sport 23 \
        -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p tcp --sport 23 \
        -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp --sport 23 -j RETURN
iptables -t mangle -A OUTPUT -p tcp --sport 23 -j RETURN

############################################################################
# SSH
iptables -t mangle -A PREROUTING -p tcp --sport 22 \
        -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p tcp --sport 22 \
        -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp --sport 22 -j RETURN
iptables -t mangle -A OUTPUT -p tcp --sport 22 -j RETURN

############################################################################
# DNS
iptables -t mangle -A PREROUTING -p udp --sport 53 \
        -j MARK --set-mark 1
#iptables -t mangle -A OUTPUT -p udp --sport 53 \ TESTING
#       -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp --sport 53 -j RETURN
#iptables -t mangle -A OUTPUT -p udp --sport 53 -j RETURN

############################################################################
# WWW
iptables -t mangle -A PREROUTING -p tcp --sport 80 \
        -j MARK --set-mark 8

############################################################################
# Counter Strike Ports
iptables -t mangle -A PREROUTING -p udp --dport 27010:27019 \
        -j MARK --set-mark 9
iptables -t mangle -A PREROUTING -p udp --sport 27010:27019 -j RETURN

############################################################################
# PC Filters
# PC firewall
# iptables -t mangle -A OUTPUT -s 192.168.0.101 \
#       -j MARK --set-mark 1
# PC funcomputer2
# iptables -t mangle -A POSTROUTING -o eth0 -d 192.168.0.1 \
#       -j MARK --set-mark 11
# PC funcomputer1
# iptables
-t mangle -A POSTROUTING -o eth0 -d 192.168.0.3 \ # -j MARK --set-mark 13 # PC wkswindowsxp iptables -t mangle -A PREROUTING -s 192.168.1.4 \ -j MARK --set-mark 3 ############################################################################ ###################################### ############################################################################ # # Results # ############################################################################ # #echo 'Cola:' #tc qdisc show dev eth0 #echo '' #echo '' #echo 'Clases:' #tc class show dev eth0 #echo '' #echo '' echo 'Filtros:' tc filter show dev eth0 ############################################################################ # # OUT # ############################################################################ # tc qdisc add dev eth0 handle ffff: ingress tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip \ src 0.0.0.0 police rate $OUTBW burst 3k drop flowid :1 From stef.coene@docum.org Wed Nov 12 18:04:57 2003 From: stef.coene@docum.org (Stef Coene) Date: Wed, 12 Nov 2003 19:04:57 +0100 Subject: [LARTC] HTB --> fw and u32 In-Reply-To: <20031112102644.7c6835c8.raptor@tvskat.net> References: <20031112102644.7c6835c8.raptor@tvskat.net> Message-ID: <200311121904.57331.stef.coene@docum.org> On Wednesday 12 November 2003 09:26, raptor wrote: > hi, > > I have the following problem I have to classify packets based on > iptables-mark and on u32 filter... My idea was to set > > root-------> classX > > |------------------> classY > > and then in the root to have a filter that on iptables-mark to direct it to > classX, and then in classX to setup u32 filters that further classify the > packets. > > Then in the root put the same u32 filters. So that (pseudo code): > >root > > if fwmark == 2 then classid classX > else > u32 filter1 ..... flowid classY-child1 > u32 filter2 ..... flowid classY-child2 > u32 filter3 ..... flowid classY-child3 > > >classX > > u32 filter1 ..... flowid classX-child1 > u32 filter2 ..... 
flowid classX-child2 > u32 filter3 ..... flowid classX-child3 > > Now what I read in the LARTC docs : > > 9.6. Classifying packets with filters > ................ > You can't filter a packet 'upwards', by the way. Also, with HTB, you should > attach all filters to the root! ...... You don't have to attach the filters to the root qdisc with htb. So you can implement your idea. Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ #lartc @ irc.openprojects.net From stef.coene@docum.org Wed Nov 12 18:07:30 2003 From: stef.coene@docum.org (Stef Coene) Date: Wed, 12 Nov 2003 19:07:30 +0100 Subject: [LARTC] tc&htb In-Reply-To: <1068619072.2520.1009.camel@altusbox.co.za> References: <1068619072.2520.1009.camel@altusbox.co.za> Message-ID: <200311121907.30186.stef.coene@docum.org> On Wednesday 12 November 2003 07:37, Eddie wrote: > Hi all. > I'm very new to Linux and the whole traffic shaping thing. > Now this is what I've got.A 128Kbit line on eth0 and a 100+ network on > eth1.The mail server is on the internal network(eth1 side). > > This is what I want. > They run banking software that uses port 15000-15010.I want the bank > ports and if I'm going to ssh INTO the box to get all bandwidth,that is > 128Kbit.Then I want the internal users limited to 96Kbit for web,32 for > mail in and out and 10Kbit for other stuff.I also want them all to share > bandwidth if not use(banking is not done most of the time but if it is > it should get the most) > > I got this far and have no idea,I've been reading advance routing and > traffic control,but as the song goes,I'm not the sharpest tool int the > shed. > > This is what I've got so far(taken from > 15.10. Example of a full nat solution with QoS) > My main problem,if this is right,is with the filter.I don't know how > Please help me because I'm thinking traffic control is a myth? Your tc commands are ok. 
For the filters, you can use the u32 filter that can match on port and/or ip
address or the fw filter so you can use iptables to classify the packets. For
some examples, see www.docum.org

Stef

--
stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net

From stef.coene@docum.org Wed Nov 12 18:02:16 2003
From: stef.coene@docum.org (Stef Coene)
Date: Wed, 12 Nov 2003 19:02:16 +0100
Subject: [LARTC] Illegal match when matching tos
In-Reply-To: <2736.62.73.103.10.1068642601.squirrel@webmail.optisprint.net>
References: <2736.62.73.103.10.1068642601.squirrel@webmail.optisprint.net>
Message-ID: <200311121902.16425.stef.coene@docum.org>

On Wednesday 12 November 2003 14:10, Emil Slavov wrote:
> Hello I have the problem matching tos:
>
> root@gate:~# tc filter add dev eth1 parent 1: protocol ip u32 match ip tos
> 0x20 flowid 1:21
> Illegal "match"

Try
tc filter add dev eth1 parent 1: protocol ip u32 match ip tos 0x20 0xff flowid 1:21

Stef

--
stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net

From stef.coene@docum.org Wed Nov 12 18:03:44 2003
From: stef.coene@docum.org (Stef Coene)
Date: Wed, 12 Nov 2003 19:03:44 +0100
Subject: [LARTC] post- and preouting
In-Reply-To: <1068628670.2520.1030.camel@altusbox.co.za>
References: <1068628670.2520.1030.camel@altusbox.co.za>
Message-ID: <200311121903.44737.stef.coene@docum.org>

On Wednesday 12 November 2003 10:17, Eddie wrote:
> Hi all
> In Advance routing and traffic control's example (15.10) they use
> PREROUTING and in ADSL Bandwidth management's script they use POSTROUTING to
> send the ports to the filters
> Can someone tell me the diff.
http://www.docum.org/stef.coene/qos/kptd/

Stef

--
stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.openprojects.net

From raptor@tvskat.net Wed Nov 12 23:56:30 2003
From: raptor@tvskat.net (raptor)
Date: Thu, 13 Nov 2003 01:56:30 +0200
Subject: [LARTC] HTB --> fw and u32
In-Reply-To: <200311121904.57331.stef.coene@docum.org>
References: <20031112102644.7c6835c8.raptor@tvskat.net> <200311121904.57331.stef.coene@docum.org>
Message-ID: <20031113015630.66f5e46e.raptor@tvskat.net>

|> Now what I read in the LARTC docs :
|>
|> 9.6. Classifying packets with filters
|> ................
|> You can't filter a packet 'upwards', by the way. Also, with HTB, you should
|> attach all filters to the root! ......

|You don't have to attach the filters to the root qdisc with htb. So you can
|implement your idea.

]- so, the LARTC docs are wrong !?

tia

From lartc@24x7linux.com Wed Nov 12 23:17:05 2003
From: lartc@24x7linux.com (Jose Luis Domingo Lopez)
Date: Thu, 13 Nov 2003 00:17:05 +0100
Subject: [LARTC] htb rate > 30mbit not working
In-Reply-To: <20031112014826.GB22196@legolas.on.net.mk>
References: <13114988131.20031112004901@netissat.bg> <20031112014826.GB22196@legolas.on.net.mk>
Message-ID: <20031112231705.GA8730@localhost>

On Wednesday, 12 November 2003, at 02:48:26 +0100,
Damjan wrote:

> Anyway you can run 2.6 it's not that bad.
>
There was a report some time ago about HTB not shaping to the specified
bandwidth in 2.6.x when traffic consists of small-sized packages. See:
http://bugzilla.kernel.org/show_bug.cgi?id=657

This supposed bug has yet to be acknowledged by some developers.
--
Jose Luis Domingo Lopez
Linux Registered User #189436     Debian Linux Sid (Linux 2.6.0-test9-mm2)

From eddieknows@ananzi.co.za Thu Nov 13 05:58:03 2003
From: eddieknows@ananzi.co.za (Eddie)
Date: 13 Nov 2003 07:58:03 +0200
Subject: [LARTC] htb&ssh
Message-ID: <1068703083.2510.9.camel@altusbox.co.za>

--=-aSO0nIOmCHgHmMZANVxt
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Hi all. Attached is my newly tried script. We have a digital 128Kbit line. This
is what I did but the problem is when I do remote admin on the box itself
with ssh, it's very slow. I tried to class it as OUTPUT but I think something is
wrong.
Please help and better my script. I don't know much (that's why it's such a mess)
but I hope to learn, with some help.

Thanks

--=-aSO0nIOmCHgHmMZANVxt
Content-Disposition: attachment; filename=bandwidth.sh
Content-Type: text/x-sh; name=bandwidth.sh; charset=UTF-8
Content-Transfer-Encoding: 7bit

#!/bin/bash
# DEV    - set to ethX that connects to DSL/Cable Modem
# RATEUP - set this to slightly lower than your
#          outbound bandwidth on the DSL/Cable Modem.
#          I have a 1500/128 DSL line and setting
#          RATEUP=90 works well for my 128kbps upstream.
#          However, your mileage may vary.
# NOTE:  The following configuration works well for my
#        setup: 1.5M/128K ADSL via Pacific Bell Internet (SBC Global Services)

DEV=eth0
RATEUP=128

if [ "$1" = "status" ]
then
        echo "[qdisc]"
        tc -s qdisc show dev $DEV
        echo "[class]"
        tc -s class show dev $DEV
        echo "[filter]"
        tc -s filter show dev $DEV
        echo "[iptables]"
        iptables -t mangle -L MYSHAPER-OUT -v -x 2> /dev/null
        exit
fi

# Reset everything to a known state (cleared)
tc qdisc del dev $DEV root 2> /dev/null > /dev/null
iptables -t mangle -D POSTROUTING -o $DEV -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -D PREROUTING -i $DEV -j MYSHAPER-IN 2> /dev/null > /dev/null

if [ "$1" = "stop" ]
then
        echo "Shaping removed on $DEV."
        exit
fi

###########################################################
#
# Outbound Shaping (limits total bandwidth to RATEUP)

# set queue size to give latency of about 2 seconds on low-prio packets
ip link set dev $DEV qlen 30

# changes mtu on the outbound device. Lowering the mtu will result
# in lower latency but will also cause slightly lower throughput due
# to IP and TCP protocol overhead.
ip link set dev $DEV mtu 1000

# add HTB root qdisc
tc qdisc add dev $DEV root handle 1: htb default 23

# add main rate limit classes
tc class add dev $DEV parent 1: classid 1:1 htb rate ${RATEUP}kbit

# add leaf classes - We grant each class at LEAST its "fair share" of bandwidth.
#                    this way no class will ever be starved by another class. Each
#                    class is also permitted to consume all of the available bandwidth
#                    if no other classes are in use.
tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${RATEUP}kbit ceil ${RATEUP}kbit prio 0
tc class add dev $DEV parent 1:1 classid 1:21 htb rate 96kbit ceil ${RATEUP}kbit prio 1
tc class add dev $DEV parent 1:1 classid 1:22 htb rate 32kbit ceil ${RATEUP}kbit prio 2
tc class add dev $DEV parent 1:1 classid 1:23 htb rate 10kbit ceil ${RATEUP}kbit prio 3

# attach qdisc to leaf classes - here we add SFQ to each priority class. SFQ ensures that
#                                within each class connections will be treated (almost) fairly.
tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $DEV parent 1:21 handle 21: sfq perturb 10
tc qdisc add dev $DEV parent 1:22 handle 22: sfq perturb 10
tc qdisc add dev $DEV parent 1:23 handle 23: sfq perturb 10

# filter traffic into classes by fwmark - here we direct traffic into priority class according to
#                                         the fwmark set on the packet (we set fwmark with iptables
#                                         later). Note that above we've set the default priority
#                                         class to 1:23 so unmarked packets (or packets marked with
#                                         unfamiliar IDs) will be defaulted to the lowest priority
#                                         class.
tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 21 fw flowid 1:21
tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 22 fw flowid 1:22
tc filter add dev $DEV parent 1:0 prio 0 protocol ip handle 23 fw flowid 1:23

# add MYSHAPER-OUT chain to the mangle table in iptables - this sets up the table we'll use
#                                                          to filter and mark packets.
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I POSTROUTING -o $DEV -j MYSHAPER-OUT

# add fwmark entries to classify different types of traffic - Set fwmark from 20-23 according to
#                                                             desired class. 20 is highest prio.
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 0:1024 -j MARK --set-mark 23 # Default for low port traffic
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 0:1024 -j MARK --set-mark 23 # ""
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 15000:15010 -j MARK --set-mark 20 # For banking software
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 20 -j MARK --set-mark 22 # ftp-data port, low prio
iptables -t mangle -A MYSHAPER-OUT -p icmp -j MARK --set-mark 20 # ICMP (ping) - high prio, impress friends
iptables -t mangle -A MYSHAPER-OUT -p udp -j MARK --set-mark 21 # DNS name resolution (small packets)
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 22 -j MARK --set-mark 20 # secure shell
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 22 -j MARK --set-mark 20 # secure shell
iptables -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 20 # secure shell on box
iptables -t mangle -A OUTPUT -p tcp --sport 3000 -j MARK --set-mark 20 # ntop on box
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 25 -j MARK --set-mark 22 # mail out
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 25 -j MARK --set-mark 22 # mail in
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 80 -j MARK --set-mark 21 # http
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 443 -j MARK --set-mark 21 # https
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 1433 -j MARK --set-mark 21 # sql
iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 1433 -j MARK --set-mark 21 # sql
iptables -t mangle -A MYSHAPER-OUT -p tcp -m length --length :64 -j MARK --set-mark 21 # small packets (probably just ACKs)
iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 23 # redundant - mark any unmarked packets as 23 (low prio)

# Done with outbound shaping
#
####################################################

echo "Outbound shaping added to $DEV. Rate: ${RATEUP}Kbit/sec."

# uncomment following line if you only want upstream shaping.
exit

--=-aSO0nIOmCHgHmMZANVxt--

From Rokas Thu Nov 13 09:23:38 2003
From: Rokas (Rokas)
Date: Thu, 13 Nov 2003 11:23:38 +0200
Subject: [LARTC] HTB traffic shaping + squid cache proxy
Message-ID: <617658382.20031113112338@centras.lt>

Hello!

My system is:

Internet ADSL(PPPoE) ---> ppp0 [LINUX server(router)] eth0 ---> LAN

Server(router) is running on LINUX Slackware 8.1. I have recompiled a
2.4.22 kernel, enabled all QoS support in the kernel config, including HTB.
My ADSL bandwidth is 256Kbit/s for download and 64Kbit/s for upload.

I use the following HTB+IPTABLES configuration, because I want to reduce
bandwidth for all traffic, except HTTP, MAIL, ICQ, IRC, SSH and etc.

-------------------------------------------------------------------------
#!/bin/bash
TC=/sbin/tc
IPTABLES=/usr/sbin/iptables

$TC qdisc del dev eth0 root 2> /dev/null > /dev/null
$TC qdisc del dev ppp0 root 2> /dev/null > /dev/null
$IPTABLES -F POSTROUTING -t mangle

$TC qdisc add dev eth0 root handle 1: htb default 50 r2q 2
$TC class add dev eth0 parent 1: classid 1:2 htb rate 248Kbit burst 35k
$TC class add dev eth0 parent 1:2 classid 1:10 htb rate 220Kbit ceil 240Kbit burst 25k prio 0
$TC class add dev eth0 parent 1:2 classid 1:30 htb rate 28Kbit ceil 28Kbit burst 10k prio 1
$TC qdisc add dev eth0 parent 1:10 handle 11: sfq perturb 10
$TC qdisc add dev eth0 parent 1:30 handle 33: sfq perturb 10

$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -j MARK --set-mark 3
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 80 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 443 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 22 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 21 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 53 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p udp --sport 53 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 110 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 5190 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p tcp --sport 6661:6669 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 192.168.0.0/24 -p icmp -j MARK --set-mark 1

$TC filter add dev eth0 parent 1:0 protocol ip handle 1 fw flowid 1:10
$TC filter add dev eth0 parent 1:0 protocol ip handle 3 fw flowid 1:30

##############################

$TC qdisc add dev ppp0 root handle 1: htb default 20
$TC class add dev ppp0 parent 1: classid 1:1 htb rate 62Kbit burst 35k
$TC class add dev ppp0 parent 1:1 classid 1:10 htb rate 40Kbit ceil 60Kbit burst 25k prio 1
$TC class add dev ppp0 parent 1:1 classid 1:20 htb rate 15Kbit ceil 55Kbit burst 10k prio 2
$TC class add dev ppp0 parent 1:1 classid 1:30 htb rate 7Kbit ceil 28Kbit burst 5k prio 3
$TC qdisc add dev ppp0 parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev ppp0 parent 1:20 handle 20: sfq perturb 10
$TC qdisc add dev ppp0 parent 1:30 handle 30: sfq perturb 10

$TC filter add dev ppp0 parent 1:0 protocol ip prio 10 u32 \
   match ip tos 0x10 0xff flowid 1:10

$TC filter add dev ppp0 parent 1: protocol ip prio 10 u32 \
   match ip protocol 6 0xff \
   match u8 0x05 0x0f at 0 \
   match u16 0x0000 0xffc0 at 2 \
   match u8 0x10 0xff at 33 \
   flowid 1:10

$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -j MARK --set-mark 12
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p icmp -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --sport 22 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --sport 80 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --dport 80 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --dport 21 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s ! 192.168.0.0/24 -p tcp --dport 20 -j MARK --set-mark 11

$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MARK --set-mark 13
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 80 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 443 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 53 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p udp --dport 53 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 22 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 23 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 21 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 25 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 110 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 5190 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -p tcp --dport 6661:6669 -j MARK --set-mark 11

$TC filter add dev ppp0 parent 1:0 protocol ip handle 11 fw flowid 1:10
$TC filter add dev ppp0 parent 1:0 protocol ip handle 12 fw flowid 1:20
$TC filter add dev ppp0 parent 1:0 protocol ip handle 13 fw flowid 1:30
--------------------------------------------------------------------------

This configuration works rather well. But I decided to start a SQUID HTTP
caching transparent proxy on the same server box.
I have configured squid on the 8080 port, and I redirect all the HTTP traffic
to the SQUID proxy server:

iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080

The redirection works OK, and the transparent proxy does its work.

But what about HTTP downstream traffic shaping? In my earlier configuration
(without SQUID), I just put HTB classes on my internal eth0 interface, so I
could point HTTP traffic into a high rate/priority class. But if I redirect
HTTP traffic through the SQUID proxy, this shaping becomes not effective,
because I can shape only outgoing traffic on each interface.

What would be your suggestions about this issue? Perhaps it is a bad idea to
use SQUID proxy? The most important thing for me is to reduce the download of
big files via FTP, KaZaA and etc. (all non-privileged ports), and to give the
WWW and other important traffic the highest bandwidth rate and priority and to
speed the WWW...

I would be very grateful if you could give me suggestions how to speed up
WWW...

Rokas Zakarevicius

From lartc@gmb.ro Thu Nov 13 09:49:27 2003
From: lartc@gmb.ro (Cezar Atanasiu)
Date: Thu, 13 Nov 2003 11:49:27 +0200
Subject: [LARTC] beta-release of H-FSC port for Linux 2.6
In-Reply-To: <3FA7B555.3040108@trash.net>
References: <3FA3C6F0.80409@trash.net> <20031103111844.0f301993.pulsar@bofh.homeunix.org> <3FA7B555.3040108@trash.net>
Message-ID: <20031113114927.0c250d2f.lartc@gmb.ro>

On Tue, 04 Nov 2003 15:19:01 +0100
Patrick McHardy wrote:

I would be interested in seeing that script, if possible

> Hi Alexey,
>
> Alexey Sheshka wrote:
>
> >Sound interesting, but where I can find samples of hfsc usage ? I
> >want to try my htb setup and hfsc.
> >
> >
> >
> There is no documentation yet. Since H-FSC is currently
> approaching stability I will concentrate on this in the
> next time. If you don't like to wait that long I can also
> send you the script I use to shape my DSL connection.
>
> Best regards,
> Patrick
>
>

--
Cezar ATANASIU
GMB Computers
Internet Department
Tel/fax: +40 241 619222/673199

From Svetlin Simeonov Thu Nov 13 10:27:02 2003
From: Svetlin Simeonov (Svetlin Simeonov)
Date: Thu, 13 Nov 2003 12:27:02 +0200
Subject: [LARTC] htb rate > 30mbit not working
In-Reply-To: <13114988131.20031112004901@netissat.bg>
References: <13114988131.20031112004901@netissat.bg>
Message-ID: <11598140578.20031113122702@netissat.bg>

Hello again,

I tested it with MTU 128 and it works fine :) ... for now I will set
it with 2.6 kernel

Thanks a lot :)

on Wednesday, November 12, 2003, 12:49:01 AM, you wrote:

SS> Hello,

SS> I tried to set shaper on my local lan with HTB and rate 60mbit
SS> I used linux-2.4.22 and tried with 2.4.23rc1 - all QoS and HTB related
SS> stuff compiled like modules. In both kernels the rate did not reach
SS> more than 30mbit( 3MB/sec )

SS> When I delete shaper I can reach 9MB/sec ( about 74mbit )
SS> if I set shaper more than 25mbit the speed did not increase :)

SS> I tried this with kernel 2.6.test9 and everything is OK shaper works
SS> on 60mbit - so I think this is problem of the current kernel

SS> Any ideas ? :)

--
Regards,
Svetlin Simeonov

From raptor@tvskat.net Thu Nov 13 15:38:29 2003
From: raptor@tvskat.net (raptor)
Date: Thu, 13 Nov 2003 17:38:29 +0200
Subject: [LARTC] prio on fw and u32
Message-ID: <20031113173829.3c8aab73.raptor@tvskat.net>

why if I place a fw filter on root I can't place the u32 filter with the same prio.

filter add ... parent root prio 1 fw ...
filter add ... parent root prio 1 u32 ... <-gives error,

but

filter add ... parent root prio 2 u32 .x.x.x.1.
filter add ... parent root prio 2 u32 x.x.x.1

no problem with this...
I know that the priorities tell the order at which to check them (is the order
they are inserted meaningless), but then why it doesn't matter on subsequent
u32 filters...

tia

From raptor@tvskat.net Thu Nov 13 15:19:56 2003
From: raptor@tvskat.net (raptor)
Date: Thu, 13 Nov 2003 17:19:56 +0200
Subject: [LARTC] [u32] match multiply IP addresses
Message-ID: <20031113171956.6d3419c5.raptor@tvskat.net>

/sbin/tc filter add dev eth0 parent 1:1 protocol all prio 1 u32 match ip dst x.x.x.10 match ip dst x.x.x.11 classid 2:7
Illegal "match"

what is wrong with this... how to match multiple ip addresses ?
how many ip address checks I can chain ?

tia

From dino@camelot.homedns.org Thu Nov 13 15:39:01 2003
From: dino@camelot.homedns.org (Jacek Bilski)
Date: Thu, 13 Nov 2003 16:39:01 +0100
Subject: [LARTC] HTB --> fw and u32
In-Reply-To: <20031112102644.7c6835c8.raptor@tvskat.net>
References: <20031112102644.7c6835c8.raptor@tvskat.net>
Message-ID: <1068737941.6133.16.camel@merlin>

--=-RV4p+sdu9VN9qPqBTWfd
Content-Type: text/plain; charset=ISO-8859-2
Content-Transfer-Encoding: quoted-printable

Ehlo!

On Wed, 2003-11-12 at 09:26, raptor wrote:

> Now what I read in the LARTC docs :
>
> 9.6. Classifying packets with filters
> ................
> You can't filter a packet 'upwards', by the way. Also, with HTB, you should attach all filters to the root!
> ......

I've noticed that also. Can anyone explain why I should attach all
filters to root when using HTB and what could happen if I don't respect
that?

BTW, why there's no "reply-to: lartc@mailman.ds9a.nl" in header? I think
it would be a good