From gypsy@iswest.com Thu Jul 1 03:15:11 2004
From: gypsy@iswest.com (gypsy)
Date: Wed, 30 Jun 2004 19:15:11 -0700
Subject: [LARTC] Re: Can the mailing list archive be searched?
Message-ID: <40E373AF.A2391B00@iswest.com>

Are you looking in groups.google.com or just google.com? Use google.com and make LARTC the first word in your search. LARTC is not in groups.

For example, enter

lartc imq kernel panic

and see what you get.

gypsy

From n.howden@eris.qinetiq.com Thu Jul 1 10:54:15 2004
From: n.howden@eris.qinetiq.com (Nick Howden)
Date: Thu, 1 Jul 2004 10:54:15 +0100
Subject: [LARTC] Using Token Bucket Filter to simulate a low bandwidth radio link
Message-ID: <200407011054.15481.n.howden@eris.qinetiq.com>

Hello,

I am attempting to use the LARTC traffic control to simulate a radio link that has variable bandwidth and availability. The basic bandwidth could be as low as 500 bits/sec but will generally be about 4000 bits/sec. If the simulated radio link is unavailable (zero bandwidth) then packets should be queued until a link is re-established.

i.e. Initial bandwidth is 5000bits/sec
then to 0 bits/sec
and back to 5000bits/sec

However, I am having several different problems

Problem 1:
Setting a very low bandwidth tbf - if the rate is less than my ethernet MTU size then packets appear to just get thrown away

Problem 2:
Preventing packets from being sent instantaneously when they arrive at the tbf (because sufficient tokens are available in the bucket?). I have tried to set the burst and minburst parameters but packets still appear to be transmitted too soon (e.g. a 5000bit packet should be delayed for 1 second on a 5000bit link)

Problem 3:
Is it possible to stop the flow of data when the simulated link is unavailable - whilst still keeping a queue of packets

The tc command line I am using is

tc qdisc add dev eth0 root tbf rate 5kbit burst 0.01kbit limit 50kbit peakrate 5kbit minburst 500

and to simulate a temporary link loss I use

tc qdisc change dev eth0 root tbf rate 0.001kbit burst 0.01kbit limit 50kbit peakrate 5kbit minburst 500

Any help would be much appreciated.

--
Nick Howden - Senior IT Analyst
QinetiQ Trusted Information Management
Woodward Building, Room B009
Malvern Technology Park, WR14 3PS
Telephone 01684 895566, Fax 896660

The Information contained in this E-Mail and any subsequent correspondence is private and is intended solely for the intended recipient(s). For those other than the recipient any disclosure, copying, distribution, or any action taken or omitted to be taken in reliance on such information is prohibited and may be unlawful

From lists@wildgooses.com Thu Jul 1 11:54:50 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Thu, 01 Jul 2004 11:54:50 +0100
Subject: [LARTC] Using Token Bucket Filter to simulate a low bandwidth radio link
In-Reply-To: <200407011054.15481.n.howden@eris.qinetiq.com>
References: <200407011054.15481.n.howden@eris.qinetiq.com>
Message-ID: <40E3ED7A.4080707@wildgooses.com>

Nick Howden wrote:

>Hello,
>
>I am attempting to use the LARTC traffic control to simulate a radio link that
>has variable bandwidth and availability. The basic bandwidth could be as low
>as 500 bits/sec but will generally be about 4000 bits/sec. If the simulated
>radio link is unavailable (zero bandwidth) then packets should be queued
>until a link is re-established.
>
>

Yeah, I think you are going to find it hard to simulate equivalent latency as well? I seem to remember a kernel module for slowing down a link for testing? Can't remember the details, but I saw it in my 2.6 kernel somewhere. Perhaps check the docs on that.

For my own custom apps I simulated a satellite link simply by writing a small proxy program for my particular protocol (in perl and again in VB). It queued packets and released them after a set time period at a set rate. If you are only testing a simple app then this is another way to go

Ed W

From util@deuroconsult.ro Thu Jul 1 12:08:20 2004
From: util@deuroconsult.ro (Catalin BOIE)
Date: Thu, 1 Jul 2004 14:08:20 +0300 (EEST)
Subject: [LARTC] Using Token Bucket Filter to simulate a low bandwidth radio link
In-Reply-To: <40E3ED7A.4080707@wildgooses.com>
References: <200407011054.15481.n.howden@eris.qinetiq.com> <40E3ED7A.4080707@wildgooses.com>
Message-ID:

> I seem to remember a kernel module for slowing down a link for testing?
> Can't remember the details, but I saw it in my 2.6 kernel somewhere. Perhaps
> check the docs on that.

Yes, it's Stephen's sch_delay. Both 2.4 and 2.6 versions are available. Just run 2.4.26 or 2.6.7 and the latest version of iproute2. Then:

tc qdisc add dev eth0 root delay limit 100000 latency 3000ms

> For my own custom apps I simulated a satellite link simply by writing a small
> proxy program for my particular protocol (in perl and again in VB). It
> queued packets and released them after a set time period at a set rate. If
> you are only testing a simple app then this is another way to go
>
> Ed W
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

From hclfm@pricol.co.in Thu Jul 1 12:14:45 2004
From: hclfm@pricol.co.in (hclfm@pricol.co.in)
Date: Thu, 1 Jul 2004 16:44:45 +0530
Subject: [LARTC] Using Token Bucket Filter to simulate a low bandwidth radio link
Message-ID:


!!Hello,

!!I am attempting to use the LARTC traffic control to simulate a radio link that
!!has variable bandwidth and availability. The basic bandwidth could be as low
!!as 500 bits/sec but will generally be about 4000 bits/sec. If the simulated
!!radio link is unavailable (zero bandwidth) then packets should be queued
!!until a link is re-established.

!!i.e. Initial bandwidth is 5000bits/sec
!!then to 0 bits/sec
!!and back to 5000bits/sec

!!However, I am having several different problems

!!Problem 1:
!!Setting a very low bandwidth tbf - if the rate is less than my ethernet MTU
!!size then packets appear to just get thrown away

Hi,

the module for simulating delay is sch_delay.

tc qdisc add dev eth0 root delay latency 300ms rate 100mbit

regards,

U.SivaKumar,

HCL Infosystems Limited.

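The replies above point at sch_delay for the latency side, but the three problems in Nick's question are mostly token bucket semantics, which a small model makes visible. The Python simulation below is an added example written for this archive; it is not code from the thread, from the kernel or from iproute2, and the class and function names are my own. It assumes tbf as described in tc-tbf(8) and implemented by sch_tbf: the bucket holds `burst` bytes and starts full, tokens are credited at `rate` once per timer tick (HZ, 100 on a 2.4 i386 kernel), a packet larger than the bucket is dropped on enqueue, and the FIFO behind the bucket holds at most `limit` bytes. The `peakrate`/`minburst` second bucket is left out of the model.

```python
from collections import deque


class TokenBucket:
    """Model of a tc 'tbf' qdisc (constructed for illustration, not kernel code):
    a bucket of `burst` bytes, full at start, refilled at `rate_bps` once per
    timer tick (`hz`), in front of a FIFO that holds at most `limit` bytes."""

    def __init__(self, rate_bps, burst, limit, hz=100):
        self.rate = rate_bps / 8.0       # bytes per second (0 = link down)
        self.burst, self.limit, self.hz = burst, limit, hz
        self.tokens = float(burst)       # tbf starts with a full bucket
        self.ticks = 0                   # integer clock, no float drift
        self.backlog = deque()           # queued packet lengths (FIFO)
        self.backlog_bytes = 0
        self.sent = []                   # (time, length) per transmission
        self.dropped = []                # (time, length, reason)

    def set_rate(self, rate_bps):
        """Change the rate at the current time, like 'tc qdisc change'."""
        self.rate = rate_bps / 8.0

    def enqueue(self, length):
        # As in sch_tbf, a packet that can never fit in the bucket is dropped
        # at once instead of blocking the head of the queue forever.
        now = self.ticks / self.hz
        if length > self.burst:
            self.dropped.append((now, length, "larger than burst"))
            return False
        if self.backlog_bytes + length > self.limit:
            self.dropped.append((now, length, "limit exceeded"))
            return False
        self.backlog.append(length)
        self.backlog_bytes += length
        self._drain()
        return True

    def run_until(self, t_end):
        """Advance the clock one timer tick at a time, crediting tokens."""
        end_tick = int(round(t_end * self.hz))
        while self.ticks < end_tick:
            self.ticks += 1
            self.tokens = min(self.burst, self.tokens + self.rate / self.hz)
            self._drain()

    def _drain(self):
        # Transmit head-of-line packets while the bucket holds enough tokens.
        while self.backlog and self.tokens >= self.backlog[0]:
            length = self.backlog.popleft()
            self.backlog_bytes -= length
            self.tokens -= length
            self.sent.append((self.ticks / self.hz, length))


def min_burst_bytes(rate_bps, hz=100):
    """Smallest bucket that wastes no tokens between ticks (tc-tbf(8): rate/HZ)."""
    return rate_bps / 8.0 / hz


def problem1_rate_below_mtu():
    # 'rate 5kbit burst 0.01kbit' is a bucket of about one byte, so a
    # 1500-byte frame can never be sent and is dropped at enqueue time.
    tb = TokenBucket(rate_bps=5000, burst=1, limit=6250)
    tb.enqueue(1500)
    return tb.dropped[0][2]


def problem2_first_packet_not_delayed():
    # Three 625-byte (5000-bit) packets on a 5 kbit/s link with a one-packet
    # bucket: the full bucket lets the first out immediately; only the packets
    # behind it are spaced one second apart.
    tb = TokenBucket(rate_bps=5000, burst=625, limit=6250)
    for _ in range(3):
        tb.enqueue(625)
    tb.run_until(3.0)
    return [t for t, _ in tb.sent]


def problem3_link_down_then_up():
    # Rate 0 credits no tokens, so packets wait in the FIFO (up to 'limit');
    # restoring the rate drains them at the configured pace.
    tb = TokenBucket(rate_bps=5000, burst=625, limit=1250)
    tb.enqueue(625)                  # link up: goes out at once
    tb.set_rate(0)                   # link down
    for _ in range(3):
        tb.enqueue(625)              # the third exceeds 'limit'
    tb.run_until(5.0)
    held = len(tb.sent) == 1 and tb.backlog_bytes == 1250
    tb.set_rate(5000)                # link back up
    tb.run_until(7.0)
    return held, [t for t, _ in tb.sent], len(tb.dropped)


def hz_granularity():
    # 100 Mbit/s at HZ=100: a 10 kB bucket versus a rate/HZ bucket. Tokens
    # credited beyond the bucket are lost every tick, which caps throughput.
    rate, counts = 100_000_000, []
    for burst in (10_000, int(min_burst_bytes(rate))):
        tb = TokenBucket(rate_bps=rate, burst=burst, limit=2_000_000)
        for _ in range(2000):
            tb.enqueue(1000)
        tb.run_until(1.0)
        counts.append(len(tb.sent))
    return tuple(counts)
```

`problem1_rate_below_mtu()` returns the drop reason for the 1500-byte frame, `problem2_first_packet_not_delayed()` gives send times of 0, 1 and 2 seconds (the first packet is never held back, because the bucket is full when it arrives; a fixed per-packet delay is what sch_delay adds), `problem3_link_down_then_up()` shows two packets parked while the rate is 0 and released at 6 s and 7 s once it is restored, and `hz_granularity()` shows the 10 kB bucket moving about 1010 packets per second instead of all 2000 at 100 Mbit/s. With `peakrate` set, sch_tbf also keeps a second bucket of `minburst` bytes and applies the same size check, so `minburst 500` would by itself reject a 625-byte packet.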
From edulix@tumundoweb.com Thu Jul 1 14:41:05 2004
From: edulix@tumundoweb.com (Edulix)
Date: Thu, 1 Jul 2004 15:41:05 +0200
Subject: [LARTC] filter ingress policy rates by packet marks
Message-ID: <200407011541.06101.edulix@tumundoweb.com>

Hello everyone!

I'm new to the list :-). So I'll tell you: I'm Eduardo Robles Elvira aka Edulix, a young student from the south of Spain. I've developed a simple project for local pc bandwidth shaping called Edulix Shaper script [1]. It's based on the Wondershaper. I have it mostly finished and debugged; I have only a final problem:

Is it possible by any way using only QoS (no IMQ...) to filter incoming packets by their marks and at the same time rate them to a specified speed?

You can do:

tc filter add dev $DEV parent ffff: protocol ip prio 10 u32 \
   match ip src $Q_2_HOSTS \
   police rate ${Q_2_DOWNLINK_MAX}mbit burst 10k drop flowid :2

and also:

tc filter add dev $DEV protocol ip prio 5 parent 1: \
   handle $Q_2_MARK fw classid 1:2

But can you have both commands mixed up so that we drop any incoming packet marked with $Q_2_MARK when they come at a higher speed than $Q_2_DOWNLINK_MAX? If that weren't possible I think I'd better remove the outgoing marked packets rules for scripting coherence =).

I'm still trying to upload the script to the webpage; if anyone is curious about it, I can send a 60 Kb tarball to you :-).

Thanks for your time,
Edulix.

--
[1] http://eshaper.sf.net

From edulix@tumundoweb.com Thu Jul 1 17:10:01 2004
From: edulix@tumundoweb.com (Edulix)
Date: Thu, 1 Jul 2004 18:10:01 +0200
Subject: [LARTC] filter ingress policy rates -> slow!!
Message-ID: <200407011810.01786.edulix@tumundoweb.com>

Hello one more time,

As others seem to have already asked without reply, I'm getting lower speed rates than specified via ingress. How do I know? Because I have this in my script:

tc qdisc add dev $DEV handle ffff: ingress

# Filter intranet traffic, so fit it to intranet speed
tc filter add dev $DEV parent ffff: protocol ip prio 10 u32 \
   match ip src $Q_2_HOSTS \
   match ip dst $Q_2_HOSTS \
   police rate ${LAN_SPEED}mbit burst 10k drop flowid :2

So let's say I execute an X -query to my pc. Everything goes fine and fluently till I activate my script's ingress rules! Then kde seems sluggish. And LAN_SPEED is "100" (mbit)!

I don't think the problem is that I have many ingress filters, because even if I deactivate them (i.e. comment them out in my script) kde slows down after adding the tc filter mentioned above.

Please, have you got any idea what might be going on? Any comments, suggestions? Have you had the same experience? What do you think the problem might be? Am I asking in the wrong forum? Should I report this bug to the tc developers? Come on and reply to me ;-).

Good luck,
Edulix.

--
[1] http://eshaper.sf.net

From shemminger@osdl.org Thu Jul 1 19:33:12 2004
From: shemminger@osdl.org (Stephen Hemminger)
Date: Thu, 1 Jul 2004 11:33:12 -0700
Subject: [LARTC] [PATCH 2.6] update to network emulation QOS scheduler
Message-ID: <20040701113312.43cfe6c5@dell_ss3.pdx.osdl.net>

This patch updates the network emulation packet scheduler.

* name changed from delay to netem since it does more than just delay
* Catalin's merged code to do packet reordering
* uses socket queues directly rather than layering on qdisc(fifo) because this is used in performance tests.
* adds placeholders in API for future enhancements (rate and duplicate).
Signed-off-by: Stephen Hemminger diff -urNp -X dontdiff linux-2.6/include/linux/pkt_sched.h sched-2.6/include/linux/pkt_sched.h --- linux-2.6/include/linux/pkt_sched.h 2004-06-24 08:52:58.000000000 -0700 +++ sched-2.6/include/linux/pkt_sched.h 2004-07-01 03:53:31.185482832 -0700 @@ -439,11 +439,14 @@ enum { #define TCA_ATM_MAX TCA_ATM_STATE -/* Delay section */ -struct tc_dly_qopt +/* Network emulator */ +struct tc_netem_qopt { - __u32 latency; - __u32 limit; - __u32 loss; + __u32 latency; /* added delay (us) */ + __u32 limit; /* fifo limit (packets) */ + __u32 loss; /* random packet loss (0=none ~0=100%) */ + __u32 gap; /* re-ordering gap (0 for delay all) */ + __u32 duplicate; /* random packet dup (0=none ~0=100%) */ + __u32 rate; /* maximum transmit rate (bytes/sec) */ }; #endif diff -urNp -X dontdiff linux-2.6/net/sched/Kconfig sched-2.6/net/sched/Kconfig --- linux-2.6/net/sched/Kconfig 2004-06-25 09:41:00.000000000 -0700 +++ sched-2.6/net/sched/Kconfig 2004-06-28 09:17:19.000000000 -0700 @@ -164,12 +164,12 @@ config NET_SCH_DSMARK To compile this code as a module, choose M here: the module will be called sch_dsmark. -config NET_SCH_DELAY - tristate "Delay simulator" +config NET_SCH_NETEM + tristate "Network emulator" depends on NET_SCHED help - Say Y if you want to delay packets by a fixed amount of - time. This is often useful to simulate network delay when + Say Y if you want to emulate network delay, loss, and packet + re-ordering. This is often useful to simulate networks when testing applications or protocols. To compile this driver as a module, choose M here: the module diff -urNp -X dontdiff linux-2.6/net/sched/Makefile sched-2.6/net/sched/Makefile --- linux-2.6/net/sched/Makefile 2004-06-24 08:52:58.000000000 -0700 +++ sched-2.6/net/sched/Makefile 2004-06-28 09:17:49.000000000 -0700 
@@ -24,7 +24,7 @@ obj-$(CONFIG_NET_SCH_TBF) += sch_tbf.o obj-$(CONFIG_NET_SCH_TEQL) += sch_teql.o obj-$(CONFIG_NET_SCH_PRIO) += sch_prio.o obj-$(CONFIG_NET_SCH_ATM) += sch_atm.o -obj-$(CONFIG_NET_SCH_DELAY) += sch_delay.o +obj-$(CONFIG_NET_SCH_NETEM) += sch_netem.o obj-$(CONFIG_NET_CLS_U32) += cls_u32.o obj-$(CONFIG_NET_CLS_ROUTE4) += cls_route.o obj-$(CONFIG_NET_CLS_FW) += cls_fw.o diff -urNp -X dontdiff linux-2.6/net/sched/sch_delay.c sched-2.6/net/sched/sch_delay.c --- linux-2.6/net/sched/sch_delay.c 2004-06-21 09:23:15.000000000 -0700 +++ sched-2.6/net/sched/sch_delay.c 1969-12-31 16:00:00.000000000 -0800 
@@ -1,281 +0,0 @@ -/* - * net/sched/sch_delay.c Simple constant delay - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version - * 2 of the License, or (at your option) any later version. - * - * Authors: Stephen Hemminger - */ - -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -/* Network delay simulator - This scheduler adds a fixed delay to all packets. - Similar to NISTnet and BSD Dummynet. - - It uses byte fifo underneath similar to TBF */ -struct dly_sched_data { - u32 latency; - u32 limit; - u32 loss; - struct timer_list timer; - struct Qdisc *qdisc; -}; - -/* Time stamp put into socket buffer control block */ -struct dly_skb_cb { - psched_time_t queuetime; -}; - -/* Enqueue packets with underlying discipline (fifo) - * but mark them with current time first. 
- */ -static int dly_enqueue(struct sk_buff *skb, struct Qdisc *sch) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - struct dly_skb_cb *cb = (struct dly_skb_cb *)skb->cb; - int ret; - - /* Random packet drop 0 => none, ~0 => all */ - if (q->loss >= net_random()) { - sch->stats.drops++; - return 0; /* lie about loss so TCP doesn't know */ - } - - PSCHED_GET_TIME(cb->queuetime); - - /* Queue to underlying scheduler */ - ret = q->qdisc->enqueue(skb, q->qdisc); - if (ret) - sch->stats.drops++; - else { - sch->q.qlen++; - sch->stats.bytes += skb->len; - sch->stats.packets++; - } - return ret; -} - -/* Requeue packets but don't change time stamp */ -static int dly_requeue(struct sk_buff *skb, struct Qdisc *sch) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - int ret; - - ret = q->qdisc->ops->requeue(skb, q->qdisc); - if (ret == 0) - sch->q.qlen++; - return ret; -} - -static unsigned int dly_drop(struct Qdisc *sch) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - unsigned int len; - - len = q->qdisc->ops->drop(q->qdisc); - if (len) { - sch->q.qlen--; - sch->stats.drops++; - } - return len; -} - -/* Dequeue packet. - * If packet needs to be held up, then stop the - * queue and set timer to wakeup later. 
- */ -static struct sk_buff *dly_dequeue(struct Qdisc *sch) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - struct sk_buff *skb; - - retry: - skb = q->qdisc->dequeue(q->qdisc); - if (skb) { - struct dly_skb_cb *cb = (struct dly_skb_cb *)skb->cb; - psched_time_t now; - long diff, delay; - - PSCHED_GET_TIME(now); - diff = q->latency - PSCHED_TDIFF(now, cb->queuetime); - - if (diff <= 0) { - sch->q.qlen--; - sch->flags &= ~TCQ_F_THROTTLED; - return skb; - } - - if (q->qdisc->ops->requeue(skb, q->qdisc) != NET_XMIT_SUCCESS) { - sch->q.qlen--; - sch->stats.drops++; - goto retry; - } - - delay = PSCHED_US2JIFFIE(diff); - if (delay <= 0) - delay = 1; - mod_timer(&q->timer, jiffies+delay); - - sch->flags |= TCQ_F_THROTTLED; - } - return NULL; -} - -static void dly_reset(struct Qdisc *sch) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - - qdisc_reset(q->qdisc); - sch->q.qlen = 0; - sch->flags &= ~TCQ_F_THROTTLED; - del_timer(&q->timer); -} - -static void dly_timer(unsigned long arg) -{ - struct Qdisc *sch = (struct Qdisc *)arg; - - sch->flags &= ~TCQ_F_THROTTLED; - netif_schedule(sch->dev); -} - -/* Tell Fifo the new limit. 
*/ -static int change_limit(struct Qdisc *q, u32 limit) -{ - struct rtattr *rta; - int ret; - - rta = kmalloc(RTA_LENGTH(sizeof(struct tc_fifo_qopt)), GFP_KERNEL); - if (!rta) - return -ENOMEM; - - rta->rta_type = RTM_NEWQDISC; - rta->rta_len = RTA_LENGTH(sizeof(struct tc_fifo_qopt)); - ((struct tc_fifo_qopt *)RTA_DATA(rta))->limit = limit; - ret = q->ops->change(q, rta); - kfree(rta); - - return ret; -} - -/* Setup underlying FIFO discipline */ -static int dly_change(struct Qdisc *sch, struct rtattr *opt) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - struct tc_dly_qopt *qopt = RTA_DATA(opt); - int err; - - if (q->qdisc == &noop_qdisc) { - struct Qdisc *child - = qdisc_create_dflt(sch->dev, &bfifo_qdisc_ops); - if (!child) - return -EINVAL; - q->qdisc = child; - } - - err = change_limit(q->qdisc, qopt->limit); - if (err) { - qdisc_destroy(q->qdisc); - q->qdisc = &noop_qdisc; - } else { - q->latency = qopt->latency; - q->limit = qopt->limit; - q->loss = qopt->loss; - } - return err; -} - -static int dly_init(struct Qdisc *sch, struct rtattr *opt) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - - if (!opt) - return -EINVAL; - - init_timer(&q->timer); - q->timer.function = dly_timer; - q->timer.data = (unsigned long) sch; - q->qdisc = &noop_qdisc; - - return dly_change(sch, opt); -} - -static void dly_destroy(struct Qdisc *sch) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - - del_timer(&q->timer); - qdisc_destroy(q->qdisc); - q->qdisc = &noop_qdisc; -} - -static int dly_dump(struct Qdisc *sch, struct sk_buff *skb) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - unsigned char *b = skb->tail; - struct tc_dly_qopt qopt; - - qopt.latency = q->latency; - qopt.limit = q->limit; - qopt.loss = q->loss; - - RTA_PUT(skb, TCA_OPTIONS, sizeof(qopt), &qopt); - - return skb->len; - -rtattr_failure: - skb_trim(skb, b - skb->data); - return -1; -} - -static struct Qdisc_ops dly_qdisc_ops = { - 
.id = "delay", - .priv_size = sizeof(struct dly_sched_data), - .enqueue = dly_enqueue, - .dequeue = dly_dequeue, - .requeue = dly_requeue, - .drop = dly_drop, - .init = dly_init, - .reset = dly_reset, - .destroy = dly_destroy, - .change = dly_change, - .dump = dly_dump, - .owner = THIS_MODULE, -}; - - -static int __init dly_module_init(void) -{ - return register_qdisc(&dly_qdisc_ops); -} -static void __exit dly_module_exit(void) -{ - unregister_qdisc(&dly_qdisc_ops); -} -module_init(dly_module_init) -module_exit(dly_module_exit) -MODULE_LICENSE("GPL"); diff -urNp -X dontdiff linux-2.6/net/sched/sch_netem.c sched-2.6/net/sched/sch_netem.c --- linux-2.6/net/sched/sch_netem.c 1969-12-31 16:00:00.000000000 -0800 +++ sched-2.6/net/sched/sch_netem.c 2004-06-30 14:05:13.000000000 -0700 
@@ -0,0 +1,255 @@ +/* + * net/sched/sch_netem.c Network emulator + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + * + * Authors: Stephen Hemminger + * Catalin(ux aka Dino) BOIE + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +/* Network emulator + * + * This scheduler can alters spacing and order + * Similar to NISTnet and BSD Dummynet. + */ + +struct netem_sched_data { + struct sk_buff_head qnormal; + struct sk_buff_head qdelay; + struct timer_list timer; + + u32 latency; + u32 loss; + u32 counter; + u32 gap; +}; + +/* Time stamp put into socket buffer control block */ +struct netem_skb_cb { + psched_time_t time_to_send; +}; + +/* Enqueue packets with underlying discipline (fifo) + * but mark them with current time first. + */ +static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + struct netem_skb_cb *cb = (struct netem_skb_cb *)skb->cb; + + pr_debug("netem_enqueue skb=%p @%lu\n", skb, jiffies); + + /* Random packet drop 0 => none, ~0 => all */ + if (q->loss >= net_random()) { + sch->stats.drops++; + return 0; /* lie about loss so TCP doesn't know */ + } + + if (q->qnormal.qlen < sch->dev->tx_queue_len) { + PSCHED_GET_TIME(cb->time_to_send); + PSCHED_TADD(cb->time_to_send, q->latency); + + __skb_queue_tail(&q->qnormal, skb); + sch->q.qlen++; + sch->stats.bytes += skb->len; + sch->stats.packets++; + return 0; + } + + sch->stats.drops++; + kfree_skb(skb); + return NET_XMIT_DROP; +} + +/* Requeue packets but don't change time stamp */ +static int netem_requeue(struct sk_buff *skb, struct Qdisc *sch) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + + __skb_queue_head(&q->qnormal, skb); + 
sch->q.qlen++; + return 0; +} + +/* + * Check the look aside buffer list, and see if any freshly baked buffers. + * If head of queue is not baked, set timer. + */ +static struct sk_buff *netem_get_delayed(struct netem_sched_data *q) +{ + struct sk_buff *skb; + psched_time_t now; + long delay; + + skb = skb_peek(&q->qdelay); + if (skb) { + const struct netem_skb_cb *cb + = (const struct netem_skb_cb *)skb->cb; + + PSCHED_GET_TIME(now); + delay = PSCHED_US2JIFFIE(PSCHED_TDIFF(cb->time_to_send, now)); + pr_debug("netem_dequeue: delay queue %p@%lu %ld\n", + skb, jiffies, delay); + + /* it's baked enough */ + if (delay <= 0) { + __skb_unlink(skb, &q->qdelay); + del_timer(&q->timer); + return skb; + } + + if (!timer_pending(&q->timer)) { + q->timer.expires = jiffies + delay; + add_timer(&q->timer); + } + } + return NULL; +} + +/* Dequeue packet. + * If packet needs to be held up, then put in the delay + * queue and set timer to wakeup later. + */ +static struct sk_buff *netem_dequeue(struct Qdisc *sch) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + struct sk_buff *skb; + + skb = netem_get_delayed(q); + if (!skb && (skb = __skb_dequeue(&q->qnormal))) { + /* are we doing out of order packet skip? 
*/ + if (q->counter < q->gap) { + pr_debug("netem_dequeue: send %p normally\n", skb); + q->counter++; + } else { + /* don't send now hold for later */ + pr_debug("netem_dequeue: hold [%p]@%lu\n", skb, jiffies); + __skb_queue_tail(&q->qdelay, skb); + q->counter = 0; + skb = netem_get_delayed(q); + } + } + + if (skb) + sch->q.qlen--; + return skb; +} + +static void netem_timer(unsigned long arg) +{ + struct Qdisc *sch = (struct Qdisc *)arg; + + pr_debug("netem_timer: fired @%lu\n", jiffies); + netif_schedule(sch->dev); +} + +static void netem_reset(struct Qdisc *sch) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + + skb_queue_purge(&q->qnormal); + skb_queue_purge(&q->qdelay); + + sch->q.qlen = 0; + del_timer_sync(&q->timer); +} + +static int netem_change(struct Qdisc *sch, struct rtattr *opt) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + struct tc_netem_qopt *qopt = RTA_DATA(opt); + + if (qopt->limit) + sch->dev->tx_queue_len = qopt->limit; + + q->gap = qopt->gap; + q->loss = qopt->loss; + q->latency = qopt->latency; + + return 0; +} + +static int netem_init(struct Qdisc *sch, struct rtattr *opt) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + + if (!opt) + return -EINVAL; + + skb_queue_head_init(&q->qnormal); + skb_queue_head_init(&q->qdelay); + init_timer(&q->timer); + q->timer.function = netem_timer; + q->timer.data = (unsigned long) sch; + q->counter = 0; + + return netem_change(sch, opt); +} + +static void netem_destroy(struct Qdisc *sch) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + + del_timer_sync(&q->timer); +} + +static int netem_dump(struct Qdisc *sch, struct sk_buff *skb) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + unsigned char *b = skb->tail; + struct tc_netem_qopt qopt; + + qopt.latency = q->latency; + qopt.limit = sch->dev->tx_queue_len; + qopt.loss = q->loss; + qopt.gap = q->gap; + + RTA_PUT(skb, TCA_OPTIONS, 
sizeof(qopt), &qopt); + + return skb->len; + +rtattr_failure: + skb_trim(skb, b - skb->data); + return -1; +} + +static struct Qdisc_ops netem_qdisc_ops = { + .id = "netem", + .priv_size = sizeof(struct netem_sched_data), + .enqueue = netem_enqueue, + .dequeue = netem_dequeue, + .requeue = netem_requeue, + .init = netem_init, + .reset = netem_reset, + .destroy = netem_destroy, + .change = netem_change, + .dump = netem_dump, + .owner = THIS_MODULE, +}; + + +static int __init netem_module_init(void) +{ + return register_qdisc(&netem_qdisc_ops); +} +static void __exit netem_module_exit(void) +{ + unregister_qdisc(&netem_qdisc_ops); +} +module_init(netem_module_init) +module_exit(netem_module_exit) +MODULE_LICENSE("GPL"); From shemminger@osdl.org Thu Jul 1 21:11:01 2004 From: shemminger@osdl.org (Stephen Hemminger) Date: Thu, 1 Jul 2004 13:11:01 -0700 Subject: [LARTC] [PATCH 2.4] update to network emulation QOS scheduler In-Reply-To: <20040701113312.43cfe6c5@dell_ss3.pdx.osdl.net> References: <20040701113312.43cfe6c5@dell_ss3.pdx.osdl.net> Message-ID: <20040701131101.184f7840@dell_ss3.pdx.osdl.net> This is the 2.4 version of the conversion of simple network delay scheduler to network emulator. Signed-off-by: Stephen Hemminger diff -Nru a/include/linux/pkt_sched.h b/include/linux/pkt_sched.h --- a/include/linux/pkt_sched.h 2004-07-01 13:06:36 -07:00 +++ b/include/linux/pkt_sched.h 2004-07-01 13:06:36 -07:00 @@ -432,12 +432,15 @@ #define TCA_ATM_MAX TCA_ATM_STATE -/* Delay section */ -struct tc_dly_qopt +/* Network emulator */ +struct tc_netem_qopt { - __u32 latency; - __u32 limit; - __u32 loss; + __u32 latency; /* added delay (us) */ + __u32 limit; /* fifo limit (packets) */ + __u32 loss; /* random packet loss (0=none ~0=100%) */ + __u32 gap; /* re-ordering gap (0 for delay all) */ + __u32 duplicate; /* random packet dup (0=none ~0=100%) */ + __u32 rate; /* maximum transmit rate (bytes/sec) */ }; #endif diff -Nru a/net/sched/Config.in b/net/sched/Config.in 
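Review bot: in the pkt_sched.h hunk (and its twin in the 2.4 version of this patch), `duplicate` and `rate` become part of the `struct tc_netem_qopt` ABI while netem_change reads only `limit`, `gap`, `loss` and `latency`, so a user who sets them gets silent acceptance and no effect; either mark them in the header comment as reserved, must be zero, and have netem_change return -EINVAL when they are non-zero, or add them when the features exist. The comment on `limit` now says "fifo limit (packets)", whereas the old `tc_dly_qopt` limit was passed to the bfifo child as a byte limit; that is a change of units for anyone reusing old tc scripts and belongs in the changelog.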
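Review bot: netem_dump in the sch_netem.c hunk (same code in the 2.4 version) declares `struct tc_netem_qopt qopt` on the stack, fills only `latency`, `limit`, `loss` and `gap`, then hands `sizeof(qopt)` bytes to `RTA_PUT(skb, TCA_OPTIONS, sizeof(qopt), &qopt)`, so the unset `duplicate` and `rate` words carry uninitialised kernel stack bytes to userspace through netlink; start with `memset(&qopt, 0, sizeof(qopt))` or assign every member. In the same hunk netem_change does `struct tc_netem_qopt *qopt = RTA_DATA(opt)` without checking `RTA_PAYLOAD(opt) >= sizeof(*qopt)`; the struct just grew by three words, so a tc binary still sending the old three-word `tc_dly_qopt` makes the kernel read past the attribute, and the check should return -EINVAL. Two more points: the random-loss branch of netem_enqueue increments `drops` and returns 0 but never calls kfree_skb on the packet it claims to have dropped (the tx_queue_len overflow path right below it does), and `if (qopt->limit) sch->dev->tx_queue_len = qopt->limit` changes the device's own queue length for the life of the device rather than the qdisc, since netem_destroy never restores it; keeping the limit in netem_sched_data, as sch_delay kept `q->limit`, avoids the side effect.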
--- a/net/sched/Config.in 2004-07-01 13:06:36 -07:00 +++ b/net/sched/Config.in 2004-07-01 13:06:36 -07:00 @@ -15,7 +15,7 @@ tristate ' TEQL queue' CONFIG_NET_SCH_TEQL tristate ' TBF queue' CONFIG_NET_SCH_TBF tristate ' GRED queue' CONFIG_NET_SCH_GRED -tristate ' Network delay simulator' CONFIG_NET_SCH_DELAY +tristate ' Network emulator' CONFIG_NET_SCH_NETEM tristate ' Diffserv field marker' CONFIG_NET_SCH_DSMARK if [ "$CONFIG_NETFILTER" = "y" ]; then tristate ' Ingress Qdisc' CONFIG_NET_SCH_INGRESS diff -Nru a/net/sched/Makefile b/net/sched/Makefile --- a/net/sched/Makefile 2004-07-01 13:06:36 -07:00 +++ b/net/sched/Makefile 2004-07-01 13:06:36 -07:00 @@ -14,7 +14,7 @@ obj-$(CONFIG_NET_SCH_INGRESS) += sch_ingress.o obj-$(CONFIG_NET_SCH_CBQ) += sch_cbq.o obj-$(CONFIG_NET_SCH_CSZ) += sch_csz.o -obj-$(CONFIG_NET_SCH_DELAY) += sch_delay.o +obj-$(CONFIG_NET_SCH_NETEM) += sch_netem.o obj-$(CONFIG_NET_SCH_HPFQ) += sch_hpfq.o obj-$(CONFIG_NET_SCH_HFSC) += sch_hfsc.o obj-$(CONFIG_NET_SCH_HTB) += sch_htb.o diff -Nru a/net/sched/sch_delay.c b/net/sched/sch_delay.c --- a/net/sched/sch_delay.c 2004-07-01 13:06:36 -07:00 +++ /dev/null Wed Dec 31 16:00:00 196900 
@@ -1,289 +0,0 @@ -/* - * net/sched/sch_delay.c Simple constant delay - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version - * 2 of the License, or (at your option) any later version. - * - * Authors: Stephen Hemminger - */ - -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -/* Network delay simulator - This scheduler adds a fixed delay to all packets. - Similar to NISTnet and BSD Dummynet. - - It uses byte fifo underneath similar to TBF */ -struct dly_sched_data { - u32 latency; - u32 limit; - u32 loss; - struct timer_list timer; - struct Qdisc *qdisc; -}; - -/* Time stamp put into socket buffer control block */ -struct dly_skb_cb { - psched_time_t queuetime; -}; - -/* Enqueue packets with underlying discipline (fifo) - * but mark them with current time first. 
- */ -static int dly_enqueue(struct sk_buff *skb, struct Qdisc *sch) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - struct dly_skb_cb *cb = (struct dly_skb_cb *)skb->cb; - int ret; - - /* Random packet drop 0 => none, ~0 => all */ - if (q->loss >= net_random()) { - sch->stats.drops++; - return 0; /* lie about loss so TCP doesn't know */ - } - - PSCHED_GET_TIME(cb->queuetime); - - /* Queue to underlying scheduler */ - ret = q->qdisc->enqueue(skb, q->qdisc); - if (ret) - sch->stats.drops++; - else { - sch->q.qlen++; - sch->stats.bytes += skb->len; - sch->stats.packets++; - } - return ret; -} - -/* Requeue packets but don't change time stamp */ -static int dly_requeue(struct sk_buff *skb, struct Qdisc *sch) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - int ret; - - ret = q->qdisc->ops->requeue(skb, q->qdisc); - if (ret == 0) - sch->q.qlen++; - return ret; -} - -static unsigned int dly_drop(struct Qdisc *sch) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - unsigned int len; - - len = q->qdisc->ops->drop(q->qdisc); - if (len) { - sch->q.qlen--; - sch->stats.drops++; - } - return len; -} - -/* Dequeue packet. - * If packet needs to be held up, then stop the - * queue and set timer to wakeup later. 
- */ -static struct sk_buff *dly_dequeue(struct Qdisc *sch) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - struct sk_buff *skb; - - retry: - skb = q->qdisc->dequeue(q->qdisc); - if (skb) { - struct dly_skb_cb *cb = (struct dly_skb_cb *)skb->cb; - psched_time_t now; - long diff, delay; - - PSCHED_GET_TIME(now); - diff = q->latency - PSCHED_TDIFF(now, cb->queuetime); - - if (diff <= 0) { - sch->q.qlen--; - sch->flags &= ~TCQ_F_THROTTLED; - return skb; - } - - if (q->qdisc->ops->requeue(skb, q->qdisc) != NET_XMIT_SUCCESS) { - sch->q.qlen--; - sch->stats.drops++; - goto retry; - } - - delay = PSCHED_US2JIFFIE(diff); - if (delay <= 0) - delay = 1; - mod_timer(&q->timer, jiffies+delay); - - sch->flags |= TCQ_F_THROTTLED; - } - return NULL; -} - -static void dly_reset(struct Qdisc *sch) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - - qdisc_reset(q->qdisc); - sch->q.qlen = 0; - sch->flags &= ~TCQ_F_THROTTLED; - del_timer(&q->timer); -} - -static void dly_timer(unsigned long arg) -{ - struct Qdisc *sch = (struct Qdisc *)arg; - - sch->flags &= ~TCQ_F_THROTTLED; - netif_schedule(sch->dev); -} - -/* Tell Fifo the new limit. 
*/ -static int change_limit(struct Qdisc *q, u32 limit) -{ - struct rtattr *rta; - int ret; - - rta = kmalloc(RTA_LENGTH(sizeof(struct tc_fifo_qopt)), GFP_KERNEL); - if (!rta) - return -ENOMEM; - - rta->rta_type = RTM_NEWQDISC; - rta->rta_len = RTA_LENGTH(sizeof(struct tc_fifo_qopt)); - ((struct tc_fifo_qopt *)RTA_DATA(rta))->limit = limit; - ret = q->ops->change(q, rta); - kfree(rta); - - return ret; -} - -/* Setup underlying FIFO discipline */ -static int dly_change(struct Qdisc *sch, struct rtattr *opt) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - struct tc_dly_qopt *qopt = RTA_DATA(opt); - int err; - - if (q->qdisc == &noop_qdisc) { - struct Qdisc *child - = qdisc_create_dflt(sch->dev, &bfifo_qdisc_ops); - if (!child) - return -EINVAL; - q->qdisc = child; - } - - err = change_limit(q->qdisc, qopt->limit); - if (err) { - qdisc_destroy(q->qdisc); - q->qdisc = &noop_qdisc; - } else { - q->latency = qopt->latency; - q->limit = qopt->limit; - q->loss = qopt->loss; - } - return err; -} - -static int dly_init(struct Qdisc *sch, struct rtattr *opt) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - int err; - - if (!opt) - return -EINVAL; - - MOD_INC_USE_COUNT; - - init_timer(&q->timer); - q->timer.function = dly_timer; - q->timer.data = (unsigned long) sch; - q->qdisc = &noop_qdisc; - - err = dly_change(sch, opt); - if (err) - MOD_DEC_USE_COUNT; - - return err; -} - -static void dly_destroy(struct Qdisc *sch) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - - del_timer(&q->timer); - qdisc_destroy(q->qdisc); - q->qdisc = &noop_qdisc; - - MOD_DEC_USE_COUNT; -} - -static int dly_dump(struct Qdisc *sch, struct sk_buff *skb) -{ - struct dly_sched_data *q = (struct dly_sched_data *)sch->data; - unsigned char *b = skb->tail; - struct tc_dly_qopt qopt; - - qopt.latency = q->latency; - qopt.limit = q->limit; - qopt.loss = q->loss; - - RTA_PUT(skb, TCA_OPTIONS, sizeof(qopt), &qopt); - - return skb->len; - 
-rtattr_failure: - skb_trim(skb, b - skb->data); - return -1; -} - -struct Qdisc_ops dly_qdisc_ops = { - .id = "delay", - .priv_size = sizeof(struct dly_sched_data), - .enqueue = dly_enqueue, - .dequeue = dly_dequeue, - .requeue = dly_requeue, - .drop = dly_drop, - .init = dly_init, - .reset = dly_reset, - .destroy = dly_destroy, - .change = dly_change, - .dump = dly_dump, -}; - -#ifdef MODULE -int init_module(void) -{ - return register_qdisc(&dly_qdisc_ops); -} - -void cleanup_module(void) -{ - unregister_qdisc(&dly_qdisc_ops); -} -#endif -MODULE_LICENSE("GPL"); diff -Nru a/net/sched/sch_netem.c b/net/sched/sch_netem.c --- /dev/null Wed Dec 31 16:00:00 196900 +++ b/net/sched/sch_netem.c 2004-07-01 13:06:36 -07:00 
@@ -0,0 +1,255 @@ +/* + * net/sched/sch_netem.c Network emulator + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + * + * Authors: Stephen Hemminger + * Catalin(ux aka Dino) BOIE + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +/* Network emulator + * + * This scheduler can alters spacing and order + * Similar to NISTnet and BSD Dummynet. + */ + +struct netem_sched_data { + struct sk_buff_head qnormal; + struct sk_buff_head qdelay; + struct timer_list timer; + + u32 latency; + u32 loss; + u32 counter; + u32 gap; +}; + +/* Time stamp put into socket buffer control block */ +struct netem_skb_cb { + psched_time_t time_to_send; +}; + +/* Enqueue packets with underlying discipline (fifo) + * but mark them with current time first. 
+ */ +static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + struct netem_skb_cb *cb = (struct netem_skb_cb *)skb->cb; + + pr_debug("netem_enqueue skb=%p @%lu\n", skb, jiffies); + + /* Random packet drop 0 => none, ~0 => all */ + if (q->loss >= net_random()) { + sch->stats.drops++; + return 0; /* lie about loss so TCP doesn't know */ + } + + if (q->qnormal.qlen < sch->dev->tx_queue_len) { + PSCHED_GET_TIME(cb->time_to_send); + PSCHED_TADD(cb->time_to_send, q->latency); + + __skb_queue_tail(&q->qnormal, skb); + sch->q.qlen++; + sch->stats.bytes += skb->len; + sch->stats.packets++; + return 0; + } + + sch->stats.drops++; + kfree_skb(skb); + return NET_XMIT_DROP; +} + +/* Requeue packets but don't change time stamp */ +static int netem_requeue(struct sk_buff *skb, struct Qdisc *sch) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + + __skb_queue_head(&q->qnormal, skb); + sch->q.qlen++; + return 0; +} + +/* + * Check the look aside buffer list, and see if any freshly baked buffers. + * If head of queue is not baked, set timer. + */ +static struct sk_buff *netem_get_delayed(struct netem_sched_data *q) +{ + struct sk_buff *skb; + psched_time_t now; + long delay; + + skb = skb_peek(&q->qdelay); + if (skb) { + const struct netem_skb_cb *cb + = (const struct netem_skb_cb *)skb->cb; + + PSCHED_GET_TIME(now); + delay = PSCHED_US2JIFFIE(PSCHED_TDIFF(cb->time_to_send, now)); + pr_debug("netem_dequeue: delay queue %p@%lu %ld\n", + skb, jiffies, delay); + + /* it's baked enough */ + if (delay <= 0) { + __skb_unlink(skb, &q->qdelay); + del_timer(&q->timer); + return skb; + } + + if (!timer_pending(&q->timer)) { + q->timer.expires = jiffies + delay; + add_timer(&q->timer); + } + } + return NULL; +} + +/* Dequeue packet. + * If packet needs to be held up, then put in the delay + * queue and set timer to wakeup later. 
+ */ +static struct sk_buff *netem_dequeue(struct Qdisc *sch) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + struct sk_buff *skb; + + skb = netem_get_delayed(q); + if (!skb && (skb = __skb_dequeue(&q->qnormal))) { + /* are we doing out of order packet skip? */ + if (q->counter < q->gap) { + pr_debug("netem_dequeue: send %p normally\n", skb); + q->counter++; + } else { + /* don't send now hold for later */ + pr_debug("netem_dequeue: hold [%p]@%lu\n", skb, jiffies); + __skb_queue_tail(&q->qdelay, skb); + q->counter = 0; + skb = netem_get_delayed(q); + } + } + + if (skb) + sch->q.qlen--; + return skb; +} + +static void netem_timer(unsigned long arg) +{ + struct Qdisc *sch = (struct Qdisc *)arg; + + pr_debug("netem_timer: fired @%lu\n", jiffies); + netif_schedule(sch->dev); +} + +static void netem_reset(struct Qdisc *sch) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + + skb_queue_purge(&q->qnormal); + skb_queue_purge(&q->qdelay); + + sch->q.qlen = 0; + del_timer_sync(&q->timer); +} + +static int netem_change(struct Qdisc *sch, struct rtattr *opt) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + struct tc_netem_qopt *qopt = RTA_DATA(opt); + + if (qopt->limit) + sch->dev->tx_queue_len = qopt->limit; + + q->gap = qopt->gap; + q->loss = qopt->loss; + q->latency = qopt->latency; + + return 0; +} + +static int netem_init(struct Qdisc *sch, struct rtattr *opt) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + + if (!opt) + return -EINVAL; + + skb_queue_head_init(&q->qnormal); + skb_queue_head_init(&q->qdelay); + init_timer(&q->timer); + q->timer.function = netem_timer; + q->timer.data = (unsigned long) sch; + q->counter = 0; + + return netem_change(sch, opt); +} + +static void netem_destroy(struct Qdisc *sch) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + + del_timer_sync(&q->timer); +} + +static int netem_dump(struct Qdisc *sch, struct sk_buff 
*skb) +{ + struct netem_sched_data *q = (struct netem_sched_data *)sch->data; + unsigned char *b = skb->tail; + struct tc_netem_qopt qopt; + + qopt.latency = q->latency; + qopt.limit = sch->dev->tx_queue_len; + qopt.loss = q->loss; + qopt.gap = q->gap; + + RTA_PUT(skb, TCA_OPTIONS, sizeof(qopt), &qopt); + + return skb->len; + +rtattr_failure: + skb_trim(skb, b - skb->data); + return -1; +} + +static struct Qdisc_ops netem_qdisc_ops = { + .id = "netem", + .priv_size = sizeof(struct netem_sched_data), + .enqueue = netem_enqueue, + .dequeue = netem_dequeue, + .requeue = netem_requeue, + .init = netem_init, + .reset = netem_reset, + .destroy = netem_destroy, + .change = netem_change, + .dump = netem_dump, +}; + + +static int __init netem_module_init(void) +{ + return register_qdisc(&netem_qdisc_ops); +} +static void __exit netem_module_exit(void) +{ + unregister_qdisc(&netem_qdisc_ops); +} +module_init(netem_module_init) +module_exit(netem_module_exit) +MODULE_LICENSE("GPL"); From stef.coene@docum.org Thu Jul 1 21:40:16 2004 
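Review bot: in the `+static int netem_enqueue` part of the `@@ -0,0 +1,255 @@` hunk the random-loss branch (`if (q->loss >= net_random()) { sch->stats.drops++; return 0; }`) returns without freeing the packet, so every emulated loss leaks an skb; the queue-full branch a few lines below does `kfree_skb(skb)` and the same is needed here. The same comparison also fires whenever `net_random()` returns 0, even with `loss` left at 0, so an unconfigured loss rate still drops the occasional packet; guarding with `q->loss &&` avoids both the spurious drop and the random-number call. Two smaller points: `netem_change` writes `qopt->limit` straight into `sch->dev->tx_queue_len`, a device-wide setting, rather than keeping the limit in `netem_sched_data`, and `netem_qdisc_ops` leaves out the `.drop` callback that the removed `dly_qdisc_ops` provided, so a classful parent that calls its child's drop op can no longer shed a packet through netem.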
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 1 Jul 2004 22:40:16 +0200
Subject: [LARTC] filter ingress policy rates -> slow!!
In-Reply-To: <200407011810.01786.edulix@tumundoweb.com>
References: <200407011810.01786.edulix@tumundoweb.com>
Message-ID: <200407012240.16357.stef.coene@docum.org>

On Thursday 01 July 2004 18:10, Edulix wrote:
> Hello one more time,
>
> As others seem to have already asked without reply, I'm getting lower speed
> rates than specified via ingress. How do I know? Because I have this in my
> script:
>
> tc qdisc add dev $DEV handle ffff: ingress
>
> # Filter intranet traffic, so fit it to intranet speed
> tc filter add dev $DEV parent ffff: protocol ip prio 10 u32 \
>    match ip src $Q_2_HOSTS \
>    match ip dst $Q_2_HOSTS \
>    police rate ${LAN_SPEED}mbit burst 10k drop flowid :2
>
> So let's say I execute an X -query to my pc. Everything goes fine and
> fluently till I activate my script's ingress rules! Then KDE seems sluggish.
> And LAN_SPEED is "100" (mbit)!
>
> I don't think the problem is that I have many ingress filters because even
> if I deactivate them (i.e. comment them out in my script) KDE slows down
> after adding the tc filter mentioned above.
>
> Please, have you got any idea what might be going on? Any comments,
> suggestions? Have you had the same experience? What do you think the
> problem might be? Am I asking in the wrong forum? Should I report this bug
> to the tc developers? Come on and reply to me ;-).

Can you post the tc counters?
tc -s -d qdisc filter ffff:

Stef
--
stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/

From stef.coene@docum.org Thu Jul 1 21:52:14 2004
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 1 Jul 2004 22:52:14 +0200
Subject: [LARTC] HTB and iptables statistics
In-Reply-To: <87isd93r60.fsf@vinci.loc>
References: <87isd93r60.fsf@vinci.loc>
Message-ID: <200407012252.14932.stef.coene@docum.org>

On Wednesday 30 June 2004 19:13, Alexander Kotelnikov wrote:
> Hello.
>
> The problems are:
> 1. Using HTB I get negative values for tokens and ctokens in tc -s
> output, for example:

This is perfectly possible. It depends on your configuration and the parent-child relationship between the classes. If a class has a token, it can send a packet. But if a child class is sending a packet, a token of the parent class is also used. And a class can use its tokens even if the parent class has no tokens left. So it's possible to drag the tokens negative if the child class is sending more packets than the parent allows. But the parent can not forbid this.

Stef
--
stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/

From edulix@tumundoweb.com Thu Jul 1 22:26:24 2004
From: edulix@tumundoweb.com (Edulix)
Date: Thu, 1 Jul 2004 23:26:24 +0200
Subject: [LARTC] Re: e: [T] filter ingress policy rates -> slow!!
In-Reply-To: <200407012240.16357.stef.coene@docum.org>
References: <200407011810.01786.edulix@tumundoweb.com> <200407012240.16357.stef.coene@docum.org>
Message-ID: <200407012326.25427.edulix@tumundoweb.com>

On Thursday, 1 July 2004 22:40, Stef Coene wrote:
> Can you post the tc counters?
> tc -s -d qdisc filter ffff:
>
> Stef

Sure. BTW, that command doesn't work fine here:

[root@k12ltsp-server root]# tc -s -d qdisc filter ffff:
Command "filter" is unknown, try "tc qdisc help".

So let's just print:

[root@k12ltsp-server root]# /etc/init.d/eshaper start downlink
Applying tc rules: [ OK ]

(That command starts *only* ingress policies)

[root@k12ltsp-server root]# tc -s -d qdisc
qdisc ingress ffff: dev eth0 ----------------
 Sent 384 bytes 3 pkts (dropped 0, overlimits 0)
[root@k12ltsp-server root]#

Is this normal or expected?

Thanks for your time,
Edulix.

From shemminger@osdl.org Thu Jul 1 23:38:01 2004
From: shemminger@osdl.org (Stephen Hemminger)
Date: Thu, 1 Jul 2004 15:38:01 -0700
Subject: [LARTC] [ANNOUNCE] Updated version of iproute2 snapshot version
Message-ID: <20040701153801.78428e4a@dell_ss3.pdx.osdl.net>

Okay, it's been too long already, here is an update to iproute2 (ip, tc, ss, ...) utilities. Here is an updated snapshot.

http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.X-ss040701.tar.gz

See the ChangeLog for detail but major changes are:
* simple configuration (not autoconf) to deal with different systems
* data rates in "tc" use communication standard K=1000 not K=1024
* also, -iec option and knows about "kibps"
* long style GNU options
* works with "netem" scheduler
* additional options on the ip command (to match ifconfig)

This should build and work on 2.6, and 2.4.

From mingching.tiew@redtone.com Fri Jul 2 02:01:30 2004
From: mingching.tiew@redtone.com (Ming-Ching Tiew)
Date: Fri, 2 Jul 2004 09:01:30 +0800
Subject: [LARTC] Best throughput routing or least latency routing
Message-ID: <039f01c45fd0$1c901f20$0100a8c0@newlife>

Correct me if I am wrong, RIP is a kind of least-hop routing, but is there a way for me to have best-throughput routing or least-latency routing?

From gypsy@iswest.com Fri Jul 2 02:46:37 2004
From: gypsy@iswest.com (gypsy)
Date: Thu, 01 Jul 2004 18:46:37 -0700
Subject: [LARTC] Re: e: [T] filter ingress policy rates -> slow!!
References: <200407011810.01786.edulix@tumundoweb.com> <200407012240.16357.stef.coene@docum.org> <200407012326.25427.edulix@tumundoweb.com>
Message-ID: <40E4BE7D.9B114B0F@iswest.com>

Edulix wrote:
> (That command starts *only* ingress policies)
> [root@k12ltsp-server root]# tc -s -d qdisc
> qdisc ingress ffff: dev eth0 ----------------
>  Sent 384 bytes 3 pkts (dropped 0, overlimits 0)
> [root@k12ltsp-server root]#

This is a joke? You have not demonstrated any slowdown.

From Andreas.Klauer@metamorpher.de Fri Jul 2 03:17:03 2004
From: Andreas.Klauer@metamorpher.de (Andreas Klauer)
Date: Fri, 2 Jul 2004 04:17:03 +0200
Subject: [LARTC] HTB and iptables statistics
In-Reply-To: <200407012252.14932.stef.coene@docum.org>
References: <87isd93r60.fsf@vinci.loc> <200407012252.14932.stef.coene@docum.org>
Message-ID: <200407020417.03362.Andreas.Klauer@metamorpher.de>

On Thursday 01 July 2004 22:52, Stef Coene wrote:
> So it's possible to drag the tokens negative if the child class is sending
> more packets than the parent allows.

If I understand you right, it's only the parent classes that can get negative tokens this way. But I also have leaf classes with negative tokens. Does this mean there's something wrong? Are negative tokens a good thing, or rather a bad thing? Any way to prevent them?

Andreas

From edulix@tumundoweb.com Fri Jul 2 09:36:28 2004
From: edulix@tumundoweb.com (Edulix)
Date: Fri, 2 Jul 2004 10:36:28 +0200
Subject: [LARTC] filter ingress policy rates -> slow!!
Message-ID: <200407021036.28648.edulix@tumundoweb.com>

On Friday, 2 July 2004 03:46, gypsy wrote:
> Edulix wrote:
> > (That command starts *only* ingress policies)
> > [root@k12ltsp-server root]# tc -s -d qdisc
> > qdisc ingress ffff: dev eth0 ----------------
> >  Sent 384 bytes 3 pkts (dropped 0, overlimits 0)
> > [root@k12ltsp-server root]#
>
> This is a joke? You have not demonstrated any slowdown.

Sorry, I didn't understand the thing very well :-P. Also, I haven't got permanent access to the other PCs of the network (they're not mine ;-)!) and that's the reason why I posted the counters as is.

Anyway, here you can all see the problem:

# tc -s -d qdisc
qdisc ingress ffff: dev eth0 ----------------
 Sent 5109350 bytes 13696 pkts (dropped 935, overlimits 0)

And the only tc rules I executed were:

tc qdisc add dev eth0 handle ffff: ingress
tc filter add dev eth0 parent ffff: protocol ip prio 10 u32 \
   match ip src 192.168.0.0/24 \
   match ip dst 192.168.0.0/24 \
   police rate 100mbit burst 10k drop flowid :2

In this test, what I did is just hovering over KDE's taskbar and clicking on the K menu. BTW, I'll tell you that many operations work fine, but there are some (as the ones I've just referred to) that are rather slow.

Now, let's see what is the maximum ssh speed:

# scp edulix@192.168.0.7:/home/edulix/videos/prodigy90_med.mpg /home/edulix/temp/
Warning: Permanently added '192.168.0.7' (RSA) to the list of known hosts.
edulix@192.168.0.7's password:
prodigy90_med.mpg   11%  992KB  45.0KB/s

Mamma mia! That must demonstrate the problem hehe. In normal conditions that video is transferred in less than 3 seconds at 7-8 Mb/s! After doing that, I can see:

# tc -s -d qdisc
qdisc ingress ffff: dev eth0 ----------------
 Sent 30133742 bytes 88401 pkts (dropped 4792, overlimits 0)

Cheers,
Edulix.
From lrotger@aircomp.aero Fri Jul 2 13:06:40 2004
From: lrotger@aircomp.aero (L Rotger)
Date: Fri, 02 Jul 2004 14:06:40 +0200
Subject: [LARTC] [ANNOUNCE] Updated version of iproute2 snapshot version
In-Reply-To: <20040701153801.78428e4a@dell_ss3.pdx.osdl.net>
References: <20040701153801.78428e4a@dell_ss3.pdx.osdl.net>
Message-ID: <40E54FD0.5040509@aircomp.aero>

Stephen Hemminger wrote:
> Okay, it's been too long already, here is an update to iproute2
> (ip, tc, ss, ...) utilities. Here is an updated snapshot.
>
> http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.X-ss040701.tar.gz

Just some quick points:

- maybe you should check for other executables. It turned out I had ip and tc in /sbin and they were first in the path so /usr/sbin/tc never ran. Maybe you can do a loop prior to installing and delete whatever "which tc" and "which ip" return until they return nothing.

- the "make" command incorrectly detected ATM but I have not set it in the kernel, and KERNEL_INCLUDE was correctly set. After editing ./Config and setting it to n it compiled fine in 2.4.23. I can post my kernel config if you want to investigate this.

Well, many thanks for the good job! It works for me.

L Rotger

From util@deuroconsult.ro Fri Jul 2 14:24:09 2004
From: util@deuroconsult.ro (Catalin BOIE)
Date: Fri, 2 Jul 2004 16:24:09 +0300 (EEST)
Subject: [LARTC] [ANNOUNCE] Updated version of iproute2 snapshot version
In-Reply-To: <40E54FD0.5040509@aircomp.aero>
References: <20040701153801.78428e4a@dell_ss3.pdx.osdl.net> <40E54FD0.5040509@aircomp.aero>
Message-ID:

Hi Rotger.

> Just some quick points:
> - maybe you should check for other executables. It turned out I had ip and tc
> in /sbin and they were first in the path so /usr/sbin/tc never ran. Maybe you
> can do a loop prior to installing and delete whatever "which tc" and "which
> ip" return until they return nothing.

This is the job of the package manager. On Slackware with upgradepkg it works fine.

> - the "make" command incorrectly detected ATM but I have not set it in the
> kernel, and KERNEL_INCLUDE was correctly set. After editing ./Config and
> setting it to n it compiled fine in 2.4.23. I can post my kernel config if
> you want to investigate this.
>
> well, many thanks for the good job! it works for me.
>
> L Rotger
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

From gypsy@iswest.com Fri Jul 2 15:13:25 2004
From: gypsy@iswest.com (gypsy)
Date: Fri, 02 Jul 2004 07:13:25 -0700
Subject: [LARTC] filter ingress policy rates -> slow!!
References: <200407021036.28648.edulix@tumundoweb.com>
Message-ID: <40E56D85.374394CF@iswest.com>

"Edulix (by way of Edulix )" wrote:
> Anyway, here you can all see the problem:
>
> # tc -s -d qdisc
> qdisc ingress ffff: dev eth0 ----------------
>  Sent 5109350 bytes 13696 pkts (dropped 935, overlimits 0)
>
> And the only tc rules I executed were:
>
> tc qdisc add dev eth0 handle ffff: ingress
> tc filter add dev eth0 parent ffff: protocol ip prio 10 u32 \
>    match ip src 192.168.0.0/24 \
>    match ip dst 192.168.0.0/24 \
>    police rate 100mbit burst 10k drop flowid :2
>
> In this test, what I did is just hovering over KDE's taskbar and clicking on
> the K menu. BTW, I'll tell you that many operations work fine, but there are
> some (as the ones I've just referred to) that are rather slow.
>
> Now, let's see what is the maximum ssh speed:
> # scp edulix@192.168.0.7:/home/edulix/videos/prodigy90_med.mpg /home/edulix/temp/
> prodigy90_med.mpg   11%  992KB  45.0KB/s
>
> Mamma mia! That must demonstrate the problem hehe. In normal conditions that
> video is transferred in less than 3 seconds at 7-8 Mb/s! After doing that, I
> can see:
> # tc -s -d qdisc
> qdisc ingress ffff: dev eth0 ----------------
>  Sent 30133742 bytes 88401 pkts (dropped 4792, overlimits 0)
>
> Cheers,
> Edulix.

Did you build your own kernel? If not, do. If so:
1) What kernel version?
2) Post results of
   grep "define PSCHED_CLOCK" /usr/src/linux/include/net/pkt_sched.h

Google "LARTC accuracy" and whatever else you can find from this list regarding having to set the rate based on results rather than what you know the rate to be.

Keep Steph involved; he's The Master.

gypsy

From Glen.Mabey@usu.edu Fri Jul 2 15:58:56 2004
From: Glen.Mabey@usu.edu (Glen Mabey)
Date: Fri, 2 Jul 2004 08:58:56 -0600
Subject: [LARTC] htb: class 10007 isn't work conserving ?!
Message-ID: <20040702145856.GE630@mabeys.dsl.aros.net>

I'm getting the following error/warning at some point in my config script, and I'm not sure which class it is referring to.

htb: class 10007 isn't work conserving ?!

I [think I] understand that htb is a non-work-conserving qdisc, and I [think I] have configured things so that every htb qdisc I instantiate limits the bandwidth, so I don't understand why this situation would invoke a warning message.

Also -- is there some way to correlate this identifier "10007" with a classid?

Thank you,
Glen Mabey
--
******************************************************************
Glen W. Mabey
Glen.Mabey@usu.edu
http://mabeys.homelinux.com/glen/
******************************************************************

From saptah2000@yahoo.es Fri Jul 2 17:49:30 2004
From: saptah2000@yahoo.es (saptah)
Date: Fri, 02 Jul 2004 18:49:30 +0200
Subject: [LARTC] traffic balancing over two ADSL
Message-ID: <40E5921A.6010205@yahoo.es>

Hi all.
First of all, sorry for my (bad) English.
I want to balance the traffic in a local network over two ADSL lines. I wanna send http traffic through ADSL line number 1, and the other traffic by the default ADSL (number 2).
Can you help me?
thx.

From edulix@tumundoweb.com Fri Jul 2 17:51:57 2004
From: edulix@tumundoweb.com (Edulix)
Date: Fri, 2 Jul 2004 18:51:57 +0200
Subject: [LARTC] Re: [] filter ingress policy rates -> slow!!
In-Reply-To: <40E56D85.374394CF@iswest.com>
References: <200407021036.28648.edulix@tumundoweb.com> <40E56D85.374394CF@iswest.com>
Message-ID: <200407021851.59038.edulix@tumundoweb.com>

On Friday, 2 July 2004 16:13, gypsy wrote:
> Did you build your own kernel? If not, do. If so:
> 1) What kernel version?

Using 2.4.22 here (default of Fedora Core 1).

> 2) Post results of
>    grep "define PSCHED_CLOCK" /usr/src/linux/include/net/pkt_sched.h

# grep "define PSCHED_CLOCK" /usr/src/linux-2.4/include/net/pkt_sched.h
#define PSCHED_CLOCK_SOURCE PSCHED_JIFFIES

Does it help?

> Google "LARTC accuracy" and whatever else you can find from this list
> regarding having to set the rate based on results rather than what you
> know the rate to be.
>
> Keep Steph involved; he's The Master.

Steph, do you know anything about this problem? Keep involved! ;-P

BTW, now I'm just compiling the kernel from the SRPM, but I don't think that's the problem. And yes, I've found at least one match; see http://marc.theaimsgroup.com/?l=lartc&m=108436626432730&w=2 . I think he had the same problem as me. I'll keep searching..

Good luck,
Edulix.

From lists@wildgooses.com Fri Jul 2 18:28:53 2004
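The clock granularity that gypsy's grep is probing, worked through as a model: with PSCHED_CLOCK_SOURCE set to PSCHED_JIFFIES the scheduler's clock only advances once per jiffy, so a policer cannot add tokens between two ticks. Whatever arrives inside one tick beyond `burst` bytes is dropped, and the throughput the policer lets through is capped at roughly burst × HZ no matter how large `rate` is; a burst of at least one tick's worth of bytes (rate / 8 / HZ), or a finer clock source, removes the cap. This is an added illustration, not code from the thread, from tc or from the kernel. It assumes HZ=100 (a 10 ms jiffy, the 2.4 default), that tc's `100mbit` means 100,000,000 bit/s and `10k` means 10240 bytes, and a constructed sender pushing 1500-byte packets at 7.5 MB/s.

```python
"""Token-bucket policer driven by a coarse (jiffy) clock.

Added example; the traffic figures are constructed, not Edulix's traces.
Assumptions: HZ=100 (one tick = 10 ms), tc 'mbit' = 1,000,000 bit/s,
tc '10k' = 10 * 1024 bytes.
"""


class JiffyPolicer:
    """Minimal model of 'police rate R burst B drop' whose notion of time is a
    tick counter: tokens are only earned when the tick changes, which is how a
    PSCHED_JIFFIES clock source makes the kernel's policer behave."""

    def __init__(self, rate_bps: int, burst_bytes: int, hz: int = 100):
        self.rate_bps = rate_bps
        self.burst = burst_bytes
        self.hz = hz
        self.tokens = burst_bytes   # bucket starts full
        self.last_tick = 0

    def offer(self, t_us: int, length: int) -> bool:
        """Offer a packet of `length` bytes arriving at t_us microseconds.
        True if the policer passes it, False if it is dropped."""
        tick = t_us * self.hz // 1_000_000
        if tick != self.last_tick:
            # refill happens only now; anything above burst is lost
            earned = (tick - self.last_tick) * self.rate_bps // (8 * self.hz)
            self.tokens = min(self.burst, self.tokens + earned)
            self.last_tick = tick
        if self.tokens >= length:
            self.tokens -= length
            return True
        return False


def simulate(policer: JiffyPolicer, pkt_len: int, interval_us: int,
             duration_us: int) -> tuple:
    """Send one packet every interval_us for duration_us; return (passed, dropped)."""
    passed = dropped = 0
    for t in range(0, duration_us, interval_us):
        if policer.offer(t, pkt_len):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def min_burst_for_rate(rate_bps: int, hz: int) -> int:
    """Smallest burst that lets rate_bps be sustained when the clock moves only
    hz times a second: one tick's worth of bytes."""
    return rate_bps // (8 * hz)


def ceiling_bytes_per_sec(burst_bytes: int, hz: int) -> int:
    """Upper bound on throughput under a coarse clock: one burst per tick."""
    return burst_bytes * hz


if __name__ == "__main__":
    RATE, BURST = 100_000_000, 10 * 1024          # Edulix's 'rate 100mbit burst 10k'
    PKT, INTERVAL, SECOND = 1500, 200, 1_000_000  # constructed 7.5 MB/s sender

    coarse = JiffyPolicer(RATE, BURST, hz=100)
    print("jiffy clock, burst 10k  :", simulate(coarse, PKT, INTERVAL, SECOND))
    print("ceiling bytes/s         :", ceiling_bytes_per_sec(BURST, 100))
    fixed = JiffyPolicer(RATE, min_burst_for_rate(RATE, 100), hz=100)
    print("jiffy clock, burst 125k :", simulate(fixed, PKT, INTERVAL, SECOND))
    fine = JiffyPolicer(RATE, BURST, hz=1_000_000)
    print("microsecond clock       :", simulate(fine, PKT, INTERVAL, SECOND))
```

With the 10 ms clock and a 10k burst the model passes 6 packets per tick and drops the other 44, about 0.9 MB/s through a "100 Mbit" policer; raising the burst to one tick's worth (125000 bytes) or switching to a microsecond clock lets the same sender through untouched. The drop counters in `tc -s qdisc` are where this shows up on a real box.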
From: lists@wildgooses.com (Ed Wildgoose)
Date: Fri, 02 Jul 2004 18:28:53 +0100
Subject: [LARTC] traffic balancing over two ADSL
In-Reply-To: <40E5921A.6010205@yahoo.es>
References: <40E5921A.6010205@yahoo.es>
Message-ID: <40E59B55.2000206@wildgooses.com>

saptah wrote:
> Hi all.
> First of all, sorry for my (bad) English.
> I want to balance the traffic in a local network over two ADSL lines.
> I wanna send http traffic through ADSL line number 1, and the other
> traffic by the default ADSL (number 2).

Sure, have a good read of the LARTC howto. It's a very thorough document that covers this in great depth. (I think it's translated into a couple of languages as well?)

It's certainly quite possible though and several people here are using that kind of setup.

Ed W

From shemminger@osdl.org Fri Jul 2 19:06:22 2004
From: shemminger@osdl.org (Stephen Hemminger)
Date: Fri, 2 Jul 2004 11:06:22 -0700
Subject: [LARTC] [ANNOUNCE] Another version of iproute2 snapshot version
In-Reply-To: <40E54FD0.5040509@aircomp.aero>
References: <20040701153801.78428e4a@dell_ss3.pdx.osdl.net> <40E54FD0.5040509@aircomp.aero>
Message-ID: <20040702110622.53fec373@dell_ss3.pdx.osdl.net>

Minor tweaks to yesterday's version:
- ATM detection in configure is now by compiling, not just looking for the header.
- TC command already supports extension via shared library, but changed the search from the usual LD_LIBRARY_PATH to /usr/lib/tc. Made more sense to put q_ffoo.so in a separate directory.
- ATM (and netem) are built as shared libraries, both as an example and for ATM to handle package dependency issues where a distribution would like to build support for all schedulers, but libatm.so may not be present on the end user system (unless atm is installed).

Available at:
http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.X-ss040702.tar.gz

From shemminger@osdl.org Fri Jul 2 21:44:37 2004
From: shemminger@osdl.org (Stephen Hemminger) Date: Fri, 2 Jul 2004 13:44:37 -0700 Subject: [LARTC] Re: [PATCH 2.6] update to network emulation QOS scheduler In-Reply-To: <20040701113312.43cfe6c5@dell_ss3.pdx.osdl.net> References: <20040701113312.43cfe6c5@dell_ss3.pdx.osdl.net> Message-ID: <20040702134437.5891e998@dell_ss3.pdx.osdl.net> Here is an enhancement to netem to do allow emulating lower speed networks. The resolution is close, but obviously limited by the granularity of timers and size of packets. Also, fixes a rtnetlink dependency which showed up in some configurations and optimizes for the non-loss case by avoiding net_random call. Signed-off-by: Stephen Hemminger diff -Nru a/net/sched/sch_netem.c b/net/sched/sch_netem.c --- a/net/sched/sch_netem.c 2004-07-02 13:40:11 -07:00 +++ b/net/sched/sch_netem.c 2004-07-02 13:40:11 -07:00 @@ -18,6 +18,7 @@ #include #include #include +#include #include @@ -31,11 +32,13 @@ struct sk_buff_head qnormal; struct sk_buff_head qdelay; struct timer_list timer; + psched_time_t last; u32 latency; u32 loss; u32 counter; u32 gap; + u32 rate; }; /* Time stamp put into socket buffer control block */ @@ -54,13 +57,23 @@ pr_debug("netem_enqueue skb=%p @%lu\n", skb, jiffies); /* Random packet drop 0 => none, ~0 => all */ - if (q->loss >= net_random()) { + if (q->loss && q->loss >= net_random()) { sch->stats.drops++; return 0; /* lie about loss so TCP doesn't know */ } if (q->qnormal.qlen < sch->dev->tx_queue_len) { PSCHED_GET_TIME(cb->time_to_send); + if (q->rate) { + if (!PSCHED_IS_PASTPERFECT(q->last) && + PSCHED_TLESS(cb->time_to_send, q->last)) + cb->time_to_send = q->last; + + PSCHED_TADD(cb->time_to_send, + (USEC_PER_SEC * skb->len) / q->rate); + q->last = cb->time_to_send; + } + PSCHED_TADD(cb->time_to_send, q->latency); __skb_queue_tail(&q->qnormal, skb); @@ -179,6 +192,7 @@ q->gap = qopt->gap; q->loss = qopt->loss; q->latency = qopt->latency; + q->rate = qopt->rate; return 0; } 
@@ -196,6 +210,7 @@ q->timer.function = netem_timer; q->timer.data = (unsigned long) sch; q->counter = 0; + PSCHED_SET_PASTPERFECT(q->last); return netem_change(sch, opt); } @@ -217,6 +232,7 @@ qopt.limit = sch->dev->tx_queue_len; qopt.loss = q->loss; qopt.gap = q->gap; + qopt.rate = q->rate; RTA_PUT(skb, TCA_OPTIONS, sizeof(qopt), &qopt); From adamt@commspeed.net Fri Jul 2 23:54:45 2004 
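Review bot: the new `psched_time_t last` and `u32 rate` members in the `@@ -31,11 +32,13 @@` hunk carry no comment on unit or purpose; from the enqueue arithmetic `(USEC_PER_SEC * skb->len) / q->rate` the rate has to be in bytes per second, and `last` is the send time of the previous packet, used to serialise the emulated link. State both next to the fields, since a caller that fills `rate` in bit/s gets a link eight times slower than intended, and the iproute2 side that fills the option has to agree on the unit.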
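Review bot: `PSCHED_TADD(cb->time_to_send, (USEC_PER_SEC * skb->len) / q->rate)` in the `@@ -54,13 +57,23 @@` hunk multiplies before it divides, in `unsigned long`, which is 32 bits on i386: any packet over 4294 bytes (jumbo frames, or the 16436-byte loopback MTU) overflows and is scheduled far too early. Do the product in 64 bits (`(u64)USEC_PER_SEC * skb->len` with `do_div`) or use a psched rate table the way tbf does. The division also truncates to whole microseconds per packet, so the error accumulates across many small packets at high rates. The `q->loss && q->loss >= net_random()` guard a few lines up is right and should stay: it avoids both the random-number call and the spurious drop when `net_random()` returns 0 with no loss configured.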
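Review bot: `q->rate = qopt->rate;` in the `@@ -179,6 +192,7 @@` hunk reads a `rate` member of `struct tc_netem_qopt`, but the diff touches only `net/sched/sch_netem.c`; without the matching change to the header that defines `tc_netem_qopt` (and the iproute2 side that fills it) this does not compile, so that hunk belongs in the same patch. Nothing validates the value either: a tiny non-zero rate makes the per-packet delay enormous with no upper bound, which is worth at least a comment.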
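Review bot: `PSCHED_SET_PASTPERFECT(q->last)` is done only in `netem_init` (`@@ -196,6 +210,7 @@`); `netem_reset` purges both queues but keeps `q->last`, so after a reset of a backlogged emulated link the next packet is still held until the old `last`, a deadline belonging to a queue that no longer exists. Reset `last` there as well.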
From: adamt@commspeed.net (Adam Towarnyckyj)
Date: Fri, 2 Jul 2004 15:54:45 -0700
Subject: [LARTC] TC Hashing Filters
Message-ID: <00b701c46087$91b18c00$903113d8@uranus>

Hey all,

I had asked a question a little while ago about CPU usage being outrageous while using tc and a cbq qdisc. Ed was very kind and offered a few suggestions. One of these was to look at hashing. So after pounding away at it for about a week, I have a general understanding of how it works and have tried to implement it. Unfortunately, and quite obviously since I'm posting here, it does not work for me.

The Problem:
When implemented, and all the tc commands are entered, I get no errors or anything for that matter. It looks like everything went in smoothly. I do a show and sure enough, it is all there and looks good. However, when I have a computer hooked up on one side of the limiter and the other side hooked up to the internet, I do a download test and get the average 35Mbps that I normally see from our office.

The Situation:
The first step in troubleshooting this problem involved finding out if tc even limited at all. So I set up a simple class with a 128Kbit rate and cbq root qdisc like I had originally and all worked well. The download test showed 128Kbit/s like it should. I was happy that this part works.
It seems that when I install the hash tables and assign it to hash based on the last octet in the IP address, it just allows traffic to pass through without limiting. This is where I run into the trouble.

The Commands:
Here is what I originally started out with based on the Hashing Filter How To:

# Create root qdisc
tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 200Mbit avpkt 1000

# Create a "transit class"
tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 200Mbit rate 200Mbit allot 1514 weight 2Mbit prio 8 maxburst 10 avpkt 1000

# Create hash table attached to transit class
tc filter add dev eth1 parent 1:0 handle 2: protocol ip u32 divisor 256

# Create filter to hash out last octet and link to hash table 2:
tc filter add dev eth1 protocol ip parent 1:1 prio 5 u32 ht 800:: match ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2:

# Create class for 128Kbit limit
tc class add dev eth1 parent 1:0 classid 1:2 cbq bandwidth 200Mbit rate 128kbit allot 1514 prio 5 maxburst 20 avpkt 1000 bounded

# Create filter for IP I'm limiting
tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:8c match ip src 216.19.49.140 flowid 1:2

Troubleshooting:
There are a few things I'd like to point out. First off, I'm only working with one IP address at the moment and the traffic is coming from only one Class C at the moment. I've even tried hard setting the hash ip src to 216.19.49.140/32 and that doesn't work. Second, I've tried attaching each of these to different parents. I tried attaching the hash table to the root qdisc as well as the transit class. I've tried the same for the limiting class and the ip filter. None of this works. Third, I've also tried it without the transit class at all and just doing everything direct off the root qdisc. Not only have I used the Hashing Filter How To but I have also used some suggestions from Gideon who posted to this list in the past (http://mailman.ds9a.nl/pipermail/lartc/2003q2/008516.html). I tried htb as well and this qdisc didn't work either. Also, I've changed the src to dst and I originally started out using the hash ip src as our entire network of 216.19.0.0/18.

If anyone has an understanding of hashing filters, please PLEASE let me know what I'm doing wrong. I've been working on this for three days straight now and in the meantime, our bandwidth limiting is not running which is INCREDIBLY important to my boss. I currently have just a straight list of 5000 users that I do not want to stray too far from (the iptables project Ed referred to requires a complete overhaul of my current implementation). I'm pulling my hair out because according to my understanding of it and based on what others have done this SHOULD be working.....

Thank you very much for at least taking the time to read this. I truly appreciate it. I'm also hoping that this will spark a thread for future people who run into the same trouble I am having. Thanks.

Adam Towarnyckyj

From zoop@lone.ath.cx Sat Jul 3 01:12:57 2004
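One thing worth checking mechanically in a setup like Adam's is that the bucket named in the per-host filter (`ht 2:8c`) is the bucket the link filter's `hashkey mask 0x000000ff at 12` will actually jump to, and that the mask and divisor together spread the hosts over distinct buckets. The following is an added example written for this thread; it is not tc's or the kernel's code. It assumes, as a model of the u32 classifier of that era, that the key is the 32-bit word at the hashkey offset taken in network byte order, ANDed with the mask, XOR-folded by 16 and then by 8 bits, and masked with divisor-1; for a single-octet mask that reduces to the selected octet, which is the only case exercised here. The helper names and the "216.19.49.0/24" checks are constructed.

```python
"""Which u32 hash bucket does an address land in, and which 'ht TABLE:BUCKET'
must the per-host filter name?

Added example for the hashing setup discussed in this thread, not tc's or the
kernel's code.  Assumption: u32's fold is modelled as
    h = word & mask; h ^= h >> 16; h ^= h >> 8; bucket = h & (divisor - 1)
with `word` the 32-bit value at the hashkey offset in network byte order
(offset 12 = IP source, 16 = IP destination).  Only single-octet masks are
exercised, for which this reduces to "the selected octet".
"""
import ipaddress


def u32_hash_fold(word: int, mask: int) -> int:
    """Modelled fold of the masked key (assumption, see module docstring)."""
    h = word & mask
    h ^= h >> 16
    h ^= h >> 8
    return h


def bucket_for(ip: str, mask: int, divisor: int) -> int:
    """Bucket index (0 .. divisor-1) for `ip` under 'hashkey mask MASK'.
    The divisor must be a power of two, as tc requires."""
    if divisor <= 0 or divisor & (divisor - 1):
        raise ValueError("u32 divisor must be a power of two")
    word = int(ipaddress.IPv4Address(ip))  # the address bytes, network order
    return u32_hash_fold(word, mask) & (divisor - 1)


def ht_handle(table: int, bucket: int) -> str:
    """tc spells hash-table handles in hex: table 2, bucket 140 -> '2:8c'."""
    return f"{table:x}:{bucket:x}"


def host_filter_cmd(dev: str, parent: str, prio: int, table: int, ip: str,
                    flowid: str, mask: int = 0x000000FF, divisor: int = 256) -> str:
    """The per-host leaf filter, placed in the bucket the link filter will
    actually jump to.  Same shape as the last tc command in the thread."""
    handle = ht_handle(table, bucket_for(ip, mask, divisor))
    return (f"tc filter add dev {dev} protocol ip parent {parent} prio {prio} "
            f"u32 ht {handle} match ip src {ip} flowid {flowid}")


def distinct_buckets(network: str, mask: int, divisor: int) -> int:
    """How many different buckets the addresses of `network` spread over.
    A good (mask, divisor) pair gives one bucket per host; a bad one piles
    every host into the same bucket and the hash table buys nothing."""
    net = ipaddress.ip_network(network)
    return len({bucket_for(str(a), mask, divisor) for a in net})


if __name__ == "__main__":
    print(host_filter_cmd("eth1", "1:0", 5, 2, "216.19.49.140", "1:2"))
    print("last octet,  divisor 256:", distinct_buckets("216.19.49.0/24", 0x000000FF, 256))
    print("last octet,  divisor 16 :", distinct_buckets("216.19.49.0/24", 0x000000FF, 16))
    print("third octet, divisor 256:", distinct_buckets("216.19.49.0/24", 0x0000FF00, 256))
```

For 216.19.49.140 the model gives bucket 0x8c, so the `ht 2:8c` in the per-host filter is consistent with the link filter's mask; a divisor of 16 would fold the /24 into 16 buckets of 16 hosts each, and masking the third octet instead would put the whole /24 into one bucket. Generating the per-host lines with `host_filter_cmd` for all 5000 addresses avoids hand-computing the hex bucket for each.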
From: zoop@lone.ath.cx (zoop@lone.ath.cx)
Date: Sat, 03 Jul 2004 00:12:57 +0000
Subject: [LARTC] TC Hashing Filters
Message-ID: <20040703.Wd7.83031100@www.djrance.com>

> # Create filter to hash out last octet and link to hash table 2:
> tc filter add dev eth1 protocol ip parent 1:1 prio 5 u32 ht 800:: match ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2:

I think this needs to be attached to the root. parent 1:0

Adam Towarnyckyj (adamt@commspeed.net) wrote:
>
> Hey all,
> I had asked a question a little while ago about CPU usage being outrageous
> while using tc and a cbq qdisc. Ed was very kind and offered a few
> suggestions. One of these was to look at hashing. So after pounding away at
> it for about a week, I have a general understanding of how it works and have
> tried to implement it. Unfortunately, and quite obviously since I'm posting
> here, it does not work for me.
>
> The Problem:
> When implemented, and all the tc commands are entered, I get no errors or
> anything for that matter. It looks like everything went in smoothly. I do a
> show and sure enough, it is all there and looks good. However, when I have a
> computer hooked up on one side of the limiter and the other side hooked up to
> the internet, I do a download test and get the average 35Mbps that I normally
> see from our office.
>
> The Situation:
> The first step in troubleshooting this problem involved finding out if tc
> even limited at all. So I set up a simple class with a 128Kbit rate and cbq
> root qdisc like I had originally and all worked well. The download test
> showed 128Kbit/s like it should. I was happy that this part works.
> It seems that when I install the hash tables and assign it to hash based on
> the last octet in the IP address, it just allows traffic to pass through
> without limiting. This is where I run into the trouble.
> >The Commands: > Here is what I originally started out with based on the Hashing >Filter How To: > > # Create root qdisc > tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 200Mbit >avpkt 1000 > > # Create a "transit class" > tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth >200Mbit rate 200Mbit allot 1514 weight 2Mbit prio 8 maxburst 10 avpkt >1000 > > # Create hash table attached to transit class > tc filter add dev eth1 parent 1:0 handle 2: protocol ip u32 >divisor 256 > > # Create filter to hash out last octet and link to hash table 2: > tc filter add dev eth1 protocol ip parent 1:1 prio 5 u32 ht >800:: match ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2: > > # Create class for 128Kbit limit > tc class add dev eth1 parent 1:0 classid 1:2 cbq bandwidth >200Mbit rate 128kbit allot 1514 prio 5 maxburst 20 avpkt 1000 bounded > > # Create filter for IP I'm limiting > tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:8c >match ip src 216.19.49.140 flowid 1:2 > >Troubleshooting: > There are a few things I'd like to point out. First off, I'm >only working with one IP address at the moment and the traffic is coming >from only one Class C at the moment. I've even tried hard setting the >hash ip src to 216.19.49.140/32 and that doesn't work. Second, I've >tried attaching each of these to different parents. I tried attaching >the hash table to the root qdisc as well as the transit class. I've >tried the same for the limiting class and the ip filter. None of this >works. Third, I've also tried it without the transit class at all and >just doing everything direct off the root qdisc. Not only have I used >the Hashing Filter How To but I have also used some suggestions from >Gideon who posted to this list in the past. >(http://mailman.ds9a.nl/pipermail/lartc/2003q2/008516.html). I tried htb >as well and this qdisc didn't work either. 
Also, I've changed the src to >dst and I originally started out using the hash ip src as our entire >network of 216.19.0.0/18. > If anyone has an understanding of hashing filters, please PLEASE >let me know what I'm doing wrong. I've been working on this for three >days straight now and in the meantime, our bandwidth limiting is not >running which is INCREDIBLY important to my boss. I currently have just >a straight list of 5000 users that I do not want to stray too far from >(the iptables project Ed referred to requires a complete overhaul of my >current implementation). I'm pulling my hair out because according to my >understanding of it and based on what others have done this SHOULD be >working..... > Thank you very much for at least taking the time to read this. I >truly appreciate it. I'm also hoping that this will spark a thread for >future people who run into the same trouble I am having. Thanks. > >Adam Towarnyckyj > > >_______________________________________________ >LARTC mailing list / LARTC@mailman.ds9a.nl >http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > -- When dealing with a slow pipe, never underestimate the throughput of the postal system. From gypsy@iswest.com Sat Jul 3 05:14:24 2004 
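As an added example (not code from the thread), this Python script models how cls_u32 picks the hash bucket for the `hashkey mask 0x000000ff at 12` selector above and generates the per-IP filter lines for a whole table of limited hosts, with every filter attached to the same parent as zoop suggests. The hash-fold modelling (mask, shift by trailing zero bits, result below the divisor), the helper names and the sample host-to-class map are the editor's assumptions.

```python
"""Model the u32 hash bucket selection and emit the matching tc filter lines.

Added example, not code from the list. Assumption: cls_u32 derives the bucket
for an IPv4 address field by ANDing the 32-bit word with the hashkey mask,
shifting right by the mask's trailing zero bits, and indexing the table of
size `divisor` with the result.
"""
from ipaddress import IPv4Address

# Byte offsets of the IPv4 source and destination addresses ("at 12" / "at 16")
IP_SRC_OFFSET = 12
IP_DST_OFFSET = 16


def u32_bucket(ip: str, mask: int = 0x000000FF, divisor: int = 256) -> int:
    """Return the bucket that `hashkey mask <mask>` selects for `ip`."""
    if mask == 0:
        raise ValueError("hashkey mask must not be zero")
    word = int(IPv4Address(ip))               # address as a big-endian 32-bit word
    fshift = (mask & -mask).bit_length() - 1  # count of trailing zero bits in mask
    bucket = (word & mask) >> fshift
    if bucket >= divisor:
        raise ValueError(f"bucket {bucket:#x} does not fit a divisor of {divisor}")
    return bucket


def hash_table_setup(dev: str, network: str, *, field: str = "src",
                     parent: str = "1:0", ht: int = 2, divisor: int = 256,
                     mask: int = 0x000000FF) -> list[str]:
    """Commands that create hash table `ht` and link the root table (800:)
    to it, keyed on the chosen address field. Both use one parent (1:0)."""
    offset = IP_SRC_OFFSET if field == "src" else IP_DST_OFFSET
    return [
        f"tc filter add dev {dev} parent {parent} handle {ht}: protocol ip u32 divisor {divisor}",
        f"tc filter add dev {dev} protocol ip parent {parent} prio 5 u32 ht 800:: "
        f"match ip {field} {network} hashkey mask {mask:#010x} at {offset} link {ht}:",
    ]


def leaf_filters(dev: str, ip_to_class: dict[str, str], *, field: str = "src",
                 parent: str = "1:0", ht: int = 2, divisor: int = 256,
                 mask: int = 0x000000FF) -> list[str]:
    """One filter per limited host, placed in the bucket the hash selects.
    Hosts that share the hashed octet (e.g. across a /18) share a bucket and
    are matched linearly inside it, so the mask choice sets the bucket depth."""
    lines = []
    for ip, classid in ip_to_class.items():
        bucket = u32_bucket(ip, mask, divisor)
        lines.append(
            f"tc filter add dev {dev} protocol ip parent {parent} prio 5 u32 "
            f"ht {ht}:{bucket:x} match ip {field} {ip} flowid {classid}"
        )
    return lines


if __name__ == "__main__":
    # Constructed sample: the /24 and the single host from the thread.
    for line in hash_table_setup("eth1", "216.19.49.0/24"):
        print(line)
    for line in leaf_filters("eth1", {"216.19.49.140": "1:2"}):
        print(line)
```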
From: gypsy@iswest.com (gypsy)
Date: Fri, 02 Jul 2004 21:14:24 -0700
Subject: [LARTC] filter ingress policy rates -> slow!!
References: <200407021036.28648.edulix@tumundoweb.com> <40E56D85.374394CF@iswest.com> <200407021851.59038.edulix@tumundoweb.com>
Message-ID: <40E632A0.51A90EE1@iswest.com>

Edulix wrote:
> Using 2.4.22 here (default of Fedora Core 1).
>
> > 2) Post results of
> > grep "define PSCHED_CLOCK" /usr/src/linux/include/net/pkt_sched.h
>
> # grep "define PSCHED_CLOCK" /usr/src/linux-2.4/include/net/pkt_sched.h
> #define PSCHED_CLOCK_SOURCE PSCHED_JIFFIES
>
> does it help ?

Yes, it sure does.

Edit pkt_sched.h and change from JIFFIES to CPU. Before you recompile the kernel, make config and make sure the CPU setting is higher than CONFIG_M486 or you'll get an error message. If you have any of the schedule stuff (CONFIG_NET_SCH_blah) as modules (you do):

make (YourFavoriteFlavorOf)config (checking/changing - if needed - the CPU)
make clean ; make dep ; make bzImage
make modules
make modules_install

Those "make"s are broken up like that for a reason. Just Do It, please.

If you did not have to change the CPU type, you can just reload the ingress module:
modprobe -r sch_ingress
modprobe sch_ingress

and test the setup. If you did change the CPU type, you should install your new kernel, run lilo and reboot using the new kernel.

buck

From edulix@tumundoweb.com Sat Jul 3 10:44:46 2004
From: edulix@tumundoweb.com (Edulix)
Date: Sat, 3 Jul 2004 11:44:46 +0200
Subject: [LARTC] filter ingress policy rates -> slow!!
In-Reply-To: <40E632A0.51A90EE1@iswest.com>
References: <200407021036.28648.edulix@tumundoweb.com> <200407021851.59038.edulix@tumundoweb.com> <40E632A0.51A90EE1@iswest.com>
Message-ID: <200407031144.46988.edulix@tumundoweb.com>

On Saturday, 3 July 2004 06:14, gypsy wrote:
> Edulix wrote:
> > Using 2.4.22 here (default of Fedora Core 1).
> >
> > > 2) Post results of
> > > grep "define PSCHED_CLOCK" /usr/src/linux/include/net/pkt_sched.h
> >
> > # grep "define PSCHED_CLOCK" /usr/src/linux-2.4/include/net/pkt_sched.h
> > #define PSCHED_CLOCK_SOURCE PSCHED_JIFFIES
> >
> > does it help ?
>
> Yes, it sure does.
>
> Edit pkt_sched.h and change from JIFFIES to CPU. Before you recompile the kernel, make config and make sure the CPU setting is higher than CONFIG_M486 or you'll get an error message. If you have any of the schedule stuff (CONFIG_NET_SCH_blah) as modules (you do):
>
> make (YourFavoriteFlavorOf)config (checking/changing - if needed - the CPU)
> make clean ; make dep ; make bzImage
> make modules
> make modules_install
>
> Those "make"s are broken up like that for a reason. Just Do It, please.
>
> If you did not have to change the CPU type, you can just reload the ingress module:
> modprobe -r sch_ingress
> modprobe sch_ingress
>
> and test the setup. If you did change the CPU type, you should install your new kernel, run lilo and reboot using the new kernel.
>
> buck

Thanks for the info. I don't know why I'm having problems compiling the kernel image [1]. It looks like a linking issue or a bad module, but I doubt it's easy to solve. I am going to change distro in a few days so I think that trying to find a solution might not be worth it :-).

What's more, I haven't changed the CPU type (Athlon by default) so I'm trying to build modules even without having compiled the kernel image successfully.

BTW, should I warn the Fedora devels about the JIFFIES problem?

Thanks for your time,
Edulix.

---
[1] In the execution of 'make bzImage', I get:
----------
make[1]: Saliendo directorio `/usr/src/linux-2.4.22-1.2135.nptl/arch/i386/lib'
make[1]: Cambiando a directorio `/usr/src/linux-2.4.22-1.2135.nptl'
kallsyms pass 1
ld -m elf_i386 -T /usr/src/linux-2.4.22-1.2135.nptl/arch/i386/vmlinux.lds -e stext arch/i386/kernel/head.o arch/i386/kernel/init_task.o init/main.o init/version.o init/do_mounts.o --start-group arch/i386/kernel/kernel.o arch/i386/mm/mm.o kernel/kernel.o mm/mm.o fs/fs.o ipc/ipc.o drivers/acpi/acpi.o drivers/cpufreq/cpufreq.o drivers/char/char.o drivers/block/block.o drivers/misc/misc.o drivers/net/net.o drivers/char/drm/drm.o drivers/net/fc/fc.o drivers/net/appletalk/appletalk.o drivers/net/tokenring/tr.o drivers/net/wan/wan.o drivers/atm/atm.o drivers/ide/idedriver.o drivers/cdrom/driver.o drivers/pci/driver.o drivers/net/pcmcia/pcmcia_net.o drivers/net/wireless/wireless_net.o drivers/pnp/pnp.o drivers/video/video.o drivers/net/hamradio/hamradio.o drivers/media/media.o drivers/md/mddev.o drivers/isdn/vmlinux-obj.o crypto/crypto.o drivers/sensors/sensor.o net/network.o /usr/src/linux-2.4.22-1.2135.nptl/arch/i386/lib/lib.a /usr/src/linux-2.4.22-1.2135.nptl/lib/lib.a /usr/src/linux-2.4.22-1.2135.nptl/arch/i386/lib/lib.a --end-group -o .tmp_vmlinux1
drivers/ide/idedriver.o(.text+0x17570): En la función `ide_mediactl':
: undefined reference to `get_info_ptr'
make[1]: *** [kallsyms] Error 1
make[1]: Saliendo directorio `/usr/src/linux-2.4.22-1.2135.nptl'
make: *** [vmlinux] Error 2
----------

From lists@wildgooses.com Sat Jul 3 12:09:37 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Sat, 03 Jul 2004 12:09:37 +0100
Subject: [LARTC] filter ingress policy rates -> slow!!
In-Reply-To: <200407031144.46988.edulix@tumundoweb.com>
References: <200407021036.28648.edulix@tumundoweb.com> <200407021851.59038.edulix@tumundoweb.com> <40E632A0.51A90EE1@iswest.com> <200407031144.46988.edulix@tumundoweb.com>
Message-ID: <40E693F1.7030809@wildgooses.com>

> Thanks for the info. I don't know why I'm having problems compiling the kernel image [1]. It looks like a linking issue or a bad module, but I doubt it's easy to solve. I am going to change distro in a few days so I think that trying to find a solution might not be worth it :-).

Unlikely to change anything... Compiling is somewhat independent of the rest of your system (perhaps depends on gcc version and some other stuff, but not too much in practice)

> What's more, I haven't changed the CPU type (Athlon by default) so I'm trying to build modules even without having compiled the kernel image successfully.

Aha, but did you do all the "make" commands that you were told to do? It's important that they are all done

Ed W

From edulix@tumundoweb.com Sat Jul 3 12:47:59 2004
From: edulix@tumundoweb.com (Edulix)
Date: Sat, 3 Jul 2004 13:47:59 +0200
Subject: [LARTC] filter ingress policy rates -> slow!!
In-Reply-To: <40E693F1.7030809@wildgooses.com>
References: <200407021036.28648.edulix@tumundoweb.com> <200407031144.46988.edulix@tumundoweb.com> <40E693F1.7030809@wildgooses.com>
Message-ID: <200407031348.00292.edulix@tumundoweb.com>

On Saturday, 3 July 2004 13:09, Ed Wildgoose wrote:
> > Thanks for the info. I don't know why I'm having problems compiling the kernel image [1]. It looks like a linking issue or a bad module, but I doubt it's easy to solve. I am going to change distro in a few days so I think that trying to find a solution might not be worth it :-).
>
> Unlikely to change anything... Compiling is somewhat independent of the rest of your system (perhaps depends on gcc version and some other stuff, but not too much in practice)

I think it will change because:
I'm not going to use the same distro, but change from Fedora to Suse.
What's more, I've managed to compile this same kernel source some time ago, so something wrong must be happening :-).

> > What's more, I haven't changed the CPU type (Athlon by default) so I'm trying to build modules even without having compiled the kernel image successfully.
>
> Aha, but did you do all the "make" commands that you were told to do? It's important that they are all done

Of course I did =). BTW, I've been compiling (successfully most of the time) 2.4.x linux kernels since 2-3 years ago :-P.

As I said, I'll get Suse 9.1 Prof soon (the 10th most probably). I'm curious about the PSCHED_CLOCK_SOURCE value. Is the default Fedora value (PSCHED_JIFFIES instead of PSCHED_CPU) wrong or deprecated? Or is it just that you have to compile your own kernel in order to get ingress rate policies working fine?

From mark@thummb.com Sat Jul 3 12:33:13 2004
From: mark@thummb.com (Mark Coetser)
Date: Sat, 3 Jul 2004 13:33:13 +0200
Subject: [LARTC] load balanced adsl lines
Message-ID: <002101c460f1$8699fcc0$fe00000a@citadel>

Hi Ppl

I have 5 adsl lines that after reading quite a bit I managed to get load balanced. Now obviously it doesn't load balance evenly and this works on what routes are still in the routing cache. My question is: my outbound masquerading had to be modified to use snat in iptables instead of just plain masquerading. My outbound masquerading now works but my inbound port forwarding doesn't work. Would this be an iptables problem or a routing issue...

I have opened all the relevant ports on each of the interfaces and I am not getting any logged denies; the connection just never opens.

I am running the following

debian woody
kernel 2.6.6

ip rule list
0:      from all lookup local
32761:  from 165.165.170.110 lookup T5
32762:  from 165.165.187.47 lookup T4
32763:  from 165.165.189.95 lookup T3
32764:  from 165.165.163.95 lookup T2
32765:  from 165.165.179.151 lookup T1
32766:  from all lookup main
32767:  from all lookup default

ip route sh
165.165.160.1 dev ppp1  proto kernel  scope link  src 165.165.163.95
165.165.160.1 dev ppp3  proto kernel  scope link  src 165.165.187.47
165.165.160.1 dev ppp4  proto kernel  scope link  src 165.165.170.110
165.165.160.1 dev ppp0  proto kernel  scope link  src 165.165.179.151
165.165.160.1 dev ppp2  proto kernel  scope link  src 165.165.189.95
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.1
default
        nexthop via 165.165.160.1  dev ppp0 weight 1
        nexthop via 165.165.160.1  dev ppp1 weight 1
        nexthop via 165.165.160.1  dev ppp2 weight 1
        nexthop via 165.165.160.1  dev ppp3 weight 1
        nexthop via 165.165.160.1  dev ppp4 weight 1
From lists@wildgooses.com Sat Jul 3 14:13:26 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Sat, 03 Jul 2004 14:13:26 +0100
Subject: [LARTC] filter ingress policy rates -> slow!!
In-Reply-To: <200407031348.00292.edulix@tumundoweb.com>
References: <200407021036.28648.edulix@tumundoweb.com> <200407031144.46988.edulix@tumundoweb.com> <40E693F1.7030809@wildgooses.com> <200407031348.00292.edulix@tumundoweb.com>
Message-ID: <40E6B0F6.10805@wildgooses.com>

> I think it will change because:
> I'm not going to use the same distro, but change from Fedora to Suse.
> What's more, I've managed to compile this same kernel source some time ago, so something wrong must be happening :-).

One workaround is to look at which module is erroring (in your case an IDE bit of code). And then see if you can live without that code (disable it).

Also if you are using a redhat .config preprovided file then it tends to build everything as a module - in my experience this becomes very fragile. I prefer to have few or no modules (and this tends to fix a lot of compile probs as well)

> As I said, I'll get Suse 9.1 Prof soon (the 10th most probably). I'm curious about the PSCHED_CLOCK_SOURCE value. Is the default Fedora value (PSCHED_JIFFIES instead of PSCHED_CPU) wrong or deprecated? Or is it just that you have to compile your own kernel in order to get ingress rate policies working fine?

I'm a BIG fan of gentoo. You never need to upgrade again...! (Debian sounds nice as well)

I think the psched_clock_source code just changes how the scheduler works out how often to fire. Basically it's hard to get accurate high resolution timers on most operating systems. I haven't studied the details, but assume the CPU method gives more accurate results, perhaps at the expense of more CPU required..?
Ed W

From lists@wildgooses.com Sat Jul 3 14:32:17 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Sat, 03 Jul 2004 14:32:17 +0100
Subject: [LARTC] Re: [PATCH 2.6] update to network emulation QOS scheduler
In-Reply-To: <20040702134437.5891e998@dell_ss3.pdx.osdl.net>
References: <20040701113312.43cfe6c5@dell_ss3.pdx.osdl.net> <20040702134437.5891e998@dell_ss3.pdx.osdl.net>
Message-ID: <40E6B561.4050200@wildgooses.com>

> Here is an enhancement to netem to do allow emulating lower speed networks. The resolution is close, but obviously limited by the granularity of timers and size of packets.

Hi Stephen,

This looks extremely useful. I have a need for a simulator for the Iridium Satellite phone network, this is at most 2,400 baud with perhaps 1 sec or more latency. Do you expect this scheduler to be able to do this slow?

On a related note, for better accuracy I currently need a bit of stochastic variability on the latency, ie assume a 1 sec min delay, but also to vary that a little through time. Have you considered adding that as a feature?

Thanks

Ed W

From nico@telecable.es Sat Jul 3 15:41:47 2004
From: nico@telecable.es (Nicolás Victorero Mier)
Date: Sat, 3 Jul 2004 16:41:47 +0200
Subject: [LARTC] Setup balancing a cable modem and an ADSL
Message-ID: <002701c4610b$e03e72a0$0a00a8c0@pain>
Hello,

I've setup a box to balance traffic between a cable modem and an adsl. I've installed fedora core 2 in the box, then downloaded kernel 2.6.7, applied Julian Anastov patches for version 2.6.7, and then when I tried to compile the kernel I got an error about variable rt not declared, so I checked the patch and saw one of the things it changes is getting rid of line 84 of ipt_MASQUERADE.c ( struct rtable *rt; ), so I added the line back, and the kernel compiled ok.

Now I can have the hosts in my internal network being forwarded through both lines and all seems to work properly, but after some hours, it stops working and I cannot have packets forwarded by any of the lines; the linux box still can reach internet through both interfaces. I wonder if it's caused by my changes to ipt_MASQUERADE.c.

By the way my ultimate goal is to use both lines from 1 p2p host, but it seems not to work like that. I guess all the p2p clients come to my p2p box through line 1 (that has an inbound port forwarded to the p2p host), and so all the packets to those p2p clients go through line 1 rather than 2, while line 2 is virtually useless. I've checked with ntop, and line 1 bandwidth usage is 20+ times that of line 2.

Nico
From gypsy@iswest.com Sat Jul 3 16:02:31 2004
From: gypsy@iswest.com (gypsy)
Date: Sat, 03 Jul 2004 08:02:31 -0700
Subject: [LARTC] filter ingress policy rates -> slow!!
References: <200407021036.28648.edulix@tumundoweb.com> <200407021851.59038.edulix@tumundoweb.com> <40E632A0.51A90EE1@iswest.com> <200407031144.46988.edulix@tumundoweb.com>
Message-ID: <40E6CA87.D5E6D84F@iswest.com>

Edulix wrote:
> BTW, should I warn the Fedora devels about the JIFFIES problem?

No. It is set to JIFFIES because that is the setting required so that all the CPUs in the kernel .config list work. If you select 386 or 486 in 'make config', make bzImage will fail because the CPU does not support a clock. 'cat /proc/cpuinfo | grep tsc' - if that would work in a .h file - would return TRUE for CPUs that do support a clock. Otherwise, the Time Of Day clock (IRQ 8) or "jiffies" (IRQ 0) should be used.

> Edulix.

> drivers/ide/idedriver.o drivers/cdrom/driver.o drivers/pci/driver.o
> drivers/net/pcmcia/pcmcia_net.o drivers/net/wireless/wireless_net.o
> drivers/pnp/pnp.o drivers/video/video.o drivers/net/hamradio/hamradio.o
> drivers/media/media.o drivers/md/mddev.o drivers/isdn/vmlinux-obj.o
> crypto/crypto.o drivers/sensors/sensor.o
> net/network.o /usr/src/linux-2.4.22-1.2135.nptl/arch/i386/lib/lib.a /usr/src/linux-2.4.22-1.2135.nptl/lib/lib.a /usr/src/linux-2.4.22-1.2135.nptl/arch/i386/lib/lib.a
> --end-group -o .tmp_vmlinux1
> drivers/ide/idedriver.o(.text+0x17570): En la función `ide_mediactl':
> : undefined reference to `get_info_ptr'
> make[1]: *** [kallsyms] Error 1
> make[1]: Saliendo directorio `/usr/src/linux-2.4.22-1.2135.nptl'
> make: *** [vmlinux] Error 2

If anything should be reported, this is it. It says to me that you either didn't 'make clean ; make dep' or that the idedriver.c is poorly written. But, since you intend to change distros, why waste your time on this?
You may want to have a look at my notes about building a 2.4.25 kernel. They are Slackware specific but they do describe most of the steps, in order (but not in detail), I take.

ftp://andthatsjazz.org/pub/lartc/BUILD-2.4.25

From edulix@tumundoweb.com Sat Jul 3 23:25:34 2004
From: edulix@tumundoweb.com (Edulix)
Date: Sun, 4 Jul 2004 00:25:34 +0200
Subject: [LARTC] filter ingress policy rates -> slow!!
Message-ID: <200407040025.34742.edulix@tumundoweb.com>

On Saturday, 3 July 2004 17:02, gypsy wrote:
> Edulix wrote:
> > BTW, should I warn the Fedora devels about the JIFFIES problem?
>
> No. It is set to JIFFIES because that is the setting required so that all the CPUs in the kernel .config list work. If you select 386 or 486 in 'make config', make bzImage will fail because the CPU does not support a clock. 'cat /proc/cpuinfo | grep tsc' - if that would work in a .h file - would return TRUE for CPUs that do support a clock. Otherwise, the Time Of Day clock (IRQ 8) or "jiffies" (IRQ 0) should be used.

Well, a bit more info:

I've tried to reproduce the same thing on my sister's computer. Whereas I have an Athlon XP 2000+, she has a Celeron 2.4 Ghz. Whereas I use FC1, she uses SuSE 9.0. I saw in the sources that she also has JIFFIES configured. Basically, exactly the same problem happens on her computer: her rate, instead of being ~44 kb/s, was about... 400-700kb/s.

After that, I just remembered that I've got gentoo installed in another partition of my PC. I rebooted, and went to the kernel sources (using vanilla 2.6.1). I saw that it was using JIFFIES, so I changed to CPU. Then I executed make menuconfig to be sure that I had selected Athlon as my cpu type and that the QoS modules were selected (they were). So I didn't need to change anything in the configuration. Finally, I executed "make" and "make modules_install", and did a "modprobe -r sch_ingress; modprobe sch_ingress".

I executed "eshaper start downlink" and checked with an "eshaper status" that the rules were there (no packets dropped yet). Then I tried copying a file from my sister's computer via scp and it went at about a 700 Kb/s to 1.2 Mb/s rate! Note that in Fedora, on the very same pc, it went at only 40 Kb/s. "eshaper status" told me that there were many many packets dropped. I tried to transfer files without any tc rules (executed "eshaper stop" for cleaning them) and it went at 10 Mb/s - files transferred much faster.

I haven't checked CPU usage in these tests though... it might be a good idea.

Any ideas? What to do now? I'm still looking at compiling my sister's kernel with CPU instead of JIFFIES, because maybe it will go at the desired speed - remember that even with JIFFIES the rate was ~400-700 kb/s!

Thanks for your time,
Edulix.

From gypsy@iswest.com Sun Jul 4 20:47:59 2004
From: gypsy@iswest.com (gypsy)
Date: Sun, 04 Jul 2004 12:47:59 -0700
Subject: [LARTC] filter ingress policy rates -> slow!!
References: <200407040025.34742.edulix@tumundoweb.com>
Message-ID: <40E85EEF.7E46B49D@iswest.com>

"Edulix (by way of Edulix )" wrote:
> "eshaper status" told me that there were many many packets dropped. I tried to transfer files without any tc rules (executed "eshaper stop" for cleaning them) and it went at 10 Mb/s - files transferred much faster.
>
> I haven't checked CPU usage in these tests though... it might be a good idea.
>
> Any ideas? What to do now? I'm still looking at compiling my sister's kernel

Now that you have an accurate timer, it is time to find out how much deviation there is between what you expect and what you get. Create a script with these lines, replacing "#" with the correct number.
tc qdisc del dev eth# ingress 2> /dev/null
tc qdisc add dev eth# handle ffff: ingress
tc filter add dev eth# parent ffff: protocol ip \
   prio 50 u32 match ip src 0.0.0.0/0 police rate \
   82000Kbit burst 10k drop flowid :1

Read the LARTC documentation to see why I used 82000Kbit. Hint: 82000/8=10250

If necessary, increase 82000 until there are no more dropped packets when you transfer a file, then back it down until you start getting a few drops. Play with the 10k to see what effect changing burst has. I like it big.

When you've found the maximum rate, please post your script (for google) and show us the counters. If you find that the CPU load is significant, I shall be VERY surprised.

gypsy

From mz269@hszk.bme.hu Sun Jul 4 22:40:38 2004
From: mz269@hszk.bme.hu (Mezei Zoltan)
Date: Sun, 4 Jul 2004 23:40:38 +0200 (MEST)
Subject: [LARTC] TEQL+HTB (?)
Message-ID:

Hi!

We have 2 lines with 2 mbit each. I have to set up a configuration like the following:
- if both lines work, grant 3 mbit to a web service running on a server in our DMZ
- if one line fails, grant all the remaining 2 mbit to that service
- if the service doesn't need all the bandwidth, use the remaining for other services

I read through the HOWTO, and figured out that I need TEQL to create a virtual device that can have HTB attached. My questions:
- how will bandwidth granting work with teql? Will the bandwidth be additive and then granting and borrowing possible?
- if one line fails, what will happen? I guess that the failing device (e.g. eth1) will go offline, and the teql device will contain only the remaining device (eth2) - how will htb behave then with that 3 mbit granting set up?

Thanks, I hope these are not such beginner questions.

--
Zizi
"Meg nincs teljesen kesz, de mar majdnem elkezdtuk!"
From mingching.tiew@redtone.com Mon Jul 5 03:25:08 2004
From: mingching.tiew@redtone.com (Ming-Ching Tiew)
Date: Mon, 5 Jul 2004 10:25:08 +0800
Subject: [LARTC] traffic balancing over two ADSL
References: <40E5921A.6010205@yahoo.es> <40E59B55.2000206@wildgooses.com>
Message-ID: <017601c46237$4ac67560$0100a8c0@redtone.com>

> > > hi all.
> > > First of all, sorry for my (bad) english.
> > > I want to balance the traffic in a local network over two ADSL.
> > > I wanna send http traffic through ADSL line number 1. And the other traffic by the default ADSL (number 2)
> >
> > Sure, have a good read of the LARTC howto. It's a very thorough document that covers this in great depth. (I think it's translated into a couple of languages as well?)
> >
> > It's certainly quite possible though and several people here are using that kind of setup.
>

I am assuming you are using NAT. Sorry, this may upset lots of people, but I find that it is not advisable to implement according to the LARTC howto. I struggled on it for a few months.

More info at :-
http://www.geocities.com/mctiew/ffw/dual.htm

You may not want to use it, but at least please read what I have been through in the 'Introduction'.

From util@deuroconsult.ro Mon Jul 5 07:18:11 2004
From: util@deuroconsult.ro (Catalin BOIE)
Date: Mon, 5 Jul 2004 09:18:11 +0300 (EEST)
Subject: [LARTC] htb: class 10007 isn't work conserving ?!
In-Reply-To: <20040702145856.GE630@mabeys.dsl.aros.net>
References: <20040702145856.GE630@mabeys.dsl.aros.net>
Message-ID:

On Fri, 2 Jul 2004, Glen Mabey wrote:
> I'm getting the following error/warning at some point in my config script, and I'm not sure which class it is referring to.
>
> htb: class 10007 isn't work conserving ?!

What qdisc is attached to this class?

> I [think I] understand that htb is a non-work-conserving qdisc, and I [think I] have configured things so that every htb qdisc I instantiate limits the bandwidth, so I don't understand why this situation would invoke a warning message.
>
> Also -- is there some way to correlate this identifier "10007" with a classid?
>
> Thank you,
> Glen Mabey
>
> --
> ******************************************************************
> Glen W. Mabey
> Glen.Mabey@usu.edu
> http://mabeys.homelinux.com/glen/
> ******************************************************************
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

From cbolton@hirstanddanson.co.uk Mon Jul 5 15:07:33 2004
From: cbolton@hirstanddanson.co.uk (Chris Bolton)
Date: Mon, 5 Jul 2004 15:07:33 +0100
Subject: [LARTC] htb: class 10007 isn't work conserving ?!
In-Reply-To:
Message-ID: <200407051409.i65E9px68044@smtp.shellnet.co.uk>

Hi all,

Our ISP has given us 5 static IP addresses plus one router IP address and I was wondering if I could get rid of their stupid EN5861 router and set up the linux machine to handle all the static addresses and routing. I figured I'd have to set up aliases for the other IP addresses eg ifconfig eth0:0 xx.xx.xx.193 but once I've done that I've found out I can't use ip route to configure it eg ip route add default dev eth0:0 table server. What's the best way to go about this?

Cheers.

By the way I'm running redhat 9 with two adsl connections, one is a speedtouch USB modem and the other is the EN5861 router.

From lists@wildgooses.com Mon Jul 5 16:51:03 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Mon, 05 Jul 2004 16:51:03 +0100
Subject: [LARTC] htb: class 10007 isn't work conserving ?!
In-Reply-To: <200407051409.i65E9px68044@smtp.shellnet.co.uk>
References: <200407051409.i65E9px68044@smtp.shellnet.co.uk>
Message-ID: <40E978E7.6030908@wildgooses.com>

>Our ISP has given us 5 static IP addresses plus one router IP address and I
>was wondering if I could get rid of their stupid EN5861 router and set up
>the Linux machine to handle all the static addresses and routing. I figured
>I'd have to set up aliases for the other IP addresses, e.g. ifconfig eth0:0
>xx.xx.xx.193, but once I've done that I've found out I can't use ip route to
>configure it, e.g. ip route add default dev eth0:0 table server. What's the
>best way to go about this?
>
>Cheers.
>
>By the way I'm running Red Hat 9 with two ADSL connections; one is a
>Speedtouch USB modem and the other is the EN5861 router.
>
>

I'm not quite sure why you tagged this on to the end of a thread about htb classes? As a result many people may not even read your question...?

I have one of those EN5861 router things, and actually I find it pretty good. The biggest issue is that it's a bit of a timebomb: the power supply dies after a few years, and unless you have a spare it's a bit of a weak link.

Do you need to do some particularly advanced routing that's stopping you just using the EN5861?

Good luck

Ed W

From cbolton@hirstanddanson.co.uk Mon Jul 5 17:14:20 2004
From: cbolton@hirstanddanson.co.uk (Chris Bolton)
Date: Mon, 5 Jul 2004 17:14:20 +0100
Subject: [LARTC] Static ip addresses/aliases previously (my mistake) htb: class 10007 isn't work conserving ?!
Message-ID: <200407051616.i65GGcx94225@smtp.shellnet.co.uk>

>>Our ISP has given us 5 static IP addresses plus one router IP address
>>and I was wondering if I could get rid of their stupid EN5861 router
>>and set up the Linux machine to handle all the static addresses and
>>routing.
>>I figured I'd have to set up aliases for the other IP addresses,
>>e.g. ifconfig eth0:0
>>xx.xx.xx.193, but once I've done that I've found out I can't use ip
>>route to configure it, e.g. ip route add default dev eth0:0 table server.
>>What's the best way to go about this?
>>
>>Cheers.
>>
>>By the way I'm running Red Hat 9 with two ADSL connections; one is a
>>Speedtouch USB modem and the other is the EN5861 router.
>>
>>
>
>I'm not quite sure why you tagged this on to the end of a thread about htb classes? As a result many people may not even read your question...?

Erm, no reason, I was just half asleep at the time.

>I have one of those EN5861 router things, and actually I find it pretty
>good. The biggest issue is that it's a bit of a timebomb: the
>power supply dies after a few years, and unless you have a spare it's a
>bit of a weak link.
>
>Do you need to do some particularly advanced routing that's stopping you just using the EN5861?

No, I am using the EN5861, it's just that we have two ADSL lines and only one EN5861, and rather than buying another I'd like to use Linux to do the same job as the EN5861, if you know what I mean.

So far I've set up ppp0:0, which I've assigned one of the static IP addresses supplied to us by our ISP, but when I try and route through it, i.e. ip route add default dev ppp0:0 table T1, then it returns the error "no such device", which is quite right, there isn't. If I route through it using the IP address of ppp0:0, i.e. ip route add default via x.x.x.193 table T1, then it does work but anything that goes through it ends up using the IP address of ppp0.

So how can I set up the Linux box to use these static IP addresses in the same way I can with the EN5861?

I hope I've made myself clear; it's hard trying to explain something when you're not too sure exactly what you're talking about. Anyway, any help will be gladly received.

Cheers,
Chris.
From Glen.Mabey@usu.edu Mon Jul 5 15:43:53 2004
From: Glen.Mabey@usu.edu (Glen Mabey)
Date: Mon, 5 Jul 2004 08:43:53 -0600
Subject: [LARTC] htb: class 10007 isn't work conserving ?!
In-Reply-To:
References: <20040702145856.GE630@mabeys.dsl.aros.net>
Message-ID: <20040705144353.GB1127@mabeys.dsl.aros.net>

On Mon, Jul 05, 2004 at 09:18:11AM +0300, Catalin BOIE wrote:
> On Fri, 2 Jul 2004, Glen Mabey wrote:
>
> >I'm getting the following error/warning at some point in my config
> >script, and I'm not sure which class it is referring to.
> >
> >htb: class 10007 isn't work conserving ?!
>
> What qdisc is attached to this class?

Yes, that's what I was trying to ask below. I'm still trying to figure out which class (in the : format) the error message is referring to.

So, since I'm not sure which class it is (and I have several htb qdiscs; oh, I just realized that I neglected to mention that I'm using HTB), I'm not sure which qdisc this refers to.

> >I [think I] understand that htb is a non-work-conserving qdisc, and I
> >[think I] have configured things so that every htb qdisc I instantiate
> >limits the bandwidth, so I don't understand why this situation would
> >invoke a warning message.
> >
> >Also -- is there some way to correlate this identifier "10007" with a
> >classid?

I'm just starting back on working on this problem this morning, and I'll approach it via a process of elimination, but I just thought there surely must be some sort of deterministic mapping between the : label and this one given in the warning message.

Thank you --
Glen

--
******************************************************************
Glen W. Mabey
Glen.Mabey@usu.edu
http://mabeys.homelinux.com/glen/
******************************************************************

From james+lartc@vincentsystems.com Mon Jul 5 20:21:34 2004
From: james+lartc@vincentsystems.com (James Sneeringer)
Date: Mon, 5 Jul 2004 14:21:34 -0500
Subject: [LARTC] Static ip addresses/aliases previously (my mistake) htb: class 10007 isn't work conserving ?!
In-Reply-To: <200407051616.i65GGcx94225@smtp.shellnet.co.uk>
References: <200407051616.i65GGcx94225@smtp.shellnet.co.uk>
Message-ID: <20040705192134.GA16152@valjean.si.ocslink.com>

On Mon, Jul 05, 2004 at 05:14:20PM +0100, Chris Bolton wrote:
> No, I am using the EN5861, it's just that we have two ADSL lines and only one
> EN5861, and rather than buying another I'd like to use Linux to do the same
> job as the EN5861, if you know what I mean.

You can, but since you have two ADSL lines, you'll need two ADSL devices of some kind, whether it's a pair of 5861s, or a 5861 and an ADSL port adapter (external modem, PCI card, whatever) that Linux supports. The simplest solution will be to have the same setup for both lines. Either use two 5861s, or get two ADSL adapters that Linux can talk to.

> So far I've set up ppp0:0, which I've assigned one of the static IP addresses
> supplied to us by our ISP, but when I try and route through it, i.e. ip route
> add default dev ppp0:0 table T1, then it returns the error "no such device",
> which is quite right, there isn't. If I route through it using the IP
> address of ppp0:0, i.e. ip route add default via x.x.x.193 table T1, then it
> does work but anything that goes through it ends up using the IP address of
> ppp0.

So both lines were supplied by the same ISP?

> So how can I set up the Linux box to use these static IP addresses in the
> same way I can with the EN5861?

If you want to remove the 5861 from the picture entirely, you'll need to replace it with some sort of ADSL adapter. You can't just plug a DSL line into an ethernet card.
> I hope I've made myself clear; it's hard trying to explain something when
> you're not too sure exactly what you're talking about. Anyway, any help will be
> gladly received.

It would help if you could draw a diagram of your network so we could get a better idea of what you're trying to do.

-James

From wadson@shaw.ca Tue Jul 6 03:09:05 2004
From: wadson@shaw.ca (David Wadson)
Date: Mon, 05 Jul 2004 22:09:05 -0400
Subject: [LARTC] Redundant link, but with a separate router?
Message-ID: <755DD65E-CEF1-11D8-BDDD-000393C9B940@shaw.ca>

      VPN (IP x.x.150.3)             VPN (IP x.x.150.3)
              |                              |
         Cable Link                      DSL Link
        (IP y.y.y.y)                 (ppp0 z.z.z.z)
              |                              |
       Netopia R9100                   Linux Router
       (IP x.x.125.1)                (eth0 x.x.125.3)
              |                              |
  ------------+---------x.x.125.0------------+-----------

Currently, our network (x.x.125.0) uses a Netopia R9100 as its gateway and firewall to the Internet. It also provides a critical VPN link to a remote site. In order to have a backup/redundant connection, I've added a DSL line using a Linux box as a router/firewall instead of purchasing another separate router.

What I'd like to do is load balance the two connections, but everything I've been reading shows a single box functioning as the router with 3 NICs in it: 1 for the internal network and 2 for the Internet connections. But is it possible to do it with my current setup, using the separate Netopia router as the second gateway? The gateway for the internal clients would be set to x.x.125.3 (the Linux router).

Most of the client workstations are Mac OS (pre-OS X for now) and Win 9x/XP. Only a small percentage of the workstations require access to the VPN and they don't produce much traffic on it. They could all be routed out one link or the other at the same time and it wouldn't have much effect on their performance, but if that link goes down, I want them to be able to flip over to the working connection relatively seamlessly. Load balancing on the non-VPN Internet traffic would be great though, as that load can get rather large.
I suppose I'm complicating things (needlessly?) by considering this approach instead of just sticking another NIC into the Linux router. But I do like having that Netopia router still in place: if anything happened to the Linux router, change the internal IP address on the Netopia and it functions as the default gateway with the VPN still in place.

Is this concept going to be possible, and assuming that it is, is it worthwhile?

Thanks,

Dave Wadson
IT Manager
The Chronicle-Journal

From util@deuroconsult.ro Tue Jul 6 06:52:48 2004
From: util@deuroconsult.ro (Catalin BOIE)
Date: Tue, 6 Jul 2004 08:52:48 +0300 (EEST)
Subject: [LARTC] htb: class 10007 isn't work conserving ?!
In-Reply-To: <20040705144353.GB1127@mabeys.dsl.aros.net>
References: <20040702145856.GE630@mabeys.dsl.aros.net> <20040705144353.GB1127@mabeys.dsl.aros.net>
Message-ID:

> Yes, that's what I was trying to ask below. I'm still trying to figure
> out which class (in the : format) the error message is
> referring to.

It's about class 1:7.

> So, since I'm not sure which class it is (and I have several htb
> qdiscs; oh, I just realized that I neglected to mention that I'm using
> HTB), I'm not sure which qdisc this refers to.
>
>>> I [think I] understand that htb is a non-work-conserving qdisc, and I
>>> [think I] have configured things so that every htb qdisc I instantiate
>>> limits the bandwidth, so I don't understand why this situation would
>>> invoke a warning message.
>>>
>>> Also -- is there some way to correlate this identifier "10007" with a
>>> classid?
>
> I'm just starting back on working on this problem this morning, and I'll
> approach it via a process of elimination, but I just thought there
> surely must be some sort of deterministic mapping between the
> : label and this one given in the warning message.
>
> Thank you --
> Glen
>
> --
> ******************************************************************
> Glen W. Mabey
> Glen.Mabey@usu.edu
> http://mabeys.homelinux.com/glen/
> ******************************************************************
>

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

From cbolton@hirstanddanson.co.uk Tue Jul 6 08:22:42 2004
From: cbolton@hirstanddanson.co.uk (Chris Bolton)
Date: Tue, 6 Jul 2004 08:22:42 +0100
Subject: FW: [LARTC] Static ip addresses/aliases previously (my mistake) htb: class 10007 isn't work conserving ?!
Message-ID: <200407060724.i667Ovx82178@smtp.shellnet.co.uk>

>> No, I am using the EN5861, it's just that we have two ADSL lines and only
>> one
>> EN5861, and rather than buying another I'd like to use Linux to do the
>> same job as the EN5861, if you know what I mean.
>
>You can, but since you have two ADSL lines, you'll need two ADSL devices of some kind, whether it's a pair of 5861s, or a 5861 and an ADSL port adapter (external modem, PCI card, whatever) that Linux supports.
>
>The simplest solution will be to have the same setup for both lines. Either use two 5861s, or get two ADSL adapters that Linux
>can talk to.
>
>> So far I've set up ppp0:0, which I've assigned one of the static IP
>> addresses supplied to us by our ISP, but when I try and route through
>> it, i.e. ip route add default dev ppp0:0 table T1, then it returns the
>> error "no such device", which is quite right, there isn't. If I route
>> through it using the IP address of ppp0:0, i.e. ip route add default via
>> x.x.x.193 table T1, then it does work but anything that goes through it
>> ends up using the IP address of ppp0.
>
>So both lines were supplied by the same ISP?

They sure are. Due to our location we can't have an ADSL line faster than 512kbps, so we've got two and I'm trying to load balance them. But that's another story.

>
>> So how can I set up the Linux box to use these static IP addresses in
>> the same way I can with the EN5861?
>
>If you want to remove the 5861 from the picture entirely, you'll need to replace it with some sort of ADSL adapter. You can't just plug a DSL line into an ethernet card.
>
>> I hope I've made myself clear; it's hard trying to explain something
>> when you're not too sure exactly what you're talking about. Anyway, any
>> help will be gladly received.
>
>It would help if you could draw a diagram of your network so we could get a better idea of what you're trying to do.

Ok, I'm not the best at ASCII diagrams but here goes anyway... (well, I'll modify the one in the advanced routing howto)

[Network diagram; the ASCII art did not survive the archive. The addresses it listed:
    EN5861 - 217.x.196.222
    eth0   - 10.0.0.152
    eth1   - 217.x.196.217
    eth2   - 217.x.196.218
    ppp0   - 217.x.230.198
    ppp0:0 - 217.x.230.193
 Local network --- eth0 [Linux router] eth1, eth2 --- [EN5861] --- Internet
                                       ppp0 --- USB --- [Speedtouch] --- Internet]

As you can see the Linux router has 3 network adapters, eth0 being the local LAN, and eth1 & eth2 are both connected to the EN5861 router. I've done that because I couldn't work out any other way to use the static IP addresses that our ISP have given us. For each connection we've got 5 IP addresses plus one for the router. Eth1 & eth2 work fine, i.e. both have the correct static IP address given to us by our ISP, but it seems impractical putting in another 3 cards to make use of the other IP addresses we have; there must be another way.

Cheers for the replies, I hope this makes things a bit easier to understand.
From lists@wildgooses.com Tue Jul 6 11:33:40 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Tue, 06 Jul 2004 11:33:40 +0100
Subject: FW: [LARTC] Static ip addresses/aliases previously (my mistake) htb: class 10007 isn't work conserving ?!
In-Reply-To: <200407060724.i667Ovx82178@smtp.shellnet.co.uk>
References: <200407060724.i667Ovx82178@smtp.shellnet.co.uk>
Message-ID: <40EA8004.9000502@wildgooses.com>

>eth1 & eth2 are both connected to the EN5861 router. I've done that
>because I couldn't work out any other way to use the static IP addresses that
>our ISP have given us.
>

Aha, this is a config question. You can just add as many IP addresses to each physical card as you like. I forget the exact syntax, but check man pages for "ifconfig" and look for "aliases".

Chances are your distro already has support for this. For example in Gentoo you edit /etc/conf.d/net and edit the aliases line. Different configs for all "normal" distros, but same idea.

From cbolton@hirstanddanson.co.uk Tue Jul 6 13:54:05 2004
From: cbolton@hirstanddanson.co.uk (Chris Bolton)
Date: Tue, 6 Jul 2004 13:54:05 +0100
Subject: FW: FW: [LARTC] Static ip addresses/aliases previously (my mistake) htb: class 10007 isn't work conserving ?!
Message-ID: <200407061256.i66CuJx62930@smtp.shellnet.co.uk>

>>eth1 & eth2 are both connected to the EN5861 router. I've done that
>>because I couldn't work out any other way to use the static IP addresses
>>that our ISP have given us.
>>
>
>Aha, this is a config question. You can just add as many IP addresses to each physical card as you like. I forget the exact syntax, but check man pages for "ifconfig" and look for "aliases".

Right, getting the hang of this now, managed to set up aliases for eth0 named eth0:0 and eth0:1 with the correct IP addresses, but how can I route with them?
When I do something like ip route add default dev eth0:0 it complains that it can't find eth0:0 as it's not a real adapter. I've been searching on Google to no avail and have come to a bit of a full stop.

Cheers.

From wdwrn@friendlycity.net Tue Jul 6 14:48:45 2004
From: wdwrn@friendlycity.net (Walt Wyndroski)
Date: Tue, 6 Jul 2004 09:48:45 -0400
Subject: [LARTC] Simply IMQ
References: <20030325160701.19589.85494.Mailman@outpost.ds9a.nl>
Message-ID: <003a01c4635f$f4cc9e30$0201a8c0@jabbacom.net>

I've followed this list for quite a long time and have even posted a couple of times. I used the early versions of IMQ from Devik (I think that was his name), and it worked well. I only ever got the chance to implement it in my test environment. I now need to implement it in my production environment. My Linux core router has nine interfaces and has a 27 megabit connection to the internet. It is quite busy much of the time. It runs Fedora Core 1 now but will most likely be upgraded to Fedora Core 2 in the next month or so.

Now with all that said, here is my question. I see that maintenance of IMQ has been passed on a couple of times. I see some people say that IMQ is not stable and should not be put into a production environment. My use of IMQ a year ago involved only egress qdiscs using HTB and SFQ because the egress qdiscs were much more powerful and better than the ingress qdisc. The only problem that I ever had with IMQ was using the iptables target with both PREROUTING and POSTROUTING. I see Roy has posted that IMQ essentially crashes when doing egress shaping. Is this correct? I've always understood egress as outbound shaping/filtering and ingress as inbound shaping/filtering. I say that because I saw in an earlier post by Roy that he changed his terminology to INPUT, OUTPUT, and FORWARD. Was he not using the terms egress and ingress correctly? I see that the current 'big' problem is touching locally generated traffic.
What I need to know is which version of IMQ is most stable for kernel 2.6? Or even kernel 2.4? Is it Devera's? McHardy's? Correa's? Or Roy's? Or should I just leave it alone? My apologies if I got names wrong.

This is probably a long email just to ask that question, but I can't seem to find an answer from the list archives. I downloaded the whole 46 MB archive and essentially read 90% of the posts related to IMQ. I'm just trying to get a good understanding of what's happening with/to IMQ.

Thank you in advance for any advice.

Walt Wyndroski

From roy@xxx.lt Tue Jul 6 15:34:30 2004
From: roy@xxx.lt (Roy)
Date: Tue, 6 Jul 2004 17:34:30 +0300
Subject: [LARTC] Simply IMQ
References: <20030325160701.19589.85494.Mailman@outpost.ds9a.nl> <003a01c4635f$f4cc9e30$0201a8c0@jabbacom.net>
Message-ID: <000c01c46366$5bcde250$030aa8c0@t>

Probably I was the last one who changed the imq code, so here are the facts:

Basically all imq versions are useful under the appropriate condition, which is: do not touch locally generated traffic. The ingress and egress terms are not correct for imq, because it is an iptables module, not a NIC. Just my version hooks on different iptables hooks, and simply ignores all locally generated traffic. It can't be crashed with incorrect rules. Basically the only advantage of my version is a more clean way to hook on iptables; the code is the same for 2.4 and 2.6 kernels, and there is no need to patch, so stability should be the same on both kernels.

Now it is hard to say why imq crashes, because crashes occur in various places not related to this module. It seems like a memory leak, but it does not look like imq can have such a bug. I suppose there is something wrong with iptables or the tcp code itself, since imq makes a big mess with packets by dropping and reordering them a lot.

Anyway imq does not work as I expected; basically all forward shaping is quite hard. I was trying to make a tcp traffic predictor because otherwise it is too late. It must be smart enough to work; I need to adjust predictor delay and packet size,
which makes it quite hard to implement.

----- Original Message -----
From: "Walt Wyndroski"
To:
Sent: Tuesday, July 06, 2004 4:48 PM
Subject: [LARTC] Simply IMQ

> I've followed this list for quite a long time and have even
> posted a couple
> of times. I used the early versions of IMQ from Devik (I think that was his
> name), and it worked well. I only ever got the chance to implement it in my
> test environment. I now need to implement it in my production environment.
> My Linux core router has nine interfaces and has a 27 megabit connection to
> the internet. It is quite busy much of the time. It runs Fedora Core 1 now
> but will most likely be upgraded to Fedora Core 2 in the next month or so.
>
> Now with all that said, here is my question. I see that maintenance of IMQ
> has been passed on a couple of times. I see some people say that IMQ is not
> stable and should not be put into a production environment. My use of IMQ a
> year ago involved only egress qdiscs using HTB and SFQ because the egress
> qdiscs were much more powerful and better than the ingress qdisc. The only
> problem that I ever had with IMQ was using the iptables target with both
> PREROUTING and POSTROUTING. I see Roy has posted that IMQ essentially
> crashes when doing egress shaping. Is this correct? I've always understood
> egress as outbound shaping/filtering and ingress as inbound
> shaping/filtering. I say that because I saw in an earlier post by Roy that
> he changed his terminology to INPUT, OUTPUT, and FORWARD. Was he not using
> the terms egress and ingress correctly? I see that the current 'big' problem
> is touching locally generated traffic. What I need to know is which version
> of IMQ is most stable for kernel 2.6? Or even kernel 2.4? Is it Devera's?
> McHardy's? Correa's? Or Roy's? Or should I just leave it alone? My apologies
> if I got names wrong.
>
> This is probably a long email just to ask that question, but I can't seem to
> find an answer from the list archives.
> I downloaded the whole 46 MB archive
> and essentially read 90% of the posts related to IMQ. I'm just trying to get
> a good understanding of what's happening with/to IMQ.
>
> Thank you in advance for any advice.
>
> Walt Wyndroski
>

From lists@wildgooses.com Tue Jul 6 16:07:52 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Tue, 06 Jul 2004 16:07:52 +0100
Subject: FW: FW: [LARTC] Static ip addresses/aliases previously (my mistake) htb: class 10007 isn't work conserving ?!
In-Reply-To: <200407061256.i66CuJx62930@smtp.shellnet.co.uk>
References: <200407061256.i66CuJx62930@smtp.shellnet.co.uk>
Message-ID: <40EAC048.9090404@wildgooses.com>

Chris Bolton wrote:

>>>eth1 & eth2 are both connected to the EN5861 router. I've done that
>>>because I couldn't work out any other way to use the static IP addresses
>>>that our ISP have given us.
>>>
>>
>>Aha, this is a config question. You can just add as many IP addresses to
>>
>each physical card as you like. I forget the exact syntax, but check man
>pages for "ifconfig" and look for "aliases".
>
>Right, getting the hang of this now, managed to set up aliases for eth0 named
>eth0:0 and eth0:1 with the correct IP addresses, but how can I route with
>them? When I do something like ip route add default dev eth0:0 it complains
>that it can't find eth0:0 as it's not a real adapter. I've been searching on
>Google to no avail and have come to a bit of a full stop.
>
>

Hmm, why would you need to route to a specific IP address? Basically it goes out on eth0 or it doesn't...? What else could it do? Perhaps you want to mangle things in IPTables or some such first? (eg NAT?)
Ed W

From james+lartc@vincentsystems.com Tue Jul 6 16:52:55 2004
From: james+lartc@vincentsystems.com (James Sneeringer)
Date: Tue, 6 Jul 2004 10:52:55 -0500
Subject: FW: [LARTC] Static ip addresses/aliases previously (my mistake) htb: class 10007 isn't work conserving ?!
Message-ID: <20040706155255.GC19258@valjean.si.ocslink.com>

[Sorry if this is received twice. Sent it with the wrong address once, not sure if the moderator will approve it.]

On Tue, Jul 06, 2004 at 08:22:42AM +0100, Chris Bolton wrote:
> Ok, I'm not the best at ASCII diagrams but here goes anyway... (well, I'll
> modify the one in the advanced routing howto)

Does this look right? Forget eth0 on Linux for a moment.

  ----------                                                  ----------
  |        | eth1   217.x.196.217/29 ---      217.x.196.222/29 |        |
  |        | eth2   217.x.196.218/29 ------------------------- | EN5861 | ___ DSL ___
  |  Linux |                                                  | router |     #1
  | router |                                                  ----------
  |        | ppp0   217.x.230.198/29 ---                     --------------
  |        | ppp0:0 217.x.230.193/29 -----'                  | Speedtouch | ___ DSL ___
  ----------                                                 | DSL bridge |     #2
                                                             --------------

> As you can see the Linux router has 3 network adapters, eth0 being the local
> LAN, and eth1 & eth2 are both connected to the EN5861 router. I've done that
> because I couldn't work out any other way to use the static IP addresses that
> our ISP have given us. For each connection we've got 5 IP addresses plus
> one for the router. Eth1 & eth2 work fine, i.e. both have the correct
> static IP address given to us by our ISP, but it seems impractical putting in
> another 3 cards to make use of the other IP addresses we have; there must be
> another way.

Ok, so the Speedtouch is some sort of DSL bridge, right? Meaning when you establish PPP (PPPoE?) to your ISP, you really have another ethernet card (eth3?) connected to the Speedtouch?

First, as someone else pointed out, the eth1/eth2 connections to the EN5861 are redundant. You can set up interface aliases on eth1 so it has both IP addresses.
% ip addr add 217.x.196.217/29 brd 217.x.196.223 dev eth1
% ip addr add 217.x.196.218/29 brd 217.x.196.223 dev eth1 label eth1:0

PPP is set up similarly. (PPPoE might configure ppp0 for you.)

% ip addr add 217.x.230.198/29 brd 217.x.230.199 dev ppp0
% ip addr add 217.x.230.193/29 brd 217.x.230.199 dev ppp0 label ppp0:0

You can continue to add as many aliases to either interface as you like.

Your problem then becomes load-balancing outbound traffic, because you have two potential default routes. One is the PPPoE connection via the Speedtouch (the remote IP is probably the DSL concentrator at your ISP). The other is the EN5861 on 217.x.196.222/29 (which in turn is probably talking to the same DSL concentrator as the Speedtouch).

The simplest approach (aside from defaulting everything out one interface, which you probably don't want) is to policy route based on source IP. If the source IP of a packet as it leaves the Linux router is 217.x.196.x/29, the packet should get routed via eth1 to the EN5861. If the source is 217.x.230.x/29, it should be routed via ppp0 to the Speedtouch. There are examples of this in the LARTC HOWTO.

How you want to set up your NAT for eth0 to take advantage of one connection or the other is up to you.

-James

From shemminger@osdl.org Tue Jul 6 17:09:06 2004
From: shemminger@osdl.org (Stephen Hemminger)
Date: Tue, 6 Jul 2004 09:09:06 -0700
Subject: [LARTC] Re: [PATCH 2.6] update to network emulation QOS scheduler
In-Reply-To: <1088824432.1043.271.camel@jzny.localdomain>
References: <20040701113312.43cfe6c5@dell_ss3.pdx.osdl.net> <20040702134437.5891e998@dell_ss3.pdx.osdl.net> <1088824432.1043.271.camel@jzny.localdomain>
Message-ID: <20040706090906.4ff6fb73@dell_ss3.pdx.osdl.net>

On 02 Jul 2004 23:13:52 -0400 jamal wrote:

> On Fri, 2004-07-02 at 16:44, Stephen Hemminger wrote:
> > Here is an enhancement to netem to allow emulating lower speed
> > networks.
> > The resolution is close, but obviously limited by the
> > granularity of timers and size of packets.
> >
> > Also, fixes a rtnetlink dependency which showed up in some configurations
> > and optimizes for the non-loss case by avoiding net_random call.
> >
>
> I think it's time I illustrate my comments earlier with some example;
> hopefully this will curb the amount of features on this qdisc.
> I do think there's value in having this thing do delay and jitter, but
> you have gone waay beyond that now;
> Let me illustrate things which apply to what you are trying to do in
> network conditions emulation. Although I show ingress qdisc, this
> applies to egress just the same.
>
> #drop 1 out 10 packets randomly using the netrand generator
> tc filter add dev eth0 parent ffff: protocol ip prio 6 u32 \
> match ip src 10.0.0.21/32 flowid 1:16 \
> action drop random netrand ok 0xa

Your examples made me think about this more. The netfilter seems best suited to things that affect the flow of packets (dropping, reordering, even corrupting), and the qdisc seems best when the timing needs to change.

The limit match in netfilter is not the same as the rate in the qdisc. The netem scheduler acts as if the link is a slow fixed rate. The netfilter limit is usually targeted to drop packets over the rate, which is not the same. Reordering is also hard without going out to a user log or building a custom target.

So, you have convinced me that loss is unnecessary, but not the rate, or delay. If we can figure out how to do re-ordering with netfilter then that could go too, which would make it possible to use a layered qdisc again.

From cbolton@hirstanddanson.co.uk Tue Jul 6 17:15:41 2004
From: cbolton@hirstanddanson.co.uk (Chris Bolton)
Date: Tue, 6 Jul 2004 17:15:41 +0100
Subject: FW: FW: [LARTC] Static ip addresses/aliases previously (my mistake) htb: class 10007 isn't work conserving ?!
Message-ID: <200407061617.i66GHsx05028@smtp.shellnet.co.uk>

Brilliant, cheers for that; it appears to be approaching 5.30 so I'll have to read through it tomorrow morning. At first glance it appears it's exactly what I need to implement. I've learnt so much today with all this it's untrue. Thanks to all who've helped.

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of James Sneeringer
Sent: 06 July 2004 16:53
To: lartc@mailman.ds9a.nl
Subject: Re: FW: [LARTC] Static ip addresses/aliases previously (my mistake) htb: class 10007 isn't work conserving ?!

[Sorry if this is received twice. Sent it with the wrong address once, not sure if the moderator will approve it.]

On Tue, Jul 06, 2004 at 08:22:42AM +0100, Chris Bolton wrote:
> Ok, I'm not the best at ASCII diagrams but here goes anyway... (well
> I'll modify the one in the advanced routing howto)

Does this look right? Forget eth0 on Linux for a moment.

  ----------                                                  ----------
  |        | eth1   217.x.196.217/29 ---      217.x.196.222/29 |        |
  |        | eth2   217.x.196.218/29 ------------------------- | EN5861 | ___ DSL ___
  |  Linux |                                                  | router |     #1
  | router |                                                  ----------
  |        | ppp0   217.x.230.198/29 ---                     --------------
  |        | ppp0:0 217.x.230.193/29 -----'                  | Speedtouch | ___ DSL ___
  ----------                                                 | DSL bridge |     #2
                                                             --------------

> As you can see the Linux router has 3 network adapters, eth0 being the
> local LAN, and eth1 & eth2 are both connected to the EN5861 router.
> I've done that because I couldn't work out any other way to use the
> static IP addresses that our ISP have given us. For each connection
> we've got 5 IP addresses plus one for the router. Eth1 & eth2
> work fine, i.e. both have the correct static IP address given to us by
> our ISP, but it seems impractical putting in another 3 cards to make use
> of the other IP addresses we have; there must be another way.

Ok, so the Speedtouch is some sort of DSL bridge, right? Meaning when you establish PPP (PPPoE?)
to your ISP, you really have another ethernet card (eth3?) connected to the Speedtouch? First, as someone else pointed out, the eth1/eth2 connections to the EN5861 are redundant. You can set up interface aliases on eth1 so it has both IP addresses. % ip addr add 217.x.196.217/29 brd 217.x.196.223 dev eth1 % ip addr add 217.x.196.218/29 brd 217.x.196.223 dev eth1 label eth1:0 PPP is set up similarly. (PPPoE might configure ppp0 for you.) % ip addr add 217.x.230.198/29 brd 217.x.230.199 dev ppp0 % ip addr add 217.x.230.193/29 brd 217.x.230.199 dev ppp0 label ppp0:0 You can continue to add as many aliases to either interface as you like. Your problem then becomes load-balancing outbound traffic, because you have two potential default routes. One is the PPPoE connection via the Speedtouch (the remote IP is probably the DSL concentrator at your ISP). The other is the EN5861 on 217.x.196.222/29 (which in turn is probably talking to the same DSL concentrator as the Speedtouch). The simplest approach (aside from defaulting everything out one interface, which you probably don't want) is to policy route based on source IP. If the source IP of a packet as it leaves the Linux router is 217.x.196.x/29, the packet should get routed via eth1 to the EN5861. If the source is 217.x.230.x/29, it should be routed via ppp0 to the Speedpath. There are examples of this in the LARTC HOWTO. How you want to set up your NAT for eth0 to take advantage of one connection or the other is up to you. 
-James _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ From adamt@commspeed.net Tue Jul 6 18:02:36 2004 From: adamt@commspeed.net (Adam Towarnyckyj) Date: Tue, 6 Jul 2004 10:02:36 -0700 Subject: [LARTC] TC Hashing Filters In-Reply-To: Message-ID: <02dd01c4637b$0a2b8cd0$903113d8@uranus> zoop@lone.ath.cx wrote: >> # Create filter to hash out last octet and link to hash table 2: >> tc filter add dev eth1 protocol ip parent 1:1 prio 5 u32 ht >>800:: match ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2: > > >I think this needs to be attached to the root. >parent 1:0 Catalin BOIE (util@deuroconsult.ro) wrote: >> # Create root qdisc >> tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 200Mbit avpkt 1000 >> # Create a "transit class" >> tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 200Mbit >> rate 200Mbit allot 1514 weight 2Mbit prio 8 maxburst 10 avpkt 1000 >> # Create hash table attached to transit class >> tc filter add dev eth1 parent 1:0 handle 2: protocol ip u32 divisor 256 >> # Create filter to hash out last octet and link to hash table 2: >> tc filter add dev eth1 protocol ip parent 1:1 prio 5 u32 ht >> 800:: match ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2: >> # Create class for 128Kbit limit >> tc class add dev eth1 parent 1:0 classid 1:2 cbq bandwidth > >I think here is parent 1:1, right? > >> 200Mbit rate 128kbit allot 1514 prio 5 maxburst 20 avpkt 1000 bounded >> # Create filter for IP I'm limiting >> tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:8c >> match ip src 216.19.49.140 flowid 1:2 I have tried both of your suggestions and it is still allowing all traffic to pass through. Thank you for the help though. 
Here is what I have now: # Create root qdisc tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 200Mbit avpkt 1000 # Create transit class tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 200Mbit rate 200Mbit allot 1514 weight 2Mbit prio 8 maxburst 10 avpkt 1000 # Create hash table and attach to transit class tc filter add dev eth1 parent 1:1 handle 2: protocol ip u32 divisor 256 # Create filter to hash out last octet and link to hash table 2: tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 800:: match ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2: # Create class for 128Kbit limit tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 200Mbit rate 128kbit allot 1514 prio 5 maxburst 20 avpkt 1000 bounded # Create filter for IP I'm limiting tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:8c match ip src 216.19.49.140 flowid 1:2 If anyone can still see anything I'm doing wrong, I'd appreciate it if you pointed it out. I've tried many different scenarios with different parents and they still don't work. And as for the question earlier about if I was doing this for an ISP, yes I am. If you would like some help, and if I can get this to work, I plan on writing a How To and posting it to a website so people can easily set this up themselves. I find the lack of documentation on the subject quite frustrating at times. Thanks all for your help. Adam Towarnyckyj From wdwrn@friendlycity.net Tue Jul 6 18:37:04 2004 From: wdwrn@friendlycity.net (Walt Wyndroski) Date: Tue, 6 Jul 2004 13:37:04 -0400 Subject: [LARTC] Simply IMQ References: <20030325160701.19589.85494.Mailman@outpost.ds9a.nl> <003a01c4635f$f4cc9e30$0201a8c0@jabbacom.net> <000c01c46366$5bcde250$030aa8c0@t> Message-ID: <007501c4637f$da837060$0201a8c0@jabbacom.net> So you are saying that I do not need to patch my kernel? I do not understand that statement. I had to recompile my kernel with the imq patch as well as iptables before IMQ would work for me. 
The way I have always understood IMQ is that it is a virtual network device, a virtual network card if you will. Therefore it seems to me that egress would apply since iptables is only being used to redirect traffic through the virtual IMQ device. IPROUTE2/TC would then shape traffic leaving the virutal IMQ device (egress traffic). This is how I understand IMQ. If I am wrong, please set me straight. >From what you are saying, either IMQ is completely unstable or iptables and/or the tcp/ip stack is unstable. Not that I am a guru on the internals of iptables or the Linux tcp/ip stack, but I think iptables and the Linux tcp/ip stack is most likely stable. To be fair, I must admit that I have not had a full opportunity to test out your version of IMQ either, only the prior versions. Who's version of IMQ resides on www.linuximq.org ? Walt Wyndroski ----- Original Message ----- From: "Roy" To: "Walt Wyndroski" ; Sent: Tuesday, July 06, 2004 10:34 AM Subject: Re: [LARTC] Simply IMQ > Probably I was the last one who changed imq code. > so here is are the facts: > Basicaly all imq versions are usefull under aproriate condition, whis is do > not touch localy generated traffic. > ingress nad egress terms are not correct for imq, because it is iptables > module, not nic. > Just my version hooks on different iptables hooks, and simply ignores all > local generated traffic. It cant be crashed with incorrect rules. > basicaly only advantage of my version is nore clean way to hook on iptables, > code is same for 2.4 and 2.6 kernels, and no need to patch, stability should > be same on both kernels. > Now it is hard to say why imq crash, because crashes occur in various places > not related to this module, it seems like memory leak, but does not like imq > can have such bug. I suppose there is somethisng wrong with iptables or tcp > code itself, since imq does big mess with packets by droping and reordering > then alot. 
> > Anyway imq does not work as I expected, basicaly all forward shaping is > quite hard, I was trying to make tcp traffic predictor because else it is > too late. > It must be sart enough to work I need to adjust predictor delay, and packets > size. what makes it quite hard to implement. > > > > ----- Original Message ----- > From: "Walt Wyndroski" > To: > Sent: Tuesday, July 06, 2004 4:48 PM > Subject: [LARTC] Simply IMQ > > > > I've followed this list for quite a long time and have even > > posted a couple > > of times. I used the early versions of IMQ from Devik (I think that was > his > > name), and it worked well. I only ever got the chance to implement it in > my > > test environment. I now need to implement it in my production environment. > > My Linux core router has nine interfaces and has a 27 megabit connection > to > > the internet. It is quite busy much of the time. It runs Fedora Core 1 now > > but will most likely be upgraded to Fedora Core 2 in the next month or so. > > > > Now with all that said, here is my question. I see that maintenance of IMQ > > has been passed on a couple of times. I see some people say that IMQ is > not > > stable and should not be put into a production environment. My use of IMQ > a > > year ago invovled only egress qdiscs using HTB and SFQ because the egress > > qdiscs were much more powerful and better than the ingress qdisc. The only > > problem that I ever had with IMQ was using the iptables target with both > > PREROUTING and POSTROUTING. I see Roy has posted that IMQ essentially > > crashes when doing egress shaping. Is this correct? I've always understood > > egress as outbound shaping/filtering and ingress as inbound > > shaping/filtering. I say that because I saw in an earlier post by Roy that > > he changed his terminology to INPUT,OUTPUT, and FORWARD. Was he not using > > the terms egress and ingress correctly? I see that the current 'big' > problem > > is touching locally generated traffic. 
What I need to know is which > version > > of IMQ is most stable for kernel 2.6? Or even kernel2.4? Is it Devera's? > > McHardy's? Correa's? or Roy's? Or should I just leave it alone? My > apologies > > if I got names wrong. > > > > This is probably a long email just to ask that question, but I can't seem > to > > find an answer from the list archives. I downloaded the whole 46 mb > archive > > and essentially read 90% of the posts related to IMQ. I'm just trying to > get > > a good understanding of what's happening with/to IMQ. > > > > Thank you in advance for any advice. > > > > Walt Wyndroski > > > > _______________________________________________ > > LARTC mailing list / LARTC@mailman.ds9a.nl > > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > > > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ From manish@tuxspace.com Tue Jul 6 19:01:58 2004 From: manish@tuxspace.com (Manish Kathuria) Date: Tue, 06 Jul 2004 23:31:58 +0530 Subject: [LARTC] Squid - Load Balancing Multihomed Linux Router Message-ID: <40EAE916.4070300@tuxspace.com> Hi All, In a scenario, where a LAN is being provided internet connectivity through multiple ISPs terminated at a Load Balanced Multihomed Linux Router as described in LARTC HowTo, how would the traffic distribution affected if there is a squid based transparent proxy for the LAN's web traffic on the same system (i.e. the load balanced router itself). The recent squid versions have an option of setting multiple values for "outgoing_tcp_address" depending upon various ACL rules. Its also possible to not specify any IP address for this parameter so that it takes the outtgoing address on its own. But how would the proxy server behave in case of 2 or more outgoing internet links ? Has someone tried out something similar ? 
What will happen if this transparent proxy server is on a different system within the LAN itself ? Would the traffic distribution between multiple ISPs be affected since the entire web traffic would appear to originate from a single LAN IP (the IP address of the proxy server) ? Thank you in advance for your comments. - Manish From adamt@commspeed.net Tue Jul 6 19:08:14 2004 From: adamt@commspeed.net (Adam Towarnyckyj) Date: Tue, 6 Jul 2004 11:08:14 -0700 Subject: [LARTC] TC Hashing Filters In-Reply-To: <02dd01c4637b$0a2b8cd0$903113d8@uranus> Message-ID: <02e001c46384$351ca880$903113d8@uranus> ----Original Message---- ># Create root qdisc >tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 200Mbit avpkt 1000 > ># Create transit class >tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 200Mbit rate >200Mbit allot 1514 weight 2Mbit prio 8 maxburst 10 avpkt 1000 > ># Create hash table and attach to transit class >tc filter add dev eth1 parent 1:1 handle 2: protocol ip u32 divisor 256 > ># Create filter to hash out last octet and link to hash table 2: >tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 800:: match >ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2: > ># Create class for 128Kbit limit >tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 200Mbit rate >128kbit allot 1514 prio 5 maxburst 20 avpkt 1000 bounded > ># Create filter for IP I'm limiting >tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:8c match >ip src 216.19.49.140 flowid 1:2 I messed with this a bit more before finally just giving up for today. I looked at Gideon's example he posted to this list in the past (http://mailman.ds9a.nl/pipermail/lartc/2003q2/008516.html) and copied it character by character except I changed the ethernet device it was attached to and the IP addresses he was using. 
Here's what I came up with: tc qdisc add dev eth1 root handle 1: htb tc class add dev eth1 parent 1: classid 1:2 htb rate 100MBit ceil 100MBit burst 0Kbit tc filter add dev eth1 parent 1:2 handle 2: protocol ip u32 divisor 256 tc filter add dev eth1 protocol ip parent 1: u32 match ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2: tc class add dev eth1 parent 1:2 classid 1:3 htb rate 64Kbit ceil 64Kbit burst 0Kbit tc filter add dev eth1 protocol ip parent 1:2 u32 ht 2:8c: match ip src 216.19.49.140 flowid 1:3 I even tried changing the src to dst and this still does not work. Gideon, if you are out there somewhere, I'd appreciate it if you could tell me if this actually worked for you. This is the most frustrating project I have ever had to deal with because it makes so much sense and in theory it looks like it should be working just fine. Anyways, thanks for everyone's help. If anyone has any other ideas, I welcome them. Adam Towarnyckyj From andre.correa@pobox.com Tue Jul 6 19:07:26 2004 From: andre.correa@pobox.com (Andre Correa) Date: Tue, 06 Jul 2004 15:07:26 -0300 Subject: [LARTC] Simply IMQ In-Reply-To: <003a01c4635f$f4cc9e30$0201a8c0@jabbacom.net> References: <20030325160701.19589.85494.Mailman@outpost.ds9a.nl> <003a01c4635f$f4cc9e30$0201a8c0@jabbacom.net> Message-ID: <40EAEA5E.8000707@pobox.com> Hi Walt, I'm the "Correa" from your list. In fact www.linuximq.net is a project from a group of people, not just me, who are working on: Devera->McHardy IMQ's code that was unmantained and now is alive again. We can tell you that there is a lot of people in our mailling list who reports using IMQ in production, including myself, with great stability. My server is up for more then 160 days with around 100 PPPoE users on it all the time. I run it on other shapping servers as well. We've eing working on IMQ last months and now there are stable versions for 2.4 and 2.6 kernels (up to 2.6.7), and one beta version being tested. 
In your scenario you better get the stable versions: Patch for Linux-2.6.1 up to 2.6.7 - http://www.linuximq.net/patchs/linux-2.6.2-imq-4.diff Patch for Linux-2.4.24 / 2.4.25 / 2.4.26 - http://www.linuximq.net/patchs/linux-2.4.26-imq.diff Patch for iptables up to 1.2.11 - http://www.linuximq.net/patchs/iptables-1.2.9-imq1.diff I don't know if someone used IMQ in a 27Mbps link but it is worth trying. I would like to invite you to visit our site at www.linuximq.net and join our low traffic mailling list. If you ever decide to give our beta patch a try, it has some corrections and implementations as follows: - Correction of ipv6 support "+"s issue (Hasso Tepper) - Correction of imq_init_devs() issue that resulted in kernel OOPS unloading IMQ as module (Norbert Buchmuller) - Addition of functionality to choose number of IMQ devices during kernel config (Andre Correa) - Addition of functionality to choose how IMQ hooks on PRE and POSTROUTING (after or before NAT) (Andre Correa) - Cosmetic corrections (Norbert Buchmuller) (Andre Correa) Please let us know if we can help you somehow. Good Luck! Andre Walt Wyndroski wrote: > I've followed this list for quite a long time and have even posted a couple > of times. I used the early versions of IMQ from Devik (I think that was his > name), and it worked well. I only ever got the chance to implement it in my > test environment. I now need to implement it in my production environment. > My Linux core router has nine interfaces and has a 27 megabit connection to > the internet. It is quite busy much of the time. It runs Fedora Core 1 now > but will most likely be upgraded to Fedora Core 2 in the next month or so. > > Now with all that said, here is my question. I see that maintenance of IMQ > has been passed on a couple of times. I see some people say that IMQ is not > stable and should not be put into a production environment. 
My use of IMQ a > year ago invovled only egress qdiscs using HTB and SFQ because the egress > qdiscs were much more powerful and better than the ingress qdisc. The only > problem that I ever had with IMQ was using the iptables target with both > PREROUTING and POSTROUTING. I see Roy has posted that IMQ essentially > crashes when doing egress shaping. Is this correct? I've always understood > egress as outbound shaping/filtering and ingress as inbound > shaping/filtering. I say that because I saw in an earlier post by Roy that > he changed his terminology to INPUT,OUTPUT, and FORWARD. Was he not using > the terms egress and ingress correctly? I see that the current 'big' problem > is touching locally generated traffic. What I need to know is which version > of IMQ is most stable for kernel 2.6? Or even kernel2.4? Is it Devera's? > McHardy's? Correa's? or Roy's? Or should I just leave it alone? My apologies > if I got names wrong. > > This is probably a long email just to ask that question, but I can't seem to > find an answer from the list archives. I downloaded the whole 46 mb archive > and essentially read 90% of the posts related to IMQ. I'm just trying to get > a good understanding of what's happening with/to IMQ. > > Thank you in advance for any advice. > > Walt Wyndroski > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > > From andre.correa@pobox.com Tue Jul 6 19:23:21 2004 From: andre.correa@pobox.com (Andre Correa) Date: Tue, 06 Jul 2004 15:23:21 -0300 Subject: [LARTC] Simply IMQ In-Reply-To: <007501c4637f$da837060$0201a8c0@jabbacom.net> References: <20030325160701.19589.85494.Mailman@outpost.ds9a.nl> <003a01c4635f$f4cc9e30$0201a8c0@jabbacom.net> <000c01c46366$5bcde250$030aa8c0@t> <007501c4637f$da837060$0201a8c0@jabbacom.net> Message-ID: <40EAEE19.3070406@pobox.com> Walt, www.linuximq.net version is the evolution from Devik->McHardy's IMQ. 
Roy started a project where he developed his own implementation of IMQ like functionality. I can't tell you more about his version because I never had a chance to give it a try. The IMQ version from www.linuximq.net that comes from the original IMQ implementation really needs patching the kernel and iptables sources. Andre Walt Wyndroski wrote: > So you are saying that I do not need to patch my kernel? I do not understand > that statement. I had to recompile my kernel with the imq patch as well as > iptables before IMQ would work for me. The way I have always understood IMQ > is that it is a virtual network device, a virtual network card if you will. > Therefore it seems to me that egress would apply since iptables is only > being used to redirect traffic through the virtual IMQ device. IPROUTE2/TC > would then shape traffic leaving the virutal IMQ device (egress traffic). > This is how I understand IMQ. If I am wrong, please set me straight. > >>From what you are saying, either IMQ is completely unstable or iptables > and/or the tcp/ip stack is unstable. Not that I am a guru on the internals > of iptables or the Linux tcp/ip stack, but I think iptables and the Linux > tcp/ip stack is most likely stable. To be fair, I must admit that I have not > had a full opportunity to test out your version of IMQ either, only the > prior versions. > > Who's version of IMQ resides on www.linuximq.org ? > > Walt Wyndroski > > > ----- Original Message ----- > From: "Roy" > To: "Walt Wyndroski" ; > Sent: Tuesday, July 06, 2004 10:34 AM > Subject: Re: [LARTC] Simply IMQ > > > >>Probably I was the last one who changed imq code. >>so here is are the facts: >>Basicaly all imq versions are usefull under aproriate condition, whis is > > do > >>not touch localy generated traffic. >>ingress nad egress terms are not correct for imq, because it is iptables >>module, not nic. >>Just my version hooks on different iptables hooks, and simply ignores all >>local generated traffic. 
It cant be crashed with incorrect rules. >>basicaly only advantage of my version is nore clean way to hook on > > iptables, > >>code is same for 2.4 and 2.6 kernels, and no need to patch, stability > > should > >>be same on both kernels. >>Now it is hard to say why imq crash, because crashes occur in various > > places > >>not related to this module, it seems like memory leak, but does not like > > imq > >>can have such bug. I suppose there is somethisng wrong with iptables or > > tcp > >>code itself, since imq does big mess with packets by droping and > > reordering > >>then alot. >> >>Anyway imq does not work as I expected, basicaly all forward shaping is >>quite hard, I was trying to make tcp traffic predictor because else it is >>too late. >>It must be sart enough to work I need to adjust predictor delay, and > > packets > >>size. what makes it quite hard to implement. >> >> >> >>----- Original Message ----- >>From: "Walt Wyndroski" >>To: >>Sent: Tuesday, July 06, 2004 4:48 PM >>Subject: [LARTC] Simply IMQ >> >> >> >>>I've followed this list for quite a long time and have even >>>posted a couple >>>of times. I used the early versions of IMQ from Devik (I think that was >> >>his >> >>>name), and it worked well. I only ever got the chance to implement it in >> >>my >> >>>test environment. I now need to implement it in my production > > environment. > >>>My Linux core router has nine interfaces and has a 27 megabit connection >> >>to >> >>>the internet. It is quite busy much of the time. It runs Fedora Core 1 > > now > >>>but will most likely be upgraded to Fedora Core 2 in the next month or > > so. > >>>Now with all that said, here is my question. I see that maintenance of > > IMQ > >>>has been passed on a couple of times. I see some people say that IMQ is >> >>not >> >>>stable and should not be put into a production environment. 
My use of > > IMQ > >>a >> >>>year ago invovled only egress qdiscs using HTB and SFQ because the > > egress > >>>qdiscs were much more powerful and better than the ingress qdisc. The > > only > >>>problem that I ever had with IMQ was using the iptables target with both >>>PREROUTING and POSTROUTING. I see Roy has posted that IMQ essentially >>>crashes when doing egress shaping. Is this correct? I've always > > understood > >>>egress as outbound shaping/filtering and ingress as inbound >>>shaping/filtering. I say that because I saw in an earlier post by Roy > > that > >>>he changed his terminology to INPUT,OUTPUT, and FORWARD. Was he not > > using > >>>the terms egress and ingress correctly? I see that the current 'big' >> >>problem >> >>>is touching locally generated traffic. What I need to know is which >> >>version >> >>>of IMQ is most stable for kernel 2.6? Or even kernel2.4? Is it Devera's? >>>McHardy's? Correa's? or Roy's? Or should I just leave it alone? My >> >>apologies >> >>>if I got names wrong. >>> >>>This is probably a long email just to ask that question, but I can't > > seem > >>to >> >>>find an answer from the list archives. I downloaded the whole 46 mb >> >>archive >> >>>and essentially read 90% of the posts related to IMQ. I'm just trying to >> >>get >> >>>a good understanding of what's happening with/to IMQ. >>> >>>Thank you in advance for any advice. 
>>> >>>Walt Wyndroski >>> >>>_______________________________________________ >>>LARTC mailing list / LARTC@mailman.ds9a.nl >>>http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ >>> >> >>_______________________________________________ >>LARTC mailing list / LARTC@mailman.ds9a.nl >>http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > > From duda@icatu.com.br Tue Jul 6 19:19:15 2004 From: duda@icatu.com.br (Eduardo Ferreira) Date: Tue, 6 Jul 2004 15:19:15 -0300 Subject: [*] Re: [LARTC] Squid - Load Balancing Multihomed Linux Router In-Reply-To: <40EAE916.4070300@tuxspace.com> Message-ID: Manish wrote on 06/07/2004 15:01:58: > [...]. But how would the proxy server > behave in case of 2 or more outgoing internet links ? Has someone tried > out something similar ? You will have problems with sites that keep track of IP addresses for session validation. Some sites will end the session if they receive a request from a different IP than the one that initiated the browsing. This occurs mainly in banks and other ssl connections. Here, I use an iptables mangle rule to mark tcp/443 packets and an ip rule to direct marked packets to one fixed link. > Thank you in advance for your comments. > > - Manish > ________________________ Eduardo Ferreira Icatu Holding S.A. Supervisor de TI (5521) 3804-8606
From JPolache@texasmutual.com Tue Jul 6 20:04:41 2004 From: JPolache@texasmutual.com (Jonathan S. Polacheck) Date: Tue, 6 Jul 2004 14:04:41 -0500 Subject: [LARTC] Can the mailing list archive be searched? Message-ID: It says the list has been "picked up" by google, but I can't find any reference to "lartc". A search on "traffic control" and "advanced routing" returned these groups: comp.os.linux.networking fr.comp.os.linux.configuration hun.lists.mlf.linux comp.os.linux.security From zoop@lone.ath.cx Tue Jul 6 20:16:28 2004 From: zoop@lone.ath.cx (zoop@lone.ath.cx) Date: Tue, 06 Jul 2004 19:16:28 +0000 Subject: [LARTC] TC Hashing Filters Message-ID: <20040706.x3w.14188900@www.djrance.com> The reason I asked about if you were doing this for an ISP is that I wrote an app to track IPs and the bandwidths associated with them, and it will generate the TC commands for you. It uses HTB though. Adam Towarnyckyj (adamt@commspeed.net) wrote: > >zoop@lone.ath.cx wrote: >>> # Create filter to hash out last octet and link to hash table 2: >>> tc filter add dev eth1 protocol ip parent 1:1 prio 5 u32 ht >>>800:: match ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link >2: >> >> >>I think this needs to be attached to the root. 
>>parent 1:0 > >Catalin BOIE (util@deuroconsult.ro) wrote: >>> # Create root qdisc >>> tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 200Mbit >avpkt 1000 >>> # Create a "transit class" >>> tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth >200Mbit >>> rate 200Mbit allot 1514 weight 2Mbit prio 8 maxburst 10 avpkt 1000 >>> # Create hash table attached to transit class >>> tc filter add dev eth1 parent 1:0 handle 2: protocol ip u32 >divisor 256 >>> # Create filter to hash out last octet and link to hash table 2: >>> tc filter add dev eth1 protocol ip parent 1:1 prio 5 u32 ht >>> 800:: match ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link >2: >>> # Create class for 128Kbit limit >>> tc class add dev eth1 parent 1:0 classid 1:2 cbq bandwidth >> >>I think here is parent 1:1, right? >> >>> 200Mbit rate 128kbit allot 1514 prio 5 maxburst 20 avpkt 1000 bounded >>> # Create filter for IP I'm limiting >>> tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:8c > >>> match ip src 216.19.49.140 flowid 1:2 > > > I have tried both of your suggestions and it is still allowing >all traffic to pass through. Thank you for the help though. 
Here is what >I have now: > ># Create root qdisc >tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 200Mbit avpkt 1000 > ># Create transit class >tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 200Mbit rate >200Mbit allot 1514 weight 2Mbit prio 8 maxburst 10 avpkt 1000 > ># Create hash table and attach to transit class >tc filter add dev eth1 parent 1:1 handle 2: protocol ip u32 divisor 256 > ># Create filter to hash out last octet and link to hash table 2: >tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 800:: match >ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2: > ># Create class for 128Kbit limit >tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 200Mbit rate >128kbit allot 1514 prio 5 maxburst 20 avpkt 1000 bounded > ># Create filter for IP I'm limiting >tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:8c match >ip src 216.19.49.140 flowid 1:2 > > If anyone can still see anything I'm doing wrong, I'd appreciate >it if you pointed it out. I've tried many different scenarios with >different parents and they still don't work. And as for the question >earlier about if I was doing this for an ISP, yes I am. If you would >like some help, and if I can get this to work, I plan on writing a How >To and posting it to a website so people can easily set this up >themselves. I find the lack of documentation on the subject quite >frustrating at times. Thanks all for your help. > >Adam Towarnyckyj > >_______________________________________________ >LARTC mailing list / LARTC@mailman.ds9a.nl >http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > -- When dealing with a slow pipe, never underestimate the throughput of the postal system. 
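As an added example (not zoop's generator and not Adam's or Gideon's configuration), the script below emits the HTB classes and the u32 hash-table filter set for a list of per-IP rates, keeping the hash table, the filter that links to it and every per-IP entry on the root qdisc (parent 1:0, same prio) the way the LARTC HOWTO's hashing example does. The interface, link rate and customer list are assumed values, and the commands are printed rather than executed so it runs without root or a real interface.

```shell
#!/bin/sh
# Added example: generate the HTB + u32 hash-table command set for one /24.
# All filters (the hash table, the link filter and the per-IP entries) hang
# off parent 1:0 with the same prio, as in the LARTC HOWTO hashing section.
# Commands are printed; set TC_RUN=1 to pass them to the real tc binary.

DEV="${DEV:-eth1}"                 # assumed interface
LINK_RATE="${LINK_RATE:-100mbit}"  # assumed uplink rate for the parent class
SUBNET="216.19.49.0/24"            # the /24 from the thread
HT=2                               # u32 hash table id, 256 buckets

# Constructed customer list: one "IP rate" pair per line (made-up values).
CUSTOMERS='
216.19.49.140 64kbit
216.19.49.17 128kbit
216.19.49.200 256kbit
'

# Print the tc command line, or run it when TC_RUN=1.
emit() {
    if [ "${TC_RUN:-0}" = "1" ]; then
        tc "$@"
    else
        printf 'tc %s\n' "$*"
    fi
}

# u32_bucket IP: with "hashkey mask 0x000000ff at 12" and "divisor 256" the
# u32 classifier indexes the table by the last octet of the source address,
# so the bucket id is that octet in hex (216.19.49.140 -> 8c).  A malformed
# octet returns 1 instead of silently landing in bucket 0.
u32_bucket() {
    case "$1" in
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    last="${1##*.}"
    case "$last" in
        0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;
        *) return 1 ;;   # empty, non-numeric or leading-zero octet
    esac
    [ "$last" -le 255 ] || return 1
    printf '%x' "$last"
}

# per_ip_filter IP MINOR: the leaf entry for one customer.  "ht 2:8c:"
# (trailing colon) names bucket 0x8c of table 2; flowid 1:MINOR sends the
# match to that customer's class.
per_ip_filter() {
    bucket=$(u32_bucket "$1") || return 1
    emit filter add dev "$DEV" protocol ip parent 1:0 prio 5 u32 \
        ht "$HT:$bucket:" match ip src "$1" flowid "1:$2"
}

# Root qdisc, parent class, the 256-bucket hash table and the filter that
# hashes the last source octet into it.  Everything is attached to 1:0.
setup_root() {
    emit qdisc add dev "$DEV" root handle 1: htb
    emit class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK_RATE"
    emit filter add dev "$DEV" parent 1:0 prio 5 handle "$HT:" protocol ip u32 divisor 256
    emit filter add dev "$DEV" protocol ip parent 1:0 prio 5 u32 ht 800:: \
        match ip src "$SUBNET" hashkey mask 0x000000ff at 12 link "$HT:"
}

# One capped class per customer (rate == ceil) followed by its leaf filter.
# Class minors start at 1:10 so they never collide with the parent 1:1.
gen_customers() {
    minor=10
    printf '%s\n' "$CUSTOMERS" | while read -r ip rate; do
        [ -n "$ip" ] || continue
        if ! u32_bucket "$ip" >/dev/null; then
            printf 'skipping malformed address: %s\n' "$ip" >&2
            continue
        fi
        emit class add dev "$DEV" parent 1:1 classid "1:$minor" htb rate "$rate" ceil "$rate"
        per_ip_filter "$ip" "$minor"
        minor=$((minor + 1))
    done
}

setup_root
gen_customers
```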
From zoop@lone.ath.cx Tue Jul 6 20:14:51 2004 From: zoop@lone.ath.cx (zoop@lone.ath.cx) Date: Tue, 06 Jul 2004 19:14:51 +0000 Subject: [LARTC] TC Hashing Filters Message-ID: <20040706.CF9.96726200@www.djrance.com> Adam Towarnyckyj (adamt@commspeed.net) wrote: > >----Original Message---- >># Create root qdisc >>tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 200Mbit avpkt 1000 >> >># Create transit class >>tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 200Mbit rate >>200Mbit allot 1514 weight 2Mbit prio 8 maxburst 10 avpkt 1000 >> >># Create hash table and attach to transit class >>tc filter add dev eth1 parent 1:1 handle 2: protocol ip u32 divisor 256 >> >># Create filter to hash out last octet and link to hash table 2: >>tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 800:: match >>ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2: >> >># Create class for 128Kbit limit >>tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 200Mbit rate >>128kbit allot 1514 prio 5 maxburst 20 avpkt 1000 bounded >> >># Create filter for IP I'm limiting >>tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:8c match >>ip src 216.19.49.140 flowid 1:2 > >I messed with this a bit more before finally just giving up for today. I >looked at Gideon's example he posted to this list in the past >(http://mailman.ds9a.nl/pipermail/lartc/2003q2/008516.html) and copied >it character by character except I changed the ethernet device it was >attached to and the IP addresses he was using. Here's what I came up >with: > >tc qdisc add dev eth1 root handle 1: htb > >tc class add dev eth1 parent 1: classid 1:2 htb rate 100MBit ceil >100MBit burst 0Kbit > Here the filter parents should be root not 1:2. I think in the howto it says that all filters should be attached to root. I'll get my box up that I have doing this to give you a working example. 
>tc filter add dev eth1 parent 1:2 handle 2: protocol ip u32 divisor 256
>
>tc filter add dev eth1 protocol ip parent 1: u32 match ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2:
>
>tc class add dev eth1 parent 1:2 classid 1:3 htb rate 64Kbit ceil 64Kbit burst 0Kbit
>
>tc filter add dev eth1 protocol ip parent 1:2 u32 ht 2:8c: match ip src 216.19.49.140 flowid 1:3
>
>I even tried changing the src to dst and this still does not work. Gideon, if you are out there somewhere, I'd appreciate it if you could tell me if this actually worked for you. This is the most frustrating project I have ever had to deal with because it makes so much sense and in theory it looks like it should be working just fine. Anyways, thanks for everyone's help. If anyone has any other ideas, I welcome them.
>
>Adam Towarnyckyj
>

--
When dealing with a slow pipe, never underestimate the throughput of the postal system.

From wdwrn@friendlycity.net Tue Jul 6 20:31:51 2004
From: wdwrn@friendlycity.net (Walt Wyndroski)
Date: Tue, 6 Jul 2004 15:31:51 -0400
Subject: [LARTC] Simply IMQ
References: <20030325160701.19589.85494.Mailman@outpost.ds9a.nl> <003a01c4635f$f4cc9e30$0201a8c0@jabbacom.net> <40EAEA5E.8000707@pobox.com>
Message-ID: <00b701c4638f$e3114710$0201a8c0@jabbacom.net>

Actually, I do have a question concerning Fedora Core 2, iptables-1.2.9 and above, and IMQ. The problem is as follows:

I easily got IMQ compiled into the 2.6.6 kernel on FC2. I'm using iptables-1.2.9. I could not get iptables-1.2.9 to recompile. I kept getting errors about using glibc headers instead. I found a patch for the iptables Makefile which fixed that. However, the shared library (libipt_IMQ.so) would never get created.

Is something wrong with the kernel headers from the Fedora kernel-sourcecode rpm?
I realize that this is not entirely related to the LARTC list.

Regards,

Walt Wyndroski

----- Original Message -----
From: "Andre Correa"
To: "Walt Wyndroski"
Cc:
Sent: Tuesday, July 06, 2004 2:07 PM
Subject: Re: [LARTC] Simply IMQ

>
> Hi Walt, I'm the "Correa" from your list. In fact www.linuximq.net is a project from a group of people, not just me, who are working on: Devera->McHardy IMQ's code that was unmaintained and now is alive again.
>
> We can tell you that there are a lot of people in our mailing list who report using IMQ in production, including myself, with great stability. My server is up for more than 160 days with around 100 PPPoE users on it all the time. I run it on other shaping servers as well.
>
> We've been working on IMQ in the last months and now there are stable versions for 2.4 and 2.6 kernels (up to 2.6.7), and one beta version being tested. In your scenario you'd better get the stable versions:
>
> Patch for Linux-2.6.1 up to 2.6.7 -
> http://www.linuximq.net/patchs/linux-2.6.2-imq-4.diff
>
> Patch for Linux-2.4.24 / 2.4.25 / 2.4.26 -
> http://www.linuximq.net/patchs/linux-2.4.26-imq.diff
>
> Patch for iptables up to 1.2.11 -
> http://www.linuximq.net/patchs/iptables-1.2.9-imq1.diff
>
> I don't know if someone used IMQ in a 27Mbps link but it is worth trying. I would like to invite you to visit our site at www.linuximq.net and join our low traffic mailing list.
>
> If you ever decide to give our beta patch a try, it has some corrections and implementations as follows:
>
> - Correction of ipv6 support "+"s issue (Hasso Tepper)
> - Correction of imq_init_devs() issue that resulted in kernel OOPS unloading IMQ as module (Norbert Buchmuller)
> - Addition of functionality to choose number of IMQ devices during kernel config (Andre Correa)
> - Addition of functionality to choose how IMQ hooks on PRE and POSTROUTING (after or before NAT) (Andre Correa)
> - Cosmetic corrections (Norbert Buchmuller) (Andre Correa)
>
>
> Please let us know if we can help you somehow.
>
> Good Luck!
>
> Andre
>
>
>
> Walt Wyndroski wrote:
> > I've followed this list for quite a long time and have even posted a couple of times. I used the early versions of IMQ from Devik (I think that was his name), and it worked well. I only ever got the chance to implement it in my test environment. I now need to implement it in my production environment. My Linux core router has nine interfaces and has a 27 megabit connection to the internet. It is quite busy much of the time. It runs Fedora Core 1 now but will most likely be upgraded to Fedora Core 2 in the next month or so.
> >
> > Now with all that said, here is my question. I see that maintenance of IMQ has been passed on a couple of times. I see some people say that IMQ is not stable and should not be put into a production environment. My use of IMQ a year ago involved only egress qdiscs using HTB and SFQ because the egress qdiscs were much more powerful and better than the ingress qdisc. The only problem that I ever had with IMQ was using the iptables target with both PREROUTING and POSTROUTING. I see Roy has posted that IMQ essentially crashes when doing egress shaping. Is this correct? I've always understood egress as outbound shaping/filtering and ingress as inbound shaping/filtering.
> > I say that because I saw in an earlier post by Roy that he changed his terminology to INPUT, OUTPUT, and FORWARD. Was he not using the terms egress and ingress correctly? I see that the current 'big' problem is touching locally generated traffic. What I need to know is which version of IMQ is most stable for kernel 2.6? Or even kernel 2.4? Is it Devera's? McHardy's? Correa's? or Roy's? Or should I just leave it alone? My apologies if I got names wrong.
> >
> > This is probably a long email just to ask that question, but I can't seem to find an answer from the list archives. I downloaded the whole 46 mb archive and essentially read 90% of the posts related to IMQ. I'm just trying to get a good understanding of what's happening with/to IMQ.
> >
> > Thank you in advance for any advice.
> >
> > Walt Wyndroski
> >

From wdwrn@friendlycity.net Tue Jul 6 20:33:54 2004
From: wdwrn@friendlycity.net (Walt Wyndroski)
Date: Tue, 6 Jul 2004 15:33:54 -0400
Subject: [LARTC] Can the mailing list archive be searched?
References:
Message-ID: <00c301c46390$2c3110b0$0201a8c0@jabbacom.net>

I actually downloaded the entire archive in mbox format. I then imported it into Evolution. Evolution has good searching capabilities and will also let you sort the mail in a thread context making it easy to follow.

Walt Wyndroski

----- Original Message -----
From: "Jonathan S. Polacheck"
To:
Sent: Tuesday, July 06, 2004 3:04 PM
Subject: [LARTC] Can the mailing list archive be searched?

>
> It says the list has been "picked up" by google, but I can't find any reference to "lartc".
> A search on "traffic control" and "advanced routing" returned these groups;
>
> comp.os.linux.networking
> fr.comp.os.linux.configuration
> hun.lists.mlf.linux
> comp.os.linux.security
>

From wdwrn@friendlycity.net Tue Jul 6 20:36:00 2004
From: wdwrn@friendlycity.net (Walt Wyndroski)
Date: Tue, 6 Jul 2004 15:36:00 -0400
Subject: [LARTC] TC Hashing Filters
References: <20040706.x3w.14188900@www.djrance.com>
Message-ID: <00cd01c46390$777c6ce0$0201a8c0@jabbacom.net>

Where can I find that app? I would like to evaluate it for my site.

Regards,

Walt Wyndroski

----- Original Message -----
From:
To: "Adam Towarnyckyj" ;
Sent: Tuesday, July 06, 2004 3:16 PM
Subject: RE: [LARTC] TC Hashing Filters

> The reason I asked about if you were doing this for an ISP is that I wrote an app to track IP's and the bandwidths associated with them, and it will generate the TC commands for you. It uses HTB though.
>
> Adam Towarnyckyj (adamt@commspeed.net) wrote:
> >
> >zoop@lone.ath.cx wrote:
> >>> # Create filter to hash out last octet and link to hash table 2:
> >>> tc filter add dev eth1 protocol ip parent 1:1 prio 5 u32 ht 800:: match ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2:
> >>
> >>
> >>I think this needs to be attached to the root.
> >>parent 1:0
> >
> >Catalin BOIE (util@deuroconsult.ro) wrote:
> >>> # Create root qdisc
> >>> tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 200Mbit avpkt 1000
> >>> # Create a "transit class"
> >>> tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 200Mbit rate 200Mbit allot 1514 weight 2Mbit prio 8 maxburst 10 avpkt 1000
> >>> # Create hash table attached to transit class
> >>> tc filter add dev eth1 parent 1:0 handle 2: protocol ip u32 divisor 256
> >>> # Create filter to hash out last octet and link to hash table 2:
> >>> tc filter add dev eth1 protocol ip parent 1:1 prio 5 u32 ht 800:: match ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2:
> >>> # Create class for 128Kbit limit
> >>> tc class add dev eth1 parent 1:0 classid 1:2 cbq bandwidth
> >>
> >>I think here is parent 1:1, right?
> >>
> >>> 200Mbit rate 128kbit allot 1514 prio 5 maxburst 20 avpkt 1000 bounded
> >>> # Create filter for IP I'm limiting
> >>> tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:8c match ip src 216.19.49.140 flowid 1:2
> >
> >
> > I have tried both of your suggestions and it is still allowing all traffic to pass through. Thank you for the help though.
> > Here is what I have now:
> >
> ># Create root qdisc
> >tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 200Mbit avpkt 1000
> >
> ># Create transit class
> >tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 200Mbit rate 200Mbit allot 1514 weight 2Mbit prio 8 maxburst 10 avpkt 1000
> >
> ># Create hash table and attach to transit class
> >tc filter add dev eth1 parent 1:1 handle 2: protocol ip u32 divisor 256
> >
> ># Create filter to hash out last octet and link to hash table 2:
> >tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 800:: match ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2:
> >
> ># Create class for 128Kbit limit
> >tc class add dev eth1 parent 1:1 classid 1:2 cbq bandwidth 200Mbit rate 128kbit allot 1514 prio 5 maxburst 20 avpkt 1000 bounded
> >
> ># Create filter for IP I'm limiting
> >tc filter add dev eth1 protocol ip parent 1:0 prio 5 u32 ht 2:8c match ip src 216.19.49.140 flowid 1:2
> >
> > If anyone can still see anything I'm doing wrong, I'd appreciate it if you pointed it out. I've tried many different scenarios with different parents and they still don't work. And as for the question earlier about if I was doing this for an ISP, yes I am. If you would like some help, and if I can get this to work, I plan on writing a How To and posting it to a website so people can easily set this up themselves. I find the lack of documentation on the subject quite frustrating at times. Thanks all for your help.
> >
> >Adam Towarnyckyj
> >
>
> --
> When dealing with a slow pipe, never underestimate the throughput of the postal system.
>

From andre.correa@pobox.com Tue Jul 6 20:43:47 2004
From: andre.correa@pobox.com (Andre Correa)
Date: Tue, 06 Jul 2004 16:43:47 -0300
Subject: [LARTC] Simply IMQ
In-Reply-To: <00b701c4638f$e3114710$0201a8c0@jabbacom.net>
References: <20030325160701.19589.85494.Mailman@outpost.ds9a.nl> <003a01c4635f$f4cc9e30$0201a8c0@jabbacom.net> <40EAEA5E.8000707@pobox.com> <00b701c4638f$e3114710$0201a8c0@jabbacom.net>
Message-ID: <40EB00F3.905@pobox.com>

Walt,

I cannot tell you about Fedora, I'm not a user of it. I would suggest you ask it on the IMQ mailing list. Maybe there is somebody using Fedora there who can help. If you find nothing please send me in pvt exactly what were your steps and the error messages you got on the way.

Andre

Walt Wyndroski wrote:
> Actually, I do have a question concerning Fedora Core 2, iptables-1.2.9 and above, and IMQ. The problem is as follows:
>
> I easily got IMQ compiled into the 2.6.6 kernel on FC2. I'm using iptables-1.2.9. I could not get iptables-1.2.9 to recompile. I kept getting errors about using glibc headers instead. I found a patch for the iptables Makefile which fixed that. However, the shared library (libipt_IMQ.so) would never get created.
>
> Is something wrong with the kernel headers from the Fedora kernel-sourcecode rpm?
>
> I realize that this is not entirely related to the LARTC list.
>
> Regards,
>
> Walt Wyndroski
>
> ----- Original Message -----
> From: "Andre Correa"
> To: "Walt Wyndroski"
> Cc:
> Sent: Tuesday, July 06, 2004 2:07 PM
> Subject: Re: [LARTC] Simply IMQ
>
>
>>Hi Walt, I'm the "Correa" from your list. In fact www.linuximq.net is a project from a group of people, not just me, who are working on: Devera->McHardy IMQ's code that was unmaintained and now is alive again.
>>
>>We can tell you that there are a lot of people in our mailing list who report using IMQ in production, including myself, with great stability. My server is up for more than 160 days with around 100 PPPoE users on it all the time. I run it on other shaping servers as well.
>>
>>We've been working on IMQ in the last months and now there are stable versions for 2.4 and 2.6 kernels (up to 2.6.7), and one beta version being tested. In your scenario you'd better get the stable versions:
>>
>>Patch for Linux-2.6.1 up to 2.6.7 -
>>http://www.linuximq.net/patchs/linux-2.6.2-imq-4.diff
>>
>>Patch for Linux-2.4.24 / 2.4.25 / 2.4.26 -
>>http://www.linuximq.net/patchs/linux-2.4.26-imq.diff
>>
>>Patch for iptables up to 1.2.11 -
>>http://www.linuximq.net/patchs/iptables-1.2.9-imq1.diff
>>
>>I don't know if someone used IMQ in a 27Mbps link but it is worth trying. I would like to invite you to visit our site at www.linuximq.net and join our low traffic mailing list.
>>
>>If you ever decide to give our beta patch a try, it has some corrections and implementations as follows:
>>
>>- Correction of ipv6 support "+"s issue (Hasso Tepper)
>>- Correction of imq_init_devs() issue that resulted in kernel OOPS unloading IMQ as module (Norbert Buchmuller)
>>- Addition of functionality to choose number of IMQ devices during kernel config (Andre Correa)
>>- Addition of functionality to choose how IMQ hooks on PRE and POSTROUTING (after or before NAT) (Andre Correa)
>>- Cosmetic corrections (Norbert Buchmuller) (Andre Correa)
>>
>>
>>Please let us know if we can help you somehow.
>>
>>Good Luck!
>>
>>Andre
>>
>>
>>
>>Walt Wyndroski wrote:
>>
>>>I've followed this list for quite a long time and have even posted a couple of times. I used the early versions of IMQ from Devik (I think that was his name), and it worked well. I only ever got the chance to implement it in my test environment. I now need to implement it in my production environment.
>>>My Linux core router has nine interfaces and has a 27 megabit connection to the internet. It is quite busy much of the time. It runs Fedora Core 1 now but will most likely be upgraded to Fedora Core 2 in the next month or so.
>>>Now with all that said, here is my question. I see that maintenance of IMQ has been passed on a couple of times. I see some people say that IMQ is not stable and should not be put into a production environment. My use of IMQ a year ago involved only egress qdiscs using HTB and SFQ because the egress qdiscs were much more powerful and better than the ingress qdisc. The only problem that I ever had with IMQ was using the iptables target with both PREROUTING and POSTROUTING. I see Roy has posted that IMQ essentially crashes when doing egress shaping. Is this correct? I've always understood egress as outbound shaping/filtering and ingress as inbound shaping/filtering. I say that because I saw in an earlier post by Roy that he changed his terminology to INPUT, OUTPUT, and FORWARD. Was he not using the terms egress and ingress correctly? I see that the current 'big' problem is touching locally generated traffic. What I need to know is which version of IMQ is most stable for kernel 2.6? Or even kernel 2.4? Is it Devera's? McHardy's? Correa's? or Roy's? Or should I just leave it alone? My apologies if I got names wrong.
>>>
>>>This is probably a long email just to ask that question, but I can't seem to find an answer from the list archives. I downloaded the whole 46 mb archive and essentially read 90% of the posts related to IMQ. I'm just trying to get a good understanding of what's happening with/to IMQ.
>>>
>>>Thank you in advance for any advice.
>>>
>>>Walt Wyndroski
>>>
>>>
>>
>
>

From lartc@nospam.otaku42.de Tue Jul 6 20:16:38 2004
From: lartc@nospam.otaku42.de (Michael Renzmann)
Date: Tue, 06 Jul 2004 21:16:38 +0200
Subject: [LARTC] Can the mailing list archive be searched?
In-Reply-To:
References:
Message-ID: <40EAFA96.1000804@otaku42.de>

Hi.

You might want to try the search functionality provided for the archive hosted on gmane.org: http://news.gmane.org/gmane.linux.network.routing

Bye Mike

From adamt@commspeed.net Tue Jul 6 21:16:38 2004
From: adamt@commspeed.net (Adam Towarnyckyj)
Date: Tue, 6 Jul 2004 13:16:38 -0700
Subject: [LARTC] TC Hashing Filters
In-Reply-To: <20040706.CF9.96726200@www.djrance.com>
Message-ID: <02f801c46396$24a27f90$903113d8@uranus>

Ok, I tried this:

tc qdisc add dev eth1 root handle 1: cbq bandwidth 200Mbit avpkt 1000
tc class add dev eth1 parent 1: classid 1:2 cbq bandwidth 200Mbit rate 200MBit allot 1514 weight 2Mbit prio 8 maxburst 20 avpkt 1000
tc filter add dev eth1 parent 1: handle 2: protocol ip u32 divisor 256
tc filter add dev eth1 protocol ip parent 1: u32 match ip src 216.19.49.140/32 hashkey mask 0x000000ff at 12 link 2:
tc class add dev eth1 parent 1:2 classid 1:3 cbq bandwidth 200Mbit rate 128Kbit allot 1514 prio 5 maxburst 20 avpkt 1000 bounded
tc filter add dev eth1 protocol ip parent 1: u32 ht 2:8c: match ip src 216.19.49.140 flowid 1:3

As well as changing the last class parent to 1:

Neither of these worked. As for the app, could I take a look at it?
I'm sure it could be easily modified to use CBQ and if not, I could modify the box to use HTB. I really don't mind either way. I was having a problem patching for HTB and that's why I'm not currently using it. My boss and I wrote a perl script to pull information from a MySql database (rate and customer IP) and plug it in to TC and that's what I was planning on doing this time around only with a few modifications for the hashing tables. I won't start on that though until I can get this up and running. Anyways, thanks for the help.

Adam Towarnyckyj

-----Original Message-----
From: zoop@lone.ath.cx [mailto:zoop@lone.ath.cx]
Sent: Tuesday, July 06, 2004 12:15 PM
To: Adam Towarnyckyj; lartc@mailman.ds9a.nl
Subject: RE: [LARTC] TC Hashing Filters

....

Here the filter parents should be root not 1:2. I think in the howto it says that all filters should be attached to root. I'll get my box up that I have doing this to give you a working example.

>tc filter add dev eth1 parent 1:2 handle 2: protocol ip u32 divisor 256
>
>tc filter add dev eth1 protocol ip parent 1: u32 match ip src 216.19.49.0/24 hashkey mask 0x000000ff at 12 link 2:
>
>tc class add dev eth1 parent 1:2 classid 1:3 htb rate 64Kbit ceil 64Kbit burst 0Kbit
>
>tc filter add dev eth1 protocol ip parent 1:2 u32 ht 2:8c: match ip src 216.19.49.140 flowid 1:3
>
>I even tried changing the src to dst and this still does not work. Gideon, if you are out there somewhere, I'd appreciate it if you could tell me if this actually worked for you. This is the most frustrating project I have ever had to deal with because it makes so much sense and in theory it looks like it should be working just fine. Anyways, thanks for everyone's help. If anyone has any other ideas, I welcome them.
>
>Adam Towarnyckyj

From james+lartc@vincentsystems.com Tue Jul 6 21:16:59 2004
From: james+lartc@vincentsystems.com (James Sneeringer)
Date: Tue, 6 Jul 2004 15:16:59 -0500
Subject: [LARTC] Can the mailing list archive be searched?
In-Reply-To:
References:
Message-ID: <20040706201659.GA20119@valjean.si.ocslink.com>

On Tue, Jul 06, 2004 at 02:04:41PM -0500, Jonathan S. Polacheck wrote:
> It says the list has been "picked up" by google, but I can't find any reference to "lartc".

"Picked up" by Google just means Google is spidering the list archives, so you can do a Google search that is restricted to the archives. For example:

site:mailman.ds9a.nl inurl:lartc imq htb

This will search for "imq" and "htb", but search results are restricted to those from mailman.ds9a.nl (which hosts the archives) which also have "lartc" in the URL.

-James

From adamt@commspeed.net Tue Jul 6 22:15:04 2004
From: adamt@commspeed.net (Adam Towarnyckyj)
Date: Tue, 6 Jul 2004 14:15:04 -0700
Subject: [LARTC] TC Hashing Filters
In-Reply-To: <02f801c46396$24a27f90$903113d8@uranus>
Message-ID: <030001c4639e$4ec173a0$903113d8@uranus>

Gideon was an incredible help with all of this. He solved my little problem I was having. It was such a simple solution and I completely missed it. You see, when I changed the src to dst (which is what I'm trying to accomplish because I'm shaping the download rates of our customers, not upload rates) I forgot that in the IP Header, bit 12 is the source address. Since I was shaping incoming traffic, I want the destination IP. Gideon was so kind to point this out to me. I knew it was something very small and obvious...

So, here are the completed commands that work great for anyone who is attempting to do this themselves. I will also post to this list with this same subject the link to the How To as soon as I get it created.
# Delete current qdisc wiping the slate clean
tc qdisc del dev eth1 root

# Create root qdisc
tc qdisc add dev eth1 root handle 1: cbq bandwidth 200Mbit avpkt 1000

# Create "transit class"
tc class add dev eth1 parent 1: classid 1:2 cbq bandwidth 200Mbit rate 200MBit allot 1514 weight 2Mbit prio 8 maxburst 20 avpkt 1000

# Create hash tables (256)
tc filter add dev eth1 parent 1: handle 2: protocol ip u32 divisor 256

# Create hash filter to separate traffic going TO 216.19.49.0/24 using the last octet
tc filter add dev eth1 protocol ip parent 1: u32 match ip dst 216.19.49.0/24 hashkey mask 0x000000ff at 16 link 2:

# Create the 128Kbit class for limiting
tc class add dev eth1 parent 1: classid 1:3 cbq bandwidth 200Mbit rate 128Kbit allot 1514 prio 5 maxburst 20 avpkt 1000 bounded

# Filter per IP into the hash tables
tc filter add dev eth1 protocol ip parent 1: u32 ht 2:8c: match ip dst 216.19.49.140 flowid 1:3

(Note: The last filter will need to be done for each IP you want to limit. Also note that you can create multiple classes for different rates you would like to limit. You'll just need to point the last filter's flowid to that class)

Thanks, once again, to everyone for their help and the pointing out of my obvious mistakes. If anyone has any questions about how to do this or anything, please feel free to ask. I'll answer to the best of my abilities.

Adam Towarnyckyj

From lists@wildgooses.com Tue Jul 6 22:25:46 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Tue, 06 Jul 2004 22:25:46 +0100
Subject: [LARTC] TC Hashing Filters
In-Reply-To: <030001c4639e$4ec173a0$903113d8@uranus>
References: <030001c4639e$4ec173a0$903113d8@uranus>
Message-ID: <40EB18DA.6060709@wildgooses.com>

>If anyone has any questions about how to do this or anything, please feel free to ask. I'll answer to the best of my abilities.
>
>

I have one. How much faster does it go now?
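The per-IP filter that Adam's note says must be repeated for every limited address lends itself to a generator; the shell functions below are an added example (not code from the thread or the LARTC HOWTO) that derive the u32 bucket from the address's last octet, the same byte the kernel hashes on with "hashkey mask 0x000000ff at 16", and keep the IPv4 header byte offsets for src (12) and dst (16) in one place. Device eth1, parent 1:, hash table 2: and class 1:3 are the thread's; class 1:4 and the customer list are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the per-customer u32 hash
# filters that Adam's working command set needs, one "ht 2:<bucket>:" line
# per IP, deriving the bucket the same way the kernel hashes the packet:
# the last octet of the address selected by "hashkey mask 0x000000ff at 16".
# Device, parent, hash table handle and class 1:3 are the thread's;
# class 1:4 and the customer list at the bottom are constructed sample data.

DEV=eth1
PARENT=1:
HT=2        # hash table created with "handle 2: protocol ip u32 divisor 256"

# Byte offset of the address inside the IPv4 header: 12 for the source
# address, 16 for the destination (the detail the thread turned on).
addr_offset() {
    case "$1" in
        src) echo 12 ;;
        dst) echo 16 ;;
        *)   echo "addr_offset: expected src or dst, got '$1'" >&2; return 1 ;;
    esac
}

# Last octet of a dotted-quad address as a two-digit lowercase hex bucket id.
# 216.19.49.140 -> 8c, which is why the working filter reads "ht 2:8c:".
u32_bucket() {
    printf '%02x' "${1##*.}"
}

# Hash filter that spreads a /24 over the 256 buckets of table $HT,
# keyed on the last octet of the src or dst address.
link_filter() {
    off=$(addr_offset "$1") || return 1
    printf 'tc filter add dev %s protocol ip parent %s u32 match ip %s %s hashkey mask 0x000000ff at %s link %s:\n' \
        "$DEV" "$PARENT" "$1" "$2" "$off" "$HT"
}

# Per-customer filter: match the full address inside its bucket and steer
# the flow to the class that carries that customer's rate limit.
ip_filter() {
    printf 'tc filter add dev %s protocol ip parent %s u32 ht %s:%s: match ip %s %s flowid %s\n' \
        "$DEV" "$PARENT" "$HT" "$(u32_bucket "$2")" "$1" "$2" "$3"
}

# Whole filter set for a list of "ip classid" pairs read from stdin
# (the shape a MySQL export like the one Adam mentions would have).
gen_filters() {
    link_filter "$1" "$2" || return 1
    while read -r ip classid; do
        if [ -n "$ip" ]; then
            ip_filter "$1" "$ip" "$classid"
        fi
    done
}

# Constructed sample: two customers on the thread's 128Kbit class 1:3 and
# one on a hypothetical second class 1:4 (create it before applying this).
gen_filters dst 216.19.49.0/24 <<'EOF'
216.19.49.140 1:3
216.19.49.17 1:3
216.19.49.200 1:4
EOF
```

Passing src instead of dst reproduces the earlier, upload-side variant of the filters with offset 12.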
From util@deuroconsult.ro Wed Jul 7 07:39:34 2004
From: util@deuroconsult.ro (Catalin BOIE)
Date: Wed, 7 Jul 2004 09:39:34 +0300 (EEST)
Subject: [LARTC] Re: [PATCH 2.6] update to network emulation QOS scheduler
In-Reply-To: <1089119090.4260.2.camel@jzny.localdomain>
References: <20040701113312.43cfe6c5@dell_ss3.pdx.osdl.net> <20040702134437.5891e998@dell_ss3.pdx.osdl.net> <1088824432.1043.271.camel@jzny.localdomain> <20040705194925.37b7efcb.davem@redhat.com> <1089119090.4260.2.camel@jzny.localdomain>
Message-ID:

On Tue, 6 Jul 2004, jamal wrote:

> On Mon, 2004-07-05 at 22:49, David S. Miller wrote:
>> I'm going to hold off on Stephen's patches until Jamal and he has a chance to fight it out :-)
>
> Actually I would be fine with it if Stephen gets rid of the new "rate" thing.

I expect that duplicates of packets will not be going to sch_netem, right? I'm asking because I have a patch pending.

Thank you.

>
> cheers,
> jamal
>

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

From util@deuroconsult.ro Wed Jul 7 08:01:30 2004
From: util@deuroconsult.ro (Catalin BOIE)
Date: Wed, 7 Jul 2004 10:01:30 +0300 (EEST)
Subject: [LARTC] Re: [PATCH 2.6] update to network emulation QOS scheduler
In-Reply-To: <1089164179.1039.26.camel@jzny.localdomain>
References: <20040701113312.43cfe6c5@dell_ss3.pdx.osdl.net> <20040702134437.5891e998@dell_ss3.pdx.osdl.net> <1088824432.1043.271.camel@jzny.localdomain> <20040706090906.4ff6fb73@dell_ss3.pdx.osdl.net> <1089164179.1039.26.camel@jzny.localdomain>
Message-ID:

On Wed, 6 Jul 2004, jamal wrote:

> On Tue, 2004-07-06 at 12:09, Stephen Hemminger wrote:
>
>> Your examples made me think about this more. The netfilter seems best suited to things that affect the flow of packets (dropping, reordering, even corrupting), and the qdisc seems best when the timing needs to change.
>
> Some of the attributes you are trying to control need queueing; no doubt the best spot to do queueing is on a qdisc.
> Delays, and reordering for example are ideal. Rate control as well fits here. There are other qdiscs which have done a really good job at rate control hence my argument against you doing it - you will either not do a better job at it or if you do a good job you will be replicating what they already did; just stash your qdisc in another qdisc which can do a good rate control job (CBQ, TBF, HFSC, HTB) - we are flexible enough in Linux.
>
> Depending on where you want to do things, netfilter may be a good candidate (example IP protocol) or things that don't need queueing. The examples I gave are more powerful than anything netfilter can do at the moment though with only caveat there's only two "hooks".
>
>> The limit match in netfilter is not the same as the rate in the qdisc. The netem scheduler acts as if the link is a slow fixed rate. The netfilter limit is usually targeted to drop packets over the rate which is not the same. Reordering is also hard without going out to a user log or building a custom target.
>
> Not sure what the netfilter limit target is - I suspect it's something that limits based on a group of flows. You can still do that with a fwmark at the qdisc level. Reordering needs a queue. Even the example I gave uses a queue that resides on the dummy device.
>
>> So, you have convinced me that loss is unnecessary but not the rate, or delay. If we can figure out how to do re-ordering with netfilter then that could go too, which would make it possible to use a layered qdisc again.
>
> I think keep the reordering aspect of it unless it is very complex. The delay is a must. If you can add configurable jitter to it that would be a big bonus. Keep the randomization. Duplication, dropping, bit error injection, and rate control are the ones I didn't see belonging there mostly because they can be done better elsewhere.
> Again this is just opinion, if you think that there's no complexity in the architecture, by all means keep all those features - my recommendation is to pick a few things that will work well and implement them well.
>
> cheers,
> jamal

I suggest to keep duplication because:
1. Adds 5-10 lines of code and no complexity
2. It's very easy to use it attached directly to a device.

Thank you.

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

From raptor@tvskat.net Wed Jul 7 09:52:00 2004
From: raptor@tvskat.net (raptor@tvskat.net)
Date: Wed, 7 Jul 2004 11:52:00 +0300
Subject: [LARTC] ala gateway problems
Message-ID: <20040707115200.60d2aaea@bugs>

hi,

I have a very annoying problem.. First a simple diagram:

x.x.1.0/24 -----------------|
x.x.2.0/24 -----------------|---- (gw: eth0: x.x.1.1 eth1: x.x.2.1 eth1: x.x.3.1) ----> x.x.3.0/24
           -----------------|

now I have two machines x.x.3.10 (2.4 kernel) and x.x.3.11 (2.6 kernel) AND they are in the same LAN (physical net) but as you see in different IP (logical) nets. As I look at the traffic with tcpdump and iftop the path is the following (e.g. let's take host at address x.x.1.5 and destination x.x.3.10):

x.x.1.5 ----> gw:x.x.1.1 ----> x.x.3.10 ---> x.x.1.5

take into account the gateway on the return path is not used (remember they are on the same LAN), which is what I want...

Now I have deployed a new server with a 2.6 kernel, all other routing tables, ifconfig is the same.. but now the path of the packets is:

x.x.1.5 ----> gw:x.x.1.1 ----> x.x.3.11 ---> gw:x.x.3.1? ---> x.x.1.5

Now I want the first behavior, but have no CLUE what is different, is there some option to set or what ?!! The second behavior is not suitable 'cause if there wasn't qos on the gateway it will not be able to handle the traffic...

One of my thoughts is this has to be something with ARP.. 'cause I don't see arp entries on the new machine ...
# arp -n | wc -l
3

on the old one there is:

# arp -n | wc -l
105

both are contacted from many hosts... much more than 3 !! ?? ANY IDEA ?? tia

From chilek@chilan.com Wed Jul 7 12:23:19 2004
From: chilek@chilan.com (Tomasz Chilinski)
Date: Wed, 7 Jul 2004 13:23:19 +0200
Subject: [LARTC] connmark+connbytes
Message-ID: <20040707112022.M2815@chilan.com>

Hello!

Maybe someone needs connmark and connbytes working together? See attached file compatible with pom-ng-20040621 (I called it connmarkbytes :)).

Kind Regards,
Tomasz Chilinski

Content-Type: application/x-tbz; name="pom-ng-connmarkbytes.tar.bz2"
Content-Disposition: attachment; filename="pom-ng-connmarkbytes.tar.bz2"
Content-Transfer-Encoding: base64
From Reema.Bangar@nokia.com Wed Jul 7 14:41:22 2004 From: Reema.Bangar@nokia.com (Reema.Bangar@nokia.com) Date: Wed, 7 Jul 2004 21:41:22 +0800 Subject: [LARTC] HTB Packet Scheduling for Linux 2.4.14 kernel Message-ID:

Hi All, Can I backport 2.4.20 kernel version's HTB related changes to 2.4.14 ? Will this work w/o any issues ? Please consider this urgent and reply asap. Thanks in advance, Reema.
From anilkg@gmail.com Wed Jul 7 15:52:55 2004 From: anilkg@gmail.com (Anil Kumar) Date: Wed, 7 Jul 2004 20:22:55 +0530 Subject: [LARTC] ESFQ patch problem In-Reply-To: <3045e25d040707073350db08a2@mail.gmail.com> References: <20040707141616.31476.67883.Mailman@outpost.ds9a.nl> <3045e25d040707073350db08a2@mail.gmail.com> Message-ID: <3045e25d0407070752538ac34d@mail.gmail.com>

I applied the esfq patch to the kernel, then I applied iproute2-2.2.4-now-ss001007-esfq.diff to patch the iproute2 (tc utility, iproute2-ss010824) source: http://www.ssi.bg/~alex/esfq/ But whenever I try to add the esfq qdisc with parameters it says it does not know the qdisc, i.e. esfq.

tc qdisc add dev eth0 parent 1:13 handle 13: esfq perturb 34 quantum 1514 depth 25 divisor 23 limit 34534 hash src
Unknown qdisc "esfq", hence option "perturb" is unparsable

but if I do not specify any parameters, i.e.

tc qdisc add dev eth0 parent 1:13 handle 13: sfq perturb 3
qdisc esfq 13: [Unknown qdisc, optlen=24]

is added. Is there some incompatibility between kernel and tc utility ? I am working in a customized kernel with minimum functionality (embedded applications). Is something missing?

From shemminger@osdl.org Wed Jul 7 19:10:55 2004 From: shemminger@osdl.org (Stephen Hemminger) Date: Wed, 7 Jul 2004 11:10:55 -0700 Subject: [LARTC] Re: [PATCH 2.6] update to network emulation QOS scheduler In-Reply-To: <1088824432.1043.271.camel@jzny.localdomain> References: <20040701113312.43cfe6c5@dell_ss3.pdx.osdl.net> <20040702134437.5891e998@dell_ss3.pdx.osdl.net> <1088824432.1043.271.camel@jzny.localdomain> Message-ID: <20040707111055.32ebb25b@dell_ss3.pdx.osdl.net>

Ok, I'll bite how would you do: Rate limit packet egress on an ethernet device (eth0) so it looks like a slow DSL link (25 Kbps) by not dropping packets but by pacing the data.
From shemminger@osdl.org Wed Jul 7 21:58:31 2004 From: shemminger@osdl.org (Stephen Hemminger) Date: Wed, 7 Jul 2004 13:58:31 -0700 Subject: [LARTC] Re: [PATCH 2.6] update to network emulation QOS scheduler In-Reply-To: <1089226667.1027.411.camel@jzny.localdomain> References: <20040701113312.43cfe6c5@dell_ss3.pdx.osdl.net> <20040702134437.5891e998@dell_ss3.pdx.osdl.net> <1088824432.1043.271.camel@jzny.localdomain> <20040707111055.32ebb25b@dell_ss3.pdx.osdl.net> <1089226667.1027.411.camel@jzny.localdomain> Message-ID: <20040707135831.4c98dd51@dell_ss3.pdx.osdl.net>

On 07 Jul 2004 14:57:48 -0400 jamal wrote:
> I seem to have hit the jackpot - all my emails to netdev are showing
> up and on time too.
>
> On Wed, 2004-07-07 at 14:10, Stephen Hemminger wrote:
> > Ok, I'll bite how would you do:
> >
> > Rate limit packet egress on an ethernet device (eth0) so it looks like a slow DSL link (25 Kbps)
> > by not dropping packets but by pacing the data.
>
> Doesn't TBF work?
> rate 25kbit burst 90k should probably do it. Maybe i misunderstood the
> question.

TBF works but since the sender (on the same local machine) may go over its allocation, it will drop packets. For example, if I use tbf to simulate a slow 33k bits/sec link then the TCP test never completes, it just hangs! TBF does work for intermediate sizes. But if I use the pacing simulation it works.

> You may be able to avoid dropping but don't think you can guarantee it
> simply because you have finite buffers. At some point you will congest
> that queue and packets will be dropped; and if you don't limit your queue
> buffer size, sooner than later you are bound to hog all the system
> memory.

I understand that, every queue has to have a limit.

> Having said that, i have never seen a good argument for why pacing
> traffic vs dropping to initiate a slowdown is better than the other.
> So in that case, a policer/meter should suffice.
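The pacing-versus-dropping argument in the exchange above, as an added example that is not code from the list, from Stephen Hemminger or from the kernel: a small model of a tc tbf queue, run with jamal's "rate 25kbit burst 90k" beside a small-bucket configuration, to show why a large burst lets a whole chunk of data leave unpaced while a small bucket paces the flow but drops whatever exceeds "limit". The names Tbf, simulate_tbf, summarize and sender_burst are this example's own; it assumes no peakrate/mtu bucket, no link-layer overhead, and a bucket that starts full.

```python
"""Model of a tc 'tbf' queue: pace to 'rate', lend up to 'burst' bytes of
credit, queue at most 'limit' bytes, drop the rest.  Added example with
hypothetical names; simplifications: no peakrate/mtu bucket, no link-layer
overhead, bucket starts full.  Times are seconds, sizes are bytes."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Tbf:
    rate_bps: float  # tc 'rate' in bit/s (tc's kbit is 1000 bit)
    burst: int       # tc 'burst': bucket size in bytes
    limit: int       # tc 'limit': bytes allowed to wait for tokens


Packet = Tuple[float, int]          # (arrival time, size)
Sent = Tuple[float, float, int]     # (arrival, departure, size)
Dropped = Tuple[float, int, str]    # (arrival, size, reason)


def simulate_tbf(packets: List[Packet], cfg: Tbf) -> Tuple[List[Sent], List[Dropped]]:
    """Replay packets (in arrival order) through the token bucket and return
    (sent, dropped).  A packet leaves as soon as the bucket holds its size in
    tokens and its predecessor has left; otherwise it waits in the FIFO."""
    rate = cfg.rate_bps / 8.0         # token refill in bytes per second
    tokens = float(cfg.burst)
    clock = 0.0                       # time at which 'tokens' is valid
    prev_dep = 0.0                    # FIFO order: no overtaking
    sent: List[Sent] = []
    dropped: List[Dropped] = []
    for arrival, size in packets:
        if size > cfg.burst:
            # the bucket can never hold enough tokens for this packet
            dropped.append((arrival, size, "larger than burst"))
            continue
        backlog = sum(s for _, dep, s in sent if dep > arrival)
        if backlog + size > cfg.limit:
            # the drop the thread argues about: the sender exceeded 'limit'
            dropped.append((arrival, size, "queue limit"))
            continue
        t0 = max(arrival, prev_dep)
        tokens = min(float(cfg.burst), tokens + rate * (t0 - clock))
        if tokens >= size:
            dep = t0                              # enough credit: leaves unpaced
        else:
            dep = t0 + (size - tokens) / rate     # wait for the missing tokens
            tokens = float(size)
        tokens -= size
        clock = prev_dep = dep
        sent.append((arrival, dep, size))
    return sent, dropped


def summarize(sent: List[Sent], dropped: List[Dropped]) -> Dict[str, float]:
    """What a practitioner checks: drops, worst queueing delay, drain time."""
    delays = [dep - arr for arr, dep, _ in sent]
    return {
        "sent": len(sent),
        "dropped": len(dropped),
        "max_delay_s": max(delays, default=0.0),
        "last_departure_s": max((dep for _, dep, _ in sent), default=0.0),
    }


def sender_burst(count: int, size: int = 1500, at: float = 0.0) -> List[Packet]:
    """Constructed input: a sender that hands 'count' full-size frames to the
    qdisc at once, i.e. far above the 25 kbit/s it is meant to see."""
    return [(at, size) for _ in range(count)]


if __name__ == "__main__":
    frames = sender_burst(60)                      # 90 kB offered at t=0
    # 'rate 25kbit burst 90k': the whole 90 kB leaves at t=0, nothing is paced
    print("burst 90k :", summarize(*simulate_tbf(frames, Tbf(25_000, 90_000, 90_000))))
    # two frames of burst: strict pacing at 1500 B / 3125 B/s = 0.48 s per frame,
    # but only 'limit' bytes may wait, so the rest of the burst is dropped
    print("burst 3000:", summarize(*simulate_tbf(frames, Tbf(25_000, 3_000, 15_000))))
```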
From shemminger@osdl.org Wed Jul 7 22:22:16 2004 From: shemminger@osdl.org (Stephen Hemminger) Date: Wed, 7 Jul 2004 14:22:16 -0700 Subject: [LARTC] Re: [PATCH 2.6] update to network emulation QOS scheduler In-Reply-To: <1089234699.1026.448.camel@jzny.localdomain> References: <20040701113312.43cfe6c5@dell_ss3.pdx.osdl.net> <20040702134437.5891e998@dell_ss3.pdx.osdl.net> <1088824432.1043.271.camel@jzny.localdomain> <20040707111055.32ebb25b@dell_ss3.pdx.osdl.net> <1089226667.1027.411.camel@jzny.localdomain> <20040707135831.4c98dd51@dell_ss3.pdx.osdl.net> <1089234699.1026.448.camel@jzny.localdomain> Message-ID: <20040707142216.7c9763c3@dell_ss3.pdx.osdl.net>

On 07 Jul 2004 17:11:39 -0400 jamal wrote:
> On Wed, 2004-07-07 at 16:58, Stephen Hemminger wrote:
>
> > TBF works but since the sender (on the same local machine) may go over
> > its allocation, it will drop packets.
>
> As should any queue that gets congested.
>
> > For example, if I use tbf to simulate a slow 33k bits/sec link then
> > TCP test never
> > completes, it just hangs! TBF does work for intermediate sizes.
> >
> > But if I use the pacing simulation it works.
>
> I am not sure i follow; is this because of the return code from the
> enqueue?

Actually, the problem only occurs if burst is set large (like 2mb). I think it gets stuck waiting for that much data.

From Glen.Mabey@usu.edu Wed Jul 7 23:00:01 2004 From: Glen.Mabey@usu.edu (Glen Mabey) Date: Wed, 7 Jul 2004 16:00:01 -0600 Subject: [LARTC] tutorial for Julian Anastasov's patches Message-ID: <20040707220001.GA22765@mabeys.dsl.aros.net>

I'm sure that I had found (and printed out ...) a really good tutorial that explains how to use Julian Anastasov's routing patch, but I can't seem to find it now. Any pointers?

--
Glen W. Mabey Glen.Mabey@usu.edu http://mabeys.homelinux.com/glen/

From nemo-h@po.ntts.co.jp Thu Jul 8 09:34:46 2004 From: nemo-h@po.ntts.co.jp (Hideaki Nemoto) Date: Thu, 08 Jul 2004 17:34:46 +0900 Subject: [LARTC] Reclassifing with the filters Message-ID: <20040708171522.4AF0.NEMO-H@po.ntts.co.jp>

Hi all, Is the reclassify function useful for really reclassifying ? I couldn't find any samples or documents about this function. I want to pick a packet that's over a specific rate, and reclassify that to an arbitrary class that I specify. I've tested with the ingress filter, but it didn't work. (the script below in the ingress, and a simple qdisc, class structure at the egress)

=====================From Here=========================
# tc qdisc add dev eth1 handle ffff: ingress
# tc filter add dev eth1 parent ffff: protocol ip prio 1 \
    u32 match ip src 192.168.48.10 \
    match ip dst 192.168.0.1 \
    match ip dport 5007 0xff \
    police rate 64kbit buffer 1522 reclassify \
    flowid :2
# tc filter add dev eth1 parent ffff: protocol ip prio 2 \
    u32 match ip src 192.168.48.10 \
    match ip dst 192.168.0.1 \
    match ip dport 5007 0xff \
    flowid :1
=======================To Here=========================

I also tried one in the IMQ, with DSMARK qdisc as a parent, where it didn't work. Would anyone give me a clue ? Thanks in advance, Hideaki

From ja@ssi.bg Thu Jul 8 08:04:16 2004 From: ja@ssi.bg (Julian Anastasov) Date: Thu, 8 Jul 2004 10:04:16 +0300 (EEST) Subject: [LARTC] tutorial for Julian Anastasov's patches In-Reply-To: <20040707220001.GA22765@mabeys.dsl.aros.net> References: <20040707220001.GA22765@mabeys.dsl.aros.net> Message-ID:

Hello, On Wed, 7 Jul 2004, Glen Mabey wrote:
> I'm sure that I had found (and printed out ...) a really good tutorial
> that explains how to use Julian Anastasov's routing patch, but I can't
> seem to find it now.
>
> Any pointers?
http://www.ssi.bg/~ja/

Regards
--
Julian Anastasov

From x11@h2o.sky.lt Thu Jul 8 10:40:19 2004 From: x11@h2o.sky.lt (Artūras Šlajus) Date: Thu, 08 Jul 2004 12:40:19 +0300 Subject: [LARTC] connmark+connbytes In-Reply-To: <20040707112022.M2815@chilan.com> References: <20040707112022.M2815@chilan.com> Message-ID: <40ED1683.8090500@h2o.sky.lt>

Tomasz Chilinski wrote:
> Hello!
>
> Maybe someone needs connmark and connbytes working together?
> See attached file compatible with pom-ng-20040621 (I called it
> connmarkbytes :)).

what about submitting it to pom?

From x11@h2o.sky.lt Thu Jul 8 10:39:46 2004 From: x11@h2o.sky.lt (Artūras Šlajus) Date: Thu, 08 Jul 2004 12:39:46 +0300 Subject: [LARTC] tutorial for Julian Anastasov's patches In-Reply-To: <20040707220001.GA22765@mabeys.dsl.aros.net> References: <20040707220001.GA22765@mabeys.dsl.aros.net> Message-ID: <40ED1662.2040700@h2o.sky.lt>

Glen Mabey wrote:
> I'm sure that I had found (and printed out ...) a really good tutorial
> that explains how to use Julian Anastasov's routing patch, but I can't
> seem to find it now.
>
> Any pointers?
>
http://h2o.sky.lt/stuff/docs/nano.txt

always keep a copy :P

From sudheer@svw.com Thu Jul 8 12:30:21 2004 From: sudheer@svw.com (Sudheer Divakaran) Date: Thu, 08 Jul 2004 17:00:21 +0530 Subject: [LARTC] Is Linux based Router feasible Message-ID: <40ED304D.9000107@svw.com>

Hi, I've a local LAN consisting of about 150 machines. I'm using a Linux machine as the gateway machine which in turn connects to two different ISPs. My question is can a Linux based machine match the performance of hardware based routers provided by Cisco,... OR is my decision to go for a Linux based solution a wrong one? Is there so much difference between these two solutions? Can I achieve the same performance using a high end PC and Linux? I'm asking this because one guy told me that my decision to go for a Linux based solution is a wrong one and it can never match the performance of Routers provided by Cisco. Thanks Sudheer

From util@deuroconsult.ro Thu Jul 8 12:42:57 2004 From: util@deuroconsult.ro (Catalin BOIE) Date: Thu, 8 Jul 2004 14:42:57 +0300 (EEST) Subject: [LARTC] Is Linux based Router feasible In-Reply-To: <40ED304D.9000107@svw.com> References: <40ED304D.9000107@svw.com> Message-ID:

> I've a local LAN consisting of about 150 machines. I'm using a Linux machine
> as the gateway machine which in turn connects to two different ISPs. My
> question is can a Linux based machine match the performance of hardware
> based routers provided by Cisco,... OR is my decision to go for a Linux based
> solution a wrong one?
>
> Is there so much difference between these two solutions?
>
> Can I achieve the same performance using a high end PC and Linux?
>
> I'm asking this because one guy told me that my decision to go for a Linux
> based solution is a wrong one and it can never match the performance of
> Routers provided by Cisco.

Go with Linux. You can always come here and ask a question.

> Thanks
> Sudheer
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

---
Catalin(ux aka Dino) BOIE catab at deuroconsult.ro http://kernel.umbrella.ro/

From Jeff_Green@sapiens.co.uk Thu Jul 8 12:53:41 2004 From: Jeff_Green@sapiens.co.uk (Jeff Green) Date: Thu, 8 Jul 2004 12:53:41 +0100 Subject: [LARTC] Is Linux based Router feasible Message-ID: <1B61C6F7F250D711951800065BF1116E11A89C@red-alert-backup.uk.sapiens.int>

Hi Sudheer, In general the answer is yes - but your situation may be different and it depends what you want your "router" to do (YMMV). You need to be prepared to produce a custom kernel / boot image and use the appropriate h/w, etc, for equivalent "uptime". This question has been asked frequently in the Zebra and Quagga lists. I suggest you consult the list archives for h/w and config http://www.quagga.net http://www.zebra.org Regards,

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Sudheer Divakaran
Sent: 08 July 2004 12:30
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Is Linux based Router feasible

Hi, I've a local LAN consisting of about 150 machines. I'm using a Linux machine as the gateway machine which in turn connects to two different ISPs. My question is can a Linux based machine match the performance of hardware based routers provided by Cisco,... OR is my decision to go for a Linux based solution a wrong one? Is there so much difference between these two solutions? Can I achieve the same performance using a high end PC and Linux? I'm asking this because one guy told me that my decision to go for a Linux based solution is a wrong one and it can never match the performance of Routers provided by Cisco. Thanks Sudheer
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

------------------------------------------------------------------------
Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way. Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at networksupport@sapiens.co.uk, if you have received this email in error. Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.
------------------------------------------------------------------------

From ufo_mechanic@hotmail.com Thu Jul 8 13:23:16 2004 From: ufo_mechanic@hotmail.com (Laurence Arabia) Date: Thu, 08 Jul 2004 12:23:16 +0000 Subject: [LARTC] Is Linux based Router feasible Message-ID:

I spent a few years developing routers, just small parts of them. I cannot speak much on protocol implementation.
But just as a point most routers you buy use vxWorks/PSOS as an embedded OS although most that I know now who can afford to do so are moving to embedded linux. They then buy stacks which implement protocols; these stacks, when you go through the source, generally have BSD, GPL licences in the source. So understand that most of the software base has come from open source communities. And I find it to be better written cause the source base has matured. The only thing a company adds is a warranty. IOS is a different kettle of fish, it's very well guarded. But I firmly believe if you investigate your HW well you will get the same results if not better and with more functionality. Which will also stop router companies holding people to ransom because they want their bugs fixed. Stick with linux I suggest.

From Michael 'Moose' Dinn Thu Jul 8 12:59:15 2004 From: Michael 'Moose' Dinn (Michael 'Moose' Dinn) Date: Thu, 8 Jul 2004 08:59:15 -0300 Subject: [LARTC] Is Linux based Router feasible In-Reply-To: References: <40ED304D.9000107@svw.com> Message-ID: <20040708115915.GS22108@blend.twistedpair.ca>

> >I've a local LAN consisting of about 150 machines. I'm using a Linux
> >machine as the gateway machine which in turn connects to two different
> >ISPs. My question is can a Linux based machine match the performance of a

How fast is your internet connection? A Pentium 133 will happily run wire speed for 10M ether, and most places don't have 10M of incoming bandwidth... for reference, we have a Duron 800 running 3 net connections for a total of about 10M with virtually no load.

--
Michael 'Moose' Dinn, Twisted Pair Network Consulting Incorporated dinn@twistedpair.ca // 902 423 4700 (voice) // support@twistedpair.ca

From abz@frogfoot.net Thu Jul 8 13:22:48 2004 From: abz@frogfoot.net (Abraham van der Merwe) Date: Thu, 8 Jul 2004 14:22:48 +0200 Subject: [LARTC] Is Linux based Router feasible In-Reply-To: <40ED304D.9000107@svw.com> References: <40ED304D.9000107@svw.com> Message-ID: <20040708122248.GB24487@oasis.frogfoot.net>

Hi Sudheer

>@2004.07.08_13:30:21_+0200
> I've a local LAN consisting of about 150 machines. I'm using a Linux
> machine as the gateway machine which in turn connects to two different
> ISPs. My question is can a Linux based machine match the performance of
> hardware based routers provided by Cisco,... OR is my decision to go
> for a Linux based solution a wrong one?
>
> Is there so much difference between these two solutions?
>
> Can I achieve the same performance using a high end PC and Linux?
>
> I'm asking this because one guy told me that my decision to go for a
> Linux based solution is a wrong one and it can never match the
> performance of Routers provided by Cisco.

Unless you're talking upper end Cisco/Juniper hardware, even the lowliest PC nowadays will outperform a Cisco router by an order of magnitude. For the kind of load you're talking about, any modern Linux PC will handle the load without breaking a sweat. The only reasons to possibly choose a Cisco/Juniper/other commercial solution are
(a) You need a lot of interfaces (think Cisco 7500)
(b) You need interfaces which are not [well] supported in Linux (E1/E3, ATM, etc)
(c) Features (e.g. better routing/netflow/qos support)

--
Regards Abraham

TODAY the Pond! TOMORROW the World!
-- Frogs (1972)
___________________________________________________
Abraham vd Merwe - Frogfoot Networks CC 1st Floor, Albion Springs, 183 Main Road, Newlands Phone: +27 21 689 3876 Cell: +27 82 565 4451 Http: http://www.frogfoot.net/ Email: abz@frogfoot.net

From sudheer@svw.com Thu Jul 8 13:49:54 2004 From: sudheer@svw.com (Sudheer Divakaran) Date: Thu, 08 Jul 2004 18:19:54 +0530 Subject: [LARTC] Is Linux based Router feasible In-Reply-To: <20040708115915.GS22108@blend.twistedpair.ca> References: <40ED304D.9000107@svw.com> <20040708115915.GS22108@blend.twistedpair.ca> Message-ID: <40ED42F2.3050604@svw.com>

1mbps & 256 kbps :'(

Michael 'Moose' Dinn wrote:
>>>I've a local LAN consisting of about 150 machines. I'm using a Linux
>>>machine as the gateway machine which in turn connects to two different
>>>ISPs. My question is can a Linux based machine match the performance of a
>>>
>
>How fast is your internet connection? A Pentium 133 will happily run wire
>speed for 10M ether, and most places don't have 10M of incoming bandwidth...
>
>for reference, we have a Duron 800 running 3 net connections for a total of
>about 10M with virtually no load.
>

From shurdeek@routehat.org Thu Jul 8 13:24:49 2004 From: shurdeek@routehat.org (Peter Surda) Date: Thu, 8 Jul 2004 14:24:49 +0200 Subject: [LARTC] Is Linux based Router feasible In-Reply-To: <40ED304D.9000107@svw.com> References: <40ED304D.9000107@svw.com> Message-ID: <20040708122449.GC28089@soldats.cb.ac.at>

On Thu, Jul 08, 2004 at 05:00:21PM +0530, Sudheer Divakaran wrote:
> Hi,
Hi.
> I've a local LAN consisting of about 150 machines. I'm using a Linux
> machine as the gateway machine which in turn connects to two different ISPs.
> My question is can a Linux based machine match the performance of hardware
> based routers provided by Cisco,... OR is my decision to go for a Linux
> based solution a wrong one?

Without more information it is difficult to say, but you didn't write what bandwidth it is supposed to route. I have positive experience with 16MBit/s and ~1200 machines (on linux).

> Is there so much difference between these two solutions?

Actually, I think if you don't have really high traffic (say >100MBit/s), or odd connectors, linux is better. I have had very bad experience with Ciscos that didn't support basic things like vlans and bridging (and there was no right IOS to be found), trouble with loadbalancing, and not being able to withstand flooding attacks.

> Can I achieve the same performance using a high end PC and Linux?

I don't think a "high end PC" is necessary. If you only have like ~10MBit/s, a Pentium II should be all you need (heck, even PI if you don't need special gimmicks).

> I'm asking this because one guy told me that my decision to go for a Linux
> based solution is a wrong one and it can never match the performance of
> Routers provided by Cisco.

According to my experience, this is only true with very expensive cisco models and very high bandwidth (Gbit/s range). You can also fsck up linux' performance by crappy ethernet cards and improper software configuration (like iptables chains with 1000s of rules), but an inexperienced admin can fsck up ciscos as well. If you only need a ROUTER, Cisco is a generally good idea. But if you also need a FIREWALL or even more features, it is less so. Go for a specialized linux distribution for routers, there are plenty of them. I won't recommend any, because as an author of one of them I'm obviously biased :-).

> Thanks
> Sudheer

Bye, Peter Surda (Shurdeek) , ICQ 10236103, +436505122023
--
Where do you think you're going today?
From misch@multinet.de Thu Jul 8 13:36:45 2004 From: misch@multinet.de (Michael Schwartzkopff) Date: Thu, 8 Jul 2004 14:36:45 +0200 Subject: [LARTC] Is Linux based Router feasible In-Reply-To: <20040708115915.GS22108@blend.twistedpair.ca> References: <40ED304D.9000107@svw.com> <20040708115915.GS22108@blend.twistedpair.ca> Message-ID: <200407081436.54840.misch@multinet.de>

On Thursday, 8 July 2004 13:59, Michael 'Moose' Dinn wrote:
> > >I've a local LAN consisting of about 150 machines. I'm using a Linux
> > >machine as the gateway machine which in turn connects to two different
> > >ISPs. My question is can a Linux based machine match the performance of
> > > a
>
> How fast is your internet connection? A Pentium 133 will happily run wire
> speed for 10M ether, and most places don't have 10M of incoming
> bandwidth...
>
> for reference, we have a Duron 800 running 3 net connections for a total of
> about 10M with virtually no load.

Well, it depends if you also want to encrypt your traffic (VPN). See
http://www.suse.de/~garloff/linux/FreeSWAN/ for ipsec performance sheets.

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B

From devik@cdi.cz Thu Jul 8 15:36:23 2004 From: devik@cdi.cz (Martin Devera) Date: Thu, 8 Jul 2004 16:36:23 +0200 (CEST) Subject: [LARTC] HTB Packet Scheduling for Linux 2.4.14 kernel In-Reply-To: References: Message-ID:

yes but I'm not sure if RB tree lib is in 2.4.14

On Wed, 7 Jul 2004 Reema.Bangar@nokia.com wrote:
> Hi All,
>
> Can I backport 2.4.20 kernel version's HTB related changes to 2.4.14 ?
> Will this work w/o any issues ?
> Please consider this urgent and reply asap.
>
> Thanks in advance,
> Reema.
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From Gareth.Segree@gleanerjm.com Thu Jul 8 16:42:30 2004 From: Gareth.Segree@gleanerjm.com (Segree, Gareth) Date: Thu, 8 Jul 2004 10:42:30 -0500 Subject: [LARTC] Help with dual internet connection Message-ID: <1198536982594F4E9A8E8D4DA6B64E668276@COMMSRV04.gleanerjm.com>

I have 2 connections to the internet.
1 is an ADSL the other is a 3MB link over satellite.

This is a portion of my firewall script

ip route flush table 3 2> /dev/null
ip rule delete table 3 2> /dev/null
ip route add table 3 127.0.0.0/8 dev lo scope link
ip route add table 3 89.0.0.0/8 dev eth0 scope link
ip rule add fwmark 3 table 3
ip route add table 3 default via $isp2_ip dev eth3
ip route flush cache
iptables -t mangle -A PREROUTING -p tcp -s $ip_set2 --dport $http -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -p tcp --dport $ftp -j MARK --set-mark 3
iptables -t nat -A POSTROUTING -o $isp1_if -j SNAT --to-source $isp1_ip
iptables -t nat -A POSTROUTING -o $isp2_if -j SNAT --to-source $isp2_ip
iptables -A FORWARD -i $lan_if -j ACCEPT
iptables -A INPUT -p ALL -d $isp2_ip -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p ALL -d $isp1_ip1 -m state --state ESTABLISHED,RELATED -j ACCEPT

Http & ftp work fine but if link1 is down only http works. Why is this?
Is there a proper/different way to set up internet access over 2 ISPs?
I need to route mail from the second ISP to my mail server in the DMZ?

Gareth Segree
mailto:Gareth.Segree@gleanerjm.com
Technical Support Analyst
The Gleaner Company Ltd.
7 North Street
Kingston
Tel: 922-3400

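An added example (not Gareth's script, and not a reply from the list) that models the two MARK rules, the fwmark rule and the two routing tables above in Python; $http, $ftp, $ip_set2 and the main-table default are not shown on the page, so the values below are assumed or constructed stand-ins. It shows which link each flow takes, and that a TCP flow to a port neither MARK rule names keeps mark 0 and falls through to the main table, which is where an FTP data connection (a separate TCP connection on a port other than $ftp) ends up.

```python
"""Model of the fwmark policy routing from the script above.

Added example, not the poster's code. The shell variables are not defined on
the page, so the values below are assumed or constructed stand-ins.
"""
import ipaddress
from dataclasses import dataclass

HTTP_PORT = 80                                   # assumed value of $http
FTP_PORT = 21                                    # assumed value of $ftp
IP_SET2 = ipaddress.ip_network("192.0.2.0/24")   # constructed stand-in for $ip_set2
LINK1 = "eth2 via $isp1_ip"                      # assumed: main-table default (ADSL)
LINK2 = "eth3 via $isp2_ip"                      # table 3 default, as in the script


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def mangle_prerouting(pkt: Packet) -> int:
    """Return the fwmark the two PREROUTING MARK rules would set (0 = untouched)."""
    if pkt.proto != "tcp":
        return 0
    if pkt.dport == HTTP_PORT and ipaddress.ip_address(pkt.src) in IP_SET2:
        return 3
    if pkt.dport == FTP_PORT:        # this rule has no -s restriction
        return 3
    return 0


# Routing tables as (prefix, egress) entries; longest prefix wins.
TABLE_3 = [
    ("127.0.0.0/8", "lo"),
    ("89.0.0.0/8", "eth0"),
    ("0.0.0.0/0", LINK2),
]
TABLE_MAIN = [
    ("0.0.0.0/0", LINK1),            # assumed: link1 is the main-table default
]


def lookup(table, dst: str):
    """Longest-prefix match in one table; None when the table has no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return None if best is None else best[1]


def route(pkt: Packet, link1_up: bool = True) -> str:
    """'ip rule add fwmark 3 table 3' first, then the main table, as in the script."""
    egress = lookup(TABLE_3, pkt.dst) if mangle_prerouting(pkt) == 3 else None
    if egress is None:                       # no mark, or no route in table 3
        egress = lookup(TABLE_MAIN, pkt.dst)
    if egress == LINK1 and not link1_up:
        return "unreachable: link1 down"
    return egress


if __name__ == "__main__":
    client = "192.0.2.10"                    # a host inside $ip_set2
    flows = {
        "http": Packet(client, "198.51.100.7", "tcp", HTTP_PORT),
        "ftp control": Packet(client, "198.51.100.7", "tcp", FTP_PORT),
        "ftp data (pasv, high port)": Packet(client, "198.51.100.7", "tcp", 50123),
    }
    for name, pkt in flows.items():
        print(f"{name:28} link1 up: {route(pkt):22} link1 down: {route(pkt, False)}")
```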
From icamargo@unet.edu.ve Thu Jul 8 17:07:57 2004 From: icamargo@unet.edu.ve (José Ildefonso Camargo Tolosa) Date: Thu, 08 Jul 2004 12:07:57 -0400 Subject: [LARTC] Re: LARTC digest, Vol 1 #1809 - 14 msgs In-Reply-To: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> References: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> Message-ID: <40ED715D.8010904@unet.edu.ve>

Hi!

>Message: 5
>Date: Thu, 08 Jul 2004 17:00:21 +0530
>From: Sudheer Divakaran
>To: lartc@mailman.ds9a.nl
>Subject: [LARTC] Is Linux based Router feasible
>
>Hi,
>
>I've a local LAN consisting of about 150 machines. I'm using a Linux
>machine as the gateway machine which in turn connects to two different
>ISPs. My question is can a Linux based machine match the performance of
>a hardware based routers provided by Cisco,... OR is my decision to go
>for a Linux based solution is a wrong one?.
>
>

I don't like Cisco: You only get good things if you go to high order systems, and you have to pay for everything (even software upgrades, if you need them). At the university I work, we have a Cisco router, AND a Linux router/qos/filter/traffic-shaper before it. Due to the amount of clients (>900), and the amount of connections (>8000 at any time, with peaks of up to 90.000 (yes, that much)) the Cisco router was collapsing; we added the Linux router and now everything works A LOT better. We have two ISPs, hence two connections, one of 384kbps/128kbps and the other of 1024kbps/1024kbps.

Additionally, it is not as durable as you may expect, I saw a Cisco Catalyst 2900 switch die due to a power peak, and when I looked at the power source, there was a filter design problem (this equipment would not survive more than one year without a regulator/peak suppressor AND external power line filter on any pseudo-industrial environment).

>Is there so much difference between these two solutions?
>
>

Yes, of course. The Linux solution is somehow difficult to implement (but hey, you are not alone, you can come here and ask :) ), but it is more flexible, and it is free.

>Can I achieve the same performance using a high end PC and Linux?
>
>

Even without a high end PC. The solution I told you was implemented with a PII 300MHz with 128Mb RAM.

> I'm asking this because one guy told me that my decision to go for a
>Linux based solution is a wrong one and it can never match the
>performance of Routers provided by Cisco.
>
>

If you go for the Cisco high end routers, it would be only harder, but you can still match. See, Cisco routers often use very small processors (some of them only comparable with K6-II or PIII), you can use an Athlon 64 with DDR RAM and very good network hardware (that is very, very important) and certainly you can match any Cisco solution (unless you need MANY interfaces, in which case you would be going to clustering, but that is another history and will be expensive).

>Thanks
>Sudheer
>
>
>

From Glen.Mabey@usu.edu Thu Jul 8 20:33:00 2004 From: Glen.Mabey@usu.edu (Glen Mabey) Date: Thu, 8 Jul 2004 13:33:00 -0600 Subject: [LARTC] the "cisco vs. Linux" thread In-Reply-To: <40ED715D.8010904@unet.edu.ve> References: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> <40ED715D.8010904@unet.edu.ve> Message-ID: <20040708193300.GA30890@mabeys.dsl.aros.net>

On Thu, Jul 08, 2004 at 12:07:57PM -0400, José Ildefonso Camargo Tolosa wrote:
> you can use an Athlon
> 64 with DDR RAM and very good network hardware (that is very, very
> important)

Regarding NICs, are there any recommendations out there for which manufacturers to go with? I don't need anything faster than 100baseT.

I would think that Intel and 3Com would be in the "reliable" category, and RTL-based cards in the "forget it" category.

On the Intel note, I wonder what experience y'all have had with the two different drivers for the EtherExpressPro/100 card. That is, eepro100 versus e100. I would think that no one would take the time to rewrite a driver if there wasn't anything wrong with the original one.

Thank you--
Glen Mabey

--
******************************************************************
Glen W. Mabey Glen.Mabey@usu.edu http://mabeys.homelinux.com/glen/
******************************************************************

From Gareth.Segree@gleanerjm.com Thu Jul 8 22:23:22 2004 From: Gareth.Segree@gleanerjm.com (Segree, Gareth) Date: Thu, 8 Jul 2004 16:23:22 -0500 Subject: [LARTC] Help with dual internet connection Message-ID: <1198536982594F4E9A8E8D4DA6B64E668278@COMMSRV04.gleanerjm.com>

> I have 2 connections to the internet.
> 1 is an ADSL the other is a 3MB link over satellite.
>
> This is a portion of my firewall script
>
> ip route flush table 3 2> /dev/null
> ip rule delete table 3 2> /dev/null
> ip route add table 3 127.0.0.0/8 dev lo scope link
> ip route add table 3 89.0.0.0/8 dev eth0 scope link
> ip rule add fwmark 3 table 3
> ip route add table 3 default via $isp2_ip dev eth3
> ip route flush cache
> iptables -t mangle -A PREROUTING -p tcp -s $ip_set2 --dport $http -j MARK --set-mark 3
> iptables -t mangle -A PREROUTING -p tcp --dport $ftp -j MARK --set-mark 3
> iptables -t nat -A POSTROUTING -o $isp1_if -j SNAT --to-source $isp1_ip
> iptables -t nat -A POSTROUTING -o $isp2_if -j SNAT --to-source $isp2_ip
> iptables -A FORWARD -i $lan_if -j ACCEPT
> iptables -A INPUT -p ALL -d $isp2_ip -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p ALL -d $isp1_ip1 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Http & ftp work fine but if link1 is down only http works. Why is this?
> Is there a proper/different way to set up internet access over 2 ISPs?
> I need to route mail from the second ISP to my mail server in the DMZ?
>
> Gareth Segree
> mailto:Gareth.Segree@gleanerjm.com
> Technical Support Analyst
> The Gleaner Company Ltd.
> 7 North Street
> Kingston
> Tel: 922-3400

From nick@erkert.com Thu Jul 8 22:44:26 2004 From: nick@erkert.com (Nicholas Erkert) Date: Thu, 08 Jul 2004 14:44:26 -0700 Subject: [LARTC] the "cisco vs. Linux" thread In-Reply-To: <20040708193300.GA30890@mabeys.dsl.aros.net> References: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> <40ED715D.8010904@unet.edu.ve> <20040708193300.GA30890@mabeys.dsl.aros.net> Message-ID: <40EDC03A.2040804@erkert.com>

Glen Mabey wrote:
> On Thu, Jul 08, 2004 at 12:07:57PM -0400, José Ildefonso Camargo Tolosa wrote:
>
>>you can use an Athlon
>>64 with DDR RAM and very good network hardware (that is very, very
>>important)
>
>
> Regarding NICs, are there any recommendations out there for which
> manufacturers to go with? I don't need anything faster than 100baseT.
>
> I would think that Intel and 3Com would be in the "reliable" category,
> and RTL-based cards in the "forget it" category.
>
> On the Intel note, I wonder what experience y'all have had with the two
> different drivers for the EtherExpressPro/100 card. That is, eepro100
> versus e100. I would think that no one would take the time to rewrite a
> driver if there wasn't anything wrong with the original one.
>
> Thank you--
> Glen Mabey
>

I have had some good luck with Intel cards using either driver. I haven't noticed much difference between them but I haven't done a lot of stress testing on them.

On a side note has anyone built a linux router with dual/quad port ethernet cards (ie Intel PRO/1000 MT Quad Port Server Adapter)?

--Nick Erkert

From andre.correa@pobox.com Thu Jul 8 23:12:26 2004 From: andre.correa@pobox.com (Andre Correa) Date: Thu, 08 Jul 2004 19:12:26 -0300 Subject: [LARTC] Default class traffic In-Reply-To: <40EB00F3.905@pobox.com> References: <20030325160701.19589.85494.Mailman@outpost.ds9a.nl> <003a01c4635f$f4cc9e30$0201a8c0@jabbacom.net> <40EAEA5E.8000707@pobox.com> <00b701c4638f$e3114710$0201a8c0@jabbacom.net> <40EB00F3.905@pobox.com> Message-ID: <40EDC6CA.4040203@pobox.com>

Hi,

I'm facing a problem that I cannot figure out how to solve. Some of my linux boxes with heavy traffic (>20Mbps) are registering avg of 200pkts per second in their default classes. This is not supposed to happen and I want to find some info about this traffic (source ip, destination ip, proto, ports, etc).

Is there a way to find what is going to the default class or any other class? For what I know there is no way and it wouldn't be trivial to program it.

Thanks in advance for any information.

Andre

From josh@imagestream.com Thu Jul 8 23:31:06 2004 From: josh@imagestream.com (Joshua Snyder) Date: Thu, 8 Jul 2004 17:31:06 -0500 (EST) Subject: [LARTC] Is Linux based Router feasible In-Reply-To: <40ED304D.9000107@svw.com> References: <40ED304D.9000107@svw.com> Message-ID:

Let me start out by saying that I work for a company that makes Linux based routers. Check out www.imagestream.com

Anyway, any Linux box will perform just fine at the data rates you're talking about. You don't even have to worry about what type of hardware you're using as long as it's not more than 5 years old.

Now to answer some of the points that other people have brought up. You can make a PC that has a large number of interfaces. I have seen Linux boxes with 100 t-1's and 2 ds-3's plugged into them... 8 port t-1 cards are common and dual port ds-3 cards are easy to get. You just have to get mainboards that have enough PCI slots.

In general as long as you stay inside of what the hardware can do you should be able to route at line rate. Currently most PC hardware is limited to about a max of 1Gbit/sec but server hardware can be used to build routers that will route 4Gbit/sec. Not as good as some of the highest end Cisco routers... but tens of thousands of dollars cheaper.

One thing I have seen doing testing of many routers vs Linux routers: most Cisco routers tend to get badly bogged down when running many access lists. This is not a big problem with a Linux box or even other non-Cisco routers. If you don't believe me check out... http://www.nwfusion.com/reviews/2003/0714rev.html

You should have no problems doing what you want to do.

josh

p.s. A lot of the packet per sec numbers that Cisco talks about are only valid when routing from Ethernet to Ethernet interfaces and with packets that stay in the fast switching path on the Cisco. If you start talking about other interfaces all of those numbers are out of the window. This leads many people to end up with Ciscos that are way underpowered for the application. I am not saying that Ciscos can't route at wire-speed but that most people don't have the right router for the job.

From eosyn@tampabay.rr.com Thu Jul 8 22:44:47 2004 From: eosyn@tampabay.rr.com (David Cooper(roadrunner)) Date: Thu, 08 Jul 2004 17:44:47 -0400 Subject: [LARTC] possibly simple priority question Message-ID: <40EDC04F.20505@tampabay.rr.com>

Greetings list folk.. I have been reading up on QOS for a short time now with the idea of solving one problem I have but I can't seem to piece together a working system to do so.

I have a linux box acting as a home gateway system running Gentoo and vanilla 2.4.26. I have a vonage uhh voip device that is connected behind the router. There are only 3-4 other hosts on the network. All I really need to do is have my linux machine understand that -any- traffic from the vonage host gets top priority over any other hosts. Sounds fairly simple.

I've tried a few examples of things using cbq or htb and have tried to hack some things together myself with no real good results. I would like to know if anyone has any simple solutions, prio maybe, or knows a good direction in which to read up. I've read through the lartc howto (which was excellent!) and been to the home page for htb but I can never find what I need to solve the problem and I guess I haven't learned near enough to piece together what I need.

Anyone have any ideas? Thanks very much in advance.
Dave Cooper

From lists@wildgooses.com Fri Jul 9 00:20:35 2004 From: lists@wildgooses.com (Ed Wildgoose) Date: Fri, 09 Jul 2004 00:20:35 +0100 Subject: [LARTC] possibly simple priority question In-Reply-To: <40EDC04F.20505@tampabay.rr.com> References: <40EDC04F.20505@tampabay.rr.com> Message-ID: <40EDD6C3.5050801@wildgooses.com>

David Cooper(roadrunner) wrote:
> Greetings list folk.. I have been reading up on QOS for a short time
> now with the idea of solving one problem I have but I can't seem to
> piece together a working system to do so.
...
> Anyone have any ideas?

I think this script is probably the best one to learn from. Much more complete than the Wondershaper script

http://digriz.org.uk/jdg-qos-script/

From aathan-lartc-15280@cloakmail.com Fri Jul 9 03:05:22 2004 From: aathan-lartc-15280@cloakmail.com (Andrew Athan) Date: Thu, 8 Jul 2004 22:05:22 -0400 Subject: [LARTC] tc filter + bridging + htb -- works only if ip_forward = 0 Message-ID:

I thought that the below email would be of interest to LARTC readers. I wasted quite a bit of time tracking down this "feature" (bug?). Any comments that shed light on this would be appreciated.

In short, "tc filter" + htb + bridging works only with ip_forward off.

Andrew Athan

-----------------------------------------------------------------------

All:

It seems that Fedora Core 2 (Linux Kernel 2.6)

echo "1" > /proc/sys/net/ipv4/ip_forward

will cause tc filter rules not to work. I am not sure if this is unique to cases of bridging or if turning ip forwarding on also breaks tc filter rules on "true", non-promiscuous, non-bridged (e.g., eth0) interfaces. I would assume it would but don't have time to test this case right now (i.e., this is probably not specific to bridging).

A.

-----Original Message-----

Folks:

I am having trouble making linux-2.6.5-1.358 (Fedora Core 2) configured as a bridge work. See below.

Whether I set the tc filter's parent as 1: or 1:1 or rename 1: to 1:0 and use 1:0 etc I never get any traffic classified in the htb. If I set a default class, all the traffic ends up in the default class. This leads me to believe that the u32 classifier simply never matches, although it probably gets the packets. Perhaps there is a wrong offset or mismatched struct somewhere? I'd be glad to investigate if pointed in the right direction, I will start by diffing cls_u32.c between linux-2.4.26 and linux-2.6.5 (people have reported there are no issues with packet classification + bridging under linux-2.4).

A.

# lspci
00:00.0 Host bridge: Intel Corp. 82810E DC-133 GMCH [Graphics Memory Controller Hub] (rev 03)
00:01.0 VGA compatible controller: Intel Corp. 82810E DC-133 CGC [Chipset Graphics Controller] (rev 03)
00:1e.0 PCI bridge: Intel Corp. 82801AA PCI Bridge (rev 02)
00:1f.0 ISA bridge: Intel Corp. 82801AA ISA Bridge (LPC) (rev 02)
00:1f.1 IDE interface: Intel Corp. 82801AA IDE (rev 02)
00:1f.2 USB Controller: Intel Corp. 82801AA USB (rev 02)
00:1f.3 SMBus: Intel Corp. 82801AA SMBus (rev 02)
00:1f.5 Multimedia audio controller: Intel Corp. 82801AA AC'97 Audio (rev 02)
01:0a.0 Ethernet controller: Lite-On Communications Inc LNE100TX (rev 20)
01:0c.0 Ethernet controller: 3Com Corporation 3c905C-TX/TX-M [Tornado] (rev 78)

#!/bin/bash
#
# qos          Add traffic shaping to eth0
#
# chkconfig: 2345 86 14
# description: Add traffic shaping to eth0
#
# processname: none

WAN=br0      # external interface
LAN=eth1     # internal interface
TC=/usr/local/tc

CMD="$1"

if [ "$CMD" == "stop" ]
then
    TCOP="del"
    IPTOP="-D"
    #iptables -t mangle -D POSTROUTING -o $WAN -j MYSHAPER-OUT 2> /dev/null > /dev/null
    #iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
    #iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
    $TC qdisc del dev ${WAN} root handle 1: htb
fi

if [ "$CMD" == "start" ]
then
    brctl addbr br0
    brctl addif br0 eth0
    brctl addif br0 eth1
    ifconfig eth0 0.0.0.0
    ifconfig eth1 0.0.0.0
    ifconfig br0 up
    ifconfig br0 10.100.82.252 netmask 255.255.255.0 broadcast 10.100.82.255 up
    echo "1" > /proc/sys/net/ipv4/ip_forward
    route add default gw 10.100.82.1

    sysctl -w net.core.rmem_max=8388608
    sysctl -w net.core.wmem_max=8388608
    sysctl -w net.core.rmem_default=65536
    sysctl -w net.core.wmem_default=65536
    sysctl -w net.ipv4.tcp_rmem='4096 87380 8388608'
    sysctl -w net.ipv4.tcp_wmem='4096 65536 8388608'
    sysctl -w net.ipv4.tcp_mem='8388608 8388608 8388608'
    sysctl -w net.ipv4.route.flush=1

    TCOP="add"
    IPTOP="-A"
    #iptables -t mangle -N MYSHAPER-OUT
    ##iptables -t mangle -I POSTROUTING -d $LIMITNETSPEC -j MYSHAPER-OUT
    #iptables -t mangle -I POSTROUTING -o $WAN -j MYSHAPER-OUT

    #                  +---------+
    #                  | root 1: |
    #                  +---------+
    #                       |
    #          +----------------------------+
    #          |          class 1:1         |
    #          +----------------------------+
    #               |          |          |
    #            +----+     +----+     +----+
    #            |1:10|     |1:20|     |1:30|
    #            +----+     +----+     +----+
    #                          |
    #               +----------+----------+
    #               |          |          |
    #            +-----+    +-----+    +-----+
    #            |1:100|    |1:101|    |1:102|
    #            +-----+    +-----+    +-----+
    #
    # 1:10 is the class for VOIP traffic, ACKs, SYNs, etc (pfifo qdisc)
    # 1:20 is for bulk traffic (htb, leaves use sfq)
    # 1:30 is the class that interactive traffic which must never get snuffed out completely goes to (sfq)
    # 1:20 is further split up into different kinds of bulk traffic: web, mail and
    # everything else. 1:100-102 fight amongst themselves for their slice of excess
    # bandwidth, and in turn 1:10,20 and 30 then fight for any excess above their
    # minimum rates.

    # ceil is 90% of max rate (768kbps)
    # rate is 80% of max rate
    # we don't let it go to 100% because we don't want the WAN provider to buffer
    CEIL=4500kbit
    RATE1=1000kbit
    RATE2=3000kbit
    RATE3=500kbit
    APPRATE1=1500kbit
    APPRATE2=750kbit
    APPRATE3=250kbit

    $TC qdisc ${TCOP} dev ${WAN} root handle 1: htb
    $TC class ${TCOP} dev ${WAN} parent 1: classid 1:1 htb rate ${CEIL} ceil ${CEIL}
    $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:10 htb rate ${RATE1} ceil ${CEIL} prio 1
    $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:20 htb rate ${RATE2} ceil ${CEIL} prio 2
    $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:30 htb rate ${RATE3} ceil ${CEIL} prio 3
    $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:100 htb rate ${APPRATE1} ceil ${CEIL} prio 4
    $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:101 htb rate ${APPRATE2} ceil ${CEIL} prio 5
    $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:102 htb rate ${APPRATE3} ceil ${CEIL} prio 6

    $TC qdisc ${TCOP} dev ${WAN} parent 1:10 handle 10: pfifo
    $TC qdisc ${TCOP} dev ${WAN} parent 1:100 handle 100: sfq perturb 10
    $TC qdisc ${TCOP} dev ${WAN} parent 1:101 handle 101: sfq perturb 10
    $TC qdisc ${TCOP} dev ${WAN} parent 1:102 handle 102: sfq perturb 10
    $TC qdisc ${TCOP} dev ${WAN} parent 1:30 handle 30: sfq perturb 10

    #---------------------------------------------------------------------------
    #phones
    $TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 match ip dst 10.50.30.0/24 flowid 1:10
    ##trading
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 207.251.101.0/24 flowid 1:100
    ##non-critical
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 10.50.20.0/24 flowid 1:101
    #
    ##ACK
    #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
    #    match ip protocol 0x6 0xff \
    #    match u8 0x05 0x0f at 0 \
    #    match u8 0x10 0xff at 33 \
    #    match u16 0x0000 0xffc0 at 2 \
    #    flowid 1:10
    #
    ##SYN-ACK
    #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
    #    match ip protocol 0x6 0xff \
    #    match u8 0x05 0x0f at 0 \
    #    match u8 0x12 0x12 at 33 \
    #    match u16 0x0000 0xffc0 at 2 \
    #    flowid 1:10
    #
    ##FIN
    #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
    #    match ip protocol 0x6 0xff \
    #    match u8 0x05 0x0f at 0 \
    #    match u8 0x01 0x01 at 33 \
    #    match u16 0x0000 0xffc0 at 2 \
    #    flowid 1:10
    #
    ##RST
    #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
    #    match ip protocol 0x6 0xff \
    #    match u8 0x05 0x0f at 0 \
    #    match u8 0x04 0x04 at 33 \
    #    match u16 0x0000 0xffc0 at 2 \
    #    flowid 1:10
    #
    ## ICMP
    #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
    #    match ip protocol 1 0xff flowid 1:10
    #
    ## DNS
    #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
    #    match ip protocol 0x11 0xff \
    #    match ip dport 53 0xffff \
    #    flowid 1:100
    #
    ##telnet and AOL
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 22 0xffff flowid 1:30
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 22 0xffff flowid 1:30
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 5190 0xffff flowid 1:30
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 5190 0xffff flowid 1:30
    #
    ##web
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 80 0xffff flowid 1:102
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 80 0xffff flowid 1:102
    ##ftp
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 21 0xffff flowid 1:102
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 21 0xffff flowid 1:102
    ##tftp
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 69 0xffff flowid 1:102
    #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 69 0xffff flowid 1:102
    ##dhcp?
    ##$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 0.0.0.0/0 flowid 1:10
    ##$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 0.0.0.0/0 flowid 1:10
    #
    #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 10 fw flowid 1:10
    #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 100 fw flowid 1:100
    #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 101 fw flowid 1:101
    #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 102 fw flowid 1:102
    #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 30 fw flowid 1:30
    #
    ##TOS min delay
    #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 3 u32 \
    #    match ip tos 0x10 0xff \
    #    flowid 1:30
    #
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 5190 -j MARK --set-mark 30   # aol instant messenger
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport ssh -j MARK --set-mark 30    # secure shell
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport ssh -j MARK --set-mark 30    # secure shell
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport x11 -j MARK --set-mark 30    # secure shell
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 0:1024 -j MARK --set-mark 101   # Default for low port traffic
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 0:1024 -j MARK --set-mark 101   # ""
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport http -j MARK --set-mark 102     # Web
    ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport https -j MARK --set-mark 102    # Web
    ##iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 102        # redundant- mark any unmarked packets as 26 (low prio)
fi

if [ "$CMD" = "status" ]
then
    echo "[qdisc-$WAN]"
    $TC -s qdisc show dev $WAN
    echo "[class-$WAN]"
    $TC -s class show dev $WAN
    echo "[filter-$WAN]"
    $TC -s filter show dev $WAN
    echo "[iptables]"
    iptables -t mangle -L MYSHAPER-OUT -v -x 2> /dev/null
    exit
fi

From reza@mra.co.id Fri Jul 9 06:01:07 2004 From: reza@mra.co.id (Mohammad Reza) Date: Fri, 9 Jul 2004 12:01:07 +0700 Subject: [LARTC] tutorial for Julian Anastasov's patches Message-ID:

Dear All,

I follow this tutorial, but it seems to fail to detect a dead gateway from both the router side and the client side. If one link is down, I expect that routing will flush automatically after 60 seconds. But this has not happened. Keeping them alive with the pinging trick doesn't make any changes.

Maybe I have something misconfigured; here is my configuration on the router

#/sbin/ip ro sh table main
xxx.138.255.168/30 dev eth2 proto kernel scope link src xxx.138.255.170
xxx.138.254.0/26 dev eth1 proto kernel scope link src xxx.138.254.2
172.16.0.0/24 dev eth0 scope link
172.16.0.0/16 via 172.16.0.1 dev eth0
127.0.0.0/8 dev lo scope link

# /sbin/ip ro ls table 201
default via 202.138.254.1 dev eth1 proto static src 202.138.254.2
prohibit default proto static metric 1

#/sbin/ip ro ls table 202
default via 202.138.255.169 dev eth2 proto static src 202.138.255.170
prohibit default proto static metric 1

#/sbin/ip ro ls table 222
default proto static
    nexthop via 202.138.255.169 dev eth2 weight 2
    nexthop via 202.138.254.1 dev eth1 weight 1

Established connection tracking is enabled in the iptables rules, I use the 2.4.26 kernel, please enlighten and help me.

Regards,
Reza

-----Original Message-----
From: Julian Anastasov [mailto:ja@ssi.bg]
Sent: Thursday, July 08, 2004 2:04 PM
To: Glen Mabey
Cc: LARTC Mailing List
Subject: Re: [LARTC] tutorial for Julian Anastasov's patches

Hello,

On Wed, 7 Jul 2004, Glen Mabey wrote:
> I'm sure that I had found (and printed out ...) a really good tutorial
> that explain how to use Julian Anastasov's routing patch, but I can't
> seem to find it now.
>
> Any pointers?
http://www.ssi.bg/~ja/ Regards -- Julian Anastasov _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ From Jeff_Green@sapiens.co.uk Fri Jul 9 10:47:43 2004 From: Jeff_Green@sapiens.co.uk (Jeff Green) Date: Fri, 9 Jul 2004 10:47:43 +0100 Subject: [LARTC] the "cisco vs. Linux" thread Message-ID: <1B61C6F7F250D711951800065BF1116E11A89D@red-alert-backup.uk.sapiens.int> FYI this topic has been covered on the Zebra and Quagga lists - ha= rdware processors, memory, NICs, etc - software OS (Linux, *BSD), drive= rs, etc I've been running a couple of Linux routers for about 2 years = now, I'm using them as core routers so I bought a couple of rackmount "= server" boxes with redundant PSUs and h/w RAID (1) for hotswap disks. = I'm using a couple of Adaptec Quartet66 NICs in each, that gives me 2 = x 1GbE (on mobo) and 8 x 10/100 Mb ports per box. Regards, = -----Original Message----- From: lartc-admin@mailman.ds9a.nl [mailto:lar= tc-admin@mailman.ds9a.nl] On Behalf Of Nicholas Erkert Sent: 08 July 20= 04 22:44 To: lartc@mailman.ds9a.nl Subject: Re: [LARTC] the "cisco vs. = Linux" thread Glen Mabey wrote: > On Thu, Jul 08, 2004 at 12:07:57PM = -0400, Jos? Ildefonso Camargo Tolosa wrote: > >>you can use an Athlon= >>64 with DDR RAM and very good network hardware (that is very, very >= >important) > > > Regarding NICs, are there any recommendations out = there for which > manufacturers to go with? I don't need anything fast= er than 100baseT. > > I would think that Intel and 3Com would be in th= e "reliable" category, > and RTL-based cards in the "forget it" catego= ry. > > On the Intel note, I wonder what experience y'all have had wit= h the > two different drivers for the EtherExpressPro/100 card. That i= s, > eepro100 versus e100. I would think that noone would take the tim= e to > rewrite a driver if there wasn't anything wrong with the origin= al one. 
> > Thank you-- > Glen Mabey > I have had some good luck w= ith Intel cards using either drivers. I haven't noticed much difference = between them but I haen't done a lot of stress testing on them. On a = side note has anyone built a linux router with dual/quad port ethernet c= ards (ie Intel PRO/1000 MT Quad Port Server Adapter)? --Nick Erkert = _______________________________________________ LARTC mailing list / LAR= TC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: = http://lartc.org/ --------------------------------------------------= ---------------------- Confidentiality Note: The information contained i= n this email and document(s) attached are for the exclusive use of the a= ddressee and may contain confidential, privileged and non-disclosable inf= ormation. If the recipient of this email is not the addressee, such recip= ient is strictly prohibited from reading, photocopying, distribution or o= therwise using this email or its contents in any way. Please notify the S= apiens (UK) Ltd. Systems Administrator via e-mail immediately at networks= upport@sapiens.co.uk, if you have received this email in error. Discla= imer: The views, opinions and guidelines contained in this confidential e= -mail are those of the originating author and may not be representative o= f Sapiens (UK) Ltd. ----------------------------------------------------= -------------------- From npf@eurotux.com Fri Jul 9 14:56:12 2004 From: npf@eurotux.com (Nuno Miguel Pais Fernandes) Date: Fri, 09 Jul 2004 14:56:12 +0100 Subject: [LARTC] iptables MARK with msn messenger Message-ID: <1089381372.2020.11.camel@xeon.office.eurotux.com> --=-9cFUwy7U3QszOjYXAnVX Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Hello, I've setup a router with linux 2.4.26 with h323 conntrack patch from pom-ng. 
The network schema is:

                            ADSL
internal      |--------|---------------------
------------- | Linux  |
              |--------|---------------------
                            Frame-Relay

Default gw is frame relay and i'm using netfilter mark to send traffic to adsl.

# ip rule ls
0:      from all lookup local
32765:  from all fwmark 0x2 lookup 200
32766:  from all lookup main
32767:  from all lookup 253

How can i send msn netmeeting traffic to ADSL? Is it port based? Which ports should be marked with netfilter?

Thanks
Nuno Fernandes

-- 
Nuno Miguel Pais Fernandes

From alfie@syncompute.net Fri Jul 9 15:35:22 2004
From: alfie@syncompute.net (Alfie Viechweg)
Date: Fri, 09 Jul 2004 10:35:22 -0400
Subject: [LARTC] the "cisco vs. Linux" thread
In-Reply-To: <40EDC03A.2040804@erkert.com>
References: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> <40ED715D.8010904@unet.edu.ve> <20040708193300.GA30890@mabeys.dsl.aros.net> <40EDC03A.2040804@erkert.com>
Message-ID: <40EEAD2A.7030300@syncompute.net>

Regarding building your own router/switch. You might want to check out www.routerboard.com for a really reasonably priced 4 port NIC.

--Alfie Viechweg

From icamargo@unet.edu.ve Fri Jul 9 16:05:40 2004
From: icamargo@unet.edu.ve (José Ildefonso Camargo Tolosa)
Date: Fri, 09 Jul 2004 11:05:40 -0400
Subject: [LARTC] Re: the "cisco vs. Linux" thread (two answers (I have digest, sorry), Nick Erkert, Joshua Snyder)
In-Reply-To: <20040709020602.25355.8208.Mailman@outpost.ds9a.nl>
References: <20040709020602.25355.8208.Mailman@outpost.ds9a.nl>
Message-ID: <40EEB444.6060800@unet.edu.ve>

> Message: 5
> Date: Thu, 08 Jul 2004 14:44:26 -0700
> From: Nicholas Erkert
> To: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] the "cisco vs. Linux" thread
>
> Glen Mabey wrote:
>
>>> On Thu, Jul 08, 2004 at 12:07:57PM -0400, José Ildefonso Camargo Tolosa wrote:
>>>
>>
>>>>>you can use an Athlon
>>>>>64 with DDR RAM and very good network hardware (that is very, very
>>>>>important)
>>
>>>
>>>
>>> Regarding NICs, are there any recommendations out there for which
>>> manufacturers to go with? I don't need anything faster than 100baseT.
>>> ........
>>>
>>> Thank you--
>>> Glen Mabey
>>>
>
> I have had some good luck with Intel cards using either driver. I
> haven't noticed much difference between them but I haven't done a lot of
> stress testing on them.
>
> On a side note has anyone built a linux router with dual/quad port
> ethernet cards (ie Intel PRO/1000 MT Quad Port Server Adapter)?

I used a dlink one: not fully tested, but it seems to work fine.

>
>
> --Nick Erkert
>
> Message: 8
> Date: Thu, 8 Jul 2004 17:31:06 -0500 (EST)
> From: Joshua Snyder
> To: Sudheer Divakaran
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Is Linux based Router feasible
>
> Let me start out by saying that I work for a company that makes Linux
> based routers. Checkout www.imagestream.com Anyway, any
> Linux box will perform just fine at the data rates you're talking about.

Some realtek cards (and even some 3com) report: Too much work at interrupt, and REALLY slow things down, even at 256kbps. There are workarounds, but it just raises the CPU load A LOT (although things start working faster).

> You don't even have to worry about what type of hardware you're using as
> long as it's not more than 5 years old.
> Now to answer some of the points that other people have brought up. You
> can make a pc that has a large number of interfaces. I have seen Linux
> boxes with 100 t-1's and 2 ds-3's plugged into them... 8 port t-1 cards
> are common and dual port ds-3 cards are easy to get. You just have to get
> mainboards that have enough pci slots. In general as long as you stay
> inside of what the hardware can do you should be able to route at line
> rate. Currently most pc hardware is limited to about a max of 1Gbit/sec
> but server hardware can be used to build routers that will route
> 4Gbit/sec. Not as good as some of the highest end cisco routers... but
> tens of thousands of dollars cheaper. One thing I have seen doing testing
> of many routers vs Linux routers: most cisco routers tend to get badly
> bogged down when running many access lists. This is not a big problem
> with a Linux box or even other non-cisco routers. If you don't believe me
> checkout...
>
> http://www.nwfusion.com/reviews/2003/0714rev.html

Just as I said: cisco use very *small* cpus.

>
> You should have no problems doing what you want to do.
>
> josh
>
>
> p.s. a lot of the packet per sec numbers that cisco talks about are only
> valid when routing from Ethernet to Ethernet interfaces and with packets
> that stay in the fast switching path on the cisco. If you start talking
> about other interfaces all of those numbers are out of the window. This
> leads many people to end up with cisco's that are way under powered for
> the application. I am not saying that cisco's can't route at wire-speed
> but that most people don't have the right router for the job.
From aravindforn@yahoo.co.in Fri Jul 9 17:06:39 2004
From: aravindforn@yahoo.co.in (Aravind babu)
Date: Fri, 9 Jul 2004 17:06:39 +0100 (BST)
Subject: [LARTC] Problem with HTB queuing discipline
Message-ID: <20040709160639.11130.qmail@web8205.mail.in.yahoo.com>

Hi ,

    I have the problem with HTB queuing discipline. I am giving my setup below.

                172.30.179.206          172.30.180.55
          LAN         |                       |      WAN
    ------------------| LINUX WITH HTB        |-------------------
172.30.179.140        |                       |      172.30.180.72
FTP SERVER                                           FTP CLIENT

On the LAN side i put FTP server (172.30.179.140) and on WAN side i put FTP client (172.30.180.72).

FTP client and FTP server will communicate through the middle linux box.

Middle linux box has two interfaces. eth0 is 172.30.179.206 and eth1 is 172.30.180.55

In the middle linux box i configured HTB using following commands.

./tc qdisc add dev eth0 root handle 1:0 htb
./tc class add dev eth0 parent 1:0 classid 1:1  htb rate 30kbps  ceil 30kbps
./tc class add dev eth0 parent 1:1 classid 1:10 htb rate 30kbps  ceil 30kbps
./tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dst 172.30.180.72 match ip sport 21 0xffff flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dst 172.30.180.72 match ip sport 20 0xffff flowid 1:10

When i downloaded one file of size 10.7MB from FTP server (i.e. from 172.30.179.140) to client (i.e. 172.30.180.72), download speed is coming as 362.19kbytes/sec instead of 30kbps which i ceil. What may be the problem? Any configuration issue? Any idea?

Thanks in advance,
Aravind.

Yahoo! India Careers: Over 50,000 jobs online.
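As an added check (example code, not from the original post and not from iproute2): before tuning HTB parameters, confirm that the filter classifies anything at all. `tc -s class show dev <if>` prints a "Sent N bytes" counter per class; a class that stays at 0 bytes while the transfer runs means the packets never reach it. In the topology above the FTP data flows toward 172.30.180.72, which leaves the box through eth1, so a qdisc attached to eth0 never sees it. The script also converts tc rate strings, because tc reads `kbps` as kilobytes per second and `kbit` as kilobits, so `30kbps` is 240 kbit/s. The two `tc -s class show` samples are constructed, in roughly the layout iproute2 prints for HTB classes, with made-up counter values.

```shell
#!/bin/sh
# Added example (not from the original post or from iproute2). Two checks
# for an HTB setup that "does not shape":
#   1. what a tc rate string really means in bit/s (kbps = kilobytes/s)
#   2. whether a class has seen any traffic, read from `tc -s class show`
# Plain sh + awk, no root needed: feed it saved tc output.

# Convert a tc rate such as 30kbps, 800kbit, 1mbit to bit/s.
# Suffix meanings follow tc(8): kbit/mbit are bits, bps/kbps/mbps are BYTES.
# The 1000-based scale matches current iproute2 (assumption: older releases
# scaled kbit/kbps by 1024 instead).
tc_rate_bits() {
  num=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
  unit=$(printf '%s' "$1" | sed 's/^[0-9.]*//' | tr 'A-Z' 'a-z')
  case "$unit" in
    ""|bit) mult=1 ;;
    kbit)   mult=1000 ;;
    mbit)   mult=1000000 ;;
    bps)    mult=8 ;;
    kbps)   mult=8000 ;;
    mbps)   mult=8000000 ;;
    *) echo "tc_rate_bits: unknown unit '$unit'" >&2; return 1 ;;
  esac
  awk -v n="$num" -v m="$mult" 'BEGIN { printf "%d\n", n * m }'
}

# Print the "Sent N bytes" counter of class $2 from the `tc -s class show`
# output passed in $1 (prints nothing if the class is not present).
class_sent_bytes() {
  printf '%s\n' "$1" | awk -v id="$2" '
    $1 == "class" { want = ($3 == id); next }
    want && $1 == "Sent" { print $2; exit }'
}

# List every class whose Sent counter is still zero: the filter feeding it
# never matched, or the traffic is leaving through another interface.
idle_classes() {
  printf '%s\n' "$1" | awk '
    $1 == "class" { id = $3 }
    $1 == "Sent" && $2 + 0 == 0 { print id }'
}

# Constructed sample: the post's qdisc on eth0 (LAN side) after the FTP
# download. Nothing is counted because the download leaves via eth1.
SAMPLE_ETH0='class htb 1:1 root rate 240Kbit ceil 240Kbit burst 1599b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 833 ctokens: 833

class htb 1:10 parent 1:1 prio 0 rate 240Kbit ceil 240Kbit burst 1599b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 833 ctokens: 833
'

# Constructed sample: the same tree attached to eth1 (WAN side), where the
# filter matches and the leaf class is actually shaping the transfer.
SAMPLE_ETH1='class htb 1:1 root rate 240Kbit ceil 240Kbit burst 1599b cburst 1599b
 Sent 11239424 bytes 7442 pkt (dropped 0, overlimits 0 requeues 0)
 rate 239880bit 20pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: -12 ctokens: -12

class htb 1:10 parent 1:1 prio 0 rate 240Kbit ceil 240Kbit burst 1599b cburst 1599b
 Sent 11239424 bytes 7442 pkt (dropped 0, overlimits 0 requeues 0)
 rate 239880bit 20pps backlog 0b 0p requeues 0
 lended: 7442 borrowed: 0 giants: 0
 tokens: -12 ctokens: -12
'

echo "30kbps = $(tc_rate_bits 30kbps) bit/s, 30kbit = $(tc_rate_bits 30kbit) bit/s"
echo "eth0 classes with no traffic: $(idle_classes "$SAMPLE_ETH0" | tr '\n' ' ')"
echo "eth1 class 1:10 sent $(class_sent_bytes "$SAMPLE_ETH1" 1:10) bytes"
```

On a live box, replace the samples with `out=$(tc -s class show dev eth1)` taken once before and once after the transfer; the class whose counter moves is the one doing the shaping, and if none moves the qdisc is on the wrong interface or the u32 match is wrong.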
From register@flintz.de Fri Jul 9 18:10:39 2004
From: register@flintz.de (FB)
Date: Fri, 09 Jul 2004 19:10:39 +0200
Subject: [LARTC] Layer 7 netfilter not working
Message-ID: <40EED18F.4050804@flintz.de>

Hello there!

I am trying to get traffic shaping working on my Linux router (debian woody 3r02) and for some things I wanted to use the layer 7 packet classifier, but I can't get it to work.
Here is what I did:

-downloaded the patches from http://l7-filter.sourceforge.net
-downloaded the kernel 2.6.7 source
-downloaded the iptables 1.2.11 source
-patched kernel (layer7 patch and some patch to get iptables 1.2.11 working with kernel 2.6.7)
-patched iptables
-compiled iptables
-activated layer 7 support in kernel-config (and a lot of other packet classifying options)
-compiled and installed kernel

Now I tried to mark some packets with layer 7 so that I can shape them with tc afterwards. But nothing changed, outgoing connections still didn't change. So I changed the line in the iptables-script to this:

$IPTABLES -t filter -A OUTPUT -m layer7 --l7dir /etc/l7-protocols --l7proto ftp -j DROP

before it was:

$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto ftp -j MARK --set-mark 322

but neither of them worked (I could still connect over ftp). The /proc/net/layer7_numpackets is 08 (don't know which 8 packets got identified there, but the number is not going any higher).

Any help is really appreciated!
-FB

From tgraf@suug.ch Fri Jul 9 18:45:15 2004
From: tgraf@suug.ch (Thomas Graf)
Date: Fri, 9 Jul 2004 19:45:15 +0200
Subject: [LARTC] LARTC related talks at Swiss Unix Conference 2004
Message-ID: <20040709174515.GD28158@postel.suug.ch>

Might be of interest for some of you, especially:

 o HTB - detailed look into new QoS shaper - Martin Devera
 o Linux Packet Classification Performance - Jamal Hadi Salim
 o Status of IPv6 Implementations - Peter Bieringer
 o High Availability using Keepalived - Alexandre Cassen
 o Application Layer Fingerprinting - Hendrik Scholz

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SUCON'04 - 2nd Swiss Unix Conference
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2nd Swiss Unix Conference
September 2-4, 2004
Technopark, Zurich
http://www.sucon.ch/

Early bird discount available until Monday, 9th August.

Provisional Conference Programme
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Operating Systems:
 o Keynote: History of Linux - Theodore Ts'o
 o Documentation / CodingStyle and Beyond - Greg-KH
 o Linux Power Management - Patrick Mochel
 o NetBSD Status Report Fall 2004 - Hubert Feyrer
 o Old mistakes repeated (but you do get the source code now) - Poul-Henning Kamp
 o Resource Management in Linux using CKRM - Rik van Riel
 o The Linux Standard Base: Solving the Cross-Distribution Compatibility Challenge - Theodore Ts'o
 o The sysfs Filesystem - Patrick Mochel
 o udev, a way to manage /dev from userspace - Greg-KH

Free Software:
 o Keynote: Quality Issues in Free Software Projects - Martin Michlmayr
 o The Legal 101 for Open Source Contributors and Users - David Rosenthal
 o Debian - Contributing to the Project - Martin Michlmayr
 o Writing Portable Multimedia Applications - Samuel Hocevar
 o Google in Zurich - Narayanan Shivakumar, Google

Networking:
 o A secure BGP Implementation - Henning Brauer
 o ADSL Provider Issues - Fredy Kuenzler
 o Application Layer Fingerprinting - Hendrik Scholz
 o FreeBSD Network Enhancements - Andre Oppermann
 o High Availability using Keepalived - Alexandre Cassen
 o HTB - detailed look into new QoS shaper - Martin Devera
 o Installing IPv6 - Peter Bieringer (Hands-On)
 o Linux Packet Classification Performance - Jamal Hadi Salim
 o Performance and Enhancement Response Team (PERT) - Chris Welti, SWITCH
 o PF - Extended Introduction - Max Laier
 o Status of IPv6 Implementations - Peter Bieringer

System Management:
 o FreeBSD network performance tuning - Hendrik Scholz
 o Fully automatic Linux installations - Thomas Lange
 o Performance bottleneck detection and removal - Hendrik Scholz
 o Spamikaze - a distributed anti-spam technology - Rik van Riel
 o System Admin Training in the Virtual Unix Lab - Hubert Feyrer

Security:
 o GBDE -- Spook strength disk encryption - Poul-Henning Kamp
 o Rule Set Based Access Control (RSBAC) - Securing Linux from the inside - Amon Ott

Multimedia:
 o All About MPlayer - Alex Beregszaszi
 o Multimedia On Unix: Past, Present, and Future - Mike Melanson
 o Multimedia Trash And The Evolution of Full Motion Video - Mike Melanson

Training Programme
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Half-Day:
 o How to Recover From Hard Disk Disasters - Theodore Ts'o
 o How to Use LDAP for User Management - Lukas Beeler

Full-Day:
 o Contributing to Eclipse: understanding and writing plug-ins - Kai-Uwe Maetzel

Exhibition
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The exhibition will take place on all days and is open for commercial and non-profit organizations. Contact office@sucon.ch if you are interested in exhibiting.

Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 o Free internet access via conference network for wired and wireless clients.
 o Rooms open to the public for spontaneous meetings, coding sessions and discussions.
 o Bulletin Boards with latest programme schedules and job offers.

Conference Fees
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Early Bird Registrations (Before August 9):

           Regular          Association*      Student/Unemployed
  1 Day    CHF  50/EUR 33   CHF  40/EUR 26    CHF 30/EUR 20
  3 Days   CHF  90/EUR 59   CHF  70/EUR 46    CHF 50/EUR 33

Regular Registrations (After August 9):

           Regular          Association*      Student/Unemployed
  1 Day    CHF  80/EUR 53   CHF  60/EUR 39    CHF 50/EUR 33
  3 Days   CHF 150/EUR 99   CHF 100/EUR 66    CHF 80/EUR 53

* All members of SUUG or any other national Unix User Group receive a discount. Ask your user group leaders for the authorization code.

Thanks to our sponsor
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hewlett Packard
http://www.hp.com/

We are still looking for sponsors: contact office@sucon.ch for details.

SUCON'04 Committee
http://www.sucon.ch/
office@sucon.ch
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From jasonb@edseek.com Fri Jul 9 19:11:12 2004
From: jasonb@edseek.com (Jason Boxman)
Date: Fri, 9 Jul 2004 14:11:12 -0400
Subject: [LARTC] Layer 7 netfilter not working
In-Reply-To: <40EED18F.4050804@flintz.de>
References: <40EED18F.4050804@flintz.de>
Message-ID: <200407091411.12223.jasonb@edseek.com>

On Friday 09 July 2004 13:10, FB wrote:
> Hello there!
>
> I am trying to get traffic shaping working on my Linux router (debian
> woody 3r02) and for some things I wanted to use the layer 7 packet
> classifier, but I can't get it to work.
> Here is what I did:
>
> -downloaded the patches from http://l7-filter.sourceforge.net
> -downloaded the kernel 2.6.7 source
> -downloaded the iptables 1.2.11 source

That's not necessary. You might be creating more work for yourself. I just recycled the Debian iptables package, which is still 1.2.9 I believe. You'll need to patch it and create the appropriate dot file for the build to succeed, but after that I just rebuilt the package with 'debuild -uc -us' and copied it to my compiler-less router.
I'm using 2.6.6, but I'm sure 2.6.7 should work fine.

> -patched kernel (layer7 patch and some patch to get iptables 1.2.11
> working with kernel 2.6.7)
> -patched iptables
> -compiled iptables
> -activated layer 7 support in kernel-config (and a lot of other packet
> classifying options)
> -compiled and installed kernel
>
> Now I tried to mark some packets with layer 7 so that I can shape them
> with tc afterwards. But nothing changed, outgoing connections still
> didn't change. So I changed the line in the iptables-script to this:
>
> $IPTABLES -t filter -A OUTPUT -m layer7 --l7dir /etc/l7-protocols
> --l7proto ftp -j DROP

I believe the documentation mentions that layer7 works best when it can see both 'sides' of the connection. If you're filtering through INPUT or OUTPUT you're missing half. Check the ftp protocol match. Does it rely on seeing both sides of the connection to match up?

Try matching in FORWARD, PREROUTING, or POSTROUTING. I believe these see all sides of the connection.

From docs[1]:

"Some patterns need to be able to observe both sides of a connection in order to match. This is pretty easy to achieve with Netfilter. By default, rules in the POSTROUTING chain of the mangle table will apply to both directions. However, the OUTPUT chain (for example) only sees locally generated packets, so it's not a good choice."

[1] http://l7-filter.sourceforge.net/L7-HOWTO-Netfilter

From Ow.Mun.Heng@wdc.com Fri Jul 9 20:11:11 2004
From: Ow.Mun.Heng@wdc.com (Ow Mun Heng)
Date: Fri, 09 Jul 2004 12:11:11 -0700
Subject: [LARTC] RED/GRED implementation for InBound Traffic Control (from ISP)
Message-ID: <1089400271.19925.133.camel@neuromancer.home.net>

Hi all,

Can anyone show me pointers on how to get this implemented on a Linux box with tc rules? I also want to know just how efficient this algorithm is. AFAIK, inbound traffic control can't really be achieved without losing bandwidth.
In some of the howtos I've read, one guy had to limit his downspeed to 1/2 his bandwidth to actually control it. And he was saying that the only way to actually efficiently control inbound traffic is to use TCP window shaping, of which there is no OSS implementation. Can anyone please shed light on this?

FWIW, this discussion was in
http://my-opensource.org/lists/myoss/2004-07/msg00051.html
http://my-opensource.org/lists/myoss/2004-06/msg00167.html
http://www.redhat.com/archives/fedora-list/2004-July/msg01492.html

Thanks
--
Ow Mun Heng
Fedora GNU/Linux Core 2 (Tettnang) on D600 1.4Ghz CPU
kernel 2.6.7-2.jul1-interactive
Neuromancer 12:06:38 up 3:13, 3 users, load average: 1.80, 1.23, 1.41

From register@flintz.de Fri Jul 9 19:58:36 2004
From: register@flintz.de (FB)
Date: Fri, 09 Jul 2004 20:58:36 +0200
Subject: [LARTC] Layer 7 netfilter not working
In-Reply-To: <200407091411.12223.jasonb@edseek.com>
References: <40EED18F.4050804@flintz.de> <200407091411.12223.jasonb@edseek.com>
Message-ID: <40EEEADC.1060406@flintz.de>

Jason Boxman wrote:
> That's not necessary. You might be creating more work for yourself. I just
> recycled the Debian iptables package, which is still 1.2.9 I believe. You'll
> need to patch it and create the appropriate dot file for the build to
> succeed, but after that I just rebuild the package with 'debuild -uc -us' and
> copied it to my compiler-less router. I'm using 2.6.6, but I'm sure 2.6.7
> should work fine.

Ok, it may not be necessary, but it shouldn't be the source of the problem, or? Should it work with iptables 1.2.11 all the same, or are there some issues there?

> I believe the documentation mentions that layer7 works best when it can see
> both 'sides' of the connection. If you're filtering through INPUT or OUTPUT
> you're missing half. Check the ftp protocol match. Does it rely on seeing
> both sides of the connection to match up?
>
> Try matching in FORWARD, PREROUTING, or POSTROUTING.
> I believe these see all
> sides of the connection.

Doesn't change anything :-(

BTW, when I use the setting from the NETFILTER HOWTO page:

iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK --set-mark 1

and change it (as written in the howto under "blocking") to:

iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j REJECT

I get an "iptables: Invalid Argument" when executing the script, how come? (I must admit that I am not that much of an iptables expert, so excuse some lack of knowledge of all the chains and structures ;) )

-FB

From jasonb@edseek.com Fri Jul 9 21:39:27 2004
From: jasonb@edseek.com (Jason Boxman)
Date: Fri, 9 Jul 2004 16:39:27 -0400
Subject: [LARTC] Layer 7 netfilter not working
In-Reply-To: <40EEEADC.1060406@flintz.de>
References: <40EED18F.4050804@flintz.de> <200407091411.12223.jasonb@edseek.com> <40EEEADC.1060406@flintz.de>
Message-ID: <200407091639.27425.jasonb@edseek.com>

On Friday 09 July 2004 14:58, FB wrote:
> Doesn't change anything :-(
> BTW, when I use the setting from the NETFILTER HOWTO page:
>
> iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK
> --set-mark 1
>
> and change it (as written in the howto under "blocking") to:
> iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j REJECT
>
> I get an "iptables: Invalid Argument" when executing the script, how
> that? (I must admit that I am not that iptable expert, so excuse some
> lack of knowledge of all the chains and structures ;) )

More of a question for the netfilter list, but it sounds like you may not have compiled in support for the REJECT target. You should have ipt_REJECT in the output when you do an `lsmod` if you compiled it as a module.
From lists@wildgooses.com Fri Jul 9 21:51:30 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Fri, 09 Jul 2004 21:51:30 +0100
Subject: [LARTC] Layer 7 netfilter not working
In-Reply-To: <200407091639.27425.jasonb@edseek.com>
References: <40EED18F.4050804@flintz.de> <200407091411.12223.jasonb@edseek.com> <40EEEADC.1060406@flintz.de> <200407091639.27425.jasonb@edseek.com>
Message-ID: <40EF0552.8010602@wildgooses.com>

Jason Boxman wrote:

>On Friday 09 July 2004 14:58, FB wrote:
>
>>Doesn't change anything :-(
>>BTW, when I use the setting from the NETFILTER HOWTO page:
>>
>>iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j MARK
>>--set-mark 1
>>
>>and change it (as written in the howto under "blocking") to:
>>iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j REJECT
>>
>>I get an "iptables: Invalid Argument" when executing the script, how
>>that? (I must admit that I am not that iptable expert, so excuse some
>>lack of knowledge of all the chains and structures ;) )
>
>More of a question for the netfilter list, but it sounds like you may not have
>compiled in support for the REJECT target. You should have ipt_REJECT in the
>output when you do an `lsmod` if you compiled it as a module.

Can you REJECT in the mangle table?

From Ow.Mun.Heng@wdc.com Fri Jul 9 21:52:11 2004
From: Ow.Mun.Heng@wdc.com (Ow Mun Heng)
Date: Fri, 09 Jul 2004 13:52:11 -0700
Subject: [LARTC] Re: Problem with HTB queuing discipline
Message-ID: <1089406331.19925.183.camel@neuromancer.home.net>

This will surely break threads. (i don't know why but I'm not receiving any mails from lartc. My post got submitted but I'm not getting any posts back.) I wonder if it's because of my email server blocking it.

Anyway, Aravind,

The problem which I see here is that what you're trying to perform is limiting download (or inbound) traffic. This is, unfortunately, not feasible. The HTB/QoS stuff is usually only controllable upstream. However, there _are_ workarounds for it.
One such solution is to put in additional network cards such that "in a way" you create an upstream traffic. Refer to this thread in which I've posted a solution for a multi-interface setup:
http://www.redhat.com/archives/fedora-list/2004-July/msg01764.html

And BTW, I'm not sure about others, but I've never had much luck trying to perform u32 classifications. I got better luck using fwmarks.

Referencing: http://mailman.ds9a.nl/pipermail/lartc/2004q3/013064.html

Hi ,

    I have the problem with HTB queuing discipline. I am giving my setup below.

                172.30.179.206          172.30.180.55
          LAN         |                       |      WAN
    ------------------| LINUX WITH HTB        |-------------------
172.30.179.140        |                       |      172.30.180.72
FTP SERVER                                           FTP CLIENT

On the LAN side i put FTP server (172.30.179.140) and on WAN side i put FTP client (172.30.180.72).

FTP client and FTP server will communicate through the middle linux box.

Middle linux box has two interfaces. eth0 is 172.30.179.206 and eth1 is 172.30.180.55

In the middle linux box i configured HTB using following commands.

./tc qdisc add dev eth0 root handle 1:0 htb
./tc class add dev eth0 parent 1:0 classid 1:1 htb rate 30kbps ceil 30kbps
./tc class add dev eth0 parent 1:1 classid 1:10 htb rate 30kbps ceil 30kbps
./tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dst 172.30.180.72 match ip sport 21 0xffff flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dst 172.30.180.72 match ip sport 20 0xffff flowid 1:10

When i downloaded one file of size 10.7MB from FTP server (i.e. from 172.30.179.140) to client (i.e. 172.30.180.72), download speed is coming as 362.19kbytes/sec instead of 30kbps which i ceil. What may be the problem? Any configuration issue? Any idea?

Thanks in advance,
Aravind.
--
Ow Mun Heng
Fedora GNU/Linux Core 2 (Tettnang) on D600 1.4Ghz CPU
kernel 2.6.7-2.jul1-interactive
Neuromancer 13:46:30 up 4:53, 4 users, load average: 1.64, 1.64, 1.50

From jasonb@edseek.com Fri Jul 9 22:02:05 2004
From: jasonb@edseek.com (Jason Boxman)
Date: Fri, 9 Jul 2004 17:02:05 -0400
Subject: [LARTC] Layer 7 netfilter not working
In-Reply-To: <40EF0552.8010602@wildgooses.com>
References: <40EED18F.4050804@flintz.de> <200407091639.27425.jasonb@edseek.com> <40EF0552.8010602@wildgooses.com>
Message-ID: <200407091702.05329.jasonb@edseek.com>

On Friday 09 July 2004 16:51, Ed Wildgoose wrote:
> Can you REJECT in the mangle table?
>

It seems not.

rebecca:~# iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j REJECT
iptables: Invalid argument
rebecca:~# iptables -A INPUT -m layer7 --l7proto http -j REJECT
rebecca:~# iptables -D INPUT -m layer7 --l7proto http -j REJECT

`man iptables`

"REJECT
This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and userdefined chains which are only called from those chains. The following option controls the nature of the error packet returned:"

From register@flintz.de Fri Jul 9 22:24:44 2004
From: register@flintz.de (FB)
Date: Fri, 09 Jul 2004 23:24:44 +0200
Subject: [LARTC] Layer 7 netfilter not working
In-Reply-To: <200407091702.05329.jasonb@edseek.com>
References: <40EED18F.4050804@flintz.de> <200407091639.27425.jasonb@edseek.com> <40EF0552.8010602@wildgooses.com> <200407091702.05329.jasonb@edseek.com>
Message-ID: <40EF0D1C.2060105@flintz.de>

> `man iptables`
> "REJECT
> This is used to send back an error packet in response to the matched packet:
> otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule
> traversal.
> This target is only valid in the INPUT, FORWARD and OUTPUT
> chains, and userdefined chains which are only called from those chains. The
> following option controls the nature of the error packet returned:"

I kinda expected that, but I just did what's on the Netfilter HOWTO page... there it says:

"Blocking packets when they are identified is easy. Simply use "-j DROP" (or REJECT) at the ends of the lines in the above section."

But this is still not my problem, the problem is that the Layer7 classifier doesn't recognize the packets!

(Thanks anyway)

From freeswan9@yahoo.fr Fri Jul 9 23:48:39 2004
From: freeswan9@yahoo.fr (toto toto)
Date: Sat, 10 Jul 2004 00:48:39 +0200 (CEST)
Subject: [LARTC] HTB & Bdw Guarantee
Message-ID: <20040709224839.71831.qmail@web25307.mail.ukl.yahoo.com>

Hello,

I have problems setting up HTB. This is my setup :

         NET
    1024/256 ADSL
          ||
         eth1
    Linux Firewall
         eth0
          ||
     LAN 10.a.a.a

I want to GUARANTEE for an IP (10.x.y.z) a 800kbit bandwidth for HTTP download. But when 10.x.y.z does no HTTP download, other traffic must get the whole bandwidth, of course.

The script I use (see below) is quite the same as presented at (the greeeeat page) : http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm, the only difference is that I use only 2 classes (HTTP traffic vs other)

BUT ( :-(( ) When I

root@test# wget ftp.fr.debian.org/debian/ls-lR
(...)
21% [==========> ] 4,984,704 106.39K/s
root@test#

It goes at ~110 Ko, as expected when no other traffic is generated. But if I

root@test# wget ftp://ftp.fr.debian.org/debian/ls-lR

after the beginning of the HTTP download, the latter goes dooown, and if I run a second wget ftp://..., the HTTP download goes UNDER (really under) the 800 kbits...??!! It seems like there's no difference whether the shaping is done or not. Traffic seems to be classified (tc -s -d class show dev eth0 / eth1), but...
Actually my goal is more complicated than HTTP downloads (I need to guarantee bandwidth for H323 -> Netmeeting & co, so both down&up-loads), but I'm just testing for now, and if I can't shape such a simple trafic as HTTP download... Could anyone tell me what I did wrong, or didn't understand... Is this only because one can't shape incoming trafic ? Could Ingress solve my pb ? I don't think so, as Ingress seems to limit the WHOLE bandwidth... Is it a "prio" question ? Thanks for your help PSes : - has anyone experienced H323 trafic shaping ?? if so, scripts are welcome !!! - If CBQ can do better, then I'll turn to CBQ, but it's just like chinese for me... HTB is more simple Here's the script : #!/bin/bash OUT=eth1 IN=eth0 IP=10.x.y.z BDW_IN=1024kbit BDW_OUT=256kbit BDW_WEB_IN=800kbit BDW_OTHER_IN=224kbit BDW_WEB_OUT=176kbit BDW_OTHER_OUT=80kbit #-----------------------------------------------------------# function start_out () { tc qdisc add dev $OUT root handle 1: htb default 11 tc class add dev $OUT parent 1: classid 1:1 htb rate $BDW_OUT ceil $BDW_OUT tc class add dev $OUT parent 1:1 classid 1:10 htb rate $BDW_WEB_OUT ceil $BDW_OUT tc class add dev $OUT parent 1:1 classid 1:11 htb rate $BDW_OTHER_OUT ceil $BDW_OUT tc qdisc add dev $OUT parent 1:10 handle 20: pfifo limit 5 tc qdisc add dev $OUT parent 1:11 handle 40: sfq perturb 10 tc filter add dev $OUT protocol ip parent 1:0 prio 1 u32 \ match ip src $IP match ip dport 80 0xffff flowid 1:10 } function start_in () { tc qdisc add dev $IN root handle 1: htb default 11 tc class add dev $IN parent 1: classid 1:1 htb rate $BDW_IN ceil $BDW_IN tc class add dev $IN parent 1:1 classid 1:10 htb rate $BDW_WEB_IN ceil $BDW_IN tc class add dev $IN parent 1:1 classid 1:11 htb rate $BDW_OTHER_IN ceil $BDW_IN tc qdisc add dev $IN parent 1:10 handle 20: pfifo limit 5 tc qdisc add dev $IN parent 1:11 handle 40: sfq perturb 10 tc filter add dev $IN protocol ip parent 1:0 prio 1 u32 \ match ip dst $IP match ip sport 80 0xffff 
flowid 1:10 } #-----------------------------------------------------------# function stop_out () { tc filter del dev $OUT protocol ip parent 1:0 prio 1 u32 tc class del dev $OUT parent 1:1 classid 1:11 tc class del dev $OUT parent 1:1 classid 1:10 tc class del dev $OUT parent 1: classid 1:1 tc qdisc del dev $OUT root handle 1: htb } function stop_in() { tc filter del dev $IN protocol ip parent 1:0 prio 1 u32 tc class del dev $IN parent 1:1 classid 1:11 tc class del dev $IN parent 1:1 classid 1:10 tc class del dev $IN parent 1: classid 1:1 tc qdisc del dev $IN root handle 1: htb } case $1 in start) echo start_out start_in echo ;; stop) echo stop_out stop_in echo ;; *) echo "Usage : $0 {start|stop|restart}" ;; esac Créez gratuitement votre Yahoo! Mail avec 100 Mo de stockage ! Créez votre Yahoo! Mail sur http://fr.benefits.yahoo.com/ Dialoguez en direct avec vos amis grâce à Yahoo! Messenger !Téléchargez Yahoo! Messenger sur http://fr.messenger.yahoo.com From freeswan9@yahoo.fr Fri Jul 9 23:54:44 2004 From: freeswan9@yahoo.fr (=?iso-8859-1?q?toto=20toto?=) Date: Sat, 10 Jul 2004 00:54:44 +0200 (CEST) Subject: [LARTC] HTB & BDW Guarantee Message-ID: <20040709225444.27401.qmail@web25302.mail.ukl.yahoo.com> Hello, I have problems setting up HTB. This is my setup : NET 1024/256 ADSL || eth1 Linux Firewall eth0 || LAN 10.a.a.a I want to GUARANTEE for an IP (10.x.y.z) a 800kbit bandwidth for HTTP download. But When 10.x.y.z does no HTTP download, other trafic must get the whole bandwidth, of course. The script I use (see below) is quite the same as presented at (the greeeeat page) : http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm, the only difference is that I use only 2 classes (HTTP trafic vs other) BUT :-(( When I root@test# wget ftp.fr.debian.org/debian/ls-lR (...) 21% [==========> ] 4,984,704 106.39K/s root@test# It goes at ~100 Ko, as expected when no other trafic is generated. 
But if I

root@test# wget ftp://ftp.fr.debian.org/debian/ls-lR

after the beginning of the HTTP download, the latter goes dooown, and if I run a second wget ftp://..., the HTTP download goes UNDER (really under) the 800 kbits...??!!
It seems like there's no difference whether the shaping is done or not.

Traffic seems to be classified (tc -s -d class show dev eth0 / eth1), but...

Actually my goal is more complicated than HTTP downloads (I need to guarantee bandwidth for H323 -> Netmeeting & co, so both down- and uploads), but I'm just testing for now, and if I can't shape such a simple traffic as HTTP download...

Could anyone tell me what I did wrong, or didn't understand...
Is this only because one can't shape incoming traffic?

Could Ingress solve my pb? I don't think so, as Ingress seems to limit the WHOLE bandwidth...
Is it a "prio" question?

Thanks for your help

PSes:
- has anyone experienced H323 traffic shaping?? if so, scripts are welcome!!!
- If CBQ can do better, then I'll turn to CBQ, but it's just like Chinese for me... HTB is more simple

Here's the script:

#!/bin/bash

OUT=eth1
IN=eth0

IP=10.x.y.z

BDW_IN=1024kbit
BDW_OUT=256kbit

BDW_WEB_IN=800kbit
BDW_OTHER_IN=224kbit
BDW_WEB_OUT=176kbit
BDW_OTHER_OUT=80kbit

#-----------------------------------------------------------#

function start_out () {

    tc qdisc add dev $OUT root handle 1: htb default 11

    tc class add dev $OUT parent 1: classid 1:1 htb rate $BDW_OUT ceil $BDW_OUT
    tc class add dev $OUT parent 1:1 classid 1:10 htb rate $BDW_WEB_OUT ceil $BDW_OUT
    tc class add dev $OUT parent 1:1 classid 1:11 htb rate $BDW_OTHER_OUT ceil $BDW_OUT

    tc qdisc add dev $OUT parent 1:10 handle 20: pfifo limit 5
    tc qdisc add dev $OUT parent 1:11 handle 40: sfq perturb 10

    tc filter add dev $OUT protocol ip parent 1:0 prio 1 u32 \
        match ip src $IP match ip dport 80 0xffff flowid 1:10
}

function start_in () {

    tc qdisc add dev $IN root handle 1: htb default 11

    tc class add dev $IN parent 1: classid 1:1 htb rate $BDW_IN ceil $BDW_IN
    tc class add dev $IN parent 1:1 classid 1:10 htb rate $BDW_WEB_IN ceil $BDW_IN
    tc class add dev $IN parent 1:1 classid 1:11 htb rate $BDW_OTHER_IN ceil $BDW_IN

    tc qdisc add dev $IN parent 1:10 handle 20: pfifo limit 5
    tc qdisc add dev $IN parent 1:11 handle 40: sfq perturb 10

    tc filter add dev $IN protocol ip parent 1:0 prio 1 u32 \
        match ip dst $IP match ip sport 80 0xffff flowid 1:10
}

#-----------------------------------------------------------#

function stop_out () {

    tc filter del dev $OUT protocol ip parent 1:0 prio 1 u32

    tc class del dev $OUT parent 1:1 classid 1:11
    tc class del dev $OUT parent 1:1 classid 1:10

    tc class del dev $OUT parent 1: classid 1:1
    tc qdisc del dev $OUT root handle 1: htb
}

function stop_in() {

    tc filter del dev $IN protocol ip parent 1:0 prio 1 u32

    tc class del dev $IN parent 1:1 classid 1:11
    tc class del dev $IN parent 1:1 classid 1:10

    tc class del dev $IN parent 1: classid 1:1
    tc qdisc del dev $IN root handle 1: htb
}

case $1 in
    start)
        echo
        start_out
        start_in
        echo
        ;;
    stop)
        echo
        stop_out
        stop_in
        echo
        ;;
    *)
        echo "Usage : $0 {start|stop|restart}"
        ;;
esac

From register@flintz.de Sat Jul 10 00:12:31 2004
From: register@flintz.de (FB)
Date: Sat, 10 Jul 2004 01:12:31 +0200
Subject: [LARTC] Re: layer 7 netfilter not working
In-Reply-To: <1089412100.940.20.camel@murdegern.luettgert.de>
References: <40EF0666.9010902@flintz.de> <1089412100.940.20.camel@murdegern.luettgert.de>
Message-ID: <40EF265F.4000304@flintz.de>

> I wouldn't bet the layer7 match works in table filter. You could try
>
> $IPTABLES -t mangle -A POSTROUTING -m layer7 --l7dir /etc/l7-protocols
> --l7proto ftp -j LOG --log-prefix 'marked: '
>
> and watch your logs. Um, and /etc/l7-protocols does contain your pattern
> definitions, right?

Yes, there are my definitions. And your idea with the logging was great, I did it and guess what, the packets showed up in /var/log/syslog, so I guess the layer7 classifier is working, but now I wonder why it still doesn't shape (and remember DROP didn't work either, but there I am not sure if it wasn't a configuration mistake by me).

I changed the line back to:

$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7dir /etc/l7-protocols --l7proto ftp -j MARK --set-mark 322

But the shaping still doesn't work. I didn't want to terrorize you all by posting my whole shaping script here, so I uploaded it here: http://www.flintz.de/shaping.txt

Would be really nice if someone could search the script for any mistakes!
-FB

From Ow.Mun.Heng@wdc.com Sat Jul 10 01:05:32 2004
From: Ow.Mun.Heng@wdc.com (Ow Mun Heng)
Date: Fri, 09 Jul 2004 17:05:32 -0700
Subject: [LARTC] HTB & Bdw Guarantee
Message-ID: <1089417931.19925.257.camel@neuromancer.home.net>

Referencing: http://mailman.ds9a.nl/pipermail/lartc/2004q3/013076.html
(the bulleted items are what he wrote)

* NET
* 1024/256 ADSL
* ||eth1
* Linux Firewall
* eth0
* ||LAN 10.a.a.a
*
* I want to GUARANTEE for an IP (10.x.y.z) a 800kbit
* bandwidth for HTTP download.
* But When 10.x.y.z does no HTTP download, other traffic
* must get the whole bandwidth, of course.

OK.

* BUT :-((
* When I
* root@test# wget ftp.fr.debian.org/debian/ls-lR
* (...)
* 21% [==========> ] 4,984,704 106.39K/s
* root@test#
*
* It goes at ~100 Ko, as expected when no other traffic
* is generated.
* But if I
* root@test# wget ftp://ftp.fr.debian.org/debian/ls-lR
*
* after the beginning of the HTTP download, the latter
* goes dooown, and if I run a second wget ftp://...,
* the HTTP download goes UNDER (really under) the 800
* kbits...??!!
* It seems like there's no difference whether the
* shaping is done or not.

Dude.. If you want to shape HTTP traffic, why the heck are you going for ftp download?? If you look at your connections (eg: tcptrack -i eth0), you'll see you're initiating port 20/21 and not port 80 as you wanted.

* Is this only because one can't shape incoming traffic ?

Yes. That is true. But in your case, since you're pushing out to eth0 (from eth1) you theoretically are already introducing outgoing traffic (from eth1 to eth0), so you can shape on that.

* Could Ingress solve my pb ? I don't think so, as
* Ingress seems to limit the WHOLE bandwidth...

You can use an ingress filter and then use a filter against the FWmarks or in your case sport. (Though I've never done that successfully. I prefer fwmarks.)

* Is it a "prio" question ?

Not sure. Check this out. See if it helps you.

http://www.redhat.com/archives/fedora-list/2004-July/msg01764.html
http://my-opensource.org/howto/qostrafficshaping-shorewall-wondershaper-howto.html

--
Ow Mun Heng
Fedora GNU/Linux Core 2 on D600 1.4Ghz CPU kernel 2.6.7-2.jul1-interactive
Neuromancer 16:55:59 up 8:02, 5 users, load average: 1.38, 1.00, 1.02

From rio@martin.mu Sat Jul 10 03:39:44 2004
From: rio@martin.mu (Rio Martin)
Date: Sat, 10 Jul 2004 09:39:44 +0700
Subject: [LARTC] HTB & BDW Guarantee
In-Reply-To: <20040709225444.27401.qmail@web25302.mail.ukl.yahoo.com>
References: <20040709225444.27401.qmail@web25302.mail.ukl.yahoo.com>
Message-ID: <200407100939.44054.rio@martin.mu>

On Saturday 10 July 2004 05:54, toto toto wrote:
> Hello,
> I have problems setting up HTB.
> This is my setup :
> NET
> 1024/256 ADSL
> eth1
> Linux Firewall
> eth0
> LAN 10.a.a.a
> I want to GUARANTEE for an IP (10.x.y.z) a 800kbit
> bandwidth for HTTP download.
> But When 10.x.y.z does no HTTP download, other traffic
> must get the whole bandwidth, of course.
> The script I use (see below) is quite the same as
> presented at (the greeeeat page) :
> http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm,
> the only difference is that I use only 2 classes (HTTP
> traffic vs other)
> BUT :-((
> When I
> root@test# wget ftp.fr.debian.org/debian/ls-lR
> (...)
> 21% [==========> ] 4,984,704 106.39K/s
> root@test#
> It goes at ~100 Ko, as expected when no other traffic
> is generated.
> But if I
> root@test# wget ftp://ftp.fr.debian.org/debian/ls-lR

I completely disagree with the way you performed the test. Debian.Org is not on your local network, is it?? How far is it from your host until it reaches Debian.Org as destination host? Are you sure your ISP or Debian.Org's ISP or perhaps Debian.Org itself doesn't perform per-session traffic management, or any QoS?

My suggestion is to test the performance of your HTB using your own local network. Because you know completely your network condition and you can analyze it perfectly.

Regards,
Rio Martin.
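A check that follows from this thread (Ow Mun Heng's point that an FTP test never hits the sport-80 filter, Rio Martin's advice to test on the local network): diff the "Sent ... bytes" counters of two `tc -s class show` snapshots, taken before and after a test transfer, to see which HTB class the traffic actually landed in. This is an added example, not code from any of the posts; the two snapshots are constructed sample output in the layout tc prints for htb classes, with made-up counters, and the class ids (1:10 web, 1:11 default) are the ones from toto's script.

```shell
#!/bin/sh
# Added example: find out which HTB class a test transfer was accounted to.
# BEFORE and AFTER are constructed `tc -s class show dev eth0` snapshots
# (layout as tc prints it for htb, counters made up): the transfer grew only
# the default class 1:11, so the u32 filter feeding 1:10 never matched it.

BEFORE='class htb 1:1 root rate 1024Kbit ceil 1024Kbit burst 2Kb cburst 2Kb
 Sent 120000 bytes 200 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
class htb 1:10 parent 1:1 leaf 20: prio 0 rate 800Kbit ceil 1024Kbit burst 2Kb cburst 2Kb
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
class htb 1:11 parent 1:1 leaf 40: prio 0 rate 224Kbit ceil 1024Kbit burst 2Kb cburst 2Kb
 Sent 120000 bytes 200 pkts (dropped 0, overlimits 0)
 lended: 200 borrowed: 0 giants: 0'

AFTER='class htb 1:1 root rate 1024Kbit ceil 1024Kbit burst 2Kb cburst 2Kb
 Sent 5104704 bytes 3612 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 3412 giants: 0
class htb 1:10 parent 1:1 leaf 20: prio 0 rate 800Kbit ceil 1024Kbit burst 2Kb cburst 2Kb
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
class htb 1:11 parent 1:1 leaf 40: prio 0 rate 224Kbit ceil 1024Kbit burst 2Kb cburst 2Kb
 Sent 5104704 bytes 3612 pkts (dropped 0, overlimits 0)
 lended: 200 borrowed: 3412 giants: 0'

# class_bytes SNAPSHOT CLASSID -> the "Sent N bytes" counter of CLASSID
# (empty when the class is not in the snapshot).
class_bytes() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "class" { want = ($3 == id); next }
        want && $1 == "Sent" { print $2; exit }'
}

# class_delta BEFORE AFTER CLASSID -> bytes CLASSID sent between the snapshots
# (a missing class counts as 0).
class_delta() {
    cd_after=$(class_bytes "$2" "$3")
    cd_before=$(class_bytes "$1" "$3")
    echo $(( ${cd_after:-0} - ${cd_before:-0} ))
}

# filter_verdict BEFORE AFTER TARGET_CLASS DEFAULT_CLASS -> "matched" when the
# transfer grew the target class, "missed" when only the default class grew
# (the filter did not match what was sent), "idle" when nothing moved.
filter_verdict() {
    fv_target=$(class_delta "$1" "$2" "$3")
    fv_default=$(class_delta "$1" "$2" "$4")
    if [ "$fv_target" -gt 0 ]; then
        echo matched
    elif [ "$fv_default" -gt 0 ]; then
        echo missed
    else
        echo idle
    fi
}

# On a live box take the snapshots around the transfer instead:
#   BEFORE=$(tc -s class show dev eth0); <run the download>; AFTER=$(tc -s class show dev eth0)
printf 'web class 1:10 grew by %d bytes, default class 1:11 by %d bytes -> %s\n' \
    "$(class_delta "$BEFORE" "$AFTER" 1:10)" \
    "$(class_delta "$BEFORE" "$AFTER" 1:11)" \
    "$(filter_verdict "$BEFORE" "$AFTER" 1:10 1:11)"
```

A "missed" verdict with a port-80 filter and an ftp:// test is exactly the situation in this thread: the bytes are shaped, but by the default class's rate, not the guaranteed one.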
From lists@wildgooses.com Sat Jul 10 09:17:41 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Sat, 10 Jul 2004 09:17:41 +0100
Subject: [LARTC] RED/GRED implementation for InBound Traffic Control (from ISP)
In-Reply-To: <1089412699.19925.210.camel@neuromancer.home.net>
References: <1089400271.19925.133.camel@neuromancer.home.net> <40EF085E.3060400@wildgooses.com> <1089412699.19925.210.camel@neuromancer.home.net>
Message-ID: <40EFA625.8010303@wildgooses.com>

>> So the solution is to throttle incoming to 99.9% of total incoming
>> bandwidth. Well, actually since you have no control over who can send
>> you data, this only works in steady state. So perhaps you should make
>> it 95% or 90%. It depends whether you mind there being the odd blip
>> where someone starts sending you traffic, but it takes a second or so
>> while you instruct other senders to slow down. In the meantime you will
>> be overloaded.
>
> And how does RED/GRED solve that or are you not addressing that?

RED and GRED are used in conjunction with something that queues packets and releases them slowly. So you can use IMQ on the incoming stream and then HTB, etc, or do it on the outgoing stream. The idea is that you could temporarily let the incoming queue get really, really large until the sender fills their send window with data, then perhaps this might throttle the send speed... (iffy), or you could look at your queue and when it gets beyond a certain size then you (wastefully) drop some of the packets, which because of the way TCP works means that the sender slows down.

The "R" in these two algorithms means that packets get dropped randomly, as opposed to, say, waiting for the queue to fill up and then dropping any incoming packets until it clears down a bit - the theory is that this is fairer ("drop randomly" instead of "drop most recent").

> My understanding when talking to this guy and all the stuff which I've
> read seems to point that RED is good at handling these sort of things.
> (but then again, it's not as good as TCP windowshaping, which
> incidentally, all I've heard/read is that it's Good, but whether or not it
> drops packets (or compared to RED/GRED), I have no idea.

You need to read how TCP works. People have a variable sized output buffer and keep that amount of data "in transit" at any one time. Once the window fills up, i.e. there is a load of data in transit, then they pause until they get some acknowledgments that the data was received. TCP also changes the size of this window based on whether packet drops occur, and in fact the whole point of a load of clever TCP algorithms is to find the optimal window size so that we don't overload the receiver, but still keep the net link in full use.

Simple throttling algorithms just drop a few packets to encourage the sender to slow down. However, this is wasteful because you already downloaded them, then throw them away, then you clearly have to download them again! However, fiddling with window size is obviously going to be complicated... No one has written anything free yet.

>> In this case you pay
>> for NOT 512Kbit/s of IP bandwidth, but 512Kb/s of ATM bandwidth. And
>> unfortunately the relationship between the two is slightly complicated.
>
> I have no idea what's the difference actually.

Well, read the rest of the very clear flipping email that I took 20 mins to write!!!!!

>> To save you the headache of worrying about those calculations consider
>> sending a 49 byte packet. It will clearly need to be split into two 48
>> byte packets (yes?),
>
> 1st packet = 48byte
> 2nd packet = 1 byte
> YES?

No, second packet = 48 bytes!!! It only has 1 byte of data in it, the rest is blank. ATM ***only*** sends data in 53 byte packets - 48 contain data + 5 byte header. So if your MTU is a multiple of 48 then you will waste very few packets, otherwise you will have some wastage.

If you have a P2P app which sends data in random, probably small sized packets, then frequently they won't be a multiple of 48, and the wastage will be large compared with the size of the IP packet being sent.....

However, the kernel is throttling based on the size of the IP bandwidth consumed, whereas you might already have overloaded your link despite the kernel thinking it's 3/4 full.

Solution is to enhance the kernel calculation of rate on the ADSL line so that it knows it is different to the rate used on an ethernet connection. However, every ADSL provider does it slightly differently. It's not easy to find the correct calculation....

>> then each packet has a 5 byte header = 53 bytes
>
> 1st packet = 48+5 = 53byte
> 2nd packet = 1+5 = 6byte

Nope.... See above. (Or search the net for ADSL QOS and ATM. There are plenty of references and a really good HOWTO)

> huh?? I take it that you're saying the maximum/min for each packet is
> 53bytes (yes?)

....you're getting it!

>> So big FTP transfers with large IP packets don't waste too much, but if
>> you have a load of SSH users, or some P2P users, or something else which
>> spits out tons of small packets then the IP bandwidth might be loads
>> less than the ADSL bandwidth, hence some people really throttle back to
>> be sure they have control of the inbound connection
>
> That's what I want actually. The (or rather my) holy grail and without
> severely limiting my inbound traffic. (50%?? Man.. I'm not gonna waste
> 50% of what I'm paying. It's like buying a big mac and only getting the
> buns minus the patties)

Well, some people prefer to avoid any blips in their latency rather than worrying about some wasted bandwidth. Different needs, that's all. (Some people buy a big mac and throw out the gherkin as well...)

However, without a clever patch there was previously no other way to limit the download link.

Remember they *weren't* limiting themselves to 50% of what they paid for; what they were doing was putting 50% of the magic number in the script. Because of the size of packets in transit they were actually consuming 100% of the link, but only registering as using 50% of the equivalent ethernet bandwidth... People fiddle around and determine this number empirically based on the type of data they receive....

Look at it another way: depending on the type of data you transmit, e.g. P2P, it can consume (waste) up to 50% of the bandwidth in useless ATM cells...

>> Clear as mud?
>
> I didn't know mud was clear. (so that means, I've not a clue)

Sorry, English uses irony a lot. My fault. The phrase means "clear as something which isn't very clear"..? i.e. Did I explain it badly? or "Still confused?" So the answer was obviously yes....

Hopefully the above helps. Try the ADSL-QOS Howto if you still have questions

Ed W

From dmitry@mikrotik.com Sat Jul 10 10:14:15 2004
From: dmitry@mikrotik.com (Dmitry Golubev)
Date: Sat, 10 Jul 2004 12:14:15 +0300
Subject: [LARTC] HTB & Bdw Guarantee
In-Reply-To: <20040709224839.71831.qmail@web25307.mail.ukl.yahoo.com>
References: <20040709224839.71831.qmail@web25307.mail.ukl.yahoo.com>
Message-ID: <200407101214.15480.dmitry@mikrotik.com>

Shouldn't you assign priorities to your classes? Also make RED a leaf queue for a smoother TCP experience

Dmitry

On Saturday 10 July 2004 01:48, toto toto wrote:
> Hello,
>
> I have problems setting up HTB.
> This is my setup :
>
> NET 1024/256 ADSL
>
> eth1
> Linux Firewall
> eth0
>
> LAN 10.a.a.a
>
> I want to GUARANTEE for an IP (10.x.y.z) a 800kbit
> bandwidth for HTTP download.
> But When 10.x.y.z does no HTTP download, other traffic
> must get the whole bandwidth, of course.
>
> The script I use (see below) is quite the same as
> presented at (the greeeeat page) :
> http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm,
> the only difference is that I use only 2 classes (HTTP
> traffic vs other)
>
> BUT ( :-(( )
> When I
> root@test# wget ftp.fr.debian.org/debian/ls-lR
> (...)
> 21% [==========> ] 4,984,704 106.39K/s
> root@test#
>
> It goes at ~110 Ko, as expected when no other traffic
> is generated.
> But if I
> root@test# wget ftp://ftp.fr.debian.org/debian/ls-lR
>
> after the beginning of the HTTP download, the latter
> goes dooown, and if I run a second wget ftp://...,
> the HTTP download goes UNDER (really under) the 800
> kbits...??!!
> It seems like there's no difference whether the
> shaping is done or not.
>
> Traffic seems to be classified (tc -s -d class show dev
> eth0 / eth1), but...
>
> Actually my goal is more complicated than HTTP
> downloads (I need to guarantee bandwidth for
> H323 -> Netmeeting & co, so both down- and uploads), but
> I'm just testing for now, and if I can't shape such a
> simple traffic as HTTP download...
>
> Could anyone tell me what I did wrong, or didn't
> understand...
> Is this only because one can't shape incoming traffic ?
>
> Could Ingress solve my pb ? I don't think so, as
> Ingress seems to limit the WHOLE bandwidth...
> Is it a "prio" question ?
>
> Thanks for your help
>
> PSes :
> - has anyone experienced H323 traffic shaping ?? if so,
> scripts are welcome !!!
> - If CBQ can do better, then I'll turn to CBQ, but
> it's just like Chinese for me...
> HTB is more simple
>
>
> Here's the script :
> #!/bin/bash
>
> OUT=eth1
> IN=eth0
>
> IP=10.x.y.z
>
> BDW_IN=1024kbit
> BDW_OUT=256kbit
>
> BDW_WEB_IN=800kbit
> BDW_OTHER_IN=224kbit
> BDW_WEB_OUT=176kbit
> BDW_OTHER_OUT=80kbit
>
> #-----------------------------------------------------------#
>
> function start_out () {
>
> tc qdisc add dev $OUT root handle 1: htb default 11
>
> tc class add dev $OUT parent 1: classid 1:1 htb rate
> $BDW_OUT ceil $BDW_OUT
> tc class add dev $OUT parent 1:1 classid 1:10 htb rate
> $BDW_WEB_OUT ceil $BDW_OUT
> tc class add dev $OUT parent 1:1 classid 1:11 htb rate
> $BDW_OTHER_OUT ceil $BDW_OUT
>
> tc qdisc add dev $OUT parent 1:10 handle 20: pfifo
> limit 5
> tc qdisc add dev $OUT parent 1:11 handle 40: sfq
> perturb 10
>
> tc filter add dev $OUT protocol ip parent 1:0 prio 1
> u32 \
> match ip src $IP match ip dport 80 0xffff
> flowid 1:10
> }
>
> function start_in () {
>
> tc qdisc add dev $IN root handle 1: htb default 11
>
> tc class add dev $IN parent 1: classid 1:1 htb rate
> $BDW_IN ceil $BDW_IN
> tc class add dev $IN parent 1:1 classid 1:10 htb rate
> $BDW_WEB_IN ceil $BDW_IN
> tc class add dev $IN parent 1:1 classid 1:11 htb rate
> $BDW_OTHER_IN ceil $BDW_IN
>
> tc qdisc add dev $IN parent 1:10 handle 20: pfifo
> limit 5
> tc qdisc add dev $IN parent 1:11 handle 40: sfq
> perturb 10
>
> tc filter add dev $IN protocol ip parent 1:0 prio 1
> u32 \
> match ip dst $IP match ip sport 80 0xffff
> flowid 1:10
> }
>
> #-----------------------------------------------------------#
>
> function stop_out () {
>
> tc filter del dev $OUT protocol ip parent 1:0 prio 1
> u32
>
> tc class del dev $OUT parent 1:1 classid 1:11
> tc class del dev $OUT parent 1:1 classid 1:10
>
> tc class del dev $OUT parent 1: classid 1:1
> tc qdisc del dev $OUT root handle 1: htb
> }
>
> function stop_in() {
>
> tc filter del dev $IN protocol ip parent 1:0 prio 1
> u32
>
> tc class del dev $IN parent 1:1 classid 1:11
> tc class del dev $IN parent 1:1 classid 1:10
>
> tc class del dev $IN parent 1: classid 1:1
> tc qdisc del dev $IN root handle 1: htb
> }
>
> case $1 in
> start)
> echo
> start_out
> start_in
> echo
> ;;
> stop)
> echo
> stop_out
> stop_in
> echo
> ;;
> *)
> echo "Usage : $0 {start|stop|restart}"
> ;;
> esac
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From lists@wildgooses.com Sat Jul 10 12:21:22 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Sat, 10 Jul 2004 12:21:22 +0100
Subject: [Fwd: Re: [LARTC] RED/GRED implementation for InBound Traffic Control (from ISP)]
Message-ID: <40EFD132.7050705@wildgooses.com>

Sorry all, this is the missing email that I referred to previously. I inadvertently sent it only to the original poster rather than the list. Sorry for the wasted b/w for those who don't care...

Ed W

-------- Original Message --------
Subject: Re: [LARTC] RED/GRED implementation for InBound Traffic Control (from ISP)
Date: Fri, 09 Jul 2004 22:04:30 +0100
From: Ed Wildgoose
To: Ow Mun Heng
References: <1089400271.19925.133.camel@neuromancer.home.net>

> I also want to know, just how efficient is this Algorithm. AFAIK,
> inbound traffic control can't really be achieved without losing
> bandwidth.
> In some of the howtos I've read, one guy had to limit his downspeed to
> 1/2 his bandwidth to actually control it. And he was saying that the
> only way to actually efficiently control inbound traffic control is to
> use TCP windowshaping which there is not an oss implementation of it.
>
> Can anyone please shed light on this?

The issue is not as alarming as you think.
The point is that there is a buffer on the ISP end. If this buffer fills up then the algorithm is usually first in first out, i.e. you have no way to prioritise important stuff to go ahead of the regular traffic. If you can control your ISP router then this isn't an issue of course.

So the solution is to throttle incoming to 99.9% of total incoming bandwidth. Well, actually since you have no control over who can send you data, this only works in steady state. So perhaps you should make it 95% or 90%. It depends whether you mind there being the odd blip where someone starts sending you traffic, but it takes a second or so while you instruct other senders to slow down. In the meantime you will be overloaded.

Now the reason for dropping to really low numbers (50%) is because most of the throttle filters work on bandwidth consumed over a normal ethernet LAN. However, you might be using ADSL. In this case you pay for NOT 512Kbit/s of IP bandwidth, but 512Kb/s of ATM bandwidth. And unfortunately the relationship between the two is slightly complicated.

First you need to add 10 bytes to every IP packet for PPP overheads, then some other overhead if you are on PPPoE, then you have to break it up into 48 byte chunks and add a 5 byte header. That will tell you how much bandwidth you used.

To save you the headache of worrying about those calculations consider sending a 49 byte packet. It will clearly need to be split into two 48 byte packets (yes?), then each packet has a 5 byte header = 53 bytes each, so that 49 byte packet takes up 53*2 = 106 bytes of bandwidth on your ATM line. On the other hand if you used really large IP packets then the overhead would be less; consider the effect of a wasted 53 byte packet when you are sending in chunks of 1500 bytes at a time.

So big FTP transfers with large IP packets don't waste too much, but if you have a load of SSH users, or some P2P users, or something else which spits out tons of small packets then the IP bandwidth might be loads less than the ADSL bandwidth, hence some people really throttle back to be sure they have control of the inbound connection.

However, if you scroll back a few weeks you will find an experimental patch from me which adds the correct calculations to HTB and other qdiscs. At some point I will code it up in a much neater way, but in the meantime it works really well as it is. So now you can say, throttle me to 500Kb/s and it throttles to that much ATM bandwidth, regardless of how much IP bandwidth that equates to.

Clear as mud?

Ed W

From bety1@poczta.onet.pl Sat Jul 10 13:43:43 2004
From: bety1@poczta.onet.pl (bety1@poczta.onet.pl)
Date: Sat, 10 Jul 2004 14:43:43 +0200
Subject: [LARTC] HFSC simple curves configuration
Message-ID: <20040710124351Z4872694-25360+1995248@kps5.test.onet.pl>

Hi

First I must say that I am an author of an HTB auto-configurator (so I know something about QoS under Linux) and I have read a lot of articles about HFSC, but I still don't know how to configure this algorithm properly. Maybe someone can help me and write a little example for me (the best would be Patrick McHardy who has ported HFSC to Linux) - please just three queues.

My situation:
Let's say I have 1Mbit of bandwidth.
I need three queues:
- prio queue (with low delays, and 100 kbit guaranteed rate)
- 1_client queue (with 0 kbit guaranteed rate and fair sharing of the unused rest of the bandwidth)
- 2_client queue (with 0 kbit guaranteed rate and fair sharing of the unused rest of the bandwidth)

Here you can find the queues configuration:

tc qdisc add dev imq0 root handle 1:0 hfsc default 100
tc class add dev imq0 parent 1:0 classid 1:1 hfsc rt kbit ms kbit ls kbit ms kbit ul kbit ms kbit
tc class add dev imq0 parent 1:1 classid 1:10 hfsc rt kbit ms kbit ls kbit ms kbit ul kbit ms kbit # prio queue
tc class add dev imq0 parent 1:1 classid 1:100 hfsc rt kbit ms kbit ls kbit ms kbit ul kbit ms kbit # 1_client queue
tc class add dev imq0 parent 1:1 classid 1:100 hfsc rt kbit ms kbit ls kbit ms kbit ul kbit ms kbit # 2_client queue

What must the general relations between these parameters be?

Thanks for any examples.

From ciprianc@gmail.com Sat Jul 10 17:35:21 2004
From: ciprianc@gmail.com (Cyp)
Date: Sat, 10 Jul 2004 19:35:21 +0300
Subject: [LARTC] 2 internet connections
Message-ID: <6d36e9660407100935608cbb19@mail.gmail.com>

Hello, I have a little problem and I would appreciate any help.

I have 2 internet connections and I need a way to use them both. I use Linux btw.

first ip: 192.168.200.25, gateway 192.168.200.1, ip on internet: 82.77.29.169
second ip: 212.146.71.5, gateway 212.146.71.1, ip on internet: 212.146.71.5

What I want:
I want everyone to be able to connect to both ips.
I want all the outgoing connections that are made from the Linux router to be through 212.146.71.1, except to some ips that are in a list (/etc/iplist for example).

If anyone knows how to do this pls lemme know.

--
Boo!!!

From gregoriandres@yahoo.com.ar Sat Jul 10 19:00:00 2004
From: gregoriandres@yahoo.com.ar (ThE LinuX_KiD)
Date: Sat, 10 Jul 2004 15:00:00 -0300
Subject: [LARTC] load balanced adsl lines
In-Reply-To: <002101c460f1$8699fcc0$fe00000a@citadel>
Message-ID:

Do you have each ADSL line connected to an ethernet NIC?
You have 6 ethernet NICs?

bests
andres

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On behalf of Mark Coetser
Sent: Saturday, 03 July 2004 08:33 a.m.
To: LARTC@mailman.ds9a.nl
Subject: [LARTC] load balanced adsl lines

Hi Ppl

I have 5 adsl lines that after reading quite a bit I managed to get load balanced; now obviously it doesn't load balance evenly and this works on what routes are still in the routing cache.

My question is: my outbound masquerading had to be modified to use SNAT in iptables instead of just plain masquerading. My outbound masquerading now works but my inbound port forwarding doesn't work. Would this be an iptables problem or a routing issue... I have opened all the relevant ports on each of the interfaces and I am not getting any logged denies; the connection just never opens.

I am running the following: debian woody, kernel 2.6.6

ip rule list
0:      from all lookup local
32761:  from 165.165.170.110 lookup T5
32762:  from 165.165.187.47 lookup T4
32763:  from 165.165.189.95 lookup T3
32764:  from 165.165.163.95 lookup T2
32765:  from 165.165.179.151 lookup T1
32766:  from all lookup main
32767:  from all lookup default

ip route sh
165.165.160.1 dev ppp1 proto kernel scope link src 165.165.163.95
165.165.160.1 dev ppp3 proto kernel scope link src 165.165.187.47
165.165.160.1 dev ppp4 proto kernel scope link src 165.165.170.110
165.165.160.1 dev ppp0 proto kernel scope link src 165.165.179.151
165.165.160.1 dev ppp2 proto kernel scope link src 165.165.189.95
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
default
        nexthop via 165.165.160.1 dev ppp0 weight 1
        nexthop via 165.165.160.1 dev ppp1 weight 1
        nexthop via 165.165.160.1 dev ppp2 weight 1
        nexthop via 165.165.160.1 dev ppp3 weight 1
        nexthop via 165.165.160.1 dev ppp4 weight 1

From webmaster@familie-ott.info Sat Jul 10 22:02:55 2004
From: webmaster@familie-ott.info (Stephan M. Ott)
Date: Sat, 10 Jul 2004 23:02:55 +0200
Subject: [LARTC] limiting doesn't work
Message-ID: <000001c466c1$5cc7b650$3700a8c0@nathanxp>

Hi folks,

I read the fantastic LARTC How-to and after that I tried to limit one host in my LAN for both down- and upload bandwidth usage. I took section 15.9 and added uplink limiting as I understood it from the previous chapters. Unfortunately it doesn't work. I ran the script and went to the specified PC, started a download, and watched the rate. The rate was always about 2000 kbit/s, though I defined (well, at least I thought so) 768 kbit/s as maximum rate.

Can anyone please look at the script and tell me what must be corrected in order for it to work? Thanks in advance.

This is the script:

#!/bin/bash

LIMITDOWN=768
LIMITUP=96
DEV=ppp0

# clean up qdiscs
tc qdisc del dev $DEV root 2> /dev/null > /dev/null

# limit up- and downlink for benni
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 2mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate ${LIMITDOWN}kbit allot 1500 prio 5 bounded isolated
tc class add dev $DEV parent 1: classid 1:2 cbq rate ${LIMITUP}kbit allot 1500 prio 5 avpkt 1000
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.0.51 flowid 1:1
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src 192.168.0.51 flowid 1:2
#tc qdisc add dev $DEV parent 1:1 sfq perturb 10
#tc qdisc add dev $DEV parent 1:2 sfq perturb 10

I commented out the last 2 lines for testing so that the rate is always limited.

Any ideas? Thanks.

Stephan

From dada_dna@yahoo.it Sat Jul 10 23:31:46 2004
From: dada_dna@yahoo.it (dp)
Date: Sun, 11 Jul 2004 00:31:46 +0200
Subject: [LARTC] "interactive" traffic shaping
Message-ID: <200407110031.46446.dada_dna@yahoo.it>

Hi!

I'm trying to control the bandwidth usage of a filesharing client. I've read a little bit of the LARTC HOWTO, but I'm not sure it gives me the solution, or I can't see how it could give one.
I was thinking about the possibility of running the application in an "artificial environment" (relative to the user's one) where all connections are slowed down. In the howto I read about limiting the bw of a host connected to a network; is it possible to run a process on a "virtual host" (without effectively being on another computer), with its own address and in a sort of LAN with the real one, so I can limit the bw of that virtual host?

As I said, I'm a newbie, and maybe I'm saying things that just can't exist; but if there is a way, can someone please tell me where to search or what to read (I understand that maybe a full answer would be too long, and maybe it would be useless double work).

Thanks!
Daniele P.

From Glen.Mabey@usu.edu Sat Jul 10 23:51:40 2004
From: Glen.Mabey@usu.edu (Glen Mabey)
Date: Sat, 10 Jul 2004 16:51:40 -0600
Subject: [LARTC] the "cisco vs. Linux" thread
In-Reply-To: <40EEAD2A.7030300@syncompute.net>
References: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> <40ED715D.8010904@unet.edu.ve> <20040708193300.GA30890@mabeys.dsl.aros.net> <40EDC03A.2040804@erkert.com> <40EEAD2A.7030300@syncompute.net>
Message-ID: <20040710225140.GA17983@mabeys.dsl.aros.net>

On Fri, Jul 09, 2004 at 10:35:22AM -0400, Alfie Viechweg wrote:
> Regarding building your own router/switch. You might want to check out
> www.routerboard.com for a really reasonably priced 4 port NIC.

I had no idea this type of board existed! (forgive my excitement)

Alfie, have you used the Routerboard 230 or 240 products? Anyone else?

Could anyone else recommend other manufacturers of this type of hardware: an embedded system board with
* a couple of NICs
* PCMCIA
* runs linux

Thanks --
Glen

--
******************************************************************
Glen W. Mabey
Glen.Mabey@usu.edu
http://mabeys.homelinux.com/glen/
******************************************************************

From Glen.Mabey@usu.edu Sun Jul 11 00:25:49 2004
From: Glen.Mabey@usu.edu (Glen Mabey)
Date: Sat, 10 Jul 2004 17:25:49 -0600
Subject: [LARTC] the "cisco vs. Linux" thread
In-Reply-To: <20040710225140.GA17983@mabeys.dsl.aros.net>
References: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> <40ED715D.8010904@unet.edu.ve> <20040708193300.GA30890@mabeys.dsl.aros.net> <40EDC03A.2040804@erkert.com> <40EEAD2A.7030300@syncompute.net> <20040710225140.GA17983@mabeys.dsl.aros.net>
Message-ID: <20040710232549.GA18261@mabeys.dsl.aros.net>

On Sat, Jul 10, 2004 at 04:51:40PM -0600, glen wrote:
> Alfie, have you used the Routerboard 230 or 240 products?

Whoops, I meant 220 or 230 ...

Glen

--
******************************************************************
Glen W. Mabey
Glen.Mabey@usu.edu
http://mabeys.homelinux.com/glen/
******************************************************************

From dmitry@mikrotik.com Sun Jul 11 01:36:39 2004
From: dmitry@mikrotik.com (Dmitry Golubev)
Date: Sun, 11 Jul 2004 03:36:39 +0300
Subject: [LARTC] the "cisco vs. Linux" thread
In-Reply-To: <20040710232549.GA18261@mabeys.dsl.aros.net>
References: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> <20040710225140.GA17983@mabeys.dsl.aros.net> <20040710232549.GA18261@mabeys.dsl.aros.net>
Message-ID: <200407110336.39217.dmitry@mikrotik.com>

Runs well on Linux and has many (perhaps too many) different extras. Performance is sufficient for most cases unless you are working with data rates of more than 30-40Mbit/s (well, IPsec with a kind of strong encryption goes only with some 3-5 megabits...). You may want to check out the site after a while - more HW products to come soon.
You might also want to check out the manufacturer's routing software based on the Linux kernel with some proprietary extensions (like a wireless driver that is undoubtedly better than anything else for Atheros cards). (don't look at my e-mail address :)

Feel free to ask me more on these products.

Dmitry

On Sunday 11 July 2004 02:25, Glen Mabey wrote:
> On Sat, Jul 10, 2004 at 04:51:40PM -0600, glen wrote:
> > Alfie, have you used the Routerboard 230 or 240 products?
>
> Whoops, I meant 220 or 230 ...
>
> Glen

From gypsy@iswest.com Sun Jul 11 01:49:10 2004
From: gypsy@iswest.com (gypsy)
Date: Sat, 10 Jul 2004 17:49:10 -0700
Subject: [LARTC] limiting doesn't work
References: <000001c466c1$5cc7b650$3700a8c0@nathanxp>
Message-ID: <40F08E86.E5CE2614@iswest.com>

"Stephan M. Ott" wrote:
> tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst
> 192.168.0.51 flowid 1:1
> tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src
> 192.168.0.51 flowid 1:2

Wild guess: You are trying to match a masqueraded IP address. On your external interface, 192.168.blah just is not very damn likely to exist.

From aathan-lartc-15280@cloakmail.com Sun Jul 11 02:19:47 2004
From: aathan-lartc-15280@cloakmail.com (Andrew Athan)
Date: Sat, 10 Jul 2004 21:19:47 -0400
Subject: [LARTC] tc filter + bridging + htb -- works only if ip_forward = 0
In-Reply-To:
Message-ID:

By the way, under Fedora Core 2, bridging + htb + tc filter works correctly BUT tc show does not report rates correctly. I tested htb with several subsidiary classes, each with ceils and prios, and they all borrowed/allocated/etc rates correctly as measured from outside hosts. However, tc show did not seem to report sane values for bps/pps or total bytes sent except for the root qdisc.

A.
-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]On Behalf Of Andrew Athan
Sent: Thursday, July 08, 2004 10:05 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] tc filter + bridging + htb -- works only if ip_forward = 0

I thought that the below email would be of interest to LARTC readers. I wasted quite a bit of time tracking down this "feature" (bug?). Any comments that shed light on this would be appreciated. In short, "tc filter" + htb + bridging works only with ip_forward off.

Andrew Athan

-----------------------------------------------------------------------
All:

It seems that Fedora Core 2 (Linux Kernel 2.6)

echo "1" > /proc/sys/net/ipv4/ip_forward

will cause tc filter rules not to work. I am not sure if this is unique to cases of bridging or if turning ip forwarding on also breaks tc filter rules on "true", non-promiscuous, non-bridged (e.g., eth0) interfaces. I would assume it would but don't have time to test this case right now (i.e., this is probably not specific to bridging).

A.

-----Original Message-----

Folks:

I am having trouble making linux-2.6.5-1.358 (Fedora Core 2) configured as a bridge work. See below. Whether I set the tc filter's parent as 1: or 1:1 or rename 1: to 1:0 and use 1:0 etc I never get any traffic classified in the htb. If I set a default class, all the traffic ends up in the default class.

This leads me to believe that the u32 classifier simply never matches, although it probably gets the packets. Perhaps there is a wrong offset or mismatched struct somewhere? I'd be glad to investigate if pointed in the right direction, I will start by diffing cls_u32.c between linux-2.4.26 and linux-2.6.5 (people have reported there are no issues with packet classification + bridging under linux-2.4).

A.

# lspci
00:00.0 Host bridge: Intel Corp. 82810E DC-133 GMCH [Graphics Memory Controller Hub] (rev 03)
00:01.0 VGA compatible controller: Intel Corp. 82810E DC-133 CGC [Chipset Graphics Controller] (rev 03)
00:1e.0 PCI bridge: Intel Corp. 82801AA PCI Bridge (rev 02)
00:1f.0 ISA bridge: Intel Corp. 82801AA ISA Bridge (LPC) (rev 02)
00:1f.1 IDE interface: Intel Corp. 82801AA IDE (rev 02)
00:1f.2 USB Controller: Intel Corp. 82801AA USB (rev 02)
00:1f.3 SMBus: Intel Corp. 82801AA SMBus (rev 02)
00:1f.5 Multimedia audio controller: Intel Corp. 82801AA AC'97 Audio (rev 02)
01:0a.0 Ethernet controller: Lite-On Communications Inc LNE100TX (rev 20)
01:0c.0 Ethernet controller: 3Com Corporation 3c905C-TX/TX-M [Tornado] (rev 78)

#!/bin/bash
#
# qos          Add traffic shaping to eth0
#
# chkconfig: 2345 86 14
# description: Add traffic shaping to eth0
#
# processname: none

WAN=br0    # external interface
LAN=eth1   # internal interface
TC=/usr/local/tc

CMD="$1"
if [ "$CMD" == "stop" ]
then
  TCOP="del"
  IPTOP="-D"
  #iptables -t mangle -D POSTROUTING -o $WAN -j MYSHAPER-OUT 2> /dev/null > /dev/null
  #iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
  #iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
  $TC qdisc del dev ${WAN} root handle 1: htb
fi

if [ "$CMD" == "start" ]
then
  brctl addbr br0
  brctl addif br0 eth0
  brctl addif br0 eth1
  ifconfig eth0 0.0.0.0
  ifconfig eth1 0.0.0.0
  ifconfig br0 up
  ifconfig br0 10.100.82.252 netmask 255.255.255.0 broadcast 10.100.82.255 up
  echo "1" > /proc/sys/net/ipv4/ip_forward
  route add default gw 10.100.82.1

  sysctl -w net.core.rmem_max=8388608
  sysctl -w net.core.wmem_max=8388608
  sysctl -w net.core.rmem_default=65536
  sysctl -w net.core.wmem_default=65536
  sysctl -w net.ipv4.tcp_rmem='4096 87380 8388608'
  sysctl -w net.ipv4.tcp_wmem='4096 65536 8388608'
  sysctl -w net.ipv4.tcp_mem='8388608 8388608 8388608'
  sysctl -w net.ipv4.route.flush=1

  TCOP="add"
  IPTOP="-A"
  #iptables -t mangle -N MYSHAPER-OUT
  ##iptables -t mangle -I POSTROUTING -d $LIMITNETSPEC -j MYSHAPER-OUT
  #iptables -t mangle -I POSTROUTING -o $WAN -j MYSHAPER-OUT

  #              +---------+
  #              | root 1: |
  #              +---------+
  #                   |
  #      +----------------------------+
  #      |          class 1:1         |
  #      +----------------------------+
  #        |            |           |
  #      +----+       +----+      +----+
  #      |1:10|       |1:20|      |1:30|
  #      +----+       +----+      +----+
  #                     |
  #            +--------+--------+
  #            |        |        |
  #         +-----+  +-----+  +-----+
  #         |1:100|  |1:101|  |1:102|
  #         +-----+  +-----+  +-----+

  # 1:10 is the class for VOIP traffic, ACKs, SYNs, etc (pfifo qdisc)
  # 1:20 is for bulk traffic (htb, leaves use sfq)
  # 1:30 is the class that interactive traffic which must never get snuffed out completely goes to (sfq)

  # 1:20 is further split up into different kinds of bulk traffic: web, mail and
  # everything else. 1:100-102 fight amongst themselves for their slice of excess
  # bandwidth, and in turn 1:10,20 and 30 then fight for any excess above their
  # minimum rates.

  # ceil is 90% of max rate (768kbps)
  # rate is 80% of max rate
  # we don't let it go to 100% because we don't want the WAN provider to buffer
  CEIL=4500kbit
  RATE1=1000kbit
  RATE2=3000kbit
  RATE3=500kbit
  APPRATE1=1500kbit
  APPRATE2=750kbit
  APPRATE3=250kbit

  $TC qdisc ${TCOP} dev ${WAN} root handle 1: htb
  $TC class ${TCOP} dev ${WAN} parent 1: classid 1:1 htb rate ${CEIL} ceil ${CEIL}

  $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:10 htb rate ${RATE1} ceil ${CEIL} prio 1
  $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:20 htb rate ${RATE2} ceil ${CEIL} prio 2
  $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:30 htb rate ${RATE3} ceil ${CEIL} prio 3

  $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:100 htb rate ${APPRATE1} ceil ${CEIL} prio 4
  $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:101 htb rate ${APPRATE2} ceil ${CEIL} prio 5
  $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:102 htb rate ${APPRATE3} ceil ${CEIL} prio 6

  $TC qdisc ${TCOP} dev ${WAN} parent 1:10 handle 10: pfifo
  $TC qdisc ${TCOP} dev ${WAN} parent 1:100 handle 100: sfq perturb 10
  $TC qdisc ${TCOP} dev ${WAN} parent 1:101 handle 101: sfq perturb 10
  $TC qdisc ${TCOP} dev ${WAN} parent 1:102 handle 102: sfq perturb 10
  $TC qdisc ${TCOP} dev ${WAN} parent 1:30 handle 30: sfq perturb 10

  #---------------------------------------------------------------------------

  #phones
  $TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 match ip dst 10.50.30.0/24 flowid 1:10

  ##trading
  #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 207.251.101.0/24 flowid 1:100
  ##non-critical
  #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 10.50.20.0/24 flowid 1:101
  #
  #
  ##ACK
  #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
  #   match ip protocol 0x6 0xff \
  #   match u8 0x05 0x0f at 0 \
  #   match u8 0x10 0xff at 33 \
  #   match u16 0x0000 0xffc0 at 2 \
  #   flowid 1:10
  #
  ##SYN-ACK
  #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
  #   match ip protocol 0x6 0xff \
  #   match u8 0x05 0x0f at 0 \
  #   match u8 0x12 0x12 at 33 \
  #   match u16 0x0000 0xffc0 at 2 \
  #   flowid 1:10
  #
  ##FIN
  #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
  #   match ip protocol 0x6 0xff \
  #   match u8 0x05 0x0f at 0 \
  #   match u8 0x01 0x01 at 33 \
  #   match u16 0x0000 0xffc0 at 2 \
  #   flowid 1:10
  #
  ##RST
  #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
  #   match ip protocol 0x6 0xff \
  #   match u8 0x05 0x0f at 0 \
  #   match u8 0x04 0x04 at 33 \
  #   match u16 0x0000 0xffc0 at 2 \
  #   flowid 1:10
  #
  ## ICMP
  #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
  #   match ip protocol 1 0xff flowid 1:10
  #
  ## DNS
  #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
  #   match ip protocol 0x11 0xff \
  #   match ip dport 53 0xffff \
  #   flowid 1:100
  #
  ##telnet and AOL
  #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 22 0xffff flowid 1:30
  #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 22 0xffff flowid 1:30
  #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 5190 0xffff flowid 1:30
  #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 5190 0xffff flowid 1:30
  #
  ##web
  #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 80 0xffff flowid 1:102
  #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 80 0xffff flowid 1:102
  ##ftp
  #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 21 0xffff flowid 1:102
  #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 21 0xffff flowid 1:102
  ##tftp
  #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 69 0xffff flowid 1:102
  #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 69 0xffff flowid 1:102
  ##dhcp?
  ##$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 0.0.0.0/0 flowid 1:10
  ##$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 0.0.0.0/0 flowid 1:10
  #
  #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 10 fw flowid 1:10
  #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 100 fw flowid 1:100
  #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 101 fw flowid 1:101
  #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 102 fw flowid 1:102
  #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 30 fw flowid 1:30
  #
  ##TOS min delay
  #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 3 u32 \
  #   match ip tos 0x10 0xff \
  #   flowid 1:30
  #
  ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 5190 -j MARK --set-mark 30    # aol instant messenger
  ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport ssh -j MARK --set-mark 30     # secure shell
  ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport ssh -j MARK --set-mark 30     # secure shell
  ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport x11 -j MARK --set-mark 30     # secure shell
  ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 0:1024 -j MARK --set-mark 101 # Default for low port traffic
  ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 0:1024 -j MARK --set-mark 101 # ""
  ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport http -j MARK --set-mark 102   # Web
  ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport https -j MARK --set-mark 102  # Web
  ##iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 102      # redundant- mark any unmarked packets as 26 (low prio)
fi

if [ "$CMD" = "status" ]
then
  echo "[qdisc-$WAN]"
  $TC -s qdisc show dev $WAN
  echo "[class-$WAN]"
  $TC -s class show dev $WAN
  echo "[filter-$WAN]"
  $TC -s filter show dev $WAN
  echo "[iptables]"
  iptables -t mangle -L MYSHAPER-OUT -v -x 2> /dev/null
  exit
fi

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From aathan-lartc-15280@cloakmail.com Sun Jul 11 02:46:52 2004
From: aathan-lartc-15280@cloakmail.com (Andrew Athan)
Date: Sat, 10 Jul 2004 21:46:52 -0400
Subject: [LARTC] limiting doesn't work
In-Reply-To: <40F08E86.E5CE2614@iswest.com>
Message-ID:

I also sent this to Stephan, hopefully I'm not too far off base :-)

A.

------------

1) It's sfq not sqf, you should be getting errors when your two lines are not commented out

2) Your statement that commenting these lines out "so that rate is always limited" makes no sense. Adding the sfq's does not affect whether or not rate is limited, it only changes how packets belonging to the classes to which the sfq's are attached are ordered/scheduled.

3) Why use cbq at all? htb gives more reliable results and is easier to correctly configure.

4) You cannot shape downlink packets the way you are trying to do it. You must use an IMQ device, and to do that you probably have to patch your kernel and/or iptables/tc (google IMQ).

Regarding why you got 2Mbit: Perhaps your filters simply did not hit. Were you sending to/from .51? What did tc show tell you about the number of packets assigned to each class?
Regarding downlink shaping: The word "shaping" vs "policing" or "limiting" implies that you are going to queue up out-of-rate packets so that you can resend them a bit later in order to "flatten out" the usage. Policing and limiting imply that anything out-of-rate just gets dropped/clipped.

When you are talking about downlink packets, remember that you are at the far end of a link through which the packets have already been sent. What's the point of queueing them in order to "shape" the arrival profile, unless you are going to forward them further to another box??? If they are meant for this box, then they've already "used" the link. They've already "arrived" at their destination. No point in "shaping" them. On the other hand, if you are going to send them further (forward/route/bridge) then you are really shaping the OUTBOUND traffic on the given ethernet port, not the inbound traffic on the inbound port. That's why shaping is only relevant "on the way out".

If what you want to do is forcibly limit downlink speed, it is more appropriate to call that "policing"--i.e., dropping packets on the floor which fall outside your rate parameters. Now think about this: If you just drop those packets, which have already "used" the link, will you benefit down the road?

First, it should be obvious that ignoring incoming packets makes no sense unless you are trying to limit to some rate below the actual link speed rate. But secondly, you should also be thinking "hmm, the packet already used the link, if I ignore it what's the point?" Well, it turns out that if you ignore TCP packets, the TCP implementation on the sender should back off and transmit more slowly--it will "train" to your policed speed. However, if you drop UDP packets, UDP has no such concept. Who knows what the application sending UDP will do. Most likely it will just keep sending at the same rate. Worse, it might try to resend them. So you're just making your life worse.
When limiting downstream, drop only TCP packets. Look around, and you'll find sample scripts that use IMQ etc. and set up downstream rate limiting that keep ACK/SYN-ACK/etc. packets flowing.

A.

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]On Behalf Of Stephan M. Ott
Sent: Saturday, July 10, 2004 5:03 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] limiting doesn't work

Hi folks,

I read the fantastic LARTC How-to and after that I tried to limit one host in my LAN for both down- and upload bandwidth usage. I took section 15.9. and added uplink-limiting as I understood it from the previous chapters. Unfortunately it doesn't work. I ran the script and went to the specified PC, started a download, and watched the rate. The rate was always about 2000 kbit/s, though I defined (well, at least I thought so) 768 kbit/s as maximum rate. Can anyone please look at the script and tell me what must be corrected in order for it to work? Thanks in advance.

This is the script:

#!/bin/bash
LIMITDOWN=768
LIMITUP=96
DEV=ppp0

# clean up qdiscs
tc qdisc del dev $DEV root 2> /dev/null > /dev/null

# limit up- and downlink for benni
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 2mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate ${LIMITDOWN}kbit allot 1500 prio 5 bounded isolated
tc class add dev $DEV parent 1: classid 1:2 cbq rate ${LIMITUP}kbit allot 1500 prio 5 avpkt 1000
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst 192.168.0.51 flowid 1:1
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src 192.168.0.51 flowid 1:2
#tc qdisc add dev $DEV parent 1:1 sqf perturb 10
#tc qdisc add dev $DEV parent 1:2 sqf perturb 10

I commented out the last 2 lines for testing so that the rate is always limited. Any ideas? Thanks.

Stephan

From ja@ssi.bg Sun Jul 11 05:45:52 2004
From: ja@ssi.bg (Julian Anastasov)
Date: Sun, 11 Jul 2004 07:45:52 +0300 (EEST)
Subject: [LARTC] tutorial for Julian Anastasov's patches
In-Reply-To:
References:
Message-ID:

Hello,

On Fri, 9 Jul 2004, Mohammad Reza wrote:
> If one link is down, I expect that routing will flush automatically
> after 60 seconds. But this did not happen. Keeping them alive with the pinging
> trick doesn't make any change.

The 'ping' trick works for gateways which become unreachable in the ARP cache when their link is down (which does not happen in all setups) or when the devices are marked down. In all other cases you have to recreate your multipath routes with a script on fatal events such as a "link" failing, indirect gateways failing, a device being registered/unregistered, etc.

> Regards,
> Reza

Regards

--
Julian Anastasov

From webmaster@familie-ott.info Sun Jul 11 06:57:01 2004
From: webmaster@familie-ott.info (Stephan M. Ott)
Date: Sun, 11 Jul 2004 07:57:01 +0200
Subject: AW: [LARTC] limiting doesn't work
In-Reply-To:
Message-ID: <000201c4670b$fdbeaf10$3700a8c0@nathanxp>

Hi Andrew (and hi to all others on the list).

### 1) It's sfq not sqf, you should be getting errors when your two lines are not commented out

Of course you're right. I have not uncommented them yet. But thanks for the hint anyway. Saves me a little time when I activate it.

### 2) Your statement that commenting these lines out "so that rate is always limited" makes no sense. Adding the sfq's does not affect whether or not rate is limited, it only changes how packets belonging to the classes to which the sfq's are attached are ordered/scheduled.

Hmm, as far as I understood it, these lines allow the limited host to take unused bandwidth even if over the limit. Did I get this wrong?

### 3) Why use cbq at all?
htb gives more reliable results and is easier to correctly configure.

Well, it would take too long to explain it completely. To be short, I have no other choice than cbq. I cannot use htb, unfortunately.

### 4) You cannot shape downlink packets the way you are trying to do it. You must use an IMQ device, and to do that you probably have to patch your kernel and/or iptables/tc (google IMQ).

Hmm, sounds logical. I just started with all this and when I saw this short piece of script in the How-to I thought "well, give it a try. Maybe this will do the trick". In the How-to one can read:

---
15.9. Rate limiting a single host or netmask

Although this is described in stupendous details elsewhere and in our manpages, this question gets asked a lot and happily there is a simple answer that does not need full comprehension of traffic control.

This three line script does the trick:

tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 10mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate 512kbit \
   allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 \
   match ip dst 195.96.96.97 flowid 1:1
---

Did I miss something?

### Regarding why you got 2Mbit: Perhaps your filters simply did not hit. Were you sending to/from .51? What did tc show tell you about the number of packets assigned to each class?

Now it starts getting mysterious for me. My complete downlink bandwidth is 2mbit, that's why I defined it. (I have an ADSL connection which is called "DSL 2000" here in Germany.) Yes, I was sending from and to client .51. I physically went to this computer *g* and checked everything from there. So my tests really took place at .51. But the filters really didn't hit...

Here's what tc show tells me:

linux-gw:~ # tc -s class show dev ppp0
class cbq 1: root rate 2Mbit (bounded,isolated) prio no-transmit
 Sent 706511167 bytes 1396938 pkts (dropped 117, overlimits 0)
 borrowed 0 overactions 0 avgidle 3027 undertime 0
class cbq 1:1 parent 1: rate 768Kbit (bounded,isolated) prio 5
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 0 undertime 0
class cbq 1:2 parent 1: rate 96Kbit prio 5
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 0 undertime 0

What did I do wrong? As far as I understand it, I should have specified the client .51 correctly. But why is no single packet hitting the filters?

### Regarding downlink shaping: The word "shaping" vs "policing" or "limiting" implies that you are going to queue up out-of-rate packets so that you can resend them a bit later in order to "flatten out" the usage. Policing and limiting imply that anything out-of-rate just gets dropped/clipped.

When you are talking about downlink packets, remember that you are at the far end of a link through which the packets have already been sent. What's the point of queueing them in order to "shape" the arrival profile, unless you are going to forward them further to another box??? If they are meant for this box, then they've already "used" the link. They've already "arrived" at their destination. No point in "shaping" them. On the other hand, if you are going to send them further (forward/route/bridge) then you are really shaping the OUTBOUND traffic on the given ethernet port, not the inbound traffic on the inbound port. That's why shaping is only relevant "on the way out".

If what you want to do is forcibly limit downlink speed, it is more appropriate to call that "policing"--i.e., dropping packets on the floor which fall outside your rate parameters. Now think about this: If you just drop those packets, which have already "used" the link, will you benefit down the road?

First, it should be obvious that ignoring incoming packets makes no sense unless you are trying to limit to some rate below the actual link speed rate. But secondly, you should also be thinking "hmm, the packet already used the link, if I ignore it what's the point?" Well, it turns out that if you ignore TCP packets, the TCP implementation on the sender should back off and transmit more slowly--it will "train" to your policed speed. However, if you drop UDP packets, UDP has no such concept. Who knows what the application sending UDP will do. Most likely it will just keep sending at the same rate. Worse, it might try to resend them. So you're just making your life worse.

When limiting downstream, drop only TCP packets. Look around, and you'll find sample scripts that use IMQ etc. and set up downstream rate limiting that keep ACK/SYN-ACK/etc. packets flowing.

Okay, I think I got what you tell me. Of course I can only limit TCP packets. And that's all I want to do. Obviously I misunderstood what the How-to wants to say. I read it the way that these few lines will DO limiting and will drop packets coming in out of the limit and thereby "train" the netflow. Can you give me some hint where I should look for scripts that do this well?

On the other hand... limiting upstream also does not work. Tc show tells that no packet hits the filter. And limiting the upstream should work, because I catch these packets before they reach the internet. What goes wrong here?

As you can see, I'm a newbie to all of this. I'm interested in improving the network and LARTC sounds great. But it seems as if I get wrecked even at the start :-(

Thanks in advance for your assistance.
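The commented-out ACK/SYN-ACK/FIN/RST filters in Andrew's shaper script earlier in this thread, and his advice to keep exactly those packets flowing when policing downstream, rest on raw u32 byte matches that are hard to read. The following is an added example (not code from any posting here or from the LARTC HOWTO) that re-implements those selectors in Python over constructed IPv4/TCP/UDP packets and reports which class each packet would land in; the offsets, masks and flowids are those in the script, the helper names and the sample packets are my own.

```python
# Added example: evaluate the u32 selectors from the quoted shaper script
# against constructed packets, the way cls_u32 would (offsets are counted
# from the start of the IP header, exactly as in "tc filter ... u32").
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sel:
    size: int      # 1, 2 or 4 bytes (u8, u16, u32)
    value: int
    mask: int
    offset: int


@dataclass(frozen=True)
class Filter:
    name: str
    selectors: Tuple[Sel, ...]
    flowid: str


def sel_matches(pkt: bytes, s: Sel) -> bool:
    end = s.offset + s.size
    if end > len(pkt):
        return False                 # reading past the packet is never a match
    field = int.from_bytes(pkt[s.offset:end], "big")
    return (field & s.mask) == (s.value & s.mask)


def classify(pkt: bytes, filters: List[Filter]) -> Optional[str]:
    """Flowid of the first filter whose selectors all match, else None."""
    for f in filters:
        if all(sel_matches(pkt, s) for s in f.selectors):
            return f.flowid
    return None


# tc shorthands: "ip protocol X 0xff" is the byte at offset 9, and
# "ip dport P 0xffff" is the u16 at offset 22, i.e. tc assumes a 20-byte
# IP header here, which is why the TCP-flag rules also pin IHL to 5.
def ip_protocol(proto: int) -> Sel:
    return Sel(1, proto, 0xFF, 9)


def ip_dport(port: int) -> Sel:
    return Sel(2, port, 0xFFFF, 22)


# The script's selectors, transcribed one by one:
#   "match u8 0x05 0x0f at 0"      -> IHL == 5 (no IP options)
#   "match u16 0x0000 0xffc0 at 2" -> total length < 64 (bare header, no payload)
#   "match u8 FLAGS MASK at 33"    -> TCP flags byte (20 + 13)
SMALL_TCP = (ip_protocol(6), Sel(1, 0x05, 0x0F, 0), Sel(2, 0x0000, 0xFFC0, 2))
FILTERS = [
    Filter("ACK",     SMALL_TCP + (Sel(1, 0x10, 0xFF, 33),), "1:10"),
    Filter("SYN-ACK", SMALL_TCP + (Sel(1, 0x12, 0x12, 33),), "1:10"),
    Filter("FIN",     SMALL_TCP + (Sel(1, 0x01, 0x01, 33),), "1:10"),
    Filter("RST",     SMALL_TCP + (Sel(1, 0x04, 0x04, 33),), "1:10"),
    Filter("ICMP",    (ip_protocol(1),), "1:10"),
    Filter("DNS",     (ip_protocol(17), ip_dport(53)), "1:100"),
]


# Constructed packets (checksums left zero; the classifier never reads them).
def ipv4(proto: int, payload: bytes, ihl: int = 5) -> bytes:
    options = b"\x00" * (4 * (ihl - 5))
    total_len = 20 + len(options) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                      64, proto, 0, bytes([192, 168, 0, 51]), bytes([10, 0, 0, 1]))
    return hdr + options + payload


def tcp(flags: int, payload: bytes = b"") -> bytes:
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload


def udp(dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", 40001, dport, 8 + len(payload), 0) + payload


ACK, SYN, FIN, RST, PSH = 0x10, 0x02, 0x01, 0x04, 0x08


def demo() -> dict:
    pkts = {
        "pure ack":         ipv4(6, tcp(ACK)),
        "syn-ack":          ipv4(6, tcp(SYN | ACK)),
        "fin-ack":          ipv4(6, tcp(FIN | ACK)),
        "rst":              ipv4(6, tcp(RST)),
        "data segment":     ipv4(6, tcp(ACK | PSH, b"x" * 1400)),  # bulk: not a bare header
        "ack with ip opts": ipv4(6, tcp(ACK), ihl=6),              # IHL != 5: offset 33 is wrong
        "dns query":        ipv4(17, udp(53, b"q" * 30)),
        "ping":             ipv4(1, b"\x08\x00" + b"\x00" * 6),
    }
    return {name: classify(p, FILTERS) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, flow in demo().items():
        print(f"{name:18s} -> {flow}")
```

A data-carrying segment with the ACK bit set falls through every TCP rule because of the length selector, which is what keeps these filters from sweeping bulk traffic into the priority class.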
From acid@dg.net.ua Sun Jul 11 07:53:45 2004
From: acid@dg.net.ua (Michael Vasilenko)
Date: Sun, 11 Jul 2004 09:53:45 +0300
Subject: [LARTC] tc filter + bridging + htb -- works only if ip_forward = 0
In-Reply-To:
References:
Message-ID: <20040711065345.GA27559@ihateyouall.dg.net.ua>

Andrew Athan (aathan-lartc-15280@cloakmail.com) wrote:
>
> I thought that the below email would be of interest to LARTC readers. I
> wasted quite a bit of time tracking down this "feature" (bug?). Any
> comments that shed light on this would be appreciated. In short, "tc
> filter" + htb + bridging works only with ip_forward off.
>
> Andrew Athan

tc filter + class + shape htb + sfq works fine for me, but I'm matching packets on the bridge (br0) interface and build htb classes for input and output on the eth0 and eth1 interfaces. And, I agree, tc doesn't show correct statistics in some cases. I'm still unable to find out why.

> -----------------------------------------------------------------------
> All:
>
> It seems that Fedora Core 2 (Linux Kernel 2.6)
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> will cause tc filter rules not to work. I am not sure if this is unique to
> cases of bridging or if turning ip forwarding on also breaks tc filter rules
> on "true", non-promiscuous, non-bridged (e.g., eth0) interfaces. I would
> assume it would but don't have time to test this case right now (i.e., this
> is probably not specific to bridging).
>
> A.
>
> -----Original Message-----
>
> Folks:
>
> I am having trouble making linux-2.6.5-1.358 (Fedora Core 2) configured as a
> bridge work. See below. Whether I set the tc filter's parent as 1: or 1:1
> or rename 1: to 1:0 and use 1:0 etc I never get any traffic classified in
> the htb. If I set a default class, all the traffic ends up in the default
> class.
>
> This leads me to believe that the u32 classifier simply never matches,
> although it probably gets the packets. Perhaps there is a wrong offset or
> mismatched struct somewhere? I'd be glad to investigate if pointed in the
> right direction, I will start by diffing cls_u32.c between linux-2.4.26 and
> linux-2.6.5 (people have reported there are no issues with packet
> classification + bridging under linux-2.4).
>
> A.
>
>
> # lspci
> 00:00.0 Host bridge: Intel Corp. 82810E DC-133 GMCH [Graphics Memory Controller Hub] (rev 03)
> 00:01.0 VGA compatible controller: Intel Corp. 82810E DC-133 CGC [Chipset Graphics Controller] (rev 03)
> 00:1e.0 PCI bridge: Intel Corp. 82801AA PCI Bridge (rev 02)
> 00:1f.0 ISA bridge: Intel Corp. 82801AA ISA Bridge (LPC) (rev 02)
> 00:1f.1 IDE interface: Intel Corp. 82801AA IDE (rev 02)
> 00:1f.2 USB Controller: Intel Corp. 82801AA USB (rev 02)
> 00:1f.3 SMBus: Intel Corp. 82801AA SMBus (rev 02)
> 00:1f.5 Multimedia audio controller: Intel Corp. 82801AA AC'97 Audio (rev 02)
> 01:0a.0 Ethernet controller: Lite-On Communications Inc LNE100TX (rev 20)
> 01:0c.0 Ethernet controller: 3Com Corporation 3c905C-TX/TX-M [Tornado] (rev 78)
>
> #!/bin/bash
> #
> # qos          Add traffic shaping to eth0
> #
> # chkconfig: 2345 86 14
> # description: Add traffic shaping to eth0
> #
> # processname: none
>
> WAN=br0    # external interface
> LAN=eth1   # internal interface
> TC=/usr/local/tc
>
> CMD="$1"
> if [ "$CMD" == "stop" ]
> then
>   TCOP="del"
>   IPTOP="-D"
>   #iptables -t mangle -D POSTROUTING -o $WAN -j MYSHAPER-OUT 2> /dev/null > /dev/null
>   #iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
>   #iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
>   $TC qdisc del dev ${WAN} root handle 1: htb
> fi
>
> if [ "$CMD" == "start" ]
> then
>   brctl addbr br0
>   brctl addif br0 eth0
>   brctl addif br0 eth1
>   ifconfig eth0 0.0.0.0
>   ifconfig eth1 0.0.0.0
>   ifconfig br0 up
>   ifconfig br0 10.100.82.252 netmask 255.255.255.0 broadcast 10.100.82.255 up
>   echo "1" > /proc/sys/net/ipv4/ip_forward
>   route add default gw 10.100.82.1
>
>   sysctl -w net.core.rmem_max=8388608
>   sysctl -w net.core.wmem_max=8388608
>   sysctl -w net.core.rmem_default=65536
>   sysctl -w net.core.wmem_default=65536
>   sysctl -w net.ipv4.tcp_rmem='4096 87380 8388608'
>   sysctl -w net.ipv4.tcp_wmem='4096 65536 8388608'
>   sysctl -w net.ipv4.tcp_mem='8388608 8388608 8388608'
>   sysctl -w net.ipv4.route.flush=1
>
>   TCOP="add"
>   IPTOP="-A"
>   #iptables -t mangle -N MYSHAPER-OUT
>   ##iptables -t mangle -I POSTROUTING -d $LIMITNETSPEC -j MYSHAPER-OUT
>   #iptables -t mangle -I POSTROUTING -o $WAN -j MYSHAPER-OUT
>
>   #              +---------+
>   #              | root 1: |
>   #              +---------+
>   #                   |
>   #      +----------------------------+
>   #      |          class 1:1         |
>   #      +----------------------------+
>   #        |            |           |
>   #      +----+       +----+      +----+
>   #      |1:10|       |1:20|      |1:30|
>   #      +----+       +----+      +----+
>   #                     |
>   #            +--------+--------+
>   #            |        |        |
>   #         +-----+  +-----+  +-----+
>   #         |1:100|  |1:101|  |1:102|
>   #         +-----+  +-----+  +-----+
>
>   # 1:10 is the class for VOIP traffic, ACKs, SYNs, etc (pfifo qdisc)
>   # 1:20 is for bulk traffic (htb, leaves use sfq)
>   # 1:30 is the class that interactive traffic which must never get snuffed out completely goes to (sfq)
>
>   # 1:20 is further split up into different kinds of bulk traffic: web, mail and
>   # everything else. 1:100-102 fight amongst themselves for their slice of excess
>   # bandwidth, and in turn 1:10,20 and 30 then fight for any excess above their
>   # minimum rates.
>
>   # ceil is 90% of max rate (768kbps)
>   # rate is 80% of max rate
>   # we don't let it go to 100% because we don't want the WAN provider to buffer
>   CEIL=4500kbit
>   RATE1=1000kbit
>   RATE2=3000kbit
>   RATE3=500kbit
>   APPRATE1=1500kbit
>   APPRATE2=750kbit
>   APPRATE3=250kbit
>
>   $TC qdisc ${TCOP} dev ${WAN} root handle 1: htb
>   $TC class ${TCOP} dev ${WAN} parent 1: classid 1:1 htb rate ${CEIL} ceil ${CEIL}
>
>   $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:10 htb rate ${RATE1} ceil ${CEIL} prio 1
>   $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:20 htb rate ${RATE2} ceil ${CEIL} prio 2
>   $TC class ${TCOP} dev ${WAN} parent 1:1 classid 1:30 htb rate ${RATE3} ceil ${CEIL} prio 3
>
>   $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:100 htb rate ${APPRATE1} ceil ${CEIL} prio 4
>   $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:101 htb rate ${APPRATE2} ceil ${CEIL} prio 5
>   $TC class ${TCOP} dev ${WAN} parent 1:20 classid 1:102 htb rate ${APPRATE3} ceil ${CEIL} prio 6
>
>   $TC qdisc ${TCOP} dev ${WAN} parent 1:10 handle 10: pfifo
>   $TC qdisc ${TCOP} dev ${WAN} parent 1:100 handle 100: sfq perturb 10
>   $TC qdisc ${TCOP} dev ${WAN} parent 1:101 handle 101: sfq perturb 10
>   $TC qdisc ${TCOP} dev ${WAN} parent 1:102 handle 102: sfq perturb 10
>   $TC qdisc ${TCOP} dev ${WAN} parent 1:30 handle 30: sfq perturb 10
>
>
>   #---------------------------------------------------------------------------
>
>   #phones
>   $TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 match ip dst 10.50.30.0/24 flowid 1:10
>
>   ##trading
>   #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 207.251.101.0/24 flowid 1:100
>   ##non-critical
>   #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 10.50.20.0/24 flowid 1:101
>   #
>   #
>   ##ACK
>   #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
>   #   match ip protocol 0x6 0xff \
>   #   match u8 0x05 0x0f at 0 \
>   #   match u8 0x10 0xff at 33 \
>   #   match u16 0x0000 0xffc0 at 2 \
>   #   flowid 1:10
>   #
>   ##SYN-ACK
>   #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
>   #   match ip protocol 0x6 0xff \
>   #   match u8 0x05 0x0f at 0 \
>   #   match u8 0x12 0x12 at 33 \
>   #   match u16 0x0000 0xffc0 at 2 \
>   #   flowid 1:10
>   #
>   ##FIN
>   #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
>   #   match ip protocol 0x6 0xff \
>   #   match u8 0x05 0x0f at 0 \
>   #   match u8 0x01 0x01 at 33 \
>   #   match u16 0x0000 0xffc0 at 2 \
>   #   flowid 1:10
>   #
>   ##RST
>   #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
>   #   match ip protocol 0x6 0xff \
>   #   match u8 0x05 0x0f at 0 \
>   #   match u8 0x04 0x04 at 33 \
>   #   match u16 0x0000 0xffc0 at 2 \
>   #   flowid 1:10
>   #
>   ## ICMP
>   #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
>   #   match ip protocol 1 0xff flowid 1:10
>   #
>   ## DNS
>   #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 1 u32 \
>   #   match ip protocol 0x11 0xff \
>   #   match ip dport 53 0xffff \
>   #   flowid 1:100
>   #
>   ##telnet and AOL
>   #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 22 0xffff flowid 1:30
>   #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 22 0xffff flowid 1:30
>   #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 5190 0xffff flowid 1:30
>   #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 5190 0xffff flowid 1:30
>   #
>   ##web
>   #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 80 0xffff flowid 1:102
>   #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 80 0xffff flowid 1:102
>   ##ftp
>   #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 21 0xffff flowid 1:102
>   #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 21 0xffff flowid 1:102
>   ##tftp
>   #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip sport 69 0xffff flowid 1:102
>   #$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dport 69 0xffff flowid 1:102
>   ##dhcp?
>   ##$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 0.0.0.0/0 flowid 1:10
>   ##$TC filter ${TCOP} dev ${WAN} protocol ip parent 1: prio 1 u32 match ip dst 0.0.0.0/0 flowid 1:10
>   #
>   #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 10 fw flowid 1:10
>   #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 100 fw flowid 1:100
>   #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 101 fw flowid 1:101
>   #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 102 fw flowid 1:102
>   #$TC filter ${TCOP} dev ${WAN} parent 1: prio 2 protocol ip handle 30 fw flowid 1:30
>   #
>   ##TOS min delay
>   #$TC filter ${TCOP} dev ${WAN} parent 1: protocol ip prio 3 u32 \
>   #   match ip tos 0x10 0xff \
>   #   flowid 1:30
>   #
>   ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 5190 -j MARK --set-mark 30    # aol instant messenger
>   ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport ssh -j MARK --set-mark 30     # secure shell
>   ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport ssh -j MARK --set-mark 30     # secure shell
>   ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport x11 -j MARK --set-mark 30     # secure shell
>   ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport 0:1024 -j MARK --set-mark 101 # Default for low port traffic
>   ##iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 0:1024 -j MARK --set-mark 101 # ""
>   ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport http -j MARK --set-mark 102   # Web
>   ##iptables -t mangle -A MYSHAPER-OUT -p tcp --sport https -j MARK --set-mark 102  # Web
>   ##iptables -t mangle -A MYSHAPER-OUT -m mark --mark 0 -j MARK --set-mark 102      # redundant- mark any unmarked packets as 26 (low prio)
> fi
>
> if [ "$CMD" = "status" ]
> then
>   echo "[qdisc-$WAN]"
>   $TC -s qdisc show dev $WAN
>   echo "[class-$WAN]"
>   $TC -s class show dev $WAN
>   echo
"[filter-$WAN]" > $TC -s filter show dev $WAN > echo "[iptables]" > iptables -t mangle -L MYSHAPER-OUT -v -x 2> /dev/null > exit > fi > > > > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ -- Michael Vasilenko From acid@dg.net.ua Sun Jul 11 08:26:36 2004 From: acid@dg.net.ua (Michael Vasilenko) Date: Sun, 11 Jul 2004 10:26:36 +0300 Subject: [LARTC] tc filter + bridging + htb -- works only if ip_forward = 0 In-Reply-To: <20040711065345.GA27559@ihateyouall.dg.net.ua> References: <20040711065345.GA27559@ihateyouall.dg.net.ua> Message-ID: <20040711072636.GB27559@ihateyouall.dg.net.ua> Michael Vasilenko (acid@dg.net.ua) wrote: > Andrew Athan (aathan-lartc-15280@cloakmail.com) wrote: > > > > I thought that the below email would be of interest to LARTC readers. I > > wasted quite a bit of time tracking down this "feature" (bug?). Any > > comments that shed light on this would be appreciated. In short, "tc > > filter" + htb + bridging works only with ip_forward off. > > > > Andrew Athan > > > tc filter + class + shape htb + sfq works fine for me, but I'm matching > packets on bridge - br0 interface and build htb classes for input and output on > eth0 and eth1 interfaces. And, I agree, tc doesn't show correct statistics in some > cases. I'm still unable to find out, why. and ip_forward is "ON" > > ----------------------------------------------------------------------- > > All: > > > > It seems that Fedora Core 2 (Linux Kernel 2.6) > > > > echo "1" > /proc/sys/net/ipv4/ip_forward > > > > will cause tc filter rules not to work. I am not sure if this is unique to > > cases of bridging or if turning ip forwarding on also breaks tc filter rules > > on "true", non-promiscuous, non-bridged (e.g., eth0) interfaces. I would > > assume it would but don't have time to test this case right now (i.e., this > > is probably not specific to bridging). > > > > A. 
>
> --
> Michael Vasilenko

-- 
Michael Vasilenko

From slash@ramdown.com Sun Jul 11 14:44:05 2004
From: slash@ramdown.com (slash)
Date: Sun, 11 Jul 2004 06:44:05 -0700
Subject: [LARTC] Internet Cafe tcp and udp sharing
Message-ID: <20040711134405.26071.qmail@olympus.ramdown.com>

Hi guys,

I run an internet cafe with 40 odd computers in it and would like some sugestions on sharing the data evenly for udp and tcp data. Currently i have all tcp data put into a class thats half our link speed and udp data doesnt get class'd at all. which works well but also means that the line doesnt get shared in terms of bandwidth evenly.

What i would like tho is to setup a parent class of 1mbit then have 2 leafs below that, with one leaf being tcp and the other udp setting the rate to 512 on both and a ceiling of 1M so if no one is playing games there is bandwidth to utalise the line to leech away. Yet if people are playing games then there will be enough bandwidth for that as well without surfing the net being affected.

I tried setting the above up and it kinda works but the latency is huge for UDP data any recomendations of sharing the line for tcp and udp? with onbiously udp being priority 1..

cheers guys for the help!

--Chris

From james+lartc@vincentsystems.com Sun Jul 11 18:15:25 2004
From: james+lartc@vincentsystems.com (James Sneeringer)
Date: Sun, 11 Jul 2004 12:15:25 -0500
Subject: [LARTC] the "cisco vs.
Linux" thread
In-Reply-To: <20040710225140.GA17983@mabeys.dsl.aros.net>
References: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> <40ED715D.8010904@unet.edu.ve> <20040708193300.GA30890@mabeys.dsl.aros.net> <40EDC03A.2040804@erkert.com> <40EEAD2A.7030300@syncompute.net> <20040710225140.GA17983@mabeys.dsl.aros.net>
Message-ID: <20040711171525.GA8941@valjean.si.ocslink.com>

On Sat, Jul 10, 2004 at 04:51:40PM -0600, Glen Mabey wrote:
> Could anyone else recommend other manufacturers of this type of
> hardware: an embedded system board with
> * a couple of NICs
> * PCMCIA
> * runs linux

Try Soekris or Acrosser. Both make boards that work with Linux.

http://www.soekris.com/
http://www.acrosser.com/

-James

From gypsy@iswest.com Sun Jul 11 20:56:06 2004
From: gypsy@iswest.com (gypsy)
Date: Sun, 11 Jul 2004 12:56:06 -0700
Subject: [LARTC] Internet Cafe tcp and udp sharing
References: <20040711134405.26071.qmail@olympus.ramdown.com>
Message-ID: <40F19B56.B05AFF0A@iswest.com>

slash wrote:
>
> Hi guys,
>
> I run an internet cafe with 40 odd computers in it and would like some
> suggestions on sharing the data evenly for udp and tcp data.

Here are a few pointers:

http://digriz.org.uk/jdg-qos-script/
http://www.metamorpher.de/fairnat/

google:
lartc dynamic ratelimiting David DeLauro
lartc pyshaper
lartc james jones

From gypsy@iswest.com Sun Jul 11 21:03:39 2004
From: gypsy@iswest.com (gypsy)
Date: Sun, 11 Jul 2004 13:03:39 -0700
Subject: [LARTC] Internet Cafe tcp and udp sharing
References: <20040711134405.26071.qmail@olympus.ramdown.com>
Message-ID: <40F19D1B.8D97418@iswest.com>

slash wrote:

OOPS! I inadvertently left out

google lartc rio martin cafe

Where Rio posts his script...
From cnicules@4email.net Mon Jul 12 00:40:53 2004
From: cnicules@4email.net (Ciprian Niculescu)
Date: Mon, 12 Jul 2004 01:40:53 +0200
Subject: [LARTC] htb quantum/r2q problem/question
Message-ID: <40F1D005.5020303@4email.net>

hello,

I have a config with a large range of rates, from 2kb to 40Mb, and I have some problems that I don't know how to deal with.

So here are some classes: 2 with q=1000, one with q=200000 and one with q=6400. All have been calculated by htb; in the code I specified just rate and ceil, no quantum, no r2q, no bursts
($tc class add $IF_INT parent 1:2 classid 1:21 htb rate ${eth1_web_r}kbit prio 1)

class htb 1:199 parent 1:10 leaf 1990: prio 2 quantum 200000 rate 23000Kbit ceil 47040Kbit burst 10Kb/8 mpu 0b cburst 61800b/8 mpu 0b level 0
class htb 1:2 parent 1:20 prio 1 quantum 1000 rate 48Kbit ceil 48Kbit burst 10Kb/8 mpu 0b cburst 1660b/8 mpu 0b level 0
class htb 1:12 parent 1:10 prio 1 quantum 1000 rate 50Kbit ceil 48000Kbit burst 10Kb/8 mpu 0b cburst 63025b/8 mpu 0b level 0
class htb 1:15 parent 1:10 prio 1 quantum 6400 rate 500Kbit ceil 48000Kbit burst 10Kb/8 mpu 0b cburst 63025b/8 mpu 0b level 0

and in the logs I get:

kernel: HTB init, kernel part version 3.17
kernel: HTB: quantum of class 10001 is big. Consider r2q change.
kernel: HTB: quantum of class 10002 is small. Consider r2q change.
kernel: HTB: quantum of class 10012 is small. Consider r2q change.
kernel: HTB: quantum of class 10199 is big. Consider r2q change.

For now I put manually 1500 to all, but more logically how do I set the quantum, what are the considerations????
primus:/etc# uname -a
Linux primus 2.4.26 #3 Sun Jul 4 16:58:02 EEST 2004 i686 unknown
primus:/etc# tc -V
tc utility, iproute2-ss020116
primus:/etc#

C

From lshobbrook@fasttrack.net.au Mon Jul 12 05:06:27 2004
From: lshobbrook@fasttrack.net.au (Lewis Shobbrook)
Date: Mon, 12 Jul 2004 14:06:27 +1000
Subject: [LARTC] Multipath load balance issues
Message-ID: <0C8098CA7F09CE419F0C2B68EB8358761EBA88@exchange.fasttrack.net.au>

Hi All,

I've configured a multipath as detailed in the HOWTO.
For the most part it's great, but when the cheap DSL line drops its connection, as it regularly does, the outbound routing doesn't automatically use the remaining path for internal outbound traffic.
ip route show lists no default route once the default path dies, and if the ppp connection is revived we still lack a default route.

I've tried adding connection specific up-down scripts to the ppp config, but it hasn't worked. I need to run connection specific scripts as I have other ppp's going up & down which aren't related.

The routing script starts as follows...
#!/bin/sh
## ip route multi path configuration script

## Provider 1 (SWIFTEL) network
P1_NET="202.154.xxx.0/24"
## Provider 2 (NTT) network
P2_NET="202.53.xxx.xxx/30"
## Provider 2 alias network
P2_ALIAS_NET="xxx.xxx.xxx.xxx/30"
## Interface for Provider 1
IF1="ppp0"
## Interface for Provider 2
IF2="eth1"
## Static IP Address of provider 1 connection
IP1="218.xxx.xxx.xxx"
## Static IP Address of provider 2 connection
IP2="202.xxx.xxx.xxx"
## Alias IP Address of provider 2 connection
SPIP1="203.xxx.xxx.xxx"
## Gateway address for provider 1
P1="202.154.xxx.xxx"
## Gateway address for provider 2
P2="202.53.xxx.xxx"

## Routing Table Config
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2
ip route add $P2_ALIAS_NET dev $IF2 src $IP2 table T2
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
ip route add $P2_ALIAS_NET dev $IF2 src $IP2
ip route add default via $P1
ip rule add from $IP1 table T1
ip rule add from $IP2 table T2
ip rule add from $SPIP1 table T2
ip route add default scope global nexthop via $P1 dev $IF1 weight 1 nexthop via $P2 dev $IF2 weight 1
ip rule add fwmark 1 table mail.out
ip rule add fwmark 2 table ipsec.out
ip route add default via $IP1 dev $IF1 table mail.out
ip route add default via $IP2 dev $IF2 table ipsec.out

I then use iptables to mark & direct traffic out the interfaces in preference to cost/speed.
This works very well til the DSL line drops ($P1), at which time we lose web browsing (as the default route is lost).

Any ideas how to use the $IF2 path as fail-over automatically when $IF1 drops???
If I change the default route to the more reliable interface and direct ports using routing tables out the cheapo one, I'm still stuck with loss of service.

I was under the false impression that ...
ip route add default scope global nexthop via $P1 dev $IF1 weight 1 nexthop via $P2 dev $IF2 weight 1

... would provide some fault tolerance.
If the default path (ip route add default via $P1) was too congested, eventually packets will go out against the default route via $P2?

Also, for iptables marked traffic directed through the routing tables mail.out or ipsec.out, is it possible to achieve fault tolerance here with something like....?

ip route add default nexthop via $P1 dev $IF1 weight 5 nexthop via $P2 dev $IF2 weight 1 table mail.out

(I know this doesn't work, but hopefully the idea is conveyed).

In which direction does the value of the weight attribute work? I've looked high and low but can't find any info on this.
Does the increase in the weight from 1 to 5 make a packet more biased to go the given path or less?

Anyway, after partially failing on the multipath front, the idea was to simply rewrite the routing tables by using connection specific up/down scripts via the pppd. If I run the scripts manually all is well; but they don't get called in a specific manner by ppp.

I have linkname="swiftel" in the peers/ configuration file also named "swiftel" and a sub folder named swiftel in /etc/ppp/ip-down.d/ /etc/ppp/ip-up.d/.

When the DSL link fails, I have attempted to fire the rerouting scripts off from /etc/ppp/ip-down.d/ with...

if [ -n "$LINKNAME" ] ; then
    run-parts /etc/ppp/ip-down.d/$LINKNAME
fi
exit 0

This was intended to call the following script among others residing in the /etc/ppp/ip-down.d/swiftel/ folder...

#!/bin/sh
## ip route multi path configuration script

*** All the unlisted but required variables....
## START WITH CLEAN ROUTING TABLE
route del default gw $P2 $IF2
route del default gw $P1 $IF2
ip route del $P1_NET dev $IF1 src $IP1 table T1
ip route del $P2_NET dev $IF2 src $IP2 table T2
ip rule del from $IP1 table T1
ip rule del from $IP2 table T2
ip rule del fwmark 1 table T1
ip rule del fwmark 2 table T2
ip rule del fwmark 1 table mail.out
ip rule del fwmark 2 table l2tp.out
ip route del default via $IP1 dev $IF1 table mail.out
ip route del default via $IP2 dev $IF2 table l2tp.out
ip route del default via $IP1 dev $IF1 table T1
ip route del default via $IP2 dev $IF2 table T2
ip route flush cache

ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2
ip route add $P2_ALIAS_NET dev $IF2 src $IP2 table T2
ip route add $P2_NET dev $IF2 src $IP2
ip route add $P2_NET dev $IF2 src $IP2
ip route add default via $P2
ip rule add from $IP2 table T2
ip rule add from $ALIASIPS2 table T2
ip route add default scope global nexthop via $P2 dev $IF2 weight 1
ip rule add fwmark 1 table mail.out
ip rule add fwmark 2 table ipsec.out
ip route add default via $IP2 dev $IF2 table ipsec.out
ip route add default via $IP2 dev $IF2 table mail.out

If anyone can offer some advice here I'd be most appreciative.

Thanks to all!

Lewis Shobbrook

From smohan@vsnl.com Sun Jul 11 15:36:59 2004
From: smohan@vsnl.com (S Mohan)
Date: Sun, 11 Jul 2004 20:06:59 +0530
Subject: [LARTC] the "cisco vs. Linux" thread
In-Reply-To: <20040710225140.GA17983@mabeys.dsl.aros.net>
Message-ID: <20040712044254.528804008@outpost.ds9a.nl>

You could try the following:

1. http://www.axiomtech.com.tw
2. http://www.soekris.com
3. http://www.pcengines.com
4. http://www.nexedi.org
5. http://www.nagasaki.com.tw
6. http://www.iei.com.tw
7. http://www.advantech.com
8. http://www.lannerinc.com

And a lot more. Nagasaki is good and has a few good options. Cheapest of the lot. Most of these are Taiwanese/Chinese companies with US offices.
Warm regards
Mohan

> -----Original Message-----
> From: lartc-admin@mailman.ds9a.nl
> [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Glen Mabey
> Sent: Sunday, July 11, 2004 4:22 AM
> To: LARTC Mailing List
> Subject: Re: [LARTC] the "cisco vs. Linux" thread
>
> On Fri, Jul 09, 2004 at 10:35:22AM -0400, Alfie Viechweg wrote:
> > Regarding building your own router/switch. You might want to check out
> > www.routerboard.com for a really reasonably priced 4 port NIC.
>
> I had no idea this type of board existed! (forgive my excitement)
>
> Alfie, have you used the Routerboard 230 or 240 products?
> Anyone else?
>
> Could anyone else recommend other manufacturers of this type of
> hardware: an embedded system board with
> * a couple of NICs
> * PCMCIA
> * runs linux
>
> Thanks --
> Glen
>
> --
> ******************************************************************
> Glen W. Mabey
> Glen.Mabey@usu.edu
> http://mabeys.homelinux.com/glen/
> ******************************************************************
>

From ahessling@gmx.de Mon Jul 12 08:29:13 2004
From: ahessling@gmx.de (André Heßling)
Date: Mon, 12 Jul 2004 09:29:13 +0200
Subject: [LARTC] Traffic shaping: upload should not hurt download
Message-ID: <20040712092913.00000db0@ANDRE>

Hello!

I have a small home network and I'd like to use traffic shaping because every time someone uploads a file at full speed, my download speed drops to ~10 KB/s. My connection is 768/128 DSL.
I found a script at http://www.knowplace.org/shaper/examples.html

$TC qdisc add dev $INTERFACE root handle 1: htb default 60
$TC class add dev $INTERFACE parent 1: classid 1:1 htb rate 116kbit
$TC class add dev $INTERFACE parent 1:1 classid 1:10 htb rate 32kbit ceil 116kbit prio 0
$TC class add dev $INTERFACE parent 1:1 classid 1:20 htb rate 22kbit ceil 116kbit prio 1
$TC class add dev $INTERFACE parent 1:1 classid 1:30 htb rate 22kbit ceil 116kbit prio 2
$TC class add dev $INTERFACE parent 1:1 classid 1:40 htb rate 20kbit ceil 116kbit prio 3
$TC class add dev $INTERFACE parent 1:1 classid 1:50 htb rate 18kbit ceil 116kbit prio 4
$TC class add dev $INTERFACE parent 1:1 classid 1:60 htb rate 2kbit ceil 116kbit prio 5
$TC qdisc add dev $INTERFACE parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev $INTERFACE parent 1:20 handle 20: sfq perturb 10
$TC qdisc add dev $INTERFACE parent 1:30 handle 30: sfq perturb 10
$TC qdisc add dev $INTERFACE parent 1:40 handle 40: sfq perturb 10
$TC qdisc add dev $INTERFACE parent 1:50 handle 50: sfq perturb 10
$TC qdisc add dev $INTERFACE parent 1:60 handle 60: sfq perturb 10

This works quite well as I can download a file at about 70 KB/s when uploading a file at full speed. But http traffic is not that good. I still want to have a good surfing speed. I slightly modified the line where iptables classifies http packets. I set this rule to class 1:10 (highest priority). But that doesn't change very much.

It should be possible because I have seen such a solution under Windows using the cFos PPPoE driver. You are able to upload and download a file at full speed while surfing is still possible.

So do you have any ideas how to optimize the above script or do you know a better solution? It is "only" important to me that downloading and surfing is still possible while uploading at a good speed (should be around 12 KB/s).

Thanks!
-- 
Regards,
André

From przemolicc@poczta.fm Mon Jul 12 08:18:07 2004
From: przemolicc@poczta.fm (przemolicc@poczta.fm)
Date: Mon, 12 Jul 2004 09:18:07 +0200
Subject: [LARTC] the "cisco vs. Linux" thread
In-Reply-To: <40EDC03A.2040804@erkert.com>
References: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> <40ED715D.8010904@unet.edu.ve> <20040708193300.GA30890@mabeys.dsl.aros.net> <40EDC03A.2040804@erkert.com>
Message-ID: <20040712071807.GB2939@przemek.pgf.com.pl>

On Thu, Jul 08, 2004 at 02:44:26PM -0700, Nicholas Erkert wrote:
> On a side note has anyone built a linux router with dual/quad port
> ethernet cards (ie Intel PRO/1000 MT Quad Port Server Adapter)?

I have built a linux router with quad D-Link DFE-580TX nics. It works like a charm and is routing between four local LANs. But had to use a kernel patch for those cards because the in-kernel driver wasn't good enough.

przemol

From lists@wildgooses.com Mon Jul 12 08:50:49 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Mon, 12 Jul 2004 08:50:49 +0100
Subject: [LARTC] Traffic shaping: upload should not hurt download
In-Reply-To: <20040712092913.00000db0@ANDRE>
References: <20040712092913.00000db0@ANDRE>
Message-ID: <40F242D9.9090002@wildgooses.com>

>So do you have any ideas how to optimize the above script or do you know
>a better solution? It is "only" important to me that downloading and
>surfing is still possible while uploading at a good speed (should be
>around 12 KB/s).
>
>

Yes, it's easily possible. Why not try to start from one of the following scripts (which are very good)? I prefer the first for most home applications.

http://digriz.org.uk/jdg-qos-script/
http://www.metamorpher.de/fairnat/

From abz@frogfoot.net Mon Jul 12 09:15:57 2004
From: abz@frogfoot.net (Abraham van der Merwe)
Date: Mon, 12 Jul 2004 10:15:57 +0200
Subject: [LARTC] the "cisco vs.
Linux" thread In-Reply-To: <20040712071807.GB2939@przemek.pgf.com.pl> References: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> <40ED715D.8010904@unet.edu.ve> <20040708193300.GA30890@mabeys.dsl.aros.net> <40EDC03A.2040804@erkert.com> <20040712071807.GB2939@przemek.pgf.com.pl> Message-ID: <20040712081557.GA717@oasis.frogfoot.net>

Hi przemolicc

>@2004.07.12_09:18:07_+0200
> > On a side note has anyone built a linux router with dual/quad port
> > ethernet cards (ie Intel PRO/1000 MT Quad Port Server Adapter)?
>
> I have built a linux router with quad D-Link DFE-580TX nics.
> It works like a charm and is routing between four
> local LANs. But had to use kernel patch for those
> cards because in-kernel driver wasn't good enough.

Could you please post a link to the driver for that nic?

-- 
Regards
Abraham

TODAY the Pond! TOMORROW the World!
-- Frogs (1972)
___________________________________________________
Abraham vd Merwe - Frogfoot Networks CC
1st Floor, Albion Springs, 183 Main Road, Newlands
Phone: +27 21 689 3876 Cell: +27 82 565 4451
Http: http://www.frogfoot.net/ Email: abz@frogfoot.net

From princenux79@yahoo.com Mon Jul 12 09:27:03 2004 From: princenux79@yahoo.com (Furin Ongko) Date: Mon, 12 Jul 2004 01:27:03 -0700 (PDT) Subject: [LARTC] Please help... classical problem Message-ID: <20040712082703.6818.qmail@web52404.mail.yahoo.com>

Hello all.. I'm a newbie in LARTC... And I realize that my problem is a classical problem on this LARTC mailing list..... So if anyone doesn't mind.. please help me with this...
Situation:

LAN --> Gateway <-- Internet
10.0.0.0/8 --> eth0 eth1 <-- 20.0.0.0/8

Linux Box: RedHat 8.0
/sbin/tc size is +- 700 kb

#NAT to all computer to access the internet
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j MASQUERADE

# partly copy from : http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
tc qdisc add dev eth0 root handle 1: htb default 12
tc class add dev eth0 parent 1: classid 1:1 htb rate 100kbps
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 30kbps
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 10kbps
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 60kbps

# i want to filter all ftp activity to get a slower bandwidth
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 10.0.0.0/8 match ip dport 20 0xffff flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 10.0.0.0/8 match ip sport 20 0xffff flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 10.0.0.0/8 match ip dport 21 0xffff flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 10.0.0.0/8 match ip sport 21 0xffff flowid 1:10

# i read in docum.org that source and destination should be written in hex
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 10.0.0.0/8 match ip dport 14 0xffff flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 10.0.0.0/8 match ip sport 14 0xffff flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 10.0.0.0/8 match ip dport 15 0xffff flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 10.0.0.0/8 match ip sport 15 0xffff flowid 1:10

I have tried this script... and the result is that the script is not doing what I want it to do. FTP is running at the default bandwidth, 60kbps, not 30 kbps. Can anyone help me? What is wrong with this configuration?

From przemolicc@poczta.fm Mon Jul 12 09:39:09 2004 From: przemolicc@poczta.fm (przemolicc@poczta.fm) Date: Mon, 12 Jul 2004 10:39:09 +0200 Subject: [LARTC] the "cisco vs. Linux" thread In-Reply-To: <20040712081557.GA717@oasis.frogfoot.net> References: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> <40ED715D.8010904@unet.edu.ve> <20040708193300.GA30890@mabeys.dsl.aros.net> <40EDC03A.2040804@erkert.com> <20040712071807.GB2939@przemek.pgf.com.pl> <20040712081557.GA717@oasis.frogfoot.net> Message-ID: <20040712083909.GD2939@przemek.pgf.com.pl>

On Mon, Jul 12, 2004 at 10:15:57AM +0200, Abraham van der Merwe wrote:
> Hi przemolicc
>
> >@2004.07.12_09:18:07_+0200
> > > On a side note has anyone built a linux router with dual/quad port
> > > ethernet cards (ie Intel PRO/1000 MT Quad Port Server Adapter)?
> >
> > I have built a linux router with quad D-Link DFE-580TX nics.
> > It works like a charm and is routing between four
> > local LANs. But had to use kernel patch for those
> > cards because in-kernel driver wasn't good enough.
>
> Could you please post a link to the driver for that nic?

This is part of a header:

/* These identify the driver base version and may not be removed. */
static const char version1[] =
"sundance.c:v1.11 2/4/2003 Written by Donald Becker \n";
static const char version2[] =
" http://www.scyld.com/network/sundance.html\n";
/* Updated to recommendations in pci-skeleton v2.12. */

przemol

From thomaskrad@mycomax.com Mon Jul 12 09:51:49 2004 From: thomaskrad@mycomax.com (Thomas Kotze RAD) Date: Mon, 12 Jul 2004 10:51:49 +0200 Subject: [LARTC] ebtables and HTB bandwidth shaping - change frame or packet sizes Message-ID: <0bbc01c467ed$77f8f150$08010a0a@thomas>

Hallo

I have recently implemented a Fedora core 2 Linux box with ebtables and HTB for doing some traffic shaping.

What I would like to know is if there is some way to change the packet or frame sizes of the traffic that passes through this type of system. If I understand correctly this will also help with the bandwidth, maybe not on throughput but definitely on continuous throughput if the data line is running at 99% utilization.

We had a demo on our data line with a system called Packeteer, and it seems as if this product intercepts the packet and changes the packet or frame size, and therefore the traffic will not hog the bandwidth that easily. This however is a very expensive product, and if one can do it on Linux, why not?

I have more or less the same queues set up as was the case for the Packeteer demo, and currently I do not see as big a change as with Packeteer.

Can someone give me some advice and, if at all possible, give me an indication of how to go about doing this.

Groete / Regards
Thomas

From przemolicc@poczta.fm Mon Jul 12 10:33:04 2004 From: przemolicc@poczta.fm (przemolicc@poczta.fm) Date: Mon, 12 Jul 2004 11:33:04 +0200 Subject: [LARTC] the "cisco vs. 
Linux" thread In-Reply-To: <20040712085656.GA1356@oasis.frogfoot.net> References: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> <40ED715D.8010904@unet.edu.ve> <20040708193300.GA30890@mabeys.dsl.aros.net> <40EDC03A.2040804@erkert.com> <20040712071807.GB2939@przemek.pgf.com.pl> <20040712081557.GA717@oasis.frogfoot.net> <20040712083909.GD2939@przemek.pgf.com.pl> <20040712085656.GA1356@oasis.frogfoot.net> Message-ID: <20040712093304.GA3943@przemek.pgf.com.pl>

On Mon, Jul 12, 2004 at 10:56:56AM +0200, Abraham vd Merwe wrote:
> > This is part of a header:
> >
> > /* These identify the driver base version and may not be removed. */
> > static const char version1[] =
> > "sundance.c:v1.11 2/4/2003 Written by Donald Becker \n";
> > static const char version2[] =
> > " http://www.scyld.com/network/sundance.html\n";
> > /* Updated to recommendations in pci-skeleton v2.12. */
>
> That looks rather outdated. The link is stale and Donald Becker hasn't
> worked on network drivers in ages.

I don't remember the exact link. But you can look for the string "sundance.c:v1.11" in google.

Please don't send me a cc copy - I am on the list.

przemol

From lists@wildgooses.com Mon Jul 12 12:33:55 2004 From: lists@wildgooses.com (Ed Wildgoose) Date: Mon, 12 Jul 2004 12:33:55 +0100 Subject: [LARTC] ebtables and HTB bandwidth shaping - change frame or packet sizes In-Reply-To: <0bbc01c467ed$77f8f150$08010a0a@thomas> References: <0bbc01c467ed$77f8f150$08010a0a@thomas> Message-ID: <40F27723.3020803@wildgooses.com>

> What I would like to know is if there is some way to change the packet or
> frame sizes of the traffic that passes through this type of system. If I
> understand correctly this will also help with the bandwidth, maybe not on
> throughput but definitely on continuous throughput if the data line is
> running at 99% utilization.
>
> We had a demo on our data line with a system called packeteer, and it seems
> as if this product intercepts the packet and changes the packet or frame
> size and therefore the traffic will not hog the bandwidth that easily. This
> however is a very expensive product and if one can do it on Linux why not.

I'm not quite sure what you are asking for, but perhaps you mean fragmenting packets so that they are smaller (ie 5 small packets rather than 1 large one?)

The trick here is either to change every machine to have a lower MTU in your office (can be tedious), or look at using "MSS clamping". This is something that you can do in iptables. Search google, and I think in the LARTC for more details. There are other tricks you can do with MTU.

Packeteer is perhaps the premier product out there, but you should be able to do 90% of the same things with Linux, and for many cases far *more* than with packeteer. I think there are a few people who will offer paid support as well, so you are not necessarily disadvantaged here either.

Out of curiosity, what does a packeteer box set you back these days? My old firm was looking at buying one, I was thinking about bidding against them...

Ed W

From mike@superiorholidayadventures.ca Mon Jul 12 13:25:43 2004 From: mike@superiorholidayadventures.ca (Mike) Date: Mon, 12 Jul 2004 08:25:43 -0400 Subject: [LARTC] Layer 7 netfilter not working Message-ID:

Everyone,

Don't you mark on the inbound interface and shape on the outbound interface?

Mike Fetherston

> -----Original Message-----
> From: FB [mailto:register@flintz.de]
> Sent: Friday, July 09, 2004 1:11 PM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] Layer 7 netfilter not working
>
> Hello there!
>
> I am trying to get traffic shaping working on my Linux router (debian
> woody 3r02) and for some things I wanted to use the layer 7 packet
> classifier, but I can't get it to work.
> Here is what I did:
>
> -downloaded the patches from http://l7-filter.sourceforge.net
> -downloaded the kernel 2.6.7 source
> -downloaded the iptables 1.2.11 source
> -patched kernel (layer7 patch and some patch to get iptables 1.2.11
> working with kernel 2.6.7)
> -patched iptables
> -compiled iptables
> -activated layer 7 support in kernel-config (and a lot of other packet
> classifying options)
> -compiled and installed kernel
>
> Now I tried to mark some packets with layer 7 so that I can shape them
> with tc afterwards. But nothing changed, outgoing connections still
> didn't change. So I changed the line in the iptables-script to this:
>
> $IPTABLES -t filter -A OUTPUT -m layer7 --l7dir /etc/l7-protocols
> --l7proto ftp -j DROP
>
> before it was:
>
> $IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto ftp -j MARK
> --set-mark 322
>
> but neither of them worked (I could still connect over ftp). The
> /proc/net/layer7_numpackets is 08 (don't know which 8 packets got
> identified there, but the number is not going any higher).
>
> Any help is really appreciated!
>
> -FB
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From aravindforn@yahoo.co.in Mon Jul 12 13:52:51 2004 From: aravindforn@yahoo.co.in (Aravind babu) Date: Mon, 12 Jul 2004 13:52:51 +0100 (BST) Subject: [LARTC] Performance difference with HTB patch in 2.4.14 and without patch in 2.4.20 Message-ID: <20040712125251.28376.qmail@web8203.mail.in.yahoo.com>

Hi,

I am using a linux 2.4.14 box for my bandwidth management. I patched the kernel for HTB support. I think HTB comes by default with 2.4.20. My doubt is "Is there any performance difference between patched kernel i.e. 
2.4.14 and unpatched kernel 2.4.20 with respect to bandwidth management?"

Thanks in advance,
Aravind.

From icamargo@unet.edu.ve Mon Jul 12 15:33:04 2004 From: icamargo@unet.edu.ve (José Ildefonso Camargo Tolosa) Date: Mon, 12 Jul 2004 10:33:04 -0400 Subject: [LARTC] the "cisco vs. Linux" thread In-Reply-To: <20040710235801.28691.74947.Mailman@outpost.ds9a.nl> References: <20040710235801.28691.74947.Mailman@outpost.ds9a.nl> Message-ID: <40F2A120.5040702@unet.edu.ve>

Hi!

> Message: 9 Date: Sat, 10 Jul 2004 16:51:40 -0600 To: LARTC Mailing List Subject: Re: [LARTC] the "cisco vs. Linux" thread Reply-To: Glen.Mabey@usu.edu From: Glen Mabey
>
> On Fri, Jul 09, 2004 at 10:35:22AM -0400, Alfie Viechweg wrote:
>
>>> Regarding building your own router/switch. You might want to check out
>>> www.routerboard.com for a
>>> really reasonably priced 4 port NIC.
>
> I had no idea this type of board existed! (forgive my excitement)
>
> Alfie, have you used the Routerboard 230 or 240 products?
> Anyone else?
>
> Could anyone else recommend other manufacturers of this type of
> hardware: an embedded system board with
> * a couple of NICs
> * PCMCIA
> * runs linux

This one, and it's cheaper:

http://www.soekris.com/

you may want to check out:

http://www.netgate.com/ (good wireless stuff).

I'm trying to buy some of the soekris hardware, but still need to get some more money. :(

> Thanks --
> Glen
>
> --
> ******************************************************************
> Glen W. Mabey Glen.Mabey@usu.edu http://mabeys.homelinux.com/glen/
> ******************************************************************

From lists@wildgooses.com Mon Jul 12 16:48:48 2004 From: lists@wildgooses.com (Ed Wildgoose) Date: Mon, 12 Jul 2004 16:48:48 +0100 Subject: [LARTC] the "cisco vs. 
Linux" thread In-Reply-To: <40F2A120.5040702@unet.edu.ve> References: <20040710235801.28691.74947.Mailman@outpost.ds9a.nl> <40F2A120.5040702@unet.edu.ve> Message-ID: <40F2B2E0.3000103@wildgooses.com>

>> Alfie, have you used the Routerboard 230 or 240 products? Anyone else?
>>
>> Could anyone else recommend other manufacturers of this type of
>> hardware: an embedded system board with
>> * a couple of NICs
>> * PCMCIA
>> * runs linux
>
> This one, and it's cheaper:
>
> http://www.soekris.com/

Actually, I am really interested in this kind of hardware. But it's actually not really as cheap as it looks. (Bear in mind I am based in the UK so I am looking at the post-shipping price.)

Most of these tiny embedded devices need $20-30 for a power supply, and the same again for a case, and a bit of RAM... It looks like around £300 sterling to me all in. However, you can often pick up a bottom of the range Compaq/HP server for that price... (OK, not as small and neat!)

There are some really nice and neat little boxes, which would be good for a mid-priced box where you need the grunt.

...But for low end hardware it seems hard to beat the Linksys WRT54GS which is around £50 GBP from ebuyer.... This gets you 32MB and a 200MHz processor! (and 2 net cards, a small switch and a wireless radio!)

The "S" model is only starting to arrive in the UK so mine's on backorder, but I think it's easily available in the US?

Ed W

From icamargo@unet.edu.ve Mon Jul 12 17:01:32 2004 From: icamargo@unet.edu.ve (José Ildefonso Camargo Tolosa) Date: Mon, 12 Jul 2004 12:01:32 -0400 Subject: [LARTC] the "cisco vs. Linux" thread In-Reply-To: <40F2B2E0.3000103@wildgooses.com> References: <20040710235801.28691.74947.Mailman@outpost.ds9a.nl> <40F2A120.5040702@unet.edu.ve> <40F2B2E0.3000103@wildgooses.com> Message-ID: <40F2B5DC.9000307@unet.edu.ve>

Ed Wildgoose wrote:
>
>>> Alfie, have you used the Routerboard 230 or 240 products? Anyone else?
>>> Could anyone else recommend other manufacturers of this type of
>>> hardware: an embedded system board with
>>> * a couple of NICs
>>> * PCMCIA
>>> * runs linux
>>
>> This one, and it's cheaper:
>>
>> http://www.soekris.com/
>
> Actually, I am really interested in this kind of hardware. But it's
> actually not really as cheap as it looks. (Bear in mind I am based in
> the UK so I am looking post-shipping price)
>
> Most of these tiny embedded devices need $20-30 for a power supply, and same
> again for a case, and a bit of RAM... It looks like around £300

No, it has RAM on board (and some of them, flash memory), and the power supply is unregulated AC (read the specs), so you can buy it in your country.

> sterling to me all in. However, you can often pick up a bottom of the
> range Compaq/HP server for that price... (OK, not as small and neat!)
>
> There are some really nice and neat little boxes, which would be good
> for a mid-priced box where you need the grunt.
> ...But for low end hardware it seems hard to beat the Linksys WRT54GS
> which is around £50 GBP from ebuyer.... This gets you 32MB and a 200MHz
> processor! (and 2 net cards, a small switch and a wireless radio!)

I have used linksys (what a piece of crab), and I still prefer to buy a soekris card and a mini-PCI 802.11g card from netgate. I can install Linux on it, and get a very powerful router/firewall/vpn. And since I need it for outdoor mounting, I would buy a NEMA box.

Can you install Linux/OpenBSD/FreeBSD on it?

> The "S" model is only starting to arrive in the UK so mine's on
> backorder, but I think it's easily available in the US?
>
> Ed W

From icamargo@unet.edu.ve Sun Jul 11 19:48:35 2004 From: icamargo@unet.edu.ve (José Ildefonso Camargo Tolosa) Date: Sun, 11 Jul 2004 14:48:35 -0400 Subject: [LARTC] the "cisco vs. 
Linux" thread In-Reply-To: <20040710235801.28691.74947.Mailman@outpost.ds9a.nl> References: <20040710235801.28691.74947.Mailman@outpost.ds9a.nl> Message-ID: <40F18B83.8020604@unet.edu.ve>

Hi!

> Message: 9 Date: Sat, 10 Jul 2004 16:51:40 -0600 To: LARTC Mailing List Subject: Re: [LARTC] the "cisco vs. Linux" thread Reply-To: Glen.Mabey@usu.edu From: Glen Mabey
>
> On Fri, Jul 09, 2004 at 10:35:22AM -0400, Alfie Viechweg wrote:
>
>>> Regarding building your own router/switch. You might want to check out
>>> www.routerboard.com for a
>>> really reasonably priced 4 port NIC.
>
> I had no idea this type of board existed! (forgive my excitement)
>
> Alfie, have you used the Routerboard 230 or 240 products?
> Anyone else?
>
> Could anyone else recommend other manufacturers of this type of
> hardware: an embedded system board with
> * a couple of NICs
> * PCMCIA
> * runs linux

This one, and it's cheaper:

http://www.soekris.com/

you may want to check out:

http://www.netgate.com/ (good wireless stuff).

I'm trying to buy some of the soekris hardware, but still need to get some more money. :(

> Thanks --
> Glen
>
> --
> ******************************************************************
> Glen W. Mabey Glen.Mabey@usu.edu http://mabeys.homelinux.com/glen/
> ******************************************************************

From register@flintz.de Mon Jul 12 17:24:25 2004 From: register@flintz.de (FB) Date: Mon, 12 Jul 2004 18:24:25 +0200 Subject: [LARTC] Layer 7 netfilter not working In-Reply-To: <200407091702.05329.jasonb@edseek.com> References: <40EED18F.4050804@flintz.de> <200407091639.27425.jasonb@edseek.com> <40EF0552.8010602@wildgooses.com> <200407091702.05329.jasonb@edseek.com> Message-ID: <40F2BB39.6030300@flintz.de>

heya!

first thanks to all for your help. shaping is working now (not 100% but working).
This is why I didn't notice that it already worked: My settings were all correct, BUT when I establish for example an FTP connection from the router itself, it is somehow not shaped; however, for a connection over the router (from a computer inside the lan) the connection is shaped perfectly (with layer7).

So my question: Why do the layer7 rules only work with connections over the router but not from the router itself?

-FB

From mike@superiorholidayadventures.ca Mon Jul 12 18:46:09 2004 From: mike@superiorholidayadventures.ca (Mike) Date: Mon, 12 Jul 2004 13:46:09 -0400 Subject: [LARTC] Layer 7 netfilter not working Message-ID:

You may be marking on the ingress interface. Locally generated packets do not go through that NIC and therefore do not get marked. You would have to mark them on the INPUT chain of your egress interface.

Mike Fetherston

> -----Original Message-----
> From: FB [mailto:register@flintz.de]
> Sent: Monday, July 12, 2004 12:24 PM
> To: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Layer 7 netfilter not working
>
> heya!
> first thanks to all for your help. shaping is working now (not 100% but
> working).
> This is why I didn't notice that it already worked:
> My settings were all correct, BUT when I establish for example a FTP
> connection from the router itself, it is somehow not shaped, however a
> connection over the router (from a computer inside the lan) the
> connection is shaped perfectly (with layer7).
>
> So my question: Why do the layer7 rules only work with connections over
> the router but not from the router itself?
>
> -FB
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From lists@wildgooses.com Mon Jul 12 20:35:13 2004 From: lists@wildgooses.com (Ed Wildgoose) Date: Mon, 12 Jul 2004 20:35:13 +0100 Subject: [LARTC] Layer 7 netfilter not working In-Reply-To: <40F2BB39.6030300@flintz.de> References: <40EED18F.4050804@flintz.de> <200407091639.27425.jasonb@edseek.com> <40EF0552.8010602@wildgooses.com> <200407091702.05329.jasonb@edseek.com> <40F2BB39.6030300@flintz.de> Message-ID: <40F2E7F1.30801@wildgooses.com>

> So my question: Why do the layer7 rules only work with connections
> over the router but not from the router itself?

Look at your script and look at which interface you are shaping on. Most likely you are shaping on the interface which talks to the lan. So the stuff destined for the local machine never sees the shaper.

The only real solution is to add the IMQ device to the wan side and use this to effectively put something upstream of the machine that you can shape on.

From jasonb@edseek.com Mon Jul 12 19:58:43 2004 From: jasonb@edseek.com (Jason Boxman) Date: Mon, 12 Jul 2004 14:58:43 -0400 Subject: [LARTC] Layer 7 netfilter not working In-Reply-To: References: Message-ID: <200407121458.43070.jasonb@edseek.com>

On Monday 12 July 2004 13:46, Mike wrote:
> You may be marking on the ingress interface. Locally generated packets
> do not go through that NIC and therefore do not get marked. You would
> have to mark them on the INPUT chain of your egress interface.

Keeping in mind that INPUT doesn't see both sides of the connection, so some (many) L7 filters would fail.
> Mike Fetherston

From adamt@commspeed.net Mon Jul 12 21:48:16 2004 From: adamt@commspeed.net (Adam Towarnyckyj) Date: Mon, 12 Jul 2004 13:48:16 -0700 Subject: [LARTC] TC Hashing Filters In-Reply-To: <030001c4639e$4ec173a0$903113d8@uranus> Message-ID: <05fd01c46851$8ed41580$903113d8@uranus>

Hey all,

So I got the script to run and populate everything. I watch as the script uses the tc commands to add filters for each IP into their appropriate tables. After 2045 entries, it starts to give me a "File Exists" error. I've done extensive testing on the script and everything else to come to this same result. I also looked at how many entries were going into individual tables. It seems there are only 15-20 per table and this isn't a lot. So my question is: does the hash filter have a limit on the number of entries? I wouldn't believe so but I keep running into this problem. If this is the case, I guess I'll be looking for another alternative.

Thanks!
Adam Towarnyckyj

From register@flintz.de Mon Jul 12 23:53:14 2004 From: register@flintz.de (FB) Date: Tue, 13 Jul 2004 00:53:14 +0200 Subject: [LARTC] Layer 7 netfilter not working In-Reply-To: References: Message-ID: <40F3165A.80701@flintz.de>

> You may be marking on the ingress interface. Locally generated packets
> do not go through that NIC and therefore do not get marked. You would
> have to mark them on the INPUT chain of your egress interface.
>
> Mike Fetherston

That's the line in my iptables-script:

$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto ftp -j MARK --set-mark 322

Any suggestion how to modify it?
(-A INPUT doesn't work, no shaping anymore at all, when I put this)

-FB

From aravindforn@yahoo.co.in Mon Jul 12 17:52:28 2004 From: aravindforn@yahoo.co.in (Aravind babu) Date: Mon, 12 Jul 2004 17:52:28 +0100 (BST) Subject: [LARTC] Performance difference with HTB patch in 2.4.14 and without patch in 2.4.20 Message-ID: <20040712165228.5995.qmail@web8206.mail.in.yahoo.com>

Hi,

I am using a linux 2.4.14 box for my bandwidth management. I patched the kernel for HTB support. I think HTB comes by default with 2.4.20. My doubt is "Is there any performance difference between the patched kernel, i.e. 2.4.14, and the unpatched kernel 2.4.20 with respect to bandwidth management?"

Thanks in advance,
Aravind.

From gypsy@iswest.com Tue Jul 13 02:23:34 2004 From: gypsy@iswest.com (gypsy) Date: Mon, 12 Jul 2004 18:23:34 -0700 Subject: [LARTC] TC Hashing Filters References: <05fd01c46851$8ed41580$903113d8@uranus> Message-ID: <40F33996.4DCD8CA3@iswest.com>

Adam Towarnyckyj wrote:
>
> Hey all,
> So I got the script to run and populate everything. I watch as
> the script uses the tc commands to add filters for each IP into their
> appropriate tables. After 2045 entries, it starts to give me a "File
> Exists" error. I've done extensive testing on the script and everything

COMMENT: Why is it that everyone who has a bad script does not post (even a snip of) it?

The limit is 65536. If you don't get the significance of that, it means the numbers are hex and you're trying to make 'em be decimal. Go read docum.org.

From lists@wildgooses.com Tue Jul 13 08:22:08 2004 From: lists@wildgooses.com (Ed Wildgoose) Date: Tue, 13 Jul 2004 08:22:08 +0100 Subject: [LARTC] the "cisco vs. Linux" thread In-Reply-To: <40F2B2E0.3000103@wildgooses.com> References: <20040710235801.28691.74947.Mailman@outpost.ds9a.nl> <40F2A120.5040702@unet.edu.ve> <40F2B2E0.3000103@wildgooses.com> Message-ID: <40F38DA0.7020702@wildgooses.com>

I just saw a post on the wrt54g yahoo list which was quite interesting. It's mainly a list of tiny routers, but at the bottom they list some of the other boards like those being discussed here:

http://www.seattlewireless.net/index.cgi/HardwareComparison

The main page here is where I came in. I'm interested in getting a Linksys wrt54gs first for testing. Looks like a 200MHz processor with 32MB ram that runs a linux distro. You can install pretty much what you want, although bear in mind it's a mips architecture.
http://www.seattlewireless.net/index.cgi/LinksysWrt54g

From sxt85@case.edu Tue Jul 13 11:01:19 2004 From: sxt85@case.edu (Sipat Triukose) Date: Tue, 13 Jul 2004 06:01:19 -0400 Subject: [LARTC] Data collection in Linux TC queue Message-ID: <1089712879.3443.7.camel@localhost.localdomain>

Dear All,

Would you guys have any advice concerning how to get some data like queue length, pkt size, and so forth, from the running queue?

Right now, I modified the queue disc to print out some info I want using printk() and use syslogd to catch that info. The problem is, in bursts, syslogd can't catch all the msgs the queue sends out.

Are there any standard or better ways to collect that info from the queue disc?

Thank you very much in advance for any advice.

-- 
Sipat Triukose
Case Western Reserve University

From util@deuroconsult.ro Tue Jul 13 11:13:11 2004 From: util@deuroconsult.ro (Catalin BOIE) Date: Tue, 13 Jul 2004 13:13:11 +0300 (EEST) Subject: [LARTC] Data collection in Linux TC queue In-Reply-To: <1089712879.3443.7.camel@localhost.localdomain> References: <1089712879.3443.7.camel@localhost.localdomain> Message-ID:

> Dear All,
>
> Would you guy have any advices concerning how to get some data like
> queue length, pkt size, and so forth, from the running queue.

Queue len, bytes, bps, pps, packets can be obtained by using libnetlink. What do you mean by "pkt size"? An average or something for every packet?

>
> Right now, I modified the queue disc to print out some info I want using
> printk() and use syslogd to catch those info up. The problem is, in
> burst, syslogd can't catch all the msg the queue sent out.
>
> Are there any standard or better way to collect those info from the
> queue disc ?
>
> Thank you very much in advance for every advices.
> > -- > Sipat Triukose > Case Western Reserve University > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > --- Catalin(ux aka Dino) BOIE catab at deuroconsult.ro http://kernel.umbrella.ro/ From sxt85@case.edu Tue Jul 13 11:41:52 2004 From: sxt85@case.edu (Sipat Triukose) Date: Tue, 13 Jul 2004 06:41:52 -0400 Subject: [LARTC] Data collection in Linux TC queue In-Reply-To: References: <1089712879.3443.7.camel@localhost.localdomain> Message-ID: <1089715312.3443.13.camel@localhost.localdomain> Dear Catalin BOIE, Thank you very much for your advice. I might want to collect pkt size of all pkt ever enqueue during a period of time. Would you mind please give me more detail regarding how to use "libnetlink" or direct me to any helpful sources. Thank you very much. On Tue, 2004-07-13 at 06:13, Catalin BOIE wrote: > > Dear All, > > > > Would you guy have any advices concerning how to get some data like > > queue length, pkt size, and so forth, from the running queue. > > Queue len, bytes, bps, pps, packets can be obtain by using libnetlink. > What do you mean by "pkt size"? An average or something for every packet? > > > > > Right now, I modified the queue disc to print out some info I want using > > printk() and use syslogd to catch those info up. The problem is, in > > burst, syslogd can't catch all the msg the queue sent out. > > > > Are there any standard or better way to collect those info from the > > queue disc ? > > > > Thank you very much in advance for every advices. 
> > > > -- > > Sipat Triukose > > Case Western Reserve University > > > > _______________________________________________ > > LARTC mailing list / LARTC@mailman.ds9a.nl > > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > > > > --- > Catalin(ux aka Dino) BOIE > catab at deuroconsult.ro > http://kernel.umbrella.ro/ -- Sipat Triukose Case Western Reserve University From util@deuroconsult.ro Tue Jul 13 11:49:36 2004 From: util@deuroconsult.ro (Catalin BOIE) Date: Tue, 13 Jul 2004 13:49:36 +0300 (EEST) Subject: [LARTC] Data collection in Linux TC queue In-Reply-To: <1089715312.3443.13.camel@localhost.localdomain> References: <1089712879.3443.7.camel@localhost.localdomain> <1089715312.3443.13.camel@localhost.localdomain> Message-ID: On Tue, 13 Jul 2004, Sipat Triukose wrote: > Dear Catalin BOIE, > > Thank you very much for your advice. I might want to collect pkt size of > all pkt ever enqueue during a period of time. Would you mind please give > me more detail regarding how to use "libnetlink" or direct me to any > helpful sources. Thank you very much. You can check out last iproute2 sources. http://developer.osdl.org/dev/iproute2/ > > > On Tue, 2004-07-13 at 06:13, Catalin BOIE wrote: >>> Dear All, >>> >>> Would you guy have any advices concerning how to get some data like >>> queue length, pkt size, and so forth, from the running queue. >> >> Queue len, bytes, bps, pps, packets can be obtain by using libnetlink. >> What do you mean by "pkt size"? An average or something for every packet? >> >>> >>> Right now, I modified the queue disc to print out some info I want using >>> printk() and use syslogd to catch those info up. The problem is, in >>> burst, syslogd can't catch all the msg the queue sent out. >>> >>> Are there any standard or better way to collect those info from the >>> queue disc ? >>> >>> Thank you very much in advance for every advices. 
>>> >>> -- >>> Sipat Triukose >>> Case Western Reserve University >>> >>> _______________________________________________ >>> LARTC mailing list / LARTC@mailman.ds9a.nl >>> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ >>> >> >> --- >> Catalin(ux aka Dino) BOIE >> catab at deuroconsult.ro >> http://kernel.umbrella.ro/ > -- > Sipat Triukose > Case Western Reserve University > --- Catalin(ux aka Dino) BOIE catab at deuroconsult.ro http://kernel.umbrella.ro/

From alfie@syncompute.net Tue Jul 13 12:49:16 2004 From: alfie@syncompute.net (Alfie Viechweg) Date: Tue, 13 Jul 2004 07:49:16 -0400 Subject: [LARTC] the "cisco vs. Linux" thread In-Reply-To: <20040710225140.GA17983@mabeys.dsl.aros.net> References: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> <40ED715D.8010904@unet.edu.ve> <20040708193300.GA30890@mabeys.dsl.aros.net> <40EDC03A.2040804@erkert.com> <40EEAD2A.7030300@syncompute.net> <20040710225140.GA17983@mabeys.dsl.aros.net> Message-ID: <40F3CC3C.7050602@syncompute.net>

I haven't tried routerboard as yet. Seems like one of the most cost-effective ways to add more ports to your own switch/router/brouter device. Another, probably more complicated, way is to use a USB hub, multiport USB card or the ports built into your PC with USB ethernet devices. The USB ethernet devices are quite expensive compared to plain ethernet - even gigabit - but if you use an embedded board or a micro ATX with a shortage of slots this is a solution for getting up to a staggering 128 ethernet ports - in theory. Wireless USB would make things even more interesting in this arena.

From lists@wildgooses.com Tue Jul 13 14:44:49 2004 From: lists@wildgooses.com (Ed Wildgoose) Date: Tue, 13 Jul 2004 14:44:49 +0100 Subject: [LARTC] the "cisco vs.
Linux" thread In-Reply-To: <40F3CC3C.7050602@syncompute.net> References: <20040708145003.7275.46237.Mailman@outpost.ds9a.nl> <40ED715D.8010904@unet.edu.ve> <20040708193300.GA30890@mabeys.dsl.aros.net> <40EDC03A.2040804@erkert.com> <40EEAD2A.7030300@syncompute.net> <20040710225140.GA17983@mabeys.dsl.aros.net> <40F3CC3C.7050602@syncompute.net> Message-ID: <40F3E751.4020806@wildgooses.com> > Another probably more complicated way is to use a USB hub, multiport > USB card or the ports built into > your PC with USB ethernet devices. USB 1 has a 12 Mbit bandwidth though. And you won't be able to use all of that in practice either. USB 2 is a lot higher, several hundred mbits, but again you will probably find it hard to completely saturate it. USB drivers also tend to be nasty and flaky in my experience... Should get better in time though. Now a motherboard with several gigabit connections in the southbridge, or perhaps even multiple PCI Express interfaces... Now you would be talking about something cheap that could knock even a top end CISCO sideways...! Some of these new Asus P4 boards look extremely close now. P.S. Doesn't look that hot, but no one mentioned the "open brick" yet as a possibility From adamt@commspeed.net Tue Jul 13 18:45:08 2004 From: adamt@commspeed.net (Adam Towarnyckyj) Date: Tue, 13 Jul 2004 10:45:08 -0700 Subject: [LARTC] TC Hashing Filters In-Reply-To: <40F33996.4DCD8CA3@iswest.com> Message-ID: <065d01c46901$23a8df10$903113d8@uranus> First off, no need to be rude. I read the documentation; I just missed the number limit. Second, I know it's in hex and that's what I'm using. Third, the script is rather large. I didn't want to post even a snippet because it is so big. 
But, if that's what you require in order to give me some advice, then here it is:

Action("$tc qdisc del dev $dev root");
Action("$tc qdisc add dev $dev root handle 1:0 cbq bandwidth 200mbit avpkt 1000");

# Create 'transit class', tc hash tables, and hash filter

Action("$tc class add dev $dev parent 1: classid 1:2 cbq bandwidth 200Mbit rate 200MBit allot 1514 weight 2Mbit prio 8 maxburst 20 avpkt 1000");
Action("$tc filter add dev $dev parent 1: handle 2: protocol ip u32 divisor 256");
Action("$tc filter add dev $dev protocol ip parent 1: u32 match ip dst 0.0.0.0/0 hashkey mask 0x000000ff at 16 link 2:");

# Create classes for rate groups

@RATES = SelectSQL("SELECT dsrate FROM dsrate");
my $classid = 3;
foreach $dsrate (@RATES) {
    $ds = $$dsrate{dsrate};
    if ($ds == "0" || $ds == "1") {
        next;
    }
    Action("$tc class add dev eth1 parent 1: classid 1:$classid cbq bandwidth 200Mbit rate $$dsrate{dsrate}Kbit allot 1514 prio 5 maxburst 20 avpkt 1000 bounded");
    $rates{$ds} = $classid;
    $classid++;
}

# Get our list of accounts

@MODEMS = SelectSQL("SELECT mid, dsrate FROM modems");

$z = 0;
# Figure out account IPs and put 'em in!
foreach $modem (@MODEMS) {
    if ($$modem{dsrate} == "0" || $$modem{dsrate} == "1") {
        next;
    }
    my @COMPUTERS = SelectSQL("SELECT ipid FROM computers WHERE mid='$$modem{mid}'");
    foreach $computer (@COMPUTERS) {
        my $ip = SelectSingleSQL("SELECT ipaddr FROM ips WHERE ipid='$$computer{ipid}'");
        @octets = split(/\./,$ip);
        $table = $octets[3];
        $table = sprintf("%X", $table);
        $classid = $rates{$$modem{dsrate}};
        Action("$tc filter add dev $dev protocol ip parent 1: u32 ht 2:$table: match ip dst $ip flowid 1:$classid");
        $z++;
        print "$z\n";
    }
}

"Action" is a sub that performs a system action and reports errors to another sub. "SelectSQL" is a sub that performs a sql query to our database.
COMMENT: Why is it whenever anyone new posts a question to a list even after reading through the documentation, someone always has to jump down his throat instead of being helpful and kind? This is a mailing list which was created so people can ask questions and get a helpful response from a community. I have been nothing but nice to everyone here and I am really grateful for all the help that has been provided so far. Instead of barking at people, simply stating that you require a snippet of code and providing an answer would be much more helpful and wouldn't cause people like me to bark back which is surely going to cause an argument between us. Thanks again! Adam Towarnyckyj -----Original Message----- From: gypsy [mailto:gypsy@iswest.com] Sent: Monday, July 12, 2004 6:24 PM To: adamt@commspeed.net; LARTC Subject: Re: [LARTC] TC Hashing Filters Adam Towarnyckyj wrote: > > Hey all, > So I got the script to run and populate everything. I watch as > the script uses the tc commands to add filters for each IP into their > appropriate tables. After 2045 entries, it starts to give me a "File > Exists" error. I've done extensive testing on the script and everything COMMENT: Why is it that everyone who has a bad script does not post (even a snip of) it? The limit is 65536. If you don't get the significance of that, it means the numbers are hex and you're trying to make 'em be decimal. Go read docum.org. From mike@superiorholidayadventures.ca Tue Jul 13 18:51:43 2004 From: mike@superiorholidayadventures.ca (Mike) Date: Tue, 13 Jul 2004 13:51:43 -0400 Subject: [LARTC] Layer 7 netfilter not working Message-ID: Add -i eth0 if eth0 is your outward facing interface, you may also have to place the mark in PREROUTING. It's been a while since I fiddled and am kind of fuzzy ATM about iptables packet traversal. Mike. 
> -----Original Message----- > From: FB [mailto:register@flintz.de] > Sent: Monday, July 12, 2004 6:53 PM > To: Mike > Cc: lartc@mailman.ds9a.nl > Subject: Re: [LARTC] Layer 7 netfilter not working >=20 > > You may be marking on the ingress interface. Locally generated packets > > do not go through that NIC and therefore do not get marked. You would > > have to mark them on the INPUT chain of your egress interface. > > > > Mike Fetherston >=20 > Thats the line in my iptables-skript: > $IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto ftp -j MARK > --set-mark 322 >=20 > Any suggestion how to modify it? > (-A INPUT doesn't work, no shaping anymore at all, when I put this) >=20 > -FB > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ From util@deuroconsult.ro Wed Jul 14 06:57:54 2004 From: util@deuroconsult.ro (Catalin BOIE) Date: Wed, 14 Jul 2004 08:57:54 +0300 (EEST) Subject: [LARTC] TC Hashing Filters In-Reply-To: <065d01c46901$23a8df10$903113d8@uranus> References: <065d01c46901$23a8df10$903113d8@uranus> Message-ID: On Tue, 13 Jul 2004, Adam Towarnyckyj wrote: > First off, no need to be rude. I read the documentation; I just missed > the number limit. > Second, I know it's in hex and that's what I'm using. > Third, the script is rather large. I didn't want to post even a snippet > because it is so big. But, if that's what you require in order to give > me some advice, then here it is: Show me the command that fails. 
> > Action("$tc qdisc del dev $dev root"); > Action("$tc qdisc add dev $dev root handle 1:0 cbq bandwidth 200mbit > avpkt 1000"); > > # Create 'transit class', tc hash tables, and hash filter > > Action("$tc class add dev $dev parent 1: classid 1:2 cbq bandwidth > 200Mbit rate 200MBit allot 1514 weight 2Mbit prio 8 maxburst 20 avpkt > 1000"); > Action("$tc filter add dev $dev parent 1: handle 2: protocol ip u32 > divisor 256"); > Action("$tc filter add dev $dev protocol ip parent 1: u32 match ip dst > 0.0.0.0/0 hashkey mask 0x000000ff at 16 link 2:"); > > # Create classes for rate groups > > @RATES = SelectSQL("SELECT dsrate FROM dsrate"); > my $classid = 3; > foreach $dsrate (@RATES) { > $ds = $$dsrate{dsrate}; > if ($ds == "0" || $ds == "1") { > next; > } > Action("$tc class add dev eth1 parent 1: classid 1:$classid cbq > bandwidth 200Mbit rate $$dsrate{dsrate}Kbit allot 1514 prio 5 maxburst > 20 avpkt 1000 bounded"); > $rates{$ds} = $classid; > $classid++; > } > > # Get our list of accounts > > @MODEMS = SelectSQL("SELECT mid, dsrate FROM modems"); > > $z = 0; > # Figure out account IPs and put 'em in! > foreach $modem (@MODEMS) { > if ($$modem{dsrate} == "0" || $$modem{dsrate} == "1") { > next; > } > my @COMPUTERS = SelectSQL("SELECT ipid FROM computers WHERE > mid='$$modem{mid}'"); > foreach $computer (@COMPUTERS) { > my $ip = SelectSingleSQL("SELECT ipaddr FROM ips WHERE > ipid='$$computer{ipid}'"); > @octets = split(/\./,$ip); > $table = $octets[3]; > $table = sprintf("%X", $table); > $classid = $rates{$$modem{dsrate}}; > Action("$tc filter add dev $dev protocol ip parent 1: > u32 ht 2:$table: match ip dst $ip flowid 1:$classid"); > $z++; > print "$z\n"; > } > } > > "Action" is a sub that performs a system action and reports errors to > another sub. > "SelectSQL" is a sub that performs a sql query to our database. 
> > COMMENT: Why is it whenever anyone new posts a question to a list even > after reading through the documentation, someone always has to jump down > his throat instead of being helpful and kind? This is a mailing list > which was created so people can ask questions and get a helpful response > from a community. I have been nothing but nice to everyone here and I am > really grateful for all the help that has been provided so far. Instead > of barking at people, simply stating that you require a snippet of code > and providing an answer would be much more helpful and wouldn't cause > people like me to bark back which is surely going to cause an argument > between us. > > Thanks again! > Adam Towarnyckyj > > > -----Original Message----- > From: gypsy [mailto:gypsy@iswest.com] > Sent: Monday, July 12, 2004 6:24 PM > To: adamt@commspeed.net; LARTC > Subject: Re: [LARTC] TC Hashing Filters > > Adam Towarnyckyj wrote: >> >> Hey all, >> So I got the script to run and populate everything. I watch as >> the script uses the tc commands to add filters for each IP into their >> appropriate tables. After 2045 entries, it starts to give me a "File >> Exists" error. I've done extensive testing on the script and > everything > > COMMENT: Why is it that everyone who has a bad script does not post > (even a snip of) it? > > The limit is 65536. > > If you don't get the significance of that, it means the numbers are hex > and you're trying to make 'em be decimal. Go read docum.org. > > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > --- Catalin(ux aka Dino) BOIE catab at deuroconsult.ro http://kernel.umbrella.ro/ From verycoldpenguin@hotmail.com Wed Jul 14 10:54:40 2004 From: verycoldpenguin@hotmail.com (Gareth Glaccum) Date: Wed, 14 Jul 2004 09:54:40 +0000 Subject: [LARTC] tcng/tc setup Message-ID: Hi all, Can someone please help with a tcng setup? 
I have played with tc and tcng in the past, and now would like to get some serious rules in place. However, I have a difficulty in setting them up.

My setup is as follows: One machine working as a firewall:
eth0 is the interface connected to a 512K DSL line
eth1 is connected to a LAN
eth2 is connected to another LAN, a bit like a DMZ
eth1 and 2 are totally different subnets, 10.1.1.x and 10.2.1.x both class B, (sorry, this is a system I inherited, I am slowly getting ready to collapse it all to class C).

I wanted to set the following rules:
High priority data needs to be some ssh from 10.1.1.x/16 (all) to external IPs.
Priority is to be given to data going to 10.1.1.x/16 over the DMZ data. Input is 55KB/s, output is 25KB/s
To the DMZ from the LAN, there should be no throttling.
To the LAN from the DMZ, there should be no throttling. (100Mbs/s)
SSH data should be given priority over HTTP
SMTP should be given priority over HTTP
HTTP is given priority over anything else

Interfaces,
eth0, 512Kb/s input, 256 Kb/s output
eth1, 100Mb/s each way
eth2, 100Mb/s each way

And I wrote out some rules. These rules seem to be correct, as far as I can tell, but I stupidly forgot that this is all egress, and it cannot be done as easily with ingress. Can someone please help by showing me how I can modify these to give me control over the bandwidth in (albeit limited) as well as out? Also could someone explain how I can easily write flows to test all of the possible traffic I might be experiencing?

My aim is, that any normal ssh to any machine, whether coming from the DMZ to the internet, or from the LAN to the internet, should get at least 2KB/s low-latency traffic each, even if other machines or other connections are being made in the background. I am wondering whether my first qdisc should in fact be an SFQ and then HTBs below it? All help will be gratefully received.
Thank you, Gareth

----- Start long probably incorrect tcng code
(I have left out the ingress code I had, because it didn't work at all, and I didn't understand any of it)

#define INTERNET eth0
#define LAN eth1
#define DMZ eth2
#define INTERNET_IP 0.0.0.0/0
#define DMZ_IP 10.2.1.0/16
#define LAN_IP 10.1.1.0/16
#define maxadsl 600kbps/2
#define highadsl 500kbps/2
#define medadsl 400kbps/2
#define midadsl 300kbps/2
#define lowadsl 200kbps/2
#define intadsl 150kbps/2
#define vloadsl 100kbps/2
#define noadsl 50kbps/2

dev INTERNET {
    $meter = trTCM( cir 128kbps, cbs 10kB, pir 200kbps, pbs 10 kB );
    egress {
        class(<$lanssh>) if tcp_sport == 22 || tcp_dport == 22 if ip_src == LAN_IP || ip_dst == LAN_IP;
        class(<$dmzssh>) if tcp_sport == 22 || tcp_dport == 22 if ip_src == DMZ_IP || ip_dst == DMZ_IP;
        class(<$ssh>) if tcp_sport == 22 || tcp_dport == 22 if ip_tos_delay==1 ;
        class(<$smtp>) if tcp_sport == 25 || tcp_dport == 25;
        class(<$lanhttp>) if tcp_sport == 80 || tcp_dport == 80 if ip_src == LAN_IP || ip_dst == LAN_IP;
        class(<$dmzhttp>) if tcp_sport == 80 || tcp_dport == 80 if ip_src == DMZ_IP || ip_dst == DMZ_IP;
        class(<$http>) if tcp_sport == 80 || tcp_dport == 80;
        class(<$othermed>) if trTCM_green( $meter);
        class(<$otherslow>) if trTCM_yellow( $meter);
        drop if trTCM_red ( $meter);
        class(<$otherslow>) if 1;
        drop if 1;

        htb(){
            class ( rate maxadsl, ceil maxadsl){
                $ssh = class ( rate medadsl, ceil highadsl) {
                    $lanssh = class ( rate midadsl , ceil medadsl){ sfq ( perturb 10 sec );};
                    $dmzssh = class (rate vloadsl, ceil lowadsl){ sfq ( perturb 10 sec );};
                };
                $smtp = class ( rate midadsl, ceil highadsl) {sfq ( perturb 10 sec );};
                $http = class ( rate lowadsl, ceil highadsl) {
                    $lanhttp = class (rate lowadsl , ceil highadsl) {sfq ( perturb 10 sec );};
                    $dmzhttp = class (rate lowadsl, ceil highadsl) {sfq ( perturb 10 sec );};
                };
                $othermed = class ( rate lowadsl, ceil medadsl) {sfq ( perturb 10 sec );};
                $otherslow = class ( rate noadsl, ceil intadsl) {sfq ( perturb 10 sec );};
            }
        }
    }
}
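The setup Gareth describes, written as plain tc plus iptables marks (the route Jason suggests in his reply) rather than tcng. This is an added example, not Gareth's code nor any script posted in the thread: htb is the root qdisc, every leaf class carries its own sfq (sfq is classless, so it cannot hold the htb classes beneath it), and the downstream side is the plain ingress policer from the LARTC HOWTO. Interface and subnet names come from the post; the rates, marks, class ids and the 480kbit policing figure are illustrative assumptions. With DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not Gareth's tcng nor any script posted in the thread: the
# policy above expressed as plain tc plus iptables marks. htb is the root
# qdisc, each leaf class carries its own sfq (sfq is classless and cannot hold
# htb classes beneath it), and the downstream side is a plain ingress policer.
# Interface and subnet names come from the post; rates, marks and class ids
# are illustrative assumptions. DRY_RUN=1 (the default) only prints commands.
DRY_RUN="${DRY_RUN:-1}"
INTERNET=eth0
LAN_IP=10.1.0.0/16        # the post says 10.1.1.x/16; the /16 network address is 10.1.0.0
DMZ_IP=10.2.0.0/16
UP=256kbit                # eth0 output rate from the post
DOWN_POLICE=480kbit       # just under the 512 kbit/s input, so drops happen here, not in the DSL buffer

run() { echo "$*"; [ "$DRY_RUN" = 1 ] || "$@"; }

# Leaf classes as "minor rate prio". The minor is hex on the tc command line, so
# the same value is reused as a 0x-prefixed fw mark. Guaranteed rates sum to UP.
LEAVES='10 48kbit 0
11 32kbit 0
20 48kbit 1
30 48kbit 2
31 32kbit 2
40 48kbit 3'

egress_tree() {
    run tc qdisc add dev "$INTERNET" root handle 1: htb default 40
    run tc class add dev "$INTERNET" parent 1: classid 1:1 htb rate "$UP" ceil "$UP"
    echo "$LEAVES" | while read -r minor rate prio; do
        run tc class add dev "$INTERNET" parent 1:1 classid "1:$minor" htb rate "$rate" ceil "$UP" prio "$prio"
        run tc qdisc add dev "$INTERNET" parent "1:$minor" handle "$minor:" sfq perturb 10
        run tc filter add dev "$INTERNET" parent 1: protocol ip prio 1 handle "0x$minor" fw flowid "1:$minor"
    done
}

# Classification with Netfilter. mangle POSTROUTING runs before nat
# POSTROUTING, so private source addresses are still visible on eth0 even
# with masquerading. "--ports 22" matches source or destination port, like
# the "tcp_sport == 22 || tcp_dport == 22" tests in the tcng version.
mark() { run iptables -t mangle -A POSTROUTING -o "$INTERNET" "$@"; }
mark_rules() {
    mark -p tcp -m multiport --ports 22 -s "$LAN_IP" -j MARK --set-mark 0x10   # LAN ssh
    mark -p tcp -m multiport --ports 22 -s "$DMZ_IP" -j MARK --set-mark 0x11   # DMZ ssh
    mark -p tcp -m multiport --ports 25              -j MARK --set-mark 0x20   # smtp
    mark -p tcp -m multiport --ports 80 -s "$LAN_IP" -j MARK --set-mark 0x30   # LAN http
    mark -p tcp -m multiport --ports 80 -s "$DMZ_IP" -j MARK --set-mark 0x31   # DMZ http
    # everything else stays unmarked and lands in htb's default class 1:40
}

# Inbound: egress shaping cannot queue what the DSL line has already delivered,
# so the best plain tc can do here is police on ingress and drop early.
ingress_police() {
    run tc qdisc add dev "$INTERNET" handle ffff: ingress
    run tc filter add dev "$INTERNET" parent ffff: protocol ip prio 50 u32 \
        match ip src 0.0.0.0/0 police rate "$DOWN_POLICE" burst 10k drop flowid :1
}

if [ "${1:-}" = apply ]; then
    run tc qdisc del dev "$INTERNET" root 2>/dev/null
    egress_tree; mark_rules; ingress_police
fi
```

Run it as `sh shaper.sh apply` to print the full command list, and with `DRY_RUN=0` to execute it. The LAN/DMZ-internal traffic on eth1 and eth2 needs no rules at all, because nothing here touches those interfaces.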
From gypsy@iswest.com Wed Jul 14 14:48:36 2004 From: gypsy@iswest.com (gypsy) Date: Wed, 14 Jul 2004 06:48:36 -0700 Subject: [LARTC] TC Hashing Filters References: <065d01c46901$23a8df10$903113d8@uranus> Message-ID: <40F539B4.821C5545@iswest.com>

Adam Towarnyckyj wrote: > > First off, no need to be rude. I read the documentation; I just missed > the number limit.

I apologize. I regretted hitting SEND as soon as I came to my senses and I'm ashamed of how long it took me to do that. I had a (what turned out to be minor) emergency last night, I overslept this morning and I have a prior commitment tonight so I can't get to this until at least tomorrow night. But I do have a couple of general suggestions now:

> Second, I know it's in hex and that's what I'm using.

Try setting classid to 0xffff and decrement rather than increment it.

Pepper the script with
debug (print or echo) lines
error traps that exit the script on error.

Is what you posted entire so that if I extract it from the message then it should run?

> Action("$tc qdisc del dev $dev root"); > Action("$tc qdisc add dev $dev root handle 1:0 cbq bandwidth 200mbit > avpkt 1000");

gypsy

From jasonb@edseek.com Wed Jul 14 16:00:59 2004 From: jasonb@edseek.com (Jason Boxman) Date: Wed, 14 Jul 2004 11:00:59 -0400 Subject: [LARTC] tcng/tc setup In-Reply-To: References: Message-ID: <200407141100.59120.jasonb@edseek.com>

On Wednesday 14 July 2004 05:54, Gareth Glaccum wrote: > Hi all, > Can someone please help with a tcng setup? I have played with tc and tcng > in the past, and now would like to get some serious rules in place. > However, I have a difficulty in setting them up.

I'd suggest using `tc` and using Netfilter to classify traffic. There are quite a few matches you just can't do with tcng.

> And I wrote out some rules.
These rules seem to be correct, as far as I can > tell, but I stupidly forgot that this is all egress, and it cannot be done > as easily with ingress. Can someone please help by showing me how I can > modify these to give me control over the bandwidth in (albeit limited) as > well as out? Also could someone explain how I can easily write flows to > test all of the possible traffic I might be experiencing? tcng is supposed to let you perform all kinds of simulations on your traffic, but I have never gotten it to work. If someone has produced useful information, I'd love to know how. > My aim is, that any normal ssh to any machine, whether comming from the DMZ > to the internet, or from the LAN to the internet, should get at least 2KB/s > low-latency traffic each, even if other machines or other connections are > being made in the background. > I am wondering whether my first qdisc should infact be an SFQ and then HTBs > below it? That is not possible. sfq is a classless qdisc. It cannot contain anything. You would need to attach sfq to htb classes, instead, for instance. From adamt@commspeed.net Wed Jul 14 19:06:34 2004 From: adamt@commspeed.net (Adam Towarnyckyj) Date: Wed, 14 Jul 2004 11:06:34 -0700 Subject: [LARTC] TC Hashing Filters In-Reply-To: <40F539B4.821C5545@iswest.com> Message-ID: <06dd01c469cd$4c8f7a20$903113d8@uranus> gypsy wrote: >Try setting classid to 0xffff and decrement rather than increment it. > >Pepper the script with >debug (print or echo) lines >error traps that exit the script on error. > >Is what you posted entire so that if I extract it from the message then >it should run? It's really tough for me to convey what I've done so far mainly because when I get in "Troubleshoot Mode" I really tend to forget what I've tried and the results of those efforts after I've done them. This is because if it doesn't work, I rule it out and go on to the next thing until I find out what the problem is. 
The reason I say this is because I didn't really tell you specifically what I've done to troubleshoot. Only that I found out where the problem was. For this, I apologize. So let me try to be as specific as possible. This is what the script does step by step:

1. Connect to the provisioning database (MySQL)
2. Define subroutines
   a. SelectSQL - Subroutine for placing all information from a sql query into a variable.
   b. SelectSingleSQL - Subroutine for placing one piece of information from a sql query into a variable.
   c. SimpleSQL - Subroutine for making a sql query
   d. Action - Subroutine for performing a system action and outputting any errors to an array for later use.
3. Remove existing root qdisc and add a new one (clears all information currently stored).
4. Create transit class and hash table/filter.
5. For creating the individual classes for each rate, we have it connect to our database and add a class for each rate located in that database. This is so it can be dynamic in case we need to add new classes down the road.
6. This is where the script grabs all the accounts from our database by modem. The modem table holds the rate for each customer. Then the script compares those modems to the public IPs assigned to that customer and adds the tc command to limit that IP based on the modem rate.
7. Take all the errors from any "Action" and output them. (This emails to me directly when there's a problem).
8. There's a bunch of stuff here for promotional rates we're running that is unimportant to the current problem I'm having.

The error appears at step 6. For each modem in our database, it checks the IPs assigned to it. For each of those, it runs:

tc filter add dev $dev protocol ip parent 1: u32 ht 2:$table: match ip dst $ip flowid 1:$classid

I added a counter in there and an exit command in the "Action" subroutine so that when the script errors, it exits and shows me how many IPs tc has added before it produced an error.
The number was 2045 and the error was RTNETLINK answers: File exists.

As for your suggestion about the classid, I'm a bit confused as to what you mean about decrementing it. Could you be a little more specific on where this is in the script?

I have attached the script in its entirety so you can see it and maybe figure out what is wrong. The only problem with running it would be connecting to the database. If you want, I can put up a mock database and you can connect to that for testing purposes. The problem with this is that I'd have to populate it with about 3000 entries for you to see the error I'm seeing. I have removed my traps and counters so you can see what the script was originally. I'll comment where the error occurs.

Thank you all once again for your help and time. It is very much appreciated.

#!/usr/bin/perl
#
# TC Helper Script: Written by Mike Davis & Adam Towarnyckyj
#
# Synchronizes data rates with MySQL server and applies hourly.
#

### Configuration Section ###

$dev = "eth1";
$tc = "/sbin/tc";
$mysql_host = "sql database";
$mysql_db = "databse";
$mysql_user = "user";
$mysql_pass = "password";

### END Configuration Section ###

use POSIX qw(strftime);

# Database connect and define subroutines

use DBI;
$dsn = "DBI:mysql:database=$mysql_db;hostname=$mysql_host";
$dbh = DBI->connect($dsn, $mysql_user, $mysql_pass) || die "Can't connect to database: " . DBI->errstr;

# Subroutine for placing all information from a sql query into a variable.
sub SelectSQL {
    my($sql) = @_;
    my (@MATCHES, $hash);    # parenthesised so that $hash is lexical too, not only @MATCHES
    $sth = $dbh->prepare("$sql");
    $sth->execute();
    while ($hash = $sth->fetchrow_hashref) {
        push @MATCHES, $hash;
    }
    return @MATCHES;
}

# Subroutine for placing one piece of information from a sql query into a variable.
sub SelectSingleSQL {
    my($sql) = @_;
    my($gotit, $return, $hash);
    $sth = $dbh->prepare("$sql");
    $sth->execute();
    while ($hash = $sth->fetchrow_array) {
        unless ($gotit) {
            $return = $hash;
            $gotit++;
        } else {
            warn "got multiple SQL returns when expecting only one";
        }
    }
    return $return;
}

# Subroutine for making a sql query (returns the number of rows affected).
sub SimpleSQL {
    my($sql) = $_[0];
    my $rows_affected;
    $rows_affected = $dbh->do($sql);
    return $rows_affected;
}

# Runs a system command; anything it prints on stdout or stderr is recorded
# as an error in @WARNING and reported at the end.
sub Action {
    my($action) = @_;
    # print"Performing: $action\n";
    $warn=`$action 2>&1`;
    if ($warn) {
        chomp($warn);
        $prepare = "ERROR: $warn. Command was: $action";
        # print"WHOOPS: $warn\n";
        push @WARNING, $prepare;
    }
}

### Ok, now we start having fun. Let's rebuild the tc tree.

# Remove existing tree and add the root.
Action("$tc qdisc del dev $dev root");
Action("$tc qdisc add dev $dev root handle 1:0 cbq bandwidth 200mbit avpkt 1000");

# Create 'transit class', tc hash tables, and hash filter
Action("$tc class add dev $dev parent 1: classid 1:2 cbq bandwidth 200Mbit rate 200MBit allot 1514 weight 2Mbit prio 8 maxburst 20 avpkt 1000");
Action("$tc filter add dev $dev parent 1: handle 2: protocol ip u32 divisor 256");
Action("$tc filter add dev $dev protocol ip parent 1: u32 match ip dst 0.0.0.0/0 hashkey mask 0x000000ff at 16 link 2:");

# Create classes for rate groups
@RATES = SelectSQL("SELECT dsrate FROM dsrate");
my $classid = 3;
foreach $dsrate (@RATES) {
    $ds = $$dsrate{dsrate};
    if ($ds == "0" || $ds == "1") {
        next;
    }
    # note: this line names eth1 literally rather than using $dev
    Action("$tc class add dev eth1 parent 1: classid 1:$classid cbq bandwidth 200Mbit rate $$dsrate{dsrate}Kbit allot 1514 prio 5 maxburst 20 avpkt 1000 bounded");
    $rates{$ds} = $classid;
    $classid++;
}

# Get our list of accounts
@MODEMS = SelectSQL("SELECT mid, dsrate FROM modems");

# Figure out account IPs and put 'em in!
foreach $modem (@MODEMS) {
    if ($$modem{dsrate} == "0" || $$modem{dsrate} == "1") {
        next;
    }
    my @COMPUTERS = SelectSQL("SELECT ipid FROM computers WHERE mid='$$modem{mid}'");
    foreach $computer (@COMPUTERS) {
        my $ip = SelectSingleSQL("SELECT ipaddr FROM ips WHERE ipid='$$computer{ipid}'");
        @octets = split(/\./,$ip);
        $table = $octets[3];
        $table = sprintf("%X", $table);
        $classid = $rates{$$modem{dsrate}};
        Action("$tc filter add dev $dev protocol ip parent 1: u32 ht 2:$table: match ip dst $ip flowid 1:$classid");
        ### Here is where it errors after 2045 entries ###
    }
}

if (@WARNING) {
    print"WARNING: TCHELPER produced errors! See below:\n @WARNING\n";
}

#
# Cool, everyone is now limited. Let's do some up-keep on the promo rates.
#

# First we check accounts with a promo rate and no promo code, and fill it in.
@PROMORATES = SelectSQL("SELECT dsrate,drpromo FROM dsrate WHERE drpromo !='0'");
$month=strftime "%m", localtime;
$day=strftime "%d", localtime;
$year=strftime "%Y", localtime;
$today="$year" . "$month" . "$day";
foreach $rate (@PROMORATES) {
    ($exprate,$expdays) = split("-",$$rate{drpromo});
    $expdate = $day + $expdays;
    $expmonth = $month;
    $expyear = $year;
    while ($expdate > "30") {
        $expmonth++;
        $expdate = $expdate - 30;
    }
    while ($expmonth > "12") {
        $expyear++;
        $expmonth = $expmonth - 12;
    }
    # zero-pad month and day so the value compares numerically with $today (YYYYMMDD)
    $absexpdate = sprintf("%04d%02d%02d", $expyear, $expmonth, $expdate);
    @UNMARKED = SelectSQL("SELECT mid FROM modems WHERE dsrate='$$rate{dsrate}' AND promocode=''");
    foreach $mark (@UNMARKED) {
        $query = SimpleSQL("UPDATE modems SET promocode='$exprate-$absexpdate' WHERE mid='$$mark{mid}'");
    }
}

# Now we check for expired promo codes and reset their rate.
@PROMOACCTS = SelectSQL("SELECT mid,promocode FROM modems WHERE promocode != ''");
foreach $acct (@PROMOACCTS) {
    ($exprate,$expdate) = split("-",$$acct{promocode});
    if ($expdate <= $today) {
        $query = SimpleSQL("UPDATE modems SET dsrate='$exprate', promocode='' WHERE mid='$$acct{mid}'");
    }
}

# Exit Nice and clean.
$dbh->disconnect;
exit(0);

From jasonb@edseek.com Wed Jul 14 19:25:09 2004 From: jasonb@edseek.com (Jason Boxman) Date: Wed, 14 Jul 2004 14:25:09 -0400 Subject: [LARTC] TC Hashing Filters In-Reply-To: <06dd01c469cd$4c8f7a20$903113d8@uranus> References: <06dd01c469cd$4c8f7a20$903113d8@uranus> Message-ID: <200407141425.09594.jasonb@edseek.com>

On Wednesday 14 July 2004 14:06, Adam Towarnyckyj wrote: > As for your suggestion about the classid, I'm a bit confused as > to what you mean about decrementing it. Could you be a little more > specific on where this is in the script? >

I think he means start with classid 0xffff and then subtract one as you iterate through each row in the table. So next you'd use 0xfffe and so on.

From gerryw@it-procorp.com Wed Jul 14 22:25:05 2004 From: gerryw@it-procorp.com (Gerry Weaver) Date: Wed, 14 Jul 2004 16:25:05 -0500 Subject: [LARTC] Syntax for u32 match of src mac at offset -8 Message-ID: <40F5A4B1.6030907@it-procorp.com>

Hello All, I've been trying to figure out how to do bandwidth limiting by mac address. There are several posts on this subject, but nothing concrete. My question concerns the proper tc filter syntax to do a u32 match at a negative offset of -8 that should, based on what I've read, be the source mac address. I've been playing around with it, but no success yet. Any help would be much appreciated. Thanks, Gerry

From gypsy@iswest.com Thu Jul 15 03:13:11 2004 From: gypsy@iswest.com (gypsy) Date: Wed, 14 Jul 2004 19:13:11 -0700 Subject: [LARTC] TC Hashing Filters References: <06dd01c469cd$4c8f7a20$903113d8@uranus> Message-ID: <40F5E837.D2FD536B@iswest.com>

Adam Towarnyckyj wrote: > > gypsy wrote: > >Try setting classid to 0xffff and decrement rather than increment it. > > > >Pepper the script with > >debug (print or echo) lines > >error traps that exit the script on error. > > The error appears at step 6. For each modem in our database, it > checks the IPs assigned to it.
For each of those, it runs: tc filter add > dev $dev protocol ip parent 1: u32 ht 2:$table: match ip dst $ip flowid > 1:$classid I think that "$classid" is outside its allowable range when that line executes, although it is also possible that the RTNETLINK message is due to an erroneous value in "$dev", "$ip" or "$table". Your script can be modified to display the line with the substitutions and to exit when executing causes an error. What I envision is that you'll watch 2000+ lines of good stuff scroll by and that the final line will be your Bad Boy. And the last few lines are what we all are holding our breath to see . > I added a counter in there and an exit command in the "Action" > subroutine so that when the script errors, it exits and shows me how > many IPs tc has added before it produced an error. The number was 2045 > and the error was RTNETLINK answers: File exists. I still don't think it is how many. I am certain that some value is just not in the expected range. > As for your suggestion about the classid, I'm a bit confused as > to what you mean about decrementing it. Could you be a little more > specific on where this is in the script? > Action("$tc class add dev eth1 parent 1: classid 1:$classid cbq > bandwidth 200Mbit rate $$dsrate{dsrate}Kbit allot 1514 prio 5 maxburst > 20 avpkt 1000 bounded"); > $rates{$ds} = $classid; > $classid++; I think the line above should count down from 65535, not up. > ipid='$$computer{ipid}'"); > @octets = split(/\./,$ip); > $table = $octets[3]; > $table = sprintf("%X", $table); > $classid = $rates{$$modem{dsrate}}; > Action("$tc filter add dev $dev protocol ip parent 1: > u32 ht 2:$table: match ip dst $ip flowid 1:$classid"); ### Here is > where it errors after 2045 entries ### And here is where you need to display the Action line. Plus add an error trap to exit when it fails. Sorry, that's all I have time for now. 
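The debugging gypsy asks for (print every filter command with its substitutions, stop at the first error) as a small dry-run tool. This is an added example, not the TC Helper script nor anything posted in the thread: it rebuilds the "tc filter add ... u32 ht 2:XX: ..." line from an "ip classid" list, computes the bucket the way the script's sprintf("%X", $octets[3]) does, rejects class ids outside 1..0xffff, prints the class id in hex (tc reads minor numbers as hex, the point gypsy makes), and counts how many keys land in each of the 256 buckets. DEV, DRY_RUN and the addresses in sample_input are assumptions; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the TC Helper script: a
# dry-run generator for the "tc filter add ... u32 ht 2:XX: ..." commands, with
# the checks gypsy asks for (print every command with its substitutions, stop at
# the first tc error) and a per-bucket count of how many keys each hash bucket
# receives. DEV, the "ip classid" input and the addresses below are assumptions.
DEV="${DEV:-eth1}"
DRY_RUN="${DRY_RUN:-1}"   # 1: only print the tc commands; 0: really execute them

# The hash key in the script is "hashkey mask 0x000000ff at 16": the last octet
# of the destination address. The bucket id is that octet in upper-case hex,
# exactly what the script's sprintf("%X", $octets[3]) produces.
bucket_for() {
    printf '%X\n' "${1##*.}"
}

# Class id minor numbers on the tc command line are hex and must fit in 16 bits.
check_classid() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# filter_cmd DEV IP CLASSID -> the tc arguments for one hash-table entry.
# tc parses the minor number as hex, so the decimal counter is printed with %x:
# class 16 becomes "flowid 1:10", whereas a literal "1:16" would mean 0x16 = 22.
filter_cmd() {
    check_classid "$3" || { echo "classid '$3' out of range for $2" >&2; return 1; }
    printf 'filter add dev %s protocol ip parent 1: u32 ht 2:%s: match ip dst %s flowid 1:%x\n' \
        "$1" "$(bucket_for "$2")" "$2" "$3"
}

# apply_filters reads "ip classid" lines on stdin, prints each command before
# running it and returns non-zero on the first failure, naming the bad line.
apply_filters() {
    n=0
    while read -r ip classid; do
        [ -n "$ip" ] || continue
        args=$(filter_cmd "$DEV" "$ip" "$classid") || return 1
        echo "tc $args"
        if [ "$DRY_RUN" != 1 ]; then
            # shellcheck disable=SC2086  # word splitting of $args is intended
            tc $args || { echo "failed after $n filters: tc $args" >&2; return 1; }
        fi
        n=$((n + 1))
    done
    echo "$n filters"
}

# bucket_histogram reads one IP per line and prints "bucket count" for each
# bucket that receives at least one key, sorted by bucket id.
bucket_histogram() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        bucket_for "$ip"
    done | LC_ALL=C sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample input (not real customer data): "ip classid" per line.
sample_input() {
    printf '%s\n' '10.0.0.1 3' '10.0.1.1 4' '10.0.0.255 16' '192.0.2.10 3'
}

if [ "${1:-}" = demo ]; then
    sample_input | apply_filters
    sample_input | awk '{ print $1 }' | bucket_histogram
fi
```

`sh hashfilters.sh demo` prints the four commands, the count of filters generated and the bucket distribution; feeding the real "ip classid" list through `apply_filters` with DRY_RUN=0 stops at the first tc error and shows the exact command that failed, which is the line gypsy wants to see.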
From n1kei@yahoo.com Thu Jul 15 05:35:43 2004 From: n1kei@yahoo.com (c jay) Date: Wed, 14 Jul 2004 21:35:43 -0700 (PDT) Subject: [LARTC] (no subject) Message-ID: <20040715043543.57572.qmail@web53410.mail.yahoo.com>

From n1kei@yahoo.com Thu Jul 15 06:11:01 2004 From: n1kei@yahoo.com (c jay) Date: Wed, 14 Jul 2004 22:11:01 -0700 (PDT) Subject: [LARTC] problem tc htb with bridge machine In-Reply-To: <20040715021101.15306.99162.Mailman@outpost.ds9a.nl> Message-ID: <20040715051101.51630.qmail@web53407.mail.yahoo.com>

hello all, i have a problem with my tc htb at bridge machine (tsl 2.1). in fact the bw limiter is ok, but if i bring the bw limiter down and then up again, my machine takes very long to shape bw. i want to make this quicker. can anyone here help me with how the rule should be? nikei
From ja@ssi.bg Thu Jul 15 06:26:32 2004 From: ja@ssi.bg (Julian Anastasov) Date: Thu, 15 Jul 2004 08:26:32 +0300 (EEST) Subject: [LARTC] Syntax for u32 match of src mac at offset -8 In-Reply-To: <40F5A4B1.6030907@it-procorp.com> References: <40F5A4B1.6030907@it-procorp.com> Message-ID:

Hello,

On Wed, 14 Jul 2004, Gerry Weaver wrote:

> I've been trying to figure out how to do bandwidth limiting by mac
> address. There are several posts on this subject, but nothing concrete.
> My question concerns the proper tc filter syntax to do a u32 match at a
> negative offset of -8 that should based on what I've read be the source
> mac address. I've been playing around with it, but no success yet.
>
> Any help would be much appreciated.

http://mailman.ds9a.nl/pipermail/lartc/2003q1/006663.html

> Thanks,
> Gerry

Regards

--
Julian Anastasov

From anupam@iitb.ac.in Thu Jul 15 08:50:45 2004 From: anupam@iitb.ac.in (anupam chomal) Date: Thu, 15 Jul 2004 13:20:45 +0530 (IST) Subject: [LARTC] Problem with multiple N/W cards Message-ID: <32825.10.150.106.170.1089877845.squirrel@gpo.iitb.ac.in>

Hi, I am trying to set up a linux box with 5 N/W cards of which one is 10/100/1000T and the others are 10/100T. I connected all the cards and turned on the machine. I wanted to force eth0 to be the 1000T card but the cards get allotted eth0 to eth4 randomly. Is there some way wherein I can force my 1000T card to be eth0? Also I want to turn off auto negotiation & flow control on the 1000T card. How can I do this? Can someone please help.

From justin.piszcz@mitretek.org Thu Jul 15 13:10:20 2004 From: justin.piszcz@mitretek.org (Piszcz, Justin Michael) Date: Thu, 15 Jul 2004 08:10:20 -0400 Subject: [LARTC] Problem with multiple N/W cards Message-ID: <2E314DE03538984BA5634F12115B3A4E62E8A8@email1.mitretek.org>

Yup. I had the same problem. Solution: use nameif. You can call any interface anything you want.
Turning off auto negotiation and flow control may be an option when you load the module (check docs). Example: if it is a 3com 100mbps 905b, you may be able to use ethtool to change it.

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of anupam chomal
Sent: Thursday, July 15, 2004 3:51 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Problem with multiple N/W cards

Hi, I am trying to set up a linux box with 5 N/W cards of which one is 10/100/1000T and the others are 10/100T. I connected all the cards and turned on the machine. I wanted to force eth0 to be the 1000T card but the cards get allotted eth0 to eth4 randomly. Is there some way wherein I can force my 1000T card to be eth0? Also I want to turn off auto negotiation & flow control on the 1000T card. How can I do this? Can someone please help.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From Glen.Mabey@usu.edu Thu Jul 15 13:46:15 2004 From: Glen.Mabey@usu.edu (Glen Mabey) Date: Thu, 15 Jul 2004 06:46:15 -0600 Subject: [LARTC] Problem with multiple N/W cards In-Reply-To: <32825.10.150.106.170.1089877845.squirrel@gpo.iitb.ac.in> References: <32825.10.150.106.170.1089877845.squirrel@gpo.iitb.ac.in> Message-ID: <20040715124615.GB29057@mabeys.dsl.aros.net>

On Thu, Jul 15, 2004 at 01:20:45PM +0530, anupam chomal wrote:
> I am trying to set up a linux box with 5 N/W cards of which one is
> 10/100/1000T and the others are 10/100T. I connected all the cards and
> turned on the machine. I wanted to force eth0 to be the 1000T card but
> the cards get allotted eth0 to eth4 randomly. Is there some way wherein I
> can force my 1000T card to be eth0.

You can also create an alias for the device driver. I'm not that well-versed in the various distribution and kernel version differences, but this is how I do it.
If running a 2.4 kernel, edit /etc/modules.conf (or if running Debian, edit /etc/modutils/alias, and afterward run update-modules) and add alias eth0 where is the name of the device driver module for your gigabit card, say, e1000. If running 2.6, add the same line to /etc/modprobe.d/aliases . A reboot afterward may do the trick if you don't have an update-modules command that will get the right aliases going.

Hope that helps.

--
******************************************************************
Glen W. Mabey Glen.Mabey@usu.edu http://mabeys.homelinux.com/glen/
******************************************************************

From Glen.Mabey@usu.edu Thu Jul 15 13:36:26 2004 From: Glen.Mabey@usu.edu (Glen Mabey) Date: Thu, 15 Jul 2004 06:36:26 -0600 Subject: [LARTC] TC Hashing Filters In-Reply-To: <40F5E837.D2FD536B@iswest.com> References: <06dd01c469cd$4c8f7a20$903113d8@uranus> <40F5E837.D2FD536B@iswest.com> Message-ID: <20040715123626.GA29057@mabeys.dsl.aros.net>

On Wed, Jul 14, 2004 at 07:13:11PM -0700, gypsy wrote:
> Your script can be modified to display the line with the substitutions
> and to exit when executing causes an error. What I envision is that
> you'll watch 2000+ lines of good stuff scroll by and that the final line
> will be your Bad Boy. And the last few lines are what we all are
> holding our breath to see.

This took me a little while to figure out myself, so I thought I'd post it. If you are running a bash script, what you want to do is to add at the top:

set -e   # causes script exit on error
set -x   # causes command to be printed before it is executed

Glen

--
******************************************************************
Glen W.
Mabey Glen.Mabey@usu.edu http://mabeys.homelinux.com/glen/
******************************************************************

From adamt@commspeed.net Thu Jul 15 18:40:04 2004 From: adamt@commspeed.net (Adam Towarnyckyj) Date: Thu, 15 Jul 2004 10:40:04 -0700 Subject: [LARTC] TC Hashing Filters In-Reply-To: <40F5E837.D2FD536B@iswest.com> Message-ID: <075301c46a92$c357fef0$903113d8@uranus>

gypsy wrote:
> Your script can be modified to display the line with the substitutions
> and to exit when executing causes an error. What I envision is that
> you'll watch 2000+ lines of good stuff scroll by and that the final line
> will be your Bad Boy. And the last few lines are what we all are
> holding our breath to see.

I have done as you suggested (actually, if you noticed in the Action subroutine, all the error reporting from before was still there, I just commented it out) and this is what I've come up with. This is the last known good command and then the command that errors, as well as the error message, and the counter I added back in.

Performing: /sbin/tc filter add dev eth1 protocol ip parent 1: u32 ht 2:54: match ip dst 216.19.20.84 flowid 1:FFFB
2045
Performing: /sbin/tc filter add dev eth1 protocol ip parent 1: u32 ht 2:2E: match ip dst 216.19.46.46 flowid 1:FFFB
WHOOPS: RTNETLINK answers: File exists

The error exists on the 2046th command. Any tc filter command I try to add from here on out gives me the same error even if I try it manually instead of using the script. I examined the previous commands that worked fine and there are plenty that dump into the 2:2E: table.

> I think the line above should count down from 65535, not up.

As you can see, I did this as you suggested. I like it better because it keeps things very separate so there's no confusion. Thanks for the suggestion.

> Sorry, that's all I have time for now.

Any time you can spare is incredibly helpful. Thank you.
Adam Towarnyckyj

From gypsy@iswest.com Fri Jul 16 04:36:48 2004 From: gypsy@iswest.com (gypsy) Date: Thu, 15 Jul 2004 20:36:48 -0700 Subject: [LARTC] TC Hashing Filters References: <075301c46a92$c357fef0$903113d8@uranus> Message-ID: <40F74D50.9E5AFB13@iswest.com>

Adam Towarnyckyj wrote:
> Any tc filter command I try to
> add from here on out gives me the same error even if I try it manually
> instead of using the script.

Adam, That is a killer. Please read the following and then, when we both have the same information, I'm going to try again to assist you. HINT TO READERS: I hope someone else will help us both because I have obligations that I'm stealing time from that I can ill afford.

There is a LARTC mailing list thread dated (about) 24 thru 26 June 2003 between Trevor Warren and Michael Ulitskiy whose Subject is "u32 clarification...limits on 2000>???" Please use your favorite method to find it. Note that there may be kernel issues not mentioned by them; kernels change. I'd like to suggest that you see if anyone involved in that thread will send you a testing script; perhaps you could find a way to start with a working setup and then apply minor changes until either it breaks or it suits you.

From alessandro.ren@opservices.com.br Fri Jul 16 16:19:58 2004 From: alessandro.ren@opservices.com.br (Alessandro Ren) Date: Fri, 16 Jul 2004 12:19:58 -0300 Subject: [LARTC] QoS for Voip. In-Reply-To: <200405231508.59885.dmitry@mikrotik.com> References: <200405191427.53256.ml-lartc@drspirograph.com> <200405192226.07971.ml-lartc@drspirograph.com> <200405191617.06453.Andreas.Klauer@metamorpher.de> <200405231508.59885.dmitry@mikrotik.com> Message-ID: <40F7F21E.7020305@opservices.com.br>

I've been using an altered version of the wshaper script to prioritize voip traffic for my customers.
I'd like to know if someone on the list has any tips on QoS for voip, if someone has done some experimentation. I am using HTB and if someone on the LAN uses a p2p program, I started to notice it in the voip, with cuts, jitter and lag. If I reserve a fixed amount of bandwidth, not letting anyone borrow, it works fine, but then if no one is using voip, I have bandwidth going to waste. I think I need some fine tuning on the HTB parameters, but I am not sure about that. Any ideas?
From Andreas.Klauer@metamorpher.de Fri Jul 16 16:53:34 2004 From: Andreas.Klauer@metamorpher.de (Andreas Klauer) Date: Fri, 16 Jul 2004 17:53:34 +0200 Subject: [LARTC] QoS for Voip. In-Reply-To: <40F7F21E.7020305@opservices.com.br> References: <200405191427.53256.ml-lartc@drspirograph.com> <200405231508.59885.dmitry@mikrotik.com> <40F7F21E.7020305@opservices.com.br> Message-ID: <200407161753.34816.Andreas.Klauer@metamorpher.de>

On Friday 16 July 2004 17:19, Alessandro Ren wrote:
> I am using HTB and if someone on the LAN uses a p2p program, I
> started to notice it in the voip, with cuts, jitter and lag.

Have you tried filtering P2P traffic (using IPP2P or l7-filter)? With HTB, I'd suggest putting it into a class with low prio and low rate, so P2P has to borrow nearly everything. But on the other hand you should make sure Voip can't max out the line either. It's not easy to find a balance there.

At home, I have a different approach. There's just fair sharing between customers (err, flatmates). Each person gets his HTB class, all HTB classes have the same priorities and rates, so everyone gets the same amount of bandwidth no matter what it's used for (p2p, www, voip, gaming). Prioritizing interactive over http over p2p traffic is then also done on a per-user basis. This way it doesn't matter to a single user what kind of traffic other users generate... the only guarantee there is that each user can get the same amount of bandwidth. If this setup causes cuts, jitter and lag in voip, it's either because the same user is generating other traffic with the same or higher priority than voip, or because there just isn't enough bandwidth available altogether to serve all the people.

However, that kind of setup requires a lot of classes in HTB (one per [active] client); so if there are too many clients, the rates per class get too low, which might impact HTB performance.
Andreas

From ibb_linux@yahoo.com Fri Jul 16 18:51:37 2004 From: ibb_linux@yahoo.com (ibro tj) Date: Fri, 16 Jul 2004 10:51:37 -0700 (PDT) Subject: [LARTC] QoS for Voip. In-Reply-To: <40F7F21E.7020305@opservices.com.br> Message-ID: <20040716175137.84790.qmail@web21501.mail.yahoo.com>

Hi, the hint from Martin A Brown which I am experimenting with, without regret yet, is that you should decrease the queue length to say 30 from the default 100 and also reduce the MTU (MAX. TRANSFER UNIT) to the size of typical voice traffic, say 256, using

ip link set dev eth0 qlen 30
ip link set dev eth0 mtu 1000

Hope it helps.

Ibrahim T.

--- Alessandro Ren wrote:
> I've been using an altered version of the wshaper script to
> prioritize voip traffic for my customers.
> I'd like to know if someone on the list has any tips on QoS for
> voip, if someone has done some experimentation.
> I am using HTB and if someone on the LAN uses a p2p program, I
> started to notice it in the voip, with cuts, jitter and lag. If I reserve
> a fixed amount of bandwidth not letting anyone borrow, it works fine,
> but then if no one is using voip, I have bandwidth going to waste.
> I think I need some fine tuning on the HTB parameters, but I am
> not sure about that.
> Any ideas?

From jasonb@edseek.com Fri Jul 16 17:54:56 2004 From: jasonb@edseek.com (Jason Boxman) Date: Fri, 16 Jul 2004 12:54:56 -0400 Subject: [LARTC] QoS for Voip. In-Reply-To: <200407161753.34816.Andreas.Klauer@metamorpher.de> References: <200405191427.53256.ml-lartc@drspirograph.com> <40F7F21E.7020305@opservices.com.br> <200407161753.34816.Andreas.Klauer@metamorpher.de> Message-ID: <200407161254.56216.jasonb@edseek.com>

On Friday 16 July 2004 11:53, Andreas Klauer wrote:
> At home, I have a different approach. There's just fair sharing between
> customers (err, flatmates).
> Each person gets his HTB class, all HTB
> classes have the same priorities and rates, so everyone gets the same
> amount of bandwidth no matter what it's used for (p2p, www, voip, gaming).
> Prioritizing interactive over http over p2p traffic is then also done on a
> per-user basis. This way it doesn't matter to a single user what kind of
> traffic other users generate... the only guarantee there is that each
> user can get the same amount of bandwidth.

But how well does that scale?

# Default: Put stuff in class 2.
$BIN_TC filter add dev $UC_DEV parent 1:$UC_MARK prio 100 \
    protocol ip handle $UC_MARK fw flowid 1:$(($UC_MARK+2))

Would you want to do per user classifications to give SSH for each user a higher priority if you had, say, 230 users, for example? Or would each user merely need to fend for himself with his slice?

From ibb_linux@yahoo.com Fri Jul 16 19:18:42 2004 From: ibb_linux@yahoo.com (ibro tj) Date: Fri, 16 Jul 2004 11:18:42 -0700 (PDT) Subject: [LARTC] Shaping using both public and private Ip addresses on same linux box In-Reply-To: <075301c46a92$c357fef0$903113d8@uranus> Message-ID: <20040716181842.43095.qmail@web21527.mail.yahoo.com>

I have a qos system that is currently shaping (down/up) using public ip addresses on eth0 and eth1; eth0 faces the internet. What I want to do is similar to what jiri fojtasek ( http://hyperfighter.jinak.cz/qos ) does in his imq implementation example. But in my case, I do not want to use imq but rather attach the 3rd NIC eth2 that will shape traffic originating from/destined to my local LAN, 192.168.0.0/24. What I find challenging is how to construct the tc scripts between the interfaces eth0 and eth2, taking care of up/down as well, without conflicting with the public aspect. A sample script will be of great help.

Ibrahim T
From Andreas.Klauer@metamorpher.de Fri Jul 16 19:38:40 2004 From: Andreas.Klauer@metamorpher.de (Andreas Klauer) Date: Fri, 16 Jul 2004 20:38:40 +0200 Subject: [LARTC] QoS for Voip. In-Reply-To: <200407161254.56216.jasonb@edseek.com> References: <200405191427.53256.ml-lartc@drspirograph.com> <200407161753.34816.Andreas.Klauer@metamorpher.de> <200407161254.56216.jasonb@edseek.com> Message-ID: <200407162038.40465.Andreas.Klauer@metamorpher.de>

On Friday 16 July 2004 18:54, Jason Boxman wrote:
> But how well does that scale?
> Would you want to do per user classifications to give SSH for each user
> a higher priority if you had, say, 230 users, for example? Or would
> each user merely need to fend for himself with his slice?

I wrote something about having too many users in my mail too. :-) And I made clear that this setup is what I do at home and I do not have (thank god) 230 flatmates. So hopefully there were no misunderstandings. :-)

The interesting question is... are the 230 users all active at the same time? You only need classes for active users. And for that many active users, you need a lot of bandwidth if each of them wants to be doing VoIP and P2P, so I don't see *that* many problems there. Of course, I don't have any practical experience there.

From the point of view of a big ISP, I'd probably make my own life easier by just providing constant (ceiled) rates, no borrowing. Global prioritization (where theoretically each user can use the whole available bandwidth) has the risk that if a user finds out a special type of traffic is being prioritized, he abuses this. For example, he could use a prioritized protocol to tunnel other stuff through it... think of P2P over VoIP. If VoIP is allowed to use all the bandwidth, such a user could steal way too much bandwidth from others.
The only way to prevent this sort of thing would then be to make no global prioritizations, but give each user his own sandbox (which is more or less the idea behind my home setup).

Depending on the bandwidth your clients get, you don't have to do things like prioritizing SSH and VoIP for them... my ISP doesn't do that for me either, at least not on such a close level. And I doubt I would like my ISP to decide for me which traffic to prioritize. I just do this kind of stuff on my own home machine.

I hope it makes sense in a way :-0 It was a rather hasty rant, sorry

Andreas

From icamargo@unet.edu.ve Sat Jul 17 15:49:48 2004 From: icamargo@unet.edu.ve (José Ildefonso Camargo Tolosa) Date: Sat, 17 Jul 2004 10:49:48 -0400 Subject: [LARTC] Re: QoS for Voip. In-Reply-To: <20040717045930.16945.73460.Mailman@outpost.ds9a.nl> References: <20040717045930.16945.73460.Mailman@outpost.ds9a.nl> Message-ID: <40F93C8C.6090703@unet.edu.ve>

Hi! I answer two messages from this thread (I use the digest).

lartc-request@mailman.ds9a.nl wrote:
>
> Message: 3
> Date: Fri, 16 Jul 2004 10:51:37 -0700 (PDT)
> From: ibro tj
> Subject: Re: [LARTC] QoS for Voip.
> To: lartc@mailman.ds9a.nl, alessandro.ren@opservices.com.br
>
> Hi,
>
> the hint from Martin A Brown which I am experimenting
> without regret yet is that you should decrease the
> queue length to say 30 from the default 100 and also
> reduce the MTU(MAX. TRANSFER UNIT) to the size of
> typical voice traffic say 256 using

The MTU is the Maximum Transfer Unit; if a package is smaller than the MTU, it will pass just like that. I got very good results doing something like that, but you introduce more header overhead, which will waste bandwidth. And you can't control the MTU your ISP sends to you (at least not in my case; it would be MRU, I changed it, and nothing happened).
The queue length will reduce the maximum delay you can get for packages without classification; if you classify them, you don't have to worry about that.

> ip link set dev eth0 qlen 30
> ip link set dev eth0 mtu 1000
>
> Hope it helps.
>
> Ibrahim T.
>
> From: Andreas Klauer
> To: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] QoS for Voip.
> Date: Fri, 16 Jul 2004 20:38:40 +0200
>
> On Friday 16 July 2004 18:54, Jason Boxman wrote:
>
>>But how well does that scale?
>
>>Would you want to do per user classifications to give SSH for each user
>>a higher priority if you had, say, 230 users, for example? Or would
>>each user merely need to fend for himself with his slice?
>
> I wrote something about having too many users in my mail too. :-)
> And I made clear that this setup is what I do at home and I do not have
> (thank god) 230 flatmates. So hopefully there were no
> misunderstandings. :-)
>
> The interesting question is... are the 230 users all active at the same
> time. You only need classes for active users. And for that many active
> users, you need a lot of bandwidth if each of them wants to be doing VoIP
> and P2P so I don't see *that* many problems there. Of course, I don't have
> any practical experience there.

You can "put your foot" on the p2p. I'm about to test l7filter, but I'll tell you how it works for me right now: I have a 900 users network, and about 80% of them are always active. I have VoIP, and, of course, p2p. I also have to route traffic for the local net through the same router :-S

I created a default class (30); any traffic that I didn't want to give priority went here. And I created others (let me look at the scripts :P ):

My max bandwidth is 1024kbps.

10: Standard burst traffic (http, ftp, tftp, pop, imap, https). rate 250kbit ceil 97% of total uplink (downlink) prio 3.
14: Higher prio traffic (VoIP): rate 170kbit ceil 97% of total. prio 1.
15: ACK and these kind (SSH, and other interactive traffic, telnet).
rate 170kbit ceil 97% prio 2.
20: Server traffic (we have some servers): rate 200kbit ceil 97% prio 3
30: trash (p2p, anything else): rate 90kbit ceil 70% quantum 1920 prio 4

Of course, since there are so few classes, the ones that have fewer packets are the ones that behave better (I think of it like "virtual" links going into a trunk). The VoIP traffic will come from only one IP, in my case, so I filter to class 14 only from this host (a filter with a higher prio than the one that sends ACK/ICMP ping and others to the 15). I created another similar script for the other eth device (eth0 points to my local net, eth1 points to the Internet); after creating the classes, I create LOTS of filters to classify the traffic by sport/dport.

Since u32 isn't stateful, one has to think that you are looking at a package and that you only "see" the header; you only care that the package is passing through and going out of the interface you installed the qdisc on. That's why I have to have two scripts, and that's why the computer that is doing the traffic shaping doesn't use it on its whole. I was about to use IMQ, but since we have a dedicated computer to do the job, I just don't worry.

> from the point of view of a big ISP, I'd probably make my own life easier
> by just providing constant (ceiled) rates, no borrowing. Global
> prioritization (where theoretically each user can use the whole available
> bandwidth) has the risk that if a user finds out a special type of traffic
> is being prioritized, he abuses this. For example, he could use a
> prioritized protocol to tunnel other stuff through it... think of P2P over
> VoIP. If VoIP is allowed to use all the bandwidth, such a user could steal
> way too much bandwidth from others. The only way to prevent this sort of
> thing would then be to make no global prioritizations, but give each user
> his own sandbox (which is more or less the idea behind my home setup).
> Depending on the bandwidth your clients get, you don't have to do things
> like prioritizing SSH and VoIP for them... my ISP doesn't do that for me
> either, at least not on such a close level. And I doubt I would like my
> ISP to decide for me which traffic to prioritize for me. I just do this
> kind of stuff on my own home machine.
>
> I hope it makes sense in a way :-0 It was a rather hasty rant, sorry
>
> Andreas

Hope this helped,

Ildefonso Camargo
icamargo@unet.edu.ve

From wishbone@h4b.org Sun Jul 18 20:06:25 2004 From: wishbone@h4b.org (wishbone@h4b.org) Date: Sun, 18 Jul 2004 12:06:25 -0700 Subject: [LARTC] dead gateway detection/failover without load balancing? Message-ID: <20040718190625.GB7840@psitron>

Greetings, I wanted to ask the list a question about dead gateway detection. I've followed the wonderful writeup by Christoph Simon on how to use Julian's patch for dgd on two load-balanced connections, but I don't want them load-balanced. How can I set up two default gateways but always have one be the preference unless it goes down? Once the dgd code sees that, have it switch until it becomes available again. I've tried just adding two default routes to the same route table and it seems to switch between them randomly whether I use the "nexthop" code or put them both on their own lines. I've also tried using the weight code but obviously that just gives more preference to one connection but some connections will still go the other route. I've also tried using a higher metric on the second gateway, but that doesn't work at all. The second route never gets taken even if the first goes down. According to Julian's writeup this makes sense; he states that they must have the same metric for the dgd to work.

My second question is about proto static. It is my understanding that proto static is supposed to keep the route in there even if the interface goes down.
I run dhcp on my external interfaces and when the interface goes down and the dhcp tries to renew, it deletes all my proto static lines related to that interface. Is this a route code or a dhcp code problem? Is dhcpcd manually removing those lines even though they are not in the main route table?

thanks for any help you can provide,
joshua

From jwpark@haninternet.co.kr Mon Jul 19 04:58:39 2004 From: jwpark@haninternet.co.kr (=?ks_c_5601-1987?B?udogwaS/+A==?=) Date: Mon, 19 Jul 2004 12:58:39 +0900 Subject: [LARTC] patch equalize_2.4.18.patch on multi-processor Message-ID: <373769E1AB84A74CBBFA6ED3912F0557B6D683@han-ex.haninternetworks.co.kr>

I have a question about equalize_2.4.18.patch. I use kernel 2.4.25. And I have a multi-processor (Xeon dual) machine. I had patched the equalize_2.4.18.patch file. And I had checked the 'Symmetric multi-processing support' kernel compile option. When I use that kernel, the system goes down. But when I had not checked the 'Symmetric multi-processing support' kernel compile option, and had compiled that kernel, and used that kernel, the system is good. How to solve that problem?
------=_NextPart_000_006C_01C46D90.1D466F50-- From =?ks_c_5601-1987?B?udrBpL/4?= Mon Jul 19 06:32:59 2004 From: =?ks_c_5601-1987?B?udrBpL/4?= (=?ks_c_5601-1987?B?udrBpL/4?=) Date: Mon, 19 Jul 2004 14:32:59 +0900 Subject: [LARTC] patch equalize_2.4.18.patch on multi-processor Message-ID: <001001c46d51$da64bc70$3d9e613d@ojulie> This is a multi-part message in MIME format. ------=_NextPart_000_000D_01C46D9D.4A30C620 Content-Type: text/plain; charset="ks_c_5601-1987" Content-Transfer-Encoding: base64 KEkgcmVzZW5kIGJlY2F1c2UgbXkgcHJldmlvdXMgdGV4dCBpcyBicmVhay4gc29ycnkuLikNCg0K SSBoYXZlIGEgcXVlc3Rpb24gYWJvdXQgZXF1YWxpemVfMi40LjE4LnBhdGNoLg0KDQpJIHVzZSBh IGtlcm5lbCAyLjQuMjUuDQoNCkFuZCBJIGhhdmUgbXVsdGktcHJvY2Vzc29yKFhlb24gZHVhbCkg bWFjaGluZS4NCg0KSSBoYWQgcGF0Y2ggZXF1YWxpemVfMi40LjE4LnBhdGNoIGZpbGUuDQoNCkFu ZCBJIGhhZCBjaGVjayChrnN5bW1ldHJpYyBtdWx0aS1wcm9jZXNzaW5nIHN1cHBvcnShryBrZXJu ZWwgY29tcGlsZSBvcHRpb24uDQoNCldoZW4gSSB1c2UgdGhhdCBrZXJuZWwsIHRoZSBzeXN0ZW0g aXMgZG93bi4NCg0KQnV0LCBJIGhhZCBub3QgY2hlY2sgoa5zeW1tZXRyaWMgbXVsdGktcHJvY2Vz c2luZyBzdXBwb3J0oa8ga2VybmVsIGNvbXBpbGUgb3B0aW9uLA0KDQphbmQsIEkgaGFkIGNvbXBs aWUgdGhhdCBrZXJuZWwuIA0KDQpXaGVuIEkgdXNldCB0aGF0IGtlcm5lbCwgdGhlIHN5c3RlbSBp cyBnb29kLg0KDQpIb3cgdG8gc29sdmUgdGhhdCBwcm9ibGVtPw0KDQo= ------=_NextPart_000_000D_01C46D9D.4A30C620 Content-Type: text/html; charset="ks_c_5601-1987" Content-Transfer-Encoding: base64 PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9uYWwv L0VOIj4NCjxIVE1MPjxIRUFEPg0KPE1FVEEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUgY29udGVu dD0idGV4dC9odG1sOyBjaGFyc2V0PWtzX2NfNTYwMS0xOTg3Ij4NCjxNRVRBIGNvbnRlbnQ9Ik1T SFRNTCA2LjAwLjI4MDAuMTQwMCIgbmFtZT1HRU5FUkFUT1I+DQo8U1RZTEU+PC9TVFlMRT4NCjwv SEVBRD4NCjxCT0RZIGJnQ29sb3I9I2ZmZmZmZj4NCjxQIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0i TEFZT1VULUdSSUQtTU9ERTogY2hhciI+PEZPTlQgc2l6ZT0yPjxTUEFOIGxhbmc9RU4tVVMgDQpz dHlsZT0iRk9OVC1TSVpFOiAxMHB0OyBGT05ULUZBTUlMWTogsby4siI+KEkgcmVzZW5kJm5ic3A7 YmVjYXVzZSBteSBwcmV2aW91cyB0ZXh0IA0KaXMgYnJlYWsuIHNvcnJ5Li4pPC9TUEFOPjwvRk9O 
VD48L1A+DQo8UCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9IkxBWU9VVC1HUklELU1PREU6IGNoYXIi PjxGT05UIHNpemU9Mj48U1BBTiBsYW5nPUVOLVVTIA0Kc3R5bGU9IkZPTlQtU0laRTogMTBwdDsg Rk9OVC1GQU1JTFk6ILG8uLIiPkkgaGF2ZSBhIHF1ZXN0aW9uIGFib3V0IA0KZXF1YWxpemVfMi40 LjE4LnBhdGNoLjwvU1BBTj48L0ZPTlQ+PC9QPg0KPFAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSJM QVlPVVQtR1JJRC1NT0RFOiBjaGFyIj48Rk9OVCBzaXplPTI+PFNQQU4gbGFuZz1FTi1VUyANCnN0 eWxlPSJGT05ULVNJWkU6IDEwcHQ7IEZPTlQtRkFNSUxZOiCxvLiyIj5JIHVzZSBhIGtlcm5lbCAN CjIuNC4yNS48L1NQQU4+PC9GT05UPjwvUD4NCjxQIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0iTEFZ T1VULUdSSUQtTU9ERTogY2hhciI+PEZPTlQgc2l6ZT0yPjxTUEFOIGxhbmc9RU4tVVMgDQpzdHls ZT0iRk9OVC1TSVpFOiAxMHB0OyBGT05ULUZBTUlMWTogsby4siI+QW5kIEkgaGF2ZSBtdWx0aS1w cm9jZXNzb3IoWGVvbiBkdWFsKSANCm1hY2hpbmUuPC9TUEFOPjwvRk9OVD48L1A+DQo8UCBjbGFz cz1Nc29Ob3JtYWwgc3R5bGU9IkxBWU9VVC1HUklELU1PREU6IGNoYXIiPjxGT05UIHNpemU9Mj48 U1BBTiBsYW5nPUVOLVVTIA0Kc3R5bGU9IkZPTlQtU0laRTogMTBwdDsgRk9OVC1GQU1JTFk6ILG8 uLIiPkkgaGFkIHBhdGNoIGVxdWFsaXplXzIuNC4xOC5wYXRjaCANCmZpbGUuPC9TUEFOPjwvRk9O VD48L1A+DQo8UCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9IkxBWU9VVC1HUklELU1PREU6IGNoYXIi PjxTUEFOIGxhbmc9RU4tVVMgDQpzdHlsZT0iRk9OVC1TSVpFOiAxMHB0OyBGT05ULUZBTUlMWTog sby4siI+QW5kIEkgaGFkIGNoZWNrIDwvU1BBTj48Rk9OVCANCnNpemU9Mj48Rk9OVCBmYWNlPbG8 uLI+PFNQQU4gbGFuZz1FTi1VUyBzdHlsZT0iRk9OVC1GQU1JTFk6IEFyaWFsIj6hrnM8L1NQQU4+ PFNQQU4gDQpsYW5nPUVOLVVTIHN0eWxlPSJGT05ULUZBTUlMWTogsby4siI+eW1tZXRyaWMgbXVs dGktcHJvY2Vzc2luZyBzdXBwb3J0PC9TUEFOPjxTUEFOIA0KbGFuZz1FTi1VUyBzdHlsZT0iRk9O VC1GQU1JTFk6IEFyaWFsIj6hrzwvU1BBTj48U1BBTiBsYW5nPUVOLVVTIA0Kc3R5bGU9IkZPTlQt RkFNSUxZOiCxvLiyIj4ga2VybmVsIGNvbXBpbGUgb3B0aW9uLjwvU1BBTj48L0ZPTlQ+PC9GT05U PjwvUD4NCjxQIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0iTEFZT1VULUdSSUQtTU9ERTogY2hhciI+ PEZPTlQgc2l6ZT0yPjxTUEFOIGxhbmc9RU4tVVMgDQpzdHlsZT0iRk9OVC1TSVpFOiAxMHB0OyBG T05ULUZBTUlMWTogsby4siI+V2hlbiBJIHVzZSB0aGF0IGtlcm5lbCwgdGhlIHN5c3RlbSBpcyAN CmRvd24uPC9TUEFOPjwvRk9OVD48L1A+DQo8UCBjbGFzcz1Nc29Ob3JtYWwgc3R5bGU9IkxBWU9V 
VC1HUklELU1PREU6IGNoYXIiPjxTUEFOIGxhbmc9RU4tVVMgDQpzdHlsZT0iRk9OVC1TSVpFOiAx MHB0OyBGT05ULUZBTUlMWTogsby4siI+QnV0LCBJIGhhZCBub3QgY2hlY2sgPC9TUEFOPjxGT05U IA0Kc2l6ZT0yPjxGT05UIGZhY2U9sby4sj48U1BBTiBsYW5nPUVOLVVTIHN0eWxlPSJGT05ULUZB TUlMWTogQXJpYWwiPqGuczwvU1BBTj48U1BBTiANCmxhbmc9RU4tVVMgc3R5bGU9IkZPTlQtRkFN SUxZOiCxvLiyIj55bW1ldHJpYyBtdWx0aS1wcm9jZXNzaW5nIHN1cHBvcnQ8L1NQQU4+PFNQQU4g DQpsYW5nPUVOLVVTIHN0eWxlPSJGT05ULUZBTUlMWTogQXJpYWwiPqGvPC9TUEFOPjxTUEFOIGxh bmc9RU4tVVMgDQpzdHlsZT0iRk9OVC1GQU1JTFk6ILG8uLIiPiBrZXJuZWwgY29tcGlsZSBvcHRp b24sPC9TUEFOPjwvRk9OVD48L0ZPTlQ+PC9QPg0KPFAgY2xhc3M9TXNvTm9ybWFsIHN0eWxlPSJM QVlPVVQtR1JJRC1NT0RFOiBjaGFyIj48Rk9OVCBzaXplPTI+PFNQQU4gbGFuZz1FTi1VUyANCnN0 eWxlPSJGT05ULVNJWkU6IDEwcHQ7IEZPTlQtRkFNSUxZOiCxvLiyIj5hbmQsIEkgaGFkIGNvbXBs aWUgdGhhdCBrZXJuZWwuIA0KPC9TUEFOPjwvRk9OVD48L1A+DQo8UCBjbGFzcz1Nc29Ob3JtYWwg c3R5bGU9IkxBWU9VVC1HUklELU1PREU6IGNoYXIiPjxGT05UIHNpemU9Mj48U1BBTiBsYW5nPUVO LVVTIA0Kc3R5bGU9IkZPTlQtU0laRTogMTBwdDsgRk9OVC1GQU1JTFk6ILG8uLIiPldoZW4gSSB1 c2V0IHRoYXQga2VybmVsLCB0aGUgc3lzdGVtIGlzIA0KZ29vZC48L1NQQU4+PC9GT05UPjwvUD4N CjxQIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0iTEFZT1VULUdSSUQtTU9ERTogY2hhciI+PEZPTlQg c2l6ZT0yPjxTUEFOIGxhbmc9RU4tVVMgDQpzdHlsZT0iRk9OVC1TSVpFOiAxMHB0OyBGT05ULUZB TUlMWTogsby4siI+SG93IHRvIHNvbHZlIHRoYXQgDQpwcm9ibGVtPzwvU1BBTj48L0ZPTlQ+PC9Q Pg0KPERJVj48Rk9OVCBzaXplPTI+PC9GT05UPiZuYnNwOzwvRElWPjwvQk9EWT48L0hUTUw+DQo= ------=_NextPart_000_000D_01C46D9D.4A30C620-- From lartc@ssi.bg Mon Jul 19 10:19:50 2004 From: lartc@ssi.bg (Anton Glinkov) Date: Mon, 19 Jul 2004 12:19:50 +0300 (EEST) Subject: [LARTC] (no subject) Message-ID: <33089.217.79.71.231.1090228790.squirrel@217.79.71.231> Hi I want to block the IP traffic between any 2 hosts on a switched ethernet LAN. Will setting all the possible IP addresses on a linux machine in the LAN do the trick or there is another easier solution? 
--
Anton Glinkov
network administrator

From kristiadi_himawan@dtp.net.id Mon Jul 19 11:42:15 2004
From: kristiadi_himawan@dtp.net.id (Kristiadi Himawan)
Date: Mon, 19 Jul 2004 17:42:15 +0700
Subject: [LARTC] tc+mrtg
References: <20040717045930.16945.73460.Mailman@outpost.ds9a.nl> <40F93C8C.6090703@unet.edu.ve>
Message-ID: <014901c46d7d$0e58d9a0$15a02bca@gsd03>

Hi,

I'm sorry if this question was already asked by someone else.
My question is how to make an mrtg graph for traffic that is already shaped by htb.
Actually I already have mrtg for it but the traffic captured was before the shaper (PREROUTING and POSTROUTING), so the bandwidth shown is not the real traffic.
So what should I do if I want to see a graph of the traffic that passes through my shaper?

Thanks for the help.

Regards,

Kris

From lists@wildgooses.com Mon Jul 19 13:04:44 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Mon, 19 Jul 2004 13:04:44 +0100
Subject: [LARTC] (no subject)
In-Reply-To: <33089.217.79.71.231.1090228790.squirrel@217.79.71.231>
References: <33089.217.79.71.231.1090228790.squirrel@217.79.71.231>
Message-ID: <40FBB8DC.6090907@wildgooses.com>

>I want to block the IP traffic between any 2 hosts on a switched ethernet
>LAN. Will setting all the possible IP addresses on a linux machine in the
>LAN do the trick or there is another easier solution?
>

You need to arrange to have the linux machine running as that switch, which is unlikely to be practical.

See if your switch has such options (if it's a high end device). Otherwise your best option is to segregate the two LANs and then route or bridge between them; the linux box will do filtering in the middle.
You haven't said what you are trying to achieve, so it's hard to offer better suggestions

From lartc@ssi.bg Mon Jul 19 13:18:14 2004
From: lartc@ssi.bg (Anton Glinkov)
Date: Mon, 19 Jul 2004 15:18:14 +0300 (EEST)
Subject: [LARTC] block ethernet IPv4 traffic
In-Reply-To: <40FBB8DC.6090907@wildgooses.com>
References: <33089.217.79.71.231.1090228790.squirrel@217.79.71.231> <40FBB8DC.6090907@wildgooses.com>
Message-ID: <39685.217.79.71.234.1090239494.squirrel@217.79.71.234>

On Mon, July 19, 2004 15:04, Ed Wildgoose said:
>
>>I want to block the IP traffic between any 2 hosts on a switched ethernet
>>LAN. Will setting all the possible IP addresses on a linux machine in the
>>LAN do the trick or there is another easier solution?
>>
>
> You need to arrange to have the linux machine running as that switch,
> which is unlikely to be practical.
>
> See if your switch has such options (if it's a high end device).
> Otherwise your best option is to segregate the two LAN's and then route
> or bridge between then, the linux box will do filtering in the middle.
>
> You haven't said what you are trying to achieve, so it's hard to offer
> better suggestions
>

the bridge thing is not possible.. the network is too big.. 300 machines.. with over 30 switches (only one of them is manageable) :(

Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.

The only solution I thought of was to have a linux machine in this LAN that has all the possible IP addresses set on its interface.
--
Anton Glinkov
network administrator

From lists@wildgooses.com Mon Jul 19 13:25:16 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Mon, 19 Jul 2004 13:25:16 +0100
Subject: [LARTC] block ethernet IPv4 traffic
In-Reply-To: <39685.217.79.71.234.1090239494.squirrel@217.79.71.234>
References: <33089.217.79.71.231.1090228790.squirrel@217.79.71.231> <40FBB8DC.6090907@wildgooses.com> <39685.217.79.71.234.1090239494.squirrel@217.79.71.234>
Message-ID: <40FBBDAC.609@wildgooses.com>

>the bridge thing is not possible.. the network is too big.. 300 machines..
>with over 30 switches (only one of them is manageable) :(
>Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>The only solution I thought of was to have a linux machine in this LAN
>that has all the possible IP addresses set on its interface.
>

Look, we can't help you until you explain the problem

WHY is it not possible to have a bridge? This only requires two network cards?

From lartc@ssi.bg Mon Jul 19 13:33:49 2004
From: lartc@ssi.bg (Anton Glinkov)
Date: Mon, 19 Jul 2004 15:33:49 +0300 (EEST)
Subject: [LARTC] block ethernet IPv4 traffic
In-Reply-To: <40FBBDAC.609@wildgooses.com>
References: <33089.217.79.71.231.1090228790.squirrel@217.79.71.231> <40FBB8DC.6090907@wildgooses.com> <39685.217.79.71.234.1090239494.squirrel@217.79.71.234> <40FBBDAC.609@wildgooses.com>
Message-ID: <39791.217.79.71.234.1090240429.squirrel@217.79.71.234>

On Mon, July 19, 2004 15:25, Ed Wildgoose said:
>
>>the bridge thing is not possible.. the network is too big.. 300
>> machines..
>>with over 30 switches (only one of them is manageable) :(
>>Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>The only solution I thought of was to have a linux machine in this LAN
>>that has all the possible IP addresses set on its interface.
>>
>
> Look, we can't help you until you explain the problem
>
> WHY is it not possible to have a bridge? This only requires two network
> cards?
I want to block the traffic between _ANY_ 2 of the machines in the network.

--
Anton Glinkov
network administrator

From roy@xxx.lt Mon Jul 19 13:20:36 2004
From: roy@xxx.lt (Roy)
Date: Mon, 19 Jul 2004 15:20:36 +0300
Subject: [LARTC] tc+mrtg
References: <20040717045930.16945.73460.Mailman@outpost.ds9a.nl> <40F93C8C.6090703@unet.edu.ve> <014901c46d7d$0e58d9a0$15a02bca@gsd03>
Message-ID: <000d01c46d8a$cc2e3030$030aa8c0@t>

MRTG can only show interface load, basically it is the graphic representation of what you will see with ifconfig.

For more advanced graphs you need to use other software than mrtg.

----- Original Message -----
From: "Kristiadi Himawan"
To:
Sent: Monday, July 19, 2004 1:42 PM
Subject: [LARTC] tc+mrtg

> Hi,
>
> I'm sorry if this question already asked by someone else.
> My question is how to make mrtg graph for traffic that already shape by htb.
> Acctually i already have mrtg for it but the traffic captured was before the
> shaper (PREROUTING and POSTROUTING)
> so the bandwidth shown is not the real traffic.
> So what should i do if i want to see graph traffic that passing through my
> shaper.
>
> Thanks for the help.
>
> Regards,
>
> Kris
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

From lartc@draxinusom.ch Mon Jul 19 13:52:01 2004
From: lartc@draxinusom.ch (Rene Gallati)
Date: Mon, 19 Jul 2004 14:52:01 +0200
Subject: [LARTC] block ethernet IPv4 traffic
In-Reply-To: <39791.217.79.71.234.1090240429.squirrel@217.79.71.234>
References: <33089.217.79.71.231.1090228790.squirrel@217.79.71.231> <40FBB8DC.6090907@wildgooses.com> <39685.217.79.71.234.1090239494.squirrel@217.79.71.234> <40FBBDAC.609@wildgooses.com> <39791.217.79.71.234.1090240429.squirrel@217.79.71.234>
Message-ID: <40FBC3F1.9080105@draxinusom.ch>

Anton Glinkov wrote:
> On Mon, July 19, 2004 15:25, Ed Wildgoose said:
>
>>
>>>the bridge thing is not possible..
>>>the network is too big.. 300
>>>machines..
>>>with over 30 switches (only one of them is manageable) :(
>>>Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>>The only solution I thought of was to have a linux machine in this LAN
>>>that has all the possible IP addresses set on its interface.
>>>
>>
>>Look, we can't help you until you explain the problem
>>
>>WHY is it not possible to have a bridge? This only requires two network
>>cards?
>
> I want to block the traffic between _ANY_ 2 of the machines in the network.

How about giving them a netmask of /32 instead of /24 (or whatever you have) so that they only see themselves in the same network and then giving them a static route to the default gw (since it is outside of the /32).

Then you can block all inter-client traffic at that single default gateway (or one hop "in front" of it, seen from the clients)

--
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -

From alessandro.ren@opservices.com.br Mon Jul 19 13:45:22 2004
From: alessandro.ren@opservices.com.br (Alessandro Ren)
Date: Mon, 19 Jul 2004 09:45:22 -0300
Subject: [LARTC] QoS for Voip.
Message-ID: <40FBC262.4090101@opservices.com.br>

Thanks for the tips Brian,

Actually, I have many sorts of links, like PPPoE ADSL, PPPoA ADSL (where I use PPTP over a PPPoA relay), radio links that connect to the ethernet interface, and cable modems.

To change the SFQ queue size I must recompile the kernel? I think I saw some messages talking about that.

One other thing, I have the 1:10 and 1:20 classes, let's assume there is no voip traffic and all bandwidth is being consumed and it is in the other class. When the voip traffic starts, there is an initial delay until the 1:20 class starts to free bandwidth to the 1:10 class, as I've noticed.
Should I change the burst and cburst parameters to get a better response or just make the queues smaller?

Thanks.

Brian Carrig wrote:

On 16 Jul 2004 at 13:35, Alessandro Ren wrote:

> Hello Brian,
>
> This is the basis for the wshaper.
> I have only two classes and I put voip on the 1:10 class and the rest in the 1:20. I am not
> listing here, but I have the rule marking packets and sorting then into classes, actually, I just put
> one port into the 1:10 class, that's the voip port and nothing else. I really want to keep the best
> quality I can for voip, without bandwidth waste., because, if a page takes 1 seconds longer do
> load is ok, but if a voip packet starts to get delay, we got a problem,
> I think, I must have no queue for voip packets, all packtes should be forwarded as soon as
> they get to the box, right?
>

You do actually have a queue for VoIP, as you implement SFQ for both the 1:10 and 1:20 classes. To the best of my knowledge the default setting for this queue is 128 packets. This may be too large for VoIP if latency is a concern so I would suggest making this queue much smaller (limit option). Unfortunately without knowing the particulars of your link I am unable to suggest a figure but have a play around and see what suits.
Regards
Brian

>#
>tc qdisc add dev $DEV root handle 1: htb default 20
>
># shape everything at $UPLINK speed - this prevents huge queues in your
># DSL modem which destroy latency:
>
>tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbit burst 6k
>
># high prio class 1:10:
>
>tc class add dev $DEV parent 1:1 classid 1:10 htb rate $[4*$UPLINK/10]kbit \
>   burst 6k prio 1
>
># bulk & default class 1:20 - gets slightly less traffic,
># and a lower priority:
>
>tc class add dev $DEV parent 1:1 classid 1:20 htb rate $[6*$UPLINK/10]kbit \
>   ceil $[10*$UPLINK/10]kbit burst 6k prio 2
>
># all get Stochastic Fairness:
>tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
>tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
>
>
>Brian Carrig wrote:
> We run something similar allowing customers to place traffic into gold, silver or
> bronze classes. I reserve a fixed amount of bandwidth for each class and allow them
> to borrow (I hate the idea of bandwidth going to waste). However, excess bandwidth
> is offered preferrentially to gold, then silver before being offered to bronze.
> Because p2p and other bw consuming traffic are unlikely to be in the gold and silver
> classes (they cost more) there haven't been any problems.
> I haven't really looked at the wondershaper script in much detail, how is voip traffic
> prioritised?
>
> Regards
> Brian
>
> On 16 Jul 2004 at 12:19, Alessandro Ren wrote:
>
> > I've been using a altered version of the wshaper script to priorize voip traffic for my
> > customers.
> > I'd like to know if someone in the list has any tips on QoS for voip, if someone has done some
> > experimentation.
> > I am using HTB and if someone on the LAN uses a p2p program, I started to noticed in the
> > voip, with cuts, jitter and lag. If a reserve a fixed amount of bandwitdh not letting anyonbe
> > borrow, it works fine, but then if noone is using voip, I have bandwidth going to waste.
> > I think I need some fine tuning on the HTB parameters, but I am not sure about that.
From lartc@ssi.bg Mon Jul 19 13:58:08 2004
From: lartc@ssi.bg (Anton Glinkov)
Date: Mon, 19 Jul 2004 15:58:08 +0300 (EEST)
Subject: [LARTC] block ethernet IPv4 traffic
In-Reply-To: <40FBC3F1.9080105@draxinusom.ch>
References: <33089.217.79.71.231.1090228790.squirrel@217.79.71.231> <40FBB8DC.6090907@wildgooses.com> <39685.217.79.71.234.1090239494.squirrel@217.79.71.234> <40FBBDAC.609@wildgooses.com> <39791.217.79.71.234.1090240429.squirrel@217.79.71.234> <40FBC3F1.9080105@draxinusom.ch>
Message-ID: <39919.217.79.71.234.1090241888.squirrel@217.79.71.234>

> Anton Glinkov wrote:
>
>> On Mon, July 19, 2004 15:25, Ed Wildgoose said:
>>
>>>>the bridge thing is not possible.. the network is too big.. 300
>>>>machines..
>>>>with over 30 switches (only one of them is manageable) :(
>>>>Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>>>The only solution I thought of was to have a linux machine in this LAN
>>>>that has all the possible IP addresses set on its interface.
>>>>
>>>
>>>Look, we can't help you until you explain the problem
>>>
>>>WHY is it not possible to have a bridge? This only requires two network
>>>cards?
>>
>> I want to block the traffic between _ANY_ 2 of the machines in the
>> network.
>
> How about giving them a netmask of /32 instead of /24 (or whatever you
> have) so that they only see themselves in the same network and then
> giving them a static route to the default gw (since it is outside of the
> /32).
>
> Then you can block all inter-client traffic at that single default
> gateway (or one hop "in front" of it, seen from the clients)
>

I don't have access to those machines :-)

they use the internet via a different ethernet protocol (PPPoE)

From lartc@draxinusom.ch Mon Jul 19 14:26:56 2004
From: lartc@draxinusom.ch (Rene Gallati)
Date: Mon, 19 Jul 2004 15:26:56 +0200
Subject: [LARTC] block ethernet IPv4 traffic
In-Reply-To: <39919.217.79.71.234.1090241888.squirrel@217.79.71.234>
References: <33089.217.79.71.231.1090228790.squirrel@217.79.71.231> <40FBB8DC.6090907@wildgooses.com> <39685.217.79.71.234.1090239494.squirrel@217.79.71.234> <40FBBDAC.609@wildgooses.com> <39791.217.79.71.234.1090240429.squirrel@217.79.71.234> <40FBC3F1.9080105@draxinusom.ch> <39919.217.79.71.234.1090241888.squirrel@217.79.71.234>
Message-ID: <40FBCC20.8080802@draxinusom.ch>

Anton Glinkov wrote:
>>Anton Glinkov wrote:
>>
>>>On Mon, July 19, 2004 15:25, Ed Wildgoose said:
>>>
>>>>>the bridge thing is not possible.. the network is too big.. 300
>>>>>machines..
>>>>>with over 30 switches (only one of them is manageable) :(
>>>>>Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>>>>The only solution I thought of was to have a linux machine in this LAN
>>>>>that has all the possible IP addresses set on its interface.
>>>>>
>>>>
>>>>Look, we can't help you until you explain the problem
>>>>
>>>>WHY is it not possible to have a bridge? This only requires two network
>>>>cards?
>>>
>>>I want to block the traffic between _ANY_ 2 of the machines in the
>>>network.
>>
>>How about giving them a netmask of /32 instead of /24 (or whatever you
>>have) so that they only see themselves in the same network and then
>>giving them a static route to the default gw (since it is outside of the
>>/32).
>>
>>Then you can block all inter-client traffic at that single default
>>gateway (or one hop "in front" of it, seen from the clients)
>>
>
> I don't have access to those machines :-)
> they use internet via different ehternet protocol (PPPoE)

If you don't have access to those machines, you need to do "something" where you have access, which presumably is at the switches. But that means you either need to replace those with smart ones (which can also be a linux box with many nics or multi-port nics) or basically put a linux box with 2 nics in between the cable from the client and the switch port. Either way, it's not gonna be cheap and possibly isn't feasible at all. I see no easier solution if you cannot control/trust the client systems.

--
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -

From lartc@draxinusom.ch Mon Jul 19 14:27:04 2004
From: lartc@draxinusom.ch (Rene Gallati)
Date: Mon, 19 Jul 2004 15:27:04 +0200
Subject: [LARTC] block ethernet IPv4 traffic
In-Reply-To: <40FBC6A6.80609@ornl.gov>
References: <33089.217.79.71.231.1090228790.squirrel@217.79.71.231> <40FBB8DC.6090907@wildgooses.com> <39685.217.79.71.234.1090239494.squirrel@217.79.71.234> <40FBBDAC.609@wildgooses.com> <39791.217.79.71.234.1090240429.squirrel@217.79.71.234> <40FBC3F1.9080105@draxinusom.ch> <40FBC6A6.80609@ornl.gov>
Message-ID: <40FBCC28.5020600@draxinusom.ch>

Lawrence MacIntyre wrote:
> This will work as long as none of the clients are clued enough to add
> host routes or alias addresses.

Yes, I assumed he was the admin of the site in question. If the clients have full control over their systems then this is a no-go.

Some linux boxes with bridges and bridge_filter might do the trick but he'd need to put one of those basically in front of each switch port.

I don't see an easy way to solve the problem.
>
> Rene Gallati wrote:
>
>> Anton Glinkov wrote:
>>
>>> On Mon, July 19, 2004 15:25, Ed Wildgoose said:
>>>
>>>>> the bridge thing is not possible.. the network is too big.. 300
>>>>> machines..
>>>>> with over 30 switches (only one of them is manageable) :(
>>>>> Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>>>> The only solution I thought of was to have a linux machine in this LAN
>>>>> that has all the possible IP addresses set on its interface.
>>>>>
>>>>
>>>> Look, we can't help you until you explain the problem
>>>>
>>>> WHY is it not possible to have a bridge? This only requires two
>>>> network
>>>> cards?
>>>
>>> I want to block the traffic between _ANY_ 2 of the machines in the
>>> network.
>>
>> How about giving them a netmask of /32 instead of /24 (or whatever you
>> have) so that they only see themselves in the same network and then
>> giving them a static route to the default gw (since it is outside of
>> the /32).
>>
>> Then you can block all inter-client traffic at that single default
>> gateway (or one hop "in front" of it, seen from the clients)
>>
>

--
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -

From gideon@adept.co.za Mon Jul 19 14:00:39 2004
From: gideon@adept.co.za (Gideon le Grange)
Date: 19 Jul 2004 15:00:39 +0200
Subject: [LARTC] tc+mrtg
In-Reply-To: <000d01c46d8a$cc2e3030$030aa8c0@t>
References: <20040717045930.16945.73460.Mailman@outpost.ds9a.nl> <40F93C8C.6090703@unet.edu.ve> <014901c46d7d$0e58d9a0$15a02bca@gsd03> <000d01c46d8a$cc2e3030$030aa8c0@t>
Message-ID: <1090242039.2669.67.camel@gideon.adept.co.za>

On Mon, 2004-07-19 at 14:20, Roy wrote:
> MRTG can only show interface load, basicaly it is the graphic representation
> of what you will see with ifconfig.
>
> For more advanced graph you need to use another software than mrtg.

MRTG can graph any variable that you can read using SNMP.
The problem is getting the tc stats readable using SNMP, that's the tricky bit (which as far as I've seen can't be done, but I hope I'm wrong).

Gideon

From lartc@draxinusom.ch Mon Jul 19 14:47:38 2004
From: lartc@draxinusom.ch (Rene Gallati)
Date: Mon, 19 Jul 2004 15:47:38 +0200
Subject: [LARTC] tc+mrtg
In-Reply-To: <1090242039.2669.67.camel@gideon.adept.co.za>
References: <20040717045930.16945.73460.Mailman@outpost.ds9a.nl> <40F93C8C.6090703@unet.edu.ve> <014901c46d7d$0e58d9a0$15a02bca@gsd03> <000d01c46d8a$cc2e3030$030aa8c0@t> <1090242039.2669.67.camel@gideon.adept.co.za>
Message-ID: <40FBD0FA.7060100@draxinusom.ch>

Gideon le Grange wrote:
> On Mon, 2004-07-19 at 14:20, Roy wrote:
>
>>MRTG can only show interface load, basicaly it is the graphic representation
>> of what you will see with ifconfig.
>>
>>For more advanced graph you need to use another software than mrtg.
>
>
> MRTG can graph any variable that you can read using SNMP. The problem is
> getting the tc stats readable using SNMP, that's the trick bit (which as
> far as I've seen can't be done, but I hope I'm wrong).
>

MRTG doesn't necessarily need SNMP, you can feed it ANY value via a perl script. I've been doing it for ages. You just need to get at the values (periodic tc -s qdisc show, parse it, feed mrtg)

From: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/mrtg-reference.html

"External Monitoring Scripts

If you want to monitor something which does not provide data via snmp you can use some external program to do the data gathering.

The external command must return 4 lines of output:

Line 1
current state of the first variable, normally 'incoming bytes count'

Line 2
current state of the second variable, normally 'outgoing bytes count'

Line 3
string (in any human readable format), telling the uptime of the target.

Line 4
string, telling the name of the target.
Depending on the type of data your script returns you might want to use the 'gauge' or 'absolute' arguments for the Options keyword.

Example:

Target[ezwf]: `/usr/local/bin/df2mrtg /dev/dsk/c0t2d0s0`

Note the use of the backticks (`), not apostrophes (') around the command. If you want to use a backtick in the command name this can be done but you must escape it with a backslash ...

If your script does not have any data to return but does not want mrtg to complain about invalid data, it can return 'UNKNOWN' instead of a number. Note though that only rrdtool is really equipped to handle unknown data well.
"

--
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -

From lpz@ornl.gov Mon Jul 19 14:03:34 2004
From: lpz@ornl.gov (Lawrence MacIntyre)
Date: Mon, 19 Jul 2004 09:03:34 -0400
Subject: [LARTC] block ethernet IPv4 traffic
In-Reply-To: <40FBC3F1.9080105@draxinusom.ch>
References: <33089.217.79.71.231.1090228790.squirrel@217.79.71.231> <40FBB8DC.6090907@wildgooses.com> <39685.217.79.71.234.1090239494.squirrel@217.79.71.234> <40FBBDAC.609@wildgooses.com> <39791.217.79.71.234.1090240429.squirrel@217.79.71.234> <40FBC3F1.9080105@draxinusom.ch>
Message-ID: <40FBC6A6.80609@ornl.gov>

This will work as long as none of the clients are clued enough to add host routes or alias addresses.

Rene Gallati wrote:
> Anton Glinkov wrote:
>
>> On Mon, July 19, 2004 15:25, Ed Wildgoose said:
>>
>>>> the bridge thing is not possible.. the network is too big.. 300
>>>> machines..
>>>> with over 30 switches (only one of them is manageable) :(
>>>> Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>>> The only solution I thought of was to have a linux machine in this LAN
>>>> that has all the possible IP addresses set on its interface.
>>>>
>>>
>>> Look, we can't help you until you explain the problem
>>>
>>> WHY is it not possible to have a bridge? This only requires two network
>>> cards?
>>
>> I want to block the traffic between _ANY_ 2 of the machines in the
>> network.
>
> How about giving them a netmask of /32 instead of /24 (or whatever you
> have) so that they only see themselves in the same network and then
> giving them a static route to the default gw (since it is outside of the
> /32).
>
> Then you can block all inter-client traffic at that single default
> gateway (or one hop "in front" of it, seen from the clients)
>

--
Lawrence MacIntyre 865.574.8696 lpz@ornl.gov
Oak Ridge National Laboratory
High Performance Information Infrastructure Technology Group

From Andreas.Klauer@metamorpher.de Mon Jul 19 14:19:28 2004
From: Andreas.Klauer@metamorpher.de (Andreas Klauer)
Date: Mon, 19 Jul 2004 15:19:28 +0200
Subject: [LARTC] QoS for Voip.
In-Reply-To: <40FBC262.4090101@opservices.com.br>
References: <40FBC262.4090101@opservices.com.br>
Message-ID: <200407191519.29989.Andreas.Klauer@metamorpher.de>

On Monday 19 July 2004 14:45 Alessandro Ren wrote:
> To change the SFQ queue size I must recompile de kernel?

Yes. It's not dynamic. But you could use ESFQ instead, I think it allows specifying the queue length with the tc command.

> When the voip traffic starts, there is a inicial delay untill the 1:20
> class starts to free bandwidth to the 1:10 class, as I've noticed. Should
> I change the burst and cburst parameters to get a better response or just
> make de queues smaller?

This is just guesswork, I haven't checked the code: As far as I understand the way QoS is implemented in the kernel, a packet may only get out of the queue if the qdisc (in your case HTB) allows it to. If that's correct, the queue size should not matter, your problem is that HTB allows the 1:20 class to dequeue whilst 1:10 does not get a chance to do stuff. If you get a delay, then HTB is just too slow adjusting for the changed conditions. I haven't noticed such a problem myself though, since there is usually always traffic in my classes...
Andreas

From lists@wildgooses.com Mon Jul 19 16:43:14 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Mon, 19 Jul 2004 16:43:14 +0100
Subject: [LARTC] block ethernet IPv4 traffic
In-Reply-To: <39685.217.79.71.234.1090239494.squirrel@217.79.71.234>
References: <33089.217.79.71.231.1090228790.squirrel@217.79.71.231> <40FBB8DC.6090907@wildgooses.com> <39685.217.79.71.234.1090239494.squirrel@217.79.71.234>
Message-ID: <40FBEC12.5080400@wildgooses.com>

>Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>

Go on then, I'll bite. Why do you want to do this at all?

From alessandro.ren@opservices.com.br Mon Jul 19 17:20:17 2004
From: alessandro.ren@opservices.com.br (Alessandro Ren)
Date: Mon, 19 Jul 2004 13:20:17 -0300
Subject: [LARTC] tc+mrtg
In-Reply-To: <40FBD0FA.7060100@draxinusom.ch>
References: <20040717045930.16945.73460.Mailman@outpost.ds9a.nl> <40F93C8C.6090703@unet.edu.ve> <014901c46d7d$0e58d9a0$15a02bca@gsd03> <000d01c46d8a$cc2e3030$030aa8c0@t> <1090242039.2669.67.camel@gideon.adept.co.za> <40FBD0FA.7060100@draxinusom.ch>
Message-ID: <40FBF4C1.6080308@opservices.com.br>

A good tool that I use to graph things is netmrg, www.netmrg.net

[]s.

Rene Gallati wrote:
> Gideon le Grange wrote:
>
>> On Mon, 2004-07-19 at 14:20, Roy wrote:
>>
>>> MRTG can only show interface load, basicaly it is the graphic
>>> representation
>>> of what you will see with ifconfig.
>>>
>>> For more advanced graph you need to use another software than mrtg.
>>
>> MRTG can graph any variable that you can read using SNMP. The problem is
>> getting the tc stats readable using SNMP, that's the trick bit (which as
>> far as I've seen can't be done, but I hope I'm wrong).
>
> MRTG doesn't necessarily need SNMP, you can feed it ANY value via a
> perl script. I've been doing it for ages.
> You just need to get at the
> values (periodic tc -s qdisc show, parse it, feed mrtg)
>
> From: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/mrtg-reference.html
>
> "External Monitoring Scripts
> If you want to monitor something which does not provide data via
> snmp you can use some external program to do the data gathering.
>
> The external command must return 4 lines of output:
>
> Line 1
> current state of the first variable, normally 'incoming bytes count'
>
> Line 2
> current state of the second variable, normally 'outgoing bytes count'
>
> Line 3
> string (in any human readable format), telling the uptime of the
> target.
>
> Line 4
> string, telling the name of the target.
>
> Depending on the type of data your script returns you might want to
> use the 'gauge' or 'absolute' arguments for the Options keyword.
>
> Example:
>
> Target[ezwf]: `/usr/local/bin/df2mrtg /dev/dsk/c0t2d0s0`
>
> Note the use of the backticks (`), not apostrophes (') around the
> command.
>
> If you want to use a backtick in the command name this can be done but
> you must escape it with a backslash ...
>
> If your script does not have any data to return but does not want mrtg
> to complain about invalid data, it can return 'UNKNOWN' instead of a
> number. Note though that only rrdtool is really equipped to handle
> unknown data well.
> "

--
_______________________________________________
Alessandro Ren
OpServices
Luciana de Abreu, 471 - Sala 403
Porto Alegre, RS - CEP 90570-060
phone 55(51)3061-3588
fax 55(51)3061-3588
mobile 55(51)9807-3255
email alessandro.ren@opservices.com.br
_______________________________________________

"This message is intended only for the named person's and/or entity's use and may contain confidential, proprietary or legally privileged information, which shall not be used, disclosed, changed, printed or copied, in whole or in part, by not intended recipients. If this message is received by error, please delete it from your system and notify the sender, immediately. No confidentiality or privilege is waived by any mistransmission."
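The "periodic tc -s, parse it, feed mrtg" approach Rene describes, written out as an added example (Python rather than perl; this is not code from the thread or from MRTG). It reads the per-class `Sent N bytes M pkt` counters from `tc -s class show`, which are incremented on dequeue and therefore count traffic that actually left the shaper rather than what the iptables mangle chains saw before it, and prints the four lines the MRTG reference quoted above requires. The device `eth0`, the class ids `1:10`/`1:11`, the script name and the sample tc output are constructed for the example.

```python
#!/usr/bin/env python3
"""Feed per-class tc byte counters to MRTG as an external monitoring script.

Added example, not code from the list post.  Assumptions: the parser
targets the "class ... / Sent N bytes M pkt" layout of
`tc -s class show dev <dev>`; class ids and target name are example values.
"""
import re
import subprocess
import sys

# "class htb 1:10 parent 1:1 prio 0 rate 30Kbit ..." -> classid "1:10"
CLASS_RE = re.compile(r"^class\s+\S+\s+(?P<classid>[0-9a-fA-F]+:[0-9a-fA-F]+)")
# " Sent 1234567 bytes 8901 pkt (dropped 0, overlimits 0 requeues 0)"
SENT_RE = re.compile(r"^\s*Sent\s+(?P<bytes>\d+)\s+bytes\s+(?P<pkts>\d+)\s+pkts?\b")

# Constructed sample of `tc -s class show dev eth0` output (not a real capture).
SAMPLE_TC_OUTPUT = """\
class htb 1:1 root rate 78Kbit ceil 78Kbit burst 3Kb cburst 3Kb
 Sent 989012345 bytes 663222 pkt (dropped 17, overlimits 40 requeues 0)
 rate 9000bit 8pps backlog 0b 0p requeues 0

class htb 1:10 parent 1:1 prio 0 rate 30Kbit ceil 78Kbit burst 3Kb cburst 3Kb
 Sent 1234567 bytes 8901 pkt (dropped 0, overlimits 0 requeues 0)
 rate 1200bit 1pps backlog 0b 0p requeues 0

class htb 1:11 parent 1:1 prio 1 rate 16Kbit ceil 78Kbit burst 1599b cburst 1599b
 Sent 987654321 bytes 654321 pkt (dropped 17, overlimits 40 requeues 0)
 rate 7800bit 7pps backlog 0b 0p requeues 0
"""


def parse_tc_class_stats(text):
    """Return {classid: (bytes_sent, packets_sent)} from `tc -s class show` text.

    The Sent counter is updated when a packet is dequeued from the class, so
    it measures traffic that actually left the shaper; packets the class
    dropped are not in it (unlike counters taken in the mangle chains).
    """
    stats = {}
    current = None
    for line in text.splitlines():
        header = CLASS_RE.match(line)
        if header:
            current = header.group("classid")
            continue
        sent = SENT_RE.match(line)
        if sent and current is not None:
            stats[current] = (int(sent.group("bytes")), int(sent.group("pkts")))
            current = None  # one Sent line per class block
    return stats


def mrtg_lines(stats, in_class, out_class, target_name, uptime="unknown"):
    """Build the four lines MRTG expects: two counters, uptime, target name.

    Two HTB classes of one egress interface fill MRTG's "in"/"out" slots.
    A class missing from the tc output (e.g. after the qdisc was rebuilt)
    yields 'UNKNOWN', which MRTG accepts instead of a number.
    """
    def counter(classid):
        return str(stats[classid][0]) if classid in stats else "UNKNOWN"

    return [counter(in_class), counter(out_class), uptime, target_name]


def read_uptime():
    """Human-readable uptime from /proc/uptime, or 'unknown' if unreadable."""
    try:
        with open("/proc/uptime") as f:
            seconds = int(float(f.read().split()[0]))
    except (OSError, ValueError, IndexError):
        return "unknown"
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days}d {hours}h {rem // 60}m"


def run_tc(dev):
    """Run `tc -s class show dev <dev>` and return its stdout."""
    return subprocess.run(["tc", "-s", "class", "show", "dev", dev],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Usage: tc2mrtg.py eth0 1:10 1:11  (device, class for line 1, class for line 2)
    if len(sys.argv) != 4:
        sys.exit("usage: tc2mrtg.py <dev> <classid-in> <classid-out>")
    dev, cls_in, cls_out = sys.argv[1:]
    stats = parse_tc_class_stats(run_tc(dev))
    print("\n".join(mrtg_lines(stats, cls_in, cls_out,
                               f"{dev} htb {cls_in}/{cls_out}", read_uptime())))
```

Hooked into mrtg.cfg as `Target[htb10]: `/usr/local/bin/tc2mrtg.py eth0 1:10 1:11`` (backticks, as the reference quoted above insists), the byte counts are monotonic counters, so MRTG's default counter mode applies and no `gauge` or `absolute` option is needed. One caveat a practitioner should expect: the counters restart from zero whenever the qdisc is deleted and re-added, which MRTG sees as a counter wrap and may plot as a spike; keeping `MaxBytes` at the real link capacity lets MRTG discard that sample.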
From xerox@foonet.net Mon Jul 19 18:17:00 2004
From: xerox@foonet.net (Paul)
Date: Mon, 19 Jul 2004 13:17:00 -0400
Subject: [LARTC] block ethernet IPv4 traffic
In-Reply-To: <40FBC6A6.80609@ornl.gov>
References: <33089.217.79.71.231.1090228790.squirrel@217.79.71.231> <40FBB8DC.6090907@wildgooses.com> <39685.217.79.71.234.1090239494.squirrel@217.79.71.234> <40FBBDAC.609@wildgooses.com> <39791.217.79.71.234.1090240429.squirrel@217.79.71.234> <40FBC3F1.9080105@draxinusom.ch> <40FBC6A6.80609@ornl.gov>
Message-ID: <1090257420.2457.9.camel@localhost.localdomain>

What about vlans? Every machine on a separate vlan. Easy enough if you have access to the network

On Mon, 2004-07-19 at 09:03, Lawrence MacIntyre wrote:
> This will work as long as none of the clients are clued enough to add
> host routes or alias addresses.
>
> Rene Gallati wrote:
> > Anton Glinkov wrote:
> >
> >> On Mon, July 19, 2004 15:25, Ed Wildgoose said:
> >>
> >>>> the bridge thing is not possible.. the network is too big.. 300
> >>>> machines..
> >>>> with over 30 switches (only one of them is manageable) :(
> >>>> Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
> >>>> The only solution I thought of was to have a linux machine in this LAN
> >>>> that has all the possible IP addresses set on its interface.
> >>>
> >>> Look, we can't help you until you explain the problem
> >>>
> >>> WHY is it not possible to have a bridge? This only requires two network
> >>> cards?
> >>
> >> I want to block the traffic between _ANY_ 2 of the machines in the
> >> network.
> >
> > How about giving them a netmask of /32 instead of /24 (or whatever you
> > have) so that they only see themselves in the same network and then
> > giving them a static route to the default gw (since it is outside of the
> > /32).
> >
> > Then you can block all inter-client traffic at that single default
> > gateway (or one hop "in front" of it, seen from the clients)
> >

From nathan@iwantka.com Mon Jul 19 19:45:41 2004
From: nathan@iwantka.com (Nathan Littlepage)
Date: Mon, 19 Jul 2004 13:45:41 -0500
Subject: [LARTC] PPS
Message-ID: <007a01c46dc0$a74d83c0$6c45a8c0@ntbrt.bigrivertelephone.com>

Anyone know, or where I might find, how many packets per second can be sustained with the new 2.6 kernel and various processors?

From xerox@foonet.net Mon Jul 19 20:28:53 2004
From: xerox@foonet.net (Paul)
Date: Mon, 19 Jul 2004 15:28:53 -0400
Subject: [LARTC] PPS
In-Reply-To: <007a01c46dc0$a74d83c0$6c45a8c0@ntbrt.bigrivertelephone.com>
References: <007a01c46dc0$a74d83c0$6c45a8c0@ntbrt.bigrivertelephone.com>
Message-ID: <1090265333.2457.12.camel@localhost.localdomain>

I can tell you a pretty close number. It all depends on what type of packets, size of routing table, filter rules, shaping rules, etc. If you want, shoot me an email and tell me what you are doing.

On Mon, 2004-07-19 at 14:45, Nathan Littlepage wrote:
> Anyone know, or where I might find, how many packets per second can be
> sustained with the new 2.6 kernel and various processors?
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From waruiinu@gmail.com Mon Jul 19 20:34:12 2004
From: waruiinu@gmail.com (George Alexandru Dragoi)
Date: Mon, 19 Jul 2004 22:34:12 +0300
Subject: [LARTC] PPS
In-Reply-To: <007a01c46dc0$a74d83c0$6c45a8c0@ntbrt.bigrivertelephone.com>
References: <007a01c46dc0$a74d83c0$6c45a8c0@ntbrt.bigrivertelephone.com>
Message-ID: <3063e50407191234284c618a@mail.gmail.com>

I think it depends on the PCI interface

On Mon, 19 Jul 2004 13:45:41 -0500, Nathan Littlepage wrote:
> Anyone know, or where I might find, how many packets per second can be
> sustained with the new 2.6 kernel and various processors?
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

From jwpark@haninternet.co.kr Tue Jul 20 00:44:51 2004
From: jwpark@haninternet.co.kr (=?ks_c_5601-1987?B?udogwaS/+A==?=)
Date: Tue, 20 Jul 2004 08:44:51 +0900
Subject: [LARTC] patch equalize_2.4.18.patch on multi-processor
Message-ID: <373769E1AB84A74CBBFA6ED3912F0557B6D688@han-ex.haninternetworks.co.kr>

(I resend because my previous text is broken. sorry..)

I have a question about equalize_2.4.18.patch.

I use a kernel 2.4.25. And I have a multi-processor (Xeon dual) machine.

I had patched the equalize_2.4.18.patch file. And I had checked the 'Symmetric multi-processing support' kernel compile option. When I use that kernel, the system is down.

But, when I had not checked the 'Symmetric multi-processing support' kernel compile option, and I had compiled that kernel. When I use that kernel, the system is good.

How to solve that problem?

From gypsy@iswest.com Tue Jul 20 02:35:57 2004
From: gypsy@iswest.com (gypsy)
Date: Mon, 19 Jul 2004 18:35:57 -0700
Subject: [LARTC] Re: TC Hashing Filters
References: <00b801c46dbe$41c1cbd0$903113d8@uranus>
Message-ID: <40FC76FD.8E48B1FB@iswest.com>

Adam Towarnyckyj wrote:
>
> Gypsy,
> Looks like the script ran fine and everything's in there. It
> took almost an hour to complete. I still believe it might have something
> to do with my classes setup. I'll see if I can modify the script to do
> one class per IP like this one does. Thanks!
>
> Adam

Adam,

While the limit (if any) on the number of filters is at least 64,516 it is possible that there is a smaller limit for U32 matches or parents or classIDs or _something_. If you find such to be the case, you should report it to this list and to the kernel mailing list.

Your success does mean that your software is good. Some time last year (I think), Red Hat released some broken stuff that caused "File exists" errors.
You just removed my fears about that issue.

Gypsy

From rio@martin.mu Tue Jul 20 02:42:06 2004
From: rio@martin.mu (Rio Martin.)
Date: Tue, 20 Jul 2004 08:42:06 +0700
Subject: [LARTC] tc+mrtg
In-Reply-To: <000d01c46d8a$cc2e3030$030aa8c0@t>
References: <20040717045930.16945.73460.Mailman@outpost.ds9a.nl> <014901c46d7d$0e58d9a0$15a02bca@gsd03> <000d01c46d8a$cc2e3030$030aa8c0@t>
Message-ID: <200407200842.06372.rio@martin.mu>

HTB + IMQ + SNMPD + MRTG

IMQ made its own interface as shown when you typed "ifconfig"
So you'll be able to graph just as you graph using the real interface ..

- Rio.Martin -

On 19 July 2004 pm 19:20, Roy wrote:
> MRTG can only show interface load, basically it is the graphic
> representation of what you will see with ifconfig.
> For more advanced graph you need to use another software than mrtg.
>
> ----- Original Message -----
> From: "Kristiadi Himawan"
> To:
> Sent: Monday, July 19, 2004 1:42 PM
> Subject: [LARTC] tc+mrtg
>
> > Hi,
> >
> > I'm sorry if this question already asked by someone else.
> > My question is how to make mrtg graph for traffic that already shape by
> > htb.
> > Actually i already have mrtg for it but the traffic captured was before
> > the
> > shaper (PREROUTING and POSTROUTING)
> > so the bandwidth shown is not the real traffic.
> > So what should i do if i want to see graph traffic that passing through
> > my shaper.
> >
> > Thanks for the help.
> >
> > Regards,
> >
> > Kris
> >

From kristiadi_himawan@dtp.net.id Tue Jul 20 06:43:22 2004
From: kristiadi_himawan@dtp.net.id (Kristiadi Himawan)
Date: Tue, 20 Jul 2004 12:43:22 +0700
Subject: [LARTC] tc+mrtg
References: <20040717045930.16945.73460.Mailman@outpost.ds9a.nl> <40F93C8C.6090703@unet.edu.ve> <014901c46d7d$0e58d9a0$15a02bca@gsd03> <000d01c46d8a$cc2e3030$030aa8c0@t> <1090242039.2669.67.camel@gideon.adept.co.za> <40FBD0FA.7060100@draxinusom.ch>
Message-ID: <014f01c46e1c$78427f20$15a02bca@gsd03>

I already use an external script that fetches the iptables mangle table PREROUTING and POSTROUTING counters. But the traffic isn't really accurate; I found that when there's bulk UDP traffic coming to the shaper, my mrtg shows the traffic bigger than the allocated bandwidth for that class.

So the question: is it possible to make a script from the tc command that counts the bandwidth actually passing through the shaper?

Regards,
Kris

----- Original Message -----
From: "Rene Gallati"
To:
Cc:
Sent: Monday, July 19, 2004 8:47 PM
Subject: Re: [LARTC] tc+mrtg

Gideon le Grange wrote:
> On Mon, 2004-07-19 at 14:20, Roy wrote:
>
>> MRTG can only show interface load, basically it is the graphic representation
>> of what you will see with ifconfig.
>>
>> For more advanced graph you need to use another software than mrtg.
>
> MRTG can graph any variable that you can read using SNMP. The problem is
> getting the tc stats readable using SNMP, that's the trick bit (which as
> far as I've seen can't be done, but I hope I'm wrong).

MRTG doesn't necessarily need SNMP, you can feed it ANY value via a perl script. I've been doing it for ages. You just need to get at the values (periodic tc -s qdisc show, parse it, feed mrtg)

From: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/mrtg-reference.html

"External Monitoring Scripts
If you want to monitor something which does not provide data via snmp you can use some external program to do the data gathering.
The external command must return 4 lines of output:

Line 1
current state of the first variable, normally 'incoming bytes count'

Line 2
current state of the second variable, normally 'outgoing bytes count'

Line 3
string (in any human readable format), telling the uptime of the target.

Line 4
string, telling the name of the target.

Depending on the type of data your script returns you might want to use the 'gauge' or 'absolute' arguments for the Options keyword.

Example:

Target[ezwf]: `/usr/local/bin/df2mrtg /dev/dsk/c0t2d0s0`

Note the use of the backticks (`), not apostrophes (') around the command.

If you want to use a backtick in the command name this can be done but you must escape it with a backslash ...

If your script does not have any data to return but does not want mrtg to complain about invalid data, it can return 'UNKNOWN' instead of a number. Note though that only rrdtool is really equipped to handle unknown data well.
"

--
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From sacha@myxomop.com Tue Jul 20 09:12:16 2004
From: sacha@myxomop.com (Alexander Kotelnikov)
Date: Tue, 20 Jul 2004 12:12:16 +0400
Subject: [LARTC] Strange things with HTB
Message-ID: <87u0w35c7z.fsf@vinci.loc>

Hello.

I have a strange problem with HTB.
The configuration is:

tc qdisc add dev eth0 root handle 1: htb default 12 r2q 1
tc class add dev eth0 parent 1: classid 1:1 htb rate 78kbit ceil 78kbit burst 3K cburst 3K
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 30kbit ceil 78kbit prio 0 burst 3K cburst 3K
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 16kbit ceil 78kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 16kbit ceil 78kbit prio 2
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 16kbit ceil 78kbit prio 7 burst 1 cburst 1

iptables -A POSTROUTING -t mangle -o eth0 -m length --length 0:1024 -p tcp --dport ssh -j MARK --set-mark 10
# 554 realplayer, 123 ntpd
iptables -A POSTROUTING -t mangle -o eth0 -p tcp -m multiport --destination-ports ircd,ftp,domain,554 -j MARK --set-mark 10
iptables -A POSTROUTING -t mangle -o eth0 -p tcp --dport 123 -j MARK --set-mark 10
iptables -A POSTROUTING -t mangle -o eth0 -p udp --dport 123 -j MARK --set-mark 10
iptables -A POSTROUTING -t mangle -o eth0 -p tcp -m multiport --destination-ports ftp-data,www,https -j MARK --set-mark 11
iptables -A POSTROUTING -t mangle -o eth0 -m owner --uid-owner 102 -j MARK --set-mark 13

tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 10 fw flowid 1:10
tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 13 fw flowid 1:13
tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 11 fw flowid 1:11

In this situation the most important are the low priority traffic from UID 102, which is user mldonkey running the mldonkey server, and the default traffic. When there is no other network activity the band is totally used by mldonkey, but when something else happens, it should force out mldonkey traffic.
Now, let us look at the picture: --=-=-= Content-Type: image/png Content-Disposition: attachment; filename=tc_stat.png Content-Transfer-Encoding: base64 Content-Description: Strange graphic iVBORw0KGgoAAAANSUhEUgAAAoAAAAHgCAMAAAACDyzWAAAAA3NCSVQICAjb4U/gAAABKVBMVEX/ //8AAAAAAAD/AAAAAP//AP//iAAAu2YAiP9A/4AgIMCAAMAAYIAAgAAAgEAAgIAAwGAAwMAA/wAg gCAwYIBAQEBAgAAAAICAYACAYBCAYGCAYIAAAMAAAP8AYABAwIBgoMBgwABgwKCAAACAAIBgIIBg YGAA//8gICAgQEAgQIBggCBggGBggICAgECAgICgoKCg0ODAICDAYACAwODAYMDAgADAgGD/QAD/ QECAwP//gGD/gIDAoADAwMDA/8D/AAD/AP//gKD/gP/AwKD/YGD/gAD/oACA4OCg4OCg/yDAAADA AMCgICCgIP+AIACAICCAQACAQCCAQICAYMCAYP+AgACggP/AYIDAwAD/gED/oED/oGD/oHD/wCD/ wMD//wD//4D//8BH22E8AAAAOXRFWHRTb2Z0d2FyZQBnbnVwbG90IHZlcnNpb24gMy43IHBhdGNo bGV2ZWwgMiBvbiBMaW51eCAyLjQuMjboam1gAAAgAElEQVR4nO2di6KrKAxF6XCU///jua0CCQQE QXztPXPbytu4DKAeUQqCIAiCIAiCIAiCIAiCIAiCIOi9+iyfnw/5WkPdFgQdpRW85d/6tYa6LQg6 ThZA6vs+jkgACB2sFcCVuQ/zhR/vAT8QtKUGAD8OOwubCyTJOusS7vUKjbhCGzo0ogVARQH0AQBw iK7QhrMA/NDpr/ej0SwYAB6oK7ThNA94YuGH211foREFukIbAGB/aQBYoU/R+Zov4UBdwkaVKgIQ smo2FwDk0s2n9KvUbi4AyAUAq6TLxswZAUAmrZot+ioBwM4CgFXqYC4AyNRs0XfRCwA7S7uPphJe o3Z7AUCmZoO+bA6TtFe5FQAgFQCsUwWAKbsAQKpWADcnhQ/DMw1gFAgASwQAq6TJZxARBibvmABA qg4A5rO/F8DUrgNAKgBYJQDYW5JFK5ih/MrZnvWoQwbA2IgAsEC7APSZaHYRtYdNklMAxh0BACyT YFEHktYJ96Wd4yPZZYs/C0AdfLMIALhHWQDDGJ5C61IAH8MgB9Dvlj8jbXxmbAwAiYThm1bbAC5U aZJfJxIvqZ5CYACg5ubTPllIJBUAJBIsyP2afNE1AjA5D9Hrf88QA1BH5K0dgw6TcwFAohjAaGpB Ems6+7AMxsVxf0q66turCMA4ORcAJArOXRUDGI1sKIChhX0xJAQAcgFAokoAvYnTAGpWqo4Py40V jY6jyQcArFNw7urQtio40TmAkYU1OwZax6XdWwUAaiE5FwAkCiyqBbPqKFQyPUlMgN0aj99NALC3 KCAJAN0YTgAwLo/03qyPfhyAfEfDcJ6cCwASFQGoKgAkX6yPfgeASgPAOhFA/MhOIoyafBumGFMA 6AQAifYAWMJShOmzAFQaAPaRDKDk5pxpi+6rJS5R311sXGxDGHJaTM4EAInI+HkLQB3+yJf7TgBL /D4AJNLBLz+JiGxXNZx7JoDB6boGAcAGHQWg0IM/QOcD+OEL1bi3lXcp/AwlOCma6u4p+N4KT1e1 ZaneALLFGRx4nyDFnZTipPsTVE8FMG+pgwB0pfiPDoWfopTx+j9C+gQCpX3IWuqILnh9Tb4vii09 sqxE8t9dpHfEdK/qPpL2Qed2LIxrWKjGIxauCnL4OiEHKn32wgMKEvdhqAeUcHsmgHeu6jCdD6Cb 
BNOe+OiFag4UAKxS9T7gOuCGAGCVAGBvAcAqAcDeAoBVAoC9BQCrBAB764UAtrQDAPYWADw2LwDc EAA8Ni8A3BAAPDYvAMxrJBQXAbDpKQsA2FkAsDJzlxwA0AkAVmbukgMAOgHAysxdcgBAp4sCeGSz AOCVBAArM3fJAQCthvaKVwGwpXQA2EV1f1/ZvdauSXe0Yn/pO3ICwFgnvTKtvLIj36kPAM+Xf4Uf AKzO3CPLywHMvP7l4HrLUx7XMAB4uhyAg1fvuDaARTV2ata7AdTrP5VaB+7IiktTHtQyHQColfRT 2MyGVgsAngJg+eFLAqgrCxLyJwHkhUq26XZeAMAFwNE3x0qrSw/T3NhhX+HhgnaaoqhzPPo0PQQA 139XBFDnVtccCGBcoO42OweA7DAMrbkgUWZhr9VzC9ElbER7HgCoEwC6y1YAsIeuDWB2lKc3AcxW Ee45g4yPiWkd/S9bPQ3AKrPYY3g7AHUeQL9jyQp19K1pFIcu/n0vAEce3vcAmBy8EkiSFerwRx2A He31OABrKuvdnVRXXZRG7mN1EgYbrsMsUvWa5RGrBYA1ehCAYS9JYzQDkF/FLABQh7+8DXRU7e0B HHmNt+7y1D0AlHycB9DY3zT1fgCjmNg79r1m+jgA89aROqLbAagVB5DvgAOQ5Qt9JP+p1bsATO5A 857Fx4JH3wDAuOcNjzgF0JjggvLySwe50qu22eQhgCaAjia+G4DSKSxqy1du7ziDSSJf6ImG34bz VYsxOkwR9rBaWa/3D8CVlMBdOgB1WITWQm8cfHx1BwD5CjXJV/ReB8DQ1+lEugHaBJAyp+MNAiBP Tk4qTk7ENdmOAfx61jBB3E13UId1Qj707eTxS8rjHi51wLdOrYJTj/ZGIvisg7sigDogQXEASbT+ 8RcASD3ezxjBMIPWa2wAibojgNHr8XcAqF2fktE2gMyGsueVzHoCgOlegJ9FSxAD0CdLAWhIH+12 NA0g9bnaRmUA7KquXTBdtsYGfXS0QomO1zjR6xon2QVchHzSUijabUT1ulheGUs3b9TRSaldWRum o8Ao13f/zH/f//+jO/2fDVqLsXuqw/zG2FJI1nXjW64m0Tqs3mR2rVStC9VwD7j+iJfqEjxgfCYF PYioLQep+Nkap6cnOvMyNNk8b9TRSRkPKI9eo1zMA1IfZXwQ8adhx74m07xs5wH/zUIWDyp7QJPb txr1BJCN/1xEPP7NzEo2ANwiMDRWIYBEszoXwHxwsD8/AHkf/APQByUAND5V8HepmsTHf7NKAOxF YIcu2H2tGx82BqTjLjpCVnSvSgCMzuBEEgqaBOAScTqAtHb5Jz3ECQCNT5cD0JuOAfj74pDx+HT9 ppsLPPw6IBv/avZ9HoBaiF10HQDZMdZhut9mDODCHwNQkYmIc3DGA8jq0OafFCmWxjEAexF4JoD+ i1tBVjOAhPJbA2h8oLEpDUlBAOR2JiWY2MmtACrbvT4BQDb8oFt0fwoBFH2AmIbYOg0gMyfROABJ e6Td54BQeiIAyUUT7XL67jUC0Kg8gL4BPO6+ALKPgEO1TrT4ZE4uawNA3pGnAYzMSTQaQPdonwtz UMkAmtgDLik1zW+Mu0usomuBruhKAH07Y3p3axyApH801AWt3ya4pSQUlYkOIrnrTUWfD6D9szcG oO1XlT/I5H4v8T05AJV9TsbmOwrAVnMNB1DZ2zy8Nz4eQM1teg0AVTAEcTd3iR9UK4CWPyVAEgK4 hGUA5D98grhsP6HxQ4U7AkhHN8tDlM4RLoH+1mSqqEx0GCf8Xc7lALQ9JG2Ju7RcCaAdBAYAkkIV KyLOHgFoZzgCgPQUuTSAH//uH3KwLYDGkN6HXjuQpPN8RnF6G0CZv+EAqhyAdkTn+gmlGGLK/9Qu 
vwvzyJo8gCYJoL+mSP4UmLSi+cbRIAB/n35wY2oBdGOjDIGbAJqrAei+tA9Z6eMA2i6W+8UiAE0G QF9QCkByWDyAZJB6FwAX+etLXwCNH7moIgBdP5GQFrY0DQiurJ0OoJcHkPV7ygOoqQe3duS0aBUC aFM5UycA9KbNAsiHkPcDcLHFYrwQQO/UUwAaVQdgFHZlAPlobTSAxLS0j1gP1qMAJINqzQxYBCD1 mGKabNidAFQxgBQP26tGAOowbLHa8pkC0Pj8HEDa1eoo+++7fc42DkB+cunDADRC2O8nP2LXBtBr afUPQMMDzT4A+XFQaQBpGjZYJz9uDKBRMoAyYtqmSAPIpmhhoCoHcBSBQjsF/hyALIcxtmslyXRY gOGEtQJIHaK6H4B81wwH0O9bAjG39wUAGiFQXRPA37MnS2uWz1IAl48NAIObKjsBtB3TEwHk44nV 2PJQrhhA/qRaACCJW0b1JniwchyAdmpA/X4GQKUiOnjTTQGA4RCQ1F8CoNBpXRxAw+8espjjAOR+ zlcZNGMdVZ0JIOFjA8C4pSoIEAEM4vMABiNIXspNAUw5QEXveHrb/g5KDkA51qaxFW0BuF7S1vQA rBoGIBnDEQDlIVghgEpvA2jCwBoAee4HAej6kjSALkUHAI0/5NcCUHKA3lKic2QbWiyAxwdDDvNs AD+mAECyVx0AjDpaXgSpUMeJ+wBY9Pc6FH1LYBbArUK7ACi54GcAGO4YOfsND5WGed6w5QAaGqrI PNpGHgWg1FmKqeoALCgw4cF8JcG1eNZYkwfQXri9H4Ckm6Hyux2MSboBaEioCgBkh4s2oAlA6ZzK pyW/NwAsKTALoNyT++1NAH87ZoJgGcCyFi86HcBwICMwRu+CFgGo/BTzFAALjoAAYGoIVgxgvmLR kVYAGOa/B4D8hiLRQQDSYo0L/f3wPnf5OgjAsg4z3u3kCK4ngHG0OQDAqj9aPxlAobESgCYdSVKp KgBVbwBNokwxbbyV6kBLj+aW503E1wEYBl8dQDfrSjZJOCf3AUh7YGLtCMAwAWvC7D526J4AkmgA uITkAEwTuB9A4g2PALCAKiOG5gIT6UYDKD48JAyr4p9ORwNYOij32g2gEa4xeAI3ADSdAIy9anjp LYxXGwAWV79RAAAsVZhY+EMbQb9rXOUAukGiOhzA3MiLb7YCmM1fAKDOABjlDQH0w6QAQBOloDr+ JeX1AAaMlQMYFrSEr/FZAE2PLjiEOqooaFq42cRfgnRexy4PWQqgT2dYsvsDaDKRPtUGgLH9CCPW aC0Amsir0nCpaeFmK4D5/AcB6MxFAAy63ewI4zkAJo5yC4C1I4cyAAWDdAFwI//hAJK9MD7Dd/dz M9EnA/irtghA+8EBFFxKfhC1G8B6I9VrN4CJ06McQLYdCgDSxBRAE5Gjst1cBkBejlRwNIHqL3Eo wOMbAQzYOxxA9zZeuzqDvFBNPYDB4wjHABgd8QBA0Wa5g7gJoIuSADwav/EAssd40oU3ekC/UI3y n3ydkGYAuftIAJh4kkTRB1WFyGA7BFDwkqldITbnGe1h8O/F3ULhGA0A0NXhjWG2Cm8DkKBHFqmJ AKw0t2ELmnHXdiMAie0teKvzG+DvxAbmq00mKALQ76YaByBdGekjrRX3k6ld1cSwNVG04XHyCi9a qoMWFMWHAd/t3yI1M4k2cZrEzixRhmyzEsya9RdseizzUiuztbpMMoFoCmevmSXyaQ21llh260I1 bH2Q9FpxauMCaSzquCIPmPi7OPEaPh0EbrahwANmxtJrFOl5+bUHPzY8ywNuHocOHpCkpT1yrvLG hWr8j8sCGDymkK11N4A2dRJAn/DZALKiBgEYrlcTzIL7ApgaBGYAjP8cNllrHkCTivCnPwEwNYpM 
D4cO1hb2yeMkn3dFAJIxcX8At7UTQNpzCo+xiATmAEz+zX+U1gMY9JxREJ1tpE5z8cBluvGDtRtA +ZwBgEztAH5TpADklP0+6WY1gKdo+y87kwmk3vnJADICoz6sHsDUk25R4iSA8Y07H/MCAKVjWAAg LTFV9kUBNA7A+DEqEcDc8KUBQO/vuCmN2gvgeSoahCSj9gG4Xfg1AVTri+GV+Byfe8TPh6b46gOg iUzpAVR86htV/gwAEw9mpAE0YeDdAFQXAzAo0yH5JACzmXcBWKABAO7b8wyAK3lsjcM8gEp+2DxK uxhzVlkAV/q8b0wNdC4GYJvOAPDTeq8EAL4UwIpL7Rt4fdqWVF9bsydvCkBHoP0np6KpVWcAlXkh gLFGAPjZTFFSeAuAMTi/gHAtuEMBjJvgQgEgu3Hk4+4P4JorAeB6bTn1J29x8mMADBEThgsAMK+t LrjH4zJ9AfTFuYXqNwA0+RQkaSGACgAqZ65jAWxTU+FrV5sGkLzMMofX8lhKJYAeclUDYCLZM5UF sLiUGwJog4zrhHOvpl1dYF8AScEAcN0I4kq13QX3eGJwj5Y1cqU9YQD+tLHDhSDsBLC53ptqBIAd /mRpt9IAesfDLpbkyiqyCACs0hsAzLw0lL4M7SwAt6sFgFvavBDdoqMA9LMsAHiecgCWa8MDnjwG 3J46bEwDXKq9AGY62oJC9z2HcRONALBRIwA0quSiU+HiMSKAqawA8PEAbs1ul3RFbAHA7hoCYJ8/ HN4lk196qrIwANhdQ8aAmykaCt/S9mWOirLOAfCkvwAeIwBYU9YBAHYbe95UALCmrEMA7FTvTfX0 MWBXAFsuwwBAWRTA/bt53VnwIwB8yyTkoQB2PHoAsLuGANjlb0J2avg1DABYpREAnjoJGT6AqgXw 5Xo+gKMFAKsEAHsLAFZpzBjwxMswwwUAq/T4WfBwiQCCv5QuACBbIYS/NL+98PECgFUa1AVv5/3w 7+gd0bcRAKzSmElI5kJg8DL8j31bPgB8h4z/M/6TAPzQLvjj5swfluLzKVhE5Roy66IrM1tV5YxF ZW4h46y100gFL1/b9ICWPffnI6xMeMAna4QHzF6G4QD6b3TB79AKIHuVTr2aLvMFS9MAwFfpfADP Lby/ZAChhAiADebavBX39jshUEpjAGx6Huu2AIK/AgHA3gKAVQKAvQUAqzQCwMZB4N0AdBYFgAUa AmCbAOCTBQB7CwBWCQD2lrWomgFggQBgbwHAKgHA3gKAVQKAvQUAqwQAewsAVgkA9hYArBIA7C0A WKVRd0IaBACfrEGPY7XoZgA6OwLAEvW5bg8AiQBgjUYA+K4uGABWaYgHPHGlpBMEAGs0xAO2CQA+ WQCwuwBgjcaMAdteXtSS+QQBwBqNmQW/6ZF8AFglANhdALBGALC7AGCNBo0BX/SH6QCwSpgFdxcA rBEA7C4AWCN0wd0FAGs06mEETEIgUQCwuwBgjQY9DYMuGJI17GmY/cNAAPhknT4Ldmx+7Cb5ai38 FAHAGp0PoP12FH6CUSMAfLLOB/ATLNW1AnjbZRoAYJVOB9Blp10wu3t8s4Vq3HIrMxanKdC6UM1+ a7VNMEIA7RoNH3TBL5HzgE3WahwDxgAqAPgSnQ4gn/dad4pZ8Ft0PoDnFn6AAGCN3IskAGAvAcAa jQCw7SX5APDRGgMgHsmHEgKA3QUAawQAuwsA1mjIJKRtEAgAnyzMgrsLANYIAHYXAKzRmC74le+G AX8lwiSkuwBglbqYCwASAcAqAcDeAoBVGgDgS/8wHQAWaQSAbQKAjxYA7C0AWKUhY8BXPg0DAIs0 BkBMQqCEDgew+a+WbgvgnE0GLRrkAQ8r/HoCgFUCgL0FAKuEWXBvAcAqAcDeAoBVWs3VZq2S17Md 
VPj1BACrNADAJcXr3g8IAEs0A8DeAoA1AoDdBQBrNAJAXIiGkhrlAa9a+AECgDUCgN0FAGs0BEB0 wVBKQ8aAmykaCr+eAGCNAGB3AcAajemC3/lAKgAs0PEANq6TBACfrSvMgsk7ot185QHviAaAJXIA qhZztb16w44RP364SAsEgE/W+QB+HHwfxmGXws8QAKzR6QA66lYQf30wGzTedaUkuwYQlJNdIcn8 t9NczVMMi5zD+BP0wvCAT9bpHlCFA79oGAgAn6yrAOhnwYpsdSh8vABgja4A4JmFHyAAWCMA2F0A sEZDAHzpK3oBYIFGAPjWF1QCwAIBwO4CgDUCgN0FAGs0aAyIx7EgWZgFdxcArBEA7C4AWKMxY0A8 EQ0lNAhATEIgWccDiFf0QhmN8oCHFX49iQACxoQAYHcBwBphFtxd4t95AcCEAGB3rSblFgWACY26 E/KiWTAArJGzVpONcC+YCADWCAB2FwCsEQDsLgBYoxEAliQ4KO8ZAoA1GgRgi54A4AwAEwKA3QUA azQAQPfyoSMKv6AAYI2OB/DzthdUAsAazcuty4MBfNWfZYoAYhaS0BgA95e8UfgVBQBrNADAt72i FwDWiADYYCPMgon8sNobFACmBAB7a7UoACwTAOwtAFglANhbtQC+nEwA2FsAsEoAsLcAYJXOB5Ct UGOv2Nz4Fb0AsEo5AMtN03iVj78X/+ZvyT8CwAdDejqAa3Z/w+7jA7sUPlrVABaYGQBuqO1e7+Lv 1icWhLfk32uhmnldqcb8R5ZemZPLsKRjWKLHajWXWX6HcQVqfvOGcu7Pd7yfIPZOkjzgnD6bBd8Y B7zEA4Z7fsIY0A8DuxR+hgBglU4HMJgFu7DPk8aABQCyJxfCNG8FsHi/cR3QCwBWCQD2FgCsEgDs LQBYJQDYW/0BfPSjNACwt/YCSK5aR5PBdwJYcoFgFQD0qgZwicoC+GAC5wU+ANhNdQDOCgACwK7a ByA1NgC0UQBwhwBglQBgb0l/6DoryXazEgEM7S5nfoqqAExOiwGgVx7AmaUEgACwuzYADHpaAEgB 5PsZDz2SF6QAoFcWwGiot4ZSYwNAHwUA67UBYMAZAASAnSUAONMPAMgEAHtrC0AyG5kBIADsrhyA nsQEgDRUkdwAcA0BgJsS/swrDaD7nQaQ5HmiagCMibQCgF6bANJNl6ASwOcACQB7azeA389iAB9D IADsrW0AydhvJ4APekIQAPYWtWgxgG5zLgTwMQQu5jJ+i0VtzUqsAKBXACCde8w+STuADyEQAPbW IACfgmAlgAkCAaAXB9Df8KUDtzkAUNUBOLOve6sIwDkMCAUAvdioeq4BkNBHzAwAra+X+oJVANCr AkDfiwJAt0VjrDH8JwDcVACg71ElAEkmlQMwPjLqkQBKO25NMgPAInEA6UyD8Jb0YW8E8J+tCIDR SelMAgCL1Aag629IcWHKdwFoscuOOwCgFwNQxTMN+jMJYHgYhLwPBXAOAVw/82cdAPRqBVAcHb4I QBE1AFiuGgCl7ACQxPhUALBUwbRu03Zh9i0ApV831vkAslf02rJuvVBNCsCy7C8HUJ5jHQhguFCN e1X0fd8RzSy6E8DQ4C8C0M7CBnbBZKGajwKArhgluYNnA2iDZv6sxfFd8LpQzUfqgu+2UM132RVD AqqWmbGp+Zdfs4UU9ojlayJz/YKiXZsjQ1i1LlTjFmZYveCHL1mjbu8Bax3VhgcsmkrfSIIHlB40 25j6dwDQ/XxaF7wTQHYdNgreU/A1JQGYSBb+ImoBMFyg9QGz4H4ARnafhZS31ukAbgsAkvBZSnpn /fbBAMB+6gUgvSbrwmc56Y1VCGCQIRQA9Kq26EZRbOOhAG53wWGGQADQq9qiFeXOcdDdBQB76zAq 
5gcD2JoBAHoBwCoBwN4CgLISjQWAvXUggGHRANAKAHoBQFkAcJAAoCwAOEbHQQEA0xkAoBMATAgA jtGBUERPKd0LQLm19wHwJtY+EsCBdfUXABwjAJiQDGD9LgDAvABgQgBwjEY28yYmWQQAxwgAJgQA xwgAJtQLQDELAHR6I4BF7QCAYwQAU4luDuBdFiUAgKlEAHCIAGAykZQMAPYWAEymAYAjdFEAD23W LP6M0twcwMuc73kBwGQaADhCADCZBgCOEABMpgGAI/RCAOmhAYBnCwAmG9AJQEkA0GpoIwGgFQC0 AoDpBgDAAXo5gOmrtQBwjC4L4IENKwVQau8VAFxfDS2tV0N+AcCWyg613s0BXMFTwno1tHAA2FLZ MACT9VwXQGUBpL7vAw/YtTYAuJX5Y9dI+hBfuMZ/JS1eckWNbWRxbfORDZvpMjqpeub/xOa2N6t1 oRrS5XrsWJm/H4lJ1OUED5hMdHUPGPo9/gsANtUGADN56fTXuz4A2LM2ANhaOABsqg0AthYOAJtq A4CthQPAptquAaAQCQA764UA0kMDAA/RRW76N9QGAFsLB4BNtR0MoCv90QCeRmDNkyTvBjDjJt4E YG9bPxXATic1AAzVHcDSEoc/MAEAVz0awPLhJwAEgDZtR8VWTRv5ugAmDn5lg6XkrwAw0XxRvZ8+ FwD0k75F07SGXxRAEbXv6VLbYABYoN5+SPKA3uBqwe/374YAVtpqZjseFQ4Al2SNe8U5Eg5eCODy Od3RA9bZKtjxqPAtAKVGdNHDAIzsy0ucfejva/L5XgIgc4QcwESBArhywD49DUBawiaAE803qZHq D2C+RAcgBbEewCkKb9WjAAyseCqAW8WV7OncE0Dm+vMARjZzX9M0iYn260oAZsYhZSoCcE11KQBT ywHO5QDOiaGar25WxMRzQHcpgOrVAG5NFbwV+S+WIAHgJjGVmnh5Uel8sJrq/eZZCUaZBVvNeUsH AM7sp3o3gHS/ywYy2ZIIZFHVxPjff9yYfQnkAE47ARQ9IHNlQRnkFJ3jLBxAaiAOYJjVfU104tZF YwDMtXbmVslI9AZB/JoqB6ByHdukfM2dAZx4cVNUenCMpf2SPRKjiQZ6zy7WwHjOAihcS1DeRk8D cHY9TU8ASVmxMe2xmlzQEQDS8qa49Jn/bAVwJjsu5Fr3kvUOdNTI+qk0gJO6HYACBUySZXJptwF0 Z3dctQvxAM7e9GMBDEipBTAMjgGcoz3vAOD8NACpjedcQheXScAB5IeJ5rWWX3pgf/h7EhgBmHGB zQDOtHv1/QkATAEodBMFABJ7ZeKd+2OHaQ4s/Puc6KFT5wLI92uehRTR1kySO/rshgAgKXYHgN8f 0+wJvDWAcSdSDGA6RQggPVX5BTXqKo8D0Jc3SaXP3AqUluiSSuL8dQiFY2i/yyzHTCLZJj+5Z94a 8uNX5kRmb+06FECyJ8IJrgITZwGcAysKKfhxmefJnarzHFrVRrCSOwLIkZsSxdM9ciaRJmSzkItl DXwe8YdRRT4d2ZQAnIk7dcG3BnAOg+c4aWK34kGdUBf7Oftrb7T/IZrc1ZrZhfRSOYDxwbffJQAy u/ITe15gFqwaVukfxZiJRWaHIM03L5eUltGL+vunaK/qdGwXTLyS8p2OBGDwmEZ4z2PmhhAkAMgP eZSLPAoThLRLAlCYC8/04DPoAoftiYpuwSW6S0dm7PqDImbWu4QjyADA1a7T9/cPvhsBSE3Cz9xf YHjuU+aC1MGZqUisP8LSpQ8lxfqSDgcwvCFC3dPM7+/y/Zu9PUJPLt6eTJcklq2IIwtvKtOCpuUc mH5P8K5ZGgk8eBISnD6Uwjk2w/qLnI6xp/RpxOwMwAxR4iX9bgBO7Mt/xzdEvMKTLIhNjE2SpcXp 
U1VPX4giAKWGrPO6n/tzOe4CoPfyVaaco95YKNH+/PubuNtJHu5JuDl2GIC0SXurqORP0hTfkF7C fxARAtON8ABOPkMbgQPWCQnU+OwxLdPO0xZGv93I9DcEwC2rJQCsqaK5DaFS9H8N8VeGkduffwPB P9eIuwHYtUxK89cQFR4wjvsrxmNjxzLT31MBFGtfASzhKN6RXyPiqTAJ2Jomd2fkE60T0rn8VMRv R//Zkg28Esd7UgKAfz7v7kaQqjcXl00AAAO9SURBVH1FkxzXqH4ALsH7AVTL9ZgVteXHn/2ycakL Nr0ZcevVHFF4tszFAboDbp2POPCRDsYvf2F34hsRmjUoOe7oTwVQGge6czbYlZCYf5vTHxn4TXEj QsziEmIdAOBnIIB+h3/8TEvQ9M9S088Y7tef8qfi1+Y/a7LT9FvI5E7laXIntFLEtKSgtfZvpS76 3xh0Wlux5J5YO39tm2zNf+Qn9xTMh4Stj/wKi05psp/TpIJwxyXLoBYj0HrW6cryTwBwQ6Iv6A8g WSppGqyP07rxz27LRqC/b9Sa9I9u+BR/5ZWyjfVwrT/s9tKWv7VNvpLiWtrlbPMnhstZ4jK8ufa3 gKk3gJ+DJzYQlBMbA0LQcPV3qhAEQRAEQRAEQSPF1uTMBh7fCD7BH9yIKxni3EYMFVmOeFkVVggc 1Qh7k+eURlzJEOc2Yqw+7uL2h+0yDRzVCGvgUxpB6rmAIc5sxFit9/bYLT458PhG8DN8cCNsPayj O88QJzZirMi5Rc45HjiqEYEHHNsIWx3ZPNEQZx6NsbrEqMNVdI0x4GltuMbRGKxLzLuu0IjPOgjm ffALDQFBEARBEARBBysz7D3ike7rNuIKbbhGI4ZKnOOTrTOuPpzSiCu04RqNGC9/oZMEfOyvFzXi Cm24RiMGavXv0q24cXt8hUZcoQ3XaMRQWd/+ofvnbsy9qBFXaMM1GjFWZHCxjHTJ1siu7/RGXKEN 12jEWNm5lZt+2VA10u4XaMQV2nCNRkAQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQ BEEPkP6KbvPIrnW5tb1zK/u2LSJfo+8ikGz7iErmmS4M/w2Q0iSj9sgclPYo6eKtVhUuLj9KqWXI +2rmYM0igeyrVVeAqkYLZIsftP7QesVjAOQrc69rNiuyqHS85PcRWgG0C7Ov7nASl2berxVA6wjX z9+W/bd+RM5ypyyAxph1y5C4NfD3tX6uKc+Sth/uBw+225varMmtTR4uDf/nvsjHH8uW1b4dX7vg aVodofuYaIq8tmuZPYPKc8gCBQ84bypdo/FfJgJwCVm/yIfxKba0vc91kgC0PA0YA66Bf3R7TGc9 sS8JwB5aAbTMOA+YB7BFIYCGeUBHpU/LGR2uEEAt+cMukgH8ewWAZNORN9v5hwOwZxcsA2guCqAb 9a3g8aFgJ/kx4B8N/KO42U560BjQf9nBX+cxoPN84Rhw6ZB5v9zHBdp+cu0tKX9+DOiSkq936kLT 4hfoxaClBABHCgBCD9f/E2AEJfsYj58AAAAASUVORK5CYII= --=-=-= At bout 00:50 I've started an upload via rsync, which ended in about 1:30, but it was really more prioritised only for a couple of minutes. At ~3:00 ftp upload started and we see the same picture. What does it mean? Why does it happen. PS You can ask, how did I get this picture. 
It is based on tc -s output, and even the small piece of software I've written to get the visualisation is not of release quality; I attach it, probably it will help somebody.
[attachment tcstat.tar.gz (application/octet-stream, base64 body omitted)]
54vDQMJgl9SFRqW7aRdLEhJGVVrTcXW0i4ZjVM6uI4mczG5ktIbBWcjYinZyZDLSw9jwLBJGJUVY or2LzqI1HJwLo1IIkFEdBYjRWShBRs0lGVuRRiA5ZFMXmZ2MTRIKEgghRdb1NlehBNk0V5bsmZNj 6MRK0T6ZDc9L75AmueRVHJ/aOx1ald4hiUyz72gNCjuSCENEIVQVSxiScJo00TZaQ/N5oUlOp82E od28zEJt6SS0irdsNaOxk4ezwnBVHK6ULNJpCkWEM+2XR7al6IN/cL8Vutgy03loXAoMQWZwRTgi YGhzl8eHIvP6FCGLHERgklymTegChaB1GuooYb1jlcnxoYxG2FIUcotOW5KbaZks9IFG3HrlOIGU kAQcmVHhmYjS0roUtzKnyCdAIVWUj9YAGCBu4etUSEuHNnnoA424NQYHohxCKio6s4oWIfNm0ucF XpDOGuZ1SoYyZF5KdjqzBvKQrNHk8jR0pYZ9yeScHFjDEIY5FSGgJvtai328EcbzqQmIolPnEHFe aDo/LZY5kjChMmRSYQ2yhDZStBUtRaAQSkiskUo+NQWFzLWwabwIGddCUza/5LWMi2xHRxQmh2FS ZKMkKxpSPpQg61qXWzZrEXuExSEqEEgTiivXRgVpPUnkkQSZ1vq0ANK0OC+BWChBhjWOg9Ixsnig XHQYmBUhqVLDu5BVVYQb5DIKfl8UDBiEAF1GWUblCoWFjEHQTspKCi7KjnAbi/plUeGA+aSqpXT2 kYTiqmAYdFA3kPAmNKoF1DpTmAy7ASfp41AEMYtCh0TFFJowykUYZ4EIzuZscdgsRZkME9k6RieU P05OLpdU5CJlGW19kRtU3SgGJDAstJsFIOQIIQXfFj6m6hFZDoibes9B7Tz0yTj7D8pIJgeeYltm 5D3KMTpCfGyZMuQydlGgkboG2BPlqgQ/8J5Bl3LMF3b2qY+2YlBwgA3FhVVrQKbLQhlwhMxmRc57 phteGx+KkI1zCm6GUkNZgPgiZ0bqsJWRZ+QjSa41JOuVjdTJ2ghPwE/HBlwqwHl0dFQ1qKJ0kSOa 1PYmDC0JrpBrrENVQCpgEbk1y8LoQrkDf6ICjZTN4S+qO86H4CwlG9pkDOAmxYoep48WQnWzsgh1 h2LhUZdkqBFYAxUUUsSDqnlex1kZWhG8IZc658wEQ3E51fQ0BE4p2dJkS4nTGZR+yqws05EQGFlO kAjMkga2IvdS1QltDf7giXRySUJ5U0jR2PXMIIACiEQLhTOIRIdnU8PMkiuYKzS3IV5IxcxMg/zJ IhQ5XMM8lWARWLtARireEgUqLIMSNMLnEAEBcAWPNDraCTwCNRBakEsQz8QBo40MEzhTgAUZUoLg RvvAyM4WSUqcmGxEMZ0R+wyFYGQPLYDHaZv3UPCGMhzPQHRCDGShcQxooQhM7KgIqYxR0NCvLqLx EiQizyk2dQqMyxT4OmVPIAIOIZkhAc9TkiGIVjbyFEiEZEIPDCOZLIfzo1AGjUAD6fnE5CNAFCVt JKNZhgiPZiaegcEoF/YVElQiz9uOpq2Id4J3RCIwco7i4KEGyYBupTqScbyVLDwuEQ/wrAszFFSC ZLzilEjBwCgTbch9JKgEyaD4EqDQOhYIHmMYuASOjmMpVshlkI8cCjpBYZsxDbYE3U5mBtkVRoYp DC0t5x+1V8LmOWikD11m2NSsDwUOQTc6OEebu0gK8Ux9OjIiozpgNJFI40J6IsEsJPNIJBogyyHH tJaR6mxvomycqITyIDrKxbuxvZHTEiWKmSpMEJ2uiOmMEwfYR6htwE6jzRDVBlQJgU/5pMn23obc WIJmEJRlXJ8UYJFMQjkWOgVEIweJQfOBCk83US0K09nKuU6JzEgmpzD3WRoiHYhGDmRAT2e4tpBE 
aEEmGjniUCMzgNGkbHgg8AzHWa6ZX5MVrI/SgnlGjjIKlC8AiOAhOg03dSSCRE6Z93obKwLjcvyB jgiEMnW0oYtAMnL02NozjUShdSENkQXFyAu61G77KEwPSuAYaPvQ7oFGGvIWYaQJJWBURe+D6qZc 1j11HKEEG5W9wg0qwQX5zoYSmguMY99RfdAoiirSA0jsESWaCS8BLUnIUMIyh5FFjFCigXqEWK14 +pC1i69FOQSryNJQJOMGq0jaolXLrIm2YeaW2zZcGSZcYZegePqQ6/le2qPyhJCnePoAlJ7j9wbd dmhUcAnvmVcrdHEENd6qcBdmEqmTTNUoTNggJtqFjUpowsyesZOCLA8livKmeGCTopWhs4RcRPH0 AU7nSGWWT7U42gUdMrr0g32Gy0MUANsmCTU/waB8ICdEp4VNkfpFz88EzEful2xTnBTgRxABz4UJ o5g3WBRHPLspurw8ZIyKWYNl8moQIOAwVJpCCZAGdAFF1UMSZi6ccGB36gDzosiQXwhjbES3FVMG dE6YOlmMBMiLMVMEIyUjgQ9ws5JzR+J0yHEUcwalinAGcnGfbnWkDfOyrIgSg+KBbj+OVx496Kw9 TgCeU6JkFKWhDM92HNCM+THHW0ZXIAPakCPtuGvFaAuKEeqHCoE35JILpsJIpgiYLBzNKB4/gIVI oqyOexbiVqmOZHjEg3rnUaUzbh6pZ4lkGBEsDgTjUKkjZ5BM6HLNDR2+0ASKZ7ktobiJRBxP8XIG Hcc+9zKPTp5xU+PbfTL6f2qNQvuBM4A5sm2KToOasBDgNAMtMo1srakaasBT1DcqJgyo2UzFLYaf ZO4sTmoQBqPRZHh0YJqLGBGB0AugCxToGVvG2KLriSaTGLNgilxkHAU1ihaiNhQx3FEXAUOKe7Rp 4TAPrS8M49pDVAYprcKEAkko+nZsQ7QGKZdHEkUI2zZYajRxMSTzEAIEAlGBjhmsxvtoEZ73osvJ 0U8wSJCLwmgBO/Aua/c5spjFyijjeAzh4cViyIA5qowXgWEz9ECpmytC0SxWMTvI5tfgYb0KewFl OWwxI0XHz6WZ+vcwDpgdeIzAUyAqEIUCNDRJQQ7YJKwp6INNQ4uAHFCF0Xw3t5kA/yiheQSBsRhP XQo8JHyJROZGkjz9pJ42xx2BJprnD9zHFpUMYSTDFkrzwwn07xg/pJzIJJGFEhyu4FyMuvz4IopW nRZWLdAfEhqhaEMJfjghiwxUPEakliXSA1YFCWlrSt7NbGh3TIDRHaN/h3cYmKlDiETIrM7zYehz YnkKk8hIVc88ZW5ShTkuteXRGjk3gynTDzwUYCYTGrWgB/S+LHgbQsS4SAJGzRiMM+ZcGDDlkQQZ lRoty8hIWqYgs2F/onnMwH2d5Kc1HlgTtlSa6QFFHnO6NtVNfSTBoYrpAfeHXPN8VMc0Dxg8j40A A8UQy8pIBMFq05THzarostMwVjUPF4oHC3xePBTw8Ro5PyaZ46nWsd1Dz/DDCdl+sKDQPWPoGEnI domTRM3Q04IfRpRaF2MFWTAhfrSAWaWNRLhBQKOvQLu0hW/CbkYzRfBoIWgRHu0iJcIY4alC2h5j WsxPgc6hRQp6QPjaHtHTybOotdT8XILeE+iwigqZ6SgCmBooHixyF6upjmU+Nhqb1RXzXcWbeW3D bZgXYFYJQEkLiI8GDppJAdAVzBhP0jwMb0IJ5rJ2jtwrHrOELQQKHYyazjNmpEQU8AUd4NEltZgC g7wYVzWTgRxPsDCghFMOmZhp5gIO3I3n3YxVER/WzAUMIy9LACLyeI3i6eR8jWBUTaPT5vxAQ871 B2CqaRRlpuCyjnGsXUXScO6uDXPZ1M3VCAmJyB5MAoyb4/ZIMtI02oVRlfsUjz5V4rRhvdOmaLo8 
S2DMhv4gpBqaKYDnxx382DhnChBCBFMAz4wZj42NBTGUkaac/pg25Hqu1Y1mOxoUgOs7U705IIrO wpUqnbep4rQM12ACgNkmfItJFJhyyP6RqEQ07Jzn8H+TRb61/HAHOGaRuEhOfDcylEB/oJ1sN9SY Stk0fKai+SlEBnJmuAuxmNLFesz3XIVvQaXjqms5TvkfAGDyhsGJjyYvmus/ZstglaBVHtUu0pR7 LqbWrt22U/GLduGeC/VUcT0EGJD77cK3fk7Cdej3fyoTx3+PY3z/V0qpD/n+H6HKwr//OylXrVIX +Na+qNX3jlfE+NhkpdaJN/eOD22vjIuurfj+3va99UpNTFWmRa0yXJ0c6SpEpocmd1TEtWnv7/Lr j1T2Crqnuptf7eFl62MTFX6JX0Yn6qLr4FcBi1VGq9MTQyROn6zvXb7pusnlIz3LJ4rPJqsTe/DV 2mI7/CbSyzCiNvzOjumxkeLtzqW8ZVuhrgJcUicp7Lp6LynUm/90/tuJ8x/VK9MTY5ND42Jqcoeo TQyNj9PWdZKvTQ1NVybrYrg6Xp0We0b5EnuKwD34c3T04Gt8jtfFT2r0+P3t24kp0k/vR0d5y+pM fWqGzBF+w7iTv/+4Ivgy3goxUxsjnWSvIgvWyUNdg9X60HjXZUcQ04LWXD8mpqbHqkcUMhDacjQJ C4l1ldGhmfH6EYUchDZWdxebLcD1L+N1CP5TFB7/PY7x/U+iMfYw/Ld6Af9PxvXJLR+88szO85G8 Z25Yv25rknQ0kmTRgSWn0DsdZ132GP04pbZmw+CSJUsef3LzAfrs4i0bBwdarVaxAP+gF63WLUny vdHkllZ/qyFEs5E0k3IjocUa/UmDXpWTZpOkRUOk5UY/XfQRfVBOGuWzG+Vyg4TpFpIoJ/3NRnm2 WaYFmrNYgEQEiZRpE/yjiv5+0U/ioozb6Oqnv7N0PXKgSRvTgs0DdDM0aJRb/UmLtmq2WvR7o9Gc JS2azVazhZ3ozdlWo9VszrbK9GnSmk0aBw7M0p+WaEKb5qwQs4LOk9CRcI5+gd3KTV4smaV7yw0c q9HfmqU/5dbsVKspaEW2SKPVal75+NBKOmheH/hw/arqaH03FZRk7qvuuyrTtbHqpNA9mZgaqg/v HK/soqKrBL23cWxyZo9QPaZHuWdumCgniUg2rFs9uOfPfnrHzXd9RZw9cP9dL7U+9velR0cv2r5o 2Y0vPP+Bd0/tvPLW89/Z8QdiSfznmftef+bhh2/ed962/W9b/Y2R5j9/7McPfvfvVi25YcUZYuKN vs+sT5bYLyx6JH1laOLJH+xvXLDkkp90NC64+Y4/fCj/XLl75veu/dSp121qnpMsXvzI5Ss7+vfu 7tj17H++a+rZV8+6463Xd5kvLj6l+ePXXzvVPNR8oeOiReW/ODVpfnVl4/Flb+1784k/bzxx2r2f ee/E1n976L5kzbbFyffvGXvgqz96c/KKZWs2/ezG5GtviC8/+tbbGt94eTK56U8u3bfjuWdue3T/ J7Ysve/8/vu/kxx434268bmJD/zDxQ+dloxfmuzcv6F20SdPwa/veeHevSl++dOXP3/5mtXbXt6e 7L+/o3HTqcnf/Edy781J+bHfSP7n7OSyvac07+5oLK8mPxxM7n36zORLz96XPL/4jMSdk9xzzjt6 v3Zux56pXWckX+pMnn/7O779zuTfz3vvDUuT72r/L1dsXvRicmEytWxR89Yv3PnUjRc1rv3svz5x 3/v+6u2d1/5EJtPrkgPfeuam5IGPr3/yB7dvWpw8ePdrpStmv36jadz/R8+d2nj1o9ddvuod/S/9 /qe/vPjFTX/7m6f1P/bc7yRXPTy4qHnnz85Olr8w81zHRWct/pZIXj3jn27vTB5Y0lx67jevevJa 
9dLX81fOuaJv353nv/Kdl7qf+vQDV7/eevqvNwwkX7n0R2devKjxxlkzn9L+xb7Vt3zo0Zuuvvjx H95y5+a7F41s++1LFn146Yrz3pVMte684Psb+rqe+vaiP77nPc/+14MX7l+00v/lZ5++7R9XfNN9 4vaPv9GxR//03O+V//uL+6q3dq+6a1vXa69sfuvNN277/BOtc979v+19d1QUzbbv7gnkpEQVYQiS wUGiIjAGQJCkEpQgg+Sco4AtKipZBUVQHJCkSBIFBIFRFFSCoGQERkAEVATBRPIN+n3nnXvuue++ P956b623+DFT3V21U+2qXdX0qq6xvtBovmBUOVpnazptGp8QcffHyoNr183ylKd4Xk3vnY+Pn3y8 W0WozNc8eWyHSEXPpVTj6apfYgmFPojXniZNzkpUPJZYF+cVXi38+fjAu+mMnT0Q77cfmXC/LY86 Hjq4O4aBeIBQlLyPkz9qA0mNOU/T71hW+jQYdAiQwp+/343P++nFQINPXne+9SBuIYelKxVJ1nBR /87VLTcMGBJ4wOKQByzLRrlmBBod3BvUlJEvD5Gcker9M42xORounezUvee9JLJubsROzEn4IMlB DZYID4Leum7UZEaRohVv25EWBRPmnKTwuHhEagD2tYoLNns/J0kiOy8j9IJ1pIOW22aMsRO3vDhp iQLPrj6yjWsSaiUBuTfojT6N3sk1TSfdPRHy3afnJoY3nBoTHgpiRDPsR14ly737jBAvlBtA+rbW umYtRor2j4g3GVC9eFKD0d8Wifc3Of+QsWEYb8oFcw4Z0xBz6lR0kbpmD2L4RsZF0n0j1eqKK+fU JNzVsnqVMOdHb6HFfcZmHedH2yDNADd3ueyUdAz5p+JkvSwS2vniJaag0rFYNbsxEV/ISlbOyxbw 3pv2iafykuT+JFcfkNrnse/1Fifvzmp9s7GwiMDlUYi1SQjrMYZXHTzD+noC8eyHX4lGra/5KYcz KmCDlnxZJ/+MgomhqeIsRm7YKRTCQh3zPKfWdd7h9GIBI2WMq1e6Yzuwks5sNn3wM7GThzovbd7n yUxtJeePGD+RuGTTicxQrfX2prBpCh88vy0uIWe/X035CTH0PMNbenhXbzO3wlMNv2fu09kC+6/X Yk2n2W60Z8Adqp0S9IVwkDY2eEM9myou+dvnBmQiXvbzt0K4HW+beX9v/7yuzYN5loN8pKE6GyBe L/YCVsW+sdkAt1Ao4a7ipxYEliAFhz0V9DSQeA81ZvKPS5r6xUn7Hilked5viCdyUkZOfnk+yMZ7 mswp7MVocosVvX2QO81z5Djy4yxFFPp3DOLJLyTZCZ+bbPEaes+X1g9oIimqkktsGmZtrYhZ9kZ0 ckAoEszGlTDJjp+UUaHHOPTq3DQOnRJAcysuIwKS9oum+d9gSuagwvd3Ee94lL+eDHik6Mukp7MF DzKf/deRhheegsFC6osK9nZhUn+4z7WNWERKASv13I5Wh6VSKG2IVAqjr2Z+SgErwcdICj3AJ106 AAapiG/hgdzj59NF3QzeJAVYf8dOeLgywaGAs7YGIBWY2gjb+C8GDrnxQcrSBBvqJ5aCIwoyHYBy 7r3eSkHuuRnjb+GeKP+2H41aHbeZNb9hXV8HrKd+tc67qzNiGBK0rWqTrkJmX+zYoxBEoGwzVkoQ tRfjyvkGaGBBMiPxiNJJIYQSJN2yL9cH1ykC5kyUkcydW2S8MZfkyQjdalVwDNNkIffGSDoY7gyk eWAgHMQEoslR075sJOGdDMlddodz792SxjwziDE/keKms2C3Mo/EGUjm4yjnJM49wrKLRlyLQQTO 39DDqzAQO8x+jG0W8yWAOTPV0Y7fTHrWIesJB6RmJi3GTCmjk0g4puoUvKo3+srQPpxKj0EclnO8 
Q70frwTmE82j91KL9qIWRlD/Ootwbvjgk+xMyVtvwtbFn9dPHzmWePBGIWlkWQbM2bCcwUKkig1C +3fY6IueA7Zz5yEnMwOKzz/DFsw72n4E4kMZLknldXgxOZl9Tx/6MCTnt/EgbuNJE1yoDELhSYBA 28CI3HxmdMGwDVOAQ9pL+WEi3fEGr84noJ5OhIIFjOugOipXMt/smYlvHyPMpWi25maVbUEP7Erf NP7xSJy8Cp4oJHdrEXLMb17kcgrCkYRUGSmOiTWImZYKL7BxZxi4yrBcyd4MfLIP3m9j50XMWhqG PgSmXpqK9gqT9eOh+hIydlqEVOnBfMYiIv6+Vx+YXY/Aa95LGFOd3CyPtMGJPh6Q+8CE7uqlxxG5 konCcwXiF4zWi2JMY3nQvI96uJmMKl3o3+3DSWmBquDFDs31R5ktETPxd0dAX83r/fJxGBMSP3RV uWY8s9Hl2ASeYJcl8Sv2aH4s3I2ehQWRTOEN/aX3IV7I93sUnVmrdxhHLHAfHrvaaF6l8KTf+d17 g1QQOcNoeuR44qQoKhPeHe19ALrk4Quve7STx8XGQpAyB1NmUnB4MENyz7wq+vB2rokGvl3HF0gH yU0w33arsxlIv/QQuVuNu1XefpidAxlVhR04irYMlrKJcYiR4oqh1Oc+TuhhNL2OM33Q+EAW9eM3 vFJUZjx8xv1a57D23ZnmCyoHAw9v+bXckffpzjeLrRuqIkLerN/W/f4GZ9bK9krNbPsenGODvrfl g1T/lC9hNGvvLsHrxvzG1feKmwwucmast4h4FSV9w7H25pumhXeHRBueLMwvRCwS7ady53NrVyyD 7aatWSamdqs8xCtvmsytvvNsWVq7rU9y8IX04JsH3FbH9XWiborclado6OIT9HepWFEpzPHWpJ6I c67dWfHMQiUsBknsauZVN13HvXjsj4Wx7tufkr/d1cv2RnaKfMyTFpmb6XB31q7xBx56Vk4hBRHb lZ7pIqZpR86Z5fT/ZMCb9sZ3PKjDE2NTMBMGKtB+Iy/Ws/owFgZBE0/px1JY+/BU8lDzlaLnG+ox FC4h0o6UuGmp5R1oZ+u2I4yk91dw7blXnAfYhUbXyU3G/NinEZHpu8e2BBuVW4x91lSnD8+d7hbD 7WdP8wa/FkV7nS49AF7htuVPvTJuxX1aYENxsQ4wxcyyYVv7sYCjqs9xARcNNh21nC7etmIPqTr6 d6O5KpEf7x8wr9ri1eq4jyR4dca3QBTdFVWBjGl/P7RrZDBNVflFQO3n80nD+Ha1DXpIPEsJZRl0 LczZCLXtWWo/t/DFMZ5g0WCntJ3/kpuOI7acYt6cxP+DuYGTAcWR3I2W2dApLnRX5nrYofeOo5+T kuwGg/PqLaxY4oEYBK1wU5iygCSuUAyVS93ajhEZCwrhowbdc0Zyfn57Obs4kYhMcPYzU4pPO8Ar fRMWkvMzLYm5CAi6740ULA3bwsI3yga07rAS6DY1gjsnI3nBxj/49Xl/3Yo9XMs7UT+diXoECfxs 3otrT0ke0W2DKkVOc2t4Ia4hRF1/tLpWWICkMTt6A/8J156akPJW/ssimHmaPIG7NYJfoeW9H574 lh3KX4AAu0ow7NP6XsCI7oqg03Ts0gPDiqT7iBz/XC1M9VcxkG3o93eM6CSHFTZt5zQXuuLtpsqs q42lSPfuLctFeETQlSPHvrjdl9sv4lwfwkSyyOLEEl1WnoPE1A8i2pLZIRolSNpPMwadiOEdF45O v0PGNA1eGPygHjyqhi1Q+87Vy0R9GvWJ0bfQ9mcQ9FTdhmeLGQ+nGXy/n+J2gRyHVD+Y32DR/0kQ fZRa3QB5fQUcZP1KrJQ3g+mpynM7T36FzquSILN8zutN8zAjeXyhpRx4HmnI6TL4bgfy7ZuOEWeA 
JdUVOYGlFkUDqg8NVkedFoZqwDDo0SnMxKnPWN98IDORYaQEpDoPwOtPb6IgiU3nSzUzSboR2qPf I2xbmRIR8kLFkYhObwj4GboOFU/1AjNHvYKqRz9eoC6/9uJo/rzUr2rHO7VxxDrpb2Lg3Tv0cjgO 4t1/FjJRZ8JbguCWBwOVx0ASxJWm14v+jBj7rDLNOEPChnKjIwS0bnciIpUtTMRPMiHxEmJGIL7E zkSeli4GqtdojQoO1cFEsncyJidiF5GJqODLQLwWJIiYrtOGXmbSuL8sWrYNFmSdNkDfoSFrE1p7 gQyStn36ALBYYd5GfynjgGdpGiyEq/ECtZxUT5tpg/lNSMomyGMum0CohhOeGpYIFVvNTbKzsgXD zWYY3+3Bm4ndpTAeEQKHL9UvgnjoPVx7N31ibN2Slgf9au8VQSxuNskEIauMxq5Mhs/43G09D2lS maKotPtBqH5w7pAGRO7wQPZJvgSih82sNjvFuUQbfeul/t3+qwe8aIZxJVfkzg7cR07Kp+MRlnc+ EmYkYHkwyRJJM5kdRczYSFtiENNQtcrXOJI28N0aPnIdb7oPDqsKgVQwImWMkUrECrQzgf5tC00g DbBnRGJpjSWj03Tbf6hbyD29yAhitmF69yI3ldhez6oybb3NRe1yq02K4qP21vUy0r4owXTsnBf0 N/w8xt45zoDGavAigXsaY6HahXIqQ9hzThTd+TDKI+sjEE6MfA+MPmVWtJGZFC10JGfcGTYEYLET RxC0hyO4pElteEjbpqDxTup6heps/n0XfuYaLWGIMjWGbPd/vdR5FBytzl/+QK7FxT5jf5VWS5aK d/SMwda3os9fKdpVth+r2tjWpp5adkde0Dr+7OHnxQ0OPY+3u6h1d51x710g1HTHWutYJt41PrZ5 /J01Kagaz5aU7zfUjbkrYlXLl7zTICgX37JZ1Yb12fZFe2hgJPeOf4AWIVU59G24Su4RIoxBozkH WG98iVTNJorqRx060rLsCtsuArlABO4ZkdvaROAQtx2EkpIY2yN9K9VAyswa8CC3SZiLVNzvQKqT nDQ34ibLQXm3MAetsYHpYifJBL6O3obkXp56Ttrt7yDQKNOw0TCXHSpUM3HE/bQG4ImEO6wvNkNU 8ZBsX6TrBirRtUOAkahFv6W68uIXM3SrWJPHArz0v9Yi1vDMfUYeYs8iP6RjqsjX3I9z9WKo9WSY SeNZvJ3ThBHo9hft1YSY8iFlNJew4YMJ1rQzzCbvTjrkYTBUlmos9WgjQkgaFUS1CLDTVRC+qAPl 63TABgZg8LPBzywu40B2ydEtv9umFkudOKIMoa++Z/vlGYEJPWC0gCqjnT6wBZ6NqLNSWL9zwfHB WCy6SxBKK/3omYDWJiQxUcKsrYMAewp8m2teX0++APP1/N3C0D7A09XK4b/18Pvizaj+CQg1hNLb 3liici8LdSqXAQqnxNGzl6MN97LAA90N2BUutEc0AQy52MGHyAHnWeGjz5I8NDqKn9jqy0GaVQeN ZYkxWRUp1H6sB2EbBFqeT74+E7QwYlGjeMbwrehTMpSenyUBcdPHWgh+yFbexlWuxY6DpKm+ctoK jP/AohmNepjkIq7HduknGqsw6CR5K4NvOePKDJFPD6rWuTnArQ5J+NFXzSXwkO2Xw/BlTlATNTIT hjdfBjEze2poSRlKJw6fc81Kf2jmnZtuJXvT9+b+Npes4f33Ylty93EXPhRn02X9KZhopiKloqPl 4drU3BMrT3F6uRxxum+pg69d9aQrIpaRXd3HesVeHV2pCee3WX5usHmAEwl9iMvE0L6VPXqlDKWC 0sCm3B5EVaRPvYJgYT5rYVOvITIKru1Y9IJRx2bq/pcOCFXqVWQYgrZVyqJXj/sBF1QQhZhhgd6+ 
c9OM5GLOaU5K5MYT7PxCIdKvbjCYbmxWUXklJ7BKQNvciFDisDBkHyEHCdow/5x42YMFJPBwSHWY idbzbhdMR5QxwsOmUDbKQ2bq1sgNsLWR3kyNDKZDXfR+ldLKl6q4DT0YG+pV774gAiYPL7BCpmIb kvINC3X8VI8IDFXdAp6ZRyntVhotAwo7LyZ0pxCEjviC6x6EGjnUE68XjkU19iCkTwNeuTnm0B5z EWY4Rk9sT8ncBaEzBTQmCMWQpIEC6JPF/uY4jhi7OQnm8AVWqOOj1iWNYUn8LGA1rAEp9JpbDa/A yqwemMGM2cZ05PDAFKlkIgjS88GSH0IV2OXBRj6YobTcL0ODgZyRXwY0v1pO0pZpzAynNqQRFz4q CEC/KbQvBl87jYMonzeV2FLTFCC63Qt3YmOjVWPhZe5bEThaw4KFJN2p3QhptGZU81V+guSYvyRC m70ZLZYJtG9Zl1uTBrfYvY/HkrjdzcApqJBXNzTzsQnRHYdKmmOpDE+/RVq5iYP2o4O2DNTXzcpE MLJAaA+U7yEzZgcrzEcthe+xOockcSqYlRc/y+7ZdeHEr4/VUufv2952Hfh4rKfQjWcx7/FXz8T8 LP2yW4f0n0/148Rw7cUdMw868TXCe6oa657f8pTzYZYnv5gwladsmlaEp7xwZgZkajgBIY8f3vH5 futk7pFSQHcYQ+gNv0gEgbvLo3xAOzI6znKZsZQXgZmqjk1CuhPhstOywATnfXr0vlhKzy2wsJIL hQQgk2hVrxyDS850X/U1kPtCdekNsM0Heu1gxnjUnQ2u2D7qnwjPQ2hhowZAAtfamrpNuqyAIX0e OLEeAwhhthahlvDAQ1cE+BJ8ng//AvS93D2ktK61LCptOlAbxYBEfDDjjMIozNw+I8G5brNdSU7B LPJw0h4HaXf7N1E1MmM6DlZiC6I/Z27kpU7b+n62DAhFqHF83vrfmb0U/X9a7rdMxKM9cjsR6g7t /p3SENqKgYdRVRanTpYoPny5CVS7KOXkbGc8M+j99Viyfy68QrcxhAUy786wQdC5qM+MhpOpcDSR B6aV6vbATAoeqpp/cCDUQ3yZCC2BP/u6Fe8YBvTaj7s8Al8mhHrwYaWZONwbKvkUbcuOoeZt/Oom sBVC2wA839Tb8YLg7qeWAW+G8JXr6afv3iMdmCEChNImyOdz4j6fm5YA9dPFteENieu0o6r20QWU V3OQy4W5Lbrvi2Se+dygfufYwwdA46pWffy6cwNXj1Ya+0bOkpTOQ83f0rVfFDMHNhno94ix91ht PHAlX4Bv+9lZyYkzHZhMXivqst7xsWx7+gQgS9fnqsbK51gSPduIQfe4Lp1dZ8UMHCKQtg4+3hx5 TWRPGJalG8IQucuJEaGK4EDp92Pc1VR5hbujCAdnuZwfbUCoWhh0NZXRupikULXHan2ZncqMACgy TyZf3vvRkp3ueWu7jgEbumcSfsV0WtCVMYEzDhaZymnxKbmw+si3hQm+Hfhp/EzD5ZEBUBUe19Lu AVkSof6VCqLufSzdBuB7AtVtUuWnOy0Nn48HDWbI+/oBKqyPldxV3eC3VdjdfslbPuM+G2i4zdmf dqmnrIdEynqUc+WIBAjuespXmjo7gIezpj/DSPGIDxcIDv8w/1211xj0Og4uHVyhB0AJK32CjjL/ 3ZApzwKIUFoEZAMozVAYnKDIdvbKqtbPxQ6JouESGMiYGjHXWjm6NBy+P0qIpFOHkK1tf73Nrbf/ PptoHl+52tI901+nvrXtLEsO3b/Szto1ZnnqwJi1fOTFQ9ZTP1m7BCa07owu4+pGWeRpXLdVGeYb qDKNA6zAkRVeTn7/7ZGAL9Bj5HiCnTldvBqQrRHqYSi9CfQbjd4DQOSDj1IgwArBPBBP9wcLNB4M 
pJvP+/cVBt2MB/oEkYhBy9TRETXmpXUrdN6nqsiqpH1Qmn+UlXaxSAx6D4Hp6VQ8HGcBlpUlYfhY GILdFxU1We/WJQ29h0sYTBEq3XX4n5urRY+3MUNFZyFyz0gIHpr4MJgCdREP+vuZYPHDFmi7ENf4 gsvlERYdxMORZpdfd4DsgVCNoH50D/QepA8RQzL00cSHF8YucfJ2CoKnHLgiY1cc6XQOCAlCC4HA SFxS5FwtoNN1NSPK8++QJ2cm6LXxlGCD44X9suFFRYr8t6WxaT9PMoHnnVjWripLHc4fiRPs0NB8 AkoLp+TN5tbR76n5vzTNM4B2YFa6yW1WIees9O3+ih9eStXKJLwosZr7rGZ5e8OJ6+nNdP4zGwxl f7zd333upBV1+wAmXb+puzCiHVNhhofB8SrbGQbUyroLD9ZTLOhbTNFoW3QceK/6QaMYi6HafyWB Qy/QqsKZ0TIxENwDpVKrlf03acEwbsZyfidwX7Gh02NQHYR6+X8/DSeg561FtBnIIzzhdIcdgNLc P6kQI+3abW1Qv5PJTvN0Fgffw5qCJAQY+UGOBSp4/k5va6C39k8m8f6+7mRFOjPAlw2hZgN5fy2G FOUXHgHDyqzIf9a7A/3AAYKWVwQUS2KMiywDBn/oH+h1voCfAXO69mL512T5vR+6bNSiLDRgyRtL 3RVYi18KHV8KV+GNv8EDS/Jd0H7nwryIV9ZsvX1W+tU7BkqL2ncPti4NapUuGDafcR/BB1o05cyN BgZlbXz1LvxjWusmK9LARNl1P2uq46GzfDPtj/xqLJt+bF/mQ906gTbkMDnfoxZ5CltQyA8c2fm2 jHfwhF0UNTQgzyUqD8hDieYaGITmATmJGnCtRvmknG0nL6ygs/eAlsQMznceclKPH31MH9AsdoB6 TVLCs0VmmO7WXS41qMUQzudIo37OQJtptMYKKBsluDt/swugccCmjSXJL+Mg6hcnnvZmAzUwBmje Xkue8XfLgXqvDenNE4jaQDVTWRZCh9/EA+1LBPB/CdNnRGwYGEu/CxAT+g++eO8ADzPXsRM+VN05 0NC2EMRH5fqsukV4d1PFy/VVsrfA9MOSWybGV0TXZdn5hRpmwiBErOMzfibjjI4Ng69q0D087XsD UnWOGxbE0lOWXhXgW6BKHJvLKX+1+PYwzvTXe9uZkYRir9E7153t6/s69MDz4LcjcAqZULx5jBHd v+P7S0bT9xQ+9JGpJiuF8YJQpBgaGMOzo7p1DvpzGJbl+vBo+PclDcqbVKXoc06xGHVL7MzYE+mw Tj5UIQtKT84+XSrBUAZLKxxAxwhe8q4woBJ+u1K+Atuhj4h4MkOTKpRGPGOH6jZ/rTADvFxRxXa0 sUgTvTB3d3LTlrbtCx45RsDGcFYPbFhWJtsnB0+HY9V7GNq782NiK+I5qH2L5zZD26OQitfrdeCQ Xtl43/ZgjO95xCb0XG8ea+nN6i+bTxhfR65VwptmMSe3B7zULcWtWx7ssVEDGxvDRWDjvh/aJIg2 HwB+YRoOfecw/TH6pt8L4/LTufVsHxZ4eEgOCqy0jSEdO08ROLSZDeJZxz9cQiYqxrfgKUNd472o iMgJci/1h7Oy8ZWf1kw5ck/D4PU+yUP3cMHTjESp01evj749Ei5IfdqV78bODQrZCHrC7frIlyFo 96rGlXf78aOsi6If6f/JYkmvuBdRVvYLsYH86JiPK/Bb/0TQuKLTt645Y2g9aZNdPRrCcnVAOrRT EX29t8hEHxqEvK4GGvBfmA66cmY8qXP6To3Xxein7yJVdA82ix1lYmLb9vjcYgtGAGcTfX0m+cyC jsqeQ2MNrwZOqmEFCOPINTHgZ6WlmJQX7an3ARtndlrLXa1NOz1Td+jZH7M6ZXyJAsaTfMTb1+ol 
2hVHl/jr1yHPNq7H0EZM6pRRjp3u4ef7N69cheTLlTfjctRdS7ul+Eb4D9t8PCuPvVH/JOyKOSN4 ZdCaPOPCDqN8z7Jnf3pY5L053zAd7MrYkMYww+mj0XRELjQuoSOlJft1qeFljV9ZqRhflvQWJ00j ZfQSPrnr4tOX7wcX5Zynx5blgiu+8IVUlzq3fVZSVf+lOkdvu5eb+4/O0E4+PbNZmE01BvEtynl6 XdI7m+LC0bxzloV7IynktMpIJRtad+CHlc04kE6l33rah0ykH9HApu3F0Ya7Pb8Lnnz9pGbvnjfh VYWfKPI/F0zYREY1+pQaNfqjHmFdReIGtg/P4G4xL3C/vtSuRBB136xPFFtxXMhTYjB1OdLD47Zr O8qdFGjthVyr450vOlv/8p11AgPpk/qvn8V9xKjhmOfdg9nHn7ndzRgu+vpy/Kgr/KpYSc+0GgPA 16+uBSCpQlv5SZ9tqVOITeHSS1S3c76OQ1OPzEKtp8fvmeq8potKkRkdPmY77IflLgYqeGyrF4wI qDFw8ZG/2Ed1M2k7wn9av//YlJ/8/a9VPqX6AWXjDgnHE7w6MnbsVio+XGR42SGryDDO+Eu6u16T uERG4KHpOOms5xID98R39wzkDDCO1hvmiR2+RHY4cs9TprKTh2R7udrMgq+7s/hhxGu1D867byjy kQYwE+EqLrfetQmSYxcHLpl8uPO2RHG58HV9w/vn12oveaESc7JVKudEejKzo+bVmPf8TF8/usP6 Bu/I0278FW8Pzz3EB3FKdV1XbfZ/KUrvO3q+s6W46xu/c0WqVlyQ3eh7CSEPUmtMidkNEfvKFmmn NhOjbsf3Qa9H7hZ+mnpMdLvvoupWdCZOr/zD4q3nFkWnXhm9M8TzPVeaWshI9qEPXteL+/ve7VLT eF3pE5T6rkRf7qP/gJWJh9+yeUbtzMMRjb6ydI0aS98ekrdrpcU5j4GIZrUHtX2q5xaquk5Pil4y 2WLY0aVSXUPknIvPfiDgNRjEI+tUqP1p8M46u3fbjSSwHO1OZQlyn7i9pE+fM+R4etqVY5vWkbNe QYymh48u1XkDM3/3hbZfEXXj+mkxe3zhzElJ9e/jYdd9S9Vbjafkrl9n3OLnLFZCqmm2UVvUihL6 lO50nP+9r1FegEP2IHe43SXzt/y8hmIg5WnrY/NLsi9zeexRfxajBHRmuXX5PNkL94yOrUwPvh1p 1m15P9SsizERp4gqZ90qhK+IL0fdQfA/y97aIXHiruzOSy7OEcLosS+WOe8TsFZIVbkUhwR5a5ee siB648kOEaWSJ9sVxjyAL1EDS5mp/da9jj4O37x6qI6fu/3Y5t4OCPzQZTqKoIpqZ40XX9M7Zu/J 6vofjw/WYqmat7SZyd/ud+hNlTyvyWfEEa3yTrZwPcQuftMKoFFVlJRSZiLTy3e2+lmd3rT87uaP 0lKNi2WbqAQR+nTKnat6qOmq3olazaWNwpyku2av7nyNPFE3QBZF0i7NMecMiiktvksytkpMOH42 MLbgjH9a6xO9laUCzcuV3Ly43tQ3DYoSl0pz+yFqo4knwXW/JxvTrkHz+gNn/l4eU210w1XH+HOv 08Kl+A8JzLSgdiUk5MXRsTKBGFY+tZdRXD3HuWnZ05mo9des7RIDwV3fhJ6abEL5JWli6ujget/C Nwl1Jh+feWMqjOGDx/Q+tGo7shRj+RL3RibkZtJ9VDicJVifevbj0EU0aK4N1ztQtcztW7gEez8P bcfVaCJqScgphR+bHagHxtFHDoJp+HonPrZdXDj6p/ZA8MKmJNR653ACLj4N1XjqvNzd+vn+S831 vscx012S/QQ1NNxRiLlKE6l8kekyL2MztSK4fuYN7s3tzsmerxt3rtJ5825C934/mYyqidOMZ621 
Thanks, -- Alexander Kotelnikov Saint-Petersburg, Russia
From mjoachimiak@poczta.onet.pl Tue Jul 20 14:48:00 2004 From: mjoachimiak@poczta.onet.pl (mjoachimiak@poczta.onet.pl) Date: Tue, 20 Jul 2004 15:48:00 +0200 Subject: [LARTC] Fw: HTB - Really Big problem Message-ID:
<002201c46e60$2c96c290$0802a8c0@monster>

----- Original Message -----
From: Michał Joachimiak
To: lartc@mailman.ds9a.nl
Sent: Tuesday, July 20, 2004 3:45 PM
Subject: HTB - Really Big problem

Hello everybody!

For a week I have been digging through the lists and the web and can't find a solution to my problem. I'm using HTB 3.13, kernel 2.4.25 SMP, iptables 1.2.9. I've got a situation like this:

LAN------Linux Box (routing only)-------Linux Box (HTB)--------------Hardware Router (say: HD)------Internet

When I start HTB it takes about 5 min. to start working, and then it works... During those 5 min of starting I can't ping HD, and after about 5 min I start getting pings. It works like this for a couple of hours, then something strange happens. Ping stops, www doesn't work, but radio (36kbps) works. There is no ping at all for about 1 min, then it starts pinging for about 2-3 min, then it stops for 1-2 min, and so on..... When I stop HTB, ping starts. It looks like HTB is filled up too much (sorry for my English :/).

None of my child classes' rates exceed the root classes. I have 50 classes on 900kbit (10kbit for the default class) downstream and 800kbit (10kbit for the default) upstream. I shape bandwidth matching by IP. r2q is set to 1. No errors while running the shaping script. I'm attaching this script; ip1, ip2 and so on are files containing the IPs for the C classes. I'm including my script.
--------------------------------------------------- cut here ---------------------------------------------------
#!/bin/bash
#x=$[100/20]
#echo "$1" > /skrytpy/status
rxmax=900   #WAN max transfer - down (physically it is 960kbit/960kbit)
kbit=kbit
rxmaxluser=250
txmax=800   #WAN max transfer - up
txmaxluser=100

#counting users
# ip1 file is like this:
# 11 #Somebody
# 23 #Somebody II
#EOF
licznik=0   # licznik = counter
for f in ip1 ip2 ip3 ip128 ip4 ipzew ip6; do
    for x in $(awk '{ print $1 }' /skrytpy/$f); do
        licznik=$((licznik+1))
    done
done
#Server
licznik=$((licznik+1))
#plus router
licznik=$((licznik+1))
echo "number of users: $licznik"

#counting rate: every host class gets an equal share of what is left
#after the 10kbit default class
rx1=$((rxmax-10))
tx1=$((txmax-10))
#for the default class
rxmin=$((rx1/licznik))
txmin=$((tx1/licznik))
echo "rx $rxmin tx $txmin"

#root classes
#rx (downstream, eth1)
tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1:0 htb r2q 1 default 2
tc class add dev eth1 parent 1:0 classid 1:1 htb rate $rxmax$kbit ceil $rxmax$kbit
#tx (upstream, eth0)
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 2:0 htb r2q 1 default 4
tc class add dev eth0 parent 2:0 classid 2:1 htb rate $txmax$kbit ceil $txmax$kbit

#default classes: anything not matched by a filter below lands here at 10kbit
#rx
tc class add dev eth1 parent 1:1 classid 1:2 htb rate 10kbit ceil 10kbit
#tx
tc class add dev eth0 parent 2:1 classid 2:4 htb rate 10kbit ceil 10kbit

# shape_host ADDR MINOR RXCEIL TXCEIL
# One HTB class, one sfq leaf and one filter per direction for a single host.
# MINOR (the host's last octet) is used as the class and qdisc minor on both
# interfaces and as the fw mark on the upload side, so it has to be unique
# across all the ip files and must not be 1, 2 or 4.
# Downstream is classified by destination IP (u32); upstream is marked in the
# mangle chain MYSHAPER-OUT (this script does not create or hook in that chain)
# and classified by the mark. Only TCP is marked, so UDP and ICMP from these
# hosts fall through to the default class 2:4 on eth0.
shape_host() {
    local addr=$1 ip=$2 rxceil=$3 txceil=$4
    echo -n "$ip "
    #rx
    tc class add dev eth1 parent 1:1 classid 1:$ip htb rate $rxmin$kbit ceil $rxceil
    tc filter add dev eth1 protocol ip parent 1:0 u32 match ip dst $addr flowid 1:$ip
    tc qdisc add dev eth1 parent 1:$ip handle $ip:0 sfq perturb 10
    #tx
    #marking packets
    iptables -t mangle -A MYSHAPER-OUT -p tcp -s $addr -j MARK --set-mark $ip
    tc class add dev eth0 parent 2:1 classid 2:$ip htb rate $txmin$kbit ceil $txceil
    #filtering by mark
    tc filter add dev eth0 protocol ip preference 1 parent 2:0 handle $ip fw flowid 2:$ip
    tc qdisc add dev eth0 parent 2:$ip handle $ip:1 sfq perturb 10
}

#siec 1.0 (network 192.168.1.0)
siec=1
for ip in $(awk '{ print $1 }' /skrytpy/ip1); do
    shape_host 192.168.$siec.$ip $ip $rxmaxluser$kbit $txmaxluser$kbit
done
echo ""
#siec 2.0
siec=2
for ip in $(awk '{ print $1 }' /skrytpy/ip2); do
    shape_host 192.168.$siec.$ip $ip $rxmaxluser$kbit $txmaxluser$kbit
done
echo ""
#siec 3.0
siec=3
for ip in $(awk '{ print $1 }' /skrytpy/ip3); do
    shape_host 192.168.$siec.$ip $ip 128kbit 64kbit
done
echo ""
#siec 4
siec=4
for ip in $(awk '{ print $1 }' /skrytpy/ip4); do
    shape_host 192.168.$siec.$ip $ip 128kbit 64kbit
done
echo ""
#walas
siec=6
for ip in $(awk '{ print $1 }' /skrytpy/ip6); do
    shape_host 192.168.$siec.$ip $ip 128kbit 64kbit
done
echo ""
#network of external IPs
siec=62.87.193
for ip in $(awk '{ print $1 }' /skrytpy/ipzew); do
    shape_host $siec.$ip $ip $rxmaxluser$kbit $txmaxluser$kbit
done
echo ""

#exceptions from ip128 (handled individually)
shape_host 192.168.1.54 54 64kbit 20kbit
shape_host 192.168.2.53 53 128kbit 64kbit
shape_host 62.87.193.138 138 400kbit 256kbit

#Server
echo "5.2/3"   #handle x:3 because x:3 is reserved for the default classes
shape_host 192.168.5.2 3 200kbit 256kbit
-------------------------------------------------------------------- cut here ------------------------------------------------------------------

Please help - I have no idea why it doesn't work.
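A pre-flight check for a class plan of this shape, added here as an example and not part of the original post or the poster's script. It reads ip files in the same layout (last octet in column 1, the rest a comment), replays the way the script derives every class minor, sfq handle and fw mark from that octet, and reports minors that would collide with the parent class (1), the default classes (2 and 4) or another host in a different subnet, plus the per-host guaranteed rate that the integer division would produce. The file names, the reserved-minor list and the rate formula are assumptions taken from the script above; nothing here calls tc or iptables.

```shell
#!/bin/sh
# Added example (not the poster's code): dry-run check for a per-IP HTB plan
# whose class minors, sfq handles and fw marks are the hosts' last octets.
#
# Assumptions, mirroring the posted script:
#   - host files have the last octet in column 1, anything after it is a comment
#   - minors 1 (parent) and 2/4 (default classes) are already taken
#   - guaranteed rate per host = (RXMAX - DEFAULT_RATE) / hosts, integer division
#
# htb_plan_check RXMAX DEFAULT_RATE "RESERVED MINORS" FILE...
# Prints one line per problem and a summary line; returns 1 if any problem was found.
htb_plan_check() {
    rxmax=$1; defrate=$2; reserved=$3; shift 3
    awk -v rxmax="$rxmax" -v defrate="$defrate" -v reserved="$reserved" '
    BEGIN {
        n = split(reserved, r, " ")
        for (i = 1; i <= n; i++) used[r[i]] = "reserved"
        bad = 0; nhosts = 0
    }
    NF == 0 || $1 ~ /^#/ { next }              # blank lines and comment lines
    $1 !~ /^[0-9]+$/ || $1 < 1 || $1 > 254 {
        printf "%s: bad last octet \"%s\"\n", FILENAME, $1; bad++; next
    }
    {
        minor = $1 + 0; nhosts++
        # tc parses the minor of classid/flowid as hex ("138" becomes 0x138),
        # consistently on both sides, so the numbers differ but collisions do not.
        if (minor in used) {
            printf "%s: minor %d already used by %s\n", FILENAME, minor, used[minor]; bad++
        } else {
            used[minor] = FILENAME
        }
    }
    END {
        if (nhosts == 0) {
            print "no hosts found"; bad++
        } else {
            per = int((rxmax - defrate) / nhosts)
            total = per * nhosts + defrate
            printf "hosts=%d rate_per_host=%dkbit guaranteed_total=%dkbit\n", nhosts, per, total
            if (per < 1) { print "rate per host rounds down to 0kbit"; bad++ }
            if (total > rxmax) { print "guaranteed rates exceed the parent rate"; bad++ }
        }
        exit (bad > 0 ? 1 : 0)
    }' "$@"
}

# Usage with the paths from the posted script (run it before the shaping script):
#   htb_plan_check 900 10 "1 2 4" /skrytpy/ip1 /skrytpy/ip2 /skrytpy/ip3 \
#       /skrytpy/ip4 /skrytpy/ip6 /skrytpy/ipzew
```

Two hosts with the same last octet in different /24s would both get `classid 1:<octet>`, and the second `tc class add` fails with "File exists" while its filter still points at the first host's class; a host whose octet is 2 or 4 silently shares the 10kbit default class. The check makes both cases visible before any qdisc is touched.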
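An added check, not code from the thread or from its author: it reads the "tc class show dev <if>" line format posted in this thread and verifies the property the message above asserts, that the guaranteed rates of the children under each parent class do not add up to more than the parent's own rate; it also flags a child whose ceil is above its parent's ceil, which HTB accepts but can never honour. The two listings at the bottom are constructed samples in that format, not the poster's real output.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check HTB rate allocation from
# the output of "tc class show dev <if>".
# Usage: tc class show dev eth1 | check_htb_rates
# Exit status 0 when every parent has enough rate for its children and no
# child ceil exceeds its parent's ceil, 1 otherwise.

check_htb_rates() {
  awk '
  # convert tc rate strings (17Kbit, 1Mbit, 500bit) to kbit
  function kbit(s,   n) {
    n = s
    sub(/[KMG]?bit$/, "", n)
    if (s ~ /Gbit$/) return n * 1000000
    if (s ~ /Mbit$/) return n * 1000
    if (s ~ /Kbit$/) return n + 0
    return n / 1000
  }
  $1 == "class" && $2 == "htb" {
    id = $3
    for (i = 4; i <= NF; i++) {
      if ($i == "parent") parent[id] = $(i + 1)
      if ($i == "rate")   rate[id]   = kbit($(i + 1))
      if ($i == "ceil")   ceil[id]   = kbit($(i + 1))
    }
    # a root class has no "parent" keyword and contributes to no sum
    if (id in parent) sum[parent[id]] += rate[id]
  }
  END {
    bad = 0
    for (p in sum) {
      if (!(p in rate)) {
        printf "WARN parent %s has children but is not in the listing\n", p
        continue
      }
      if (sum[p] > rate[p]) {
        printf "OVERSUBSCRIBED %s: rate %gKbit, children need %gKbit\n", p, rate[p], sum[p]
        bad = 1
      } else {
        printf "OK %s: rate %gKbit, children need %gKbit\n", p, rate[p], sum[p]
      }
    }
    for (c in parent) {
      p = parent[c]
      if ((p in ceil) && ceil[c] > ceil[p]) {
        printf "CEIL %s: ceil %gKbit exceeds parent %s ceil %gKbit\n", c, ceil[c], p, ceil[p]
        bad = 1
      }
    }
    exit bad
  }'
}

# Constructed sample in the same format as the eth1 listing in the thread:
# a 900Kbit root with two 17Kbit user classes and a 10Kbit default class.
SAMPLE_OK='class htb 1:1 root rate 900Kbit ceil 900Kbit burst 2751b cburst 2751b
class htb 1:11 parent 1:1 leaf 11: prio 0 rate 17Kbit ceil 250Kbit burst 1620b cburst 1919b
class htb 1:54 parent 1:1 leaf 54: prio 0 rate 17Kbit ceil 64Kbit burst 1620b cburst 1680b
class htb 1:2 parent 1:1 prio 0 rate 10Kbit ceil 10Kbit burst 1611b cburst 1611b'

# Constructed counterexample: children promised 900Kbit under an 800Kbit root,
# and one child with a ceil above the root ceil.
SAMPLE_BAD='class htb 2:1 root rate 800Kbit ceil 800Kbit burst 2623b cburst 2623b
class htb 2:3 parent 2:1 leaf 3: prio 0 rate 500Kbit ceil 256Kbit burst 1618b cburst 1926b
class htb 2:4 parent 2:1 prio 0 rate 400Kbit ceil 900Kbit burst 1611b cburst 1611b'

printf '%s\n' "$SAMPLE_OK"  | check_htb_rates
printf '%s\n' "$SAMPLE_BAD" | check_htb_rates || echo "tree 2: allocation needs fixing"
```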
From lists@wildgooses.com Tue Jul 20 16:46:37 2004
From: lists@wildgooses.com (Ed Wildgoose)
Date: Tue, 20 Jul 2004 16:46:37 +0100
Subject: [LARTC] Fw: HTB - Really Big problem
In-Reply-To: <002201c46e60$2c96c290$0802a8c0@monster>
References: <002201c46e60$2c96c290$0802a8c0@monster>
Message-ID: <40FD3E5D.5040101@wildgooses.com>

> Please help - I have no idea why it's not working.

What do the tc stats look like?

From mjoachimiak@poczta.onet.pl Tue Jul 20 17:28:41 2004
From: mjoachimiak@poczta.onet.pl (mjoachimiak@poczta.onet.pl)
Date: Tue, 20 Jul 2004 18:28:41 +0200
Subject: [LARTC] Fw: HTB - Really Big problem
References: <002201c46e60$2c96c290$0802a8c0@monster> <40FD3E5D.5040101@wildgooses.com>
Message-ID: <005c01c46e76$9e741320$0802a8c0@monster>

Here are the stats. If you want the full stats, please write and I'll send them as an attachment, but it is 0,5MB.

tc qdisc show
qdisc sfq 3: dev eth0 quantum 1514b perturb 10sec
qdisc sfq 138: dev eth0 quantum 1514b perturb 10sec
qdisc sfq 53: dev eth0 quantum 1514b perturb 10sec
qdisc sfq 54: dev eth0 quantum 1514b perturb 10sec
qdisc sfq 140: dev eth0 quantum 1514b perturb 10sec
qdisc sfq 137: dev eth0 quantum 1514b perturb 10sec
......
qdisc sfq 11: dev eth0 quantum 1514b perturb 10sec
qdisc sfq 10: dev eth0 quantum 1514b perturb 10sec
qdisc sfq 9: dev eth0 quantum 1514b perturb 10sec
qdisc htb 2: dev eth0 r2q 1 default 4 direct_packets_stat 0
qdisc sfq 3: dev eth1 quantum 1514b perturb 10sec
qdisc sfq 138: dev eth1 quantum 1514b perturb 10sec
.....
qdisc sfq 10: dev eth1 quantum 1514b perturb 10sec
qdisc sfq 9: dev eth1 quantum 1514b perturb 10sec
qdisc htb 1: dev eth1 r2q 1 default 2 direct_packets_stat 2
EOF

tc filter show dev eth1:

filter parent 1: protocol ip pref 49151 u32
filter parent 1: protocol ip pref 49151 u32 fh 831: ht divisor 1
filter parent 1: protocol ip pref 49151 u32 fh 831::800 order 2048 key ht 831 bkt 0 flowid 1:3
  match c0a80502/ffffffff at 16
filter parent 1: protocol ip pref 49151 u32 fh 830: ht divisor 1
filter parent 1: protocol ip pref 49151 u32 fh 830::800 order 2048 key ht 830 bkt 0 flowid 1:138
  match 3e57c18a/ffffffff at 16
filter parent 1: protocol ip pref 49151 u32 fh 82f: ht divisor 1
filter parent 1: protocol ip pref 49151 u32 fh 82f::800 order 2048 key ht 82f bkt 0 flowid 1:53
  match c0a80235/ffffffff at 16
filter parent 1: protocol ip pref 49151 u32 fh 82e: ht divisor 1
filter parent 1: protocol ip pref 49151 u32 fh 82e::800 order 2048 key
..... #many lines
filter parent 1: protocol ip pref 49152 u32 fh 802: ht divisor 1
filter parent 1: protocol ip pref 49152 u32 fh 802::800 order 2048 key ht 802 bkt 0 flowid 1:11
  match c0a8010b/ffffffff at 16
filter parent 1: protocol ip pref 49152 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 49152 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:10
  match c0a8010a/ffffffff at 16
filter parent 1: protocol ip pref 49152 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 49152 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:9
  match c0a80109/ffffffff at 16

tc filter show dev eth0:

filter parent 2: protocol ip pref 1 fw
filter parent 2: protocol ip pref 1 fw handle 0x3 classid 2:3
filter parent 2: protocol ip pref 1 fw handle 0x8 classid 2:8
filter parent 2: protocol ip pref 1 fw handle 0x9 classid 2:9
filter parent 2: protocol ip pref 1 fw handle 0xa classid 2:10
filter parent 2: protocol ip pref 1 fw handle 0xb classid 2:11
filter parent 2: protocol ip pref 1 fw handle 0xc classid 2:12
filter parent 2: protocol ip pref 1 fw handle 0xf classid 2:15
filter parent 2: protocol ip pref 1 fw handle 0x11 classid 2:17
...#many lines
filter parent 2: protocol ip pref 1 fw handle 0x97 classid 2:151
filter parent 2: protocol ip pref 1 fw handle 0x98 classid 2:152
filter parent 2: protocol ip pref 1 fw handle 0xbd classid 2:189

tc class show dev eth1:
class htb 1:11 parent 1:1 leaf 11: prio 0 rate 17Kbit ceil 250Kbit burst 1620b cburst 1919b
class htb 1:22 parent 1:1 leaf 22: prio 0 rate 17Kbit ceil 250Kbit burst 1620b
...
class htb 1:189 parent 1:1 leaf 189: prio 0 rate 17Kbit ceil 128Kbit burst 1620b cburst 1762b
class htb 1:1 root rate 900Kbit ceil 900Kbit burst 2751b cburst 2751b
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 17Kbit ceil 250Kbit burst 1620b cburst 1919b
class htb 1:23 parent 1:1 leaf 23: prio 0 rate 17Kbit ceil 250Kbit burst 1620b cburst 1919b
class htb 1:32 parent 1:1 leaf 32: prio 0 rate 17Kbit ceil 250Kbit burst 1620b cburst 1919b
class htb 1:54 parent 1:1 leaf 54: prio 0 rate 17Kbit ceil 64Kbit burst 1620b cburst 1680b
class htb 1:2 parent 1:1 prio 0 rate 10Kbit ceil 10Kbit burst 1611b cburst 1611b
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 17Kbit ceil 250Kbit burst 1620b cburst 1919b
class htb 1:64 parent 1:1 leaf 64: prio 0 rate 17Kbit ceil 250Kbit burst 1620b
....
class htb 1:59 parent 1:1 leaf 59: prio 0 rate 17Kbit ceil 250Kbit burst 1620b cburst 1919b
class htb 1:58 parent 1:1 leaf 58: prio 0 rate 17Kbit ceil 250Kbit burst 1620b cburst 1919b

tc class show dev eth0:
class htb 2:11 parent 2:1 leaf 11: prio 0 rate 15Kbit ceil 100Kbit burst 1618b cburst 1727b
class htb 2:22 parent 2:1 leaf 22: prio 0 rate 15Kbit ceil 100Kbit burst 1618b cburst 1727b
....
class htb 2:1 root rate 800Kbit ceil 800Kbit burst 2623b cburst 2623b
class htb 2:10 parent 2:1 leaf 10: prio 0 rate 15Kbit ceil 100Kbit burst 1618b cburst 1727b
.....
class htb 2:3 parent 2:1 leaf 3: prio 0 rate 15Kbit ceil 256Kbit burst 1618b cburst 1926b
class htb 2:4 parent 2:1 prio 0 rate 10Kbit ceil 10Kbit burst 1611b cburst 1611b

> What do the tc stats look like?
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From ibb_linux@yahoo.com Tue Jul 20 21:12:39 2004
From: ibb_linux@yahoo.com (ibro tj)
Date: Tue, 20 Jul 2004 13:12:39 -0700 (PDT)
Subject: [LARTC] How to configure tc with burstable bandwidth
Message-ID: <20040720201239.84964.qmail@web21505.mail.yahoo.com>

Hello all,

I have a QoS system that is working fine with my present dedicated bandwidth. Now I need to move on to another ISP provider that gives me the opportunity to burst my bandwidth when there is less contention. I want to incorporate the bursting advantage into my script but do not know how. Please, can somebody help with what I need to do to make this possible?

Thanks.
-Ibrahim

From nix4me@cfl.rr.com Wed Jul 21 01:42:45 2004
From: nix4me@cfl.rr.com (nix4me)
Date: Tue, 20 Jul 2004 20:42:45 -0400
Subject: [LARTC] shaping passive ftp traffic
Message-ID: <40FDBC05.4010903@cfl.rr.com>

Hi,

I have tried unsuccessfully to limit my FTP server's send speed in Linux. I have an IPCop Linux firewall/router with 2 NICs. One NIC (eth1) is connected to a 3mbit/384Kbit cable connection and the other (eth0) to a switch. Behind it I have a SuSE Linux box and a Windows box.

On the SuSE box I run proftpd. I need to shape my passive FTP send speed to 34KBytes because if it is maxed out at 45K it slows down all surfing on the entire network.

I have tried running wondershaper-htb on the IPCop firewall and it limits my upload speed, but it still seems to slow down everything else a little bit.
I notice a slow www experience, however my ping times are good.

Is there a simple way to just put a limit on the traffic coming from the passive ports (50000-51000) from my proftpd computer? I just want to set a limit on FTP and not affect anything else.

I have looked at all the documentation and I must admit that I don't understand any of it. It all seems to be too complicated for my needs.

I hope someone out there is doing what I am trying to do.

Thanks,
Mark

From mjoachimiak@poczta.onet.pl Wed Jul 21 15:25:17 2004
From: mjoachimiak@poczta.onet.pl (mjoachimiak@poczta.onet.pl)
Date: Wed, 21 Jul 2004 16:25:17 +0200
Subject: [LARTC] shaping passive ftp traffic
References: <40FDBC05.4010903@cfl.rr.com>
Message-ID: <002701c46f2e$8be891f0$0802a8c0@monster>

I could possibly help, but I'm using tc + htb and don't know anything about wondershaper. If you want a script I could do it for you.

----- Original Message -----
From: "nix4me"
To:
Sent: Wednesday, July 21, 2004 2:42 AM
Subject: [LARTC] shaping passive ftp traffic

From justin.piszcz@mitretek.org Wed Jul 21 16:22:17 2004
From: justin.piszcz@mitretek.org (Piszcz, Justin Michael)
Date: Wed, 21 Jul 2004 11:22:17 -0400
Subject: [LARTC] shaping passive ftp traffic
Message-ID: <2E314DE03538984BA5634F12115B3A4E62E8E8@email1.mitretek.org>

Have you tried limiting the maximum outgoing bandwidth in proftpd itself?

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of mjoachimiak@poczta.onet.pl
Sent: Wednesday, July 21, 2004 10:25 AM
To: lartc; nix4me
Subject: Re: [LARTC] shaping passive ftp traffic

From horst.graffy@wiesbaden.netsurf.de Wed Jul 21 16:35:37 2004
From: horst.graffy@wiesbaden.netsurf.de (Horst Graffy)
Date: Wed, 21 Jul 2004 17:35:37 +0200
Subject: [LARTC] shaping passive ftp traffic
In-Reply-To: <40FDBC05.4010903@cfl.rr.com>
References: <40FDBC05.4010903@cfl.rr.com>
Message-ID: <200407211735.40717.horst.graffy@wiesbaden.netsurf.de>

On Wednesday, 21 July 2004 02:42, nix4me wrote:
> Hi,
>
> I have tried unsuccessfully to limit my ftp server send speed in linux.
> I have an ipcop linux firewall/router with 2 nics. 1 nic (eth1) is
> connected to a 3mbit/384Kbit cable connection and the other (eth0) a
> switch. Behind it i have a suse linux box and a windows box.
>
> On the suse box i run proftpd. I need to shape my passive ftp send
> speed to 34KBytes because if it is maxed out at 45K it slows down all
> surfing on the entire network.

You can use an FTP proxy (for example jftpgw). A feature of this proxy is limiting the speed of FTP connections. The URL: http://www.mcknight.de/jftpgw

I'm using it as a transparent proxy only to limit the download speed of my little power-downloaders ;) and don't cache the downloaded files.

Toni

From mjoachimiak@poczta.onet.pl Wed Jul 21 17:30:54 2004
From: mjoachimiak@poczta.onet.pl (mjoachimiak@poczta.onet.pl)
Date: Wed, 21 Jul 2004 18:30:54 +0200
Subject: [LARTC] shaping passive ftp traffic
References: <2E314DE03538984BA5634F12115B3A4E62E8E8@email1.mitretek.org>
Message-ID: <001601c46f40$1ae657f0$0802a8c0@monster>

No, I didn't, but I've seen that it is possible to get FTP into one class and the rest of the traffic into the other class while using tc + htb. My traffic shaping is done by IP.

> Have you tried limiting the maximum outgoing bandwidth in proftpd
> itself?

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of mjoachimiak@poczta.onet.pl
Sent: Wednesday, July 21, 2004 10:25 AM
To: lartc; nix4me
Subject: Re: [LARTC] shaping passive ftp traffic

From mjoachimiak@poczta.onet.pl Wed Jul 21 19:18:26 2004
From: mjoachimiak@poczta.onet.pl (mjoachimiak@poczta.onet.pl)
Date: Wed, 21 Jul 2004 20:18:26 +0200
Subject: [LARTC] : HTB - Really Big problem
References: <002201c46e60$2c96c290$0802a8c0@monster> <40FD3E5D.5040101@wildgooses.com> <005c01c46e76$9e741320$0802a8c0@monster>
Message-ID: <004701c46f4f$1e33b060$0802a8c0@monster>

I've found that I have messages like this in /var/log/messages:

Jul 20 20:11:26 (none) last message repeated 9 times
Jul 20 20:11:30 (none) kernel: NET: 173 messages suppressed.
Jul 20 20:11:30 (none) kernel: dst cache overflow
Jul 20 20:12:59 (none) kernel: NET: 14 messages suppressed.

----- Original Message -----
From:
To: "lartc"
Sent: Tuesday, July 20, 2004 6:28 PM
Subject: Re: [LARTC] Fw: HTB - Really Big problem

From kraquen@kraquen.com Wed Jul 21 21:54:00 2004
From: kraquen@kraquen.com (kraquen@kraquen.com)
Date: Wed, 21 Jul 2004 14:54:00 -0600 (MDT)
Subject: [LARTC] tc script stopped working
Message-ID: <4599.128.170.8.127.1090443240.squirrel@128.170.8.127>

I've used tc in the past for shaping; upon learning of tcng, I redid my config and load it using tcc. I thought this was great, as the new script is much easier to maintain and is so much simpler. The new script was working for about a week, then it stopped working. I now get this error:

can't dump subexpression (if_u32.c, unsupported offset sequence - please try to reorder matches)
[&&]--[offset]--[==]--[&]--[access]-- (none) | | | | +-------- 0 | | | | `-------- 16 | | | `--- 65535 | | `---- 22 | `--------[<<]--[&]--[access]-- (none) | | | +-------- 0 | | | `-------- 8 | | `--- 15 | `---- 2 `----[&&]--[==]--[&]--[access]-- (none) | | | +-------- 1 | | | `-------- 8 | | `--- 16 | `---- 16 `----

I'm not sure when or why it stopped working, but I have a habit of doing apt-get update; apt-get upgrade on Debian unstable and not paying attention to what gets updated, so I may have gotten a new version of tcng without realizing it.
Anyway, to get to the point, it is not obvious to me which line is causing the trouble from that error message. Without knowing which line to focus on, it's hard for me to proceed with troubleshooting. Could any of you who are more familiar with tcng help me with this error?

Thanks,
Jason

From jasonb@edseek.com Wed Jul 21 22:36:51 2004
From: jasonb@edseek.com (Jason Boxman)
Date: Wed, 21 Jul 2004 17:36:51 -0400
Subject: [LARTC] tc script stopped working
In-Reply-To: <4599.128.170.8.127.1090443240.squirrel@128.170.8.127>
References: <4599.128.170.8.127.1090443240.squirrel@128.170.8.127>
Message-ID: <200407211736.51486.jasonb@edseek.com>

On Wednesday 21 July 2004 16:54, kraquen@kraquen.com wrote:
> I've used tc in the past for shaping, upon learning of tcng, I redid my
> config, and load it using tcc.
> I thought this was great, as the new script is much easier to maintain,
> and is so much simpler.
> The new script was working for about a week, then it stopped working.
> I now get this error:
> can't dump subexpression (if_u32.c, unsupported offset sequence - please
> try to reorder matches)

This is due to an unresolved bug that is now simply fatal to encounter. (It failed silently before.) You're matching for something, like a tcp_ACK flag, before doing something like an ip_len match. Since the latter comes first in the packet, you need to match for it first in your configuration. At least, that's what I recall the correct solution was.

> I'm not sure when or why it stopped working, but I have a habit of doing
> apt-get update;apt-get upgrade on debian unstable and not paying attention
> to what gets updated.. so I may have gotten a new version of tcng without
> realizing it.

You did. You may wish to install apt-listchanges to view the full changelog for each package when you do an `apt-get upgrade` in the future.

> Anyway, to get to the point, it is not obvious to me which line is causing
> the trouble from that error message.
> Without knowing which line to focus
> on, it's hard for me to proceed with troubleshooting.

It's some line where you match into the header for some TCP, et al. option and then later try to match some IP header option.

> Could any of you who are more familiar with tcng help me with this error?
>
> Thanks,
> Jason
>

From Glen.Mabey@usu.edu Thu Jul 22 00:07:01 2004
From: Glen.Mabey@usu.edu (Glen Mabey)
Date: Wed, 21 Jul 2004 17:07:01 -0600
Subject: [LARTC] kernel assertion error
Message-ID: <20040721230701.GA3273@mabeys.dsl.aros.net>

I'm running 2.6.7 + (julian's multi-path patch) + IMQ (imq2+beta6) and I got the following on my console while doing some stress testing:

KERNEL: assertion (tp->retrans_out == 0) failed at net/ipv4/tcp_input.c (1827)

I don't know what I would do to try to reproduce this condition; it only appeared once. tcp_input.c sounds deep enough to scare me off from looking ...

So, I wonder if this error has any significance to anyone listening on the list, and what, if anything, I should do about it.

Thanks --
Glen Mabey

--
******************************************************************
Glen W. Mabey
Glen.Mabey@usu.edu
http://mabeys.homelinux.com/glen/
******************************************************************

From Glen.Mabey@usu.edu Wed Jul 21 23:52:15 2004
From: Glen.Mabey@usu.edu (Glen Mabey)
Date: Wed, 21 Jul 2004 16:52:15 -0600
Subject: [LARTC] list archive anomaly
Message-ID: <20040721225214.GA3171@mabeys.dsl.aros.net>

At the list archive page (http://mailman.ds9a.nl/pipermail/lartc/) there is an amazing message from the future: the year 2032 (q1).

Not that I know anything about mailman, but someone might want to "maintain" that.

--
******************************************************************
Glen W.
Mabey Glen.Mabey@usu.edu http://mabeys.homelinux.com/glen/
******************************************************************

From yuval@cablemx.com Thu Jul 22 14:20:46 2004
From: yuval@cablemx.com (Yuval Lifshitz)
Date: Thu, 22 Jul 2004 15:20:46 +0200
Subject: [LARTC] Setkey
Message-ID: <20040722122408.LWOK5126.imta01a2.registeredsite.com@yuval>

I use ipsec on my Linux machine (Fedora 2 Core), and control it using "setkey" scripts. Does anyone know of a C interface/library that will enable me to control it from C code? The "setkey" C function is something completely different.

Yuval Lifshitz
CableMatrix Inc.

From lists@ceskyserver.cz Thu Jul 22 18:58:40 2004
From: lists@ceskyserver.cz (Antonin Karasek)
Date: Thu, 22 Jul 2004 19:58:40 +0200
Subject: [LARTC] HTB & tc
Message-ID: <41000050.707@ceskyserver.cz>

Hi,
I'm trying to get simple shaping running *through HTB*. I have compiled a new kernel 2.4.21.

First command from http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm said:
# tc qdisc add dev eth0 root handle 1: htb default 12
RTNETLINK answers: Invalid argument

I tried both standard tc from Debian stable and http://luxik.cdi.cz/~devik/qos/htb/v2/tc.gz this one...

I tried htb.init-v0.8.5 from SourceForge with htb-lartc.tar.gz configuration from the same site. The script doesn't report any error, but:
skatach:~/bin# ./htb.init-v0.8.5 start
skatach:~/bin# tc filter show dev eth0
skatach:~/bin# tc class show dev eth0
skatach:~/bin# tc qdisc show

As I guess, it means that there isn't any class. It isn't what I want :(

Any ideas where the problem can be?

Many thanks.

From waruiinu@gmail.com Thu Jul 22 10:59:25 2004
From: waruiinu@gmail.com (George Alexandru Dragoi)
Date: Thu, 22 Jul 2004 11:59:25 +0200
Subject: [LARTC] Problems routing mail to particular interface
In-Reply-To: <200407212002.32976.jens@pacificsun.ca>
References: <200407212002.32976.jens@pacificsun.ca>
Message-ID: <3063e504072202596705f5cd@mail.gmail.com>

Is the 192.168.1.2 an ip on the router?
If yes, you'll have to mark in OUTPUT, not PREROUTING. Also, after you set up the rules and routes, did you do an
ip route flush cache
?

I hope this works

On Wed, 21 Jul 2004 20:02:32 -0700, Jens wrote:
> I have a particular problem that has caused me grief for some time now and
> even though the answer is probably very basic, it has eluded me. I would
> appreciate any help or pointers in the right direction.
>
> I have two links to the internet, one via cable and one via adsl. Although I
> would want to add redundancy at a later time, all I want to get working now
> is that mail from my server goes out via the adsl link (it's a fixed IP and I
> am running into too many cases where my cable account with its dynamic IP is
> blocked by other mail servers).
> I have spent considerable time trying to wrap my brain around ip tables,
> routing and the such. Although I only see a slight ray of hope in ever
> understanding the subject completely, my current problem doesn't (at first
> glance) seem to require a degree in rocket science. I have set up two routing
> tables (adsl and shaw). I mark packets with "iptables -t mangle -A PREROUTING
> -p tcp --dport 25 -s 192.168.1.2 -j MARK --set-mark 1" and use "ip rule add
> fwmark 1 table adsl". To my understanding, the result of this is that every
> packet from 192.168.1.2 that comes out of my mail server via port 25 will get
> marked with '1' and that routing is decided via table adsl. The adsl table
> has a default route via the adsl line. There is also a separate default
> gateway set up in the regular routing table to go via the cable connection.
> I seem to be missing something because I get the following result .... if I
> telnet from my mail server (192.168.1.2) to another mail server via port 25,
> I get a timeout. If I telnet to the same server via port 80 I get the connect
> message from the other end.
To me, this seems to indicate that port 25 > messages are marked and are routed differently from the port 80 messages - > just like I would expect. The question is, why the heck am I not getting > anywhere on port 25. The same setup going to the default cable provider works > just fine - this leads me to believe that I don't have anything in the > router/firewall impeding the traffic. > What am I missing ???? > Is there any way to trace how my attempts at telnetting thru port 25 are > handled by the router ? > I would be happy to post any further information needed to sort this out. > > Jens > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > From adamt@commspeed.net Thu Jul 22 23:07:46 2004 From: adamt@commspeed.net (Adam Towarnyckyj) Date: Thu, 22 Jul 2004 15:07:46 -0700 Subject: [LARTC] TC Hashing Filters In-Reply-To: <40F74D50.9E5AFB13@iswest.com> Message-ID: <01fc01c47038$51d687f0$903113d8@uranus> Dear list, After much code crunching and beating my head against the wall (literally), I discovered the faulty code. Thanks mostly to gypsy who played a huge role in helping me discover the problem. My tc filter line had an error in it which completely baffles me because it worked up until 2045 lines were entered. Old command: tc filter add dev $dev protocol ip parent 12: u32 ht 2:$table1: ht 3:$table2: match ip dst $ip/32 flowid 12:$classid New command: tc filter add dev $dev protocol ip parent 12: prio 5 u32 ht 2:$table1: ht 3:$table2: match ip dst $ip/32 flowid 12:$classid Who would have thought that a prio would cause that much trouble? I mean, I know in the documentation it says that it is required for CLASS commands, but since there's nothing on filters, I had no clue. And usually if a command requires a parameter, it will error immediately and not wait for 2045 entries. 
Also, why the hell would the priority cause a problem like that to begin with?! Weird. Anyways, THANKS EVERYONE! (gypsy, Catalin, and Ed especially) It all works, it's very resource friendly, and all is good again (and I get to keep my job)! The processor is only about 20% in use now. I'm very grateful for the hashing filter suggestion from Ed. Thanks a ton. I will be posting a How To shortly so others can do the same if they ever need to. Thanks again! Adam Towarnyckyj -----Original Message----- From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of gypsy Sent: Thursday, July 15, 2004 8:37 PM To: adamt@commspeed.net; LARTC Subject: Re: [LARTC] TC Hashing Filters Adam Towarnyckyj wrote: > Any tc filter command I try to > add from here on out gives me the same error even if I try it manually > instead of using the script. Adam, That is a killer. Please read the following and then, when we both have the same information, I'm going to try again to assist you. HINT TO READERS: I hope someone else will help us both because I have obligations that I'm stealing time from that I can ill afford. There is a LARTC mailing list thread dated (about) 24 thru 26 June 2003 between Trevor Warren and Michael Ulitskiy whose Subject is "u32 clarification...limits on 2000>???" Please use your favorite method to find it. Note that there may be kernel issues not mentioned by them; kernels change. I'd like to suggest that you see if anyone involved in that thread will send you a testing script; perhaps you could find a way to start with a working setup and then apply minor changes until either it breaks or it suits you. 
From waruiinu@gmail.com Thu Jul 22 22:17:21 2004
From: waruiinu@gmail.com (George Alexandru Dragoi)
Date: Fri, 23 Jul 2004 00:17:21 +0300
Subject: [LARTC] Problems routing mail to particular interface
In-Reply-To: <200407221217.27634.jens@pacificsun.ca>
References: <200407212002.32976.jens@pacificsun.ca> <3063e504072202596705f5cd@mail.gmail.com> <200407221217.27634.jens@pacificsun.ca>
Message-ID: <3063e50407221417798d7899@mail.gmail.com>

A good thing would be to give a full description of your network setup, interfaces and so on; maybe there should be stuff like -s 192... -d ! 192../24

On Thu, 22 Jul 2004 12:17:27 -0700, Jens wrote:
> 192.168.1.2 is the mail server which goes to 192.168.1.1 which is the firewall
> that has the routing script and routes to one of two external interfaces. I
> used PREROUTING based on some how-to's but have never really thought about
> exactly where the marking should take place. It seemed to me that PREROUTING
> was a good choice for marking since the routing rules which depend on the
> marking follow that.
>
> The flushing is something that got me before but which I am watching like a
> hawk now :)
>
> Jens
>
>
>
> On Thursday 22 July 2004 02:59, George Alexandru Dragoi wrote:
> > Is the 192.168.1.2 an ip on the router? If yes, you'll have to mark in
> > OUTPUT, not PREROUTING. Also, after you set up the rules and routes,
> > did you do an
> > ip route flush cache
> > ?
> >
> > I hope this works
> >
> > On Wed, 21 Jul 2004 20:02:32 -0700, Jens wrote:
> > > I have a particular problem that has caused me grief for some time now
> > > and even though the answer is probably very basic, it has eluded me. I
> > > would appreciate any help or pointers in the right direction.
> > >
> > > I have two links to the internet, one via cable and one via adsl.
> > > Although I would want to add redundancy at a later time, all I want to
> > > get working now is that mail from my server goes out via the adsl link
> > > (it's a fixed IP and I am running into too many cases where my cable
> > > account with its dynamic IP is blocked by other mail servers).
> > > I have spent considerable time trying to wrap my brain around ip tables,
> > > routing and the such. Although I only see a slight ray of hope in ever
> > > understanding the subject completely, my current problem doesn't (at
> > > first glance) seem to require a degree in rocket science. I have set up
> > > two routing tables (adsl and shaw). I mark packets with "iptables -t
> > > mangle -A PREROUTING -p tcp --dport 25 -s 192.168.1.2 -j MARK --set-mark
> > > 1" and use "ip rule add fwmark 1 table adsl". To my understanding, the
> > > result of this is that every packet from 192.168.1.2 that comes out of my
> > > mail server via port 25 will get marked with '1' and that routing is
> > > decided via table adsl. The adsl table has a default route via the adsl
> > > line. There is also a separate default gateway set up in the regular
> > > routing table to go via the cable connection. I seem to be missing
> > > something because I get the following result .... if I telnet from my
> > > mail server (192.168.1.2) to another mail server via port 25, I get a
> > > timeout. If I telnet to the same server via port 80 I get the connect
> > > message from the other end. To me, this seems to indicate that port 25
> > > messages are marked and are routed differently from the port 80 messages
> > > - just like I would expect. The question is, why the heck am I not
> > > getting anywhere on port 25. The same setup going to the default cable
> > > provider works just fine - this leads me to believe that I don't have
> > > anything in the router/firewall impeding the traffic.
> > > What am I missing ????
> > > Is there any way to trace how my attempts at telnetting thru port 25 are
> > > handled by the router ?
> > > I would be happy to post any further information needed to sort this out.
> > >
> > > Jens
>

From waruiinu@gmail.com Thu Jul 22 22:41:14 2004
From: waruiinu@gmail.com (George Alexandru Dragoi)
Date: Fri, 23 Jul 2004 00:41:14 +0300
Subject: [LARTC] HTB & tc
In-Reply-To: <41000050.707@ceskyserver.cz>
References: <41000050.707@ceskyserver.cz>
Message-ID: <3063e504072214412c0d7111@mail.gmail.com>

OT: Dudes, why do I have to re-edit the To field and delete the CC field? Gmail sees this as spam.

Now, make sure you compiled the kernel with htb; the latest stable kernel is 2.4.26 or 2.6.7.

On Thu, 22 Jul 2004 19:58:40 +0200, Antonin Karasek wrote:
> Hi,
> I'm trying to get simple shaping running *through HTB*. I have compiled a
> new kernel 2.4.21.
>
> First command from
> http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
> said:
> # tc qdisc add dev eth0 root handle 1: htb default 12
> RTNETLINK answers: Invalid argument
>
> I tried both standard tc from Debian stable and
> http://luxik.cdi.cz/~devik/qos/htb/v2/tc.gz
> this one...
>
> I tried htb.init-v0.8.5 from SourceForge with htb-lartc.tar.gz
> configuration from the same site.
The script doesn't report any error, but : > skatach:~/bin# ./htb.init-v0.8.5 start > skatach:~/bin# tc filter show dev eth0 > skatach:~/bin# tc class show dev eth0 > skatach:~/bin# tc qdisc show > > As I guess, it means, that there isn't any class. It isn't, what I want :( > > Any ideas, where the problem can be? > > Many thanks. > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > From waruiinu@gmail.com Fri Jul 23 00:50:41 2004 From: waruiinu@gmail.com (George Alexandru Dragoi) Date: Fri, 23 Jul 2004 02:50:41 +0300 Subject: [LARTC] Problems routing mail to particular interface In-Reply-To: <200407221616.21917.jens@pacificsun.ca> References: <200407212002.32976.jens@pacificsun.ca> <200407221217.27634.jens@pacificsun.ca> <3063e50407221417798d7899@mail.gmail.com> <200407221616.21917.jens@pacificsun.ca> Message-ID: <3063e504072216502cc9059b@mail.gmail.com> Hehe, maybe it is this: iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE On Thu, 22 Jul 2004 16:16:21 -0700, Jens wrote: > On Thursday 22 July 2004 14:17, George Alexandru Dragoi wrote: > > A good think would be to give a full description to your network > > setup, interfaces and so on, maybe there should be stuff like -s > > 192... -d ! 192../24 > > Ok .... > I have two lines to the internet, each on their own interface on a debian > based firewall box. Eth0 goes to my cable provider and is set up dynamically, > eth1 goes to my adsl provider on a static ip 64.114.148.101. > Also in the firewall box are two additional interface cards - one for a DMZ > (eth3, 192.168.1.1) and one for all the regular users (eth2, 192.168.0.1). > The DMZ loop only has a single machine on it with ip 192.168.1.2. > The firewall is implemented via shorewall which sets up the various rules for > ipchains. > The DMZ box has a postfix mail server on it. 
All local users send to the > server and it then relays out the mail via the firewall box to the outside > world. > Is this sufficient information or do you require additional info ? > > I've been messing around doing some more tests which have me more confused. As > mentioned earlier, I mark all packets going to port 25 from the server box > with a '1'. I then set up a rule that is inserted right before the 'main' > rule to use table adsl whenever a fwmark of '1' is found. Table adsl just has > a default gateway via eth1 in it. The 'main' table has a default gw via eth0. > Leaving everything the same and just playing with the test for fwmark '1', if > I telnet from the server box to a local ISP port 25 I get either a connection > (no fwmark branch) or nothing (fwmark branch). If I switch the default gw in > the 'main' table to point to my adsl provider and telnet from the server box > to the ISP I can connect fine. This seems to indicate that the potential link > generated with the adsl table 'should' work fine but of course it doesn't. > Further, playing with the routing cache, it would appear that the fwmark test > is actually performing as should and the port 25 connection is in fact routed > via the adsl line (while having the cable line as default in the 'main' > table). I am now wondering if there is some protocol happening that isn't > allowed to proceed correctly ..... when I try to establish a telnet > connection on port 25 to the local ISP from the server box, is there anything > happening on any other port that has to be re-routed ? Could it be that some > other part of the protocol goes thru a different port, doesn't get the fwmark > and actually decides to go out the main default gateway (the cable > connection) ? My mail DNS entry points to the cable connection BTW .... > > .... my brain hurts .... 
> > > > Jens
>

From nix4me@cfl.rr.com Fri Jul 23 01:08:03 2004
From: nix4me@cfl.rr.com (nix4me)
Date: Thu, 22 Jul 2004 20:08:03 -0400
Subject: [LARTC] marking and shaping outbound passive ftp traffic
Message-ID: <410056E3.1040107@cfl.rr.com>

Will the following rules work to mark and shape OUTBOUND ftp speed (passive ftp ports 50000-60000) on my linux server?
I want to be able to run these commands on the actual computer that is running the ftp server.

iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I POSTROUTING -o eth0 -j MYSHAPER-OUT
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 50000:60000 -j MARK --set-mark 1
tc class add dev eth0 mark 1 htb rate 10 kbit

I tried it but the tc line fails with "Error: Qdisc "mark" is classless."

Any help would be greatly appreciated.

Mark

From waruiinu@gmail.com Thu Jul 22 22:28:24 2004
From: waruiinu@gmail.com (George Alexandru Dragoi)
Date: Fri, 23 Jul 2004 00:28:24 +0300
Subject: [LARTC] Problems routing mail to particular interface
In-Reply-To: <200407221217.27634.jens@pacificsun.ca>
References: <200407212002.32976.jens@pacificsun.ca> <3063e504072202596705f5cd@mail.gmail.com> <200407221217.27634.jens@pacificsun.ca>
Message-ID: <3063e50407221428a8e52f9@mail.gmail.com>

A good thing would be to give a full description of your network setup, interfaces and so on; maybe there should be stuff like -s 192... -d ! 192../24

On Thu, 22 Jul 2004 12:17:27 -0700, Jens wrote:
> 192.168.1.2 is the mail server which goes to 192.168.1.1 which is the firewall
> that has the routing script and routes to one of two external interfaces. I
> used PREROUTING based on some how-to's but have never really thought about
> exactly where the marking should take place.
> It seemed to me that PREROUTING
> was a good choice for marking since the routing rules which depend on the
> marking follow that.
>
> The flushing is something that got me before but which I am watching like a
> hawk now :)
>
> Jens
>
>
>
> On Thursday 22 July 2004 02:59, George Alexandru Dragoi wrote:
> > Is the 192.168.1.2 an ip on the router? If yes, you'll have to mark in
> > OUTPUT, not PREROUTING. Also, after you set up the rules and routes,
> > did you do an
> > ip route flush cache
> > ?
> >
> > I hope this works
> >
> > On Wed, 21 Jul 2004 20:02:32 -0700, Jens wrote:
> > > I have a particular problem that has caused me grief for some time now
> > > and even though the answer is probably very basic, it has eluded me. I
> > > would appreciate any help or pointers in the right direction.
> > >
> > > I have two links to the internet, one via cable and one via adsl.
> > > Although I would want to add redundancy at a later time, all I want to
> > > get working now is that mail from my server goes out via the adsl link
> > > (it's a fixed IP and I am running into too many cases where my cable
> > > account with its dynamic IP is blocked by other mail servers).
> > > I have spent considerable time trying to wrap my brain around ip tables,
> > > routing and the such. Although I only see a slight ray of hope in ever
> > > understanding the subject completely, my current problem doesn't (at
> > > first glance) seem to require a degree in rocket science. I have set up
> > > two routing tables (adsl and shaw). I mark packets with "iptables -t
> > > mangle -A PREROUTING -p tcp --dport 25 -s 192.168.1.2 -j MARK --set-mark
> > > 1" and use "ip rule add fwmark 1 table adsl". To my understanding, the
> > > result of this is that every packet from 192.168.1.2 that comes out of my
> > > mail server via port 25 will get marked with '1' and that routing is
> > > decided via table adsl. The adsl table has a default route via the adsl
> > > line.
There is also a separate default gateway set up in the regular > > > routing table to go via the cable connection. I seem to be missing > > > something because I get the following result .... if I telnet from my > > > mail server (192.168.1.2) to another mail server via port 25, I get a > > > timeout. If I telnet to the same server via port 80 I get the connect > > > message from the other end. To me, this seems to indicate that port 25 > > > messages are marked and are routed differently from the port 80 messages > > > - just like I would expect. The question is, why the heck am I not > > > getting anywhere on port 25. The same setup going to the default cable > > > provider works just fine - this leads me to believe that I don't have > > > anything in the router/firewall impeding the traffic. > > > What am I missing ???? > > > Is there any way to trace how my attempts at telnetting thru port 25 are > > > handled by the router ? > > > I would be happy to post any further information needed to sort this out. 
> > > > > > Jens
>

From waruiinu@gmail.com Fri Jul 23 01:33:11 2004
From: waruiinu@gmail.com (George Alexandru Dragoi)
Date: Fri, 23 Jul 2004 03:33:11 +0300
Subject: [LARTC] Problems routing mail to particular interface
In-Reply-To: <200407221708.14867.jens@pacificsun.ca>
References: <200407212002.32976.jens@pacificsun.ca> <200407221616.21917.jens@pacificsun.ca> <3063e504072216502cc9059b@mail.gmail.com> <200407221708.14867.jens@pacificsun.ca>
Message-ID: <3063e504072217333cecca15@mail.gmail.com>

I think there must be an SNAT/MASQUERADE for packets going out your router from DMZ

Try also the following things:
install ROUTE extension from POM
iptables -t mangle -A POSTROUTING -s 192.168.1.2 -p tcp --dport 25 -d ! 192.168.0.0/16 -j ROUTE --oif eth1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Anyway, somehow it should work when the routes were made by iproute2

On Thu, 22 Jul 2004 17:08:14 -0700, Jens wrote:
> On Thursday 22 July 2004 16:50, George Alexandru Dragoi wrote:
> > Hehe, maybe it is this:
> > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> Well I wouldn't be surprised if it was something as stupid as that. I tried
> your suggestion but no luck :( ..... but it could easily be something along
> similar lines. I will have to think thru this a bit more.
>
> I will try and see if tcpdump can tell me what is happening but I sure wish
> there was something easier available where you can follow the packet and see
> exactly what is happening and where .....
>
>
>
> Jens
>

From CARRIGB@ITCARLOW.IE Fri Jul 23 10:45:43 2004
From: CARRIGB@ITCARLOW.IE (Brian Carrig)
Date: Fri, 23 Jul 2004 10:45:43 +0100
Subject: [LARTC] Problems routing mail to particular interface
In-Reply-To: <200407221708.14867.jens@pacificsun.ca>
References: <3063e504072216502cc9059b@mail.gmail.com>
Message-ID: <4100EC57.6666.14A7C8E9@ITCARLOW.IE>

You could try adding a rule to each table with a "-j LOG" target (logging to standard out). This would allow you to see how the packet is mangled/handled at each step and what tables it traverses ... That's what I usually do when I'm stuck.

Regards
Brian

On 22 Jul 2004 at 17:08, Jens wrote:
> On Thursday 22 July 2004 16:50, George Alexandru Dragoi wrote:
> > Hehe, maybe it is this:
> > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> Well I wouldn't be surprised if it was something as stupid as that. I tried
> your suggestion but no luck :( ..... but it could easily be something along
> similar lines. I will have to think thru this a bit more.
>
> I will try and see if tcpdump can tell me what is happening but I sure wish
> there was something easier available where you can follow the packet and see
> exactly what is happening and where .....
>
> Jens

--
Brian Carrig
Department of Computing & Networking
Institute of Technology, Carlow
Tel.
No.: +353 59 9176209

From gypsy@iswest.com Fri Jul 23 15:06:45 2004
From: gypsy@iswest.com (gypsy)
Date: Fri, 23 Jul 2004 07:06:45 -0700
Subject: [LARTC] Please document this
Message-ID: <41011B75.238F1C4F@iswest.com>

Stephen,

This REALLY needs to be fixed in the code; tc should reject as a syntax error any "add filter" command that does not include a "prio" parameter. It also needs to be documented.

=== From LARTC mailing list ===
> Dear list,
> After much code crunching and beating my head against the wall
> (literally), I discovered the faulty code. Thanks mostly to gypsy who
> played a huge role in helping me discover the problem. My tc filter line
> had an error in it which completely baffles me because it worked up
> until 2045 lines were entered.
>
> Old command:
> tc filter add dev $dev protocol ip parent 12: u32 ht 2:$table1: ht
> 3:$table2: match ip dst $ip/32 flowid 12:$classid
>
> New command:
> tc filter add dev $dev protocol ip parent 12: prio 5 u32 ht 2:$table1:
> ht 3:$table2: match ip dst $ip/32 flowid 12:$classid
>
> Who would have thought that a prio would cause that much trouble?
Thanks, gypsy From waruiinu@gmail.com Fri Jul 23 06:40:21 2004 From: waruiinu@gmail.com (George Alexandru Dragoi) Date: Fri, 23 Jul 2004 08:40:21 +0300 Subject: [LARTC] Problems routing mail to particular interface In-Reply-To: <200407222105.43514.jens@pacificsun.ca> References: <200407212002.32976.jens@pacificsun.ca> <200407221708.14867.jens@pacificsun.ca> <3063e504072217333cecca15@mail.gmail.com> <200407222105.43514.jens@pacificsun.ca> Message-ID: <3063e504072222403ebd1f57@mail.gmail.com> http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-ROUTE It is an iptables extension to force some packets to get routed elsewhere than the routing table says. On www.netfilter.org you'll see more about what patch-o-matic is. I think this extension is for pom-ng, patch-o-matic-ng for 2.6 kernels On Thu, 22 Jul 2004 21:05:43 -0700, Jens wrote: > On Thursday 22 July 2004 17:33, George Alexandru Dragoi wrote: > > > Try also following things: > > install ROUTE extension from POM > > Could you explain this one please ? I don't know what you are talking about. > > Thanks > > > > Jens > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > From shemminger@osdl.org Fri Jul 23 17:28:01 2004 From: shemminger@osdl.org (Stephen Hemminger) Date: Fri, 23 Jul 2004 09:28:01 -0700 Subject: [LARTC] Re: Please document this In-Reply-To: <41011B75.238F1C4F@iswest.com> References: <41011B75.238F1C4F@iswest.com> Message-ID: <20040723092801.264f485b@dell_ss3.pdx.osdl.net> On Fri, 23 Jul 2004 07:06:45 -0700 gypsy wrote: > Stephen, > > This REALLY needs to be fixed in the code; tc should reject as a syntax > error any "add filter" command that does not include a "prio" > parameter. It also needs to be documented. > > === From LARTC mailing list === > > Dear list, > > After much code crunching and beating my head against the wall > > (literally), I discovered the faulty code. 
Thanks mostly to gypsy who > > played a huge role in helping me discover the problem. My tc filter line > > had an error in it which completely baffles me because it worked up > > until 2045 lines were entered. > > > > Old command: > > tc filter add dev $dev protocol ip parent 12: u32 ht 2:$table1: ht > > 3:$table2: match ip dst $ip/32 flowid 12:$classid > > > > New command: > > tc filter add dev $dev protocol ip parent 12: prio 5 u32 ht 2:$table1: > > ht 3:$table2: match ip dst $ip/32 flowid 12:$classid > > > > Who would have thought that a prio would cause that much trouble? > > Thanks, > gypsy I'll get to it but not right away. If you want something fixed sooner submit your patch. From stef.coene@docum.org Fri Jul 23 18:40:07 2004 From: stef.coene@docum.org (Stef Coene) Date: Fri, 23 Jul 2004 19:40:07 +0200 Subject: [LARTC] marking and shaping outbound passive ftp traffic In-Reply-To: <410056E3.1040107@cfl.rr.com> References: <410056E3.1040107@cfl.rr.com> Message-ID: <200407231940.07242.stef.coene@docum.org> On Friday 23 July 2004 02:08, nix4me wrote: > Will the following rules work to mark and shape OUTBOUND ftp speed > (passive ftp ports 50000-60000) on my linux server? > I want to be able to run these commands on the actual computer that is > running the ftp server. > > > iptables -t mangle -N MYSHAPER-OUT > iptables -t mangle -I POSTROUTING -o eth0 -j MYSHAPER-OUT > iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 50000:60000 -j MARK > --set-mark 1 > tc class add dev eth0 mark 1 htb rate 10 kbit > > I tried it but the tc line fails with "Error: Qdisc "mark" is classless." See the lartc.org howto and docum.org for htb and filter examples. 
Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ From stef.coene@docum.org Fri Jul 23 18:45:51 2004 From: stef.coene@docum.org (Stef Coene) Date: Fri, 23 Jul 2004 19:45:51 +0200 Subject: [LARTC] tc+mrtg In-Reply-To: <014f01c46e1c$78427f20$15a02bca@gsd03> References: <20040717045930.16945.73460.Mailman@outpost.ds9a.nl> <40FBD0FA.7060100@draxinusom.ch> <014f01c46e1c$78427f20$15a02bca@gsd03> Message-ID: <200407231945.51807.stef.coene@docum.org> On Tuesday 20 July 2004 07:43, Kristiadi Himawan wrote: > I already use an external script that fetches the iptables mangle table > PREROUTING and POSTROUTING counters. > But the traffic isn't really accurate, i found when there's bulk UDP > traffic coming to the shaper, my mrtg shows > the traffic bigger than the allocated bandwidth for that class. So the > question, is it possible to make a script from the tc command, > that counts the bandwidth actually passing through the shaper. You can patch snmp so you can get the tc counters and process them in a custom script or use mrtg: http://www.docum.org/docum.org/tc-snmp/ Stef -- stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/ From dyna@tri-oxyde.org Fri Jul 23 20:29:55 2004 From: dyna@tri-oxyde.org (Julien) Date: Fri, 23 Jul 2004 21:29:55 +0200 Subject: [LARTC] routing mail on a different gateway Message-ID: <41016733.9090702@tri-oxyde.org> Hi, I have a linux box with two dsl modems on it (connection is done via pppoe), I'm trying to route default traffic on the primary connection (ppp0) and mail traffic on another one (ppp1). This traffic will come from the localhost. I run Slackware 9.1 (Kernel 2.4.22), recompiled with necessary options for using iproute2. According to the advanced routing howto, I did the following : iptables -A OUTPUT -t mangle -p tcp --dport 25 -j MARK --set-mark 1 I use "-A OUTPUT" since I want to alter locally generated packets. 
echo 201 mail.out >> /etc/iproute2/rt_tables ip rule add fwmark 1 table mail.out /sbin/ip route add default via [Second's ISP Gateway] dev ppp1 table mail.out I get no error message, and ip rule ls and ip route show params were recorded, iptables -t mangle -lnV shows no problem too. When I do telnet smtp.someisp.com 25, I see with tcpdump the packets going out through the interface ppp1 : 14:32:40.693429 62.212.120.196.34515 > 193.252.22.80.smtp: S 4069327741:4069327741(0) win 5808 (DF) [tos 0x10] But the problem is that they are originated from 62.212.120.196, which is the ip of ppp0, not ppp1. So packets can't take the way back. How can I change the "from" ip of packets that are routed through ppp1 ? Thanks for your help. Julien PS: I did a quite similar post in the netfilter list, and thanks to the guys there I succeeded in solving the base problem (at start no packet was going out at all on ppp1) but now I know that lartc list exists, I think asking here is better. From dyna@tri-oxyde.org Sat Jul 24 12:18:52 2004 From: dyna@tri-oxyde.org (Julien) Date: Sat, 24 Jul 2004 13:18:52 +0200 Subject: [LARTC] routing mail on a different gateway In-Reply-To: <4101A4D7.50104@jound.net> References: <4101A4D7.50104@jound.net> Message-ID: <4102459C.5010404@tri-oxyde.org> Lance Dryden wrote: > Good evening, > > Since you are worried only about outbound port 25 traffic being sent > from localhost, a question arises: is all of the mail traffic coming > from one specific program? > > If so, you will probably have an easier time convincing the program to > simply bind the outbound socket locally to the correct interface. > Unless it is a full-blown MTA like Postfix or Sendmail; most MTAs want > to be told which IP address to locally bind to and not which interface > to use. > > You might be better off using NAT. This would be a somewhat goofy > use, and I have never tried it, so I do not know if it works. 
It > would look like this: > > iptables \ > --table nat --append POSTROUTING --proto tcp \ > --source \ > --dport 25 \ > --jump SNAT --to-source > > This line would need to be added above any POSTROUTING lines for > supporting masquerading. The kernel should be able to take care of > sending the data out the correct interface. > > Do let me know if it works. > > Yours, &c > Lance Dryden > Thanks for your response, I did two things : - Ask postfix to bind to second isp's external ip => traffic goes out through ppp1 and back in. Good but I get "connection timed out connecting to..." in postfix log - Added iptables line you advised me to : => packets go out with second isp's ip, good, that was not the case before => packets go back But I get no answer in the telnet, which seems to be the same problem as when telling postfix to bind to second isp's ip : packets go out and back in but client cannot communicate with remote smtp server. I think I forgot some iptables lines that would let ppp1's traffic go back in. Do you know which one I should use to make sure the traffic can go back in well ? Here is the tcpdump log when doing telnet 213.41.143.209 25 : 13:12:36.296170 81.48.224.208.51061 > 213.41.143.209.smtp: S 3495988204:3495988204(0) win 5808 (DF) [tos 0x10] 13:12:36.437196 213.41.143.209.smtp > 81.48.224.208.51061: S 687160518:687160518(0) ack 3495988205 win 16800 (DF) 13:12:38.703028 213.41.143.209.smtp > 81.48.224.208.51060: S 1256669228:1256669228(0) ack 3496982511 win 16800 (DF) 13:12:39.292786 81.48.224.208.51061 > 213.41.143.209.smtp: S 3495988204:3495988204(0) win 5808 (DF) [tos 0x10] 13:12:39.428299 213.41.143.209.smtp > 81.48.224.208.51061: S 687160518:687160518(0) ack 3495988205 win 16800 (DF) 13:12:40.398787 213.41.143.209.smtp > 81.48.224.208.51059: S 957484233:957484233(0) ack 3482227097 win 16800 (DF) Thanks for your help ! 
Julien From wishbone@h4b.org Sat Jul 24 16:12:59 2004 From: wishbone@h4b.org (wishbone@h4b.org) Date: Sat, 24 Jul 2004 08:12:59 -0700 Subject: [LARTC] Failover connection question Message-ID: <20040724151259.GC17854@psitron> I'm still trying to figure out this problem, I appreciate any suggestions... What I'd like to do is have a second default gateway path that never gets taken unless the first one goes into the "dead" state. I have installed Julian's patch and it works great for load-balanced connections using the nexthop code, but I would like to setup the second default route to be the failover only if the first one becomes unavailable. Is this possible? How might I do this? regards, joshua From lartc@pro-technica.com Sat Jul 24 18:12:39 2004 From: lartc@pro-technica.com (zarhi) Date: Sat, 24 Jul 2004 20:12:39 +0300 Subject: [LARTC] tc del filter troubles Message-ID: <1090689106.11582.3.camel@zarhi.skknet.net> hello, I have a working htb system with about 1000 users. Until now I reload all rules at change, but it takes too much time to apply. I cannot delete applied filters. 
There is rules for one user: #!/bin/bash -v # Download shaper EX -> 2:20 /sbin/tc class add dev eth2 parent 2:20 classid 2:1775 htb rate 8000Kbit ceil 10000Kbit quantum 1514 /sbin/tc qdisc add dev eth2 parent 2:1775 sfq perturb 10 /sbin/tc filter add dev eth2 parent 2:20 protocol ip handle 1775 fw flowid 2:1775 # Download shaper peering -> 2:30 /sbin/tc class add dev eth2 parent 2:30 classid 2:2775 htb rate 100Kbit ceil 25000Kbit quantum 1514 /sbin/tc qdisc add dev eth2 parent 2:2775 sfq perturb 10 /sbin/tc filter add dev eth2 parent 2:30 protocol ip handle 1775 fw flowid 2:2775 # Download shaper international -> 2:40 /sbin/tc class add dev eth2 parent 2:40 classid 2:3775 htb rate 384Kbit ceil 800Kbit quantum 1514 /sbin/tc qdisc add dev eth2 parent 2:3775 sfq perturb 10 /sbin/tc filter add dev eth2 parent 2:40 protocol ip handle 1775 fw flowid 2:3775 I change 'add' with 'del' but only sfq qdisc are deleted: #!/bin/bash -v # Download shaper EX -> 2:20 /sbin/tc class del dev eth2 parent 2:20 classid 2:1775 htb rate 8000Kbit ceil 10000Kbit quantum 1514 RTNETLINK answers: Device or resource busy /sbin/tc qdisc del dev eth2 parent 2:1775 sfq perturb 10 /sbin/tc filter del dev eth2 parent 2:20 protocol ip handle 1775 fw flowid 2:1775 RTNETLINK answers: No such file or directory # Download shaper peering -> 2:30 /sbin/tc class del dev eth2 parent 2:30 classid 2:2775 htb rate 100Kbit ceil 25000Kbit quantum 1514 RTNETLINK answers: Device or resource busy /sbin/tc qdisc del dev eth2 parent 2:2775 sfq perturb 10 /sbin/tc filter del dev eth2 parent 2:30 protocol ip handle 1775 fw flowid 2:2775 RTNETLINK answers: No such file or directory # Download shaper international -> 2:40 /sbin/tc class del dev eth2 parent 2:40 classid 2:3775 htb rate 384Kbit ceil 800Kbit quantum 1514 RTNETLINK answers: Device or resource busy /sbin/tc qdisc del dev eth2 parent 2:3775 sfq perturb 10 /sbin/tc filter del dev eth2 parent 2:40 protocol ip handle 1775 fw flowid 2:3775 RTNETLINK answers: No 
such file or directory If I try to run this again result is: # Download shaper EX -> 2:20 /sbin/tc class del dev eth2 parent 2:20 classid 2:1775 htb rate 8000Kbit ceil 10000Kbit quantum 1514 RTNETLINK answers: Device or resource busy /sbin/tc qdisc del dev eth2 parent 2:1775 sfq perturb 10 RTNETLINK answers: Invalid argument /sbin/tc filter del dev eth2 parent 2:20 protocol ip handle 1775 fw flowid 2:1775 RTNETLINK answers: No such file or directory I think that class cannot be deleted because there is a filter pointing to it. But how to delete those filters? Any hint will be extremely useful. Svetozar Mihailov. From db@wless.gr Sat Jul 24 19:51:23 2004 From: db@wless.gr (Mpourtounis Dimitris) Date: Sat, 24 Jul 2004 21:51:23 +0300 Subject: [LARTC] HTB classifying Message-ID: <1090695083.5162.93.camel@WLESS> I am trying to shape a client (somewhat advanced). This is my target: Client is 192.168.2.224. I would like to allow him to download with 500000 bits/sec in general. But, for a specific port(say 22), i would like him to download with 300000 bit/sec only. The problem is that my configuration (maybe wrong) allows him to download with 800000 bit/sec. (500000 generally + 300000 on port 22) I thought that having classes 1:11 and 1:12 being children of a class with rate 500000, 500000 would be the maximum... Can htb do this? Can another queue do this? 
/sbin/tc class add dev eth0 parent 1: classid 1:10 htb rate 500000 /sbin/tc class add dev eth0 parent 1:10 classid 1:11 htb rate 300000 /sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip src 192.168.2.224/32 \ match ip sport 80 0xffff classid 1:11 /sbin/tc class add dev eth0 parent 1:10 classid 1:12 htb rate 500000 /sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match ip src 192.168.2.224/32 classid 1:12 From tomasz.paszkowski@e-wro.pl Sat Jul 24 20:46:05 2004 From: tomasz.paszkowski@e-wro.pl (Tomasz Paszkowski) Date: Sat, 24 Jul 2004 21:46:05 +0200 Subject: [LARTC] problems with hfsc Message-ID: <20040724194605.GA20090@krezus.e-wro.net> Hello, I've discovered hfsc a few days ago, and for me it's great ! I'm running it on linux 2.4.26 with vlan interfaces using iANS. During tests I've discovered a few problems. My set of rules is quite big: root@hades:/home/system/scr/etc/hfsc_rebuild# cat tc.batch | grep hfsc | wc -l 27900 and always when I delete the root hfsc class, the machine is losing network connectivity for about 15 seconds. The second problem is that after reloading the set of rules the machine is losing network connectivity on some virtual interfaces. As I remember the same problem was present in the earliest version of linux kernels (< 2.4.26) in htb code. 
-- Tomasz Paszkowski From db@wless.gr Sat Jul 24 23:39:32 2004 From: db@wless.gr (Mpourtounis Dimitris) Date: Sun, 25 Jul 2004 01:39:32 +0300 Subject: [LARTC] HTB classifying References: <1090695083.5162.93.camel@WLESS> <001001c2c32d$d8abd640$0200a8c0@monster> <001f01c471c5$5cf4a750$e001a8c0@portablebou> <003201c2c335$18c54660$0200a8c0@monster> Message-ID: <000501c471cf$17ec5630$e001a8c0@portablebou> Ok then... BOX with 2 ifaces eth0 : 192.168.1.3/24 , NAT 192.168.2.0/24 wlan0: 192.168.2.3/24 , gw 192.168.1.1(it is an adsl modem in fact) All i want to do is make sure that a)node 192.168.2.224 doesn't get more than 500000 bits/sec b)its ssh,sftp (port 22) traffic is limited at 300000 bits/sec and c)add more shaped nodes in my script. When i start downloading from the node, its http traffic for example is really shaped at 500000. When i start downloading via sftp (port 22), its sftp traffic is really shaped at 300000. But, when there is an http as well as an sftp session at the same time, total bandwidth is at 800000. Thanks in advance (and sorry for being so short, i will get used to explaining my problems briefly...) 
#My.notworking.script /sbin/tc qdisc add dev wlan0 root handle 1:0 htb r2q 100 /sbin/tc class add dev wlan0 parent 1: classid 1:10 htb rate 500000 /sbin/tc class add dev wlan0 parent 1:10 classid 1:11 htb rate 300000 /sbin/tc filter add dev wlan0 parent 1:0 protocol ip prio 100 u32 \ match ip src 192.168.2.224/32 \ match ip sport 80 0xffff classid 1:11 /sbin/tc class add dev wlan0 parent 1:10 classid 1:12 htb rate 500000 /sbin/tc filter add dev wlan0 parent 1:0 protocol ip prio 100 u32 match \ ip src 192.168.2.224/32 classid 1:12 ----- Original Message ----- From: To: "lartc" ; "Mpourtounis Dimitris" Sent: Friday, January 24, 2003 2:13 AM Subject: Re: [LARTC] HTB classifying > OK what's the address of eth0? Is the BOX with NAT ? > I think you could send a bit of your true script and describe a bit of your > network especially the part when this situation is happeniing . If you > really afraid of smth like hack attack change IP adressess. > > > Although i have done so ,you are right. I should have included this too in > > my (e-mail) configuration... > > BTW,Any idea of the situation > > > > ----- Original Message ----- > > From: > > To: "lartc" ; "Mpourtounis Dimitris" > > Sent: Friday, January 24, 2003 1:21 AM > > Subject: Re: [LARTC] HTB classifying > > > > > > > Maybe it's my oversight but shoudn't you have "tc qdisc add dev eth0 > root > > > handle 1:0 htb" before rest of your instructions ?? > > > > > > > I am trying to shape a client (somewhat advanced). > > > > > > > > This is my target: > > > > Client is 192.168.2.224. I would like to allow him to download with > > > > 500000 bits/sec in general. But, for a specific port(say 22), i would > > > > like him to download with 300000 bit/sec only. The problem is that my > > > > configuration (maybe wrong) allows him to download with 800000 > bit/sec. 
> > > > (500000 generally + 300000 on port 22) > > > > I thought that having classes 1:11 and 1:12 being children of a class > > > > with rate 500000, 500000 would be the maximum... > > > > Can htb to this? Can another queue do this? > > > > > > > > /sbin/tc class add dev eth0 parent 1: classid 1:10 htb rate 500000 > > > > > > > > /sbin/tc class add dev eth0 parent 1:10 classid 1:11 htb rate 300000 > > > > /sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match > > ip > > > src 192.168.2.224/32 \ > > > > match ip sport 80 0xffff classid 1:11 > > > > > > > > /sbin/tc class add dev eth0 parent 1:10 classid 1:12 htb rate 500000 > > > > /sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 100 u32 match > > ip > > > src 192.168.2.224/32 classid 1:12 > > > > > > > > > > > > _______________________________________________ > > > > LARTC mailing list / LARTC@mailman.ds9a.nl > > > > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > > > > > From mabrown-lartc@securepipe.com Sun Jul 25 03:53:50 2004 From: mabrown-lartc@securepipe.com (Martin A. Brown) Date: Sat, 24 Jul 2004 21:53:50 -0500 (CDT) Subject: [LARTC] HTB classifying In-Reply-To: <000501c471cf$17ec5630$e001a8c0@portablebou> References: <1090695083.5162.93.camel@WLESS> <001001c2c32d$d8abd640$0200a8c0@monster> <001f01c471c5$5cf4a750$e001a8c0@portablebou> <003201c2c335$18c54660$0200a8c0@monster> <000501c471cf$17ec5630$e001a8c0@portablebou> Message-ID: Hello Mpourtounis, : When i start downloading from node, its http taffic for examle is : really shaped at 500000. When i start downloading via sftp (port 22), : its sftp traffic is really shaped at 300000. But, if when there is an : http as well as an sftp session at the same time, total bandwidth is at : 800000. You are missing one key piece in your understanding of HTB and that is the difference between using "rate" and using "ceil". 
: /sbin/tc qdisc add dev wlan0 root handle 1:0 htb r2q 100 : /sbin/tc class add dev wlan0 parent 1: classid 1:10 htb rate 500000 : : /sbin/tc class add dev wlan0 parent 1:10 classid 1:11 htb rate 300000 : /sbin/tc filter add dev wlan0 parent 1:0 protocol ip prio 100 u32 \ : match ip src 192.168.2.224/32 \ : match ip sport 80 0xffff classid 1:11 : : /sbin/tc class add dev wlan0 parent 1:10 classid 1:12 htb rate 500000 : /sbin/tc filter add dev wlan0 parent 1:0 protocol ip prio 100 u32 match \ : ip src 192.168.2.224/32 classid 1:12 You have a class structure which looks roughly like this:

class 1:10, rate 500000 [ ceil 500000 ]
|
+-class 1:11, rate 300000 [ ceil 300000 ] (rate M)
\ class 1:12, rate 500000 [ ceil 500000 ] (rate L)

Because you have specified a rate in each leaf class (1:11 and 1:12), your two leaf classes are getting the guaranteed 'rate'. You have guaranteed rate M, 300000 (units???) (seems to be 37500bps with my tc) to your class 1:11. You have guaranteed rate L to your class 1:12. HTB will dequeue packets entering this class until rate without examining any other parent class. Because each class is getting its guaranteed rate, HTB is effectively transmitting (dequeuing) packets at 800000 (300000 + 500000). I believe you wish to do the following. Note that I have used the same ratios, but have eliminated some zeroes and changed the units, but simply for readability.

class 1:10, rate 500 kbps, ceil 500 kbps
|
+-class 1:11, rate 100 kbps, ceil 300 kbps
\ class 1:12, rate 400 kbps, ceil 500 kbps

This means that classes 1:11 and 1:12 can transmit up to rates 100 kbps and 400 kbps respectively before HTB starts to calculate borrowing. For more on the borrowing model, see [0], [1] and [2]. The rule you are unwittingly violating is this rule [3]. In short, since HTB will not check any rates or perform any shaping or borrowing until rate is met (exceeded), you must make sure that the sum of the rates of your leaf classes does not exceed the parent classes. 
As a final note, if you wish to limit your total outgoing bandwidth to only 500000 and let HTB help a bit with the borrowing, I would recommend the following model:

class 1:10, rate 500000, ceil 500000
|
+-class 1:11, rate 100000, ceil 300000
\ class 1:12, rate 200000, ceil 500000

Best of luck, -Martin [0] http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm#hsharing [1] http://tldp.org/HOWTO/Traffic-Control-HOWTO/classful-qdiscs.html#qc-htb-borrowing [2] http://opalsoft.net/qos/DS-28.htm [3] http://www.docum.org/docum.org/faq/cache/13.html P.S. Just a reminder that with the command line "tc", kbps means kilobytes per second. If you want to talk about kilobits per second, use kbit. -- Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com From devik@cdi.cz Sun Jul 25 10:26:26 2004 From: devik@cdi.cz (devik) Date: Sun, 25 Jul 2004 11:26:26 +0200 (CEST) Subject: [LARTC] Re: HTB 3.13 please help In-Reply-To: <001f01c2c275$139acef0$0802a8c0@monster> Message-ID: From the stats it seems that no data are queued - as if nobody is sending them. You are using smp kernel, is your box SMP ? I haven't seen many smp+htb boxes thus there might be possibility of a bug... devik On Thu, 23 Jan 2003 mjoachimiak@poczta.onet.pl wrote: > I've attached outputs for eth0 and eth1. > I was trying to get this script running. I've added one class for my NATed > BOX, and it helped. Shaping was stable almost one day but then i added "prio > 0" to eth0 filters and prio 0 for eth1 filters and it has broken. So i removed > every "prio 0" and rebooted the box but it didn't help :(. > I've noticed that when the traffic is not much (14 hosts from 50 are up) > tc/htb works very well. > If you want new version of my script say a word. > ----- Original Message ----- > From: "devik" > To: > Sent: Thursday, July 22, 2004 3:48 PM > Subject: Re: HTB 3.13 please help > > > > I need > > tc -s -d class show dev xxx > > output during that non-working period. 3.6 is older than 3.13. 
> > > > ------------------------------- > > Martin Devera aka devik > > Linux kernel QoS/HTB maintainer > > http://luxik.cdi.cz/~devik/ > > > > On Wed, 21 Jul 2004 mjoachimiak@poczta.onet.pl wrote: > > > > > Thanks for your reply. I've recently put my problem on lartc list. I'm > using > > > htb 3.13 in 2-4-25smp. > > > I wonder if upgrade to 3.6 will help? Could you be so kind and take a > look > > > at it. I'll be grateful. > > > If you have no time for me i'll understand and try to resolve it for > myself. > > > Thanks. > > > > > > Hello everybody! > > > Since a week i dig lists and www and can't find a solution for my problem. > > > I'm using HTB 3.13 kernel 2-4-25 smp iptables 1.2.9. > > > I've got situation like this: > > > > > > LAN------Linux Box(routing only)------- Linux Box > > > (HTB)--------------Hardware Router(say:HD)------Internet > > > When I start HTB it takes about 5 min. to start working and it works... > > > within this 5min starting i can't ping HD and after about 5min I start > > > pinging. It works like this for a couple of hours, then something strange > is > > > happening. Ping stops, www doesn't work but radio (36kbps) (from > clients) > > > works. There is no ping at all for about 1min and it starts pinging for > > > about 2-3min and it stops for 1-2min and so on..... > > > When I stop HTB ping starts. It looks like HTB is filled too much (sorry > for > > > my english :/) > > > All my children classes' rates don't exceed root classes. I have 50 > classes > > > on 900kbit-10kbit(for default class) - downstream and 800-10kbit(for > > > default) up. > > > I shape bandwidth matching ip. r2q is set to 1 . no errors during doing > shape > > > script. > > > I'm attaching this script > > > in ip1 is file where are written ip's for C classes. > > > > > > I'm including my script. 
> > > ---------------------------------------------------cut > > > > here ----------------------------------------------------------------------- > > > ------------ > > > #!/bin/bash > > > #x=$[100/20] > > > #echo "$1" > /skrytpy/status > > > rxmax=900 #WAN max transfer -down (physically it is 960kbit/960kbit) > > > kbit=kbit > > > rxmaxluser=250 > > > txmax=800 #WAN max transfer - up > > > txmaxluser=100 > > > #counting users > > > # ip1 file is like this: > > > # 11 #Somebody > > > # 23 #Somebody II > > > #EOF > > > licznik=0 > > > for x in $(awk '{ print $1 }' /skrytpy/ip1); do > > > licznik=$[$licznik+1] > > > done > > > > > > > > > #Server > > > licznik=$[$licznik+1] > > > #plus router > > > licznik=$[$licznik+1] > > > > > > echo number of users to $licznik > > > #counting rate > > > rx1=$[$rxmax-10] > > > tx1=$[$txmax-10] # dla klasy domyslnej > > > rxmin=$[$rx1/$licznik] > > > txmin=$[$tx1/$licznik] > > > echo rx $rxmin tx $txmin > > > #echo $rxmin > > > #root classes > > > #rx > > > tc qdisc del root dev eth1 > > > tc qdisc add dev eth1 root handle 1:0 htb r2q 1 default 2 > > > tc class add dev eth1 parent 1:0 classid 1:1 htb rate $rxmax$kbit ceil > > > $rxmax$kbit > > > #tx > > > tc qdisc del root dev eth0 > > > tc qdisc add dev eth0 root handle 2:0 htb r2q 1 default 4 > > > tc class add dev eth0 parent 2:0 classid 2:1 htb rate $txmax$kbit ceil > > > $txmax$kbit > > > #r="$rxmax$kbit" > > > #default classes > > > #rx > > > tc class add dev eth1 parent 1:1 classid 1:2 htb rate 10kbit ceil 10kbit > > > #tx > > > tc class add dev eth0 parent 2:1 classid 2:4 htb rate 10kbit ceil 10kbit > > > > #siec 1.0 > > > siec=1 > > > for ip in $(awk '{ print $1 }' /skrytpy/ip1); do > > > echo -n "$ip " > > > #rx > > > tc class add dev eth1 parent 1:1 classid 1:$ip htb rate $rxmin$kbit ceil > > > $rxmaxluser$kbit > > > tc filter add dev eth1 protocol ip parent 1:0 u32 match ip dst > > > 192.168.$siec.$ip flowid 1:$ip > > > tc qdisc add dev eth1 parent 1:$ip handle $ip:0 
sfq perturb 10 > > > #tx > > > #marking packets > > > iptables -t mangle -A MYSHAPER-OUT -p tcp -s 192.168.$siec.$ip -j > > > MARK --set-mark $ip > > > #tc > > > tc class add dev eth0 parent 2:1 classid 2:$ip htb rate $txmin$kbit ceil > > > $txmaxluser$kbit > > > #filtering by mark > > > tc filter add dev eth0 protocol ip preference 1 parent 2:0 handle $ip fw > > > flowid 2:$ip > > > tc qdisc add dev eth0 parent 2:$ip handle $ip:1 sfq perturb 10 > > > done > > > echo "" > > > > > > --------------------------------------------------------------------cut > > > here ------------------------------------------------------------------ > > > > > > > > > > > > From dyna@tri-oxyde.org Sun Jul 25 12:10:42 2004 From: dyna@tri-oxyde.org (Julien) Date: Sun, 25 Jul 2004 13:10:42 +0200 Subject: [LARTC] Help in understanding routing/tables/chains In-Reply-To: <200407241442.03325.jens@pacificsun.ca> References: <200407241442.03325.jens@pacificsun.ca> Message-ID: <41039532.8060401@tri-oxyde.org> Jens wrote: >I am trying to trace a problem I have in redirecting my mail traffic to a >different ISP. I have set up a whole bunch of logging rules but am still a >bit mystified and could use some clarification.... > >The setup (shortened somewhat for this example): >Cable connection coming into a firewall/router going to a mail server in the >DMZ. >The interface on the firewall/router that the cable uses (to the internet) is >eth0. The interface on the firewall/router to the DMZ is eth3 > >I log all (I believe) destination port 25 packets going thru the firewall. The >current setup does not do any redirection of traffic to port 25 - everything >goes out the default interface eth0 and the whole setup works. I am trying to >get a baseline as to what I should see when I do the redirection later on. >To run my test, I am on the mailserver box and I initiate a telnet to a remote >ISP's mail server on port 25. 
> >The log messages I see are as follows: > >the first packet shows a traversal thru the nat filters as expected >The source and destination IP's are always the same - the source is always the >ip of my mail server and the destination is always the ip of the remote ISP's >mail server > >mangle preroute in eth3 src dst >nat preroute in eth3 >mangle forward in eth3 >mangle postroute out eth0 > >the second packet no longer shows traversal thru the nat filter >mangle preroute in eth3 >mangle forward in eth3 >mangle postroute out eth0 > >The things that I am having problems understanding are: > >1) I see the packet going into eth3, doing the preroute, the forward but I see >no postroute on eth3. I also don't see the packet going into eth0 or doing >anything until it comes out the postroute table. Why isn't there anything in >between ? > >2) The connection I establish is from a local ip 192.168.1.2 to the ISP's mail >server on the internet. The connection is fully functional so it's nat'ed >properly. Why is it that I don't see the change of source IP in the mangle >postroute (as the packet comes out of eth0 which is the internet interface) ? >Why don't I see the address change anywhere ? > >I am sorry to ask such basic questions but this stuff is crucial in me >figuring out what is happening and I have not managed to put the clues >together from the documents and how-to's that I have studied so far. > >Thanks > >Jens >_______________________________________________ >LARTC mailing list / LARTC@mailman.ds9a.nl >http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > > > I'm trying to do the same thing, as you can see from my previous posts, it's working a little better as redirection works. Can you show us the ip route add, iptables -t mangle and ip route add command lines you used so we can check what could be wrong ? 
Julien

From fequepe@hotmail.com Sun Jul 25 12:57:17 2004 From: fequepe@hotmail.com (Ricardo Leite) Date: Sun, 25 Jul 2004 11:57:17 +0000 Subject: [LARTC] Modify the TCP Window size Message-ID: Hi lartc users, When a packet arrives at a network device it is stored in an skb structure and then enqueued on the network stack. One of the tests that I want to do is modify the TCP window size and verify the changes in the bandwidth between two hosts. To do that I need to know how to modify the packet's window size and maybe recalculate the checksum value of the TCP packet. All I can do is read the information of the packet stored in the skb structure. Do you have any ideas? I'll need to be enlightened. Ricardo _________________________________________________________________ MSN Messenger: chat with your friends online. http://messenger.msn.com.br

From lists@wildgooses.com Mon Jul 26 00:20:21 2004 From: lists@wildgooses.com (Ed Wildgoose) Date: Mon, 26 Jul 2004 00:20:21 +0100 Subject: [LARTC] Modify the TCP Window size In-Reply-To: References: Message-ID: <41044035.4010606@wildgooses.com> Ricardo Leite wrote: > Hi lartc users, > > When a packet arrives at a network device it is stored in an skb > structure and then enqueued on the network stack. > > One of the tests that I want to do is modify the TCP window size and > verify the changes in the bandwidth between two hosts. > To do that I need to know how to modify the packet's window size and > maybe recalculate the checksum value of the TCP packet. > > All I can do is read the information of the packet stored in the skb > structure. I think I saw a patch in patchomatic for iptables to modify window size. Perhaps have a look at that and see if it offers you some clues. I seem to remember the answer is in the ACK packets sent back to the server?
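An added example for Ricardo's question above; it is not code from Ricardo, Ed or the LARTC project. It rewrites the 16-bit window field of an IPv4/TCP packet held as bytes in user space (read from a raw socket or a pcap, say) and recomputes the TCP checksum over the pseudo-header, which is the same arithmetic a kernel or netfilter module has to do on the skb. The packet builder, the addresses (192.168.1.2 talking to 10.0.0.1 on port 25) and the window-scale option in the second test packet are assumptions constructed for the demo.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum as used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"            # odd length: pad the last 16-bit word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:             # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(ip_hdr: bytes, tcp_segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header + TCP header + payload.
    The checksum field inside tcp_segment must already be zeroed."""
    pseudo = ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, 6, len(tcp_segment))
    return (~ones_complement_sum(pseudo + tcp_segment)) & 0xFFFF


def _split(packet: bytes):
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    return packet[:ihl], packet[ihl:]


def tcp_window(packet: bytes) -> int:
    _, tcp = _split(packet)
    return struct.unpack_from("!H", tcp, 14)[0]


def set_tcp_window(packet: bytes, window: int) -> bytes:
    """Return a copy of packet with the TCP window replaced and the TCP
    checksum recomputed. The IP header is untouched (its own checksum
    does not cover the TCP header)."""
    if not 0 <= window <= 0xFFFF:
        raise ValueError("window must fit in 16 bits")
    ip_hdr, tcp = _split(packet)
    tcp = bytearray(tcp)
    struct.pack_into("!H", tcp, 14, window)   # window field
    struct.pack_into("!H", tcp, 16, 0)        # zero the checksum before summing
    struct.pack_into("!H", tcp, 16, tcp_checksum(ip_hdr, bytes(tcp)))
    return ip_hdr + bytes(tcp)


def verify_tcp_checksum(packet: bytes) -> bool:
    ip_hdr, tcp = _split(packet)
    pseudo = ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(pseudo + tcp) == 0xFFFF


def tcp_window_scale(packet: bytes):
    """Shift count from a window-scale option (kind 3) if present, else None.
    On a scaled connection the effective window is field << shift on every
    non-SYN segment, so rewriting the 16-bit field alone is not enough."""
    _, tcp = _split(packet)
    opts, i = tcp[20:(tcp[12] >> 4) * 4], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # NOP
            i += 1
            continue
        length = opts[i + 1]
        if kind == 3 and length == 3:
            return opts[i + 2]
        i += length
    return None


def build_packet(src, dst, sport, dport, window, flags=0x10, payload=b"", options=b""):
    """Constructed IPv4/TCP packet with valid IP and TCP checksums (demo input)."""
    options += b"\x00" * (-len(options) % 4)
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                                (5 + len(options) // 4) << 4, flags, window, 0, 0))
    tcp += options + payload
    ip_hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                                   0x4000, 64, 6, 0,
                                   socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", ip_hdr, 10, (~ones_complement_sum(bytes(ip_hdr))) & 0xFFFF)
    struct.pack_into("!H", tcp, 16, tcp_checksum(bytes(ip_hdr), bytes(tcp)))
    return bytes(ip_hdr) + bytes(tcp)


if __name__ == "__main__":
    pkt = build_packet("192.168.1.2", "10.0.0.1", 40000, 25, 65535, payload=b"QUIT\r\n")
    throttled = set_tcp_window(pkt, 1024)
    print(tcp_window(pkt), "->", tcp_window(throttled), verify_tcp_checksum(throttled))
```

Two practical points for the experiment Ricardo describes: the window that throttles a sender is the one advertised in the segments flowing back toward it (the ACKs Ed mentions), so the rewrite has to be applied in that direction; and if the SYN exchange negotiated a window-scale option, the receiver's real window is the field shifted by that count, so a clamp that only edits the 16-bit field on data segments will not behave as expected.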
Ed W

From soporte@xmundo.net Mon Jul 26 02:35:45 2004 From: soporte@xmundo.net (XMundo - Soporte Tecnico) Date: Sun, 25 Jul 2004 22:35:45 -0300 Subject: [LARTC] Load Balancing Message-ID: <01ea01c472b0$e0449ca0$fd01000a@estacion1> Hi. I'm making a script for load balancing two cable modem internet connections toward my LAN. The problem is that when I try to 'equalize' the two internet connections with weight=1 it doesn't work. On the other hand, if I put 5 and 5 it works, but not at 100%: it does so intermittently, sometimes it works and sometimes it doesn't. Example:

ip route add default equalize \
  nexthop via $P1 dev $IF1 weight 5 \
  nexthop via $P2 dev $IF2 weight 5

Besides, when I open, for example, the Firefox browser, it takes a long time to start navigating; sometimes it works and other times it gives an error and I can't navigate. From the server it works properly, but from the client PCs it doesn't. By the way, I'm doing NAT toward the client PCs. Do you have any idea why it takes so long to start navigating and why it sometimes works and sometimes doesn't?
This is the current script running in my server:

#=================================================
P0_NET=10.0.1.0/24
IF0=eth1
IP0=10.0.1.1
IF1=eth0
IP1=xxx.xxx.xxx.7
P1_NET=xxx.xxx.xxx.0/24
P1=xxx.xxx.xxx.1
IF2=eth2
IP2=yyy.yyy.yyy.21
P2_NET=yyy.yyy.yyy.0/24
P2=yyy.yyy.yyy.1
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
echo 3 > /proc/sys/net/ipv4/route/gc_elasticity
echo 1 > /proc/sys/net/ipv4/route/gc_interval
echo 0 > /proc/sys/net/ipv4/route/gc_timeout
ip route flush cache
ip route flush all
ip route flush table modem0
ip route flush table modem1
ip rule add from $IP1 lookup modem0
ip rule add from $IP2 lookup modem1
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
ip route add $P0_NET dev $IF0 src $IP0
ip rule add from $P1_NET lookup modem0
ip route add $P0_NET dev $IF0 table modem0
ip route add 0/0 via $P1 table modem0
ip rule add from $P2_NET lookup modem1
ip route add $P0_NET dev $IF0 table modem1
ip route add 0/0 via $P2 table modem1
ip route add default equalize \
  nexthop via $P1 dev $IF1 weight 5 \
  nexthop via $P2 dev $IF2 weight 5
#=================================================

From bschenker@privatereshalls.com Mon Jul 26 14:48:56 2004 From: bschenker@privatereshalls.com (bschenker) Date: Mon, 26 Jul 2004 08:48:56 -0500 Subject: [LARTC] tc del filter troubles In-Reply-To: <20040724220204.4427.73905.Mailman@outpost.ds9a.nl> References: <20040724220204.4427.73905.Mailman@outpost.ds9a.nl> Message-ID: <1090849736.5401.84.camel@localhost> I had the same problem and just resolved it a week ago. I was reloading all of close to 1000 htb filter rules and re-wrote my scripts to delete and re-add one particular rule. The solutions were all in the archives of the lartc mailing list, but they are difficult to track down. First you have to specify your filter properly.
Here is a line in my script:

/sbin/tc filter add dev $INTIF protocol ip prio 1 parent 1:0 handle ::${FIELD_VARIABLES2[1]} u32 ..... flowid 1:${FIELD_VARIABLES[2]}

First, you must specify a prio in your filter, otherwise you will not be able to reference the filter later for deletion. Second, you must specify a handle if you want to work on that rule in a script later. In my script I specify a handle as "handle ::###" where ### is whatever you want--in this case a variable that looks up info in a database. Now for deleting:

/sbin/tc filter del dev $INTIF parent 1: protocol ip prio 1 handle 800::${FIELD_VARIABLES[2]} u32

You must use this same format. u32, while not spelled out, must be the last thing in your command line. Notice that the handle becomes 800::###. When adding filters, each prio level will have a number associated with it in the order you use it. So if your first filter has prio 1, prio 1 filters will be called 800::###. If you next use a prio 0 filter, it and all other prio 0 filters will be named 801::###. Hope this helps and good luck.

-------------------------------------------------------------------------

hello, I have a working htb system with about 1000 users. Until now I reload all rules at every change, but it takes too much time to apply. I cannot delete applied filters.
There is rules for one user: #!/bin/bash -v # Download shaper EX -> 2:20 /sbin/tc class add dev eth2 parent 2:20 classid 2:1775 htb rate 8000Kbit ceil 10000Kbit quantum 1514 /sbin/tc qdisc add dev eth2 parent 2:1775 sfq perturb 10 /sbin/tc filter add dev eth2 parent 2:20 protocol ip handle 1775 fw flowid 2:1775 # Download shaper peering -> 2:30 /sbin/tc class add dev eth2 parent 2:30 classid 2:2775 htb rate 100Kbit ceil 25000Kbit quantum 1514 /sbin/tc qdisc add dev eth2 parent 2:2775 sfq perturb 10 /sbin/tc filter add dev eth2 parent 2:30 protocol ip handle 1775 fw flowid 2:2775 # Download shaper international -> 2:40 /sbin/tc class add dev eth2 parent 2:40 classid 2:3775 htb rate 384Kbit ceil 800Kbit quantum 1514 /sbin/tc qdisc add dev eth2 parent 2:3775 sfq perturb 10 /sbin/tc filter add dev eth2 parent 2:40 protocol ip handle 1775 fw flowid 2:3775 I change 'add' with 'del' but only sfq qdisc are deleted: #!/bin/bash -v # Download shaper EX -> 2:20 /sbin/tc class del dev eth2 parent 2:20 classid 2:1775 htb rate 8000Kbit ceil 10000Kbit quantum 1514 RTNETLINK answers: Device or resource busy /sbin/tc qdisc del dev eth2 parent 2:1775 sfq perturb 10 /sbin/tc filter del dev eth2 parent 2:20 protocol ip handle 1775 fw flowid 2:1775 RTNETLINK answers: No such file or directory # Download shaper peering -> 2:30 /sbin/tc class del dev eth2 parent 2:30 classid 2:2775 htb rate 100Kbit ceil 25000Kbit quantum 1514 RTNETLINK answers: Device or resource busy /sbin/tc qdisc del dev eth2 parent 2:2775 sfq perturb 10 /sbin/tc filter del dev eth2 parent 2:30 protocol ip handle 1775 fw flowid 2:2775 RTNETLINK answers: No such file or directory # Download shaper international -> 2:40 /sbin/tc class del dev eth2 parent 2:40 classid 2:3775 htb rate 384Kbit ceil 800Kbit quantum 1514 RTNETLINK answers: Device or resource busy /sbin/tc qdisc del dev eth2 parent 2:3775 sfq perturb 10 /sbin/tc filter del dev eth2 parent 2:40 protocol ip handle 1775 fw flowid 2:3775 RTNETLINK answers: No 
such file or directory

If I try to run this again the result is:

# Download shaper EX -> 2:20
/sbin/tc class del dev eth2 parent 2:20 classid 2:1775 htb rate 8000Kbit ceil 10000Kbit quantum 1514
RTNETLINK answers: Device or resource busy
/sbin/tc qdisc del dev eth2 parent 2:1775 sfq perturb 10
RTNETLINK answers: Invalid argument
/sbin/tc filter del dev eth2 parent 2:20 protocol ip handle 1775 fw flowid 2:1775
RTNETLINK answers: No such file or directory

I think that the class cannot be deleted because there is a filter pointing to it. But how to delete those filters? Any hint will be extremely useful. Svetozar Mihailov.

From freeswan9@yahoo.fr Mon Jul 26 19:47:05 2004 From: freeswan9@yahoo.fr (toto toto) Date: Mon, 26 Jul 2004 20:47:05 +0200 (CEST) Subject: [LARTC] H323/Netmeeting shaping Message-ID: <20040726184705.94756.qmail@web25303.mail.ukl.yahoo.com> Hi, Has anyone ever succeeded in shaping H323 traffic? I mean reserving a certain bandwidth for it, in order to have a comfortable Netmeeting and not be disturbed by downloads and other things. I tried with HTB but it doesn't seem perfect... Thanks for replies, Sam Running out of space to store your mail? Yahoo! Mail offers you 100 MB for FREE! Create your Yahoo! Mail at http://fr.benefits.yahoo.com/ The new Yahoo! Messenger has arrived! Discover all the new ways to chat instantly with your friends. Download it for free at http://fr.messenger.yahoo.com

From namiot@ciudad.com.ar Mon Jul 26 19:47:08 2004 From: namiot@ciudad.com.ar (Matias Namiot) Date: Mon, 26 Jul 2004 15:47:08 -0300 Subject: [LARTC] IP ROUTE Message-ID: <001101c47340$f6c281a0$1410a8c0@Wireless> Hello, my Linux shows me this:

server2 root # ip route add default scope global nexthop via 192.168.5.1 dev eth2 weight 1 nexthop via 192.168.160.1 dev eth0 weight 1
RTNETLINK answers: Invalid argument

What can I do???? Thanks Matias --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.726 / Virus Database: 481 - Release Date: 22/07/2004
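An added example for the filter-deletion thread above (bschenker's advice and Svetozar's "Device or resource busy"); it is not code from either poster. Rather than guessing the handle the kernel assigned, it parses `tc filter show dev ... parent ...` output, finds the filters that point at the class to be removed, and emits the `tc filter del`, `tc qdisc del` and `tc class del` commands in the order the kernel accepts them. The sample output is constructed for the demo in the shape iproute2 prints for `fw` and `u32` filters; the `pref` values the kernel picks for filters added without a prio are whatever your own `tc filter show` reports, and the marks 1775/1776 and the `match` keys are invented.

```python
import re

# Constructed sample: `tc filter show dev eth2 parent 2:20` (fw filters added
# without a prio, so the kernel chose the pref) followed by
# `tc filter show dev eth0 parent 1:` (u32 filters added with prio 1).
SAMPLE = """\
filter parent 2:20 protocol ip pref 49152 fw handle 0x6ef classid 2:1775
filter parent 2:20 protocol ip pref 49151 fw handle 0x6f0 classid 2:1776
filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:1775
  match 0a000a02/ffffffff at 12
filter parent 1: protocol ip pref 1 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:1776
  match 0a000a03/ffffffff at 12
"""

FW_RE = re.compile(r"^filter parent (\S+) protocol (\S+) pref (\d+) fw handle (0x[0-9a-f]+) classid (\S+)")
U32_RE = re.compile(r"^filter parent (\S+) protocol (\S+) pref (\d+) u32 fh (\S+) .*\bflowid (\S+)")


def parse_filters(text):
    """One dict per filter that actually points at a class; the per-prio
    header line and u32 hash-table lines (no classid/flowid) are skipped."""
    filters = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            parent, proto, pref, handle, cls = m.groups()
            filters.append(dict(kind="fw", parent=parent, proto=proto, pref=int(pref),
                                handle=handle, mark=int(handle, 16), flowid=cls))
            continue
        m = U32_RE.match(line)
        if m:
            parent, proto, pref, handle, cls = m.groups()
            filters.append(dict(kind="u32", parent=parent, proto=proto, pref=int(pref),
                                handle=handle, flowid=cls))
    return filters


def filters_for_class(filters, classid):
    return [f for f in filters if f["flowid"] == classid]


def del_filter_cmd(dev, f):
    """The form the kernel needs to delete one filter: parent, protocol,
    pref and handle, with the classifier kind last on the line."""
    return (f"tc filter del dev {dev} parent {f['parent']} protocol {f['proto']} "
            f"pref {f['pref']} handle {f['handle']} {f['kind']}")


def teardown_cmds(dev, filters, classid, parent):
    """Commands to remove one leaf class: its filters first (a class that a
    filter still points at is 'busy'), then its leaf qdisc, then the class."""
    cmds = [del_filter_cmd(dev, f) for f in filters_for_class(filters, classid)]
    cmds.append(f"tc qdisc del dev {dev} parent {classid}")
    cmds.append(f"tc class del dev {dev} parent {parent} classid {classid}")
    return cmds


if __name__ == "__main__":
    flt = parse_filters(SAMPLE)
    print("\n".join(teardown_cmds("eth2", flt, "2:1775", "2:20")))
```

The `pref` column is what bschenker calls prio: `tc filter show` prints it even when you did not set one, and `tc filter del` needs it together with the handle. For `fw` filters the handle is the mark itself printed in hex (1775 is 0x6ef), so Svetozar's `handle 1775 fw` delete was missing the pref, not the handle; for `u32` the handle is the `fh` value of the 800::N form that bschenker's script uses.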
From dyna@tri-oxyde.org Mon Jul 26 21:07:40 2004 From: dyna@tri-oxyde.org (Julien) Date: Mon, 26 Jul 2004 22:07:40 +0200 Subject: [LARTC] IP ROUTE In-Reply-To: <001101c47340$f6c281a0$1410a8c0@Wireless> References: <001101c47340$f6c281a0$1410a8c0@Wireless> Message-ID: <4105648C.3040805@tri-oxyde.org> Matias Namiot wrote: > Hello, my Linux shows me this: > > server2 root # ip route add default scope global nexthop via > 192.168.5.1 dev eth2 weight 1 nexthop via 192.168.160.1 dev eth0 weight 1 > RTNETLINK answers: Invalid argument > > What can I do???? > Thanks > Matias

Hi, you need to recompile your kernel with the following enabled:

CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_MULTIPLE_TABLES
CONFIG_IP_ROUTE_FWMARK (not sure it's needed here but let's enable it)

Julien

From namiot@ciudad.com.ar Mon Jul 26 21:57:40 2004 From: namiot@ciudad.com.ar (Matias Namiot) Date: Mon, 26 Jul 2004 17:57:40 -0300 Subject: [LARTC] IP ROUTE References: <001101c47340$f6c281a0$1410a8c0@Wireless> <4105648C.3040805@tri-oxyde.org> Message-ID: <001a01c47353$37e74640$1410a8c0@Wireless> Thanks

----- Original Message ----- From: Julien To: lartc@mailman.ds9a.nl Sent: Monday, July 26, 2004 5:07 PM Subject: Re: [LARTC] IP ROUTE > Hi, you need to recompile your kernel with the following enabled: > CONFIG_IP_ADVANCED_ROUTER > CONFIG_IP_MULTIPLE_TABLES > CONFIG_IP_ROUTE_FWMARK (not sure it's needed here but let's enable it) > Julien
From marnuke@yahoo.com Mon Jul 26 23:18:56 2004 From: marnuke@yahoo.com (Steven Rice) Date: Mon, 26 Jul 2004 15:18:56 -0700 (PDT) Subject: [LARTC] iptables marking problems and ip route not working Message-ID: <20040726221856.29191.qmail@web60506.mail.yahoo.com> Hello, I'm trying to configure a machine to send mail traffic out on eth0 and web traffic, via Squid, out of eth1, with the default gw on the eth0 interface. After spending most of the day trying this and that and reading docs until my eyes hurt, I have had zero luck making anything work except for standard routing. The Advanced Routing Howto makes it seem easy to do this, but I fear there is something left out, or something hidden in a section that should be there. I have read those docs, the ipfilter howto, and a few other docs, but I can't seem to figure out how to get this to work. As my last recourse, I'm asking the list for help. Here's the setup. The kernel is a stock Fedora Core 1 and seems to be configured correctly:

# grep CONFIG_IP_ADVANCED_ROUTER /boot/config-2.4.22-1.2115.nptl
CONFIG_IP_ADVANCED_ROUTER=y
# grep CONFIG_IP_MULTIPLE_TABLES /boot/config-2.4.22-1.2115.nptl
CONFIG_IP_MULTIPLE_TABLES=y
# grep CONFIG_IP_ROUTE_FWMARK /boot/config-2.4.22-1.2115.nptl
CONFIG_IP_ROUTE_FWMARK=y

I have enabled ip forwarding:

# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1

The iptables, ip rule and ip route statements are lifted right out of the docs:

#iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 80 -j MARK --set-mark 1
#ip rule add fwmark 0x1 table www.out
#ip route add default via $ETH1_GW dev eth1 table www.out

And logging for the heck of it:

#iptables -t mangle -A PREROUTING -m mark --mark 1 -j LOG --log-level DEBUG --log-prefix "fwmark 1:"

Yet nothing seems to work and nothing is logging. It almost looks like iptables is not marking the packets correctly? What do I need to fix this?
Thanks, Steven __________________________________ Do you Yahoo!? Yahoo! Mail - 50x more storage than other providers! http://promotions.yahoo.com/new_mail

From soporte@xmundo.net Tue Jul 27 00:58:02 2004 From: soporte@xmundo.net (XMundo - Soporte Tecnico) Date: Mon, 26 Jul 2004 20:58:02 -0300 Subject: [LARTC] Load Balancing References: <01ea01c472b0$e0449ca0$fd01000a@estacion1> Message-ID: <027a01c4736c$646eed30$fd01000a@estacion1> Any idea? ----- Original Message ----- From: "XMundo - Soporte Tecnico" To: Sent: Sunday, July 25, 2004 10:35 PM Subject: [LARTC] Load Balancing

From ph1@openstrike.co.uk Tue Jul 27 08:52:57 2004 From: ph1@openstrike.co.uk (Pete Houston) Date: Tue, 27 Jul 2004 08:52:57 +0100 Subject: [LARTC] iptables marking problems and ip route not working In-Reply-To: <20040727050423.19757.692.Mailman@outpost.ds9a.nl> References: <20040727050423.19757.692.Mailman@outpost.ds9a.nl> Message-ID: <20040727075257.GA3752@sputnik.openstrike.co.uk> > The iptables, ip rule and ip route statements are lifted right out of the docs: > > #iptables -A PREROUTING -i eth0 -t
mangle -p tcp --dport 80 -j MARK --set-mark > 1 > #ip rule add fwmark 0x1 table www.out > #ip route add default via $ETH1_GW dev eth1 table www.out

I think that the problem here is in the first line above. This should set the mark on packets inbound on eth0 with a destination port of 80, whereas you want to mark outbound on eth0 (if I read your post correctly). As a test, try just removing the "-i eth0" and see if that results in some marks being set as you intend. HTH, Pete -- Openstrike - improving business through open source http://www.openstrike.co.uk/ or call 07092 020107

From namiot@ciudad.com.ar Tue Jul 27 15:01:09 2004 From: namiot@ciudad.com.ar (Matias Namiot) Date: Tue, 27 Jul 2004 11:01:09 -0300 Subject: [LARTC] IP ROUTE References: <001101c47340$f6c281a0$1410a8c0@Wireless> Message-ID: <000201c473e2$3590c620$1410a8c0@Wireless> The problem was the CONFIG_IP_ROUTE_MULTIPATH module of the kernel. Thanks to all; now I am fighting with what the module for tc filter is, because I can't do this:

server2 linux # tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
RTNETLINK answers: Invalid argument
server2 linux #

----- Original Message ----- From: Matias Namiot To: lartc@mailman.ds9a.nl Sent: Monday, July 26, 2004 3:47 PM Subject: [LARTC] IP ROUTE
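An added model, not code from any poster, for two questions in this digest: Jens's netfilter log traversal for mail traffic that is SNATed on its way out, and Steven's fwmark rule that never marks Squid's traffic (the point Pete's reply makes). It walks a packet through the chain/table order a 2.4-era kernel uses (later kernels add a raw table in front of mangle, omitted here), consults the nat chains only for the first packet of a connection, applies the conntrack mapping at nat POSTROUTING, and re-routes a locally generated packet after mangle OUTPUT. The single SNAT-to-WAN rule, the routing by mark only, the WAN address 203.0.113.7 and the remote hosts 198.51.100.x are assumptions; 192.168.1.2 is the mail server from Jens's post.

```python
# Order in which one packet meets the iptables chains. Forwarded traffic
# never touches INPUT/OUTPUT, and nothing runs between mangle POSTROUTING
# and nat POSTROUTING, where SNAT is applied; the translated source is only
# visible on the wire (tcpdump on the outgoing interface), never in a LOG.
FORWARD_PATH = [
    ("PREROUTING", "mangle"), ("PREROUTING", "nat"), "ROUTE",
    ("FORWARD", "mangle"), ("FORWARD", "filter"),
    ("POSTROUTING", "mangle"), ("POSTROUTING", "nat"),
]
# Locally generated packets (Squid on the box) are routed before OUTPUT;
# a mark set in mangle OUTPUT makes the kernel route them a second time.
OUTPUT_PATH = [
    "ROUTE", ("OUTPUT", "mangle"), "ROUTE", ("OUTPUT", "nat"),
    ("OUTPUT", "filter"), ("POSTROUTING", "mangle"), ("POSTROUTING", "nat"),
]

# The four LOG points Jens describes in his post.
JENS_LOG_POINTS = [("PREROUTING", "mangle"), ("PREROUTING", "nat"),
                   ("FORWARD", "mangle"), ("POSTROUTING", "mangle")]


class Box:
    """Router model: one SNAT-to-WAN rule for forwarded traffic, MARK rules
    in the mangle table, and `ip rule add fwmark N table X` as mark_routes."""

    def __init__(self, wan_ip, mark_rules=(), mark_routes=None, log_points=()):
        self.wan_ip = wan_ip
        self.mark_rules = list(mark_rules)           # dicts: chain, iface_in, dport, mark
        self.mark_routes = dict(mark_routes or {})   # mark -> outgoing interface
        self.log_points = set(log_points)
        self.conntrack = {}                          # flow -> SNAT source or None

    def _route(self, p):
        p["out"] = self.mark_routes.get(p["mark"], "eth0")   # eth0 holds the default gw

    def process(self, pkt):
        """Return (log entries, packet as it leaves the box)."""
        p = dict(pkt, mark=0, out=None)
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        new = flow not in self.conntrack
        forwarded = p["iface_in"] is not None
        log = []
        for hook in (FORWARD_PATH if forwarded else OUTPUT_PATH):
            if hook == "ROUTE":
                self._route(p)
                continue
            chain, table = hook
            if table == "nat" and not new:
                # nat chains are consulted for the first packet only; the
                # mapping conntrack recorded then is still applied afterwards
                if hook == ("POSTROUTING", "nat") and self.conntrack[flow]:
                    p["src"] = self.conntrack[flow]
                continue
            if table == "mangle":
                for r in self.mark_rules:
                    if (r["chain"] == chain and r["dport"] == p["dport"]
                            and r["iface_in"] in (None, p["iface_in"])):
                        p["mark"] = r["mark"]
            if hook in self.log_points:
                log.append((chain, table, p["iface_in"], p["out"], p["src"], p["mark"]))
            if hook == ("POSTROUTING", "nat"):
                self.conntrack[flow] = self.wan_ip if forwarded else None
                if self.conntrack[flow]:
                    p["src"] = self.conntrack[flow]
        return log, p


# Constructed packets: Jens's mail server talking to a remote MTA through the
# box (arrives on eth3), and the box's own Squid fetching a web page.
MAIL = {"src": "192.168.1.2", "sport": 40000, "dst": "198.51.100.25", "dport": 25, "iface_in": "eth3"}
SQUID = {"src": "203.0.113.7", "sport": 50000, "dst": "198.51.100.80", "dport": 80, "iface_in": None}

# Steven's rule as posted (matches only packets arriving on eth0) and the
# OUTPUT-chain form that catches traffic the box itself generates.
PREROUTING_MARK = {"chain": "PREROUTING", "iface_in": "eth0", "dport": 80, "mark": 1}
OUTPUT_MARK = {"chain": "OUTPUT", "iface_in": None, "dport": 80, "mark": 1}


def jens_logs():
    box = Box("203.0.113.7", log_points=JENS_LOG_POINTS)
    first, _ = box.process(MAIL)
    second, on_wire = box.process(MAIL)
    return first, second, on_wire


def squid_out(rule):
    _, p = Box("203.0.113.7", [rule], {1: "eth1"}).process(SQUID)
    return p["mark"], p["out"]


if __name__ == "__main__":
    first, second, on_wire = jens_logs()
    for e in first:
        print("pkt1", e)
    for e in second:
        print("pkt2", e)
    print("on the wire:", on_wire["src"], "->", on_wire["dst"], "via", on_wire["out"])
    print("PREROUTING rule:", squid_out(PREROUTING_MARK), "OUTPUT rule:", squid_out(OUTPUT_MARK))
```

Run as a script it reproduces Jens's two log patterns (four entries for the first packet, three for the second, every one of them with the untranslated 192.168.1.2 source) and shows the Squid packet leaving via eth0 unmarked with the PREROUTING rule but marked and routed via eth1 with the same match moved to the mangle OUTPUT chain.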
From Snotling@gmx.net Tue Jul 27 15:57:04 2004 From: Snotling@gmx.net (Marcus Schäfer) Date: Tue, 27 Jul 2004 16:57:04 +0200 Subject: [LARTC] Problem installing tcng Message-ID: <001401c473e9$fbcff2a0$c97706d5@schwuleamsel> Hi, I have a little problem installing tcng. Sorry, but a Linux beginner needs help. I use SuSE with a 2.4.21-99-default kernel, iproute2 version 020116-try and tcng-9m. When I try to build tcng with the make command the following error occurs:

scripts/symlinks.sh: line 1: CONFIG_RELEASE: command not found
scripts/symlinks.sh: line 1: CONFIG_CFGNAME: command not found
make: ***[.symlinks] Error 127

Thx for the answers
From nix4me@cfl.rr.com Wed Jul 28 01:07:37 2004 From: nix4me@cfl.rr.com (nix4me) Date: Tue, 27 Jul 2004 20:07:37 -0400 Subject: [LARTC] shaping marked packets Message-ID: <4106EE49.1010109@cfl.rr.com> Hi, I am trying to figure out how to shape the following marked packets and limit them to a speed of 30 KBytes. I have read the documentation but I am unsure of what to do.

iptables -t mangle -A FTP-OUT -p tcp --dport 50000:51000 -j MARK --set-mark 1

Mark

From waruiinu@gmail.com Wed Jul 28 04:15:54 2004 From: waruiinu@gmail.com (George Alexandru Dragoi) Date: Wed, 28 Jul 2004 06:15:54 +0300 Subject: [LARTC] shaping marked packets In-Reply-To: <4106EE49.1010109@cfl.rr.com> References: <4106EE49.1010109@cfl.rr.com> Message-ID: <3063e5040727201531753d00@mail.gmail.com>

tc qdisc del dev ethx root
tc qdisc add dev ethx root handle 1: htb
tc class add dev ethx parent 1: classid 1:1 htb rate 30kbps
tc filter add dev ethx parent 1: prio 0 protocol ip handle 1 fw flowid 1:1

On Tue, 27 Jul 2004 20:07:37 -0400, nix4me wrote: > Hi, > > I am trying to figure out how to shape the following marked packets and > limit them to a speed of 30 KBytes. I have read the documentation but I > am unsure of what to do. > > iptables -t mangle -A FTP-OUT -p tcp --dport 50000:51000 -j MARK > --set-mark 1 > > Mark > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ >

From sbrooks@binary-solutions.net Wed Jul 28 06:50:01 2004 From: sbrooks@binary-solutions.net (Scott Brooks) Date: Tue, 27 Jul 2004 23:50:01 -0600 Subject: [LARTC] What happened to diffserv? Message-ID: <200407272350.01405.sbrooks@binary-solutions.net> I'm trying to find up-to-date information on diffserv, and it seems like either nobody is using it, or nobody is talking about using it. Is there some good site for information about using diffserv with new kernels?
The last update on diffserv.sourceforge.net is from 2001, and most of the mailing list results are from that time. Has everyone moved on to something other than diffserv, or has it died? Thanks -- Scott Brooks Network Operations Manager Binary Solutions Ltd. sbrooks@binary-solutions.net

From mjoachimiak@poczta.onet.pl Wed Jul 28 14:27:06 2004 From: mjoachimiak@poczta.onet.pl (mjoachimiak@poczta.onet.pl) Date: Wed, 28 Jul 2004 15:27:06 +0200 Subject: [LARTC] return routes References: <200407272222.37851.jens@pacificsun.ca> Message-ID: <004801c474a6$9446af30$0802a8c0@monster> What do you mean: >If I set the default gateway to eth0 > but send the mail thru eth1, the outgoing mail does in fact go correctly out, ? How are you doing this?

From mjoachimiak@poczta.onet.pl Wed Jul 28 14:19:04 2004 From: mjoachimiak@poczta.onet.pl (mjoachimiak@poczta.onet.pl) Date: Wed, 28 Jul 2004 15:19:04 +0200 Subject: [LARTC] Re: HTB 3.13 please help References: Message-ID: <001c01c474a5$75952130$0802a8c0@monster> //Just so as not to forget: eth0 is WAN and eth1 is LAN. The box is NATing my LAN. I configured tcng to shape both download and upload and I got connection loss again. Maybe it is my script's fault, or there is something wrong with the packet marking.
This is how I mark outgoing packets:

iptables -t mangle -A MYSHAPER-OUT -p tcp -s 192.168.1.23 -j MARK --set-mark $ip

and this is the part of my script which is intended to shape upload:

dev eth0 {
  egress {
    class (<$default>) if 1;
    htb ( r2q 1 ) {
      class ( rate 800kbps, ceil 800kbps ) {
        //192.168.1.0-----------------------------------------------------------
        $ruter = class ( rate 15kbps, ceil 250kbps ) { sfq( perturb 10secs, quantum 1500Bytes ); } ;
        fw {
          class $ruter on (23);
          //ruter-------------------------------------------------------------------------
          //--------------------- fw
        }//fw
      }//main class
    }//htb
  }//egress
}//eth0

and these are part of the `tc -s -d class show dev eth0` output during the connection loss after running my tcng script:

class htb 2:f parent 2:1 leaf 10: prio 0 quantum 1875 rate 1875bps ceil 15000bps burst 1617b/8 mpu 0b cburst 1749b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 706914 ctokens: 95572
class htb 2:1e parent 2:1 leaf 1f: prio 0 quantum 1875 rate 1875bps ceil 15000bps burst 1617b/8 mpu 0b cburst 1749b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 706914 ctokens: 95572
class htb 2:2d parent 2:1 leaf 2e: prio 0 quantum 1875 rate 1875bps ceil 15000bps burst 1617b/8 mpu 0b cburst 1749b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 706914 ctokens: 95572

> that is interesting. let me know then. other test might be to > reboot with maxcpus=1 to mitigate smp related bugs. > > On Sat, 25 Jan 2003 mjoachimiak@poczta.onet.pl wrote: > > > Yes I'm using an smp kernel. > > I thought that I made some error that I cannot see, so I decided to write my > > classes using tcng this time. > > Currently I'm shaping only outgoing traffic to my local network (using tcng) > > and it seems to work (it worked one day without errors). > > Today I'm going to configure upload too.
> > The difference I could see at once is that there is no connection loss when > > I'm starting htb. > > ----- Original Message ----- > > From: "devik" > > To: > > Cc: "lartc" > > Sent: Sunday, July 25, 2004 10:26 AM > > Subject: Re: [LARTC] Re: HTB 3.13 please help > > > > > > > From the stats it seems that no data are queued - as if nobody > > > is sending them. You are using an smp kernel, is your box SMP? > > > I haven't seen many smp+htb boxes, thus there might be the possibility > > > of a bug... > > > devik > > > > > > On Thu, 23 Jan 2003 mjoachimiak@poczta.onet.pl wrote: > > > > > > > I've attached outputs for eth0 and eth1. > > > > I was trying to get this script running. I've added one class for my > > NATed > > > > BOX, and it helped. Shaping was stable almost one day but then I added > > "prio > > > > 0" to eth0 filters and prio 0 for eth1 filters and it broke. So I > > removed > > > > every "prio 0" and rebooted the box but it didn't help :(. > > > > I've noticed that when the traffic is not much (14 hosts from 50 are up) > > > > tc/htb works very well. > > > > If you want the new version of my script say a word. > > > > ----- Original Message ----- > > > > From: "devik" > > > > To: > > > > Sent: Thursday, July 22, 2004 3:48 PM > > > > Subject: Re: HTB 3.13 please help > > > > > > > > > > > > > I need > > > > > tc -s -d class show dev xxx > > > > > output during that non-working period. 3.6 is older than 3.13. > > > > > > > > > > ------------------------------- > > > > > Martin Devera aka devik > > > > > Linux kernel QoS/HTB maintainer > > > > > http://luxik.cdi.cz/~devik/ > > > > > > > > > > On Wed, 21 Jul 2004 mjoachimiak@poczta.onet.pl wrote: > > > > > > > > > > > Thanks for your reply. I've recently put my problem on the lartc list. I'm > > > > using > > > > > > htb 3.13 in 2-4-25smp. > > > > > > I wonder if an upgrade to 3.6 will help? Could you be so kind and take > > a > > > > look > > > > > > at it. I'll be grateful.
> > > > > > If you have no time for me i'll understand and try to resolve it for > > > > myself. > > > > > > Thanks. > > > > > > > > > > > > Hello everybody! > > > > > > Since week i dig lists and www and can't find solution for my > > problem. > > > > > > I'm using HTB 3.13 kernel 2-4-25 smp iptables 1.2.9. > > > > > > I've got situation like this: > > > > > > > > > > > > LAN------Linux Box(routing only)------- Linux Box > > > > > > (HTB)--------------Hardware Router(say:HD)------Internet > > > > > > When I start HTB it takes about 5 min. to start working and it > > works... > > > > > > within this 5min starting i can't ping HD and after about 5min I > > start > > > > > > pinging. It works like this for cuple of hours, then something > > strange > > > > is > > > > > > happening. Ping stops, www doesn't work but radio (36kbps) (from > > > > clients) > > > > > > works. There is no ping at all for about 1min and it starts pinging > > for > > > > > > about 2-3min and it stops for 1-2min and so on..... > > > > > > When I stop HTB ping starts. It's look like HTB is filled to > > much(sorry > > > > for > > > > > > my english :/) > > > > > > All my children classes rate doesn't exceeds root classes. I have 50 > > > > classes > > > > > > on 900kbit-10kbit(for default class) - downstream and 800-10kbit(for > > > > > > default) up. > > > > > > I shape bandwidth matching ip. r2q is set to 1 . no erros during > > doing > > > > shape > > > > > > script. > > > > > > I'm attaching this script > > > > > > in ip1 is file where are written ip's for C classes. > > > > > > > > > > > > I'm including my script. 
> > > > > > ---------------------------------------------------cut here -----------------------------------------------------------------------------------
> > > > > > #!/bin/bash
> > > > > > #x=$[100/20]
> > > > > > #echo "$1" > /skrytpy/status
> > > > > > rxmax=900 #WAN max transfer -down (physically it is 960kbit/960kbit)
> > > > > > kbit=kbit
> > > > > > rxmaxluser=250
> > > > > > txmax=800 #WAN max transfer - up
> > > > > > txmaxluser=100
> > > > > > #counting users
> > > > > > # ip1 file is like this:
> > > > > > # 11 #Somebody
> > > > > > # 23 #Somebody II
> > > > > > #EOF
> > > > > > licznik=0
> > > > > > for x in $(awk '{ print $1 }' /skrytpy/ip1); do
> > > > > > licznik=$[$licznik+1]
> > > > > > done
> > > > > >
> > > > > > #Server
> > > > > > licznik=$[$licznik+1]
> > > > > > #plus router
> > > > > > licznik=$[$licznik+1]
> > > > > >
> > > > > > echo number of users to $licznik
> > > > > > #counting rate
> > > > > > rx1=$[$rxmax-10]
> > > > > > tx1=$[$txmax-10] # for the default class
> > > > > > rxmin=$[$rx1/$licznik]
> > > > > > txmin=$[$tx1/$licznik]
> > > > > > echo rx $rxmin tx $txmin
> > > > > > #echo $rxmin
> > > > > > #root classes
> > > > > > #rx
> > > > > > tc qdisc del root dev eth1
> > > > > > tc qdisc add dev eth1 root handle 1:0 htb r2q 1 default 2
> > > > > > tc class add dev eth1 parent 1:0 classid 1:1 htb rate $rxmax$kbit ceil $rxmax$kbit
> > > > > > #tx
> > > > > > tc qdisc del root dev eth0
> > > > > > tc qdisc add dev eth0 root handle 2:0 htb r2q 1 default 4
> > > > > > tc class add dev eth0 parent 2:0 classid 2:1 htb rate $txmax$kbit ceil $txmax$kbit
> > > > > > #r="$rxmax$kbit"
> > > > > > #default classes
> > > > > > #rx
> > > > > > tc class add dev eth1 parent 1:1 classid 1:2 htb rate 10kbit ceil 10kbit
> > > > > > #tx
> > > > > > tc class add dev eth0 parent 2:1 classid 2:4 htb rate 10kbit ceil 10kbit
> > > > > >
> > > > > > #siec (network) 1.0
> > > > > > siec=1
> > > > > > for ip in $(awk '{ print $1 }' /skrytpy/ip1); do
> > > > > > echo -n "$ip "
> > > > > > #rx
> > > > > > tc class add dev eth1 parent 1:1 classid 1:$ip htb rate $rxmin$kbit ceil $rxmaxluser$kbit
> > > > > > tc filter add dev eth1 protocol ip parent 1:0 u32 match ip dst 192.168.$siec.$ip flowid 1:$ip
> > > > > > tc qdisc add dev eth1 parent 1:$ip handle $ip:0 sfq perturb 10
> > > > > > #tx
> > > > > > #marking packets
> > > > > > iptables -t mangle -A MYSHAPER-OUT -p tcp -s 192.168.$siec.$ip -j MARK --set-mark $ip
> > > > > > #tc
> > > > > > tc class add dev eth0 parent 2:1 classid 2:$ip htb rate $txmin$kbit ceil $txmaxluser$kbit
> > > > > > #filtering by mark
> > > > > > tc filter add dev eth0 protocol ip preference 1 parent 2:0 handle $ip fw flowid 2:$ip
> > > > > > tc qdisc add dev eth0 parent 2:$ip handle $ip:1 sfq perturb 10
> > > > > > done
> > > > > > echo ""
> > > > > >
> > > > > > --------------------------------------------------------------------cut here ------------------------------------------------------------------
> > >
> > > _______________________________________________
> > > LARTC mailing list / LARTC@mailman.ds9a.nl
> > > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> >
> > _______________________________________________
> > LARTC mailing list / LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From devik@cdi.cz Wed Jul 28 14:30:45 2004 From: devik@cdi.cz (devik) Date: Wed, 28 Jul 2004 15:30:45 +0200 (CEST) Subject: [LARTC] Re: HTB 3.13 please help In-Reply-To: <001c01c474a5$75952130$0802a8c0@monster> Message-ID:

as you can see, NO packets are going thru. You have to look to other classes as well as to ifconfig and tc -s qdisc show dev xxx to see where packets are lost.
On Wed, 28 Jul 2004 mjoachimiak@poczta.onet.pl wrote: > //Just to not forget eth0 is WAN and eth1 is LAN . The box is NATing my lan. > I configured tcng to shape both download and upload > and i got connection loss again. > Maybe it is my script fault or it is something bad with packets marking . > this is how i mark outgoing packets > iptables -t mangle -A MYSHAPER-OUT -p tcp -s 192.168.1.23 -j MARK --set-mark > $ip > > and this part of my script which is intented to shape upload: > dev eth0 { > egress { > class (<$default>) if 1; > htb ( r2q 1 ) { > class ( rate 800kbps, ceil 800kbps ) { > > //192.168.1.0----------------------------------------------------------- > $ruter = class ( rate 15kbps, ceil 250kbps ) { sfq( perturb 10secs, > quantum 1500Bytes ); } ; > fw { > > class $ruter on (23); > //ruter--------------------------------------------------------------------- > ---- > > > //--------------------- fw > }//fw > }//main class > }//htb > }//egress > }//eth0(none):/skrytpy# > > and these are a bit of `tc -s -d class show dev eth0` prints while > connection loss after running my tcng script : > > class htb 2:f parent 2:1 leaf 10: prio 0 quantum 1875 rate 1875bps ceil > 15000bps burst 1617b/8 mpu 0b cburst 1749b/8 mpu 0b level 0 > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > lended: 0 borrowed: 0 giants: 0 > tokens: 706914 ctokens: 95572 > > class htb 2:1e parent 2:1 leaf 1f: prio 0 quantum 1875 rate 1875bps ceil > 15000bps burst 1617b/8 mpu 0b cburst 1749b/8 mpu 0b level 0 > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > lended: 0 borrowed: 0 giants: 0 > tokens: 706914 ctokens: 95572 > > class htb 2:2d parent 2:1 leaf 2e: prio 0 quantum 1875 rate 1875bps ceil > 15000bps burst 1617b/8 mpu 0b cburst 1749b/8 mpu 0b level 0 > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > lended: 0 borrowed: 0 giants: 0 > tokens: 706914 ctokens: 95572 > > > > that is interesting. let me know then. other test might be to > > reboot with maxcpus=1 to mitigate smp related bugs. 
> > > > On Sat, 25 Jan 2003 mjoachimiak@poczta.onet.pl wrote: > > > > > Yes I'm using smp kernel. > > > I thought that i make some error that i canot see so i decided to write > my > > > classes using tcng this time. > > > Currently i'm shaping only outgoing traffic to my local network(using > tcng) > > > and it seems to work (it work one day without errors). > > > Today i'm going to configure upload too. > > > The difference i could see at once is that there is no connection loss > when > > > i'm starting htb. > > > ----- Original Message ----- > > > From: "devik" > > > To: > > > Cc: "lartc" > > > Sent: Sunday, July 25, 2004 10:26 AM > > > Subject: Re: [LARTC] Re: HTB 3.13 please help > > > > > > > > > > From the stats is seems that no data are queued - as if nobody > > > > is sending them. You are using smp kernel, is your box SMP ? > > > > I haven't seen many smp+htb boxes thus there might be possibility > > > > of a bug... > > > > devik > > > > > > > > On Thu, 23 Jan 2003 mjoachimiak@poczta.onet.pl wrote: > > > > > > > > > I've attached outputs for eth0 and eth1. > > > > > I was trying to get this script running. I've added one class for my > > > NATed > > > > > BOX, and it helped. Shaping was stable almost one day but then i > added > > > "prio > > > > > 0" to eth0 filters and prio 0 for eth1 filters it has braken. So i > > > removed > > > > > every "prio 0" and reboot the box but it didnt helped :(. > > > > > I've noticed that when the traffic is not much (14 hosts from 50 are > up) > > > > > tc/htb works very well. > > > > > If you want new version of my script say a word. > > > > > ----- Original Message ----- > > > > > From: "devik" > > > > > To: > > > > > Sent: Thursday, July 22, 2004 3:48 PM > > > > > Subject: Re: HTB 3.13 please help > > > > > > > > > > > > > > > > I need > > > > > > tc -s -d class show dev xxx > > > > > > output during that non-working period. 3.6 is older than 3.13. 
> > > > > > > > > > > > ------------------------------- > > > > > > Martin Devera aka devik > > > > > > Linux kernel QoS/HTB maintainer > > > > > > http://luxik.cdi.cz/~devik/ > > > > > > > > > > > > On Wed, 21 Jul 2004 mjoachimiak@poczta.onet.pl wrote: > > > > > > > > > > > > > Thanks for your reply. I've recent put my problem on lartc list. > I'm > > > > > using > > > > > > > htb 3.13 in 2-4-25smp. > > > > > > > I wonder if upgrade to 3.6 will help? Could you be so kind and > take > > > a > > > > > look > > > > > > > at it. I'll be grateful. > > > > > > > If you have no time for me i'll understand and try to resolve it > for > > > > > myself. > > > > > > > Thanks. > > > > > > > > > > > > > > Hello everybody! > > > > > > > Since week i dig lists and www and can't find solution for my > > > problem. > > > > > > > I'm using HTB 3.13 kernel 2-4-25 smp iptables 1.2.9. > > > > > > > I've got situation like this: > > > > > > > > > > > > > > LAN------Linux Box(routing only)------- Linux Box > > > > > > > (HTB)--------------Hardware Router(say:HD)------Internet > > > > > > > When I start HTB it takes about 5 min. to start working and it > > > works... > > > > > > > within this 5min starting i can't ping HD and after about 5min I > > > start > > > > > > > pinging. It works like this for cuple of hours, then something > > > strange > > > > > is > > > > > > > happening. Ping stops, www doesn't work but radio (36kbps) (from > > > > > clients) > > > > > > > works. There is no ping at all for about 1min and it starts > pinging > > > for > > > > > > > about 2-3min and it stops for 1-2min and so on..... > > > > > > > When I stop HTB ping starts. It's look like HTB is filled to > > > much(sorry > > > > > for > > > > > > > my english :/) > > > > > > > All my children classes rate doesn't exceeds root classes. I > have 50 > > > > > classes > > > > > > > on 900kbit-10kbit(for default class) - downstream and > 800-10kbit(for > > > > > > > default) up. 
> > > > > > > I shape bandwidth matching ip. r2q is set to 1 . no erros during > > > doing > > > > > shape > > > > > > > script. > > > > > > > I'm attaching this script > > > > > > > in ip1 is file where are written ip's for C classes. > > > > > > > > > > > > > > I'm including my script. > > > > > > > ---------------------------------------------------cut > > > > > > > > > > > > > > > > here ----------------------------------------------------------------------- > > > > > > > ------------ > > > > > > > #!/bin/bash > > > > > > > #x=$[100/20] > > > > > > > #echo "$1" > /skrytpy/status > > > > > > > rxmax=900 #WAN max transfer -down (physically it is > 960kbit/960kbit) > > > > > > > kbit=kbit > > > > > > > rxmaxluser=250 > > > > > > > txmax=800 #WAN max transfer - up > > > > > > > txmaxluser=100 > > > > > > > #counting users > > > > > > > # ip1 file is like this: > > > > > > > # 11 #Somebody > > > > > > > # 23 #Somebody II > > > > > > > #EOF > > > > > > > licznik=0 > > > > > > > for x in $(awk '{ print $1 }' /skrytpy/ip1); do > > > > > > > licznik=$[$licznik+1] > > > > > > > done > > > > > > > > > > > > > > > > > > > > > #Server > > > > > > > licznik=$[$licznik+1] > > > > > > > #plus router > > > > > > > licznik=$[$licznik+1] > > > > > > > > > > > > > > echo number of users to $licznik > > > > > > > #counting rate > > > > > > > rx1=$[$rxmax-10] > > > > > > > tx1=$[$txmax-10] # dla klasy domyslnej > > > > > > > rxmin=$[$rx1/$licznik] > > > > > > > txmin=$[$tx1/$licznik] > > > > > > > echo rx $rxmin tx $txmin > > > > > > > #echo $rxmin > > > > > > > #root classes > > > > > > > #rx > > > > > > > tc qdisc del root dev eth1 > > > > > > > tc qdisc add dev eth1 root handle 1:0 htb r2q 1 default 2 > > > > > > > tc class add dev eth1 parent 1:0 classid 1:1 htb rate > $rxmax$kbit > > > ceil > > > > > > > $rxmax$kbit > > > > > > > #tx > > > > > > > tc qdisc del root dev eth0 > > > > > > > tc qdisc add dev eth0 root handle 2:0 htb r2q 1 default 4 > > > > > > > tc class add dev 
eth0 parent 2:0 classid 2:1 htb rate > $txmax$kbit > > > ceil > > > > > > > $txmax$kbit > > > > > > > #r="$rxmax$kbit" > > > > > > > #default classes > > > > > > > #rx > > > > > > > tc class add dev eth1 parent 1:1 classid 1:2 htb rate 10kbit > ceil > > > 10kbit > > > > > > > #tx > > > > > > > tc class add dev eth0 parent 2:1 classid 2:4 htb rate 10kbit > ceil > > > 10kbit > > > > > > > > > > > > #siec 1.0 > > > > > > > siec=1 > > > > > > > for ip in $(awk '{ print $1 }' /skrytpy/ip1); do > > > > > > > echo -n "$ip " > > > > > > > #rx > > > > > > > tc class add dev eth1 parent 1:1 classid 1:$ip htb rate > $rxmin$kbit > > > ceil > > > > > > > $rxmaxluser$kbit > > > > > > > tc filter add dev eth1 protocol ip parent 1:0 u32 match ip dst > > > > > > > 192.168.$siec.$ip flowid 1:$ip > > > > > > > tc qdisc add dev eth1 parent 1:$ip handle $ip:0 sfq perturb 10 > > > > > > > #tx > > > > > > > #marking packets > > > > > > > iptables -t mangle -A MYSHAPER-OUT -p tcp -s > 192.168.$siec.$ip -j > > > > > > > MARK --set-mark $ip > > > > > > > #tc > > > > > > > tc class add dev eth0 parent 2:1 classid 2:$ip htb rate > $txmin$kbit > > > ceil > > > > > > > $txmaxluser$kbit > > > > > > > #filtering by mark > > > > > > > tc filter add dev eth0 protocol ip preference 1 parent 2:0 > handle > > > $ip fw > > > > > > > flowid 2:$ip > > > > > > > tc qdisc add dev eth0 parent 2:$ip handle $ip:1 sfq perturb 10 > > > > > > > done > > > > > > > echo "" > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------cut > > > > > > > > > > here ------------------------------------------------------------------ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > LARTC mailing list / LARTC@mailman.ds9a.nl > > > > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > > > > > > _______________________________________________ > > > LARTC mailing list / 
LARTC@mailman.ds9a.nl
> > > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From namiot@ciudad.com.ar Wed Jul 28 16:00:34 2004 From: namiot@ciudad.com.ar (Matias Namiot) Date: Wed, 28 Jul 2004 12:00:34 -0300 Subject: [LARTC] IP ROUTE References: <001101c47340$f6c281a0$1410a8c0@Wireless> Message-ID: <007201c474b3$a3648b60$1410a8c0@Wireless>

Thanks, the problem was the kernel with CONFIG_IP_ROUTE_MULTIPATH

----- Original Message -----
From: Matias Namiot
To: lartc@mailman.ds9a.nl
Sent: Monday, July 26, 2004 3:47 PM
Subject: [LARTC] IP ROUTE

Hello, my linux shows me this:

server2 root # ip route add default scope global nexthop via 192.168.5.1 dev eth2 weight 1 nexthop via 192.168.160.1 dev eth0 weight 1
RTNETLINK answers: Invalid argument

What can I do????
Thanks
Matias

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.726 / Virus Database: 481 - Release Date: 22/07/2004
From namiot@ciudad.com.ar Wed Jul 28 15:58:59 2004 From: namiot@ciudad.com.ar (Matias Namiot) Date: Wed, 28 Jul 2004 11:58:59 -0300 Subject: [LARTC] IP ROUTE References: <001101c47340$f6c281a0$1410a8c0@Wireless> <4105648C.3040805@tri-oxyde.org> Message-ID: <006201c474b3$6df3aab0$1410a8c0@Wireless>

I need to resolve this problem now, because I don't have any time, and my problem is:

server2 root # ip route add default scope global nexthop via 192.168.5.1 dev eth2 weight 1 nexthop via 192.168.160.1 dev eth0 weight 1
RTNETLINK answers: Invalid argument

I want to make this; this is my configuration:

# TC configuration for Bariloche Wireless
# Internet uplink: eth1
# Upload 128k and download 128k

# Values:
# mbps = 1024 kbps = 1024 * 1024 bps => byte/s
# mbit = 1024 kbit => kilobit/s.
# mb = 1024 kb = 1024 * 1024 b => byte
# mbit = 1024 kbit => kilobit.
# Internally the numbers are stored in bps, but when tc prints rates it uses the following:
# 1Mbit = 1024 Kbit = 1024 * 1024 bps => byte/s

##### Clear previous rules
tc qdisc del dev eth1 root    2> /dev/null > /dev/null
tc qdisc del dev eth1 ingress 2> /dev/null > /dev/null

##### Define the qdiscs

# Define the upper rate and the internet device
CEIL=128
DEV_INT=eth1

# This line sends unclassified traffic to class 1:15 by default
tc qdisc add dev eth1 root handle 1: htb default 15

# Parent qdisc
tc class add dev eth1 parent 1: classid 1:1 htb rate ${CEIL}kbit ceil ${CEIL}kbit

# This line handles low-latency packets (telnet, ssh, SYN, etc.) as interactive
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 80kbit ceil 80kbit prio 0

# This line handles bulk WEB traffic
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 80kbit ceil ${CEIL}kbit prio 1

# This line handles TOS maximize-throughput traffic and local traffic
#tc class add dev eth1 parent 1:1 classid 1:12 htb rate 20kbit ceil ${CEIL}kbit prio 2

# This line handles the NATed machines
tc class add dev eth1 parent 1:1 classid 1:13 htb rate 80kbit ceil ${CEIL}kbit prio 2

# This line handles SMTP and POP3 mail with a minimize-cost TOS.
tc class add dev eth1 parent 1:1 classid 1:14 htb rate 20kbit ceil ${CEIL}kbit prio 3

# This line handles bulk traffic from the NATed machines running Kazaa, e-Donkey, etc.
tc class add dev eth1 parent 1:1 classid 1:15 htb rate 10kbit ceil ${CEIL}kbit prio 3

# Apply SFQ to the heavy traffic, rehashing every 10 seconds
#tc qdisc add dev eth1 parent 1:12 handle 120: sfq perturb 10
tc qdisc add dev eth1 parent 1:13 handle 130: sfq perturb 10
tc qdisc add dev eth1 parent 1:14 handle 140: sfq perturb 10
tc qdisc add dev eth1 parent 1:15 handle 150: sfq perturb 10

##### Packet classification with iptables
# iptables is preferred because it is very flexible and you can count packets per rule, and with the
# RETURN target packets do not need to traverse all the rules. Packets with an FWMARK (handle x fw) go to the indicated class
tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
#tc filter add dev eth0 parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12
tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 4 fw classid 1:13
tc filter add dev eth0 parent 1:0 protocol ip prio 5 handle 5 fw classid 1:14
tc filter add dev eth0 parent 1:0 protocol ip prio 6 handle 6 fw classid 1:15

##### NAT with iptables has to be done here.

##### Marking packets
# Don't forget -j RETURN so that packets do not traverse all the rules

##### For class 10
# iptables marks for ICMP packets
iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p icmp -j RETURN
iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -p icmp -j RETURN

# iptables marks for packets with Minimize-Delay TOS
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j RETURN
iptables -t mangle -A OUTPUT -m tos --tos Minimize-Delay -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -m tos --tos Minimize-Delay -j RETURN

# iptables marks for SSH packets
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j RETURN
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j RETURN

# iptables marks for SYN packets
iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
iptables -t mangle -I OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
iptables -t mangle -I OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN

##### For class 11
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j RETURN
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 80 -j MARK --set-mark 0x2
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 80 -j RETURN

##### For class 13
# iptables marks for FTP and FTP-DATA packets
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 21 -j MARK --set-mark 0x4
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 21 -j RETURN
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 21 -j MARK --set-mark 0x4
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 21 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 20 -j MARK --set-mark 0x4
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 20 -j RETURN
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 20 -j MARK --set-mark 0x4
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 20 -j RETURN

##### For class 14
# iptables marks for packets with Minimize-Cost TOS
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j MARK --set-mark 0x5
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j RETURN
iptables -t mangle -A OUTPUT -m tos --tos Minimize-Cost -j MARK --set-mark 0x5
iptables -t mangle -A OUTPUT -m tos --tos Minimize-Cost -j RETURN

# iptables marks for SMTP packets
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 25 -j MARK --set-mark 0x5
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 25 -j RETURN
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 25 -j MARK --set-mark 0x5
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 25 -j RETURN

# iptables marks for POP3 packets
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 110 -j MARK --set-mark 0x5
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 110 -j RETURN
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 110 -j MARK --set-mark 0x5
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 110 -j RETURN

##### For class 15
# iptables marks for packets with Maximize-Throughput TOS
iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 0x6
iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j RETURN
iptables -t mangle -A OUTPUT -m tos --tos Maximize-Throughput -j MARK --set-mark 0x6
iptables -t mangle -A OUTPUT -m tos --tos Maximize-Throughput -j RETURN

# iptables marks for default packets (redundant)
iptables -t mangle -A PREROUTING -j MARK --set-mark 0x6
iptables -t mangle -A OUTPUT -j MARK --set-mark 0x6

My kernel config is:

CONFIG_X86=y CONFIG_UID16=y CONFIG_EXPERIMENTAL=y CONFIG_MODULES=y CONFIG_MODVERSIONS=y CONFIG_KMOD=y CONFIG_MXP31=y CONFIG_X86_WP_WORKS_OK=y
CONFIG_X86_INVLPG=y CONFIG_X86_CMPXCHG=y CONFIG_X86_XADD=y CONFIG_X86_BSWAP=y CONFIG_X86_POPAD_OK=y CONFIG_RWSEM_XCHGADD_ALGORITHM=y CONFIG_X86_L1_CACHE_SHIFT=6
CONFIG_X86_HAS_TSC=y CONFIG_X86_GOOD_APIC=y CONFIG_X86_USE_3DNOW=y CONFIG_X86_PGE=y CONFIG_X86_USE_PPRO_CHECKSUM=y CONFIG_X86_MCE=y CONFIG_NOHIGHMEM=y CONFIG_1GB=y
CONFIG_PREEMPT=y CONFIG_X86_TSC=y CONFIG_HAVE_DEC_LOCK=y CONFIG_NET=y CONFIG_PCI=y CONFIG_PCI_GOANY=y CONFIG_PCI_BIOS=y CONFIG_PCI_DIRECT=y CONFIG_PCI_NAMES=y
CONFIG_HOTPLUG=y CONFIG_SYSVIPC=y CONFIG_SYSCTL=y CONFIG_KCORE_ELF=y CONFIG_BINFMT_AOUT=y CONFIG_BINFMT_ELF=y CONFIG_BINFMT_MISC=y CONFIG_PACKET=y CONFIG_PACKET_MMAP=y
CONFIG_NETLINK_DEV=y CONFIG_NETFILTER=y CONFIG_NETFILTER_DEBUG=y CONFIG_FILTER=y CONFIG_UNIX=y CONFIG_INET=y CONFIG_IP_MULTICAST=y CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y CONFIG_IP_ROUTE_FWMARK=y CONFIG_IP_ROUTE_NAT=y CONFIG_IP_ROUTE_MULTIPATH=y CONFIG_IP_ROUTE_TOS=y CONFIG_IP_ROUTE_VERBOSE=y CONFIG_NET_IPIP=y
CONFIG_IP_MROUTE=y CONFIG_IP_PIMSM_V1=y CONFIG_IP_PIMSM_V2=y CONFIG_INET_ECN=y CONFIG_IP_NF_CONNTRACK=y CONFIG_IP_NF_FTP=y CONFIG_IP_NF_QUEUE=y CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y CONFIG_IP_NF_MATCH_MAC=y CONFIG_IP_NF_MATCH_PKTTYPE=y CONFIG_IP_NF_MATCH_MARK=y CONFIG_IP_NF_MATCH_MULTIPORT=y CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y CONFIG_IP_NF_MATCH_LENGTH=y CONFIG_IP_NF_MATCH_TTL=y CONFIG_IP_NF_MATCH_TCPMSS=y CONFIG_IP_NF_MATCH_STEALTH=y CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y CONFIG_IP_NF_MATCH_CONNTRACK=y CONFIG_IP_NF_FILTER=y CONFIG_IP_NF_TARGET_REJECT=y CONFIG_IP_NF_TARGET_MIRROR=y CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y CONFIG_IP_NF_TARGET_MASQUERADE=y CONFIG_IP_NF_TARGET_REDIRECT=y CONFIG_IP_NF_NAT_FTP=y CONFIG_IP_NF_MANGLE=y CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_MARK=y CONFIG_IP_NF_TARGET_LOG=y CONFIG_IP_NF_TARGET_TCPMSS=y CONFIG_IP_NF_ARPTABLES=y CONFIG_IP_NF_ARPFILTER=y CONFIG_NET_DIVERT=y
CONFIG_NET_FASTROUTE=y CONFIG_NET_SCHED=y CONFIG_NET_SCH_CBQ=y CONFIG_NET_SCH_HTB=y CONFIG_NET_SCH_CSZ=y CONFIG_NET_SCH_HFSC=y CONFIG_NET_SCH_PRIO=y CONFIG_NET_SCH_RED=y
CONFIG_NET_SCH_SFQ=y CONFIG_NET_SCH_TEQL=y CONFIG_NET_SCH_TBF=y CONFIG_NET_SCH_GRED=y CONFIG_NET_SCH_DELAY=y CONFIG_NET_SCH_DSMARK=y CONFIG_NET_SCH_INGRESS=y
CONFIG_NET_QOS=y CONFIG_NET_ESTIMATOR=y CONFIG_NET_CLS=y CONFIG_NET_CLS_TCINDEX=y CONFIG_NET_CLS_ROUTE4=y CONFIG_NET_CLS_ROUTE=y CONFIG_NET_CLS_FW=y CONFIG_NET_CLS_U32=y
CONFIG_NET_CLS_RSVP=y CONFIG_NET_CLS_POLICE=y CONFIG_IDE=y CONFIG_BLK_DEV_IDE=y CONFIG_BLK_DEV_IDEDISK=y CONFIG_IDEDISK_MULTI_MODE=y CONFIG_BLK_DEV_IDECD=y
CONFIG_BLK_DEV_CMD640=y CONFIG_BLK_DEV_IDEPCI=y CONFIG_BLK_DEV_GENERIC=y CONFIG_IDEPCI_SHARE_IRQ=y CONFIG_BLK_DEV_IDEDMA_PCI=y CONFIG_IDEDMA_PCI_AUTO=y
CONFIG_BLK_DEV_IDEDMA=y CONFIG_BLK_DEV_PIIX=y CONFIG_IDEDMA_AUTO=y CONFIG_NETDEVICES=y CONFIG_DUMMY=m CONFIG_NET_ETHERNET=y CONFIG_NET_VENDOR_3COM=y CONFIG_VORTEX=y
CONFIG_R8169=y CONFIG_PPP=y CONFIG_PPP_MULTILINK=y CONFIG_PPP_ASYNC=y CONFIG_PPP_SYNC_TTY=y CONFIG_PPPOE=y CONFIG_NET_RADIO=y CONFIG_HERMES=y CONFIG_PLX_HERMES=y
CONFIG_TMD_HERMES=y CONFIG_PCI_HERMES=y CONFIG_NET_WIRELESS=y CONFIG_VT=y CONFIG_VT_CONSOLE=y CONFIG_SERIAL=y CONFIG_UNIX98_PTYS=y CONFIG_UNIX98_PTY_COUNT=256
CONFIG_AGP=y CONFIG_AGP_NVIDIA=y CONFIG_AUTOFS4_FS=y CONFIG_REISERFS_FS=y CONFIG_REISERFS_CHECK=y CONFIG_REISERFS_PROC_INFO=y CONFIG_EXT3_FS=y CONFIG_JBD=y
CONFIG_JBD_DEBUG=y CONFIG_TMPFS=y CONFIG_RAMFS=y CONFIG_ISO9660_FS=y CONFIG_JOLIET=y CONFIG_PROC_FS=y CONFIG_DEVFS_FS=y CONFIG_DEVFS_MOUNT=y CONFIG_MSDOS_PARTITION=y
CONFIG_NLS=y CONFIG_NLS_DEFAULT="iso8859-1" CONFIG_VGA_CONSOLE=y CONFIG_VIDEO_SELECT=y CONFIG_FB=y CONFIG_DUMMY_CONSOLE=y CONFIG_FB_LOGO_TUX=y CONFIG_FB_VESA=y
CONFIG_VIDEO_SELECT=y CONFIG_FBCON_CFB8=y CONFIG_FBCON_CFB16=y CONFIG_FBCON_CFB24=y CONFIG_FBCON_CFB32=y CONFIG_FONT_8x8=y CONFIG_FONT_8x16=y CONFIG_LOG_BUF_SHIFT=0
CONFIG_CRC32=y

----- Original Message -----
From: mjoachimiak@poczta.onet.pl
To: Matias Namiot
Sent: Wednesday, July 28, 2004 10:21 AM
Subject: Re: [LARTC] IP ROUTE

Please send earlier commands you are doing before that tc filter add....

----- Original Message -----
From: Matias Namiot
To: lartc@mailman.ds9a.nl
Sent: Tuesday, July 27, 2004 4:01 PM
Subject: Re: [LARTC] IP ROUTE

The problem was the kernel module CONFIG_IP_ROUTE_MULTIPATH. Thanks for all; now I am fighting with what the tc filter module is, because I can't do this:

server2 linux # tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
RTNETLINK answers: Invalid argument
server2 linux #

----- Original Message -----
From: Matias Namiot
To: lartc@mailman.ds9a.nl
Sent: Monday, July 26, 2004 3:47 PM
Subject: [LARTC] IP ROUTE

Hello, my linux shows me this:

server2 root # ip route add default scope global nexthop via 192.168.5.1 dev eth2 weight 1 nexthop via 192.168.160.1 dev eth0 weight 1
RTNETLINK answers: Invalid argument

What can I do????
Thanks
Matias

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.726 / Virus Database: 481 - Release Date: 22/07/2004
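Added example (editor's; not Matias Namiot's script and not from the thread): the same five-class HTB tree and fw filters, emitted as a plan and checked before anything is applied. Two details of the posted script motivate it. First, the htb qdisc 1: and its classes are created on eth1, but every `tc filter add` says `dev eth0`, so each filter names a parent 1:0 that does not exist on that device; the kernel rejects such a filter, and the `RTNETLINK answers: Invalid argument` from `tc filter add dev eth0 parent 1:0 ...` in the follow-up is consistent with that. Second, the children's guaranteed rates (80+80+80+20+10 kbit) add up to 270 kbit under a 128 kbit parent, so the guarantees cannot all be honoured; the example scales them to sum to the parent rate. The device name, the rates, the `=`-separated mark-to-class table and the check function are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not the poster's script: build the HTB tree and the fw filters
# on ONE device, emit the tc commands as a plan, and check the plan before
# applying it. DEV_INT/CEIL and the rates below are assumptions.

DEV_INT=${DEV_INT:-eth1}   # interface carrying the shaped (uplink) traffic
CEIL=${CEIL:-128}          # link rate in kbit/s

# Print the tc commands (without the leading "tc") for a five-class HTB tree.
# Children's guaranteed rates sum to the parent rate (32+32+32+16+16 = 128) so
# every guarantee can be honoured; ceil lets the bulk classes borrow.
emit_plan() {
    dev=$1
    ceil=$2
    echo "qdisc del dev $dev root"
    echo "qdisc add dev $dev root handle 1: htb default 15"
    echo "class add dev $dev parent 1: classid 1:1 htb rate ${ceil}kbit ceil ${ceil}kbit"
    # 1:10 interactive (ICMP, SSH, SYN): fixed share, may not borrow (ceil == rate)
    echo "class add dev $dev parent 1:1 classid 1:10 htb rate 32kbit ceil 32kbit prio 0"
    echo "class add dev $dev parent 1:1 classid 1:11 htb rate 32kbit ceil ${ceil}kbit prio 1"
    echo "class add dev $dev parent 1:1 classid 1:13 htb rate 32kbit ceil ${ceil}kbit prio 2"
    echo "class add dev $dev parent 1:1 classid 1:14 htb rate 16kbit ceil ${ceil}kbit prio 3"
    echo "class add dev $dev parent 1:1 classid 1:15 htb rate 16kbit ceil ${ceil}kbit prio 3"
    # SFQ leaves stop one bulk flow from starving the others in the same class
    for cls in 13 14 15; do
        echo "qdisc add dev $dev parent 1:$cls handle ${cls}0: sfq perturb 10"
    done
    # fw filters: firewall mark N (set by iptables MARK) -> class 1:NN. They are
    # attached to the SAME device as the qdisc they hang off: parent 1:0 must exist on $dev.
    for pair in 1=10 2=11 4=13 5=14 6=15; do
        mark=${pair%=*}
        cls=${pair#*=}
        echo "filter add dev $dev parent 1:0 protocol ip prio $mark handle $mark fw classid 1:$cls"
    done
}

# Read a plan on stdin; exit 1 (and name the offender) if any filter refers to a
# parent qdisc that the plan never created on that device. That is exactly the
# shape of the posted script: htb 1: added on eth1, filters added with "dev eth0".
check_filter_parents() {
    awk '
        $1 == "qdisc" && $2 == "add" {
            d = ""; h = ""
            for (i = 1; i <= NF; i++) { if ($i == "dev") d = $(i+1); if ($i == "handle") h = $(i+1) }
            sub(/:$/, "", h)
            if (d != "" && h != "") seen[d ":" h] = 1
        }
        $1 == "filter" && $2 == "add" {
            d = ""; p = ""
            for (i = 1; i <= NF; i++) { if ($i == "dev") d = $(i+1); if ($i == "parent") p = $(i+1) }
            sub(/:.*$/, "", p)
            if (!((d ":" p) in seen)) {
                printf "filter on %s refers to qdisc %s: which was never added on %s\n", d, p, d
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Apply a checked plan by prefixing each line with tc (needs root).
apply_plan() {
    while read -r line; do
        case $line in
            "qdisc del "*) tc $line 2>/dev/null ;;   # nothing to delete on a fresh boot
            *) tc $line || return 1 ;;               # word splitting of $line is intended
        esac
    done
}

# Dry run: show the plan, verify it, then show the posted shape being rejected.
emit_plan "$DEV_INT" "$CEIL"
emit_plan "$DEV_INT" "$CEIL" | check_filter_parents && echo "plan OK: every filter parent exists on its device"
posted='qdisc add dev eth1 root handle 1: htb default 15
filter add dev eth0 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11'
printf '%s\n' "$posted" | check_filter_parents || echo "rejected: the posted script attaches filters to the wrong device"
```

Run it as-is for the dry run; as root, `emit_plan eth1 128 | check_filter_parents && emit_plan eth1 128 | apply_plan` applies the checked plan. One caveat on the iptables side that the posted script does not mention: rules such as `-A PREROUTING -p tcp --sport 22 -j MARK --set-mark 0x1` and the `--tos Minimize-Delay` match classify on fields the remote peer chooses, so any Internet host can place its traffic in the interactive class by sending from source port 22 or setting that TOS bit. Keeping that class at `ceil` equal to `rate`, as both the script and the example do, bounds what such traffic can take from the link.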
From mjoachimiak@poczta.onet.pl Wed Jul 28 16:56:07 2004 From: mjoachimiak@poczta.onet.pl (mjoachimiak@poczta.onet.pl) Date: Wed, 28 Jul 2004 17:56:07 +0200 Subject: [LARTC] Re: HTB 3.13 please help References: Message-ID: <007a01c474bb$65325400$0802a8c0@monster>
oops. I took bad classes (these clients were down so there was no traffic) lately from tc -s -d class show dev eth0. These are classes (part of) while there was no connection from clients.
BTW is it good tcng config with "fw". I mean if fw { class $classname on (2); } means "match packet to $classname if its mark equals 2" ?
Is there any kind of sniffer or something like that for tc? I mean to look in realtime packet statistics. Something like iptraf maybe?

class htb 2:1 root rate 800Kbit ceil 800Kbit burst 2623b/8 mpu 0b cburst 2623b/8 mpu 0b level 7
 Sent 21958200 bytes 38721 pkts (dropped 0, overlimits 0)
 rate 47328bps 68pps
 lended: 22026 borrowed: 0 giants: 0
 tokens: 20609 ctokens: 20609

class htb 2:10 parent 2:1 leaf 10: prio 0 quantum 1920 rate 15Kbit ceil 100Kbit burst 1618b/8 mpu 0b cburst 1727b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 690773 ctokens: 110592

class htb 2:23 parent 2:1 leaf 23: prio 0 quantum 1920 rate 15Kbit ceil 100Kbit burst 1618b/8 mpu 0b cburst 1727b/8 mpu 0b level 0
 Sent 2490197 bytes 3069 pkts (dropped 0, overlimits 0)
 rate 5157bps 5pps
 lended: 1015 borrowed: 2054 giants: 0
 tokens: -475203 ctokens: -30720

class htb 2:32 parent 2:1 leaf 32: prio 0 quantum 1920 rate 15Kbit ceil 100Kbit burst 1618b/8 mpu 0b cburst 1727b/8 mpu 0b level 0
 Sent 476682 bytes 1633 pkts (dropped 0, overlimits 0)
 rate 661bps 2pps
 lended: 745 borrowed: 888 giants: 0
 tokens: -235603 ctokens: 107520

class htb 2:54 parent 2:1 leaf 54: prio 0 quantum 1920 rate 15Kbit ceil 20Kbit burst 1618b/8 mpu 0b cburst 1624b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 690773 ctokens: 519999

class htb 2:20 parent 2:1 leaf 20: prio 0 quantum 1920 rate 15Kbit ceil 100Kbit burst 1618b/8 mpu 0b cburst 1727b/8 mpu 0b level 0
 Sent 108 bytes 2 pkts (dropped 0, overlimits 0)
 lended: 2 borrowed: 0 giants: 0
 tokens: 649813 ctokens: 104448

----- Original Message -----
From: "devik"
To:
Cc: "lartc"
Sent: Wednesday, July 28, 2004 3:30 PM
Subject: Re: [LARTC] Re: HTB 3.13 please help

> as you can see, NO packets are going thru. You have to look
> to other classes as well as to ifconfig and tc -s qdisc show dev xxx
> to see where packets are lost.
>
> On Wed, 28 Jul 2004 mjoachimiak@poczta.onet.pl wrote:
>
> > //Just to not forget eth0 is WAN and eth1 is LAN. The box is NATing my lan.
> > I configured tcng to shape both download and upload
> > and i got connection loss again.
> > Maybe it is my script fault or it is something bad with packets marking.
> > this is how i mark outgoing packets
> > iptables -t mangle -A MYSHAPER-OUT -p tcp -s 192.168.1.23 -j MARK --set-mark $ip
> >
> > and this part of my script which is intended to shape upload:
> > dev eth0 {
> >     egress {
> >         class (<$default>) if 1;
> >         htb ( r2q 1 ) {
> >             class ( rate 800kbps, ceil 800kbps ) {
> >
> >                 //192.168.1.0-----------------------------------------------------------
> >                 $ruter = class ( rate 15kbps, ceil 250kbps ) { sfq( perturb 10secs, quantum 1500Bytes ); } ;
> >                 fw {
> >                     class $ruter on (23);
> >                     //ruter-------------------------------------------------------------------------
> >                     //--------------------- fw
> >                 }//fw
> >             }//main class
> >         }//htb
> >     }//egress
> > }//eth0
> > (none):/skrytpy#
> >
> > and these are a bit of `tc -s -d class show dev eth0` prints while
> > connection loss after running my tcng script :
> >
> > class htb 2:f parent 2:1 leaf 10: prio 0 quantum 1875 rate 1875bps ceil 15000bps burst 1617b/8 mpu 0b cburst 1749b/8 mpu 0b level 0
> >  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> >  lended: 0 borrowed: 0 giants: 0
> >  tokens: 706914 ctokens: 95572
> >
> > class htb 2:1e parent 2:1 leaf 1f: prio 0 quantum 1875 rate 1875bps ceil 15000bps burst 1617b/8 mpu 0b cburst 1749b/8 mpu 0b level 0
> >  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> >  lended: 0 borrowed: 0 giants: 0
> >  tokens: 706914 ctokens: 95572
> >
> > class htb 2:2d parent 2:1 leaf 2e: prio 0 quantum 1875 rate 1875bps ceil 15000bps burst 1617b/8 mpu 0b cburst 1749b/8 mpu 0b level 0
> >  Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> >  lended: 0 borrowed: 0 giants: 0
> >  tokens: 706914 ctokens: 95572
> >
> > > that is interesting. let me know then. other test might be to
> > > reboot with maxcpus=1 to mitigate smp related bugs.
> > >
> > > On Sat, 25 Jan 2003 mjoachimiak@poczta.onet.pl wrote:
> > >
> > > > Yes I'm using smp kernel.
> > > > I thought that i make some error that i cannot see so i decided to write my
> > > > classes using tcng this time.
> > > > Currently i'm shaping only outgoing traffic to my local network (using tcng)
> > > > and it seems to work (it worked one day without errors).
> > > > Today i'm going to configure upload too.
> > > > The difference i could see at once is that there is no connection loss when
> > > > i'm starting htb.
> > > > ----- Original Message -----
> > > > From: "devik"
> > > > To:
> > > > Cc: "lartc"
> > > > Sent: Sunday, July 25, 2004 10:26 AM
> > > > Subject: Re: [LARTC] Re: HTB 3.13 please help
> > > >
> > > > > From the stats it seems that no data are queued - as if nobody
> > > > > is sending them. You are using smp kernel, is your box SMP ?
> > > > > I haven't seen many smp+htb boxes thus there might be possibility
> > > > > of a bug...
> > > > > devik
> > > > >
> > > > > On Thu, 23 Jan 2003 mjoachimiak@poczta.onet.pl wrote:
> > > > >
> > > > > > I've attached outputs for eth0 and eth1.
> > > > > > I was trying to get this script running. I've added one class for my NATed
> > > > > > BOX, and it helped. Shaping was stable almost one day but then i added "prio
> > > > > > 0" to eth0 filters and prio 0 for eth1 filters it has broken. So i removed
> > > > > > every "prio 0" and reboot the box but it didn't help :(.
> > > > > > I've noticed that when the traffic is not much (14 hosts from 50 are up)
> > > > > > tc/htb works very well.
> > > > > > If you want new version of my script say a word.
> > > > > > ----- Original Message -----
> > > > > > From: "devik"
> > > > > > To:
> > > > > > Sent: Thursday, July 22, 2004 3:48 PM
> > > > > > Subject: Re: HTB 3.13 please help
> > > > > >
> > > > > > > I need
> > > > > > > tc -s -d class show dev xxx
> > > > > > > output during that non-working period. 3.6 is older than 3.13.
> > > > > > >
> > > > > > > -------------------------------
> > > > > > > Martin Devera aka devik
> > > > > > > Linux kernel QoS/HTB maintainer
> > > > > > > http://luxik.cdi.cz/~devik/
> > > > > > >
> > > > > > > On Wed, 21 Jul 2004 mjoachimiak@poczta.onet.pl wrote:
> > > > > > >
> > > > > > > > Thanks for your reply. I've recently put my problem on lartc list. I'm using
> > > > > > > > htb 3.13 in 2-4-25smp.
> > > > > > > > I wonder if upgrade to 3.6 will help? Could you be so kind and take a look
> > > > > > > > at it. I'll be grateful.
> > > > > > > > If you have no time for me i'll understand and try to resolve it for myself.
> > > > > > > > Thanks.
> > > > > > > >
> > > > > > > > Hello everybody!
> > > > > > > > Since week i dig lists and www and can't find solution for my problem.
> > > > > > > > I'm using HTB 3.13 kernel 2-4-25 smp iptables 1.2.9.
> > > > > > > > I've got situation like this:
> > > > > > > >
> > > > > > > > LAN------Linux Box(routing only)------- Linux Box (HTB)--------------Hardware Router(say:HD)------Internet
> > > > > > > >
> > > > > > > > When I start HTB it takes about 5 min. to start working and it works...
> > > > > > > > within this 5min starting i can't ping HD and after about 5min I start
> > > > > > > > pinging. It works like this for couple of hours, then something strange is
> > > > > > > > happening. Ping stops, www doesn't work but radio (36kbps) (from clients)
> > > > > > > > works. There is no ping at all for about 1min and it starts pinging for
> > > > > > > > about 2-3min and it stops for 1-2min and so on.....
> > > > > > > > When I stop HTB ping starts. It's look like HTB is filled too much (sorry for
> > > > > > > > my english :/)
> > > > > > > > All my children classes rate doesn't exceed root classes. I have 50 classes
> > > > > > > > on 900kbit-10kbit (for default class) - downstream and 800-10kbit (for
> > > > > > > > default) up.
> > > > > > > > I shape bandwidth matching ip. r2q is set to 1. no errors during doing shape
> > > > > > > > script.
> > > > > > > > I'm attaching this script
> > > > > > > > in ip1 is file where are written ip's for C classes.
> > > > > > > >
> > > > > > > > I'm including my script.
> > > > > > > > ---------------------------------------------------cut here -----------------------------------------------------------------------
> > > > > > > > #!/bin/bash
> > > > > > > > #x=$[100/20]
> > > > > > > > #echo "$1" > /skrytpy/status
> > > > > > > > rxmax=900 #WAN max transfer -down (physically it is 960kbit/960kbit)
> > > > > > > > kbit=kbit
> > > > > > > > rxmaxluser=250
> > > > > > > > txmax=800 #WAN max transfer - up
> > > > > > > > txmaxluser=100
> > > > > > > > #counting users
> > > > > > > > # ip1 file is like this:
> > > > > > > > # 11 #Somebody
> > > > > > > > # 23 #Somebody II
> > > > > > > > #EOF
> > > > > > > > licznik=0
> > > > > > > > for x in $(awk '{ print $1 }' /skrytpy/ip1); do
> > > > > > > > licznik=$[$licznik+1]
> > > > > > > > done
> > > > > > > >
> > > > > > > > #Server
> > > > > > > > licznik=$[$licznik+1]
> > > > > > > > #plus router
> > > > > > > > licznik=$[$licznik+1]
> > > > > > > >
> > > > > > > > echo number of users to $licznik
> > > > > > > > #counting rate
> > > > > > > > rx1=$[$rxmax-10]
> > > > > > > > tx1=$[$txmax-10] # for the default class
> > > > > > > > rxmin=$[$rx1/$licznik]
> > > > > > > > txmin=$[$tx1/$licznik]
> > > > > > > > echo rx $rxmin tx $txmin
> > > > > > > > #echo $rxmin
> > > > > > > > #root classes
> > > > > > > > #rx
> > > > > > > > tc qdisc del root dev eth1
> > > > > > > > tc qdisc add dev eth1 root handle 1:0 htb r2q 1 default 2
> > > > > > > > tc class add dev eth1 parent 1:0 classid 1:1 htb rate $rxmax$kbit ceil $rxmax$kbit
> > > > > > > > #tx
> > > > > > > > tc qdisc del root dev eth0
> > > > > > > > tc qdisc add dev eth0 root handle 2:0 htb r2q 1 default 4
> > > > > > > > tc class add dev eth0 parent 2:0 classid 2:1 htb rate $txmax$kbit ceil $txmax$kbit
> > > > > > > > #r="$rxmax$kbit"
> > > > > > > > #default classes
> > > > > > > > #rx
> > > > > > > > tc class add dev eth1 parent 1:1 classid 1:2 htb rate 10kbit ceil 10kbit
> > > > > > > > #tx
> > > > > > > > tc class add dev eth0 parent 2:1 classid 2:4 htb rate 10kbit ceil 10kbit
> > > > > > > >
> > > > > > > > #network 1.0
> > > > > > > > siec=1
> > > > > > > > for ip in $(awk '{ print $1 }' /skrytpy/ip1); do
> > > > > > > > echo -n "$ip "
> > > > > > > > #rx
> > > > > > > > tc class add dev eth1 parent 1:1 classid 1:$ip htb rate $rxmin$kbit ceil $rxmaxluser$kbit
> > > > > > > > tc filter add dev eth1 protocol ip parent 1:0 u32 match ip dst 192.168.$siec.$ip flowid 1:$ip
> > > > > > > > tc qdisc add dev eth1 parent 1:$ip handle $ip:0 sfq perturb 10
> > > > > > > > #tx
> > > > > > > > #marking packets
> > > > > > > > iptables -t mangle -A MYSHAPER-OUT -p tcp -s 192.168.$siec.$ip -j MARK --set-mark $ip
> > > > > > > > #tc
> > > > > > > > tc class add dev eth0 parent 2:1 classid 2:$ip htb rate $txmin$kbit ceil $txmaxluser$kbit
> > > > > > > > #filtering by mark
> > > > > > > > tc filter add dev eth0 protocol ip preference 1 parent 2:0 handle $ip fw flowid 2:$ip
> > > > > > > > tc qdisc add dev eth0 parent 2:$ip handle $ip:1 sfq perturb 10
> > > > > > > > done
> > > > > > > > echo ""
> > > > > > > > --------------------------------------------------------------------cut here ------------------------------------------------------------------
> > > > >
> > > > > _______________________________________________
> > > > > LARTC mailing list / LARTC@mailman.ds9a.nl
> > > > > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
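An added example, not code from the thread or from devik: a small sh/awk helper that summarises `tc -s -d class show dev eth0` output in the layout quoted above, so the classes devik says to look at (idle, over their ceil, dropping) stand out. The stats excerpt inside it is constructed from the numbers quoted in the thread plus one invented 2:54 record with drops; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `tc -s -d class show dev eth0`
# output the way devik suggests, so idle, over-limit and dropping classes stand out.
# TC_CLASS_STATS is a constructed excerpt in the layout quoted above; the 2:54
# record with drops is invented here to exercise that branch.
TC_CLASS_STATS='class htb 2:1 root rate 800Kbit ceil 800Kbit burst 2623b/8 mpu 0b cburst 2623b/8 mpu 0b level 7
 Sent 21958200 bytes 38721 pkts (dropped 0, overlimits 0)
 rate 47328bps 68pps
 lended: 22026 borrowed: 0 giants: 0
 tokens: 20609 ctokens: 20609

class htb 2:10 parent 2:1 leaf 10: prio 0 quantum 1920 rate 15Kbit ceil 100Kbit burst 1618b/8 mpu 0b cburst 1727b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 690773 ctokens: 110592

class htb 2:23 parent 2:1 leaf 23: prio 0 quantum 1920 rate 15Kbit ceil 100Kbit burst 1618b/8 mpu 0b cburst 1727b/8 mpu 0b level 0
 Sent 2490197 bytes 3069 pkts (dropped 0, overlimits 0)
 rate 5157bps 5pps
 lended: 1015 borrowed: 2054 giants: 0
 tokens: -475203 ctokens: -30720

class htb 2:32 parent 2:1 leaf 32: prio 0 quantum 1920 rate 15Kbit ceil 100Kbit burst 1618b/8 mpu 0b cburst 1727b/8 mpu 0b level 0
 Sent 476682 bytes 1633 pkts (dropped 0, overlimits 0)
 rate 661bps 2pps
 lended: 745 borrowed: 888 giants: 0
 tokens: -235603 ctokens: 107520

class htb 2:54 parent 2:1 leaf 54: prio 0 quantum 1920 rate 15Kbit ceil 20Kbit burst 1618b/8 mpu 0b cburst 1624b/8 mpu 0b level 0
 Sent 4120 bytes 9 pkts (dropped 7, overlimits 12)
 rate 300bps 1pps
 lended: 2 borrowed: 0 giants: 0
 tokens: -50 ctokens: 900
'

# htb_class_summary STATS
# One line per class: "classid pkts dropped overlimits tokens ctokens state".
# The state follows (roughly) HTB's own class-mode rule: ctokens < 0 means the
# class is over its ceil and cannot send, tokens < 0 means it is over its rate
# and must borrow. "idle" marks a class that never sent anything (nothing is
# being classified into it), and ",dropping" is appended when it lost packets.
htb_class_summary() {
  printf '%s\n' "$1" | awk '
    $1 == "class"   { id = $3; pkts = 0; dropped = 0; over = 0 }
    $1 == "Sent"    { gsub(/[(),]/, ""); pkts = $4 + 0; dropped = $7 + 0; over = $9 + 0 }
    $1 == "tokens:" {
      tok = $2 + 0; ctok = $4 + 0
      if (pkts == 0)     state = "idle"
      else if (ctok < 0) state = "over-ceil"
      else if (tok < 0)  state = "borrowing"
      else               state = "ok"
      if (dropped > 0)   state = state ",dropping"
      print id, pkts, dropped, over, tok, ctok, state
    }'
}

# htb_unhealthy_classes STATS
# Only the classes worth a second look: everything whose state is not plain "ok".
htb_unhealthy_classes() {
  htb_class_summary "$1" | awk '$7 != "ok"'
}

htb_class_summary "$TC_CLASS_STATS"
```

On a live box, replace the constant with `$(tc -s -d class show dev eth0)` and pair it with `tc -s qdisc show dev eth0`, as devik suggests, to see whether the drops happen in a class or at the qdisc.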
From linux@netcomp.com.br Wed Jul 28 19:57:26 2004 From: linux@netcomp.com.br (Ricardo) Date: Wed, 28 Jul 2004 15:57:26 -0300 Subject: [LARTC] CBQ Problem Message-ID: <003a01c474d4$b9895350$0200000a@ricardo>
Hi. I want to shape traffic from some IPs in my lan, but I'm w/ trouble. I have a linux box connected to the Internet. In the other side of this box is my LAN. I want to create the following scenario:

My root qdisc is attached to a 100Mbit/s NIC
I want to create a class attached to this qdisc that will limit the traffic at 384Kbit/s.
I want to create two leaf classes that limit the traffic at 256Kbit/s.
I want to attach two sfq qdiscs so two classes are treated equally.
I want to put one LAN IP for each leaf class.
When one IP is downloading a file from internet it will never be more than 256Kbit.
When both IPs are downloading files at the same time, they will never be more than 384Kbit.
(I think that is something like the webserver + smtp example that is in the howto)

My config:

tc qdisc add dev eth1 root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8
tc class add dev eth1 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 384Kbit weight 38Kbit prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded

tc class add dev eth1 parent 1:1 classid 1:10 cbq bandwidth 100Mbit rate 256Kbit weight 25Kbit prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000
tc class add dev eth1 parent 1:1 classid 1:20 cbq bandwidth 100Mbit rate 256Kbit weight 25Kbit prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000

tc qdisc add dev eth1 parent 1:10 handle 100: sfq
tc qdisc add dev eth1 parent 1:20 handle 200: sfq

tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.2/32 flowid 1:10
tc filter add dev eth1 parent 1:0 protocol ip prio 1 u32 match ip dst 10.0.0.3/32 flowid 1:20

When I start a download from one machine, the speed is limited at 256Kbit/s (this is OK)
When I start a download from both machines, the speed for each machine is limited to 256Kbit/s. They are getting 512Kbit/s together.
I want to limit this speed at 384Kbit/s, so traffic from each machine will never be more than 192Kbps when both are in use.

Why is it not working for me ??? What is the mistake ?
Thank You.
Ricardo
From nehavrce@yahoo.co.in Thu Jul 29 12:07:53 2004 From: nehavrce@yahoo.co.in (neha agrawal) Date: Thu, 29 Jul 2004 12:07:53 +0100 (BST) Subject: [LARTC] help regarding policing Message-ID: <20040729110753.14837.qmail@web8207.mail.in.yahoo.com>
hello sir, i want to control the bandwidth when sending traffic between two logical addresses (ip address) on the same interface (eth0) on the same machine. can i do it using tc tool. i am sending mail using sendmail between 2 users on same machine and sniffing packets at receiving side. but i want to control bandwidth of this traffic so that i do not lose packets at capture. please let me know if it's possible using filters, let me know which parameters to use for it. thanks neha
From shep@alum.mit.edu Thu Jul 29 21:16:36 2004 From: shep@alum.mit.edu (Tim Shepard) Date: Thu, 29 Jul 2004 16:16:36 -0400 Subject: [LARTC] error: structure has no member named `rate' Message-ID:
I want to take the functionality that I found sitting in linux-2.6.8-rc2/net/sched/sch_netem.c for a test drive but I found that the /sbin/tc that I have does not have the necessary knobs. So I grabbed iproute2-2.6.X-ss040702.tar.gz and tried to build it, but I got this:

q_netem.c: In function `netem_parse_opt':
q_netem.c:90: error: structure has no member named `rate'

and indeed, there is no longer a .rate member of the struct tc_netem_qopt. I did some web searching and the patch mentioned here seems to be responsible for removing it: http://lwn.net/Articles/93487/ Since I see no snapshot more recent than iproute2-2.6.X-ss040702.tar.gz, I went looking to see if there was anonymous CVS access so I could get something even more recent.
I discovered the bk://developer.osdl.org/iproute2 pointer but when I tried to find a bitkeeper package to install on my Debian system, I found none. (Some more web searching explained why that is.) So, before I try to figure out how to update iproute2-2.6.X/tc/*.[ch] to make it work with my linux-2.6.8-rc2 kernel, can someone tell me if this work has already been done by someone else? If it's in bitkeeper already, could a new snapshot version be pushed out? (Could some sort of bitkeeper to anoncvs gateway be set up so that I could check out the most recent version without having to install bitkeeper?) (I'm newly subscribed to this list. If this has already been dealt with, then I failed to figure out what message to read in the archives.) -Tim Shepard shep@alum.mit.edu From shemminger@osdl.org Thu Jul 29 21:57:05 2004 From: shemminger@osdl.org (Stephen Hemminger) Date: Thu, 29 Jul 2004 13:57:05 -0700 Subject: [LARTC] error: structure has no member named `rate' In-Reply-To: References: Message-ID: <20040729135705.3631a8f6@dell_ss3.pdx.osdl.net> On Thu, 29 Jul 2004 16:16:36 -0400 Tim Shepard wrote: > > I want to take the functionality that I found sitting in > linux-2.6.8-rc2/net/sched/sch_netem.c for a test drive but I found > that the /sbin/tc that I have does not have the necessary knobs. > > So I grabbed iproute2-2.6.X-ss040702.tar.gz and tried to build it, > but I got this: > > q_netem.c: In function `netem_parse_opt': > q_netem.c:90: error: structure has no member named `rate' The rate option was not accepted, and instead the new one is jitter. I'll make a new package today. From nix4me@cfl.rr.com Thu Jul 29 22:57:33 2004 From: nix4me@cfl.rr.com (nix4me) Date: Thu, 29 Jul 2004 17:57:33 -0400 Subject: [LARTC] limiting outbound passive ftp Message-ID: <410972CD.5040802@cfl.rr.com> Hi, I am trying to use the following script to limit my passive ftp traffic to 35KBytes. Problem is, it kills the entire connection on that computer.
The script is running on the same machine as the ftp server. I was hoping to limit the ftp traffic, and only the ftp traffic, leaving the computer. It seems to limit everything; I tried transferring a file with samba and the whole computer came to a screeching halt. Any words of wisdom?
#!/bin/bash
#shaping passive ftp traffic
# mark the outbound passive ftp packets on ports 50000-51000
iptables -t mangle -D POSTROUTING -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I POSTROUTING -o eth0 -j MYSHAPER-OUT
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 50000:51000 -j MARK --set-mark 1
# shape the traffic to 35Kbytes
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 35kbps
tc filter add dev eth0 parent 1: prio 0 protocol ip handle 1 fw flowid 1:1
From ebay@honorablemenschen.com Fri Jul 30 01:27:43 2004 From: ebay@honorablemenschen.com (Joshua Megerman) Date: Thu, 29 Jul 2004 20:27:43 -0400 Subject: [LARTC] TC Newbie Questions In-Reply-To: <20040730000502.14579.15562.Mailman@outpost.ds9a.nl> References: <20040730000502.14579.15562.Mailman@outpost.ds9a.nl> Message-ID: <200407292027.43461.lartc@honorablemenschen.com> Having never worked with Linux TC before, I have a few questions about setting it up and am not certain I understand the Howto well enough to do what I specifically want. I have a linux firewall talking to my cable modem, as well as the rest of my network. I have 4 things I'm trying to accomplish, in order of priority:
1) I use a VoIP phone, and want to give it as much bandwidth as it wants whenever it wants it with minimal latency - this should never be more than about 100kbit. There is one VoIP device that will always be on the same IP when on my network (DHCP Reservation).
2) I want interactive traffic, especially SSH, to get priority over everything except the VoIP device. Low latency is also important here.
3) All non-P2P (primarily bittorrent) traffic should be able to take up whatever isn't being used by #1 and #2. Latency is ok, as long as it's not too big. Since I routinely get > 2000kbit downloads, I don't expect this to be a problem.
4) Any P2P traffic can use up whatever's left, but should surrender most of its bandwidth if needed. I'm thinking of giving it around 256kbit to play with as a minimum available for P2P, as long as #1 and #2 are met.
The firewall is also acting as a transparent squid proxy for http, which may or may not make a difference. I'm pretty sure that this can be done relatively easily, if not simply, but it's just not obvious to me. Any and all help is appreciated. TIA Josh -- Joshua Megerman SJGames MIB #5273 - OGRE AI Testing Division You can't win; You can't break even; You can't even quit the game. - Layman's translation of the Laws of Thermodynamics lartc@honorablemenschen.com From kyf@arterm.pl Fri Jul 30 02:08:58 2004 From: kyf@arterm.pl (Krzysztof Matusik) Date: Fri, 30 Jul 2004 03:08:58 +0200 Subject: [LARTC] notes&questions: filter, HTB, hfsc & tc binary, ifs tx queues Message-ID: Hello, I've been messing with traffic control for some time and encountered singularities I'd like to talk about. First, an explanation of my pov (can't tell how much each point is relevant): Box with Debian, Intel PII*2 old and fancy :), ADSL link with dyn IP, some servers (f. ex. squid), loc net with dhcp (although IP statically given by MAC); MASQ.
Such circumstances made me write a script which involves: -recalculation on each ppp up/down (dynamic IP) -filter rules/link sharing depending on a list of local hosts (also used by dhcp) -sharing bandwidth with traffic to/generated by the server box. So we've got imq (from http://pupa.da.ru/ - simple and stable as far as I'm using it) for download sharing and shaping, also 'iptables PREROUTING MARK' and 'tc filter fw' to do the same for upload (am I right that u32 can't do it?); the rest is done with HTB and u32. Each host has its own (including the router, mentioned above) HTB parent class where the fw filter puts the flow; in that class are attached interactive prio and bulk subclasses and filters, for example:
tcaddcls parent 1:1 htb rate $(($UPLOAD/$NUM_HOSTS)) ceil $NUM_HOSTS prio 0
tcfltadd parent 1:${parent_id} prio 2 u32 \
  match ip protocol 6 0xff \
  match u8 0x05 0x0f at 0 \
  match u16 0x0000 0xffc0 at 2 \
  match u8 0x11 0xff at 33 \
  flowid 1:${CL_ID}
and it works great!!! .debs for buddies created at my repository. So what's the mail for? :-) Issues: Yesterday I read somewhere (don't remember where) that HTB can't have filters attached to classes except root (and leaves?). BUT IT WORKS. ??? Confused, I listed the filters: all attached to 1: but with many different handles like:
filter parent 1: protocol ip pref 1 fw handle 0x1 classid 1:11
filter parent 1: protocol ip pref 2 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:11 (matches)
filter parent 1: protocol ip pref 2 u32 fh 801::802 order 2050 key ht 801 bkt 0 flowid 1:11 (matches)
Maybe the provided info explains all, but for me all of it works magically ;) I'd like to know what the above params mean - I understand them only intuitively now (by means of reading the HOWTO chapter about hashing). I mean: can the 'tc filter show dev' listing (part of which I presented) explain how filtering really works in this situation? (the way packets are directed into and out of the classes?) I must decrease link throughput a bit to avoid latencies.
The problem is that sometimes the link is saturated at 170kbit, sometimes at 150kbit. That ppp link is on pppoa; max throughput is correlated with the packet/s ratio, as I noticed (using iptraf). Am I right? How to deal with it? Using #ifconfig $iface txqueuelen $n affects latency. What else (e.g. dropping)? How to choose the best value? Furthermore, a couple of days ago I wondered about HFSC. I've collected info and 'stuff' (it's messy; I still have questions, not with the hfsc idea itself though; I've read all of trash.net and proposed places, the BSD altq man - from which hfsc differs I guess - and some discussions here from the archives). The same 'trick' with filters as in HTB doesn't work. Creating more hfsc qdiscs, directing packets to them with fw filter, and directing back to classes at root with u32 doesn't work either. (well, I'm not absolutely sure, I haven't played much). I've been compiling iproute-ss040702 and it didn't go well. Some compilation errors at atm.h, l:235 with 'void __user'. Using kernel-headers-2.6.7-1-686-smp. The tc binary made that way prints a deranged 'tc show class' but seems to work well. It's got problems with hfsc too - can anyone tell me whether that iproute version works well with hfsc? (supposing correct compilation) Does it have the patch from trash.net? It would be lovely to have some help :-) Krzysiek, kyf@arterm.pl From swcims@163.com Fri Jul 30 07:17:26 2004 From: swcims@163.com (swcims) Date: Fri, 30 Jul 2004 14:17:26 +0800 Subject: [LARTC] Help: how much bandwidth is borrowed in HTB? How to calculate!
Message-ID: <20040730063036.9419C449F@outpost.ds9a.nl> Hi, All I use HTB to control traffic. Here is my script:
/usr/sbin/tc qdisc del dev nas0 root
/usr/sbin/tc qdisc add dev nas0 root handle 1:0 htb default 60
/usr/sbin/tc class add dev nas0 parent 1:0 classid 1:1 htb ceil 896kbit rate 896kbit prio 0 burst 60k
/usr/sbin/tc class add dev nas0 parent 1:1 classid 1:10 htb ceil 896kbit rate 537kbit prio 1 burst 60k
/usr/sbin/tc class add dev nas0 parent 1:1 classid 1:20 htb ceil 361kbit rate 161kbit prio 2 burst 60k
/usr/sbin/tc class add dev nas0 parent 1:1 classid 1:30 htb ceil 298kbit rate 98kbit prio 3 burst 60k
/usr/sbin/tc class add dev nas0 parent 1:1 classid 1:40 htb ceil 271kbit rate 71kbit prio 4 burst 60k
/usr/sbin/tc class add dev nas0 parent 1:1 classid 1:50 htb ceil 117kbit rate 17kbit prio 5 burst 60k
/usr/sbin/tc class add dev nas0 parent 1:1 classid 1:60 htb ceil 212kbit rate 12kbit prio 6 burst 60k
#### Attach SFQ to each class #####
/usr/sbin/tc qdisc add dev nas0 parent 1:10 handle 10: sfq perturb 10
/usr/sbin/tc qdisc add dev nas0 parent 1:20 handle 20: sfq perturb 10
/usr/sbin/tc qdisc add dev nas0 parent 1:30 handle 30: sfq perturb 10
/usr/sbin/tc qdisc add dev nas0 parent 1:40 handle 40: sfq perturb 10
/usr/sbin/tc qdisc add dev nas0 parent 1:50 handle 50: sfq perturb 10
/usr/sbin/tc qdisc add dev nas0 parent 1:60 handle 60: sfq perturb 10
######Filters#########
/usr/sbin/tc filter add dev nas0 parent 1:0 protocol ip prio 1 u32 match ip sport 20 0xffff flowid 1:10
/usr/sbin/tc filter add dev nas0 parent 1:0 protocol ip prio 1 u32 match ip dport 20 0xffff flowid 1:10
/usr/sbin/tc filter add dev nas0 parent 1:0 protocol ip prio 3 u32 match ip sport 8000 0xffff flowid 1:30
/usr/sbin/tc filter add dev nas0 parent 1:0 protocol ip prio 3 u32 match ip dport 8000 0xffff flowid 1:30
Then I use "ftp 21" and "ftp 8001" to test this script, which correspond to class 1:10 and class 1:30. I found that class 1:30 will get more bandwidth than class 1:10. I got confused! You know, a class can borrow more available bandwidth. But I don't know why the low priority (1:30) can borrow more bandwidth than the high priority (1:10)? Would anyone like to tell me how HTB calculates borrowed bandwidth? Any suggestion will be highly appreciated! Best Regards swcims swcims@163.com 2004-07-30 From adi@tettas.net Fri Jul 30 10:21:09 2004 From: adi@tettas.net (adi@tettas.net) Date: Fri, 30 Jul 2004 12:21:09 +0300 (EEST) Subject: [LARTC] tc & rrd question In-Reply-To: References: Message-ID: <33573.80.97.190.109.1091179269.squirrel@webmail.tettas.net> hello list, i've got a small question related to tc and rrd. my problem is as follows. i've written a small c app that takes the stats of tc using libs from the iproute2 package and outputs a shell script that updates rrd files (2 ds: 1 gauge for speed, 1 counter for sent). i've followed the manuals from tobi's website on how to create and update the database. the dump is quite curious even after a whole day of updating (every 5 min). can anyone here share his/her experience with these tools? any links or resources, maybe even some example code, are very welcome. thanks From roy@xxx.lt Fri Jul 30 14:53:45 2004 From: roy@xxx.lt (Roy) Date: Fri, 30 Jul 2004 16:53:45 +0300 Subject: [LARTC] tc & rrd question References: <33573.80.97.190.109.1091179269.squirrel@webmail.tettas.net> Message-ID: <001501c4763c$a1ed1100$030aa8c0@t> Basically it is easy to use rrdtool; the hardest part for me was to set up the rrd database correctly. Here is an example:
RRDs::create("$rrd","-s",$period,
    "DS:TR:GAUGE:300:0:U",
    "RRA:AVERAGE:0.5:1:1440",   # 0.5 - usually leave as is; 1 - for first entry use 1; 1440 - number of points
    "RRA:AVERAGE:0.5:15:3072"); # 0.5; 15 - needs 15 updates to create one average database entry; 3072
Complete example for perl, probably will be good for you too. It has a resolution of 1 min for 1 day and a 15 min resolution for 1 month.
Updates should be done each minute.
$time=time;
$rrd="./data/$ip.rrd"; #$rrd is filename
if (!(-e "$rrd")) {
    print "creating $rrd\n";
    RRDs::create("$rrd","-s",$period,
        "DS:TR:GAUGE:300:0:U",
        "RRA:AVERAGE:0.5:1:1440",
        "RRA:AVERAGE:0.5:15:3072");
    if (my $error=RRDs::error()) {print "Cannot create $rrd: $error\n";}
}
RRDs::update("$rrd","$time:$tr"); # $tr is the data you want to add to the database
if (my $error=RRDs::error()) {print "Cannot update $rrd: $error\n";}
}
##################
Example for the view script. Shows the load graph and total traffic per $period ($period is in seconds).
$period=3600*24; #(for one day)
$start=time-$period; #starts from current time.
$rrd="./data/$ip.rrd";
RRDs::graph ("$cache/$name.png","--start=$start","--width=720",
    "DEF:d=$rrd:TR:AVERAGE",
    "CDEF:down=d,UN,0,d,IF,$period,*",
    "LINE1:d#6600cc",
    "GPRINT:down:AVERAGE:%1.1lf%sB Download",
);
if (my $error=RRDs::error()) {print "Cannot graph $rrd: $error\n";}
print " \n";
print "$name $ip\n";
}
----- Original Message ----- From: To: Sent: Friday, July 30, 2004 12:21 PM Subject: [LARTC] tc & rrd question > hello list, > i've got a small question related to tc and rrd. > > my problem is as follows. i've written a small c app that takes the stats > of tc using libs from iproute2 package and outputs a shell script that > updates rrd files (2 ds: 1 gauge for speed, 1 counter for sent). i've > followed the manuals from tobi's website on how to create and update the > database. the dump is quite curious even after a whole day of updating > (every 5 min). > > can anyone here share his/her experience with these tools. any links or > resources maybe even some example code are very welcome. > > thanks > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > From shemminger@osdl.org Fri Jul 30 23:37:15 2004 From: shemminger@osdl.org (Stephen Hemminger) Date: Fri, 30 Jul 2004 15:37:15 -0700 Subject: [LARTC] [announce] iproute2 update Message-ID: <20040730153715.453c14cf@dell_ss3.pdx.osdl.net> This version supports: * changes to 'tc' for the latest netem queuing discipline * additions to 'ip' to support xfrm * more robust configuration (works with older 2.4 systems) to detect xfrm, hfsc, htb, etc. The versioning scheme is to label the highest version of kernel used. It should build and run on older systems as well, but obviously can't support stuff your kernel doesn't have. So if a new feature (like the netem scheduler) got added in the 2.6.8 kernel, then you would need the corresponding iproute2 to use it.
Available at: http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.8-ss040730.tar.gz From adi@tettas.net Sun Aug 1 01:28:03 2004 From: adi@tettas.net (Adrian Vasile) Date: Sun, 01 Aug 2004 03:28:03 +0300 Subject: [LARTC] tc &amp; rrd question In-Reply-To: <003b01c47691$1d8bc050$030aa8c0@t> References: <33573.80.97.190.109.1091179269.squirrel@webmail.tettas.net> <001501c4763c$a1ed1100$030aa8c0@t> <1091229636.11549.32.camel@yoyo.homelinux.org> <003b01c47691$1d8bc050$030aa8c0@t> Message-ID: <1091320083.2678.16.camel@yoyo.homelinux.org> that's what i did.. rrdtool dump (or fetch) ... gives me only nan's in the dump i see in (?) an extended value (eg. 4.000000e+10) but for AVERAGE, MIN, MAX i get only nan. which is weird. the only diffs i see between my implementation and roys' is that he uses perl extensions and i use shell script outputted by a c program that gathers data from tc and compares the classes with a config file to get the name of the clients. my program is an extension to htb-utils. On Sat, 2004-07-31 at 02:58, Tadas wrote: > I dont see anything wrong with your script, > but you did not show the part which displays graphs. > > For testing you can try to dump your database as xml it helps to test if > you create and update it correctly. > if all data is good, then you are incorrectly displaying it. > > > > ----- Original Message ----- > From: "Adrian Vasile" > To: "Roy" > Sent: Saturday, July 31, 2004 2:20 AM > Subject: Re: [LARTC] tc &amp; rrd question > > > > thanks for the info. i'll try implementing it as soon as > > possible. > > > > i've been using this line: for creating the db's: > > > > $RRDTOOL create /var/rrd/eth0/upload.rrd \ > > DS:Speed:GAUGE:600:0:U \ > > DS:Bytes:COUNTER:600:0:U \ > > RRA:AVERAGE:0.5:1:288 > > RRA:MIN:0.5:1:24 \ > > RRA:MAX:0.5:1:24 > > i see some diffs i don't set the step size (man page says default is 300 > > aka 5min) and heartbeat double. 
the avg is set to 24h with 12 points per > > hour.i realize it's not too exact but for testing purposes works :) > > Do you log only last 24 points of min and max? > > if you want one point per hour you should use > 60min/5min =12 > RRA:MIN:0.5:12:24 > > > > > > and i use crontab to periodically run the update script: > > > > $RRDTOOL update /var/rrd/eth0/upload.rrd N:57:1202599 > > i use N: for now time (as per the man page) > > > > the problem appears when i fetch the data i get only 'nan'. i'm thinking > > that i may be putting the data the wrong way or something but i've been > > hitting a stone wall searching on this problem (docs, mailing lists). > > > > On Fri, 2004-07-30 at 16:53, Roy wrote: > > > Basicaly it is easy to use rrd tool, the hardest part for me > > was to setup > > > rrd database correctly > > > here is example > > > > > > RRDs::create('"'$rrd'"','"'-s'"',$period, > > > '"'DS:TR:GAUGE:300:0:U'"', > > > '"'RRA:AVERAGE:0.5:1:1440'"', # 0.5- > > uaualy leave as is : 1- > > > for first entry use 1 :1440 number of points > > > '"'RRA:AVERAGE:0.5:15:3072'"'); #: 0.5: 15 > > needs 15 updates to > > > create one average database entry :3072 > > > > > > > > > Complete example for perl, probably will be good for you too. > > have > > > resolution of 1 min for 1 day and 15 min resolution for 1 > > month. 
From soporte@xmundo.net Sun Aug 1 06:20:14 2004 From: soporte@xmundo.net (XMundo - Soporte Tecnico) Date: Sun, 1 Aug 2004 02:20:14 -0300 Subject: [LARTC] QOS Message-ID: <002601c47787$4769c1a0$fd01000a@estacion1> Hi. I'm making a script for load balancing of two cablemodem internet connections toward my LAN. The problem is that when I try to 'equalize' the two internet connections with weight=1 it doesn't work. On the other hand, if I put 5 and 5 it works, but not at 100%; it does so intermittently, sometimes it works and other times it doesn't. example:
ip route add default equalize\
 nexthop via $P1 dev $IF1 weight 5\
 nexthop via $P2 dev $IF2 weight 5
Besides, when I open, for example, the firefox browser, it takes a lot to start navigating; sometimes it works and other times it gives an error and I can't navigate. From the server it works properly, but from the client PCs it doesn't. By the way, I'm doing NAT toward the client PCs. Do you have any idea why it takes so long to start navigating and why sometimes it works and sometimes doesn't?
This is the current script running in my server:
#=====================================================
P0_NET=10.0.1.0/24
IF0=eth1
IP0=10.0.1.1
IF1=eth0
IP1=xxx.xxx.xxx.7
P1_NET=xxx.xxx.xxx.0/24
P1=xxx.xxx.xxx.1
IF2=eth2
IP2=yyy.yyy.yyy.21
P2_NET=yyy.yyy.yyy.0/24
P2=yyy.yyy.yyy.1
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
echo 3 > /proc/sys/net/ipv4/route/gc_elasticity
echo 1 > /proc/sys/net/ipv4/route/gc_interval
echo 0 > /proc/sys/net/ipv4/route/gc_timeout
ip route flush cache
ip route flush all
ip route flush table modem0
ip route flush table modem1
ip rule add from $IP1 lookup modem0
ip rule add from $IP2 lookup modem1
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
ip route add $P0_NET dev $IF0 src $IP0
ip rule add from $P1_NET lookup modem0
ip route add $P0_NET dev $IF0 table modem0
ip route add 0/0 via $P1 table modem0
ip rule add from $P2_NET lookup modem1
ip route add $P0_NET dev $IF0 table modem1
ip route add 0/0 via $P2 table modem1
ip route add default equalize\
 nexthop via $P1 dev $IF1 weight 5\
 nexthop via $P2 dev $IF2 weight 5
#=====================================================

From nfogh@vectory.com Sun Aug 1 14:01:38 2004 From: nfogh@vectory.com (Nikolaj Fogh) Date: Sun, 01 Aug 2004 15:01:38 +0200 Subject: [LARTC] Network shaper for gateway with massive p2p traffic Message-ID: <410CE9B2.7040106@vectory.com> Hi, I have made this script, that I use for controlling the bandwidth on a gateway for about 100 computers. It is working quite effectively to limit the use of p2p programs (and other programs), so that you can surf undisturbed. Also, it improves internet access in general, so that one large download doesn't take up all your bandwidth. I was wondering if someone would like to test it, and give me their opinion about it. Maybe what I should improve. The link is http://p2pshaper.sourceforge.net cheers, Nikolaj Fogh From sandro@e-den.it Sun Aug 1 16:51:04 2004 From: sandro@e-den.it (Sandro Dentella) Date: Sun, 1 Aug 2004 17:51:04 +0200 Subject: [LARTC] tables and default Message-ID: <20040801155104.GA27013@bluff> I have already set up several 2-gateway boxes, with rules to decide which LAN should use which gateway. Now I'm stuck with a simpler problem. At home I was just making an experimental setup: * 1 adsl (ppp0) * 1 more table in rt_tables (200 ping) called "bluff" * table 'bluff' *has no* default route
root@fw-eden root # ip ro li table bluff
192.168.5.0/24 dev eth1 scope link
* ip rule add from 192.168.5.2 table bluff prio 50
root@fw-eden root # ip ru li
0: from all lookup local
50: from 192.168.5.0/24 lookup bluff
32766: from all lookup main
32767: from all lookup default
Now I would think that pinging from 192.168.5.2 outside the LAN should not work, and in fact:
root@fw-eden root # ip ro get 62.207.143.51 from 192.168.5.2
RTNETLINK answers: Invalid argument
but if I try I can flawlessly get out. Is this related to SNAT? In my opinion that should come afterwards since SNAT is in the POSTROUTING chain. Any hints?
TYA sandro *:-) -- Sandro Dentella *:-) e-mail: sandro@e-den.it http://www.tksql.org TkSQL Home page - My GPL work From jakob@simon-gaarde.dk Sun Aug 1 23:27:19 2004 From: jakob@simon-gaarde.dk (jakob@simon-gaarde.dk) Date: Mon, 2 Aug 2004 00:27:19 +0200 (CEST) Subject: [LARTC] help on ADSL shaping Message-ID: <3818.80.160.199.114.1091399239.squirrel@webmail1.b-one.nu> Hi, I have read the howto on qdiscs a few times but I can't figure out how to use the shaping capabilities to serve my needs. In the village where I live we have created a wireless local network consisting of 10 houses. One of these houses has an ADSL connection and serves this connection to the other houses. To gain access to the network a member must have an access point in client mode; the idea is that if each house has to use a certain access point (with a specific known ip address) to access the router then it must be possible to shape the traffic so no single house can dominate the outgoing (and thus the incoming) traffic. The configuration: [ASCII diagram: in the house with ADSL, a Linux router (SuSE 8.2) has eth0 connected to its access point ((o)) and eth1 to the Internet; in a client house an access point ((0)) with a known ip sits in front of a router, with PC 1 and PC 2 behind it.] One house might need to connect 1 PC, another house 3, but I need to be sure that one house doesn't swallow the whole bandwidth. Is this possible? Best Regards Jakob Simon-Gaarde From nfogh@vectory.com Mon Aug 2 01:54:27 2004 From: nfogh@vectory.com (Nikolaj Fogh) Date: Mon, 02 Aug 2004 02:54:27 +0200 Subject: [LARTC] help on ADSL shaping In-Reply-To: <3818.80.160.199.114.1091399239.squirrel@webmail1.b-one.nu> References: <3818.80.160.199.114.1091399239.squirrel@webmail1.b-one.nu> Message-ID: <410D90C3.90208@vectory.com> jakob@simon-gaarde.dk wrote: >Hi >I have read the howto on qdiscs a few times but I can't figure out how to >use the shaping capabilities to serve my needs.
In the village where I >live we have created a wireless local network consisting of 10 houses. One >of these houses has an ADSL connection and serves this connection to the >other houses. To gain access to the network a member must have an >access point in client mode; the idea is that if each house has to use a >certain access point (with a specific known ip address) to access the >router then it must be possible to shape the traffic so no single house >can dominate the outgoing (and thus the incoming) traffic. > >The configuration: > >[ASCII diagram as in the original post: the Linux router (SuSE 8.2) with eth0 to the access point and eth1 to the Internet in the house with ADSL; an access point with a known ip, a router and PCs in a client house] > >One house might need to connect 1 PC, another house 3, but I need to be >sure that one house doesn't swallow the whole bandwidth. Is this possible? > >Best Regards >Jakob Simon-Gaarde > Hi, You can use the tc program, and htb qdiscs, to ensure that people are guaranteed some bandwidth, so that one host cannot dominate the network. As it is the Internet link that is the weak point, you need to shape at the gateway. I am currently working on a script that deals out the bandwidth evenly amongst hosts, so that when only one host uses the link, it gets full speed, but if two are on it is 50/50, and so on. I hope to have it finished in a month or so. Maybe you can use that. Also, if it is p2p traffic you are worried about, you could try the p2pshaper. I posted a link in an earlier post. cheers Nikolaj Fogh From swcims@163.com Mon Aug 2 02:37:33 2004 From: swcims@163.com (swcims) Date: Mon, 2 Aug 2004 09:37:33 +0800 Subject: [LARTC] Urgent Help: Kernel crashed in HTB.
Message-ID: <20040802015038.475D7400B@outpost.ds9a.nl> Hi, All I patched htb3.6 to mips linux 2.4.17. But when I run htb, the mips linux box will say: "Unhandled kernel unaligned access in unaligned.c:emulate_load_store_insn, line 346". Then the kernel crashed. Would anyone like to tell me how to solve this problem? Thank you very much! Best Regards swcims swcims@163.com 2004-08-02 From mabrown-lartc@securepipe.com Mon Aug 2 03:21:45 2004 From: mabrown-lartc@securepipe.com (Martin A. Brown) Date: Sun, 1 Aug 2004 21:21:45 -0500 Subject: [LARTC] tables and default In-Reply-To: <20040801155104.GA27013@bluff> References: <20040801155104.GA27013@bluff> Message-ID: Hello Sandro,
: * 1 adsl (ppp0)
: * 1 more table in rt_tables (200 ping) called "bluff"
All OK!
: * table 'bluff' *has no* default route
This is the problem.
: root@fw-eden root # ip ro li table bluff
: 192.168.5.0/24 dev eth1 scope link
:
: * ip rule add from 192.168.5.2 table bluff prio 50
:
: root@fw-eden root # ip ru li
: 0: from all lookup local
: 50: from 192.168.5.0/24 lookup bluff
: 32766: from all lookup main
: 32767: from all lookup default
:
: Now I would think that pinging from 192.168.5.2 outside the LAN
: should not work and in fact:
:
: root@fw-eden root # ip ro get 62.207.143.51 from 192.168.5.2
: RTNETLINK answers: Invalid argument
:
: but if I try I can flawlessly get out.
First thing--I don't know why you are seeing this error from 'ip route get'. This should return the real route chosen. You could always try the ping and then check the route cache. This should help you identify the actual route chosen. Here's what's happening.
 - kernel gets packet and needs to select a route
 - according to rule 0, we look up in table local
 - perform route lookup in table local--no match!
 - according to rule 50, we look up in table bluff
 - perform route lookup in table local--no match!
 - according to rule 32767, we look up in table main
 - perform route lookup in table main-- MATCH!
 - route packet out default gateway

If you add a route to table bluff as follows, you should effectively
prevent 192.168.5.0/24 from reaching any network other than
192.168.5.0/24.

  ip route add blackhole default table bluff

Now, any packets addressed from 192.168.5.0/24 will be blackholed.
This may not be quite what you desire, particularly if packets
addressed from 192.168.5.0/24 are created by your own router, so you
could always say:

  ip rule del prio 50 from 192.168.5.0/24 table bluff
  ip rule add prio 50 from 192.168.5.0/24 iif eth1 table bluff

Then again, you don't describe your network completely, so I could be
steering you wrong here.

And by the way, unless you have some very strange (but not
inconceivable) routes on your hosts inside the 192.168.5.0/24 network,
you won't need to specify the route 192.168.5.0/24 dev eth1 scope link
in table bluff.

 : Is this related to SNAT? In my opinion that should come
 : afterwards since SNAT is in the POSTROUTING chain.

Nope! No SNAT problem here!

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

From mingching.tiew@redtone.com Mon Aug 2 10:00:30 2004
From: mingching.tiew@redtone.com (Ming-Ching Tiew)
Date: Mon, 2 Aug 2004 17:00:30 +0800
Subject: [LARTC] Route policy preference value
Message-ID: <038701c4786f$293971b0$0100a8c0@newlife>

Assuming I have rules matching the same packet, is the one chosen the
lower preference value or the higher?

For example

# ip rule list
....
100 from 192.168.1.0/24 lookup main
200 from all fwmark 5 lookup first
.....

The packet is matching both rules; is the one with priority/preference
100 or 200 selected?
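A small model of the RPDB walk Martin describes above, which also answers Ming-Ching's question about rules 100 and 200, as an added example; it is not code from the list, from iproute2 or from the kernel. Table contents, the gateways 203.0.113.1 and 198.51.100.1 and the interface names are constructed, and the lookup is simplified to a longest-prefix match (no scope, metric or route cache).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    prio: int
    table: str
    src: str = "0.0.0.0/0"            # 'from all' covers every source
    iif: Optional[str] = None         # optional 'iif <dev>' selector
    fwmark: Optional[int] = None      # optional 'fwmark <n>' selector


@dataclass
class Route:
    prefix: str
    action: str                       # e.g. "via 203.0.113.1", "blackhole"


def table_lookup(routes, dst):
    """Longest-prefix match inside one table; None on a miss."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r)
    return best[1] if best else None


def route_select(rules, tables, src, dst, iif=None, fwmark=None):
    """Walk the RPDB in ascending priority.  A rule whose selectors match
    names a table; a miss in that table does not stop the walk, it simply
    continues with the next rule.  Returns (table, Route) or None."""
    src_addr = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.prio):
        if src_addr not in ipaddress.ip_network(rule.src):
            continue
        if rule.iif is not None and rule.iif != iif:
            continue
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        hit = table_lookup(tables.get(rule.table, []), dst)
        if hit is not None:
            return rule.table, hit
    return None


# Sandro's setup: rule 50 sends 192.168.5.0/24 to table 'bluff', which
# knows only its own LAN.  Gateway addresses are constructed placeholders.
BLUFF_TABLES = {
    "local": [Route("192.168.5.1/32", "local")],
    "bluff": [Route("192.168.5.0/24", "dev eth1")],
    "main":  [Route("192.168.5.0/24", "dev eth1"),
              Route("0.0.0.0/0", "via 203.0.113.1")],
}


def bluff_outcome(blackhole=False, iif_rule=False, iif="eth1"):
    """Where does a packet from 192.168.5.2 to 62.207.143.51 go?
    blackhole: add Martin's 'ip route add blackhole default table bluff'.
    iif_rule:  make rule 50 'iif eth1', so router-generated packets
               (iif=None) are not sent through table bluff."""
    tables = {k: list(v) for k, v in BLUFF_TABLES.items()}
    if blackhole:
        tables["bluff"].append(Route("0.0.0.0/0", "blackhole"))
    rules = [Rule(0, "local"),
             Rule(50, "bluff", "192.168.5.0/24",
                  iif="eth1" if iif_rule else None),
             Rule(32766, "main"), Rule(32767, "default")]
    sel = route_select(rules, tables, "192.168.5.2", "62.207.143.51", iif=iif)
    return (sel[0], sel[1].action) if sel else None


def preference_outcome(main_has_default):
    """Ming-Ching's case: rule 100 (from 192.168.1.0/24 -> main) and rule
    200 (fwmark 5 -> first) both match.  The lower number is tried first,
    but table 'first' still wins if 'main' has no route for the packet."""
    tables = {
        "main": ([Route("0.0.0.0/0", "via 203.0.113.1")] if main_has_default
                 else [Route("192.168.1.0/24", "dev eth0")]),
        "first": [Route("0.0.0.0/0", "via 198.51.100.1")],
    }
    rules = [Rule(100, "main", "192.168.1.0/24"), Rule(200, "first", fwmark=5)]
    sel = route_select(rules, tables, "192.168.1.5", "62.207.143.51", fwmark=5)
    return (sel[0], sel[1].action) if sel else None


if __name__ == "__main__":
    print("no blackhole  :", bluff_outcome())
    print("blackhole     :", bluff_outcome(blackhole=True))
    print("router-origin :", bluff_outcome(blackhole=True, iif_rule=True, iif=None))
    print("rule 100 wins :", preference_outcome(True))
    print("falls to 200  :", preference_outcome(False))
```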
From jakob@simon-gaarde.dk Mon Aug 2 10:38:37 2004
From: jakob@simon-gaarde.dk (jakob@simon-gaarde.dk)
Date: Mon, 2 Aug 2004 11:38:37 +0200 (CEST)
Subject: [LARTC] help on ADSL shaping
In-Reply-To: <410D90C3.90208@vectory.com>
References: <3818.80.160.199.114.1091399239.squirrel@webmail1.b-one.nu> <410D90C3.90208@vectory.com>
Message-ID: <28036.194.255.111.125.1091439517.squirrel@webmail1.b-one.nu>

> jakob@simon-gaarde.dk wrote:
>
>> Hi
>> I have read the howto on qdisc's a few times but I can't figure out how to
>> use the shaping capabilities to serve my needs. In the village where I
>> live we have created a wireless local network consisting of 10 houses. One
>> of these houses has an ADSL connection and services this connection to the
>> other houses. To gain access to the network a member must have an
>> accesspoint in client mode, the idea is that if each house has to use a
>> certain accesspoint (with a specific known ip address) to access the
>> router then it must be possible to shape the traffic so no single house
>> can dominate the out (and thus the incoming) traffic.
>>
>> The configuration:
>>
>> House with ADSL:                        A client house:
>>      ((o))                                    ((0))
>>        |                                        | (Known ip)
>>  ------------  eth0  ----|                 |----     --------
>> |Linux router|-------| AP |                 | AP |---| router |
>> |  SuSE 8.2  |        ----                   ----     --------
>>  ------------                                          |    |
>>       |                                            ------ ------
>>      eth1                                         | PC 1 | | PC 2 |
>>       |                                            ------ ------
>>   __--__--__
>>  | Internet |
>>   ----------
>>
>> One house might need to connect 1 PC another house 3, but I need to be
>> sure that one house doesn't swallow the whole bandwidth. Is this possible?
>>
>> Best Regards
>> Jakob Simon-Gaarde
>>
>> _______________________________________________
>> LARTC mailing list / LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
> Hi,
>
> You can use the tc program, and htb qdiscs to ensure that people are
> guaranteed some bandwidth, so that one host cannot dominate the
> network. As it is the Internet link that is the weak point, you need to
> shape at the gateway.
>
> I am currently working on a script that deals out the bandwidth evenly
> amongst hosts, so that when only one host uses the link, it gets full
> speed, but if two are on it is 50/50, and so on. I hope to have it
> finished in a month or so. Maybe you can use that.
>
> Also, if it is p2p traffic you are worried about, you could try the
> p2pshaper. I posted a link in an earlier post.

That sounds very cool (and fair :) ). How do you plan to detect how many
hosts are using the gateway? Idle traffic or a ping-like check? Some
clients may have a hardware router on the other end so it is always
on-line, though maybe being idle for hours.

From sandro@e-den.it Mon Aug 2 12:06:27 2004
From: sandro@e-den.it (Sandro Dentella)
Date: Mon, 2 Aug 2004 13:06:27 +0200
Subject: [LARTC] tables and default
In-Reply-To:
References: <20040801155104.GA27013@bluff>
Message-ID: <20040802110627.GA2441@bluff>

> First thing--I don't know why you are seeing this error from 'ip
> route get'. This should return the real route chosen. You could
> always try the ping and then check the route cache. This should
> help you identify the actual route chosen.
>
> Here's what's happening.
>
> - kernel gets packet and needs to select a route
> - according to rule 0, we look up in table local
> - perform route lookup in table local--no match!
> - according to rule 50, we look up in table bluff
> - perform route lookup in table local--no match!
> - according to rule 32767, we look up in table main
> - perform route lookup in table main-- MATCH!
> - route packet out default gateway
>
> If you add a route to table bluff as follows, you should effectively
> prevent 192.168.5.0/24 from reaching any network other than
> 192.168.5.0/24.
>
> ip route add blackhole default table bluff

Thanks a lot for the explanation. This definitely solved my doubts.

The only remaining problem is the 'ip route get' error. I'm sure that in
some moments yesterday I could get an answer; now it always gives errors,
independent of the rule set...

sandro *:-)

--
Sandro Dentella *:-)
e-mail: sandro@e-den.it
http://www.tksql.org TkSQL Home page - My GPL work

From sandro@e-den.it Mon Aug 2 12:12:00 2004
From: sandro@e-den.it (Sandro Dentella)
Date: Mon, 2 Aug 2004 13:12:00 +0200
Subject: [LARTC] Route policy preference value
In-Reply-To: <038701c4786f$293971b0$0100a8c0@newlife>
References: <038701c4786f$293971b0$0100a8c0@newlife>
Message-ID: <20040802111200.GB2441@bluff>

On Mon, Aug 02, 2004 at 05:00:30PM +0800, Ming-Ching Tiew wrote:
>
> Assuming I have rules matching the same packet,
> is the one chosen the lower preference value or
> the higher?
>
> For example
>
> # ip rule list
>
> ....
> 100 from 192.168.1.0/24 lookup main
> 200 from all fwmark 5 lookup first
> .....
>

From what I have understood it is the lower. Beware, as pointed out to me
by Martin Brown, that failing a matching *route* from rule 100 it will
look for the route in the next matching *rule*. In my case I didn't define
a default route, but packets passed since they arrived to get the one
defined in the main table.

sandro *:-)

--
Sandro Dentella *:-)
e-mail: sandro@e-den.it
http://www.tksql.org TkSQL Home page - My GPL work

From mabrown-lartc@securepipe.com Mon Aug 2 14:21:47 2004
From: mabrown-lartc@securepipe.com (Martin A. Brown)
Date: Mon, 2 Aug 2004 08:21:47 -0500
Subject: [LARTC] Route policy preference value
In-Reply-To: <038701c4786f$293971b0$0100a8c0@newlife>
References: <038701c4786f$293971b0$0100a8c0@newlife>
Message-ID:

Ming-Ching,

 : Assuming I have rules matching the same packet, is the one chosen
 : the lower preference value or the higher?
 :
 : For example
 :
 : # ip rule list
 :
 : ....
 : 100 from 192.168.1.0/24 lookup main
 : 200 from all fwmark 5 lookup first
 : .....
 :
 : The packet is matching both rules; is the one with priority/preference
 : 100 or 200 selected?

The first matched rule in the routing policy database (RPDB) is the one
chosen. Rules are traversed from 0 to 32767. If a route match is found
for a given packet in a specified table, that route is used. If no match
is found in a given table, the (sequential) traversal of the RPDB
continues.

See also this description:

  http://linux-ip.net/html/routing-selection.html#routing-selection-adv

Good luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

From nfogh@vectory.com Mon Aug 2 14:22:18 2004
From: nfogh@vectory.com (Nikolaj Fogh)
Date: Mon, 02 Aug 2004 15:22:18 +0200
Subject: [LARTC] help on ADSL shaping
In-Reply-To: <28036.194.255.111.125.1091439517.squirrel@webmail1.b-one.nu>
References: <3818.80.160.199.114.1091399239.squirrel@webmail1.b-one.nu> <410D90C3.90208@vectory.com> <28036.194.255.111.125.1091439517.squirrel@webmail1.b-one.nu>
Message-ID: <410E400A.2010309@vectory.com>

jakob@simon-gaarde.dk wrote:
>> jakob@simon-gaarde.dk wrote:
>>
>>> Hi
>>> I have read the howto on qdisc's a few times but I can't figure out how to
>>> use the shaping capabilities to serve my needs. In the village where I
>>> live we have created a wireless local network consisting of 10 houses.
>>> One of these houses has an ADSL connection and services this connection
>>> to the other houses. To gain access to the network a member must have an
>>> accesspoint in client mode, the idea is that if each house has to use a
>>> certain accesspoint (with a specific known ip address) to access the
>>> router then it must be possible to shape the traffic so no single house
>>> can dominate the out (and thus the incoming) traffic.
>>>
>>> The configuration:
>>>
>>> House with ADSL:                        A client house:
>>>      ((o))                                    ((0))
>>>        |                                        | (Known ip)
>>>  ------------  eth0  ----|                 |----     --------
>>> |Linux router|-------| AP |                 | AP |---| router |
>>> |  SuSE 8.2  |        ----                   ----     --------
>>>  ------------                                          |    |
>>>       |                                            ------ ------
>>>      eth1                                         | PC 1 | | PC 2 |
>>>       |                                            ------ ------
>>>   __--__--__
>>>  | Internet |
>>>   ----------
>>>
>>> One house might need to connect 1 PC another house 3, but I need to be
>>> sure that one house doesn't swallow the whole bandwidth. Is this
>>> possible?
>>>
>>> Best Regards
>>> Jakob Simon-Gaarde
>>>
>>> _______________________________________________
>>> LARTC mailing list / LARTC@mailman.ds9a.nl
>>> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>>>
>> Hi,
>>
>> You can use the tc program, and htb qdiscs to ensure that people are
>> guaranteed some bandwidth, so that one host cannot dominate the
>> network. As it is the Internet link that is the weak point, you need to
>> shape at the gateway.
>>
>> I am currently working on a script that deals out the bandwidth evenly
>> amongst hosts, so that when only one host uses the link, it gets full
>> speed, but if two are on it is 50/50, and so on. I hope to have it
>> finished in a month or so. Maybe you can use that.
>>
>> Also, if it is p2p traffic you are worried about, you could try the
>> p2pshaper. I posted a link in an earlier post.
>>
> That sounds very cool (and fair :) ). How do you plan to detect how many
> hosts are using the gateway? Idle traffic or a ping-like check? Some
> clients may have a hardware router on the other end so it is always
> on-line, though maybe being idle for hours.
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

At first I was thinking of making a patch to the linux kernel. That would
be the "right" way of doing it. But it also requires people to patch
kernels, and I'm not that much into kernel hacking at the moment.

So actually, I just create a huge HTB tree and make rules for each host
(hosts should be in the 192.168.0.1 - 192.168.0.255 range) that put them
into priorities according to how fast they are downloading. The fastest
downloaders get the least priority. If I am not mistaken, this will make
the bandwidth split very fair, because each host will be ensured at least
their fraction of the bandwidth, while the others can borrow if you don't
use your share.

It might seem a bit cruel to make about 8 rules for each of the 255 hosts,
but if it just works, it might not be so big a problem. AFAIK, most
routers are doing nothing anyway, and can spare the extra cpu-cycles. And
maybe it can be made smarter by using massive filtering.

I will include some more documentation when I have completed the script.

cheers,
Nikolaj Fogh

From alexander.janssen@gmx.de Mon Aug 2 14:36:49 2004
From: alexander.janssen@gmx.de (Alexander W. Janssen)
Date: Mon, 2 Aug 2004 15:36:49 +0200 (CEST)
Subject: [LARTC] Split Access Routing and SNAT
Message-ID: <20344.194.138.18.131.1091453809.squirrel@127.0.0.1>

Hi all,

I've got the following configuration:
* NET1: DSL Line with /28 network, let's call it 10.1.0.0/28
* NET2: DSL Line with /28 network, let's call it 10.2.0.0/28
* INTNET: Internal Network with productive servers and workstations,
  192.168.1.0/24

Obviously the 10er networks are official networks but censored to protect
my customer.

The routerbox assigns on eth0 all IP-addresses from NET1, same for eth1
and NET2. The internal net is on eth2.

I've set up split-access routing like in the documentation, part "4.2.1.
Split access".
Every productive server gets its own routing table and its own SNAT/DNAT
rule. Example is given for one server.

# Server 1, external 10.1.0.3, internal 192.168.1.2, table server1,
# default-gateway is 10.1.0.1 (DSL router)
ip route add $NET1 dev eth0 src 10.1.0.1 table server1
ip route add $INTNET dev eth2 table server1
ip route add default via 10.1.0.1 table server1
ip rule add from 192.168.1.2 table server1
# Now NAT (SNAT takes the new source with --to-source)
iptables -t nat -A PREROUTING -d 10.1.0.3 -j DNAT --to 192.168.1.2
iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to-source 10.1.0.3

I do this for all servers on alternating IP-addresses and lines.

Eventually at the very end of the POSTROUTING-chain I've got a catch-all
SNAT for all workstations in INTNET to get SNATed access to the internet
(only routed via one line):

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 10.1.0.1

(where 10.1.0.1 is a designated IP address only used for the workstations
- the servers all got their own IP-address.)

Works so far.

Now my problem: If a workstation from the internal network, let's say,
wants to connect to the official IP-address of one of the servers, it
doesn't work.

Let's say 192.168.1.212 wants to connect to 10.1.0.3. It goes through its
default gateway 192.168.1.1, which is the only IP address assigned on
eth2, the internal interface. It hits the PREROUTING chain and gets DNATed
to 192.168.1.2. It hits routing code and is matched against "$INTNET dev
eth2" in table server1. It hits POSTROUTING and gets SNATed with 10.1.0.1,
the external, designated IP-address of the router for the clients. It
should be pushed out on the internal interface.

The server receives the packet, processes it and sends back the answer to
the router. The packet hits PREROUTING (from 192.168.1.2 to 10.1.0.1, no
rule matches), hits routing-code and there is the problem I think.
Destined for local interface, don't route. BANG.

Is my observation at that point right?
If yes, does somebody know how to achieve my goal, that internal IPs can
connect to the external IPs? The term "CONNMARK" somehow popped up in my
mind, but I haven't seen any useful examples yet of how to use it
properly.

I hope I provided all necessary information; I know that "ip rule show" is
missing to check the precedences of rules, but I don't have access to the
system right now.

Any hint is appreciated,
thanks,
Alex.

From Andreas.Klauer@metamorpher.de Mon Aug 2 15:02:57 2004
From: Andreas.Klauer@metamorpher.de (Andreas Klauer)
Date: Mon, 2 Aug 2004 16:02:57 +0200
Subject: [LARTC] help on ADSL shaping
In-Reply-To: <3818.80.160.199.114.1091399239.squirrel@webmail1.b-one.nu>
References: <3818.80.160.199.114.1091399239.squirrel@webmail1.b-one.nu>
Message-ID: <200408021602.58139.Andreas.Klauer@metamorpher.de>

On Monday 02 August 2004 00:27, jakob@simon-gaarde.dk wrote:
> In the village where I live we have created a wireless local network
> consisting of 10 houses. One of these houses has an ADSL connection and
> services this connection to the other houses.

Well, you could have a look at the existing shaper scripts, for example my
own ;-) which deals with this kind of problem; however, I never tested it
with WLAN, only in a cable-based LAN, where all clients are in the same
subnet and all IPs are known.

It's located here: http://www.metamorpher.de/fairnat/

I'm still working on some new features like load balancing (multiple
links), dynamic IP (DHCP) support with multiple subnets, and firewall
support, but those are still far away from being completed.

My page also describes exactly the kind of setup I use, so even if the
script is not useful to you, you might at least get some ideas on how to
do shaping in your own situation.
Andreas

From zoop@lone.ath.cx Mon Aug 2 15:46:44 2004
From: zoop@lone.ath.cx (zoop@lone.ath.cx)
Date: Mon, 02 Aug 2004 14:46:44 +0000
Subject: [LARTC] Split Access Routing and SNAT
Message-ID: <20040802.g7v.11619800@www.djrance.com>

One thing you might do if you use DNS is to create views for hosts on the
LAN, so they will resolve the internal IP.

Looks like you should specify with your NATting what interface the traffic
is outbound on, with -o eth1 or eth0, so that when it leaves eth2 it won't
source NAT.

Alexander W. Janssen (alexander.janssen@gmx.de) wrote:
>
> Hi all,
>
> I've got the following configuration:
> * NET1: DSL Line with /28 network, let's call it 10.1.0.0/28
> * NET2: DSL Line with /28 network, let's call it 10.2.0.0/28
> * INTNET: Internal Network with productive servers and workstations,
>   192.168.1.0/24
>
> Obviously the 10er networks are official networks but censored to
> protect my customer.
>
> The routerbox assigns on eth0 all IP-addresses from NET1, same for eth1
> and NET2. The internal net is on eth2.
>
> I've set up split-access routing like in the documentation, part "4.2.1.
> Split access". Every productive server gets its own routing table and its
> own SNAT/DNAT rule. Example is given for one server.
>
> # Server 1, external 10.1.0.3, internal 192.168.1.2, table server1,
> # default-gateway is 10.1.0.1 (DSL router)
> ip route add $NET1 dev eth0 src 10.1.0.1 table server1
> ip route add $INTNET dev eth2 table server1
> ip route add default via 10.1.0.1 table server1
> ip rule add from 192.168.1.2 table server1
> # Now NAT
> iptables -t nat -A PREROUTING -d 10.1.0.3 -j DNAT --to 192.168.1.2
> iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to-source 10.1.0.3
>
> I do this for all servers on alternating IP-addresses and lines.
>
> Eventually at the very end of the POSTROUTING-chain I've got a catch-all
> SNAT for all workstations in INTNET to get SNATed access to the internet
> (only routed via one line):
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 10.1.0.1
> (where 10.1.0.1 is a designated IP address only used for the workstations
> - the servers all got their own IP-address.)
> Works so far.
>
> Now my problem: If a workstation from the internal network, let's say,
> wants to connect to the official IP-address of one of the servers, it
> doesn't work.
> Let's say 192.168.1.212 wants to connect to 10.1.0.3. It goes through its
> default gateway 192.168.1.1, which is the only IP address assigned on
> eth2, the internal interface. It hits the PREROUTING chain and gets DNATed
> to 192.168.1.2. It hits routing code and is matched against "$INTNET dev
> eth2" in table server1. It hits POSTROUTING and gets SNATed with 10.1.0.1,
> the external, designated IP-address of the router for the clients. It
> should be pushed out on the internal interface.
> The server receives the packet, processes it and sends back the answer to
> the router. The packet hits PREROUTING (from 192.168.1.2 to 10.1.0.1, no
> rule matches), hits routing-code and there is the problem I think.
> Destined for local interface, don't route. BANG.
> Is my observation at that point right? If yes, does somebody know how to
> achieve my goal, that internal IPs can connect to the external IPs? The
> term "CONNMARK" somehow popped up in my mind, but I haven't seen any
> useful examples yet of how to use it properly.
> I hope I provided all necessary information; I know that "ip rule show" is
> missing to check the precedences of rules, but I don't have access to the
> system right now.
> Any hint is appreciated,
> thanks,
> Alex.
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

--
When dealing with a slow pipe, never underestimate the throughput of the
postal system.

From mjoachimiak@poczta.onet.pl Mon Aug 2 17:02:04 2004
From: mjoachimiak@poczta.onet.pl (mjoachimiak@poczta.onet.pl)
Date: Mon, 2 Aug 2004 18:02:04 +0200
Subject: [LARTC] tcng + NAT
Message-ID: <002101c478aa$0e585560$0802a8c0@monster>

Does anybody know how to use tcng with packet marking? I'm masquerading my
connection, so to shape outbound traffic I need to mark packets with
iptables. But how do you make tcng recognize marked packets?

Thanks for your help.
 
From lartc@manchotnetworks.net Mon Aug 2 17:56:12 2004
From: lartc@manchotnetworks.net (lartc@manchotnetworks.net)
Date: Mon, 02 Aug 2004 18:56:12 +0200
Subject: [LARTC] tcng + NAT
In-Reply-To: <002101c478aa$0e585560$0802a8c0@monster>
References: <002101c478aa$0e585560$0802a8c0@monster>
Message-ID: <1091465772.3740.4.camel@drs0>

Hello,

you can try:

    . . .
    // ip header type of service
    class ( <$adsl_high> ) if ip_tos == 0x80;
    // metadata packet mark
    class ( <$adsl_medium> ) if meta_nfmark == 0x30;
    . . .

Cheers
Charles

On Mon, 2004-08-02 at 18:02, mjoachimiak@poczta.onet.pl wrote:
>
> Does anybody know how to use tcng with packet marking? I'm
> masquerading my connection, so to shape outbound traffic I need to mark
> packets with iptables. But how do you make tcng recognize marked
> packets?
>
> Thanks for your help.

From mingching.tiew@redtone.com Tue Aug 3 05:52:14 2004
From: mingching.tiew@redtone.com (Ming-Ching Tiew)
Date: Tue, 3 Aug 2004 12:52:14 +0800
Subject: [LARTC] Route policy preference value
References: <038701c4786f$293971b0$0100a8c0@newlife>
Message-ID: <001f01c47915$a6062070$0100a8c0@newlife>

> See also this description:
>
> http://linux-ip.net/html/routing-selection.html#routing-selection-adv
>

Gee, a simple illustration will explain it much better than such a train
of words.

From mabrown-lartc@securepipe.com Tue Aug 3 06:41:00 2004
From: mabrown-lartc@securepipe.com (Martin A. Brown)
Date: Tue, 3 Aug 2004 00:41:00 -0500 (CDT)
Subject: [LARTC] Route policy preference value
In-Reply-To: <001f01c47915$a6062070$0100a8c0@newlife>
References: <038701c4786f$293971b0$0100a8c0@newlife> <001f01c47915$a6062070$0100a8c0@newlife>
Message-ID:

Ming-Ching,

 : > http://linux-ip.net/html/routing-selection.html#routing-selection-adv
 :
 : Gee, a simple illustration will explain it much better than
 : such a train of words.

Well...in that case...how do you feel about my pseudo-code locomotive?
You may well be right--I sometimes have a tendency to be verbose. I'll
see what I can do to imagine an accurate and intuitive diagram.

Thanks for the feedback,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

From mingching.tiew@redtone.com Tue Aug 3 06:49:29 2004
From: mingching.tiew@redtone.com (Ming-Ching Tiew)
Date: Tue, 3 Aug 2004 13:49:29 +0800
Subject: [LARTC] Route policy preference value
References: <038701c4786f$293971b0$0100a8c0@newlife> <001f01c47915$a6062070$0100a8c0@newlife>
Message-ID: <006101c4791d$a49028a0$0100a8c0@newlife>

>
> You may well be right--I sometimes have a tendency to be verbose. I'll
> see what I can do to imagine an accurate and intuitive diagram.
>
> Thanks for the feedback,
>

It's OK, I think I have figured out the answer. The system will pick the
smaller number, meaning smaller number, higher preference.

From swcims@163.com Tue Aug 3 09:58:15 2004
From: swcims@163.com (swcims)
Date: Tue, 3 Aug 2004 16:58:15 +0800
Subject: [LARTC] QOS inquiry: WFQ? HTB? DRR?
Message-ID: <20040803091128.5CB183FD2@outpost.ds9a.nl>

Hi,

I used HTB3.6 on Linux to control traffic. It seems that HTB uses the DRR
(Deficit Round-Robin) algorithm. I heard that it is difficult for DRR to
get a bounded delay and that WFQ is better than DRR. Is that right? So,
how to implement WFQ in Linux?

Thanks a lot!

Best Regards
swcims
swcims@163.com
2004-08-03

From lrotger@aircomp.aero Tue Aug 3 11:05:38 2004
From: lrotger@aircomp.aero (L Rotger)
Date: Tue, 03 Aug 2004 12:05:38 +0200
Subject: [LARTC] ceil, cburst, prio not working?
Message-ID: <410F6372.5000000@aircomp.aero>

Hi,

I've been using htb fine to separate outgoing SMTP traffic from HTTP
traffic so sending big emails doesn't affect browsing.
As long as ceil == burst and the sum of all rates doesn't exceed the root
class' rate all is fine, but when I incorporate ceil I would expect (from
the lartc howto) that when other classes are idle the remaining bandwidth
would be assigned in order of prio (I believe, again from the howto, that
0 is highest) to other classes, which is not happening.

In particular, sending big test emails (with everything else idle) shows
that SMTP traffic never exceeds exactly 3kbps, even with ceil set at
9kbps. I measured the speed with iptraf.

What am I doing wrong?

List of my classes. If you need more info, please let me know!

# tc class show dev eth2
class htb 1: root prio 0 rate 13312bit ceil 13312bit burst 1732b cburst 5Kb
class htb 1:20 root prio 7 rate 12bit ceil 12bit burst 1599b cburst 1599b
class htb 1:5 root prio 2 rate 13312bit ceil 13312bit burst 1732b cburst 1732b
class htb 1:6 root prio 3 rate 13312bit ceil 13312bit burst 1732b cburst 1732b
class htb 1:7 root prio 4 rate 4096bit ceil 4096bit burst 1639b cburst 5Kb
class htb 1:8 root prio 5 rate 3072bit ceil 9216bit burst 1629b cburst 1691b
class htb 1:9 root prio 6 rate 3072bit ceil 9216bit burst 1629b cburst 1691b

root class: 1:0
siblings: 1:5, 1:6, 1:7, 1:8, 1:9, 1:20

SMTP outgoing traffic goes out 1:8.

1:20 is the default, so all non-specifically filtered traffic goes out
slowly (rate is 0.1kbit) so I know what's left to filter.

Thanks in advance!

L Rotger

From JPolache@texasmutual.com Tue Aug 3 21:57:28 2004
From: JPolache@texasmutual.com (Jonathan S. Polacheck)
Date: Tue, 3 Aug 2004 15:57:28 -0500
Subject: [LARTC] Jonathan S. Polacheck/AUSTIN/THE_FUND is out of the office.
Message-ID:

I will be out of the office starting 08/03/2004 and will not return until
08/18/2004.

I will respond to your message when I return.
From johnm@advocap.org Tue Aug 3 22:40:06 2004
From: johnm@advocap.org (John McMonagle)
Date: Tue, 03 Aug 2004 16:40:06 -0500
Subject: [LARTC] network scripts debian
Message-ID: <41100636.5050207@advocap.org>

Working at setting up some new firewalls with multi-path routing over 2
ISPs. Doing it with debian sarge.

Problem is the normal network scripts use ifconfig and route.
In my tests I did a simple setup script. Feel like I am reinventing the
wheel :-)

Is it OK to use the network scripts to set up the interface and then
remove the routes ifconfig created and add any needed routes with ip
commands? Or am I best setting up the connections from scratch?

Also related is that some of the interfaces are dynamic. I can rewrite
dhclient-script or just rebuild routes in dhclient-exit-hooks.d.

Also dhcpd-script gives
new_subnet_mask=.........
new_ip_address=....
new_network_number=......
interface=eth2

But for ip route I need the length part of new_network_number/length.
Is there a simple way to calculate length from new_subnet_mask?

Thanks
John

From Gareth.Segree@gleanerjm.com Tue Aug 3 23:28:15 2004
From: Gareth.Segree@gleanerjm.com (Segree, Gareth)
Date: Tue, 3 Aug 2004 17:28:15 -0500
Subject: [LARTC] Second isp failure with dual internet connection
Message-ID: <1198536982594F4E9A8E8D4DA6B64E66829D@COMMSRV04.gleanerjm.com>
Below is a snippet from my firewall script

isp1_ip="xx.0.5.20"
isp1_gw="xx.0.5.1"
isp1_net="xx.0.5.0/28"
isp1_if="eth2"

isp2_ip="xx.182.19.88"
isp2_gw="xx.182.19.1"
isp2_net="xx.182.19.0/28"
isp2_if="eth3"

lo_ip="127.0.0.1"
lo_if="lo"
lo_net="127.0.0.1/8"

ip rule delete from $isp1_ip
ip rule delete from $isp2_ip
ip route delete table 5 # isp 1
ip route delete table 7 # isp 2
ip route del default via $isp2_gw dev $isp2_if
ip route flush cache
#ip route default nexthop via $isp2_gw nexthop $isp1_gw
#ip route add default nexthop via $isp2_gw dev $isp2_if weight 2\
#    nexthop via $isp1_gw dev $isp1_if weight 1

echo "Adding routes ..."
ip route add $isp1_net dev $isp1_if src $isp1_ip table 5
ip route add default via $isp1_gw table 5
#ip route add $lan_net dev $lan_if table 5
#ip route add $isp2_net dev $isp2_if table 5
#ip route add $lo_net dev $lo_if table 5

ip route add $isp1_net dev $isp1_if src $isp1_ip
ip route add $isp2_net dev $isp2_if src $isp2_ip
ip rule add from $isp1_ip table 5
ip rule add from $isp2_ip table 7

ip route add $isp2_net dev $isp2_if src $isp2_ip table 7
ip route add default via $isp2_gw table 7
ip route add $lan_net dev $lan_if table 7
ip route add $isp1_net dev $isp1_if table 7
ip route add $lo_net dev $lo_if table 7

ip route add default scope global nexthop via $isp2_gw dev $isp2_if \
    weight 200 nexthop via $isp1_gw dev $isp1_if weight 1
ip route flush cache
echo "Starting firewall ..."

mail/http connections to $isp1_ip fail. Why is this?
I want to be able to connect to both ISPs and fail over to ISP1 when ISP2
is down.

Thanks

Gareth Segree
mailto:Gareth.Segree@gleanerjm.com
Technical Support Analyst
The Gleaner Company Ltd.
7 North Street
Kingston
Tel: 922-3400

Below is a snippet from my firewall script
   isp1_ip="xx.0.5.20"
   isp1_gw="xx.0.5.1"
   isp1_net="xx.0.5.0/28"
   isp1_if="eth2"

   isp2_ip="xx.182.19.88"
   isp2_gw="xx.182.19.1"
   isp2_net="xx.182.19.0/28"
   isp2_if="eth3"

   lo_ip="127.0.0.1"
   lo_if="lo"
   lo_net="127.0.0.1/8"

   ip rule delete from $isp1_ip
   ip rule delete from $isp2_ip
   ip route delete table 5 # isp 1
   ip route delete table 7 # isp 2
   ip route del default via $isp2_gw dev $isp2_if
   ip route flush cache
   #ip route default nexthop via $isp2_gw nexthop $isp1_gw
   #ip route add default nexthop via $isp2_gw dev $isp2_if weight 2\
   #    nexthop via $isp1_gw dev $isp1_if weight 1

   echo "Adding routes ..."
   ip route add $isp1_net dev $isp1_if src $isp1_ip table 5
   ip route add default via $isp1_gw table 5
   #ip route add $lan_net dev $lan_if table 5
   #ip route add $isp2_net dev $isp2_if table 5
   #ip route add $lo_net dev $lo_if table 5

   ip route add $isp1_net dev $isp1_if src $isp1_ip
   ip route add $isp2_net dev $isp2_if src $isp2_ip
   ip rule add from $isp1_ip table 5
   ip rule add from $isp2_ip table 7

   ip route add $isp2_net dev $isp2_if src $isp2_ip table 7
   ip route add default via $isp2_gw table 7
   ip route add $lan_net dev $lan_if table 7
   ip route add $isp1_net dev $isp1_if table 7
   ip route add $lo_net dev $lo_if table 7

   ip route add default scope global nexthop via $isp2_gw dev $isp2_if  \
       weight 200 nexthop via $isp1_gw dev $isp1_if weight 1
   ip route flush cache
   echo "Starting firewall ..."

mail/http connections to $isp1_ip fail. Why is this?
I want to be able to connect to both ISPs and fail over to ISP1 when ISP2 is down.

Thanks


Gareth Segree
mailto:Gareth.Segree@gleanerjm.com
Technical Support Analyst
The Gleaner Company Ltd.
7 North Street
Kingston
Tel: 922-3400

From isianto.istiadi@adirarental.com Wed Aug 4 10:00:59 2004
From: isianto.istiadi@adirarental.com (Ing Isianto Istiadi)
Date: Wed, 4 Aug 2004 16:00:59 +0700
Subject: [LARTC] htb and fw problems
Message-ID: <20040804160059.6fe9a596.isianto.istiadi@adirarental.com>

Dear All,
I'm using the kernel 2.6.6, iproute2-2.4.7.20020116, iptables v1.2.9, and gentoo.
I have a leased-line 64 kbps.
I can see the counter works in iptables, but in the htb, it doesn't go to the right class (it always goes to the default class).

Any help will be appreciated

here's my htb conf
#!/bin/bash

tc qdisc del dev eth1 root

tc qdisc add dev eth1 root handle 1: htb default 80
tc class add dev eth1 parent 1: classid 1:1 htb rate 65kbps ceil 65kbps
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 20kbps ceil 35kbps prio 3
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 5kbps ceil 10kbps prio 0
tc class add dev eth1 parent 1:1 classid 1:30 htb rate 8kbps ceil 11kbps prio 2
tc class add dev eth1 parent 1:1 classid 1:40 htb rate 23kbps ceil 40kbps prio 1
tc class add dev eth1 parent 1:1 classid 1:80 htb rate 8kbps ceil 10kbps prio 4

tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
tc qdisc add dev eth1 parent 1:40 handle 40: sfq perturb 10
tc qdisc add dev eth1 parent 1:80 handle 80: sfq perturb 10

tc filter add dev eth1 parent 1:0 protocol ip handle 10 fw flowid 1:10
tc filter add dev eth1 parent 1:0 protocol ip handle 20 fw flowid 1:20
tc filter add dev eth1 protocol ip parent 1:0 handle 30 fw flowid 1:30
tc filter add dev eth1 parent 1:0 protocol ip handle 40 fw classid 1:40
tc filter add dev eth1 protocol ip parent 1:0 handle 80 fw flowid 1:80

Here's my iptables rules
*mangle
:PREROUTING ACCEPT [1061:863210]
:INPUT ACCEPT [1022:857788]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [947:201743]
:POSTROUTING ACCEPT [947:201743]
-N personal
-N others
-N personal1
#-A OUTPUT -p tcp -m tcp --sport 3128 -j MARK --set-mark 0x2
-A OUTPUT -p tcp -m tcp --sport 3128 --destination 192.168.1.145 -j personal
#-A OUTPUT -p tcp -m tcp --dport 80 -j MARK --set-mark 20
-A OUTPUT -p tcp -m tcp --dport 80 -j others
-A personal -j MARK --set-mark 40
-A others -j MARK --set-mark 20

Here's my iptables -L -v -t mangle -x output
Chain PREROUTING (policy ACCEPT 580535 packets, 176796832 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 573475 packets, 174919251 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 5656 packets, 1810367 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 598621 packets, 392036436 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   11105   14785525 personal   tcp  --  any    any     anywhere             192.168.1.145       tcp spt:webcache
   28465    2233910 others     tcp  --  any    any     anywhere             anywhere            tcp dpt:www

Chain POSTROUTING (policy ACCEPT 604295 packets, 393851150 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain others (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   28465    2233910 MARK       all  --  any    any     anywhere             anywhere            MARK set 0x14

Chain personal (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   11105   14785525 MARK       all  --  any    any     anywhere             anywhere            MARK set 0x28

Chain personal1 (0 references)
    pkts      bytes target     prot opt in     out     source               destination

Here's my

/sbin/tc -s qdisc show dev eth1

qdisc sfq 80: limit 128p quantum 1514b perturb 10sec
 Sent 386 bytes 5 pkts (dropped 0, overlimits 0)
qdisc sfq 40: limit 128p quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 30: limit 128p quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 20: limit 128p quantum 1514b perturb 10sec
 Sent 12272 bytes 72 pkts (dropped 0, overlimits 0)
qdisc sfq 10: limit 128p quantum 1514b perturb 10sec
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc htb 1: r2q 10 default 80 direct_packets_stat 0
 Sent 12658 bytes 77 pkts (dropped 0, overlimits 0)

tc -s -d filter show dev eth1

filter parent 1: protocol ip pref 49151 fw
filter parent 1: protocol ip pref 49151 fw handle 0x50 classid 1:80
filter parent 1: protocol ip pref 49151 fw
filter parent 1: protocol ip pref 49151 fw handle 0x28 classid 1:40
filter parent 1: protocol ip pref 49151 fw
filter parent 1: protocol ip pref 49151 fw handle 0x1e classid 1:30
filter parent 1: protocol ip pref 49151 fw
filter parent 1: protocol ip pref 49151 fw handle 0x14 classid 1:20
filter parent 1: protocol ip pref 49152 fw
filter parent 1: protocol ip pref 49152 fw handle 0xa classid 1:10

tc -s class show dev eth1

class htb 1:1 root rate 520Kbit ceil 520Kbit burst 2264b cburst 2264b
 Sent 174465 bytes 1142 pkts (dropped 0, overlimits 0)
 rate 712bps 5pps
 lended: 4 borrowed: 0 giants: 0
 tokens: 34107 ctokens: 34107

class htb 1:10 parent 1:1 leaf 10: prio 3 rate 160Kbit ceil 280Kbit burst 1803b cburst 1957b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 90199 ctokens: 55942

class htb 1:20 parent 1:1 leaf 20: prio 0 rate 40Kbit ceil 80Kbit burst 1650b cburst 1701b
 Sent 115721 bytes 990 pkts (dropped 0, overlimits 0)
 rate 340bps 3pps
 lended: 990 borrowed: 0 giants: 0
 tokens: 320599 ctokens: 165400

class htb 1:30 parent 1:1 leaf 30: prio 2 rate 64Kbit ceil 88Kbit burst 1680b cburst 1711b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 210124 ctokens: 155635

class htb 1:40 parent 1:1 leaf 40: prio 1 rate 184Kbit ceil 320Kbit burst 1834b cburst 2008b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 79781 ctokens: 50224

class htb 1:80 parent 1:1 leaf 80: prio 4 rate 64Kbit ceil 80Kbit burst 1680b cburst 1701b
 Sent 58744 bytes 152 pkts (dropped 0, overlimits 0)
 rate 3Kbit 1pps
 lended: 148 borrowed: 4 giants: 0
 tokens: 202125 ctokens: 163799

From JPolache@texasmutual.com Wed Aug 4 10:00:13 2004
From: JPolache@texasmutual.com (Jonathan S. Polacheck)
Date: Wed, 4 Aug 2004 04:00:13 -0500
Subject: [LARTC] Jonathan S. Polacheck/AUSTIN/THE_FUND is out of the office.
Message-ID:

I will be out of the office starting 08/03/2004 and will not return until 08/18/2004.
I will respond to your message when I return.

From mjoachimiak@poczta.onet.pl Wed Aug 4 12:34:08 2004
From: mjoachimiak@poczta.onet.pl (mjoachimiak@poczta.onet.pl)
Date: Wed, 4 Aug 2004 13:34:08 +0200
Subject: [LARTC] Re: HTB 3.13 please help
References:
Message-ID: <000e01c47a16$f8b4e390$0802a8c0@monster>

Hello Devik!
Thanks for your help. And many thanks to everybody from the group who has been thinking on my problem.
It seems I resolved my problem - there is no connection loss while resetting htb, but I'll be observing its stability in a few days.
I have no words to write what a STUPID mistake it was. As I supposed, it was connected with packet marking.
I've been using this command to mark packets:
iptables -t mangle -A MYSHAPER-OUT -p tcp -s 192.168.0.2 -j MARK --set-mark $mark
BUT when configuring tcng I looked at my marking script: "what the heck??, Internet is not only tcp! Isn't it?"
I removed "-p tcp" and now it works.
Yes it was really BAD and took me too much time ggrrrrrrr.
Good luck folks.

From mjoachimiak@poczta.onet.pl Wed Aug 4 12:41:34 2004
From: mjoachimiak@poczta.onet.pl (mjoachimiak@poczta.onet.pl)
Date: Wed, 4 Aug 2004 13:41:34 +0200
Subject: [LARTC] htb and fw problems
Message-ID: <002201c47a18$0049b210$0802a8c0@monster>

----- Original Message -----
From:
To: "Ing Isianto Istiadi"
Sent: Wednesday, August 04, 2004 1:40 PM
Subject: Re: [LARTC] htb and fw problems

> hi!
> your default class must not have rate greater than your desired speed rate.
> If you have 64kbps your class should have 60kbps or less. Without this htb
> will not work as you expect!
> tc class add dev eth1 parent 1: classid 1:1 htb rate 65kbps ceil 65kbps
> ----- Original Message -----
> From: "Ing Isianto Istiadi"
> To:
> Sent: Wednesday, August 04, 2004 11:00 AM
> Subject: [LARTC] htb and fw problems
> [...]
> > _______________________________________________
> > LARTC mailing list / LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From isianto.istiadi@adirarental.com Wed Aug 4 14:11:05 2004
From: isianto.istiadi@adirarental.com (Ing Isianto Istiadi)
Date: Wed, 4 Aug 2004 20:11:05 +0700
Subject: [LARTC] htb and fw problems
In-Reply-To: <002201c47a18$0049b210$0802a8c0@monster>
References: <002201c47a18$0049b210$0802a8c0@monster>
Message-ID: <20040804201105.119ed93d.isianto.istiadi@adirarental.com>

Dear, I have changed
tc class add dev eth1 parent 1: classid 1:1 htb rate 65kbps ceil 65kbps
to
tc class add dev eth1 parent 1: classid 1:1 htb rate 60kbps ceil 60kbps
still with the same result
any other tips?

On Wed, 4 Aug 2004 13:41:34 +0200
 wrote:

> > hi!
> > your default class must not have rate greater than your desired speed rate.
> > If you have 64kbps your class should have 60kbps or less. Without this htb
> > will not work as you expect!
> > tc class add dev eth1 parent 1: classid 1:1 htb rate 65kbps ceil 65kbps
> [...]

From arno@disconnect.de Wed Aug 4 14:36:03 2004
From: arno@disconnect.de (Arno)
Date: Wed, 4 Aug 2004 15:36:03 +0200
Subject: [LARTC] htb and fw problems
In-Reply-To: <20040804160059.6fe9a596.isianto.istiadi@adirarental.com>
References: <20040804160059.6fe9a596.isianto.istiadi@adirarental.com>
Message-ID: <200408041536.03889.arno@disconnect.de>

Hello,

On Wednesday 04 August 2004 11:00, Ing Isianto Istiadi wrote:
> I'm using the kernel 2.6.6, iproute2-2.4.7.20020116, iptables v1.2.9, and
> gentoo. I have a leased-line 64 kbps.
> I can see the counter works in iptables, but in the htb, it doesn't go to
> the right class (it always goes to the default class).
>
> Any help will be appreciated
>
> here's my htb conf
> #!/bin/bash
>
> tc qdisc del dev eth1 root
>
> tc qdisc add dev eth1 root handle 1: htb default 80
> tc class add dev eth1 parent 1: classid 1:1 htb rate 65kbps ceil 65kbps
> tc class add dev eth1 parent 1:1 classid 1:10 htb rate 20kbps ceil 35kbps prio 3
> tc class add dev eth1 parent 1:1 classid 1:20 htb rate 5kbps ceil 10kbps prio 0
> tc class add dev eth1 parent 1:1 classid 1:30 htb rate 8kbps ceil 11kbps prio 2
> tc class add dev eth1 parent 1:1 classid 1:40 htb rate 23kbps ceil 40kbps prio 1
> tc class add dev eth1 parent 1:1 classid 1:80 htb rate 8kbps ceil 10kbps prio 4

Well, it's just a wild guess, but do you really have a 64 k-byte/second leased line or could it be a 64 k-bit/second line?
If it's the latter you should try:

tc class add dev eth1 parent 1: classid 1:1 htb rate 64kbit ceil 64kbit

and see if that works out.

I'd also highly recommend reading http://www.docum.org/docum.org/faq/cache/74.html

rgds,
Arno

From mabrown-lartc@securepipe.com Wed Aug 4 14:41:54 2004
From: mabrown-lartc@securepipe.com (Martin A. Brown)
Date: Wed, 4 Aug 2004 08:41:54 -0500
Subject: [LARTC] htb and fw problems
In-Reply-To: <20040804201105.119ed93d.isianto.istiadi@adirarental.com>
References: <002201c47a18$0049b210$0802a8c0@monster> <20040804201105.119ed93d.isianto.istiadi@adirarental.com>
Message-ID:

Dear Isianto Istiadi,

Here are your class creation statements:

 : [ snip ] 1: classid 1:1 htb rate 65kbps ceil 65kbps
 : [ snip ] 1:1 classid 1:10 htb rate 20kbps ceil 35kbps prio 3
 : [ snip ] 1:1 classid 1:20 htb rate 5kbps ceil 10kbps prio 0
 : [ snip ] 1:1 classid 1:30 htb rate 8kbps ceil 11kbps prio 2
 : [ snip ] 1:1 classid 1:40 htb rate 23kbps ceil 40kbps prio 1
 : [ snip ] 1:1 classid 1:80 htb rate 8kbps ceil 10kbps prio 4

You are configuring HTB to guarantee exactly 64kbps to the children classes.

 - Leaf class rate is guaranteed. HTB does not check parent classes.
   This may be non-intuitive or even counter-intuitive.
 - Your rates, then, total 64kbps: 20 + 5 + 8 + 23 + 8 = 64

Perhaps you could try dropping the guaranteed bandwidth (sum of rates of leaf classes) below 60kbps.

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

From tuxpower2k3@uni.de Wed Aug 4 14:43:15 2004
From: tuxpower2k3@uni.de (Morten Kramer)
Date: Wed, 4 Aug 2004 15:43:15 +0200
Subject: [LARTC] htb and fw problems
References: <002201c47a18$0049b210$0802a8c0@monster> <20040804201105.119ed93d.isianto.istiadi@adirarental.com>
Message-ID: <000901c47a28$fe6aa920$152ea8c0@rulership>

only short answer test sorry

----- Original Message -----
From: "Ing Isianto Istiadi"
To:
Sent: Wednesday, August 04, 2004 3:11 PM
Subject: Re: [LARTC] htb and fw problems

> Dear, I have changed
> tc class add dev eth1 parent 1: classid 1:1 htb rate 65kbps ceil 65kbps
> to
> tc class add dev eth1 parent 1: classid 1:1 htb rate 60kbps ceil 60kbps
> still with the same result
> any other tips?
> [...]

From isianto.istiadi@adirarental.com Wed Aug 4 15:15:52 2004
From: isianto.istiadi@adirarental.com (Ing Isianto Istiadi)
Date: Wed, 4 Aug 2004 21:15:52 +0700
Subject: [LARTC] htb and fw problems
In-Reply-To: <000901c47a28$fe6aa920$152ea8c0@rulership>
References: <002201c47a18$0049b210$0802a8c0@monster> <20040804201105.119ed93d.isianto.istiadi@adirarental.com> <000901c47a28$fe6aa920$152ea8c0@rulership>
Message-ID: <20040804211552.4170dcd4.isianto.istiadi@adirarental.com>

Ok, here's my new htb config

#!/bin/bash

tc qdisc del dev eth1 root

tc qdisc add dev eth1 root handle 1: htb default 80 debug 3333333
tc class add dev eth1 parent 1: classid 1:1 htb rate 60kbit ceil 60kbit
tc class add dev eth1 parent 1:1 classid 1:10 htb rate 20kbit ceil 65kbit prio 3
tc class add dev eth1 parent 1:1 classid 1:20 htb rate 10kbit ceil 15kbit prio 0
tc class add dev eth1 parent 1:1 classid 1:30 htb rate 5kbit ceil 11kbit prio 2
tc class add dev eth1 parent 1:1 classid 1:40 htb rate 20kbit ceil 23kbit prio 1
tc class add dev eth1 parent 1:1 classid 1:80 htb rate 5kbit ceil 10kbit prio 4

tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
tc qdisc add dev eth1 parent 1:40 handle 40: sfq perturb 10
tc qdisc add dev eth1 parent 1:80 handle 80: sfq perturb 10

tc filter add dev eth1 parent 1:0 protocol ip handle 1 fw flowid 1:10
tc filter add dev eth1 parent 1:0 protocol ip handle 2 fw flowid 1:20
tc filter add dev eth1 protocol ip parent 1:0 handle 3 fw flowid 1:30
tc filter add dev eth1 parent 1:0 protocol ip handle 4 fw flowid 1:40
tc filter add dev eth1 protocol ip parent 1:0 handle 80 fw flowid 1:80

with the same effect.
Thanks for pointing out the parent's rate.
it's my mistakes ^_^ > > > > > Here's my iptables rules*mangle > > > > > :PREROUTING ACCEPT [1061:863210] > > > > > :INPUT ACCEPT [1022:857788] > > > > > :FORWARD ACCEPT [0:0] > > > > > :OUTPUT ACCEPT [947:201743] > > > > > :POSTROUTING ACCEPT [947:201743] > > > > > -N personal > > > > > -N others > > > > > -N personal1 > > > > > #-A OUTPUT -p tcp -m tcp --sport 3128 -j MARK --set-mark 0x2 > > > > > -A OUTPUT -p tcp -m tcp --sport 3128 --destination 192.168.1.145 -j > > > > personal > > > > > #-A OUTPUT -p tcp -m tcp --dport 80 -j MARK --set-mark 20 > > > > > -A OUTPUT -p tcp -m tcp --dport 80 -j others > > > > > -A personal -j MARK --set-mark 40 > > > > > -A others -j MARK --set-mark 20 > > > > > > > > > > > > > > > Here's my iptables -L -v -t mangle -x output > > > > > Chain PREROUTING (policy ACCEPT 580535 packets, 176796832 bytes) > > > > > pkts bytes target prot opt in out source > > > > destination > > > > > > > > > > Chain INPUT (policy ACCEPT 573475 packets, 174919251 bytes) > > > > > pkts bytes target prot opt in out source > > > > destination > > > > > > > > > > Chain FORWARD (policy ACCEPT 5656 packets, 1810367 bytes) > > > > > pkts bytes target prot opt in out source > > > > destination > > > > > > > > > > Chain OUTPUT (policy ACCEPT 598621 packets, 392036436 bytes) > > > > > pkts bytes target prot opt in out source > > > > destination > > > > > 11105 14785525 personal tcp -- any any anywhere > > > > 192.168.1.145 tcp spt:webcache > > > > > 28465 2233910 others tcp -- any any anywhere > > > > anywhere tcp dpt:www > > > > > > > > > > Chain POSTROUTING (policy ACCEPT 604295 packets, 393851150 bytes) > > > > > pkts bytes target prot opt in out source > > > > destination > > > > > > > > > > Chain others (1 references) > > > > > pkts bytes target prot opt in out source > > > > destination > > > > > 28465 2233910 MARK all -- any any anywhere > > > > anywhere MARK set 0x14 > > > > > > > > > > Chain personal (1 references) > > > > > pkts bytes target prot opt 
in out source > > > > destination > > > > > 11105 14785525 MARK all -- any any anywhere > > > > anywhere MARK set 0x28 > > > > > > > > > > Chain personal1 (0 references) > > > > > pkts bytes target prot opt in out source > > > > destination > > > > > > > > > > Here's my > > > > > > > > > > /sbin/tc -s qdisc show dev eth1 > > > > > > > > > > qdisc sfq 80: limit 128p quantum 1514b perturb 10sec > > > > > Sent 386 bytes 5 pkts (dropped 0, overlimits 0) > > > > > qdisc sfq 40: limit 128p quantum 1514b perturb 10sec > > > > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > > > > qdisc sfq 30: limit 128p quantum 1514b perturb 10sec > > > > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > > > > qdisc sfq 20: limit 128p quantum 1514b perturb 10sec > > > > > Sent 12272 bytes 72 pkts (dropped 0, overlimits 0) > > > > > qdisc sfq 10: limit 128p quantum 1514b perturb 10sec > > > > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > > > > qdisc htb 1: r2q 10 default 80 direct_packets_stat 0 > > > > > Sent 12658 bytes 77 pkts (dropped 0, overlimits 0) > > > > > > > > > > > > > > > tc -s -d filter show dev eth1 > > > > > > > > > > filter parent 1: protocol ip pref 49151 fw > > > > > filter parent 1: protocol ip pref 49151 fw handle 0x50 classid 1:80 > > > > > filter parent 1: protocol ip pref 49151 fw > > > > > filter parent 1: protocol ip pref 49151 fw handle 0x28 classid 1:40 > > > > > filter parent 1: protocol ip pref 49151 fw > > > > > filter parent 1: protocol ip pref 49151 fw handle 0x1e classid 1:30 > > > > > filter parent 1: protocol ip pref 49151 fw > > > > > filter parent 1: protocol ip pref 49151 fw handle 0x14 classid 1:20 > > > > > filter parent 1: protocol ip pref 49152 fw > > > > > filter parent 1: protocol ip pref 49152 fw handle 0xa classid 1:10 > > > > > > > > > > > > > > > tc -s class show dev eth1 > > > > > > > > > > class htb 1:1 root rate 520Kbit ceil 520Kbit burst 2264b cburst > 2264b > > > > > Sent 174465 bytes 1142 pkts (dropped 0, overlimits 0) > > 
> > > rate 712bps 5pps > > > > > lended: 4 borrowed: 0 giants: 0 > > > > > tokens: 34107 ctokens: 34107 > > > > > > > > > > class htb 1:10 parent 1:1 leaf 10: prio 3 rate 160Kbit ceil 280Kbit > > > burst > > > > 1803b cburst 1957b > > > > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > > > > lended: 0 borrowed: 0 giants: 0 > > > > > tokens: 90199 ctokens: 55942 > > > > > > > > > > class htb 1:20 parent 1:1 leaf 20: prio 0 rate 40Kbit ceil 80Kbit > burst > > > > 1650b cburst 1701b > > > > > Sent 115721 bytes 990 pkts (dropped 0, overlimits 0) > > > > > rate 340bps 3pps > > > > > lended: 990 borrowed: 0 giants: 0 > > > > > tokens: 320599 ctokens: 165400 > > > > > > > > > > class htb 1:30 parent 1:1 leaf 30: prio 2 rate 64Kbit ceil 88Kbit > burst > > > > 1680b cburst 1711b > > > > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > > > > lended: 0 borrowed: 0 giants: 0 > > > > > tokens: 210124 ctokens: 155635 > > > > > > > > > > class htb 1:40 parent 1:1 leaf 40: prio 1 rate 184Kbit ceil 320Kbit > > > burst > > > > 1834b cburst 2008b > > > > > Sent 0 bytes 0 pkts (dropped 0, overlimits 0) > > > > > lended: 0 borrowed: 0 giants: 0 > > > > > tokens: 79781 ctokens: 50224 > > > > > > > > > > class htb 1:80 parent 1:1 leaf 80: prio 4 rate 64Kbit ceil 80Kbit > burst > > > > 1680b cburst 1701b > > > > > Sent 58744 bytes 152 pkts (dropped 0, overlimits 0) > > > > > rate 3Kbit 1pps > > > > > lended: 148 borrowed: 4 giants: 0 > > > > > tokens: 202125 ctokens: 163799 > > > > > _______________________________________________ > > > > > LARTC mailing list / LARTC@mailman.ds9a.nl > > > > > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: > http://lartc.org/ > > > > > > > > > > _______________________________________________ > > > LARTC mailing list / LARTC@mailman.ds9a.nl > > > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > > > > > _______________________________________________ > > LARTC mailing list / LARTC@mailman.ds9a.nl > > 
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > From zoop@lone.ath.cx Wed Aug 4 15:31:06 2004 From: zoop@lone.ath.cx (zoop@lone.ath.cx) Date: Wed, 04 Aug 2004 14:31:06 +0000 Subject: [LARTC] htb and fw problems Message-ID: <20040804.QGL.88116400@www.djrance.com> it looks like you might have a problem with your marking with the FW. >#-A OUTPUT -p tcp -m tcp --sport 3128 -j MARK --set-mark 0x2 >-A OUTPUT -p tcp -m tcp --dport 80 -j others >-A personal -j MARK --set-mark 40 >-A others -j MARK --set-mark 20 >From Looking at this I see the first commented link that as the mark in hex, Don't all the marks need to be written this way? 0x80 0x40 0x20 ? This is just a guess I don't really know. Ing Isianto Istiadi (isianto.istiadi@adirarental.com) wrote: > >Dear All, >I'm using the kernel 2.6.6, iproute2-2.4.7.20020116, iptables v1.2.9, and gentoo. >I have a leased-line 64 kbps. >I can see the counter works in iptables, but in the htb, it doesn't go to the right class (it always go to the default class). 
>
>Any help will be appreciated
>
>
>here's my htb conf
>#!/bin/bash
>
>tc qdisc del dev eth1 root
>
>tc qdisc add dev eth1 root handle 1: htb default 80
>tc class add dev eth1 parent 1: classid 1:1 htb rate 65kbps ceil 65kbps
>tc class add dev eth1 parent 1:1 classid 1:10 htb rate 20kbps ceil 35kbps prio 3
>tc class add dev eth1 parent 1:1 classid 1:20 htb rate 5kbps ceil 10kbps prio 0
>tc class add dev eth1 parent 1:1 classid 1:30 htb rate 8kbps ceil 11kbps prio 2
>tc class add dev eth1 parent 1:1 classid 1:40 htb rate 23kbps ceil 40kbps prio 1
>tc class add dev eth1 parent 1:1 classid 1:80 htb rate 8kbps ceil 10kbps prio 4
>
>tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
>tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
>tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
>tc qdisc add dev eth1 parent 1:40 handle 40: sfq perturb 10
>tc qdisc add dev eth1 parent 1:80 handle 80: sfq perturb 10
>
>tc filter add dev eth1 parent 1:0 protocol ip handle 10 fw flowid 1:10
>tc filter add dev eth1 parent 1:0 protocol ip handle 20 fw flowid 1:20
>tc filter add dev eth1 protocol ip parent 1:0 handle 30 fw flowid 1:30
>tc filter add dev eth1 parent 1:0 protocol ip handle 40 fw classid 1:40
>tc filter add dev eth1 protocol ip parent 1:0 handle 80 fw flowid 1:80
>
>Here's my iptables rules*mangle
>:PREROUTING ACCEPT [1061:863210]
>:INPUT ACCEPT [1022:857788]
>:FORWARD ACCEPT [0:0]
>:OUTPUT ACCEPT [947:201743]
>:POSTROUTING ACCEPT [947:201743]
>-N personal
>-N others
>-N personal1
>#-A OUTPUT -p tcp -m tcp --sport 3128 -j MARK --set-mark 0x2
>-A OUTPUT -p tcp -m tcp --sport 3128 --destination 192.168.1.145 -j personal
>#-A OUTPUT -p tcp -m tcp --dport 80 -j MARK --set-mark 20
>-A OUTPUT -p tcp -m tcp --dport 80 -j others
>-A personal -j MARK --set-mark 40
>-A others -j MARK --set-mark 20
>
>
>Here's my iptables -L -v -t mangle -x output
>Chain PREROUTING (policy ACCEPT 580535 packets, 176796832 bytes)
> pkts bytes target prot opt in out source destination
>
>Chain INPUT (policy ACCEPT 573475 packets, 174919251 bytes)
> pkts bytes target prot opt in out source destination
>
>Chain FORWARD (policy ACCEPT 5656 packets, 1810367 bytes)
> pkts bytes target prot opt in out source destination
>
>Chain OUTPUT (policy ACCEPT 598621 packets, 392036436 bytes)
> pkts bytes target prot opt in out source destination
> 11105 14785525 personal tcp -- any any anywhere 192.168.1.145 tcp spt:webcache
> 28465 2233910 others tcp -- any any anywhere anywhere tcp dpt:www
>
>Chain POSTROUTING (policy ACCEPT 604295 packets, 393851150 bytes)
> pkts bytes target prot opt in out source destination
>
>Chain others (1 references)
> pkts bytes target prot opt in out source destination
> 28465 2233910 MARK all -- any any anywhere anywhere MARK set 0x14
>
>Chain personal (1 references)
> pkts bytes target prot opt in out source destination
> 11105 14785525 MARK all -- any any anywhere anywhere MARK set 0x28
>
>Chain personal1 (0 references)
> pkts bytes target prot opt in out source destination
>
>Here's my
>
>/sbin/tc -s qdisc show dev eth1
>
>qdisc sfq 80: limit 128p quantum 1514b perturb 10sec
> Sent 386 bytes 5 pkts (dropped 0, overlimits 0)
>qdisc sfq 40: limit 128p quantum 1514b perturb 10sec
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>qdisc sfq 30: limit 128p quantum 1514b perturb 10sec
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>qdisc sfq 20: limit 128p quantum 1514b perturb 10sec
> Sent 12272 bytes 72 pkts (dropped 0, overlimits 0)
>qdisc sfq 10: limit 128p quantum 1514b perturb 10sec
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
>qdisc htb 1: r2q 10 default 80 direct_packets_stat 0
> Sent 12658 bytes 77 pkts (dropped 0, overlimits 0)
>
>
>tc -s -d filter show dev eth1
>
>filter parent 1: protocol ip pref 49151 fw
>filter parent 1: protocol ip pref 49151 fw handle 0x50 classid 1:80
>filter parent 1: protocol ip pref 49151 fw
>filter parent 1: protocol ip pref 49151 fw handle 0x28 classid 1:40
>filter parent 1: protocol ip pref 49151 fw
>filter parent 1: protocol ip pref 49151 fw handle 0x1e classid 1:30
>filter parent 1: protocol ip pref 49151 fw
>filter parent 1: protocol ip pref 49151 fw handle 0x14 classid 1:20
>filter parent 1: protocol ip pref 49152 fw
>filter parent 1: protocol ip pref 49152 fw handle 0xa classid 1:10
>
>
>tc -s class show dev eth1
>
>class htb 1:1 root rate 520Kbit ceil 520Kbit burst 2264b cburst 2264b
> Sent 174465 bytes 1142 pkts (dropped 0, overlimits 0)
> rate 712bps 5pps
> lended: 4 borrowed: 0 giants: 0
> tokens: 34107 ctokens: 34107
>
>class htb 1:10 parent 1:1 leaf 10: prio 3 rate 160Kbit ceil 280Kbit burst 1803b cburst 1957b
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> lended: 0 borrowed: 0 giants: 0
> tokens: 90199 ctokens: 55942
>
>class htb 1:20 parent 1:1 leaf 20: prio 0 rate 40Kbit ceil 80Kbit burst 1650b cburst 1701b
> Sent 115721 bytes 990 pkts (dropped 0, overlimits 0)
> rate 340bps 3pps
> lended: 990 borrowed: 0 giants: 0
> tokens: 320599 ctokens: 165400
>
>class htb 1:30 parent 1:1 leaf 30: prio 2 rate 64Kbit ceil 88Kbit burst 1680b cburst 1711b
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> lended: 0 borrowed: 0 giants: 0
> tokens: 210124 ctokens: 155635
>
>class htb 1:40 parent 1:1 leaf 40: prio 1 rate 184Kbit ceil 320Kbit burst 1834b cburst 2008b
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> lended: 0 borrowed: 0 giants: 0
> tokens: 79781 ctokens: 50224
>
>class htb 1:80 parent 1:1 leaf 80: prio 4 rate 64Kbit ceil 80Kbit burst 1680b cburst 1701b
> Sent 58744 bytes 152 pkts (dropped 0, overlimits 0)
> rate 3Kbit 1pps
> lended: 148 borrowed: 4 giants: 0
> tokens: 202125 ctokens: 163799
>_______________________________________________
>LARTC mailing list / LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

-- 
When dealing with a slow pipe, never underestimate the throughput of the postal system.
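The listing above pairs each iptables mark with a tc `fw` handle. As an added example (not code from the thread), the Python checker below parses constructed samples in the same two formats and reports marks that have no matching filter, which is the case where HTB falls back to the default class. It also works through the hex point raised in the reply: both tools print the value in hex but accept decimal or `0x`-prefixed input (the thread's own `--set-mark 40` shows up as `MARK set 0x28`), so `handle 40` and `handle 0x28` both match it while `handle 0x40` does not.

```python
"""Cross-check iptables MARK values against tc 'fw' filter handles.

Added example, not code from the thread. Both tools print the value in
hex (``MARK set 0x28`` / ``fw handle 0x28``) but accept decimal or
0x-prefixed input, so the comparison is done on integers. A mark with
no matching handle is exactly the case where HTB puts the traffic into
the default class.
"""
import re

# Constructed sample, shaped like the `iptables -L -v -t mangle -x`
# listing in the thread (only the chains that matter for marking).
IPTABLES_MANGLE = """\
Chain OUTPUT (policy ACCEPT 598621 packets, 392036436 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   11105   14785525 personal   tcp  --  any    any     anywhere             192.168.1.145        tcp spt:webcache
   28465    2233910 others     tcp  --  any    any     anywhere             anywhere             tcp dpt:www

Chain others (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   28465    2233910 MARK       all  --  any    any     anywhere             anywhere             MARK set 0x14

Chain personal (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   11105   14785525 MARK       all  --  any    any     anywhere             anywhere             MARK set 0x28
"""

# Constructed sample, shaped like `tc -s -d filter show dev eth1`.
TC_FILTERS = """\
filter parent 1: protocol ip pref 49151 fw
filter parent 1: protocol ip pref 49151 fw handle 0x50 classid 1:80
filter parent 1: protocol ip pref 49151 fw
filter parent 1: protocol ip pref 49151 fw handle 0x28 classid 1:40
filter parent 1: protocol ip pref 49151 fw
filter parent 1: protocol ip pref 49151 fw handle 0x1e classid 1:30
filter parent 1: protocol ip pref 49151 fw
filter parent 1: protocol ip pref 49151 fw handle 0x14 classid 1:20
filter parent 1: protocol ip pref 49152 fw
filter parent 1: protocol ip pref 49152 fw handle 0xa classid 1:10
"""

# Constructed counter-example: handles typed as hex 0x40 / 0x20 while
# iptables was given decimal 40 / 20, so nothing lines up.
TC_FILTERS_HEX_TYPO = """\
filter parent 1: protocol ip pref 49151 fw handle 0x40 classid 1:40
filter parent 1: protocol ip pref 49151 fw handle 0x20 classid 1:20
"""

# A MARK rule line: packet count, byte count, target MARK, ..., "MARK set <value>".
MARK_RULE_RE = re.compile(
    r"^\s*(\d+)\s+\d+\s+MARK\b.*\bMARK set (0x[0-9a-fA-F]+|\d+)", re.M)
# A fw filter that carries a handle; the bare "pref ... fw" lines have none.
FW_HANDLE_RE = re.compile(r"\bfw handle (0x[0-9a-fA-F]+|\d+) classid (\S+)")


def parse_mark(text):
    """Parse a mark/handle the way both tools do: decimal, or hex with 0x."""
    return int(text, 0)


def iptables_marks(listing):
    """Map each mark value set in the listing to the packets that hit it."""
    marks = {}
    for pkts, value in MARK_RULE_RE.findall(listing):
        mark = parse_mark(value)
        marks[mark] = marks.get(mark, 0) + int(pkts)
    return marks


def fw_handles(listing):
    """Map each fw filter handle in the listing to the classid it selects."""
    return {parse_mark(h): cls for h, cls in FW_HANDLE_RE.findall(listing)}


def cross_check(iptables_listing, tc_listing):
    """Return (matched {mark: classid}, marks without filter, handles without mark)."""
    marks = iptables_marks(iptables_listing)
    handles = fw_handles(tc_listing)
    matched = {m: handles[m] for m in sorted(marks) if m in handles}
    unmatched_marks = sorted(m for m in marks if m not in handles)
    unused_handles = sorted(h for h in handles if h not in marks)
    return matched, unmatched_marks, unused_handles


def report(iptables_listing, tc_listing):
    """Human-readable summary; every value is shown in both notations."""
    matched, unmatched, unused = cross_check(iptables_listing, tc_listing)
    lines = [f"mark {m:#x} ({m}) -> class {cls}" for m, cls in matched.items()]
    lines += [f"mark {m:#x} ({m}) has NO fw filter: traffic lands in the default class"
              for m in unmatched]
    lines += [f"fw handle {h:#x} ({h}) is never set by iptables" for h in unused]
    return lines


if __name__ == "__main__":
    print("\n".join(report(IPTABLES_MANGLE, TC_FILTERS)))
    print("--- with hex-typed handles ---")
    print("\n".join(report(IPTABLES_MANGLE, TC_FILTERS_HEX_TYPO)))
```

On a live box the two listings would come from the real commands; a mark reported without a filter explains "always goes to the default class" before any class rates are tuned.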
From isianto.istiadi@adirarental.com Wed Aug 4 15:44:21 2004
From: isianto.istiadi@adirarental.com (Ing Isianto Istiadi)
Date: Wed, 4 Aug 2004 21:44:21 +0700
Subject: [LARTC] htb and fw problems
In-Reply-To: <20040804.QGL.88116400@www.djrance.com>
References: <20040804.QGL.88116400@www.djrance.com>
Message-ID: <20040804214421.0a92da9b.isianto.istiadi@adirarental.com>

On Wed, 04 Aug 2004 14:31:06 +0000
zoop@lone.ath.cx wrote:

> it looks like you might have a problem with your marking with the FW.

That's what I thought, but I can't troubleshoot any other way. I tried both ways, 0x80 and 80, to the same effect.
The strange problem is that if I omit the source IP part, so

iptables -A OUTPUT -p tcp -t mangle --dport www -j MARK --set-mark 40

it works. I'm out of my head ^_^

> From looking at this I see the first commented line has the mark in hex. Don't
> all the marks need to be written this way? 0x80 0x40 0x20 ?
>
> This is just a guess, I don't really know.
>
>
> Ing Isianto Istiadi (isianto.istiadi@adirarental.com) wrote:
> >
> >Dear All,
> >I'm using the kernel 2.6.6, iproute2-2.4.7.20020116, iptables v1.2.9, and gentoo.
> >I have a leased-line 64 kbps.
> >I can see the counter works in iptables, but in the htb, it doesn't go to the right
> class (it always goes to the default class).
>
> --
> When dealing with a slow pipe, never underestimate the throughput of the postal system.
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From etienne@unix.za.org Wed Aug 4 16:35:07 2004
From: etienne@unix.za.org (Etienne Ledoux)
Date: Wed, 4 Aug 2004 17:35:07 +0200
Subject: [LARTC] should I shape tun[N] or eth0 ?
Message-ID: <200408041735.07132.etienne@unix.za.org>

Greetings, me again. I'm starting to feel miffed now.

If I have a few VPN tunnels with different tun interfaces, and all this tunnel traffic is coming in on my eth0 interface and also leaves via eth0 again, I would like to share the available bandwidth evenly between the tunnel clients.

Would applying the bandwidth rule on eth0 with htb & sfq work for sharing the bandwidth, or will bandwidth rules only affect tunnel traffic if I apply them to the actual tun[n] interfaces?

From etienne@unix.za.org Wed Aug 4 16:18:01 2004
From: etienne@unix.za.org (Etienne Ledoux)
Date: Wed, 4 Aug 2004 17:18:01 +0200
Subject: [LARTC] iptables mark + openvpn will the mark survive ?
Message-ID: <200408041718.01844.etienne@unix.za.org>

Greetings,

I want to set up bandwidth restrictions for a few clients that use openvpn to connect to my server. I'm using iptables to mark the packets in the mangle table (PRE/POSTROUTING) on eth0 before they get sent via the tunnel.

Will the mark survive even if the packets then get routed via an openvpn tunnel (tunX) out of the box, or does openvpn change it, removing the mark?

damnit, just as I think I'm starting to understand this stuff, I get confused all over.

tx.
e.
From stlally@cs.tcd.ie Wed Aug 4 19:05:59 2004
From: stlally@cs.tcd.ie (Stephen Lally)
Date: Wed, 04 Aug 2004 19:05:59 +0100
Subject: [LARTC] simulating RED using tcsim question
Message-ID: <41112587.8010709@cs.tcd.ie>

I'm trying to set up a bottleneck scenario so I can see the effects of the RED qdisc on a congested interface. My example simulation code is at the bottom of this email if someone wants to see it.

The following is a snippet from TCSIM's output.

0.602000 E : 0x80bc080 40 : inputB_eth0: 45000028 00000000 40060000 ...
0.602000 D : 0x80bc080 40 : inputB_eth0: 45000028 00000000 40060000 ...
0.602003 E : 0x80bbfd8 40 : router_eth2: 45000028 00000000 40060000 ...
0.602003 * : 0x80bbfd8 40 : router_eth2: enqueue returns CN (2)
0.602003 E : 0x80bc080 40 : router_eth2: 45000028 00000000 40060000 ...
0.602003 * : 0x80bc080 40 : router_eth2: enqueue returns CN (2)
0.604000 E : 0x80bbfd8 40 : inputA_eth0: 45000028 00000000 40060000 .

As I hoped, packets seem to get dropped, as marked by '*', when the interface gets congested.

On closer inspection (with -v) tcsim output is:

0.182000 D : 0x80bc0a0 40 : inputB_eth0: 45000028 00000000 40060000 ...
0.182003 E : 0x80bbff8 40 : router_eth2: 45000028 00000000 40060000 ...
0.182003 e : 0x80bbff8 40 : <1> red (2:0) returns CN (2)
0.182003 e : 0x80bbff8 40 : <0> dsmark (1:0) returns CN (2)
0.182003 * : 0x80bbff8 40 : router_eth2: enqueue returns CN (2)
0.182003 E : 0x80bc0a0 40 : router_eth2: 45000028 00000000 40060000 ...
0.182003 e : 0x80bc0a0 40 : <1> red (2:0) returns CN (2)
0.182003 e : 0x80bc0a0 40 : <0> dsmark (1:0) returns CN (2)
0.182003 * : 0x80bc0a0 40 : router_eth2: enqueue returns CN (2)
0.184000 E : 0x80bbff8 40 : inputA_eth0: 45000028 00000000 40060000 ...

I was expecting the '*' to now print as 'x' to indicate a dropped packet rather than some error occurring!

The network setup looks something like this

|inputA_eth0|--100 Mbs------]
                            ]----|router_eth2|---10 Bs------|output_eth1|
|inputB_eth0|--100 Mbs------]

RED is added to router_eth2; router_eth2 is set as a 10 Bs interface to force some congestion.

Anyone know what's going on? What does "router_eth2: enqueue returns CN (2)" mean?

Any help is much appreciated.

Stephen.

bottleneck.tcsim
-----------------

//inputA to router
host {
    dev inputA_eth0 100 Mbps
}

//inputB to router
host {
    dev inputB_eth0 100 Mbps
}

//the router
host {
    dev router_eth0 100 Mbps
    dev router_eth1 100 Mbps
    dev router_eth2 10 //the bottleneck
    {
        egress {
            red( min 150 B, max 450 B, burst 200 B, limit 600 B, bandwidth 100 bps, probability 0.4, avpkt 80 B );
        }
    }
    route 10.0.0.0 netmask 255.0.0.0 router_eth2
}

//output destination from router
host {
    dev output_eth0 10 Mbps
    dev output_eth1 100 Mbps
    route 10.0.0.2 netmask 255.0.0.0 output_eth1
}

connect inputA_eth0 router_eth0
connect inputB_eth0 router_eth1
connect router_eth2 output_eth0

every 0.002s until 5s send inputA_eth0 TCP_PCK($tcp_sport = PORT_HTTP);
every 0.002s until 5s send inputB_eth0 TCP_PCK($tcp_sport = PORT_SSH);

time 6s
end

From mjoachimiak@poczta.onet.pl Thu Aug 5 00:40:48 2004
From: mjoachimiak@poczta.onet.pl (mjoachimiak@poczta.onet.pl)
Date: Thu, 5 Aug 2004 01:40:48 +0200
Subject: [LARTC] htb and fw problems
References: <20040804160059.6fe9a596.isianto.istiadi@adirarental.com>
Message-ID: <002901c47a7c$7c364000$0802a8c0@monster>

>>I can see the counter works in iptables, but in the htb, it doesn't go to the right class

Please write what commands you use to see "the counter" and what counter you mean. I think the counter for IP packets, isn't it?
You can try to see my problem in the LARTC archive: "HTB 3.13 please help".
In my opinion you have badly configured packet marking. See my configuration of packet marking.
I included it with archive posts in "HTB 3.13 please help"
-------------------------------------------------------------------------------------------------
> Dear All,
> I'm using the kernel 2.6.6, iproute2-2.4.7.20020116, iptables v1.2.9, and gentoo.
> I have a leased-line 64 kbps.
> I can see the counter works in iptables, but in the htb, it doesn't go to the right class (it always goes to the default class).
>
> Any help will be appreciated
>
>
> here's my htb conf
> #!/bin/bash
>
> tc qdisc del dev eth1 root
>
> tc qdisc add dev eth1 root handle 1: htb default 80
> tc class add dev eth1 parent 1: classid 1:1 htb rate 65kbps ceil 65kbps
> tc class add dev eth1 parent 1:1 classid 1:10 htb rate 20kbps ceil 35kbps prio 3
> tc class add dev eth1 parent 1:1 classid 1:20 htb rate 5kbps ceil 10kbps prio 0
> tc class add dev eth1 parent 1:1 classid 1:30 htb rate 8kbps ceil 11kbps prio 2
> tc class add dev eth1 parent 1:1 classid 1:40 htb rate 23kbps ceil 40kbps prio 1
> tc class add dev eth1 parent 1:1 classid 1:80 htb rate 8kbps ceil 10kbps prio 4
>
> tc qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
> tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
> tc qdisc add dev eth1 parent 1:40 handle 40: sfq perturb 10
> tc qdisc add dev eth1 parent 1:80 handle 80: sfq perturb 10
>
> tc filter add dev eth1 parent 1:0 protocol ip handle 10 fw flowid 1:10
> tc filter add dev eth1 parent 1:0 protocol ip handle 20 fw flowid 1:20
> tc filter add dev eth1 protocol ip parent 1:0 handle 30 fw flowid 1:30
> tc filter add dev eth1 parent 1:0 protocol ip handle 40 fw classid 1:40
> tc filter add dev eth1 protocol ip parent 1:0 handle 80 fw flowid 1:80
>
> Here's my iptables rules*mangle
> :PREROUTING ACCEPT [1061:863210]
> :INPUT ACCEPT [1022:857788]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [947:201743]
> :POSTROUTING ACCEPT [947:201743]
> -N personal
> -N others
> -N personal1
> #-A OUTPUT -p tcp -m tcp --sport 3128 -j MARK --set-mark 0x2
> -A OUTPUT -p tcp -m tcp --sport 3128 --destination 192.168.1.145 -j personal
> #-A OUTPUT -p tcp -m tcp --dport 80 -j MARK --set-mark 20
> -A OUTPUT -p tcp -m tcp --dport 80 -j others
> -A personal -j MARK --set-mark 40
> -A others -j MARK --set-mark 20
>
>
> Here's my iptables -L -v -t mangle -x output
> Chain PREROUTING (policy ACCEPT 580535 packets, 176796832 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain INPUT (policy ACCEPT 573475 packets, 174919251 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 5656 packets, 1810367 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 598621 packets, 392036436 bytes)
> pkts bytes target prot opt in out source destination
> 11105 14785525 personal tcp -- any any anywhere 192.168.1.145 tcp spt:webcache
> 28465 2233910 others tcp -- any any anywhere anywhere tcp dpt:www
>
> Chain POSTROUTING (policy ACCEPT 604295 packets, 393851150 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain others (1 references)
> pkts bytes target prot opt in out source destination
> 28465 2233910 MARK all -- any any anywhere anywhere MARK set 0x14
>
> Chain personal (1 references)
> pkts bytes target prot opt in out source destination
> 11105 14785525 MARK all -- any any anywhere anywhere MARK set 0x28
>
> Chain personal1 (0 references)
> pkts bytes target prot opt in out source destination
>
> Here's my
>
> /sbin/tc -s qdisc show dev eth1
>
> qdisc sfq 80: limit 128p quantum 1514b perturb 10sec
> Sent 386 bytes 5 pkts (dropped 0, overlimits 0)
> qdisc sfq 40: limit 128p quantum 1514b perturb 10sec
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> qdisc sfq 30: limit 128p quantum 1514b perturb 10sec
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> qdisc sfq 20: limit 128p quantum 1514b perturb 10sec
> Sent 12272 bytes 72 pkts (dropped 0, overlimits 0)
> qdisc sfq 10: limit 128p quantum 1514b perturb 10sec
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> qdisc htb 1: r2q 10 default 80 direct_packets_stat 0
> Sent 12658 bytes 77 pkts (dropped 0, overlimits 0)
>
>
> tc -s -d filter show dev eth1
>
> filter parent 1: protocol ip pref 49151 fw
> filter parent 1: protocol ip pref 49151 fw handle 0x50 classid 1:80
> filter parent 1: protocol ip pref 49151 fw
> filter parent 1: protocol ip pref 49151 fw handle 0x28 classid 1:40
> filter parent 1: protocol ip pref 49151 fw
> filter parent 1: protocol ip pref 49151 fw handle 0x1e classid 1:30
> filter parent 1: protocol ip pref 49151 fw
> filter parent 1: protocol ip pref 49151 fw handle 0x14 classid 1:20
> filter parent 1: protocol ip pref 49152 fw
> filter parent 1: protocol ip pref 49152 fw handle 0xa classid 1:10
>
>
> tc -s class show dev eth1
>
> class htb 1:1 root rate 520Kbit ceil 520Kbit burst 2264b cburst 2264b
> Sent 174465 bytes 1142 pkts (dropped 0, overlimits 0)
> rate 712bps 5pps
> lended: 4 borrowed: 0 giants: 0
> tokens: 34107 ctokens: 34107
>
> class htb 1:10 parent 1:1 leaf 10: prio 3 rate 160Kbit ceil 280Kbit burst 1803b cburst 1957b
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> lended: 0 borrowed: 0 giants: 0
> tokens: 90199 ctokens: 55942
>
> class htb 1:20 parent 1:1 leaf 20: prio 0 rate 40Kbit ceil 80Kbit burst 1650b cburst 1701b
> Sent 115721 bytes 990 pkts (dropped 0, overlimits 0)
> rate 340bps 3pps
> lended: 990 borrowed: 0 giants: 0
> tokens: 320599 ctokens: 165400
>
> class htb 1:30 parent 1:1 leaf 30: prio 2 rate 64Kbit ceil 88Kbit burst 1680b cburst 1711b
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> lended: 0 borrowed: 0 giants: 0
> tokens: 210124 ctokens: 155635
>
> class htb 1:40 parent 1:1 leaf 40: prio 1 rate 184Kbit ceil 320Kbit burst 1834b cburst 2008b
> Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
> lended: 0 borrowed: 0 giants: 0
> tokens: 79781 ctokens: 50224
>
> class htb 1:80 parent 1:1 leaf 80: prio 4 rate 64Kbit ceil 80Kbit burst 1680b cburst
1701b
> Sent 58744 bytes 152 pkts (dropped 0, overlimits 0)
> rate 3Kbit 1pps
> lended: 148 borrowed: 4 giants: 0
> tokens: 202125 ctokens: 163799
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
From mjoachimiak@poczta.onet.pl Thu Aug 5 00:50:20 2004 From: mjoachimiak@poczta.onet.pl (mjoachimiak@poczta.onet.pl) Date: Thu, 5 Aug 2004 01:50:20 +0200 Subject: [LARTC] Urgen Help:Kernel crashed in HTB. References: <20040802015038.475D7400B@outpost.ds9a.nl> Message-ID: <004e01c47a7d$d0e6bde0$0802a8c0@monster>
> Hi, All
> I patched htb3.6 to mips linux 2.4.17. But when I run htb, the mips linux box will say:
> "Unhandled kernel unaligned access in unaligned.c:emulate_load_store_insn, line 346". Then the kernel crashed.
> Would anyone like to tell me how to solve this problem? Thank you very much!
Upgrade your kernel to 2.4.20 at least. I'm suggesting 2.4.26.
From mjoachimiak@poczta.onet.pl Thu Aug 5 00:45:58 2004 From: mjoachimiak@poczta.onet.pl (mjoachimiak@poczta.onet.pl) Date: Thu, 5 Aug 2004 01:45:58 +0200 Subject: [LARTC] tcng + NAT References: <002101c478aa$0e585560$0802a8c0@monster> <1091465772.3740.4.camel@drs0> Message-ID: <004201c47a7d$319c8b20$0802a8c0@monster>
class ( <$adsl_medium> ) if meta_nfmark == 0x30;
It works great. Thanks for help :D.
> Hello,
>
> you can try:
>
> .
> .
> .
> // ip header type of service
> class ( <$adsl_high> ) if ip_tos == 0x80;
> // metadata packet mark
> class ( <$adsl_medium> ) if meta_nfmark == 0x30;
> .
> .
> .
> Cheers
>
> Charles
>
> On Mon, 2004-08-02 at 18:02, mjoachimiak@poczta.onet.pl wrote:
> > Does anybody know how do you use tcng with packet marking. I'm
> > masquerading my connection so to shape outbound traffic I need to mark
> > packets with iptables. But how do you make tcng recognize marked
> > packets?
> >
> > Thanks for your help.
> > _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
From isianto.istiadi@adirarental.com Thu Aug 5 03:27:25 2004 From: isianto.istiadi@adirarental.com (Ing Isianto Istiadi) Date: Thu, 5 Aug 2004 09:27:25 +0700 Subject: [LARTC] htb and fw problems In-Reply-To: <002901c47a7c$7c364000$0802a8c0@monster> References: <20040804160059.6fe9a596.isianto.istiadi@adirarental.com> <002901c47a7c$7c364000$0802a8c0@monster> Message-ID: <20040805092725.7c903b4c.isianto.istiadi@adirarental.com>
On Thu, 5 Aug 2004 01:40:48 +0200
> Please write what commands do you use to see "the counter" and what counter
> do you mean? I think counter for ip packets isn't it?
I'm using iptables -L -v -x -t mangle and look for my rule. My assumption is that if the counter is counting up in the iptables rules, then the iptables rule catches the packet, and it should mark the caught packet with whatever marking I put. Is it correct (my assumption)?
I've read your archive before, I asked but I can't find any solutions since (in my case I really want to limit per ip for web only).
Thanks
From smohan@vsnl.com Thu Aug 5 04:25:24 2004 From: smohan@vsnl.com (S Mohan) Date: Thu, 5 Aug 2004 08:55:24 +0530 Subject: [LARTC] should I shape tun[N] or eth0 ? In-Reply-To: <200408041735.07132.etienne@unix.za.org> Message-ID: <20040805032857.CB99744DB@outpost.ds9a.nl>
AFAIK, tc will work on real and not virtual interfaces.
Warm regards
Mohan
> -----Original Message-----
> From: lartc-admin@mailman.ds9a.nl
> [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Etienne Ledoux
> Sent: Wednesday, August 04, 2004 9:05 PM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] should I shape tun[N] or eth0 ?
>
> Greetings,
>
> me again. I'm starting to feel miffed now.
>
> If I have a few vpn tunnels with different tun interfaces.
> And all this tunnel traffic is coming in on my eth0
> interface, it also leaves via eth0 again. I would like to
> share the available bandwidth evenly with tunnel clients.
> Would applying the bandwidth rule on eth0 with htb & sfq work
> for sharing the bandwidth or will bandwidth rules only affect
> tunnel traffic if I apply it to the actual tun[n] interfaces ?
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
From Glen.Mabey@usu.edu Thu Aug 5 04:07:08 2004 From: Glen.Mabey@usu.edu (Glen Mabey) Date: Wed, 4 Aug 2004 21:07:08 -0600 Subject: [LARTC] network scripts debian In-Reply-To: <41100636.5050207@advocap.org> References: <41100636.5050207@advocap.org> Message-ID: <20040805030708.GA5464@mabeys.dsl.aros.net>
On Tue, Aug 03, 2004 at 04:40:06PM -0500, John McMonagle wrote:
> Working at setting up some new firewalls with multi-path routing over 2
> isps. Doing it with debian sarge.
>
> Problem is the normal network scripts use ifconfig and route.
>
> In my tests I did a simple setup script.
>
> Feel like I am reinventing the wheel :-)
>
> Is it OK to use the network scripts to setup the interface and then
> remove the routes ifconfig created and add any needed routes with ip
> commands?
>
> Or am I best setting up the connections from scratch?
After struggling with exactly this same issue myself, I simply created everything from scratch. Otherwise, I couldn't ever get it to work.
> Also related is some of the interfaces are dynamic.
> I can rewrite dhclient-script or just rebuild routes in
> dhclient-exit-hooks.d.
>
> Also dhcpd-script gives
> new_subnet_mask=.........
> new_ip_address=....
> new_network_number=......
> interface=eth2
>
> But for ip route need the length part of new_network_number/length
>
> Is there a simple way to calculate length from new_subnet_mask ?
dunno about that one.
Glen
-- ****************************************************************** Glen W. Mabey Glen.Mabey@usu.edu http://mabeys.homelinux.com/glen/ ******************************************************************
From J.Kraaijeveld@Askesis.nl Thu Aug 5 08:53:43 2004 From: J.Kraaijeveld@Askesis.nl (Joost Kraaijeveld) Date: Thu, 5 Aug 2004 09:53:43 +0200 Subject: [LARTC] TC-ng questions/problems Message-ID:
Hi all,
We have 2 class C networks that are connected by a Linux router with the internet. We want to apply traffic control (bandwidth control). For that we wrote the tcc script below. We have 2 problems:
1. To establish a 2 megabit download we must actually set the value to 2500kbps. Is there a possible reason for that?
2. If we enable the WAN device we get very high ping times (they change from 21.1 ms to > 2000 ms) and erratic upload values that partly suffer from the problem above (we want to allow for an upload of 512kb and have to specify an upload of 712 to get that) but most of the time we have a far worse actual upload. Anyone any ideas?
We use Debian 2.6.3-1-386 (Sarge) with tcng 9m.
Any help is greatly appreciated.
Regards,
Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14 6524NB Nijmegen tel: 024-3888063 / 06-51855277 fax: 024-3608416 e-mail: J.Kraaijeveld@Askesis.nl web: www.askesis.nl
///////////////////////////////////////////////////////////////////////////
#include "fields.tc"
#include "ports.tc"

#define WAN eth0
#define LAN83 eth1
#define LAN84 eth2

/* The WAN section is about upload to the internet */
dev WAN
{
    egress
    {
        class ( <$uploadRouter> ) if ip_src == 192.168.83.1 || ip_src == 192.168.84.1;
        class ( <$uploadGKS> ) if ip_src == 192.168.83.22 ;
        class ( <$upload83> ) if ip_src:24 == 192.168.83.0 ;
        class ( <$upload84> ) if ip_src:24 == 192.168.84.0 ;
        class ( <$others> ) if 1 ;

        htb ()
        {
            class ( rate 18Mbps, ceil 18Mbps )
            {
                $uploadRouter = class ( rate 18Mbps, ceil 18Mbps );
                $uploadGKS = class ( rate 10Mbps, ceil 10Mbps ) ;
                $upload83 = class ( rate 5Mbps, ceil 5Mbps ) ;
                $upload84 = class ( rate 712kbps, ceil 712kbps ) ;
                $others = class ( rate 18Mbps , ceil 18Mbps ) ;
            }
        }
    }
}

/* This section is about downloading to the 83 network */
dev LAN83
{
    egress
    {
        class ( <$downloadRouter> ) if ip_dst == 192.168.83.1;
        class ( <$downloadGKS> ) if ip_dst == 192.168.83.22;
        class ( <$download> ) if ip_dst:24 == 192.168.83.0;
        class ( <$others> ) if 1 ;

        htb ()
        {
            class ( rate 18Mbps, ceil 18Mbps )
            {
                $downloadRouter = class ( rate 18Mbps, ceil 18Mbps ) ;
                $downloadGKS = class ( rate 10Mbps, ceil 10Mbps ) ;
                $download = class ( rate 5Mbps, ceil 5Mbps ) ;
                $others = class ( rate 18Mbps, ceil 18Mbps ) ;
            }
        }
    }
}

/* This section is about downloading to the 84 network */
dev LAN84
{
    egress
    {
        class ( <$download> ) if ip_dst:24 == 192.168.84.0;
        class ( <$others> ) if 1 ;

        htb ()
        {
            class ( rate 18Mbps, ceil 18Mbps )
            {
                $download = class ( rate 2500kbps, ceil 2500kbps ) ;
                $others = class ( rate 18Mbps, ceil 18Mbps ) ;
            }
        }
    }
}
From J.Kraaijeveld@Askesis.nl Thu Aug 5 09:26:45 2004 From: J.Kraaijeveld@Askesis.nl (Joost Kraaijeveld) Date: Thu, 5 Aug 2004 10:26:45 +0200 Subject:
[LARTC] TC-ng questions/problems Message-ID:
Hi Charles,
Thanks for the answer. I have also been bitten by the byte/bit bug in the past but in this case it must be something different. All my values are in the correct amount of bits.
The most important problem is actually problem 2: why does the tc toward internet (dev WAN) do what it does?
Regards,
Joost Kraaijeveld
Askesis B.V. Molukkenstraat 14 6524NB Nijmegen tel: 024-3888063 / 06-51855277 fax: 024-3608416 e-mail: J.Kraaijeveld@Askesis.nl web: www.askesis.nl
From lartc@manchotnetworks.net Thu Aug 5 09:12:51 2004 From: lartc@manchotnetworks.net (lartc@manchotnetworks.net) Date: Thu, 05 Aug 2004 10:12:51 +0200 Subject: [LARTC] TC-ng questions/problems In-Reply-To: References: Message-ID: <1091693571.7080.3.camel@drs0>
Hi Joost,
I think that maybe you have run across an issue that I too had trouble with. A snip from a message from Martin BROWN explains:
> You have not actually found a bug, but rather a historical strangeness
> about the Linux traffic control system. For reasons of which I'm
> ignorant, the syntax for the "tc" command uses bps for bytes/second. So,
> 64000 bytes/second is actually 512 kilobits/second ("512 kbps" in common
> usage), but is 512 kbit to the "tc" tool. Here's a brief chart:
>
>                    tc syntax        tcng syntax
>                   +----------------+----------------+
> bytes/second      | bps            | Bps            |
> bits/second       | bit            | bps            |
> kilobytes/second  | kbps           | kBps           |
> kilobits/second   | kbit           | kbps           |
>                   +----------------+----------------+
>
> Note that the tcng syntax is exactly the same sort of syntax we use in
> general when discussing speed of WAN links. "It's a 512 kbps line" means
> it's 512 kilobits per second, but this would be 64000 bytes per second if
> we were writing a "tc" command line.
Hope this helps!
Cheers
Charles
On Thu, 2004-08-05 at 09:53, Joost Kraaijeveld wrote:
> Hi all,
>
> We have 2 class C networks that are connected by a Linux router with the internet.
> We want to apply traffic control (bandwidth control). For that we wrote the tcc script below. We have 2 problems:
>
> 1. To establish a 2 megabit download we must actually set the value to 2500kbps. Is there a possible reason for that?
> 2. If we enable the WAN device we get very high ping times (they change from 21.1 ms to > 2000 ms) and erratic upload values that partly suffer from the problem above (we want to allow for an upload of 512kb and have to specify an upload of 712 to get that) but most of the time we have a far worse actual upload. Anyone any ideas?
>
> We use Debian 2.6.3-1-386 (Sarge) with tcng 9m.
>
> Any help is greatly appreciated.
>
> Regards,
>
> Joost Kraaijeveld
> Askesis B.V.
> Molukkenstraat 14
> 6524NB Nijmegen
> tel: 024-3888063 / 06-51855277
> fax: 024-3608416
> e-mail: J.Kraaijeveld@Askesis.nl
> web: www.askesis.nl
>
> ///////////////////////////////////////////////////////////////////////////
> #include "fields.tc"
> #include "ports.tc"
>
> #define WAN eth0
> #define LAN83 eth1
> #define LAN84 eth2
>
> /* The WAN section is about upload to the internet */
>
> dev WAN
> {
>     egress
>     {
>         class ( <$uploadRouter> ) if ip_src == 192.168.83.1 || ip_src == 192.168.84.1;
>         class ( <$uploadGKS> ) if ip_src == 192.168.83.22 ;
>         class ( <$upload83> ) if ip_src:24 == 192.168.83.0 ;
>         class ( <$upload84> ) if ip_src:24 == 192.168.84.0 ;
>         class ( <$others> ) if 1 ;
>
>         htb ()
>         {
>             class ( rate 18Mbps, ceil 18Mbps )
>             {
>                 $uploadRouter = class ( rate 18Mbps, ceil 18Mbps );
>                 $uploadGKS = class ( rate 10Mbps, ceil 10Mbps ) ;
>                 $upload83 = class ( rate 5Mbps, ceil 5Mbps ) ;
>                 $upload84 = class ( rate 712kbps, ceil 712kbps ) ;
>                 $others = class ( rate 18Mbps , ceil 18Mbps ) ;
>             }
>         }
>     }
> }
>
> /* This section is about downloading to the 83 network */
>
> dev LAN83
> {
>     egress
>     {
>         class ( <$downloadRouter> ) if ip_dst == 192.168.83.1;
>         class ( <$downloadGKS> ) if ip_dst == 192.168.83.22;
>         class ( <$download> ) if ip_dst:24 == 192.168.83.0;
>         class ( <$others> ) if 1 ;
>
>         htb ()
>         {
>             class ( rate 18Mbps, ceil 18Mbps )
>             {
>                 $downloadRouter = class ( rate 18Mbps, ceil 18Mbps ) ;
>                 $downloadGKS = class ( rate 10Mbps, ceil 10Mbps ) ;
>                 $download = class ( rate 5Mbps, ceil 5Mbps ) ;
>                 $others = class ( rate 18Mbps, ceil 18Mbps ) ;
>             }
>         }
>     }
> }
>
> /* This section is about downloading to the 84 network */
>
> dev LAN84
> {
>     egress
>     {
>         class ( <$download> ) if ip_dst:24 == 192.168.84.0;
>         class ( <$others> ) if 1 ;
>         htb ()
>         {
>             class ( rate 18Mbps, ceil 18Mbps )
>             {
>                 $download = class ( rate 2500kbps, ceil 2500kbps ) ;
>                 $others = class ( rate 18Mbps, ceil 18Mbps ) ;
>             }
>         }
>     }
> }
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
From lartc@draxinusom.ch Thu Aug 5 10:40:28 2004 From: lartc@draxinusom.ch (Rene Gallati) Date: Thu, 05 Aug 2004 11:40:28 +0200 Subject: [LARTC] iptables mark + openvpn will the mark survive ? In-Reply-To: <200408041718.01844.etienne@unix.za.org> References: <200408041718.01844.etienne@unix.za.org> Message-ID: <4112008C.3040508@draxinusom.ch>
Hello,
> I want to setup bandwidth restrictions for a few clients that use openvpn to
> connect to my server. I'm using iptables to mark the packets in the mangle
> table (PRE/POSTROUTING) on eth0 before they get sent via the tunnel. Will the
> mark survive even if the packets then get routed via an openvpn tunnel (tunX)
> out the box or does openvpn change it removing the mark ?
openVPN is just a userspace process that - depending on configuration - doesn't even need root access to run (provided the device nodes are set up accordingly).
Depending on what you do, the mark should survive (never tested this), or not.
If you are just forwarding to a tun/tap, the mark should survive like usual.
There is no difference between a tun/tap device and another ethernet device with regard to this point.
However, once a packet reaches the tun/tap, it gets transferred to openVPN which encrypts it and sends it out using udp (or tcp, depending on configuration) of a real interface. These outgoing packets are not having the mark on them, primarily because they are completely different packets that were generated by openVPN and not really directly related to what went into the tun/tap device. I suspect that is however what you'd like to achieve. Note that openVPN does have its own shaping directive (--shaper n) which may help you in this case.
--
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
From lartc@draxinusom.ch Thu Aug 5 10:51:21 2004 From: lartc@draxinusom.ch (Rene Gallati) Date: Thu, 05 Aug 2004 11:51:21 +0200 Subject: [LARTC] should I shape tun[N] or eth0 ? In-Reply-To: <200408041735.07132.etienne@unix.za.org> References: <200408041735.07132.etienne@unix.za.org> Message-ID: <41120319.9070906@draxinusom.ch>
Hello,
> If I have a few vpn tunnels with different tun interfaces. And all this tunnel
> traffic is coming in on my eth0 interface, it also leaves via eth0 again. I
> would like to share the available bandwidth evenly with tunnel clients. Would
> applying the bandwidth rule on eth0 with htb & sfq work for sharing the
> bandwidth or will bandwidth rules only affect tunnel traffic if I apply it to
> the actual tun[n] interfaces ?
I'm not sure if it works on tun devices, but on taps it should work since those actually look like normal ethernet devices. However if you shape on the virtual interfaces you only shape the incoming traffic (ie traffic going out a tun/tap is decrypted VPN traffic that is coming *in*). So if you want to manage outgoing traffic, shape on eth0.
Since openVPN per default requires a single port for each VPN, you can easily mark and classify the outgoing traffic with tc. For example:
VPN1 udp 5000 <----> udp 5000
VPN2 udp 5001 <----> udp 5001
...
tc filter add dev eth0 parent 1:0 prio 10 u32 match ip protocol 17 0xff match ip sport 5000 0xffff match ip dport 5000 0xffff flowid 1:2
tc filter add dev eth0 parent 1:0 prio 10 u32 match ip protocol 17 0xff match ip sport 5001 0xffff match ip dport 5001 0xffff flowid 1:2
etc. to put all VPN traffic into class 1:2
Note that I didn't test this, so there might be an error in the lines above but the outlined way should work.
--
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
From rio@martin.mu Thu Aug 5 10:54:04 2004 From: rio@martin.mu (Rio Martin.) Date: Thu, 5 Aug 2004 16:54:04 +0700 Subject: [LARTC] should I shape tun[N] or eth0 ? In-Reply-To: <41120319.9070906@draxinusom.ch> References: <200408041735.07132.etienne@unix.za.org> <41120319.9070906@draxinusom.ch> Message-ID: <200408051654.04858.rio@martin.mu>
On 05 August 2004 pm 16:51, Rene Gallati wrote:
> Hello,
> > If I have a few vpn tunnels with different tun interfaces. And all this
> > tunnel traffic is coming in on my eth0 interface, it also leaves via eth0
> > again. I would like to share the available bandwidth evenly with tunnel
> > clients. Would applying the bandwidth rule on eth0 with htb & sfq work
> > for sharing the bandwidth or will bandwidth rules only affect tunnel
> > traffic if I apply it to the actual tun[n] interfaces ?
> For example:
> VPN1 udp 5000 <----> udp 5000
> VPN2 udp 5001 <----> udp 5001
> tc filter add dev eth0 parent 1:0 prio 10 u32 match ip protocol 17 0xff match ip sport 5000 0xffff match ip dport 5000 0xffff flowid 1:2
> tc filter add dev eth0 parent 1:0 prio 10 u32 match ip protocol 17 0xff match ip sport 5001 0xffff match ip dport 5001 0xffff flowid 1:2
> etc.
> to put all VPN traffic into class 1:2
> Note that I didn't test this, so there might be an error in the lines
> above but the outlined way should work.
On device tun, tc worked perfectly, just as you do with a real interface eth0..n. Tested under a 256Kbps link using Slackware-9.1 and Slackware-10 as distro. Also tested and worked perfectly with IMQ. So cheer up .. :))
Regards,
Rio Martin.
From lartc@manchotnetworks.net Thu Aug 5 10:59:20 2004 From: lartc@manchotnetworks.net (lartc@manchotnetworks.net) Date: Thu, 05 Aug 2004 11:59:20 +0200 Subject: [LARTC] TC-ng questions/problems In-Reply-To: References: Message-ID: <1091699959.13878.4.camel@drs0>
Hi Joost,
OK -- on the units of measure -- you may want to double check that your upstream provider is 2.000.000 bits/s and not 2 * 1024^1024.
I think that your r2q is probably off -- please see: http://www.docum.org/stef.coene/qos/faq/cache/31.html
Check your system log as well -- you may see an indication of the problem.
You can try
#define MYR2Q 20
and then in your htb declaration try
htb ( r2q MYR2Q )
Also consider specifying a burst of 6kB and try some other values.
Cheers
Charles
On Thu, 2004-08-05 at 10:26, Joost Kraaijeveld wrote:
> Hi Charles,
>
> Thanks for the answer. I have also been bitten by the byte/bit bug in the past but in this case it must be something different. All my values are in the correct amount of bits.
>
> The most important problem is actually problem 2: why does the tc toward internet (dev WAN) do what it does?
>
> Regards,
>
> Joost Kraaijeveld
> Askesis B.V.
> Molukkenstraat 14
> 6524NB Nijmegen
> tel: 024-3888063 / 06-51855277
> fax: 024-3608416
> e-mail: J.Kraaijeveld@Askesis.nl
> web: www.askesis.nl
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
From J.Kraaijeveld@Askesis.nl Thu Aug 5 11:36:26 2004 From: J.Kraaijeveld@Askesis.nl (Joost Kraaijeveld) Date: Thu, 5 Aug 2004 12:36:26 +0200 Subject: [LARTC] TC-ng questions/problems Message-ID:
Hi Charles,
lartc@manchotnetworks.net wrote:
> I think that your r2q is probably off -- please see:
>
> http://www.docum.org/stef.coene/qos/faq/cache/31.html
This link does not work. All other numbers are there but one is not. But it's true: in the logfiles I see r2q mentioned (jumping with joy in my office, hope at last).
Thanks.
Regards,
Joost Kraaijeveld
Askesis B.V. Molukkenstraat 14 6524NB Nijmegen tel: 024-3888063 / 06-51855277 fax: 024-3608416 e-mail: J.Kraaijeveld@Askesis.nl web: www.askesis.nl
From bill@ycc.com Thu Aug 5 17:47:56 2004 From: bill@ycc.com (Bill Gradwohl) Date: Thu, 05 Aug 2004 11:47:56 -0500 Subject: [LARTC] NAT & tc filter addresses Message-ID: <411264BC.40801@ycc.com>
Is there a flow diagram as to where tc actions take place with respect to NAT and other iptables functions on a multihomed box (private & public NICs)? Are tc filter rules consulted before or after NATing?
My real interest is in basic understanding first, and then solving a real problem second.
Example:
Firewall Public NIC 123.123.123.1
Firewall Private NIC 192.168.168.1
Dedicated Video Conferencing equipment @ 192.168.168.100
I'd like to write a rule that says any traffic emanating from the private .100 box gets 128kbit of bandwidth out of a T1's total 1.55mbit as the traffic heads out on to the Internet to find the other end of the Video Conference.
The shaping occurs on the Public NIC, but the only address I have to work with is a private address.
By the time the traffic hits the public NIC and tc rules are applied, I suspect the packet no longer has a source IP of private .100, but has been NAT'd to the public NIC address. There's no way to distinguish private .100's traffic via IP address by the time the tc filters are queried. Is that correct?
What methods are available to do this? I can think of marking all the packets on the private side then looking for the marks on the public side. Or, NAT private.100 to a specific Public IP and then write rules for that new Public IP. What other options are there?
--
Bill Gradwohl bill@ycc.com http://www.ycc.com SPAMstomper Protected email
From stefan.gold@stud.tu-ilmenau.de Thu Aug 5 18:06:10 2004 From: stefan.gold@stud.tu-ilmenau.de (Stefan Gold) Date: Thu, 5 Aug 2004 19:06:10 +0200 Subject: [LARTC] HTB mpu and overhead settings for PPPoE ADSL? Message-ID: <200408051906.30178.stefan.gold@stud.tu-ilmenau.de>
Hello,
I'm using HTB to shape my outgoing traffic over an ADSL-link with PPPoE with a nominal bandwidth of 128kbit/s. My goal is to favour small packets like ACKs and interactive services like ssh; in other words, I want to achieve low latency.
If there are some big packets going over the wire, everything works fine. But if there are many small packets saturating my uplink, I get pings of 1000ms and above. To minimize this effect I've set the HTB qdisc rate to 100kbit/s. But even now, throttling my uplink to lower than 80% of physical bandwidth, pings go up to 800ms in some cases.
Today I've noticed that two additional parameters have been added recently to the HTB-shaper: mpu and overhead. Are these new parameters suitable for solving my problem?
Which are smart values for these two settings? I'm shaping the ppp-device directly, not the ethernet-device on which the dsl-modem is connected and I'm using the kernel pppoe driver (if this is important for you to know).
Thanks
Stefan
--
In a free world nobody needs Windows and Gates.
From stef.coene@docum.org Thu Aug 5 21:06:56 2004 From: stef.coene@docum.org (Stef Coene) Date: Thu, 5 Aug 2004 22:06:56 +0200 Subject: [LARTC] TC-ng questions/problems In-Reply-To: References: Message-ID: <200408052206.56197.stef.coene@docum.org>
On Thursday 05 August 2004 12:36, Joost Kraaijeveld wrote:
> Hi Charles,
>
> lartc@manchotnetworks.net wrote:
> > I think that your r2q is probably off -- please see:
> >
> > http://www.docum.org/stef.coene/qos/faq/cache/31.html
>
> This link does not work.
Correct link (I rehosted the site and the main path is changed):
http://www.docum.org/docum.org/faq/cache/31.html
Stef
--
stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/
From Gareth.Segree@gleanerjm.com Thu Aug 5 21:09:24 2004 From: Gareth.Segree@gleanerjm.com (Segree, Gareth) Date: Thu, 5 Aug 2004 15:09:24 -0500 Subject: [LARTC] URGENT HELP needed!! Problem with second route dual ISP Message-ID: <1198536982594F4E9A8E8D4DA6B64E6682AF@COMMSRV04.gleanerjm.com>
Below is a snippet from my firewall script
isp1_ip="xx.0.5.20"
isp1_gw="xx.0.5.1"
isp1_net="xx.0.5.0/28"
isp1_if="eth2"

isp2_ip="xx.182.19.88"
isp2_gw="xx.182.19.1"
isp2_net="xx.182.19.0/28"
isp2_if="eth3"
lo_ip="127.0.0.1"
lo_if="lo"
lo_net="127.0.0.1/8"
ip rule delete from $isp1_ip
ip rule delete from $isp2_ip
# "ip route delete" needs a destination; flushing empties the whole table
ip route flush table 5 # isp 1
ip route flush table 7 # isp 2
ip route del default via $isp2_gw dev $isp2_if
ip route flush cache
#ip route default nexthop via $isp2_gw nexthop $isp1_gw
#ip route add default nexthop via $isp2_gw dev $isp2_if weight 2\
# nexthop via $isp1_gw dev $isp1_if weight 1
echo "Adding routes ..."
ip route add $isp1_net dev $isp1_if src $isp1_ip table 5
ip route add default via $isp1_gw table 5
#ip route add $lan_net dev $lan_if table 5
#ip route add $isp2_net dev $isp2_if table 5
#ip route add $lo_net dev $lo_if table 5
ip route add $isp1_net dev $isp1_if src $isp1_ip
ip route add $isp2_net dev $isp2_if src $isp2_ip
ip rule add from $isp1_ip table 5
ip rule add from $isp2_ip table 7
ip route add $isp2_net dev $isp2_if src $isp2_ip table 7
ip route add default via $isp2_gw table 7
ip route add $lan_net dev $lan_if table 7
ip route add $isp1_net dev $isp1_if table 7
ip route add $lo_net dev $lo_if table 7
ip route add default scope global nexthop via $isp2_gw dev $isp2_if \
    weight 200 nexthop via $isp1_gw dev $isp1_if weight 1
ip route flush cache
echo "Starting firewall ..."
mail/http connections to $isp1_ip fail. Why is this?
I want to be able to connect to both ISPs and fail over to ISP1 when ISP2 is down.
Thanks
Gareth Segree mailto:Gareth.Segree@gleanerjm.com Technical Support Analyst The Gleaner Company Ltd. 7 North Street Kingston Tel: 922-3400
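An added example, not Gareth's script and not code from any other post on this page, that builds one routing table per uplink the way the script above does, with two checks a practitioner would want to run against it. First, in the script above table 7 carries the LAN, the other ISP's subnet and loopback, while table 5 holds only the ISP1 subnet and a default route, so a packet steered by "from $isp1_ip" into table 5 has no route to the LAN other than the ISP1 gateway; the example gives every per-uplink table the same connected, LAN and loopback routes. Second, it derives the prefix length from a dotted netmask, the question left open in the Debian network-scripts thread earlier on the page (new_subnet_mask from dhclient), and refuses non-contiguous masks. Addresses (documentation ranges), interface names and table numbers are placeholders; commands are printed rather than executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: one routing table per uplink, with the checks discussed
# in the lead-in. Not code from any post on this page. Interface names,
# addresses (documentation ranges) and table numbers are placeholders.

# Print each command instead of running it unless DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# mask2cidr 255.255.255.240 -> 28. Rejects anything that is not a
# contiguous dotted-quad mask, so a bad dhclient variable fails loudly
# instead of producing a wrong prefix.
mask2cidr() {
    _bits=0
    _zeros_seen=0
    _oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oldifs
    [ $# -eq 4 ] || { echo "mask2cidr: expected a dotted quad" >&2; return 1; }
    for _octet in "$@"; do
        if [ "$_zeros_seen" -eq 1 ] && [ "$_octet" != 0 ]; then
            echo "mask2cidr: non-contiguous mask" >&2
            return 1
        fi
        case $_octet in
            255) _bits=$((_bits + 8)) ;;
            254) _bits=$((_bits + 7)); _zeros_seen=1 ;;
            252) _bits=$((_bits + 6)); _zeros_seen=1 ;;
            248) _bits=$((_bits + 5)); _zeros_seen=1 ;;
            240) _bits=$((_bits + 4)); _zeros_seen=1 ;;
            224) _bits=$((_bits + 3)); _zeros_seen=1 ;;
            192) _bits=$((_bits + 2)); _zeros_seen=1 ;;
            128) _bits=$((_bits + 1)); _zeros_seen=1 ;;
            0)   _zeros_seen=1 ;;
            *)   echo "mask2cidr: bad octet '$_octet'" >&2; return 1 ;;
        esac
    done
    echo "$_bits"
}

# network_of 192.0.2.20 255.255.255.240 -> 192.0.2.16
network_of() {
    _oldifs=$IFS
    IFS=.
    set -- $1 $2
    IFS=$_oldifs
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# isp_table TABLE IF IP NETMASK GW LAN_NET LAN_IF
# The "from IP" rule sends every reply sourced from IP into TABLE, so
# TABLE needs the LAN and loopback routes too, not just the default.
isp_table() {
    _tbl=$1; _if=$2; _ip=$3; _mask=$4; _gw=$5; _lan_net=$6; _lan_if=$7
    _plen=$(mask2cidr "$_mask") || return 1
    _net=$(network_of "$_ip" "$_mask")
    run ip route flush table "$_tbl"
    run ip route add "$_net/$_plen" dev "$_if" src "$_ip" table "$_tbl"
    run ip route add "$_lan_net" dev "$_lan_if" table "$_tbl"
    run ip route add 127.0.0.0/8 dev lo table "$_tbl"
    run ip route add default via "$_gw" dev "$_if" table "$_tbl"
    run ip rule add from "$_ip" table "$_tbl"
}

# Two placeholder uplinks.
isp_table 5 eth2 192.0.2.20    255.255.255.240 192.0.2.17    10.0.0.0/24 eth1
isp_table 7 eth3 198.51.100.88 255.255.255.240 198.51.100.65 10.0.0.0/24 eth1

# Main-table default: weighted multipath spreads new flows over both
# uplinks. It is not failover by itself: the kernel keeps using a nexthop
# unless its interface goes down, so an ISP that is broken further
# upstream still gets its share of new connections.
run ip route replace default scope global \
    nexthop via 198.51.100.65 dev eth3 weight 200 \
    nexthop via 192.0.2.17 dev eth2 weight 1
run ip route flush cache
```

From a dhclient exit hook the same helper is called as `mask2cidr "$new_subnet_mask"` to get the length for `$new_network_number/length`. The per-table routes are built from one function so both tables cannot drift apart the way table 5 and table 7 do in the script above.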
From stef.coene@docum.org Thu Aug 5 21:04:33 2004 From: stef.coene@docum.org (Stef Coene) Date: Thu, 5 Aug 2004 22:04:33 +0200 Subject: [LARTC] NAT & tc filter addresses In-Reply-To: <411264BC.40801@ycc.com> References: <411264BC.40801@ycc.com> Message-ID: <200408052204.34004.stef.coene@docum.org>
On Thursday 05 August 2004 18:47, Bill Gradwohl wrote:
> Is there a flow diagram as to where tc actions take place with respect
> to NAT and other iptables functions on a multihomed box (private &
> public NICs) ? Are tc filter rules consulted before or after NATing?
See kptd on www.docum.org.
Stef
--
stef.coene@docum.org "Using Linux as bandwidth manager" http://www.docum.org/
From nix4me@cfl.rr.com Thu Aug 5 20:26:19 2004 From: nix4me@cfl.rr.com (nix4me) Date: Thu, 05 Aug 2004 15:26:19 -0400 Subject: [LARTC] marking passive ftp and shaping Message-ID: <411289DB.8020500@cfl.rr.com>
I am trying to mark outbound passive ftp traffic with iptables and shape it to 35KBytes. I am using the following script on the computer that runs the ftp server. It is not working correctly, it seems to limit ALL traffic. Can't file share or anything. Anyone might know what is wrong?
#!/bin/bash
#shaping passive ftp traffic

# mark the outbound passive ftp packets on ports 50000-51000
iptables -t mangle -D POSTROUTING -o eth0 -j MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -F MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -X MYSHAPER-OUT 2> /dev/null > /dev/null
iptables -t mangle -N MYSHAPER-OUT
iptables -t mangle -I POSTROUTING -o eth0 -j MYSHAPER-OUT
iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 50000:51000 -j MARK --set-mark 1

# shape the traffic to 35Kbytes
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 35kbps
tc filter add dev eth0 parent 1: prio 0 protocol ip handle 1 fw flowid 1:1

From mabrown-lartc@securepipe.com Fri Aug 6 06:32:33 2004
From: mabrown-lartc@securepipe.com (Martin A. Brown)
Date: Fri, 6 Aug 2004 00:32:33 -0500
Subject: [LARTC] NAT & tc filter addresses
In-Reply-To: <411264BC.40801@ycc.com>
References: <411264BC.40801@ycc.com>
Message-ID:

Bill,

 : Is there a flow diagram as to where tc actions take place with
 : respect to NAT and other iptables functions on a multihomed box
 : (private & public NICs) ? Are tc filter rules consulted before or
 : after NATing?

For simplicity's sake, let's just talk about packets leaving the box (transmit only). All iptables functions have taken place by the time the traffic control functions are called.

There are a number of different diagrams which cover this in different ways: the KPTD [0], which Stef has already mentioned, the Packet Flow diagram [1], which deals with the bridging and brouting stuff as well, an older 2.4 packet traversal diagram [2], and my recent diagram of just the netfilter system [3].

 : My real interest is in basic understanding first, and then
 : solving a real problem second.

Well...further on the self-promotion front--if understanding is what you seek, then maybe also my Traffic Control HOWTO would be handy. It's available at TLDP [4].
 : Example:
 : Firewall Public NIC 123.123.123.1
 : Firewall Private NIC 192.168.168.1
 : Dedicated Video Conferencing equipment @ 192.168.168.100
 :
 : I'd like to write a rule that says any traffic emanating from the
 : private .100 box gets 128kbit of bandwidth out of a T1's total 1.55mbit
 : as the traffic heads out on to the Internet to find the other end of the
 : Video Conference.
 :
 : The shaping occurs on the Public NIC, but the only address I have to
 : work with is a private address. By the time the traffic hits the public NIC
 : and tc rules are applied, I suspect the packet no longer has a source IP
 : of private .100, but has been NAT'd to the public NIC address. There's
 : no way to distinguish private .100's traffic via IP address by the time the
 : tc filters are queried. Is that correct?

That is correct, but you can always use the fwmark.

 : What methods are available to do this? I can think of marking all
 : the packets on the private side then looking for the marks on the
 : public side. Or, NAT private.100 to a specific Public IP and then
 : write rules for that new Public IP. What other options are there?

As far as I know, these are the two best options. If you don't wish to mess around with marking, the NAT option seems a very good and sensible way to go.

If you haven't used tc much, I'd recommend tcng [5]. It's far simpler to use (and more intuitive) once you have it installed.

Though I haven't tested the below, I could see something like this as a starting point for your experimentation. If you wished to cap the video bandwidth at 128k, you could simply use the same parameter for the rate and ceil (videobw).
#define private eth0
#define public eth1

/* assume that the NAT for the video server is separate from the
   source IP of the remainder of the traffic */
#define videobox 192.168.168.100
#define videopub 123.123.123.100

#define videobw 128000 bps
#define halft1 772000 bps
#define fullt1 1544000 bps

/* this should take care of shaping download traffic */
dev private {
  egress {
    /* on the private NIC's egress the video box is the destination,
       so match ip_dst here (the reverse NAT has already happened) */
    class ( <$video> ) if ip_dst == videobox ;
    class ( <$other> ) if 1 ;

    htb {
      class ( rate fullt1, ceil fullt1 ) {
        /* guarantee videobw to $video, allow full usage */
        $video = class ( rate videobw, ceil fullt1 ) ;
        /* guarantee half the t1 to other traffic */
        $other = class ( rate halft1, ceil fullt1 ) ;
      }
    }
  }
}

/* this should take care of shaping upload traffic */
dev public {
  egress {
    /* after SNAT the video box's packets carry the public address */
    class ( <$video> ) if ip_src == videopub ;
    class ( <$other> ) if 1 ;

    htb {
      class ( rate fullt1, ceil fullt1 ) {
        $video = class ( rate videobw, ceil fullt1 ) ;
        $other = class ( rate halft1, ceil fullt1 ) ;
      }
    }
  }
}

Good luck!

-Martin

[0] http://www.docum.org/docum.org/kptd/
[1] http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
[2] http://open-source.arkoon.net/kernel/kernel_net.png
[3] http://linux-ip.net/nf/nfk-traversal.png
[4] http://tldp.org/HOWTO/Traffic-Control-HOWTO/
[5] http://tcng.sourceforge.net/

-- 
Martin A. Brown --- Wonderfrog Enterprises --- martin@wonderfrog.net

From lartc@manchotnetworks.net Fri Aug 6 09:54:41 2004
From: lartc@manchotnetworks.net (lartc@manchotnetworks.net)
Date: Fri, 06 Aug 2004 10:54:41 +0200
Subject: [LARTC] TC-ng questions/problems
In-Reply-To:
References:
Message-ID: <1091782481.3806.30.camel@drs0>

Hi Joost,

I hope you saw Steph's message on the link ...

On Thu, 2004-08-05 at 12:36, Joost Kraaijeveld wrote:
> But it's true: in the logfiles I see r2q mentioned
> (jumping with joy in my office, hope at last).
Careful not to jump too hard -- you might wake up the management :-)

Cheers
Charles

From lists@benzo8.org Fri Aug 6 14:10:10 2004
From: lists@benzo8.org (John Sullivan)
Date: Fri, 06 Aug 2004 15:10:10 +0200
Subject: [LARTC] Hacking wondershaper...
Message-ID: <6.1.2.0.2.20040806150611.09c5b760@pop3.benzo8.org>

Hi,

First time post to list - hope I've not messed up on the etiquette!

I have a server running in a DMZ behind a wireless ADSL router. I recently implemented wondershaper, which did exactly what it should have, but, of course, knobbled the local bandwidth into the server too, as it's going via the same (and only) interface. So, I've been playing with wondershaper, trying to set it up so that local traffic (to AND from my local netmask) gets the full 100Mbit bandwidth of the card, whereas Internet traffic is shaped within the 400kbit down/200kbit up limits. While I was at it, I thought I'd also look at implementing some high priority ports, too...

Now, I can get the local traffic to go down a new qdisc I created, but I can't get it to give it the full speed, and I think I'm coming up against my level of knowledge here, even with the help of the faq! Could someone take a look at my script and let me know if they can see where I'm going wrong? Or is it just not possible to shape to such a wild degree?

(Script not attached, due to list considerations. Please ask for it offlist, or if it's OK, I'll post here...)

Thanks in advance guys,

Me...

-- 
John Sullivan          And if Man must have an enemy,
john@benzo8.org        let it be his warlike pride...
gpg: 1024D/701EE513 AEFC E06D 8D5C 6099 0576 6832 2734 5FD0 701E E513

From ch_sujith@yahoo.com Fri Aug 6 15:54:55 2004
From: ch_sujith@yahoo.com (sujith chandra)
Date: Fri, 6 Aug 2004 07:54:55 -0700 (PDT)
Subject: [LARTC] problem with HTB, U32
Message-ID: <20040806145455.18657.qmail@web50607.mail.yahoo.com>

Hello..

Could anyone please tell me what the problem is with this code? I can trace the traffic with the command "tc -d -s class show dev eth0"; it shows every time that the packets from 1:1 go to queues 1:3 & 1:4 and then to 1:31 & 1:32 & 1:4 depending on the port number. But I had a problem classifying by dest IP address: the filter is not matching any packets, although with "ethereal" I can see the traffic destined to the address I mentioned. Any clues? Thanks a lot.

[Attachment: try03H1.sh, base64-encoded shell script]
From denis@cfg.tel.etecsa.cu Fri Aug 6 16:54:47 2004
From: denis@cfg.tel.etecsa.cu (Denis Morejon)
Date: Fri, 6 Aug 2004 11:54:47 -0400
Subject: [LARTC] filtering tcp ports
References: <411264BC.40801@ycc.com>
Message-ID: <000501c47bcd$b3dd1860$910aa8c0@cfg.tel.etecsa.cu>

Friends:

I can establish a working tc filter as follows:

tc filter add dev eth0 parent 1:0 protocol ip prio 0 u32 match ip src 129.10.10.3 flowid 1:10

where 1:10 is an HTB class with a certain rate and 1:0 is its parent qdisc. But when I try to filter on source port 21 (for instance), typing:

tc filter add dev eth0 parent 1:0 (protocol ip) prio 0 u32 match ip protocol 0x6 0xff match tcp sport 21 0xffff flowid 1:10

no filter can be added because of a match error. I have already tried both with and without the "(protocol ip)" in that place, and nothing. I hope you will help me!

----- Original Message -----
From: "Martin A. Brown"
To: "Bill Gradwohl"
Cc: "lartc list"
Sent: Friday, August 06, 2004 1:32 AM
Subject: Re: [LARTC] NAT & tc filter addresses

> Bill,
>
> : Is there a flow diagram as to where tc actions take place with
> : respect to NAT and other iptables functions on a multihomed box
> : (private & public NICs) ? Are tc filter rules consulted before or
> : after NATing?
>
> For simplicity's sake, let's just talk about packets leaving the box
> (transmit only). All iptables functions have taken place by the
> time the traffic control functions are called.
>
> There are a number of different diagrams which cover this in
> different ways. The KPTD [0], which Stef has already mentioned, the
> Packet Flow diagram [1], which deals with the bridging, brouting
> stuff as well, an older 2.4 packet traversal diagram [2], and my
> recent diagram of just the netfilter system [3].
>
> : My real interest is in basic understanding first, and then
> : solving a real problem second.
>
> Well...further on the self-promotion front--if understanding is what
> you seek, then maybe also my Traffic Control HOWTO would be handy.
> It's available at TLDP [4].
>
> : Example:
> : Firewall Public NIC 123.123.123.1
> : Firewall Private NIC 192.168.168.1
> : Dedicated Video Conferencing equipment @ 192.168.168.100
> :
> : I'd like to write a rule that says any traffic emanating from the
> : private .100 box gets 128kbit of bandwidth out of a T1's total 1.55mbit
> : as the traffic heads out on to the Internet to find the other end of the
> : Video Conference.
> :
> : The shaping occurs on the Public NIC, but the only address I have to
> : work with is a private address. By time the traffic hits the public NIC
> : and tc rules are applied, I suspect the packet no longer has a source IP
> : of private .100, but has been NAT'd to the public NIC address. There's
> : no way to distinguish private .100's traffic via IP address. by time the
> : tc filters are queried. Is that correct?
>
> That is correct, but you can always use the fwmark.
>
> : What methods are available to do this? I can think of marking all
> : the packets on the private side then looking for the marks on the
> : public side. Or, NAT private.100 to a specific Public IP and then
> : write rules for that new Public IP. What other options are there?
>
> As far as I know, these are the two best options. If you don't wish
> to mess around with marking, the NAT option seems a very good and
> sensible way to go.
>
> If you haven't used tc much, I'd recommend tcng [5]. It's far
> simpler to use (and more intuitive) once you have it installed.
>
> Though I haven't tested the below, I could see something like this
> as a starting point for your experimentation. If you wished to cap
> the video bandwidth at 128k, you could simply use the same parameter
> for the rate and ceil (videobw).
>
> #define private eth0
> #define public eth1
>
> /* assume that the NAT for the video server i